LogRhythm Software Install Guide 7.8.0 RevA

Install a New LogRhythm Deployment
August 09, 2021

© LogRhythm, Inc. All rights reserved.
This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by copyright
and possible non-disclosure agreements. The Software described in this Guide is furnished under the End User License
Agreement or the applicable Terms and Conditions (“Agreement”) which governs the use of the Software. This Software
may be used or copied only in accordance with the Agreement. No part of this Guide may be reproduced or transmitted
in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other
than what is permitted in the Agreement.
Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no warranty of
any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied warranty of
merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any direct, indirect,
incidental, consequential, or other damages alleged in connection with the furnishing or use of this information.
Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned may be
trademarks, registered trademarks, or service marks of their respective holders.
LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com
Phone Support (7am - 6pm, Monday-Friday)

Toll Free in North America (MT) +1-866-255-0862
Direct Dial in the Americas (MT) +1-720-407-3990
EMEA (GMT) +44 (0) 844 3245898
META (GMT+4) +971 8000-3570-4506
APAC (SGT) +65 31572044
Table of Contents
Review Assumptions ........................................................................................................ 5
The LogRhythm Infrastructure Installer ......................................................................... 5
Review the Requirements for a New LogRhythm Deployment ..................................... 6
LogRhythm Licensing ..............................................................................................................................6
SQL Server Licensing ...............................................................................................................................6
Platform Requirements ...........................................................................................................................6
Virtualization Platform Considerations ................................................................................................11
LogRhythm Component Compatibility.................................................................................................13
Networking and Communication..........................................................................................................16
Select a Method of Deploying LogRhythm.................................................................... 17
Gen5 Reference Architecture.................................................................................................................17
Download Software to Install a New LogRhythm Deployment ................................... 64
Install LogRhythm .......................................................................................................... 65
Configure Hardware or Virtual Machine................................................................................................65
Shut Down Antivirus and Endpoint Protection Software ....................................................................65
Install the LogRhythm Databases for the Platform Manager or XM ....................................................65
Run the LogRhythm Install Wizard........................................................................................................66
Use the LogRhythm Configuration Manager ........................................................................................70
Install the LogRhythm Data Indexer ............................................................................. 73
(Optional) Deploy ISO image to Each Linux Data Indexer Node..........................................................73
Install the Data Indexer on Linux...........................................................................................................76
(Optional) Use the Data Indexer Node Installer....................................................................................79
Add a Node to an Existing Cluster .........................................................................................................80
Information about Automatic Maintenance .........................................................................................89
Complete Additional LogRhythm Installation Tasks ................................................... 91
Configure or Verify Communication Ports............................................................................................91
Verify SQL Server Authentication and LogRhythm Databases ............................................................92
LogRhythm, Inc. | Contents 3

Verify LogRhythm Installation ...............................................................................................................93
Verify Web Console Processes ...............................................................................................................93
Install Other Agents ...............................................................................................................................94
Configure the LogRhythm Software......................................................................................................95
Add Realtime Antivirus Exclusions for LogRhythm ..............................................................................95
Supplemental Information for Installations................................................................. 98
Troubleshoot the LogRhythm Configuration Manager ........................................................................98
Back Up and Restore a LogRhythm Configuration...............................................................................98
Add Additional Components to an Existing Deployment ....................................................................99
Add Additional Web Consoles .............................................................................................................101
Generate Self-Signed Certificates for the Web Console.....................................................................102
Remove the Web Console ....................................................................................................................104
LogRhythm, Inc. | Contents 4

This document helps you determine a platform for the LogRhythm Software and provides instructions for installing
LogRhythm on your own systems.
 We recommend that you perform these procedures with the assistance of LogRhythm Professional Services.
Review Assumptions
Before installing the LogRhythm Software, ensure the following:
• Administrative permissions to complete the assigned preparation and installation.
• Dedicated hardware and/or virtual environments are configured as outlined in this installation guide.
 Configuring your dedicated hardware or virtual environment outside the parameters listed in this document
may prevent the LogRhythm Software from operating and performing properly. LogRhythm does not support
non-standard configurations. If your environments cannot be configured to the standard configurations,
contact LogRhythm to determine whether a custom solution is possible.
 The LogRhythm installer is not supported on systems that use compressed drives.
The LogRhythm Infrastructure Installer

The LogRhythm Deployment Tool, also called the Infrastructure Installer, coordinates the installation and configuration
of the LogRhythm Common Components (LR Common) across a set of machines.
LRCommon currently contains:
• LogRhythm API Gateway
• LogRhythm Service Registry
• LogRhythm Metrics Collection
Note the following requirements of the Infrastructure Installer:
• User Access. The user needs to be able to log on to each host in the deployment in order to run the Host
Infrastructure Installer.
• Elevated Execution. The tool executes local commands under an elevated context. The user running the tool
must have permission to elevate the execution.
• Network Time. The times on the hosts must be synchronized. This is a requirement for SSL certificates that are
shared among the hosts in the deployment. If times are not synchronized, this tool will likely report that consul
is unable to elect a leader.
 If this prerequisite is not met, the deployment may not function properly after installation is complete.
Review Assumptions 5
Review the Requirements for a New LogRhythm Deployment

LogRhythm Licensing
The LogRhythm Solution requires a LogRhythm license file which contains a LogRhythm Master License and
Component Licenses. The Master License is tied to an individual customer for a single deployment of LogRhythm (1
Platform Manager and 1 or more Data Processors). Component Licenses fall within the Master License and are used to
license specific LogRhythm components within the same LogRhythm deployment.
A LogRhythm license file can contain the following component and subscription licenses:
• Platform Manager License (always included)
• Data Processor License(s)
• Software License
• Appliance License
• Log Message Source License(s)
• Quantity License
• Unlimited License
• System Monitor Lite License
• System Monitor Pro License
• System Monitor Collector license
• Advanced Intelligence Engine License (separate volume license)
• GeoIP Resolution Subscription License
To learn more about LogRhythm Licensing, see the Licensing topic in the Enterprise SIEM Help. The LogRhythm End
User Licensing Agreement (EULA) contains specific details regarding licensing and is the legal agreement for the
solution you purchased.
SQL Server Licensing

Your LogRhythm Software includes a SQL Server license. However, you must also acquire a Client Access Licenses (CAL)
for every LogRhythm user, as outlined in the SQL Server End User License Agreement (EULA). An initial number of CALs
are included at the time of purchase. To understand how many CALs you have purchased or to purchase additional
CALs, contact LogRhythm Support or your sales representative. The SQL Server EULA contains specific details regarding
licensing and the legal agreement between you and Microsoft. It serves as your proof of purchase.
Platform Requirements
Server Roles
Different LogRhythm server roles perform key tasks for log collection, analysis, and reporting in the LogRhythm SIEM.
When you install LogRhythm on your own systems, you need the following server roles:
• Platform Manager. The Platform Manager provides the central event management and administration of the
LogRhythm SIEM, including:
• Configuration information for all agents, log sources, and log source types.
Review the Requirements for a New LogRhythm Deployment 6

• Knowledge Base, which includes all processing rules, built-in reports (for compliance), built-in alarms,
and other processing-related information.
• The Alarming and Response Manager, which is a Windows service responsible for processing alarm rules
and taking appropriate response such as sending e-mails to those on a notification list or sending SNMP
traps to an SNMP server.
• The Job Manager, which is responsible for scheduled report job generation, Agent and Data Processor
heartbeat monitoring, Active Directory synchronization, and health monitoring.
You can install the Platform Manager on a dedicated appliance (recommended for large environments) or on the
same system as the Data Processor and Data Indexer (called an XM appliance, if you need an all-in-one
appliance). The Platform Manager also includes an embedded AI Engine license, which allows you to install AIE
on the same system. There is only one Platform Manager in the SIEM environment.
• Data Processor. The Data Processor provides high-performance, distributed, and highly available processing of
machine and forensic data. Data Processors receive machine and forensic data from Collectors and Forensic
Sensors. The Data Processor archives data and distributes both the original copy and the structured copy to
other LogRhythm components for indexing, machine based analytics, and alarming.
• Data Indexer. The Data Indexer provides high-performance, distributed, and highly scalable indexing and
searching of machine and forensic data. Data Indexers store both the original and structured copies of data to
enable search-based analytics. The Data Indexer can be installed in an XM configuration on Windows, Red Hat
Enterprise Linux 7, or CentOS 7.x Minimal using our distributed CentOS 7.x ISO image.
• AI Engine. The AI Engine is an optional component that detects conditions occurring over multiple data sources
and time ranges. It provides real-time visibility into risks, threats, and critical operations issues. AI Engine
includes more than 100 preconfigured rule sets that you can use in the wizard-based, drag-and-drop interface.
You can install the AI Engine on the same system as the Platform Manager or you can install it on a dedicated
system.
• System Monitor. The System Monitor collects all log, flow, and machine data, then transfers that data to the Data
Processor. Because a System Monitor is required on each LogRhythm appliance, the LogRhythm installer
automatically deploys it with other applicable roles. You can also deploy the System Monitor using a separate
installer file (for example, silent installations in large environments).
 The LogRhythm dedicated appliance for remote log collection is called a Data Collector appliance.
Volume/Disk Configurations
LogRhythm requires specific volume/disk configurations, which can consist of physical disks or virtual disks with logical
volumes.
 LogRhythm is not supported on systems that use shared disks. Installing on a system that uses shared disks
can have a significant negative impact on performance.
• Physical Disks. One or more physical disks must exist on the dedicated hardware or virtual machine within a
specific volume. The amount can range from a minimum of 2 up to 98 disks per system.
• Virtual Disks (usable space). Virtual disks are a collection of physical disks that deliver redundancy and
performance improvements through hardware RAID technology. The amount can range from 2 to 10 virtual disks
per system.
• Logical Volumes. A logical volume is a partition of a virtual disk addressed with a unique drive letter in Windows
(for example, drive C or drive D). The logical volumes contain specific files and data related to the installation
(see the following table for more information about the contents of each drive). Any LogRhythm server that

contains a Platform Manager includes four logical volumes. The Windows Indexer should include at least two
logical volumes, and the logical volume that contains log data should be on a dedicated virtual disk using
dedicated physical disks.
 You should configure and use the logical volumes as documented.
Component Logical Volume Volume Label Label Contents
Platform Manager C Drive (C:\) n/a

Operating System, SQL Server program
files, and LogRhythm program files
D Drive (D:\) Data LogRhythm SQL Server data files

(Requires NTFS allocation unit size of
64k Bytes)
L Drive (L:\) Log Files LogRhythm SQL Server transaction log

files (Requires NTFS allocation unit size
of 64k Bytes)
T Drive (T:\) Temp DB

SQL Server Temp DB data file and SQL
Server Temp DB transaction log file
(Requires NTFS allocation unit size of
64k Bytes)
S Drive (S:\) n/a LogRhythm Application State for High

IOPS
Data Processor, AI Engine, C Drive (C:\) n/a Operating System and LogRhythm
System Monitor program files
S Drive (S:\) n/a LogRhythm Application State for High

IOPS
Web Console C Drive (C:\) n/a Operating System and LogRhythm

program files
D Drive (D:\) n/a Web Console Indicies
Data Indexer vgroup1 n/a Operating System and LogRhythm

program files
vg_data /usr/local/logrhythm Elasticsearch Data, mapped to /usr/

local/logrhythm
Performance Requirements

 The specifications provided are minimum requirements for your dedicated virtual machine and dedicated
hardware. Your system should be configured so that the end result has the minimum specification
requirement value or greater. If your hardware or virtual machine does not fit into an existing appliance
configuration, contact LogRhythm Professional Services to discuss a possible custom installation. Collection
rates are listed as a guideline. The rates may vary given different hardware configurations and drivers.
The performance specifications are based on the following assumptions:

• 100% of logs are from Syslog
• Average raw log message size = 400 Bytes
• Average online log row size (includes index) = 900 Bytes
• Average online event row size (includes index) = 1,035 Bytes
• Average archive entry size = 400 Bytes
• Average archive compression rate = 20:1
• 100% of logs are archived
• 2% of logs processed by the deployment that are considered an Event (data of interest)
• 10% of Events that are considered a Monitored Event based on Risk Based Priority (RBP)
Additional notes regarding performance specifications:
• Virtual Machines. Deploying on virtual machines incurs overhead. As a result, your actual performance will vary.
A performance degradation of 10-15% is expected when compared to running on a dedicated physical machine.
• Dedicated drives. LogRhythm is an I/O-intensive solution that requires dedicated physical drives to achieve the
published rates specified. LogRhythm makes no distinction between Direct Attached Storage (DAS) or Storage
Area Network (SAN), but the disk volumes must be dedicated.
Power Supply
LogRhythm recommends that all LogRhythm systems be connected to an uninterruptible power supply. A power cut
may cause an Elasticsearch failure that leads to a loss of indices.
Web Console Requirements
 If your LogRhythm instance is deployed in a dark site, download the necessary standalone .NET installers
from Microsoft Support before beginning the upgrade. Otherwise, the Web Services Installer will attempt to
download it during the upgrade and the upgrade will fail without internet connectivity.
You can install the Web Console software on a server, virtual server, or LogRhythm appliance that meets the
requirements listed in the following table.
 LogRhythm currently supports up to three Web Console instances with 60 concurrent users.
 To avoid conflicts, it is recommended that Web Console users are either created manually or through Active
Directory (AD), but not both.

System Requirements
LogRhythm Appliance
Install the Web Console on any of the following LogRhythm appliance models:
• LR-WS3410 LogRhythm Web Services Appliance (includes the Web
Console installer)
• PM5400 and PM7400 series appliances
• XM4400 and XM6400 series appliances
 • Do not install the Web Console on older generation

LogRhythm appliances, such as the LRX or LR series.
• Do not install the LogRhythm SOAP API service on the same
appliance that is used to run the Web Console. Note that the
SOAP API is not the same service as the Case API. The Case
API can be safely installed on the same appliance as the Web
Console.
Your own server

Install the Web Console on a server or virtual environment that meets the
following specifications:
Hardware Operating Disk/Vol 1 Disk/Vol 2

System Config Config
Windows 2016
• 1 x 2.6 GHz Physical Disk: Physical Disk:
x64 Standard
8 Core CPU Edition • 2 x 300 GB • 2 x 400 GB
• 16 vCPU 10K RPM SSD SATA
• 32 GB RAM SAS RAID 1 • 3 DWPD
• H730 RAID • Hardware • RAID 1
controller IOPS: 150 • Hardware
with 2GB • Recomme IOPS:
Cache nded IOPS: 85,000
• 2 x 1 Gigabit 150 • Recomme
Ethernet nded
NICs Virtual Disk:
IOPS:
• 278 GB 1,000
usable
Virtual Disk:
Logical Volume:
• 368 GB
• C Drive usable
(278 GB)
Logical
Volume:
• D Drive
(368 GB)

System Requirements
Web Console UI
You can access the Web Console UI from any computer running Google Chrome,
Mozilla Firefox, Microsoft Edge, or Internet Explorer 11.
The Web Console requires certain ports for its use, as listed in the following table.
Port Requirements
SSL Default Port (8443/443)

The Web Console is configured to use Port 8443 for SSL by default. This avoids
potential conflicts with the LogRhythm Mediator that uses Port 443 on XM
systems. If you are not installing the Web Console on the same system as the
LogRhythm Mediator, you can change the port to 443 or to another port number
during the installation.
Port 8501
During installation, the 8501 port is opened for the LogRhythm API Gateway. This
port provides routing, load balancing, SSL termination, and authentication
termination to deployed Web Services.
Port 43
To execute a whois query using contextualization, port 43 must be opened. For
more information on using contextualization, see the Use Contextualize topic in
the Web Console User Guide.
Virtualization Platform Considerations

The LogRhythm software can be deployed on physical, virtual or cloud environments. The LogRhythm Appliance
Platforms are validated and tested using known resource quantities at specific log processing and indexing rates. When
deploying LogRhythm on virtualized or cloud environments, it is important to consider best practices, underlying
resource availability, and the overhead associated with virtualization.
• Data Collectors. Receive, collect and forward log data. Operating under a light footprint make these systems
good candidates for virtualization.
• Data Processors. Handle processing, data enrichment, and data distribution to the other LogRhythm
components. These systems rely heavily on CPU and Memory resources while also needing access to large disks
for Long Term Archives.
• Data Indexers. Indexing and search of log data through Elasticsearch. These systems can be run in a clustered
configuration with resource utilization focused on CPU and disk I/O.
 New installations of the Data Indexer on Windows are only supported in an XM configuration.
• Platform Manager. Centralized configuration management, knowledge base data, alarming and reporting, runs
on a SQL backend. Standalone Platform Managers focus on memory and disk I/O utilization. In smaller
environments, however, AIE and Web Console may be run on these systems, increasing the resource
requirements

• AIE. Advanced real-time correlation engine requires CPU and memory resources for long term trend analysis.
• Web Console. User-friendly Web interface to the threat lifecycle, requires mostly CPU and memory resources.
Planning system resources for each of these components will depend on the data volume and use-cases for each
component. LogRhythm Appliance Platforms provide known performance and resource allocations, allowing
customers to scale using known quantities. In many cases, a customer will elect to split up LogRhythm roles onto their
own individual systems rather than running a single, very large instance (XM).
Virtualization or Hyperconverged Platform Considerations

LogRhythm performs testing and validation of all components using physical hardware. However, the entire
LogRhythm ecosystem can be run virtually or in the cloud when provided with adequate resourcing.
• CPU. When planning CPU resources in a shared environment, you must consider context switching and wait-
times associated with CPU core availability through the hypervisor. For this reason, LogRhythm recommends
using vCPU reservations through the hypervisor to ensure appliance specification rates can be met.
• Considerations should be made when hyperthreading is being used — LogRhythm vCPU counts assume
hyperthreaded cores.
• Additionally, it is important to observe percentage of CPU idle time over the course of the deployment. A
value more than 10% of CPU idle time is an indication of hardware performance issues, which are likely to
impact LogRhythm.
• Memory. Memory management within virtualized environments should always provide enough memory for all
guests on the hypervisor with overhead available for the hypervisor itself. Overcommitting memory will result in
poor performance and stability issues within the LogRhythm ecosystem. For LogRhythm Appliances requiring
large memory footprints, non-uniform memory access (NUMA) boundaries should be considered. Guests should
not be allocated CPU or memory resources beyond that which can be provided within a single NUMA boundary.
• Disk Volumes. Data Indexers and Platform Managers rely heavily on disk size, IOPS, random seek, and overall
capacity.
• The Data Indexer will use all disk resources available to the system, and it requires a high baseline of
resources based on the Appliance Platform. For this reason, LogRhythm requires dedicated disk
resources be committed to the system.
• Shared storage removes any benefit associated with Data Indexer clustering since all systems in the
cluster participate in searching and indexing of data — the use of shared disks is not supported.
• Many flash-optimized storage solutions provide IOPS rates based on optimized data, which is usually a
small subset of the data on the SAN/blended storage. For this reason, it is recommended to use IOPS
calculations for the disks where LogRhythm data stores exist, not the small flash-optimized data. This is
particularly true of Data Indexers because data used for searching will most certainly exceed the flash
optimized storage tier.
• Each LogRhythm logical volume should be provisioned on its own logical unit number (LUN) and not
shared with other virtual infrastructure or other LogRhythm components.
• Storage connectivity should realize an average latency of 10ms or less. Higher latencies can cause
unpredictable behavior, particularly with the Platform Manager and Data Indexer.
• Networking. Communication between LogRhythm Core Components, particularly Data Indexer clusters, requires
low latency and line-speed 1Gb/s links, at a minimum.

