User guide

# which contains full configuration information.
options {
# Network Monitor log messages are stored in files named according to the date
# in the following directory.
log-directory "/opt/network_monitor/";
# This section defines the IP address for connections to the
# Log Correlation Engine server. In the example, the server is located at
# 203.0.113.250.
# Only one LCE server is currently supported.
lce-server 172.26.34.167 { }
# The LCE server can be configured to listen on a user-specified port. The setting
# below should match the server setting, which is 31300 by default.
server-port "31300";
}
Default TNM XML Policy
The following is taken from the default_rhel_networkmonitor.lcp policy file. These settings can be changed using
the LCE Client Manager. Remember to never edit the XML file directly; instead, download and edit any of the policy files
from SecurityCenter or LCE Manager, and import the new file to assign it to the proper client.
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<options xmlns:xi="http://www.w3.org/2003/XInclude">
<!-- Network Monitor log messages are stored in files named according to the date
in the following directory. -->
<log-directory>./</log-directory>
<!-- The Network Monitor automatically generates a tcpdump filter expression that
selects which network packets will be processed. This expression is based on the
syslog monitoring settings below. The following option allows the default filter to
be overridden with a custom expression. -->
<!-- filter-expression>tcp or icmp or udp port 514</filter-expression -->
<!-- The network monitor will report traffic from only the interfaces listed
below. -->
<!-- interface>eth0</interface -->
<interface>eth0</interface>
<!-- Traffic containing syslog messages is forwarded to the LCE server for the hosts
matching the filtering criteria in the final section. The following specifies the
protocol/port pairs for which all traffic will be processed as syslog messages.
These settings should match the syslog or syslog-ng configuration. -->
<monitor-syslog-port>udp/514</monitor-syslog-port>
<monitor-syslog-port>tcp/1468</monitor-syslog-port>
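The policy above says the Network Monitor builds its tcpdump filter from the monitor-syslog-port entries unless a filter-expression override is present. The following is an added example, not code from Tenable or this guide: it parses a policy file, validates each protocol/port pair, and derives the resulting capture filter. The element names come from the policy above; the exact filter text the real product generates is an assumption.

```python
# Added example (not TNM/LCE product code). Derives the capture filter that the
# guide says is built from <monitor-syslog-port> entries, honouring an explicit
# <filter-expression> override. The "udp port 514 or ..." format is assumed.
import xml.etree.ElementTree as ET

# Constructed sample policy mirroring the settings shown in the guide.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<options xmlns:xi="http://www.w3.org/2003/XInclude">
  <log-directory>./</log-directory>
  <interface>eth0</interface>
  <monitor-syslog-port>udp/514</monitor-syslog-port>
  <monitor-syslog-port>tcp/1468</monitor-syslog-port>
</options>
"""


def parse_syslog_ports(root):
    """Return validated (proto, port) pairs from <monitor-syslog-port> entries.

    Rejects anything that is not tcp/udp with a port in 1..65535, so a typo in
    the policy fails loudly instead of silently dropping syslog traffic.
    """
    pairs = []
    for elem in root.findall("monitor-syslog-port"):
        text = (elem.text or "").strip()
        proto, sep, port = text.partition("/")
        if sep != "/" or proto not in ("tcp", "udp") or not port.isdigit():
            raise ValueError(f"bad monitor-syslog-port value: {text!r}")
        portnum = int(port)
        if not 1 <= portnum <= 65535:
            raise ValueError(f"port out of range: {text!r}")
        pairs.append((proto, portnum))
    return pairs


def derive_filter(policy_xml):
    """Return the explicit <filter-expression> if set, otherwise a BPF filter
    assembled from the syslog protocol/port pairs (assumed format)."""
    data = policy_xml.encode() if isinstance(policy_xml, str) else policy_xml
    root = ET.fromstring(data)
    override = root.findtext("filter-expression")
    if override and override.strip():
        return override.strip()
    pairs = parse_syslog_ports(root)
    if not pairs:
        raise ValueError("no monitor-syslog-port entries and no filter-expression")
    return " or ".join(f"{proto} port {port}" for proto, port in pairs)


if __name__ == "__main__":
    print(derive_filter(SAMPLE_POLICY))  # → udp port 514 or tcp port 1468
```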