LogRhythm-XM-AMI-Admin-Guide_revC
LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com
LogRhythm Customer Support
support@logrhythm.com
Prerequisites
You must have the following to successfully launch and utilize the LogRhythm XM AMI:
• AWS account
• LogRhythm license that supports up to 10,000 messages per second (MPS)
• Access to the LogRhythm Support Portal (https://support.logrhythm.com)
AWS Marketplace
NOTE: The details highlighted on the listing page provide a high-level explanation of the product to any
interested parties and are not fully vetted as part of this document. To learn more about the
LogRhythm suite of products, go to https://logrhythm.com/request-more-information.
1-Click Launch
1-Click Launch provides an experienced user with a streamlined process to quickly configure and launch an
instance. If you are an experienced user who knows what you need to launch an instance within the AWS
Marketplace, you can select this tab.
Manual Launch
The Manual Launch tab allows you to tailor the instance settings to your specific needs and provides maximum
configurability when preparing to launch an instance within the AWS Marketplace. To begin the configuration with
Manual Launch, be sure that the Manual Launch tab is selected (see Figure 2).
IMPORTANT: LogRhythm strongly recommends using the Manual Launch function rather than 1-Click Launch.
Using 1-Click Launch could result in improperly configured settings that lead to suboptimal
performance.
To view the software installation guide and application Help for the current version of the LogRhythm software,
click Usage Instructions. Note that both guides are outside the scope of this document.
Launch
The Launch section lets you choose the region to launch your instance in. The price per region varies, so make
sure your organization is aware of how Amazon charges for using an instance in a particular region. The default
region for the LogRhythm AMI is US East (N. Virginia).
To select a region, click Launch with EC2 Console.
NOTE: At the bottom of the Manual Launch page are two subsections, neither of which requires configuration
before you continue:
• The Security Group section outlines the currently defined security group policies for the AMI. By
default, the LogRhythm AMI allows RDP connections over port 3389. You can change the security
group policies in a later configuration section.
• The Release Notes section provides a link to the release notes for the LogRhythm software so that you can
quickly see new features and bug fixes in your selected version.
The following configuration settings are available on the Configure Instance Details page:
Number of Instances
Use this setting to define how many instances to launch. You can also choose to launch an instance into an auto-
scaling group that will scale the number of instances in use based on the policies defined.
NOTE: Currently, LogRhythm does not support scaling past one (1) instance, though this may change in
future versions of the AMI.
Purchasing Option
If you want to reduce your instance cost, you can use this setting to bid on spot instances. These spot instances
are only available when the spot instance market price is lower than what you bid on the instance.
Network
This setting allows you to customize or create a new Virtual Private Cloud (VPC) that the instance will be launched
into. IP tables, routing rules, and more can be configured based on your environment and requirements. The
default VPC provides the most basic network settings recommended by AWS. Any existing AWS instances you
want to connect from should be in this same subnet.
NOTE: If you terminate an instance, that instance will be deleted and you will need to create another.
Add Storage
The LogRhythm XM AMI was created with the minimum allowed storage settings in AWS so you can tailor your
active and inactive archive storage size to match your needs. Because the recommended instance types are based
on the XM4400, XM6400, and XM8400 series appliances, the instance storage size must follow the reference
architecture.
C: /dev/sda1
D: xvdb
E: xvdc
L: xvdd
T: xvde
Table 2, taken from the LogRhythm Software Installation Guide, defines each volume’s function.
C Drive (C:\) Operating System, SQL Server program files, and LogRhythm program files
T Drive (T:\) SQL Server Temp DB data file and SQL Server Temp DB transaction log file
Volume Size
As part of the provisioning process (see Figure 6), you need to add the amount of storage you want based on your
environmental requirements. For recommended disk sizing, see the LogRhythm Software Installation Guide,
available on the LogRhythm Community.
xvde 50 50 50
The sizes for xvdb, xvdc, and xvdd (D:, E:, and L:) can be changed to meet your requirements but should be vetted
by LogRhythm Support to ensure that the product will function as intended. Volume sizes lower than the XM4400
series are not recommended due to performance loss associated with smaller volume sizes. No other changes
should be made to this section without guidance from an administrator and LogRhythm Support.
To move to the next section, click Next: Add Tags.
Add Tags
Tagging in AWS helps you categorize resources to better manage them. This section is optional and can be
changed based on your needs.
To move to the next section, click Next: Configure Security Group.
2. In the Key pair name box, type a name for your key pair, and then click Download Key Pair.
The key pair downloads to your local machine.
3. Repeat step 1, but this time, select Choose an existing key pair, and then select the key pair that you just
downloaded. In Figure 8, this key pair is named “new key pair.”
4. Select the acknowledgement check box, and then click Launch Instances.
To stop the instance, right-click the instance you want to stop, click Instance State, and then click Stop. The
instance will prompt you that it is stopping. Once stopped, the instance state will appear as “stopped” (see Figure
10).
5. Click Choose File, and then select the key pair that you downloaded in the “Select or Create a Key Pair”
section of this guide.
Your key pair fills in the text box.
7. Start your preferred RDP application, and then use your public DNS (IPv4), user name, and password to
connect to your instance.
For further assistance configuring or troubleshooting your LogRhythm instance, see the LogRhythm Software
Installation Guide and the LogRhythm Help PDFs for your selected version of the LogRhythm software. Both guides
are available on the LogRhythm Community.