LogRhythm Software Install Guide 7.8.0 RevA
Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no warranty of
any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied warranty of
merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any direct, indirect,
incidental, consequential, or other damages alleged in connection with the furnishing or use of this information.
Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned may be
trademarks, registered trademarks, or service marks of their respective holders.
LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com
This document helps you determine a platform for the LogRhythm Software and provides instructions for installing
LogRhythm on your own systems.
We recommend that you perform these procedures with the assistance of LogRhythm Professional Services.
Review Assumptions
Before installing the LogRhythm Software, ensure the following:
• Administrative permissions to complete the assigned preparation and installation.
• Dedicated hardware and/or virtual environments are configured as outlined in this installation guide.
Configuring your dedicated hardware or virtual environment outside the parameters listed in this document
may prevent the LogRhythm Software from operating and performing properly. LogRhythm does not support
non-standard configurations. If your environments cannot be configured to the standard configurations,
contact LogRhythm to determine whether a custom solution is possible.
The LogRhythm installer is not supported on systems that use compressed drives.
If this prerequisite is not met, the deployment may not function properly after installation is complete.
Install a New LogRhythm Deployment
Platform Requirements
Server Roles
Different LogRhythm server roles perform key tasks for log collection, analysis, and reporting in the LogRhythm SIEM.
When you install LogRhythm on your own systems, you need the following server roles:
• Platform Manager. The Platform Manager provides the central event management and administration of the
LogRhythm SIEM, including:
• Configuration information for all agents, log sources, and log source types.
• Knowledge Base, which includes all processing rules, built-in reports (for compliance), built-in alarms,
and other processing-related information.
• The Alarming and Response Manager, which is a Windows service responsible for processing alarm rules
and taking appropriate response such as sending e-mails to those on a notification list or sending SNMP
traps to an SNMP server.
• The Job Manager, which is responsible for scheduled report job generation, Agent and Data Processor
heartbeat monitoring, Active Directory synchronization, and health monitoring.
You can install the Platform Manager on a dedicated appliance (recommended for large environments) or on the
same system as the Data Processor and Data Indexer (called an XM appliance, if you need an all-in-one
appliance). The Platform Manager also includes an embedded AI Engine license, which allows you to install AIE
on the same system. There is only one Platform Manager in the SIEM environment.
• Data Processor. The Data Processor provides high-performance, distributed, and highly available processing of
machine and forensic data. Data Processors receive machine and forensic data from Collectors and Forensic
Sensors. The Data Processor archives data and distributes both the original copy and the structured copy to
other LogRhythm components for indexing, machine based analytics, and alarming.
• Data Indexer. The Data Indexer provides high-performance, distributed, and highly scalable indexing and
searching of machine and forensic data. Data Indexers store both the original and structured copies of data to
enable search-based analytics. The Data Indexer can be installed in an XM configuration on Windows, Red Hat
Enterprise Linux 7, or CentOS 7.x Minimal using our distributed CentOS 7.x ISO image.
• AI Engine. The AI Engine is an optional component that detects conditions occurring over multiple data sources
and time ranges. It provides real-time visibility into risks, threats, and critical operations issues. AI Engine
includes more than 100 preconfigured rule sets that you can use in the wizard-based, drag-and-drop interface.
You can install the AI Engine on the same system as the Platform Manager or you can install it on a dedicated
system.
• System Monitor. The System Monitor collects all log, flow, and machine data, then transfers that data to the Data
Processor. Because a System Monitor is required on each LogRhythm appliance, the LogRhythm installer
automatically deploys it with other applicable roles. You can also deploy the System Monitor using a separate
installer file (for example, silent installations in large environments).
The LogRhythm dedicated appliance for remote log collection is called a Data Collector appliance.
Volume/Disk Configurations
LogRhythm requires specific volume/disk configurations, which can consist of physical disks or virtual disks with logical
volumes.
LogRhythm is not supported on systems that use shared disks. Installing on a system that uses shared disks
can have a significant negative impact on performance.
• Physical Disks. One or more physical disks must exist on the dedicated hardware or virtual machine within a
specific volume. The amount can range from a minimum of 2 up to 98 disks per system.
• Virtual Disks (usable space). Virtual disks are a collection of physical disks that deliver redundancy and
performance improvements through hardware RAID technology. The amount can range from 2 to 10 virtual disks
per system.
• Logical Volumes. A logical volume is a partition of a virtual disk addressed with a unique drive letter in Windows
(for example, drive C or drive D). The logical volumes contain specific files and data related to the installation
(see the following table for more information about the contents of each drive). Any LogRhythm server that
contains a Platform Manager includes four logical volumes. The Windows Indexer should include at least two
logical volumes, and the logical volume that contains log data should be on a dedicated virtual disk using
dedicated physical disks.
Data Processor, AI Engine, System Monitor: C Drive (C:\), no dedicated virtual disk required (n/a), holds the operating system and the LogRhythm program files.
Performance Requirements
The specifications provided are minimum requirements for your dedicated virtual machine and dedicated
hardware. Your system should be configured so that the end result has the minimum specification
requirement value or greater. If your hardware or virtual machine does not fit into an existing appliance
configuration, contact LogRhythm Professional Services to discuss a possible custom installation. Collection
rates are listed as a guideline. The rates may vary given different hardware configurations and drivers.
Power Supply
LogRhythm recommends that all LogRhythm systems be connected to an uninterruptible power supply. A power cut
may cause an Elasticsearch failure that leads to a loss of indices.
If your LogRhythm instance is deployed in a dark site (no internet connectivity), download the necessary standalone .NET installers
from Microsoft before beginning the upgrade. Otherwise, the Web Services Installer attempts to download them during the
upgrade, and the upgrade fails without internet connectivity.
You can install the Web Console software on a server, virtual server, or LogRhythm appliance that meets the
requirements listed in the following table.
LogRhythm currently supports up to three Web Console instances with 60 concurrent users.
To avoid conflicts, it is recommended that Web Console users are either created manually or through Active
Directory (AD), but not both.
System Requirements
LogRhythm Appliance
Install the Web Console on any of the following LogRhythm appliance models:
• LR-WS3410 LogRhythm Web Services Appliance (includes the Web Console installer)
• PM5400 and PM7400 series appliances
• XM4400 and XM6400 series appliances
Dedicated Server or Virtual Machine
Hardware:
• 1 x 2.6 GHz 8 Core CPU
• 16 vCPU
• 32 GB RAM
• H730 RAID controller with 2 GB cache
• 2 x 1 Gigabit Ethernet NICs
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol 1 Config:
• Physical Disk: 2 x 300 GB 10K RPM SAS, RAID 1, Hardware IOPS: 150, Recommended IOPS: 150
• Virtual Disk: 278 GB usable
• Logical Volume: C Drive (278 GB)
Disk/Vol 2 Config:
• Physical Disk: 2 x 400 GB SSD SATA, 3 DWPD, RAID 1, Hardware IOPS: 85,000, Recommended IOPS: 1,000
• Virtual Disk: 368 GB usable
• Logical Volume: D Drive (368 GB)
Web Console UI
You can access the Web Console UI from any computer running Google Chrome,
Mozilla Firefox, Microsoft Edge, or Internet Explorer 11.
The Web Console requires certain ports for its use, as listed in the following table.
Port Requirements
Port 8501
During installation, the 8501 port is opened for the LogRhythm API Gateway. This
port provides routing, load balancing, SSL termination, and authentication
termination to deployed Web Services.
Port 43
To execute a whois query using contextualization, port 43 must be opened. For
more information on using contextualization, see the Use Contextualize topic in
the Web Console User Guide.
New installations of the Data Indexer on Windows are only supported in an XM configuration.
• Platform Manager. Centralized configuration management, knowledge base data, alarming, and reporting, running on a
SQL Server backend. A standalone Platform Manager is bound mainly by memory and disk I/O. In smaller
environments, however, AIE and the Web Console may also run on this system, which increases its resource
requirements.
• AIE. The advanced real-time correlation engine requires CPU and memory resources for long-term trend analysis.
• Web Console. The web interface to the threat lifecycle; it requires mostly CPU and memory resources.
Planning system resources for each of these components will depend on the data volume and use-cases for each
component. LogRhythm Appliance Platforms provide known performance and resource allocations, allowing
customers to scale using known quantities. In many cases, a customer will elect to split up LogRhythm roles onto their
own individual systems rather than running a single, very large instance (XM).
The support levels used in the following table, in the order CS, LS, US:
• CS: Fully tested per LogRhythm quality assurance processes. LogRhythm patches bugs. Full LogRhythm Technical Support.
• LS: Limited testing, but likely to work based on engineering assessment and/or field verification. LogRhythm may patch bugs. Limited LogRhythm Technical Support.
• US: Not tested. LogRhythm does not patch bugs. No LogRhythm Technical Support.
The following table shows the support levels for LogRhythm components on various 64-bit operating systems.
Any operating system not included in the following table is not supported.
The eight value columns are the LogRhythm components in the order of the original table; the first column is the Data Indexer (see footnote 1).
Operating System | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8
Windows 7 | US | LS | LS | US | US | US | CS | US
Windows 8/8.1 | US | US | US | US | US | US | LS | US
Windows 10 | US | US | US | US | US | US | CS | US
Windows Server 2008 | US | US | US | US | US | US | CS | US
Windows Server 2008 R2 | US | CS | US | CS | CS | CS | CS | US
Windows Server 2012 | US | US | US | US | US | US | LS | US
Windows Server 2012 R2 | CS (1) | CS | CS | CS | CS | CS | CS | US
Windows Server 2016 | CS (1) | CS | CS | CS | CS | CS | CS | US
Windows Server 2016 Core | US | US | US | US | US | US | US | US
Windows Server 2019 (2) | CS (1, 2) | CS (2) | CS (2) | CS (2) | CS (2) | CS (2) | CS (2) | US
Windows Server 2019 Core | US | US | US | US | US | US | US | US
CentOS 7.x Minimal | CS | US | US | US | US | US | US | US
CentOS 7.6 or greater | CS | US | US | US | US | US | US | CS
CoreOS | US | US | US | US | US | US | US | CS
RHEL 7 | CS | US | US | US | US | US | US | US
(1) The Data Indexer is only supported on Windows operating systems for Gen3 appliances.
(2) As of 7.7.0, only new software installations on Windows Server 2019 are supported. Upgrades to Server 2019 from previous versions are not currently supported.
New installations of the Data Indexer are only supported on the Linux platform. The Data Indexer is only
supported on Windows in an XM configuration.
SAN storage is supported only in LogRhythm's software-only solution, not on LogRhythm appliances. On
appliances, SAN storage is supported only for inactive archives.
In the tables that follow, Allocation Unit Size is abbreviated as AUS. Where not otherwise specified, default
AUS is expected.
The virtual platforms described in the table below are for labs/sandbox use only. They are not intended for
production use.
Reference Architectures
LR-PM7500 Series
• Performance (Platform Manager): Max LogMart Rate: 2,000; Max Events Rate: 1,000
• Hardware: 2 x 2.6 GHz 12 Core CPU; 48 vCPU; 196 GB RAM; PERC H740 Integrated RAID Controller with 8 GB Cache; 2 x 10 Gb/s NICs; 2 x 1 Gb/s NICs
• Operating System: Windows 2016 x64 Standard Edition
• Disk/Vol 1 Config: Physical Disk: 2 x 240 GB M.2 SSD, 0.3 DWPD, RAID 1, Hardware IOPS: 85,000, Recommended IOPS: 150. Virtual Disk: 220 GB usable. Logical Volume: OS Drive (220 GB, 64K AUS)
• Disk/Vol 2 Config: Physical Disk: 18 x 900 GB 15K RPM SAS, RAID 10, Hardware IOPS: 2538, Recommended IOPS: 2538. Virtual Disk: 7452 GB usable. Logical Volume: D Drive (7452 GB, 64K AUS)
• Disk/Vol 3 Config: Physical Disk: 4 x 900 GB 15K RPM SAS, RAID 10, Hardware IOPS: 564, Recommended IOPS: 564. Virtual Disk: 1656 GB usable. Logical Volume: L Drive (1656 GB)
• Disk/Vol 4 Config: Physical Disk: 2 x 1 TB SSD SATA, 3 DWPD, RAID 1, Hardware IOPS: 85,000, Recommended IOPS: 1,000. Virtual Disk: 920 GB usable. Logical Volumes: S Drive (870 GB), T Drive (50 GB, 64K AUS)
Storage Arrays
SANM5026 (direct attached storage for NM)
• Interface: 12 Gbps SAS
• Controller: PERC H840 RAID Controller with 8 GB Cache
• Physical Disk: 24 x 1.2 TB 10K RPM SAS, RAID 5 + 1 HS, Hardware IOPS: 2538
• Virtual Disk: 24464 GB usable
• Logical Volume: Data Drive (24464 GB)
SAAR5120 (direct attached storage for archives)
• Interface: 12 Gbps SAS
• Controller: PERC H840 RAID Controller with 8 GB Cache
• Physical Disk: 24 x 12 TB 7200 RPM SAS, RAID 5 + 1 HS, Hardware IOPS: 1135
• Virtual Disk: 120 TB usable
• Logical Volume: Archive Drive (120 TB)
Reference Platform | Performance (MPS) | Hardware | Operating System | Disk/Vol 1 Config | Disk/Vol 2 Config
The following cloud platforms are covered:
• Amazon Web Services
• Google Cloud
• Microsoft Azure
Deployments in Amazon Web Services
Installation Overview
It is assumed that the user has experience with Amazon Web Services EC2.
Design
Designing LogRhythm in AWS is similar to on-premise deployments. Assess the volume needs of your organization and
match them to the LogRhythm Reference Architecture provided in this section.
Windows Systems
Create Windows virtual machines using the standard EC2 instances from AWS. Select the newest base operating system
supported on your version of LogRhythm.
• Select the size of the instance based on your appliance sizing needs using the AWS reference architecture table.
• Create EBS storage to match the instance mappings for volume type and size.
• Root instance store volumes should not be used for LogRhythm storage.
Linux Systems
Create the logrhythm user and give it key-based SSH access to the local host:
a. Log in to the instance and elevate to the root user:
# sudo su
b. Create the logrhythm user and set its password:
# adduser logrhythm
# passwd logrhythm
c. Switch to the logrhythm user, generate an SSH key pair, and install the public key as an authorized key (the
chmod keeps the file within the permissions sshd accepts):
# su - logrhythm
$ ssh-keygen -t rsa
$ cd /home/logrhythm/.ssh
$ cp id_rsa.pub authorized_keys
$ chmod 600 authorized_keys
d. SSH into the instance to add the host key to known_hosts:
$ ssh localhost
e. When prompted for the SSH password, press Enter with no input or enter the logrhythm user password.
f. When prompted for the sudo password, enter the password for the logrhythm user created in the earlier steps.
AWS Reference Architecture (Windows)
Instance Type: r4.4xlarge; Operating System: Windows 2016 x64 Standard Edition
• Disk/Vol 1: gp2, C Drive: 200 GB (Operating System)
• Disk/Vol 2: gp2, D Drive: 500 GB and S Drive: 100 GB (SQL Databases and LR State)
• Disk/Vol 3: st1, E Drive: 1500 GB (ElasticSearch Data)
• Disk/Vol 4: gp2, L Drive: 150 GB (SQL Logs)
• Disk/Vol 5: gp2, T Drive: 50 GB (SQL Temp)
Instance Type: r4.8xlarge; Operating System: Windows 2016 x64 Standard Edition
• Disk/Vol 1: gp2, C Drive: 200 GB (Operating System)
• Disk/Vol 2: gp2, D Drive: 2750 GB and S Drive: 250 GB (SQL Databases and LR State)
• Disk/Vol 3: st1, E Drive: 9000 GB (ElasticSearch Data)
• Disk/Vol 4: gp2, L Drive: 880 GB (SQL Logs)
• Disk/Vol 5: gp2, T Drive: 50 GB (SQL Temp)
Instance Type: m4.16xlarge; Operating System: Windows 2016 x64 Standard Edition
• Disk/Vol 1: gp2, C Drive: 200 GB (Operating System)
• Disk/Vol 2: gp2, D Drive: 4500 GB and S Drive: 500 GB (SQL Databases and LR State)
• Disk/Vol 3: st1, E Drive: 16000 GB (ElasticSearch Data)
• Disk/Vol 4: gp2, L Drive: 1000 GB (SQL Logs)
• Disk/Vol 5: gp2, T Drive: 50 GB (SQL Temp)
Instance Type: m5.4xlarge; Operating System: Windows 2016 x64 Standard Edition
• Disk/Vol 1: gp2, C Drive: 200 GB (Operating System)
• Disk/Vol 2: gp2, D Drive: 500 GB (Active Archives and LR State)
• Disk/Vol 3: sc1, E Drive: 2000 GB (Inactive Archives, adjustable)
• Disk/Vol 4 and 5: none
Instance Type: m5.12xlarge; Operating System: Windows 2016 x64 Standard Edition
• Disk/Vol 1: gp2, C Drive: 200 GB (Operating System)
• Disk/Vol 2: gp2, D Drive: 1200 GB (Active Archives and LR State)
• Disk/Vol 3: sc1, E Drive: 8000 GB (Inactive Archives, adjustable)
• Disk/Vol 4 and 5: none
Installation Overview
It is assumed that the user has experience with Google Cloud and Google Compute.
Design
Designing LogRhythm in GCP is similar to on-premise deployments. Assess the volume needs of your organization and
match them to the LogRhythm Reference Architecture.
Windows Systems
Create Windows Virtual Machines using the Compute Engine VM instances from GCP. Select the newest base operating
system supported on your version of LogRhythm.
• Select the machine type based on your appliance sizing needs using the GCP reference architecture table.
• Create disk storage to match the instance mappings for volume type and size.
Linux Systems
As root on each Linux instance, create the logrhythm user, set its password, and switch to that user:
# adduser logrhythm
# passwd logrhythm
# su - logrhythm
GCP Reference Architecture (Windows)
Instance Type: Custom Machine, 20 Cores, 96 GB Memory; Operating System: Windows 2016 x64 Standard Edition
• Disk/Vol 1: Standard Persistent Disk, C Drive: 200 GB (Operating System)
• Disk/Vol 2: Standard Persistent Disk, D Drive: 2000 GB, L Drive: 150 GB, S Drive: 100 GB, T Drive: 50 GB (SQL Databases/ES Data/SQL Logs/LR State/SQL Temp)
• Disk/Vol 3 through 5: none
Instance Type: Custom Machine, 40 Cores, 192 GB Memory; Operating System: Windows 2016 x64 Standard Edition
• Disk/Vol 1: Standard Persistent Disk, C Drive: 200 GB (Operating System)
• Disk/Vol 2: Standard Persistent Disk, D Drive: 2750 GB, L Drive: 250 GB, T Drive: 50 GB (SQL Databases/SQL Logs/SQL Temp)
• Disk/Vol 3: Standard Persistent Disk, E Drive: 9000 GB (ElasticSearch Data)
• Disk/Vol 4: SSD Persistent Disk, S Drive: 250 GB (LR State)
• Disk/Vol 5: none
Instance Type: Custom Machine, 48 Cores, 256 GB Memory; Operating System: Windows 2016 x64 Standard Edition
• Disk/Vol 1: Standard Persistent Disk, C Drive: 200 GB (Operating System)
• Disk/Vol 2: Standard Persistent Disk, D Drive: 4500 GB, L Drive: 1000 GB, T Drive: 50 GB (SQL Databases/SQL Logs/SQL Temp)
• Disk/Vol 3: SSD Persistent Disk, E Drive: 18000 GB, S Drive: 500 GB (ElasticSearch Data/LR State)
• Disk/Vol 4 and 5: none
Instance Type: Custom Machine, 24 Cores, 64 GB Memory; Operating System: Windows 2016 x64 Standard Edition
• Disk/Vol 1: Standard Persistent Disk, C Drive: 200 GB (Operating System)
• Disk/Vol 2: SSD Persistent Disk, S Drive: 500 GB (Active Archives/LR State)
• Disk/Vol 3: Standard Persistent Disk, E Drive: 2000 GB (Inactive Archives, adjustable)
• Disk/Vol 4 and 5: none
Instance Type: Custom Machine, 48 Cores, 128 GB Memory; Operating System: Windows 2016 x64 Standard Edition
• Disk/Vol 1: Standard Persistent Disk, C Drive: 200 GB (Operating System)
• Disk/Vol 2: SSD Persistent Disk, S Drive: 1000 GB (Active Archives/LR State)
• Disk/Vol 3: Standard Persistent Disk, E Drive: 8000 GB (Inactive Archives, adjustable)
• Disk/Vol 4 and 5: none
*GCP allows a maximum volume of 64 TB per instance. You need multiple instances to match the capacity of the DXW5120
hardware appliance.
Deployments in Microsoft Azure
This section provides information about reference architectures for LogRhythm appliances and information about how
to design and deploy LogRhythm in Microsoft Azure.
Installation Overview
It is assumed that the user has experience with Microsoft Hyper-V and Azure services.
Design
Designing LogRhythm in Azure is similar to on-premise deployments. Assess the volume needs of your organization and
match them to the LogRhythm Reference Architecture.
Windows Systems
Create Windows Virtual Machines using the standard compute instances from Azure. Select the newest operating
system supported on your version of LogRhythm.
• VM disk type should be SSD.
• Select the size of the instance based on your appliance sizing needs using the Azure reference architecture table.
• Storage should be set to use managed disks.
After creating the instance, add data disks to match the reference architecture. By default, Windows instances in Azure
receive a temporary disk that is used for the page file and is emptied at every shutdown; it is normally assigned drive letter D.
On the Platform Manager, you must change the drive letter of that temporary disk from D to something else before you
run the LogRhythm Database Install Tool, because the tool requires the D drive for database storage. If you install to
the temporary disk, all of the databases are lost when the virtual machine is shut down.
Linux Systems
Skip this section if the logrhythm user was already created to access the VM. If the user already exists
with SSH access, skip to the Install the Data Indexer section below.
a. Log in to the Azure instance and elevate to the root user:
# sudo su
b. Create the logrhythm user:
# adduser logrhythm
c. Set the logrhythm user's password:
# passwd logrhythm
d. Provide and confirm the desired password for the logrhythm user.
e. Add the logrhythm user to the wheel group:
# usermod -aG wheel logrhythm
f. Switch to the logrhythm user, generate an SSH key pair, and install the public key as an authorized key (the
chmod keeps the file within the permissions sshd accepts):
# su - logrhythm
$ ssh-keygen -t rsa
$ cd /home/logrhythm/.ssh
$ cp id_rsa.pub authorized_keys
$ chmod 600 authorized_keys
g. SSH into the instance to add the host key to known_hosts:
$ ssh localhost
h. When prompted for the SSH password, press Enter with no input or enter the logrhythm user password.
i. When prompted for the sudo password, enter the password for the logrhythm user created in the earlier steps.
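The procedure above, and the identical one in the AWS section, can be scripted so that it is repeatable and leaves the file modes sshd requires; a world- or group-writable authorized_keys is silently ignored under StrictModes, and the symptom is the password prompt the installer's own `ssh localhost` then hits. The following shell script is an added example written for this page; it is not LogRhythm's own tooling. It assumes a CentOS/RHEL 7 host, root privileges, `wheel` as the sudo group, `sudo` and GNU coreutils, and a 4096-bit RSA key; the functions `ensure_user`, `install_authorized_key`, `key_count`, `mode_of`, `bootstrap_localhost_ssh` and the `LR_USER` variable are names chosen here.

```shell
#!/bin/sh
# Added example, not LogRhythm's own tooling: set up the logrhythm service
# account's key-based SSH access to localhost (the steps above) idempotently,
# with the file modes sshd's StrictModes expects, and verify the result.
# Assumptions not taken from the guide: run as root on CentOS/RHEL 7, the sudo
# group is "wheel", a 4096-bit RSA key is acceptable where the guide says "rsa",
# and `sudo -u` is available. All function names are this example's own.
set -eu

LR_USER="${LR_USER:-logrhythm}"

# Create the account if it is missing and add it to wheel (sudo rights).
# The password is still set interactively with `passwd`, as in the guide.
ensure_user() {
    id "$1" >/dev/null 2>&1 || useradd -m "$1"
    usermod -aG wheel "$1"
}

# Append one public key to authorized_keys exactly once and pin the modes
# (700 on ~/.ssh, 600 on authorized_keys). Args: home directory, key line.
install_authorized_key() {
    ssh_dir="$1/.ssh"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"
    grep -qxF "$2" "$auth" || printf '%s\n' "$2" >> "$auth"
}

# Number of times a key line appears in <home>/.ssh/authorized_keys.
key_count() {
    grep -cxF "$2" "$1/.ssh/authorized_keys" || true
}

# Octal mode of a path, e.g. "700" (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Full bootstrap: key pair without passphrase (the installer needs a
# non-interactive "ssh localhost"), authorized key installed, localhost's host
# key pinned in known_hosts, then a BatchMode login that fails loudly if
# anything is still wrong instead of falling back to a password prompt.
bootstrap_localhost_ssh() {
    user="$1"
    ensure_user "$user"
    home="$(getent passwd "$user" | cut -d: -f6)"
    mkdir -p "$home/.ssh"
    chown "$user:$user" "$home/.ssh"
    [ -f "$home/.ssh/id_rsa" ] || \
        sudo -u "$user" ssh-keygen -q -t rsa -b 4096 -N '' -f "$home/.ssh/id_rsa"
    install_authorized_key "$home" "$(cat "$home/.ssh/id_rsa.pub")"
    ssh-keyscan -H localhost >> "$home/.ssh/known_hosts" 2>/dev/null
    chown -R "$user:$user" "$home/.ssh"
    sudo -u "$user" ssh -o BatchMode=yes -o StrictHostKeyChecking=yes localhost true
}

# Run the bootstrap only when explicitly asked, so the file is safe to source.
if [ "${1:-}" = "--run" ]; then
    bootstrap_localhost_ssh "$LR_USER"
fi
```

Run it as root with `--run` after setting the logrhythm password with `passwd` as the guide describes. `install_authorized_key` can be called again without duplicating the key, and the final BatchMode login is the check that the installer's own `ssh localhost` will succeed without prompting.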
For all platforms, use Read-only host caching on data disks, such as SQL data or Elasticsearch data.
1 Inactive archives should use File Storage or can use standard disk.
*The DX storage values do not match to appliances and can be adjusted based on customer need with a limit of 16TB
total on DX5500.
*The DX storage values do not match to appliances and can be adjusted based on customer need with a limit of 32TB
total on DX7500.
Linux Data Indexer
Instance Type: D32S_v3; Operating System: CentOS 7.6 or Red Hat Enterprise Linux 7
• OS disk: P10, 128 GB, /usr/local/logrhythm/ (Operating System)
• Data disks 01 through 24: one P50 disk of 4096 GB each, mounted at /usr/local/logrhythm/01 through /usr/local/logrhythm/24 (Elasticsearch Data)
*The DX warm storage values do not match to appliances and can be adjusted based on customer need with a limit of
120TB total on DXW5120.
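Before running the Data Indexer installer on a Linux host laid out as in the table above, a practitioner wants to confirm that every data path is really a separate filesystem of the expected size, because a path that was never mounted silently lands on the OS disk and fills it. The following shell script is an added example for this page, not LogRhythm's own tooling. It assumes GNU df (for `--output`), an expected size of 4096 GB per data disk with a 5% allowance for filesystem overhead, and uses the names `check_dx_mounts`, `sample_df`, `LR_ROOT`, `EXPECTED_GB` and `TOLERANCE_PCT`, all chosen here; the table it checks when run without arguments is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not LogRhythm's own tooling: pre-install check that a Linux
# Data Indexer host has every Elasticsearch data path from the table above
# (/usr/local/logrhythm/01 .. /24) on its own filesystem of roughly the
# expected size. Assumptions not taken from the guide: GNU df (for --output),
# sizes compared in GiB, and a 5% allowance for filesystem overhead.
set -eu

LR_ROOT="/usr/local/logrhythm"
EXPECTED_GB=4096      # P50 data disk size from the table
TOLERANCE_PCT=5       # mkfs metadata and reserved blocks eat a few percent

# Read "<mount point> <size>G" lines on stdin (the body of
# `df -BG --output=target,size`) and print one line per expected data path
# that is MISSING (not a mount point of its own) or TOO SMALL.
# Returns 0 when all $1 paths pass, 1 otherwise.
check_dx_mounts() {
    nodes="$1"
    min_gb=$(( EXPECTED_GB * (100 - TOLERANCE_PCT) / 100 ))
    table="$(cat)"
    rc=0
    i=1
    while [ "$i" -le "$nodes" ]; do
        path="$(printf '%s/%02d' "$LR_ROOT" "$i")"
        size="$(printf '%s\n' "$table" | awk -v p="$path" '$1 == p { sub(/G$/, "", $2); print $2 }')"
        if [ -z "$size" ]; then
            echo "MISSING: $path is not a separate mount point"
            rc=1
        elif [ "$size" -lt "$min_gb" ]; then
            echo "TOO SMALL: $path is ${size}G, expected at least ${min_gb}G"
            rc=1
        fi
        i=$((i + 1))
    done
    return "$rc"
}

# Constructed sample (not real output): 24 data mounts, except that /11 was
# never mounted (it would silently land on the root filesystem) and /17 was
# provisioned at 2 TB instead of 4 TB.
sample_df() {
    echo "/ 128G"
    n=1
    while [ "$n" -le 24 ]; do
        case "$n" in
            11) ;;
            17) printf '%s/%02d 2048G\n' "$LR_ROOT" "$n" ;;
            *)  printf '%s/%02d 4095G\n' "$LR_ROOT" "$n" ;;
        esac
        n=$((n + 1))
    done
}

# With --live, check the running host; otherwise demonstrate on the sample.
if [ "${1:-}" = "--live" ]; then
    df -BG --output=target,size | tail -n +2 | check_dx_mounts 24 && echo "data mount layout OK"
elif sample_df | check_dx_mounts 24; then
    echo "sample layout OK"
else
    echo "sample layout has problems (expected: /11 and /17)"
fi
```

Run with `--live` on the prepared host before starting the Data Indexer installer; a non-zero exit means at least one data path is missing or undersized, and the printed lines name which ones.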
After ensuring that your base deployment meets the above requirements, .NET 4.7.2 rollup updates are required on all
Windows appliances or servers running LogRhythm components.
If the target appliance is up-to-date with important Windows updates, some hotfixes may not be required. If
this is the case, the installer indicates that.
Installers for all the required patches and hotfixes are available in a .zip file on the Community Downloads page for the
current release, under TLS 1.2 Support. You should download LR_75x_TLS_support.zip, extract its contents, and then
distribute the required installers to the required appliances or computers in your deployment.
Install LogRhythm
Configure Hardware or Virtual Machine
This section describes how to configure your dedicated hardware or virtual machine, based on the Reference
Platform you selected.
1. Make sure your hardware or virtual machine is running a 64-bit Windows Server release that the support matrix lists
for the roles you are installing: Windows Server 2012 R2 Standard or Enterprise Edition, Windows Server 2016, or
Windows Server 2019 (new installations only).
2. If necessary, enable .NET Framework 3.5.
a. Log in to the server as an administrator.
b. Start Server Manager.
c. Under Configure this local server, click Add roles and features.
The Add Roles and Features Wizard appears.
d. Under Installation Type, select Role-based or feature-based installation.
e. Under Server Selection, select your local server.
f. Under Features, expand the .NET Framework 3.5.1 Features node, select .NET Framework 3.5.1, and
then click Next.
g. Confirm your selection on the next page, click Install, and follow any additional guidance provided by the
installer.
3. Initialize and configure disks according to LogRhythm components. For more information, see the volume and
disk configurations in the Reference Platform section of this guide.
a. Initialize the newly created hard disks via disk management by going to Administrative
Tools, Computer Management, Storage, and Disk Management.
b. Set up disk partitions and volumes.
4. Run Windows Update to ensure the latest patches, updates, and service packs are installed.
5. If it is not already installed, download and install .NET Framework 4.7.2, which the Database Install Tool requires.
The Microsoft .NET Framework 4.7.2 standalone (offline) installer is available from Microsoft.
The .NET Framework 4.7.2 installation requires 4.5 GB of free disk space.
Endpoint protection software has been known to interfere with the LogRhythm solution, so you may need to disable or
uninstall it on all LogRhythm systems for the duration of the installation.
Do not leave the systems unprotected: when the LogRhythm installation is complete, re-enable or reinstall the antivirus or endpoint protection software.
A download link to the LogRhythm Database Install Tool should have been provided to you along with your
LogRhythm license. Contact LogRhythm Support if you cannot locate this tool.
The Platform Manager, and therefore an XM setup, contains LogRhythm’s SQL Server databases. Use the LogRhythm
Database Install tool to:
• Install SQL Server 2016 Standard SP2
• Apply the LogRhythm license for SQL Server
• Create the default LogRhythm users
• Create the initial databases, tables, stored procedures, and so on
• Size the databases as a percentage of disk space
The database installation can take up to 30 minutes. If you are installing on a virtual machine, it could take
longer.
If any of the drives on the server do not have enough space for the installation, the value under Will
Use is highlighted in red. You need to reconfigure the system disks to provide enough space for the
installation.
5. Click Install.
6. Change the default SQL Server password for the sa account (recommended, since a known default password is a
credential exposure): click Change Default SQL Password.
7. Type the new password for the sa account, and then click Save.
8. When you are ready to proceed, click Install.
9. The tool installs SQL Server and configures all of the necessary settings. This process may take up to ten
minutes, during which the screen appears to be inactive.
10. When the installation is finished, click Done to close the Database Install Tool.
• The LogRhythm Install Wizard requires .NET Framework version 4.7.2 or above.
• If you are installing or upgrading the Data Indexer or Web Console, ensure that Windows Firewall
Service is running before starting the Install Wizard to allow firewall rules to be created and so the
Common installer can open port 8300.
• Do not try to run the wizard from a network share. Run the wizard locally on each appliance.
• For systems with UAC (Vista and later), always run installers as a Local Administrator with elevated
privileges. The person performing the installation must be in the Local Admin group, unless the
domain is managed and the Group Policy Object dictates that only Domain Administrators can run
installers.
• When installing the Web Console, it is recommended that you run the LogRhythm Install Wizard to
install all Web Console services. You may choose to install the Web Console as a stand-alone
installation or as part of the XM Appliance or Platform Manager (PM) configurations.
When the Client Console is installed on a fresh system, additional software packages must be installed such as
Microsoft Visual C++ Redistributable packages, SAP Crystal Reports runtime engine, and .NET Framework
4.7.2. For this reason, the Client Console installer may take 30 minutes or more to complete.
1. Log in as an administrator on the appliance or server where you are installing or upgrading LogRhythm software.
2. Copy the entire LogRhythm Install Wizard directory to a new directory on the local server.
3. Open the Install Wizard directory, right-click LogRhythmInstallWizard.exe, and then click Run as
administrator.
The Welcome screen appears.
4. Click Next to proceed.
The wizard asks you to confirm that you have prepared the LogRhythm databases for the upgrade.
5. Click one of the following:
• If you have run the Database Install or Upgrade Tool on each Platform Manager or XM server (or EM or LM
server on 6.3.9 deployments), click Yes to continue.
• If you have not prepared the LogRhythm databases on all required appliances, click No to cancel the
wizard, install or upgrade all of the required databases, and then continue with this procedure.
The End User License Agreement appears.
6. Read the agreement carefully. By accepting the terms in the agreement, you agree to be bound by those terms.
7. If you accept the terms of the agreement, select the I accept the terms in the license agreement check box, and
then click Next.
The configuration selector appears. Depending on the selected configuration, the wizard upgrades or installs a
specific application or set of applications.
For certain configurations, you can optionally select to install or upgrade the AI Engine.
If you select the Web Console, it is installed to the default location, C:\Program Files\LogRhythm\LogRhythm Web Services.
For instructions on how to install the Web Console to a custom location, see the Use the LogRhythm Configuration
Manager section in this guide.
8. For each appliance that you install, select the target appliance configuration, according to the following table.
If you are upgrading an existing PM + DP appliance or another configuration that is not represented in the Install
Wizard, select one of the available configurations and then run the wizard again to install the next configuration.
7.x.x Configuration    Select…
XM                     XM
Platform Manager       PM
Data Processor         DP
AI Engine              AIE
Color    Meaning
Green    The application was installed successfully. A message about the application and installed version is
         also printed below the status indicators.
Red      Something went wrong and the application was not installed. Additional details will be printed below
         the status indicators. If something went wrong, check the installer logs located in the following
         location:
         C:\LogRhythm\Installer Logs\<install date and time>\
During the Web Console installation or upgrade, if you receive a message that notifies you of an error
with your Windows Installer package, go into each folder in C:\Program Files\LogRhythm\LogRhythm Web Services
and run the unzip.bat file as an administrator. For other failures, run a Repair.
12. Configure your deployment using the LogRhythm Configuration Manager that appears after the installation or
upgrade is complete.
The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited
settings are shown in Basic mode. Advanced mode displays all settings, including those shown in Basic mode,
grouped according to which service they affect. You can filter the settings that are displayed by clicking one of
the options on the left — All (no filtering), Authentication, or Web Services. When settings are filtered, you should
enable the Advanced view to ensure you can see all settings. For more information, see the Use the LogRhythm
Configuration Manager section in this guide.
While the Configuration Manager is still open, review your previous Web Console configuration values
(backed up before starting the upgrade), turn on the advanced view, and validate or set all of the
values in the Configuration Manager, especially the following:
• Global, Database Server. This is the IP address of your Platform Manager where the EMDB is
installed.
• Web Global, Database Password. This is the password for the LogRhythmWebUI user, used by
the Admin API for connecting to the EMDB. If the password is not correct, the Admin API will
display an error.
• Web Console UI values. Verify all settings for all Web Console instances.
When finished, click Save, back up your current configuration to file, and then close the Configuration
Manager.
After you validate and save your configuration, it is strongly recommended that you make a new backup.
Save the file in a safe location in case you need to restore it later.
If you need to install additional components that were not included in the selected configuration, run the
Install Wizard again and select the necessary components.
If you are using multiple Web Console instances, the Configuration Manager lets you apply individual
configurations to each instance. Each instance, for single or multiple Web Consoles, will be identified in the
Configuration Manager as Web Console UI - HOSTNAME, where HOSTNAME is the Windows host name of the
server where the Web Console is installed.
Configuring the Data Indexer for Windows and Linux has moved from the individual clusters to the
Configuration Manager on the Platform Manager.
Each Cluster has its own section under Data Indexers that looks like this:
Data Indexer - Cluster Name: <ClusterName> Cluster Id: <ClusterID>
The Cluster Name and Cluster ID come from the Environment variables, DX_ES_CLUSTER_NAME
and DXCLUSTERID on each server. The Cluster Name can be modified in the Configuration Manager.
If you change the Cluster Name, the name should be less than 50 characters long to ensure it
displays properly in drop-down menus. The DXCLUSTERID is automatically set by the software and
should not be modified.
Until you have had a chance to tune your deployment, and to avoid potential performance issues with AIE
Cache Drilldown, you should disable the AIE Drill Down Cache API after upgrading.
The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited settings are
shown in Basic mode. Advanced mode displays all settings, including those shown in Basic mode, grouped according to
which service they affect. You can filter the settings that are displayed by clicking one of the options on the left — All (no
filtering), Authentication, or Web Services. When settings are filtered, you should enable the Advanced view to ensure
you can see all settings.
To expand the screen and see all options at once, click the View menu in the upper-left corner of the LogRhythm
Configuration Manager window, then click Toggle Full Screen.
At the bottom of the LogRhythm Configuration Manager window, a service status indicator shows which Services are
active or inactive. A blue light indicates that all services are up. A red light indicates that one or more services are down.
You can hover the mouse over the indicator to see a list of which services are down. In Advanced mode, the indicator
light also appears next to each group header.
If your LogRhythm Configuration Manager appears grainy, you may need to turn on Windows Font Smoothing.
You can read how to do so here: http://www.microsoft.com/typography/ClearTypeFAQ.mspx
• In the Search box, type a term that appears in either the name or description of the configuration. Note
that headers and user input data won't be searched. Search returns results from both Basic and
Advanced modes, even if Advanced is not toggled on.
• Scroll through the Basic or Advanced configuration mode until you find the option you want. The
Configuration Manager is used to configure settings such as user ID, password, authentication strategy,
and log level for the following components:
• LogRhythm Database
• Admin API
• AIE Drilldown Cache API
• Alarm API
• API Gateway
• Authentication API
• Case API
• CloudAI
• Data Indexer - (one section per cluster)
• Help and Documentation
• Search API
• Notification Service
• SQL Service
• Web Console API
• Web Console UI
• Web Indexer
• Web Services Host SPI
• Windows Authentication Service
2. Enter the configuration you want. Note the following features:
• The LogRhythm Configuration Manager provides informational text as appropriate about what the
settings do and what unit data must be entered in.
• Configuration changes that could affect the performance of the environment include a written warning
beneath the input box.
• For organizations using Smart Cards, the Automatic Logout Time setting for Web Console API should be
increased from the default of zero.
• Upgrading to a new SIEM version may cause the LogRhythmWebUI Database Password to reset to the
default password in the Alarm API section in the Configuration Manager. If you had previously changed
this password, you must reenter your LogRhythmWebUI Database Password in the Alarm API section in
the Configuration Manager.
• When Web Console Smart Card Authorization is enabled, the other Authentication API settings will
become unavailable.
• Multi-factor authentication requires users to set up authentication tools on their devices.
For more information, see the Log in to the Web Console topic in the Enterprise SIEM Help.
3. Click Save after making changes to the configuration. You can also click Save in the Edit menu in the upper-left
corner of the Configuration Manager. The configuration file is saved to %APPDATA%\LogRhythm Configuration
Manager\presets. You can make additional configuration backups. For more information, see Back Up and
Restore section below.
If you make a configuration change and then change that configuration again back to the previously
saved setting, the Save button will be deactivated and the last saved values persist. To undo a single
configuration change, click Edit in the upper-left corner of the LogRhythm Configuration Manager, and
then click Undo. You can also press Ctrl+Z. If you need to undo several configuration changes at once,
clicking the Revert Unsaved Changes button sets all configurations back to their last saved values.
The affected service or services restart automatically and the changes are applied. A restart time of up to 60 seconds is
normal.
Before powering on and configuring a Linux Indexer appliance for the first time, ensure that only one of the
network interfaces is connected to your active network with an Ethernet cable. If you are using a virtual
machine, ensure that only one network interface is configured to connect or come up when the virtual
machine is powered on.
The ISO download link should have been provided to you along with your LogRhythm license.
Contact LogRhythm Support if you cannot locate this link.
• For a virtual installation, create a new virtual machine that meets the following requirements:
• OS Type is Linux
• OS Version is Red Hat 64-bit
• Hard drive, RAM, and processor meet the requirements stated above
• Two disks
• In the boot order of the system, Hard Disk should be listed before the CD/optical drive
• Note the IP address to be applied to each node, the netmask, the IP address of your default gateway, and the IP
address of two NTP servers to use.
• If you are installing a cluster of Data Indexers, note the following:
• Each Data Indexer server must be of identical specification. For example, the same appliance model, or
same configuration of processors, hard drives, network interfaces, and RAM.
• You must image each node with CentOS 7.x or RHEL 7, but you only need to run the package installer on
one of the cluster nodes.
• Your cluster can contain one or 3-10 physical hot nodes, and 1-10 warm nodes (optional).
If you are using a Red Hat Enterprise Linux 7 system, skip this procedure and go to the Create the LogRhythm
User section.
The ISO installation creates the required “logrhythm” user, creates and sizes all of the required partitions, and prompts
you for network, DNS, and NTP settings upon first logon.
1. If you are installing on a physical computer, burn the ISO image to a DVD. For a virtual install, mount the ISO for
the installation.
2. Boot the computer from the DVD, or start the virtual machine with the mounted ISO.
3. When the boot screen appears, use the arrow keys and the Enter key to select Install CentOS 7.
The operating system will be installed, which can take up to 10 minutes.
4. When prompted to log on, type logrhythm for the login and the default LogRhythm password for the password.
You are prompted to run the initial configuration script. The script is optional, but your Indexer will be
configured to use DHCP on the primary Ethernet adapter, which is not a supported configuration for a
production environment.
5. To run the script, type y.
You are prompted for network, DNS, and NTP details. At each prompt, detected or default values are displayed
in parentheses.
6. To accept these values, press Enter.
7. Enter the network and NTP information, as follows:
Prompt               Description
IP Address           The IP address that you want to assign to this Data Indexer node.
Domain name servers  The IP address of one or more domain name servers (DNS). If any servers were found via DHCP,
                     they will be displayed as the defaults. If no servers were found, the Google DNS servers will
                     be displayed as the defaults.
NTP servers          The IP address of one or more NTP servers. Enter the IP address of each server one at a time,
                     followed by Enter. When you are finished, press Ctrl+D to end.
After completing the items in the configuration script, the system tests connectivity to the default gateway and
the NTP servers. If any of the tests fail, press n when prompted to enter addresses again.
If you plan to deploy the Indexer in a different network environment and you expect the connectivity
tests to fail, you can press y to proceed.
After confirming the NTP values, you will be logged on as the logrhythm user.
8. Restart the network interfaces to apply the new settings:
10. To stop the sudo password prompt, add the following line to the sudoers file using the sudo visudo command:
If you are installing a cluster of Data Indexers, repeat the ISO installation on each Data Indexer node.
If you are using a CentOS Minimal system, skip this step. The ISO installation creates the user automatically.
# sudo su
# adduser logrhythm
# passwd logrhythm
4. Provide and confirm the desired password for the logrhythm user.
5. Add the logrhythm user to the wheel group:
# su - logrhythm
7. To stop the sudo password prompt, add the following line to the sudoers file using the sudo visudo command:
Before starting the Data Indexer installation, ensure that firewalld is running on all cluster nodes. To do this,
log on to each node and run: sudo systemctl start firewalld
The box type parameter is optional. If not designated, the installer will assign a box type of hot. Do not
use fully qualified domain names for Indexer hosts. For example, use only LRLinux1 instead
of LRLinux1.myorg.com.
4. To install DX and make the machine accessible without a password, download the DataIndexerLinux.zip file
from the Documentation & Downloads section of the LogRhythm Community, extract the PreInstall.sh file to
/home/logrhythm and execute the script.
sh ./PreInstall.sh
5. Generate a plan file which includes the IP of the Linux DX system and copy the plan.yml from the newly created
LRDeploymentPackage folder from XM to the node from where DX-Installation will be done.
6. Run the installer with the hosts file argument:
Press Tab after starting to type out the installer name, and the filename autocompletes for you.
7. If prompted for the SSH password, enter the password for the logrhythm user.
The script installs or upgrades the Data Indexer. Common components are installed at /usr/local/logrhythm/.
LogRhythm Common Components (API Gateway and Service Registry) logs:
sudo journalctl -u LogRhythmAPIGateway > lrapigateway.log
sudo journalctl -u LogRhythmServiceRegistry > lrserviceregistry.log
If the installation or upgrade fails with the error "failed to connect to the firewalld daemon", ensure that
firewalld is running on all cluster nodes and start this procedure again. To do this, log on to each node and
run: sudo systemctl start firewalld
Before starting the Data Indexer installation or upgrade, ensure that firewalld is running on all cluster nodes.
To do this, log on to each node and run: sudo systemctl start firewalld
The box type parameter is optional. If not designated, the installer will assign a box type of hot. Do not
use fully qualified domain names for Indexer hosts. For example, use only LRLinux1 instead
of LRLinux1.myorg.com.
4. To install DX and make the machine accessible without a password, download the DataIndexerLinux.zip file
from the Documentation & Downloads section of the LogRhythm Community, extract the PreInstall.sh file
to /home/logrhythm and execute the script.
sh ./PreInstall.sh
5. Generate a plan file which includes the IP of Linux DX system and copy the plan.yml from the newly created
LRDeploymentPackage folder from XM to the node from where DX-Installation will be done.
6. Run the installer with the hosts file argument:
Press Tab after starting to type out the installer name, and the filename autocompletes for you.
7. If prompted for the SSH password, enter the password for the logrhythm user.
The script installs or upgrades the Data Indexer on each of the DX machines. Common components are installed
at /usr/local/logrhythm.
LogRhythm Common Components (API Gateway and Service Registry) logs:
sudo journalctl -u LogRhythmAPIGateway > lrapigateway.log
sudo journalctl -u LogRhythmServiceRegistry > lrserviceregistry.log
If the installation or upgrade fails with the error "failed to connect to the firewalld daemon", ensure that
firewalld is running on all cluster nodes and start the installation again. To do this, log on to each
node and run: sudo systemctl start firewalld
The LRDX Node Installer is needed to hit the specified performance numbers for the DX 7500.
Prerequisites
At least 50 CPU cores and 124 GB of RAM are required for the LRDX Node Installer to run.
cd Soft
4. Run the LRDX Node Installer with the host file created in the initial install:
The hosts file must contain one entry per line in the form {IPv4 address} {hostname} {boxtype}, separated by
spaces, with the box type mandatory. The file might look like the following:
10.1.23.91 LRLinux1 hot
The box type parameter is mandatory in the hosts file; if it is not designated, the installer fails with a
"missing parameter" error.
5. When prompted for the SSH password, enter the password for the LogRhythm user.
Uninstall a Node
To uninstall the software or a Linux node:
1. Move the data from the secondary Elasticsearch node back to the primary by running:
The time required to complete this task depends on the amount of data stored.
The hosts file must contain one entry per line in the form {IPv4 address} {hostname} {boxtype}, separated by
spaces, with the box type mandatory. The file might look like the following:
10.1.23.91 LRLinux1 hot
The box type parameter is mandatory in the hosts file; if it is not designated, the installer fails with a
"missing parameter" error.
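A pre-flight check for the hosts file described above, written here as an added example rather than anything shipped with LogRhythm: it applies the rules this guide states (space-separated IPv4 address, short host name rather than an FQDN, hot or warm box type, box type mandatory for the LRDX Node Installer but defaulting to hot for the Data Indexer installer, and 1 or 3-10 hot plus 0-10 warm nodes per cluster). The function names, the "required"/"optional" mode argument and the sample entries are this example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the LogRhythm guide: sanity-check an LR hosts file before
# passing it to the Data Indexer installer or the LRDX Node Installer.
# Rules taken from the guide: one "<IPv4> <hostname> [hot|warm]" entry per line, the
# hostname must be a short name (LRLinux1, not LRLinux1.myorg.com), an omitted box type
# means hot for the Data Indexer installer but is an error for the LRDX Node Installer,
# and a cluster has 1 or 3-10 physical hot nodes plus 0-10 warm nodes.
# All sample entries used with this script are constructed.

# Succeed only if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() (
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
)

# Succeed only if $1 is a bare host name: letters, digits and hyphens, no dots (no FQDN).
is_short_hostname() {
  case "$1" in ''|*.*|*[!A-Za-z0-9-]*|-*) return 1 ;; esac
  [ "${#1}" -le 63 ]
}

# Check one hosts-file entry ($1). $2 is "required" (LRDX Node Installer) or "optional"
# (Data Indexer installer). Prints the effective box type on success; prints the
# problem to stderr and fails otherwise.
validate_hosts_line() (
  mode=$2
  set -f
  set -- $1
  if [ $# -ne 2 ] && [ $# -ne 3 ]; then
    echo "expected '<IPv4> <hostname> [boxtype]', got $# fields" >&2; return 1
  fi
  is_ipv4 "$1" || { echo "not a valid IPv4 address: $1" >&2; return 1; }
  is_short_hostname "$2" || { echo "use a short host name, not an FQDN: $2" >&2; return 1; }
  if [ $# -eq 3 ]; then
    case "$3" in hot|warm) echo "$3" ;; *) echo "box type must be hot or warm: $3" >&2; return 1 ;; esac
  elif [ "$mode" = required ]; then
    echo "box type is mandatory for the LRDX Node Installer" >&2; return 1
  else
    echo hot   # the Data Indexer installer treats an omitted box type as hot
  fi
)

# Check a whole hosts file ($1) with box-type mode $2 (default optional), then apply the
# guide's cluster-size limits. Succeeds only when every line and the node counts are valid.
validate_hosts_file() {
  hf_file=$1; hf_mode=${2:-optional}; hf_hot=0; hf_warm=0; hf_bad=0; hf_n=0
  while IFS= read -r hf_line || [ -n "$hf_line" ]; do
    hf_n=$((hf_n + 1))
    case "$hf_line" in *[![:space:]]*) ;; *) continue ;; esac   # skip blank lines
    if hf_type=$(validate_hosts_line "$hf_line" "$hf_mode"); then
      case "$hf_type" in hot) hf_hot=$((hf_hot + 1)) ;; warm) hf_warm=$((hf_warm + 1)) ;; esac
    else
      echo "$hf_file:$hf_n: invalid entry: $hf_line" >&2; hf_bad=$((hf_bad + 1))
    fi
  done < "$hf_file"
  if [ "$hf_hot" -eq 2 ] || [ "$hf_hot" -lt 1 ] || [ "$hf_hot" -gt 10 ]; then
    echo "$hf_file: $hf_hot hot node(s); a cluster needs 1 or 3-10 physical hot nodes" >&2
    hf_bad=$((hf_bad + 1))
  fi
  if [ "$hf_warm" -gt 10 ]; then
    echo "$hf_file: $hf_warm warm nodes; a cluster allows at most 10" >&2; hf_bad=$((hf_bad + 1))
  fi
  [ "$hf_bad" -eq 0 ]
}

# Usage: sh validate_hosts.sh /home/logrhythm/Soft/hosts [required|optional]
if [ $# -gt 0 ]; then validate_hosts_file "$@"; fi
```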
If the data move to the primary Elasticsearch node is not completed, this operation fails so that data
loss is avoided.
Prerequisites
These instructions assume:
• the Data Indexer ISO has already been installed on the new server.
• the node is in place and online.
• the first run has been executed and configured.
• the new node has the static IP address set.
• the new node has the hostname set.
• the new node has NTP configured.
• the Soft directory exists.
• the “logrhythm” user/password is set to match the existing “logrhythm” user.
Downtime
The amount of downtime experienced by the cluster will depend on the hardware, number of open indices, and their
relative sizes. The larger the indices are, the longer full recovery may take. All data processed by the Data Processors
will be spooled to the DXReliablePersist state folder until the cluster is recovered, and the data can be inserted into the
cluster.
Hardware Configuration
All hot nodes in the cluster require matching resources. Do not add a node to the cluster if the new node does not have
CPU, disk/partition, and memory configurations matching the existing nodes in the cluster. Hot and Warm node
hardware configurations may be different, although all hot nodes in the cluster should have the same configuration,
and all warm nodes in the cluster should have the same configuration. A mismatch in CPU, Memory, or disk/partition
sizes may cause performance issues and can affect the number of hot and warm indices available across the entire
cluster. Warm nodes will still be used for data ingestion.
Run the installer from the same node the installer was originally run from. Do not run the installer on the new
node. Adding a new node to the cluster requires configuration changes on all nodes. Running the installer from
the install node will ensure these configurations are pushed to all nodes in the cluster.
Verify that you are installing the correct version of the LogRhythm Data Indexer. If an incorrect version is installed, the
Data Indexer cannot be downgraded without fully uninstalling the software.
Verify the current installed version by viewing the version file on an existing node:
cat /usr/local/logrhythm/version
Cluster Health
Elasticsearch is not required to be in a green state while adding a node, but it is best practice to verify the cluster is
green before adding the node to ensure the process is successful.
Run the following command on any existing node to see the cluster health:
curl localhost:9200/_cluster/health?pretty
Verify that the status is green. If the cluster status is yellow or red, we recommend correcting any issues with the
cluster before proceeding.
Cluster Size
Consider the size of the cluster before adding a node, as there are some restrictions to the sizes of a single cluster.
• Total maximum cluster size is 30 Elasticsearch nodes
Cluster Configurations:
A possible configuration: 1 or 3-10 Hot physical Nodes + 0-10 2XDX software nodes + 0-10 Warm Nodes.
A single cluster may not contain only two physical hot nodes (including when 2XDX and warm nodes are part of the
cluster). This is to avoid a “split-brain” scenario. Hot nodes on a cluster can be 1 or 3 to a maximum of 10 physical hot
nodes.
A single cluster must contain at least one hot node and can contain from 0 up to 10 warm nodes.
2XDX only applies to DX7500 nodes as 2XDX software can only be installed on servers with 256 GB memory and 56 vcpu.
Each physical hot node can have one additional instance of the 2XDX (hot software node) if it meets the resource
requirements. It is not recommended that you install 2XDX on virtual servers as performance can be impacted. If 2XDX
nodes are used in a cluster, they should be installed on all physical hot nodes in the cluster.
Installation procedure
Follow this sequence for installation:
1. Verify that the new node is online and ready to be added to the cluster, noting the current IP and hostname of
the new node.
The node should be started and ready for the LogRhythm software to be installed.
You should not need to copy or edit any files for the new node.
Note the Hostname and IP Address from the server as these will need to be added to the plan, and to the hosts
files for the installed node in later steps.
Use the following commands to get the hostname and IP address of the server. The hostname must be set to the expected
hostname before adding the node to the cluster.
Hostname: hostname
IP Address: ip a
2. Identify the install node and verify the currently installed version of Data Indexer.
If you start the install with a LogRhythm Data Indexer version higher than the current installed version
on the cluster, you may need to reimage the new server to install a lower version.
a. Verify the currently installed version by running the following command on any existing node in the
cluster:
cat /usr/local/logrhythm/version
b. When the DX installer is executed in later steps, you will need to run the installer from the same node the
DX installer was originally run on. Usually, this is the first node in the cluster, which is the node that has
the existing hosts file created for the original install.
c. If you are unsure and need to identify the node, you can use one or both of the following methods:
i. Check the /home/logrhythm/ and /home/logrhythm/Soft directory on the node for the hosts
file. This is the file that was created during the original install. The hosts file will contain all
existing nodes, their respective IPs, and the box type. This file does not need to exist on all nodes
in the cluster, only the previous install node.
ii. You can also verify if a node is the primary host by viewing the primary_host file on each node.
cat /usr/local/logrhythm/env/primary_host
If is_primary_host=True, then this is the node on which the installer was last run.
If is_primary_host=False or (blank), then this is not the node on which the installer was last run.
3. Create an updated LRII package using the LogRhythm Infrastructure Installer on the Platform Manager that
includes the new node's IP address.
a. On the Platform Manager server, open the LogRhythm Infrastructure Installer from the LogRhythm
programs group.
b. Click Add/Remove Host.
c. Click Add Host.
d. Add the IP Address of the new DX host, and optionally, the host nickname.
e. Click Save.
f. Click Create Deployment Package.
g. Verify the IP Addresses in the list and click Create Deployment Package.
h. Select the folder location in which to create the new LRDeploymentPackage, and click Select Folder.
Once the package is created it will provide the path to the LRDeploymentPackage folder. Copy this path
to the clipboard if necessary to help locate the newly created package.
i. Click Next Step.
j. Click Run Host Installer on This Host.
This will start the install of the newly generated LRII package on the Platform Manager.
Once the LRII install completes on the Platform Manager, expand “Step 2”. At this point, leave the
LogRhythm Deployment Tool screen open on the Platform Manager; you will return to this screen after
the node is installed.
Do not close the LogRhythm Deployment Tool window until the cluster is successfully verified. Closing
the tool at this step may require starting the process over at the beginning (including the DX install
itself) to be able to validate the deployment.
4. Copy the necessary files to the Data Indexer install node. The currently installed version may already be present
in the Soft folder. You will not need to copy any files to the new node as the Data Indexer installer will copy
necessary files to all nodes in the cluster during install.
a. Using WinSCP, or similar, copy the plan.yml file (from the newly created LRDeploymentPackage folder
you selected in the previous steps) to the /home/logrhythm/Soft directory on the Data Indexer install
node (not the new node you are adding to the cluster). This file contains the updated plan information
for the common components.
Make sure you are using the newly generated plan.yml file. Using a previously generated plan
file may render the Data Indexer unable to communicate with other LogRhythm services and
servers.
b. Verify that the Data Indexer installer and the PreInstall.sh file are both present in the Soft folder.
If these files are missing, re-verify that this is the node the installer was originally run from. If the files
were deleted since the last install, download the standalone Linux Data Indexer version installer zip
from the community and copy the two files included in the zip to the Soft folder.
PreInstall.sh
LRDataIndexer-{version}.centos.x86_64.run
5. Update the existing hosts file on the installer node with the new node information. The hosts file is usually
created in the /home/logrhythm/Soft directory but may be in /home/logrhythm/. This file should already
contain the IP address, hostname, and box type of the existing nodes in the cluster.
a. Edit the LR specific hosts file used by the Data Indexer Installer using vi or similar editor.
sudo vi /home/logrhythm/Soft/hosts
The box type is optional if there are only hot nodes in the cluster. If the other host lines have the
box type, it must be added to the new line as well. If warm nodes exist or you are adding a
warm node, the box type must be set for all hosts for a successful configuration during
install.
6. Run the PreInstall.sh script (on the installer node) to set up public-key (password-less) SSH authentication.
a. (Optional) If you had to copy PreInstall.sh, you will need to set execute permission on the PreInstall.sh
script.
sh /home/logrhythm/Soft/PreInstall.sh
c. Enter the current ssh password for the logrhythm user (password used to connect to the server).
d. Enter the path to the hosts file updated in the last step.
The script will run through multiple steps.
Some steps of the PreInstall.sh may show a warning or error depending on the current configuration.
These can be ignored if the Testing ssh as logrhythm user using Public Key Authentication section
shows SSH OK, for all hosts in the host file. If SSH: Failed shows for any host, review the output and fix
any SSH issues prior to running the DX installer.
The Data Indexer installer WILL fail if public-key authentication is not successfully set up prior to running
the installer.
7. Run the Data Indexer installer to add the node to the cluster, using the Data Indexer install command from the
commands below. You will need to supply the full path to the hosts file, the full path to the plan.yml
file, the existing cluster name, and the --force switch. The force switch is needed because you are
running the installer against the same installed version.
This step assumes the cluster health is green. The existing cluster name can be found in the
LogRhythm Console on the Clusters Tab, under Deployment Monitor.
cd /home/logrhythm/Soft
Example:
The Data Indexer installer will execute and run through the full install, adding the new node to the cluster. Once
the successful message is displayed, the node has been added to the cluster. If you receive a message that the
install failed, review the /var/log/persistent/ansible.log for the reasons for the failure, correct any underlying
issues, and run the install command again.
8. (Optional) If the newly added node is a DX7500 node, run the secondary LR DX Node Installer to add the 2XDX
software to the newly installed node.
The LRDXNodeInstaller is a separate installer from the Data Indexer installer, available from the
downloads page.
On the install node, execute the LRDXNodeInstaller using the following Base Command:
Example:
9. Run the following command to verify that the node was successfully added to the cluster with the correct box
type:
curl localhost:9200/_cat/nodeattrs?v
All nodes in the cluster should be present along with their current box type. Any 2XDX nodes can be identified by
their node name, which is shown as <hostname>-data.
You can also run the cluster health command to verify the total number of nodes present in the cluster:
curl localhost:9200/_cluster/health?pretty
Troubleshooting
After the install completes, all Data Indexer services will automatically start on all nodes. It may take a minute or two for
Elasticsearch to start on all nodes.
If the Elasticsearch API endpoint does not respond after 5 minutes, check the Elasticsearch /var/log/elasticsearch/
<clustername>.log file to identify any errors Elasticsearch may be experiencing on startup. The Elasticsearch Service
log will exist on each node in the cluster. You may need to check the log on each individual node to determine the full
extent of any issues with the service or cluster starting. The log will be named the same as the cluster name provided in
the install command.
Get the service status on a specific node:
tail -f /var/log/elasticsearch/<clustername>.log
When the Elasticsearch node services start and the master node is elected, the cluster health will go from red -> yellow
-> green. It may take an extended period (hours) for all existing indices to be recovered after the install. The cluster
health command will show you the percentage of index shards recovered. Indexing and search will be available once
the primary shards have been recovered.
The cluster health change from red to yellow is usually relatively fast, but the time between the health change from
yellow to green will depend on the number of indices, and their shard sizes.
You can verify the status of index recovery using the following command on any node:
The number of shards that are recovered at any time is throttled by Elasticsearch settings.
If shards stop showing in the recovery list, and the cluster health has not yet reported green, please contact LogRhythm
Support to investigate why shards are not initializing or assigning as expected.
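The two verification commands from step 9 (curl localhost:9200/_cat/nodeattrs?v and curl localhost:9200/_cluster/health?pretty) and the recovery check described in this troubleshooting section can be automated. The following Python script is an added example and not part of the LogRhythm installer: it parses constructed sample output in the shape of those two Elasticsearch responses, identifies 2XDX nodes by the <hostname>-data naming convention, compares the cluster membership against the hosts you expect, and applies the "shards stopped recovering while health is not green" heuristic to a series of health snapshots. The host names, IPs, the box_type attribute name and all numbers in the samples are made up; the JSON field names are the standard Elasticsearch ones.

```python
import json

# Constructed sample in the shape of `curl localhost:9200/_cat/nodeattrs?v`.
# Host names, IPs, the attribute name and its values are made up for this example.
SAMPLE_NODEATTRS = """\
node       host       ip         attr     value
dx01       10.0.0.11  10.0.0.11  box_type hot
dx02       10.0.0.12  10.0.0.12  box_type hot
dx03       10.0.0.13  10.0.0.13  box_type hot
dx03-data  10.0.0.13  10.0.0.13  box_type hot
"""

# Constructed sample in the shape of `curl localhost:9200/_cluster/health?pretty`
# (field names are the real Elasticsearch ones; the numbers are invented).
SAMPLE_HEALTH = """\
{
  "cluster_name" : "logrhythm",
  "status" : "yellow",
  "number_of_nodes" : 4,
  "number_of_data_nodes" : 4,
  "active_primary_shards" : 120,
  "active_shards" : 180,
  "relocating_shards" : 0,
  "initializing_shards" : 4,
  "unassigned_shards" : 56,
  "active_shards_percent_as_number" : 75.0
}
"""


def parse_health(text):
    """Parse the JSON body of _cluster/health into a dict."""
    return json.loads(text)


def parse_nodeattrs(text):
    """Turn the _cat/nodeattrs table into {node_name: {attr: value}}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    col = {name: i for i, name in enumerate(lines[0].split())}
    nodes = {}
    for ln in lines[1:]:
        cells = ln.split()
        nodes.setdefault(cells[col["node"]], {})[cells[col["attr"]]] = cells[col["value"]]
    return nodes


def is_2xdx_node(node_name):
    """2XDX secondary nodes appear in the cluster as <hostname>-data."""
    return node_name.endswith("-data")


def check_cluster(health_text, nodeattrs_text, expected_hosts):
    """Compare the cluster's view of itself with the hosts you expect to be in it."""
    health = parse_health(health_text)
    nodes = parse_nodeattrs(nodeattrs_text)
    physical = {n for n in nodes if not is_2xdx_node(n)}
    two_x_dx = {n[: -len("-data")] for n in nodes if is_2xdx_node(n)}
    problems = []
    missing = sorted(set(expected_hosts) - physical)
    if missing:
        problems.append("hosts in the hosts file but not in the cluster: " + ", ".join(missing))
    if health["number_of_nodes"] != len(nodes):
        problems.append("nodeattrs lists %d nodes but cluster health reports %d"
                        % (len(nodes), health["number_of_nodes"]))
    for host in sorted(two_x_dx - physical):
        problems.append("2XDX node %s-data is present but its primary node %s is not" % (host, host))
    return {
        "status": health["status"],
        "nodes_reported": health["number_of_nodes"],
        "physical_nodes": sorted(physical),
        "two_x_dx_hosts": sorted(two_x_dx),
        "box_types": {n: attrs.get("box_type") for n, attrs in nodes.items()},  # box_type is an assumed attr name
        "recovery_percent": health["active_shards_percent_as_number"],
        "problems": problems,
    }


def recovery_stalled(snapshots):
    """Heuristic for the 'shards stopped recovering but health is not green' case.

    Feed it _cluster/health dicts polled a few minutes apart. Recovery counts as
    stalled when every snapshot is non-green, nothing is initializing or
    relocating, unassigned shards remain, and the recovered percentage has not
    moved. Elasticsearch throttles recovery, so a single snapshot is not enough.
    """
    if len(snapshots) < 2:
        return False
    percents = {s["active_shards_percent_as_number"] for s in snapshots}
    return (len(percents) == 1
            and all(s["status"] != "green" for s in snapshots)
            and all(s["initializing_shards"] == 0 and s["relocating_shards"] == 0
                    for s in snapshots)
            and all(s["unassigned_shards"] > 0 for s in snapshots))


if __name__ == "__main__":
    report = check_cluster(SAMPLE_HEALTH, SAMPLE_NODEATTRS, ["dx01", "dx02", "dx03"])
    print(json.dumps(report, indent=2))
```

On a live node, replace the two sample strings with the bodies returned by the curl commands and pass the host names from your hosts file as expected_hosts; an empty problems list together with a green status is the state the guide expects before you continue.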
1. Verify that the following LogRhythm services are at the same version as the main installer version:
• Bulldozer
• Carpenter
• Columbo
• GoMaintain
• Transporter
• Watchtower
2. Verify that the following tools/libraries have been installed:
• Cluster Health
• Conductor
• Persistent
• Silence
• Unique ID
• Upgrade Checker
3. Verify the following version of this service:
• elasticsearch 6.8.3
curl localhost:9200/_cat/nodeattrs?v
For 2XDX, physical nodes are only used for the shard calculation. A three-node 2XDX will have six
shards.
The value for Disk Util Limit should not be set higher than 80. This can have an impact on the ability of
Elasticsearch to store replica shards for the purpose of failover.
Maintenance is applied to the active repository, as well as archive repositories created by SecondLook. When the Disk
Usage Limit is reached, active logs are trimmed when “max indices” is reached. At this point, GoMaintain deletes
completed restored repositories starting with the oldest date.
The default settings prioritize restored repositories above the active log repository. Restored archived logs are
maintained at the sacrifice of active logs. If you want to keep your active logs and delete archives for space, set your min
indices equal to your max indices. This forces the maintenance process to delete restored repositories first.
Do not modify any of the configuration options under Force Merge Config without the assistance of
LogRhythm Support or Professional Services.
Merging Enabled (default: false): If set to true, merging is enabled. If set to false, merging is
disabled.
Logging of configuration and results for force merge can be found in C:\Program
Files\LogRhythm\DataIndexer\logs\GoMaintain.log.
Index Configs
The DX monitors Elasticsearch memory and DX storage capacity.
GoMaintain tracks heap pressure on the nodes. If the pressure constantly crosses the threshold, GoMaintain decreases
the number of days of indices by closing the index. Closing the index removes the resource needs of managing that data
and relieves the heap pressure on Elasticsearch. GoMaintain continues to close days until the memory is under the
warning threshold and continues to delete days based on the disk utilization setting of 80% by default.
The default config is -1. This value monitors the system's resources and auto-manages the time-to-live (TTL). You can
configure a lower TTL by changing this number. If this number is no longer achievable, the DX sends a diagnostic
warning and starts closing the indices.
Indices that have been closed by GoMaintain are not actively searchable in 7.6 but are maintained for reference
purposes. To see which indices are closed, run a curl command such as the following:
After you open the index in this way, you can investigate the data in either the Web Console or Client Console.
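The curl commands referred to above are not reproduced on this page. As an added example (not LogRhythm's or GoMaintain's code), the following Python helper reads the output of the standard Elasticsearch cat API, curl 'localhost:9200/_cat/indices?v&h=index,status,pri,rep&s=index', lists the indices whose status is close, builds the standard Elasticsearch _open request for each, and summarises open versus closed days against a configured TTL. It assumes one index per day of logs, and the index names in the sample are constructed, not the DX's real naming scheme.

```python
# Constructed sample in the shape of the Elasticsearch 6.x cat API:
#   curl 'localhost:9200/_cat/indices?v&h=index,status,pri,rep&s=index'
# The index names are made up; the status column is the real one (open/close).
SAMPLE_INDICES = """\
index            status pri rep
logs-2023.01.01  close  3   1
logs-2023.01.02  close  3   1
logs-2023.01.03  open   3   1
logs-2023.01.04  open   3   1
logs-2023.01.05  open   3   1
"""


def parse_cat_indices(text):
    """Turn a _cat/indices?v table into a list of {column: value} rows."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    return [dict(zip(header, ln.split())) for ln in lines[1:]]


def closed_indices(text):
    """Names of the indices GoMaintain (or anyone) has closed."""
    return sorted(r["index"] for r in parse_cat_indices(text) if r["status"] == "close")


def open_index_command(index, host="localhost:9200"):
    """Standard Elasticsearch open-index request for one closed index.

    Opening an index loads its shards back into the heap, so if the index was
    closed for heap pressure GoMaintain may close it again later.
    """
    return "curl -XPOST 'http://%s/%s/_open'" % (host, index)


def ttl_report(text, configured_ttl=-1):
    """Summarise days kept open vs closed against the configured TTL.

    Assumes one index per day. -1 is the default, meaning GoMaintain
    auto-manages the TTL from resource usage, so no fixed target applies.
    """
    rows = parse_cat_indices(text)
    open_days = sum(1 for r in rows if r["status"] == "open")
    closed_days = len(rows) - open_days
    return {
        "open_days": open_days,
        "closed_days": closed_days,
        "configured_ttl": configured_ttl,
        "ttl_not_met": configured_ttl != -1 and open_days < configured_ttl,
    }


if __name__ == "__main__":
    for name in closed_indices(SAMPLE_INDICES):
        print(open_index_command(name))
    print(ttl_report(SAMPLE_INDICES, configured_ttl=7))
```

ttl_not_met being true is the situation the text describes: the configured number of days is no longer achievable, so the DX has started closing indices and will have raised a diagnostic warning.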
If you need assistance with any of the procedures listed below, contact your system or network administrator.
Ports that are currently open on all interfaces are displayed below the firewall status.
The netsh command has been deprecated but should still work on Windows Server 2008 R2, 2012 R2,
and 2016. If necessary, start Windows Firewall and search for the ports that are allowed on the current
server.
• LogRhythmEMDB
5. Exit Microsoft SQL Server Management Studio.
Alarming Manager X X
Console* X X
Job Manager X X
Common X X
NSSM is not a LogRhythm application, but a third-party service manager that provides a wrapper
around Java, Go, and other services to ensure that they run properly on Windows and that they are
restarted when they stop.
For all *NIX operating systems that support Realtime FIM, the System Monitor requires root privileges.
The LogRhythm upgrade guides contain information about some post-upgrade (or postinstall) configurations
that are important to your deployment. You may want to review those guides to ensure that at least the
following items are addressed:
• Ensure that all Data Processors are assigned to a cluster
• Verify the IP Address of the LogMart Database Server
You need the following items for the deployment, whether you configure LogRhythm yourself or you work with
Professional Services:
• LogRhythm License File that is sent via email
• LogRhythm Knowledge Base (extension .lkb), which is located in the following folder: \LogRhythm\Install\KB
The following lists include the default directories. However, the location of any State folder (including AI
Engine, Job Manager, and SCARM) and archive data is customizable to use any location (for example, D:\). The
locations of these folders need to be excluded.
XM Appliance
If you have an XM appliance, apply the exclusions specified for the PM, DPX, and AIE (if installed).
PM Appliance
• D:\*.mdf
• L:\*.ldf
• T:\*.mdf
• T:\*.ldf
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• C:\tmp\indices\ (if Web Console is installed on the PM)
• If the Threat Intelligence Service (TIS) is installed:
• C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\*.*
• C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\staging\HailATaxii\*.*
DX Appliance (Linux)
• /usr/local/logrhythm/db/elasticsearch/data (default path, includes both state and data files)
AIE Appliance
• C:\Program Files\LogRhythm\LogRhythm AI Engine\data\*.*
• C:\Program Files\LogRhythm\LogRhythm AI Engine\state\*.*
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
If the AIE service is running on the PM appliance, exclude these directories on the PM.
The above paths are the default installation locations for the System Monitor Agent. If you install the Agent in a
different location (for example, D:\), update the exclusions as required.
Web Console
• D:\tmp\indices
You must have the IP address of each LogRhythm server in your deployment, with the exception of those
running the Client Console or standalone System Monitors. You will also need SQL database credentials (sa or
equivalent user) for the EMDB and the ability to log in to each of the LogRhythm servers to run the
deployment package that the Deployment Tool generates.
1. In the Start menu on the machine where you have LogRhythm installed, click LogRhythm, and then LogRhythm
Infrastructure Installer.
2. Click Add/Remove Hosts.
3. Click Add Host.
4. Enter the information for the new host and click Save.
5. Click Deployment Properties.
6. If necessary, change the Deployment Properties to match your deployment, and then click OK.
7. Click Create Deployment Package.
8. Follow the instructions provided by the Infrastructure Installer.
9. When you have finished, return to the home page of the Infrastructure Installer and click Verify Deployment
Status.
10. When the Infrastructure Installer indicates that your deployment is healthy, use the LogRhythm Installation
Wizard to install your new component.
11. License, configure, and add the new component according to the instructions provided in the LogRhythm Client
Console Help or LogRhythm Web Console Help.
Logs
Installer logs are located in C:\LogRhythm\InstallerLogs, in a folder with the date you completed the installation. The
_LIW will show basic information about the Install Wizard, and the LogRhythm_Infrastructure_Installer_Silent will
show more information about the Deployment Tool.
In addition, you can find more information about the Deployment Tool install at C:\Program
Files\LogRhythm\LogRhythm Infrastructure Installer\logs or in the MSI log on the server, located at %Temp%.
The Linux DX installer logs are located at /var/log/persistent. You can run cat logrhythmclusterinstall.sh.log or
lorhythm-node-install.sh.log to view the contents of these logs.
Troubleshooting
Below are some potential issues that may arise when running the Deployment Tool.
When upgrading my Linux DX, I received an error that states the LRII Plan file is invalid
You may not have added the plan file location to the executable path. Make sure you use the full execution path. It
should be similar to the following:
sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts
/home/logrhythm/soft/hosts --plan /home/logrhythm/soft/plan.yml
The Web Console can be accessed on Google Chrome (version 54 or higher is recommended), Mozilla Firefox
(version 50.0.1 or higher is recommended), or Internet Explorer 11. The Web Console is not supported on
tablets, mobile devices, or touch screens.
Do not manually insert line breaks within the certificates. The certificates do not need to be in any
specific order.
The LogRhythm Web Console supports .pem and .crt files only. If you convert to a .crt file using OpenSSL, be
sure to use the -nokeys flag.
1. Ensure the private key is unencrypted. The private key should not require a password.
2. Concatenate the certificate with the issuing and root Certificate Authority (CA) certificates into a single file, if necessary.
3. Open the LogRhythm Configuration Manager.
4. To add the public key to the SSL Public Key parameter, click Choose File and select the public key in the file
browser.
5. To add the private key to the SSL Private Key parameter, click Choose File and select the private key in the file
browser.
6. Save your changes, and restart services, if necessary.
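Before uploading the two files through the Configuration Manager, it is worth checking them for the three conditions stated above: an unencrypted private key, a certificate file that holds the whole chain, and no hand-inserted line breaks. The following Python script is an added example, not LogRhythm's code; it uses only the standard library and validates PEM structure (block labels, 64-character base64 lines, decodable bodies, the legacy Proc-Type: 4,ENCRYPTED header). The sample PEM blocks it builds are filler bytes, not real certificates or keys, so it runs offline.

```python
import base64
import re

# One PEM block: label, then base64 body lines, then matching END line.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
LINE_LEN = 64  # OpenSSL writes 64-character base64 lines (RFC 7468)


def _pem(label, payload):
    """Build a PEM block from raw bytes. Used only to construct the samples below."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + LINE_LEN] for i in range(0, len(b64), LINE_LEN)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed sample material: filler bytes, not real certificates or keys.
LEAF = _pem("CERTIFICATE", b"\x30\x82" + bytes(300))
ISSUING = _pem("CERTIFICATE", b"\x30\x82" + bytes(250))
ROOT = _pem("CERTIFICATE", b"\x30\x82" + bytes(200))
GOOD_BUNDLE = LEAF + ISSUING + ROOT          # leaf + issuing CA + root CA in one file
GOOD_KEY = _pem("PRIVATE KEY", bytes(500))   # PKCS#8 without a passphrase
ENCRYPTED_KEY = _pem("ENCRYPTED PRIVATE KEY", bytes(500))

# The same leaf certificate with a line break typed into the middle of a body line.
_lines = LEAF.splitlines()
_lines[2] = _lines[2][:10] + "\n" + _lines[2][10:]
BROKEN_BUNDLE = "\n".join(_lines) + "\n"


def pem_blocks(text):
    """Return [(label, body)] for every PEM block in the text."""
    return [(m.group(1), m.group(2)) for m in PEM_RE.finditer(text)]


def body_problems(label, body):
    """Check one block's body for encryption headers, odd line lengths and bad base64."""
    lines = body.splitlines()
    if any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines):
        return ["%s block is encrypted (legacy Proc-Type header)" % label]
    problems = []
    for i, ln in enumerate(lines[:-1]):           # last line may legitimately be short
        if len(ln) != LINE_LEN:
            problems.append("%s block: line %d is %d chars, expected %d (manual line break?)"
                            % (label, i + 1, len(ln), LINE_LEN))
    try:
        base64.b64decode("".join(lines), validate=True)
    except ValueError:
        problems.append("%s block: body is not valid base64" % label)
    return problems


def check_bundle(cert_text, key_text):
    """Validate the public (certificate chain) and private key files as a pair."""
    result = {"certificates": 0, "key_type": None, "errors": []}
    certs = pem_blocks(cert_text)
    result["certificates"] = sum(1 for lbl, _ in certs if lbl == "CERTIFICATE")
    if result["certificates"] == 0:
        result["errors"].append("no CERTIFICATE block found in the public key file")
    for lbl, body in certs:
        if lbl != "CERTIFICATE":
            result["errors"].append("unexpected %s block in the certificate file" % lbl)
        result["errors"].extend(body_problems(lbl, body))
    keys = pem_blocks(key_text)
    if len(keys) != 1:
        result["errors"].append("expected one PEM block in the private key file, found %d" % len(keys))
    for lbl, body in keys:
        result["key_type"] = lbl
        if lbl == "ENCRYPTED PRIVATE KEY":
            result["errors"].append("private key is encrypted; the Web Console needs an unencrypted key")
        elif not lbl.endswith("PRIVATE KEY"):
            result["errors"].append("private key file contains a %s block, not a private key" % lbl)
        result["errors"].extend(body_problems(lbl, body))
    return result


if __name__ == "__main__":
    print(check_bundle(GOOD_BUNDLE, GOOD_KEY))
    print(check_bundle(GOOD_BUNDLE, ENCRYPTED_KEY))
    print(check_bundle(BROKEN_BUNDLE, GOOD_KEY))
```

To check real files, read them with open(path).read() and pass the contents to check_bundle; a certificates count of 1 on a chain that should include the issuing and root CAs means step 2 was skipped, and a non-empty errors list names the block and line to fix.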
If you want to completely remove the Web Services, it is safe to remove the entire LogRhythm Web Services directory. If
you plan to reinstall Web Services, it is not necessary to remove the Web Console folder structure.