Virtualization Deployment Best Practices

The following best practices will allow LogRhythm to make the most of the resources available in a virtualized
environment. Note, however, that the performance and stability of the system relies 100% on the quality of the
underlying hardware.
Virtual Host (Hypervisor) Requirements

• Intel server class x86-64-bit chip architecture with hyperthreading.
• Dedicated disk volumes following IOPS/RAID specifications of the appliance platform.
• IOPS numbers should be compared using disks that store LogRhythm data and using nonoptimized random
seek per second, not sequential — automated storage tiering solutions are strongly discouraged.
Virtual Machine System Requirements

Full reservations for vCPU and vMemory with no CPU or memory over-commitment on the physical hosts.
• Where applicable, install hypervisor integration services/tools on platform guest VMs (PM, DP, AIE, DX, DC, etc.).
• Where applicable, enhanced network controllers should be used.
• Provision virtual disks as Eager Zero Thick where applicable.
• Avoid NFS disks due to higher latency, network variations, and file locking issues.
Virtualization Redundancy and High Availability

There are a number of solutions native to hypervisors that are designed to provide high availability and dynamic
resource migrations. While these solutions are not formally tested with the LogRhythm ecosystem, users should be
aware of the additional overhead associated with these servers and the impact that they could have on LogRhythm
Virtualization Snapshots and Backups

LogRhythm provides native backup mechanisms for SQL databases on the PM and archives. When combined, these two
can be used to restore a LogRhythm deployment back to 100% functionality and historical data. For this reason, and
due to the disk I/O penalties associated with snapshots, customers are strongly discouraged from taking snapshots of
their LogRhythm systems in a virtual environment. If needed, OS-level backups can be done using 3rd party software,
but is not required for LogRhythm system restoration.
LogRhythm Component Compatibility

All LogRhythm components in a deployment, except for System Monitor, must be versioned with the same major and
minor number. System Monitor versions 6.x and 7.x are supported.
Database and SQL Server Versions

This LogRhythm version requires Microsoft SQL Server 2016 Standard SP1 (version 13.0.4001.0) or higher. In this
LogRhythm 7.0 release, the schema version of all LogRhythm SQL databases is the same: 7.0.x.yyyy.

System Monitor Component Support

Earlier versions of System Monitor are compatible with this version of LogRhythm. The table below lists the System
Monitor versions that are compatible with LogRhythm 7.x.
System Monitor Versions Compatible with LogRhythm 7.x
System Monitor v6.x v7.x
System Monitor (Windows) Yes Yes
System Monitor (*NIX) Yes Yes
Component Operating System Support

This section describes operating systems and LogRhythm component compatibility for LogRhythm 7.8. The following
table defines the LogRhythm support levels used in subsequent tables.
Certified Support (CS) Limited Support (LS) Unsupported (US)
Fully tested per LogRhythm quality Limited testing, but likely to work based on Not tested.
assurance processes. engineering assessment and/or field
verification.
LogRhythm patches bugs. LogRhythm may patch bugs. LogRhythm does not patch bugs.
Full LogRhythm Technical Support. Limited LogRhythm Technical Support. No LogRhythm Technical Support.
The following table shows the support levels for LogRhythm components on various 64-bit operating systems.
 Any operating system not included in the following table is not supported.
LogRhythm 7.8 Operating System Support Levels
64-bit Data Data Platform AI LogRhyth Web Client Open

Operating Indexer Processor Manager Engine m API Console Console Collector
System
Windows 7
US LS LS US US US CS US
Windows
US US US US US US LS US
8/8.1

LogRhythm 7.8 Operating System Support Levels
64-bit Data Data Platform AI LogRhyth Web Client Open

Operating Indexer Processor Manager Engine m API Console Console Collector
System
Windows 10
US US US US US US CS US
Windows
US US US US US US CS US
Server 2008
Windows
US CS US CS CS CS CS US
Server 2008
R2
Windows
US US US US US US LS US
Server 2012
Windows
Server 2012 CS1 CS CS CS CS CS CS US
R2
Windows
Server 2016 CS1 CS CS CS CS CS CS US
Windows
US US US US US US US US
Server 2016
Core
Windows
Server 20192 CS1, 2 CS2 CS2 CS2 CS2 CS2 CS2 US
Windows
US US US US US US US US
Server 2019
Core
CentOS 7.x
CS US US US US US US US
Minimal
CentOS 7.6 or
CS US US US US US US CS
greater
CoreOS
US US US US US US US CS
RHEL 7
CS US US US US US US US

1
The Data Indexer is only supported on Windows operating systems for Gen3 appliances.
2
As of 7.7.0, only new software installations of Windows Server 2019 are supported. Upgrades to Server 2019 from previous versions are not currently
supported.
Networking and Communication

There are a large number of ports that need to be open for the different LogRhythm components to communicate. For
more information, see the Networking and Communication topic in the Enterprise SIEM Help.

Select a Method of Deploying LogRhythm

Gen5 Reference Architecture
The tables in this section describe LogRhythm appliance platforms and performance specifications for each. You can
use this information to determine what kind of systems you will use for installing LogRhythm.
 New installations of the Data Indexer are only supported on the Linux platform. The Data Indexer is only
supported on Windows in an XM configuration.
 SAN storage is supported only in LogRhythm's software only solution and not in LogRhythm appliances. With
respect to appliances, SAN storage is supported only for inactive archives.
 In the tables that follow, Allocation Unit Size is abbreviated as AUS. Where not otherwise specified, default
AUS is expected.
 The virtual platforms described in the table below are for labs/sandbox use only. They are not intended for
production use.
Reference Architectures
Data Collector Web Console XM Platform Manager Data Processor Data Indexer AI Engine
Network Monitor Storage Arrays Virtual Sandboxes
Select a Method of Deploying LogRhythm 17

Reference Performance (MPS) Hardware Operating System Disk/Vol 1 Config

Platform
LR-DC3500 Series Max Collection Rate: Windows 2016 x64

• 1 x 3.0 GHz 4 Core Physical Disk:
25,000 Standard Edition
CPU (12 GHz • 2 x 300 GB 10K
total) RPM SAS RAID 1
• 4 vCPU • Hardware IOPS:
• 16 GB RAM 150
• H330 RAID • Recommended
controller IOPS: 150
• 2 x 1 Gigabit
Ethernet NICs Virtual Disk:
• 278 GB usable
Logical Volume:
• C Drive (200 GB)
• D Drive (78 GB)

Reference Performance Hardware Operating System Disk/Vol 1 Config Disk/Vol 2

Platform (MPS) Config
LR-WC3500 Windows 2016 x64

Web Console: • 1 x 2.6 GHz 8 Physical Disk: Physical Disk:
Series Standard Edition
• Max Event Core CPU • 2 x 300 GB • 2 x 400 GB
Rate: 1,000 • 16 vCPU 10K RPM SSD SATA
• Max Users: • 32 GB RAM SAS RAID 1 • 3 DWPD
35 • H730 RAID • Hardware • RAID 1
controller IOPS: 150 • Hardware
with 2GB • Recommend IOPS:
Cache ed IOPS: 150 85,000
• 2 x 1 Gigabit • Recommen
Ethernet NICs Virtual Disk:
ded IOPS:
• 278 GB 1,000
usable
Virtual Disk:
Logical Volume:
• 368 GB
• C Drive (278 usable
GB)
Logical Volume:
• D Drive (368
GB)

Reference Performance Hardware Operating Disk/Vol 1 Disk/Vol 2 Disk/Vol 3

Platform (MPS) System Config Config Config
LR-XM4500 Data • 1 x 2.2 GHz Windows 2016 Physical Physical Physical

Series Processor: 10 Core x64 Standard Disk: Disk: Disk:
(combined PM, CPU Edition
DP, DX, AIE, • Max • 2 x 240 • 6 x 600 • 2 x 400
Processi • 20 vCPU GB M.2 GB 10K GB SSD
Web, DC)
ng Rate: • 96 GB RAM SSD RPM SAS SATA
2,000 • PERC H740 • 0.3 • RAID 5 + • 3 DWPD
Integrated DWPD 1 HS • RAID 1
Data Indexer: RAID • RAID 1 • Hardwar • Hardwa
• Indexing Controller • Hardw e IOPS: re IOPS:
Rate: with 8GB are 450 85,000
2,000 Cache IOPS: • Recomm • Recom
• 2 x 10 Gb/s 85,000 ended mende
Platform
NICs • Recom IOPS: d IOPS:
Manager:
• 2 x 1 Gb/s mende 450 500
• Max NICs d IOPS:
LogMart Virtual Disk: Virtual Disk:
150
Rate: 20 • 2.2 TB • 368 GB
• Max Virtual
usable usable
Disk:
Events
Logical Logical
Rate: 20 • 220 GB
Volume: Volume:
usable
• D Drive • S Drive
Logical
(2033 (368
Volume:
GB, 64K GB)
• OS AUS)
Drive • L Drive
(220 (150 GB,
GB) 64K
AUS)
• T Drive
(50 GB,
64K
AUS)


LR-XM6500 Windows 2016

Data • 2 x 2.2 GHz Physical Physical Physical
Series x64 Standard
Processor: 10 Core Disk: Disk: Disk:
(combined PM, Edition
DP, DX, AIE, • Max CPU • 2 x 240 • 14 x 1.2 • 2 x 480
Web, DC) Processi • 40 vCPU GB M.2 TB 10K GB SSD
5,000 • PERC H740 • 0.3 • RAID 5 + • 3 DWPD
• Max Controller • Hardw e IOPS: re IOPS:
Indexing with 8GB are 1233 85,000
Rate: Cache IOPS: • Recomm • Recom
5,000 • 2 x 10 Gb/s 85,000 ended mende
Platform
• 2 x 1 Gb/s mende 1233 1,000
Manager:
NICs d IOPS:
• Max Virtual Disk: Virtual Disk:
150
LogMart • 13600 • 440 GB
Rate: Virtual
GB usable
Disk:
100 usable
Logical
• Max • 220 GB
Logical Volume:
Events usable
Volume:
Rate: • S Drive
Logical
100 • D Drive (390
Volume:
(13000 GB)
• OS GB, 64K • T Drive
Drive AUS) (50 GB,
(220 • L Drive 64K
GB) (600 GB, AUS)
64K
AUS)


LR-XM8500 Windows 2016

Series x64 Standard
Processor: 12 Core Disk: Disk: Disk:
(combined PM, Edition
DP, DX, AIE, • Max CPU • 2 x 240 • 24 x 1.2 • 2 x 800
Web, DC) Processi • 48 vCPU GB M.2 TB 10K GB SSD
10,000 • PERC H740 • 0.3 • RAID 5 + • 3 DWPD
• Max Controller • Hardw e IOPS: re IOPS:
Indexing with 8GB are 2538 85,000
Rate: Cache IOPS: • Recomm • Recom
10,000 • 2 x 10 Gb/s 85,000 ended mende
Platform
• 2 x 1 Gb/s mende 2538 1,500
Manager:
NICs d IOPS:
• Max Virtual Disk: Virtual Disk:
150
LogMart • 24568 • 736 GB
Rate: Virtual
GB usable
Disk:
200 usable
Logical
• Max • 220 GB
Logical Volume:
Events usable
Volume:
Rate: • S Drive
Logical
200 • D Drive (686
Volume:
(23568 GB)
• OS GB, 64K • T Drive
Drive AUS) (50 GB,
(220 • L Drive 64K
GB) (1000 AUS)
GB, 64K
AUS)

Refere Performanc Hardware Operating Disk/Vol 1 Disk/Vol 2 Disk/Vol 3 Disk/Vol 4

nce e (MPS) System Config Config Config Config
Platfor
m
LR- Windows not

Platform • 1 x 2.2 GHz Physical Physical Physical
PM550 2016 x64 applicable
Manager: 10 Core CPU Disk: Disk: Disk:
0 Series Standard
• Max • 20 vCPU Edition • 2 x 240 • 8 x 600 • 2 x 480
LogMar • 128 GB RAM GB M.2 GB 15K GB SSD
t Rate: • PERC H740 SSD RPM SATA
800 Integrated • 0.3 SAS • 3 DWPD
• Max RAID DWPD • RAID 10 • RAID 1
Events Controller • RAID 1 • Hardwa • Hardwa
Rate: with 8GB • Hardw re IOPS: re
400 Cache are 1,128 IOPS:
• 2 x 10 Gb/s IOPS: • Recom 85,000
NICs 85,000 mende • Recom
• 2 x 1 Gb/s • Recom d IOPS: mende
NICs mende 1,128 d IOPS:
d IOPS: 500
Virtual Disk:
150
Virtual Disk:
• 2200 GB
Virtual Disk:
usable • 440 GB
• 220 GB usable
Logical
usable Volume: Logical
Logical Volume:
• D Drive
Volume:
(2000 • S Drive
• OS GB, 64K (390
Drive AUS) GB)
(220 • L Drive • T Drive
GB) (200 (50 GB,
GB, 64K 64K
AUS) AUS)

Refere Performanc Hardware Operating Disk/Vol 1 Disk/Vol 2 Disk/Vol 3 Disk/Vol 4

nce e (MPS) System Config Config Config Config
Platfor
m
LR- Windows
Platform • 2 x 2.6 GHz Physical Physical Physical Physical
PM750 2016 x64
Manager: 12 Core CPU Disk: Disk: Disk: Disk:
0 Series Standard
• Max • 48 vCPU Edition • 2 x 240 • 18 x 900 • 4 x 900 • 2x1
LogMar • 196 GB RAM GB M.2 GB 15K GB 15K TB
t Rate: • PERC H740 SSD RPM RPM SSD
2,000 Integrated • 0.3 SAS SAS SATA
• Max RAID DWPD • RAID 10 • RAID 10 • 3
Events Controller • RAID 1 • Hardwa • Hardwa DWPD
Rate: with 8GB • Hardw re IOPS: re • RAID 1
1,000 Cache are 2538 IOPS: • Hard
• 2 x 10 Gb/s IOPS: • Recom 564 ware
NICs 85,000 mende • Recom IOPS:
• 2 x 1 Gb/s • Recom d IOPS: mende 85,000
NICs mende 2538 d IOPS: • Reco
d IOPS: 564 mmen
Virtual Disk:
150 ded
Virtual Disk:
• 7452 GB IOPS:
Virtual Disk:
usable • 1656 1,000
• 220 GB GB
Logical Virtual
usable Volume: usable
Disk:
Logical Logical
• D Drive • 920
Volume: Volume:
(7452 GB
• OS GB, 64K • L Drive usabl
Drive AUS) (1656 e
(220 GB, 64K
Logical
GB) AUS)
Volume:
• S
Drive
(870
GB)
• T
Drive
(50
GB,
64K
AUS)


LR-DP5500 Windows 2016

Series x64 Standard
Processor: 12 Core CPU Disk: Disk: Disk:
Edition
• Max • 24 vCPU • 2 x 240 • 4 x 2 TB • 2 x 1 TB
Processin • 64 GB RAM GB M.2 7.2K SSD
g Rate: • PERC H740 SSD RPM SATA
15,000 Integrated • 0.3 SAS • 3 DWPD
RAID DWPD • RAID 5 + • RAID 1
Controller • RAID 1 1 HS • Hardwa
with 8GB • Hardwa • Hardwa re IOPS:
Cache re IOPS: re IOPS: 85,000
• 2 x 10 Gb/s 85,000 148 • Recom
NICs • Recom • Recom mended
• 2 x 1 Gb/s mended mended IOPS:
NICs IOPS: IOPS: 750
150 148
Virtual Disk:
Virtual Disk: Virtual Disk:
• 920 GB
• 220 GB • 3.6 TB usable
usable usable
Logical
Logical Logical Volume:
Volume: Volume:
• S Drive
• OS • D Drive (920
Drive (3.6 TB) GB)
(220
GB)


LR-DP7500 Windows 2016

Series x64 Standard
Processor: 12 Core CPU Disk: Disk: Disk:
Edition
• Max • 48 vCPU • 2 x 240 • 8 x 2 TB • 2 x 2 TB
Processin • 128 GB RAM GB M.2 7.2K SSD
g Rate: • PERC H740 SSD RPM SATA
40,000 Integrated • 0.3 SAS • 3 DWPD
RAID DWPD • RAID 5 + • RAID 1
Controller • RAID 1 1 HS • Hardwa
with 8GB • Hardwa • Hardwa re IOPS:
Cache re IOPS: re IOPS: 85,000
• 2 x 10 Gb/s 85,000 395 • Recom
NICs • Recom • Recom mended
• 2 x 1 Gb/s mended mended IOPS:
NICs IOPS: IOPS: 1500
150 395
Virtual Disk:
• 1.8 TB
• 220 GB • 11 TB usable
usable usable
Logical
Volume: Volume:
• S Drive
• OS • D Drive (1.8 TB)
Drive (11 TB)
(220
GB)

