LogRhythm Software Upgrade Guide 7.4.4 RevB
Deployment to 7.4.4
Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use
of this information.
Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned
may be trademarks, registered trademarks, or service marks of their respective holders.
LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com
This guide describes the upgrade procedure to version 7.4.4 using the Database Upgrade Tool and the
LogRhythm Install Wizard. The Database Upgrade Tool upgrades your LogRhythm databases, and the Install
Wizard upgrades the LogRhythm components.
HA and DR Upgrades
This guide should only be used to upgrade standard LogRhythm systems to version 7.4.4. If your deployment
includes LogRhythm’s HA or DR solution, obtain the correct upgrade guide using the links on the right.
Existing Components
This upgrade guide describes how to update the following LogRhythm components:
• AI Engine
• (Optional) All Windows System Monitor Agents
• (Optional) All *NIX System Monitor Agents
If any of the following procedures are unclear, if you require assistance with your upgrade, or if you
encounter an unexpected error, please contact LogRhythm Support.
Scenario A
Scenario B
Scenario C
Upgrade Phases
Depending on your current LogRhythm deployment, the upgrade can be carried out in four or five brief
phases, as follows:
• A, B, C: Prepare for Upgrade – review considerations and prerequisites, request license file, synchronize stored
KB, download tools and installers, run audit reports, shut down LogRhythm
• A, B, C: Upgrade LogRhythm Databases – run the Database Upgrade Tool on your XM appliance or EM & LM
appliances
• B, C: Reconfigure Virtual Disks on Standalone Log Managers – prepare your Windows-based appliance for the
Data Processor & Data Indexer
• A, B, C: Upgrade LogRhythm Appliances – run the Install Wizard on your XM appliance or EM, LM, and AIE
appliances
• A, B, C: Configure and Get Started
Before starting the upgrade, FIPS users must disable FIPS mode and run the Database Upgrade
Tool using the SQL sa account. In addition, deployments that use SQL Security where FIPS is also
enabled must be configured with Windows Integrated Security for services after your upgrade is
complete. For more information, see Integrated Security.
• Log in to SQL Server Management Studio on the Platform Manager and back up your EMDB at a minimum.
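As an added example that is not part of the LogRhythm guide, the following PowerShell scripts the same EMDB backup from the Platform Manager and verifies the resulting file before the upgrade touches any database. It assumes a Windows login with sysadmin rights on the local default instance; the backup directory and the destination share are hypothetical.

```powershell
# Added example, not part of the LogRhythm guide. Assumes it runs on the Platform
# Manager as a Windows login with sysadmin rights on the local default instance.
Add-Type -AssemblyName System.Data

function Backup-LrEmdb {
    param(
        [string]$ServerInstance = 'localhost',
        [string]$Database       = 'LogRhythmEMDB',
        # Hypothetical directory; the SQL Server service account, not your login,
        # is what writes the file, so it must have write permission here.
        [string]$BackupDir      = 'D:\LogRhythmBackups'
    )
    if (-not (Test-Path -Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $file  = Join-Path -Path $BackupDir -ChildPath "${Database}_pre744_${stamp}.bak"

    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Database=master;Integrated Security=True")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandTimeout = 0   # 0 = no limit; a large EMDB outlives the 30 s default
        $null = $cmd.Parameters.AddWithValue('@f', $file)

        # CHECKSUM verifies page checksums as pages are read and stamps the backup
        # with its own checksum; INIT overwrites an existing file instead of appending.
        $cmd.CommandText = "BACKUP DATABASE [$Database] TO DISK = @f WITH CHECKSUM, INIT, STATS = 10"
        $null = $cmd.ExecuteNonQuery()

        # Prove the file is readable and its checksums hold before the upgrade deletes
        # anything; this raises a SqlException on a corrupt or truncated backup.
        $cmd.CommandText = "RESTORE VERIFYONLY FROM DISK = @f WITH CHECKSUM"
        $null = $cmd.ExecuteNonQuery()
    }
    finally {
        $conn.Close()
    }
    return (Get-Item -Path $file)
}

$bak = Backup-LrEmdb
# The guide says to keep backups somewhere other than the appliance being upgraded.
Copy-Item -Path $bak.FullName -Destination '\\backup-srv.example.local\LogRhythm\'   # hypothetical share
```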
If .NET has not been updated on any host running a System Monitor Agent and you push out an
update with the System Monitor Package Manager, the Agent host will restart as part of the .NET
install.
You can download the Microsoft .NET Framework 4.5.2 standalone installer from the Microsoft website.
The .NET Framework installation requires 4.5 GB of free disk space.
Administrator Credentials
To reduce downtime, ensure the following items are available before you begin the upgrade process:
• Local administrator privileges for the LogRhythm servers.
• The SQL Server password for the LogRhythmAdmin account.
• The SQL Server sa password for the LogRhythm databases.
• The following user permissions must be assigned to the user executing the SQL Server upgrade. The Database
Upgrade Tool verifies that you have the following permissions:
    • Back up/restore files and directories
    • Manage auditing and security log
    • Take ownership of files or other objects
    • Shut down the system and debug programs
• Sufficient time to perform the upgrade. Generally, the upgrade process can be completed in under two hours,
but it may take much longer for very large databases.
Power Supply
LogRhythm recommends that all LogRhythm systems be connected to an uninterruptible power supply. A
power cut may cause an Elasticsearch failure that leads to a loss of indices.
If you have previously installed the Web Console to a custom location, rather than the default
C:\Program Files\LogRhythm, upgrading is not recommended. You should uninstall your previous
version and perform a clean installation of version 7.4.4 following the steps described in the LogRhythm
Software Installation Guide.
If your LogRhythm instance is deployed in a dark site, download the necessary standalone .NET
installers from Microsoft Support before beginning the upgrade. Otherwise, the Web Services
Installer will attempt to download it during the upgrade and the upgrade will fail without internet
connectivity.
LogRhythm v7 provides next-generation persistence and search capabilities for log and archive
data. During the upgrade from version 6.3.x, the LMDB and RADB databases are deleted. If you want
to keep a copy of these databases, make a backup and store them with the related EMDB backup
somewhere other than the Log Manager appliance. Because the LMDB and RADB are removed, you
may want to run your audit reports before starting the upgrade so that you do not have to restore
data from Archives to run the reports.
If this prerequisite is not met, the deployment may not function properly after installation is complete.
There are general guidelines, considerations, and standards to consider prior to deploying your solution
within a network. This page covers the networking and communication considerations and requirements to
help you deploy your solution.
DNS Resolution
It is recommended that the LogRhythm server acting as the Platform Manager be entered into DNS so it is
addressable by name.
Domain Membership
A LogRhythm server does not need to be a member of the Windows Domain to function correctly. However,
LogRhythm recommends adding it to make remote event log collection easier to manage.
Active Directory Group Based Authorization requires the Platform Manager to be a Domain member
to function correctly.
The following table lists all network communications and interactions within a LogRhythm deployment. It
can assist system and network administrators with configuration of network access control devices and
software.
Port 8301 must be opened for TCP and UDP traffic on all hosts in your deployment, with the
exception of Client Console and Agent hosts. 8301 is the bi-directional communication port used
between all Consul hosts. If the port is blocked, hosts in your deployment will not be able to join the
Consul cluster. No log data or customer data is passed between hosts on this port—it is only used
for membership communication between LR hosts. See Consul Communications for more
information.
Additionally, network address translation (NAT) cannot be used between core components (AIE, DP,
DX, PM, Web). All communications between these components must be real IP to real IP.
LogRhythm Components
Source | Source Port | Destination | Destination Port | Protocol | Description
AI Engine | 3334, 3335 | Data Processor | 30000, 30001 | TCP | AIE Data Provider on DP forwarding log data to AIE Comm Manager
Client Web Browser | Random | Web Console | 8443 | HTTPS | The SSL port to use for accessing the Web Console.
System Monitor/Data Collector | 0 (formerly 3333) | Data Processor | 40000 | TCP | Forwards raw log data to the DP when running in Unidirectional Agent mode
System Monitor/Data Collector | 0 (formerly 3333) | Data Processor | 443 | TCP | Forwards raw log data to the DP when running in Bidirectional Mode
1 Metrics are collected from all components included in the LogRhythm Infrastructure Installer. This does not
include standalone System Monitors or Client Consoles.
* The server port for UDLA collection will vary based on the database server being queried.
(SQL Server default = TCP 1433; MySQL default 3306; Oracle default = TCP 1521; DB2 default = TCP 50000)
** LogRhythm alarms are forwarded to EPO via the McAfee agent installed on a Platform Manager. To
determine the ports utilized by McAfee agents and EPO server, see your McAfee ePO documentation and
configuration.
The Web Console Case API uses dynamic ports in the range of 20000-30000. These are listening
ports used for loopback purposes and do not require any firewall changes.
Component | Protocol | Port | Used By | Platform | Description
PM - SQL | TCP | 1433 | Carpenter and Bulldozer on DX | Windows & Linux | SQL Server access to EMDB
LogRhythm API Gateway | HTTPS | 8501 | API Gateway | Windows & Linux | Enables secure, load balanced, and discoverable service to service communication. Required to use the JWT from the Authentication API.
Consul | TCP/UDP | 8300, 8301 | Service Registry | Windows & Linux | Establishes a secure cluster between the LogRhythm hosts in a deployment, not including agents
ConfigServer | TCP | 13000 | DX Local Only | Windows & Linux | Listens for configuration requests
Columbo | TCP | 13131, 13133 | DX Local Only | Windows & Linux | Columbo internal processing
Consul | TCP/UDP | 8300, 8301 | Inter-node | Windows & Linux | Nodes in cluster sharing keys
Elasticsearch | TCP | 9200 | DX Local Only | Windows & Linux | Curl queries to Elasticsearch
Spawn | TCP | 14501 | DX Local Only | Windows & Linux | CloudAI: Replicates data to CloudAI
Vitals | TCP | 13200 | DX Local Only | Windows & Linux | Listens for stats to monitor Data Indexer health
1 After upgrading to 6.20, the default port is 40000. However, any existing mediators will retain the value they
had before the upgrade.
Source | Source Port | Destination | Destination Port | Protocol | Direction
Web Console Client | Random | LogRhythm Web Server | 8443 | HTTPS | Bidirectional, Client Initiated
Web Console Client | Random | Data Indexer | 13130, 13132 | TCP | Bidirectional, Client Initiated
Consul Communications
All core LogRhythm components—PM, DP, DX, AIE, Web—must allow incoming and outgoing connections on
port 8301 over TCP/UDP to enable Consul communications with one another.
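Before starting the upgrade, the following added pre-flight check (written for this page, not taken from the LogRhythm guide) probes the TCP side of the core-component ports listed above from one core host to the others and inspects the local Windows Firewall for the Consul 8301 rules. The host names are hypothetical placeholders for the PM, DP, DX, AIE and Web hosts in your plan file.

```powershell
# Added pre-flight check, not part of the LogRhythm guide. Host names are
# hypothetical; use the core hosts (PM, DP, DX, AIE, Web) from your plan file.
$CoreHosts = @('lr-pm.example.local', 'lr-dp01.example.local',
               'lr-dx01.example.local', 'lr-aie.example.local', 'lr-web.example.local')

# TCP ports every core host must reach on every other core host, taken from the
# communications table: Consul server RPC (8300), Consul membership (8301) and the
# API Gateway (8501). 8301 is also UDP, which Test-NetConnection cannot probe, so
# the UDP side is checked against the local firewall rules instead.
$CoreTcpPorts = @(8300, 8301, 8501)

function Test-LrCorePorts {
    param(
        [Parameter(Mandatory)][string[]]$Hosts,
        [int[]]$Ports = $CoreTcpPorts
    )
    foreach ($h in $Hosts) {
        foreach ($p in $Ports) {
            $tnc = Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                Host      = $h
                Port      = $p
                Reachable = [bool]$tnc.TcpTestSucceeded
                # NAT between core components is unsupported, so the address a peer
                # resolves to must be its real IP; record it so it can be compared.
                RemoteIP  = "$($tnc.RemoteAddress)"
            }
        }
    }
}

function Test-LrLocalFirewall {
    # The Install Wizard needs the Windows Firewall service running so the Common
    # installer can create its rules, and Consul needs an inbound allow for 8301 on
    # both TCP and UDP. Rules that express the port as a range are not matched here.
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    $ruleFor = {
        param($proto)
        Get-NetFirewallPortFilter -Protocol $proto |
            Where-Object { $_.LocalPort -eq '8301' } |
            Get-NetFirewallRule |
            Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    }
    [pscustomobject]@{
        FirewallServiceRunning = [bool]($svc -and $svc.Status -eq 'Running')
        ConsulTcp8301Allowed   = [bool](& $ruleFor 'TCP')
        ConsulUdp8301Allowed   = [bool](& $ruleFor 'UDP')
    }
}

# Run this from each core host. Any row with Reachable = False, or a RemoteIP that
# is not the peer's real address, must be fixed before the upgrade starts.
Test-LrCorePorts -Hosts ($CoreHosts | Where-Object { $_ -notlike "$env:COMPUTERNAME*" }) |
    Format-Table -AutoSize
Test-LrLocalFirewall | Format-List
```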
This task must be completed during upgrades from 7.2.x, 7.1.x, and 6.3.9 only.
7.2.x, 7.1.x, and 6.3.9 users should download the version of the Database Upgrade tool that includes SQL
Server. The Database Upgrade Tool is packaged in a .ZIP archive. After downloading the archive, copy it to
each XM or Platform Manager appliance or server that you want to upgrade, and then extract the contents of
the archive into a new directory.
Component | Installer
AI Engine | LRAIEngine_64_7.4.4.#.exe
To enable communication over TLS 1.2 for all LogRhythm 7.4.x components, your base deployment must
meet the following requirements:
• Platform Manager is running SQL Server 2016 Standard SP1.
• LogRhythm 7.4.x core components on Windows are running Microsoft .NET Framework 4.5.2 — the Database
Upgrade Tool will install .NET 4.6.1 on the Platform Manager.
After ensuring that your base deployment meets the above requirements, .NET 4.5.x rollup updates are
required on all Windows appliances or servers running LogRhythm components — the Platform Manager is
excepted.
If the target appliance is up-to-date with important Windows updates, some hotfixes may not be
required. If this is the case, the installer indicates that.
Installers for all the required patches and hotfixes are available in a .ZIP file on the 7.4.4 Downloads page,
under TLS 1.2 Support. You should download LR_74x_TLS_support.zip, extract its contents, and then
distribute the required installers to the required appliances or computers in your deployment.
The following patches are not required on systems running only the System Monitor Agent or on
systems where .NET 4.6 is already installed.
Installer | Description | Instructions
NDP452-KB3099845x86-x64-ENU.exe | .NET Framework 4.5.2 Hotfix Rollup | Copy the hotfix installer to all LogRhythm component hosts running on Windows appliances or computers running Windows 7 SP1, Windows Server 2008, or Windows Server 2008 R2.
x64-Windows8.1KB3099842-x64.msu | Windows Update Installer for .NET Framework 4.5.2 Hotfix Rollup | Copy the installer to all LogRhythm hosts running on Windows appliances or computers running Windows 8.1 or Windows Server 2012 R2.
If you want to preview any Elasticsearch 1.x indices that will be deleted during the upgrade, you can
download the Elasticsearch upgrade checker from the LogRhythm Community, for Windows or Linux. Run the
upgrade checker on one node per cluster on Linux, and on each DP/DX on Windows.
LogRhythm 7.1 or 7.2 users should run the Elasticsearch upgrade checker before the upgrade to preview any
incompatible Elasticsearch 1.x indices.
The System Monitor packages for UNIX and Linux are available on the LogRhythm Community. Next to each
package is a link to a SHA256 checksum file you can use to verify the integrity of the downloaded file.
AIX
Debian
HP-UX
Oracle
Solaris
SUSE
Ubuntu
Save your Web Console configuration values by backing up the appropriate file to a location that is
accessible after the upgrade:
If you are running multiple Web Consoles and you are using environment variables to override
Configuration Manager settings on one or more Web Console servers, you should note the values of
those variables on each server where used, and then delete the variables. In LogRhythm 7.4.4, the
Configuration Manager supports individual configurations for multiple Web Consoles. If any of the
variables are left in place, they will continue to override settings in the Configuration Manager.
If a Knowledge Base has been downloaded but not synchronized, synchronize it before starting the upgrade.
If you do not have a downloaded Knowledge Base, you can skip this step.
1. Log in to a system where the Client Console is installed.
2. Start the Client Console.
3. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.
The Knowledge Base Manager appears. If a downloaded Knowledge Base is ready for synchronization, a notice is
displayed at the top of the window.
4. Click Synchronize Stored Knowledge Base.
The Knowledge Base Import Wizard appears and starts unpacking and validating the Knowledge Base file. The
file is checked for compatibility with your current deployment and prepared for import. This may take several
minutes.
When finished, the Unpack Progress: Knowledge Base unpacked message appears.
5. To Import the Knowledge Base, click Next.
6. In the Knowledge Base Updated dialog box, click OK.
7. In the Knowledge Base Import Wizard, click Close.
8. Perform either of the following procedures as needed:
• To enable the Knowledge Base Modules and synchronize them, perform the following steps:
i. Select the Action check boxes next to the modules you want.
ii. Right-click the grid, click Actions, and then click Enable Module.
The Enable Selected Modules dialog box appears.
iii. Select the options you want, and then click OK.
The Enable Modules box displays a confirmation message.
iv. To start the synchronization, click Yes.
v. When complete, click Close to close the Import Wizard.
• To Migrate Common Event Changes, perform any of the following steps as needed:
If you are not familiar with the customizations that have been made to your deployment, do not
proceed with the import until you have acquired that knowledge, or contact LogRhythm Support for
assistance. For more information, see Migrate Common Events.
If Action Required is displayed, some items need to be updated due to Common Event migration
changes. Follow the instructions below. If Action Required is not displayed, go to step 9.
i. Click Common Event Change Manager.
ii. Perform any of the following procedures as needed:
• To migrate a Common Event with a preview, select the Action check box for the item.
Right-click the grid, click Migrate with Preview, and then click Migrate Common Event
to Common Event or Common Event to MPE Rule.
• To migrate a Common Event without a preview, select the Action check box for the item.
Right-click the grid, click Action, and then click Migrate Common Event to Common
Event or Migrate Common Event to MPE Rule.
• To ignore the Common Events, select the Action check box for the item. Right-click the
grid, click Action, and then click Ignore. When this option is selected, items checked in the
grid are ignored during future Common Event Migration checks. The items no longer
appear in the Common Event Change Manager.
iii. To close the Common Event Change Manager, click Close.
9. To view the Synchronization History, click View Synchronization History.
10. Click Close.
On Linux, the upgrade checker only needs to be run on one node per cluster. If you have multiple DX clusters,
you may want to execute a query on the Platform Manager to identify the IP address of one node in each
cluster.
To identify cluster nodes, do the following:
1. Log in to your Platform Manager as an administrator and start Microsoft SQL Server Management Studio.
2. Right-click the LogRhythmEMDB database, and then click New Query.
3. Paste the following into the query window:
SELECT A.DataIP, A.ClusterID
FROM (
    SELECT LogRhythmEMDB.dbo.NGPNode.DataIP,
           LogRhythmEMDB.dbo.NGPCluster.ClusterID,
           ROW_NUMBER() OVER (PARTITION BY LogRhythmEMDB.dbo.NGPCluster.ClusterID
                              ORDER BY LogRhythmEMDB.dbo.NGPNode.DataIP) AS RN
    FROM LogRhythmEMDB.dbo.NGPNode
    INNER JOIN LogRhythmEMDB.dbo.NGPCluster
        ON LogRhythmEMDB.dbo.NGPNode.ClusterID = LogRhythmEMDB.dbo.NGPCluster.ClusterID
) A
WHERE A.RN = 1;
4. Click Execute.
The query will return a table of DataIPs and ClusterIDs. Each DataIP is the IP address of a cluster node where you
will need to copy and run the upgrade checker.
To run the upgrade checker on Linux, do the following:
1. Using a tool like WinSCP, connect as logrhythm to each of the identified nodes and copy the upgrade checker
RPM to /home/logrhythm/Soft.
2. Log in to one of the cluster nodes where you copied the upgrade checker.
3. From the /home/logrhythm/Soft directory, run
sudo yum localinstall upgradechecker-7.4.4.<version>.x86_64.rpm
It is critical that you complete the following procedure successfully before starting the upgrade
process. If you do not successfully verify your deployment status before upgrading LogRhythm
components, your deployment could be left in an unusable state.
The LogRhythm 7.4.4 Infrastructure Installer requires a valid record of your deployment status. To ensure
that this record exists, do the following:
1. Log in to your Platform Manager as a user with administrative privileges.
2. From Start or under Apps, click LogRhythm Infrastructure Installer under the LogRhythm folder.
3. On the main page, click the Verify Deployment Status button if it is available.
If Verify Deployment Status is not available, click Exit and proceed to the next section.
The installer ensures that the plan file (plan.yml) matches the active hosts in the deployment.
4. Verify that the deployment status is successful.
5. Do not proceed if your deployment status cannot be verified. Ensure that all hosts in the plan file are online, and
that no new hosts have been added to the deployment since the plan file was created. If any hosts were added,
you will need to add them in the Infrastructure Installer, generate a deployment package, and run the package
on the new hosts.
If you still cannot verify your deployment status, you will need to add all of your hosts again, generate
deployment packages for all hosts, and run the deployment packages on all hosts. For additional
details, see the guide that you used when you upgraded to your current version.
6. When the status has been verified successfully, click Exit to close the Infrastructure Installer.
In the case of endpoint protection software, you may need to uninstall the software from all
LogRhythm systems as it has been known to interfere with the LogRhythm solution.
When the LogRhythm installation is complete, you can enable or install antivirus or endpoint protection
software again.
You have to run the LogRhythm Database Upgrade Tool on all Platform Managers.
The following information applies to upgrades from 7.2.x, 7.1.x, and 6.3.9 only.
During the upgrade, you may be presented with one or more warnings about losing live log data.
Elasticsearch 1.x indices are incompatible with the version of Elasticsearch in LogRhythm 7.4.4, and
those indices must be deleted during the upgrade. These indices were present in LogRhythm 7.1
and earlier versions of 7.2. If you are concerned about losing any of these indices, run the upgrade
checker to verify which — if any — indices would be affected. If you do not want to upgrade at this
time, you can upgrade to the latest LogRhythm 7.2 version and stay on that version until the
incompatible indices age out (until the default TTL on the Data Indexer has passed).
The database upgrade will remove SQL Server 2008 R2 and install SQL Server 2016 SP1, as well as .NET
Framework 4.6.1. During the upgrade, you are prompted to reboot the appliance being upgraded. You
cannot complete the upgrade without this reboot.
If FIPS (Federal Information Processing Standard) is enabled in your deployment, you must disable
it before proceeding with the Database Upgrade Tool. After finishing the upgrade, you can enable
FIPS again.
The account that runs the Database Upgrade Tool must have the following rights: the right to back up
files and directories and the right to manage auditing and the security log. If you are unsure, contact
your system administrator.
You can download the Microsoft .NET Framework 4.5.2 standalone installer from:
https://www.microsoft.com/en-us/download/details.aspx?id=42642
The .NET Framework installation requires 4.5 GB of free disk space.
6. The Introduction screen appears. Before you begin, ensure that your system meets all the prerequisites.
7. To proceed, click Next.
The Database Upgrade Tool displays a confirmation dialog box: Are you sure you understand these instructions
and are ready to proceed with the upgrade?
8. Click Yes.
The Login screen appears.
9. Select SQL Server Authentication and provide the password for the sa and LogRhythmAdmin accounts.
10. Click Next. The Database Upgrade Tool validates your credentials against the database. If validation fails, an
error message appears and you must enter the proper credentials.
This task must be completed during upgrades from 7.1.x and 7.2.x only.
If prompted for a SQL Server 2016 product key, click Next to proceed. The upgrade tool should apply
the key supplied by LogRhythm.
The Review Components screen displays the current services and database versions. This page provides you
with information about installed LogRhythm services, their current state, and their version. All databases on the
server are listed including the type, version, host name, and an estimate of how long it will take to upgrade the
database.
There are no changes required on this screen.
11. To proceed, click Next.
The Backup Databases screen appears.
12. Select the Backup check box for each of the databases that you want to back up later in the upgrade process.
• By default, the LogRhythm EMDB database is selected and must be backed up. During the upgrade, all
database data (except for LMDB and RADB data in upgrades from 6.3.9) is retained. As an additional
precaution, you can choose to back up additional databases.
• Generally, the backup process can be completed in about an hour, but it may take much longer for very
large databases.
• If you clear the check box and click Next, the following message appears and the LogRhythmEMDB
database is selected after you click OK: Performing a backup of the LogRhythmEMDB database is
required.
13. To select a directory for the database backups, click Browse.
The SQL Server service must have permission to write to this folder.
• If you select additional databases, the following message appears: You have elected to backup an
additional database. These databases can be very large. Ensure that the backup location has sufficient
space to store the backups.
• If you do not have enough space, change the location or clear the check boxes of any databases that you
do not want to back up.
14. Click Next.
This task must be completed during upgrades from 6.3.9 only.
The Database Upgrade Tool displays a warning about removing the LMDB and RADB databases.
While the Database Upgrade Tool suggests that you back up your LMDB and RADB, this is not
necessary since that data can be restored with SecondLook.
The removal of SQL Server 2008 R2 and installation of SQL Server 2016 could take a considerable
amount of time. Please be patient while the upgrade proceeds.
7. If the upgrade does not resume, start the Database Upgrade Tool as described at the beginning of this procedure.
SQL Server 2016 Standard SP1 will be installed, and the database upgrade steps will continue. Status
is displayed during the upgrade, and SQL script output is displayed in a separate window.
If you cancel the upgrade, you can run the Database Upgrade Tool again later. The upgrade will
continue at the point where it was stopped.
When the upgrade is finished, the LogRhythm Database Upgrade Tool confirmation message appears.
16. To close the message and continue, click OK.
The Complete screen appears.
• To see upgrade logs, click View log files.
• To see script output, click View script output.
17. To exit the Database Upgrade Tool, click Close.
In 7.2.x, 7.1.x, and 6.3.9 deployments, the SQL Server Upgrade process will revert the account
used to run SQL Server and SQL Server Agent to system defaults. Ensure they are set to use
the same credentials on both servers. Active Directory accounts with local administrative
rights must be used to run these services.
In 7.2.x, 7.1.x, and 6.3.9 deployments, the SQL Server Upgrade process restarts the services
you previously shut down during the Prepare to Upgrade step. You must stop those services
again before running the LogRhythm Installation Wizard in the next step.
Do not perform this step in XM deployments. This step is only applicable to standalone 6.3 Log
Managers. After running the Database Upgrade Tool on each Log Manager, you must reconfigure
the virtual disks on each appliance before installing the Data Processor and Data Indexer.
Before you begin, ensure that the following prerequisites have been met:
• Dell Open Manage Server Administrator is installed
• The LogRhythm Database Upgrade Tool has uninstalled MS SQL Server
• All data on drives D:, L:, and T: has been backed up in a safe location (also drives E:, M:, and U: for DAS
configurations)
• All physical drives attached to the RAID controller are in good health
• If you are using a DAS configuration, you need to perform the DAS Configuration: Remove Existing Drives
procedures
7. Under Tasks for Virtual Disk 1, select Delete, and then click Execute.
A warning about deleting all data appears.
8. Scroll to the bottom of the page and click Delete.
You are prompted to confirm the deletion.
9. To delete the virtual disk, click OK.
10. Repeat steps 7 through 9 for virtual disks 2 and 3.
11. Click Go to the Create Virtual Disk Wizard.
12. Select the Advanced Wizard option, select RAID-5 next to RAID Level, and then click Continue.
13. Select all physical disks on Connector 0 except for the first one, and then click Continue.
14. Review the Summary of Virtual Disk Attributes page. No changes are required.
15. Scroll to the bottom of the page, select the only drive available to be the dedicated hot spare, and then click
Finish.
16. Confirm your selections and verify that you have created a supported configuration.
17. To confirm the configuration, click OK, and then wait for the new configuration to be created.
This may take up to 15 minutes.
When the configuration is complete, the final state of the RAID appears.
18. Click Log Out, and then click Quit Browser.
2. If you receive a certificate warning, click Continue to this website to ignore it and proceed.
3. Log in to Server Administrator as an administrator.
4. Under the System tree on the left, click Storage.
5. Expand the second PERC adapter node, and then click Virtual Disks.
6. Ensure that all the check boxes in the Status column are green.
7. Under Tasks for Virtual Disk 0, select Delete, and then click Execute.
A warning about deleting all data appears.
8. Scroll to the bottom of the page and click Delete. You will be prompted to confirm the deletion.
9. To delete the virtual disk, click OK.
10. Repeat steps 7 through 9 for virtual disks 1 and 2.
11. Click Go to the Create Virtual Disk Wizard.
12. Select the Advanced Wizard option, select RAID-5 next to RAID Level, and then click Continue.
13. Select all physical disks on Connector 0 except for the first one, and then click Continue.
14. Review the Summary of Virtual Disk Attributes page. No changes are required.
15. Scroll to the bottom of the page, select the only drive available to be the dedicated hot spare, and then click
Finish.
16. Wait for the new configuration to be created. This may take up to 15 minutes. When the configuration is
complete, the final state of the RAID appears.
17. Click Log Out, and then click Quit Browser.
• The LogRhythm Install Wizard requires .NET Framework version 4.5.2 or above.
• If you are installing or upgrading the Data Indexer or Web Console, ensure that Windows Firewall
Service is running before starting the Install Wizard to allow firewall rules to be created.
• Do not try to run the wizard from a network share. Run the wizard locally on each appliance.
• For systems with UAC (Vista and later), always run installers as a Local Administrator with elevated
privileges. The person performing the installation must be in the Local Admin group, unless the
domain is managed and the Group Policy Object dictates that only Domain Administrators can run
installers.
• When installing the Web Console, it is recommended that you run the LogRhythm Install Wizard to
install all Web Console services. You may choose to install the Web Console as a stand-alone
installation or as part of the XM Appliance or Platform Manager (PM) configurations.
• Before installing or upgrading the Web Console, ensure that Windows Firewall is running so the
Common installer can open port 8300.
When the Client Console is installed on a fresh system, additional software packages must be
installed such as Microsoft Visual C++ Redistributable packages, SAP Crystal Reports runtime
engine, and .NET Framework 4.5.2. For this reason, the Client Console installer may take 30 minutes
or more to complete.
1. Log in as an administrator on the appliance or server where you are installing or upgrading LogRhythm
software.
2. Copy the entire LogRhythm Install Wizard directory to a new directory on the local server.
3. Open the Install Wizard directory, right-click LogRhythmInstallWizard.exe, and then click Run as
administrator.
The Welcome screen appears.
4. Click Next to proceed.
The wizard asks you to confirm that you have prepared the LogRhythm databases for the upgrade.
5. Click one of the following:
• If you have run the Database Install or Upgrade Tool on each Platform Manager or XM server (or EM or LM
server on 6.3.9 deployments), click Yes to continue.
• If you have not prepared the LogRhythm databases on all required appliances, click No to cancel the
wizard, install or upgrade all of the required databases, and then continue with this procedure.
The End User License Agreement appears.
6. Read the agreement carefully. By accepting the terms in the agreement, you agree to be bound by those terms.
7. If you accept the terms of the agreement, select the I accept the terms in the license agreement check box, and
then click Next.
The configuration selector appears. Depending on the selected configuration, the wizard upgrades or installs a
specific application or set of applications.
For certain configurations, you can optionally select to install or upgrade the AI Engine.
If you select the Web Console, it is installed to the default location,
C:\Program Files\LogRhythm\LogRhythm Web Services. For instructions on how to install the Web Console to a
custom location, see Use the LogRhythm Configuration Manager.
8. For each appliance that you install, select the target appliance configuration, according to the following table.
The following information applies to upgrades from 7.x only.
If you are upgrading an existing PM + DP appliance or another configuration that is not represented in
the Install Wizard, select one of the available configurations and then run the wizard again to install
the next configuration.
Appliance                 Configuration to select
XM                        XM
Platform Manager          PM
Data Processor            DP
AI Engine                 AIE
Deployments with an Event Manager:
XM                        XM
Event Manager             PM
AI Engine                 AIE
If you are upgrading the LogRhythm Web Console, pay attention to the following:
• Upgrades from Web Console 6.1.x and 6.2.x are not supported. Uninstall your Web Console and
complete a fresh installation.
• If you have a 7.2.0 deployment, close the Web Services Configuration Manager prior to
beginning the upgrade.
For more information, see Use the LogRhythm Deployment Tool before proceeding.
When you are finished preparing your deployment, you will be returned to the Install Wizard.
10. Watch for failures as the wizard installs or upgrades the applications according to the selected
configurations.
Color   Meaning
Green   The application was installed successfully. A message about the application and installed version is
        also printed below the status indicators.
Red     Something went wrong and the application was not installed. Additional details are printed below the
        status indicators. Check the installer logs located in C:\LogRhythm\Installer Logs\<install date and time>\
During the Web Console installation or upgrade, if you receive a message that notifies you of an error
with your Windows Installer package, go into each folder in C:\Program Files\LogRhythm\LogRhythm Web Services
and run the unzip.bat file as an administrator. For other failures, run a Repair.
11. Configure your deployment using the LogRhythm Configuration Manager that appears after the installation or
upgrade is complete.
The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited
settings are shown in Basic mode. Advanced mode displays all settings, including those shown in Basic mode,
grouped according to which service they affect. You can filter the settings that are displayed by clicking one of
the options on the left — All (no filtering), Authentication, or Web Services. When settings are filtered, you should
enable the Advanced view to ensure you can see all settings. For more information, see Use the LogRhythm
Configuration Manager.
While the Configuration Manager is still open, review your previous Web Console configuration values
(backed up before starting the upgrade), turn on the advanced view, and validate or set all of the
values in the Configuration Manager, especially the following:
• Global, Database Server. This is the IP address of your Platform Manager where the EMDB is
installed.
• Web Global, Database Password. This is the password for the LogRhythmWebUI user, used by
the Admin API for connecting to the EMDB. If the password is not correct, the Admin API will
display an error.
• Web Console UI values. Verify all settings for all Web Console instances.
When finished, click Save, back up your current configuration to file, and then close the
Configuration Manager.
After you validate and save your configuration, it is strongly recommended that you make a new backup.
Save the file in a safe location in case you need to restore it later.
If you need to install additional components that were not included in the selected configuration,
run the Install Wizard again and select the necessary components.
If you are adding the Linux Data Indexer to your deployment, see Install the LogRhythm Data
Indexer.
If you are upgrading a multi-node cluster, you only need to modify yum.conf on the node from
which you will run the upgrade.
EXAMPLE
proxy=http://my.proxyaddress.com:9999
proxy_username=myloginID
proxy_password=mypassword
CentOS-Base.repo contains the base, updates, extras, and centosplus repositories. By default, updates to
centosplus are disabled (i.e., enabled is set to 0). For base, updates, and extras, you will need to add a line
that will skip updates if the repo is unavailable.
If you are upgrading a multi-node cluster, you only need to modify CentOS-Base.repo on the node
from which you will be running the upgrade.
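The edit described above, as an added example that is not part of the LogRhythm guide: the guide says to add a line to the base, updates and extras sections that skips the repository when it is unreachable but does not name the option. This example uses yum's own skip_if_unavailable=1 for that purpose (that choice, and the sample CentOS-Base.repo it writes, are the example's own assumptions). Run add_skip_if_unavailable against /etc/yum.repos.d/CentOS-Base.repo as root on the node from which you will run the upgrade, after taking a copy of the file.

```shell
#!/bin/sh
# Added example, not part of the LogRhythm guide: add the yum option
# skip_if_unavailable=1 to the [base], [updates] and [extras] sections of a
# CentOS-Base.repo file, leaving [centosplus] (enabled=0 by default) alone.
# The guide does not name the option; skip_if_unavailable is this example's
# choice. The sample repo file written below is constructed for the demo.

# make_sample_repo FILE: write a minimal CentOS-Base.repo (constructed).
make_sample_repo() {
  cat > "$1" <<'EOF'
[base]
name=CentOS-$releasever - Base
gpgcheck=1
enabled=1

[updates]
name=CentOS-$releasever - Updates
gpgcheck=1
enabled=1

[extras]
name=CentOS-$releasever - Extras
gpgcheck=1
enabled=1

[centosplus]
name=CentOS-$releasever - Plus
gpgcheck=1
enabled=0
EOF
}

# add_skip_if_unavailable FILE: rewrite FILE in place so that [base], [updates]
# and [extras] each end with skip_if_unavailable=1. A section that already has
# the line is left as it is, so the function is safe to run more than once.
add_skip_if_unavailable() {
  awk '
    function close_section() {          # emit the line if the section needs it
      if (pending && !seen) print "skip_if_unavailable=1"
      pending = 0; seen = 0
    }
    /^\[/ {                             # a new [section] header
      close_section()
      name = substr($0, 2, length($0) - 2)
      pending = (name == "base" || name == "updates" || name == "extras")
      print; next
    }
    /^skip_if_unavailable=/ { seen = 1 }
    /^$/ && pending { close_section(); print; next }
    { print }
    END { close_section() }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# section_has_skip FILE SECTION: exit 0 if [SECTION] carries skip_if_unavailable=1.
section_has_skip() {
  awk -v want="[$2]" '
    /^\[/ { in_sect = ($0 == want); next }
    in_sect && /^skip_if_unavailable=1$/ { found = 1 }
    END { exit !found }
  ' "$1"
}
```

The awk pass tracks only the section it is in, so the line is appended at the end of each target section whether sections are separated by blank lines or not, and centosplus keeps its enabled=0 untouched.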
Before starting the Data Indexer upgrade, ensure that firewalld is running on all cluster nodes. To
do this, log in to each node and run the following command: sudo systemctl start firewalld
You can only run the installation script from a partition on which the logrhythm user has execute
privileges. It is recommended that you run the script from somewhere within /home/logrhythm.
3. If you need to create a hosts file, use vi to create a file in /home/logrhythm/Soft called hosts.
Ensure that you specify the current Data Indexer hostname if you are creating a new file.
The hosts file must follow a defined pattern of <IPv4 address> and <hostname> on each line. You must separate
the address and hostname with a space. The file might look like the following:
10.1.23.91 LRLinux1
Do not use fully qualified domain names for Indexer hosts. For example, use only LRLinux1 instead of
LRLinux1.myorg.com.
The following command sequence illustrates how to create and modify a file with vi:
a. To create the hosts file and open for editing, type vi hosts.
b. To enter INSERT mode, press the i key.
c. Enter the IPv4 address and hostname to use for the Indexer, separated by a space.
d. Press the Esc key.
e. Enter the following characters to exit and save your hosts file: :wq
4. Run the installer with the hosts file argument, as follows:
sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/Soft/hosts --plan /home/logrhythm/plan.yml
You can press the Tab key after starting to type out the installer name, and the filename autocompletes for you.
5. If prompted for the SSH password, enter the password for the logrhythm user.
The script installs the Data Indexer.
If the installation fails with the following error — failed to connect to the firewalld daemon — ensure
that firewalld is running on all cluster nodes and start the installation again. To do this, log in to each
node and run the following command: sudo systemctl start firewalld
You only need to run the upgrade on one of your cluster nodes. Run it on the same machine where
you ran the original installer. The package installer installs a Data Indexer on each node.
Before starting the Data Indexer upgrade, ensure that firewalld is running on all cluster nodes. To
do this, log in to each node and run the following command: sudo systemctl start firewalld
You can only run the installation script from a partition on which the logrhythm user has execute
privileges. It is recommended that you run the script from somewhere within /home/logrhythm.
You should have a file named hosts in the /home/logrhythm/Soft directory that was used during the original
installation. The hosts file must follow a defined pattern of {IPv4 address} and {hostname} on each line. You
must separate the address and hostname with a space.
The contents of the file might look like the following:
10.1.23.65 LRLinux1
10.1.23.67 LRLinux2
10.1.23.91 LRLinux3
Do not use fully qualified domain names for Indexer hosts. For example, use only LRLinux1 instead of
LRLinux1.myorg.com.
3. If you need to create a hosts file, use vi to create a file in /home/logrhythm/Soft called hosts.
The following command sequence illustrates how to create and modify a file with vi:
a. To create the hosts file and open for editing, type vi hosts.
b. To enter INSERT mode, press the i key.
c. Enter the IPv4 address and hostname to use for the Indexer, separated by a space.
d. Press the Esc key.
e. Enter the following characters to exit and save your hosts file: :wq
4. Run the installer using the original or updated hosts file, as follows:
When upgrading a DX7500 that is already running as a 2XDX, only run the regular
LRDataIndexer.run file, as described below. Do not run the 2XDX installer.
If the installation fails with the following error — failed to connect to the firewalld daemon — ensure
that firewalld is running on all cluster nodes and start the installation again. To do this, log in to each
node and run the following command: sudo systemctl start firewalld
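The hosts file format (one "<IPv4 address> <hostname>" pair per line, short hostnames only) and the per-node firewalld check that the upgrade steps above call for, as an added example that is not LogRhythm's code. It assumes the file lives at /home/logrhythm/Soft/hosts and that the logrhythm user can ssh to every node; the addresses and hostnames it writes are constructed. Run validate_hosts on the file before passing it to the installer, and pipe the output of firewalld_commands to sh to start firewalld on each node.

```shell
#!/bin/sh
# Added example, not LogRhythm's code: sanity-check a Data Indexer hosts file
# before handing it to the installer, and print the per-node firewalld command
# the guide asks for. Assumptions of this example only: the file is
# /home/logrhythm/Soft/hosts and the logrhythm user can ssh to every node.
# The sample addresses and hostnames are constructed.

# make_sample_hosts FILE: write a three-node hosts file (constructed values).
make_sample_hosts() {
  printf '10.1.23.65 LRLinux1\n10.1.23.67 LRLinux2\n10.1.23.91 LRLinux3\n' > "$1"
}

# validate_hosts FILE: each non-blank line must be "<IPv4 address> <hostname>"
# with exactly one space, a real dotted-quad address and a short hostname
# (no dots, so no FQDN, as the guide requires). Problems are printed one per
# line; the exit status is 1 if any line is bad, 0 otherwise.
validate_hosts() {
  awk '
    function is_ipv4(s,  n, p, i) {
      n = split(s, p, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
      return 1
    }
    /^[ \t]*$/ { next }                                  # skip blank lines
    {
      if (NF != 2 || $0 != ($1 " " $2))
        msg = "expected <IPv4 address> and <hostname> separated by one space"
      else if (!is_ipv4($1))
        msg = $1 " is not a valid IPv4 address"
      else if ($2 ~ /\./)
        msg = $2 " looks like an FQDN; use the short hostname"
      else if ($2 !~ /^[A-Za-z0-9][A-Za-z0-9-]*$/)
        msg = $2 " is not a valid hostname"
      else if (($1 in ips) || ($2 in names))
        msg = "duplicate address or hostname"
      else { ips[$1] = 1; names[$2] = 1; next }
      print "line " NR ": " msg; bad++
    }
    END { exit (bad > 0) }
  ' "$1"
}

# firewalld_commands FILE: print, one per node, the command that makes sure
# firewalld is running there (the guide's "sudo systemctl start firewalld",
# run over ssh as the logrhythm user). Printed rather than executed so the
# example is safe to run anywhere; pipe the output to sh to apply it.
firewalld_commands() {
  awk '!/^[ \t]*$/ {
    printf "ssh logrhythm@%s \"sudo systemctl is-active --quiet firewalld || sudo systemctl start firewalld\"\n", $1
  }' "$1"
}

# count_nodes FILE: number of non-blank lines, i.e. nodes the installer touches.
count_nodes() {
  awk '!/^[ \t]*$/ { n++ } END { print n + 0 }' "$1"
}
```

Rejecting FQDNs and double spaces up front matters because the installer reads the file line by line and a malformed entry surfaces only as a failure partway through the cluster upgrade.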
• LogRhythmMetricsCollection 1.0.0
• LogRhythmServiceRegistry 1.5.1
• nginx 1.10.1
• zeromq 4.0.5
The following requirements and procedures apply only to Windows-based appliances and servers.
These patches are not required on Linux systems, on the Platform Manager, on systems running
only the System Monitor Agent, or on systems where .NET 4.6 is already installed.
To enable communication over TLS 1.2, LogRhythm 7.4 core components on Windows must be running
Microsoft .NET Framework 4.5.2 — .NET 4.6 is acceptable, though this version is only installed on the
Platform Manager.
• .NET 4.5.2 will be installed for any LogRhythm component that requires it.
• The .NET 4.5.2 hotfixes are available in a .zip file under Documentation & Downloads on the LogRhythm
Community.
Apply .NET 4.5.2 Hotfix for Windows 7 SP1, Windows Server 2008, Windows Server
2008 R2
The .NET 4.5.2 rollup hotfix is provided in the TLS 1.2 Support package on the LogRhythm Community. To
apply the hotfix, do the following on all appliances or computers running LogRhythm core components on
Windows 7 SP1, Windows Server 2008, or Windows Server 2008 R2:
1. Log in to the appliance or computer as an administrator.
2. Browse to the directory where you copied NDP452-KB3099845-x86-x64-ENU.exe.
3. Right-click NDP452-KB3099845-x86-x64-ENU.exe, and then click Run as administrator.
The Microsoft .NET Framework 4.5.2 Hotfix Rollup Setup wizard appears.
4. Accept the license agreement and then click Install to apply the hotfix.
Apply .NET 4.5.2 Update for Windows 8.1 or Windows Server 2012 R2
The .NET 4.5.2 update, x64-Windows8.1-KB3099842-x64.msu, is provided in the TLS 1.2 Support package on
the LogRhythm Community. To apply the update, do the following on all appliances or computers running
LogRhythm core components on Windows 8.1 or Windows Server 2012 R2:
1. Log in to the appliance or computer as an administrator.
Restart the appliance or server when the installation is complete, regardless of whether you are
prompted to restart.
Windows
You can configure the Indexer using the configuration web page — AllConf — that is hosted on the Indexer
Appliance or server. Please note the following requirements:
• For Windows Indexers, you must perform these steps for each Indexer in your deployment.
• Ensure that the LogRhythm DX – AllConf and LogRhythm DX – Configuration Server services are running on the
appliance before trying to connect to the Indexer.
• You can only access AllConf locally or through a remote desktop/terminal services session to the appliance.
• You can only access AllConf using Google Chrome (latest version), Mozilla Firefox (latest version), or Internet
Explorer 11.
Do not attempt to modify any configuration files manually. If you have any issues, contact
LogRhythm Support.
To access AllConf and configure the Data Indexer:
1. Log in to the DPX appliance as an administrator.
2. Start one of the supported browsers and type the following in the address bar: http://localhost:9100
The Data Indexer Configuration sign in page appears.
3. Type admin in the Username box and the LogRhythm default password in the Password box, and then click Sign
In.
If you make any changes to the existing Indexer configuration, ensure that you click Submit
before signing out or leaving the page.
CloudAI Config
These configuration values apply only to users of the LogRhythm CloudAI solution.
Administrator Password: Best practice is to change the default password for the admin user. Click Change
Password, then use the Update Password dialog box to enter and confirm a new password.
Carpenter Config
Db Password: This is the password used by the LogRhythmNGLM SQL account. Services on the Data Indexer use
this account to connect to the EMDB and read/update tables.
Db Username: This should be left unchanged unless you have renamed the LogRhythmNGLM SQL account in SQL
Server Management Studio.
Emdb Host: This must be set to the external IP address of your Platform Manager appliance, where the EMDB
database is hosted.
Public IP: This must be set to the external IP address of your DPX appliance or server.
cluster.name: If you only have one DPX appliance, you can leave this value at the default (logrhythm). If you
have more than one DPX appliance, change this value so that each cluster name is unique. For example,
logrhythm01, logrhythm02, and logrhythm03.
The cluster name for each DPX appliance must be different. When you have finished making changes on the
Data Indexer Configuration page, ensure that you assign the correct cluster to each Data Processor. For
multiple DPX appliances, ensure that the cluster is assigned to the Data Processor running on the same
appliance.
For example, if clusters are named as follows: DPX-A = dxa, DPX-B = dxb, and DPX-C = dxc, Data Processor A
should point to cluster dxa, Data Processor B should point to cluster dxb, and Data Processor C should
point to cluster dxc.
${DXDATAPATH} and ${DXPATH} are system variables that are created when the Data Indexer is installed. By
default, these variables are set to D:\LogRhythm\Data Indexer.
You can use any directory you want for storing Elasticsearch data, but it should not be on the C:
drive. You should change the data path to something like the following:
D:\LRIndexer\elasticsearch\data
If you have more than one drive for data, you can specify multiple locations separated by a comma:
D:\LRIndexer\elasticsearch\data,E:\LRIndexer\elasticsearch\data.
path.logs: This is the directory location where Elasticsearch logs are stored.
Default value: ${DXPATH}\elasticsearch\logs
Default full path: C:\LogRhythm\Data Indexer\elasticsearch\logs
You can use any directory you want for storing Elasticsearch logs, but it should not be on the C:
drive. You should change the log path to something like the following:
D:\LRIndexer\elasticsearch\logs
FIPS Config
Enabled: Enables or disables FIPS on the Data Indexer cluster. Set to false to disable FIPS, or set to true to
enable FIPS. The default value is false.
5. Click Submit.
Your changes are pushed to the appropriate appliances and database tables, and all the required Indexer
services start or restart.
Linux
Whether your Linux Data Indexer cluster is one node or 3 to 10 nodes, you only have to log in to the
configuration page on one of the nodes. Note the following requirements:
• On a Linux Data Indexer, you can only access the web page from an external computer that has access to the
Data Indexer network.
• You can only access the web page using Google Chrome, Mozilla Firefox (latest versions of each), or Internet
Explorer 11.
Do not attempt to modify any configuration files manually. If you have any issues, contact
LogRhythm Support.
To access AllConf and configure the Data Indexer:
1. Log in to a Windows server with network access to the Data Indexer nodes.
2. Start one of the supported browsers.
3. Type the IP address of one of the cluster nodes in the address bar, and then press Enter.
The Data Indexer Configuration sign in page appears.
4. Type admin in the Username box and the LogRhythm default password in the Password box, and then click Sign
In.
If you make any changes to the existing Indexer configuration, ensure that you click Submit
before signing out or leaving the page.
CloudAI Config
These configuration values apply only to users of the LogRhythm CloudAI solution.
Administrator Password: Best practice is to change the default password for the admin user. Click Change
Password, then use the Update Password dialog box to enter and confirm a new password.
Carpenter Config
Db Password: This is the password used by the LogRhythmNGLM SQL account. Services on the Data Indexer use
this account to connect to the EMDB and read/update tables.
Db Username: This should be left unchanged unless you have renamed the LogRhythmNGLM SQL account in SQL
Server Management Studio.
Emdb Host: This must be set to the external IP address of your Platform Manager appliance, where the EMDB
database is hosted.
Public IP: For each node, this must be set to the external IP address of your Data Indexer appliance or
server.
cluster.name: If you only have one cluster, you can leave this value at the default: logrhythm. If you have
more than one cluster, change this value so that each cluster name is unique. For example, logrhythm01,
logrhythm02, and logrhythm03.
path.data: This is the directory where Elasticsearch data is stored. You can change this location if you like,
but it is OK to leave the default location. If you have more than one path for data, you can specify
multiple locations separated by a comma: /usr/local/logrhythm/db/data, /usr/local/logrhythm/db/data1/
path.logs: This is the directory where Elasticsearch logs are stored. You can change this location if you
like, but it is OK to leave the default location.
FIPS Config
Enabled: Enables or disables FIPS on the Data Indexer cluster. Set to false to disable FIPS, or set to true to
enable FIPS. The default value is false.
6. Click Submit.
Your changes are pushed to the appropriate appliances and database tables, and all the required Indexer
services start or restart.
• Disk Util Limit. Indicates the percentage of disk utilization that triggers maintenance. The default is 80, which
means that maintenance starts when the Elasticsearch data disk is 80% full.
The value for Disk Util Limit should not be set higher than 80. This can have an impact on the
ability of Elasticsearch to store replica shards for the purpose of failover.
• Index Configs[0]. Min indicates the absolute minimum number of indices that are required for the active
repository. The default is 2.
Maintenance is applied to the active repository, as well as archive repositories created by Second Look.
When the Disk Usage Limit is reached, active logs are trimmed when “max indices” is reached. At this point,
Go Maintain deletes completed restored repositories starting with the oldest date.
The default settings prioritize restored repositories above the active log repository. Restored archived logs
are maintained at the sacrifice of active logs. If you want to keep your active logs and delete archives for
space, set your min indices equal to your max indices. This forces the maintenance process to delete
restored repositories first.
Do not modify any of the configuration options under Force Merge Config without the assistance of
LogRhythm Support or Professional Services.
The force merge configuration combines index segments to improve search performance. In larger
deployments, search performance could degrade over time due to a large number of segments. Force merge
can alleviate this issue by optimizing older indices and reducing heap usage.
Hour Of Day For Periodic Merge (default: 1): The hour of the day, in UTC, when the merge operation should
begin. If Only Merge Periodically is set to false, Go Maintain merges segments continuously, and this
setting is not used.
Merging Enabled (default: false): If set to true, merging is enabled. If set to false, merging is disabled.
Only Merge Periodically (default: false): If set to true, Go Maintain only merges segments once per day, at
the hour specified by Hour Of Day For Periodic Merge. If set to false, Go Maintain merges segments on a
continuous basis.
Logging of configuration and results for force merge can be found in
C:\Program Files\LogRhythm\DataIndexer\logs\GoMaintain.log.
Index Configs
The DX monitors Elasticsearch memory and DX storage capacity. GoMaintain tracks heap pressure on the
nodes. If the pressure constantly crosses the threshold, GoMaintain decreases the number of days of indices
by closing the index. Closing the index removes the resource needs of managing that data and relieves the
heap pressure on Elasticsearch. GoMaintain continues to close days until the memory is under the warning
threshold and continues to delete days based on the disk utilization setting of 80% by default.
The default limit is 180. The 180 days of indices will be kept if the system has enough resources to support it.
You can also configure a lower TTL by changing this number. If this number is no longer achievable, the DX
sends a diagnostic warning and starts closing the indices.
Indices that GoMaintain has closed are not searchable in 7.4.0 but are kept for reference purposes. To see
which indices are closed, you can run a curl command such as the following:
curl -s -XGET 'http://localhost:9200/_cat/indices?h=status,index' | awk '$1 == "close" {print $2}'
You can also open a browser to http://localhost:9200/_cat/indices?v to show both open and closed indices.
Indices can be reopened with the following query as long as you have enough heap memory and disk space
to support this index. If you do not, it immediately closes again.
curl -XPOST 'localhost:9200/<index>/_open?pretty'
After you open the index in this way, you can investigate the data in either the Web Console or Client
Console.
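Working with the closed-index listing and the reopen request described above, as an added example that is not from the guide: it processes the status/index output of the guide's curl command and builds the _open request for exactly one index at a time, refusing wildcard or _all names that would reopen every closed index and consume the heap GoMaintain freed. The _cat/indices output and index names are constructed samples, so it runs without a live Elasticsearch node.

```shell
#!/bin/sh
# Added example, not from the guide: process the output of the guide's
# "curl -s 'http://localhost:9200/_cat/indices?h=status,index'" command and
# build the reopen request safely, without a live Elasticsearch node. The
# _cat/indices output and the index names below are constructed samples.

# sample_cat_indices: what the curl above prints on a node where GoMaintain
# has closed two older days (constructed).
sample_cat_indices() {
  cat <<'EOF'
open  logs-2019-03-11
close logs-2019-01-06
open  logs-2019-03-10
close logs-2019-01-05
EOF
}

# closed_indices: read status/index pairs on stdin and print the names of the
# closed ones, oldest first (the sample names embed a date, so a plain sort
# orders them; real index names need a sort key that matches their format).
closed_indices() {
  awk '$1 == "close" { print $2 }' | sort
}

# reopen_command INDEX: print the curl that reopens exactly one index. Names
# containing a slash, wildcard, comma, "?" or space, or the special name _all,
# are refused, because a path like "logs-*/_open" would reopen every matching
# index at once and the heap that GoMaintain freed would be consumed again.
reopen_command() {
  case "$1" in
    ''|_all|*/*|*\**|*,*|*\?*|*' '*)
      echo "refusing to build a reopen request for '$1'" >&2
      return 1 ;;
  esac
  printf "curl -XPOST 'http://localhost:9200/%s/_open?pretty'\n" "$1"
}

# reopen_commands_for_closed: one reopen command per closed index, read from
# stdin in the _cat/indices h=status,index format. Printed, not executed:
# review the list and run the commands one at a time, checking heap and disk
# after each, since an index that the node cannot support closes again.
reopen_commands_for_closed() {
  closed_indices | while IFS= read -r idx; do reopen_command "$idx"; done
}
```

On a live node, replace sample_cat_indices with the guide's curl command and feed its output to reopen_commands_for_closed.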
You must import a new license file and perform steps 5-7 on each Data Processor in your
deployment.
For more information about licensing or the licensing wizard, see Assign LogRhythm Licenses.
1. Copy your 7.4 license file to the Platform Manager or to a network location that is accessible from the Platform
Manager.
2. Log in to a system where the 7.4.4 LogRhythm Client Console is installed.
3. Import the 7.4 license file:
a. Start the LogRhythm 7.4 Client Console and click Deployment Manager.
b. On the File menu, click Import License File.
c. Browse to and select your 7.4 license file, and then click Open.
d. The License Import Warning is displayed: Importing a license synchronizes your licenses with the licenses
in the file. It is important that you only import the latest license file issued you by LogRhythm. Importing
an older license or one with a different master license ID may cause undesired results such as existing
licensed components becoming unlicensed. Are you sure the selected file is your latest? Click Yes to
continue importing the file.
e. Click Yes.
f. When the import is complete, click OK to close the Import Successful dialog box.
4. Click the Data Processors tab.
5. Double-click one of the Data Processors in the list.
The Data Processor Properties dialog box appears.
6. Select a cluster from the Cluster Name list, and then click OK.
Cluster information is sent out when applying configuration changes on the Data Indexer. For
more information, see Configure the Data Indexer above.
7. Review the current License Status and run the licensing wizard if necessary, and then click OK.
8. Repeat steps 5-7 on each Data Processor in your deployment.
Windows and Linux System Monitors can be upgraded in bulk using the System Monitor Package
Manager in the Client Console. For additional information about this and about general System
Monitor installation and upgrades, see System Monitor.
Windows hosts running System Monitors prior to version 7.2.x may still have .NET 4.0 installed.
During the upgrade, via the System Monitor Package Manager or manual upgrade, .NET 4.5.2 will be
installed. The installation of .NET 4.5.2 requires a system reboot. If you see any System Monitors in
your deployment that stop sending heartbeats after the upgrade, you may need to manually reboot
the System Monitor host to complete the .NET installation.
If you have any 6.3.x Agents performing UDLA collection in your deployment, you must upgrade
these Agents to version 7.4.4. If you do not upgrade these Agents, UDLA collection will not work
after upgrading your deployment to 7.4.4.
For additional information on System Monitor Agent installation, see Set Up an Initial System
Monitor Agent.
Windows
Users who attempt to upgrade the 32-bit System Monitor on a system having MS KB2918614 applied may
encounter a software restriction policy error. In this case, the existing System Monitor should be uninstalled
before attempting to install v7.4.4.
To upgrade System Monitor Agents to 7.4.4, do the following:
1. Log in with the Administrator account or an account having administrative privileges to the system where the
System Monitor Agent is installed.
2. Before removing the System Monitor, verify the account used for the System Monitor service. In the Windows
Services console, right-click the service, view Properties, and click the Log On tab. If the service does not
use the Local System account, you will need the password for that account when installing the Agent, or you
need a new account and password.
3. To open Windows Services, click Start, Administrative Tools, and Services.
4. Stop the service called LogRhythm System Monitor service.
5. Run the installer for the 7.4.3 32-bit or 64-bit System Monitor Agent, LRSystemMonitor_#.#.#.#.exe.
If running Windows 2008, Vista, or Windows 7, you must run the installer as administrator.
6. If the system does not have the Microsoft Visual C++ 2010 Redistributable Package installed, click Install.
7. Follow the instructions in the Install Wizard.
8. If prompted, accept the license agreement.
9. Choose the default installation path, and then click Next.
10. To determine if you have sufficient space for installation, click Space and then click OK.
11. (Optional) Install the Realtime FIM driver.
Realtime FIM is included with the System Monitor Lite license for desktop operating systems
only. A System Monitor Pro license is required for servers. For more information, see
LogRhythm Compatibility and System Monitor Functionality.
12. On the Install Wizard Completed screen, clear the Launch System Monitor Configuration Manager check box.
13. If your LogRhythm Windows System Monitor Agent service uses Windows accounts, open Windows Services
Control Panel.
14. Click the Log On tab and add the service account and password in the service properties.
15. To start the Agent, click Start, Administrative Tools, and Services. Right-click the agent and select Start.
16. Repeat these steps for other Windows System Monitor Agents in your deployment.
(Optional) *NIX
Only Linux 2.4 & 2.6 can be upgraded directly. Other *NIX agents must be uninstalled and reinstalled.
Read the instructions included with the installer package for your particular operating system.
1. Copy the files from the installer package to the *NIX system.
2. Follow the instructions in the scsm_<operating_system>.txt file to uninstall the old version.
3. Decompress the file with the .tar extension, using tar xf scsm_<operating_system>.tar.
4. Follow the instructions in the scsm_<operating_system>.txt file to install the new *NIX System Monitor Agent.
5. Start the *NIX System Monitor Agent according to the instructions in the scsm_<operating_system>.txt file.
6. Repeat for all *NIX Agents in your deployment.
If you install the version 7.x KB, you cannot go back to the version 6.x KB.
For more information about the KB update and the Common Event Change Manager, see Knowledge Base.
Automatic Download
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Inbound firewall rules must be set to accept traffic on Port 80 and 443.
1. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.
The Knowledge Base Manager appears.
2. Click Synchronization Settings.
3. Select the following check boxes:
• Enable Automatic Knowledge Base Download.
• Enable Automatic Knowledge Base Core Synchronization.
• Enable Automatic Knowledge Base Module Synchronization.
4. If a proxy is required, click the Proxy Settings tab.
5. Enter the Proxy Server Address and Proxy Server Port.
6. If the proxy server requires authentication, select that check box and provide a valid User Name, Password, and
Domain.
7. Click OK.
The Knowledge Base manager checks for updates, downloads the Knowledge Base, and synchronizes as
scheduled.
8. To force an immediate download, click Check for Knowledge Base Updates.
Manual Download
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
If you do not have access to the Internet or do not want to download the KB automatically, perform the
following steps:
1. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.
The Knowledge Base Manager appears.
2. On the File menu, click Export Knowledge Base Request File.
3. Browse to the location where you want to save the file, then click OK.
After the request file is saved, the Export Successful dialog box appears.
4. Click OK, and then close the Client Console.
5. From a computer with Internet access, log in to the Community.
6. Click Latest Version Information, and then click Download your Knowledge Base at the bottom of the page.
7. Click Choose File to browse to and upload the KB request file, then click Get Knowledge Base — if your current
KB is not the latest, you will be prompted to save the latest KB file.
8. Enter your deployment’s License ID, Deployment ID, and Product Version in the available fields (available by
clicking About LogRhythm on the Client Console Help menu), and then click Get Knowledge Base.
9. Save the KB file and then transfer it to the computer where the KB is being updated.
The Knowledge Base Import Wizard appears and starts unpacking and validating the Knowledge Base file. The
file is checked for compatibility with your current deployment and prepared for import. This may take several
minutes.
Upon completion, the Unpack Progress: Knowledge Base unpacked message appears.
6. To Import Knowledge Base, click Next.
Upon completion, the Import Progress Import Completed message appears.
7. To close the message, click OK.
8. On the Knowledge Base Import Wizard, click Close.
9. To enable the Knowledge Base Modules and synchronize it, perform the following steps:
a. Select the Action check boxes next to the modules you want.
b. Right-click the module, click Actions, and then click Enable Module.
The Enable Selected Modules box displays a confirmation message with options.
c. Select the options you want, and then click OK.
The Enable Modules box message appears.
d. To start the synchronization, click Yes.
e. When complete, click Close to close the Import Wizard.
10. To Migrate Common Event Changes, perform the following steps:
If you are not familiar with the customizations that have been made to your deployment, do not proceed
with the import until you have that knowledge, or contact LogRhythm Support for assistance.
a. If Action Required is displayed, some items need to be updated due to Common Event migration
changes. Click Common Event Change Manager.
• To migrate a Common Event with a preview, select the Action check box for the item, from the
context menu, click Migrate with Preview, and then click either Migrate Common Event to
Common Event or Common Event to MPE Rule.
• To migrate a Common Event without a preview, select the Action check box for the item. From the
context menu, click Action, and then click Migrate Common Event to Common Event or Migrate
Common Event to MPE Rule.
• To ignore the Common Events, select the Action check box for the item. From the context menu,
click Action and then click Ignore. When this option is selected, items checked in the grid are
ignored during future Common Event Migration checks. The items are no longer displayed in the
Common Event Change Manager.
b. To close the Common Event Change Manager, click Close.
c. To view the Synchronization History, click View Synchronization History.
11. Click Close.
12. To close the Knowledge Base Manager, click OK.
If you need assistance with any of the procedures listed below, contact your system or network
administrator.
The netsh command has been deprecated but should still work on Windows Server 2008 R2, 2012 R2,
and 2016. If necessary, you can start Windows Firewall and search for the ports that are allowed on the
current server.
The following lists include the default directories. However, the location of any State folder
(including AI Engine, Job Manager, and SCARM) and archive data can be customized to use any
location (for example, D:\). The actual locations of these folders need to be excluded.
XM Appliance
If you have an XM appliance, apply the exclusions specified for the PM, DPX, and AIE (if installed).
PM Appliance
• D:\*.mdf
• L:\*.ldf
• T:\*.mdf
• T:\*.ldf
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• C:\tmp\indices\ (if Web Console is installed on the PM)
• If the Threat Intelligence Service (TIS) is installed:
• C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\*.*
• C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\staging\HailATaxii\*.*
DX Appliance (Linux)
• /var/log/elasticsearch
• /usr/local/logrhythm/db/elasticsearch/data
AIE Appliance
• C:\Program Files\LogRhythm\LogRhythm AI Engine\data\*.*
• C:\Program Files\LogRhythm\LogRhythm AI Engine\state\*.*
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
If the AIE service is running on the PM appliance, exclude these directories on the PM.
The above paths are the default installation locations for the System Monitor Agent. If you installed the
Agent in a different location (for example, D:\), update the exclusions as required.
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
• Registry keys used by SIOS, available at the following link: http://docs.us.sios.com/WindowsSPS/8.6/SPS4W/TechDoc/index.htm#DataKeeper/Administration/Registry_Entries.htm%3FTocPath%3DDataKeeper%7CAdministration%7C_____10
• LogRhythmCaseAPI.exe
• LogRhythmServiceRegistry.exe
• LogRhythmThreatIntelligence.exe
• lr-threat-intelligence-api.exe (32 bit)
• LogRhythmWebConsoleAPI.exe
• LogRhythmWebConsoleUI.exe
• LogRhythmWebIndexer.exe
• LogRhythmWebServicesHostAPI.exe
• nginx.exe *32 (a minimum of two instances)
• node.exe (four instances)
• procman.exe (eight instances)
• NSSM Service Manager
NSSM is not a LogRhythm application, but a third-party service manager that provides a
wrapper around Java, Go, and other services to ensure that they run properly on Windows
and that they are restarted when they stop.
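As an added example (not part of the LogRhythm guide), the following PowerShell script compares the PM appliance paths and the executables listed above against the current Microsoft Defender Antivirus exclusions and reports what is missing. It assumes Defender is the scanner in use and that the default install locations apply; edit $PathExclusions if State folders or archive data were moved.

```powershell
# Added example, not from the LogRhythm guide: check the documented PM paths and the
# executables listed above against the current Defender exclusions.
# Assumes Defender is the scanner in use and the default install locations apply;
# edit $PathExclusions if State folders or archive data were moved (for example, to D:\).
param([switch]$Apply)   # without -Apply the script only reports what is missing

$PathExclusions = @(
    'D:\*.mdf', 'L:\*.ldf', 'T:\*.mdf', 'T:\*.ldf',
    'C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos',
    'C:\tmp\indices\'   # only if the Web Console is installed on the PM
)
$ProcessExclusions = @(
    'LogRhythmCaseAPI.exe', 'LogRhythmServiceRegistry.exe', 'LogRhythmThreatIntelligence.exe',
    'lr-threat-intelligence-api.exe', 'LogRhythmWebConsoleAPI.exe', 'LogRhythmWebConsoleUI.exe',
    'LogRhythmWebIndexer.exe', 'LogRhythmWebServicesHostAPI.exe',
    'nginx.exe', 'node.exe', 'procman.exe'
)

$pref = Get-MpPreference
# Normalize trailing backslashes so 'C:\tmp\indices\' and 'C:\tmp\indices' compare equal;
# -notcontains is case-insensitive, which matches how Windows paths behave.
$havePaths = @($pref.ExclusionPath | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') })
$haveProcs = @($pref.ExclusionProcess | Where-Object { $_ })

$missingPaths = @($PathExclusions    | Where-Object { $havePaths -notcontains $_.TrimEnd('\') })
$missingProcs = @($ProcessExclusions | Where-Object { $haveProcs -notcontains $_ })

if ($missingPaths.Count -eq 0 -and $missingProcs.Count -eq 0) {
    Write-Host 'All documented exclusions are present.'
    return
}
Write-Host 'Missing path exclusions:';    $missingPaths | ForEach-Object { "  $_" }
Write-Host 'Missing process exclusions:'; $missingProcs | ForEach-Object { "  $_" }

if ($Apply) {
    # Every exclusion widens what the scanner ignores, so add only the documented set.
    if ($missingPaths.Count) { Add-MpPreference -ExclusionPath    $missingPaths }
    if ($missingProcs.Count) { Add-MpPreference -ExclusionProcess $missingProcs }
    Write-Host 'Exclusions added; rerun without -Apply to confirm.'
}
```

Run it from an elevated PowerShell window on the appliance; other antivirus products expose their exclusion lists differently.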
Web Console users who upgraded from LogRhythm 7.2 or 7.3 will have a section in the LogRhythm
Configuration Manager for Web Console UI, without a hostname designation to identify the Web Console
server. This section should be removed from the Configuration Manager.
1. Log in to any server where the Web Console is installed as a user with administrative privileges.
2. Open a PowerShell window and run the following command:
Invoke-RestMethod -Method Delete http://localhost:8500/v1/kv/services/lr-web-console-ui/CONFIG_OPTIONS
3. Restart the LogRhythm Web Console UI service on all Web Console servers.
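As an added example (not part of the LogRhythm guide), this PowerShell script lists the Web Console UI keys held in the service registry before and after removing the stale entry, so you can confirm that only the documented key is deleted. It assumes the registry answers on localhost:8500 as in the command above; the prefix filter is an assumption about how the keys are grouped.

```powershell
# Added example, not from the LogRhythm guide: show the Web Console UI keys in the
# service registry before and after deleting the stale CONFIG_OPTIONS entry.
# Assumes localhost:8500 as in the documented command; the 'services/lr-web-console-ui*'
# prefix filter is an assumption about how the keys are grouped.
$Base     = 'http://localhost:8500/v1/kv'
$StaleKey = 'services/lr-web-console-ui/CONFIG_OPTIONS'

function Get-WebConsoleKeys {
    # "?keys" returns key names only (recursively) under the prefix; a 404 means none exist.
    try { $keys = Invoke-RestMethod -Method Get -Uri "$Base/services/?keys" }
    catch { return @() }
    return @($keys | Where-Object { $_ -like 'services/lr-web-console-ui*' })
}

Write-Host 'Before:'; Get-WebConsoleKeys | ForEach-Object { "  $_" }

if ((Get-WebConsoleKeys) -contains $StaleKey) {
    # The DELETE returns true when the key was removed.
    $ok = Invoke-RestMethod -Method Delete -Uri "$Base/$StaleKey"
    Write-Host "Deleted $StaleKey -> $ok"
} else {
    Write-Host "$StaleKey is not present; nothing to remove."
}

Write-Host 'After:'; Get-WebConsoleKeys | ForEach-Object { "  $_" }
```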
If this task is not created, the disk used to store LogRhythm database backups will eventually fill up.
5. If it is not currently displayed, open the Toolbox — on the View menu, click Toolbox.
6. In the Toolbox, double-click Maintenance Cleanup Task.
A new task is added to the maintenance plan.
7. Double-click the new task to display its properties.
8. In the Folder box, type the file path where the backups are located.
9. In the File extension box, type bak.
Do not add a period before the extension. Doing so causes the cleanup job to fail.
10. Under File age, select the Delete files based on the age of the file at task run time check box and adjust the
amount of time that you want to keep backup files.
11. On the maintenance plan toolbar, click the calendar icon to schedule the maintenance job.
12. Under Frequency, set Occurs to Daily and Recurs every to 1 (day).
13. Under Daily frequency, select Occurs once at and set the time to 12:00 PM.
14. Click OK.
15. On the main toolbar, click OK.
LogRhythm recommends that you configure automatic download and synchronization of your KB. If you did
not already set this option when synchronizing the latest KB, do the following:
1. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.
The Knowledge Base Manager appears.
2. Click Synchronization Settings.
3. Select the following check boxes:
a. Enable Automatic Knowledge Base Download.
b. Enable Automatic Knowledge Base Core Synchronization.
c. Enable Automatic Knowledge Base Module Synchronization.
4. If a proxy is required, click the Proxy Settings tab.
a. Enter the Proxy Server Address and Proxy Server Port.
b. If the proxy server requires authentication, select that check box and provide a valid User Name,
Password, and Domain.
5. Click OK.
6. To force an immediate download, click Check for Knowledge Base Updates.
In previous releases, some Mediator configuration options could only be set by adding optional entries to
scmedsvr.ini. Some of these values have been enabled by default or moved to the UI. If you have added any
of the following optional parameters to C:\Program Files\LogRhythm\LogRhythm Mediator
Server\config\scmedsvr.ini, you should edit the file to remove them following the upgrade:
• DxNodeHost=<DX_hostname_IP>
• ShouldCompressRMPersist=true
• MPERuleTimeoutEnabled=true
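As an added example (not part of the LogRhythm guide), this PowerShell script backs up scmedsvr.ini and strips the three optional entries listed above. Lines are matched on the key name, so a DxNodeHost entry is removed whatever host name or IP address was entered; the path is the guide's default.

```powershell
# Added example, not from the LogRhythm guide: back up scmedsvr.ini and remove the
# three obsolete optional entries. Matching is on the key name, so DxNodeHost is removed
# whatever value follows the "=". Path is the default given in the guide.
$IniPath      = 'C:\Program Files\LogRhythm\LogRhythm Mediator Server\config\scmedsvr.ini'
$ObsoleteKeys = @('DxNodeHost', 'ShouldCompressRMPersist', 'MPERuleTimeoutEnabled')

if (-not (Test-Path -LiteralPath $IniPath)) { throw "Not found: $IniPath" }

$backup = "$IniPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $IniPath -Destination $backup   # keep the original before editing

$kept = @(); $removed = @()
foreach ($line in (Get-Content -LiteralPath $IniPath)) {
    # Match "Key=value" with optional surrounding whitespace; comments and other keys stay.
    $isObsolete = $ObsoleteKeys | Where-Object { $line -match "^\s*$_\s*=" }
    if ($isObsolete) { $removed += $line } else { $kept += $line }
}

if ($removed.Count -eq 0) {
    Remove-Item -LiteralPath $backup
    Write-Host 'No obsolete entries found; file left unchanged.'
} else {
    # Set-Content writes in the Windows default encoding, assumed to match the .ini file.
    Set-Content -LiteralPath $IniPath -Value $kept
    Write-Host "Removed $($removed.Count) line(s); backup saved as $backup"
    $removed | ForEach-Object { "  $_" }
}
```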
In a previous release, if the name of any FIM policies contained one or more colon ":" characters, *NIX Agents
were unable to load state files. This issue has been fixed. To eliminate any further error messages following
the upgrade, delete the existing Agent state file (../state/.filemon.log).
Force Merge settings are not preserved during an upgrade. They must be re-enabled in AllConf after
performing an upgrade.
Be careful not to delete any Logrhythm_Events_*.dat files, as doing so could have a negative impact on
performance. Performance would only be affected briefly while the files are recreated.
Summary: If you uninstall the 7.1.3 or earlier Linux Data Indexer and then install the current version, the Data
Indexer configuration page (AllConf) may fail to load.
Unless you are upgrading from version 7.1.1, it is not recommended that you uninstall your existing
Data Indexer before performing an upgrade.
Verification: The Data Indexer AllConf page will not load after the upgrade.
Procedure:
1. Uninstall the current version Data Indexer from all nodes in your cluster.
2. Log in to each Indexer node in your cluster and delete the server configuration files by running the following
command:
sudo rm /usr/local/logrhythm/configserver/conf/ConfigServerConfig.*
3. Install the current version of the Data Indexer software. For additional information, see Install a New LogRhythm
7.4.4 Deployment.
The Deployment Tool improves the method for installing or upgrading a distributed deployment.
The tool is required every time you install or upgrade a LogRhythm component to ensure that all
components are communicating properly. If the tool is not utilized during an installation or
upgrade, the deployment will not be functional and you will not be able to index or retrieve data.
Installation Considerations
Running the Deployment Tool is required for all installations and upgrades. After installing or upgrading the
LogRhythm SQL databases on the PM or XM, run the Install Wizard on the PM or XM, and the Deployment
Tool will walk you through the process of preparing all of the other servers in your deployment.
You must have the IP address of each LogRhythm server in your deployment, with the exception of
those running the Client Console or standalone System Monitors. You will also need SQL database
credentials (sa or equivalent user) for the EMDB and the ability to log in to each of the LogRhythm
servers to run the deployment package that the Deployment Tool generates.
When you are upgrading a deployment, the Deployment Tool prompts you to indicate if you have a
High Availability or Disaster Recovery deployment. If you have either deployment type, you should
use the appropriate upgrade guide for those deployments and your version. These guides are
available on the Install or Upgrade a Deployment or an Appliance page.
When you are sure that all hosts have been added, click Create Deployment Package. When prompted, select
the location where you want to save the Deployment Package. You should save the Deployment Package on
a file share or some place you will be able to access it from all hosts. Make a note of the Deployment Package
location.
Click Next Step, and then follow the on-screen instructions and additional help to install the Deployment
Package on all hosts.
After you begin installing the Deployment Package on your hosts, your LogRhythm Deployment will
be down until you successfully complete the rest of the LogRhythm Deployment installation
process. Be sure you have allotted enough time and informed all affected parties.
After you have completed the final Verify Deployment Status step, click Exit to Install Wizard.
You still need to run the Install Wizard on all other components, and if you have a Linux DX, you will
also need to run that installer to complete your LogRhythm upgrade. These items can be started
after the Deployment Tool installation has completed.
Logs
Installer logs are located in C:\LogRhythm\InstallerLogs, in a folder with the date you completed the
installation. The _LIW will show basic information about the Install Wizard, and the LogRhythm_
Infrastructure_Installer_Silent will show more information about the Deployment Tool.
In addition, you can find more information about the Deployment Tool install at C:\Program
Files\LogRhythm\LogRhythm Infrastructure Installer\logs or in the MSI log on the server, located at
%Temp%.
The Linux DX installer logs are located at /var/log/persistent. You can run cat logrhythmclusterinstall.sh.log
or lorhythm-node-install.sh.log to view the contents of these logs.
Troubleshooting
Below are some potential issues that may arise when running the Deployment Tool.
When upgrading my Linux DX, I received an error that states the LRII Plan file is invalid
You may not have added the plan file location to the executable path. Make sure you use the full execution
path. It should be similar to the following:
sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/soft/hosts --plan /home/logrhythm/soft/plan.yml
1. Open PowerShell.
2. Type the following:
cd "C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\backup"
3. Run the following:
$ConsulPath = "C:\LogRhythm\Deployment\data\consul.exe"
4. Find a previous backup at the location in step 2 that is larger than the most recent backups.
Most likely, the recent backups are 0 in size and you should pick the latest with a size larger than that.
5. Run the following script:
Get-Content .\kvexport-<date of backup>.json | & $ConsulPath kv import -
6. Restart the LogRhythm Deployment Tool.
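As an added example (not part of the LogRhythm guide), this PowerShell script automates steps 2 to 5 above: it picks the newest kvexport backup whose size is greater than zero, confirms the file parses as JSON before anything is written, and feeds it to consul kv import. Paths are the defaults given in the steps.

```powershell
# Added example, not from the LogRhythm guide: restore the service registry from the
# newest non-empty kvexport backup, validating the file before importing it.
# Paths are the defaults from the steps above.
$BackupDir  = 'C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\backup'
$ConsulPath = 'C:\LogRhythm\Deployment\data\consul.exe'

Set-Location -LiteralPath $BackupDir   # step 2

# Step 4: newest kvexport file that is not empty (recent backups may be 0 bytes).
$candidate = Get-ChildItem -Filter 'kvexport-*.json' |
    Where-Object { $_.Length -gt 0 } |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1

if (-not $candidate) { throw "No non-empty kvexport-*.json found in $BackupDir" }

# Sanity check: a truncated or corrupt export is caught here, before consul touches the store.
$entries = Get-Content -LiteralPath $candidate.FullName -Raw | ConvertFrom-Json
if (-not $entries -or $entries.Count -eq 0) { throw "$($candidate.Name) contains no KV entries" }

Write-Host ("Restoring {0} ({1} bytes, {2} entries, written {3})" -f
    $candidate.Name, $candidate.Length, $entries.Count, $candidate.LastWriteTime)

# Step 5: consul reads the export from stdin when "-" is given as the file argument.
Get-Content -LiteralPath $candidate.FullName | & $ConsulPath kv import -
if ($LASTEXITCODE -ne 0) { throw "consul kv import failed with exit code $LASTEXITCODE" }

Write-Host 'Import complete. Restart the LogRhythm Deployment Tool (step 6).'
```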
If you are using multiple Web Console instances, the Configuration Manager lets you apply
individual configurations to each instance. Each instance, for single or multiple Web Consoles, will
be identified in the Configuration Manager as Web Console UI - HOSTNAME, where HOSTNAME is
the Windows host name of the server where the Web Console is installed.
Until you have had a chance to tune your deployment, and to avoid potential performance issues
with AIE Cached Drilldown, you should disable the AIE Drill Down Cache API after upgrading to
LogRhythm 7.4.4.
The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited
settings are shown in Basic mode. Advanced mode displays all settings, including those shown in Basic
mode, grouped according to which service they affect. The tables below describe all the settings. You can
filter the settings that are displayed by clicking one of the options on the left — All (no filtering),
Authentication, or Web Services. When settings are filtered, you should enable the Advanced view to ensure
you can see all settings.
To expand the screen and see all options at once, click the View menu in the upper-left corner of the
LogRhythm Configuration Manager window, then click Toggle Full Screen.
At the bottom of the LogRhythm Configuration Manager window, a service status indicator shows which
Services are active or inactive. A blue light indicates that all services are up. A red light indicates that one or
more services are down. You can hover the mouse over the indicator to see a list of which services are down.
In Advanced mode, the indicator light also appears next to each group header.
If your LogRhythm Configuration Manager appears grainy, you may need to turn on Windows Font
Smoothing. You can read how to do so here: http://www.microsoft.com/typography/ClearTypeFAQ.mspx
If you make a configuration change and then change that configuration again back to the previously
saved setting, the Save button will be deactivated and the last saved values persist. To undo a single
configuration change, click Edit in the upper-left corner of the LogRhythm Configuration Manager, and
then click Undo. You can also press Ctrl+Z. If you need to undo several configuration changes at once,
clicking the Revert Unsaved Changes button sets all configurations back to their last saved values.
The affected service or services restart automatically and the changes are applied. A restart time of up to 60
seconds is normal.
5. (Optional) Click Save in the lower right of the LogRhythm Configuration Manager to apply the changes
immediately.
To restore a configuration:
1. Select Backup/Restore in the menu.
2. Select from one of the following:
• Restore from File. Prompts you to open a configuration backup file. After you open the file, boxes with
changes are outlined blue.
• Restore from Last Saved. Reverts to the configuration saved in %APPDATA%\LogRhythm Configuration
Manager\presets. You can also click Revert Unsaved Changes to apply the settings in that file. Boxes with
changes are outlined blue.
• Restore from Default. Returns all configuration settings to the installation defaults. Boxes with changes
are outlined blue.
3. In the lower right of the LogRhythm Configuration Manager, click Save to apply the new settings.
Do not manually insert line breaks within the certificates. The certificates do not need to be in any
specific order.
Certificates
Generate Your Own SSL Certificate for the Web Console
The Web Console installer automatically generates a self-signed SSL certificate for you and saves it here:
C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls_temp.
However, it is best practice to generate your own self-signed certificates or import certificates signed by a
third party. When configuring your own SSL Certificates for the Web Console, each certificate needs to be
configured separately. Some guidance on doing so can be found on the Digital Ocean website and the
OpenSSL website, but your IT department should follow their own policies and security practices.
Your IT department should set up proper certificates for your domain, install those on the internal systems,
and maintain them appropriately.
The LogRhythm Web Console supports .pem and .crt files only. If you convert to a .crt file using
OpenSSL, be sure to use the -nokeys flag.
1. Ensure the private key is unencrypted. The private key should not require a password.
2. Concatenate the certificate with the issuing and root Certificate Authority (CA) into a single file, if necessary.
3. Open the LogRhythm Configuration Manager.
4. To add the public key to the SSL Public Key parameter, click Choose File and select the public key in the file
browser.
5. To add the private key to the SSL Private Key parameter, click Choose File and select the private key in the file
browser.
6. Save your changes, and restart services, if necessary.
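As an added example (not part of the LogRhythm guide), this PowerShell script generates an unencrypted key and a self-signed certificate with OpenSSL, builds the concatenated bundle, and checks both files against the rules above (unencrypted key, no hand-inserted line breaks, key matches certificate). It assumes openssl.exe (1.1.1 or later, for -addext) is on PATH; $OutDir and $HostName are placeholders.

```powershell
# Added example, not from the LogRhythm guide: create an unencrypted key and a
# self-signed certificate, build the bundle, and check both files against the
# requirements in the steps above. Assumes openssl.exe (1.1.1+) is on PATH;
# $OutDir and $HostName are placeholders.
$OutDir   = 'C:\LogRhythm\certs'         # placeholder
$HostName = 'webconsole.example.com'     # placeholder: the name users browse to
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$KeyFile = "$OutDir\webconsole.key.pem"; $CertFile = "$OutDir\webconsole.crt.pem"

# -nodes writes the key without a passphrase, which is what the Web Console requires.
& openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$HostName" `
    -addext "subjectAltName=DNS:$HostName" -keyout $KeyFile -out $CertFile
if ($LASTEXITCODE -ne 0) { throw 'openssl req failed' }
# For a PKCS#12 file from a CA, "openssl pkcs12 -in file.pfx -nokeys -out file.crt"
# extracts only the certificates, as the -nokeys note above requires.

# Concatenate the certificate with any issuing/root CA files (order does not matter).
# Each file is read whole and joined with a single newline so no PEM line is altered.
$parts  = @($CertFile) + @(Get-ChildItem -Path "$OutDir\ca-*.pem" | ForEach-Object FullName)
$bundle = ($parts | ForEach-Object { (Get-Content -LiteralPath $_ -Raw).TrimEnd() + "`n" }) -join ''
$BundleFile = "$OutDir\webconsole.bundle.pem"
[IO.File]::WriteAllText($BundleFile, $bundle)

function Test-PemFile {
    param([string]$Path, [switch]$PrivateKey)
    $lines = Get-Content -LiteralPath $Path
    $begin = @($lines | Where-Object { $_ -like '-----BEGIN *' }).Count
    $end   = @($lines | Where-Object { $_ -like '-----END *' }).Count
    if ($begin -eq 0 -or $begin -ne $end) { return "$Path : unbalanced BEGIN/END markers" }
    # Base64 body lines are at most 64 characters of base64; anything longer or containing
    # other characters usually means a line break was inserted or removed by hand.
    $body = $lines | Where-Object { $_ -and $_ -notlike '-----*' -and $_ -notmatch ':' }
    if ($body | Where-Object { $_.Length -gt 64 -or $_ -notmatch '^[A-Za-z0-9+/=]+$' }) {
        return "$Path : malformed base64 line (manual line break?)"
    }
    if ($PrivateKey -and ($lines -match 'ENCRYPTED')) { return "$Path : private key is encrypted" }
}

$problems = @(@(
    Test-PemFile -Path $KeyFile -PrivateKey
    Test-PemFile -Path $BundleFile
) | Where-Object { $_ })
# The key must belong to the certificate: compare their RSA moduli.
$certMod = & openssl x509 -noout -modulus -in $CertFile
$keyMod  = & openssl rsa  -noout -modulus -in $KeyFile
if ($certMod -ne $keyMod) { $problems += 'certificate and private key do not match' }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "OK: load $BundleFile as SSL Public Key and $KeyFile as SSL Private Key." }
```

Place any issuing or root CA certificates in $OutDir as ca-*.pem before running so they are included in the bundle; the same checks apply unchanged to certificates issued by a third party.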