Event Monitor Protocols Reference Guide

Event Monitor Protocols

View a list of protocols needed to connect your network devices to your event monitors.

PDH

The Remote Registry service must be running on the system being monitored. The Remote Registry service runs by default on all server versions of Windows. On desktop versions of Windows, it is disabled by default.

When using a domain account, the user must be a member of the Domain Users group. On the systems being monitored, the Domain Users group must be a member of the Performance Monitor Users group.

When using a local account, the user must be a member of the "Users" and "Performance Monitor Users" groups.

Performance counters use DCOM/RPC and a dynamic set of ports in the range of 49152 to 65535. In Windows Firewall, allowing "File and Printer Sharing" is sufficient to allow performance counter monitoring.
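
The PDH requirements above can be checked on the monitored system before adding it to an event monitor. The following is an added example, not code from the product or its vendor; the function name Test-PdhPrerequisite and the account name svc-monitor are hypothetical, and the firewall group name assumes an English-language Windows installation.

```powershell
# Added example (not vendor code). Run in an elevated PowerShell session on
# the system being monitored. Test-PdhPrerequisite is a hypothetical name.
function Test-PdhPrerequisite {
    param(
        [Parameter(Mandatory)]
        [string]$Account   # constructed sample: 'HOST01\svc-monitor'
    )
    $result = [ordered]@{}

    # 1. Remote Registry must be running (disabled by default on desktops).
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $result['RemoteRegistryRunning'] = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # 2. Group membership: the account itself (local account case) or a
    #    nested Domain Users group (domain account case).
    foreach ($group in 'Users', 'Performance Monitor Users') {
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name)
        $key = $group -replace ' ', ''
        $result["${key}_HasAccount"]     = $members -contains $Account
        $result["${key}_HasDomainUsers"] = [bool]($members -like '*\Domain Users')
        $result["${key}_Members"]        = $members -join '; '   # review for extras
    }

    # 3. Enabled inbound allow rules in the firewall group named on this page.
    #    Display group names are localized; this assumes an English system.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' })
    $result['FirewallRulesEnabled'] = $rules.Count

    [pscustomobject]$result
}

Test-PdhPrerequisite -Account "$env:COMPUTERNAME\svc-monitor" | Format-List
```

The member lists in the output also show which other accounts hold the same access, which is worth reviewing when the monitoring account is first provisioned.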

WMI

When using a domain account, the user must be a member of the Domain Admins group.

When using a local account, the user must be a member of the "Users" and "Distributed COM Users" groups.

The account must be granted "Enable Account" and "Remote Enable" in the WMI Control applet (wmimgmt.msc) for the Root\CIMV2 namespace.

WMI uses DCOM/RPC and a dynamic set of ports in the range of 49152 to 65535. In Windows Firewall, allowing "Windows Management Instrumentation" is sufficient to allow WMI monitoring.

SNMP

When using SNMPv1 or SNMPv2c, the community string must match what the device has been configured to use.

When using SNMPv3, the user name, security level, passphrase, and protocol must match the device’s configuration.

UDP port 161 is the default for SNMP and must be permitted in your firewall configuration.

SSH

When using SSH logins, a valid user name and password must be supplied. When using SSH keys, a valid key file must be added to the selected authentication profile.

TCP port 22 is the default for SSH and must be permitted in your firewall configuration.

HTTP/HTTPS

TCP Port 80 is the default for HTTP monitoring. TCP port 443 is the default for HTTPS monitoring.

ICMP

ICMP (Internet Control Message Protocol) is a low-level protocol that uses IP datagrams.

In Windows Firewall, enabling the rule "File and Printer Sharing (Echo Request - ICMPv4-In)" will allow the system to respond to IPv4 ping requests. Use "File and Printer Sharing (Echo Request - ICMPv6-In)" to allow IPv6 pings.

SMB

Older versions of Windows use port 139 for SMB. Newer versions of Windows use port 445 for SMB. In Windows Firewall, enabling "File and Printer Sharing (SMB-In)" will allow SMB monitoring.

DNS

DNS uses UDP port 53.

FTP

FTP uses TCP port 21.

LDAP

LDAP uses port 389.

POP3

POP3 uses port 110. When SSL/TLS is enabled, POP3 uses port 995 instead.

SMTP

SMTP uses port 25. When SSL/TLS/STARTTLS is enabled, SMTP uses port 587 instead.

Telnet

Telnet uses TCP port 23.

RPC/DCOM

DCOM/RPC uses a dynamic set of ports in the range of 49152 to 65535. In Windows Firewall, allowing "File and Printer Sharing (SMB-In)" is sufficient to allow WMI monitoring.

Windows Service API

In addition to the requirements for RPC/DCOM, the account used for Windows service monitoring must be a local or domain admin.

Named Pipes

Named Pipes use DCOM/RPC, which in turn uses a dynamic set of ports in the range of 49152 to 65535. In Windows Firewall, allowing "File and Printer Sharing (SMB-In)" will permit named pipes.

WinRM

Under the hood, WinRM uses either HTTP or HTTPS but on a non-standard port. For HTTP it uses port 5985. For HTTPS it uses 5986. To easily add a firewall exception for WinRM requests, open a command line window on the system being monitored and run: winrm /qc

OLEDB

Object Linking and Embedding Database (OLEDB) is an API designed by Microsoft for accessing databases. It uses RPC/COM for communications and therefore has the same port and firewall requirements as RPC/COM.

ADSI

Active Directory Service Interfaces (ADSI) uses RPC/COM to access Active Directory and therefore has the same port and firewall requirements as RPC/COM.

Remote Registry API

The Remote Registry API uses RPC/COM for communications and therefore has the same port and firewall requirements as RPC/COM.

Modbus

The default port for Modbus is 502. Most Modbus systems do not directly implement firewalling or security. If they are protected by an additional firewall layer, it must permit port 502.

ARP

ARP stands for Address Resolution Protocol and is used for discovering devices on the local network link. It does not require any specific authentication nor any firewall rules.

Syslog

Syslog is a protocol often used by networking equipment to send messages to a monitoring system. Messages are sent over UDP port 514. To enable your FrameFlow installation to receive Syslog messages, Windows Firewall must be configured to allow that port.

Windows Event Log API

The Windows Event Log API uses RPC/COM for communications and therefore has the same port requirements as RPC/COM. For Windows Firewall, an exception for "Remote Event Log Management" is required.

TCP/IP

TCP/IP is a set of protocols and standards that form the basis of modern networking. Connections in TCP/IP are made by selecting a port number that corresponds to a defined protocol. When Windows Firewall is active, an exception is required to allow traffic on the selected port.