Reference Performance Hardware Operating System Disk/Vol 1 Disk/Vol 2

Platform (MPS) Config Config
LR-DX3500 CentOS 7.x or Red

Data Indexer: • 1 x 2.3 GHz 12 Physical Disk: Physical Disk:
Series Hat Enterprise
• Max Core CPU Linux 7 • 2 x 240 GB • 10 x 1.2 TB
Indexing • 24 vCPU M.2 SSD 10K RPM
Rate: 5,000 • 64 GB RAM • 0.3 DWPD SAS
• PERC H740 • RAID 1 • RAID 5 + 1
Integrated RAID • Hardware HS
Controller with IOPS: • Hardware
8GB Cache 85,000 IOPS: 793
• 2 x 10 Gb/s NICs • Recomme • Recommen
• 2 x 1 Gb/s NICs nded ded IOPS:
IOPS: 150 793
• 220 GB • 8.8 TB
usable usable
Volume:
• Data Drive
• OS Drive (8.8TB)
(220 GB)

• Max Core CPU Linux 7 • 2 x 240 GB • 16 x 1.2 TB
Indexing • 28 vCPU M.2 SSD 10K RPM
Rate: • 128 GB RAM • 0.3 DWPD SAS
10,000 • PERC H740 • RAID 1 • RAID 5 + 1
IOPS: 150 1410
• 220 GB • 15.45 TB
usable usable
Volume:
• Data Drive
• OS Drive (15.45 TB)
(220 GB)



• Max Core CPU (72.8 Linux 7 • 2 x 240 GB • 26 x 1.8 TB
Indexing GHz total) M.2 SSD 10K RPM
Rate: • 56 vCPU • 0.3 DWDP SAS
20,000 • Dedicated Disk • RAID 1 • RAID 5 + 1
Drives (DAS or • Hardware HS
SAN) IOPS: • Hardware
• 256 GB RAM 85,000 IOPS: 2750
• PERC H740P • Recomme • Recommen
Integrated RAID nded ded IOPS:
Controller IOPS: 150 2750
• 2 x 10 Gigabit
Ethernet NICs Virtual Disk: Virtual Disk:
• 2 x 1 Gigabit • 220 GB • 39 TB
Ethernet NICs usable usable
Volume:
• Data Drive
• OS Drive (39 TB)
(220 GB)
Logical
Volume:
• OS Drive
(546 GB)


LR-DXW5120 CentOS 7.x or Red

Data Indexer: • 1 x 2. 2 GHz 10 Core Physical Disk: Physical Disk:
Hat Enterprise
CPU
• Max Linux 7 • 2 x 240 GB • 1 2 x 12
Indexing • 2 0 vCPU M.2 SSD TB 7.2K
Rate: 0 • 128 GB RAM • 0.3 DWPD RPM SATA
RAID 1 • RAID 5 + 1
• PERC H740
• Hardware HS
Integrated RAID
IOPS: • Hardware
Controller with 8GB
Cache 85,000 IOPS: 750
• Recomme • Recommen
• 2 x 10 Gb/s NICs nded ded IOPS
• 2 x 1 Gb/s NICs IOPS: 150 750
Virtual Disk:
Virtual Disk: • 108 TB
• 220 GB usable
usable
Logical Volume:
Logical • Data Drive
Volume: ( 108 TB)
• OS Drive
(220 GB)


LR-AIE7500 Windows 2016 x64

• Max MPS: • 2 x 3.0 GHz 12 Physical Disk: Physical Disk:
Series Standard Edition
75,000 Core CPU • 2 x 240 GB • 2 x 2 TB
• Max • 48 vCPU M.2 SSD SSD SATA
Number of • 128 GB RAM • 0.3 DWPD • 3 DWPD
Rules: 2,000 • PERC H740 • RAID 1 • RAID 1
Integrated RAID • Hardware • Hardware
Controller with IOPS: IOPS:
8GB Cache 85,000 85,000
IOPS: 150 2,000
• 220 GB • 1.8 TB
usable usable
Volume:
• S Drive (1.8
• OS Drive TB)
(220 GB)

Reference Performance Hardware Operating Disk/Vol 1 Disk/Vol 2

Platform (MPS) System Config Config
LR-NM3500 1 Gb Network CentOS 7.6 or Red

• 1 x 2.3 GHz 12 Physical Disk: Physical Disk:
Monitor Hat Enterprise
Core CPU Linux 7 • 2 x 240 GB • 8 x 600 GB
• 24 vCPU M.2 SSD 10K RPM
• 64 GB RAM • 0.3 DWPD SAS
• PERC H740 • RAID 1 • RAID 5 + 1
IOPS: 150 717
• 220 GB • 3312 GB
usable usable
Volume:
• Data Drive
• OS Drive (3312 GB)
(220 GB)
LR-NM5500 5 Gb Network CentOS 7.6 or Red

• 2 x 2.6 GHz 14 Physical Disk: Physical Disk:
Monitor Hat Enterprise
Core CPU Linux 7 • 2 x 240 GB • 24 x 600 GB
• 56 vCPU M.2 SSD 10K RPM
• 128 GB RAM • 0.3 DWPD SAS
• PERC H740 • RAID 1 • RAID 5 + 1
IOPS: 150 2115
• 220 GB • 12284 GB
usable usable
Volume:
• Data Drive
• OS Drive (12232 GB)
(220 GB)

Reference Platform Performance Hardware Operating Disk/Vol 1 Config Disk/Vol 2

(MPS) System Config
SANM5026 (direct 12 Gbps SAS PERC H840 RAID not applicable not applicable
Physical Disk:
attached storage for Controller with 8 GB
NM) Cache • 24 x 1.2 TB
10K RPM
SAS
• RAID 5 + 1
HS
• Hardware
IOPS: 2538
Virtual Disk:
• 24464 GB
usable
Logical Volume:
• Data Drive
(24464 GB)
SAAR5120 (direct 12 Gbps SAS PERC H840 RAID not applicable not applicable
Physical Disk:
archives) Cache • 24 x 12 TB
7200 RPM
SAS
• RAID 5 + 1
HS
• Hardware
IOPS: 1135
Virtual Disk:
• 120 TB
usable
Logical Volume:
• Archive
Drive (120
TB)

Reference Platform Performance Hardware Operating Disk/Vol 1 Config Disk/Vol 2

(MPS) System Config
SAPM5020 (direct 12 Gbps SAS PERC H840 RAID not applicable

Physical Disk: Physical Disk:
PM) Cache • 20 x 900 GB • 4 x 900 GB
15K RPM 15K RPM
SAS SAS
• RAID 10 • RAID 10
• Hardware • Hardware
IOPS: 2820 IOPS: 564
• 8280 GB • 1656 GB
usable usable
Logical Volume: Logical Volume:
• E Drive • M Drive
(8280 GB) (1656 GB)
Reference Platform Performance Hardware Operating System Disk/Vol 1 Config Disk/Vol 2 Config
(MPS)
Windows 2016 x64

LR-XMVS Data Processor: • 8 Disk: Disk:
Standard Edition
(combined PM, DP, vCPU
DX virtual server) • Max • Recommen • Recommen
Processing • 32 GB ded IOPS: ded IOPS:
For labs/sandbox use only Rate: 500 RAM 150 150
• 1 NIC
Data Indexer: Logical Volume: Logical Volume:
• Max • C Drive (100 • D Drive (150
Indexing GB) GB, 64K
Rate: 500 • L Drive (20 AUS)
GB, 64K
Platform
Manager: AUS)
• T Drive (10
• Max GB, 64K
LogMart AUS)
Rate: 50
• Max Events
Rate: 25

Reference Platform Performance Hardware Operating System Disk/Vol 1 Config Disk/Vol 2 Config
(MPS)
Windows 2016 x64

LR-PMVS1 Platform • 4 Disk: Disk:
Standard Edition
(dedicated PM Manager: vCPU
virtual server) • Recommen • Recommen
• Max • 16 GB ded IOPS: ded IOPS:
For labs/sandbox use only LogMart RAM 150 150
Rate: 50 • 1 NIC
• Max Events
Rate: 25 • C Drive (100 • D Drive (150
GB) GB, 64K
• L Drive (20 AUS)
GB, 64K
AUS)
• T Drive (10
GB, 64K
AUS)
Windows 2016 x64 not applicable

LR-DPVS1 Data Processor: • 4 Disk:
Standard Edition
(dedicated DP virtual vCPU
server) • Max • Recommen
Processing • 8 GB ded IOPS:
For labs/sandbox use only Rate: 500 RAM 150
• 1 NIC
Logical Volume:
• C Drive (100
GB)
• D Drive (50
GB)
CentOS 7.6 or Red

LR-DXVS1 Data Indexer: • 4 Disk: Disk:
Hat Enterprise Linux
(dedicated DX virtual vCPU
• Max 7 • Recommen • Recommen
server) • 16 GB
Indexing ded IOPS: ded IOPS:
For labs/sandbox use only Rate: 500 RAM 150 150
• 1 NIC
• OS Drive • Data Drive
(100 GB) (150 GB)
Cloud Platform Reference Architecture

The following sections provide information about installing LogRhythm on cloud-based platforms including
• Amazon Web Services

• Google Cloud
• Microsoft Azure
Deployments in Amazon Web Services
Installation Overview
 It is assumed that the user has experience with Amazon Web Services EC2.
Design
Designing LogRhythm in AWS is similar to on-premise deployments. Assess the volume needs of your organization and
match them to the LogRhythm Reference Architecture provided in this section.
Windows Systems
Create Windows Virtual Machines using the standard EC2 instances from AWS. You will want to select the newest base
operating system supported on your version of LogRhythm.
• Select the size of the instance based on your appliance sizing needs using the AWS reference architecture table.
• Create EBS storage to match the instance mappings for volume type and size.
• Root instance store volumes should not be used for LogRhythm storage.
Linux Systems (Data Indexer)

LogRhythm recommends installing a CentOS 7.x Minimal system or Red Hat Enterprise Linux (RHEL) 7 and adhering to
the following steps:
1. Select the size of the instance based on your appliance sizing needs using the AWS reference architecture table.
2. Create EBS storage to match the instance mappings for volume type and size. For storage, SSD GP2 is
recommended for best performance.
 Root instance store volumes should not be used for LogRhythm storage.
3. Create a LogRhythm user.

a. Log into the AWS instance and elevate to the root user:
# sudo su
b. Add new user called logrhythm:
# adduser logrhythm
c. Set the password for the logrhythm user:

# passwd logrhythm
d. Provide and confirm the password for the logrhythm user.

e. Add the logrhythm user to the wheel group:
# usermod -aG wheel logrhythm
f. Navigate to the logrhythm user:
# su - logrhythm
4. Configure the SSH key.

a. Generate the SSH key:
# ssh-keygen -t rsa
b. Accept all defaults and do not enter a password.

c. Navigate to the ssh key:
# cd /home/logrhythm/.ssh
d. Copy and authorize the key:
# cp id_rsa.pub authorized_keys
e. SSH into the instance and add the SSH key to the list of known hosts:
# ssh localhost
f. Enter yes when prompted to continue connecting.

g. Log in as the newly created logrhythm user.
5. Install the Data Indexer.
a. Prepare the DX install by moving the DX installer, plan.yml, and hosts file to the Soft directory:
# sudo mv <filename> /home/logrhythm/Soft
b. Run the DX installer:
# sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/

Soft/hosts --plan /home/logrhythm/Soft/plan.yml
c. When prompted for the SSH password, press Enter with no input or enter the logrhythm user password.

d. When prompted for the Sudo password, enter the password for the logrhythm user created in earlier
steps.
Platform Reference Architecture for AWS
LR-DC3400 (Data Collector)

• Max Collection Rate: 15,000
• Max Remote Windows Log Sources: 500
Instance Operating Disk/Vol Disk/Vol Disk/Vol Disk/Vol Disk/Vol

Type System Config 1 Config 2 Config 3 Config 4 Config 5
Windows 2016 (none) (none) (none)

AWS: Disk Type: Disk Type:
x64 Standard
m4.xlarge
gp2 gp2
Edition
Volume Size: Volume Size:
C Drive: 200 GB D Drive: 78 GB
Description: Description:
Operating State
System
LR-XM4500 Series (combined PM/DP/DX/AIE server)

Data Processor/Data Indexer:
• Max Processing Rate: 2,000
• Indexing Rate: 2,000
Platform Manager:
• Max LogMart Rate: 20
• Max Events Rate: 20

Instance Operating System Disk/Vol Disk/Vol Config Disk/Vol Disk/Vol Disk/Vol

Type Config 1 2 Config 3 Config 4 Config 5
AWS: Windows 2016 x64 Disk Type: Disk Type: Disk Type: Disk Type: Disk Type:
Standard Edition
r4.4xlarge gp2 gp2 st1 gp2 gp2
Volume Size: Volume Size: Volume Size: Volume Size: Volume Size:
C Drive: 200 GB D Drive: 500 GB E Drive: 1500 L Drive: 150 GB T Drive: 50 GB
GB
Description: S Drive: 100 GB Description: Description:
Description:
Operating Description: SQL Logs SQL Temp
System ElasticSearch
SQL Databases
Data
and LR
State

Platform Manager:

Standard Edition
r4.8xlarge gp2 gp2 st1 gp2 gp2
C Drive: 200 GB D Drive: 2750 E Drive: 9000 L Drive: 880 GB T Drive: 50 GB
GB GB
Description: Description: Description:
S Drive: 250 GB Description:
Operating SQL Logs SQL Temp
System Description: ElasticSearch
Data
SQL Databases
and LR
State



Platform Manager:

Standard Edition
m4.16xlarge gp2 gp2 st1 gp2 gp2
C Drive: 200 GB D Drive: 4500 E Drive: 16000 L Drive: 1000 T Drive: 50 GB
GB GB GB
S Drive: 500 GB Description: Description:
Operating SQL Temp
System Description: ElasticSearch SQL Logs
Data
SQL Databases
and LR
State
LR-PM5500 Series (dedicated Platform Manager)


(none) Disk Type:

AWS: Windows 2016 x64 Disk Type: Disk Type: Disk Type:
Standard Edition gp2
r4.4xlarge gp2 gp2 gp2
Volume Size:
Volume Size: Volume Size: Volume Size:
L Drive: 400 GB
C Drive: 200 GB D Drive: 1600 T Drive: 50 GB
GB Description:
S Drive: 200GB SQL Logs
Operating SQL Temp
System Description:
SQL Databases
and LR
State

• Max LogMart Rate: 2,000

• Max Events Rate: 1,000

(none) Disk Type:

Standard Edition gp2
r4.8xlarge gp2 gp2 gp2
Volume Size:
L Drive: 800 GB
C Drive: 200 GB D Drive: 5000 T Drive: 50 GB
GB Description:
S Drive: 500 GB SQL Logs
Operating SQL Temp
System Description:
SQL Databases
and LR
State
LR-DP5500 Series (dedicated Data Processor)


(none) (none)
Standard Edition
m5.4xlarge gp2 gp2 sc1
C Drive: 200 GB D Drive: 500 GB E Drive: 2000
GB
Description:
Operating Active Archives
System and LR Inactive
Archives
State
(adjustable)



(none) (none)
Standard Edition
m5.12xlarge gp2 gp2 sc1
C Drive: 200 GB D Drive: 1200 E Drive: 8000
GB GB
Description:
Operating
System Active Archives Inactive
and LR Archives
State (adjustable)
LR-AIE7500 Series (dedicated AIE server)

• Max MPS: 75,000
• Max Number of Rules: 2,000
Instance Operating System Disk/Vol Disk/Vol Disk/Vol Disk/Vol Disk/Vol

Type Config 1 Config 2 Config 3 Config 4 Config 5
(none) (none) (none)

AWS: Windows 2016 x64 Disk Type: Disk Type:
Standard Edition
m4.10xlarge gp2 gp2
Operating AIE State/Data
System
LR-DX3500 Series (dedicated Data Indexer)

Indexing Rate: 5,000


CentOS 7.6 or Red Disk Type: (none) (none) (none)

AWS: Disk Type:
Hat Enterprise
m4.4xlarge gp2
Linux 7 gp2
Volume Size:
Volume Size:
/
/usr/local/
200 GB logrhythm
Description: 8800 GB
Operating Description:
System
Elasticsearch
Data



AWS: Disk Type:
Hat Enterprise
h1.8xlarge gp2
Linux 7 gp2
Volume Size:
Volume Size:
/
/usr/local/
200 GB logrhythm
System
Elasticsearch
Data


Instance Operating System Disk/Vol Disk/Vol Disk/Vol Config Disk/Vol Disk/Vol

Type Config 1 Config 2 3 Config 4 Config 5
CentOS 7.6 or Red Disk Type: (none) (none)

AWS: Disk Type: Disk Type:
Hat Enterprise
m4.16xlarge gp2
Linux 7 gp2 gp2
Volume Size:
/
/usr/local/ /usr/local/
200 GB logrhythm logrhythm/01
Description: 16000 GB 16000 GB
Operating Description: Description:
System
Elasticsearch Elasticsearch
Data Data
LR-DXW5120 Series (dedicated warm tier)

Indexing Rate: 0
Instanc Operating Disk/ Disk/Vol Disk/Vol Disk/Vol Disk/Vol Disk/Vol Disk/Vol Disk/Vol
e Type System Vol Config 2 Config 3 Config 4 Config 5 Config 6 Config 7 Config 8
Config
1
CentOS 7.6 Disk

AWS: Disk Disk Disk Disk Disk Disk Disk
or Red Hat Type:
m4.10xl Type: Type: Type: Type: Type: Type: Type:
Enterprise
arge gp2
Linux 7 sc1 sc1 sc1 sc1 sc1 sc1 sc1
Volume
Volume Volume Volume Volume Volume Volume Volume
Size:
Size: Size: Size: Size: Size: Size: Size:
/
/usr/ /usr/ /usr/ /usr/ /usr/ /usr/ /usr/
200 GB local/ local/ local/ local/ local/ local/ local/
logrhyth logrhyth logrhyth logrhyth logrhyth logrhyth logrhyth
Descrip
m/01 m/07 m/02 m/03 m/04 m/05 m/06
tion:
16000 GB 16000 GB 16000 GB 16000 GB 16000 GB 16000 GB 16000 GB
Operati
ng Descripti Descripti Descripti Descripti Descripti Descripti Descripti
System on: on: on: on: on: on: on:
Elasticse Elasticse Elasticse Elasticse Elasticse Elasticse Elasticse
arch Data arch Data arch Data arch Data arch Data arch Data arch Data

Deployments in Google Cloud
 It is assumed that the user has experience with Google Cloud and Google Compute.
Design
Designing LogRhythm in GCP is similar to on-premise deployments. Assess the volume needs of your organization and
match them to the LogRhythm Reference Architecture.
Windows Systems
Create Windows Virtual Machines using the Compute Engine VM instances from GCP. Select the newest base operating
system supported on your version of LogRhythm.
• Select the machine type based on your appliance sizing needs using the GCP reference architecture table.
• Create disk storage to match the instance mappings for volume type and size.

