
Upgrade a LogRhythm Deployment to 7.4.4

January 22, 2019


© LogRhythm, Inc. All rights reserved.
This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by
copyright and possible non-disclosure agreements. The Software described in this Guide is furnished under
the End User License Agreement or the applicable Terms and Conditions (“Agreement”) which governs the
use of the Software. This Software may be used or copied only in accordance with the Agreement. No part of
this Guide may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying and recording for any purpose other than what is permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use
of this information.

Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned
may be trademarks, registered trademarks, or service marks of their respective holders.

LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com

Phone Support (7am - 6pm, Monday-Friday)


Toll Free in North America (MT) +1-866-255-0862
Direct Dial in the Americas (MT) +1-720-407-3990
EMEA (GMT) +44 (0) 844 3245898
META (GMT+4) +971 8000-3570-4506
APAC (SGT) +65 31572044
Table of Contents
Supported Upgrade Path............................................................................................... 8
HA and DR Upgrades...................................................................................................... 8
Existing Components ..................................................................................................... 8
New Architecture and New Component Names........................................................... 9
Log Manager Database, LMDB > Data Indexer...................................................................................... 9
Log Manager (Mediator) > Data Processor............................................................................................ 9
Event Manager > Platform Manager...................................................................................................... 9
Plan for the Upgrade.............................................................................................................................. 9
Scenario A................................................................................................................................................................................9
Scenario B................................................................................................................................................................................9
Scenario C..............................................................................................................................................................................10
Upgrade Phases ................................................................................................................................... 10
Review the Upgrade Requirements and Considerations........................................... 11
Scheduling the Upgrade ...................................................................................................................... 11
FIPS Mode Supported .......................................................................................................................... 11
Core Service and Client Console Compatibility.................................................................................. 11
Some Operating Systems No Longer Supported ............................................................................... 11
SQL Server Security Hardening Impacts............................................................................................. 11
Check Point Log Collection.................................................................................................................. 12
Oracle DB Log Collection Supported by 7.4.4 64-bit Agent Using OLE DB ........................................ 12
Other System Monitor Agent Considerations ..................................................................................... 12
XM and PM + DP/DX/DPX Upgrades..................................................................................................... 12
Windows Server 2012 R2 or Server 2016 Required on XM and PM Appliances ................................. 12
SQL Server 2016 Standard SP1 Required on Platform Manager ....................................................... 13
Microsoft .NET Framework 4.5.2 ......................................................................................................... 13
Administrator Credentials ................................................................................................................... 13
Power Supply ....................................................................................................................................... 13

LogRhythm, Inc. | Contents 3


Web Console Prerequisites.................................................................................................................. 14
Special Considerations for Upgrades from 6.3.x ................................................................................ 14
6.3.x Agents Not Supported for UDLA Collection ................................................................................................................14
New Data Persistence ...........................................................................................................................................................14
Gen1 (LR) Appliances Not Supported ..................................................................................................................................15
Gen2 (LRX) Appliances Not Fully Supported .......................................................................................................................15
Custom Fields Not Supported ..............................................................................................................................................15
XM and EM + LM Appliance Upgrades ................................................................................................. 15
LogRhythm Infrastructure Installer Prerequisites ............................................................................. 15
Networking and Communication........................................................................................................ 15
LogRhythm Networking Considerations ............................................................................................ 16
LogRhythm Server IP Addresses ..........................................................................................................................................16
DNS Resolution .....................................................................................................................................................................16
Domain Membership.............................................................................................................................................................16
Remote Event Log Collection User Account ........................................................................................................................16
LogRhythm Networking Communications ......................................................................................... 16
Data Indexer - Inbound Ports .............................................................................................................. 23
Data Indexer - Local Ports ................................................................................................................... 25
Agent to Data Processor Communications......................................................................................... 26
Unidirectional Agent Communication ................................................................................................ 26
Consul Communications ..................................................................................................................... 27
Download Software to Upgrade a LogRhythm Deployment ..................................... 29
Download the LogRhythm Database Upgrade Tool .......................................................................... 29
Download the LogRhythm Install Wizard ........................................................................................... 29
Download the Linux Data Indexer Installer ........................................................................................ 30
Download TLS 1.2 Patches and Hotfixes ............................................................................................ 30
(Optional) Download the Elasticsearch Upgrade Checker ................................................................ 31
(Optional) Download System Monitor Packages for *NIX.................................................................. 32
Prepare to Upgrade a LogRhythm Deployment ......................................................... 34
Record Service Credentials.................................................................................................................. 34

Request LogRhythm License File ........................................................................................................ 34
Note Current Log, Event, and Alarm Volumes .................................................................................... 34
Modify web.config for LR API............................................................................................................... 34
Back Up Web Console Configuration .................................................................................................. 34
Note Platform Manager IP, LogRhythm Web UI Password, and Login Warning Banner.................. 35
Verify Max Log Size Bytes on the Data Indexer ................................................................................... 35
Verify Disk Utilization Limit on the Data Indexer................................................................................ 35
Synchronize Stored Knowledge Base ................................................................................................. 35
Configure the System Monitor Service ............................................................................................... 37
Manually Run Audit Reports ................................................................................................................ 37
(Optional) Run the Upgrade Checker.................................................................................................. 37
Run the Upgrade Checker on Windows ...............................................................................................................................37
Run the Upgrade Checker on Linux......................................................................................................................................37
Verify Deployment Status in the LogRhythm Infrastructure Installer............................................... 38
Shut Down Antivirus and Endpoint Protection Software .................................................................. 39
Exit All Client Consoles......................................................................................................................... 39
Upgrade LogRhythm Databases ................................................................................. 40
Run the LogRhythm Database Upgrade Tool..................................................................................... 40
Reconfigure Virtual Disks on Standalone Log Managers ................................................................... 43
Remove Existing Drives.........................................................................................................................................................43
Create a New Virtual Disk .....................................................................................................................................................43
Prepare New Virtual Disk ......................................................................................................................................................44
DAS Configuration: Remove Existing Drives ........................................................................................................................44
DAS Configuration: Create a New Virtual Disk.....................................................................................................................44
DAS Configuration: Prepare New Virtual Disk .....................................................................................................................45

Upgrade LogRhythm Appliances................................................................................. 46


Upgrade the LogRhythm Data Indexer ....................................................................... 51
Configure a Proxy Connection for Indexer Upgrades......................................................................... 51
Configure Upgrades Without Internet Access (Dark Sites) ................................................................ 51
Upgrade a Single-Node Cluster ........................................................................................................... 52

Upgrade a Multi-Node Cluster............................................................................................................. 53
Validate the Linux Indexer Upgrade.................................................................................................... 55
Perform Post-Upgrade Procedures on the Upgraded LogRhythm Deployment...... 57
Install .NET 4.5.2 Hotfixes to Support TLS 1.2 Communication ........................................................ 57
Apply .NET 4.5.2 Hotfix for Windows 7 SP1, Windows Server 2008, Windows Server 2008 R2..........................................57
Apply .NET 4.5.2 Update for Windows 8.1 or Windows Server 2012 R2..............................................................................57
Configure the Data Indexer.................................................................................................................. 58
Windows ................................................................................................................................................................................58
Linux ......................................................................................................................................................................................61
Information About Automatic Maintenance........................................................................................................................64
Disk Utilization Limit.............................................................................................................................................................64
Force Merge Config ...............................................................................................................................................................65
Index Configs.........................................................................................................................................................................66
Import the License File ........................................................................................................................ 66
Start the LogRhythm Solution............................................................................................................. 67
Upgrade and Start Other Agents ......................................................................................................... 67
Windows ................................................................................................................................................................................68
(Optional) *NIX ......................................................................................................................................................................69
Import the Latest Knowledge Base..................................................................................................... 69
Automatic Download ............................................................................................................................................................69
Manual Download .................................................................................................................................................................70
Complete Knowledge Base Import Wizard..........................................................................................................................70
Verify Communication with AI Engine ................................................................................................ 71
Configure or Verify Communication Ports.......................................................................................... 72
Configure Access for Remote Consoles ...............................................................................................................................72
Verify Ports on the Linux Data Indexer.................................................................................................................................72
Verify Ports on the Windows Data Indexer or the Data Processor .....................................................................................73
Add Realtime Antivirus Exclusions for LogRhythm ............................................................................ 73
XM Appliance .........................................................................................................................................................................73
PM Appliance.........................................................................................................................................................................73
DP or DPX Appliance (Windows)...........................................................................................................................................74
DX Appliance (Linux) .............................................................................................................................................................74

AIE Appliance.........................................................................................................................................................................74
Collector Appliance or Agents Deployed on Servers...........................................................................................................74
Agents Deployed Linux Servers ............................................................................................................................................74
High Availability Deployments .............................................................................................................................................74
Post-Upgrade Comparison and Validation......................................................................................... 75
Verify Web Console Processes ............................................................................................................. 75
Remove Generic Web Console UI Entry from the Configuration Manager........................................ 76
Recreate Task to Delete Older SQL Server Backup Files.................................................................... 76
Set KB Downloads to Automatic ......................................................................................................... 77
Remove Optional Parameters from Mediator INI File........................................................................ 77
Remove FIM State File.......................................................................................................................... 78
Reconfigure Force Merge..................................................................................................................... 78
Remove Mediator LMDB DAT Files ...................................................................................................... 78
Manually Delete Linux Data Indexer Configuration Files................................................................... 78
Supplemental Information for Upgrades ................................................................... 80
Use the LogRhythm Deployment Tool................................................................................................ 80
Installation Considerations ..................................................................................................................................................80
Use the Deployment Tool .....................................................................................................................................................80
Logs........................................................................................................................................................................................81
Troubleshooting....................................................................................................................................................................81
Use the LogRhythm Configuration Manager ...................................................................................... 83
Configure your Deployment .................................................................................................................................................83
Troubleshoot the LogRhythm Configuration Manager.......................................................................................................85
Back Up and Restore a LogRhythm Configuration .............................................................................................................85
Install and Configure the Web Console............................................................................................... 86
Install the Web Console ........................................................................................................................................................86
Configure the Web Console With the LogRhythm Configuration Manager........................................................................86
Remove the Web Console .....................................................................................................................................................87
Certificates ............................................................................................................................................................................87

Upgrade a LogRhythm Deployment to 7.4.4

This guide describes the upgrade procedure to version 7.4.4 using the Database Upgrade Tool and the
LogRhythm Install Wizard. The Database Upgrade Tool upgrades your LogRhythm databases, and the Install
Wizard upgrades the LogRhythm components.

Supported Upgrade Path


• Core Components. You can upgrade to 7.4.4 from 7.4.0, 7.3.x, 7.2.x, 7.1.x, or 6.3.9. Note the following if you are
  running any other version:
  • If you are running LogRhythm 5.x, you will need to upgrade to 6.2.5, then 6.3.9, and then 7.4.4. For the
    correct guides, see Find More Information.
  • If you are running LogRhythm 6.0.x to 6.3.3, you will need to upgrade to 6.3.9, and then upgrade to
    7.4.4. For the correct guides, see Find More Information.
• Web Console. Upgrades from 6.3.3 and earlier are not supported. You will need to uninstall according to the
  instructions in the Installation Guide for your version, then perform a fresh installation using the instructions
  in Install a New LogRhythm 7.4.4 Deployment.

HA and DR Upgrades
This guide should only be used to upgrade standard LogRhythm systems to version 7.4.4. If your deployment
includes LogRhythm's HA or DR solution, do not use this guide; obtain the HA or DR upgrade guide for your version instead.

Existing Components
This upgrade guide describes how to update the following LogRhythm components:

7.x.x Deployments                               | 6.3.x Deployments
----------------------------------------------- | -----------------------------------------------
Alarming and Response Manager                   | Event Manager
Job Manager                                     | N/A
Mediator Server                                 | Log Manager
Client Console                                  | Client Console
AI Engine                                       | AI Engine
All LogRhythm Databases                         | All LogRhythm Databases
Data Indexer                                    | N/A
LogRhythm Knowledge Base                        | LogRhythm Knowledge Base
(Optional) All Windows System Monitor Agents    | (Optional) All Windows System Monitor Agents
(Optional) All *NIX System Monitor Agents       | (Optional) All *NIX System Monitor Agents

Supported Upgrade Path 8


If any of the following procedures are unclear, if you require assistance with your upgrade, or if you
encounter an unexpected error, please contact LogRhythm Support.

New Architecture and New Component Names


The following information applies to upgrades from 6.3.x only.
LogRhythm 7 introduces some new components and rebrands some existing components. When you have
finished upgrading to LogRhythm 7.4.4, some of your existing components will be known by another name.

Log Manager Database, LMDB > Data Indexer


The Data Indexer provides next-generation persistence and search capabilities, replacing the LMDB and
RADB functions of the previous generation Log Manager.

Log Manager (Mediator) > Data Processor


The Data Processor performs the log data processing and forwarding functions of the previous generation
Log Manager.

Event Manager > Platform Manager


The Platform Manager provides alarming, notifications, case and security incident management, workflow
automation, and centralized administration for a LogRhythm deployment. The Platform Manager is a
required component in the LogRhythm solution, and each deployment has a single Platform Manager.

Plan for the Upgrade


The upgrade from LogRhythm 6.x varies slightly according to your current deployment. The diagrams below
illustrate deployment scenarios before and after the upgrade:

Scenario A (deployment diagram not reproduced in this copy)

Scenario B (deployment diagram not reproduced in this copy)

Scenario C (deployment diagram not reproduced in this copy)

Upgrade Phases
Depending on your current LogRhythm deployment, the upgrade can be carried out in four or five brief
phases, as follows:
• A, B, C: Prepare for Upgrade – review considerations and prerequisites, request license file, synchronize stored
KB, download tools and installers, run audit reports, shut down LogRhythm
• A, B, C: Upgrade LogRhythm Databases – run the Database Upgrade Tool on your XM appliance or EM & LM
appliances
• B, C: Reconfigure Virtual Disks on Standalone Log Managers – prepare your Windows-based appliance for the
Data Processor & Data Indexer
• A, B, C: Upgrade LogRhythm Appliances – run the Install Wizard on your XM appliance or EM, LM, and AIE
appliances
• A, B, C: Configure and Get Started


Review the Upgrade Requirements and Considerations


Scheduling the Upgrade
The LogRhythm core services – the Mediator, Job Manager, Alarming and Response Manager, and AI Engine
(if applicable) – are offline during the upgrade process. LogRhythm recommends that you schedule the
upgrade during a period when this downtime is acceptable. The LogRhythm database upgrades must be
complete before the core services can be brought back online.
You should reserve one to three hours for the following upgrade tasks. The more recent your deployment is,
the less time you will need.
• Synchronize any pending Knowledge Base updates, which takes approximately 30 minutes.
• Back up and upgrade your existing LogRhythm databases. The backup could take as little as 30 minutes or up to
several hours, depending on the size and number of your databases.
• Run the Install Wizard, which is a quick process for each appliance.
• (Optional) Install or upgrade the Linux Data Indexer.
• Upgrade additional Agents (besides the ones installed on LogRhythm appliances), which is recommended, but
not required at the same time as the main upgrade.

FIPS Mode Supported


In this release of LogRhythm, all components support operation in FIPS mode.

The Database Upgrade Tool does not run with FIPS mode enabled. Before starting the upgrade, FIPS users must
temporarily disable FIPS mode and run the Database Upgrade Tool using the SQL sa account. In addition,
deployments that use SQL Security where FIPS is also enabled must be configured with Windows Integrated
Security for services after your upgrade is complete. For more information, see Integrated Security.

Core Service and Client Console Compatibility


LogRhythm 7.4.4 core services – the Mediator, Job Manager, Alarming and Response Manager, and the Client
Console – are not compatible with pre-7.4.4 databases or pre-7.4.4 LogRhythm software, except for System
Monitor Agents. All Client Consoles in your environment must be upgraded to version 7.4.4 to be compatible
with 7.4.4 core services.
The Client Console is only supported on 64-bit operating systems. For more information, see LogRhythm
Compatibility and System Monitor Functionality.

Some Operating Systems No Longer Supported
Windows 2000 and Linux 2.2 kernel operating systems are no longer supported by LogRhythm software. For
more information, see LogRhythm Compatibility and System Monitor Functionality.

SQL Server Security Hardening Impacts


If your deployment applies SQL Server security hardening beyond the LogRhythm defaults, the hardening can
cause the Database Upgrade Tool to fail, or prevent LogRhythm services from connecting to the LogRhythm
databases after the upgrade. Review those settings before you begin so that a hardening-related connection
failure is not mistaken for an upgrade defect.


Check Point Log Collection


Check Point logs cannot be collected by System Monitor Agents running on Windows XP.

Oracle DB Log Collection Supported by 7.4.4 64-bit Agent Using OLE DB


Oracle database logs can only be collected by the version 7.4.4 64-bit System Monitor Agent using OLE DB.
For more information, see the Oracle Device Deployment Guides.

Other System Monitor Agent Considerations


• 5.x Agents Not Supported. The 5.x System Monitor Agents are not supported by LogRhythm 7.4.4 and must be
upgraded to Version 7.4.4. The Agent versions can be viewed in the Client Console on the System Monitor tab.
• System Requirements. Some System Monitor Agents can only be run on 64-bit systems. For a list of all
restrictions, see the System Monitor Operating System Support table in the Client Console Reference Guide.
• System Monitor Agent and Core Service Versions. System Monitor Agent versions can be less than or equal to the
versions of the core services, but never higher than the versions of the core services. Therefore, if you are
upgrading Agents to 7.4.4, do so after the core services have been upgraded and restarted.
• System Monitor Agent Collection during Upgrade. It is best to leave all System Monitor Agents running during
the upgrade, especially if they are configured to receive Syslog or NetFlow messages. These Agents continue to
collect log messages that would otherwise be lost and store them locally until the core services are restarted
after the upgrade.

XM and PM + DP/DX/DPX Upgrades


This task must be completed during upgrades from 7.3.x, 7.2.x, and 7.1.x only.
If you have the XM Appliance, you have a single integrated appliance. You need to perform these upgrade
instructions only on the XM Appliance.
If your system includes separate Platform Manager, Data Processor, Data Indexer, or Data Processor + Data
Indexer (DPX) appliances, run the Database Upgrade Tool and Install Wizard on the Platform Manager, and
run the Install Wizard on all other appliances and System Monitor hosts. If you have one or more Linux Data
Indexer clusters installed, you need to download and run the Linux Data Indexer installer on one Indexer in
each cluster.

Windows Server 2012 R2 or Server 2016 Required on XM and PM Appliances


In this version of LogRhythm, Windows Server 2012 R2 or Windows Server 2016 is required on your XM or PM
appliance. If you are upgrading a LogRhythm XM or PM appliance running Windows Server 2008 R2, contact
LogRhythm Support for a Windows Server 2012 R2 key. If you are a software-only customer, LogRhythm is
unable to provide the license key for Windows Server 2012 R2. Before starting the upgrade, ensure that you
have done the following:
• Record your NIC settings in case they are reverted to DHCP during the upgrade.
• Log in to SQL Server Management Studio on the Platform Manager and back up your EMDB at a minimum.

SQL Server 2016 Standard SP1 Required on Platform Manager


All Platform Manager databases require SQL Server 2016 Standard SP1 (13.0.4001.0) in this release of
LogRhythm. If necessary, your existing version of SQL Server will be upgraded to SQL Server 2016 Standard
SP1 by the Database Upgrade Tool.

Microsoft .NET Framework 4.5.2


Microsoft .NET Framework 4.5.2 is required on the LogRhythm Platform Manager and other core
components. When you update LogRhythm components with the LogRhythm Install Wizard, .NET 4.5.2 is
installed when required. Before upgrading LogRhythm components, however, the Database Upgrade Tool
also checks for .NET 4.5.2. If you are not already running this version of the .NET Framework, you should
upgrade before you continue.

If .NET has not been updated on any host running a System Monitor Agent and you push out an
update with the System Monitor Package Manager, the Agent host will restart as part of the .NET
install.

You can download the Microsoft .NET Framework 4.5.2 standalone installer from the Microsoft website.
The .NET Framework installation requires 4.5 GB of free disk space.
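
The checks above (Windows Server 2012 R2 or 2016, SQL Server 2016 Standard SP1 build 13.0.4001.0, .NET Framework 4.5.2, 4.5 GB free disk, recorded NIC settings, and the Windows Firewall service the installers rely on) can be run in one pass before starting the Database Upgrade Tool. The following script is an added example, not LogRhythm tooling; it assumes an elevated PowerShell session on the XM or PM appliance, a default local SQL Server instance that the current Windows account can log on to, and a backup path of your choosing.

```powershell
#Requires -RunAsAdministrator
# Added pre-flight check, not part of the LogRhythm upgrade package.
# Run in an elevated PowerShell session on the XM or Platform Manager appliance.

function Get-LrUpgradeReadiness {
    param(
        # Assumption: SQL Server is the default instance on the local PM and the current
        # Windows account can log on to it. Use 'HOST\INSTANCE' for a named instance.
        [string]$SqlServer = 'localhost',
        # Where the current NIC settings are saved in case the upgrade reverts them to DHCP.
        [string]$NicBackupPath = (Join-Path $env:USERPROFILE 'lr-nic-settings-before-upgrade.xml')
    )
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, $Value, [bool]$Pass) {
        $checks.Add([pscustomobject]@{ Check = $Name; Value = $Value; Pass = $Pass })
    }

    # Windows Server 2012 R2 reports version 6.3, Windows Server 2016 reports 10.0.
    $os = Get-CimInstance Win32_OperatingSystem
    $osPass = ($os.Caption -match 'Server') -and ($os.Version -match '^(6\.3|10\.0)\.')
    Add-Check 'Windows Server 2012 R2 or 2016' $os.Caption $osPass

    # .NET Framework 4.5.2 writes Release = 379893 under NDP\v4\Full; later versions are higher.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    Add-Check '.NET Framework 4.5.2 or later' $ndp.Release ($null -ne $ndp -and $ndp.Release -ge 379893)

    # The .NET installer needs 4.5 GB free; check the system drive.
    $sysDrive = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))
    Add-Check 'At least 4.5 GB free on system drive' ('{0:N1} GB' -f ($sysDrive.Free / 1GB)) ($sysDrive.Free -ge 4.5GB)

    # SQL Server 2016 Standard SP1 is build 13.0.4001.0; older builds are upgraded by the Database Upgrade Tool.
    $sqlVersion = $null
    try {
        $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList "Server=$SqlServer;Integrated Security=True;Connect Timeout=5"
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CONVERT(nvarchar(32), SERVERPROPERTY('ProductVersion')) + ' ' + CONVERT(nvarchar(64), SERVERPROPERTY('Edition'))"
        $row = [string]$cmd.ExecuteScalar()
        $conn.Close()
        $sqlVersion = [version]($row.Split(' ')[0])
        $sqlEdition = $row.Substring($row.IndexOf(' ') + 1)
    } catch {
        $sqlEdition = "unreachable: $($_.Exception.Message)"
    }
    Add-Check 'SQL Server 2016 Standard SP1 (13.0.4001.0)' "$sqlVersion $sqlEdition" ($null -ne $sqlVersion -and $sqlVersion -ge [version]'13.0.4001.0')

    # Windows Firewall must be running so the Common installer can open port 8300.
    $fw = Get-Service -Name MpsSvc
    Add-Check 'Windows Firewall service running' $fw.Status ($fw.Status -eq 'Running')

    # Record IPv4 addresses, default gateways and DNS servers so they can be restored by hand
    # if the upgrade reverts the NICs to DHCP; flag interfaces that are already on DHCP.
    $nics = @{
        Addresses = Get-NetIPAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, IPAddress, PrefixLength, PrefixOrigin
        Gateways  = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue | Select-Object InterfaceAlias, NextHop
        Dns       = Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses
    }
    $nics | Export-Clixml -Path $NicBackupPath
    $dhcp = @($nics.Addresses | Where-Object { $_.PrefixOrigin -eq 'Dhcp' })
    Add-Check "NIC settings saved to $NicBackupPath; all interfaces static" ("$($dhcp.Count) DHCP interface(s)") ($dhcp.Count -eq 0)

    return $checks
}

Get-LrUpgradeReadiness | Format-Table -AutoSize
```

Any row with Pass = False should be resolved before the Database Upgrade Tool is run; the saved XML can be read back with Import-Clixml to re-enter NIC settings after the upgrade.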

Administrator Credentials
To reduce downtime, ensure the following items are available before you begin the upgrade process:
• Local administrator privileges for the LogRhythm servers.
• The SQL Server password for the LogRhythmAdmin account.
• The SQL Server sa password for the LogRhythm databases.
• The following user permissions must be assigned to the user executing the SQL Server upgrade. The Database
Upgrade Tool verifies that you have the following permissions:
    • Back up/restore files and directories
    • Manage auditing and security log
    • Take ownership of files or other objects
    • Shut down the system and debug programs
• Sufficient time to perform the upgrade. Generally, the upgrade process can be completed in under two hours,
but it may take much longer for very large databases.

Power Supply
LogRhythm recommends that all LogRhythm systems be connected to an uninterruptible power supply. A
power cut may cause an Elasticsearch failure that leads to a loss of indices.

Web Console Prerequisites


Before upgrading the Web Console, verify the following:
• If you are running the Web Console on a LogRhythm XM6300 appliance, be sure you have at least 128 GB of RAM
installed.
• Make sure the Platform Manager (EMDB) is configured before you install the Web Console.
• During installation, you need the IP address or server name of the Platform Manager and the administrator login
credentials.
• Ensure that Windows Firewall is running so that the Common installer can open port 8300.
• Clear the cache on all browsers you use to access the Web Console, and then close any open browser windows.

If you have previously installed the Web Console to a custom location, rather than the default
C:\Program Files\LogRhythm, upgrading is not recommended. You should uninstall your previous
version and perform a clean installation of version 7.4.4 following the steps described in the LogRhythm
Software Installation Guide.

If your LogRhythm instance is deployed in a dark site, download the necessary standalone .NET
installers from Microsoft Support before beginning the upgrade. Otherwise, the Web Services
Installer will attempt to download them during the upgrade, and the upgrade will fail without internet
connectivity.

Special Considerations for Upgrades from 6.3.x


The following information applies to upgrades from 6.3.x only.

6.3.x Agents Not Supported for UDLA Collection


If you have any 6.3.x Agents performing UDLA collection in your deployment, you must upgrade these Agents
to version 7.4.4. If you do not upgrade these Agents, UDLA collection will not work after upgrading your
deployment to 7.4.4.

New Data Persistence

LogRhythm v7 provides next-generation persistence and search capabilities for log and archive
data. During the upgrade from version 6.3.x, the LMDB and RADB databases are deleted. If you want
to keep a copy of these databases, make a backup and store them with the related EMDB backup
somewhere other than the Log Manager appliance. Because the LMDB and RADB are removed, you
may want to run your audit reports before starting the upgrade so that you do not have to restore
data from Archives to run the reports.

Gen1 (LR) Appliances Not Supported


All Gen1 appliances have reached their End-of-Service and do not support LogRhythm

Gen2 (LRX) Appliances Not Fully Supported


Gen2 XM and Log Manager Appliances cannot host the Data Indexer due to CPU and memory limitations.

Custom Fields Not Supported


Custom fields are not supported in this release of LogRhythm.

XM and EM + LM Appliance Upgrades


The following information applies to upgrades from 6.3.x only.
If you have the XM Appliance, you have a single integrated appliance. You need to perform these upgrade
instructions only on the XM Appliance.
If your system includes separate EM and LM appliances, perform the upgrade procedure on each EM and LM.

LogRhythm Infrastructure Installer Prerequisites


The LogRhythm Deployment Tool, also called the Infrastructure Installer, coordinates the installation and
configuration of the LogRhythm Common Components (LR Common) across a set of machines.
LRCommon currently contains:
• LogRhythm API Gateway
• LogRhythm Service Registry
• LogRhythm Metrics Collection
Note the following requirements of the Infrastructure Installer:
• User Access. The user needs to be able to log on to each host in the deployment in order to run the Host
Infrastructure Installer.
• Elevated Execution. The tool executes local commands under an elevated context. The user running the tool
must have permission to elevate the execution.
• Network Time. The times on the hosts must be synchronized. This is a requirement for the SSL certificates that are
shared among the hosts in the deployment. If times are not synchronized, this tool will likely report that Consul
is unable to elect a leader.

If this prerequisite is not met, the deployment may not function properly after installation is complete.

Networking and Communication

There are general guidelines, considerations, and standards to consider prior to deploying your solution
within a network. This page covers the networking and communication considerations and requirements to
help you deploy your solution.

LogRhythm Networking Considerations


LogRhythm Server IP Addresses
LogRhythm appliances include multiple network interfaces to accommodate different deployment
topologies. All IP addresses should be statically assigned or reserved to avoid IP changes. For many
topologies, best practice is to use one of the 1Gb interfaces as management and one of the 10Gb interfaces
for data. 

DNS Resolution
It is recommended that the LogRhythm server acting as the Platform Manager be entered into DNS so it is
addressable by name.

Domain Membership
A LogRhythm server does not need to be a member of the Windows Domain to function correctly. However,
LogRhythm recommends adding it to make remote event log collection easier to manage.

Active Directory Group Based Authorization requires the Platform Manager to be a Domain member
to function correctly.

Remote Event Log Collection User Account


A special user account must be created on the domain for remote event log collection. For more information,
see Windows Event Log Collection.

LogRhythm Networking Communications


LogRhythm components communicate over TCP, UDP, or HTTPS on specific ports. TLS is used when
receiving logs at the Data Processor from the LogRhythm System Monitor and also when sending logs from
the Data Processor to AI Engine. The diagram below shows the communication between the components
and the specific protocols and ports used.

The following table lists all network communications and interactions within a LogRhythm deployment. It
can assist system and network administrators with configuration of network access control devices and
software.

Port 8301 must be opened for TCP and UDP traffic on all hosts in your deployment, with the
exception of Client Console and Agent hosts. 8301 is the bi-directional communication port used
between all Consul hosts. If the port is blocked, hosts in your deployment will not be able to join the
Consul cluster. No log data or customer data is passed between hosts on this port—it is only used
for membership communication between LR hosts. See Consul Communications for more
information.

Additionally, network address translation (NAT) cannot be used between core components (AIE, DP,
DX, PM, Web). All communications between these components must be real IP to real IP.

Client | Client Port | Server | Server Port | Protocol | Purpose

LogRhythm Components

AI Engine | 8300 | Platform Manager | 8300 | TCP | Incoming RPC requests from client Consul instances
AI Engine | 8501 | Platform Manager | 8501 | HTTPS | Auth/config/search requests between API Gateway on AIE and PM
AI Engine | 3334, 3335 | Data Processor | 30000, 30001 | TCP | AIE Data Provider on DP forwarding log data to AIE Comm Manager
AI Engine | 8301 | Platform Manager | 8301 | TCP/UDP | Cluster membership and inter-node communications between Consul instances
AI Engine | Random | Platform Manager | 1433 | TCP | Configuration details from EMDB on PM
All (common components) [1] | Random | Platform Manager | 8076 | TCP | Sending metrics data to the PM (Metrics DB)
Client Console | 8501 | Data Indexer | 8501 | HTTPS | Auth/config/search requests between API Gateway on Console and DX
Client Console | 8501 | Platform Manager | 8501 | HTTPS | Auth/config/search requests between API Gateway on Console and PM
Client Console | Random | Platform Manager | 1433 | TCP | Console SQL Server access to PM EMDB
Client Web Browser | Random | Web Console | 8443 | HTTPS | The SSL port to use for accessing the Web Console
Client Web Browser | Random | Data Indexer | 8111 | HTTPS | Web UI for visualization of metrics stored on Linux
Client Web Browser | Random | Data Indexer | 8110 | HTTPS | Web UI for visualization of metrics stored on Windows
Client Web Browser | Random | Data Indexer | 9100 | HTTPS | Configuration of the Windows DX
Client Web Browser | Random | Data Indexer | 80, 443 | HTTPS | Configuration of the Linux DX (port 80 is forwarded to 443)
Data Indexer | Random | Platform Manager | 1433 | TCP | DX SQL Server access to PM EMDB
Data Indexer | 8501 | Platform Manager | 8501 | HTTPS | Auth/config/search requests between API Gateway on DX and PM
Data Indexer | 8300 | Platform Manager | 8300 | TCP | Incoming RPC requests from client Consul instances
Data Indexer | 8301 | Platform Manager | 8301 | TCP/UDP | Cluster membership and inter-node communications between Consul instances
Data Processor | 8501 | Data Indexer | 8501 | HTTPS | Auth/config/search requests between API Gateway on DP and DX
LR API | Random | Platform Manager | 1433 | TCP | Bidirectional connection between LR API and PM
LR KB Update | not applicable | Platform Manager | 80, 443 | TCP | Bidirectional connection for KB updates
Platform Manager | 8301 | Data Processor | 8301 | TCP/UDP | Cluster membership and inter-node communications between Consul instances
Platform Manager | 8300 | Data Processor | 8300 | TCP | Incoming RPC requests from client Consul instances
Platform Manager | 8501 | Data Processor | 8501 | HTTPS | Auth/config/search requests between API Gateway on DP and PM
Platform Manager | Random | Data Processor | 1433 | TCP | DP SQL Server access to PM EMDB
System Monitor/Data Collector | 0 (formerly 3333) | Data Processor | 40000 | TCP | Forwards raw log data to the DP when running in Unidirectional Agent mode
System Monitor/Data Collector | 0 (formerly 3333) | Data Processor | 443 | TCP | Forwards raw log data to the DP when running in Bidirectional Mode
Web Console | 8300 | Platform Manager | 8300 | TCP | Incoming RPC requests from client Consul instances
Web Console | 8501 | Platform Manager | 8501 | HTTPS | Auth/config/search requests between API Gateway on Web and PM
Web Console | 8501 | Data Indexer | 8501 | HTTPS | Auth/config/search requests between API Gateway on Web and DX
Web Console | Random | Platform Manager | 1433 | TCP | Web Console SQL Server access to PM Events DB
Web Console | 8301 | Platform Manager | 8301 | TCP/UDP | Cluster membership and inter-node communications between Consul instances

Notifications and Alerts

LogRhythm Platform Manager and Web Console | Random | SMTP Server | 25 | TCP | Unidirectional, Client Initiated
LogRhythm Platform Manager | Random | SNMP Manager | 162 | UDP | Unidirectional, Client Initiated
LogRhythm Platform Manager | ** | McAfee ePO Server | ** | ** | **

Devices Sending Logs

UDP Syslog Device | Random | LogRhythm Agent | 514 | UDP | Unidirectional
TCP Syslog Device | Random | LogRhythm Agent | 514 | TCP | Unidirectional
NetFlow v1, v5 or v9 Device | Configurable | LogRhythm Agent | 5500 | UDP | Unidirectional
IPFIX Device | Configurable | LogRhythm Agent | 5500 | UDP | Unidirectional
J-Flow Device | Configurable | LogRhythm Agent | 5500 | UDP | Unidirectional
sFlow Device | Configurable | LogRhythm Agent | 6343 | UDP | Unidirectional
SNMP Trap Device | Configurable | LogRhythm Agent | 161 | UDP | Unidirectional

Remote Log Collection

LogRhythm Agent (Windows Event Logs) | Random | Windows Host | 135, 137, 138, 139, 445 | TCP/RPC | Bidirectional, Client Initiated
LogRhythm Agent (UDLA) | Random | Database Server | DB Server dependent* | TCP/ODBC | Bidirectional, Client Initiated
LogRhythm Agent | Random | Check Point Firewall | 18184 | TCP/OPSEC LEA | Bidirectional, Client Initiated
LogRhythm Agent | Random | Cisco IDS (SDEE) | 443 | TCP/HTTPS | Bidirectional, Client Initiated
LogRhythm Agent | Random | Nessus Server | 8834 | TCP/HTTPS | Bidirectional, Client Initiated
LogRhythm Agent | Random | Qualys Server | 443 | TCP/HTTPS | Bidirectional, Client Initiated
LogRhythm Agent | Random | Metasploit Server | 3790 | TCP/HTTPS | Bidirectional, Client Initiated
LogRhythm Agent | Random | Nexpose Server | 3780 | TCP/HTTPS | Bidirectional, Client Initiated
LogRhythm Agent | Random | Retina Server | 1433 | TCP/ODBC | Bidirectional, Client Initiated
LogRhythm Agent | 4444 | eStreamer Server | 8302 | TCP/HTTPS | Bidirectional, Client Initiated

[1] Metrics are collected from all components included in the LogRhythm Infrastructure Installer. This does not
include standalone System Monitors or Client Consoles.
* The server port for UDLA collection will vary based on the database server being queried.
(SQL Server default = TCP 1433; MySQL default = TCP 3306; Oracle default = TCP 1521; DB2 default = TCP 50000)
** LogRhythm alarms are forwarded to ePO via the McAfee agent installed on a Platform Manager. To
determine the ports utilized by McAfee agents and the ePO server, see your McAfee ePO documentation and
configuration.

The Web Console Case API uses dynamic ports in the range of 20000-30000. These are listening
ports used for loopback purposes and do not require any firewall changes.
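
The client-to-server port rows for the core components above, together with the Consul 8301 rule, can be verified from a given host once firewall rules are in place. The following script is an added example, not LogRhythm tooling; it assumes an elevated PowerShell session on a Windows core host, Windows Firewall as the local firewall, and placeholder host names ('lr-pm', 'lr-dp', 'lr-dx') that you replace with your own.

```powershell
#Requires -RunAsAdministrator
# Added connectivity check, not part of the LogRhythm upgrade package.
# Only TCP listeners are probed; Test-NetConnection cannot probe UDP 8301.

# Client-to-server TCP ports for core components, transcribed from the table above.
$LrCorePorts = @(
    [pscustomobject]@{ Client = 'AI Engine';        Server = 'Platform Manager'; Ports = 8300, 8301, 8501, 1433 }
    [pscustomobject]@{ Client = 'AI Engine';        Server = 'Data Processor';   Ports = 30000, 30001 }
    [pscustomobject]@{ Client = 'Client Console';   Server = 'Platform Manager'; Ports = 8501, 1433 }
    [pscustomobject]@{ Client = 'Client Console';   Server = 'Data Indexer';     Ports = 8501 }
    [pscustomobject]@{ Client = 'Data Indexer';     Server = 'Platform Manager'; Ports = 8300, 8301, 8501, 1433 }
    [pscustomobject]@{ Client = 'Data Processor';   Server = 'Data Indexer';     Ports = 8501 }
    [pscustomobject]@{ Client = 'Platform Manager'; Server = 'Data Processor';   Ports = 8300, 8301, 8501, 1433 }
    [pscustomobject]@{ Client = 'System Monitor';   Server = 'Data Processor';   Ports = 40000, 443 }
    [pscustomobject]@{ Client = 'Web Console';      Server = 'Platform Manager'; Ports = 8300, 8301, 8501, 1433 }
    [pscustomobject]@{ Client = 'Web Console';      Server = 'Data Indexer';     Ports = 8501 }
)

function Test-LrCoreConnectivity {
    param(
        [Parameter(Mandatory)][string]$LocalRole,       # role of the host this runs on, e.g. 'AI Engine'
        [Parameter(Mandatory)][hashtable]$ServerHosts   # server role -> host name or IP (no NAT in between)
    )
    $results = New-Object System.Collections.Generic.List[object]

    # Outbound: every TCP port this role must reach on each server role present in the deployment.
    foreach ($rule in ($LrCorePorts | Where-Object Client -eq $LocalRole)) {
        $target = $ServerHosts[$rule.Server]
        if (-not $target) { continue }   # that server role is not deployed here
        foreach ($port in $rule.Ports) {
            $ok = Test-NetConnection -ComputerName $target -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
            $results.Add([pscustomobject]@{ Check = "$LocalRole -> $($rule.Server) ($target) TCP/$port"; Pass = [bool]$ok })
        }
    }

    # Inbound: every core host except Console and Agent hosts must allow Consul on 8301 TCP and UDP.
    if ($LocalRole -notin 'Client Console', 'System Monitor') {
        foreach ($proto in 'TCP', 'UDP') {
            $allow = Get-NetFirewallPortFilter |
                Where-Object { $_.Protocol -eq $proto -and $_.LocalPort -contains '8301' } |
                Get-NetFirewallRule |
                Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
            $results.Add([pscustomobject]@{ Check = "Inbound firewall allow rule for Consul $proto/8301"; Pass = [bool]$allow })
        }
    }
    return $results
}

# Placeholder host names; substitute the real PM, DP and DX addresses of your deployment.
Test-LrCoreConnectivity -LocalRole 'AI Engine' -ServerHosts @{ 'Platform Manager' = 'lr-pm'; 'Data Processor' = 'lr-dp' } |
    Format-Table -AutoSize
```

A passing TCP probe does not prove the absence of NAT between the components, so confirm separately that each peer sees the real IP of the other.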

Data Indexer - Inbound Ports


The table below lists DX appliance ports that should be open to enable communications from other
components.

Appliance | Protocol | Inbound Port | Received From... | Operating System | Purpose
DX - AllConf | TCP | 80, 443 | Client Web Browser | Linux | Configuration of the DX; port 80 is forwarded to 443
DX - Consul | TCP | 8112 | Client Web Browser | Linux | Consul administration dashboard
DX - Grafana | TCP | 8111 | Client Web Browser | Linux | Grafana dashboard on Linux
DX - Grafana | TCP | 8110 | Client Web Browser | Windows | Grafana dashboard on Windows
DX - InfluxDB | TCP | 8086 | Inbound to DX | Windows & Linux | Admin queries to InfluxDB
PM - Disaster Recovery | TCP | 5022 | Inter-node Disaster Recovery communication | Windows | Port used for replication requests in Disaster Recovery deployments
PM - SQL | TCP | 1433 | Carpenter and Bulldozer on DX | Windows & Linux | SQL Server access to EMDB
LogRhythm API Gateway | HTTPS | 8501 | API Gateway | Windows & Linux | Enables secure, load balanced, and discoverable service-to-service communication. Required to use the JWT from the Authentication API.
Consul | TCP/UDP | 8300, 8301 | Service Registry | Windows & Linux | Establishes a secure cluster between the LogRhythm hosts in a deployment, not including agents

Data Indexer - Local Ports


The table below lists ports that are used locally or for inter-component communication on the Data Indexer.

Service | Protocol | Port | Direction | Operating System | Purpose
AllConf | TCP | 9100 | DX Local Only | Windows | Web UI for configuring the Data Indexer
ConfigServer | TCP | 13000 | DX Local Only | Windows & Linux | Listens for configuration requests
ConfigServer | TCP | 13001, 13002, 13004 | DX Local Only | Windows & Linux | ConfigServer internal processing
ConfigServer | TCP | 13003 | DX Local Only | Windows & Linux | Listens for AllConf page requests
Columbo | TCP | 13131, 13133 | DX Local Only | Windows & Linux | Columbo internal processing
Consul | TCP/UDP | 8300, 8301 | Inter-node | Windows & Linux | Nodes in cluster sharing keys
Consul | TCP/UDP | 8112 | DX Local | Linux | Consul administration dashboard
Consul | TCP/UDP | 8500 | DX Local Only | Windows | Consul administration dashboard
Elasticsearch | TCP | 9200 | DX Local Only | Windows & Linux | Curl queries to Elasticsearch
Elasticsearch | TCP | 9300-9400 | Inter-node | Linux | Replication and federation across nodes
Grafana | TCP | 8111 | DX Local | Linux | Grafana dashboard on Linux
Grafana | TCP | 8110 | DX Local | Windows | Grafana dashboard on Windows
InfluxDB | TCP | 8083 | DX Local | Windows & Linux | Admin queries to InfluxDB
InfluxDB | TCP | 8086 | Inter-node | Windows & Linux | Vitals on a node writing to InfluxDB
Spawn | TCP | 14501 | DX Local Only | Windows & Linux | CloudAI: replicates data to CloudAI
Transporter | TCP | 16600 | DX Local Only | Windows & Linux | HTTP/REST interface to the Data Indexer
Vitals | TCP | 13200 | DX Local Only | Windows & Linux | Listens for stats to monitor Data Indexer health

Agent to Data Processor Communications


Agents communicate with Data Processors via a secure, proprietary TCP-based application protocol.
Communications are encrypted with TLS using either unilateral or bilateral authentication. The TCP port
Agents send data from, and the TCP port Data Processors listen on, is user configurable.

Unidirectional Agent Communication


LogRhythm provides support for secure transmission from an unclassified server to a top secret server. The
System Monitor Agents support unidirectional communication without receiving any control or data
transmissions from the Data Processor or Platform Manager. The table and diagram below show the
unidirectional communication from the Agent(s) within the unclassified sector to the Data Processor within
the top secret sector. Starting with LogRhythm 6.1.2, multiple agents are supported.

Client | Client Port | Server | Server Port | Protocol | Communications
LogRhythm Agent | 3333 | LogRhythm Data Processor | 40000 [1] | TCP | Unidirectional
Web Console Client | Random | LogRhythm Web Server | 8443 | HTTPS | Bidirectional, Client Initiated
Web Console Client | Random | Data Indexer | 13130, 13132 | TCP | Bidirectional, Client Initiated

[1] After upgrading to 6.20, the default port is 40000. However, any existing mediators will retain the value they
had before the upgrade.

Consul Communications
All core LogRhythm components—PM, DP, DX, AIE, Web—must allow incoming and outgoing connections on
port 8301 over TCP/UDP to enable Consul communications with one another.

Download Software to Upgrade a LogRhythm Deployment


Download the LogRhythm Database Upgrade Tool
This task must be completed during upgrades from 7.3.x and 7.4.x only.
7.3 and 7.4 users should download the version of the Database Upgrade tool that does not include SQL
Server. The Database Upgrade Tool is packaged in a .ZIP archive. After downloading the archive, copy it to
each XM appliance or server that you want to upgrade, and then extract the contents of the archive into a
new directory.

This task must be completed during upgrades from 7.2.x, 7.1.x, and 6.3.9 only.
7.2.x, 7.1.x, and 6.3.9 users should download the version of the Database Upgrade tool that includes SQL
Server. The Database Upgrade Tool is packaged in a .ZIP archive. After downloading the archive, copy it to
each XM or Platform Manager appliance or server that you want to upgrade, and then extract the contents of
the archive into a new directory.

Download the LogRhythm Install Wizard


The LogRhythm Install Wizard can install any supported combination of the LogRhythm components on an
appliance or server.
The Install Wizard is packaged in a .ZIP archive. After downloading the archive, copy it to each appliance or
server that you want to upgrade, and then extract the contents of the archive into a new directory. Each of
the LogRhythm component installers are included with the Install Wizard. They can be found in the Installers
directory where you extracted the archive.

Component | Installer
Infrastructure Installer | LogRhythmInfrastructureInstaller-7.4.4+#.msi
Admin API | LRAdministrationAPI_64_7.4.4.#.exe
AI Engine | LRAIEngine_64_7.4.4.#.exe
AIE Cache Drilldown | LRAIEngineCacheDrilldown_64_7.4.4.#.exe
Alarming and Response Manager | LRAlarmingManager_64_7.4.4.#.exe
Authentication Services | LRAuthenticationServices_64_7.4.4.#.exe
Configuration Manager | LRConfigurationManager_64_7.4.4.#.exe
Client Console | LRConsole_64_7.4.4.#.exe
Data Indexer (Windows) | LRDataIndexer_7.4.4.#.exe
Job Manager | LRJobManager_64_7.4.4.#.exe
Mediator Server | LRMediator_64_7.4.4.#.exe
Notification Service | LRNotificationService_64_7.4.4.#.exe
Windows System Monitor (32-bit) | LRSystemMonitor_7.4.4.#.exe
Windows System Monitor (64-bit) | LRSystemMonitor_64_7.4.4.#.exe
Windows System Monitor for Windows Server 2008 R2 Core | LRSystemMonitor_64Core_7.4.4.#.exe
LogRhythm Web Console | LRWebServices_64_7.4.4.#.exe

Download the Linux Data Indexer Installer


For users who are upgrading one or more Linux Data Indexers, run the LogRhythm package installer on your
existing Indexer system. You can download the .run package installer from the LogRhythm Community. The
file is named LRDataIndexer-.version.centos.x86_64.run.
After downloading the installer, use a program like WinSCP to copy it to the logrhythm user’s home directory
on one of your Indexer appliances (for example, /home/logrhythm/Soft). When connecting to the Indexer
system to transfer the file, connect as the logrhythm user.

When upgrading the Linux Indexer, note the following:


• Your cluster must contain at least 3 nodes but no more than 10 nodes.
• You only need to run the package installer on one of the cluster nodes.
• You should run the upgrade installer on the same server where you ran the original installer.
• Each Indexer appliance or server in a cluster must be of identical specification. For example, the same
appliance model, or same configuration of processors, hard drives, network interfaces, and RAM.

Download TLS 1.2 Patches and Hotfixes


This task must be completed during upgrades from 7.2.x, 7.1.x, and 6.3.9 only.

To enable communication over TLS 1.2 for all LogRhythm 7.4.x components, your base deployment must
meet the following requirements:
• Platform Manager is running SQL Server 2016 Standard SP1.
• LogRhythm 7.4.x core components on Windows are running Microsoft .NET Framework 4.5.2 — the Database
Upgrade Tool will install .NET 4.6.1 on the Platform Manager.

.NET 4.5.2 will be installed by component installers that require it.

After ensuring that your base deployment meets the above requirements, .NET 4.5.x rollup updates are
required on all Windows appliances or servers running LogRhythm components — the Platform Manager is
excepted.

If the target appliance is up-to-date with important Windows updates, some hotfixes may not be
required. If this is the case, the installer indicates that.

Installers for all the required patches and hotfixes are available in a .ZIP file on the 7.4.4 Downloads page,
under TLS 1.2 Support. You should download LR_74x_TLS_support.zip, extract its contents, and then
distribute the required installers to the required appliances or computers in your deployment.

The following patches are not required on systems running only the System Monitor Agent or on
systems where .NET 4.6 is already installed.

Installer | Description | Do this...
NDP452-KB3099845x86-x64-ENU.exe | .NET Framework 4.5.2 Hotfix Rollup | Copy the hotfix installer to all LogRhythm component hosts running on Windows appliances or computers running Windows 7 SP1, Windows Server 2008, or Windows Server 2008 R2.
x64-Windows8.1KB3099842-x64.msu | Windows Update Installer for .NET Framework 4.5.2 Hotfix Rollup | Copy the installer to all LogRhythm hosts running on Windows appliances or computers running Windows 8.1 or Windows Server 2012 R2.

(Optional) Download the Elasticsearch Upgrade Checker


This task can be completed during upgrades from 7.1.x and 7.2.x only.

All Elasticsearch 1.x indices will be deleted during the upgrade.

If you want to preview any Elasticsearch 1.x indices that will be deleted during the upgrade, you can
download the Elasticsearch upgrade checker from the LogRhythm Community, for Windows or Linux. Run the
upgrade checker on one node per cluster on Linux, and on each DP/DX on Windows.
LogRhythm 7.1 or 7.2 users should run the Elasticsearch upgrade checker before the upgrade to preview any
incompatible Elasticsearch 1.x indices.

(Optional) Download System Monitor Packages for *NIX


Download System Monitor packages for UNIX and Linux.

The System Monitor packages for UNIX and Linux are available on the LogRhythm Community. Next to each
package is a link to a SHA256 checksum file you can use to verify the integrity of the downloaded file.

Operating System | Version | 32/64-bit | Installer Name

AIX

AIX | 7.3 | 64-bit | scsm7.4.4.####_aix71.tar

Debian

Debian | 6 | 32-bit | scsm-7.4.4.####-6_i686.deb
Debian | 6 | 64-bit | scsm-7.4.4.####-6_amd64.deb
Debian | 7 | 32-bit | scsm-7.4.4.####-7_i686.deb
Debian | 7 | 64-bit | scsm-7.4.4.####-7_amd64.deb
Debian | 8 | 64-bit | scsm-7.4.4.####-8_amd64.deb

HP-UX

HP-UX Itanium | 11i v2, 11i v3 | 64-bit | scsm7.4.4.####_hpux_ia64.tar

Oracle

Oracle Hardened Linux | 5 | 32-bit | scsm-7.4.4.####-1.uek5.i686.rpm
Oracle Hardened Linux | 5 | 64-bit | scsm-7.4.4.####-1.uek5.x86_64.rpm
Oracle Hardened Linux | 6 | 32-bit | scsm-7.4.4.####-1.uek6.i686.rpm
Oracle Hardened Linux | 6 | 64-bit | scsm-7.4.4.####-1.uek6.x86_64.rpm
Oracle Hardened Linux | 7 | 64-bit | scsm-7.4.4.####-1.uek7.x86_64.rpm

Solaris

Solaris x86 | 10, 11 | 64-bit | scsm7.4.4.####_solaris10_x86.tar

Red Hat Enterprise/CentOS

Red Hat Enterprise/CentOS | 5 | 32-bit | scsm-7.4.4.####-1.el5.i686.rpm
Red Hat Enterprise/CentOS | 5 | 64-bit | scsm-7.4.4.####-1.el5.x86_64.rpm
Red Hat Enterprise/CentOS | 6 | 32-bit | scsm-7.4.4.####-1.el6.i686.rpm
Red Hat Enterprise/CentOS | 6 | 64-bit | scsm-7.4.4.####-1.el6.x86_64.rpm
Red Hat Enterprise/CentOS | 7 | 64-bit | scsm-7.4.4.####-1.el7.x86_64.rpm

SUSE

SUSE Linux Enterprise Server | 11 | 64-bit | scsm-7.4.4.####-1.suse11.x86_64.rpm
SUSE Linux Enterprise Server | 12 | 64-bit | scsm-7.4.4.####-1.suse12.x86_64.rpm
SUSE Linux Enterprise Server | 13 | 64-bit | scsm-7.4.4.####-1.suse13.x86_64.rpm

Ubuntu

Ubuntu | 12 | 64-bit | scsm-7.4.4.####-Ubuntu12_x64.deb
Ubuntu | 14 | 64-bit | scsm-7.4.4.####-Ubuntu14_x64.deb
Ubuntu | 16 | 64-bit | scsm-7.4.4.####-Ubuntu16_x64.deb

Prepare to Upgrade a LogRhythm Deployment


Record Service Credentials
If the LogRhythm services in your deployment use Windows accounts, you need the account name and
password to complete this upgrade.
1. To see if a service is running under a Windows account, click Start, click All Programs, click Administrative
Tools, and then click Services.
2. Double-click a LogRhythm service.
3. In Service Properties, click the Log On tab. If the This account option button is selected, this service is running
under Windows credentials.
4. For each LogRhythm service, note the account name and obtain the account password from your network
administrator.

Request LogRhythm License File


Contact LogRhythm Support and request your LogRhythm 7.4 license file. If you have an AI Engine, the AI
Engine license is included in your LogRhythm license file.
The license file is imported after upgrading the LogRhythm components.

Note Current Log, Event, and Alarm Volumes


This task must be completed during upgrades from 6.3.9 only.
After you have completed the upgrade, one way to ensure that your deployment is operating as expected is
to compare your volume of Logs, Events, and Alarms before and after the upgrade. Before proceeding, note
these volumes for use later.

Modify web.config for LR API


If you have not already done so and you use the LR API, update web.config before upgrading: the
ApplicationAccountKey value must be stored encrypted with LRCrypt rather than in clear text. For more
information, see Initialize Users in the Web Configuration.

Back Up Web Console Configuration


It is important that you complete the following procedure before starting the upgrade process.
There are some portions of your existing configuration that may not be preserved during the
upgrade. You will need to manually restore your configuration when the upgrade is complete.

Save your Web Console configuration values by backing up the appropriate file to a location that is
accessible after the upgrade:


• Versions Prior to 7.2.0. C:\Program Files\LogRhythm\LogRhythm Web Console\config\default.json
• Versions 7.2.x. C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Services Host API\vendor\servicesHostAPI\LogRhythm.Web.ServicesHost.exe.config
If you have multiple Web Consoles in use, you must back up the config file on each server.
• Versions 7.3.x. Start the Configuration Manager on the Platform Manager or any Web Console server, click
Backup/Restore, and then click Backup to File.

If you are running multiple Web Consoles and you are using environment variables to override
Configuration Manager settings on one or more Web Console servers, you should note the values of
those variables on each server where used, and then delete the variables. In LogRhythm 7.4.4, the
Configuration Manager supports individual configurations for multiple Web Consoles. If any of the
variables are left in place, they will continue to override settings in the Configuration Manager.

Note Platform Manager IP, LogRhythm Web UI Password, and Login Warning Banner

Following the upgrade, you need to supply the Platform Manager (EMDB) IP address and LogRhythmWebUI
password in the Configuration Manager. These values are in the Global, Database Server and Web Global,
Database Password fields, respectively. Additionally, if you have a login warning banner configured, you
should copy it out to a file so it can be set again after the upgrade.

Verify Max Log Size Bytes on the Data Indexer


This task must be completed during upgrades from 7.1.6 and earlier only.
Before starting the upgrade, ensure that Max Log Size Bytes is set to its default value of 1000000 (one
million). For information about logging in to AllConf to verify this setting, see Perform Post-Upgrade
Procedures on the Upgraded LogRhythm Deployment.
After the upgrade, this parameter is not available to configure in AllConf. If the value is not restored to its
default before the upgrade, you need assistance from LogRhythm Support to change it after the upgrade is
complete.

Verify Disk Utilization Limit on the Data Indexer


This task must be completed during upgrades from 7.2.x and 7.1.x only.
Before starting the upgrade, ensure that the value of Disk Util Limit is not set higher than 80. A higher value
can prevent Elasticsearch from storing the replica shards it needs for failover. This parameter can be found
under Go Maintain Config. For information about logging in to AllConf to verify this setting, see Perform Post-
Upgrade Procedures on the Upgraded LogRhythm Deployment.

Synchronize Stored Knowledge Base


If a Knowledge Base has been downloaded but not synchronized, synchronize it before starting the upgrade.
If you do not have a downloaded Knowledge Base, you can skip this step.
1. Log in to a system where the Client Console is installed.
2. Start the Client Console.
3. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.
The Knowledge Base Manager appears. If a downloaded Knowledge Base is ready for synchronization, a notice is
displayed at the top of the window.
4. Click Synchronize Stored Knowledge Base.
The Knowledge Base Import Wizard appears and starts unpacking and validating the Knowledge Base file. The
file is checked for compatibility with your current deployment and prepared for import. This may take several
minutes.
When finished, the Unpack Progress: Knowledge Base unpacked message appears.
5. To Import the Knowledge Base, click Next.
6. In the Knowledge Base Updated dialog box, click OK.
7. In the Knowledge Base Import Wizard, click Close.
8. Perform either of the following procedures as needed:
• To enable the Knowledge Base Modules and synchronize them, perform the following steps:
i. Select the Action check boxes next to the modules you want.
ii. Right-click the grid, click Actions, and then click Enable Module.
The Enable Selected Modules dialog box appears.
iii. Select the options you want, and then click OK.
The Enable Modules box displays a confirmation message.
iv. To start the synchronization, click Yes.
v. When complete, click Close to close the Import Wizard.
• To Migrate Common Event Changes, perform any of the following steps as needed:

If you are not familiar with the customizations that have been made to your deployment, do not
proceed with the import until you have acquired that knowledge, or contact LogRhythm Support for
assistance. For more information, see Migrate Common Events.

If Action Required is displayed, some items need to be updated due to Common Event migration
changes. Follow the instructions below. If Action Required is not displayed, go to step 9.
i. Click Common Event Change Manager.
ii. Perform any of the following procedures as needed:
• To migrate a Common Event with a preview, select the Action check box for the item.
Right-click the grid, click Migrate with Preview, and then click Migrate Common Event
to Common Event or Common Event to MPE Rule.
• To migrate a Common Event without a preview, select the Action check box for the item.
Right-click the grid, click Action, and then click Migrate Common Event to Common
Event or Migrate Common Event to MPE Rule.
• To ignore the Common Events, select the Action check box for the item. Right-click the
grid, click Action, and then click Ignore. When this option is selected, items checked in the
grid are ignored during future Common Event Migration checks. The items no longer
appear in the Common Event Change Manager.
iii. To close the Common Event Change Manager, click Close.
9. To view the Synchronization History, click View Synchronization History.
10. Click Close.


11. To close the Knowledge Base Manager, click OK.

Configure the System Monitor Service


The LogRhythm System Monitor service must start automatically after a reboot. Therefore, you must verify
that the LogRhythm System Monitor Service Startup type is set to Automatic.
1. Log in to the System Monitor host as an administrator.
2. On the Start menu, click Administrative Tools, and then click Services.
3. Locate the LogRhythm System Monitor service.
4. Right-click the service, and then click Properties.
5. On the General tab, change the Startup type to Automatic.
6. Click OK.
7. Close the Services window.
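The following PowerShell is an added example, not part of the LogRhythm guide: it performs the checks from Record Service Credentials and from the steps above in one read-only pass, listing each LogRhythm service's Log On account and startup type, flagging accounts whose passwords you must obtain, and flagging the System Monitor service if it will not start automatically. The `LogRhythm*` service-name pattern is an assumption; adjust it if your services are named differently.

```powershell
# Added example: read-only inventory of LogRhythm services before an upgrade.
# Equivalent to opening Services, then the Log On and General tabs, by hand.
# Assumption: LogRhythm services are named "LogRhythm*" on this host.

# Built-in service identities: no password needs to be recorded for these.
$builtIn = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService'
)

$services = Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'LogRhythm%'"

if (-not $services) {
    Write-Warning 'No LogRhythm services found on this host.'
    return
}

$report = foreach ($svc in $services) {
    # StartName is the account shown on the Log On tab. Anything that is not a
    # built-in identity means "This account" is selected (Windows credentials).
    $usesWindowsAccount = $builtIn -notcontains $svc.StartName
    [pscustomobject]@{
        Service        = $svc.DisplayName
        State          = $svc.State
        StartupType    = $svc.StartMode      # Auto, Manual or Disabled
        LogOnAccount   = $svc.StartName
        RecordPassword = $usesWindowsAccount
    }
}

$report | Sort-Object Service | Format-Table -AutoSize

# Record Service Credentials: every account flagged here needs its password
# available (from your network administrator) before the upgrade starts.
$needCreds = $report |
    Where-Object RecordPassword |
    Select-Object -ExpandProperty LogOnAccount -Unique
if ($needCreds) {
    Write-Host "Obtain passwords for: $($needCreds -join ', ')"
}

# Configure the System Monitor Service: the agent must come back after the
# reboots the upgrade requires, so its startup type must be Automatic.
$sysmon = $report | Where-Object Service -like '*System Monitor*'
foreach ($s in $sysmon) {
    if ($s.StartupType -ne 'Auto') {
        Write-Warning "$($s.Service) startup type is '$($s.StartupType)'; set it to Automatic before upgrading."
    }
}
```

Run it in an elevated PowerShell session on each LogRhythm host; it changes nothing, so it is safe to rerun after the upgrade to confirm the accounts were preserved.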

Manually Run Audit Reports


The following information applies to upgrades from 6.3.9 only.
Because the LMDB and RADB are removed during the upgrade, you may want to run your audit reports
before you proceed so that you do not have to restore data from Archives to run the reports. For more
information, see Report Center.

(Optional) Run the Upgrade Checker


This task can be completed during upgrades from 7.2.x and 7.1.x only.
Elasticsearch 1.x indices will be deleted during the upgrade. If you want, you can run the upgrade checker
before anything else to see if any such indices exist in your deployment.

Run the Upgrade Checker on Windows


To run the upgrade checker on Windows, do the following:
1. Ensure that the Elasticsearch service is running on your Windows Data Indexer (XM or DP/DX).
2. Copy UpgradeChecker.exe to a known location on your XM or each DP/DX in your deployment (for example,
C:\checker).
3. Open a command prompt and go to the directory where you copied the upgrade checker.
4. Run the upgrade checker with the following command: UpgradeChecker.exe live-cleanup
5. The upgrade checker will inspect your Data Indexer cluster and report what it finds.
6. If you have more than one cluster (multiple DP/DX systems or multiple Linux clusters), repeat the above steps on
each cluster.
7. If all clusters are ready to upgrade, you may proceed with the next section.

Run the Upgrade Checker on Linux


On Linux, the upgrade checker only needs to be run on one node per cluster. If you have multiple DX clusters,
you may want to execute a query on the Platform Manager to identify the IP address of one node in each
cluster.
To identify cluster nodes, do the following:
1. Log in to your Platform Manager as an administrator and start Microsoft SQL Server Management Studio.
2. Right-click the LogRhythmEMDB database, and then click New Query.
3. Paste the following into the query window:
SELECT A.DataIP, A.ClusterID
FROM (
    SELECT LogRhythmEMDB.dbo.NGPNode.DataIP,
           LogRhythmEMDB.dbo.NGPCluster.ClusterID,
           ROW_NUMBER() OVER (PARTITION BY LogRhythmEMDB.dbo.NGPCluster.ClusterID
                              ORDER BY LogRhythmEMDB.dbo.NGPNode.DataIP) AS RN
    FROM LogRhythmEMDB.dbo.NGPNode
    INNER JOIN LogRhythmEMDB.dbo.NGPCluster
        ON LogRhythmEMDB.dbo.NGPNode.ClusterID = LogRhythmEMDB.dbo.NGPCluster.ClusterID
) A
WHERE A.RN = 1;
4. Click Execute.
The query will return a table of DataIPs and ClusterIDs. Each DataIP is the IP address of a cluster node where you
will need to copy and run the upgrade checker.
To run the upgrade checker on Linux, do the following:
1. Using a tool like WinSCP, connect as logrhythm to each of the identified nodes and copy the upgrade checker
RPM to /home/logrhythm/Soft.
2. Log in to one of the cluster nodes where you copied the upgrade checker.
3. From the /home/logrhythm/Soft directory, run
sudo yum localinstall upgradechecker-7.4.4.<version>.x86_64.rpm

Be sure you are installing the correct version of upgrade checker.

4. Ensure that the Elasticsearch service is running.


5. Go to /usr/local/logrhythm/tools and run the upgrade checker with the following command:
./UpgradeChecker live-cleanup
6. The upgrade checker will inspect your Data Indexer cluster and report what it finds.
7. If you have more than one cluster, repeat the above steps on the next node identified previously.
8. If all clusters are ready to upgrade, you may proceed with the next section.

Verify Deployment Status in the LogRhythm Infrastructure Installer


This task must be completed during upgrades from 7.3.x and 7.4.x only.

It is critical that you complete the following procedure successfully before starting the upgrade
process. If you do not successfully verify your deployment status before upgrading LogRhythm
components, your deployment could be left in an unusable state.


The LogRhythm 7.4.4 Infrastructure Installer requires a valid record of your deployment status. To ensure
that this record exists, do the following:
1. Log in to your Platform Manager as a user with administrative privileges.
2. From Start or under Apps, click LogRhythm Infrastructure Installer under the LogRhythm folder.
3. On the main page, click the Verify Deployment Status button if it is available.

If Verify Deployment Status is not available, click Exit and proceed to the next section.

The installer ensures that the plan file (plan.yml) matches the active hosts in the deployment.
4. Verify that the deployment status is successful.
5. Do not proceed if your deployment status cannot be verified. Ensure that all hosts in the plan file are online, and
that no new hosts have been added to the deployment since the plan file was created. If any hosts were added,
you will need to add them in the Infrastructure Installer, generate a deployment package, and run the package
on the new hosts.

If you still cannot verify your deployment status, you will need to add all of your hosts again, generate
deployment packages for all hosts, and run the deployment packages on all hosts. For additional
details, see the guide that you used when you upgraded to your current version.

6. When the status has been verified successfully, click Exit to close the Infrastructure Installer.

Shut Down Antivirus and Endpoint Protection Software


Shut down any antivirus or endpoint protection software you have running on all LogRhythm systems.

In the case of endpoint protection software, you may need to uninstall the software from all
LogRhythm systems as it has been known to interfere with the LogRhythm solution.

When the LogRhythm installation is complete, you can enable or install antivirus or endpoint protection
software again.

Exit All Client Consoles


Close all Client Consoles running on all systems.


Upgrade LogRhythm Databases


Run the LogRhythm Database Upgrade Tool
The following information applies to upgrades from 6.3.9 only.
LogRhythm v7 provides next-generation persistence and search capabilities for log and archive data. During
the upgrade from version 6.3.x, the LMDB and RADB databases are deleted. If you want to keep a copy of
these databases, make a backup and store them with the related EMDB backup somewhere other than the
Log Manager appliance. Keep in mind that, due to its size, the backup job could take several hours to
complete and will not be usable on a Log Manager appliance since the SQL Server software is removed.
The LogRhythm Database Upgrade Tool is packaged in a .ZIP file. After downloading the file, extract it using
a tool such as WinZip and place the files on the local drive of your XM, Platform Manager (for 7.2.x and 7.1.x),
or Event Manager and Log Managers (for 6.3.9). You must upgrade all of the LogRhythm databases using the
Database Upgrade Tool. If you have an XM appliance, you only need to run the tool on the XM appliance. For
upgrades from 7.2.x and 7.1.x, if you have a separate Platform Manager appliance, you only need to run the
tool on the PM appliance.

You have to run the LogRhythm Database Upgrade Tool on all Platform Managers.

The following information applies to upgrades from 7.2.x, 7.1.x, and 6.3.9 only.

During the upgrade, you may be presented with one or more warnings about losing live log data.
Elasticsearch 1.x indices are incompatible with the version of Elasticsearch in LogRhythm 7.4.4, and
those indices must be deleted during the upgrade. These indices were present in LogRhythm 7.1
and earlier versions of 7.2. If you are concerned about losing any of these indices, run the upgrade
checker to verify which indices, if any, would be affected. If you do not want to upgrade at this
time, you can upgrade to the latest LogRhythm 7.2 version and stay on that version until the
incompatible indices age out (until the default TTL on the Data Indexer has passed).

The database upgrade will remove SQL Server 2008 R2 and install SQL Server 2016 SP1, as well as .NET
Framework 4.6.1. During the upgrade, you are prompted to reboot the appliance being upgraded. You
cannot complete the upgrade without this reboot.

If FIPS (Federal Information Processing Standard) is enabled in your deployment, you must disable
it before proceeding with the Database Upgrade Tool. After finishing the upgrade, you can enable
FIPS again.
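Before starting the Database Upgrade Tool, the prerequisites above can be confirmed from the registry. This PowerShell is an added example, not code from the LogRhythm guide; it checks that .NET Framework 4.5.2 or later is present (Release value 379893 or higher in the NDP registry key), that the system drive has the 4.5 GB the .NET installer needs, and that FIPS mode is disabled. It only reports; it does not change any setting.

```powershell
# Added example: read-only pre-flight checks for the Database Upgrade Tool host.

# .NET Framework 4.5.2 or later is required by the Database Upgrade Tool and
# the Install Wizard. Installed 4.x builds record a "Release" DWORD under the
# NDP\v4\Full key; 379893 is the Release value of .NET Framework 4.5.2.
$minRelease = 379893
$ndpKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$ndp = Get-ItemProperty -Path $ndpKey -ErrorAction SilentlyContinue

if (-not $ndp -or -not $ndp.Release) {
    Write-Warning 'No .NET Framework 4.x installation found; install 4.5.2 or later first.'
} elseif ($ndp.Release -lt $minRelease) {
    Write-Warning ".NET Framework Release $($ndp.Release) is older than 4.5.2; install 4.5.2 or later first."
} else {
    Write-Host ".NET Framework Release $($ndp.Release) (4.5.2 or later): OK"
}

# The .NET Framework installer requires 4.5 GB of free disk space.
$driveLetter = $env:SystemDrive.TrimEnd(':')
$freeGB = [math]::Round((Get-PSDrive -Name $driveLetter).Free / 1GB, 1)
if ($freeGB -lt 4.5) {
    Write-Warning "Only $freeGB GB free on $env:SystemDrive; the .NET installation needs 4.5 GB."
} else {
    Write-Host "$freeGB GB free on $($env:SystemDrive): OK"
}

# FIPS mode must be disabled while the Database Upgrade Tool runs and can be
# re-enabled afterwards. The policy is the Enabled DWORD under FipsAlgorithmPolicy.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fips = Get-ItemProperty -Path $fipsKey -ErrorAction SilentlyContinue

if ($fips -and $fips.Enabled -eq 1) {
    Write-Warning 'FIPS algorithm policy is enabled; disable it before running the Database Upgrade Tool and re-enable it afterwards.'
} else {
    Write-Host 'FIPS algorithm policy: disabled (OK for the database upgrade)'
}
```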

1. Log in to the appliance as an administrator.


2. Locate the directory on the appliance where you extracted the Database Upgrade Tool.
3. Right-click LogRhythmDatabaseUpgradeSetup.exe, and then click Run as administrator.


The account that runs the Database Upgrade Tool must have the following rights: the right to back up
files and directories and the right to manage auditing and the security log. If you are unsure, contact
your system administrator.

4. If possible, run the installer as a local administrator instead of a domain administrator.


5. If Microsoft .NET Framework 4.5.2 or higher is not installed, an error message is displayed. If necessary,
install .NET Framework 4.5.2 and run the LogRhythm Database Upgrade Tool again.

You can download the Microsoft .NET Framework 4.5.2 standalone installer from
https://www.microsoft.com/en-us/download/details.aspx?id=42642. The .NET Framework installation
requires 4.5 GB of free disk space.

6. The Introduction screen appears. Before you begin, ensure that your system meets all the prerequisites.
7. To proceed, click Next.
The Database Upgrade Tool displays a confirmation dialog box: Are you sure you understand these instructions
and are ready to proceed with the upgrade?
8. Click Yes.
The Login screen appears.
9. Select SQL Server Authentication and provide the password for the sa and LogRhythmAdmin accounts.

Do not use Windows Authentication for the database upgrade.

10. Click Next. The Database Upgrade Tool validates your credentials against the database. If validation fails, an
error message appears and you must enter the proper credentials.
This task must be completed during upgrades from 7.1.x and 7.2.x only.
If prompted for a SQL Server 2016 product key, click Next to proceed. The upgrade tool should apply
the key supplied by LogRhythm.
The Review Components screen displays the current services and database versions. This page provides you
with information about installed LogRhythm services, their current state, and their version. All databases on the
server are listed including the type, version, host name, and an estimate of how long it will take to upgrade the
database.
There are no changes required on this screen.
11. To proceed, click Next.
The Backup Databases screen appears.
12. Select the Backup check box for each of the databases that you want to back up later in the upgrade process.
• By default, the LogRhythm EMDB database is selected and must be backed up. During the upgrade, all
database data (except for LMDB and RADB data in upgrades from 6.3.9) is retained. As an additional
precaution, you can choose to back up additional databases.
• Generally, the backup process can be completed in about an hour, but it may take much longer for very
large databases.
• If you clear the check box and click Next, the following message appears and the LogRhythmEMDB
database is selected after you click OK: Performing a backup of the LogRhythmEMDB database is
required.
13. To select a directory for the database backups, click Browse.


The SQL Server service must have permission to write to this folder.

• If you select additional databases, the following message appears: You have elected to backup an
additional database. These databases can be very large. Ensure that the backup location has sufficient
space to store the backups.
• If you do not have enough space, change the location or clear the check boxes of any databases that you
do not want to back up.
14. Click Next.
This task must be completed during upgrades from 6.3.9 only.
The Database Upgrade Tool displays a warning about removing the LMDB and RADB databases.

While the Database Upgrade Tool suggests that you back up your LMDB and RADB, this is not
necessary since that data can be restored with SecondLook.

When you are ready to proceed, click OK.


The Upgrade Databases screen appears.
15. To proceed, click Upgrade.
This task must be completed during upgrades from 7.2.x, 7.1.x, and 6.3.9 only.
After SQL Server 2008 R2 is removed and .NET 4.6.1 is installed, you must reboot your system to
continue. Click Yes to reboot.
When your system starts again, the Database Upgrade Tool should continue with the installation of
SQL Server 2016 Standard SP1.

The removal of SQL Server 2008 R2 and installation of SQL Server 2016 could take a considerable
amount of time. Please be patient while the upgrade proceeds. If the upgrade does not resume,
start the Database Upgrade Tool as described at the beginning of this procedure.

SQL Server 2016 Standard SP1 will be installed, and the database upgrade steps will continue. Status
is displayed during the upgrade, and SQL script output is displayed in a separate window.

If you cancel the upgrade, you can run the Database Upgrade Tool again later. The upgrade will
continue at the point where it was stopped.

When the upgrade is finished, the LogRhythm Database Upgrade Tool confirmation message appears.
16. To close the message and continue, click OK.
The Complete screen appears.
• To see upgrade logs, click View log files.
• To see script output, click View script output.
17. To exit the Database Upgrade Tool, click Close.


In 7.2.x, 7.1.x, and 6.3.9 deployments, the SQL Server Upgrade process will revert the account
used to run SQL Server and SQL Server Agent to system defaults. Ensure they are set to use
the same credentials on both servers. Active Directory accounts with local administrative
rights must be used to run these services.

In 7.2.x, 7.1.x, and 6.3.9 deployments, the SQL Server Upgrade process restarts the services
you previously shut down during the Prepare to Upgrade step. You must stop those services
again before running the LogRhythm Installation Wizard in the next step.

Reconfigure Virtual Disks on Standalone Log Managers


This task must be completed during upgrades from 6.3.x only.

Do not perform this step in XM deployments. This step is only applicable to standalone 6.3 Log
Managers. After running the Database Upgrade Tool on each Log Manager, you must reconfigure
the virtual disks on each appliance before installing the Data Processor and Data Indexer.

Before you begin, ensure that the following prerequisites have been met:
• Dell Open Manage Server Administrator is installed
• The LogRhythm Database Upgrade Tool has uninstalled MS SQL Server
• All data on drives D:, L:, and T: has been backed up in a safe location (also drives E:, M:, and U: for DAS
configurations)
• All physical drives attached to the RAID controller are in good health
• If you are using a DAS configuration, you need to perform the DAS Configuration: Remove Existing Drives
procedures

Remove Existing Drives


1. On the Start menu, click All Programs, click Administrative Tools, and then click Server Manager.
2. Expand the Storage node in the left pane, and then click Disk Management.
3. Right-click the D: drive, and then click Delete Volume.
4. Repeat the previous step for the L: and T: drives.
When you are finished, you should have three unallocated disk volumes.
5. On the File menu, click Exit.

Create a New Virtual Disk


1. On the desktop, double-click the Server Administrator icon.
2. If you receive a certificate warning, click Continue to this website to ignore it and proceed.
3. Log in to Server Administrator as an administrator.
4. Under the System tree on the left, click Storage.
5. Expand the PERC H710 or H710P node, and then click Virtual Disks.
6. Ensure that all the check boxes in the Status column are green.


7. Under Tasks for Virtual Disk 1, select Delete, and then click Execute.
A warning about deleting all data appears.
8. Scroll to the bottom of the page and click Delete.
You are prompted to confirm the deletion.
9. To delete the virtual disk, click OK.
10. Repeat steps 7 through 9 for virtual disks 2 and 3.
11. Click Go to the Create Virtual Disk Wizard.
12. Select the Advanced Wizard option, select RAID-5 next to RAID Level, and then click Continue.
13. Select all physical disks on Connector 0 except for the first one, and then click Continue.
14. Review the Summary of Virtual Disk Attributes page. No changes are required.
15. Scroll to the bottom of the page, select the only drive available to be the dedicated hot spare, and then click
Finish.
16. Confirm your selections and verify that you have created a supported configuration.
17. To confirm the configuration, click OK, and then wait for the new configuration to be created.
This may take up to 15 minutes.
When the configuration is complete, the final state of the RAID appears.
18. Click Log Out, and then click Quit Browser.

Prepare New Virtual Disk


1. On the Start menu, click All Programs, click Administrative Tools, and then click Server Manager.
2. Expand the Storage node in the left pane, and then click Disk Management.
The Initialize Disk dialog box appears.
3. Select Disk 1, select the GPT partition style, and then click OK.
4. Right-click the unallocated disk, and then click New Simple Volume.
5. The New Simple Volume Wizard appears.
6. Follow the steps in the wizard, making the following selections:
• Specify Volume Size. Set to maximum disk space value.
• Assign Drive Letter or Path. Assign drive letter D.
• Format Partition. Format as NTFS, 64K allocation size, volume label of “Data.”
• Quick format option. You can leave this option selected.
7. To create the new volume, click Finish on the last page of the wizard.

DAS Configuration: Remove Existing Drives


The following procedure is only required for DAS configurations.
1. On the Start menu, click All Programs, click Administrative Tools, and then click Server Manager.
2. Expand the Storage node in the left pane, and then click Disk Management.
3. Right-click the E: drive, and then click Delete Volume.
4. Repeat the previous step for the M: and U: drives.
When you are finished, you should have three unallocated disk volumes.
5. On the File menu, click Exit.

DAS Configuration: Create a New Virtual Disk


The following procedure is only required for DAS configurations.
1. On the desktop, double-click the Server Administrator icon.


2. If you receive a certificate warning, click Continue to this website to ignore it and proceed.
3. Log in to Server Administrator as an administrator.
4. Under the System tree on the left, click Storage.
5. Expand the second PERC adapter node, and then click Virtual Disks.
6. Ensure that all the check boxes in the Status column are green.
7. Under Tasks for Virtual Disk 0, select Delete, and then click Execute.
A warning about deleting all data appears.
8. Scroll to the bottom of the page and click Delete. You will be prompted to confirm the deletion.
9. To delete the virtual disk, click OK.
10. Repeat steps 7 through 9 for virtual disks 1 and 2.
11. Click Go to the Create Virtual Disk Wizard.
12. Select the Advanced Wizard option, select RAID-5 next to RAID Level, and then click Continue.
13. Select all physical disks on Connector 0 except for the first one, and then click Continue.
14. Review the Summary of Virtual Disk Attributes page. No changes are required.
15. Scroll to the bottom of the page, select the only drive available to be the dedicated hot spare, and then click
Finish.
16. Wait for the new configuration to be created. This may take up to 15 minutes. When the configuration is
complete, the final state of the RAID appears.
17. Click Log Out, and then click Quit Browser.

DAS Configuration: Prepare New Virtual Disk


The following procedure is only required for DAS configurations.
1. On the Start menu, click All Programs, click Administrative Tools, and then click Server Manager.
2. Expand the Storage node in the left pane, and then click Disk Management.
The Initialize Disk dialog box appears.
3. Select Disk 2, select the GPT partition style, and then click OK.
4. Right-click the unallocated disk, and then click New Simple Volume.
5. The New Simple Volume Wizard appears.
6. Follow the steps in the wizard, making the following selections:
• Specify Volume Size. Set to maximum disk space value
• Assign Drive Letter or Path. Assign drive letter E
• Format Partition. Format as NTFS, Default allocation size, volume label of “Data1”
• Quick format option. You can leave this option selected
7. On the last page of the wizard, click Finish to create the new volume.
The new volume can now be used for Elasticsearch data storage.


Upgrade LogRhythm Appliances


Use the LogRhythm Install Wizard to install or upgrade LogRhythm components in your deployment. You
must run the Install Wizard on each appliance or server in your deployment, and select the appliance
configuration that you want to install or upgrade.

• The LogRhythm Install Wizard requires .NET Framework version 4.5.2 or above.
• If you are installing or upgrading the Data Indexer or Web Console, ensure that Windows Firewall
Service is running before starting the Install Wizard to allow firewall rules to be created.
• Do not try to run the wizard from a network share. Run the wizard locally on each appliance.
• For systems with UAC (Vista and later), always run installers as a Local Administrator with elevated
privileges. The person performing the installation must be in the Local Admin group, unless the
domain is managed and the Group Policy Object dictates that only Domain Administrators can run
installers.
• When installing the Web Console, it is recommended that you run the LogRhythm Install Wizard to
install all Web Console services. You may choose to install the Web Console as a stand-alone
installation or as part of the XM Appliance or Platform Manager (PM) configurations.
• Before installing or upgrading the Web Console, ensure that Windows Firewall is running so the
Common installer can open port 8300.

When the Client Console is installed on a fresh system, additional software packages must be
installed such as Microsoft Visual C++ Redistributable packages, SAP Crystal Reports runtime
engine, and .NET Framework 4.5.2. For this reason, the Client Console installer may take 30 minutes
or more to complete.

1. Log in as an administrator on the appliance or server where you are installing or upgrading LogRhythm
software.
2. Copy the entire LogRhythm Install Wizard directory to a new directory on the local server.
3. Open the Install Wizard directory, right-click LogRhythmInstallWizard.exe, and then click Run as
administrator.
The Welcome screen appears.
4. Click Next to proceed.
The wizard asks you to confirm that you have prepared the LogRhythm databases for the upgrade.
5. Click one of the following:
• If you have run the Database Install or Upgrade Tool on each Platform Manager or XM server (or EM or LM
server on 6.3.9 deployments), click Yes to continue.
• If you have not prepared the LogRhythm databases on all required appliances, click No to cancel the
wizard, install or upgrade all of the required databases, and then continue with this procedure.
The End User License Agreement appears.
6. Read the agreement carefully. By accepting the terms in the agreement, you agree to be bound by those terms.
7. If you accept the terms of the agreement, select the I accept the terms in the license agreement check box, and
then click Next.
The configuration selector appears. Depending on the selected configuration, the wizard upgrades or installs a
specific application or set of applications.


For certain configurations, you can optionally select to install or upgrade the AI Engine.

If you select the Web Console, it is installed to the default location, C:\Program
Files\LogRhythm\LogRhythm Web Services. For instructions on how to install the Web Console to a
custom location, see Use the LogRhythm Configuration Manager.

8. For each appliance that you install, select the target appliance configuration, according to the following table.
The following information applies to upgrades from 7.x only.
If you are upgrading an existing PM + DP appliance or another configuration that is not represented in
the Install Wizard, select one of the available configurations and then run the wizard again to install
the next configuration.

7.x.x Configuration              Select...
XM                               XM
Platform Manager                 PM
Data Processor + Data Indexer    DPX
Data Processor                   DP
Client Console                   Client Console
Web Console                      Web Console
AI Engine                        AIE
Data Collector/System Monitor    DC

The following information applies to upgrades from 6.3.9 only.
If you are upgrading an existing XM appliance and want to add the Linux Data Indexer to your
deployment, you need to install the PM configuration and then run the Install Wizard again to install
the DP configuration. For more information about installing the Linux Indexer, see Install a New
LogRhythm 7.4.4 Deployment. Similarly, to install another configuration that is not represented in the
Install Wizard, select one of the available configurations and then run the wizard again to install the
next configuration.

6.3.9 Configuration                 Select...
XM                                  XM
Event Manager                       PM
Log Manager (keeping persistence)   DPX
Log Manager (Mediator only)         DP
Client Console                      Client Console
Web Console                         Web Console
AI Engine                           AIE
Site Log Forwarder/System Monitor   DC

If you are upgrading the LogRhythm Web Console, pay attention to the following:
• Upgrades from Web Console 6.1.x and 6.2.x are not supported. Uninstall your Web Console and
complete a fresh installation.
• If you have a 7.2.0 deployment, close the Web Services Configuration Manager prior to
beginning the upgrade.

9. When you have selected the target configuration, click Install.
The LogRhythm Deployment Tool appears.
The options available on the main page of the Deployment Tool depend on whether you are upgrading an
existing deployment or installing a new one. Select either Configure New Deployment or Upgrade Deployment,
depending on your situation. Then, follow the on-screen instructions to create a Deployment Package.
Additional help is available by clicking the question mark icon in the upper-right of the tool.

For more information, see Use the LogRhythm Deployment Tool before proceeding.

When you are finished preparing your deployment, you will be returned to the Install Wizard.
10. Watch for any failures as the wizard installs or upgrades the applications according to the selected
configurations.

When the Client Console is installed on a fresh system, additional software packages must be installed
such as Microsoft Visual C++ Redistributable packages, SAP Crystal Reports runtime engine, and .NET
Framework 4.5.2. For this reason, the Client Console installer may take 30 minutes or more to
complete.

Progress in the installation screen is indicated as follows:

Color    Meaning
Green    The application was installed successfully. A message about the application and installed
         version is also printed below the status indicators.
Blue     The application is being installed.
Yellow   The current or a newer version of the application is already installed.
Red      Something went wrong and the application was not installed. Additional details are printed
         below the status indicators. If something went wrong, check the installer logs located in
         C:\LogRhythm\Installer Logs\<install date and time>\

During the Web Console installation or upgrade, if you receive a message that notifies you of an error
with your Windows Installer package, go into each folder in C:\Program Files\LogRhythm\LogRhythm
Web Services and run the unzip.bat file as an administrator. For other failures, run a Repair.

11. Configure your deployment using the LogRhythm Configuration Manager that appears after the installation or
upgrade is complete.
The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited
settings are shown in Basic mode. Advanced mode displays all settings, including those shown in Basic mode,
grouped according to which service they affect. You can filter the settings that are displayed by clicking one of
the options on the left — All (no filtering), Authentication, or Web Services. When settings are filtered, you should
enable the Advanced view to ensure you can see all settings. For more information, see Use the LogRhythm
Configuration Manager.

While the Configuration Manager is still open, review your previous Web Console configuration values
(backed up before starting the upgrade), turn on the advanced view, and validate or set all of the
values in the Configuration Manager, especially the following:
• Global, Database Server. This is the IP address of your Platform Manager where the EMDB is
installed.
• Web Global, Database Password. This is the password for the LogRhythmWebUI user, used by
the Admin API for connecting to the EMDB. If the password is not correct, the Admin API will
display an error.
• Web Console UI values. Verify all settings for all Web Console instances.
When finished, click Save, back up your current configuration to file, and then close the
Configuration Manager.


After you validate and save your configuration, it is strongly recommended that you make a new backup.
Save the file in a safe location in case you need to restore it later.

12. To close the LogRhythm Install Wizard, click Exit.

If you need to install additional components that were not included in the selected configuration,
run the Install Wizard again and select the necessary components.


Upgrade the LogRhythm Data Indexer


If you are upgrading the Linux Indexer in your deployment, follow the procedure listed below.

If you are adding the Linux Data Indexer to your deployment, see Install the LogRhythm Data
Indexer.

Configure a Proxy Connection for Indexer Upgrades


If your Linux Data Indexer sits behind a proxy server, you may need to add the proxy address and optional
username and password to the yum configuration file on the Indexer from which you are running the
upgrade.

If you are upgrading a multi-node cluster, you only need to modify yum.conf on the node from
which you will run the upgrade.

To configure proxy options in yum.conf:


1. Log in to your Indexer appliance or server as logrhythm.
2. Type sudo vi /etc/yum.conf to open the file for editing.
3. To enter INSERT mode, press the i key.
4. Add the following lines to the file:
proxy=<proxyURL:port>
proxy_username=<username>
proxy_password=<password>

EXAMPLE
proxy=http://my.proxyaddress.com:9999
proxy_username=myloginID
proxy_password=mypassword

5. Press the Esc key.


6. Type the following characters to exit and save yum.conf: :wq

Configure Upgrades Without Internet Access (Dark Sites)


If your Linux Data Indexer does not have access to the Internet (for example, in a restricted environment or
at a dark site), you may need to modify CentOS-Base.repo so that repositories are skipped if they are
unavailable.


CentOS-Base.repo contains the base, updates, extras, and centosplus repositories. By default, updates to
centosplus are disabled (i.e., enabled is set to 0). For base, updates, and extras, you will need to add a line
that will skip updates if the repo is unavailable.

If you are upgrading a multi-node cluster, you only need to modify CentOS-Base.repo on the node
from which you will be running the upgrade.

To configure repository options in CentOS-Base.repo:


1. Log in to your Indexer appliance or server as logrhythm.
2. Type sudo vi /etc/yum.repos.d/CentOS-Base.repo to open the file for editing.
3. To enter INSERT mode, press the i key.
4. Within each of the three repository sections — base, updates, and extras — add the following line:
skip_if_unavailable=true
5. Press Esc.
6. Enter the following characters to exit and save CentOS-Base.repo: :wq
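As an added example that is not part of the LogRhythm guide, the following shell script performs the edit above without vi: it inserts skip_if_unavailable=true into exactly the base, updates and extras sections, leaves centosplus alone, and skips sections that already carry the option, so it is safe to re-run. The CentOS-Base.repo content used here is a constructed sample; the function names are this example's own.

```shell
# Added example, not part of the LogRhythm guide: idempotently add
# "skip_if_unavailable=true" to the [base], [updates] and [extras]
# sections of a CentOS-Base.repo file, leaving [centosplus] and every
# other section untouched. Against the real file, write the result to a
# scratch copy and review it before copying it back with sudo:
#   patch_repo_file /etc/yum.repos.d/CentOS-Base.repo > /tmp/CentOS-Base.repo.new

# Print the patched repo file on stdout. The file is read twice: the first
# pass records which sections already carry the option, the second pass
# inserts it directly under the header of each target section that lacks
# it, so running the function on its own output changes nothing.
patch_repo_file() {   # $1 = path to CentOS-Base.repo
    awk '
        /^\[/ { sect = $0; sub(/^\[/, "", sect); sub(/\].*$/, "", sect) }
        NR == FNR {                          # first pass: inventory
            if ($0 ~ /^skip_if_unavailable[ \t]*=/) has[sect] = 1
            next
        }
        { print }                            # second pass: copy through
        /^\[/ && (sect == "base" || sect == "updates" || sect == "extras") && !has[sect] {
            print "skip_if_unavailable=true"
        }
    ' "$1" "$1"
}

# Count how many sections of a repo file have the option switched on.
count_skip_sections() {   # $1 = repo file
    grep -Ec '^skip_if_unavailable[[:space:]]*=[[:space:]]*(true|1)' "$1"
}

# Succeed only if the named section has skip_if_unavailable enabled.
section_has_skip() {   # $1 = repo file, $2 = section name without brackets
    awk -v want="$2" '
        /^\[/ { sect = $0; sub(/^\[/, "", sect); sub(/\].*$/, "", sect); next }
        sect == want && /^skip_if_unavailable[ \t]*=[ \t]*(true|1)[ \t]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Constructed sample modelled on the CentOS 7 layout: updates already has
# the option, centosplus is disabled and must not be touched.
write_sample_repo() {   # $1 = output path
    cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
skip_if_unavailable=true

[extras]
name=CentOS-$releasever - Extras
gpgcheck=1

[centosplus]
name=CentOS-$releasever - Plus
gpgcheck=1
enabled=0
EOF
}

tmp=$(mktemp)
write_sample_repo "$tmp"
patch_repo_file "$tmp" > "$tmp.new"
echo "sections with skip_if_unavailable set: $(count_skip_sections "$tmp.new")"   # 3
rm -f "$tmp" "$tmp.new"
```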

Upgrade a Single-Node Cluster


The script used to install or upgrade a Data Indexer cluster requires the use of a hosts file to assign a
hostname to each Data Indexer node. If you used a hosts file when you first installed the Data
Indexer or during a previous upgrade, point to the same file during the upgrade. If you have not
previously used a hosts file, you need to create the file for the upgrade.

Before starting the Data Indexer upgrade, ensure that firewalld is running on all cluster nodes. To
do this, log in to each node and run the following command: sudo systemctl start firewalld

1. Log in to your Indexer appliance or server as logrhythm.


2. Change to the /home/logrhythm/Soft directory where you copied the updated installation script.

You can only run the installation script from a partition on which the logrhythm user has execute
privileges. It is recommended that you run the script from somewhere within /home/logrhythm.

3. If you need to create a hosts file, use vi to create a file in /home/logrhythm/Soft called hosts.

Ensure that you specify the current Data Indexer hostname if you are creating a new file.

The hosts file must follow a defined pattern of <IPv4 address> and <hostname> on each line. You must separate
the address and hostname with a space. The file might look like the following:
10.1.23.91 LRLinux1


Do not use fully qualified domain names for Indexer hosts. For example, use only LRLinux1 instead of
LRLinux1.myorg.com.

The following command sequence illustrates how to create and modify a file with vi:
a. To create the hosts file and open for editing, type vi hosts.
b. To enter INSERT mode, press the i key.
c. Enter the IPv4 address and hostname to use for the Indexer, separated by a space.
d. Press the Esc key.
e. Enter the following characters to exit and save your hosts file: :wq
4. Run the installer with the hosts file argument, as follows:
sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/Soft/hosts --plan /home/logrhythm/plan.yml
You can press the Tab key after starting to type out the installer name, and the filename autocompletes for you.
5. If prompted for the SSH password, enter the password for the logrhythm user.
The script installs the Data Indexer.

The installation process may take up to 10 minutes.

When the installation is complete, a confirmation message appears.


6. Check the status of services by typing sudo systemctl at the prompt, and then look for failed services.

If the installation fails with the following error — failed to connect to the firewalld daemon — ensure
that firewalld is running on all cluster nodes and start the installation again. To do this, log in to each
node and run the following command: sudo systemctl start firewalld

Upgrade a Multi-Node Cluster


The script used to install or upgrade a Data Indexer cluster requires the use of a hosts file to assign a
hostname to each Data Indexer node. If you used a hosts file when you first installed the Data
Indexer or during a previous upgrade, point to the same file during the upgrade. If you have not
previously used a hosts file, you need to create the file for the upgrade.

You only need to run the upgrade on one of your cluster nodes. Run it on the same machine where
you ran the original installer. The package installer installs a Data Indexer on each node.

Before starting the Data Indexer upgrade, ensure that firewalld is running on all cluster nodes. To
do this, log in to each node and run the following command: sudo systemctl start firewalld


1. Log in to your Indexer appliance or server as logrhythm.


2. Change to the /home/logrhythm/Soft directory where you copied the updated installation script.

You can only run the installation script from a partition on which the logrhythm user has execute
privileges. It is recommended that you run the script from somewhere within /home/logrhythm.

You should have a file named hosts in the /home/logrhythm/Soft directory that was used during the original
installation. The hosts file must follow a defined pattern of {IPv4 address} and {hostname} on each line. You
must separate the address and hostname with a space.
The contents of the file might look like the following:
10.1.23.65 LRLinux1
10.1.23.67 LRLinux2
10.1.23.91 LRLinux3

Do not use fully qualified domain names for Indexer hosts. For example, use only LRLinux1 instead of
LRLinux1.myorg.com.

3. If you need to create a hosts file, use vi to create a file in /home/logrhythm/Soft called hosts.
The following command sequence illustrates how to create and modify a file with vi:
a. To create the hosts file and open for editing, type vi hosts.
b. To enter INSERT mode, press the i key.
c. Enter the IPv4 address and hostname to use for the Indexer, separated by a space.
d. Press the Esc key.
e. Enter the following characters to exit and save your hosts file: :wq
4. Run the installer using the original or updated hosts file, as follows:

When upgrading a DX7500 that is already running as a 2XDX, only run the regular
LRDataIndexer.run file, as described below. Do not run the 2XDX installer.

sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/Soft/hosts --plan /home/logrhythm/plan.yml
You can press the Tab key after starting to type out the installer name, and the filename autocompletes for you.
5. If prompted for the SSH password, enter the password for the logrhythm user.
The script installs the Data Indexer on each of the DX machines.

The installation process may take up to 30 minutes.

When the installation is complete, a confirmation message appears.


6. Check the status of services by typing sudo systemctl at the prompt, looking for “failed” services.


If the installation fails with the following error — failed to connect to the firewalld daemon — ensure
that firewalld is running on all cluster nodes and start the installation again. To do this, log in to each
node and run the following command: sudo systemctl start firewalld
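The hosts file rules given in the single-node and multi-node procedures above (one IPv4 address and one short hostname per line, separated by a space, no FQDNs) are easy to get wrong by hand. This added shell check, which is not part of the LogRhythm guide, validates a hosts file before you pass it to the installer; the sample files are constructed, and the function names are this example's own.

```shell
# Added example, not part of the LogRhythm guide: check a Data Indexer
# hosts file for the format the installer expects: one
# "<IPv4 address> <hostname>" pair per line, separated by a single space,
# short hostnames only (no FQDN), and no address or hostname listed twice.
# Prints one diagnostic per bad line plus a summary, and returns non-zero
# if any line is bad.
validate_hosts_file() {   # $1 = path to the hosts file
    awk '
        function bad(msg) { printf("line %d: %s: %s\n", NR, msg, $0); errors++ }
        /^[ \t]*$/ { next }                                # ignore blank lines
        $0 !~ /^[^ \t]+ [^ \t]+$/ { bad("expected <IPv4> <hostname> separated by one space"); next }
        {
            n = split($1, o, ".")
            ok = (n == 4)
            for (i = 1; i <= 4 && ok; i++)
                ok = (o[i] ~ /^[0-9]+$/ && length(o[i]) <= 3 && o[i] + 0 <= 255)
            if (!ok)                     { bad("first field is not a dotted-quad IPv4 address"); next }
            if ($2 ~ /\./)               { bad("hostname must be short (LRLinux1), not an FQDN"); next }
            if ($2 !~ /^[A-Za-z0-9-]+$/) { bad("hostname has characters outside [A-Za-z0-9-]"); next }
            if (seen_ip[$1]++)           { bad("duplicate IP address"); next }
            if (seen_host[$2]++)         { bad("duplicate hostname"); next }
            good++
        }
        END { printf("%d valid node(s), %d problem(s)\n", good, errors); exit (errors > 0) }
    ' "$1"
}

# Succeed if the given short hostname is listed in the file; useful to
# confirm that the node you run the upgrade from is present, e.g.
#   hosts_file_contains_node /home/logrhythm/Soft/hosts "$(hostname -s)"
hosts_file_contains_node() {   # $1 = hosts file, $2 = short hostname
    awk -v want="$2" '$2 == want { found = 1 } END { exit !found }' "$1"
}

# Constructed sample files: "good" is the three-node layout shown in the
# guide; "bad" has an FQDN, an out-of-range octet and a repeated hostname.
write_sample_hosts() {   # $1 = output path, $2 = good | bad
    if [ "$2" = good ]; then
        printf '%s\n' '10.1.23.65 LRLinux1' '10.1.23.67 LRLinux2' '10.1.23.91 LRLinux3' > "$1"
    else
        printf '%s\n' '10.1.23.65 LRLinux1' '10.1.23.67 LRLinux2.myorg.com' \
                      '10.1.23.256 LRLinux3' '10.1.23.91 LRLinux1' > "$1"
    fi
}

sample=$(mktemp)
write_sample_hosts "$sample" bad
validate_hosts_file "$sample" || echo "fix the hosts file before running the installer"
rm -f "$sample"
```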

Validate the Linux Indexer Upgrade


To validate a successful upgrade of the Linux Indexer, check the following logs in /var/log/persistent:
• ansible.log echoes console output from the upgrade, and should end with details about the number of
components that upgraded successfully, as well as any issues (unreachable or failed)
• logrhythm-node-install.sh.log lists all components that were installed or updated, along with current versions
• logrhythm-cluster-install.sh.log should end with a message stating that the Indexer was successfully installed
Additionally, you can issue the following command and verify the installed version of various LogRhythm
services, tools, and libraries, as well as third party tools: sudo yum list installed | grep -i logrhythm
1. Verify that the following LogRhythm services are at the same version as the main installer version:
• AllConf
• Bulldozer
• Carpenter
• Columbo
• Configuration
• Server
• GoMaintain
• HeartThrob
• Spawn
• Transporter
• Vitals
• Watchtower
2. Verify that the following tools/libraries have been updated to the version matching the installer name:
• Cluster Health
• Conductor
• DX Config Files
• ES Templater
• Merge Control
• Persistent
• Silence
• Unicon
• Unique ID
• Upgrade Checker
3. Verify the following versions of these services and third party tools:
• consul-template 0.19.0
• consul-ui 1.0.1
• consul-utils 1.0.1
• elasticsearch 5.6.6
• grafana 4.6.3_1
• influxdb 1.4.2
• LogRhythmAPIGateway 2.4.2


• LogRhythmMetricsCollection 1.0.0
• LogRhythmServiceRegistry 1.5.1
• nginx 1.10.1
• zeromq 4.0.5
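As an added example that is not part of the LogRhythm guide, the following shell script compares the output of sudo yum list installed with the versions listed in step 3 above and reports every package that is missing or at the wrong version. The yum output below is a constructed sample so the check runs offline, and the package names are assumed to match the names printed above (adjust them if the rpm names on your node differ).

```shell
# Added example, not part of the LogRhythm guide: compare the versions
# reported by "yum list installed" with the versions the guide expects
# after the 7.4.4 Indexer upgrade. For a real node:
#   sudo yum list installed > /tmp/installed.txt
#   write_expected_versions /tmp/expected.txt
#   check_versions /tmp/installed.txt /tmp/expected.txt

# Expected "name version" pairs, copied from the validation list above.
# Package names are assumed to match the rpm names; adjust if they differ.
write_expected_versions() {   # $1 = output path
    cat > "$1" <<'EOF'
consul-template 0.19.0
consul-ui 1.0.1
consul-utils 1.0.1
elasticsearch 5.6.6
grafana 4.6.3_1
influxdb 1.4.2
LogRhythmAPIGateway 2.4.2
LogRhythmMetricsCollection 1.0.0
LogRhythmServiceRegistry 1.5.1
nginx 1.10.1
zeromq 4.0.5
EOF
}

# Constructed sample of "yum list installed" output. yum folds a row when
# the package name is long, printing the version on the next line (see
# LogRhythmMetricsCollection), and shows an epoch prefix such as "1:" on
# some packages; nginx is deliberately one patch level low.
write_sample_yum_output() {   # $1 = output path
    cat > "$1" <<'EOF'
Loaded plugins: fastestmirror
Installed Packages
consul-template.x86_64             0.19.0-1.el7        @logrhythm
consul-ui.x86_64                   1.0.1-1.el7         @logrhythm
consul-utils.x86_64                1.0.1-1.el7         @logrhythm
elasticsearch.noarch               5.6.6-1             installed
grafana.x86_64                     4.6.3_1-1.el7       @logrhythm
influxdb.x86_64                    1.4.2-1             installed
LogRhythmAPIGateway.x86_64         2.4.2-1.el7         @logrhythm
LogRhythmMetricsCollection.x86_64
                                   1.0.0-1.el7         @logrhythm
LogRhythmServiceRegistry.x86_64    1.5.1-1.el7         @logrhythm
nginx.x86_64                       1:1.10.0-1.el7      @logrhythm
zeromq.x86_64                      4.0.5-1.el7         @logrhythm
EOF
}

# Print one line per expected package ("OK", "MISMATCH" or "MISSING") in
# list order; the exit status is the number of packages that are not OK.
check_versions() {   # $1 = saved yum list output, $2 = expected-versions file
    awk '
        NR == FNR { want[$1] = $2; order[++n] = $1; next }   # expectations
        /^Loaded plugins|^Installed Packages/ { next }
        NF == 1 { pending = $1; next }                      # folded row: name only
        NF >= 2 {
            if (pending != "") { name = pending; ver = $1; pending = "" }
            else               { name = $1;      ver = $2 }
            sub(/\.[^.]+$/, "", name)                       # drop .x86_64 / .noarch
            sub(/^[0-9]+:/, "", ver)                        # drop the epoch
            sub(/-.*$/, "", ver)                            # drop the release
            have[name] = ver
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                p = order[i]
                if (!(p in have))            { print "MISSING " p; bad++ }
                else if (have[p] != want[p]) { print "MISMATCH " p " want " want[p] " got " have[p]; bad++ }
                else                           print "OK " p " " have[p]
            }
            exit bad
        }
    ' "$2" "$1"
}

yum_out=$(mktemp); expected=$(mktemp)
write_sample_yum_output "$yum_out"
write_expected_versions "$expected"
check_versions "$yum_out" "$expected" || echo "$? package(s) need attention"
rm -f "$yum_out" "$expected"
```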


Perform Post-Upgrade Procedures on the Upgraded LogRhythm Deployment

After you have upgraded all your appliances, you can perform a few configuration tasks and restart the
LogRhythm solution.

Install .NET 4.5.2 Hotfixes to Support TLS 1.2 Communication


This task must be completed during upgrades from 7.2.x, 7.1.x, and 6.3.9 only.

The following requirements and procedures apply only to Windows-based appliances and servers.
These patches are not required on Linux systems, on the Platform Manager, on systems running
only the System Monitor Agent, or on systems where .NET 4.6 is already installed.

To enable communication over TLS 1.2, LogRhythm 7.4 core components on Windows must be running
Microsoft .NET Framework 4.5.2 — .NET 4.6 is acceptable, though this version is only installed on the
Platform Manager.
• .NET 4.5.2 will be installed for any LogRhythm component that requires it.
• The .NET 4.5.2 hotfixes are available in a .zip file under Documentation & Downloads on the LogRhythm
Community.

Apply .NET 4.5.2 Hotfix for Windows 7 SP1, Windows Server 2008, Windows Server
2008 R2
The .NET 4.5.2 rollup hotfix is provided in the TLS 1.2 Support package on the LogRhythm Community. To
apply the hotfix, do the following on all appliances or computers running LogRhythm core components on
Windows 7 SP1, Windows Server 2008, or Windows Server 2008 R2:
1. Log in to the appliance or computer as an administrator.
2. Browse to the directory where you copied NDP452-KB3099845-x86-x64-ENU.exe.
3. Right-click NDP452-KB3099845-x86-x64-ENU.exe, and then click Run as administrator.
The Microsoft .NET Framework 4.5.2 Hotfix Rollup Setup wizard appears.
4. Accept the license agreement and then click Install to apply the hotfix.

When the installation is complete, restart the appliance or server.

Apply .NET 4.5.2 Update for Windows 8.1 or Windows Server 2012 R2
The .NET 4.5.2 update, x64-Windows8.1-KB3099842-x64.msu, is provided in the TLS 1.2 Support package on
the LogRhythm Community. To apply the update, do the following on all appliances or computers running
LogRhythm core components on Windows 8.1 or Windows Server 2012 R2:
1. Log in to the appliance or computer as an administrator.


2. Browse to the directory where you copied x64-Windows8.1-KB3099842-x64.msu.


3. To launch the installer, double-click x64-Windows8.1-KB3099842-x64.msu.
If the update needs to be applied, the Windows Update Standalone Installer appears.
4. To install the update, click Yes.
5. When prompted, click Restart Now to complete the installation and restart the appliance or computer.

Restart the appliance or server when the installation is complete, regardless of whether you are
prompted to restart.

Configure the Data Indexer


Accessing and configuring the Data Indexer differs slightly between Windows and Linux. See the appropriate
procedure below according to your Data Indexer operating system.

Windows
You can configure the Indexer using the configuration web page — AllConf — that is hosted on the Indexer
Appliance or server. Please note the following requirements:
• For Windows Indexers, you must perform these steps for each Indexer in your deployment.
• Ensure that the LogRhythm DX – AllConf and LogRhythm DX – Configuration Server services are running on the
appliance before trying to connect to the Indexer.
• You can only access AllConf locally or through a remote desktop/terminal services session to the appliance.
• You can only access AllConf using Google Chrome (latest version), Mozilla Firefox (latest version), or Internet
Explorer 11.

Do not attempt to modify any configuration files manually. If you have any issues, contact
LogRhythm Support.

To access AllConf and configure the Data Indexer:
1. Log in to the DPX appliance as an administrator.
2. Start one of the supported browsers and type the following in the address bar: http://localhost:9100
The Data Indexer Configuration sign in page appears.
3. Type admin in the Username box and the LogRhythm default password in the Password box, and then click Sign
In.

If you make any changes to the existing Indexer configuration, ensure that you click Submit
before signing out or leaving the page.

4. Modify or verify the following settings:


CloudAI Config

These configuration values apply only to users of the LogRhythm CloudAI solution.

Enable CloudAI           Enables (true) or disables (false) CloudAI in your LogRhythm deployment.

All Conf Config

Administrator Password   Best practice is to change the default password for the admin user. Click
                         Change Password, then use the Update Password dialog box to enter and
                         confirm a new password.
                         Passwords must be at least six (6) characters long. It is recommended that
                         you create a strong password using a combination of numbers, letters, and
                         special characters, and use both uppercase and lowercase letters.

Carpenter Config

Db Password              This is the password used by the LogRhythmNGLM SQL account. Services on the
                         Data Indexer use this account to connect to the EMDB and read/update tables.
                         It is highly recommended and LogRhythm best practice to change all MS SQL
                         account passwords when setting up a deployment. After you change the
                         LogRhythmNGLM password in Microsoft SQL Server Management Studio, you must
                         set Db Password to the same value. You should change the password in
                         Microsoft SQL Server Management Studio first, then change it on the Data
                         Indexer page.

Db Username              This should be left unchanged unless you have renamed the LogRhythmNGLM SQL
                         account in SQL Server Management Studio.
                         When in FIPS mode, Windows authentication is required (local or domain). When
                         using a domain account, Db Username must be in the domain\username format.

Emdb Host                This must be set to the external IP address of your Platform Manager
                         appliance, where the EMDB database is hosted.

Minutes to Rest          This can be left at the default value.

Sql Paging Size          This can be left at the default value.

Cluster Node Config

Node Info [n]

Hostname                 Cannot be changed.

Public IP                This must be set to the external IP address of your DPX appliance or server.

Elasticsearch Server Config

Elasticsearch Server Settings [n]

cluster.name   If you only have one DPX appliance, you can leave this value at the default
               (logrhythm). If you have more than one DPX appliance, change this value so that
               each cluster name is unique. For example, logrhythm01, logrhythm02, and
               logrhythm03.
               In an MSSP environment, DX Cluster names are visible to all Users of a Web
               Console, regardless of Entity segregation. For privacy reasons, you may want to
               avoid using cluster names that could be used to identify clients. Data and data
               privacy are still maintained; only the cluster name is visible.
               The cluster name for each DPX appliance must be different. When you have
               finished making changes on the Data Indexer Configuration page, ensure that you
               assign the correct cluster to each Data Processor. For multiple DPX appliances,
               ensure that the cluster is assigned to the Data Processor running on the same
               appliance. For example, if clusters are named as follows: DPX-A = dxa, DPX-B =
               dxb, and DPX-C = dxc, Data Processor A should point to cluster dxa, Data
               Processor B should point to cluster dxb, and Data Processor C should point to
               cluster dxc.

${DXDATAPATH} and ${DXPATH} are system variables that are created when the Data Indexer is installed. By
default, these variables are set to D:\LogRhythm\Data Indexer.

Elasticsearch Server Settings [n]

path.data      This is the directory where Elasticsearch data is stored.
               Default value: ${DXDATAPATH}\elasticsearch\data
               Default full path: D:\LogRhythm\Data Indexer\elasticsearch\data

You can use any directory you want for storing Elasticsearch data, but it should not be on the C:
drive. You should change the data path to something like the following:
D:\LRIndexer\elasticsearch\data
If you have more than one drive for data, you can specify multiple locations separated by a comma:
D:\LRIndexer\elasticsearch\data,E:\LRIndexer\elasticsearch\data.

Elasticsearch Server Settings [n]

path.logs      This is the directory location where Elasticsearch logs are stored.
               Default value: ${DXPATH}\elasticsearch\logs
               Default full path: C:\LogRhythm\Data Indexer\elasticsearch\logs

You can use any directory you want for storing Elasticsearch logs, but it should not be on the C:
drive. You should change the log path to something like the following:
D:\LRIndexer\elasticsearch\logs

FIPS Config

Enabled        Enables or disables FIPS on the Data Indexer cluster. Set to false to disable FIPS, or
               set to true to enable FIPS. The default value is false.

5. Click Submit.
Your changes are pushed to the appropriate appliances and database tables, and all the required Indexer
services start or restart.

Linux
Whether your Linux Data Indexer cluster is one node or 3 to 10 nodes, you only have to log in to the
configuration page on one of the nodes. Note the following requirements:
• On a Linux Data Indexer, you can only access the web page from an external computer that has access to the
Data Indexer network.
• You can only access the web page using Google Chrome, Mozilla Firefox (latest versions of each), or Internet
Explorer 11.


Do not attempt to modify any configuration files manually. If you have any issues, contact
LogRhythm Support.

To access AllConf and configure the Data Indexer:
1. Log in to a Windows server with network access to the Data Indexer nodes.
2. Start one of the supported browsers.
3. Type the IP address of one of the cluster nodes in the address bar, and then press Enter.
The Data Indexer Configuration sign in page appears.
4. Type admin in the Username box and the LogRhythm default password in the Password box, and then click Sign
In.

If you make any changes to the existing Indexer configuration, ensure that you click Submit
before signing out or leaving the page.

5. Modify or verify the following settings:


CloudAI Config

These configuration values apply only to users of the LogRhythm CloudAI solution.

Enable CloudAI           Enables (true) or disables (false) CloudAI in your LogRhythm deployment.

All Conf Config

Administrator Password   Best practice is to change the default password for the admin user. Click
                         Change Password, then use the Update Password dialog box to enter and
                         confirm a new password.
                         Passwords must be at least six (6) characters long. It is recommended that
                         you create a strong password using a combination of numbers, letters, and
                         special characters, and use both uppercase and lowercase letters.

Carpenter Config

Db Password              This is the password used by the LogRhythmNGLM SQL account. Services on the
                         Data Indexer use this account to connect to the EMDB and read/update tables.
                         It is highly recommended and LogRhythm best practice to change all MS SQL
                         account passwords when setting up a deployment. After you change the
                         LogRhythmNGLM password in Microsoft SQL Server Management Studio, you must
                         set Db Password to the same value. You should change the password in
                         Microsoft SQL Server Management Studio first, then change it on the Data
                         Indexer page.

Db Username              This should be left unchanged unless you have renamed the LogRhythmNGLM SQL
                         account in SQL Server Management Studio.
                         When in FIPS mode, Windows authentication is required (local or domain). When
                         using a domain account, Db Username must be in the domain\username format.

Emdb Host                This must be set to the external IP address of your Platform Manager
                         appliance, where the EMDB database is hosted.

Minutes to Rest          This can be left at the default value.

Sql Paging Size          This can be left at the default value.

Cluster Node Config

Node Info [n]

Hostname                 Cannot be changed.

Public IP                For each node, this must be set to the external IP address of your Data
                         Indexer appliance or server.

Elasticsearch Server Config

Elasticsearch Server Settings [n]

Name     cluster.name
Value    If you only have one cluster, you can leave this value at the default: logrhythm
         If you have more than one cluster, change this value so that each cluster name is
         unique. For example, logrhythm01, logrhythm02, and logrhythm03.
         In an MSSP environment, DX Cluster names are visible to all Users of a Web Console,
         regardless of Entity segregation. For privacy reasons, you may want to avoid using
         cluster names that could be used to identify clients. Data and data privacy are still
         maintained; only the cluster name is visible.

Elasticsearch Server Settings [n]

Name     path.data
Value    This is the directory where Elasticsearch data is stored. You can change this location
         if you like, but it is OK to leave the default location.
         If you have more than one path for data, you can specify multiple locations separated
         by a comma: /usr/local/logrhythm/db/data, /usr/local/logrhythm/db/data1/

Elasticsearch Server Settings [n]

Name     path.logs
Value    This is the directory where Elasticsearch logs are stored. You can change this
         location if you like, but it is OK to leave the default location.

FIPS Config

Enabled  Enables or disables FIPS on the Data Indexer cluster. Set to false to disable FIPS, or
         set to true to enable FIPS. The default value is false.

6. Click Submit.
Your changes are pushed to the appropriate appliances and database tables, and all the required Indexer
services start or restart.

Information About Automatic Maintenance


Automatic maintenance is governed by several settings in Go Maintain Config:

Disk Utilization Limit


• Disk Util Limit. Indicates the percentage of disk utilization that triggers maintenance. The default is 80, which
means that maintenance starts when the Elasticsearch data disk is 80% full.

The value for Disk Util Limit should not be set higher than 80. This can have an impact on the
ability of Elasticsearch to store replica shards for the purpose of failover.

• Index Configs[0]. Min indicates the absolute minimum number of indices that are required for the active
repository. The default is 2.
Maintenance is applied to the active repository, as well as archive repositories created by Second Look.
When the Disk Usage Limit is reached, active logs are trimmed when “max indices” is reached. At this point,
Go Maintain deletes completed restored repositories starting with the oldest date.
The default settings prioritize restored repositories above the active log repository. Restored archived logs
are maintained at the sacrifice of active logs. If you want to keep your active logs and delete archives for
space, set your min indices equal to your max indices. This forces the maintenance process to delete
restored repositories first.

Force Merge Config

Do not modify any of the configuration options under Force Merge Config without the assistance of
LogRhythm Support or Professional Services.

The force merge configuration combines index segments to improve search performance. In larger
deployments, search performance could degrade over time due to a large number of segments. Force merge
can alleviate this issue by optimizing older indices and reducing heap usage.

The following settings are available; the default value of each is given in parentheses.

• Hour Of Day For Periodic Merge (default: 1). The hour of the day, in UTC, when the merge operation should
begin. If Only Merge Periodically is set to false, Go Maintain merges segments continuously, and this setting
is not used.
• Merging Enabled (default: false). If set to true, merging is enabled. If set to false, merging is disabled.
• Only Merge Periodically (default: false). If set to true, Go Maintain only merges segments once per day, at
the hour specified by Hour Of Day For Periodic Merge. If set to false, Go Maintain merges segments on a
continuous basis.

Logging of configuration and results for force merge can be found in
C:\Program Files\LogRhythm\DataIndexer\logs\GoMaintain.log.


Index Configs
The DX monitors Elasticsearch memory and DX storage capacity. GoMaintain tracks heap pressure on the
nodes. If the pressure constantly crosses the threshold, GoMaintain decreases the number of days of indices
by closing the index. Closing the index removes the resource needs of managing that data and relieves the
heap pressure on Elasticsearch. GoMaintain continues to close days until the memory is under the warning
threshold and continues to delete days based on the disk utilization setting of 80% by default.
The default limit is 180. The 180 days of indices will be kept if the system has enough resources to support it.
You can also configure a lower TTL by changing this number. If this number is no longer achievable, the DX
sends a diagnostic warning and starts closing the indices.
Indices that have been closed by GoMaintain are not actively searchable in 7.4.0 but are maintained for
reference purposes. To see which indices are closed, you can run a curl command such as the following:
curl -s -XGET 'http://localhost:9200/_cat/indices?h=status,index' | awk '$1 == "close" {print $2}'
You can also open a browser to http://localhost:9200/_cat/indices?v to show both open and closed indices.
Indices can be reopened with the following query as long as you have enough heap memory and disk space
to support this index. If you do not, it immediately closes again.
curl -XPOST 'localhost:9200/<index>/_open?pretty'
After you open the index in this way, you can investigate the data in either the Web Console or Client
Console.
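The closed-index check described above, as an added shell example that is not part of this guide: it filters the status/index rows that the _cat/indices call returns, reports the closed indices oldest first, and builds (without running) the reopen command for one of them so the operator can confirm heap and disk headroom before issuing it. The listing below is constructed sample output and the index names are hypothetical; on a live node, pipe the output of the curl command above into the functions instead.

```shell
#!/bin/sh
# Added example, not code from the LogRhythm guide.
# Constructed sample output, shaped like the result of:
#   curl -s -XGET 'http://localhost:9200/_cat/indices?h=status,index'
# The index names are hypothetical.
SAMPLE_CAT_OUTPUT='open  logs-2019-01-21
close logs-2018-07-15
open  logs-2019-01-22
close logs-2018-07-14'

# closed_indices: read "status index" rows on stdin and print the names of
# indices whose status is "close", one per line, oldest (lowest name) first.
closed_indices() {
    awk '$1 == "close" {print $2}' | sort
}

# count_closed: number of closed indices in the listing on stdin.
count_closed() {
    closed_indices | wc -l | tr -d ' '
}

# reopen_command: print, but do not run, the POST that reopens one index.
# The name becomes part of the URL, so reject empty names and names that
# contain a slash or whitespace rather than building a malformed request.
reopen_command() {
    case "$1" in
        ''|*/*|*' '*|*'	'*) echo "invalid index name: $1" >&2; return 1 ;;
    esac
    printf "curl -XPOST 'localhost:9200/%s/_open?pretty'\n" "$1"
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_CAT_OUTPUT" | closed_indices
printf 'closed: %s\n' "$(printf '%s\n' "$SAMPLE_CAT_OUTPUT" | count_closed)"
reopen_command logs-2018-07-14
```

Reopening an index that GoMaintain closed for lack of heap only causes it to be closed again, so the script deliberately prints the reopen command instead of executing it; issue it only after confirming the node has the headroom the text describes.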

Import the License File


This section describes how to import a license file and run the licensing wizard for each Data Processor in
your deployment to ensure that the correct license has been assigned.

You must import a new license file and perform steps 5-7 on each Data Processor in your
deployment.
For more information about licensing or the licensing wizard, see Assign LogRhythm Licenses.

1. Copy your 7.4 license file to the Platform Manager or to a network location that is accessible from the Platform
Manager.
2. Log in to a system where the 7.4.4 LogRhythm Client Console is installed.
3. Import the 7.4 license file:
a. Start the LogRhythm 7.4 Client Console and click Deployment Manager.
b. On the File menu, click Import License File.
c. Browse to and select your 7.4 license file, and then click Open.
d. The License Import Warning is displayed: Importing a license synchronizes your licenses with the licenses
in the file. It is important that you only import the latest license file issued you by LogRhythm. Importing
an older license or one with a different master license ID may cause undesired results such as existing
licensed components becoming unlicensed. Are you sure the selected file is your latest? Click Yes to
continue importing the file.


e. Click Yes.
f. When the import is complete, click OK to close the Import Successful dialog box.
4. Click the Data Processors tab.
5. Double-click one of the Data Processors in the list.
The Data Processor Properties dialog box appears.
6. Select a cluster from the Cluster Name list, and then click OK.

Cluster information is sent out when applying configuration changes on the Data Indexer. For
more information, see Configure the Data Indexer above.

7. Review the current License Status and run the licensing wizard if necessary, and then click OK.
8. Repeat steps 5-7 on each Data Processor in your deployment.

Start the LogRhythm Solution


You need to do the following on each of the appliances in your deployment.
1. Log in to the appliance as an administrator.
2. On the Windows Data Indexer, run C:\Program Files\LogRhythm\Data Indexer\tools\start-allservices.bat as
an administrator.
3. Open the Services Control Panel/App.
4. For any LogRhythm services that are not running, right-click the service name, and then click Start. These
services include:
• LogRhythm core services (AI Engine services, Alarming and Response Manager, Job Manager, Mediator
Server Service, System Monitor)
• All LogRhythm Web Console services
• Any other “LogRhythm” services
5. Press F5 to refresh the list and verify that the services are started.
6. On Linux Data Indexers, run /usr/local/logrhythm/tools/start-all-services-linux.sh using sudo.

Upgrade and Start Other Agents


Agents on other collectors and aggregators can be upgraded at any time, although we recommend
upgrading them now.

Windows and Linux System Monitors can be upgraded in bulk using the System Monitor Package
Manager in the Client Console. For additional information about this and about general System
Monitor installation and upgrades, see System Monitor.


Windows hosts running System Monitors prior to version 7.2.x may still have .NET 4.0 installed.
During the upgrade, via the System Monitor Package Manager or manual upgrade, .NET 4.5.2 will be
installed. The installation of .NET 4.5.2 requires a system reboot. If you see any System Monitors in
your deployment that stop sending heartbeats after the upgrade, you may need to manually reboot
the System Monitor host to complete the .NET installation.

If you have any 6.3.x Agents performing UDLA collection in your deployment, you must upgrade
these Agents to version 7.4.4. If you do not upgrade these Agents, UDLA collection will not work
after upgrading your deployment to 7.4.4.

For additional information on System Monitor Agent installation, see Set Up an Initial System
Monitor Agent.

Windows
Users who attempt to upgrade the 32-bit System Monitor on a system having MS KB2918614 applied may
encounter a software restriction policy error. In this case, the existing System Monitor should be uninstalled
before attempting to install v7.4.4.
To upgrade System Monitor Agents to 7.4.4, do the following:
1. Log in with the Administrator account or an account having administrative privileges to the system where the
System Monitor Agent is installed.
2. Before removing System Monitor, verify the account used for the System Monitor Service. In the Windows
Services console, right-click the service, click Properties, and then click the Log On tab. If the service does not
use the Local System account, you will need the password of that account when installing the Agent, or you
need a new account and password.
3. To open Windows Services, click Start, Administrative Tools, and Services.
4. Stop the service called LogRhythm System Monitor service.
5. Run the installer for the 7.4.3 32-bit or 64-bit System Monitor Agent, LRSystemMonitor_#.#.#.#.exe.

If running Windows 2008, Vista, or Windows 7, you must run the installer as administrator.

6. If the system does not have the Microsoft Visual C++ 2010 Redistributable Package installed, click Install.
7. Follow the instructions in the Install Wizard.
8. If prompted, accept the license agreement.
9. Choose the default installation path, and then click Next.
10. To determine if you have sufficient space for installation, click Space and then click OK.
11. (Optional) Install the Realtime FIM driver.


Realtime FIM is included with the System Monitor Lite license for desktop operating systems
only. A System Monitor Pro license is required for servers. For more information, see
LogRhythm Compatibility and System Monitor Functionality.

12. On the Install Wizard Completed screen, clear the Launch System Monitor Configuration Manager check box.
13. If your LogRhythm Windows System Monitor Agent service uses Windows accounts, open Windows Services
Control Panel.
14. Click the Log On tab and add the service account and password in the service properties.
15. To start the Agent, click Start, Administrative Tools, and Services. Right-click the agent and select Start.
16. Repeat these steps for other Windows System Monitor Agents in your deployment.

(Optional) *NIX
Only Linux 2.4 & 2.6 can be upgraded directly. Other *NIX agents must be uninstalled and reinstalled.

Read the instructions included with the installer package for your particular operating system.

1. Copy the files from the installer package to the *NIX system.
2. Follow the instructions in the scsm_<operating_system>.txt file to uninstall the old version.
3. Decompress the file with the .tar extension, using tar xf scsm_<operating_system>.tar.
4. Follow the instructions in the scsm_<operating_system>.txt file to install the new *NIX System Monitor Agent.
5. Start the *NIX System Monitor Agent according to the instructions in the scsm_<operating_system>.txt file.
6. Repeat for all *NIX Agents in your deployment.

Import the Latest Knowledge Base


This task must be completed during upgrades from 6.3.9 only.
Starting with LogRhythm version 7.1.6, two versions of the LogRhythm Knowledge Base (KB) are available —
6.x and 7.x. The version 6.x KB can be used with LogRhythm 7.4.4, but only when downloaded manually. If
you use the automatic download option, LogRhythm 7.1.5 and earlier will download the version 6.x KB, and
LogRhythm 7.1.6 and higher will download the version 7.x KB.

If you install the version 7.x KB, you cannot go back to the version 6.x KB.

For more information about the KB update and the Common Event Change Manager, see Knowledge Base.

Automatic Download
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.

Inbound firewall rules must be set to accept traffic on Port 80 and 443.


1. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.
The Knowledge Base Manager appears.
2. Click Synchronization Settings.
3. Select the following check boxes:
• Enable Automatic Knowledge Base Download.
• Enable Automatic Knowledge Base Core Synchronization.
• Enable Automatic Knowledge Base Module Synchronization.
4. If a proxy is required, click the Proxy Settings tab.
5. Enter the Proxy Server Address and Proxy Server Port.
6. If the proxy server requires authentication, select that check box and provide a valid User Name, Password, and
Domain.
7. Click OK.
The Knowledge Base manager checks for updates, downloads the Knowledge Base, and synchronizes as
scheduled.
8. To force an immediate download, click Check for Knowledge Base Updates.

Manual Download
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
If you do not have access to the Internet or do not want to download the KB automatically, perform the
following steps:
1. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.
The Knowledge Base Manager appears.
2. On the File menu, click Export Knowledge Base Request File.
3. Browse to the location where you want to save the file, then click OK.
After the request file is saved, the Export Successful dialog box appears.
4. Click OK, and then close the Client Console.
5. From a computer with Internet access, log in to the Community.
6. Click Latest Version Information, and then click Download your Knowledge Base at the bottom of the page.
7. Click Choose File to browse to and upload the KB request file, then click Get Knowledge Base — if your current
KB is not the latest, you will be prompted to save the latest KB file.
8. Enter your deployment’s License ID, Deployment ID, and Product Version in the available fields (available by
clicking About LogRhythm on the Client Console Help menu), and then click Get Knowledge Base.
9. Save the KB file and then transfer it to the computer where the KB is being updated.

Complete Knowledge Base Import Wizard


1. Start the LogRhythm Client Console and log in as a user with Global Admin privileges.
2. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.
The Knowledge Base Manager appears.
3. If you want to automatically download the Knowledge Base, click Check for Knowledge Base Updates and
then Synchronize Stored Knowledge Base, if necessary.
4. Click Next.
5. If you manually downloaded the Knowledge Base file:
a. From the Knowledge Base Manager, click File and then click Import Knowledge Base File.
b. Select the downloaded KB file, and then click OK.


The Knowledge Base Import Wizard appears and starts unpacking and validating the Knowledge Base file. The
file is checked for compatibility with your current deployment and prepared for import. This may take several
minutes.
Upon completion, the Unpack Progress: Knowledge Base unpacked message appears.
6. To Import Knowledge Base, click Next.
Upon completion, the Import Progress Import Completed message appears.
7. To close the message, click OK.
8. On the Knowledge Base Import Wizard, click Close.
9. To enable the Knowledge Base Modules and synchronize it, perform the following steps:
a. Select the Action check boxes next to the modules you want.
b. Right-click the module, click Actions, and then click Enable Module.
The Enable Selected Modules box displays a confirmation message with options.
c. Select the options you want, and then click OK.
The Enable Modules box message appears.
d. To start the synchronization, click Yes.
e. When complete, click Close to close the Import Wizard.
10. To Migrate Common Event Changes, perform the following steps:

If you are not familiar with the customizations which have been made to your deployment, you should
not proceed with the import until such knowledge is acquired or contact LogRhythm Support for
assistance.

a. If Action Required is displayed, some items need to be updated due to Common Event migration
changes. Click Common Event Change Manager.
• To migrate a Common Event with a preview, select the Action check box for the item, from the
context menu, click Migrate with Preview, and then click either Migrate Common Event to
Common Event or Common Event to MPE Rule.
• To migrate a Common Event without a preview, select the Action check box for the item. From the
context menu, click Action, and then click Migrate Common Event to Common Event or Migrate
Common Event to MPE Rule.
• To ignore the Common Events, select the Action check box for the item. From the context menu,
click Action and then click Ignore. When this option is selected, items checked in the grid are
ignored during future Common Event Migration checks. The items are no longer displayed in the
Common Event Change Manager.
b. To close the Common Event Change Manager, click Close.
c. To view the Synchronization History, click View Synchronization History.
11. Click Close.
12. To close the Knowledge Base Manager, click OK.

Verify Communication with AI Engine


This task must be completed during upgrades from 6.3.9 only.
If your deployment includes AI Engine, following the upgrade you should ensure that Data Processor to AI
Engine communication is configured properly.
1. Start the LogRhythm Client Console and click Deployment Manager.
2. Click the Data Processors tab.


3. Double-click one of the Data Processors listed in the grid.


The Data Processor Properties dialog box appears.
4. Click the AI Engine tab and select the Enabled check box for the AI Engine where the Data Processor should be
sending logs.
5. If you need to enable or disable communication with an AI Engine, click the AI Engine server, and then click
Properties.
The Data Processor to AI Engine Server Advanced Properties dialog box appears.
6. Select or clear the communications checkbox to enable or disable communication with the selected AI Engine
server.

Configure or Verify Communication Ports


LogRhythm installers should open the TCP ports required for component communications. Additional
configuration may be required, as described in this section. For more information on ports, see Networking
and Communication.

If you need assistance with any of the procedures listed below, contact your system or network
administrator.

Configure Access for Remote Consoles


Users should access their LogRhythm deployment using a Client Console that is installed on their local
workstation or through Citrix/Terminal Services (that is, not via the Client Console that is installed on the XM
or Event Manager/Platform Manager). For this reason, some configuration to allow remote access may be
required after upgrading to 7.4.4.
If any intermediary firewalls are enabled between any LogRhythm Client Consoles, including the Windows
Firewall on any LogRhythm appliance, you must add the following rule to each firewall if access to the Data
Indexer IP address is not already allowed by applied policies:
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13130
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13132

Verify Ports on the Linux Data Indexer


To verify which ports are listening for incoming traffic on a Linux Indexer node:
1. Log in to the Indexer node as logrhythm and run the following command:
sudo iptables -L
2. In the output, review the ports listed under IN_public_allow.
If you need to open any incoming ports on the Linux Indexer, do the following:
1. Log in to the Indexer node as logrhythm and run the following commands.
sudo firewall-cmd --zone=public --add-port=port/tcp --permanent
sudo firewall-cmd --reload
2. Repeat the steps above on each Linux Data Indexer.
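The port verification described above, as an added shell example that is not part of this guide: it parses an excerpt of `sudo iptables -L` output, collects the destination ports accepted in the IN_public_allow chain only, reports which of the Client Console ports from the firewall rule above (13130 and 13132) are missing, and prints the firewall-cmd lines that would open them. The chain listing below is constructed sample output; on an Indexer node, pipe the real `sudo iptables -L` output into the functions instead.

```shell
#!/bin/sh
# Added example, not code from the LogRhythm guide.
# Constructed excerpt shaped like the output of "sudo iptables -L" on a
# firewalld host. Only IN_public_allow matters here; the trailing chain is
# present to show that rules outside that chain are ignored.
SAMPLE_IPTABLES='Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:13130 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9200 ctstate NEW

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:9999 ctstate NEW'

# allowed_ports: read iptables -L output on stdin and print the destination
# port of every ACCEPT rule inside the IN_public_allow chain, one per line.
# Ports may appear by name (dpt:ssh) when /etc/services knows them.
allowed_ports() {
    awk '/^Chain IN_public_allow/ { in_chain = 1; next }
         /^Chain /                 { in_chain = 0 }
         in_chain && $1 == "ACCEPT" {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
         }'
}

# missing_ports: given required port numbers as arguments and iptables -L
# output on stdin, print each required port that IN_public_allow does not
# accept. Prints nothing when every port is already allowed.
missing_ports() {
    allowed=$(allowed_ports)
    for p in "$@"; do
        printf '%s\n' "$allowed" | grep -qx "$p" || echo "$p"
    done
}

# open_port_commands: print, but do not run, the firewall-cmd lines from
# the procedure above for each port given. Rejects anything that is not a
# plain port number so that nothing unexpected reaches the command line.
open_port_commands() {
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        printf 'sudo firewall-cmd --zone=public --add-port=%s/tcp --permanent\n' "$p"
    done
    echo 'sudo firewall-cmd --reload'
}

# Stand-alone run against the constructed sample: 13130 is present, 13132
# is not, so only the command for 13132 is printed.
missing=$(printf '%s\n' "$SAMPLE_IPTABLES" | missing_ports 13130 13132)
if [ -n "$missing" ]; then
    # shellcheck disable=SC2086
    open_port_commands $missing
fi
```

The functions read the chain listing from stdin, so the same check works unchanged on a live node with `sudo iptables -L | missing_ports 13130 13132`; review the printed firewall-cmd lines before running them, as the original procedure expects.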


Verify Ports on the Windows Data Indexer or the Data Processor


To verify allowed ports on a Windows server host:
1. Log in to the Windows server as an administrator.
2. Open a command prompt and run the following command:
netsh firewall show state
Ports that are currently open on all interfaces are displayed below the firewall status.

The netsh command has been deprecated but should still work on Windows Server 2008 R2, 2012 R2,
and 2016. If necessary, you can start Windows Firewall and search for the ports that are allowed on the
current server.

If you need to allow any ports on a Windows server host:


1. Log in to the Windows server as an administrator.
2. Open a command prompt and run the following command:
netsh advfirewall firewall add rule name="rule name" dir=in action=allow protocol=TCP localport=port

Add Realtime Antivirus Exclusions for LogRhythm


If you removed third party antivirus or endpoint protection software to conduct an upgrade or installation,
reinstall it. When running antivirus scanning software on a LogRhythm platform and/or on System Monitor
Agent systems, be sure to exclude the following directories from realtime antivirus scans. Scanning these
directories has a major impact on the performance of the LogRhythm platform. However, these locations
should be scanned on a regularly scheduled basis.

The following lists include the default directories, however, the location of any State folder
(including AI Engine, Job Manager, and SCARM) and archive data is customizable to use any
location (for example, D:\). The locations of these folders need to be excluded.

XM Appliance
If you have an XM appliance, apply the exclusions specified for the PM, DPX, and AIE (if installed). 

PM Appliance
• D:\*.mdf
• L:\*.ldf
• T:\*.mdf
• T:\*.ldf
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• C:\tmp\indices\ (if Web Console is installed on the PM)
• If the Threat Intelligence Service (TIS) is installed:
• C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\*.*
• C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\staging\HailATaxii\*.*


DP or DPX Appliance (Windows)


• All files in the directories and sub-directories of the paths stored in the environment variables %DXPATH%,
%DXCONFIGPATH%, and %DXDATAPATH%. By default, this is D:\Program Files\LogRhythm\Data Indexer\. To
view the environment variables, go to the Advanced System Settings, and click Environment Variables.
• D:\LogRhythmArchives\Active\*.lua
• X:\LogRhythmArchives\Inactive\*.lca (where X: is the location of the inactive archives, D: by default)
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.bin (where X: is the location of the state
folder)
• C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\data
• C:\Windows\Temp\jtds7640797728598499486.tmp

DX Appliance (Linux)
• /var/log/elasticsearch
• /usr/local/logrhythm/db/elasticsearch/data

AIE Appliance
• C:\Program Files\LogRhythm\LogRhythm AI Engine\data\*.*
• C:\Program Files\LogRhythm\LogRhythm AI Engine\state\*.*
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos

If the AIE service is running on the PM appliance, exclude these directories on the PM.

Collector Appliance or Agents Deployed on Servers


• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.bin
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.suspense

The above paths are the default installation location for the System Monitor Agent. If you install the
Agent in a different location (for example, D:\), update the exclusions as required.

Agents Deployed on Linux Servers


• /opt/logrhythm/scsm/state/*.pos
• /opt/logrhythm/scsm/state/*.suspense

High Availability Deployments


• C:\lk\* directory (or whichever folder LifeKeeper is installed in)
• C:\Program Files (x86)\SIOS\DataKeeper directory (or whichever folder DataKeeper is installed in)
• C:\Program Files (x86)\SIOS\DataKeeper\Bitmaps (or whichever folder the bitmap file is stored in)


• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
• Registry keys used by SIOS, available at the following link:
http://docs.us.sios.com/WindowsSPS/8.6/SPS4W/TechDoc/index.htm#DataKeeper/Administration/Registry_Entries.htm%3FTocPath%3DDataKeeper%7CAdministration%7C_____10

Post-Upgrade Comparison and Validation


This task must be completed during upgrades from 6.3.9 only.
If you noted your volume of Logs, Events, and Alarms before starting the upgrade, you can now compare
those values to those in your post-upgrade deployment. You can also perform a few other tasks to ensure
that your upgrade was successful.
• Check Log volume with values prior to upgrade. They should be the same.
• Check Event volume with values prior to upgrade. They will probably be slightly lower.
• Check Alarm volume with values prior to upgrade. They could be slightly lower.
• If pre-upgrade and post-upgrade Alarm volumes differ quite a bit, check the following:
• The value for Minimum RBP of Events to Monitor could have been reset.
• Global Log Processing Rules (GLPRs) may be filtering out based on RBP.

Verify Web Console Processes


This task must be completed during upgrades from 6.3.x and 7.1.x only.
Enter your EMDB address in the Web Services Configuration Manager before performing the steps below. If
you installed Web Services to the default location, the Web Services Configuration Manager can be found
here: C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Services Configuration
Manager.
The installer automatically starts the services and processes needed to run the Web Console. However, you
should ensure that these processes are running by doing the following:
1. Go to Services on your machines.
2. Verify that the following services have started:
• LogRhythm API Gateway
• LogRhythm Authentication API
• LogRhythm Case API
• LogRhythm Service Registry
• LogRhythm Threat Intelligence API
• LogRhythm Web Console API
• LogRhythm Web Console UI
• LogRhythm Web Indexer
• LogRhythm Web Services Host API
3. Go to Task Manager on your machine.
4. Verify that the following services have started:
• java.exe (one instance)
• LogRhythm.Web.Services.ServicesHost.exe
• LogRhythmAPIGateway.exe
• LogRhythmAuthenticationAPI.exe


• LogRhythmCaseAPI.exe
• LogRhythmServiceRegistry.exe
• LogRhythmThreatIntelligence.exe
• lr-threat-intelligence-api.exe (32 bit)
• LogRhythmWebConsoleAPI.exe
• LogRhythmWebConsoleUI.exe
• LogRhythmWebIndexer.exe
• LogRhythmWebServicesHostAPI.exe
• nginx.exe *32 (a minimum of two instances)
• node.exe (four instances)
• procman.exe (eight instances)
• NSSM Service Manager

NSSM is not a LogRhythm application, but a third-party service manager that provides a
wrapper around Java, Go, and other services to ensure that they run properly on Windows
and that they are restarted when they stop.

Remove Generic Web Console UI Entry from the Configuration Manager


Not applicable to every deployment.

Web Console users who upgraded from LogRhythm 7.2 or 7.3 will have a section in the LogRhythm
Configuration Manager for Web Console UI, without a hostname designation to identify the Web Console
server. This section should be removed from the Configuration Manager.
1. Log in to any server where the Web Console is installed as a user with administrative privileges.
2. Open a PowerShell window and run the following command:
Invoke-RestMethod -Method Delete http://localhost:8500/v1/kv/services/lr-web-console-ui/CONFIG_OPTIONS
3. Restart the LogRhythm Web Console UI service on all Web Console servers.

Recreate Task to Delete Older SQL Server Backup Files


This task must be completed during upgrades from 7.2.x, 7.1.x, and 6.3.9 only.
When SQL Server 2008 R2 is removed during the upgrade to SQL Server 2016 Standard, a recommended SQL
Server cleanup task is deleted. Follow the steps below to recreate this task.

If this task is not created, the disk used to store LogRhythm database backups will eventually fill up.

1. Log in to SQL Server 2016 Management Studio as the SQL sa user.


2. In the Object Explorer, expand the Management folder.
3. Right-click the Maintenance Plans folder, and then click New Maintenance Plan.
4. Type a name for the new plan (for example, LR Backup Cleanup), and then click OK.


5. If it is not currently displayed, open the Toolbox — on the View menu, click Toolbox.
6. In the Toolbox, double-click Maintenance Cleanup Task.
A new task is added to the maintenance plan.
7. Double-click the new task to display its properties.
8. In the Folder box, type the file path where the backups are located.
9. In the File extension box, type bak.

Do not add a period before the extension. Doing so causes the cleanup job to fail.

10. Under File age, select the Delete files based on the age of the file at task run time check box and adjust the
amount of time that you want to keep backup files.
11. On the maintenance plan toolbar, click the calendar icon to schedule the maintenance job.
12. Under Frequency, set Occurs to Daily and Recurs every to 1 (day).
13. Under Daily frequency, select Occurs once at and set the time to 12:00 PM.
14. Click OK.
15. On the main toolbar, click OK.

Set KB Downloads to Automatic


Not applicable to every deployment.

LogRhythm recommends that you configure automatic download and synchronization of your KB. If you did
not already set this option when synchronizing the latest KB, do the following:
1. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.
The Knowledge Base Manager appears.
2. Click Synchronization Settings.
3. Select the following check boxes:
a. Enable Automatic Knowledge Base Download.
b. Enable Automatic Knowledge Base Core Synchronization.
c. Enable Automatic Knowledge Base Module Synchronization.
4. If a proxy is required, click the Proxy Settings tab.
a. Enter the Proxy Server Address and Proxy Server Port.
b. If the proxy server requires authentication, select that check box and provide a valid User Name,
Password, and Domain.
5. Click OK.
6. To force an immediate download, click Check for Knowledge Base Updates.

Remove Optional Parameters from Mediator INI File


This task must be completed during upgrades from 7.3.x, 7.2.x, and 7.1.x only.

Not applicable to every deployment.


In previous releases, some Mediator configuration options could only be set by adding optional entries to
scmedsvr.ini. Some of these values have been enabled by default or moved to the UI. If you have added any
of the following optional parameters to C:\Program Files\LogRhythm\LogRhythm Mediator
Server\config\scmedsvr.ini, you should edit the file to remove them following the upgrade:
• DxNodeHost=<DX_hostname_IP>
• ShouldCompressRMPersist=true
• MPERuleTimeoutEnabled=true

Remove FIM State File


Not applicable to every deployment.

In a previous release, if the name of any FIM policies contained one or more colon ":" characters, *NIX Agents
were unable to load state files. This issue has been fixed. To eliminate any further error messages following
the upgrade, delete the existing Agent state file (../state/.filemon.log).

Reconfigure Force Merge


Not applicable to every deployment.

Force Merge settings are not preserved during an upgrade. They must be re-enabled in AllConf after
performing an upgrade.

Remove Mediator LMDB DAT Files


This task must be completed during upgrades from 6.3.9 only.
Summary. In some deployments where syslog data is collected, LMDB DAT files may be left in the Mediator’s
state directory after the upgrade. In version 7.x, these files are no longer needed.
Verification. On the Data Processor, DPX, or XM appliance, look for files named LogrhythmLMDB_*.dat in the
C:\Program Files\LogRhythm\LogRhythm Mediator Server\state directory.
Procedure. Manually delete any LogrhythmLMDB_*.dat files found in the
C:\Program Files\LogRhythm\LogRhythm Mediator Server\state directory.

Be careful to not delete any Logrhythm_Events_*.dat files as it could have a negative impact on
performance. Performance would only be affected briefly while the files are recreated.

Manually Delete Linux Data Indexer Configuration Files


This task must be completed during upgrades from 7.x.x only.


Summary: If you uninstall the 7.1.3 or earlier Linux Data Indexer and then install the current version, the Data
Indexer configuration page (AllConf) may fail to load.

Unless you are upgrading from version 7.1.1, it is not recommended that you uninstall your existing
Data Indexer before performing an upgrade.

Verification: The Data Indexer AllConf page will not load after the upgrade.
Procedure:
1. Uninstall the current version Data Indexer from all nodes in your cluster.
2. Log in to each Indexer node in your cluster and delete the server configuration files by running the following
command:
sudo rm /usr/local/logrhythm/configserver/conf/ConfigServerConfig.*
3. Install the current version of the Data Indexer software. For additional information, see Install a New LogRhythm
7.4.4 Deployment.


Supplemental Information for Upgrades


Use the LogRhythm Deployment Tool
The LogRhythm Deployment Tool assists in the installation of Common Components across all LogRhythm
appliances and runs as the LogRhythm Infrastructure Installer (LRII) in the Install Wizard. The Common
Components are required on each appliance (Platform Manager, Data Processor, Data Indexer, Web Console,
and AI Engine) to enable communication between components.
The LogRhythm Deployment Tool builds a Deployment Package that you can use to manually deploy the
Common Components on each appliance in a distributed configuration. Using this method, there is no need
to relax security posture of your deployment to install Common Components.

The Deployment Tool improves the method for installing or upgrading a distributed deployment.
The tool is required every time you install or upgrade a LogRhythm component to ensure that all
components are communicating properly. If the tool is not utilized during an installation or
upgrade, the deployment will not be functional and you will not be able to index or retrieve data.

Installation Considerations
Running the Deployment Tool is required for all installations and upgrades. After installing or upgrading the
LogRhythm SQL databases on the PM or XM, run the Install Wizard on the PM or XM, and the Deployment
Tool will walk you through the process of preparing all of the other servers in your deployment.

You must have the IP address of each LogRhythm server in your deployment, with the exception of
those running the Client Console or standalone System Monitors. You will also need SQL database
credentials (sa or equivalent user) for the EMDB and the ability to log in to each of the LogRhythm
servers to run the deployment package that the Deployment Tool generates.

Use the Deployment Tool


After successfully running the Database Upgrade Tool, run the Install Wizard on your PM or XM. When you
select one of the available appliance configurations and proceed with the installation, the Deployment Tool
launches first.
The options available on the main page of the Deployment Tool depend on whether you are upgrading an
existing deployment or installing a new one. Select either Configure New Deployment or Upgrade
Deployment, depending on your situation. Then follow the on-screen instructions to create a
Deployment Package. Additional help is available by clicking the question mark icon in the upper-right of the
tool.

Supplemental Information for Upgrades 80



When you are upgrading a deployment, the Deployment Tool prompts you to indicate if you have a
High Availability or Disaster Recovery deployment. If you have either deployment type, you should
use the appropriate upgrade guide for those deployments and your version. These guides are
available on the Install or Upgrade a Deployment or an Appliance page.

When you are sure that all hosts have been added, click Create Deployment Package. When prompted, select
the location where you want to save the Deployment Package. You should save the Deployment Package on
a file share or some place you will be able to access it from all hosts. Make a note of the Deployment Package
location.
Click Next Step, and then follow the on-screen instructions and additional help to install the Deployment
Package on all hosts.

After you begin installing the Deployment Package on your hosts, your LogRhythm Deployment will
be down until you successfully complete the rest of the LogRhythm Deployment installation
process. Be sure you have allotted enough time and informed all affected parties.

After you have completed the final Verify Deployment Status step, click Exit to Install Wizard.

You still need to run the Install Wizard on all other components, and if you have a Linux DX, you will
also need to run that installer to complete your LogRhythm upgrade. These items can be started
after the Deployment Tool installation has completed.

Logs
Installer logs are located in C:\LogRhythm\InstallerLogs, in a folder with the date you completed the
installation. The _LIW will show basic information about the Install Wizard, and the LogRhythm_
Infrastructure_Installer_Silent will show more information about the Deployment Tool.
In addition, you can find more information about the Deployment Tool install at C:\Program
Files\LogRhythm\LogRhythm Infrastructure Installer\logs or in the MSI log on the server, located at
%Temp%.
The Linux DX installer logs are located at /var/log/persistent. You can run cat logrhythmclusterinstall.sh.log
or lorhythm-node-install.sh.log to view the contents of these logs.

Troubleshooting
Below are some potential issues that may arise when running the Deployment Tool.

Not all servers are shown in the EMDB results


The search does not find standalone Web Consoles or System Monitors. You must manually add your
standalone Web Consoles. There is no need to add the standalone System Monitors.


Linux deployment package will not run


You may have to switch to the directory where the package is located and run the following command prior
to running the Linux installer:
sudo chmod +x LRII_linux
After this has been completed, you can run the Linux package with the following command:
sudo ./LRII_linux

The Deployment Tool was successful, but cannot index or process


Ensure that you also run the Install Wizard on all of your nodes and/or the Linux DX upgrade package. These
are still required to be run on your nodes in addition to the Deployment Package.

My Deployment Status Verification says that not everything is active


Check your list of hosts in the Deployment Tool for accuracy. You may need to run the Deployment Package
on the inactive servers again. Follow the instructions above to run the packages.

My upgrade won't start because Elasticsearch is not running


You may see a message stating: You cannot upgrade: Please run 'sudo systemctl start elasticsearch'.
Elasticsearch needs to be running to check your indices for incompatible versions. Start the service as
indicated, run the curl command mentioned in the error until the cluster health is green, and then try the
install again.

When upgrading my Linux DX, I received an error that states the LRII Plan file is invalid
You may not have added the plan file location to the executable path. Make sure you use the full execution
path. It should be similar to the following:
sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/soft/hosts --plan /home/logrhythm/soft/plan.yml

The LogRhythm Service Registry can't start during an upgrade


This error occurs when the Service Registry service is not started when LRII runs or it was started after the
Deployment Tool loaded. The C:\Program Files\LogRhythm\LogRhythm Infrastructure Installer\data
directory is cleared prior to running LRII because it recreates a new configuration for this upgrade.
There is a backup script that saves all key values prior to running the Deployment Tool so that the data
directory can be recovered if necessary. If needed, these files are in the depconf folder.

Unable to query for legacy deploymentType value


This error message may appear if your key values have been removed. It should automatically restore them
for you, but if you run into this issue, you can run the following steps to restore the key values.


1. Open PowerShell.
2. Type the following:
cd "C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\backup"
3. Run the following:
$ConsulPath = "C:\LogRhythm\Deployment\data\consul.exe"
4. Find a previous backup at the location in step 2 that is larger than the most recent backups.
Most likely, the recent backups are 0 in size and you should pick the latest with a size larger than that.
5. Run the following script:
Get-Content .\kvexport-<date of backup>.json | & $ConsulPath kv import -
6. Restart the LogRhythm Deployment Tool.
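Steps 2 to 5 automated, as an added PowerShell example that is not part of the guide: it picks the newest kvexport-*.json that is not zero bytes, parses it to confirm it holds records, feeds it to consul kv import exactly as in step 5, and counts what the registry lists afterwards. Both paths are the ones given in the steps above.

```powershell
# Added example, not part of the guide: automate steps 2 to 5 above by picking the
# newest kvexport-*.json that is not empty and importing it. Both paths are the ones
# the guide gives; adjust them if your installation differs.
$BackupDir  = 'C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\backup'
$ConsulPath = 'C:\LogRhythm\Deployment\data\consul.exe'

if (-not (Test-Path -LiteralPath $ConsulPath)) { throw "consul.exe not found at $ConsulPath" }

# Backups taken while the registry was already empty are 0 bytes; skip those and
# take the most recent one that still holds data.
$Backup = Get-ChildItem -LiteralPath $BackupDir -File -Filter 'kvexport-*.json' |
    Where-Object { $_.Length -gt 0 } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
if (-not $Backup) { throw "No non-empty kvexport-*.json in $BackupDir" }

# Parse before importing: a consul export is a JSON array of key/flags/value records.
$Json    = Get-Content -LiteralPath $Backup.FullName -Raw
$Entries = @($Json | ConvertFrom-Json)
if ($Entries.Count -eq 0) { throw "$($Backup.Name) parsed but holds no records" }
"Restoring $($Entries.Count) key(s) from $($Backup.Name) ($($Backup.Length) bytes, written $($Backup.LastWriteTime))"
$Entries | Select-Object -First 5 -ExpandProperty key | ForEach-Object { "  $_" }

# 'consul kv import -' reads the export from stdin, exactly as in step 5.
$Json | & $ConsulPath kv import -
if ($LASTEXITCODE -ne 0) { throw "consul kv import failed (exit code $LASTEXITCODE)" }

# Verify the registry is populated again (one 'key:value' line per entry).
$Count = @(& $ConsulPath kv get -recurse).Count
"Registry now lists $Count key/value line(s)."
```

Run it from an elevated PowerShell prompt before restarting the Deployment Tool (step 6).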

Use the LogRhythm Configuration Manager


The LogRhythm Configuration Manager is an application that allows you to easily set up environmental
variables and configure them as needed during the lifetime of a deployment. It automatically appears when
installation or upgrade of a deployment is complete. It can also be accessed in the Configuration
Manager folder on the server where LogRhythm is installed (C:\Program Files\LogRhythm\LogRhythm
Configuration Manager) or by searching for LogRhythm Configuration Manager in the Windows Search box.
The Configuration Manager is not available remotely or online, so no login is required.
The LogRhythm Configuration Manager requires the following services:
• LogRhythm Web Services Host API
• LogRhythm API Gateway
• LogRhythm Service Registry
If any of those services are not functioning, you will receive an error message and the LogRhythm
Configuration Manager will not load. To resolve this issue, see the troubleshooting section below.

Configure your Deployment

If you are using multiple Web Console instances, the Configuration Manager lets you apply
individual configurations to each instance. Each instance, for single or multiple Web Consoles, will
be identified in the Configuration Manager as Web Console UI - HOSTNAME, where HOSTNAME is
the Windows host name of the server where the Web Console is installed.

Until you have had a chance to tune your deployment, and to avoid potential performance issues
with AIE Cached Drilldown, you should disable the AIE Drill Down Cache API after upgrading to
LogRhythm 7.4.4.

The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited
settings are shown in Basic mode. Advanced mode displays all settings, including those shown in Basic
mode, grouped according to which service they affect. The tables below describe all the settings. You can
filter the settings that are displayed by clicking one of the options on the left — All (no filtering),
Authentication, or Web Services. When settings are filtered, enable the Advanced view to ensure
you can see all settings.
To expand the screen and see all options at once, click the View menu in the upper-left corner of the
LogRhythm Configuration Manager window, then click Toggle Full Screen.
At the bottom of the LogRhythm Configuration Manager window, a service status indicator shows which
services are active or inactive. A blue light indicates that all services are up. A red light indicates that one or
more services are down. You can hover the mouse over the indicator to see a list of which services are down.
In Advanced mode, the indicator light also appears next to each group header.

If your LogRhythm Configuration Manager appears grainy, you may need to turn on Windows Font
Smoothing. You can read how to do so here: http://www.microsoft.com/typography/
ClearTypeFAQ.mspx

To configure settings in the LogRhythm Configuration Manager:


1. Find the setting you want to configure by doing one of the following:
• Scroll through the Basic or Advanced configuration mode until you find the option you want.
• In the Search box, type a term that appears in either the name or description of the configuration. Note
that headers and user input data won't be searched. Search returns results from both Basic and
Advanced modes, even if Advanced is not toggled on.
2. Enter the configuration you want. Note the following features:
• The LogRhythm Configuration Manager provides informational text as appropriate about what the
settings do and what unit data must be entered in.
• Configuration changes that could affect the performance of the environment include a written warning
beneath the input box.
• For organizations using Smart Cards, the Automatic Logout Time setting for Web Console API should be
increased from the default of zero.
• When Web Console Smart Card Authorization is enabled, the other Authentication API settings will
become unavailable.
• Multi-factor authentication requires users to set up authentication tools on their devices.
For more information, see Log in to the Web Console.
3. Click Save after making changes to the configuration. You can also click Save in the Edit menu in the upper-left
corner of the Configuration Manager. The configuration file is saved to %APPDATA%\LogRhythm Configuration
Manager\presets. You can make additional configuration backups. For more information, see Back Up and
Restore section below.

If you make a configuration change and then change that configuration again back to the previously
saved setting, the Save button will be deactivated and the last saved values persist. To undo a single
configuration change, click Edit in the upper-left corner of the LogRhythm Configuration Manager, and
then click Undo. You can also press Ctrl+Z. If you need to undo several configuration changes at once,
clicking the Revert Unsaved Changes button sets all configurations back to their last saved values.


The affected service or services restart automatically and the changes are applied. A restart time of up to 60
seconds is normal.

Troubleshoot the LogRhythm Configuration Manager


If the LogRhythm Web Services Host, the LogRhythm API Gateway, or the LogRhythm Service Registry is not
running, you receive an error message and the LogRhythm Configuration Manager does not load. If you are
not running the LogRhythm version of SQL server, one of the following error messages displays:
• The LogRhythm Configuration Manager displays: Cannot communicate with Services Host API.
• The log file for Service Host API displays: 2016-07-18T15:28:05.080-06:00 [ERROR] [thread:6]
[class:Client.Session] **ERROR** Unable to load LogRhythm Master License: The SELECT permission was denied
on the object 'SCLicense', database 'LogRhythmEMDB', schema 'dbo’.
To resolve this issue:
1. Go to Services on your machine and stop the service SQL Server (MSSQLSERVER).
2. Restart the service LogRhythm Services Host API.
3. Open the LogRhythm Configuration Manager.
4. In the Database Server box, enter the correct Database Server IP address.
5. Click Save.
6. In the Services program on your machine, restart SQL Server (MSSQLSERVER).
The LogRhythm Configuration Manager does not load if a proxy server is enabled for LAN connections in
Internet Explorer.
To change the proxy server settings for Internet Explorer:
1. On the Internet Options dialog box, click the Connections tab.
2. Click LAN Settings.
The Local Area Network (LAN) Settings dialog box appears.
3. Clear the Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections)
check box.
4. Click OK.
If you require a proxy server for LAN connections, contact LogRhythm Support.
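A pre-flight check for the two causes described above (a required service not running, or an IE LAN proxy enabled for the current user), as an added PowerShell example that is not LogRhythm's tooling. The service display names are taken from the list earlier in this section; if Get-Service cannot find them on your build, compare against Get-Service | Select-Object DisplayName.

```powershell
# Added example, not part of the guide: check the three services the Configuration
# Manager needs and the per-user IE LAN proxy setting that stops it from loading.
$Required = 'LogRhythm Service Registry', 'LogRhythm API Gateway', 'LogRhythm Web Services Host API'
$Problems = @()

foreach ($Name in $Required) {
    $Svc = Get-Service -DisplayName $Name -ErrorAction SilentlyContinue
    if (-not $Svc) { $Problems += "Service '$Name' is not installed on this host"; continue }
    if ($Svc.Status -ne 'Running') { $Problems += "Service '$Name' is $($Svc.Status)" }
}

# The Internet Explorer LAN proxy is stored per user; ProxyEnable=1 is what blocks the tool.
$Inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($Inet.ProxyEnable -eq 1) {
    $Problems += "LAN proxy enabled for this user ($($Inet.ProxyServer)); clear it in Internet Options > Connections > LAN Settings"
}

if ($Problems.Count -eq 0) {
    'All required services are running and no LAN proxy is set.'
} else {
    $Problems | ForEach-Object { Write-Warning $_ }
    # Uncomment to start whatever is stopped, then run this check again:
    # Get-Service -DisplayName $Required | Where-Object Status -ne 'Running' | Start-Service
}
```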

Back Up and Restore a LogRhythm Configuration


When you click Save in the LogRhythm Configuration Manager, the configuration file is saved to
%APPDATA%\LogRhythm Configuration Manager\presets. However, you can create a backup of any
configuration and save it to any location to use later to restore a given configuration or share with other
users.
To back up a configuration:
1. Make any changes you want. Boxes with changes are outlined blue.
2. Select Backup/Restore in the menu.
3. Click Backup to File.
4. Name the file and save it to the location you want.

5. (Optional) Click Save in the lower right of the LogRhythm Configuration Manager to apply the changes
immediately.
To restore a configuration:
1. Select Backup/Restore in the menu.
2. Select from one of the following:
• Restore from File. Prompts you to open a configuration backup file. After you open the file, boxes with
changes are outlined blue.
• Restore from Last Saved. Reverts to the configuration saved in %APPDATA%\LogRhythm Configuration
Manager\presets. You can also click Revert Unsaved Changes to apply the settings in that file. Boxes with
changes are outlined blue.
• Restore from Default. Returns all configuration settings to the installation defaults. Boxes with changes
are outlined blue.
3. In the lower right of the LogRhythm Configuration Manager, click Save to apply the new settings.

Install and Configure the Web Console


The following sections provide information about installing the Web Console and additional configuration
options.

Install the Web Console


You should only install the Web Console with the LogRhythm Install Wizard, regardless of whether or not you
are adding it to the PM or as a standalone appliance/server. For a standalone installation, be sure to follow
the instructions regarding the LogRhythm Infrastructure Installer — run your deployment package on the
Web Console server and then run the Install Wizard to install the single Web Console configuration.

Configure the Web Console With the LogRhythm Configuration Manager


The LogRhythm Configuration Manager is an application that allows you to easily set up environmental
variables and configure them as needed during the lifetime of the Web Console. For more information, see
Use the LogRhythm Configuration Manager.

Configure Smart Card/CAC Authentication

Smart Card/CAC authentication is not supported on Firefox.

To configure Smart Card/CAC authentication:


1. To obtain the environment's Certificate Authority Trust chain, concatenate the set of all SSL certificates
including the root certificates, the certificates that sign the end-user certificates, and all intermediate
certificates into a single file.

Do not manually insert line breaks within the certificates. The certificates do not need to be in any
specific order.

2. In the Web Services Configuration Manager, complete the following:


a. In the Certificate Authority Trust section, click Choose file and select the single certificates file created
in step 1. The contents of the certificate file populate the Certificate Authority Trust field.
b. In the Authentication section, set the Web Console Multi-factor Authentication Type to Smart Card.

Remove the Web Console


If you need to uninstall the Web Console, log in as an Administrator, go to Add/Remove Programs, and
uninstall the LogRhythm Web Console. During the uninstallation, the following components are stopped and
removed:
• LogRhythm Authentication API
• LogRhythm Case API
• LogRhythm Web Console API
• LogRhythm Web Console UI
• LogRhythm Web Indexer
• LogRhythm Web Services Host API
• LogRhythm Threat Intelligence API
• LogRhythm Web Services Configuration Manager (program)
After removing the Web Console, any files that were generated by the runtimes of the services above remain.
All installation directories are still present. Below are some examples of the types of files that remain on the
system:
• log files
• temporary or buffer files
• generated keys or certificates
• .pid files
If you want to completely remove the Web Services, it is safe to remove the entire LogRhythm Web Services
directory. If you plan to reinstall Web Services, it is not necessary to remove the Web Console folder
structure.

Certificates
Generate Your Own SSL Certificate for the Web Console
The Web Console installer automatically generates a self-signed SSL certificate for you and saves it here:
C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls_temp.
However, it is best practice to generate your own self-signed certificates or import certificates signed by a
third party. When configuring your own SSL Certificates for the Web Console, each certificate needs to be
configured separately. Some guidance on doing so can be found on the Digital Ocean website and the
OpenSSL website, but your IT department should follow their own policies and security practices.
Your IT department should set up proper certificates for your domain, install those on the internal systems,
and maintain them appropriately.

The LogRhythm Web Console supports .pem and .crt files only. If you convert to a .crt file using
OpenSSL, be sure to use the -nokeys flag.

1. Ensure the private key is unencrypted. The private key should not require a password.
2. Concatenate the certificate with the issuing and root Certificate Authority (CA) into a single file, if necessary.
3. Open the LogRhythm Configuration Manager.
4. To add the public key to the SSL Public Key parameter, click Choose File and select the public key in the file
browser.
5. To add the private key to the SSL Private Key parameter, click Choose File and select the private key in the file
browser.
6. Save your changes, and restart services, if necessary.
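The file handling behind step 1 of the Smart Card/CAC procedure (one file holding the whole CA trust chain, with no line breaks inserted) and steps 1 and 2 here (an unencrypted key, and the certificate concatenated with its issuing and root CAs), as one added PowerShell example that is not LogRhythm's code. Get-PemBlocks extracts and validates every PEM block in a file; New-PemBundle writes the certificates, in order, to a single file and refuses to bundle a private key (the reason for the -nokeys advice above); Test-PrivateKeyUnencrypted returns $true only when the key carries no passphrase. All file paths in the usage lines are assumptions.

```powershell
# Added example, not LogRhythm's code: assemble a single PEM file from several
# certificate files (CA trust chain for Smart Card, or server certificate plus its
# issuing and root CAs for the Web Console) and verify a private key is unencrypted.

function Get-PemBlocks {
    param([Parameter(Mandatory)][string]$Path)
    # Pull every -----BEGIN ...----- / -----END ...----- block out of the file. Text
    # outside the markers (bag attributes, comments) is dropped and each body is
    # re-joined line by line, so no stray line breaks end up in the output.
    $Text    = Get-Content -LiteralPath $Path -Raw
    $Pattern = '(?s)-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----'
    foreach ($m in [regex]::Matches($Text, $Pattern)) {
        $Type  = $m.Groups[1].Value
        $Lines = @($m.Groups[2].Value -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        # Legacy OpenSSL encryption puts 'Proc-Type: 4,ENCRYPTED' headers before the base64.
        $Headers = @($Lines | Where-Object { $_ -match '^[A-Za-z-]+:' })
        $Body    = @($Lines | Where-Object { $_ -notmatch '^[A-Za-z-]+:' }) -join "`n"
        # The body must be valid base64; this catches copy/paste damage before the file is used.
        [void][Convert]::FromBase64String(($Body -replace '\s', ''))
        [pscustomobject]@{
            Type      = $Type
            Encrypted = ($Type -eq 'ENCRYPTED PRIVATE KEY') -or [bool]($Headers -match 'Proc-Type:\s*4,ENCRYPTED')
            Pem       = "-----BEGIN $Type-----`n$Body`n-----END $Type-----"
        }
    }
}

function New-PemBundle {
    param([Parameter(Mandatory)][string[]]$InputPath, [Parameter(Mandatory)][string]$OutputPath)
    $Blocks = @(foreach ($p in $InputPath) { Get-PemBlocks -Path $p })
    $Certs  = @($Blocks | Where-Object { $_.Type -eq 'CERTIFICATE' })
    $Keys   = @($Blocks | Where-Object { $_.Type -like '*PRIVATE KEY*' })
    if ($Certs.Count -eq 0) { throw 'No CERTIFICATE blocks found in the input files' }
    # A trust bundle or chain file must never carry a private key.
    if ($Keys.Count -gt 0) { throw "Input contains $($Keys.Count) private key block(s); remove them before bundling" }
    # Drop exact duplicates (the same CA supplied twice) while keeping the order given.
    $Unique = @($Certs | Select-Object -ExpandProperty Pem -Unique)
    [IO.File]::WriteAllText($OutputPath, (($Unique -join "`n") + "`n"))
    "Wrote $($Unique.Count) certificate(s) to $OutputPath"
}

function Test-PrivateKeyUnencrypted {
    param([Parameter(Mandatory)][string]$KeyPath)
    $Key = @(Get-PemBlocks -Path $KeyPath | Where-Object { $_.Type -like '*PRIVATE KEY*' })
    if ($Key.Count -eq 0) { throw "No private key block found in $KeyPath" }
    # $true when the Web Console can load the key without a passphrase.
    -not $Key[0].Encrypted
}

# Usage (illustrative paths, not from the guide):
# New-PemBundle -InputPath 'C:\certs\root-ca.pem','C:\certs\issuing-ca.pem' -OutputPath 'C:\certs\ca-trust.pem'
# New-PemBundle -InputPath 'C:\certs\webconsole.crt','C:\certs\issuing-ca.pem','C:\certs\root-ca.pem' -OutputPath 'C:\certs\webconsole-chain.pem'
# if (-not (Test-PrivateKeyUnencrypted -KeyPath 'C:\certs\webconsole.key')) { throw 'Key is passphrase-protected; export an unencrypted copy first' }
```

The order of certificates in the bundle does not matter for the Certificate Authority Trust field, as the note under step 1 says; for the Web Console chain file the server certificate is conventionally listed first, followed by the issuing CA and then the root.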

Trust the Self-Signed Certificate from a Client PC


Untrusted self-signed certificates can cause the Web Console to perform poorly. Self-signed certificates that
are not trusted prevent browsers from caching https requests, which causes Web Console pages to load
slowly.
To prevent this problem, configure trusted certificates:
1. Delete the following folders:
• C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls
• C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls_temp
2. Run the installer for the latest version of the Web Console on a Windows machine. If you have already installed
the Web Console, run the following script as an administrator: C:\Program Files\LogRhythm\LogRhythm Web
Services\LogRhythm Web Console UI\generate_keys.bat
3. Do one of the following:
• Method 1. Certificate trusted for all users of a system
i. From the Web Console server, run the Microsoft Management Console (mmc.exe).
ii. On the File menu, click Add/Remove Snap-in.
iii. Add the Certificates Snap-in.
iv. Select Computer account > Local computer.
v. Run the Microsoft Management Console with the Certificate Snap-in on the client system.
vi. Import the LogRhythm Self-Signed Certificate file from C:\Program Files\LogRhythm\LogRhythm
Web Services\LogRhythm Web Console UI\tls_temp (or your own Self-Signed Certificate) file into
the Trusted Root Certification Authorities store. The certificate will be trusted for all users of this
system.
• Method 2. Certificate trusted for current user only
• In Internet Explorer 11
1. Run Internet Explorer as an administrator.
2. Go to your Web Console deployment.
3. Click Continue to this website (not recommended).
4. Click Certificate error in the address bar.
5. In dialog box, click View certificates.
6. On the General tab, click Install Certificate, and then click Next when the wizard opens.
7. Select Place all certificates in the following store.
8. Click Browse and select the Trusted Root Certification Authorities.
9. Click OK and Next.
10. Click Finish.
• In Firefox
1. Go to the Web Console.
2. A security certificate error page appears.
3. Click the arrow next to I Understand the Risks to expand the section.
4. Click the Add Exception button.
5. At the bottom of the dialog box, select Permanently store this exception.
6. Click Confirm Security Exception.
• In Chrome
1. Browse to the Web Console.
A security certificate error page appears.
2. Click Advanced, and then click Proceed to [Web Console].
3. In the address bar, click the broken padlock icon.
4. Next to the Your connection to this site is not private warning, click Details.
5. Click the View certificate button.
6. Click the Details tab.
7. Click Copy to File.
8. Follow the steps in the wizard to save the certificate as a PKCS #7 (.P7B) certificate in a
place you can easily locate it.
9. After you finish exporting the certificate, go to Settings in your browser.
10. At the bottom of the screen, click Show advanced settings.
11. In the HTTPS/SSL section, click Manage certificates.
12. Click the Trusted Root Certification Authorities tab.
13. Click Import.
14. Follow the steps in the wizard to import the certificate you saved in step 8. You must save
the certificate to the Trusted Root Certificate Authorities store.
15. Select the newly imported certificate in the Trusted Root Certification Authorities tab, and
then click Advanced.
16. At the bottom of the dialog box, select Include all certificates in the certification path, and
then click OK.
17. Restart Chrome.
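The PowerShell equivalent of Method 1, as an added example that is not part of the guide, with the check that every method above skips: it retrieves the certificate the Web Console actually serves, prints its fingerprint so you can compare it with the file in tls_temp on the server, and imports it into the client's Trusted Root store only when the two match. Placing a certificate in that store makes the client trust it outright, so the comparison is what stops you from trusting whatever a man-in-the-middle presented. $WebConsoleHost, the port and the certificate file name in the comment are assumptions for your environment; run in an elevated prompt on the client PC.

```powershell
# Added example, not part of the guide: fetch the certificate the Web Console serves,
# show its fingerprint for comparison with the server's copy in tls_temp, and only
# after that comparison add it to the client's Trusted Root store.
# $WebConsoleHost, $Port and the certificate file name are assumptions.
param(
    [string]$WebConsoleHost = 'webconsole.example.internal',
    [int]$Port = 8443,
    # Read on the server with:
    # (New-Object Security.Cryptography.X509Certificates.X509Certificate2 '...\tls_temp\<cert file>').Thumbprint
    [string]$ExpectedThumbprint = ''
)

function Get-ServedCertificate {
    param([string]$HostName, [int]$TcpPort)
    $Client = New-Object Net.Sockets.TcpClient($HostName, $TcpPort)
    try {
        # Accept any certificate for this one handshake: we are retrieving it, not trusting it yet.
        $Ssl = New-Object Net.Security.SslStream($Client.GetStream(), $false,
            [Net.Security.RemoteCertificateValidationCallback]{ $true })
        $Ssl.AuthenticateAsClient($HostName)
        New-Object Security.Cryptography.X509Certificates.X509Certificate2($Ssl.RemoteCertificate)
    } finally {
        $Client.Close()
    }
}

$Cert = Get-ServedCertificate -HostName $WebConsoleHost -TcpPort $Port
"Subject     : $($Cert.Subject)"
"Issuer      : $($Cert.Issuer)"
"Valid       : $($Cert.NotBefore) to $($Cert.NotAfter)"
"Thumbprint  : $($Cert.Thumbprint)"
"Self-signed : $($Cert.Subject -eq $Cert.Issuer)"

# Refuse to trust anything that was not verified out of band against the server's copy.
$Expected = $ExpectedThumbprint.ToUpper() -replace '[^0-9A-F]', ''
if (-not $Expected) { throw 'Pass -ExpectedThumbprint after reading it from the certificate file on the server' }
if ($Cert.Thumbprint -ne $Expected) { throw "Served certificate $($Cert.Thumbprint) does not match expected $Expected; not importing" }

if (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Cert.Thumbprint }) {
    "Already trusted: $($Cert.Thumbprint) is in LocalMachine\Root"
    return
}

# A self-signed leaf has to live in Root to be trusted; a CA-issued certificate does not
# belong here at all (trust its CA instead, or better, use one the client already trusts).
if ($Cert.Subject -ne $Cert.Issuer) { throw 'Certificate is CA-issued; import its issuing CA chain, not the leaf' }
$Store = New-Object Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$Store.Open('ReadWrite')
$Store.Add($Cert)
$Store.Close()
"Imported $($Cert.Thumbprint) into LocalMachine\Root"
```

This covers Windows browsers that use the system store (Internet Explorer and Chrome); Firefox keeps its own trust store, so the Firefox steps above are still required there.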
