
LogRhythm XM AMI Administration Guide

June 6, 2018 – Revision C

LogRhythm-XM-AMI-Admin-Guide_revC

© LogRhythm, Inc. All rights reserved


This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by
copyright and possible non-disclosure agreements. The Software described in this Guide is furnished under the
End User License Agreement or the applicable Terms and Conditions (“Agreement”) which governs the use of the
Software. This Software may be used or copied only in accordance with the Agreement. No part of this Guide may
be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than what is permitted in the Agreement.
Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied warranty
of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any direct, indirect,
incidental, consequential, or other damages alleged in connection with the furnishing or use of this information.
Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned may be
trademarks, registered trademarks, or service marks of their respective holders.

LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com
LogRhythm Customer Support
support@logrhythm.com



Contents
Purpose  4
LogRhythm XM AMI Overview  4
    Prerequisites  4
AWS Marketplace  4
    Search AWS Marketplace  4
    LogRhythm XM AMI Listing Details  5
    Launch the XM AMI  5
        1-Click Launch  5
        Manual Launch  5
        Instance Types  7
        Configure Instance Details  7
        Add Storage  8
        Add Tags  10
        Configure Security Group  10
        Review and Launch  10
        Select or Create a Key Pair  10
    Launch Status  12
    Connect to the Deployment  12



Purpose
This document provides guidance on how to find, launch, and manage the LogRhythm XM AMI from within the
AWS Marketplace.

LogRhythm XM AMI Overview


The LogRhythm XM AMI is an Amazon Machine Image (AMI) that is preinstalled with LogRhythm’s SIEM software.
The XM AMI is available in the Amazon Web Services (AWS) Commercial Marketplace, where it can be launched
and managed.
In the AWS Marketplace, the three available instance sizes for the AMI provide the same functionality as the
XM4400, XM6400, and XM8400 series appliances. The XM AMI has a bring-your-own-license (BYOL) payment
model. You must have a valid LogRhythm license to utilize the LogRhythm software on the AMI.
The sections that follow describe how to find and launch the XM AMI in the AWS Marketplace, and also provide
guidance on some of the more common configuration options within AWS to ensure that you can utilize the AMI
to its fullest potential.

Prerequisites
You must have the following to successfully launch and utilize the LogRhythm XM AMI:
• AWS account
• LogRhythm license that supports up to 10,000 messages per second (MPS)
• Access to the LogRhythm Support Portal (https://support.logrhythm.com)

AWS Marketplace

Search AWS Marketplace


To find the LogRhythm XM AMI:
1. Go to https://aws.amazon.com/marketplace, and then search for “LogRhythm.”
2. Click LogRhythm SIEM Amazon Instance.
The LogRhythm XM AMI instance appears.

Figure 1 LogRhythm SIEM Amazon Instance in the AWS Marketplace



LogRhythm XM AMI Listing Details
The LogRhythm XM AMI listing provides details on LogRhythm and its capabilities, including:
• The latest version.
• Software highlights—a listing of the capabilities.
• Usage instructions—Help Guide and Installation Guide for reference.
• How to contact LogRhythm Support for any questions or issues.
• End-user license agreement.
• Per-hour pricing for the AMI based on instance size.

NOTE: The details highlighted on the listing page provide a high-level explanation of the product to any
interested parties and are not fully vetted as part of this document. To learn more about the
LogRhythm suite of products, go to https://logrhythm.com/request-more-information.

To configure the AMI for launch, click Continue.

Launch the XM AMI


Before the XM AMI is launched, you must make a variety of configuration selections to ensure that the LogRhythm
instance meets your requirements. These selections are customer-specific and will vary based on your needs. This
section explains your selection options to help you make the appropriate configuration decisions.

1-Click Launch
1-Click Launch provides an experienced user with a streamlined process to quickly configure and launch an
instance. If you are an experienced user who already knows what you need to launch an instance within the AWS
Marketplace, you can select this tab.

Manual Launch
The Manual Launch tab allows you to tailor the instance settings to your specific needs and provides maximum
configurability when preparing to launch an instance within the AWS Marketplace. To begin the configuration with
Manual Launch, be sure that the Manual Launch tab is selected (see Figure 2).

Figure 2 Manual Launch Tab Is Selected

IMPORTANT: LogRhythm strongly recommends using the Manual Launch function rather than 1-Click Launch.
Using 1-Click Launch could result in improperly configured settings that lead to suboptimal
performance.



Version
In the Version section, select which version of the LogRhythm AMI you want to use. The version should match the
LogRhythm software version that is used in the AMI.

Figure 3 LogRhythm AMI Version Selector

To view the software installation guide and application Help for the current version of the LogRhythm software,
click Usage Instructions. Note that both guides are outside the scope of this document.
Launch
The Launch section lets you choose the region to launch your instance in. The price per region varies, so make
sure your organization is aware of how Amazon charges for using an instance in a particular region. The default
region for the LogRhythm AMI is US East (N. Virginia).
To select a region, click Launch with EC2 Console.

Figure 4 LogRhythm AMI ID Launch Page

The Choose an Instance Type page appears.

NOTE: At the bottom of the Manual Launch page are two subsections, neither of which requires configuration
before you continue:

The Security Group section outlines the currently defined security group policies for the AMI. By
default, the LogRhythm AMI allows RDP connections over port 3389. You can change the security
group policies in a later configuration section.

The Release Notes section provides a link to release notes to the LogRhythm software so that you can
quickly see new features and bug fixes in your selected version.



Instance Types
The LogRhythm AMI launches with an instance in Amazon’s Elastic Compute Cloud (EC2). EC2 has a wide variety of
instances for users to choose from. The LogRhythm XM AMI utilizes a memory-optimized instance to ensure that
there is enough memory available for the software to function properly. The instance type selections have been
limited to only those that meet the specifications required for running the LogRhythm software.
Select the appropriate image based on your deployment size:

Deployment Size      Instance Type   XM Model   vCPUs   Memory
Up to 1,000 MPS      m4.4xlarge      XM4400     16      64 GB
1,000–5,000 MPS      r4.8xlarge      XM6400     32      244 GB
5,000–10,000 MPS     m4.16xlarge     XM8400     64      256 GB

To move to the next step, click Next: Configure Instance Details.

Configure Instance Details


On the Configure Instance Details page, you’ll configure your LogRhythm instance based on your specific needs.
Most of these settings are optional and should only be used and configured by the administrator. Work with your
administrator to ensure that these settings are configured properly based on your environment and needs.
Next to each configuration setting is an information icon (see Figure 5). You can click an icon for further details
and configuration options for any setting.

Figure 5 Configuration Setting Information Icons

The following configuration settings are available on the Configure Instance Details page:
Number of Instances
Use this setting to define how many instances to launch. You can also choose to launch an instance into an
auto-scaling group that will scale the number of instances in use based on the policies defined.

NOTE: Currently, LogRhythm does not support scaling past one (1) instance, though this may change in
future versions of the AMI.

Purchasing Option
If you want to reduce your instance cost, you can use this setting to bid on spot instances. These spot instances
are only available when the spot instance market price is lower than what you bid on the instance.
Network
This setting allows you to customize or create a new Virtual Private Cloud (VPC) that the instance will be launched
into. IP tables, routing rules, and more can be configured based on your environment and requirements. The
default VPC provides the most basic network settings recommended by AWS. Any existing AWS instances you
want to connect from should be in this same subnet.



Subnet
This setting lets you choose the subnet, that is, the portion of the VPC's IP address space, in which the EC2
instance is placed. You can either choose a default setting recommended by AWS or create your own setting that is
tailored to your environment.
Auto-Assign Public IP
In some situations, you may need an instance to have a public IP address so that it is reachable via the public
internet. This setting lets you request an auto-assigned public IP address or have a persistent public IP address
assigned to the instance.
Placement Group
If you plan to eventually create a cluster of instances, this setting allows you to create a placement group where
multiple instances can be assigned. This setting should only be configured after careful planning with your
administrator.
Domain Join Directory
If you utilize AWS Directory Service with defined roles in AWS IAM (Identity and Access Management), you can
assign the instance to use those policies for single sign-on and other services.
IAM Role
If you’re using IAM to manage credentials and roles, this setting can assign a role to the instance to simplify how it
is accessed and utilized.
Shutdown Behavior
This setting configures whether the instance stops or terminates when an OS-level shutdown is performed.

NOTE: If you terminate an instance, that instance will be deleted and you will need to create another.

Enable Termination Protection


This setting ensures that the instance cannot be accidentally terminated.
Monitoring
If you use AWS CloudWatch, you can enable detailed CloudWatch monitoring for the instance with this setting, for an additional fee.
EBS-Optimized Instance
If you want to optimize traffic sent between EBS (Elastic Block Store) and EC2, you can enable this setting for a fee.
To move to the next section, click Next: Add Storage.

Add Storage
The LogRhythm XM AMI was created with the minimum allowed storage settings in AWS so you can tailor your
active and inactive archive storage size to match your needs. Because the recommended instance types are based
on the XM4400, XM6400, and XM8400 series appliances, the instance storage size must follow the reference
architecture.



Volume Correlation
The LogRhythm storage volumes appear under different device names when installed to the AMI. Table 1 defines
how the LogRhythm volumes correlate to the AMI volumes.

LogRhythm Volume    AMI Volume
C:                  /dev/sda1
D:                  xvdb
E:                  xvdc
L:                  xvdd
T:                  xvde

Table 1 LogRhythm Volume/AMI Volume Correlation

Table 2, taken from the LogRhythm Software Installation Guide, defines each volume’s function.

LogRhythm Volume    Function
C Drive (C:\)       Operating System, SQL Server program files, and LogRhythm program files
D Drive (D:\)       LogRhythm SQL Server data files
E Drive (E:\)       LogRhythm Data Indexer data
L Drive (L:\)       LogRhythm SQL Server transaction log files
T Drive (T:\)       SQL Server Temp DB data file and SQL Server Temp DB transaction log file

Table 2 LogRhythm Volume Function

Volume Size
As part of the provisioning process (see Figure 6), you need to add the amount of storage you want based on your
environmental requirements. For recommended disk sizing, see the LogRhythm Software Installation Guide,
available on the LogRhythm Community.

Figure 6 Add Storage Based on Archive Requirements



Depending on the reference architecture in the version of the LogRhythm Software Installation Guide that you are
using, the volume sizes in Table 3 are the default values recommended by LogRhythm.

Volume       m4.4xlarge/XM44XX       r4.8xlarge/XM64XX       m4.16xlarge/XM84XX
             Configuration 1 (GB)    Configuration 1 (GB)    Configuration 1 (GB)
/dev/sda1    200                     200                     200
xvdb         533                     3000                    5000
xvdc         1500                    9000                    16000
xvdd         150                     880                     1000
xvde         50                      50                      50

Table 3 Recommended Volume Sizes

The sizes for xvdb, xvdc, and xvdd (D:, E:, and L:) can be changed to meet your requirements but should be vetted
by LogRhythm Support to ensure that the product will function as intended. Volume sizes lower than the XM4400
series are not recommended due to performance loss associated with smaller volume sizes. No other changes
should be made to this section without guidance from an administrator and LogRhythm Support.
To move to the next section, click Next: Add Tags.

Add Tags
Tagging in AWS helps you categorize resources to better manage them. This section is optional and can be
changed based on your need.
To move to the next section, click Next: Configure Security Group.

Configure Security Group


This section is used to configure security group policies for the firewall that controls traffic on the instance. The
default security group policy allows only RDP traffic to the instance so that you can initiate an RDP session with
the instance to make any necessary configuration changes. Depending on your LogRhythm deployment design,
you may need to open ports for Agents (TCP/443), the Web Console (TCP/8443), or other services you want to use
external to the AWS instance.
Note that these rules can have a significant impact on the functionality and security of the system. So while the
instance can be launched with the default value, it is important to vet this policy with your security team and IT
organization before implementing it, to ensure that each communication path is open or closed according to your
requirements.
To review your AMI settings, click Review and Launch.
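Added example (not part of this guide or of LogRhythm's software): a small Python audit of a security group's ingress rules, using the IpPermissions structure that `aws ec2 describe-security-groups` returns, so the policy can be vetted against the ports this section names before launch. The two sample groups and the 203.0.113.0/24 administrator network are constructed for illustration.

```python
import ipaddress

# Ports this guide says you may need to open, keyed to the service they carry.
LOGRHYTHM_PORTS = {3389: "RDP (administration)", 443: "LogRhythm Agents",
                   8443: "LogRhythm Web Console"}
ANYWHERE = ("0.0.0.0/0", "::/0")

def _covers_port(perm, port):
    """True if an IpPermissions entry covers TCP `port` ("-1" = all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)

def _within(cidr, allowed):
    """True if `cidr` lies inside any network in `allowed` (same IP version)."""
    net = ipaddress.ip_network(cidr, strict=False)
    for allowed_cidr in allowed:
        allowed_net = ipaddress.ip_network(allowed_cidr, strict=False)
        if allowed_net.version == net.version and net.subnet_of(allowed_net):
            return True
    return False

def audit_ingress(permissions, admin_cidrs):
    """Return (severity, port, service, source) findings for one group's
    IpPermissions list; admin_cidrs are the networks RDP is expected from."""
    findings = []
    for perm in permissions:
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for port, service in LOGRHYTHM_PORTS.items():
            if not _covers_port(perm, port):
                continue
            for src in sources:
                if src in ANYWHERE:
                    # RDP reachable from any address is the case most worth
                    # stopping before launch; the other ports rate lower.
                    severity = "HIGH" if port == 3389 else "MEDIUM"
                    findings.append((severity, port, service, src))
                elif port == 3389 and not _within(src, admin_cidrs):
                    findings.append(("LOW", port, service, src))
    return findings

# Constructed sample groups (not real AWS output); 203.0.113.0/24 stands in
# for a hypothetical administrator network.
ADMIN_CIDRS = ["203.0.113.0/24"]
OPEN_RDP_GROUP = [  # RDP-only policy, but reachable from any source
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
HARDENED_GROUP = [  # RDP from admins only; agent and console ports from the VPC
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]
```

Running `audit_ingress(OPEN_RDP_GROUP, ADMIN_CIDRS)` reports one HIGH finding for port 3389, while the hardened group returns no findings.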

Review and Launch


The final step before launching the instance is to review and accept the settings that were configured throughout
the provisioning process. At this point, you can still edit any settings before launching the instance. Once you click
Launch, the instance will launch and the initialization process will begin.
The Select an existing key pair or create a new key pair dialog box appears.

Select or Create a Key Pair


A key pair is required to connect to your AMI securely. Before you launch your instance, you can either create a
new key pair or use an existing key pair. Proceeding without a key pair will prevent you from accessing your AWS
instance, and is therefore not recommended.



Select an Existing Key Pair
To use an existing key pair, skip to step 3 in the “Create a New Key Pair” section that follows.
Create a New Key Pair
1. From the drop-down list on the Select an existing key pair or create a new key pair dialog box, select
Create a new key pair.

Figure 7 Create a New Key Pair

2. In the Key pair name box, type a name for your key pair, and then click Download Key Pair.
The key pair downloads to your local machine.
3. Repeat step 1, but this time, select Choose an existing key pair, and then select the key pair that you just
downloaded. In Figure 8, this key pair is named “new key pair.”

Figure 8 Select an Existing Key Pair

4. Select the acknowledgement check box, and then click Launch Instances.



Launch Status
After your instance launches, click View Instances. Here, you can see which instances are stopped or running. To
ensure that your instance is running, look for the Instance State column. If the Instance State appears as “running”
with “2/2 checks,” then the instance is up and running (see Figure 9). The Status Checks column may appear as
“Initializing” until it’s ready to run. This process could take several minutes.

Figure 9 Instance Status: Running

To stop the instance, right-click the instance you want to stop, click Instance State, and then click Stop. The
instance will prompt you that it is stopping. Once stopped, the instance state will appear as “stopped” (see Figure
10).

Figure 10 Instance Status: Stopped

Connect to the Deployment


When you confirm that your instance is running, you must then connect to it via a Remote Desktop Protocol (RDP)
session and configure LogRhythm for your deployment.
1. From your EC2 Dashboard, select the instance you want to connect to.
2. Note the Public DNS and User Name, as these will be required to connect to your instance. The DNS
address has been hidden in Figure 11, but you will need to capture the entire address.

Figure 11 Connect To Your Instance Dialog Box



3. Right-click your instance, and then click Connect.
4. Click Get Password.
The Connect To Your Instance > Get Password dialog box appears.

Figure 12 Connect To Your Instance > Get Password Dialog Box

5. Click Choose File, and then select the key pair that you downloaded in the “Select or Create a Key Pair”
section of this guide.
Your key pair fills in the text box.

Figure 13 Text Box with Key Pair Selected



6. Click Decrypt Password.
The password that you need to connect to the instance appears in the Password field.

Figure 14 Your Password Appears in the Password Field

7. Start your preferred RDP application, and then use your public DNS (IPv4), user name, and password to
connect to your instance.
For further assistance configuring or troubleshooting your LogRhythm instance, see the LogRhythm Software
Installation Guide and the LogRhythm Help PDFs for your selected version of the LogRhythm software. Both guides
are available on the LogRhythm Community.