1. Create a CentOS 7.x or Red Hat Enterprise Linux 7 virtual machine using the Compute Engine VM instances from
GCP.
• Select the newest base operating system supported on your version of LogRhythm.
• Select the machine type based on your appliance sizing needs using the GCP reference architecture table.
• Create disk storage to match the instance mappings for volume type and size.
2. Create a Logrhythm user.
a. Log into the DX using root.
b. Add new user called logrhythm:
# adduser logrhythm
c. Set password for the logrhythm user:
# passwd logrhythm
d. Set and confirm the logrhythm users's password.

# su - logrhythm

Platform Reference Architecture for GCP

Instance Operating System Disk/Vol Config Disk/Vol Disk/Vol Disk/Vol Disk/Vol

Type 1 Config 2 Config 3 Config 4 Config 5
Windows 2016 x64 (none) (none) (none)

n1- Disk Type: (none)
Standard Edition
standard-4
Standard
Persistent Disk
Volume Size:
C Drive: 200 GB
D Drive: 100 GB
Description:
Operating
System/LR State
LR-XM4500 Series (Combined PM/DP/DX/AIE Server)

Platform Manager:

Instance Operating Disk/Vol Disk/Vol Config 2 Disk/Vol Disk/Vol Disk/Vol

Type System Config 1 Config 3 Config 4 Config 5
Custom Windows 2016 Disk Type: Disk Type: (none) (none) (none)
Machine x64 Standard
Standard Standard
Edition
20 Cores Persistent Disk Persistent Disk
96GB Volume Size: Volume Size:
Memory
Description: L Drive: 150 GB
Operating S Drive: 100 GB
System
T Drive: 50 GB
Description:
SQL Databases/ES
Data/SQL Logs/LR
State/SQL Temp

Platform Manager:
Instance Operating Disk/Vol Config Disk/Vol Config 2 Disk/Vol Config Disk/Vol Config Disk/Vol
Type System 1 3 4 Config 5
Custom Windows 2016 Disk Type: Disk Type: Disk Type: Disk Type : (none)
Machine x64 Standard
Standard Standard Persistent Standard SSD Persistent
Edition
40 Cores Persistent Disk Disk Persistent Disk Disk
192GB Volume Size: Volume Size: Volume Size: Volume Size:
Memory
C Drive: 200 GB D Drive: 2750 GB E Drive: 9000 GB S Drive: 250 GB
Description: L Drive: 250 GB Description: Description:
Operating T Drive: 50 GB ElasticSearch LR State
System Data
Description:
SQL Databases/SQL
Logs/SQL Temp


Platform Manager:

Custom Windows 2016 x64 Disk Type: Disk Type: Disk Type: (none) (none)
Machine Standard Edition
Standard Standard SSD Persistent
48 Cores Persistent Persistent Disk Disk
Disk
Memory Volume Size:
D Drive: 4500 GB E Drive: 18000
C Drive: 200 GB
L Drive: 1000 GB
GB
S Drive: 500
T Drive: 50 GB
Description: GB
Description:
System SQL Databases/
ElasticSearch
SQL Logs/SQL
Data/ LR State
Temp
LR-PM5500 Series (Dedicated Platform Manager)


Instance Operating System Disk/Vol Config Disk/Vol Config 2 Disk/Vol Disk/Vol Disk/Vol
Type 1 Config 3 Config 4 Config 5
Disk Type : (none)

Custom Windows 2016 x64 Disk Type: Disk Type: (none)
Machine Standard Edition SSD
Standard Standard
Persistent
Disk
Volume Size:
Memory
S Drive: 250
Description: L Drive: 200 GB GB
Operating Description: T Drive: 50 GB
System
SQL Databases/ Description:
SQL Logs
LR State/SQL
Temp
LR-PM7500 Series (Dedicated Platform Manager)

Instance Operating Disk/Vol Config Disk/Vol Config Disk/Vol Disk/Vol Disk/Vol

Type System 1 2 Config 3 Config 4 Config 5
Disk Type : (none)

Custom Windows 2016 x64 Disk Type: Disk Type: (none)
Machine Standard Edition SSD Persistent
Standard Standard
Disk
Volume Size:
Memory S Drive: 500 GB
T Drive: 50 GB
Description: L Drive: 500 GB
Description:
System LR State/SQL
SQL Databases/
Temp
SQL Logs
LR-DP5500 Series (Dedicated Data Processor)


Instance Operating Disk/Vol Config Disk/Vol Disk/Vol Config Disk/Vol Disk/Vol

Type System 1 Config 2 3 Config 4 Config 5
(none) (none)
Custom Windows 2016 x64 Disk Type: Disk Type: Disk Type:
Standard SSD Persistent Standard
24 Cores Persistent Disk Disk Persistent Disk
64GB Volume Size: Volume Size: Volume Size:
Memory
C Drive: 200 GB S Drive: 500 GB E Drive: 2000 GB
Operating Active Inactive
System Archives/LR Archives
State (adjustable)
LR-DP7500 Series (Dedicated Data Processor)

Instance Operating Disk/Vol Config Disk/Vol Disk/Vol Config Disk/Vol Disk/Vol

Type System 1 Config 2 3 Config 4 Config 5
(none) (none)
Custom Windows 2016 x64 Disk Type: Disk Type: Disk Type:
Standard SSD Persistent Standard
48 Cores Persistent Disk Disk Persistent Disk
128GB Volume Size: Volume Size: Volume Size:
Memory
C Drive: 200 GB S Drive: 1000 E Drive: 8000 GB
GB
Description:
Operating Inactive
System Active Archives
Archives/LR
(adjustable)
State
LR-AIE7500 Series (Dedicated AIE server)

• Max MPS: 75,000

Instance Operating Disk/Vol Config Disk/Vol Disk/Vol Disk/Vol Disk/Vol

Type System 1 Config 2 Config 3 Config 4 Config 5
(none) (none) (none)

Custom Windows 2016 x64 Disk Type: Disk Type:
Standard SSD Persistent
48 Cores Persistent Disk Disk
Memory
C Drive: 200 GB S Drive: 500 GB
Operating AIE State/Data
System
LR-DX3500 Series (Dedicated Data Indexer)

Instance Operating System Disk/Vol Config Disk/Vol Config Disk/Vol Disk/Vol Disk/Vol
Type 1 2 Config 3 Config 4 Config 5

Custom Disk Type:
Hat Enterprise
Machine Standard
Linux 7 Standard
Persistent Disk
24 Cores Persistent Disk
Volume Size:
64GB Volume Size:
Memory /
/usr/local/
200 GB logrhythm
System
Elasticsearch
Data




Custom Disk Type:
Hat Enterprise
Machine Standard
Linux 7 SSD Persistent
Persistent Disk
28 Cores Disk
Volume Size:
128GB Volume Size:
Memory /
/usr/local/
200 GB logrhythm
System
Elasticsearch
Data



Custom Disk Type: (none)
Hat Enterprise
Machine Standard
Linux 7 SSD Persistent
Persistent Disk
56 Cores Disk
Volume Size:
256GB Volume Size:
Memory /
/usr/local/
200 GB logrhythm
System
Elasticsearch
Data
LR-DXW5120 Series (Dedicated Warm Tier)

Indexing Rate: 0

Instance Operating System Disk/Vol Config Disk/Vol Config Disk/Vol Disk/Vol Disk/Vol
Type 1 2 Config 3 Config 4 Config 5

Custom *Disk Type: (none)
Hat Enterprise
Machine Standard
Linux 7 Standard
Persistent Disk
20 Cores Persistent Disk
Volume Size:
128GB Volume Size:
Memory /
/usr/local/
200 GB logrhythm
System
Elasticsearch
Data
*GCP only allows for a max volume of 64TB per instance. You will need to add multiple instances to meet the DXW5120
hardware appliance.
Deployments in MicrosoftAzure
This section provides information about reference architectures for LogRhythm appliances and information about how
to design and deploy LogRhythm in Microsoft Azure.
 It is assumed that the user has experience with Microsoft HyperV and Azure services.
Design
Designing LogRhythm in Azure is similar to on-premise deployments. Assess the volume needs of your organization and
match them to the LogRhythm Reference Architecture.
Windows Systems
Create Windows Virtual Machines using the standard compute instances from Azure. Select the newest operating
system supported on your version of LogRhythm.
• VM disk type should be SSD.
• Select the size of the instance based on your appliance sizing needs using the Azure reference architecture table.
• Storage should be set to use managed disks.
After creating the instance, you will need to add data disks to match the reference architecture. By default, the Windows
instances will create a temporary OS disk that is used for swap and emptied with every shutdown.

 On the Platform Manager, you must change the drive letter of the swap space disk from D to something else.
The LogRhythm Database Install Tool requires the D drive be used for database storage. If you install to this
swap disk, all of the databases will be removed with the virtual machine is shut down.

LogRhythm recommends installing a CentOS 7.x minimal image or Red Hat Enterprise Linux 7 and adhering to the
following steps:
1. Use SSD for the VM disk type.
2. Select the size of the instance based on your appliance sizing needs using the Azure reference architecture table.
3. Set storage to use managed disks.
4. Set up VM access as SSH with the logrhythm user. Doing so makes step 5 unnecessary and you can skip to set 6.
5. Create LogRhythm user.
 Skip this section if the LogRhythm user was already created to access the VM. If the user already exists
with SSH access, skip to the Install the Data Indexer section below.
a. Log into the Azure instance and elevate to the root user:
# sudo su
b. Add a new user called logrhythm:
# adduser logrhythm
c. Set the password for the logrhythm user:
# passwd logrhythm
d. Provide and confirm the desired password for the logrhythm user.
# su - logrhythm
6. Configure the SSH key.

a. Generate the SSH key:

# ssh-keygen -t rsa
b. Accept all defaults and do not enter a password.

c. Navigate to the ssh key:
# cd /home/logrhythm/.ssh
d. Copy and authorize the key:
# cp id_rsa.pub authorized_keys
e. SSH into the instance and add the SSH key to the list of known hosts:
# ssh localhost
f. Enter yes when prompted to continue connecting.

g. Log in as the newly created logrhythm user.
7. Install the Data Indexer.
a. Prepare the DX install by moving the DX installer, plan.yml, and hosts file to the Soft directory:
# sudo mv <filename> /home/logrhythm/Soft
b. Run the DX installer:
# sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/

Soft/hosts --plan /home/logrhythm/Soft/plan.yml
c. When prompted for the SSH password, press Enter with no input or enter the logrhythm user password.
d. When prompted for the Sudo password, enter the password for the logrhythm user created in earlier
steps.
Platform Reference Architecture for Azure
 For all platforms, use only Read host cache on data disks, such as SQL data or Elasticsearch data.




D4S_v3 Disk Type: Disk Type:
Standard Edition
P10 S10
Operating State
System

Platform Manager:

Windows 2016 x64 (none) (none)

D16S_v3 Disk Type: Disk Type: Disk Type:
Standard Edition
P10 P40 P40
C Drive: 128 D Drive: 1748 GB E Drive: 2048
GB GB
L Drive: 150 GB
S Drive: 100 GB
Operating Elasticsearch
T Drive: 50 GB
System Data
Description:
SQL Data/SQL
Logs/LR State/SQL
Temp



Platform Manager:


Standard Edition
P10 P40 P50
C Drive: 128 D Drive: 1748 GB E Drive: 4095
GB GB
L Drive: 150 GB
S Drive: 100 GB
Operating Elasticsearch
T Drive: 50 GB
System Data
Description:
SQL Data/SQL
Logs/LR State/SQL
Temp

Platform Manager:


Windows 2016 x64 (none)

D64S_v3 Disk Type: Disk Type: Disk Type: Disk Type:
Standard Edition
P10 P50 P50 P50
Volume Size: Volume Size: Volume Size: Volume Size:
C Drive: 128 D Drive: 3645 GB E Drive: 4095 F Drive: 4095
GB GB GB
L Drive: 150 GB
S Drive: 250 GB
Operating Elasticsearch Elasticsearch
T Drive: 50 GB
System Data Data
Description:
SQL Data/SQL
Logs/LR State/SQL
Temp

Instance Operating Disk/Vol Disk/Vol Disk/Vol Config 3 Disk/Vol Disk/Vol


E16S_v3 Disk Type: Disk Type: Disk Type:
Standard Edition
P10 P40 P20
C Drive: 128 D Drive: 2048 L Drive: 312 GB
GB GB
S Drive: 100 GB
T Drive: 100 GB
Operating SQL Data
Description:
System
SQL Logs/LR
State/SQL Temp


Instance Operating Disk/Vol Disk/Vol Disk/Vol Config 3 Disk/Vol Disk/Vol


Standard Edition
P10 P50 P30
C Drive: 128 D Drive: 4095 L Drive: 674 GB
GB GB
S Drive: 250 GB
T Drive: 100 GB
Operating SQL Data
Description:
System
SQL Logs/LR
State/SQL Temp



D32S_v3 Disk Type: Disk Type: Disk Type &
Standard Edition
P10 P20 Volume Size1
Volume Size: Volume Size: Description:
C Drive: 128 S Drive: 512 Inactive Archives

GB GB
Operating LR State
System
1
Inactive archives should use File Storage or can use standard disk.




D64S_v3 Disk Type: Disk Type: Disk Type &
Standard Edition
P10 P30 Volume Size1
Volume Size: Volume Size: Description:
C Drive: 128 S Drive: 1024 Inactive Archives

GB GB
Operating LR State
System
1
Inactive archives should use File Storage or can use standard disk.
LR-AIE7500 Series (dedicated AIE server)

• Max MPS: 75,000


Standard Edition
P10 P10
C Drive: 128 GB S Drive: 128 GB
Operating State
System


Instance Type Operating Disk/Vol Disk/Vol Disk/Vol Disk/Vol Disk/Vol

System Config 1 Config 2 Config 3 Config 4 Config 5
CentOS 7.6 or Disk Type : (none) (none) (none)

D16S_v3 Disk Type:
Red Hat
P10
Enterprise P50
Linux 7 Volume Size:
Volume Size:
/
/usr/local/
128 GB logrhythm
System
Elasticsearch
Data

Instance Type Operating Disk/Vol Disk/Vol Disk/Vol Disk/Vol Disk/Vol

System Config 1 Config 2 Config 3* Config 4 Config 5
CentOS 7.6 or Disk Type: (none) (none)

Red Hat
P10
Enterprise P50 P50
/
/usr/local/ /usr/local/
128 GB logrhythm logrhythm/01
Description: 4096 GB 4096 GB
Operating Description: Description:
System
Elasticsearch Elasticsearch
Data Data
*The DX storage values do not match to appliances and can be adjusted based on customer need with a limit of 16TB
total on DX5500.


Instance Operating Disk/Vol Disk/Vol Config Disk/Vol Config 3 Disk/Vol Disk/Vol

Type System Config 1 2 Config 4 Config 5*
CentOS 7.6 or Disk Type :

D64S_v3 Disk Type: Disk Type: Disk Type: Disk Type:
Red Hat
P10
Enterprise P50 P50 P50 P50
Volume Size: Volume Size: Volume Size: Volume Size:
/
/usr/local/ /usr/local/ /usr/local/ /usr/local/
128 GB logrhythm logrhythm/01 logrhythm/02 logrhythm/03
Description: 4096 GB 4096 GB 4096 GB 4096 GB
Operating Description: Description: Description: Description:
System
Elasticsearch Elasticsearch Data Elasticsearch Elasticsearch
Data Data Data
*The DX storage values do not match to appliances and can be adjusted based on customer need with a limit of 32TB
total on DX7500.
LR-DXW5120 Series (dedicated warm tier)

Indexing Rate: 0
Instan Operati Disk/Vol Disk/Vol Disk/Vol Disk/Vol Disk/Vol Disk/Vol

ce ng Config 1 Config 2-5 Config 6-9 Config 10-14 Config 15-19 Config 20-24
Type System
CentOS Disk
D32S_ Disk Type: Disk Type: Disk Type: Disk Type: Disk Type:
7.6 or Type:
v3
Red Hat P50 P50 P50 P50 P50
P10
Enterpri
se Linux Volume Size: Volume Size: Volume Size: Volume Size: Volume Size:
Volume
7 Size: /usr/local/ /usr/local/ /usr/local/ /usr/local/ /usr/local/
logrhythm logrhythm/05 logrhythm/10 logrhythm/15 logrhythm/20
/
4096 GB 4096 GB 4096 GB 4096 GB 4096 GB
128 GB
Description: Description: Description: Description: Description:
Descripti
on: Elasticsearch Elasticsearch Elasticsearch Elasticsearch Elasticsearch
Data Data Data Data Data
Operatin
g System


Type System
Disk Type: Disk Type: Disk Type: Disk Type: Disk Type:
P50 P50 P50 P50 P50
/usr/local/ /usr/local/ /usr/local/ /usr/local/ /usr/local/
logrhythm/01 logrhythm/06 logrhythm/11 logrhythm/16 logrhythm/21
4096 GB 4096 GB 4096 GB 4096 GB 4096 GB
Elasticsearch Elasticsearch Elasticsearch Elasticsearch Elasticsearch
P50 P50 P50 P50 P50
4096 GB 4096 GB 4096 GB 4096 GB 4096 GB
P50 P50 P50 P50 P50
4096 GB 4096 GB 4096 GB 4096 GB 4096 GB


Type System
P50 P50 P50 P50 P50
4096 GB 4096 GB 4096 GB 4096 GB 4096 GB
*The DX warm storage values do not match to appliances and can be adjusted based on customer need with a limit of
120TB total on DXW5120.

