About the LogicMonitor Collector

The LogicMonitor Collector is an application that runs on a Linux or Windows server within your infrastructure and uses standard monitoring protocols to intelligently monitor devices within your infrastructure.

LogicMonitor Collectors are not agents and do not have to be installed on every resource within your infrastructure that you would like monitored. Rather, you should install a Collector on a host in each location of your infrastructure. For more information, see Installing Collectors.

The Collector retrieves data from all the devices assigned to it, then encrypts the data and sends it back to the LogicMonitor servers over an outgoing SSL connection.

One Collector can typically monitor hundreds of devices; however, this capacity depends on how many metrics are being monitored for each device, as well as the available resources of the server on which the Collector is installed. For more information on capacity, see Collector Capacity.

How Collectors Determine What Metrics to Monitor for Devices

When you add a device into monitoring, LogicMonitor applies built-in intelligence to recognize what kind of device it is. Based on the information discovered about the device, LogicMonitor DataSources are applied.

DataSources are templates that tell the Collector how to monitor the device, what metrics to collect for the device, how to display those metrics as graphs, and what values indicate issues that need attention. LogicMonitor installs with hundreds of pre-built DataSources that will automatically apply when you add devices into your account.

Collector Data Storage

All of the data from your Collectors is consolidated in a LogicMonitor data center, and this data is accessible in your LogicMonitor portal from anywhere with an internet connection. This necessitates that the server your Collector is installed on can make an outgoing HTTPS connection to LogicMonitor’s data centers (note, however, that Collectors can be installed on proxy servers).

Ports Used by Collectors

The server on which a Collector is installed must be able to able to make an outgoing HTTPS connection to the LogicMonitor servers (proxies are supported). In addition, the ports for the monitoring protocols you intend to use (e.g. SNMP, WMI, JDBC, etc.) must be unrestricted between your Collector machine and the resources you want to monitor.

The following tables document how the Collector communicates outbound traffic so that firewall rules can be configured accordingly. Additionally, it highlights the use cases in which the Collector is listening for inbound traffic and, when applicable, the configurations that can be used to update these inbound ports.

Inbound communication

Port	Protocol	Use Case	Configuration Setting
162	UDP	SNMP traps received from target devices	eventcollector.snmptrap.address
514	UDP	Syslog messages received from target devices	eventcollector.syslog.port
2055	UDP	NetFlow data received from target devices	netflow.ports
6343	UDP	sFlow data received from target devices	netflow.sflow.ports
7214	HTTP/ Proprietary	Communication from custom JobMonitors to Collector service	httpd.port

Outbound communication

Port	Protocol	Use Case	Configuration Setting
443	HTTP/TLS	Communication between the Collector and the LogicMonitor data center (port 443 must be permitted to access LogicMonitor’s public IP addresses; If your environment does not allow the Collector to directly connect with the LogicMonitor data centers, you can configure the Collector to communicate through a proxy.)	N/A
Other non-privileged	SNMP, WMI, HTTP, SSH, JMX, etc.	Communication between Collector and target resources assigned for monitoring	N/A

Internal communication

Port	Protocol	Use Case	Configuration Setting
7211	Proprietary	Communication between Watchdog and Collector services to OS Proxy service (sbwinproxy/sblinuxproxy)	sbproxy.port
7212	Proprietary	Communication from Watchdog service to Collector service	agent.status.port
7213	Proprietary	Communication from Collector service to Watchdog service	watchdog.status.port
15003	Proprietary	Communication between Collector service and its service wrapper	N/A
15004	Proprietary	Communication between Collector service and its service wrapper	N/A

For instructions on editing a Collector’s configurations, see Editing the Collector Config Files.

Collector Security

The LogicMonitor Collector has been carefully designed and developed with high security in mind. For details on Collector security measures and recommended best practices, see LogicMonitor Security Best Practices.

Anti-malware Considerations

LogicMonitor Collector undergoes rigorous security testing and is digitally signed using a DigiCert code signing certificate to ensure the authenticity and integrity of each release. This guarantees that the code has not been altered or tampered with after publication, providing users with a secure and trusted experience. Despite this, the network traffic patterns may look suspicious to anti-malware tools such as Heuristic antivirus or intelligent endpoint detection and response services. If you choose to run such software on collector systems, be aware that it may interfere with the collector’s operations. Frequent collector service restarts and process crashes are some of the common indicators of anti-malware interference.

