Event Monitor Protocols Reference Guide

PDH

  • The Remote Registry service must be running on the system being monitored. This service runs by default on all server versions of Windows but is disabled by default on desktop versions.
  • Domain account users must be members of the Domain Users group. On monitored systems, this group must also be part of the Performance Monitor Users group.
  • Local account users must be members of the "Users" and "Performance Monitor Users" groups.
  • Performance counters utilize DCOM/RPC and dynamic ports between 49152 and 65535. Allowing "File and Printer Sharing" in Windows Firewall enables performance counter monitoring.

WMI

  • Domain account users need to be part of the Domain Admins group.
  • Local account users should be part of the "Users" and "Distributed COM Users" groups.
  • Users must have "Enable Account" and "Remote Enable" permissions in the WMI Control applet (wmimgmt.msc) for the Root\CIMV2 namespace.
  • WMI also uses DCOM/RPC and dynamic ports between 49152 and 65535. Enabling "Windows Management Instrumentation" in Windows Firewall suffices for monitoring.
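As an added example (not part of this reference guide), the following PowerShell audits a monitored Windows host against the PDH and WMI prerequisites listed above: the Remote Registry service, the two local group memberships, the inbound firewall rule groups, and the Root\CIMV2 namespace permissions. The account name is a placeholder, and "Windows Management Instrumentation (WMI)" is assumed to be the firewall display group the guide refers to.

```powershell
# Added example, not part of the reference guide. Run in an elevated
# Windows PowerShell 5.1 session on the monitored host (Invoke-WmiMethod
# is not available in PowerShell 7). $Account is a placeholder.
function Test-MonitorPrereqs {
    param([string]$Account = 'CONTOSO\svc-monitor')   # placeholder monitoring account
    $r = [ordered]@{}

    # PDH: Remote Registry must be running (disabled by default on desktop editions).
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $r['RemoteRegistry running'] = [bool]($svc -and $svc.Status -eq 'Running')

    # PDH / WMI group membership. For domain accounts the guide nests
    # Domain Users in the local group, so either membership form counts.
    foreach ($g in 'Performance Monitor Users', 'Distributed COM Users') {
        $m = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
        $r["$Account in '$g'"] = [bool]($m | Where-Object {
            $_.Name -eq $Account -or $_.Name -like '*\Domain Users' })
    }

    # Firewall: inbound rules in the groups the guide names must be enabled.
    foreach ($grp in 'File and Printer Sharing', 'Windows Management Instrumentation (WMI)') {
        $rules = Get-NetFirewallRule -DisplayGroup $grp -Direction Inbound -ErrorAction SilentlyContinue
        $r["Firewall group '$grp' enabled"] = [bool]($rules | Where-Object { $_.Enabled -eq 'True' })
    }

    # WMI namespace security on Root\CIMV2: an allow ACE granted directly to the
    # account must carry Enable Account (0x1) and Remote Enable (0x20).
    $sd = (Invoke-WmiMethod -Namespace 'root\cimv2' -Path '__SystemSecurity=@' `
           -Name GetSecurityDescriptor).Descriptor
    $needed = 0x1 -bor 0x20
    $ok = $false
    foreach ($ace in $sd.DACL) {
        $who = '{0}\{1}' -f $ace.Trustee.Domain, $ace.Trustee.Name
        # AceType 0 = access allowed; deny ACEs (1) are never counted as a grant.
        if ($ace.AceType -eq 0 -and $who -eq $Account -and (($ace.AccessMask -band $needed) -eq $needed)) { $ok = $true }
    }
    $r["$Account has Enable Account + Remote Enable on Root\CIMV2"] = $ok

    [pscustomobject]$r
}

Test-MonitorPrereqs | Format-List
```

Permissions inherited through group membership on the namespace are not resolved here; a False on the last line means only that no direct grant to the account was found.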

SNMP

  • For SNMPv1 or SNMPv2c, the community string must match the device configuration.
  • SNMPv3 requires matching user names, security levels, passphrases, and protocols with the device setup.
  • UDP port 161, the default for SNMP, must be allowed in your firewall.

SSH

  • Logins require a valid username and password, or a valid key file for SSH key authentication.
  • TCP port 22, the default for SSH, must be permitted in your firewall.

HTTP/HTTPS

  • TCP Port 80 is used for HTTP monitoring and port 443 for HTTPS monitoring.

ICMP

  • ICMP uses IP datagrams. Enabling "File and Printer Sharing (Echo Request - ICMPv4-In)" and "File and Printer Sharing (Echo Request - ICMPv6-In)" in Windows Firewall allows IPv4 and IPv6 pings, respectively.

SMB

  • Older versions use port 139, while newer versions use port 445. Enable "File and Printer Sharing (SMB-In)" in Windows Firewall for monitoring.

DNS

  • Uses UDP port 53.

FTP

  • Uses TCP port 21.

LDAP

  • Uses port 389.

POP3

  • Uses port 110, or port 995 when SSL/TLS is enabled.

SMTP

  • Uses port 25, or port 587 when SSL/TLS/STARTTLS is enabled.

Telnet

  • Uses TCP port 23.

RPC/DCOM

  • Uses a dynamic set of ports between 49152 and 65535. "File and Printer Sharing (SMB-In)" in Windows Firewall is adequate for monitoring.

Windows Service API

  • Requires the account to be a local or domain admin.

Named Pipes

  • Uses DCOM/RPC and dynamic ports between 49152 and 65535. Enabling "File and Printer Sharing (SMB-In)" permits named pipes.

WinRM

  • Uses HTTP on port 5985 or HTTPS on port 5986, rather than the standard web ports. Use the command winrm /qc to add a firewall exception.

OLEDB

  • This API for accessing databases uses RPC/COM, sharing the same port and firewall requirements.

ADSI

  • Accesses Active Directory using RPC/COM, sharing similar requirements.

Remote Registry API

  • Uses RPC/COM, hence has the same requirements.

Modbus

  • Default port 502. If protected by a firewall, it