Download Software to Install a New LogRhythm Deployment

Before starting the installation process, you should download the LogRhythm tools and software that will be needed
during setup, as follows:
1. Ensure you have access to the LogRhythm Database Install Tool. A download link should have been provided
along with your LogRhythm license. If you cannot locate this tool, contact LogRhythm Support.
2. Download the LogRhythm Installation Wizard, available on the LogRhythm Community.
3. If you are installing a Data Indexer or cluster of Indexers on Linux, download the Installation ISO from the link
provided with your LogRhythm license.
4. Download TLS 1.2 Patches and Hotfixes, available on the LogRhythm Community.
To enable communication over TLS 1.2 for all LogRhythm 7.8.x components, your base deployment must meet the
following requirements:
• Platform Manager is running SQL Server 2016 Standard SP1 or higher.
• LogRhythm 7.8.x core components on Windows are running Microsoft .NET Framework 4.7.2.
 .NET 4.7.2 will be installed by component installers that require it.
After ensuring that your base deployment meets the above requirements, .NET 4.7.2 rollup updates are required on all
Windows appliances or servers running LogRhythm components.
 If the target appliance is up-to-date with important Windows updates, some hotfixes may not be required. If
this is the case, the installer indicates that.
Installers for all the required patches and hotfixes are available in a .zip file on the Community Downloads page for the
current release, under TLS 1.2 Support. You should download LR_75x_TLS_support.zip, extract its contents, and then
distribute the required installers to the required appliances or computers in your deployment.
Download Software to Install a New LogRhythm Deployment 64

Install LogRhythm
Configure Hardware or Virtual Machine
This section describes how to configure your dedicated hardware or virtual machine, based on the Reference
Platform you selected.
1. Make sure your hardware or virtual machine is running Windows Server 2012 R2 Standard or Enterprise Edition,
or Windows Server 2016 (both 64-bit).
2. If necessary, enable .NET Framework 3.5.
a. Log in to the server as an administrator.
b. Start Server Manager.
c. Under Configure this local server, click Add roles and features.
The Add Roles and Features Wizard appears.
d. Under Installation Type, select Role-based or feature-based installation.
e. Under Server Selection, select your local server.
f. Under Features, expand the .NET Framework 3.5.1 Features node, select .NET Framework 3.5.1, and
then click Next.
g. Confirm your selection on the next page, click Install, and follow any additional guidance provided by the
installer.
3. Initialize and configure disks according to LogRhythm components. For more information, see the volume and
disk configurations in the Reference Platform section of this guide.
a. Initialize the newly created hard disks via disk management by going to Administrative
Tools, Computer Management, Storage, and Disk Management.
b. Set up disk partitions and volumes.
4. Run Windows Update to ensure the latest patches, updates, and service packs are installed.
5. If not installed, download and install .NET Framework 4.7.2 as it is required by the Database Install Tool. You can
download the Microsoft .NET Framework 4.7.2 standalone installer here.
The .NET Framework 4.7.2 installation requires 4.5 GB of free disk space.
Shut Down Antivirus and Endpoint Protection Software

Shut down any antivirus or endpoint protection software you have running on all LogRhythm systems.
 In the case of endpoint protection software, you may need to uninstall the software from all LogRhythm
systems as it has been known to interfere with the LogRhythm solution.
When the LogRhythm installation is complete, you can enable or install antivirus or endpoint protection software again.
Install the LogRhythm Databases for the Platform Manager or XM
 A download link to the LogRhythm Database Install Tool should have been provided to you along with your
LogRhythm license. Contact LogRhythm Support if you cannot locate this tool.
Install LogRhythm 65
The Platform Manager, and therefore an XM setup, contains LogRhythm’s SQL Server databases. Use the LogRhythm
Database Install tool to:
• Install SQL Server 2016 Standard SP2
• Apply the LogRhythm license for SQL Server
• Create the default LogRhythm users
• Create the initial databases, tables, stored procedures, and so on
• Size the databases as a percentage of disk space
 The database installation can take up to 30 minutes. If you are installing on a virtual machine, it could take
longer.
To install the LogRhythm databases:

1. Log in to the Platform Manager or XM server and copy the LogRhythm Database Install Tool archive to a new
directory.
2. Locate the archive and extract it to a new directory on a local drive.
3. Browse to the new directory, right-click LogRhythmDatabaseInstallTool.exe, and then click Run as
administrator.
The server role page appears.
4. Select the system’s target role. If you are installing a standalone Platform Manager, select PM. If you are
installing an XM server, select XM.
 If any of the drives on the server do not have enough space for the installation, the value under Will
Use is highlighted in red. You need to reconfigure the system disks to provide enough space for the
installation.
5.Click Install.
6.If you want to change the default SQL Server password for the sa account, click Change Default SQL Password.
7.Type the password for the sa account, and then click Save.
8.When you are ready to proceed, click Install.
9.The tool installs SQL Server and configures all of the necessary settings. This process may take up to ten
minutes, during which the screen appears to be inactive.
10. When the installation is finished, click Done to close the Database Install Tool.
Run the LogRhythm Install Wizard

The LogRhythm Install Wizard can be used to install one or more applications or server roles on each server in your
deployment. The wizard is designed for simplicity, so you can pick the applications or roles you are installing, and the
wizard does everything else.
The installation of one or more applications should not take more than 10 minutes to complete. If you are installing an
XM setup with all applications, the installation may take up to 15 minutes depending on your server specifications. If
you are installing on a virtual machine, the installation times will be slightly increased.
Use the LogRhythm Install Wizard to install or upgrade LogRhythm components in your deployment. You must run the
Install Wizard on each appliance or server in your deployment, and select the appliance configuration that you want to
install or upgrade.
 • The LogRhythm Install Wizard requires .NET Framework version 4.7.2 or above.
• If you are installing or upgrading the Data Indexer or Web Console, ensure that Windows Firewall
Service is running before starting the Install Wizard to allow firewall rules to be created and so the
Common installer can open port 8300.
• Do not try to run the wizard from a network share. Run the wizard locally on each appliance.
• For systems with UAC (Vista and later), always run installers as a Local Administrator with elevated
privileges. The person performing the installation must be in the Local Admin group, unless the
domain is managed and the Group Policy Object dictates that only Domain Administrators can run
installers.
• When installing the Web Console, it is recommended that you run the LogRhythm Install Wizard to
install all Web Console services. You may choose to install the Web Console as a stand-alone
installation or as part of the XM Appliance or Platform Manager (PM) configurations.
 When the Client Console is installed on a fresh system, additional software packages must be installed such as
Microsoft Visual C++ Redistributable packages, SAP Crystal Reports runtime engine, and .NET Framework
4.7.2. For this reason, the Client Console installer may take 30 minutes or more to complete.
1. Log in as an administrator on the appliance or server where you are installing or upgrading LogRhythm software.
2. Copy the entire LogRhythm Install Wizard directory to a new directory on the local server.
3. Open the Install Wizard directory, right-click LogRhythmInstallWizard.exe, and then click Run as
administrator.
The Welcome screen appears.
4. Click Next to proceed.
The wizard asks you to confirm that you have prepared the LogRhythm databases for the upgrade.
5. Click one of the following:
• If you have run the Database Install or Upgrade Tool on each Platform Manager or XM server (or EM or LM
server on 6.3.9 deployments), click Yes to continue.
• If you have not prepared the LogRhythm databases on all required appliances, click No to cancel the
wizard, install or upgrade all of the required databases, and then continue with this procedure.
The End User License Agreement appears.
6. Read the agreement carefully. By accepting the terms in the agreement, you agree to be bound by those terms.
7. If you accept the terms of the agreement, select the I accept the terms in the license agreement check box, and
then click Next.
The configuration selector appears. Depending on the selected configuration, the wizard upgrades or installs a
specific application or set of applications.
 For certain configurations, you can optionally select to install or upgrade the AI Engine.
 If you select the Web Console, it is installed to the default location, C:\Program
Files\LogRhythm\LogRhythm Web Services. For instructions on how to install the Web Console to a
custom location, see the Use the LogRhythm Configuration Manager section in this guide.
8. For each appliance that you install, select the target appliance configuration, according to the following table.
If you are upgrading an existing PM + DP appliance or another configuration that is not represented in the Install
Wizard, select one of the available configurations and then run the wizard again to install the next configuration.
7.x.x Configuration Select…
XM XM
Platform Manager PM
Data Processor DP
Client Console Client Console
Web Console Web Console
AI Engine AIE
Data Collector/System Monitor DC
LogRhythm Diagnostics Tool LRD Tool
LogRhythm Diagnostics Tools Agent LRD Agent
9. When you have selected the target configuration, click Install.

The LogRhythm Deployment Tool appears.
The options available on the main page of the Deployment Tool depend on whether you are upgrading an
existing deployment or installing a new one. Select either Configure New Deployment or Upgrade
Deployment, depending on your situation.
10. Follow the on-screen instructions to create a Deployment Package. Additional help is available by clicking the
question mark icon in the upper-right of the tool.
When you are finished preparing your deployment, you will be returned to the Install Wizard.
11. Observe for any failures as the wizard installs or upgrades the applications according to the selected
configurations.
 When the Client Console is installed on a fresh system, additional software packages must be installed
such as Microsoft Visual C++ Redistributable packages, SAP Crystal Reports runtime engine, and .NET
Framework 4.7.2. For this reason, the Client Console installer may take 30 minutes or more to
complete.
Progress in the installation screen is indicated as follows:

Color Meaning
Green The application was installed successfully. A message about the application and
installed version
is also printed below the status indicators.
Blue The application is being installed.
Yellow The current or a newer version of the application is already installed.
Color Meaning
Red Something went wrong and the application was not installed. Additional details will be
printed
below the status indicators. If something went wrong, check the installer logs located in
the following location:
C:\LogRhythm\Installer Logs\<install date and time>\
 During the Web Console installation or upgrade, if you receive a message that notifies you of an error
with your Windows Installer package, go into each folder in C:\Program Files\LogRhythm\LogRhythm
Web Services and run the unzip.bat file as an administrator. For other failures, run a Repair.
12. Configure your deployment using the LogRhythm Configuration Manager that appears after the installation or
upgrade is complete.
The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited
settings are shown in Basic mode. Advanced mode displays all settings, including those shown in Basic mode,
grouped according to which service they affect. You can filter the settings that are displayed by clicking one of
the options on the left — All (no filtering), Authentication, or Web Services. When settings are filtered, you should
enable the Advanced view to ensure you can see all settings. For more information, see the Use the LogRhythm
Configuration Manager section in this guide.
 While the Configuration Manager is still open, review your previous Web Console configuration values
(backed up before starting the upgrade), turn on the advanced view, and validate or set all of the
values in the Configuration Manager, especially the following:
• Global, Database Server. This is the IP address of your Platform Manager where the EMDB is
installed.
• Web Global, Database Password. This is the password for the LogRhythmWebUI user, used by
the Admin API for connecting to the EMDB. If the password is not correct, the Admin API will
display an error.
• Web Console UI values. Verify all settings for all Web Console instances.
When finished, click Save, back up your current configuration to file, and then close the Configuration
Manager.
 After you validate and save your configuration, it is strongly recommended that you make a new back
up. Save the file in a safe location in case you need to restore it later.
13. To close the LogRhythm Install Wizard, click Exit.
 If you need to install additional components that were not included in the selected configuration, run the
Install Wizard again and select the necessary components.
Use the LogRhythm Configuration Manager
 If you are using multiple Web Console instances, the Configuration Manager lets you apply individual
configurations to each instance. Each instance, for single or multiple Web Consoles, will be identified in the
Configuration Manager as Web Console UI - HOSTNAME, where HOSTNAME is the Windows host name of the
server where the Web Console is installed.
Configuring the Data Indexer for Windows and Linux has moved from the individual clusters to the
Configuration Manager on the Platform Manager.
Each Cluster has it’s own section under Data Indexers that looks like this:
Data Indexer - Cluster Name: <ClusterName> Cluster Id: <ClusterID>
 The Cluster Name and Cluster ID come from the Environment variables, DX_ES_CLUSTER_NAME
and DXCLUSTERID on each server. The Cluster Name can be modified in the Configuration Manager.
If you change the Cluster Name, the name should be less than 50 characters long to ensure it
displays properly in drop-down menus. The DXCLUSTERID is automatically set by the software and
should not be modified.
 Until you have had a chance to tune your deployment, and to avoid potential performance issues with AIE
Cache Drilldown, you should disable the AIE Drill Down Cache API after upgrading.
The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited settings are
shown in Basic mode. Advanced mode displays all settings, including those shown in Basic mode, grouped according to
which service they affect. You can filter the settings that are displayed by clicking one of the options on the left — All (no
filtering), Authentication, or Web Services. When settings are filtered, you should enable the Advanced view to ensure
you can see all settings.
To expand the screen and see all options at once, click the View menu in the upper-left corner of the LogRhythm
Configuration Manager window, then click Toggle Full Screen.
At the bottom of the LogRhythm Configuration Manager window, a service status indicator shows which Services are
active or inactive. A blue light indicates that all services are up. A red light indicates that one or more services are down.
You can hover the mouse over the indicator to see a list of which services are down. In Advanced mode, the indicator
light also appears next to each group header.
 If your LogRhythm Configuration Manager appears grainy, you may need to turn on Windows Font Smoothing.
You can read how to do so here: http://www.microsoft.com/typography/ClearTypeFAQ.mspx
To configure settings in the LogRhythm Configuration Manager:

1. Find the setting you want to configure by doing one of the following:
• In the Search box, type a term that appears in either the name or description of the configuration. Note
that headers and user input data won't be searched. Search returns results from both Basic and
Advanced modes, even if Advanced is not toggled on.
• Scroll through the Basic or Advanced configuration mode until you find the option you want. The
Configuration Manager is used to configure settings such as user ID, password, authentication strategy,
and log level for the following components:
• LogRhythm Database
• Admin API
• AIE Drilldown Cache API
• Alarm API
• API Gateway
• Authentication API
• Case API
• CloudAI
• Data Indexer - (one section per cluster)
• Help and Documentation
• Search API
• Notification Service
• SQL Service
• Web Console API
• Web Console UI
• Web Indexer
• Web Services Host SPI
• Windows Authentication Service
2. Enter the configuration you want. Note the following features:
• The LogRhythm Configuration Manager provides informational text as appropriate about what the
settings do and what unit data must be entered in.
• Configuration changes that could affect the performance of the environment include a written warning
beneath the input box.
• For organizations using Smart Cards, the Automatic Logout Time setting for Web Console API should be
increased from the default of zero.
• Upgrading to a new SIEM version may cause the LogRhythmWebUI Database Password to reset to the
default password in the Alarm API section in the Configuration Manager. If you had previously changed
this password, you must reenter your LogRhythmWebUI Database Password in the Alarm API section in
the Configuration Manager.
• When Web Console Smart Card Authorization is enabled, the other Authentication API settings will
become unavailable.
• Multi-factor authentication requires users to set up authentication tools on their devices.
For more information, see the Log in to the Web Console topic in the Enterprise SIEM Help.
3. Click Save after making changes to the configuration. You can also click Save in the Edit menu in the upper-left
corner of the Configuration Manager. The configuration file is saved to %APPDATA%\LogRhythm Configuration
Manager\presets. You can make additional configuration backups. For more information, see Back Up and
Restore section below.
 If you make a configuration change and then change that configuration again back to the previously
saved setting, the Save button will be deactivated and the last saved values persist. To undo a single
configuration change, click Edit in the upper-left corner of the LogRhythm Configuration Manager, and
then click Undo. You can also press Ctrl+Z. If you need to undo several configuration changes at once,
clicking the Revert Unsaved Changes button sets all configurations back to their last saved values.
The affected service or services restart automatically and the changes are applied. A restart time of up to 60 seconds is
normal.
Install the LogRhythm Data Indexer

(Optional) Deploy ISO image to Each Linux Data Indexer Node
The Linux Data Indexer can be installed with a CentOS 7.x Minimal system or Red Hat Enterprise Linux (RHEL) 7. To
simplify the installation, LogRhythm provides an ISO image that contains the CentOS operating system and the Data
Indexer installer package. To use RHEL 7, you need to download and install it from the Red Hat website, and then follow
the configuration instructions in this guide.
 Before powering on and configuring a Linux Indexer appliance for the first time, ensure that only one of the
network interfaces is connected to your active network with an Ethernet cable. If you are using a virtual
machine, ensure that only one network interface is configured to connect or come up when the virtual
machine is powered on.
Prepare for the Installation

Before you begin, make sure you have done the following:
• Download the installation ISO. The installation ISO requires two physical disks in the Data Indexer system.
 The ISO download link to should have been provided to you along with your LogRhythm license.
Contact LogRhythm Support if you cannot locate this link.
• For a virtual installation, create a new virtual machine that meets the following requirements:
• OS Type is Linux
• OS Version is Red Hat 64-bit
• Hard drive, RAM, and processor meet the requirements stated above
• Two disks
• In the boot order of the system, Hard Disk should be listed before the CD/optical drive
• Note the IP address to be applied to each node, the netmask, the IP address of your default gateway, and the IP
address of two NTP servers to use.
• If you are installing a cluster of Data Indexers, note the following:
• Each Data Indexer server must be of identical specification. For example, the same appliance model, or
same configuration of processors, hard drives, network interfaces, and RAM.
• You must image each node with CentOS 7.x or RHEL 7, but you only need to run the package installer on
one of the cluster nodes.
• Your cluster can contain one or 3-10 physical hot nodes, and 1-10 warm nodes (optional).
Install CentOS Minimal
 If you are using a Red Hat Enterprise Linux 7 system, skip this procedure and go to the Create the LogRhythm
User section.
Install the LogRhythm Data Indexer 73

The ISO installation creates the required “logrhythm” user, creates and sizes all of the required partitions, and prompts
you for network, DNS, and NTP settings upon first logon.
1. If you are installing on a physical computer, burn the ISO image to a DVD. For a virtual install, mount the ISO for
the installation.
2. Boot the computer from the DVD, or start the virtual machine with the mounted ISO.
3. When the boot screen appears, use the arrow keys and the Enter key to select Install CentOS 7.
The operating system will be installed, which can take up to 10 minutes.
4. When prompted to log on, type logrhythm for the login and the default LogRhythm password for the password.
You are prompted to run the initial configuration script. The script is optional, but your Indexer will be
configured to use DHCP on the primary Ethernet adapter, which is not a supported configuration for a
production environment.
5. To run the script, type y.
You are prompted for network, DNS, and NTP details. At each prompt, detected or default values are displayed
in parentheses.
6. To accept these values, press Enter.
7. Enter the network and NTP information, as follows:
Prompt Description
IP Address The IP address that you want to assign to this Data Indexer node.
Netmask The netmask to use.
Default Gateway The IP address of the network gateway.
Domain name servers The IP address of one or more domain name servers (DNS). If any servers
were found via DHCP, they will be displayed as the defaults. If no servers
were found, the Google DNS servers will be displayed as the defaults.
NTP servers The IP address of one or more NTP servers. Enter the IP address of each
server one at a time, followed by Enter. When you are finished, press Ctrl +
D to end.
After completing the items in the configuration script, the system tests connectivity to the default gateway and
the NTP servers. If any of the tests fail, press n when prompted to enter addresses again.
 If you plan to deploy the Indexer in a different network environment and you expect the connectivity
tests to fail, you can press y to proceed.
After confirming the NTP values, you will be logged on as the logrhythm user.
8. Restart the network interfaces to apply the new settings:
sudo systemctl restart network
9. Restart chrony to apply NTP changes:
sudo systemctl restart chronyd

10. To stop the sudo password prompt, add the following line to the sudoers file using the sudo visudo command:
logrhythm ALL=(ALL) NOPASSWD: ALL
 If you are installing a cluster of Data Indexers, repeat the ISO installation on each Data Indexer node.
Create the LogRhythm User on the RHEL 7 System
 If you are using a CentOS Minimal system, skip this step. The ISO installation creates the user automatically.
1. Log on to the host and elevate to the root user:
# sudo su
2. Add a new user called logrhythm:
# adduser logrhythm
3. Set the password for the logrhythm user:
# passwd logrhythm
4. Provide and confirm the desired password for the logrhythm user.
5. Add the logrhythm user to the wheel group:
6. Navigate to the logrhythm user:
# su - logrhythm
7. To stop the sudo password prompt, add the following line to the sudoers file using the sudo visudo command:
logrhythm ALL=(ALL) NOPASSWD: ALL

Install the Data Indexer on Linux
Install a Single-node Cluster

If you have more than one node in your cluster, follow the instructions in the Install a Multi-node Cluster section.
 Before starting the Data Indexer installation, ensure that firewalld is running on all cluster nodes. To do this,
log on to each node and run: sudo systemctl start firewalld
1. Log on to your Indexer appliance or server as logrhythm.

