
Install a New LogRhythm 7.4.8 Deployment

August 12, 2019


© LogRhythm, Inc. All rights reserved.
This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by
copyright and possible non-disclosure agreements. The Software described in this Guide is furnished under
the End User License Agreement or the applicable Terms and Conditions (“Agreement”) which governs the
use of the Software. This Software may be used or copied only in accordance with the Agreement. No part of
this Guide may be reproduced or transmitted in any form or by any means, electronic or mechanical,
including photocopying and recording for any purpose other than what is permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use
of this information.

Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned
may be trademarks, registered trademarks, or service marks of their respective holders.

LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com

Phone Support (7am - 6pm, Monday-Friday)


Toll Free in North America (MT) +1-866-255-0862
Direct Dial in the Americas (MT) +1-720-407-3990
EMEA (GMT) +44 (0) 844 3245898
META (GMT+4) +971 8000-3570-4506
APAC (SGT) +65 31572044
Table of Contents

Review Assumptions  7
The LogRhythm Infrastructure Installer  7
Review the Requirements for a New LogRhythm Deployment  8
  LogRhythm Licensing  8
  SQL Server Licensing  8
  Platform Requirements  8
    Server Roles  8
    Volume/Disk Configurations  9
    Performance Requirements  10
    Power Supply  11
    Web Console Requirements  11
  Virtualization Platform Considerations  13
    Virtualization Resource Considerations  14
    Virtualization Deployment Best Practices  14
    Virtualization Redundancy and High Availability  15
    Virtualization Snapshots and Backups  15
  Networking and Communication  15
  LogRhythm Networking Considerations  15
    LogRhythm Server IP Addresses  15
    DNS Resolution  16
    Domain Membership  16
    Remote Event Log Collection User Account  16
  LogRhythm Networking Communications  16
  Data Indexer - Inbound Ports  24
  Data Indexer - Local Ports  25
  Agent to Data Processor Communications  26
  Unidirectional Agent Communication  26
  Consul Communications  27
Select a Method of Deploying LogRhythm  29

LogRhythm, Inc. | Contents 3


  Gen5 Reference Architecture  29
    Virtual Platforms  29
    Data Collector  31
    Web Console  31
    XM  32
    Platform Manager  35
    Data Processor  37
    Data Indexer  39
    AI Engine  41
    Network Monitor  42
    Storage Arrays  43
  Cloud Platform Reference Architecture  44
    Deployments in Amazon Web Services  44
    Deployments in Google Cloud  54
    Deployments in Microsoft Azure  63

Download Software to Install a New LogRhythm Deployment  76


Install LogRhythm  78
  Configure Hardware or Virtual Machine  78
  Shut Down Antivirus and Endpoint Protection Software  78
  Install the LogRhythm Databases for the Platform Manager or XM  79
  Run the LogRhythm Install Wizard  80
  Use the LogRhythm Configuration Manager  84
    Configure your Deployment  85
    Troubleshoot the LogRhythm Configuration Manager  86
    Back Up and Restore a LogRhythm Configuration  87
  Install .NET 4.5.2 Hotfixes to Support TLS 1.2 Communication  88
    Apply .NET 4.5.2 Hotfix for Windows 7 SP1, Windows Server 2008, Windows Server 2008 R2  88
    Apply .NET 4.5.2 Update for Windows 8.1 or Windows Server 2012 R2  88

Install the LogRhythm Data Indexer  90
  (Optional) Deploy ISO image to Each Linux Data Indexer Node  90
    Prepare for the Installation  90

    Install CentOS Minimal  90
    Create the LogRhythm User on the RHEL 7 System  92
  Install the Data Indexer on Linux  92
    Install a Single-node Cluster  92
    Install a Multi-node Cluster  94
  Validate the Linux Indexer Installation  95
  Configure the Data Indexer  96
    Configure the Data Indexer on Windows  96
    Configure the Data Indexer on Linux  100
  Information about Automatic Maintenance  103
    Disk Utilization Limit  104
    Force Merge Config  104
    Index Configs  105

Complete Additional LogRhythm Installation Tasks  106
  Configure or Verify Communication Ports  106
    Configure Access for Remote Consoles  106
    Verify Ports on the Linux Data Indexer  106
    Verify Ports on the Windows Data Indexer or the Data Processor  107
  Verify SQL Server Authentication and LogRhythm Databases  107
  Verify LogRhythm Installation  107
  Verify Web Console Processes  108
  Install Other Agents  109
  Configure the LogRhythm Software  110
  Add Realtime Antivirus Exclusions for LogRhythm  110
    XM Appliance  110
    PM Appliance  110
    DP or DPX Appliance (Windows)  111
    DX Appliance (Linux)  111
    AIE Appliance  111
    Collector Appliance or Agents Deployed on Servers  111
    Agents Deployed Linux Servers  112
    High Availability Deployments  112

Supplemental Information for Installations  113
  Use the LogRhythm Deployment Tool  113
  Installation Considerations  113
  Install a New Deployment or Upgrade to a New Version of LogRhythm  113
  Add a Component to an Existing LogRhythm Deployment  114
  Logs  115
  Troubleshooting  115
    Not all servers are shown in the EMDB results  115
    Linux deployment package will not run  115
    The Deployment Tool was successful, but cannot index or process  115
    My Deployment Status Verification says that not everything is active  115
    My upgrade won't start because Elasticsearch is not running  116
    When upgrading my Linux DX, I received an error that states the LRII Plan file is invalid  116
    The LogRhythm Service Registry can't start during an upgrade  116
    Unable to query for legacy deploymentType value  116
  Use the LogRhythm Configuration Manager  116
    Configure your Deployment  117
    Troubleshoot the LogRhythm Configuration Manager  119
    Back Up and Restore a LogRhythm Configuration  119
  Install and Configure the Web Console  120
    Install the Web Console  120
    Configure the Web Console With the LogRhythm Configuration Manager  120
    Remove the Web Console  121
    Certificates  121

Install a New LogRhythm 7.4.8 Deployment

This document helps you determine a platform for the LogRhythm Software and provides instructions for
installing LogRhythm on your own systems.

We recommend that you perform these procedures with the assistance of LogRhythm Professional
Services.

Review Assumptions
Before installing the LogRhythm Software, ensure the following:
• Administrative permissions to complete the assigned preparation and installation.
• Dedicated hardware and/or virtual environments are configured as outlined in this installation guide.

Configuring your dedicated hardware or virtual environment outside the parameters listed in this
document may prevent the LogRhythm Software from operating and performing properly.
LogRhythm does not support non-standard configurations. If your environments cannot be
configured to the standard configurations, contact LogRhythm to determine whether a custom
solution is possible.

The LogRhythm installer is not supported on systems that use compressed drives.

The LogRhythm Infrastructure Installer


The LogRhythm Deployment Tool, also called the Infrastructure Installer, coordinates the installation and
configuration of the LogRhythm Common Components (LR Common) across a set of machines.
LR Common currently contains:
• LogRhythm API Gateway
• LogRhythm Service Registry
• LogRhythm Metrics Collection
Note the following requirements of the Infrastructure Installer:
• User Access. The user must be able to log on to each host in the deployment in order to run the Host
Infrastructure Installer.
• Elevated Execution. The tool executes local commands under an elevated context. The user running the tool
must have permission to elevate the execution.
• Network Time. The clocks on the hosts must be synchronized. This is a requirement for the SSL certificates
that are shared among the hosts in the deployment. If the clocks are not synchronized, the tool will likely
report that Consul is unable to elect a leader.

If this prerequisite is not met, the deployment may not function properly after installation is complete.
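The three requirements above can be checked before the Deployment Tool is run. The following PowerShell script is an added example; it is not part of the LogRhythm installer or Deployment Tool. It assumes PowerShell remoting (WinRM) is enabled on the Windows hosts, that it runs from an elevated session under the account that will run the tool, and that the host names and the 5-second skew tolerance are placeholders for your own values (the guide only requires that clocks be "synchronized").

```powershell
# Added pre-flight check for the Infrastructure Installer prerequisites: elevation,
# log-on access to every host, and synchronized clocks. Illustrative only; not a
# LogRhythm tool. Host names and the skew tolerance below are assumptions.

$Hosts          = @('lr-pm01', 'lr-dp01', 'lr-dx01')   # placeholder host names
$MaxSkewSeconds = 5                                    # assumed tolerance

# 1. Elevated Execution: the tool runs local commands under an elevated context.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this check from an elevated PowerShell session (Run as administrator).'
}

# 2. User Access: the account must be able to log on to every host. Opening a
#    remoting session as the current user proves that before the installer tries.
$sessions = foreach ($h in $Hosts) {
    try   { New-PSSession -ComputerName $h -ErrorAction Stop }
    catch { Write-Warning "Cannot log on to ${h}: $($_.Exception.Message)" }
}
if (-not $sessions) { throw 'No host is reachable; fix access before running the installer.' }

# 3. Network Time: hosts share TLS certificates and Consul must elect a leader, so
#    their clocks must agree. The remote clock is read between two local timestamps
#    and compared with their midpoint (NTP style) so that WinRM round-trip latency
#    is not mistaken for clock skew.
$results = foreach ($s in $sessions) {
    $t0 = [DateTime]::UtcNow
    $r  = Invoke-Command -Session $s -ScriptBlock {
        [pscustomobject]@{
            Utc    = [DateTime]::UtcNow
            Source = (w32tm /query /source)   # 'Local CMOS Clock' means no NTP peer is configured
        }
    }
    $t1       = [DateTime]::UtcNow
    $midpoint = $t0.AddTicks([long](($t1 - $t0).Ticks / 2))
    $skew     = [math]::Abs(($r.Utc - $midpoint).TotalSeconds)
    $status   = 'OK'
    if ($skew -gt $MaxSkewSeconds) { $status = 'FAIL' }
    [pscustomobject]@{
        Host        = $s.ComputerName
        SkewSeconds = [math]::Round($skew, 2)
        TimeSource  = ($r.Source | Out-String).Trim()
        Status      = $status
    }
}
$sessions | Remove-PSSession
$results | Format-Table -AutoSize

if ($results.Status -contains 'FAIL') {
    Write-Warning 'Clock skew detected; expect the installer to report that Consul cannot elect a leader.'
}
```

A host whose time source is reported as "Local CMOS Clock" is not synchronizing to anything even if its skew happens to be small today; point it at the domain or an NTP server before installing. Linux Data Indexer nodes are not reached over WinRM, so check their clocks separately (for example with the system's NTP client) against the same reference.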

Review Assumptions 7

Review the Requirements for a New LogRhythm Deployment


LogRhythm Licensing
The LogRhythm Solution requires a LogRhythm license file which contains a LogRhythm Master License and
Component Licenses. The Master License is tied to an individual customer for a single deployment of
LogRhythm (1 Platform Manager and 1 or more Data Processors). Component Licenses fall within the Master
License and are used to license specific LogRhythm components within the same LogRhythm deployment.
A LogRhythm license file can contain the following component and subscription licenses:
• Platform Manager License (always included)
• Data Processor License(s)
• Software License
• Appliance License
• Log Message Source License(s)
• Quantity License
• Unlimited License
• System Monitor Lite License(s)
• System Monitor Pro License(s)
• Advanced Intelligence Engine License (separate volume license)
• GeoIP Resolution Subscription License
To learn more about LogRhythm Licensing, see Licensing. The LogRhythm End User Licensing Agreement
(EULA) contains specific details regarding licensing and is the legal agreement for the solution you
purchased.

SQL Server Licensing


Your LogRhythm Software includes a SQL Server license. However, you must also acquire a Client Access
License (CAL) for every LogRhythm user, as outlined in the SQL Server End User License Agreement (EULA).
An initial number of CALs is included at the time of purchase. To find out how many CALs you have
purchased or to purchase additional CALs, contact LogRhythm Support or your sales representative. The
SQL Server EULA contains specific details regarding licensing and is the legal agreement between you and
Microsoft. It serves as your proof of purchase.

Platform Requirements

Server Roles
Different LogRhythm server roles perform key tasks for log collection, analysis, and reporting in the
LogRhythm SIEM. When you install LogRhythm on your own systems, you need the following server roles:


• Platform Manager. The Platform Manager provides the central event management and administration of the
LogRhythm SIEM, including:
• Configuration information for all agents, log sources, and log source types.
• Knowledge Base, which includes all processing rules, built-in reports (for compliance), built-in alarms,
and other processing-related information.
• The Alarming and Response Manager, which is a Windows service responsible for processing alarm rules
and taking appropriate response such as sending e-mails to those on a notification list or sending SNMP
traps to an SNMP server.
• The Job Manager, which is responsible for scheduled report job generation, Agent and Data Processor
heartbeat monitoring, Active Directory synchronization, and health monitoring.
You can install the Platform Manager on a dedicated appliance (recommended for large environments) or on the
same system as the Data Processor and Data Indexer (called an XM appliance, if you need an all-in-one
appliance). The Platform Manager also includes an embedded AI Engine license, which allows you to install AIE
on the same system. There is only one Platform Manager in the SIEM environment.
• Data Processor. The Data Processor provides high-performance, distributed, and highly available processing of
machine and forensic data. Data Processors receive machine and forensic data from Collectors and Forensic
Sensors. The Data Processor archives data and distributes both the original copy and the structured copy to
other LogRhythm components for indexing, machine based analytics, and alarming.
• Data Indexer. The Data Indexer provides high-performance, distributed, and highly scalable indexing and
searching of machine and forensic data. Data Indexers store both the original and structured copies of data to
enable search-based analytics. The Data Indexer can be installed on Windows (in an XM configuration) or on
Red Hat Enterprise Linux 7 or CentOS 7.x Minimal, using the CentOS 7.x ISO image that LogRhythm distributes.
• AI Engine. The AI Engine is an optional component that detects conditions occurring over multiple data sources
and time ranges. It provides real-time visibility into risks, threats, and critical operations issues. AI Engine
includes more than 100 preconfigured rule sets that you can use in the wizard-based, drag-and-drop interface.
You can install the AI Engine on the same system as the Platform Manager or you can install it on a dedicated
system.
• System Monitor. The System Monitor collects all log, flow, and machine data, then transfers that data to the
Data Processor. Because a System Monitor is required on each LogRhythm appliance, the LogRhythm installer
automatically deploys it with other applicable roles. You can also deploy the System Monitor using a separate
installer file (for example, silent installations in large environments).

The LogRhythm dedicated appliance for remote log collection is called a Data Collector appliance.

Volume/Disk Configurations
LogRhythm requires specific volume/disk configurations, which can consist of physical disks or virtual disks
with logical volumes.

LogRhythm is not supported on systems that use shared disks. Installing on a system that uses
shared disks can have a significant negative impact on performance.

• Physical Disks. One or more physical disks must exist on the dedicated hardware or virtual machine within a
specific volume. A system can have from 2 to 98 physical disks.


• Virtual Disks (usable space). A virtual disk is a collection of physical disks that delivers redundancy and
performance improvements through hardware RAID technology. A system can have from 2 to 10 virtual
disks.
• Logical Volumes. A logical volume is a partition of a virtual disk addressed with a unique drive letter in Windows
(for example, drive C or drive D). The logical volumes contain specific files and data related to the installation
(see the following table for more information about the contents of each drive). Any LogRhythm server that
contains a Platform Manager includes four logical volumes. The Windows Indexer should include at least two
logical volumes, and the logical volume that contains log data should be on a dedicated virtual disk using
dedicated physical disks.

You should configure and use the logical volumes as documented.

Component                      Logical Volume   Volume Label   Contents
Platform Manager               C Drive (C:\)    n/a            Operating System, SQL Server program files, and LogRhythm program files
                               D Drive (D:\)    Data           LogRhythm SQL Server data files
                               L Drive (L:\)    Log Files      LogRhythm SQL Server transaction log files
                               T Drive (T:\)    Temp DB        SQL Server Temp DB data file and SQL Server Temp DB transaction log file
                               S Drive (S:\)    n/a            LogRhythm Application State for High IOPS
Data Processor, AI Engine,     C Drive (C:\)    n/a            Operating System and LogRhythm program files
System Monitor                 S Drive (S:\)    n/a            LogRhythm Application State for High IOPS
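The layout in the table, the "no compressed drives" rule for the installer, and the requirement for dedicated disks can all be verified on a Windows host before the install wizard runs. The following script is an added example and not a LogRhythm tool; it assumes it is run elevated on the host itself, that the volumes are NTFS, and that the role names and the "one disk per volume" pairs it checks are this example's choices rather than something the guide spells out.

```powershell
# Added check that a Windows LogRhythm host has the logical volumes in the table above
# with the documented drive letters and labels, that none of them is NTFS-compressed
# (the installer does not support compressed drives), and that the SQL data,
# transaction-log and TempDB volumes do not share a disk. Illustrative only.

param([ValidateSet('PlatformManager', 'DataProcessor')] [string] $Role = 'PlatformManager')

# Expected layout. D, L and T exist only where a Platform Manager (and so SQL Server) lives.
$Expected = @(
    @{ Letter = 'C'; Label = $null;       Purpose = 'OS, SQL Server and LogRhythm program files' },
    @{ Letter = 'D'; Label = 'Data';      Purpose = 'SQL Server data files' },
    @{ Letter = 'L'; Label = 'Log Files'; Purpose = 'SQL Server transaction log files' },
    @{ Letter = 'T'; Label = 'Temp DB';   Purpose = 'SQL Server TempDB data and log' },
    @{ Letter = 'S'; Label = $null;       Purpose = 'LogRhythm Application State (high IOPS)' }
)
if ($Role -eq 'DataProcessor') { $Expected = $Expected | Where-Object { $_.Letter -in 'C', 'S' } }

$diskOf   = @{}   # drive letter -> disk number, to catch volumes that share a disk
$failures = 0
foreach ($e in $Expected) {
    $vol = Get-Volume -DriveLetter $e.Letter -ErrorAction SilentlyContinue
    if (-not $vol) {
        Write-Warning ("{0}: drive missing ({1})" -f $e.Letter, $e.Purpose)
        $failures++
        continue
    }
    $problems = @()
    if ($vol.FileSystem -ne 'NTFS') { $problems += "file system is $($vol.FileSystem), expected NTFS" }
    if ($e.Label -and $vol.FileSystemLabel -ne $e.Label) {
        $problems += "label is '$($vol.FileSystemLabel)', expected '$($e.Label)'"
    }
    # "Compress this drive" in Explorer sets the Compressed attribute on the volume root.
    if ((Get-Item "$($e.Letter):\" -Force).Attributes.HasFlag([IO.FileAttributes]::Compressed)) {
        $problems += 'volume is NTFS-compressed (unsupported by the installer)'
    }
    $disk = Get-Partition -DriveLetter $e.Letter -ErrorAction SilentlyContinue | Get-Disk
    if ($disk) { $diskOf[$e.Letter] = $disk.Number }

    if ($problems) {
        $failures++
        Write-Warning ("{0}: {1}" -f $e.Letter, ($problems -join '; '))
    } else {
        "{0}: OK  {1:N0} GB  ({2})" -f $e.Letter, ($vol.Size / 1GB), $e.Purpose
    }
}

# Data files, transaction logs and TempDB on one disk contend for the same spindles;
# the guide requires dedicated drives for the published rates. (Pairs are this example's choice.)
foreach ($pair in @(@('D', 'L'), @('D', 'T'), @('L', 'T'), @('C', 'D'))) {
    if ($diskOf.ContainsKey($pair[0]) -and $diskOf.ContainsKey($pair[1]) -and
        $diskOf[$pair[0]] -eq $diskOf[$pair[1]]) {
        $failures++
        Write-Warning ("{0}: and {1}: share disk {2}; put them on separate virtual disks" -f
            $pair[0], $pair[1], $diskOf[$pair[0]])
    }
}
"$failures problem(s) found"
```

Save it as a script and run it as `.\Test-LrVolumes.ps1 -Role PlatformManager` (or `-Role DataProcessor` on a DP, AIE or System Monitor host, where only C: and S: are expected). The disk-sharing check sees Windows disk numbers, so on a virtual machine it confirms that the volumes sit on separate virtual disks; whether those virtual disks also map to dedicated physical disks has to be confirmed at the RAID controller or hypervisor.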

Performance Requirements
The table in this section describes LogRhythm appliance platforms and performance specifications for each.
You can use this information to determine what kind of systems you will use for installing LogRhythm.
Review the Minimum Appliance Specifications columns for hardware, operating systems, and volume/disk
configurations. Identify any specifications that match systems in your own network. The systems you
identify are candidates for installing LogRhythm components (Platform Manager, Data Processor, and so
on).


The specifications provided are minimum requirements for your dedicated virtual machine and
dedicated hardware. Your system should be configured so that the end result has the minimum
specification requirement value or greater. If your hardware or virtual machine does not fit into an
existing appliance configuration, contact LogRhythm Professional Services to discuss a possible
custom installation. Collection rates are listed as a guideline. The rates may vary given different
hardware configurations and drivers.

The performance specifications are based on the following assumptions:


• 100% of logs are from Syslog
• Average raw log message size = 400 Bytes
• Average online log row size (includes index) = 900 Bytes
• Average online event row size (includes index) = 1,035 Bytes
• Average archive entry size = 400 Bytes
• Average archive compression rate = 20:1
• 100% of logs are archived
• 2% of the logs processed by the deployment are considered an Event (data of interest)
• 10% of Events are considered a Monitored Event based on Risk Based Priority (RBP)
Additional notes regarding performance specifications:
• Virtual Machines. Deploying on virtual machines incurs overhead. As a result, your actual performance will vary.
A performance degradation of 10-15% is expected when compared to running on a dedicated physical machine.
• Dedicated drives. LogRhythm is an I/O-intensive solution that requires dedicated physical drives to achieve the
published rates specified. LogRhythm makes no distinction between Direct Attached Storage (DAS) or Storage
Area Network (SAN), but the disk volumes must be dedicated.
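The assumptions above fix per-row sizes and ratios but leave the storage arithmetic to the reader. The following PowerShell function is an added example, not the guide's own sizing method or a LogRhythm sizing tool: it takes a sustained message rate and retention periods and returns online and archive storage estimates in GiB. The per-row sizes, the 2%/10% ratios and the 20:1 compression are the guide's stated assumptions; the formula (rate times seconds per day times row size times retention days), the default retention periods and the 15% virtualization allowance are this example's own assumptions.

```powershell
# Added capacity-planning helper derived from the sizing assumptions listed above.
# Not a LogRhythm tool. Defaults for row sizes and ratios come from the guide;
# retention defaults and the virtualization allowance are assumptions of this example.

function Get-LogRhythmStorageEstimate {
    param(
        [Parameter(Mandatory)] [double] $MessagesPerSecond,   # sustained average, not peak
        [int]    $OnlineRetentionDays     = 30,      # assumption
        [int]    $ArchiveRetentionDays    = 365,     # assumption
        [double] $OnlineLogRowBytes       = 900,     # online log row, including index
        [double] $OnlineEventRowBytes     = 1035,    # online event row, including index
        [double] $ArchiveEntryBytes       = 400,     # archive entry before compression
        [double] $ArchiveCompression      = 20,      # 20:1
        [double] $EventRatio              = 0.02,    # 2% of logs become Events
        [double] $MonitoredEventRatio     = 0.10,    # 10% of Events are Monitored Events
        [double] $VirtualizationOverhead  = 0.15     # upper end of the 10-15% VM degradation
    )

    $logsPerDay    = $MessagesPerSecond * 86400
    $eventsPerDay  = $logsPerDay * $EventRatio
    # Online storage holds every log row plus a separate row for each Event.
    $onlinePerDay  = ($logsPerDay * $OnlineLogRowBytes) + ($eventsPerDay * $OnlineEventRowBytes)
    # 100% of logs are archived; archive is compressed 20:1.
    $archivePerDay = ($logsPerDay * $ArchiveEntryBytes) / $ArchiveCompression

    [pscustomobject]@{
        MessagesPerSecond     = $MessagesPerSecond
        LogsPerDay            = [math]::Round($logsPerDay)
        EventsPerDay          = [math]::Round($eventsPerDay)
        MonitoredEventsPerDay = [math]::Round($eventsPerDay * $MonitoredEventRatio)
        OnlineGiB             = [math]::Round($onlinePerDay * $OnlineRetentionDays / 1GB, 1)
        ArchiveGiB            = [math]::Round($archivePerDay * $ArchiveRetentionDays / 1GB, 1)
        # A VM delivers (1 - overhead) of the physical rate, so to sustain the requested
        # rate on a VM choose a platform rated for this physical rate.
        PhysicalRateToSizeForOnVm = [math]::Round($MessagesPerSecond / (1 - $VirtualizationOverhead))
    }
}

# Example: a 5,000 message-per-second deployment with 30 days online and one year of archive.
Get-LogRhythmStorageEstimate -MessagesPerSecond 5000 | Format-List
```

Feed it the sustained rate you actually expect, not the appliance's rated maximum, and add headroom for the Elasticsearch disk-utilization limit described later in this guide; the function estimates data volume only, not the free space the indexer needs to keep running.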

Power Supply
LogRhythm recommends that all LogRhythm systems be connected to an uninterruptible power supply. A
power cut may cause an Elasticsearch failure that leads to a loss of indices.

Web Console Requirements

If your LogRhythm instance is deployed in a dark site, download the necessary standalone .NET
installers from Microsoft Support before beginning the upgrade. Otherwise, the Web Services
Installer will attempt to download it during the upgrade and the upgrade will fail without internet
connectivity.

You can install the Web Console software on a server, virtual server, or LogRhythm appliance that meets the
requirements listed in the following table.

LogRhythm currently supports up to three Web Console instances with 60 concurrent users. 


To avoid conflicts, it is recommended that Web Console users are either created manually or
through Active Directory (AD), but not both.

System Requirements

LogRhythm Appliance
Install the Web Console on any of the following LogRhythm appliance models:
• LR-WS3310 and LR-WS3410 LogRhythm Web Services Appliance (includes the Web Console installer)
• EM3300/XM4300 series appliances, with a memory upgrade to 64 GB
• XM6300/EM5300 series appliances, with a memory upgrade to 128 GB
• EM7300 series appliances
• PM5400 and PM7400 series appliances
• XM4400 and XM6400 series appliances

• Do not install the Web Console on older generation LogRhythm appliances, such as the LRX or LR series.
• Do not install the LogRhythm SOAP API service on the same appliance that is used to run the Web Console.
Note that the SOAP API is not the same service as the Case API. The Case API can be safely installed on the
same appliance as the Web Console.

Your own server
Install the Web Console on a server or virtual environment that meets the following specifications:
• Microsoft Windows Server 2008 R2, Microsoft Windows Server 2012 R2 (Enterprise or Standard edition), or
Microsoft Windows Server 2016; 64-bit
• 4 cores, 2 GHz or more
• 32 GB RAM
• 300 GB for the operating system and data

Web Console UI
You can access the Web Console UI from any computer running Google Chrome, Mozilla Firefox, Microsoft
Edge, or Internet Explorer 11.

The Web Console requires certain ports for its use, as listed in the following table.


Port Requirements

SSL Default Port (8443/443)


The Web Console is configured to use Port 8443 for SSL by default. This
avoids potential conflicts with the LogRhythm Mediator that uses Port
443 on XM systems. If you are not installing the Web Console on the same
system as the LogRhythm Mediator, you can change the port to 443 or to
another port number during the installation.

Port 8501
During installation, port 8501 is opened for the LogRhythm API Gateway. This port provides routing, load
balancing, SSL termination, and authentication termination for deployed Web Services.

Port 43
To execute a whois query using contextualization, port 43 must be
opened. For more information on using contextualization, see Use
Contextualize.

Virtualization Platform Considerations


The LogRhythm software can be deployed on physical, virtual or cloud environments. The LogRhythm
Appliance Platforms are validated and tested using known resource quantities at specific log processing and
indexing rates. When deploying LogRhythm on virtualized or cloud environments, it is important to consider
best practices, underlying resource availability, and the overhead associated with virtualization.
• Data Collectors. Receive, collect, and forward log data. Their light footprint makes these systems good
candidates for virtualization.
• Data Processors. Handle processing, data enrichment, and data distribution to the other LogRhythm
components. These systems rely heavily on CPU and Memory resources while also needing access to large disks
for Long Term Archives.
• Data Indexers. Indexing and search of log data through Elasticsearch. These systems can be run in a clustered
configuration with resource utilization focused on CPU and disk I/O.

New installations of the Data Indexer on Windows are only supported in an XM configuration.

• Platform Manager. Centralized configuration management, knowledge base data, alarming, and reporting,
running on a SQL backend. Standalone Platform Managers focus on memory and disk I/O utilization. In smaller
environments, however, AIE and the Web Console may be run on these systems, increasing the resource
requirements.
• AIE. The advanced real-time correlation engine requires CPU and memory resources for long-term trend analysis.
• Web Console. User-friendly Web interface to the threat lifecycle; requires mostly CPU and memory resources.

Planning system resources for each of these components will depend on the data volume and use cases for
each component. LogRhythm Appliance Platforms provide known performance and resource allocations,
allowing customers to scale using known quantities. In many cases, a customer will elect to split up
LogRhythm roles onto their own individual systems rather than running a single, very large instance (XM).

Virtualization Resource Considerations


LogRhythm performs testing and validation of all components using physical hardware. However, the entire
LogRhythm ecosystem can be run virtually or in the cloud when provided with adequate resourcing.
• CPU. When planning CPU resources in a shared environment, you must consider context switching and wait
times associated with CPU core availability through the hypervisor. For this reason, LogRhythm recommends
using vCPU reservations through the hypervisor to ensure appliance specification rates can be met.
    • Considerations should be made when hyperthreading is being used — LogRhythm vCPU counts assume
    hyperthreaded cores.
    • Additionally, it is important to observe the percentage of CPU idle time over the course of the deployment.
    A value more than 10% of CPU idle time is an indication of hardware performance issues, which are likely
    to impact LogRhythm.
• Memory. Memory management within virtualized environments should always provide enough memory for all
guests on the hypervisor with overhead available for the hypervisor itself. Overcommitting memory will result in
poor performance and stability issues within the LogRhythm ecosystem. For LogRhythm Appliances requiring
large memory footprints, non-uniform memory access (NUMA) boundaries should be considered. Guests should
not be allocated CPU or memory resources beyond that which can be provided within a single NUMA boundary.
• Disk Volumes. Data Indexers and Platform Managers rely heavily on disk size, IOPS, random seek, and overall
capacity.
    • The Data Indexer will use all disk resources available to the system, and it requires a high baseline of
    resources based on the Appliance Platform. For this reason, LogRhythm requires that dedicated disk
    resources be committed to the system.
    • Shared storage removes any benefit associated with Data Indexer clustering since all systems in the
    cluster participate in searching and indexing of data — the use of shared disks is not supported.
    • Many flash-optimized storage solutions provide IOPS rates based on optimized data, which is usually a
    small subset of the data on the SAN. For this reason, it is recommended to use IOPS calculations for the
    disks where LogRhythm data stores exist, not the small flash-optimized data. This is particularly true of
    Data Indexers because data used for searching will most certainly exceed the flash-optimized storage
    tier.
    • Each LogRhythm logical volume should be provisioned on its own logical unit number (LUN) and not
    shared with other virtual infrastructure or other LogRhythm components.
    • Storage connectivity should realize an average latency of 10 ms or less. Higher latencies can cause
    unpredictable behavior, particularly with the Platform Manager and Data Indexer.
• Networking. Communication between LogRhythm Core Components, particularly Data Indexer clusters,
requires low latency and line-speed 1 Gb/s links, at a minimum.

Virtualization Deployment Best Practices


The following best practices will allow LogRhythm to make the most of the resources available in a
virtualized environment. Note, however, that the performance and stability of the system relies 100% on the
quality of the underlying hardware.


Virtual Host (Hypervisor) Requirements


• Intel server class x86-64-bit chip architecture with hyperthreading.
• Dedicated disk volumes following IOPS/RAID specifications of the appliance platform.
• IOPS numbers should be compared using disks that store LogRhythm data and using nonoptimized random
seek per second, not sequential — automated storage tiering solutions are strongly discouraged.

Virtual Machine System Requirements


• Full reservations for vCPU and vMemory with no CPU or memory over-commitment on the physical hosts.
• Where applicable, install hypervisor integration services/tools on platform guest VMs (PM, DP, AIE, DX, DC, etc.).
• Where applicable, enhanced network controllers should be used.
• Provision virtual disks as Eager Zero Thick where applicable.
• Avoid NFS disks due to higher latency, network variations, and file locking issues.

Virtualization Redundancy and High Availability


There are a number of solutions native to hypervisors that are designed to provide high availability and
dynamic resource migrations. While these solutions are not formally tested with the LogRhythm ecosystem,
users should be aware of the additional overhead associated with these solutions and the impact that they
could have on LogRhythm.

Virtualization Snapshots and Backups


LogRhythm provides native backup mechanisms for the SQL databases on the PM and for archives. When
combined, these two can be used to restore a LogRhythm deployment back to 100% functionality and
historical data. For this reason, and due to the disk I/O penalties associated with snapshots, customers are
strongly discouraged from taking snapshots of their LogRhythm systems in a virtual environment. If needed,
OS-level backups can be done using third-party software, but they are not required for LogRhythm system
restoration.

Networking and Communication


There are general guidelines, considerations, and standards to consider prior to deploying your solution
within a network. This page covers the networking and communication considerations and requirements to
help you deploy your solution.

LogRhythm Networking Considerations

LogRhythm Server IP Addresses


LogRhythm appliances include multiple network interfaces to accommodate different deployment
topologies. All IP addresses should be statically assigned or reserved to avoid IP changes. For many
topologies, best practice is to use one of the 1Gb interfaces as management and one of the 10Gb interfaces
for data. 


DNS Resolution
It is recommended that the LogRhythm server acting as the Platform Manager be entered into DNS so it is
addressable by name.

Domain Membership
A LogRhythm server does not need to be a member of the Windows Domain to function correctly. However,
LogRhythm recommends adding it to make remote event log collection easier to manage.

Active Directory Group Based Authorization requires the Platform Manager to be a Domain member
to function correctly.

Remote Event Log Collection User Account


A special user account must be created on the domain for remote event log collection. For more information,
see Windows Event Log Collection.

LogRhythm Networking Communications


LogRhythm components communicate over TCP, UDP, or HTTPS on specific ports. TLS is used when
receiving logs at the Data Processor from the LogRhythm System Monitor and also when sending logs from
the Data Processor to AI Engine. The diagram below shows the communication between the components
and the specific protocols and ports used.


The following table lists all network communications and interactions within a LogRhythm deployment. It
can assist system and network administrators with configuration of network access control devices and
software.

Port 8301 must be opened for TCP and UDP traffic on all hosts in your deployment, with the
exception of Client Console and Agent hosts. 8301 is the bi-directional communication port used
between all Consul hosts. If the port is blocked, hosts in your deployment will not be able to join the
Consul cluster. No log data or customer data is passed between hosts on this port—it is only used
for membership communication between LR hosts. See Consul Communications for more
information.

Additionally, network address translation (NAT) cannot be used between core components (AIE, DP,
DX, PM, Web). All communications between these components must be real IP to real IP.

Client | Client Port | Server | Server Port | Protocol | Purpose

LogRhythm Components
AI Engine | 8300 | Platform Manager | 8300 | TCP | Incoming RPC requests from client Consul instances
AI Engine | 8501 | Platform Manager | 8501 | HTTPS | Auth/config/search requests between API Gateway on AIE and PM
AI Engine | 3334, 3335 | Data Processor | 30000, 30001 | TCP | AIE Data Provider on DP forwarding log data to AIE Comm Manager
AI Engine | 8301 | Platform Manager | 8301 | TCP/UDP | Cluster membership and inter-node communications between Consul instances
AI Engine | Random | Platform Manager | 1433 | TCP | Configuration details from EMDB on PM
All (common components)¹ | Random | Platform Manager | 8076 | TCP | Sending metrics data to the PM (Metrics DB)
Client Console | 8501 | Data Indexer | 8501 | HTTPS | Auth/config/search requests between API Gateway on Console and DX
Client Console | 8501 | Platform Manager | 8501 | HTTPS | Auth/config/search requests between API Gateway on Console and PM
Client Console | Random | Platform Manager | 1433 | TCP | Console SQL Server access to PM EMDB
Client Web Browser | Random | Web Console | 8443 | HTTPS | The SSL port to use for accessing the Web Console
Client Web Browser | Random | Data Indexer | 8111 | HTTPS | Web UI for visualization of metrics stored on Linux
Client Web Browser | Random | Data Indexer | 8110 | HTTPS | Web UI for visualization of metrics stored on Windows
Client Web Browser | Random | Data Indexer | 9100 | HTTPS | Configuration of the Windows DX
Client Web Browser | Random | Data Indexer | 80, 443 | HTTPS | Configuration of the Linux DX (port 80 is forwarded to 443)
Data Indexer | Random | Platform Manager | 1433 | TCP | DX SQL Server access to PM EMDB
Data Indexer | 8501 | Platform Manager | 8501 | HTTPS | Auth/config/search requests between API Gateway on DX and PM
Data Indexer | 8300 | Platform Manager | 8300 | TCP | Incoming RPC requests from client Consul instances
Data Indexer | 8301 | Platform Manager | 8301 | TCP/UDP | Cluster membership and inter-node communications between Consul instances
Data Processor | 8501 | Data Indexer | 8501 | HTTPS | Auth/config/search requests between API Gateway on DP and DX
LR API | Random | Platform Manager | 1433 | TCP | Bidirectional connection between LR API and PM
LR KB Update | not applicable | Platform Manager | 80, 443 | TCP | Bidirectional connection for KB updates
Platform Manager | 8301 | Data Processor | 8301 | TCP/UDP | Cluster membership and inter-node communications between Consul instances
Platform Manager | 8300 | Data Processor | 8300 | TCP | Incoming RPC requests from client Consul instances
Platform Manager | 8501 | Data Processor | 8501 | HTTPS | Auth/config/search requests between API Gateway on DP and PM
Platform Manager | Random | Data Processor | 1433 | TCP | DP SQL Server access to PM EMDB
System Monitor/Data Collector | 0 (formerly 3333) | Data Processor | 40000 | TCP | Forwards raw log data to the DP when running in Unidirectional Agent mode
System Monitor/Data Collector | 0 (formerly 3333) | Data Processor | 443 | TCP | Forwards raw log data to the DP when running in Bidirectional Mode
Web Console | 8300 | Platform Manager | 8300 | TCP | Incoming RPC requests from client Consul instances
Web Console | 8501 | Platform Manager | 8501 | HTTPS | Auth/config/search requests between API Gateway on Web and PM
Web Console | 8501 | Data Indexer | 8501 | HTTPS | Auth/config/search requests between API Gateway on Web and DX
Web Console | Random | Platform Manager | 1433 | TCP | Web Console SQL Server access to PM Events DB
Web Console | 8301 | Platform Manager | 8301 | TCP/UDP | Cluster membership and inter-node communications between Consul instances

Notifications and Alerts
LogRhythm Platform Manager and Web Console | Random | SMTP Server | 25 | TCP | Unidirectional, Client Initiated
LogRhythm Platform Manager | Random | SNMP Manager | 162 | UDP | Unidirectional, Client Initiated
LogRhythm Platform Manager | ** | McAfee ePO Server | ** | ** | **

Devices Sending Logs
UDP Syslog Device | Random | LogRhythm Agent | 514 | UDP | Unidirectional
TCP Syslog Device | Random | LogRhythm Agent | 514 | TCP | Unidirectional
NetFlow v1, v5 or v9 Device | Configurable | LogRhythm Agent | 5500 | UDP | Unidirectional
IPFIX Device | Configurable | LogRhythm Agent | 5500 | UDP | Unidirectional
J-Flow Device | Configurable | LogRhythm Agent | 5500 | UDP | Unidirectional
sFlow Device | Configurable | LogRhythm Agent | 6343 | UDP | Unidirectional
SNMP Trap Device | Configurable | LogRhythm Agent | 161 | UDP | Unidirectional

Remote Log Collection
LogRhythm Agent | Random | Windows Host (Windows Event Logs) | 135, 137, 138, 139, 445 | TCP/RPC | Bidirectional, Client Initiated
LogRhythm Agent (UDLA) | Random | Database Server | DB Server dependent* | TCP/ODBC | Bidirectional, Client Initiated
LogRhythm Agent | Random | Check Point Firewall | 18184 | TCP/OPSEC LEA | Bidirectional, Client Initiated
LogRhythm Agent | Random | Cisco IDS (SDEE) | 443 | TCP/HTTPS | Bidirectional, Client Initiated
LogRhythm Agent | Random | Nessus Server | 8834 | TCP/HTTPS | Bidirectional, Client Initiated
LogRhythm Agent | Random | Qualys Server | 443 | TCP/HTTPS | Bidirectional, Client Initiated
LogRhythm Agent | Random | Metasploit Server | 3790 | TCP/HTTPS | Bidirectional, Client Initiated
LogRhythm Agent | Random | Nexpose Server | 3780 | TCP/HTTPS | Bidirectional, Client Initiated
LogRhythm Agent | Random | Retina Server | 1433 | TCP/ODBC | Bidirectional, Client Initiated
LogRhythm Agent | 4444 | eStreamer Server | 8302 | TCP/HTTPS | Bidirectional, Client Initiated

¹ Metrics are collected from all components included in the LogRhythm Infrastructure Installer. This does not
include standalone System Monitors or Client Consoles.
* The server port for UDLA collection will vary based on the database server being queried.
(SQL Server default = TCP 1433; MySQL default = TCP 3306; Oracle default = TCP 1521; DB2 default = TCP 50000)
** LogRhythm alarms are forwarded to ePO via the McAfee agent installed on a Platform Manager. To
determine the ports utilized by McAfee agents and the ePO server, see your McAfee ePO documentation and
configuration.

The Web Console Case API uses dynamic ports in the range of 20000-30000. These are listening
ports used for loopback purposes and do not require any firewall changes.
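To turn the communications table above into per-host inbound firewall rules, and to show why the 8301 note above is needed (the table lists Consul rows only for some component pairs), here is an added Python example that is not part of the LogRhythm guide. FLOWS is a constructed subset of the core-component rows, and the netsh rendering is one possible output, not a LogRhythm-supplied script.

```python
"""Per-host inbound rules derived from the communications table above.

Added example, not a LogRhythm tool. FLOWS is a constructed subset of the
table (core-component rows only: client, server, server port, protocol);
client ports are omitted because inbound rules on the server do not use them.
The netsh rendering is one possible output, not a LogRhythm-supplied script.
"""
from collections import defaultdict

FLOWS = [
    ("AI Engine", "Platform Manager", "8300", "TCP"),
    ("AI Engine", "Platform Manager", "8501", "HTTPS"),
    ("AI Engine", "Data Processor", "30000, 30001", "TCP"),
    ("AI Engine", "Platform Manager", "8301", "TCP/UDP"),
    ("AI Engine", "Platform Manager", "1433", "TCP"),
    ("Client Console", "Platform Manager", "1433", "TCP"),
    ("Client Web Browser", "Web Console", "8443", "HTTPS"),
    ("Client Web Browser", "Data Indexer", "80, 443", "HTTPS"),
    ("Data Indexer", "Platform Manager", "1433", "TCP"),
    ("Data Indexer", "Platform Manager", "8501", "HTTPS"),
    ("Data Indexer", "Platform Manager", "8300", "TCP"),
    ("Data Indexer", "Platform Manager", "8301", "TCP/UDP"),
    ("Data Processor", "Data Indexer", "8501", "HTTPS"),
    ("Platform Manager", "Data Processor", "8301", "TCP/UDP"),
    ("Platform Manager", "Data Processor", "8300", "TCP"),
    ("Platform Manager", "Data Processor", "8501", "HTTPS"),
    ("Platform Manager", "Data Processor", "1433", "TCP"),
    ("System Monitor/Data Collector", "Data Processor", "40000", "TCP"),
    ("System Monitor/Data Collector", "Data Processor", "443", "TCP"),
    ("Web Console", "Platform Manager", "8300", "TCP"),
    ("Web Console", "Platform Manager", "8501", "HTTPS"),
    ("Web Console", "Data Indexer", "8501", "HTTPS"),
    ("Web Console", "Platform Manager", "1433", "TCP"),
    ("Web Console", "Platform Manager", "8301", "TCP/UDP"),
]

# The core components named in the 8301 note above.
CORE = ("Platform Manager", "Data Processor", "Data Indexer", "AI Engine", "Web Console")
CONSUL_PORT = 8301


def parse_ports(spec: str) -> list[int]:
    """'80, 443' -> [80, 443]; '9300-9400' -> every port in the range."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    return ports


def transports(protocol: str) -> tuple[str, ...]:
    """Map the table's Protocol column to L4 transports (HTTPS rides on TCP)."""
    p = protocol.upper()
    if p == "TCP/UDP":
        return ("TCP", "UDP")
    if p == "UDP":
        return ("UDP",)
    return ("TCP",)  # TCP, HTTPS, and TCP/<app> variants such as TCP/ODBC


def inbound_rules(flows):
    """{server: {(transport, port): set of clients}} for each server host."""
    rules = defaultdict(lambda: defaultdict(set))
    for client, server, spec, proto in flows:
        for t in transports(proto):
            for port in parse_ports(spec):
                rules[server][(t, port)].add(client)
    return rules


def missing_consul(rules, core=CORE) -> list[str]:
    """Core hosts lacking inbound 8301 on both TCP and UDP: they cannot join the Consul cluster."""
    return [h for h in core
            if ("TCP", CONSUL_PORT) not in rules.get(h, {})
            or ("UDP", CONSUL_PORT) not in rules.get(h, {})]


def with_consul_mesh(flows, core=CORE):
    """Add the 8301 TCP/UDP rows the note above requires between every pair of core hosts."""
    mesh = [(c, s, str(CONSUL_PORT), "TCP/UDP") for c in core for s in core if c != s]
    return list(flows) + mesh


def netsh_commands(rules, server: str) -> list[str]:
    """Render inbound Windows Firewall allow rules for one server host."""
    return [
        f'netsh advfirewall firewall add rule name="LogRhythm {server} {t} {port}" '
        f"dir=in action=allow protocol={t} localport={port}"
        for (t, port) in sorted(rules.get(server, {}))
    ]


if __name__ == "__main__":
    rules = inbound_rules(FLOWS)
    print("core hosts lacking Consul 8301 in the explicit rows:", missing_consul(rules))
    print("after adding the Consul mesh:", missing_consul(inbound_rules(with_consul_mesh(FLOWS))))
    for cmd in netsh_commands(rules, "Platform Manager"):
        print(cmd)
```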

Data Indexer - Inbound Ports

The table below lists DX appliance ports that should be open to enable communications from other
components.

Appliance | Protocol | Inbound Port | Received From... | Operating System | Purpose
DX - AllConf | TCP | 80, 443 | Client Web Browser | Linux | Configuration of the DX; port 80 is forwarded to 443
DX - Consul | TCP | 8112 | Client Web Browser | Linux | Consul administration dashboard
DX - Grafana | TCP | 8111 | Client Web Browser | Linux | Grafana dashboard on Linux
DX - Grafana | TCP | 8110 | Client Web Browser | Windows | Grafana dashboard on Windows
DX - InfluxDB | TCP | 8086 | Inbound to DX | Windows & Linux | Admin queries to InfluxDB
PM - Disaster Recovery | TCP | 5022 | Inter-node Disaster Recovery communication | Windows | Port used for replication requests in Disaster Recovery deployments
PM - SQL | TCP | 1433 | Carpenter and Bulldozer on DX | Windows & Linux | SQL Server access to EMDB
LogRhythm API Gateway | HTTPS | 8501 | API Gateway | Windows & Linux | Enables secure, load balanced, and discoverable service-to-service communication. Required to use the JWT from the Authentication API.
Consul | TCP/UDP | 8300, 8301 | Service Registry | Windows & Linux | Establishes a secure cluster between the LogRhythm hosts in a deployment, not including agents

Data Indexer - Local Ports

The table below lists ports that are used locally or for inter-component communication on the Data Indexer.

Service | Protocol | Port | Direction | Operating System | Purpose
AllConf | TCP | 9100 | DX Local Only | Windows | Web UI for configuring the Data Indexer
ConfigServer | TCP | 13000 | DX Local Only | Windows & Linux | Listens for configuration requests
ConfigServer | TCP | 13001, 13002, 13004 | DX Local Only | Windows & Linux | ConfigServer internal processing
ConfigServer | TCP | 13003 | DX Local Only | Windows & Linux | Listens for AllConf page requests
Columbo | TCP | 13131, 13133 | DX Local Only | Windows & Linux | Columbo internal processing
Consul | TCP/UDP | 8300, 8301 | Inter-node | Windows & Linux | Nodes in cluster sharing keys
Consul | TCP/UDP | 8112 | DX Local | Linux | Consul administration dashboard
Consul | TCP/UDP | 8500 | DX Local Only | Windows | Consul administration dashboard
Elasticsearch | TCP | 9200 | DX Local Only | Windows & Linux | Curl queries to Elasticsearch
Elasticsearch | TCP | 9300-9400 | Inter-node | Linux | Replication and federation across nodes
Grafana | TCP | 8111 | DX Local | Linux | Grafana dashboard on Linux
Grafana | TCP | 8110 | DX Local | Windows | Grafana dashboard on Windows
InfluxDB | TCP | 8083 | DX Local | Windows & Linux | Admin queries to InfluxDB
InfluxDB | TCP | 8086 | Inter-node | Windows & Linux | Vitals on a node writing to InfluxDB
Spawn | TCP | 14501 | DX Local Only | Windows & Linux | CloudAI: Replicates data to CloudAI
Transporter | TCP | 16000 | DX Local Only | Windows & Linux | HTTP/REST interface to the Data Indexer
Vitals | TCP | 13200 | DX Local Only | Windows & Linux | Listens for stats to monitor Data Indexer health

Agent to Data Processor Communications


Agents communicate with Data Processors via a secure, proprietary TCP-based application protocol.
Communications are encrypted with TLS using either unilateral or bilateral authentication. The TCP port
Agents send data from, and the TCP port Data Processors listen on, are user configurable.

Unidirectional Agent Communication


LogRhythm provides support for secure transmission from an unclassified server to a top secret server. The
System Monitor Agents support unidirectional communication without receiving any control or data
transmissions from the Data Processor or Platform Manager. The table and diagram below show the
unidirectional communication from the Agent(s) within the unclassified sector to the Data Processor within
the top secret sector. Starting with LogRhythm 6.1.2, multiple agents are supported.

Client | Client Port | Server | Server Port | Protocol | Communications
LogRhythm Agent | 3333 | LogRhythm Data Processor | 40000¹ | TCP | Unidirectional
Web Console Client | Random | LogRhythm Web Server | 8443 | HTTPS | Bidirectional, Client Initiated
Web Console Client | Random | Data Indexer | 13130, 13132 | TCP | Bidirectional, Client Initiated

¹ After upgrading to 6.20, the default port is 40000. However, any existing mediators will retain the value they
had before the upgrade.

Consul Communications
All core LogRhythm components—PM, DP, DX, AIE, Web—must allow incoming and outgoing connections on
port 8301 over TCP/UDP to enable Consul communications with one another.


Select a Method of Deploying LogRhythm


Gen5 Reference Architecture
The following tables provide platform architecture and specifications to help you in selecting your own
system for deploying LogRhythm.

New installations of the Data Indexer are only supported on the Linux platform. The Data Indexer is
only supported on Windows in an XM configuration or when upgrading the Gen3 LM appliance.

SAN storage is supported only in LogRhythm's software-only solution and not in LogRhythm
appliances. With respect to appliances, SAN storage is supported only for inactive archives.

Virtual Platforms

These virtual platforms are for labs use only. They are not intended for production use.

Columns: Reference Platform | Performance (MPS) | Hardware | Operating System | Disk/Vol 1 Config | Disk/Vol 2 Config

LR-XMVS (combined PM, DP, DX virtual server)
  Performance (MPS):
    Data Processor: Max Processing Rate: 500
    Data Indexer: Max Indexing Rate: 500
    Platform Manager: Max LogMart Rate: 50; Max Events Rate: 25
  Hardware: 8 vCPU; 32 GB RAM; 1 NIC
  Operating System: Windows 2016 x64 Standard Edition
  Disk/Vol 1 Config: Disk: Recommended IOPS: 150. Logical Volume: C Drive (100 GB), L Drive (20 GB), T Drive (10 GB)
  Disk/Vol 2 Config: Disk: Recommended IOPS: 150. Logical Volume: D Drive (150 GB)

LR-PMVS1 (dedicated PM virtual server)
  Performance (MPS): Platform Manager: Max LogMart Rate: 50; Max Events Rate: 25
  Hardware: 4 vCPU; 16 GB RAM; 1 NIC
  Operating System: Windows 2016 x64 Standard Edition
  Disk/Vol 1 Config: Disk: Recommended IOPS: 150. Logical Volume: C Drive (100 GB), L Drive (20 GB), T Drive (10 GB)
  Disk/Vol 2 Config: Disk: Recommended IOPS: 150. Logical Volume: D Drive (150 GB)

LR-DPVS1 (dedicated DP virtual server)
  Performance (MPS): Data Processor: Max Processing Rate: 500
  Hardware: 4 vCPU; 8 GB RAM; 1 NIC
  Operating System: Windows 2016 x64 Standard Edition
  Disk/Vol 1 Config: Disk: Recommended IOPS: 150. Logical Volume: C Drive (100 GB), D Drive (50 GB)
  Disk/Vol 2 Config: not applicable

LR-DXVS1 (dedicated DX virtual server)
  Performance (MPS): Data Indexer: Max Indexing Rate: 500
  Hardware: 4 vCPU; 16 GB RAM; 1 NIC
  Operating System: CentOS 7.6 or RHEL 7
  Disk/Vol 1 Config: Disk: Recommended IOPS: 150. Logical Volume: OS Drive (100 GB)
  Disk/Vol 2 Config: Disk: Recommended IOPS: 150. Logical Volume: Data Drive (150 GB)


Data Collector
Columns: Reference Platform | Performance (MPS) | Hardware | Operating System | Disk/Vol 1 Config

LR-DC3400 Series
  Performance (MPS): Max Collection Rate: 25,000
  Hardware: 1 x 3.0 GHz 4 Core CPU (12 GHz total); 4 vCPU; 16 GB RAM; H330 RAID controller; 2 x 1 Gigabit Ethernet NICs
  Operating System: Windows 2016 x64 Standard Edition
  Disk/Vol 1 Config:
    Physical Disk: 2 x 300 GB 10K RPM SAS RAID 1; Hardware IOPS: 150; Recommended IOPS: 150
    Virtual Disk: 278 GB usable
    Logical Volume: C Drive (200 GB), D Drive (78 GB)

Web Console
Columns: Reference Platform | Performance (MPS) | Hardware | Operating System | Disk/Vol 1 Config | Disk/Vol 2 Config

LR-WC3400 Series
  Performance (MPS): Web Console: Max Event Rate: 1,000; Max Users: 35
  Hardware: 1 x 2.6 GHz 8 Core CPU; 16 vCPU; 32 GB RAM; H730 RAID controller with 2GB Cache; 2 x 1 Gigabit Ethernet NICs
  Operating System: Windows 2016 x64 Standard Edition
  Disk/Vol 1 Config:
    Physical Disk: 2 x 300 GB 10K RPM SAS RAID 1; Hardware IOPS: 150; Recommended IOPS: 150
    Virtual Disk: 278 GB usable
    Logical Volume: C Drive (278 GB)
  Disk/Vol 2 Config:
    Physical Disk: 2 x 400 GB SSD SATA; 3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 1,000
    Virtual Disk: 368 GB usable
    Logical Volume: D Drive (368 GB)


XM
Columns: Reference Platform | Performance (MPS) | Hardware | Operating System | Disk/Vol 1 Config | Disk/Vol 2 Config | Disk/Vol 3 Config

LR-XM4500 Series (combined PM, DP, DX, AIE, Web, DC)
  Performance (MPS):
    Data Processor: Max Processing Rate: 2,000
    Data Indexer: Indexing Rate: 2,000
    Platform Manager: Max LogMart Rate: 20; Max Events Rate: 20
  Hardware: 1 x 2.2 GHz 10 Core CPU; 20 vCPU; 96 GB RAM; PERC H740 Integrated RAID Controller with 8GB Cache; 2 x 10 Gb/s NICs; 2 x 1 Gb/s NICs
  Operating System: Windows 2016 x64 Standard Edition
  Disk/Vol 1 Config:
    Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
    Virtual Disk: 220 GB usable
    Logical Volume: OS Drive (220 GB)
  Disk/Vol 2 Config:
    Physical Disk: 6 x 600 GB 10K RPM SAS; RAID 5 + 1 HS; Hardware IOPS: 450; Recommended IOPS: 450
    Virtual Disk: 2.2 TB usable
    Logical Volume: D Drive (2033 GB), L Drive (150 GB), T Drive (50 GB)
  Disk/Vol 3 Config:
    Physical Disk: 2 x 400 GB SSD SATA; 3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 500
    Virtual Disk: 368 GB usable
    Logical Volume: S Drive (368 GB)

LR-XM6500 Series (combined PM, DP, DX, AIE, Web, DC)
  Performance (MPS):
    Data Processor: Max Processing Rate: 5,000
    Data Indexer: Max Indexing Rate: 5,000
    Platform Manager: Max LogMart Rate: 100; Max Events Rate: 100
  Hardware: 2 x 2.2 GHz 10 Core CPU; 40 vCPU; 196 GB RAM; PERC H740 Integrated RAID Controller with 8GB Cache; 2 x 10 Gb/s NICs; 2 x 1 Gb/s NICs
  Operating System: Windows 2016 x64 Standard Edition
  Disk/Vol 1 Config:
    Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
    Virtual Disk: 220 GB usable
    Logical Volume: OS Drive (220 GB)
  Disk/Vol 2 Config:
    Physical Disk: 14 x 1.2 TB 10K RPM SAS; RAID 5 + 1 HS; Hardware IOPS: 1233; Recommended IOPS: 1233
    Virtual Disk: 13600 GB usable
    Logical Volume: D Drive (13000 GB), L Drive (600 GB)
  Disk/Vol 3 Config:
    Physical Disk: 2 x 480 GB SSD SATA; 3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 1,000
    Virtual Disk: 440 GB usable
    Logical Volume: S Drive (390 GB), T Drive (50 GB)

LR-XM8500 Series (combined PM, DP, DX, AIE, Web, DC)
  Performance (MPS):
    Data Processor: Max Processing Rate: 10,000
    Data Indexer: Max Indexing Rate: 10,000
    Platform Manager: Max LogMart Rate: 200; Max Events Rate: 200
  Hardware: 2 x 3.0 GHz 12 Core CPU; 48 vCPU; 256 GB RAM; PERC H740 Integrated RAID Controller with 8GB Cache; 2 x 10 Gb/s NICs; 2 x 1 Gb/s NICs
  Operating System: Windows 2016 x64 Standard Edition
  Disk/Vol 1 Config:
    Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
    Virtual Disk: 220 GB usable
    Logical Volume: OS Drive (220 GB)
  Disk/Vol 2 Config:
    Physical Disk: 24 x 1.2 TB 10K RPM SAS; RAID 5 + 1 HS; Hardware IOPS: 2538; Recommended IOPS: 2538
    Virtual Disk: 24568 GB usable
    Logical Volume: D Drive (23568 GB), L Drive (1000 GB)
  Disk/Vol 3 Config:
    Physical Disk: 2 x 800 GB SSD SATA; 3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 1,500
    Virtual Disk: 736 GB usable
    Logical Volume: S Drive (686 GB), T Drive (50 GB)


Platform Manager
Referen Performan Hardware Oper Disk/Vol 1 Disk/Vol 2 Disk/Vol 3 Disk/Vol 4
ce ce (MPS) ating Config Config Config Config
Platfor Syste
m m

LR- Wind not


Platform • 1 x 2.2 GHz 10 Physical Physical Physical
PM5500 ows applicable
Manager: Core CPU Disk: Disk: Disk:
Series 2016
• 20 vCPU
• Max x64 • 2 x 240 • 8 x 600 • 2 x 480
• 128 GB RAM
LogMar Stand GB M.2 GB 15K GB SSD
• PERC H740
t Rate: ard SSD RPM SATA
Integrated
800 Editio • 0.3 SAS • 3 DWPD
RAID
• Max n DWPD • RAID 10 • RAID 1
Controller
Events • RAID 1 • Hardwa • Hardwa
with 8GB
Rate: • Hardwa re IOPS: re IOPS:
Cache
400 re IOPS: 1,128 85,000
• 2 x 10 Gb/s
85,000 • Recom • Recom
NICs
• Recom mended mended
• 2 x 1 Gb/s
mende IOPS: IOPS:
NICs
d IOPS: 1,128 500
150
Virtual Virtual
Virtual Disk: Disk:
Disk:
• 2200 GB • 440 GB
• 220 GB usable usable
usable
Logical Logical
Logical Volume: Volume:
Volume:
• D Drive • S Drive
• OS (2000 (390 GB)
Drive GB) • T Drive
(220 • L Drive (50 GB)
GB) (200 GB)

LR-PM7500 Series
Performance (MPS): Platform Manager: Max LogMart Rate: 2,000; Max Events Rate: 1,000
Hardware:
• 2 x 2.6 GHz 12 Core CPU
• 48 vCPU
• 196 GB RAM
• PERC H740 Integrated RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol 1 Config:
• Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
• Virtual Disk: 220 GB usable
• Logical Volume: OS Drive (220 GB)
Disk/Vol 2 Config:
• Physical Disk: 18 x 900 GB 15K RPM SAS; RAID 10; Hardware IOPS: 2538; Recommended IOPS: 2538
• Virtual Disk: 7452 GB usable
• Logical Volume: D Drive (7452 GB)
Disk/Vol 3 Config:
• Physical Disk: 4 x 900 GB 15K RPM SAS; RAID 10; Hardware IOPS: 564; Recommended IOPS: 564
• Virtual Disk: 1656 GB usable
• Logical Volume: L Drive (1656 GB)
Disk/Vol 4 Config:
• Physical Disk: 2 x 1 TB SSD SATA; 3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 1,000
• Virtual Disk: 920 GB usable
• Logical Volume: S Drive (870 GB); T Drive (50 GB)

Data Processor

LR-DP5500 Series
Performance (MPS): Data Processor: Max Processing Rate: 15,000
Hardware:
• 1 x 2.6 GHz 12 Core CPU
• 24 vCPU
• 64 GB RAM
• PERC H740 Integrated RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol 1 Config:
• Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
• Virtual Disk: 220 GB usable
• Logical Volume: OS Drive (220 GB)
Disk/Vol 2 Config:
• Physical Disk: 4 x 2 TB 7.2K RPM SAS; RAID 5 + 1 HS; Hardware IOPS: 148; Recommended IOPS: 148
• Virtual Disk: 3.6 TB usable
• Logical Volume: D Drive (3.6 TB)
Disk/Vol 3 Config:
• Physical Disk: 2 x 1 TB SSD SATA; 3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 750
• Virtual Disk: 920 GB usable
• Logical Volume: S Drive (920 GB)

LR-DP7500 Series
Performance (MPS): Data Processor: Max Processing Rate: 40,000
Hardware:
• 2 x 3.0 GHz 12 Core CPU
• 48 vCPU
• 128 GB RAM
• PERC H740 Integrated RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol 1 Config:
• Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
• Virtual Disk: 220 GB usable
• Logical Volume: OS Drive (220 GB)
Disk/Vol 2 Config:
• Physical Disk: 8 x 2 TB 7.2K RPM SAS; RAID 5 + 1 HS; Hardware IOPS: 395; Recommended IOPS: 395
• Virtual Disk: 11 TB usable
• Logical Volume: D Drive (11 TB)
Disk/Vol 3 Config:
• Physical Disk: 2 x 2 TB SSD SATA; 3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 1500
• Virtual Disk: 1.8 TB usable
• Logical Volume: S Drive (1.8 TB)

Data Indexer

LR-DX3500 Series
Performance (MPS): Data Indexer: Max Indexing Rate: 5,000
Hardware:
• 1 x 2.3 GHz 12 Core CPU
• 24 vCPU
• 64 GB RAM
• PERC H740 Integrated RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol 1 Config:
• Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
• Virtual Disk: 220 GB usable
• Logical Volume: OS Drive (220 GB)
Disk/Vol 2 Config:
• Physical Disk: 10 x 1.2 TB 10K RPM SAS; RAID 5 + 1 HS; Hardware IOPS: 793; Recommended IOPS: 793
• Virtual Disk: 8.8 TB usable
• Logical Volume: Data Drive (8.8 TB)

LR-DX5500 Series
Performance (MPS): Data Indexer: Max Indexing Rate: 10,000
Hardware:
• 1 x 2.6 GHz 14 Core CPU
• 28 vCPU
• 128 GB RAM
• PERC H740 Integrated RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol 1 Config:
• Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
• Virtual Disk: 220 GB usable
• Logical Volume: OS Drive (220 GB)
Disk/Vol 2 Config:
• Physical Disk: 16 x 1.2 TB 10K RPM SAS; RAID 5 + 1 HS; Hardware IOPS: 1410; Recommended IOPS: 1410
• Virtual Disk: 15.45 TB usable
• Logical Volume: Data Drive (15.45 TB)

LR-DX7500 Series
Performance (MPS): Data Indexer: Max Indexing Rate: 20,000
Hardware:
• 2 x 2.6 GHz 14 Core CPU (72.8 GHz total)
• 56 vCPU
• Dedicated Disk Drives (DAS or SAN)
• 256 GB RAM
• PERC H740P Integrated RAID Controller
• 2 x 10 Gigabit Ethernet NICs
• 2 x 1 Gigabit Ethernet NICs
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol 1 Config:
• Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
• Virtual Disk: 220 GB usable
• Logical Volume: OS Drive (220 GB)
• Logical Volume: OS Drive (546 GB)
Disk/Vol 2 Config:
• Physical Disk: 26 x 1.8 TB 10K RPM SAS; RAID 5 + 1 HS; Hardware IOPS: 2750; Recommended IOPS: 2750
• Virtual Disk: 39 TB usable
• Logical Volume: Data Drive (39 TB)

LR-DXW5120 Series
Performance (MPS): Data Indexer: Max Indexing Rate: 0
Hardware:
• 1 x 2.2 GHz 10 Core CPU
• 20 vCPU
• 128 GB RAM
• PERC H740 Integrated RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol 1 Config:
• Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
• Virtual Disk: 220 GB usable
• Logical Volume: OS Drive (220 GB)
Disk/Vol 2 Config:
• Physical Disk: 12 x 12 TB 7.2K RPM SATA; RAID 5 + 1 HS; Hardware IOPS: 750; Recommended IOPS: 750
• Virtual Disk: 108 TB usable
• Logical Volume: Data Drive (108 TB)

AI Engine

LR-AIE7500 Series
Performance (MPS): Max MPS: 75,000; Max Number of Rules: 2,000
Hardware:
• 2 x 3.0 GHz 12 Core CPU
• 48 vCPU
• 128 GB RAM
• PERC H740 Integrated RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol 1 Config:
• Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
• Virtual Disk: 220 GB usable
• Logical Volume: OS Drive (220 GB)
Disk/Vol 2 Config:
• Physical Disk: 2 x 2 TB SSD SATA; 3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 2,000
• Virtual Disk: 1.8 TB usable
• Logical Volume: S Drive (1.8 TB)

Network Monitor

LR-NM3500 Series
Performance (MPS): 1 Gb Network Monitor
Hardware:
• 1 x 2.3 GHz 12 Core CPU
• 24 vCPU
• 64 GB RAM
• PERC H740 Integrated RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol 1 Config:
• Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
• Virtual Disk: 220 GB usable
• Logical Volume: OS Drive (220 GB)
Disk/Vol 2 Config:
• Physical Disk: 8 x 600 GB 10K RPM SAS; RAID 5 + 1 HS; Hardware IOPS: 717; Recommended IOPS: 717
• Virtual Disk: 3312 GB usable
• Logical Volume: Data Drive (3312 GB)

LR-NM5500 Series
Performance (MPS): 5 Gb Network Monitor
Hardware:
• 2 x 2.6 GHz 14 Core CPU
• 56 vCPU
• 128 GB RAM
• PERC H740 Integrated RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol 1 Config:
• Physical Disk: 2 x 240 GB M.2 SSD; 0.3 DWPD; RAID 1; Hardware IOPS: 85,000; Recommended IOPS: 150
• Virtual Disk: 220 GB usable
• Logical Volume: OS Drive (220 GB)
Disk/Vol 2 Config:
• Physical Disk: 24 x 600 GB 10K RPM SAS; RAID 5 + 1 HS; Hardware IOPS: 2115; Recommended IOPS: 2115
• Virtual Disk: 12284 GB usable
• Logical Volume: Data Drive (12232 GB)

Storage Arrays

SANM5026 (direct attached storage for NM)
Performance (MPS): 12 Gbps SAS
Hardware: PERC H840 RAID Controller with 8 GB Cache
Operating System: not applicable
Disk/Vol 1 Config:
• Physical Disk: 24 x 1.2 TB 10K RPM SAS; RAID 5 + 1 HS; Hardware IOPS: 2538
• Virtual Disk: 24464 GB usable
• Logical Volume: Data Drive (24464 GB)
Disk/Vol 2 Config: not applicable

SAAR5120 (direct attached storage for archives)
Performance (MPS): 12 Gbps SAS
Hardware: PERC H840 RAID Controller with 8 GB Cache
Operating System: not applicable
Disk/Vol 1 Config:
• Physical Disk: 24 x 12 TB 7200 RPM SAS; RAID 5 + 1 HS; Hardware IOPS: 1135
• Virtual Disk: 120 TB usable
• Logical Volume: Archive Drive (120 TB)
Disk/Vol 2 Config: not applicable

SAPM5020 (direct attached storage for PM)
Performance (MPS): 12 Gbps SAS
Hardware: PERC H840 RAID Controller with 8 GB Cache
Operating System: not applicable
Disk/Vol 1 Config:
• Physical Disk: 20 x 900 GB 15K RPM SAS; RAID 10; Hardware IOPS: 2820
• Virtual Disk: 8280 GB usable
• Logical Volume: E Drive (8280 GB)
Disk/Vol 2 Config:
• Physical Disk: 4 x 900 GB 15K RPM SAS; RAID 10; Hardware IOPS: 564
• Virtual Disk: 1656 GB usable
• Logical Volume: M Drive (1656 GB)

Cloud Platform Reference Architecture


The following sections provide information about installing LogRhythm on cloud-based platforms, including:
• Amazon Web Services
• Google Cloud
• Microsoft Azure

Deployments in Amazon Web Services

Installation Overview

It is assumed that the user has experience with Amazon Web Services EC2.

Design
Designing LogRhythm in AWS is similar to on-premise deployments. Assess the volume needs of your
organization and match them to the LogRhythm Reference Architecture provided in this section.

Windows Systems
Create Windows Virtual Machines using the standard EC2 instances from AWS. You will want to select the
newest base operating system supported on your version of LogRhythm.
• Select the size of the instance based on your appliance sizing needs using the AWS reference architecture table.
• Create EBS storage to match the instance mappings for volume type and size.
• Root instance store volumes should not be used for LogRhythm storage.

Linux Systems (Data Indexer)


LogRhythm recommends installing a CentOS Minimal image or RHEL 7 and adhering to the following steps:
1. Select the size of the instance based on your appliance sizing needs using the AWS reference architecture table.
2. Create EBS storage to match the instance mappings for volume type and size. For storage, SSD GP2 is
recommended for best performance.

Root instance store volumes should not be used for LogRhythm storage.

3. Create a LogRhythm user.


a. Log into the AWS instance and elevate to the root user: 

# sudo su

b. Add new user called logrhythm:

# adduser logrhythm

c. Set the password for the logrhythm user:

# passwd logrhythm

d. Provide and confirm the password for the logrhythm user.


e. Add the logrhythm user to the wheel group:

# usermod -aG wheel logrhythm

f. Navigate to the logrhythm user:

# su - logrhythm

4. Configure the SSH key.


a. Generate the SSH key:

# ssh-keygen -t rsa

b. Accept all defaults and do not enter a password.


c. Navigate to the ssh key:

# cd /home/logrhythm/.ssh

d. Copy and authorize the key:

# cp id_rsa.pub authorized_keys

e. SSH into the instance and add the SSH key to the list of known hosts:

# ssh localhost

f. Enter yes when prompted to continue connecting. 


g. Log in as the newly created logrhythm user.
5. Install the Data Indexer.
a. Prepare the DX install by moving the DX installer, plan.yml, and hosts file to the Soft directory:

# sudo mv <filename> /home/logrhythm/Soft

b. Run the DX installer:

# sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/Soft/hosts --plan /home/logrhythm/plan.yml

c. When prompted for the SSH password, press Enter with no input or enter the logrhythm user password.
d. When prompted for the Sudo password, enter the password for the logrhythm user created in earlier
steps.
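As an added pre-flight check for steps 3 through 5 (this script is not part of the guide or of LogRhythm's tooling; the same user and SSH-key steps are repeated for Azure later in this document), it verifies the state those steps leave behind before the installer's SSH hop to localhost and sudo prompt are attempted. It assumes the guide's layout under the logrhythm home directory (.ssh/ from step 4, Soft/ with the installer and hosts file from step 5a, plan.yml in Soft/ or the home directory) and GNU stat for the permission checks.

```shell
#!/usr/bin/env bash
# Added pre-flight check for the Data Indexer steps above (not LogRhythm's own tooling).
# Assumptions: the guide's layout under the logrhythm home directory (.ssh/ from step 4,
# Soft/ holding the installer and hosts file from step 5a, plan.yml in Soft/ or the home
# directory), and GNU stat for the permission checks.

# $1 is an octal mode string such as 644: true when group or others have the write bit.
writable_by_others() { [ $(( 0$1 & 18 )) -ne 0 ]; }   # 18 == 022 octal
# True when group or others have the read bit (a private key must not have these).
readable_by_others() { [ $(( 0$1 & 36 )) -ne 0 ]; }   # 36 == 044 octal

# Verify the SSH key setup from step 4 for the home directory in $1.
# Returns 0 when the installer's "ssh localhost" hop can succeed; otherwise prints why and returns 1.
check_ssh_setup() {
  sshdir="$1/.ssh"
  [ -d "$sshdir" ] || { echo "missing $sshdir (was ssh-keygen run as logrhythm?)"; return 1; }
  [ -f "$sshdir/id_rsa" ] && [ -f "$sshdir/id_rsa.pub" ] || { echo "missing id_rsa/id_rsa.pub in $sshdir"; return 1; }
  [ -f "$sshdir/authorized_keys" ] || { echo "authorized_keys missing; step 4d copies id_rsa.pub to it"; return 1; }
  # Step 4d copies the public key verbatim, so that exact line must be present.
  grep -qxF -- "$(cat "$sshdir/id_rsa.pub")" "$sshdir/authorized_keys" \
    || { echo "the generated public key is not in authorized_keys"; return 1; }
  # sshd (StrictModes) ignores keys in a group/world-writable .ssh or authorized_keys,
  # and the ssh client refuses a private key that others can read.
  writable_by_others "$(stat -c '%a' "$sshdir")" && { echo "$sshdir is group/world writable; chmod 700"; return 1; }
  writable_by_others "$(stat -c '%a' "$sshdir/authorized_keys")" \
    && { echo "authorized_keys is group/world writable; chmod 600"; return 1; }
  readable_by_others "$(stat -c '%a' "$sshdir/id_rsa")" && { echo "id_rsa is readable by others; chmod 600"; return 1; }
  return 0
}

# Verify the files step 5a stages and print the step 5b installer command for the home directory in $1.
check_install_files() {
  home="$1"; soft="$1/Soft"
  installer=$(find "$soft" -maxdepth 1 -name 'LRDataIndexer-*.centos.x86_64.run' 2>/dev/null | sort | head -n 1)
  [ -n "$installer" ] || { echo "no LRDataIndexer-<version>.centos.x86_64.run in $soft"; return 1; }
  [ -f "$soft/hosts" ] || { echo "hosts file missing from $soft"; return 1; }
  # The guide moves plan.yml into Soft/ but passes --plan /home/logrhythm/plan.yml; accept either.
  if [ -f "$home/plan.yml" ]; then plan="$home/plan.yml"
  elif [ -f "$soft/plan.yml" ]; then plan="$soft/plan.yml"
  else echo "plan.yml missing from $home and $soft"; return 1
  fi
  echo "sudo sh $installer --hosts $soft/hosts --plan $plan"
}

# Run both checks; exit status 0 only when the installer can be started.
run_preflight() {
  check_ssh_setup "$1" || return 1
  check_install_files "$1" || return 1
}

# Usage: dx_preflight.sh /home/logrhythm   (run as the logrhythm user after step 5a)
if [ $# -gt 0 ]; then
  run_preflight "$1"
fi
```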

Platform Reference Architecture for AWS

LR-DC3400 (Data Collector)


• Max Collection Rate: 15,000
• Max Remote Windows Log Sources: 500

Instance Type: AWS: m4.xlarge
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: gp2; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: gp2; Volume Size: D Drive: 78 GB; Description: State
Disk/Vol Config 3: (none)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-XM4500 Series (combined PM/DP/DX/AIE server)


Data Processor/Data Indexer:
• Max Processing Rate: 2,000
• Indexing Rate: 2,000
Platform Manager:
• Max LogMart Rate: 20
• Max Events Rate: 20

Instance Type: AWS: r4.4xlarge
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: gp2; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: gp2; Volume Size: D Drive: 500 GB, S Drive: 100 GB; Description: SQL Databases and LR State
Disk/Vol Config 3: Disk Type: st1; Volume Size: E Drive: 1500 GB; Description: ElasticSearch Data
Disk/Vol Config 4: Disk Type: gp2; Volume Size: L Drive: 150 GB; Description: SQL Logs
Disk/Vol Config 5: Disk Type: gp2; Volume Size: T Drive: 50 GB; Description: SQL Temp

LR-XM6500 Series (combined PM/DP/DX/AIE server)

Data Processor/Data Indexer:
• Max Processing Rate: 5,000
• Indexing Rate: 5,000
Platform Manager:
• Max LogMart Rate: 100
• Max Events Rate: 100

Instance Type: AWS: r4.8xlarge
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: gp2; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: gp2; Volume Size: D Drive: 2750 GB, S Drive: 250 GB; Description: SQL Databases and LR State
Disk/Vol Config 3: Disk Type: st1; Volume Size: E Drive: 9000 GB; Description: ElasticSearch Data
Disk/Vol Config 4: Disk Type: gp2; Volume Size: L Drive: 880 GB; Description: SQL Logs
Disk/Vol Config 5: Disk Type: gp2; Volume Size: T Drive: 50 GB; Description: SQL Temp

LR-XM8500 Series (combined PM/DP/DX/AIE server)


Data Processor/Data Indexer:
• Max Processing Rate: 10,000
• Indexing Rate: 10,000
Platform Manager:
• Max LogMart Rate: 200
• Max Events Rate: 200

Instance Type: AWS: m4.10xlarge
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: gp2; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: gp2; Volume Size: D Drive: 4500 GB, S Drive: 500 GB; Description: SQL Databases and LR State
Disk/Vol Config 3: Disk Type: st1; Volume Size: E Drive: 16000 GB; Description: ElasticSearch Data
Disk/Vol Config 4: Disk Type: gp2; Volume Size: L Drive: 1000 GB; Description: SQL Logs
Disk/Vol Config 5: Disk Type: gp2; Volume Size: T Drive: 50 GB; Description: SQL Temp

LR-PM5500 Series (dedicated Platform Manager)


• Max LogMart Rate: 800
• Max Events Rate: 400

Instance Type: AWS: r4.4xlarge
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: gp2; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: gp2; Volume Size: D Drive: 1600 GB, S Drive: 200 GB; Description: SQL Databases and LR State
Disk/Vol Config 3: Disk Type: gp2; Volume Size: L Drive: 400 GB; Description: SQL Logs
Disk/Vol Config 4: Disk Type: gp2; Volume Size: T Drive: 50 GB; Description: SQL Temp
Disk/Vol Config 5: (none)

LR-PM7500 Series (dedicated Platform Manager)

• Max LogMart Rate: 2,000
• Max Events Rate: 1,000

Instance Type: AWS: r4.8xlarge
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: gp2; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: gp2; Volume Size: D Drive: 5000 GB, S Drive: 500 GB; Description: SQL Databases and LR State
Disk/Vol Config 3: Disk Type: gp2; Volume Size: L Drive: 800 GB; Description: SQL Logs
Disk/Vol Config 4: Disk Type: gp2; Volume Size: T Drive: 50 GB; Description: SQL Temp
Disk/Vol Config 5: (none)

LR-DP5500 Series (dedicated Data Processor)


• Max Processing Rate: 15,000

Instance Type: AWS: m5.4xlarge
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: gp2; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: gp2; Volume Size: D Drive: 500 GB; Description: Active Archives and LR State
Disk/Vol Config 3: Disk Type: sc1; Volume Size: E Drive: 2000 GB; Description: Inactive Archives (adjustable)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-DP7500 Series (dedicated Data Processor)

• Max Processing Rate: 40,000

Instance Type: AWS: m5.12xlarge
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: gp2; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: gp2; Volume Size: D Drive: 1200 GB; Description: Active Archives and LR State
Disk/Vol Config 3: Disk Type: sc1; Volume Size: E Drive: 8000 GB; Description: Inactive Archives (adjustable)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-AIE7500 Series (dedicated AIE server)


• Max MPS: 75,000
• Max Number of Rules: 2,000

Instance Type: AWS: m4.10xlarge
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: gp2; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: gp2; Volume Size: D Drive: 500 GB; Description: AIE State/Data
Disk/Vol Config 3: (none)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-DX3500 Series (dedicated Data Indexer)


Indexing Rate: 5,000

Instance Type: AWS: m4.4xlarge
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol Config 1: Disk Type: gp2; Volume Size: / 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: gp2; Volume Size: /usr/local/logrhythm 8800 GB; Description: Elasticsearch Data
Disk/Vol Config 3: (none)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-DX5500 Series (dedicated Data Indexer)


Indexing Rate: 10,000

Instance Type: AWS: h1.8xlarge
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol Config 1: Disk Type: gp2; Volume Size: / 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: gp2; Volume Size: /usr/local/logrhythm 16000 GB; Description: Elasticsearch Data
Disk/Vol Config 3: (none)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-DX7500 Series (dedicated Data Indexer)


Indexing Rate: 20,000

Instance Type: AWS: m4.16xlarge
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol Config 1: Disk Type: gp2; Volume Size: / 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: gp2; Volume Size: /usr/local/logrhythm 16000 GB; Description: Elasticsearch Data
Disk/Vol Config 3: Disk Type: st1; Volume Size: /usr/local/logrhythm/01 16000 GB; Description: Elasticsearch Data
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-DXW5120 Series (dedicated warm tier)


Indexing Rate: 0

Instance Type: AWS: m4.10xlarge
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol Config 1: Disk Type: gp2; Volume Size: / 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: sc1; Volume Size: /usr/local/logrhythm 16000 GB; Description: Elasticsearch Data
Disk/Vol Config 3: Disk Type: sc1; Volume Size: /usr/local/logrhythm/01 16000 GB; Description: Elasticsearch Data
Disk/Vol Config 4: Disk Type: sc1; Volume Size: /usr/local/logrhythm/02 16000 GB; Description: Elasticsearch Data
Disk/Vol Config 5: Disk Type: sc1; Volume Size: /usr/local/logrhythm/03 16000 GB; Description: Elasticsearch Data
Disk/Vol Config 6: Disk Type: sc1; Volume Size: /usr/local/logrhythm/04 16000 GB; Description: Elasticsearch Data
Disk/Vol Config 7: Disk Type: sc1; Volume Size: /usr/local/logrhythm/05 16000 GB; Description: Elasticsearch Data
Disk/Vol Config 8: Disk Type: sc1; Volume Size: /usr/local/logrhythm/06 16000 GB; Description: Elasticsearch Data

Deployments in Google Cloud

Installation Overview

It is assumed that the user has experience with Google Cloud and Google Compute.

Design
Designing LogRhythm in GCP is similar to on-premise deployments. Assess the volume needs of your
organization and match them to the LogRhythm Reference Architecture.

Windows Systems
Create Windows Virtual Machines using the Compute Engine VM instances from GCP. Select the newest base
operating system supported on your version of LogRhythm.
• Select the machine type based on your appliance sizing needs using the GCP reference architecture table.
• Create disk storage to match the instance mappings for volume type and size.

Linux Systems (Data Indexer)


1. Create a CentOS or RHEL 7 virtual machine using the Compute Engine VM instances from GCP.
• Select the newest base operating system supported on your version of LogRhythm.
• Select the machine type based on your appliance sizing needs using the GCP reference architecture
table.
• Create disk storage to match the instance mappings for volume type and size.
2. Create a logrhythm user.
a. Log into the DX using root.
b. Add new user called logrhythm:

# adduser logrhythm

c. Set password for the logrhythm user:

# passwd logrhythm

d. Set and confirm the logrhythm user's password.


e. Add the logrhythm user to the wheel group:

# usermod -aG wheel logrhythm

f. Navigate to the logrhythm user:

# su - logrhythm

Platform Reference Architecture for GCP

LR-DC3400 (Data Collector)


• Max Collection Rate: 15,000
• Max Remote Windows Log Sources: 500

Instance Type: n1-standard-4
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: C Drive: 200 GB, D Drive: 100 GB; Description: Operating System/LR State
Disk/Vol Config 2: (none)
Disk/Vol Config 3: (none)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-XM4500 Series (Combined PM/DP/DX/AIE Server)


Data Processor/Data Indexer:
• Max Processing Rate: 2,000
• Indexing Rate: 2,000
Platform Manager:
• Max LogMart Rate: 20
• Max Events Rate: 20

Instance Type: Custom Machine, 20 Cores, 96GB Memory
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: Standard Persistent Disk; Volume Size: D Drive: 2000 GB, L Drive: 150 GB, S Drive: 100 GB, T Drive: 50 GB; Description: SQL Databases/ES Data/SQL Logs/LR State/SQL Temp
Disk/Vol Config 3: (none)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-XM6500 Series (Combined PM/DP/DX/AIE Server)


Data Processor/Data Indexer:
• Max Processing Rate: 5,000
• Indexing Rate: 5,000
Platform Manager:
• Max LogMart Rate: 100
• Max Events Rate: 100

Instance Type: Custom Machine, 40 Cores, 192GB Memory
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: Standard Persistent Disk; Volume Size: D Drive: 2750 GB, L Drive: 250 GB, T Drive: 50 GB; Description: SQL Databases/SQL Logs/SQL Temp
Disk/Vol Config 3: Disk Type: Standard Persistent Disk; Volume Size: E Drive: 9000 GB; Description: ElasticSearch Data
Disk/Vol Config 4: Disk Type: SSD Persistent Disk; Volume Size: S Drive: 250 GB; Description: LR State
Disk/Vol Config 5: (none)

LR-XM8500 Series (Combined PM/DP/DX/AIE Server)


Data Processor/Data Indexer:
• Max Processing Rate: 10,000
• Indexing Rate: 10,000
Platform Manager:
• Max LogMart Rate: 200
• Max Events Rate: 200

Instance Type: Custom Machine, 48 Cores, 256GB Memory
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: Standard Persistent Disk; Volume Size: D Drive: 4500 GB, L Drive: 1000 GB, T Drive: 50 GB; Description: SQL Databases/SQL Logs/SQL Temp
Disk/Vol Config 3: Disk Type: SSD Persistent Disk; Volume Size: E Drive: 18000 GB, S Drive: 500 GB; Description: ElasticSearch Data/LR State
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-PM5500 Series (Dedicated Platform Manager)


• Max LogMart Rate: 800
• Max Events Rate: 400

Instance Type: Custom Machine, 20 Cores, 128GB Memory
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: Standard Persistent Disk; Volume Size: D Drive: 1600 GB, L Drive: 200 GB; Description: SQL Databases/SQL Logs
Disk/Vol Config 3: Disk Type: SSD Persistent Disk; Volume Size: S Drive: 250 GB, T Drive: 50 GB; Description: LR State/SQL Temp
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-PM7500 Series (Dedicated Platform Manager)


• Max LogMart Rate: 2,000
• Max Events Rate: 1,000

Instance Type: Custom Machine, 48 Cores, 196GB Memory
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: Standard Persistent Disk; Volume Size: D Drive: 7500 GB, L Drive: 500 GB; Description: SQL Databases/SQL Logs
Disk/Vol Config 3: Disk Type: SSD Persistent Disk; Volume Size: S Drive: 500 GB, T Drive: 50 GB; Description: LR State/SQL Temp
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-DP5500 Series (Dedicated Data Processor)

• Max Processing Rate: 15,000

Instance Type: Custom Machine, 24 Cores, 64GB Memory
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: SSD Persistent Disk; Volume Size: S Drive: 500 GB; Description: Active Archives/LR State
Disk/Vol Config 3: Disk Type: Standard Persistent Disk; Volume Size: E Drive: 2000 GB; Description: Inactive Archives (adjustable)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-DP7500 Series (Dedicated Data Processor)


• Max Processing Rate: 40,000

Instance Type: Custom Machine, 48 Cores, 128GB Memory
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: SSD Persistent Disk; Volume Size: S Drive: 1000 GB; Description: Active Archives/LR State
Disk/Vol Config 3: Disk Type: Standard Persistent Disk; Volume Size: E Drive: 8000 GB; Description: Inactive Archives (adjustable)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-AIE7500 Series (Dedicated AIE server)

• Max MPS: 75,000
• Max Number of Rules: 2,000

Instance Type: Custom Machine, 48 Cores, 128GB Memory
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: C Drive: 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: SSD Persistent Disk; Volume Size: S Drive: 500 GB; Description: AIE State/Data
Disk/Vol Config 3: (none)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-DX3500 Series (Dedicated Data Indexer)


Indexing Rate: 5,000

Instance Type: Custom Machine, 24 Cores, 64GB Memory
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: / 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: Standard Persistent Disk; Volume Size: /usr/local/logrhythm 8800 GB; Description: Elasticsearch Data
Disk/Vol Config 3: (none)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-DX5500 Series (Dedicated Data Indexer)


Indexing Rate: 10,000

Instance Type: Custom Machine, 28 Cores, 128GB Memory
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: / 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: SSD Persistent Disk; Volume Size: /usr/local/logrhythm 16000 GB; Description: Elasticsearch Data
Disk/Vol Config 3: (none)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-DX7500 Series (Dedicated Data Indexer)


Indexing Rate: 20,000

Instance Type: Custom Machine, 56 Cores, 256GB Memory
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: / 200 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: SSD Persistent Disk; Volume Size: /usr/local/logrhythm 32000 GB; Description: Elasticsearch Data
Disk/Vol Config 3: (none)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

LR-DXW5120 Series (Dedicated Warm Tier)


Indexing Rate: 0

Instance Type: Custom Machine, 20 Cores, 128GB Memory
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol Config 1: Disk Type: Standard Persistent Disk; Volume Size: / 200 GB; Description: Operating System
Disk/Vol Config 2: *Disk Type: Standard Persistent Disk; Volume Size: /usr/local/logrhythm 63800 GB; Description: Elasticsearch Data
Disk/Vol Config 3: (none)
Disk/Vol Config 4: (none)
Disk/Vol Config 5: (none)

*GCP only allows a maximum volume of 64 TB per instance. You will need to add multiple instances to match the DXW5120 hardware appliance.

Deployments in Microsoft Azure


This section provides information about reference architectures for LogRhythm appliances and information
about how to design and deploy LogRhythm in Microsoft Azure.

Installation Overview

It is assumed that the user has experience with Microsoft Hyper-V and Azure services.

Design
Designing LogRhythm in Azure is similar to on-premise deployments. Assess the volume needs of your
organization and match them to the LogRhythm Reference Architecture.

Windows Systems
Create Windows Virtual Machines using the standard compute instances from Azure. Select the newest
operating system supported on your version of LogRhythm.
• VM disk type should be SSD.
• Select the size of the instance based on your appliance sizing needs using the Azure reference architecture table.
• Storage should be set to use managed disks.

After creating the instance, you will need to add data disks to match the reference architecture. By default,
the Windows instances create a temporary OS disk that is used for swap and emptied with every shutdown.

On the Platform Manager, you must change the drive letter of the swap space disk from D to
something else. The LogRhythm Database Install Tool requires that the D drive be used for database
storage. If you install to this swap disk, all of the databases will be removed when the virtual
machine is shut down.

Linux Systems (Data Indexer)


LogRhythm recommends installing a CentOS minimal image or RHEL 7 and adhering to the following steps:
1. Use SSD for the VM disk type.
2. Select the size of the instance based on your appliance sizing needs using the Azure reference architecture table.
3. Set storage to use managed disks.
4. Set up VM access as SSH with the logrhythm user. Doing so makes step 5 unnecessary, and you can skip to step 6.
5. Create the LogRhythm user.

Skip this section if the LogRhythm user was already created to access the VM. If the user already exists
with SSH access, skip to the Install the Data Indexer section below.

a. Log into the Azure instance and elevate to the root user:

# sudo su

b. Add a new user called logrhythm:

# adduser logrhythm

c. Set the password for the logrhythm user:

# passwd logrhythm

d. Provide and confirm the desired password for the logrhythm user.
e. Add the logrhythm user to the wheel group:

# usermod -aG wheel logrhythm

f. Switch to the logrhythm user:

# su - logrhythm

6. Configure the SSH key.


a. Generate the SSH key:

# ssh-keygen -t rsa

b. Accept all defaults and do not enter a password.


c. Change to the logrhythm user's .ssh directory:

# cd /home/logrhythm/.ssh

d. Copy and authorize the key:

# cp id_rsa.pub authorized_keys

e. SSH into the instance and add the SSH key to the list of known hosts:

# ssh localhost

f. Enter yes when prompted to continue connecting.


g. Log in as the newly created logrhythm user.
7. Install the Data Indexer.
a. Prepare the DX install by moving the DX installer, plan.yml, and hosts file to the Soft directory:

# sudo mv <filename> /home/logrhythm/Soft

b. Run the DX installer:

# sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/Soft/hosts --plan /home/logrhythm/plan.yml

c. When prompted for the SSH password, press Enter with no input or enter the logrhythm user password.
d. When prompted for the Sudo password, enter the password for the logrhythm user created in earlier
steps.
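As an added pre-flight check (example code written for this page, not part of the LogRhythm guide or installer), the following POSIX shell script verifies what steps 5 through 7 rely on before the DX installer is run: the self-authorized key from step 6 that lets the SSH password prompt in step 7c be left empty, owner-only permissions on the key material, the wheel membership that sudo needs in step 7d, and the hosts and plan.yml inputs. The function names and the checks themselves are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight check for the Azure Data Indexer procedure (steps 5-7).
# Example code, not part of the LogRhythm guide or the DX installer.
# Assumes the layout the guide describes: the public key from `ssh-keygen -t rsa`
# copied to ~/.ssh/authorized_keys, the hosts file in ~/Soft, and plan.yml in the
# logrhythm home directory.

# dx_user_ok [USER]
# Checks that the account from step 5 exists and is in the wheel group, which the
# installer needs because it escalates with sudo (step 7d). Kept separate from the
# file checks so those can run on a machine without that account.
dx_user_ok() {
    user="${1:-logrhythm}"
    id "$user" >/dev/null 2>&1 || { echo "user $user does not exist (step 5b)"; return 1; }
    id -nG "$user" | tr ' ' '\n' | grep -qx wheel \
        || { echo "$user is not in the wheel group (step 5e)"; return 1; }
    return 0
}

# dx_preflight HOME_DIR
# Verifies the SSH key and installer inputs under HOME_DIR. Prints each failing
# check and returns 1; returns 0 when everything the installer needs is present.
dx_preflight() {
    home="$1"
    rc=0

    # Step 7c lets you press Enter at the SSH password prompt, which only works
    # if the key generated in step 6 is accepted for the user on localhost.
    if [ ! -s "$home/.ssh/id_rsa.pub" ]; then
        echo "missing public key $home/.ssh/id_rsa.pub (step 6a)"; rc=1
    elif ! grep -qxF -e "$(cat "$home/.ssh/id_rsa.pub")" "$home/.ssh/authorized_keys" 2>/dev/null; then
        echo "public key is not in $home/.ssh/authorized_keys (step 6d)"; rc=1
    fi

    # sshd ignores authorized_keys when ~/.ssh is group/world writable, and a
    # private key readable by other users is a credential leak.
    if [ -n "$(find "$home/.ssh" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
        echo "$home/.ssh must not be group/world writable (chmod 700)"; rc=1
    fi
    if [ ! -f "$home/.ssh/id_rsa" ]; then
        echo "missing private key $home/.ssh/id_rsa (step 6a)"; rc=1
    elif [ -n "$(find "$home/.ssh/id_rsa" -maxdepth 0 -perm /077 2>/dev/null)" ]; then
        echo "$home/.ssh/id_rsa must be readable only by its owner (chmod 600)"; rc=1
    fi

    # Inputs passed to the installer's --hosts and --plan options in step 7b.
    [ -s "$home/Soft/hosts" ] || { echo "missing $home/Soft/hosts (step 7a)"; rc=1; }
    [ -s "$home/plan.yml" ]   || { echo "missing $home/plan.yml (step 7a)"; rc=1; }

    return $rc
}

# Example run against the guide's paths (uncomment on the Azure instance):
# dx_preflight /home/logrhythm && dx_user_ok logrhythm && echo "ready to run the DX installer"
```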

Platform Reference Architecture for Azure

For all platforms, set host caching to Read-only on data disks, such as SQL data or Elasticsearch data.

LR-DC3400 (Data Collector)


• Max Collection Rate: 15,000
• Max Remote Windows Log Sources: 500

Instance Type: D4S_v3
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: P10; Volume Size: C Drive: 128 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: S10; Volume Size: D Drive: 128 GB; Description: State
Disk/Vol Config 3-5: (none)

LR-XM4500 Series (combined PM/DP/DX/AIE server)


Data Processor/Data Indexer:
• Max Processing Rate: 2,000
• Indexing Rate: 2,000
Platform Manager:
• Max LogMart Rate: 20
• Max Events Rate: 20

Instance Type: D16S_v3
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: P10; Volume Size: C Drive: 128 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: P40; Volume Size: D Drive: 1748 GB, L Drive: 150 GB, S Drive: 100 GB, T Drive: 50 GB; Description: SQL Data/SQL Logs/LR State/SQL Temp
Disk/Vol Config 3: Disk Type: P40; Volume Size: E Drive: 2048 GB; Description: Elasticsearch Data
Disk/Vol Config 4-5: (none)

LR-XM6500 Series (combined PM/DP/DX/AIE server)


Data Processor/Data Indexer:
• Max Processing Rate: 5,000
• Indexing Rate: 5,000
Platform Manager:
• Max LogMart Rate: 100
• Max Events Rate: 100

Instance Type: D32S_v3
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: P10; Volume Size: C Drive: 128 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: P40; Volume Size: D Drive: 1748 GB, L Drive: 150 GB, S Drive: 100 GB, T Drive: 50 GB; Description: SQL Data/SQL Logs/LR State/SQL Temp
Disk/Vol Config 3: Disk Type: P50; Volume Size: E Drive: 4095 GB; Description: Elasticsearch Data
Disk/Vol Config 4-5: (none)

LR-XM8500 Series (combined PM/DP/DX/AIE server)


Data Processor/Data Indexer:
• Max Processing Rate: 10,000
• Indexing Rate: 10,000
Platform Manager:
• Max LogMart Rate: 200
• Max Events Rate: 200

Instance Type: D64S_v3
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: P10; Volume Size: C Drive: 128 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: P50; Volume Size: D Drive: 3645 GB, L Drive: 150 GB, S Drive: 250 GB, T Drive: 50 GB; Description: SQL Data/SQL Logs/LR State/SQL Temp
Disk/Vol Config 3: Disk Type: P50; Volume Size: E Drive: 4095 GB; Description: Elasticsearch Data
Disk/Vol Config 4: Disk Type: P50; Volume Size: F Drive: 4095 GB; Description: Elasticsearch Data
Disk/Vol Config 5: (none)

LR-PM5500 Series (dedicated Platform Manager)


• Max LogMart Rate: 800
• Max Events Rate: 400

Instance Type: E16S_v3
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: P10; Volume Size: C Drive: 128 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: P40; Volume Size: D Drive: 2048 GB; Description: SQL Data
Disk/Vol Config 3: Disk Type: P20; Volume Size: L Drive: 312 GB, S Drive: 100 GB, T Drive: 100 GB; Description: SQL Logs/LR State/SQL Temp
Disk/Vol Config 4-5: (none)

LR-PM7500 Series (dedicated Platform Manager)


• Max LogMart Rate: 2,000
• Max Events Rate: 1,000

Instance Type: D32S_v3
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: P10; Volume Size: C Drive: 128 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: P50; Volume Size: D Drive: 4095 GB; Description: SQL Data
Disk/Vol Config 3: Disk Type: P30; Volume Size: L Drive: 674 GB, S Drive: 250 GB, T Drive: 100 GB; Description: SQL Logs/LR State/SQL Temp
Disk/Vol Config 4-5: (none)

LR-DP5500 Series (dedicated Data Processor)


• Max Processing Rate: 15,000

Instance Type: D32S_v3
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: P10; Volume Size: C Drive: 128 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: P20; Volume Size: S Drive: 512 GB; Description: LR State
Disk/Vol Config 3: Disk Type & Volume Size: see note 1; Description: Inactive Archives
Disk/Vol Config 4-5: (none)

Note 1: Inactive archives should use File Storage or can use standard disk.

LR-DP7500 Series (dedicated Data Processor)


• Max Processing Rate: 40,000

Instance Type: D64S_v3
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: P10; Volume Size: C Drive: 128 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: P30; Volume Size: S Drive: 1024 GB; Description: LR State
Disk/Vol Config 3: Disk Type & Volume Size: see note 1; Description: Inactive Archives
Disk/Vol Config 4-5: (none)

Note 1: Inactive archives should use File Storage or can use standard disk.

LR-AIE7500 Series (dedicated AIE server)


• Max MPS: 75,000
• Max Number of Rules: 2,000

Instance Type: D64S_v3
Operating System: Windows 2016 x64 Standard Edition
Disk/Vol Config 1: Disk Type: P10; Volume Size: C Drive: 128 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: P10; Volume Size: S Drive: 128 GB; Description: State
Disk/Vol Config 3-5: (none)

LR-DX3500 Series (dedicated Data Indexer)


Indexing Rate: 5,000

Instance Type: D16S_v3
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol Config 1: Disk Type: P10; Volume Size: / 128 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: P50; Volume Size: /usr/local/logrhythm 4096 GB; Description: Elasticsearch Data
Disk/Vol Config 3-5: (none)

LR-DX5500 Series (dedicated Data Indexer)


Indexing Rate: 10,000

Instance Type: D32S_v3
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol Config 1: Disk Type: P10; Volume Size: / 128 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: P50; Volume Size: /usr/local/logrhythm 4096 GB; Description: Elasticsearch Data
Disk/Vol Config 3*: Disk Type: P50; Volume Size: /usr/local/logrhythm/01 4096 GB; Description: Elasticsearch Data
Disk/Vol Config 4-5: (none)

*The DX storage values do not correspond to the hardware appliances and can be adjusted based on customer need,
up to a limit of 16TB total on the DX5500.

LR-DX7500 Series (dedicated Data Indexer)


Indexing Rate: 20,000

Instance Type: D64S_v3
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol Config 1: Disk Type: P10; Volume Size: / 128 GB; Description: Operating System
Disk/Vol Config 2: Disk Type: P50; Volume Size: /usr/local/logrhythm 4096 GB; Description: Elasticsearch Data
Disk/Vol Config 3: Disk Type: P50; Volume Size: /usr/local/logrhythm/01 4096 GB; Description: Elasticsearch Data
Disk/Vol Config 4: Disk Type: P50; Volume Size: /usr/local/logrhythm/02 4096 GB; Description: Elasticsearch Data
Disk/Vol Config 5*: Disk Type: P50; Volume Size: /usr/local/logrhythm/03 4096 GB; Description: Elasticsearch Data

*The DX storage values do not correspond to the hardware appliances and can be adjusted based on customer need,
up to a limit of 32TB total on the DX7500.

LR-DXW5120 Series (dedicated warm tier)


Indexing Rate: 0

Instance Type: D32S_v3
Operating System: CentOS 7.6 or RHEL 7
Disk/Vol Config 1: Disk Type: P10; Volume Size: / 128 GB; Description: Operating System
Disk/Vol Config 2-5: Disk Type: P50; Volume Size: 4096 GB each, mounted at /usr/local/logrhythm, /usr/local/logrhythm/01, /usr/local/logrhythm/02, /usr/local/logrhythm/03, and /usr/local/logrhythm/04; Description: Elasticsearch Data
Disk/Vol Config 6-9: Disk Type: P50; Volume Size: 4096 GB each, mounted at /usr/local/logrhythm/05 through /usr/local/logrhythm/09; Description: Elasticsearch Data
Disk/Vol Config 10-14: Disk Type: P50; Volume Size: 4096 GB each, mounted at /usr/local/logrhythm/10 through /usr/local/logrhythm/14; Description: Elasticsearch Data
Disk/Vol Config 15-19: Disk Type: P50; Volume Size: 4096 GB each, mounted at /usr/local/logrhythm/15 through /usr/local/logrhythm/19; Description: Elasticsearch Data
Disk/Vol Config 20-24: Disk Type: P50; Volume Size: 4096 GB each, mounted at /usr/local/logrhythm/20 through /usr/local/logrhythm/24; Description: Elasticsearch Data

*The DX warm storage values do not correspond to the hardware appliances and can be adjusted based on customer need,
up to a limit of 120TB total on the DXW5120.

Download Software to Install a New LogRhythm Deployment


Before starting the installation process, you should download the LogRhythm tools and software that will be
needed during setup, as follows:
1. Ensure you have access to the LogRhythm Database Install Tool. A download link should have been provided
along with your LogRhythm license. If you cannot locate this tool, contact LogRhythm Support.
2. Download the LogRhythm Installation Wizard, available on the LogRhythm Community.
3. If you are installing a Data Indexer or cluster of Indexers on Linux, download the Installation ISO from the link
provided with your LogRhythm license.
4. Download TLS 1.2 Patches and Hotfixes, available on the LogRhythm Community.
To enable communication over TLS 1.2 for all LogRhythm 7.4.x components, your base deployment must
meet the following requirements:
• Platform Manager is running SQL Server 2016 Standard SP1 or higher.
• LogRhythm 7.4.x core components on Windows are running Microsoft .NET Framework 4.5.2 — the Database
Upgrade Tool will install .NET 4.6.1 on the Platform Manager.

.NET 4.5.2 will be installed by component installers that require it.

After ensuring that your base deployment meets the above requirements, .NET 4.5.x rollup updates are
required on all Windows appliances or servers running LogRhythm components — the Platform Manager is
excepted.

If the target appliance is up-to-date with important Windows updates, some hotfixes may not be
required. If this is the case, the installer indicates that.

Installers for all the required patches and hotfixes are available in a .ZIP file on the Downloads page, under
TLS 1.2 Support. You should download LR_74x_TLS_support.zip, extract its contents, and then distribute the
required installers to the required appliances or computers in your deployment.

The following patches are not required on systems running only the System Monitor Agent or on
systems where .NET 4.6 is already installed.

Installer: NDP452-KB3099845x86-x64-ENU.exe
Description: .NET Framework 4.5.2 Hotfix Rollup
Do this: Copy the hotfix installer to all LogRhythm component hosts running on Windows appliances or computers running Windows 7 SP1, Windows Server 2008, or Windows Server 2008 R2.

Installer: x64-Windows8.1KB3099842-x64.msu
Description: Windows Update Installer for .NET Framework 4.5.2 Hotfix Rollup
Do this: Copy the installer to all LogRhythm hosts running on Windows appliances or computers running Windows 8.1 or Windows Server 2012 R2.

Install LogRhythm
Configure Hardware or Virtual Machine
This section describes how to configure your dedicated hardware or virtual machine, based on the Reference
Platform you selected.
1. Make sure your hardware or virtual machine is running Windows Server 2012 R2 Standard or Enterprise Edition,
or Windows Server 2016 (both 64-bit).
2. If necessary, enable .NET Framework 3.5.
a. Log in to the server as an administrator.
b. Start Server Manager.
c. Under Configure this local server, click Add roles and features.
The Add Roles and Features Wizard appears.
d. Under Installation Type, select Role-based or feature-based installation.
e. Under Server Selection, select your local server.
f. Under Features, expand the .NET Framework 3.5.1 Features node, select .NET Framework 3.5.1, and
then click Next.
g. Confirm your selection on the next page, click Install, and follow any additional guidance provided by
the installer.
3. Initialize and configure disks according to LogRhythm components. For more information, see Volume/Disk
Configurations.
a. Initialize the newly created hard disks via disk management by going to Administrative Tools,
Computer Management, Storage, and Disk Management.
b. Set up disk partitions and volumes.
4. Run Windows Update to ensure the latest patches, updates, and service packs are installed.
5. If not installed, download and install .NET Framework 4.5.2 as it is required by the Database Install Tool. You can
download the Microsoft .NET Framework 4.5.2 standalone installer here.
The .NET Framework 4.5.2 installation requires 4.5 GB of free disk space.

Shut Down Antivirus and Endpoint Protection Software


Shut down any antivirus or endpoint protection software you have running on all LogRhythm systems.

In the case of endpoint protection software, you may need to uninstall the software from all
LogRhythm systems as it has been known to interfere with the LogRhythm solution.

When the LogRhythm installation is complete, you can enable or install antivirus or endpoint protection
software again.


Install the LogRhythm Databases for the Platform Manager or XM

A download link to the LogRhythm Database Install Tool should have been provided to you along
with your LogRhythm license. Contact LogRhythm Support if you cannot locate this tool.

The Platform Manager, and therefore an XM setup, contains LogRhythm’s SQL Server databases. Use the
LogRhythm Database Install tool to:
• Install SQL Server 2016 Standard SP2
• Apply the LogRhythm license for SQL Server
• Create the default LogRhythm users
• Create the initial databases, tables, stored procedures, and so on
• Size the databases as a percentage of disk space

The database installation can take up to 30 minutes. If you are installing on a virtual machine, it
could take longer.

To install the LogRhythm databases:


1. Log in to the Platform Manager or XM server and copy the LogRhythm Database Install Tool archive to a new
directory.
2. Locate the archive and extract it to a new directory on a local drive.
3. Browse to the new directory, right-click LogRhythmDatabaseInstallTool.exe, and then click Run as
administrator.
The server role page appears.
4. Select the system’s target role. If you are installing a standalone Platform Manager, select PM. If you are
installing an XM server, select XM.

If any of the drives on the server do not have enough space for the installation, the value under Will
Use is highlighted in red. You need to reconfigure the system disks to provide enough space for the
installation.

5. Click Install.
6. If you want to change the default SQL Server password for the sa account, click Change Default SQL Password.
7. Type the password for the sa account, and then click Save.
8. When you are ready to proceed, click Install.
9. The tool installs SQL Server and configures all of the necessary settings. This process may take up to ten
minutes, during which the screen appears to be inactive.
10. When the installation is finished, click Done to close the Database Install Tool.


Run the LogRhythm Install Wizard


The LogRhythm Install Wizard can be used to install one or more applications or server roles on each server
in your deployment. The wizard is designed for simplicity, so you can pick the applications or roles you are
installing, and the wizard does everything else.
The installation of one or more applications should not take more than 10 minutes to complete. If you are
installing an XM setup with all applications, the installation may take up to 15 minutes depending on your
server specifications. If you are installing on a virtual machine, the installation times will be slightly
increased.
Use the LogRhythm Install Wizard to install or upgrade LogRhythm components in your deployment. You
must run the Install Wizard on each appliance or server in your deployment, and select the appliance
configuration that you want to install or upgrade.

• The LogRhythm Install Wizard requires .NET Framework version 4.5.2 or above.
• If you are installing or upgrading the Data Indexer or Web Console, ensure that Windows Firewall
Service is running before starting the Install Wizard to allow firewall rules to be created.
• Do not try to run the wizard from a network share. Run the wizard locally on each appliance.
• For systems with UAC (Vista and later), always run installers as a Local Administrator with elevated
privileges. The person performing the installation must be in the Local Admin group, unless the
domain is managed and the Group Policy Object dictates that only Domain Administrators can run
installers.
• When installing the Web Console, it is recommended that you run the LogRhythm Install Wizard to
install all Web Console services. You may choose to install the Web Console as a stand-alone
installation or as part of the XM Appliance or Platform Manager (PM) configurations.
• Before installing or upgrading the Web Console, ensure that Windows Firewall is running so the
Common installer can open port 8300.

When the Client Console is installed on a fresh system, additional software packages must be
installed such as Microsoft Visual C++ Redistributable packages, SAP Crystal Reports runtime
engine, and .NET Framework 4.5.2. For this reason, the Client Console installer may take 30 minutes
or more to complete.

1. Log in as an administrator on the appliance or server where you are installing or upgrading LogRhythm
software.
2. Copy the entire LogRhythm Install Wizard directory to a new directory on the local server.
3. Open the Install Wizard directory, right-click LogRhythmInstallWizard.exe, and then click Run as
administrator.
The Welcome screen appears.
4. Click Next to proceed.
The wizard asks you to confirm that you have prepared the LogRhythm databases for the upgrade.
5. Click one of the following:


• If you have run the Database Install or Upgrade Tool on each Platform Manager or XM server (or EM or LM
server on 6.3.9 deployments), click Yes to continue.
• If you have not prepared the LogRhythm databases on all required appliances, click No to cancel the
wizard, install or upgrade all of the required databases, and then continue with this procedure.
The End User License Agreement appears.
6. Read the agreement carefully. By accepting the terms in the agreement, you agree to be bound by those terms.
7. If you accept the terms of the agreement, select the I accept the terms in the license agreement check box, and
then click Next.
The configuration selector appears. Depending on the selected configuration, the wizard upgrades or installs a
specific application or set of applications.

For certain configurations, you can optionally select to install or upgrade the AI Engine.

If you select the Web Console, it is installed to the default location, C:\Program
Files\LogRhythm\LogRhythm Web Services. For instructions on how to install the Web Console to a
custom location, see Use the LogRhythm Configuration Manager.

8. For each appliance that you install, select the target appliance configuration, according to the following table.
The following information applies to upgrades from 7.x only.
If you are upgrading an existing PM + DP appliance or another configuration that is not represented in
the Install Wizard, select one of the available configurations and then run the wizard again to install
the next configuration.

7.x.x Configuration                Select...
XM                                 XM
Platform Manager                   PM
Data Processor + Data Indexer      DPX
Data Processor                     DP
Client Console                     Client Console
Web Console                        Web Console
AI Engine                          AIE
Data Collector/System Monitor      DC


The following information applies to upgrades from 6.3.9 only.


If you are upgrading an existing XM appliance and want to add the Linux Data Indexer to your
deployment, you need to install the PM configuration and then run the Install Wizard again to install
the DP configuration. For more information about installing the Linux Indexer, see Install a New
LogRhythm 7.4.8 Deployment. Similarly, to install another configuration that is not represented in the
Install Wizard, select one of the available configurations and then run the wizard again to install the
next configuration.

6.3.9 Configuration                Select...
XM                                 XM
Event Manager                      PM
Log Manager (keeping persistence)  DPX
Log Manager (Mediator only)        DP
Client Console                     Client Console
Web Console                        Web Console
AI Engine                          AIE
Site Log Forwarder/System Monitor  DC

If you are upgrading the LogRhythm Web Console, pay attention to the following:
• Upgrades from Web Console 6.1.x and 6.2.x are not supported. Uninstall your Web Console and
complete a fresh installation.
• If you have a 7.2.0 deployment, close the Web Services Configuration Manager prior to
beginning the upgrade.

9.  When you have selected the target configuration, click Install.


The LogRhythm Deployment Tool appears.
The options available on the main page of the Deployment Tool depend on whether you are upgrading an
existing deployment or installing a new one. Select either Configure New Deployment or Upgrade Deployment,
depending on your situation.

When upgrading a deployment older than LogRhythm 3.0, you may only see the option to
install a new deployment, rather than to upgrade. In that case, select the option to install a
new deployment.


10. Follow the on-screen instructions to create a Deployment Package. Additional help is available by clicking the
question mark icon in the upper-right of the tool.

For more information, see Use the LogRhythm Deployment Tool before proceeding.

When you are finished preparing your deployment, you will be returned to the Install Wizard.
11. Observe for any failures as the wizard installs or upgrades the applications according to the selected
configurations.

When the Client Console is installed on a fresh system, additional software packages must be installed
such as Microsoft Visual C++ Redistributable packages, SAP Crystal Reports runtime engine, and .NET
Framework 4.5.2. For this reason, the Client Console installer may take 30 minutes or more to
complete.

Progress in the installation screen is indicated as follows:


Color    Meaning
Green    The application was installed successfully. A message about the application and installed version is also printed below the status indicators.
Blue     The application is being installed.
Yellow   The current or a newer version of the application is already installed.
Red      Something went wrong and the application was not installed. Additional details will be printed below the status indicators. If something went wrong, check the installer logs located in the following location: C:\LogRhythm\Installer Logs\<install date and time>\

During the Web Console installation or upgrade, if you receive a message that notifies you of an error
with your Windows Installer package, go into each folder in C:\Program Files\LogRhythm\LogRhythm
Web Services and run the unzip.bat file as an administrator. For other failures, run a Repair.

12. Configure your deployment using the LogRhythm Configuration Manager that appears after the installation or
upgrade is complete.
The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited
settings are shown in Basic mode. Advanced mode displays all settings, including those shown in Basic mode,
grouped according to which service they affect. You can filter the settings that are displayed by clicking one of
the options on the left — All (no filtering), Authentication, or Web Services. When settings are filtered, you should
enable the Advanced view to ensure you can see all settings. For more information, see Use the LogRhythm
Configuration Manager.

While the Configuration Manager is still open, review your previous Web Console configuration values
(backed up before starting the upgrade), turn on the advanced view, and validate or set all of the
values in the Configuration Manager, especially the following:
• Global, Database Server. This is the IP address of your Platform Manager where the EMDB is
installed.
• Web Global, Database Password. This is the password for the LogRhythmWebUI user, used by
the Admin API for connecting to the EMDB. If the password is not correct, the Admin API will
display an error.
• Web Console UI values. Verify all settings for all Web Console instances.
When finished, click Save, back up your current configuration to file, and then close the
Configuration Manager.

After you validate and save your configuration, it is strongly recommended that you make a new back
up. Save the file in a safe location in case you need to restore it later.

13. To close the LogRhythm Install Wizard, click Exit.

If you need to install additional components that were not included in the selected configuration,
run the Install Wizard again and select the necessary components.

Use the LogRhythm Configuration Manager


The LogRhythm Configuration Manager is an application that allows you to easily set up environmental
variables and configure them as needed during the lifetime of a deployment. It automatically appears when
installation or upgrade of a deployment is complete. It can also be opened from the Configuration
Manager folder on the server where LogRhythm is installed (C:\Program Files\LogRhythm\LogRhythm
Configuration Manager) or by searching for LogRhythm Configuration Manager in the Windows Search box.
The Configuration Manager is not available remotely or online, so no login is required.
The LogRhythm Configuration Manager requires the following services:
• LogRhythm Web Services Host API
• LogRhythm API Gateway
• LogRhythm Service Registry
If any of those services are not functioning, you will receive an error message and the LogRhythm
Configuration Manager will not load. To resolve this issue, see the troubleshooting section below.


Configure your Deployment

If you are using multiple Web Console instances, the Configuration Manager lets you apply
individual configurations to each instance. Each instance, for single or multiple Web Consoles, will
be identified in the Configuration Manager as Web Console UI - HOSTNAME, where HOSTNAME is
the Windows host name of the server where the Web Console is installed.

Until you have had a chance to tune your deployment, and to avoid potential performance issues
with AIE Cache Drilldown, you should disable the AIE Drill Down Cache API after upgrading to
LogRhythm 7.4.8.

The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited
settings are shown in Basic mode. Advanced mode displays all settings, including those shown in Basic
mode, grouped according to which service they affect. You can filter the settings that are displayed by
clicking one of the options on the left — All (no filtering), Authentication, or Web Services. When settings are
filtered, you should enable the Advanced view to ensure you can see all settings.
To expand the screen and see all options at once, click the View menu in the upper-left corner of the
LogRhythm Configuration Manager window, then click Toggle Full Screen.
At the bottom of the LogRhythm Configuration Manager window, a service status indicator shows which
Services are active or inactive. A blue light indicates that all services are up. A red light indicates that one or
more services are down. You can hover the mouse over the indicator to see a list of which services are down.
In Advanced mode, the indicator light also appears next to each group header.

If your LogRhythm Configuration Manager appears grainy, you may need to turn on Windows Font
Smoothing. You can read how to do so here: http://www.microsoft.com/typography/
ClearTypeFAQ.mspx

To configure settings in the LogRhythm Configuration Manager:


1. Find the setting you want to configure by doing one of the following:
• In the Search box, type a term that appears in either the name or description of the configuration. Note
that headers and user input data won't be searched. Search returns results from both Basic and
Advanced modes, even if Advanced is not toggled on.
• Scroll through the Basic or Advanced configuration mode until you find the option you want. The
Configuration Manager is used to configure settings such as user ID, password, authentication strategy,
and log level for the following components:
• LogRhythm Database
• Admin API
• AIE Drilldown Cache API
• API Gateway


• Authentication API
• Case API
• Notification Service
• SQL Service
• Web Console API
• Web Console UI
• Web Indexer
• Web Services Host SPI
• Windows Authentication Service
2. Enter the configuration you want. Note the following features:
• The LogRhythm Configuration Manager provides informational text as appropriate about what the
settings do and what unit data must be entered in.
• Configuration changes that could affect the performance of the environment include a written warning
beneath the input box.
• For organizations using Smart Cards, the Automatic Logout Time setting for Web Console API should be
increased from the default of zero.
• When Web Console Smart Card Authorization is enabled, the other Authentication API settings will
become unavailable.
• Multi-factor authentication requires users to set up authentication tools on their devices.
For more information, see Log in to the Web Console.
3. Click Save after making changes to the configuration. You can also click Save in the Edit menu in the upper-left
corner of the Configuration Manager. The configuration file is saved to %APPDATA%\LogRhythm Configuration
Manager\presets. You can make additional configuration backups. For more information, see the Back Up and
Restore section below.

If you make a configuration change and then change that configuration again back to the previously
saved setting, the Save button will be deactivated and the last saved values persist. To undo a single
configuration change, click Edit in the upper-left corner of the LogRhythm Configuration Manager, and
then click Undo. You can also press Ctrl+Z. If you need to undo several configuration changes at once,
clicking the Revert Unsaved Changes button sets all configurations back to their last saved values.

The affected service or services restart automatically and the changes are applied. A restart time of up to 60
seconds is normal.

Troubleshoot the LogRhythm Configuration Manager


If the LogRhythm Web Services Host, the LogRhythm API Gateway, or the LogRhythm Service Registry is not
running, you receive an error message and the LogRhythm Configuration Manager does not load. If you are
not running the LogRhythm version of SQL server, one of the following error messages displays:
• The LogRhythm Configuration Manager displays: Cannot communicate with Services Host API.
• The log file for Service Host API displays: 2016-07-18T15:28:05.080-06:00 [ERROR] [thread:6]
[class:Client.Session] **ERROR** Unable to load LogRhythm Master License: The SELECT permission was denied
on the object 'SCLicense', database 'LogRhythmEMDB', schema 'dbo'.
To resolve this issue:


1. Go to Services on your machine and stop the service SQL Server (MSSQLSERVER).
2. Restart the service LogRhythm Services Host API.
3. Open the LogRhythm Configuration Manager.
4. In the Database Server box, enter the correct Database Server IP address.
5. Click Save.
6. In the Services program on your machine, restart SQL Server (MSSQLSERVER).
The LogRhythm Configuration Manager does not load if a proxy server is enabled for LAN connections in
Internet Explorer.
To change the proxy server settings for Internet Explorer:
1. On the Internet Options dialog box, click the Connections tab.
2. Click LAN Settings.
The Local Area Network (LAN) Settings dialog box appears.
3. Clear the Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections)
check box.
4. Click OK.
If you require a proxy server for LAN connections, contact LogRhythm Support.

Back Up and Restore a LogRhythm Configuration


When you click Save in the LogRhythm Configuration Manager, the configuration file is saved to
%APPDATA%\LogRhythm Configuration Manager\presets. However, you can create a backup of any
configuration and save it to any location to use later to restore a given configuration or share with other
users.
To back up a configuration:
1. Make any changes you want. Boxes with changes are outlined blue.
2. Select Backup/Restore in the menu.
3. Click Backup to File.
4. Name the file and save it to the location you want.
5. (Optional) Click Save in the lower right of the LogRhythm Configuration Manager to apply the changes
immediately.
To restore a configuration:
1. Select Backup/Restore in the menu.
2. Select from one of the following:
• Restore from File. Prompts you to open a configuration backup file. After you open the file, boxes with
changes are outlined blue.
• Restore from Last Saved. Reverts to the configuration saved in %APPDATA%\LogRhythm Configuration
Manager\presets. You can also click Revert Unsaved Changes to apply the settings in that file. Boxes with
changes are outlined blue.
• Restore from Default. Returns all configuration settings to the installation defaults. Boxes with changes
are outlined blue.
3. In the lower right of the LogRhythm Configuration Manager, click Save to apply the new settings.


For more information on the LogRhythm Configuration Manager, see Use the LogRhythm Configuration
Manager.

Install .NET 4.5.2 Hotfixes to Support TLS 1.2 Communication


The following requirements and procedures apply only to Windows-based appliances and servers.
These patches are not required on Linux systems, on the Platform Manager, on systems running
only the System Monitor Agent, or on systems where .NET 4.6 is already installed.

To enable communication over TLS 1.2, LogRhythm 7.4 core components on Windows must be running
Microsoft .NET Framework 4.5.2 — .NET 4.6 is acceptable, though this version is only installed on the
Platform Manager.
• .NET 4.5.2 will be installed for any LogRhythm component that requires it.
• The .NET 4.5.2 hotfixes are available in a .zip file under Documentation & Downloads on the LogRhythm
Community.

Apply .NET 4.5.2 Hotfix for Windows 7 SP1, Windows Server 2008, Windows Server 2008 R2
The .NET 4.5.2 rollup hotfix is provided in the TLS 1.2 Support package on the LogRhythm Community. To
apply the hotfix, do the following on all appliances or computers running LogRhythm core components on
Windows 7 SP1, Windows Server 2008, or Windows Server 2008 R2:
1. Log in to the appliance or computer as an administrator.
2. Browse to the directory where you copied NDP452-KB3099845-x86-x64-ENU.exe.
3. Right-click NDP452-KB3099845-x86-x64-ENU.exe, and then click Run as administrator.
The Microsoft .NET Framework 4.5.2 Hotfix Rollup Setup wizard appears.
4. Accept the license agreement and then click Install to apply the hotfix.

When the installation is complete, restart the appliance or server.

Apply .NET 4.5.2 Update for Windows 8.1 or Windows Server 2012 R2
The .NET 4.5.2 update, x64-Windows8.1-KB3099842-x64.msu, is provided in the TLS 1.2 Support package on
the LogRhythm Community. To apply the update, do the following on all appliances or computers running
LogRhythm core components on Windows 8.1 or Windows Server 2012 R2:
1. Log in to the appliance or computer as an administrator.
2. Browse to the directory where you copied x64-Windows8.1-KB3099842-x64.msu.
3. To launch the installer, double-click x64-Windows8.1-KB3099842-x64.msu.
If the update needs to be applied, the Windows Update Standalone Installer appears.
4. To install the update, click Yes.
5. When prompted, click Restart Now to complete the installation and restart the appliance or computer.


Restart the appliance or server when the installation is complete, regardless of whether you are
prompted to restart.


Install the LogRhythm Data Indexer


(Optional) Deploy ISO image to Each Linux Data Indexer Node
The Linux Data Indexer can be installed with a CentOS 7.x Minimal system or Red Hat Enterprise Linux (RHEL)
7. To simplify the installation, LogRhythm provides an ISO image that contains the CentOS operating system
and the Data Indexer installer package. To use RHEL 7, you need to download and install it from the Red Hat
website, and then follow the configuration instructions in this guide.

Before powering on and configuring a Linux Indexer appliance for the first time, ensure that only
one of the network interfaces is connected to your active network with an Ethernet cable. If you are
using a virtual machine, ensure that only one network interface is configured to connect or come up
when the virtual machine is powered on.

Prepare for the Installation


Before you begin, make sure you have done the following:
• Download the ISO from the link provided with your LogRhythm license. The installation ISO requires two
physical disks in the Data Indexer system.
• For a virtual installation, create a new virtual machine that meets the following requirements:
• OS Type is Linux
• OS Version is Red Hat 64-bit
• Hard drive, RAM, and processor meet the requirements stated above
• Two disks
• In the boot order of the system, Hard Disk should be listed before the CD/optical drive
• Note the IP address to be applied to each node, the netmask, the IP address of your default gateway, and the IP
address of two NTP servers to use.
• If you are installing a cluster of Data Indexers, note the following:
• Each Data Indexer server must be of identical specification. For example, the same appliance model, or
same configuration of processors, hard drives, network interfaces, and RAM.
• You must image each node with CentOS 7.x or RHEL 7, but you only need to run the package installer on
one of the cluster nodes.
• Your cluster must contain at least 3 nodes but no more than 10 nodes.

Install CentOS Minimal

If you are using a Red Hat Enterprise Linux 7 system, skip this procedure and go to Create the
LogRhythm User.

Install the LogRhythm Data Indexer 90

1. If you are installing on a physical computer, burn the ISO image to a DVD. For a virtual install, you can mount the
ISO for the installation.
2. Boot the computer from the DVD, or start the virtual machine with the mounted ISO.
3. When the boot screen appears, use the arrow keys and the Enter key to select Install CentOS 7.
The operating system will be installed, which can take up to 10 minutes.
4. When prompted to log in, type logrhythm for the login and the default LogRhythm password for the password.
You are prompted to run the initial configuration script. The script is optional, but your Indexer will be
configured to use DHCP on the primary Ethernet adapter, which is not a supported configuration for a
production environment.
5. To run the script, press y.
You are prompted for network, DNS, and NTP details. At each prompt, detected or default values are displayed
in parentheses.
6. To accept these values, press Enter.
7. Enter the network and NTP information, as follows:
IP Address: The IP address that you want to assign to this Data Indexer node.
Netmask: The netmask to use.
Default Gateway: The IP address of the network gateway.
Domain name servers: The IP address of one or more domain name servers (DNS). If any servers were found via
DHCP, they will be displayed as the defaults. If no servers were found, the Google DNS servers will be displayed
as the defaults.
NTP servers: The IP address of one or more NTP servers. Enter the IP address of each server one at a time,
followed by Enter. When you are finished, press Ctrl + D to end.
After completing the items in the configuration script, the system tests connectivity to the default gateway and
the NTP servers. If any of the tests fail, press n when prompted to enter addresses again.

If you plan to deploy the Indexer in a different network environment and you expect the connectivity
tests to fail, you can press y to proceed.

After confirming the NTP values, you will be logged in as the logrhythm user.
8. Restart the network interfaces to apply the new settings: sudo systemctl restart network
9. Restart chrony to apply NTP changes: sudo systemctl restart chronyd
10. If you are installing a cluster of Data Indexers, repeat the ISO installation on each Data Indexer node.
The ISO installation creates the required "logrhythm" user, creates and sizes all of the required partitions, and
prompts you for network, DNS, and NTP settings upon first login.


Create the LogRhythm User on the RHEL 7 System

If you are using a CentOS Minimal system, you can skip this step. The ISO installation creates the
user automatically.

1. Log into the host and elevate to the root user:

# sudo su

2. Add a new user called logrhythm:

# adduser logrhythm

3. Set the password for the logrhythm user:

# passwd logrhythm

4. Provide and confirm the desired password for the logrhythm user.
5. Add the logrhythm user to the wheel group:

# usermod -aG wheel logrhythm

6. Navigate to the logrhythm user:

# su - logrhythm

Install the Data Indexer on Linux

Install a Single-node Cluster

Before starting the Data Indexer upgrade, ensure that firewalld is running on all cluster nodes. To
do this, log in to each node and run the following command: sudo systemctl start firewalld

1. Log in to your Indexer appliance or server as logrhythm.


2. Change to the /home/logrhythm/Soft directory where you copied the updated installation script.


You can only run the installation script from a partition on which the logrhythm user has execute
privileges. It is recommended that you run the script from somewhere within /home/logrhythm.

3. If you need to create a hosts file, use vi to create a file in /home/logrhythm/Soft called hosts.

Ensure that you specify the current Data Indexer hostname if you are creating a new file.

The hosts file must follow a defined pattern of <IPv4 address> and <hostname> on each line. You must separate
the address and hostname with a space. The file might look like the following:
10.1.23.91 LRLinux1

Do not use fully qualified domain names for Indexer hosts. For example, use only LRLinux1 instead of
LRLinux1.myorg.com.

The following command sequence illustrates how to create and modify a file with vi:
a. To create the hosts file and open for editing, type vi hosts.
b. To enter INSERT mode, press the i key.
c. Enter the IPv4 address and hostname to use for the Indexer, separated by a space.
d. Press the Esc key.
e. Enter the following characters to exit and save your hosts file: :wq
4. Run the installer with the hosts file argument, as follows:
sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/Soft/hosts --plan /home/logrhythm/plan.yml
You can press the Tab key after starting to type out the installer name, and the filename autocompletes for you.
5. If prompted for the SSH password, enter the password for the logrhythm user.
The script installs the Data Indexer.

The installation process may take up to 10 minutes.

When the installation is complete, a confirmation message appears.


6. Check the status of services by typing sudo systemctl at the prompt, and then look for failed services.

If the installation fails with the following error — failed to connect to the firewalld daemon — ensure
that firewalld is running on all cluster nodes and start the installation again. To do this, log in to each
node and run the following command: sudo systemctl start firewalld


Install a Multi-node Cluster

You only need to run the upgrade on one of your cluster nodes. Run it on the same machine where
you ran the original installer. The package installer installs a Data Indexer on each node.

Before starting the Data Indexer upgrade, ensure that firewalld is running on all cluster nodes. To
do this, log in to each node and run the following command: sudo systemctl start firewalld

1. Log in to your Indexer appliance or server as logrhythm.


2. Change to the /home/logrhythm/Soft directory where you copied the updated installation script.

You can only run the installation script from a partition on which the logrhythm user has execute
privileges. It is recommended that you run the script from somewhere within /home/logrhythm.

You should have a file named hosts in the /home/logrhythm/Soft directory that was used during the original
installation. The hosts file must follow a defined pattern of {IPv4 address} and {hostname} on each line. You
must separate the address and hostname with a space.
The contents of the file might look like the following:
10.1.23.65 LRLinux1
10.1.23.67 LRLinux2
10.1.23.91 LRLinux3

Do not use fully qualified domain names for Indexer hosts. For example, use only LRLinux1 instead of
LRLinux1.myorg.com.

3. If you need to create a hosts file, use vi to create a file in /home/logrhythm/Soft called hosts.
The following command sequence illustrates how to create and modify a file with vi:
a. To create the hosts file and open for editing, type vi hosts.
b. To enter INSERT mode, press the i key.
c. Enter the IPv4 address and hostname to use for the Indexer, separated by a space.
d. Press the Esc key.
e. Enter the following characters to exit and save your hosts file: :wq
4. Run the installer using the original or updated hosts file, as follows:

When upgrading a DX7500 that is already running as a 2XDX, only run the regular
LRDataIndexer.run file, as described below. Do not run the 2XDX installer.

sudo sh LRDataIndexer-version.centos.x86_64.run --hosts /home/logrhythm/Soft/hosts --plan /home/logrhythm/plan.yml
You can press the Tab key after starting to type out the installer name, and the filename autocompletes for you.


5. If prompted for the SSH password, enter the password for the logrhythm user.
The script installs the Data Indexer on each of the DX machines.

The installation process may take up to 30 minutes.

When the installation is complete, a confirmation message appears.


6. Check the status of services by typing sudo systemctl at the prompt, looking for “failed” services.

If the installation fails with the following error — failed to connect to the firewalld daemon — ensure
that firewalld is running on all cluster nodes and start the installation again. To do this, log in to each
node and run the following command: sudo systemctl start firewalld
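The hosts file rules given in the single-node and multi-node procedures above (one "<IPv4 address> <hostname>" per line, one space between them, short hostnames rather than FQDNs, and 1 or 3 to 10 nodes per cluster) are easy to get wrong by hand, so the following POSIX shell check, an added example and not part of the LogRhythm installer, validates a hosts file before it is passed to the installer. The function names and the duplicate-hostname check are this example's own additions; the node-count rule is taken from the Prepare for the Installation list.

```shell
#!/bin/sh
# Added example, not part of the LogRhythm installer: sanity-check a Data Indexer
# hosts file before passing it to LRDataIndexer-<version>.centos.x86_64.run --hosts.
# Rules taken from the guide: one "<IPv4 address> <hostname>" per line separated by a
# single space, short hostnames only (no FQDN), and 1 node or 3 to 10 nodes per cluster.
# The function names and the duplicate-hostname check are this example's own additions.

# valid_ipv4 ADDR: returns 0 for a dotted quad with four octets in 0..255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_hosts_file FILE: prints one line per problem found; returns 0 only when
# the file can be handed to the installer as-is.
validate_hosts_file() {
    file=$1
    errors=0
    nodes=0
    ln=0
    seen=" "
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        ln=$((ln + 1))
        [ -z "$line" ] && continue          # ignore blank lines
        nodes=$((nodes + 1))
        ip=${line%% *}                      # text before the first space
        host=${line#* }                     # text after the first space
        # exactly two fields separated by one space, nothing leading or trailing
        if [ "$ip" = "$line" ] || [ -z "$ip" ] || [ -z "$host" ] || [ "${host#* }" != "$host" ]; then
            echo "line $ln: expected '<IPv4 address> <hostname>' separated by one space: '$line'"
            errors=$((errors + 1))
            continue
        fi
        if ! valid_ipv4 "$ip"; then
            echo "line $ln: '$ip' is not a valid IPv4 address"
            errors=$((errors + 1))
        fi
        case "$host" in
            *.*) echo "line $ln: '$host' is an FQDN; use the short hostname only"
                 errors=$((errors + 1)) ;;
        esac
        case "$seen" in
            *" $host "*) echo "line $ln: hostname '$host' is listed more than once"
                         errors=$((errors + 1)) ;;
        esac
        seen="$seen$host "
    done < "$file"
    if [ "$nodes" -ne 1 ] && { [ "$nodes" -lt 3 ] || [ "$nodes" -gt 10 ]; }; then
        echo "$nodes node(s) listed; a cluster must have 1 node or 3 to 10 nodes"
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Usage on the node (paths as given in the guide):
#   validate_hosts_file /home/logrhythm/Soft/hosts && sudo sh LRDataIndexer-<version>.centos.x86_64.run \
#       --hosts /home/logrhythm/Soft/hosts --plan /home/logrhythm/plan.yml
if [ $# -ge 1 ]; then
    validate_hosts_file "$1"
fi
```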

Validate the Linux Indexer Installation


To validate a successful upgrade of the Linux Indexer, check the following logs in /var/log/persistent:
• ansible.log echoes console output from the upgrade, and should end with details about the number of
components that upgraded successfully, as well as any issues (unreachable or failed)
• logrhythm-node-install.sh.log lists all components that were installed or updated, along with current versions
• logrhythm-cluster-install.sh.log should end with a message stating that the Indexer was successfully installed
Additionally, you can issue the following command and verify the installed version of various LogRhythm
services, tools, and libraries, as well as third party tools: sudo yum list installed | grep -i logrhythm
1. Verify that the following LogRhythm services are at the same version as the main installer version:
• AllConf
• Bulldozer
• Carpenter
• Columbo
• Configuration Server
• GoMaintain
• HeartThrob
• Spawn
• Transporter
• Vitals
• Watchtower
2. Verify that the following tools/libraries have been updated to the version matching the installer name:
• Cluster Health
• Conductor
• DX Config Files
• ES Templater
• Merge Control
• Persistent
• Silence
• Unicon


• Unique ID
• Upgrade Checker
3. Verify the following versions of these services and third party tools:
• consul-template 0.19.0
• consul-ui 1.0.1
• consul-utils 1.0.1
• elasticsearch 5.6.6
• grafana 4.6.3_1
• influxdb 1.4.2
• LogRhythmAPIGateway 2.4.2
• LogRhythmMetricsCollection 1.0.0
• LogRhythmServiceRegistry 1.5.1
• nginx 1.10.1
• zeromq 4.0.5
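Checking the yum output in step 3 by eye is error-prone across 11 packages, so the following POSIX shell function, an added example and not LogRhythm tooling, compares the versions reported by sudo yum list installed | grep -i logrhythm with the list above. It assumes yum's usual "name.arch version-release repo" columns with one package per line (long names that yum wraps onto two lines would need rejoining first); the sample output it runs on is constructed for the demo, not captured from a real node.

```shell
#!/bin/sh
# Added example, not LogRhythm tooling: compare the package versions reported by
#   sudo yum list installed | grep -i logrhythm
# with the third-party versions the guide lists for this release. Assumes yum's usual
# "name.arch  version-release  repo" columns, one package per line. The sample output
# below is constructed for the demo, not captured from a real node.

# Expected "package version" pairs, copied from the guide.
EXPECTED_VERSIONS='consul-template 0.19.0
consul-ui 1.0.1
consul-utils 1.0.1
elasticsearch 5.6.6
grafana 4.6.3_1
influxdb 1.4.2
LogRhythmAPIGateway 2.4.2
LogRhythmMetricsCollection 1.0.0
LogRhythmServiceRegistry 1.5.1
nginx 1.10.1
zeromq 4.0.5'

# Constructed sample: every package present at the expected version.
SAMPLE_YUM_OUTPUT='consul-template.x86_64        0.19.0-1.el7      @logrhythm
consul-ui.x86_64              1.0.1-1.el7       @logrhythm
consul-utils.x86_64           1.0.1-1.el7       @logrhythm
elasticsearch.noarch          5.6.6-1           @logrhythm
grafana.x86_64                4.6.3_1-1.el7     @logrhythm
influxdb.x86_64               1.4.2-1           @logrhythm
LogRhythmAPIGateway.x86_64    2.4.2-1.el7       @logrhythm
LogRhythmMetricsCollection.x86_64 1.0.0-1.el7   @logrhythm
LogRhythmServiceRegistry.x86_64 1.5.1-1.el7     @logrhythm
nginx.x86_64                  1.10.1-1.el7      @logrhythm
zeromq.x86_64                 4.0.5-1.el7       @logrhythm'

# Constructed sample: elasticsearch behind the expected version, zeromq not installed.
STALE_YUM_OUTPUT='consul-template.x86_64        0.19.0-1.el7      @logrhythm
consul-ui.x86_64              1.0.1-1.el7       @logrhythm
consul-utils.x86_64           1.0.1-1.el7       @logrhythm
elasticsearch.noarch          5.6.4-1           @logrhythm
grafana.x86_64                4.6.3_1-1.el7     @logrhythm
influxdb.x86_64               1.4.2-1           @logrhythm
LogRhythmAPIGateway.x86_64    2.4.2-1.el7       @logrhythm
LogRhythmMetricsCollection.x86_64 1.0.0-1.el7   @logrhythm
LogRhythmServiceRegistry.x86_64 1.5.1-1.el7     @logrhythm
nginx.x86_64                  1.10.1-1.el7      @logrhythm'

# check_versions < yum-output: prints one MISSING/MISMATCH line per problem and
# returns 0 only when every expected package is installed at the expected version.
check_versions() {
    # Normalise stdin to "name version": drop the .arch suffix and the -release part.
    installed=$(awk 'NF >= 2 {
        name = $1; sub(/\.[^.]*$/, "", name)
        ver = $2;  sub(/-.*$/, "", ver)
        print name, ver
    }')
    problems=0
    while read -r pkg want; do
        [ -z "$pkg" ] && continue
        got=$(printf '%s\n' "$installed" |
              awk -v p="$pkg" 'tolower($1) == tolower(p) { print $2; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $pkg (expected $want)"
            problems=$((problems + 1))
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $pkg installed $got, expected $want"
            problems=$((problems + 1))
        fi
    done <<EOF
$EXPECTED_VERSIONS
EOF
    [ "$problems" -eq 0 ]
}

# Demo on the constructed samples. On a node, feed the real output instead:
#   sudo yum list installed | grep -i logrhythm > /tmp/lr-pkgs.txt; check_versions < /tmp/lr-pkgs.txt
printf '%s\n' "$SAMPLE_YUM_OUTPUT" | check_versions && echo "sample: all expected versions present"
printf '%s\n' "$STALE_YUM_OUTPUT" | check_versions || echo "stale sample: version check failed"
```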

Configure the Data Indexer


Accessing and configuring the Data Indexer differs slightly between Windows and Linux. Refer to the
appropriate procedure below according to your Data Indexer operating system.

Configure the Data Indexer on Windows


You can configure the Indexer using the configuration web page — AllConf — that is hosted on the Indexer
Appliance or server. Please note the following requirements:
• For Windows Indexers, you must perform these steps for each Indexer in your deployment.
• Ensure that the LogRhythm DX – AllConf and LogRhythm DX – Configuration Server services are running on the
appliance before trying to connect to the Indexer.
• You can only access AllConf locally or through a remote desktop/terminal services session to the appliance.
• You can only access AllConf using Google Chrome (latest version), Mozilla Firefox (latest version), or Internet
Explorer 11.

Do not attempt to modify any configuration files manually. If you have any issues, contact
LogRhythm Support.

To access AllConf and configure the Data Indexer:
1. Log in to the DPX appliance as an administrator.
2. Start one of the supported browsers and type the following in the address bar: http://localhost:9100
The Data Indexer Configuration sign in page appears.
3. Type admin in the Username box and the LogRhythm default password in the Password box, and then click Sign
In.


If you make any changes to the existing Indexer configuration, ensure that you click Submit
before signing out or leaving the page.

4. Modify or verify the following settings:


CloudAI Config

These configuration values apply only to users of the LogRhythm CloudAI solution.

Enable CloudAI: Enables (true) or disables (false) CloudAI in your LogRhythm deployment.

All Conf Config

Administrator Password: Best practice is to change the default password for the admin user. Click Change
Password, then use the Update Password dialog box to enter and confirm a new password.

Passwords must be at least six (6) characters long. It is recommended that you create a strong password
using a combination of numbers, letters, and special characters, and use both uppercase and lowercase
letters.

Carpenter Config

Db Password: This is the password used by the LogRhythmNGLM SQL account. Services on the Data Indexer use
this account to connect to the EMDB and read/update tables.

It is highly recommended and LogRhythm best practice to change all MS SQL account passwords when setting up
a deployment. After you change the LogRhythmNGLM password in Microsoft SQL Server Management Studio, you
must set Db Password to the same value. You should change the password in Microsoft SQL Server Management
Studio first, then change it on the Data Indexer page.

Db Username: This should be left unchanged unless you have renamed the LogRhythmNGLM SQL account in SQL
Server Management Studio.

When in FIPS mode, Windows authentication is required (local or domain). When using a domain account, Db
Username must be in the domain\username format.

Emdb Host: This must be set to the external IP address of your Platform Manager appliance, where the EMDB
database is hosted.

In High Availability deployments, this must be set to the HA Shared IP.

Minutes to Rest: This can be left at the default value.

Sql Paging Size: This can be left at the default value.

Cluster Node Config

Node Info [n]

Hostname: Cannot be changed.

Public IP: This must be set to the external IP address of your DPX appliance or server.

Elasticsearch Server Config

Elasticsearch Server Settings [n]

cluster.name: If you only have one DPX appliance, you can leave this value at the default (logrhythm). If you
have more than one DPX appliance, change this value so that each cluster name is unique. For example,
logrhythm01, logrhythm02, and logrhythm03.

In an MSSP environment, DX Cluster names are visible to all Users of a Web Console, regardless of Entity
segregation. For privacy reasons, you may want to avoid using cluster names that could be used to identify
clients. Data and data privacy are still maintained; only the cluster name is visible.

The cluster name for each DPX appliance must be different. When you have finished making changes on the Data
Indexer Configuration page, ensure that you assign the correct cluster to each Data Processor. For multiple
DPX appliances, ensure that the cluster is assigned to the Data Processor running on the same appliance.
For example, if clusters are named as follows: DPX-A = dxa, DPX-B = dxb, and DPX-C = dxc, Data Processor A
should point to cluster dxa, Data Processor B should point to cluster dxb, and Data Processor C should point
to cluster dxc.

${DXDATAPATH} and ${DXPATH} are system variables that are created when the Data Indexer is installed. By
default, these variables are set to D:\LogRhythm\Data Indexer.

Elasticsearch Server Settings [n]

path.data: This is the directory where Elasticsearch data is stored.
Default value: ${DXDATAPATH}\elasticsearch\data
Default full path: D:\LogRhythm\Data Indexer\elasticsearch\data

You can use any directory you want for storing Elasticsearch data, but it should not be on the C: drive. You
should change the data path to something like the following: D:\LRIndexer\elasticsearch\data
If you have more than one drive for data, you can specify multiple locations separated by a comma:
D:\LRIndexer\elasticsearch\data,E:\LRIndexer\elasticsearch\data

Elasticsearch Server Settings [n]

path.logs: This is the directory location where Elasticsearch logs are stored.
Default value: ${DXPATH}\elasticsearch\logs
Default full path: C:\LogRhythm\Data Indexer\elasticsearch\logs

You can use any directory you want for storing Elasticsearch logs, but it should not be on the C: drive. You
should change the log path to something like the following: D:\LRIndexer\elasticsearch\logs

FIPS Config

Enabled: Enables or disables FIPS on the Data Indexer cluster. Set to false to disable FIPS, or set to true to
enable FIPS. The default value is false.

5. Click Submit.
Your changes are pushed to the appropriate appliances and database tables, and all the required Indexer
services start or restart.

Configure the Data Indexer on Linux


Whether your Linux Data Indexer cluster is one node or 3 to 10 nodes, you only have to log in to the
configuration page on one of the nodes. Note the following requirements:
• On a Linux Data Indexer, you can only access the web page from an external computer that has access to the
Data Indexer network.
• You can only access the web page using Google Chrome, Mozilla Firefox (latest versions of each), or Internet
Explorer 11.

Do not attempt to modify any configuration files manually. If you have any issues, contact
LogRhythm Support.

To access AllConf and configure the Data Indexer:
1. Log in to a Windows server with network access to the Data Indexer nodes.
2. Start one of the supported browsers.
3. Type the IP address of one of the cluster nodes in the address bar, and then press Enter.
The Data Indexer Configuration sign in page appears.
4. Type admin in the Username box and the LogRhythm default password in the Password box, and then click Sign
In.


If you make any changes to the existing Indexer configuration, ensure that you click Submit
before signing out or leaving the page.

5. Modify or verify the following settings:


CloudAI Config

These configuration values apply only to users of the LogRhythm CloudAI solution.

Enable CloudAI Enables (true) or disables (false) CloudAI in your LogRhythm


deployment.

All Conf Config

Administrator Password
Best practice is to change the default password for the admin user.
Click Change Password, then use the Update Password dialog box
to enter and confirm a new password.

Passwords must be at least six (6) characters long. It is


recommended that you create a strong password using a
combination of numbers, letters, and special characters,
and use both uppercase and lowercase letters.

Carpenter Config

Db Password
This is the password used by the LogRhythmNGLM SQL account. Services
on the Data Indexer use this account to connect to the EMDB and read/
update tables.

It is highly recommended and LogRhythm best practice to


change all MS SQL account passwords when setting up a
deployment. After you change the LogRhythmNGLM password
in Microsoft SQL Server Management Studio, you must set Db
Password to the same value. You should change the password
in Microsoft SQL Server Management Studio first, then change it
on the Data Indexer page.

Install the LogRhythm Data Indexer 101


Install a New LogRhythm 7.4.8 Deployment

Carpenter Config

Db Username
This should be left unchanged unless you have renamed the
LogRhythmNGLM SQL account in SQL Server Management Studio.

When in FIPS mode, Windows authentication is required (local


or domain). When using a domain account, Db Username must
be in the domain\username format.

Emdb Host
This must be set to the external IP address of your Platform Manager
appliance, where the EMDB database is hosted.

In High Availability deployments, this must be set to the HA


Shared IP.

Minutes to Rest This can be left at the default value.

Sql Paging Size This can be left at the default value.

Cluster Node Config

Node Info [n]

Hostname
Cannot be changed.

Public IP For each node, this must be set to the external IP address of your Data
Indexer appliance or server.

Elasticsearch Server Config

Elasticsearch Server Settings [n]

Name
cluster.name

Value
If you only have one cluster, you can leave this value at the default: logrhythm
If you have more than one cluster, change this value so that each cluster name is
unique. For example, logrhythm01, logrhythm02, and logrhythm03.

In an MSSP environment, DX Cluster names are visible to all Users of a Web
Console, regardless of Entity segregation. For privacy reasons, you may
want to avoid using cluster names that could be used to identify clients.
Data and data privacy are still maintained; only the cluster name is visible.

Elasticsearch Server Settings [n]

Name
path.data

Value
This is the directory where Elasticsearch data is stored. You can change this location
if you like, but it is OK to leave the default location.
If you have more than one path for data, you can specify multiple locations
separated by a comma: /usr/local/logrhythm/db/data, /usr/local/logrhythm/db/data1/

Elasticsearch Server Settings [n]

Name
path.logs

Value This is the directory where Elasticsearch logs are stored. You can change this
location if you like, but it is OK to leave the default location.

FIPS Config

Enabled
Enables or disables FIPS on the Data Indexer cluster. Set to false to
disable FIPS, or set to true to enable FIPS. The default value is false.

6. Click Submit.
Your changes are pushed to the appropriate appliances and database tables, and all the required Indexer
services start or restart.

Information about Automatic Maintenance


Automatic maintenance is governed by several settings in Go Maintain Config:


Disk Utilization Limit

• Disk Util Limit. Indicates the percentage of disk utilization that triggers maintenance. The default is 80, which
means that maintenance starts when the Elasticsearch data disk is 80% full.

The value for Disk Util Limit should not be set higher than 80. Doing so can impair the ability of
Elasticsearch to store replica shards for the purpose of failover.

Maintenance is applied to the active repository, as well as archive repositories created by Second Look.
When the Disk Util Limit is reached, active logs are trimmed when "max indices" is reached. At this point,
Go Maintain deletes completed restored repositories starting with the oldest date.
The default settings prioritize restored repositories above the active log repository: restored archived logs
are maintained at the sacrifice of active logs. If you want to keep your active logs and delete archives to
free space, set your min indices equal to your max indices. This forces the maintenance process to delete
restored repositories first.

Force Merge Config

Do not modify any of the configuration options under Force Merge Config without the assistance of
LogRhythm Support or Professional Services.

The force merge configuration combines index segments to improve search performance. In larger
deployments, search performance could degrade over time due to a large number of segments. Force merge
can alleviate this issue by optimizing older indices and reducing heap usage.

Parameter: Hour Of Day For Periodic Merge
Description: The hour of the day, in UTC, when the merge operation should begin. If Only Merge
Periodically is set to false, Go Maintain merges segments continuously, and this setting is not used.
Default Value: 1

Parameter: Merging Enabled
Description: If set to true, merging is enabled. If set to false, merging is disabled.
Default Value: false

Parameter: Only Merge Periodically
Description: If set to true, Go Maintain only merges segments once per day, at the hour specified by
Hour Of Day For Periodic Merge. If set to false, Go Maintain merges segments on a continuous basis.
Default Value: false

Logging of configuration and results for force merge can be found in C:\Program
Files\LogRhythm\DataIndexer\logs\GoMaintain.log.


Index Configs
The DX monitors Elasticsearch memory and DX storage capacity. GoMaintain tracks heap pressure on the
nodes. If the pressure constantly crosses the threshold, GoMaintain decreases the number of days of indices
by closing the index. Closing the index removes the resource needs of managing that data and relieves the
heap pressure on Elasticsearch. GoMaintain continues to close days until the memory is under the warning
threshold, and continues to delete days based on the disk utilization setting (80% by default).
The default config is -1. With this value, the DX monitors system resources and automatically manages the
time-to-live (TTL). You can configure a lower TTL by changing this number. If this number is no longer
achievable, the DX sends a diagnostic warning and starts closing the indices.
Indices that have been closed by GoMaintain are not searchable in 7.4.0 but are retained for reference
purposes. To see which indices are closed, you can run a curl command such as the following:
curl -s -XGET 'http://localhost:9200/_cat/indices?h=status,index' | awk '$1 == "close" {print $2}'
You can also open a browser to http://localhost:9200/_cat/indices?v to show both open and closed indices.
An index can be reopened with the following request as long as you have enough heap memory and disk space
to support it. If you do not, GoMaintain closes it again immediately.
curl -XPOST 'localhost:9200/<index>/_open?pretty'
After you open the index in this way, you can investigate the data in either the Web Console or Client
Console.
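The procedure above, scripted as an added bash example for a Linux DX node (this is not LogRhythm's code): it lists the indices GoMaintain has closed, and before reopening one it checks data-disk usage against the Go Maintain Disk Util Limit and the JVM heap against an assumed 75% ceiling, then verifies that GoMaintain did not close the index again. The ES_URL, DX_DATA_PATH, DISK_UTIL_LIMIT, HEAP_LIMIT, DX_LIST and DX_REOPEN variables, the 75% figure and the sample index rows are this example's own assumptions or constructed data, not LogRhythm settings.

```shell
#!/usr/bin/env bash
# Added example, not LogRhythm's code: list the indices GoMaintain has closed
# and reopen one only when the node has headroom, then confirm it stayed open.
# Assumptions: Elasticsearch answers without authentication on localhost:9200
# (the address used throughout this guide), path.data is the guide's default,
# and the 75% heap ceiling is an illustrative threshold, not a LogRhythm setting.
set -eu

ES="${ES_URL:-http://localhost:9200}"
DATA_PATH="${DX_DATA_PATH:-/usr/local/logrhythm/db/data}"
DISK_LIMIT="${DISK_UTIL_LIMIT:-80}"   # Go Maintain "Disk Util Limit" default
HEAP_LIMIT="${HEAP_LIMIT:-75}"        # assumed ceiling for reopening (see above)

# The same listing the guide uses: one "status index" row per index.
fetch_indices() { curl -sf "$ES/_cat/indices?h=status,index"; }

# Read those rows on stdin and print only the names of closed indices.
closed_indices() { awk '$1 == "close" { print $2 }'; }

# Read `df -P <path>` output on stdin and print the Use% column as a bare number.
pct_from_df() { awk 'NR == 2 { sub("%", "", $5); print $5 }'; }

# Read `_cat/nodes?h=heap.percent` rows on stdin and print the highest value.
max_heap_pct() { sort -n | tail -n 1; }

# True when usage is strictly below the limit (GoMaintain starts trimming at it).
below_limit() { [ "$1" -lt "$2" ]; }

# Reopen one index after checking disk and heap; report if GoMaintain closes it again.
reopen_index() {
  idx="$1"
  used=$(df -P "$DATA_PATH" | pct_from_df)
  heap=$(curl -sf "$ES/_cat/nodes?h=heap.percent" | max_heap_pct)
  if [ -z "$used" ] || [ -z "$heap" ]; then
    echo "could not read disk usage for $DATA_PATH or heap from $ES" >&2
    return 1
  fi
  if ! below_limit "$used" "$DISK_LIMIT"; then
    echo "data disk at ${used}% (limit ${DISK_LIMIT}%): not reopening $idx" >&2
    return 1
  fi
  if ! below_limit "$heap" "$HEAP_LIMIT"; then
    echo "JVM heap at ${heap}% (limit ${HEAP_LIMIT}%): not reopening $idx" >&2
    return 1
  fi
  curl -sf -XPOST "$ES/$idx/_open?pretty"
  sleep 15   # give GoMaintain time to react before trusting the new state
  if fetch_indices | closed_indices | grep -qxF "$idx"; then
    echo "$idx was closed again: free disk or heap before retrying" >&2
    return 2
  fi
  echo "$idx is open and searchable"
}

# Constructed sample rows in the shape of `_cat/indices?h=status,index` output.
SAMPLE_INDICES='open  logs-2019-08-12
close logs-2019-06-01
open  logs-2019-08-11
close logs-2019-05-30'

# DX_LIST=1 prints the closed indices; DX_REOPEN=<index> runs the guarded reopen.
if [ -n "${DX_REOPEN:-}" ]; then
  reopen_index "$DX_REOPEN"
elif [ "${DX_LIST:-0}" = 1 ]; then
  fetch_indices | closed_indices
fi
```

Run it on the DX as the logrhythm user, for example DX_LIST=1 ./reopen-index.sh to see what is closed, then DX_REOPEN=logs-2019-06-01 ./reopen-index.sh for one index. The 15-second re-check is what turns "it immediately closes again" from a surprise into an explicit exit code 2.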


Complete Additional LogRhythm Installation Tasks


Configure or Verify Communication Ports
LogRhythm installers should open the TCP ports required for component communications. Additional
configuration may be required, as described in this section. For more information on ports, see Networking
and Communication.

If you need assistance with any of the procedures listed below, contact your system or network
administrator.

Configure Access for Remote Consoles


Users should access their LogRhythm deployment using a Client Console that is installed on their local
workstation or through Citrix/Terminal Services (that is, not via the Client Console that is installed on the XM
or Event Manager/Platform Manager). For this reason, some configuration to allow remote access may be
required after upgrading to 7.4.8.
If any intermediary firewalls are enabled between any LogRhythm Client Consoles, including the Windows
Firewall on any LogRhythm appliance, you must add the following rule to each firewall if access to the Data
Indexer IP address is not already allowed by applied policies:
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13130
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13132

Verify Ports on the Linux Data Indexer


To verify which ports are listening for incoming traffic on a Linux Indexer node, log in to the Indexer node as
logrhythm and run the following command:
sudo firewall-cmd --permanent --zone=public --list-all
This lists all the public ports opened for DX:
• 8501/tcp
• 8300/udp
• 8301/udp
• 8300/tcp
• 8301/tcp
Note that --permanent shows the saved configuration. Omit it to see the rules currently enforced, which can
differ from the saved set until firewall-cmd --reload has been run.
If you need to open any incoming ports on the Linux Indexer, do the following:
1. Log in to the Indexer node as logrhythm and run the following commands, replacing port with the port number:
sudo firewall-cmd --zone=public --add-port=port/tcp --permanent
sudo firewall-cmd --reload
2. Repeat the steps above on each Linux Data Indexer.
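To make the check above repeatable across every DX node, here is an added bash example (not LogRhythm's code) that compares the port list from this section against both the runtime and the permanent firewalld rule sets of the public zone, so that a rule added with --permanent but never reloaded is reported rather than silently missed. The FW_ZONE, DX_FW_AUDIT and APPLY variables and the sample port strings in the self-checks are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not LogRhythm's code: reconcile a Linux DX node's firewalld
# zone with the port list in this guide, distinguishing the saved (--permanent)
# rule set from the one currently enforced. Assumes firewalld with the "public"
# zone, as the guide's commands do, and sudo rights for the logrhythm user.
set -eu

ZONE="${FW_ZONE:-public}"
# Ports this guide lists as opened for the DX.
REQUIRED_PORTS="8501/tcp 8300/udp 8301/udp 8300/tcp 8301/tcp"

# Print every entry of $1 (space-separated required ports) that is absent from
# $2 (space-separated open ports, as printed by `firewall-cmd --list-ports`).
missing_ports() {
  req="$1"; cur="$2"
  for p in $req; do
    case " $cur " in
      *" $p "*) ;;
      *) echo "$p" ;;
    esac
  done
}

runtime_ports()   { sudo firewall-cmd --zone="$ZONE" --list-ports; }
permanent_ports() { sudo firewall-cmd --permanent --zone="$ZONE" --list-ports; }

# Report gaps in both rule sets; with APPLY=1 also open what is missing.
audit() {
  rt_missing=$(missing_ports "$REQUIRED_PORTS" "$(runtime_ports)")
  perm_missing=$(missing_ports "$REQUIRED_PORTS" "$(permanent_ports)")
  if [ -z "$rt_missing" ] && [ -z "$perm_missing" ]; then
    echo "zone $ZONE: all required DX ports are open (runtime and permanent)"
    return 0
  fi
  # Unquoted expansion on purpose: collapse the one-per-line list to one line.
  [ -z "$rt_missing" ]   || echo "missing at runtime:   $(echo $rt_missing)"
  [ -z "$perm_missing" ] || echo "missing in permanent: $(echo $perm_missing)"
  if [ -z "$perm_missing" ] && [ -n "$rt_missing" ]; then
    echo "saved config already has them: 'firewall-cmd --reload' was never run"
  fi
  if [ "${APPLY:-0}" = 1 ]; then
    for p in $perm_missing; do
      sudo firewall-cmd --permanent --zone="$ZONE" --add-port="$p"
    done
    sudo firewall-cmd --reload   # also closes a runtime-only gap
  fi
  return 1
}

# DX_FW_AUDIT=1 ./dx-ports.sh reports; APPLY=1 DX_FW_AUDIT=1 ./dx-ports.sh fixes.
if [ "${DX_FW_AUDIT:-0}" = 1 ]; then
  audit
fi
```

Running the audit on each DX node in turn replaces step 2 ("repeat on each Data Indexer") with a loop you can put in a fleet tool, and the non-zero exit from audit makes a drifted node visible in that tool's output.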


Verify Ports on the Windows Data Indexer or the Data Processor


To verify allowed ports on a Windows server host:
1. Log in to the Windows server as an administrator.
2. Open a command prompt and run the following command:
netsh firewall show state
Ports that are currently open on all interfaces are displayed below the firewall status.

The netsh firewall context has been deprecated in favor of netsh advfirewall, but it should still work on
Windows Server 2008 R2, 2012 R2, and 2016. Alternatively, run netsh advfirewall firewall show rule name=all,
or open Windows Firewall with Advanced Security and search for the ports that are allowed on the current
server.

If you need to allow any ports on a Windows server host:


1. Log in to the Windows server as an administrator.
2. Open a command prompt and run the following command:
netsh advfirewall firewall add rule name="rule name" dir=in action=allow protocol=TCP localport=port

Verify SQL Server Authentication and LogRhythm Databases


To verify authentication on the Platform Manager or XM server:
1. Click Start, Apps, and then Microsoft SQL Server Management Studio.
2. In the Connect to Server window, enter the following information:
a. Authentication. SQL Server Authentication
b. Login. sa
c. Password. Enter the appropriate password
3. Click Connect.
The Microsoft SQL Server Management Studio window opens.
4. Expand the Databases folder. You should see the following LogRhythm Databases:
• LogRhythm_Alarms
• LogRhythm_CMDB
• LogRhythm_Events
• LogRhythm_LogMart
• LogRhythmEMDB
5. Exit Microsoft SQL Server Management Studio.

Verify LogRhythm Installation


Verify that the installation completed successfully by checking for the LogRhythm components in Add/
Remove Programs.
1. Click Start, Control Panel, and Add/Remove Programs.
2. Search for the following LogRhythm components on each server type and verify the version within the
support information link.


LogRhythm Component   XM   PM   DP   DX   AIE   Collector

Advanced Intelligence (AI) Engine X X X

Alarming Manager X X

Console* X X

Data Indexer (DX) X X

Job Manager X X

Mediator Server Service X X

System Monitor Service** X X X X X

Common X X

* The Console can be installed on any supported system.


** The System Monitor can be installed on any supported system. At a minimum, you must install it on the
XM or PM.
If you have any issues with the installation, contact LogRhythm Support. C:\LogRhythm\InstallLogs contains
the install logs that may supply useful error messages for support.

Verify Web Console Processes


The installer automatically starts the services and processes needed to run the Web Console. However, you
should ensure that these processes are running by doing the following:
1. Go to Services on your machines.
2. Verify that the following services have started:
• LogRhythm API Gateway
• LogRhythm Authentication API
• LogRhythm Case API
• LogRhythm Service Registry
• LogRhythm Threat Intelligence API
• LogRhythm Web Console API
• LogRhythm Web Console UI
• LogRhythm Web Indexer
• LogRhythm Web Services Host API
3. Go to Task Manager on your machine.
4. Verify that the following processes are running:
• java.exe (one instance)


• LogRhythm.Web.Services.ServicesHost.exe
• LogRhythmAPIGateway.exe
• LogRhythmAuthenticationAPI.exe
• LogRhythmCaseAPI.exe
• LogRhythmServiceRegistry.exe
• LogRhythmThreatIntelligence.exe
• lr-threat-intelligence-api.exe (32 bit)
• LogRhythmWebConsoleAPI.exe
• LogRhythmWebConsoleUI.exe
• LogRhythmWebIndexer.exe
• LogRhythmWebServicesHostAPI.exe
• nginx.exe *32 (a minimum of two instances)
• node.exe (four instances)
• procman.exe (eight instances)
• NSSM Service Manager

NSSM is not a LogRhythm application, but a third-party service manager that provides a
wrapper around Java, Go, and other services to ensure that they run properly on Windows
and that they are restarted when they stop.

Install Other Agents


To install the LogRhythm System Monitor Agent on other machines, or to install the non-Windows System
Monitor Agents, follow the steps below.
1. System Monitor installer files are available in the LogRhythm Install Wizard, in the Installers subfolder. Make
sure to use the appropriate file for 32-bit or 64-bit systems:
• LRSystemMonitor_7.4.x.xxxx.exe
• LRSystemMonitor_64_7.4.x.xxxx.exe
You can also download the Windows System Monitor installers from the release downloads page on the
LogRhythm Community.
2. Download *NIX System Monitor Agent packages from the release downloads page on the LogRhythm
Community. Text-based installation instructions for each package and platform are available.
3. Additional installation instructions are available in Install a System Monitor on Windows or Install a System
Monitor on UNIX/Linux.

For all *NIX operating systems that support Realtime FIM, the System Monitor requires root
privileges.


Configure the LogRhythm Software


You can work directly with Professional Services to configure your LogRhythm Solution, or you can follow
the steps in the New Deployment Wizard topic in the LogRhythm Client Console Reference Guide. You can
find additional resources on the LogRhythm Community.

The LogRhythm upgrade guides contain information about some post-upgrade (or post-install)
configurations that are important to your deployment. You may want to review those guides to
ensure that at least the following items are addressed:
• Ensure that all Data Processors are assigned to a cluster
• Verify the IP Address of the LogMart Database Server

You need the following items for the deployment, whether you configure LogRhythm yourself or you work
with Professional Services:
• LogRhythm License File that is sent via email
• LogRhythm Knowledge Base (extension .lkb), which is located in the following folder: \LogRhythm\Install\KB

Add Realtime Antivirus Exclusions for LogRhythm


If you removed third party antivirus or endpoint protection software to conduct an upgrade or installation,
reinstall it. When running antivirus scanning software on a LogRhythm platform and/or on System Monitor
Agent systems, be sure to exclude the following directories from realtime antivirus scans. Scanning these
directories has a major impact on the performance of the LogRhythm platform. However, these locations
should be scanned on a regularly scheduled basis.

The following lists include the default directories; however, the location of any State folder
(including AI Engine, Job Manager, and SCARM) and archive data is customizable to use any
location (for example, D:\). The locations of these folders need to be excluded.

XM Appliance
If you have an XM appliance, apply the exclusions specified for the PM, DPX, and AIE (if installed). 

PM Appliance
• D:\*.mdf
• L:\*.ldf
• T:\*.mdf
• T:\*.ldf
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• C:\tmp\indices\ (if Web Console is installed on the PM)


• If the Threat Intelligence Service (TIS) is installed:
• C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\*.*
• C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\staging\HailATaxii\*.*

DP or DPX Appliance (Windows)


• All files in the directories and sub-directories of the paths stored in the environment variables %DXPATH%,
%DXCONFIGPATH%, and %DXDATAPATH%. By default, this is D:\Program Files\LogRhythm\Data Indexer\. To
view the environment variables, go to the Advanced System Settings, and click Environment Variables.
• D:\LogRhythmArchives\Active\*.lua
• X:\LogRhythmArchives\Inactive\*.lca (where X: is the location of the inactive archives, D: by default)
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.bin (where X: is the location of the state
folder)
• X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.dgz (where X: is the location of the state
folder)
• C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\data
• C:\Windows\Temp\jtds*.tmp

DX Appliance (Linux)
• /var/log/elasticsearch
• /usr/local/logrhythm

AIE Appliance
• C:\Program Files\LogRhythm\LogRhythm AI Engine\data\*.*
• C:\Program Files\LogRhythm\LogRhythm AI Engine\state\*.*
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos

If the AIE service is running on the PM appliance, exclude these directories on the PM.

Collector Appliance or Agents Deployed on Servers


• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.bin
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.suspense

The above paths are the default installation location for the System Monitor Agent. If you install the
Agent in a different location (for example, D:\), update the exclusions as required.


Agents Deployed on Linux Servers


• /opt/logrhythm/scsm/state/*.pos
• /opt/logrhythm/scsm/state/*.suspense

High Availability Deployments


• C:\lk\* directory (or whichever folder LifeKeeper is installed in)
• C:\Program Files (x86)\SIOS\DataKeeper directory (or whichever folder DataKeeper is installed in)
• C:\Program Files (x86)\SIOS\DataKeeper\Bitmaps (or whichever folder the bitmap file is stored in)
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
• Registry keys used by SIOS, listed at the following link: http://docs.us.sios.com/WindowsSPS/8.6/SPS4W/TechDoc/index.htm#DataKeeper/Administration/Registry_Entries.htm%3FTocPath%3DDataKeeper%7CAdministration%7C_____10


Supplemental Information for Installations


Use the LogRhythm Deployment Tool
The LogRhythm Deployment Tool assists in the installation of Common Components across all LogRhythm
appliances and runs as the LogRhythm Infrastructure Installer (LRII) in the Install Wizard. The Common
Components are required on each appliance (Platform Manager, Data Processor, Data Indexer, Web Console,
and AI Engine) to enable communication between components.
The LogRhythm Deployment Tool builds a Deployment Package that you can use to manually deploy the
Common Components on each appliance in a distributed configuration. Using this method, there is no need
to relax security posture of your deployment to install Common Components.

The Deployment Tool improves the method for installing or upgrading a distributed deployment.
The tool is required every time you install or upgrade a LogRhythm component to ensure that all
components are communicating properly. If the tool is not utilized during an installation or
upgrade, the deployment will not be functional and you will not be able to index or retrieve data.
For more information, see Add a Component to an Existing LogRhythm Deployment.

Installation Considerations
Running the Deployment Tool is required for all installations and upgrades. After installing or upgrading the
LogRhythm SQL databases on the PM or XM, run the Install Wizard on the PM or XM, and the Deployment
Tool will walk you through the process of preparing all of the other servers in your deployment.

You must have the IP address of each LogRhythm server in your deployment, with the exception of
those running the Client Console or standalone System Monitors. You will also need SQL database
credentials (sa or equivalent user) for the EMDB and the ability to log in to each of the LogRhythm
servers to run the deployment package that the Deployment Tool generates.

Install a New Deployment or Upgrade to a New Version of LogRhythm


After successfully running the Database Upgrade Tool, run the Install Wizard on your PM or XM. When you
select one of the available appliance configurations and proceed with the installation, the Deployment Tool
launches first.
The options available on the main page of the Deployment Tool depend on whether you are upgrading an
existing deployment or installing a new one. Select either Configure New Deployment or Upgrade
Deployment, depending on your situation. Then follow the on-screen instructions to create a
Deployment Package. Additional help is available by clicking the question mark icon in the upper-right of the
tool.


When you are upgrading a deployment, the Deployment Tool prompts you to indicate if you have a
High Availability or Disaster Recovery deployment. If you have either deployment type, you should
use the appropriate upgrade guide for those deployments and your version. These guides are
available on the Install or Upgrade a Deployment or an Appliance page.

When you are sure that all hosts have been added, click Create Deployment Package. When prompted,
select the location where you want to save the Deployment Package. You should save the Deployment
Package on a file share or some place you will be able to access it from all hosts. Make a note of the
Deployment Package location.
Click Next Step, and then follow the on-screen instructions and additional help to install the Deployment
Package on all hosts.

After you begin installing the Deployment Package on your hosts, your LogRhythm Deployment will
be down until you successfully complete the rest of the LogRhythm Deployment installation
process. Be sure you have allotted enough time and informed all affected parties.

After you have completed the final Verify Deployment Status step, click Exit to Install Wizard.

You still need to run the Install Wizard on all other components, and if you have a Linux DX, you will
also need to run that installer to complete your LogRhythm upgrade. These items can be started
after the Deployment Tool installation has completed.

Add a Component to an Existing LogRhythm Deployment


Any time you add a new component (Data Processor, Data Collector, AI Engine, Web Console, or Data
Indexer) to an existing LogRhythm deployment, you must rerun the LogRhythm Infrastructure Installer for
the new component to be able to communicate.
1. In the Start menu on the machine where you have LogRhythm installed, click LogRhythm, and then LogRhythm
Infrastructure Installer.
2. Click Add/Remove Hosts.
3. Click Add Host.
4. Enter the information for the new host and click Save.
5. Click Deployment Properties.
6. If necessary, change the Deployment Properties to match your deployment, and then click OK.
7. Click Create Deployment Package.
8. Follow the instructions provided by the Infrastructure Installer.
9. When you have finished, return to the home page of the Infrastructure Installer and click Verify Deployment
Status.
10. When the Infrastructure Installer indicates that your deployment is healthy, use the LogRhythm Installation
Wizard to install your new component. For more information, see Install a New LogRhythm 7.4.8
Deployment.


11. License, configure, and add the new component according to the instructions provided in the LogRhythm Client
Console Help or LogRhythm Web Console Help.

Logs
Installer logs are located in C:\LogRhythm\InstallerLogs, in a folder named with the date you completed the
installation. The _LIW log shows basic information about the Install Wizard, and the LogRhythm_
Infrastructure_Installer_Silent log shows more information about the Deployment Tool.
In addition, you can find more information about the Deployment Tool install at C:\Program
Files\LogRhythm\LogRhythm Infrastructure Installer\logs or in the MSI log on the server, located at
%Temp%.
The Linux DX installer logs are located in /var/log/persistent. Run cat logrhythmclusterinstall.sh.log
or cat lorhythm-node-install.sh.log in that directory to view the contents of these logs.

Troubleshooting
Below are some potential issues that may arise when running the Deployment Tool.

Not all servers are shown in the EMDB results


The search does not find standalone Web Consoles or System Monitors. You must manually add your
standalone Web Consoles. There is no need to add the standalone System Monitors.

Linux deployment package will not run


You may have to switch to the directory where the package is located and run the following command prior
to running the Linux installer:
sudo chmod +x LRII_linux
After this has been completed, you can run the Linux package with the following command:
sudo ./LRII_linux

The Deployment Tool was successful, but cannot index or process


Ensure that you also run the Install Wizard on all of your nodes and/or the Linux DX upgrade package. These
are still required to be run on your nodes in addition to the Deployment Package.

My Deployment Status Verification says that not everything is active


Check your list of hosts in the Deployment Tool for accuracy. You may need to run the Deployment Package
on the inactive servers again. Follow the instructions above to run the packages.


My upgrade won't start because Elasticsearch is not running


You may see a message stating: You cannot upgrade: Please run 'sudo systemctl start elasticsearch'.
Elasticsearch needs to be running to check your indices for incompatible versions. Start the service as
indicated, run the curl command mentioned in the error until the cluster health is green, and then try the
install again.
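As an added bash example (not LogRhythm's code), the check described above written as a loop: start Elasticsearch if it is not answering, then ask the health endpoint to wait for green with a server-side timeout instead of polling in a tight loop, and report the unassigned shard count if the cluster never gets there. It assumes Elasticsearch on localhost:9200 without authentication and a systemd unit named elasticsearch, as in the quoted error message; the ES_URL, ATTEMPTS, TIMEOUT and DX_HEALTH_CHECK variables and the sample health response are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not LogRhythm's code: pre-upgrade cluster health wait for a
# Linux DX. Assumes Elasticsearch on localhost:9200 without authentication and
# a systemd unit named elasticsearch, as in the error message quoted above.
set -eu

ES="${ES_URL:-http://localhost:9200}"
ATTEMPTS="${ATTEMPTS:-20}"
TIMEOUT="${TIMEOUT:-30s}"

# Pull the value of one top-level field out of the flat _cluster/health JSON,
# quoted or not, whether the document is on one line or pretty-printed.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^,\"}]*\)\"\{0,1\}.*/\1/p"
}

# Print green/yellow/red, or nothing if the node is unreachable or the server
# side wait timed out with a non-2xx response (curl -f turns that into no output).
cluster_status() {
  curl -sf "$ES/_cluster/health?wait_for_status=green&timeout=$TIMEOUT" \
    | json_field status
}

ensure_running() {
  if ! curl -sf "$ES/" >/dev/null 2>&1; then
    sudo systemctl start elasticsearch
  fi
}

wait_for_green() {
  n=0
  while [ "$n" -lt "$ATTEMPTS" ]; do
    n=$((n + 1))
    status=$(cluster_status || true)
    case "$status" in
      green) echo "cluster is green after $n attempt(s)"; return 0 ;;
      "")    echo "attempt $n: no status from $ES (down, or wait timed out)" >&2 ;;
      *)     echo "attempt $n: status is $status, waiting" >&2 ;;
    esac
  done
  # Say why it is still not green so the operator knows what to look at.
  curl -sf "$ES/_cluster/health" | json_field unassigned_shards \
    | sed 's/^/unassigned shards: /' >&2
  return 1
}

# Constructed sample of a health response, used to exercise json_field offline.
SAMPLE_HEALTH='{"cluster_name":"logrhythm","status":"yellow","timed_out":true,"number_of_nodes":1,"unassigned_shards":12}'

# DX_HEALTH_CHECK=1 ./wait-green.sh
if [ "${DX_HEALTH_CHECK:-0}" = 1 ]; then
  ensure_running
  wait_for_green
fi
```

Because the request carries wait_for_status=green, each attempt blocks on the server for up to TIMEOUT and returns as soon as the cluster is green, so twenty attempts with a 30s timeout bound the wait at ten minutes without generating a request storm; a yellow result that never clears usually means replica shards cannot be allocated, which on a DX is the situation the Disk Util Limit guidance earlier in this guide is meant to prevent.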

When upgrading my Linux DX, I received an error that states the LRII Plan file is invalid
You may not have added the plan file location to the executable path. Make sure you use the full execution
path. It should be similar to the following:
sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/soft/hosts --plan /home/logrhythm/soft/plan.yml

The LogRhythm Service Registry can't start during an upgrade


This error occurs when the Service Registry service is not started when LRII runs or it was started after the
Deployment Tool loaded. The C:\Program Files\LogRhythm\LogRhythm Infrastructure Installer\data
directory is cleared prior to running LRII because it recreates a new configuration for this upgrade.
There is a backup script that saves all key values prior to running the Deployment Tool so that the data
directory can be recovered if necessary. If needed, these files are in the depconf folder.

Unable to query for legacy deploymentType value


This error message may appear if your key values have been removed. It should automatically restore them
for you, but if you run into this issue, you can run the following steps to restore the key values.
1. Open PowerShell.
2. Change to the Service Registry backup directory (the path contains spaces, so quote it):
cd "C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\backup"
3. Set the path to the Consul executable:
$ConsulPath = "C:\LogRhythm\Deployment\data\consul.exe"
4. Find a previous backup in the directory from step 2 that is larger than the most recent backups.
Most likely, the recent backups are 0 bytes in size; pick the latest one with a size larger than that.
5. Import that backup into the key-value store:
Get-Content .\kvexport-<date of backup>.json | & $ConsulPath kv import -
6. Restart the LogRhythm Deployment Tool.

Use the LogRhythm Configuration Manager


The LogRhythm Configuration Manager is an application that allows you to easily set up environmental
variables and configure them as needed during the lifetime of a deployment. It automatically appears when
installation or upgrade of a deployment is complete. It can also be accessed in the Configuration
Manager folder on the server where LogRhythm is installed (C:\Program Files\LogRhythm\LogRhythm
Configuration Manager) or by searching for LogRhythm Configuration Manager in the Windows Search box.
The Configuration Manager is not available remotely or online, so no login is required.
The LogRhythm Configuration Manager requires the following services:
• LogRhythm Web Services Host API
• LogRhythm API Gateway
• LogRhythm Service Registry
If any of those services are not functioning, you will receive an error message and the LogRhythm
Configuration Manager will not load. To resolve this issue, see the troubleshooting section below.

Configure your Deployment

If you are using multiple Web Console instances, the Configuration Manager lets you apply
individual configurations to each instance. Each instance, for single or multiple Web Consoles, will
be identified in the Configuration Manager as Web Console UI - HOSTNAME, where HOSTNAME is
the Windows host name of the server where the Web Console is installed.

Until you have had a chance to tune your deployment, and to avoid potential performance issues
with AIE Cache Drilldown, you should disable the AIE Drill Down Cache API after upgrading to
LogRhythm 7.4.8.

The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited
settings are shown in Basic mode. Advanced mode displays all settings, including those shown in Basic
mode, grouped according to which service they affect. You can filter the settings that are displayed by
clicking one of the options on the left — All (no filtering), Authentication, or Web Services. When settings are
filtered, you should enable the Advanced view to ensure you can see all settings.
To expand the screen and see all options at once, click the View menu in the upper-left corner of the
LogRhythm Configuration Manager window, then click Toggle Full Screen.
At the bottom of the LogRhythm Configuration Manager window, a service status indicator shows which
Services are active or inactive. A blue light indicates that all services are up. A red light indicates that one or
more services are down. You can hover the mouse over the indicator to see a list of which services are down.
In Advanced mode, the indicator light also appears next to each group header.

If your LogRhythm Configuration Manager appears grainy, you may need to turn on Windows Font
Smoothing. You can read how to do so here: http://www.microsoft.com/typography/
ClearTypeFAQ.mspx

To configure settings in the LogRhythm Configuration Manager:


1. Find the setting you want to configure by doing one of the following:
• In the Search box, type a term that appears in either the name or description of the configuration. Note
that headers and user input data won't be searched. Search returns results from both Basic and
Advanced modes, even if Advanced is not toggled on.
• Scroll through the Basic or Advanced configuration mode until you find the option you want. The
Configuration Manager is used to configure settings such as user ID, password, authentication strategy,
and log level for the following components:
• LogRhythm Database
• Admin API
• AIE Drilldown Cache API
• API Gateway
• Authentication API
• Case API
• Notification Service
• SQL Service
• Web Console API
• Web Console UI
• Web Indexer
• Web Services Host API
• Windows Authentication Service
2. Enter the configuration you want. Note the following features:
• The LogRhythm Configuration Manager provides informational text as appropriate about what the
settings do and what unit data must be entered in.
• Configuration changes that could affect the performance of the environment include a written warning
beneath the input box.
• For organizations using Smart Cards, the Automatic Logout Time setting for Web Console API should be
increased from the default of zero.
• When Web Console Smart Card Authorization is enabled, the other Authentication API settings will
become unavailable.
• Multi-factor authentication requires users to set up authentication tools on their devices.
For more information, see Log in to the Web Console.
3. Click Save after making changes to the configuration. You can also click Save in the Edit menu in the upper-left
corner of the Configuration Manager. The configuration file is saved to %APPDATA%\LogRhythm Configuration
Manager\presets. You can make additional configuration backups. For more information, see the Back Up and
Restore section below.

If you make a configuration change and then change that configuration again back to the previously
saved setting, the Save button will be deactivated and the last saved values persist. To undo a single
configuration change, click Edit in the upper-left corner of the LogRhythm Configuration Manager, and
then click Undo. You can also press Ctrl+Z. If you need to undo several configuration changes at once,
clicking the Revert Unsaved Changes button sets all configurations back to their last saved values.

The affected service or services restart automatically and the changes are applied. A restart time of up to 60
seconds is normal.

Troubleshoot the LogRhythm Configuration Manager


If the LogRhythm Web Services Host, the LogRhythm API Gateway, or the LogRhythm Service Registry is not
running, you receive an error message and the LogRhythm Configuration Manager does not load. If you are
not running the LogRhythm version of SQL server, one of the following error messages displays:
• The LogRhythm Configuration Manager displays: Cannot communicate with Services Host API.
• The log file for Service Host API displays: 2016-07-18T15:28:05.080-06:00 [ERROR] [thread:6]
[class:Client.Session] **ERROR** Unable to load LogRhythm Master License: The SELECT permission was denied
on the object 'SCLicense', database 'LogRhythmEMDB', schema 'dbo'.
To resolve this issue:
1. Go to Services on your machine and stop the service SQL Server (MSSQLSERVER).
2. Restart the service LogRhythm Services Host API.
3. Open the LogRhythm Configuration Manager.
4. In the Database Server box, enter the correct Database Server IP address.
5. Click Save.
6. In the Services program on your machine, restart SQL Server (MSSQLSERVER).
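The Services Host API log line quoted above has a fixed layout (timestamp, level, thread, class, message), so the symptom can be recognised automatically when reviewing that log. The following is an added example, not LogRhythm code: it parses lines in that layout and matches the message against the permission error documented here. The lines other than the one quoted on this page are constructed samples.

```python
"""Parse LogRhythm Services Host API log lines and flag the SQL permission
symptom described on this page (added example, not LogRhythm code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Layout of the quoted line: ISO timestamp, [LEVEL], [thread:N], [class:X], message
_LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2}) "
    r"\[(?P<level>[A-Z]+)\] \[thread:(?P<thread>\d+)\] \[class:(?P<cls>[^\]]+)\] "
    r"(?P<msg>.*)$"
)


@dataclass
class LogRecord:
    ts: str
    level: str
    thread: int
    cls: str
    msg: str


def parse_line(line: str) -> Optional[LogRecord]:
    """Return a LogRecord for a line in the Services Host API format, else None."""
    m = _LOG_LINE.match(line.strip())
    if not m:
        return None
    return LogRecord(m["ts"], m["level"], int(m["thread"]), m["cls"], m["msg"])


# Known symptom -> remediation, taken from the troubleshooting steps on this page.
SYMPTOMS: List[Tuple[re.Pattern, str]] = [
    (
        re.compile(r"SELECT permission was denied on the object 'SCLicense'"),
        "Services Host API is talking to a SQL Server that is not the LogRhythm one: "
        "stop SQL Server (MSSQLSERVER), restart LogRhythm Services Host API, set the "
        "correct Database Server in the Configuration Manager, save, then restart "
        "SQL Server (MSSQLSERVER).",
    ),
]


def triage(lines: List[str]) -> List[Tuple[LogRecord, str]]:
    """Return (record, remediation) for every ERROR line matching a known symptom."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.level != "ERROR":
            continue
        for pattern, advice in SYMPTOMS:
            if pattern.search(rec.msg):
                hits.append((rec, advice))
                break
    return hits


# Sample log: the first line is the one quoted on this page; the rest are constructed.
SAMPLE_LOG = [
    "2016-07-18T15:28:05.080-06:00 [ERROR] [thread:6] [class:Client.Session] **ERROR** "
    "Unable to load LogRhythm Master License: The SELECT permission was denied on the "
    "object 'SCLicense', database 'LogRhythmEMDB', schema 'dbo'.",
    "2016-07-18T15:28:04.910-06:00 [INFO] [thread:1] [class:Startup] Service starting",
    "2016-07-18T15:28:06.002-06:00 [ERROR] [thread:6] [class:Client.Session] "
    "**ERROR** Unrelated constructed error for the example",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for rec, advice in triage(SAMPLE_LOG):
        print(f"{rec.ts} {rec.cls}: {advice}")
```

The table of symptoms holds only the error documented here; extending it with other message patterns from the same log keeps the parser unchanged.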
The LogRhythm Configuration Manager does not load if a proxy server is enabled for LAN connections in
Internet Explorer.
To change the proxy server settings for Internet Explorer:
1. On the Internet Options dialog box, click the Connections tab.
2. Click LAN Settings.
The Local Area Network (LAN) Settings dialog box appears.
3. Clear the Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections)
check box.
4. Click OK.
If you require a proxy server for LAN connections, contact LogRhythm Support.

Back Up and Restore a LogRhythm Configuration


When you click Save in the LogRhythm Configuration Manager, the configuration file is saved to
%APPDATA%\LogRhythm Configuration Manager\presets. However, you can create a backup of any
configuration and save it to any location to use later to restore a given configuration or share with other
users.
To back up a configuration:
1. Make any changes you want. Boxes with changes are outlined blue.
2. Select Backup/Restore in the menu.
3. Click Backup to File.
4. Name the file and save it to the location you want.
5. (Optional) Click Save in the lower right of the LogRhythm Configuration Manager to apply the changes
immediately.
To restore a configuration:
1. Select Backup/Restore in the menu.
2. Select from one of the following:
• Restore from File. Prompts you to open a configuration backup file. After you open the file, boxes with
changes are outlined blue.
• Restore from Last Saved. Reverts to the configuration saved in %APPDATA%\LogRhythm Configuration
Manager\presets. You can also click Revert Unsaved Changes to apply the settings in that file. Boxes with
changes are outlined blue.
• Restore from Default. Returns all configuration settings to the installation defaults. Boxes with changes
are outlined blue.
3. In the lower right of the LogRhythm Configuration Manager, click Save to apply the new settings.

Install and Configure the Web Console


The following sections provide information about installing the Web Console and additional configuration
options.

Install the Web Console


You should only install the Web Console with the LogRhythm Install Wizard, whether you are adding it to the PM
or installing it as a standalone appliance/server. For a standalone installation, be sure to follow the
instructions regarding the LogRhythm Infrastructure Installer: run your deployment package on the Web
Console server and then run the Install Wizard to install the single Web Console configuration.
Any time you add a new Web Console to an existing LogRhythm deployment, you must rerun the LogRhythm
Infrastructure Installer for the new component to be able to communicate. For further instructions, see Add
a Component to an Existing LogRhythm Deployment.

Configure the Web Console With the LogRhythm Configuration Manager


The LogRhythm Configuration Manager is an application that allows you to easily set up environmental
variables and configure them as needed during the lifetime of the Web Console. For more information, see
Use the LogRhythm Configuration Manager.

Configure Smart Card/CAC Authentication

Smart Card/CAC authentication is not supported on Firefox.

To configure Smart Card/CAC authentication:


1. To obtain the environment's Certificate Authority Trust chain, concatenate the set of all SSL certificates
including the root certificates, the certificates that sign the end-user certificates, and all intermediate
certificates into a single file.
Do not manually insert line breaks within the certificates. The certificates do not need to be in any
specific order.

2. In the Web Services Configuration Manager, complete the following:
a. In the Certificate Authority Trust section, click Choose file. Select the single certificate file created
in step 1. The contents of the certificate file populate the Certificate Authority Trust field.
b. In the Authentication section, set the Web Console Multi-factor Authentication Type to Smart Card.

Remove the Web Console


If you need to uninstall the Web Console, log in as an Administrator, go to Add/Remove Programs, and
uninstall the LogRhythm Web Console. During the uninstallation, the following components are stopped and
removed:
• LogRhythm Case API
• LogRhythm Web Console API
• LogRhythm Web Console UI
• LogRhythm Web Indexer
• LogRhythm Web Services Host API
• LogRhythm Threat Intelligence API
• LogRhythm Web Services Configuration Manager (program)
After removing the Web Console, any files that were generated by the runtimes of the services above remain.
All installation directories are still present. Below are some examples of the types of files that remain on the
system:
• log files
• temporary or buffer files
• generated keys or certificates
• .pid files
If you want to completely remove the Web Services, it is safe to remove the entire LogRhythm Web Services
directory. If you plan to reinstall Web Services, it is not necessary to remove the Web Console folder
structure.

Certificates

Generate Your Own SSL Certificate for the Web Console


The Web Console installer automatically generates a self-signed SSL certificate for you and saves it here:
C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls_temp.
However, it is best practice to generate your own self-signed certificates or import certificates signed by a
third party. When configuring your own SSL Certificates for the Web Console, each certificate needs to be
configured separately. Some guidance on doing so can be found on the Digital Ocean website and the
OpenSSL website, but your IT department should follow their own policies and security practices.
Your IT department should set up proper certificates for your domain, install those on the internal systems,
and maintain them appropriately.

The LogRhythm Web Console supports .pem and .crt files only. If you convert to a .crt file using
OpenSSL, be sure to use the -nokeys flag.

1. Ensure the private key is unencrypted. The private key should not require a password.
2. Concatenate the certificate with the issuing and root Certificate Authority (CA) into a single file, if necessary.
3. Open the LogRhythm Configuration Manager.
4. To add the public key to the SSL Public Key parameter, click Choose File and select the public key in the file
browser.
5. To add the private key to the SSL Private Key parameter, click Choose File and select the private key in the file
browser.
6. Save your changes, and restart services, if necessary.
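Both the Certificate Authority Trust chain (Configure Smart Card/CAC Authentication, step 1) and the certificate and key loaded here are concatenated PEM files with two easy-to-miss defects: a line break inserted by hand inside a base64 body, and key material or a password-protected key ending up in a file that should hold only certificates or an unencrypted key. The following is an added example, not LogRhythm code, that checks a bundle for these conditions before it is loaded through the Configuration Manager. The certificates and keys it constructs are placeholders (base64 of a text payload), not real X.509 or key material; the strict 64-character line check mirrors what OpenSSL writes and is an assumption about what downstream consumers accept.

```python
"""Sanity checks for PEM bundles destined for the LogRhythm Configuration Manager
(added example, not LogRhythm code; samples below are constructed placeholders)."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A PEM block: BEGIN line, optional "Key: value" headers, base64 body, END line.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.DOTALL
)
_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


@dataclass
class PemBlock:
    label: str
    der: bytes
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def is_private_key(self) -> bool:
        return self.label in _KEY_LABELS

    @property
    def is_encrypted(self) -> bool:
        # PKCS#8 encrypted keys carry their own label; legacy OpenSSL keys
        # signal encryption with "Proc-Type: 4,ENCRYPTED" / "DEK-Info:" headers.
        return self.label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in self.headers.get("Proc-Type", "")


def parse_pem(text: str) -> List[PemBlock]:
    """Parse every PEM block; reject bodies that were re-wrapped by hand or are not base64."""
    blocks: List[PemBlock] = []
    for m in _PEM_BLOCK.finditer(text):
        begin, raw_body, end = m.group(1), m.group(2), m.group(3)
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        headers: Dict[str, str] = {}
        body: List[str] = []
        for line in raw_body.splitlines():
            if not body and ":" in line:  # header line (base64 never contains ':')
                k, v = line.split(":", 1)
                headers[k.strip()] = v.strip()
            elif line.strip():
                body.append(line.strip())
        if not body:
            raise ValueError(f"{begin}: empty body")
        # OpenSSL writes 64-character lines; a manually inserted line break leaves a
        # short line in the middle of the body even though the base64 still decodes.
        for line in body[:-1]:
            if len(line) != 64:
                raise ValueError(f"{begin}: body line of length {len(line)}, expected 64")
        try:
            der = base64.b64decode("".join(body), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{begin}: body is not valid base64 ({exc})") from exc
        blocks.append(PemBlock(begin, der, headers))
    if not blocks:
        raise ValueError("no PEM blocks found")
    return blocks


def check_ca_trust_bundle(text: str) -> int:
    """Count certificates in a Certificate Authority Trust bundle; reject anything else
    (e.g. a private key concatenated in by mistake, which -nokeys is meant to avoid)."""
    blocks = parse_pem(text)
    bad = [b.label for b in blocks if b.label != "CERTIFICATE"]
    if bad:
        raise ValueError(f"non-certificate material in CA trust bundle: {bad}")
    return len(blocks)


def check_private_key(text: str) -> str:
    """Label of the single private key in text; reject a password-protected key."""
    keys = [b for b in parse_pem(text) if b.is_private_key]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    if keys[0].is_encrypted:
        raise ValueError("private key is encrypted; the Web Console needs an unencrypted key")
    return keys[0].label


def concatenate_pem(parts: List[str]) -> str:
    """Join PEM texts as `cat` would, one newline between blocks, no re-wrapping."""
    return "".join(p.strip() + "\n" for p in parts)


# ---- constructed samples: NOT real certificates or keys ----------------------
def _fake_pem(label: str, payload: bytes, headers: Optional[Dict[str, str]] = None) -> str:
    b64 = base64.b64encode(payload).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    hdr = "".join(f"{k}: {v}\n" for k, v in (headers or {}).items())
    return f"-----BEGIN {label}-----\n{hdr}{chr(10) if hdr else ''}{body}\n-----END {label}-----\n"


def _payload(name: str) -> bytes:
    return (f"constructed placeholder for {name}; not DER " * 4).encode()


ROOT_CA = _fake_pem("CERTIFICATE", _payload("root CA"))
INTERMEDIATE_CA = _fake_pem("CERTIFICATE", _payload("intermediate CA"))
ISSUING_CA = _fake_pem("CERTIFICATE", _payload("issuing CA"))
UNENCRYPTED_KEY = _fake_pem("PRIVATE KEY", _payload("pkcs8 key"))
LEGACY_ENCRYPTED_KEY = _fake_pem("RSA PRIVATE KEY", _payload("legacy key"),
                                 {"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-256-CBC,00000000000000000000000000000000"})
CA_TRUST_BUNDLE = concatenate_pem([ROOT_CA, INTERMEDIATE_CA, ISSUING_CA])

if __name__ == "__main__":
    print("certificates in CA trust bundle:", check_ca_trust_bundle(CA_TRUST_BUNDLE))
    print("private key label:", check_private_key(UNENCRYPTED_KEY))
```

Because the page states that certificate order in the bundle does not matter, `check_ca_trust_bundle` only counts and classifies blocks; a bundle assembled from real .pem or .crt files is checked the same way by reading them and passing the text to `concatenate_pem` and then to the check.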

Trust the Self-Signed Certificate from a Client PC


Untrusted self-signed certificates can cause the Web Console to perform poorly. Self-signed certificates that
are not trusted prevent browsers from caching https requests, which causes Web Console pages to load
slowly.
To prevent this problem by configuring trusted certificates:
1. Delete the following folders:
• C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls
• C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls_temp
2. Run the installer for the latest version of the Web Console on a Windows machine. If you have already installed
the Web Console, run the following script as an administrator: C:\Program Files\LogRhythm\LogRhythm Web
Services\LogRhythm Web Console UI\generate_keys.bat
3. Do one of the following:
• Method 1. Certificate trusted for all users of a system
i. From the Web Console server, run the Microsoft Management Console (mmc.exe).
ii. On the File menu, click Add/Remove Snap-in.
iii. Add the Certificates Snap-in.
iv. Select Computer account > Local computer.
v. Run the Microsoft Management Console with the Certificate Snap-in on the client system.
vi. Import the LogRhythm Self-Signed Certificate file from C:\Program Files\LogRhythm\LogRhythm
Web Services\LogRhythm Web Console UI\tls_temp (or your own Self-Signed Certificate) file into
the Trusted Root Certification Authorities store. The certificate will be trusted for all users of this
system.
• Method 2. Certificate trusted for current user only
• In Internet Explorer 11
1. Run Internet Explorer as an administrator.
2. Go to your Web Console deployment.
3. Click Continue to this website (not recommended).
4. Click Certificate error in the address bar.
5. In dialog box, click View certificates.
6. On the General tab, click Install Certificate, and then click Next when the wizard opens.
7. Select Place all certificates in the following store.
8. Click Browse and select the Trusted Root Certification Authorities.
9. Click OK and Next.
10. Click Finish.
• In Firefox
1. Go to the Web Console.
2. A security certificate error page appears.
3. Click the arrow next to I Understand the Risks to expand the section.
4. Click the Add Exception button.
5. At the bottom of the dialog box, select Permanently store this exception.
6. Click Confirm Security Exception.
• In Chrome
1. Browse to the Web Console.
A security certificate error page appears.
2. Click Advanced, and then click Proceed to [Web Console].
3. In the address bar, click the broken padlock icon.
4. Next to the Your connection to this site is not private warning, click Details.
5. Click the View certificate button.
6. Click the Details tab.
7. Click Copy to File.
8. Follow the steps in the wizard to save the certificate as a PKCS #7 (.P7B) certificate in a
place you can easily locate it.
9. After you finish exporting the certificate, go to Settings in your browser.
10. At the bottom of the screen, click Show advanced settings.
11. In the HTTPS/SSL section, click Manage certificates.
12. Click the Trusted Root Certification Authorities tab.
13. Click Import.
14. Follow the steps in the wizard to import the certificate you saved in step 8. You must save
the certificate to the Trusted Root Certification Authorities store.
15. Select the newly imported certificate in the Trusted Root Certification Authorities tab, and
then click Advanced.
16. At the bottom of the dialog box, select Include all certificates in the certification path, and
then click OK.
17. Restart Chrome.
