Frequently Asked Questions

What ports need to be open on a hardware firewall to monitor logs?

There's a section on Firewall configuration and ports in the Troubleshooting section of the Help document that installs with LogMeister and EventMeister, but here's a brief summary:

Whatever event gathering technology you tell LogMeister (or EventMeister) to use, ultimately it makes use of Windows DCOM. DCOM uses dynamic port allocation, so by default a wide range of ports can be involved. If only the MS software firewall stands between the LogMeister host and the target machines, then you needn't concern yourself with ports because the MS firewall comes with exceptions for remote event log management; just enable the exceptions and you're done (unless you've specifically closed other ports).

If you have a hardware firewall to configure, then the process can be made much simpler by constraining DCOM to a smaller, specific range of ports of your choosing and opening them along with 135 (which always seems to be required). This takes a registry edit on all sides of the connection; consult the Help under the section "Other firewalls" for the procedure here, or the following article also covers it (MS seems to have killed its original articles in the rush to eliminate support for server 2003, even though the procedure applies to much newer OSes too).

If that link has died, the basic procedure is below:

Note#1: Use this procedure at your own discretion and on your own liability. Technology Lighthouse assumes no responsibility for the use of this procedure.

Note#2: Quotes are used below purely for clarity - omit them from your registry edits.

a. Open regedt32.exe
b. Navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
c. If there is no subkey titled "Internet", create one.
d. Inside the Internet key, create a REG_MULTI_SZ value named "Ports". Each line of the Ports value should specify a range of ports available to DCOM. For this example, add a single line that reads "3000-3010".
e. Add a new REG_SZ value named "PortsInternetAvailable", set it to "Y"
f. Add a new REG_SZ value named "UseInternetPorts", set it to "Y"
g. Open up TCP port 135 to internal traffic. (It may also be necessary to open up UDP 135)
h. Open up the DCOM port range (e.g. 3000-3010) to internal traffic.

Help Topics:

Last Updated 3 years ago

Help Topics

  • Technical Questions