2. Go to the /home/logrhythm/Soft directory where you copied the updated installation or upgrade script.
You should have a file named hosts in the /home/logrhythm/Soft directory that was used during the original
installation.
The contents of the file might look like the following:
10.1.23.65 LRLinux1 hot
10.1.23.67 LRLinux2 warm
3. If you need to create a hosts file, use vi to create a file in /home/logrhythm/Soft called hosts.
The following command sequence illustrates how to create and modify a file with vi:
a. To create the hosts file and open for editing, type vi hosts.
b. To enter INSERT mode, type i.
c. Enter the IPv4 address, hostname to use for the Indexer, and box type, separated by a space.
d. Press Esc.
e. To exit and save your hosts file type :wq.
 The box type parameter is optional. If not designated, the installer will assign a box type of hot. Do not
use fully qualified domain names for Indexer hosts. For example, use only LRLinux1 instead
of LRLinux1.myorg.com.
4. To install DX and make the machine accessible without a password, download the DataIndexerLinux.zip file
from the Documentation & Downloads section of the LogRhythm Community, extract the PreInstall.sh file to /
home/logrhythm and execute the script.
 This cannot be run as sudo or the DX Installer will fail.
sh ./PreInstall.sh
5. Generate a plan file which includes the IP of the Linux DX system and copy the plan.yml from the newly created
LRDeploymentPackage folder from XM to the node from where DX-Installation will be done.
6. Run the installer with the hosts file argument:
sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts <absolute path to .hosts

file> --plan /home/logrhythm/Soft/plan.yml --es-cluster-name <cluster_name>

Press Tab after starting to type out the installer name, and the filename autocompletes for you.
 **--es-cluster-name is required only for fresh setup not for an upgrade.
7. If prompted for the SSH password, enter the password for the logrhythm user.
The script installs or upgrades the Data Indexer. Common components are installed at /usr/local/logrhythm/.
LogRhythm Common Components (API Gateway and Service Registry) logs:
sudo journalctl -u LogRhythmAPIGateway > lrapigateway.log
sudo journalctl -u LogRhythmServiceRegistry > lrserviceregistry.log
 This process may take up to 10 minutes.
When the installation or upgrade is complete, a confirmation message appears.

8. Check the status of services by typing sudo systemctl at the prompt, and look for failed services.
 If the installation or upgrade fails with the error — failed to connect to the firewalld daemon — ensure that
firewalld is running on all cluster nodes and start this procedure again. To do this, log on to each node and
run: sudo systemctl start firewalld
Install a Multi-node Cluster

Run the install once for each cluster, the package installer installs a Data Indexer on each node. Run it on the same
machine where you ran the original installer.
 Before starting the Data Indexer installation or upgrade, ensure that firewalld is running on all cluster nodes.
To do this, log on to each node and run: sudo systemctl start firewalld
1. Log on to your Indexer appliance or server as logrhythm.

2. Change to the /home/logrhythm/Soft directory where you copied the script.
You should have a file named hosts in the /home/logrhythm/Soft directory that was used during the original
installation.
The contents of the file might look like the following:
10.1.23.67 LRLinux2 warm
3. If you need to create a hosts file, use vi to create a file in /home/logrhythm/Soft called hosts.
The following command sequence illustrates how to create and modify a file with vi:
a. To create the hosts file and open for editing, type vi hosts.
b. To enter INSERT mode, type i.
c. Enter the IPv4 address, hostname to use for the Indexer, and box type, separated by a space.
d. Press Esc.
e. To exit and save your hosts file type :wq.

 The box type parameter is optional. If not designated, the installer will assign a box type of hot. Do not
use fully qualified domain names for Indexer hosts. For example, use only LRLinux1 instead
of LRLinux1.myorg.com.
4. To install DX and make the machine accessible without a password, download the DataIndexerLinux.zip file
from the Documentation & Downloads section of the LogRhythm Community, extract the the PreInstall.sh file
to /home/logrhythm and execute the script.
 This cannot be run as sudo or the DX Installer will fail.
sh ./PreInstall.sh
5. Generate a plan file which includes the IP of Linux DX system and copy the plan.yml from the newly created
LRDeploymentPackage folder from XM to the node from where DX-Installation will be done.
6. Run the installer with the hosts file argument:
sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts <absolute path to .hosts

file> --plan /home/logrhythm/Soft/plan.yml --es-cluster-name <cluster_name>
Press Tab after starting to type out the installer name, and the filename autocompletes for you.
 **--es-cluster-name is required only for fresh setup not for an upgrade.
7. If prompted for the SSH password, enter the password for the logrhythm user.
The script installs or upgrades the Data Indexer on each of the DX machines. Common components are installed
at /usr/local/logrhythm.
LogRhythm Common Components (API Gateway and Service Registry) logs:
sudo journalctl -u LogRhythmAPIGateway > lrapigateway.log
sudo journalctl -u LogRhythmServiceRegistry > lrserviceregistry.log
 This process may take up to 10 minutes.
When the installation or upgrade is complete, a confirmation message appears.

8. Check the status of services by typing sudo systemctl at the prompt, and look for “failed” services.
 If the installation or upgrade fails with the following error — failed to connect to the firewalld daemon —
ensure that firewalld is running on all cluster nodes and start the installation again. To do this, log on to each
node and run: sudo systemctl start firewalld

(Optional) Use the Data Indexer Node Installer

The LogRhythm Data Indexer (LRDX) Node Installer is available to users that have purchased a DX 7500. The installer
leverages the resources on the DX 7500 to improve the indexing and TTL performance by adding a second Elasticsearch
instance to each DX 7500.
The LRDX Node Installer installs and adds the second instance of Elasticsearch to the DX cluster on each DX host.
 The LRDX Node Installer is needed to hit the specified performance numbers for the DX 7500.
Prerequisites
A CPU core of at least 50 and 124 GB of RAM are required for the LRDX Node Installer to run.
Install a New DX 7500

Before installing the LRDX Installer, you need to follow the standard installation documentation for the version of
software you are deploying. For more information, see Install a New LogRhythm Deployment.
1. Connect to the Data Indexer system as a LogRhythm user.
2. Download the LRDXNodeinstaller-<version>.centos.x86_64.run package installer to the Logrhythm user’s
home directory on one of your Data Indexer appliances (for example, /home/logrhythm/Soft). The installer is
available on the Support/Partner downloads section of the LogRhythm Community.
3. Change to the soft directory:
cd Soft
4. Run the LRDX Node Installer with the host file created in the initial install:
sudo sh <installer> --hosts /home/logrhythm/Soft/hosts --add
The hosts file must follow a defined pattern of {IPv4 address}, {hostname}, {boxtype}(mandatory) on each line.
The file might look like the following:
 The box type parameter is mandatory in the hosts file, if not designated the installer will fail with a —
missing parameter— error.
5. When prompted for the SSH password, enter the password for the LogRhythm user.
Uninstall a Node
To uninstall the software or a Linux node:
1. Move the data from the secondary Elasticsearch node back to the primary by running:

sudo sh <installer> --hosts /home/logrhythm/Soft/hosts --move
 The time required to complete this task depends on the amount of data stored.
2. Remove the secondary node by running:
sudo sh <installer> --hosts /home/logrhythm/Soft/hosts --remove
The hosts file must follow a defined pattern of {IPv4 address}, {hostname}, {boxtype}(mandatory) on each line.
The file might look like the following:
 The box type parameter is mandatory in the hosts file, if not designated the installer will fail with a —
missing parameter— error.
 If the data move to the primary Elasticsearch node is not completed, this operation fails so that data
loss is avoided.
Add a Node to an Existing Cluster

Adding a node to an existing cluster requires running the DX installer and will cause downtime for the Data Indexer. The
steps for adding a node are generally the same but may differ slightly depending on the type of node being added and
the current cluster size.
Prerequisites
These instructions assume:
• the Data Indexer ISO has already been installed on the new server.
• the node is in place and online.
• the first run has been executed and configured.
• the new node has the static IP address set.
• the new node has the hostname set.
• the new node has NTP configured.
• the Soft directory exists.
• the “logrhythm” user/password is set to match the existing “logrhythm” user.
 See Prepare for the Installation for more information.

Downtime
The amount of downtime experienced by the cluster will depend on the hardware, number of open indices, and their
relative sizes. The larger the indices are, the longer full recovery may take. All data processed by the Data Processors
will be spooled to the DXReliablePersist state folder until the cluster is recovered, and the data can be inserted into the
cluster.
Hardware Configuration
All hot nodes in the cluster require matching resources. Do not add a node to the cluster if the new node does not have
matching CPU, disk/partition, and memory configurations for the existing nodes in the cluster. Hot and Warm node
hardware configurations may be different, although all hot nodes in the cluster should have the same configuration,
and all warm nodes in the cluster should have the same configuration. A mismatch in CPU, Memory, or disk/partition
sizes may cause performance issues and can affect the number of hot and warm indices available across the entire
cluster. Warm nodes will still be used for data ingestion.
Data Indexer Installer
Run the installer from the same node the installer was originally run from. Do not run the installer on the new
node. Adding a new node to the cluster requires configuration changes on all nodes. Running the installer from
the install node will ensure these configurations are pushed to all nodes in the cluster.
Verify that you are installing the correct version of the LogRhythm Data Indexer. If an incorrect version is installed, the
Data Indexer cannot be downgraded without fully uninstalling the software.
Verify the current installed version by viewing the version file on an existing node:
cat /usr/local/logrhythm/version
Cluster Health
Elasticsearch is not required to be in a green state while adding a node, but it is best practice to verify the cluster is
green before adding the node to ensure the process is successful.
Run the following command on any existing node to see the cluster health:
curl localhost:9200/_cluster/health?pretty
Verify that the status is green. If the cluster status is yellow or red, we recommend correcting any issues with the
cluster before proceeding.
Cluster Size
Consider the size of the cluster before adding a node, as there are some restrictions to the sizes of a single cluster.
• Total maximum cluster size is 30 Elasticsearch nodes

• A cluster may have a maximum of 20 physical nodes

• A cluster may have up to 10 software nodes
Cluster Configurations:
A possible configuration: 1 or 3-10 Hot physical Nodes + 0-10 2XDX software nodes + 0-10 Warm Nodes.
A single cluster may not contain only two physical hot nodes (including when 2XDX and warm nodes are part of the
cluster). This is to avoid a “split-brain” scenario. Hot nodes on a cluster can be 1 or 3 to a maximum of 10 physical hot
nodes.
A single cluster must contain at least one hot node and can contain from 0 up to 10 warm nodes.
2XDX only applies to DX7500 nodes as 2XDX software can only be installed on servers with 256 GB memory and 56 vcpu.
Each physical hot node can have one additional instance of the 2XDX (hot software node) if they meet the resource
requirements. It is not recommended that you install 2XDX on virtual servers as performance can be impacted. If 2XDX
nodes are used in a cluster, it should be installed on all physical hot nodes in the cluster.
Installation procedure
Follow this sequence for installation:
1. Verify that the new node is online and ready to be added to the cluster, noting the current IP and hostname of
the new node.
The node should be started and ready for the LogRhythm software to be installed.
 You should not need to copy or edit any files for the new node.
Note the Hostname and IP Address from the server as these will need to be added to the plan, and to the hosts
files for the installed node in later steps.
Use the following commands to get the Hostname and IP of the server. The hostname must be set to the expect
hostname before adding the node to the cluster.
Hostname: hostname
IP Address: ip a
2. Identify the install node and verify the currently installed version of Data Indexer.
 If you start the install with a LogRhythm Data Indexer version higher than the current installed version
on the cluster, you may need to reimage the new server to install a lower version.
a. Verify the currently installed version by running the following command on any existing node in the
cluster:
cat /usr/local/logrhythm/version
b. When the DX installer is executed in later steps, you will need to run the installer from the same node the
DX installer was originally ran on. Usually, this is the first node in the cluster and will be the node that has
the existing hosts file created for the original install.
c. If you are unsure and need to identify the node, you can use 1 or both of the following methods:

i. Check the /home/logrhythm/ and /home/logrhythm/Soft directory on the node for the hosts
file. This is the file that was created during the original install. The hosts file will contain all
existing nodes, their respective IPs, and the box type. This file does not need to exist on all nodes
in the cluster, only the previous install node.
ii. You can also verify if a node is the primary host by viewing the primary_host file on each node.
cat /usr/local/logrhythm/env/primary_host
If is_primary_host=True, then this is the node on which the installer was last run.
If is_primary_host=False or (blank), then this is not the node on which the installer was last run.
3. Create an updated LRII package using the LogRhythm Infrastructure Installer on the Platform Manager that
includes the new nodes IP address.
a. On the Platform Manager server, open the LogRhythm Infrastructure Installer from the LogRhythm
programs group.
b. Click Add/Remove Host.
c. Click Add Host.
d. Add the IP Address of the new DX host, and optionally, the host nickname.
e. Click Save.
f. Click Create Deployment Package.
g. Verify the IP Addresses in the list and click Create Deployment Package.
h. Select the folder location in which to create the new LRDeploymentPackage, and click Select Folder.
Once the package is created it will provide the path to the LRDeploymentPackage folder. Copy this path
to the clipboard if necessary to help locate the newly created package.
i. Click Next Step.
j. Click Run Host Installer on This Host.
This will start the install of the newly generated LRII package on the Platform Manager.
Once the LRII install completes on the Platform Manager, expand “Step 2”. At this point, leave the
LogRhythm Deployment Tool screen open on the Platform Manager, you will return to this screen after
the node is installed.
 Do not close the LogRhythm Deployment Tool window until the cluster is successfully verified. Closing
the tool at this step may require starting the process over at the beginning (including the DX install
itself) to be able to validate the deployment.
4. Copy the necessary files to the Data Indexer install node. The currently installed version may already be present
in the Soft folder. You will not need to copy any files to the new node as the Data Indexer installer will copy
necessary files to all nodes in the cluster during install.
a. Using WinSCP, or similar, copy the plan.yml file (from the newly created LRDeploymentPackage folder
you selected on in the previous steps) to the /home/logrhythm/Soft directory on the Data Indexer install
node (not the new node you are adding to the cluster). This file contains the updated plan information
for the common components.
 Make sure you are using the newly generated plan.yml file. Using a previously generated plan
file may render the Data Indexer unable to communicate with other LogRhythm services and
servers.

b. Verify that the Data Indexer installer and the PreInstall.sh file are both present in the Soft folder.
 If these files are missing, re-verify that this is the node the installer was originally ran from. If the files
were deleted since the last install, download the standalone Linux Data Indexer version installer zip
from the community and copy the two files included in the zip to the Soft folder.
PreInstall.sh
LRDataIndexer-{version}.centos.x86_64.run
5. Update the existing hosts file on the installer node with the new node information. The hosts file is usually
created in the /home/logrhythm/Soft directory but may be in /home/logrhythm/. This file should already
contain the IP Hostname, and box type, of the existing nodes in the cluster.
a. Edit the LR specific hosts file used by the Data Indexer Installer using vi or similar editor.
sudo vi /home/logrhythm/Soft/hosts
Type i to enter insert mode.