LogicMonitor recommends to follow a targeted and balanced approach to address potential threats without compromising the system’s overall protection. Follow these guidelines to tune anti-malware alerts: 

• Understand the nature of anti-malware alerts to make informed decisions. You must first assess the alert details to determine whether it indicates a genuine security threat that requires your attention and action or is it a false positive alarm that you can ignore. 
• Instead of immediately adding full exclusions to the software’s directory path, you may consider adjusting the settings to permit specific components or files flagged by the alert.
• Stay updated on the security practices of the anti-malware software and regularly review the configuration settings to manage these alerts effectively.

For more information on setting exclusions in common anti-malware packages, see the following resources:

• Symantec Endpoint Protection: Excluding a file or a folder from scans
• ESET: Exclude files or folders from scanning in ESET Windows home products
• Sophos: Global Exclusions
• FortiClient: Managing the AntiVirus exclusion list

Open Source Software (OSS) List in Collector Installer

LogicMonitor has automated the OSS license report generation process. With every Collector release – Early Access (EA), Optional General Releases (GD), Required General Releases (MGD), and patch releases, a report of the OSS licenses used by the Collector is generated and bundled with the Collector installer. You can access the report file at the following locations:

• Linux – <AGENT_ROOT>/lib/THIRD-PARTY-NOTICES.txt
• Windows – <AGENT_ROOT>\lib\THIRD-PARTY-NOTICES.txt

Windows Collector Installation Directory Components

The AGENT_ROOT is the collector install path. The default AGENT_ROOT value for Linux and Windows is:

• AGENT_ROOT for Linux—/usr/local/logicmonitor/agent
• AGENT_ROOT for Windows—C:\Program Files\LogicMonitor\Agent

A summary of the components used in the Windows collector installation directory is given in the following table:

Windows Collector Directory	Description
<AGENT_ROOT>\SNMP-MIB-Copyrights.txt	This file contains copyrights of the out-of-the-box MIB files used for translating SNMP traps which are ingested as LM logs.
<AGENT_ROOT>\bin	The folder bin contains executables and DLL files that are required to start, stop, and uninstall the Agent and Watchdog services.
<AGENT_ROOT>\bin\queues	This consists of persistent queues for data reporting, and files for converting collector users to non-root or non-admin.
<AGENT_ROOT>\conf\agent.conf	This configuration file controls the business behavior of collector. It consists of all data collection, active discovery, auto property, and other business logic configurations.
<AGENT_ROOT>\conf\sbproxy.conf	This configuration file controls the internal behaviour of collector sbwinproxy process. It is recommended that you do not change this configuration.
<AGENT_ROOT>\conf\watchdog.conf	This configuration file controls the internal behaviour of collector Watchdog service. It is recommended that you do not change this configuration.
<AGENT_ROOT>\conf\wrapper.conf	This configuration file controls the internal behaviour of collector Wrapper service. It is recommended that you do not change this configuration. However, in exceptional cases,  to enlarge the memory that collector can use or the Java Classpath, you must additionally load a collector.
<AGENT_ROOT>\diagnosetool	This utility contains a number of predefined checks related to configurations, memory, network, processes, systems, and more. It also contains some SNMP commands such as snmpbulkget, snmpbulkwalk, snmpget, and snmpwalk.
<AGENT_ROOT>\lib	The lib folder contains libraries created by collector and third-party libraries on which the collector code depends.
<AGENT_ROOT>\logs	This file contains multiple logs such as logs related to collector installation, diagnose utility logs, agent logs, sbProxy logs, watchdog logs, and more.
<AGENT_ROOT>\tmp	This folder contains downloaded files used for upgrading and downgrading collectors. It also stores temporary files for monitoring.
<AGENT_ROOT>\configure.sh	(Only for Linux directory) When a collector is installed using the install.sh, the configure.sh file is run to configure the collector settings.