Edit the necessary lines.
Press Esc to exit insert mode.
Press shift + ; to enter command mode.
Write and quit to exit, type: wq
b. Add a new line with the IP Address, Hostname, and box type (either hot or warm) in the following
format:
<IP> <HOSTNAME> <box type>
Example: 192.168.0.1 mydxhostname hot
 box type is optional if there are only hot nodes in the cluster. If the other host lines have the
box type, it will need to be added with the new line. If warm nodes exist or you are adding a
warm node, the box type will need to be set for all hosts for a successful configuration during
install.
6. Run the PreInstaller.sh script (on the installer node) to setup PubKey (password-less) Authentication.
a. (Optional) If you had to copy PreInstall.sh, you will need to set execute permission on the PreInstall.sh
script.
sudo chmod +x /home/logrhythm/Soft/PreInstall.sh
b. Execute the PreInstall.sh script:
sh /home/logrhythm/Soft/PreInstall.sh
c. Enter the current ssh password for the logrhythm user (password used to connect to the server).

d. Enter the path to the hosts file updated in the last step.
The script will run through multiple steps.
 Some steps of the PreInstall.sh may show a warning or error depending on the current configuration.
These can be ignored if the Testing ssh as logrhythm user using Public Key Authentication section
shows SSH OK, for all hosts in the host file. If SSH: Failed shows for any host, review the output and fix
any SSH issues prior to running the DX installer.
 The Data Indexer installer WILL fail if PubKey Authentication is not successfully setup prior to running
the installer.
7. Run the Data Indexer installer to add the node to the cluster. Run the install command following the Data
Indexer from the commands below. You will need to supply the full path to the hosts file, the full path plan.yml
file, enter the existing cluster name, and add the “—force” switch. The force switch is needed because you are
running the installer against the same installed version.
 This step assumes the cluster health is green. The existing cluster name can be found in the
LogRhythm Console on the Clusters Tab, under Deployment Monitor.
a. Change to the Soft directory:
d /home/logrhythm/Soft
b. Run the Base Command:
sudo sh LRDataINdexer-<version>.centos.x86.64.run --hosts <full path to

hosts> --plan <full path to plan.yml> --es-cluster-name=<existingclustername>
--force
Example:
sudo sh LRDataIndexer-10.0.0.121-1.centos.x86_64.run --hosts /home/

logrhythm/Soft/hosts --plan /home/logrhythm/Soft/plan.yml --es-cluster-
name=mycluster --force
The Data Indexer installer will execute and run through the full install, adding the new node to the cluster. Once
the successful message is displayed, the node has been added to the cluster. If you receive a message that the
install failed, review the /var/log/persistent/ansible.log for the reasons for the failure, correct any underlying
issues, and run the install command again.
8. (Optional) If the newly added node is a DX7500 node, run the secondary LR DX Node Installer to add the 2XDX
software to the newly installed node.

 The LRDXNodeInstaller is a separate installer from the Data indexer installer available from the
downloads page.
On the install node, execute the LRDXNodeInstaller using the following Base Command:
sudo sh /usr/local/logrhythm/DXNodeInstaller-<version>.centos.x86_64.run --add --

hosts <fullpathtohosts> --ma
Example:
sudo sh /usr/local/logrhythm/DXNodeInstaller-11.0.0.4.centos.x86_64.run --add --

hosts /home/logrhythm/Soft/hosts --ma
9. Run the following command to verify that the node was successfully added to the cluster with the correct box
type:
curl localhost:9200/_cat/nodeattrs?v
All nodes for the cluster should be present along with the current box type. Any 2XDX nodes can be identified as
they will show as <hostname>-data for the node name.
You can also run the cluster health command to verify the total number of nodes present in the cluster:
curl localhost:9200/_cluster/health?pretty
Troubleshooting
After the install completes, all Data Indexer services will automatically start on all nodes. it may take a minute or two for
Elasticsearch to start on all nodes.
If the Elasticsearch API endpoint does not respond after 5 minutes, check the Elasticsearch /var/log/elasticsearch/
<clustername>.log file to identify any errors Elasticsearch may be experiencing on startup. The Elasticsearch Service
log will exist on each node in the cluster. You may need to check the log on each individual node to determine the full
extent of any issues with the service or cluster starting. The log will be named the same as the cluster name provided in
the install command.
Get the service status on a specific node:
sudo systemctl status elasticsearch
Tail the Elasticsearch log:

tail -f /var/log/elasticsearch/<clustername>.log
When the Elasticsearch node services start and the master node is elected, the cluster health will go from red -> yellow
-> green. It may take an extended period (hours) for all existing indices to be recovered after the install. The cluster
health command will show you the percentage of index shards recovered. Indexing and search will be available once
the primary shards have been recovered.
The cluster health change from red to yellow is usually relatively fast, but the time between the health change from
yellow to green will depend on the number of indices, and their shard sizes.
 Performance may be impacted while the cluster recovers.
You can verify the status of index recovery using the following command on any node:
watch -n2 ‘curl -s localhost:9200/_cat/recovery?v | grep -v done’
The number of shards that are recovered at any time is throttled by Elasticsearch settings.
If shards stop showing in the recovery list, and the cluster health has not yet reported green, please contact LogRhythm
Support to investigate why shards are not initializing or assigning as expected.
Validate the Linux Indexer Installation

To validate a successful upgrade of the Linux Indexer, check the following logs in /var/log/persistent:
• ansible.log echoes console output from the upgrade, and should end with details about the number of
components that upgraded successfully, as well as any issues (unreachable or failed)
• logrhythm-node-install.sh.log lists all components that were installed or updated, along with current versions
• logrhythm-cluster-install.sh.log should end with a message stating that the Indexer was successfully installed
Additionally, you can issue the following command to verify the installed version of various LogRhythm services, tools,
and libraries, as well as third party tools:
sudo yum list installed | grep -i logrhythm
1. Verify that the following LogRhythm services are at the same version as the main installer version:
• Bulldozer
• Carpenter
• Columbo
• GoMaintain
• Transporter
• Watchtower
2. Verify that the following tools/libraries have been installed:
• Cluster Health
• Conductor

• Persistent
• Silence
• Unique ID
• Upgrade Checker
3. Verify the following version of this service:
• elasticsearch 6.8.3
Verify a Warm Node

To identify whether a warm node is working correctly after installation, perform the following:
1. Verify Warm Node configuration:
curl localhost:9200/_cat/nodeattrs?v
2. Verify Node Settings in /usr/local/logrhythm/env/es_datapath:
[root@DX01 env]# cat /usr/local/logrhythm/env/es_datapath

DX_ES_PATH_DATA=/usr/local/logrhythm/db/elasticsearch/data
DX_ES_CLUSTER_NAME=<cluster name>
DX_ES_DISCOVERY_ZEN_PING_UNICAST_HOSTS=<IPs of eligible master nodes>
DX_ES_DISCOVERY_ZEN_MINIMUM_MASTER_NODES=<# of eligible master nodes/2 (rounded
down) +1>
DX_ES_BOX_TYPE=warm
DX_ES_IS_MASTER=false
3. On each node in /usr/local/logrhythm/transporter/logs.json, verify the number of shards and replicas based on

number of hot nodes:
"number_of_shards": "<physical hot nodes * 2>"

"number_of_replicas": (this will be "0" for single hot node or "1" for a multi hot
node cluster)
 For 2XDX, physical nodes are only used for the shard calculation. A three-node 2XDX will have six
shards.
4. Verify warm node functionality:

a. Wait until Elasticsearch's heap moves an open index to the warm node as a closed index.
b. Verify that GoMaintain does not throw errors when moving the index to the warm node as Closed.
c. (Optional) Perform an investigation against a closed index on the warm node (though this step alone will
not confirm that the warm node is working).

Information about Automatic Maintenance

Automatic maintenance is governed by several settings in GoMaintain Config:
Disk Utilization Limit

Disk Util Limit. Indicates the percentage of disk utilization that triggers maintenance. The default is 80, which means
that maintenance starts when the Elasticsearch data disk is 80% full.
 The value for Disk Util Limit should not be set higher than 80. This can have an impact on the ability of
Elasticsearch to store replica shards for the purpose of failover.
Maintenance is applied to the active repository, as well as archive repositories created by SecondLook. When the Disk
Usage Limit is reached, active logs are trimmed when “max indices” is reached. At this point, GoMaintain deletes
completed restored repositories starting with the oldest date.
The default settings prioritize restored repositories above the active log repository. Restored archived logs are
maintained at the sacrifice of active logs. If you want to keep your active logs and delete archives for space, set your min
indices equal to your max indices. This forces the maintenance process to delete restored repositories first.
Force Merge Configuration

Force Merge Config. Combines index segments to improve search performance. In larger deployments, search
performance could degrade over time due to a large number of segments. Force merge can alleviate this issue by
optimizing older indices and reducing heap usage.
 Do not modify any of the configuration options under Force Merge Config without the assistance of
LogRhythm Support or Professional Services.
Parameter Default Value
Merging Enabled If set to true, merging is enabled. If set to false, merging is false
disabled.
Logging of configuration and results for force merge can be found in C:\Program
Files\LogRhythm\DataIndexer\logs\GoMaintain.log.
Index Configs
The DX monitors Elasticsearch memory and DX storage capacity.
GoMaintain tracks heap pressure on the nodes. If the pressure constantly crosses the threshold, GoMaintain decreases
the number of days of indices by closing the index. Closing the index removes the resource needs of managing that data
and relieves the heap pressure on Elasticsearch. GoMaintain continues to close days until the memory is under the
warning threshold and continues to delete days based on the disk utilization setting of 80% by default.

The default config is -1. This value monitors the systems resources and auto-manages the time-to-live (TTL). You can
configure a lower TTL by changing this number. If this number is no longer achievable, the DX sends a diagnostic
warning and starts closing the indices.
Indices that have been closed by GoMaintain are not actively searchable in 7.6 but are maintained for reference
purposes. To see which indices are closed, run a curl command such as the following:
curl -s -XGET 'http://localhost:9200/_cat/indices?h=status,index' | awk '$1 ==

"close" {print $2}'
Open a browser to http://localhost:9200/_cat/indices?v to show both open and closed indices.

Indices can be reopened with the following query as long as you have enough heap memory and disk space to support
this index. If you do not, it immediately closes again.
curl -XPOST 'localhost:9200/<index>/_open?pretty'
After you open the index in this way, you can investigate the data in either the Web Console or Client Console.

Complete Additional LogRhythm Installation Tasks

Configure or Verify Communication Ports
LogRhythm installers should open the TCP ports required for component communications. Additional configuration
may be required, as described in this section. For more information on ports, see the Networking and Communication
topic in the Enterprise SIEM Help.
 If you need assistance with any of the procedures listed below, contact your system or network administrator.
Configure Access for Remote Consoles

Users should access their LogRhythm deployment using a Client Console that is installed on their local workstation or
through Citrix/Terminal Services (that is, not via the Client Console that is installed on the XM or Event Manager/
Platform Manager). For this reason, some configuration to allow remote access may be required after upgrading to
7.8.x.
If any intermediary firewalls are enabled between any LogRhythm Client Consoles, including the Windows Firewall on
any LogRhythm appliance, you must add the following rule to each firewall if access to the Data Indexer IP address is
not already allowed by applied policies:
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13130
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13132
Verify Ports on the Linux Data Indexer

To verify which ports are listening for incoming traffic on a Linux Indexer node, log on to the Indexer node as logrhythm
and run the following command:
sudo firewall-cmd --permanent --zone=public --list-all
This lists all the public ports opened for DX:

• 8501/tcp
• 8300/udp
• 8301/udp
• 8300/tcp
• 8301/tcp
If you need to open any incoming ports on the Linux Indexer, do the following:
1. Log on to the Indexer node as logrhythm and run the following commands:
Complete Additional LogRhythm Installation Tasks 91

sudo firewall-cmd --zone=public --add-port=port/tcp --permanent

sudo firewall-cmd –-reload
2. Repeat the steps above on each Linux Data Indexer.
Verify Ports on the Windows Data Indexer or the Data Processor

To verify allowed ports on a Windows server host:
1. Log on to the Windows server as an administrator.
2. Open a command prompt and run the following command:
netsh firewall show state
Ports that are currently open on all interfaces are displayed below the firewall status.
 The netsh command has been deprecated but should still work on Windows Server 2008 R2, 2012 R2,
and 2016. If necessary, start Windows Firewall and search for the ports that are allowed on the current
server.
If you need to allow any ports on a Windows server host:

1. Log on to the Windows server as an administrator.
2. Open a command prompt and run the following command:
netsh advfirewall firewall add rule name="rule name" dir=in action=allow

protocol=TCP localport=port
Verify SQL Server Authentication and LogRhythm Databases

To verify authentication on the Platform Manager or XM server:
1. Click Start, Apps, and then Microsoft SQL Server Management Studio.
2. In the Connect to Server window, enter the following information:
a. Authentication. SQL Server Authentication
b. Login. sa
c. Password. Enter the appropriate password
3. Click Connect.
The Microsoft SQL Server Management Studio window opens.
4. Expand the Databases folder. You should see the following LogRhythm Databases:
• LogRhythm_Alarms
• LogRhythm_CMDB
• LogRhythm_Events
• LogRhythm_LogMart

• LogRhythmEMDB
5. Exit Microsoft SQL Server Management Studio.
Verify LogRhythm Installation

Verify that the installation completed successfully by checking for the LogRhythm components in Add/Remove
Programs.
1. Click Start, Control Panel, and Add/Remove Programs.
2. Search for the following LogRhythm components on each server type and verify the version within the support
information link.
LogRhythm Component XM PM DP DX AIE Collector
Advanced Intelligence (AI) Engine X X X
Alarming Manager X X
Console* X X
Data Indexer (DX) X X
Job Manager X X
Mediator Server Service X X
System Monitor Service** X X X X X
Common X X
* The Console can be installed on any supported system.

** The System Monitor can be installed on any supported system. At a minimum, you must install it on the XM or PM.
If you have any issues with the installation, contact LogRhythm Support. C:\LogRhythm\InstallLogs contains the
install logs that may supply useful error messages for support.
Verify Web Console Processes

The installer automatically starts the services and processes needed to run the Web Console. However, you should
ensure that these processes are running by doing the following:
1. Go to Services on your machines.
2. Verify that the following services have started:
• LogRhythm API Gateway
• LogRhythm Authentication API
• LogRhythm Case API
• LogRhythm Service Registry
• LogRhythm Threat Intelligence API
• LogRhythm Web Console API

• LogRhythm Web Console UI

• LogRhythm Web Indexer
• LogRhythm Web Services Host API
3. Go to Task Manager on your machine.
4. Verify that the following services have started:
• java.exe (one instance)
• LogRhythm.Web.Services.ServicesHost.exe
• LogRhythmAPIGateway.exe
• LogRhythmAuthenticationAPI.exe
• LogRhythmCaseAPI.exe
• LogRhythmServiceRegistry.exe
• LogRhythmThreatIntelligence.exe
• lr-threat-intelligence-api.exe (32 bit)
• LogRhythmWebConsoleAPI.exe
• LogRhythmWebConsoleUI.exe
• LogRhythmWebIndexer.exe
• LogRhythmWebServicesHostAPI.exe
• nginx.exe *32 (a minimum of two instances)
• node.exe (four instances)
• procman.exe (eight instances)
• NSSM Service Manager
 NSSM is not a LogRhythm application, but a third-party service manager that provides a wrapper
around Java, Go, and other services to ensure that they run properly on Windows and that they are
restarted when they stop.
Install Other Agents

To install the LogRhythm System Monitor Agent on other machines, or to install the non-Windows System Monitor
Agents:
1. System Monitor installer files are available in the LogRhythm Install Wizard, in the Installers subfolder. Make sure
to use the appropriate file for 32-bit or 64-bit systems:
• LRSystemMonitor_7.8.x.xxxx.exe
• LRSystemMonitor_64_7.8.x.xxxx.exe
You can also download the Windows System Monitor installers from the release downloads page on
the LogRhythm Community.
2. Download *NIX System Monitor Agent packages from the release downloads page on the LogRhythm
Community. Text-based installation instructions for each package and platform are available, and additional
installation instructions are available in the System Monitor documentation.
 For all *NIX operating systems that support Realtime FIM, the System Monitor requires root privileges.

Configure the LogRhythm Software

You can work directly with Professional Services to configure your LogRhythm Solution, or you can follow the steps in
the New Deployment Wizard topic in the LogRhythm SIEM Help. You can find additional resources on the LogRhythm
Community.
 The LogRhythm upgrade guides contain information about some post-upgrade (or postinstall) configurations
that are important to your deployment. You may want to review those guides to ensure that at least the
following items are addressed:
• Ensure that all Data Processors are assigned to a cluster
• Verify the IP Address of the LogMart Database Server
You need the following items for the deployment, whether you configure LogRhythm yourself or you work with
Professional Services:
• LogRhythm License File that is sent via email
• LogRhythm Knowledge Base (extension .lkb), which is located in the following folder: \LogRhythm\Install\KB
Add Realtime Antivirus Exclusions for LogRhythm

If you removed third party antivirus or endpoint protection software to conduct an upgrade or installation, reinstall it.
When running antivirus scanning software on a LogRhythm platform and/or on System Monitor Agent systems, be sure
to exclude the following directories from realtime antivirus scans. Scanning these directories has a major impact on the
performance of the LogRhythm platform. However, these locations should be scanned on a regularly scheduled basis.
 The following lists include the default directories. However, the location of any State folder (including AI
Engine, Job Manager, and SCARM) and archive data is customizable to use any location (for example, D:\). The
locations of these folders need to be excluded.
XM Appliance
If you have an XM appliance, apply the exclusions specified for the PM, DPX, and AIE (if installed).
PM Appliance
• D:\*.mdf
• L:\*.ldf
• T:\*.mdf
• T:\*.ldf
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• C:\tmp\indices\ (if Web Console is installed on the PM)
• If the Threat Intelligence Service (TIS) is installed:
• C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\*.*
• C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\staging\HailATaxii\*.*

DP or DPX Appliance (Windows)

• All files in the directories and sub-directories of the paths stored in the environment variables %DXPATH%,
%DXCONFIGPATH%, and %DXDATAPATH%. By default, this is D:\Program Files\LogRhythm\Data Indexer\. To
view the environment variables, go to the Advanced System Settings, and click Environment Variables.
• D:\LogRhythmArchives\Active\*.lua
• X:\LogRhythmArchives\Inactive\*.lca (where X: is the location of the inactive archives, D: by default)
• X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.bin (where X: is the location of the state
folder)
• X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.dgz (where X: is the location of the state
folder)
• C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\data
• C:\Program Files\LogRhythm\Data Indexer\elasticsearch\data
• C:\Windows\Temp\jtds*.tmp
DX Appliance (Linux)
• /usr/local/logrhythm/db/elasticsearch/data (default path, includes both state and data files)
AIE Appliance
• C:\Program Files\LogRhythm\LogRhythm AI Engine\data\*.*
• C:\Program Files\LogRhythm\LogRhythm AI Engine\state\*.*
 If the AIE service is running on the PM appliance, exclude these directories on the PM.
Collector Appliance or Agents Deployed on Servers

• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.bin
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.suspense
 The above path is the default installation locations for the System Monitor Agent. If you install the Agent in a
different location (for example, D:\), update the exclusion as required.
Agents Deployed Linux Servers

• /opt/logrhythm/scsm/state/*.pos
• /opt/logrhythm/scsm/state/*.suspense
Web Console
• D:\tmp\indices

High Availability Deployments

• C:\lk\* directory (or whichever folder LifeKeeper is installed in)
• C:\Program Files (x86)\SIOS\DataKeeper> directory (or whichever folder DataKeeper is installed in)
• C:\Program Files (x86)\SIOS\DataKeeper\Bitmaps) (or whichever folder the bitmap file is stored in)
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0- BEC7-08002BE2092F}
• Registry keys used by SIOS, available at the following link: http://docs.us.sios.com/WindowsSPS/8.6/SPS4W/
TechDoc/index.htm#DataKeeper/Administration/
Registry_Entries.htm%3FTocPath%3DDataKeeper%7CAdministration%7C_____10

Supplemental Information for Installations

Troubleshoot the LogRhythm Configuration Manager
If the LogRhythm Web Services Host, the LogRhythm API Gateway, or the LogRhythm Service Registry is not running,
you receive an error message and the LogRhythm Configuration Manager does not load. If you are not running the
LogRhythm version of SQL server, one of the following error messages displays:
• The LogRhythm Configuration Manager displays: Cannot communicate with Services Host API.
• The log file for Service Host API displays: 2016-07-18T15:28:05.080-06:00 [ERROR] [thread:6]
[class:Client.Session] **ERROR** Unable to load LogRhythm Master License: The SELECT permission was denied
on the object 'SCLicense', database 'LogRhythmEMDB', schema 'dbo’.
To resolve this issue:
1. Go to Services on your machine and stop the service SQL Server (MSSQLSERVER).
2. Restart the service LogRhythm Services Host API.
3. Open the LogRhythm Configuration Manager.
4. In the Database Server box, enter the correct Database Server IP address.
5. Click Save.
6. In the Services program on your machine, restart SQL Server (MSSQLSERVER).
The LogRhythm Configuration Manager does not load if a proxy server is enabled for LAN connections in Internet
Explorer.
To change the proxy server settings for Internet Explorer:
1. On the Internet Options dialog box, select the Connections tab.
2. Click LAN Settings.
The Local Area Network (LAN) Settings dialog box appears.
3. Clear the Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections)
check box.
4. Click OK.
If you require a proxy server for LAN connections, contact LogRhythm Support.
Back Up and Restore a LogRhythm Configuration

When you click Save in the LogRhythm Configuration Manager, the configuration file is saved to %APPDATA%
\LogRhythm Configuration Manager\presets. However, you can create a backup of any configuration and save it to any
location to use later to restore a given configuration or share with other users.
To back up a configuration:
1. Make any changes you want. Boxes with changes are outlined in blue.
2. Select Backup/Restore from the menu.
3. Click Backup to File.
4. Name the file and save it to the location you want.
5. (Optional) Click Save in the lower right of the LogRhythm Configuration Manager to apply the changes
immediately.
To restore a configuration:
Supplemental Information for Installations 98

1. Select Backup/Restore from the menu.

2. Select one of the following:
• Restore from File. Prompts you to open a configuration backup file. After you open the file, boxes with
changes are outlined blue.
• Restore from Last Saved. Reverts to the configuration saved in %APPDATA%\LogRhythm Configuration
Manager\presets. You can also click Revert Unsaved Changes to apply the settings in that file. Boxes with
changes are outlined blue.
• Restore from Default. Returns all configuration settings to the installation defaults. Boxes with changes
are outlined blue.
3. In the lower right of the LogRhythm Configuration Manager, click Save to apply the new settings.
Add Additional Components to an Existing Deployment

The LogRhythm Infrastructure Installer assists in the installation of Common Components across all LogRhythm
appliances and runs as the LogRhythm Infrastructure Installer (LRII) in the Install Wizard. The Common Components are
required on each appliance (Platform Manager, Data Processor, Data Indexer, Web Console, and AI Engine) to enable
communication between components. The Infrastructure Installer builds a deployment package that you can use to
manually deploy the Common Components on each appliance in a distributed configuration. Using this method, there
is no need to relax security posture of your deployment to install Common Components. The tool is required every time
you install or upgrade a LogRhythm component to ensure that all components are communicating properly. If the tool
is not utilized during an installation or upgrade, the deployment will not be functional and you will not be able to index
or retrieve data.
 You must have the IP address of each LogRhythm server in your deployment, with the exception of those
running the Client Console or standalone System Monitors. You will also need SQL database credentials (sa or
equivalent user) for the EMDB and the ability to log in to each of the LogRhythm servers to run the
deployment package that the Deployment Tool generates.
1. In the Start menu on the machine where you have LogRhythm installed, click LogRhythm, and then LogRhythm
Infrastructure Installer.
2. Click Add/Remove Hosts.
3. Click Add Host.
4. Enter the information for the new host and click Save.
5. Click Deployment Properties.
6. If necessary, change the Deployment Properties to match your deployment, and then click OK.
7. Click Create Deployment Package.
8. Follow the instructions provided by the Infrastructure Installer.
9. When you have finished, return to the home page of the Infrastructure Installer and click Verify Deployment
Status.
10. When the Infrastructure Installer indicates that your deployment is healthy, use the LogRhythm Installation
Wizard to install your new component.
11. License, configure, and add the new component according the instructions provided in the LogRhythm Client
Console Help or LogRhythm Web Console Help.

Logs
Installer logs are located in C:\LogRhythm\InstallerLogs, in a folder with the date you completed the installation. The
_LIW will show basic information about the Install Wizard, and the LogRhythm_ Infrastructure_Installer_Silent will
show more information about the Deployment Tool.
In addition, you can find more information about the Deployment Tool install at C:\Program
Files\LogRhythm\LogRhythm Infrastructure Installer\logs or in the MSI log on the server, located at %Temp%.
The Linux DX installer logs are located at /var/log/persistent. You can run cat logrhythmclusterinstall.sh.log or
lorhythm-node-install.sh.log to view the contents of these logs.
Troubleshooting
Below are some potential issues that may arise when running the Deployment Tool.
Not all servers are shown in the EMDB results

The search does not find standalone Web Consoles or System Monitors. You must manually add your standalone Web
Consoles. There is no need to add the standalone System Monitors.
Linux deployment package will not run

You may have to switch to the directory where the package is located and run the following command prior to running
the Linux installer:
sudo chmod +x LRII_linux
After this has been completed, you can run the Linux package with the following command:
sudo ./LRII_linux
The Deployment Tool was successful, but cannot index or process

Ensure that you also run the Install Wizard on all of your nodes and/or the Linux DX upgrade package. These are still
required to be run on your nodes in addition to the Deployment Package.
My Deployment Status Verification says that not everything is active

Check your list of hosts in the Deployment Tool for accuracy. You may need to run the Deployment Package on the
inactive servers again. Follow the instructions above to run the packages.
My upgrade won't start because Elasticsearch is not running

You may see a message stating: You cannot upgrade: Please run 'sudo systemctl start elasticsearch'.
Elasticsearch needs to be running to check your indices for incompatible versions. Start the service as indicated, run the
curl command mentioned in the error until the cluster health is green, and then try the install again.

When upgrading my Linux DX, I received an error that states the LRII Plan file is invalid
You may not have added the plan file location to the executable path. Make sure you use the full execution path. It
should be similar to the following:
sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts
/home/logrhythm/soft/hosts --plan /home/logrhythm/soft/plan.yml
The LogRhythm Service Registry can't start during an upgrade

This error occurs when the Service Registry service is not started when LRII runs or it was started after the Deployment
Tool loaded. The C:\Program Files\LogRhythm\LogRhythm Infrastructure Installer\data directory is cleared prior to
running LRII because it recreates a new configuration for this upgrade.
There is a backup script that saves all key values prior to running the Deployment Tool so that the data directory can be
recovered if necessary. If needed, these files are in the depconf folder.
Unable to query for legacy deploymentType value

This error message may appear if your key values have been removed. It should automatically restore them for you, but
if you run into this issue, you can run the following steps to restore the key values.
1. Open PowerShell.
2. Type the following:
cd c:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\-
backup
3. Run the following:
$ConsulPath = "C:\LogRhythm\Deployment\data\consul.exe"
4. Find a previous backup at the location in step 2 that is larger than the most recent backups.
Most likely, the recent backups are 0 in size and you should pick the latest with a size larger than that.
5. Run the following script:
Get-Content .\kvexport-<date of backup>.json | & $ConsulPath kv import -
6. Restart the LogRhythm Deployment Tool.
Add Additional Web Consoles

You should only install the Web Console with the LogRhythm Install Wizard, regardless of whether or not you are adding
it to the PM or as a standalone appliance/server. For a standalone installation, be sure to follow the instructions
regarding the LogRhythm Infrastructure Installer — run your deployment package on the Web Console server and then
run the Install Wizard to install the single Web Console configuration.
Any time you add a new Web Console to an existing LogRhythm deployment, you must rerun the LogRhythm
Infrastructure Installer for the new component to be able to communicate. For further instructions, see Add a
Component to an Existing LogRhythm Deployment.

 The Web Console can be accessed on Google Chrome (version 54 or higher is recommended), Mozilla Firefox
(version 50.0.1 or higher is recommended), or Internet Explorer 11. The Web Console is not supported on
tablets, mobile devices, or touch screens.
Configure the Web Console With the LogRhythm Configuration Manager

The LogRhythm Configuration Manager is an application that allows you to easily set up environmental variables and
configure them as needed during the lifetime of the Web Console.
Configure Smart Card/CAC Authentication
 Smart Card/CAC authentication is not supported on Firefox.
To configure Smart Card/CAC authentication:

1. To obtain the environment's Certificate Authority Trust chain, concatenate the set of all SSL certificates
including the root certificates, the certificates that sign the end-user certificates, and all intermediate certificates
into a single file.
 Do not manually insert line breaks within the certificates. The certificates do not need to be in any
specific order.
2. In the Web Services Configuration Manager, complete the following:

a. In the Certificate Authority Trust section, click Choose file.
b. Select the single certificates file created in step 1. The contents of the certificate file populate the
Certificate Authority Trust field.
c. In the Authentication section, set the Web Console Multi-factor Authentication Type to Smart Card.
Generate Self-Signed Certificates for the Web Console

The Web Console installer automatically generates a self-signed SSL certificate for you and saves it here: C:\Program
Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls_temp.
However, it is best practice to generate your own self-signed certificates or import certificates signed by a third party.
When configuring your own SSL Certificates for the Web Console, each certificate needs to be configured separately.
Some guidance on doing so can be found on the Digital Ocean website and the OpenSSL website, but your IT
department should follow their own policies and security practices.
Your IT department should set up proper certificates for your domain, install those on the internal systems, and
maintain them appropriately.
 The LogRhythm Web Console supports .pem and .crt files only. If you convert to a .crt file using OpenSSL, be
sure to use the -nokeys flag.

1. Ensure the private key is unencrypted. The private key should not require a password.
2. Concatenate the certificate with the issuing and root Certificate Authority (CA) into a single file, if necessary.
3. Open the LogRhythm Configuration Manager.
4. To add the public key to the SSL Public Key parameter, click Choose File and select the public key in the file
browser.
5. To add the private key to the SSL Private Key parameter, click Choose File and select the private key in the file
browser.
6. Save your changes, and restart services, if necessary.
Trust the Self-Signed Certificate from a Client PC

Untrusted self-signed certificates can cause the Web Console to perform poorly. Self-signed certificates that are not
trusted prevent browsers from caching https requests, which causes Web Console pages to load slowly.
To prevent this problem by configuring trusted certificates:
1. Delete the following folders:
• C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls
• C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls_temp
2. Run the installer for the latest version of the Web Console on a Windows machine. If you have already installed
the Web Console, run the following script as an administrator: C:\Program Files\LogRhythm\LogRhythm Web
Services\LogRhythm Web ConsoleUI\generate_keys.bat
3. Do one of the following:
• Method 1. Certificate trusted for all users of a system
i.
From the Web Console server, run the Microsoft Management Console (mmc.exe).
ii.
On the File menu, click Add/Remove Snap-in.
iii.
Add the Certificates Snap-in.
iv.
Select Computer account > Local computer.
v.
Run the Microsoft Management Console with the Certificate Snap-in on the client system.
vi.
Import the LogRhythm Self-Signed Certificate file from C:\Program Files\LogRhythm\LogRhythm
Web Services\LogRhythm Web Console UI\tls_temp (or your own Self-Signed Certificate) file into
the Trusted Root Certification Authorities store. The certificate will be trusted for all users of this
system.
• Method 2. Certificate trusted for current user only
• In Internet Explorer 11
1. Run Internet Explorer as an administrator.
2. Go to your Web Console deployment.
3. Click Continue to this website (not recommended).
4. Click Certificate error in the address bar.
5. In dialog box, click View certificates.
6. On the General tab, click Install Certificate, and then click Next when the wizard opens.
7. Select Place all certificates in the following store.
8. Click Browse and select Trusted Root Certification Authorities.
9. Click OK and Next.
10. Click Finish.
• In Firefox

1. Go to the Web Console.

A security certificate error page appears.
2. Click the arrow next to I Understand the Risks to expand the section.
3. Click Add Exception.
4. At the bottom of the dialog box, select Permanently store this exception.
5. Click Confirm Security Exception.
• In Chrome
1. Browse to the Web Console.
A security certificate error page appears.
2. Click Advanced, and then click Proceed to [Web Console].
3. In the address bar, click the broken padlock icon.
4. Next to the Your connection to this site is not private warning, click Details.
5. Click View certificate.
6. Select the Details tab.
7. Click Copy to File.
8. Follow the steps in the wizard to save the certificate as a PKCS #7 (.P7B) certificate in a
place you can easily locate it.
9. After you finish exporting the certificate, go to Settings in your browser.
10. At the bottom of the screen, click Show advanced settings.
11. In the HTTPS/SSL section, click Manage certificates.
12. Select the Trusted Root Certification Authorities tab.
13. Click Import.
14. Follow the steps in the wizard to import the certificate you saved in Step h. You must save
the certificate to the Trusted Root Certificate Authorities store.
15. Select the newly imported certificate in the Trusted Root Certification Authorities tab, and
then click Advanced.
16. At the bottom of the dialog box, select Include all certificates in the certification path,
and then click OK.
17. Restart Chrome.
Remove the Web Console

If you need to uninstall the Web Console, log in as an Administrator, go to Add/Remove Programs, and uninstall the
LogRhythm Web Console. During the uninstallation, the following components are stopped and removed:
• LogRhythm Case API
• LogRhythm Web Console API
• LogRhythm Web Console UI
• LogRhythm Web Indexer
• LogRhythm Web Services Host API
• LogRhythm Threat Intelligence API
• LogRhythm Web Services Configuration Manager (program)
After removing the Web Console, any files that were generated by the runtimes of the services above remain. All
installation directories are still present. Below are some examples of the types of files that remain on the system:
• log files
• temporary or buffer files
• generated keys or certificates
• .pid files

If you want to completely remove the Web Services, it is safe to remove the entire LogRhythm Web Services directory. If
you plan to reinstall Web Services, it is not necessary to remove the Web Console folder structure.

LogRhythm Software Install Guide 7.8.0 RevA

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

LogRhythm Software Install Guide 7.8.0 RevA

Uploaded by

Copyright:

Available Formats

Install a New LogRhythm Deployment

August 09, 2021

Phone Support (7am - 6pm, Monday-Friday)

LogRhythm, Inc. | Contents 3

LogRhythm, Inc. | Contents 4

The LogRhythm Infrastructure Installer

Review the Requirements for a New LogRhythm Deployment

SQL Server Licensing

Review the Requirements for a New LogRhythm Deployment 6

Review the Requirements for a New LogRhythm Deployment 7

 You should configure and use the logical volumes as documented.

Component Logical Volume Volume Label Label Contents

Platform Manager C Drive (C:\) n/a

D Drive (D:\) Data LogRhythm SQL Server data files

L Drive (L:\) Log Files LogRhythm SQL Server transaction log

T Drive (T:\) Temp DB

S Drive (S:\) n/a LogRhythm Application State for High

S Drive (S:\) n/a LogRhythm Application State for High

Web Console C Drive (C:\) n/a Operating System and LogRhythm

D Drive (D:\) n/a Web Console Indicies

Data Indexer vgroup1 n/a Operating System and LogRhythm

vg_data /usr/local/logrhythm Elasticsearch Data, mapped to /usr/

Review the Requirements for a New LogRhythm Deployment 8

The performance specifications are based on the following assumptions:

Web Console Requirements

Review the Requirements for a New LogRhythm Deployment 9

 • Do not install the Web Console on older generation

Your own server

Hardware Operating Disk/Vol 1 Disk/Vol 2

Review the Requirements for a New LogRhythm Deployment 10

SSL Default Port (8443/443)

Virtualization Platform Considerations

Review the Requirements for a New LogRhythm Deployment 11

Virtualization or Hyperconverged Platform Considerations

Review the Requirements for a New LogRhythm Deployment 12

Virtualization Deployment Best Practices

Virtual Host (Hypervisor) Requirements

Virtual Machine System Requirements

Virtualization Redundancy and High Availability

Virtualization Snapshots and Backups

LogRhythm Component Compatibility

Database and SQL Server Versions

Review the Requirements for a New LogRhythm Deployment 13

System Monitor Component Support

System Monitor Versions Compatible with LogRhythm 7.x

System Monitor v6.x v7.x

System Monitor (Windows) Yes Yes

System Monitor (*NIX) Yes Yes

Component Operating System Support

Certified Support (CS) Limited Support (LS) Unsupported (US)

LogRhythm 7.8 Operating System Support Levels

64-bit Data Data Platform AI LogRhyth Web Client Open

Review the Requirements for a New LogRhythm Deployment 14

LogRhythm 7.8 Operating System Support Levels

64-bit Data Data Platform AI LogRhyth Web Client Open

Review the Requirements for a New LogRhythm Deployment 15

Networking and Communication

Review the Requirements for a New LogRhythm Deployment 16

Select a Method of Deploying LogRhythm

Network Monitor Storage Arrays Virtual Sandboxes

Select a Method of Deploying LogRhythm 17

Reference Performance (MPS) Hardware Operating System Disk/Vol 1 Config

LR-DC3500 Series Max Collection Rate: Windows 2016 x64