LR7/LRCloud to Axon Migration Guide
The following guide is intended for current or former LR7 SIEM or LR Cloud customers who are migrating to Axon. This guide informs you how to set up log forwarding in LR7/LR Cloud, how to adjust your firewall, how to create Axon API keys, and how to set up log collection in Axon.
Send Logs to Axon from LogRhythm SIEM
While Axon has its own Agent, in order to ease customer transitions, you can easily forward logs to Axon while still maintaining your current LogRhythm SIEM deployment until the migration is complete and a “cutover” has been planned. This speeds up the ability to get logs into Axon by sending logs to both the LogRhythm SIEM and Axon.
Firewall Rule Considerations
Depending on the region in which your tenant resides, ensure communication is allowed from the LogRhythm SIEM Agent host to the base URL of Axon API over port 443:
Region | Base URL of Axon APIs |
---|---|
North America | api.na01.prod.boreas.cloud |
Europe | api.eu01.prod.boreas.cloud |
Asia Pacific | api.ap01.prod.boreas.cloud |
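Before enabling forwarding, confirm from the LR SIEM Agent host itself that TCP 443 to the regional Axon API host is open. The following PowerShell is an added example, not part of the LogRhythm guide; the region-to-host mapping is copied from the table above, and the function name Test-AxonApiReachability is this example's own.

```powershell
# Added example (not from the LogRhythm guide): check that the LR SIEM Agent host
# can reach the Axon API base URL for its region on TCP 443.
# The host names below are taken from the Firewall Rule Considerations table.
$AxonApiHosts = @{
    'NorthAmerica' = 'api.na01.prod.boreas.cloud'
    'Europe'       = 'api.eu01.prod.boreas.cloud'
    'AsiaPacific'  = 'api.ap01.prod.boreas.cloud'
}

function Test-AxonApiReachability {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NorthAmerica', 'Europe', 'AsiaPacific')]
        [string]$Region
    )
    $apiHost = $AxonApiHosts[$Region]

    # Test-NetConnection (Windows 8.1 / Server 2012 R2 and later) resolves the name
    # and attempts a TCP handshake on the given port. -WarningAction hides the noisy
    # "name resolution failed" warning; the result object still records the failure.
    $result = Test-NetConnection -ComputerName $apiHost -Port 443 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Region      = $Region
        ApiHost     = $apiHost
        DnsResolved = [bool]$result.RemoteAddress
        Port443Open = [bool]$result.TcpTestSucceeded
    }
}

# Run this on each Agent host that will forward to Axon. Port443Open = False with
# DnsResolved = True points at a missing egress firewall rule; DnsResolved = False
# points at DNS, which also needs fixing before the Agent can forward.
Test-AxonApiReachability -Region NorthAmerica | Format-Table -AutoSize
```

Test-NetConnection opens a direct TCP connection and does not use an HTTP proxy, so if the Agent host reaches the internet only through a proxy this check reports the firewall path, not the proxy path.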
Create an API Key in Axon
Before setting up the log forwarding to Axon from LR SIEM, create an API key in Axon under the data-submission-sysmon default user:
From the Axon Dashboard, click the Administration cog in the bottom-left corner.
Under the Access Control header, click Users.
In the User column, type “data-submission-sysmon” to display that user account in the column.
Click the data-submission-sysmon user account.
Click the API Keys tab, and then click on the Add New API Key button.
The Add New API Key pop-up appears. Enter a unique name for the API key and click Generate Key.
Copy and paste the key into a text document for later.
This key will be used to forward the logs to Axon from LR SIEM.
This is the only time the key will display, so be sure to save the text document containing the key.
You can create a single key for all the LR SIEM Agents or an individual key for each Agent. Having a single key simplifies the key management process. However, a benefit to using separate keys is that if you need to retire a single Agent, you can simply disable or delete the API key to stop log collection from the respective LR SIEM Agent.
Set Up Log Forwarding in LogRhythm SIEM
7.14.0 GA or Higher
To set up log forwarding for LR SIEM deployments on version 7.14.0 or higher:
From the LR Console, click Deployment Manager.
Click System Monitors.
Right-click the agent for which you would like to forward logs, and then select System Monitor Agent Properties.
Click the Axon Settings tab.
Check the Enable log forwarding to Axon box.
Fill in the following details:
Field | Description |
---|---|
Base URL of Axon APIs | Enter the base URL for your Axon tenant, obtained from the table in the Firewall Rule Considerations section above. |
API Key | Enter the API key obtained above. The key will be saved in an encrypted format. |
Tenant ID | Enter your Axon tenant ID. |
Batch Size | Enter a value between 1000 and 10000 to determine the batch size. |
Click Apply and then OK to save the Settings.
An Agent service restart may be required if you don’t see the LR SIEM Agent in the Axon WebUI.
7.13.0 GA or Lower
To set up log forwarding for LR SIEM deployments on version 7.13.0 or lower:
Ensure the LR SIEM Agent for which you wish to send logs to Axon has been upgraded to version 7.8.0.8012, which was released 30 March 2022.
Open Notepad or a text editor of your choice and save a new file called SIP.ini in the LR SIEM Agent configuration folder.
The default path for the LR SIEM Agent configuration folder is:
C:\Program Files\LogRhythm\LogRhythm System Monitor\config
Copy the code below into the SIP.ini file.
[SignalIngestSvc]
RequestURL=https://api.na01.prod.boreas.cloud/signal-ingest-svc/v1/tenants/<TenantID_ChangeMe>/batches
# APIKey should be encrypted using lrcrypt
APIKey=<SignalIngestKey_ChangeMe>
[TopologySvc]
TopologyRequestURL=https://api.na01.prod.boreas.cloud/topology-svc/v1/tenants/<TenantID_ChangeMe>/collectors/
# Topology Key should be encrypted using lrcrypt
TopologyAPIKey=<TopologyKey_ChangeMe>
Replace <TenantID_ChangeMe> in both RequestURL and TopologyRequestURL with your Tenant ID, found in the Axon User Settings menu. The sample URLs use the North America host; for a tenant in another region, use the base URL for that region from the Firewall Rule Considerations table.
Next, to encrypt the API key using the lrcrypt tool, open the Command Prompt as an administrator.
Change directory to the LR SIEM Agent installation folder (default path: C:\Program Files\LogRhythm\LogRhythm System Monitor) and run the following command to encrypt the key:
lrcrypt -e <Generated-API-Key>
Copy the encrypted value that lrcrypt prints.
Paste the encrypted value into the SIP.ini file to replace the ChangeMe values for both APIKey and TopologyAPIKey.
Save the completed SIP.ini file.
An Agent service restart may be required if you don’t see the LR SIEM Agent in the Axon WebUI.
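The SIP.ini steps above are easy to get wrong by hand (a leftover ChangeMe placeholder, a tenant ID pasted into only one of the two URLs, the wrong regional host). The following PowerShell is an added example, not part of the LogRhythm guide or the Agent software: it builds the SIP.ini content from the region, tenant ID and the value already produced by lrcrypt -e, checks it for the common mistakes, and only then writes it to the configuration folder. It does not call lrcrypt itself; the functions New-AxonSipIniContent and Test-AxonSipIniContent are this example's own names, and the ASCII encoding is an assumption made to avoid writing a UTF-8 byte-order mark into the file.

```powershell
# Added example (not from the LogRhythm guide): generate and sanity-check SIP.ini
# for a 7.13.0-or-lower LR SIEM Agent. Host names come from the Firewall Rule
# Considerations table; the config path is the default path given in the guide.
$AxonApiHosts = @{
    'NorthAmerica' = 'api.na01.prod.boreas.cloud'
    'Europe'       = 'api.eu01.prod.boreas.cloud'
    'AsiaPacific'  = 'api.ap01.prod.boreas.cloud'
}
$AgentConfigDir = 'C:\Program Files\LogRhythm\LogRhythm System Monitor\config'

function New-AxonSipIniContent {
    param(
        [Parameter(Mandatory)][ValidateSet('NorthAmerica', 'Europe', 'AsiaPacific')][string]$Region,
        [Parameter(Mandatory)][string]$TenantId,
        # The string printed by `lrcrypt -e <Generated-API-Key>`, never the plaintext key.
        [Parameter(Mandatory)][string]$EncryptedApiKey
    )
    $base = "https://$($AxonApiHosts[$Region])"
    # Same layout as the SIP.ini template in the guide; both keys get the same encrypted value.
    @"
[SignalIngestSvc]
RequestURL=$base/signal-ingest-svc/v1/tenants/$TenantId/batches
# APIKey should be encrypted using lrcrypt
APIKey=$EncryptedApiKey
[TopologySvc]
TopologyRequestURL=$base/topology-svc/v1/tenants/$TenantId/collectors/
# Topology Key should be encrypted using lrcrypt
TopologyAPIKey=$EncryptedApiKey
"@
}

function Test-AxonSipIniContent {
    # Returns a list of problems; an empty list means the content looks complete.
    param([Parameter(Mandatory)][string]$Content)
    $problems = @()
    if ($Content -match 'ChangeMe' -or $Content -match '[<>]') {
        $problems += 'A <..._ChangeMe> placeholder (or angle bracket) was not replaced.'
    }
    foreach ($key in 'RequestURL', 'TopologyRequestURL', 'APIKey', 'TopologyAPIKey') {
        if ($Content -notmatch "(?m)^$key=\S+") { $problems += "$key is missing or empty." }
    }
    # Both URL lines must point at one of the documented regional API hosts over HTTPS.
    foreach ($m in [regex]::Matches($Content, '(?m)^\w*RequestURL=(\S+)')) {
        $url = $m.Groups[1].Value
        if ($url -notmatch '^https://api\.(na|eu|ap)01\.prod\.boreas\.cloud/') {
            $problems += "Unexpected base URL: $url"
        }
    }
    return $problems
}

# Usage: substitute your own tenant ID and the lrcrypt output. With the placeholder
# values left in, the check below reports a problem instead of writing the file.
$ini = New-AxonSipIniContent -Region NorthAmerica -TenantId '<YourTenantId>' -EncryptedApiKey '<lrcrypt-output>'
$problems = Test-AxonSipIniContent -Content $ini
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    $target = Join-Path $AgentConfigDir 'SIP.ini'
    Set-Content -Path $target -Value $ini -Encoding ASCII
    Write-Host "Wrote $target; restart the Agent service if it does not appear in the Axon WebUI."
}
```

Run it in an elevated prompt, since the configuration folder under Program Files is not writable by a standard user. Because the file only ever receives the lrcrypt-encrypted value, the plaintext API key never needs to be saved to disk on the Agent host beyond the text document the guide has you keep.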
Log Collection in Axon
Once an LR SIEM Agent has been configured to forward into Axon, it begins to populate in the Axon WebUI. All the out-of-the-box supported log sources also start auto-populating in the Axon WebUI. A log not matching any of the Identification Rules in Axon shows as Unidentified.
To see the Agents onboarded into Axon:
From the Axon Dashboard, click the Administration cog in the bottom-left corner.
Under the Integrations header, click Collectors.
If successfully onboarded, your LR SIEM Agent(s) will show up in this list with the following information:
Collector Name | Collector Type | Log Sources | Status | Last Active |
---|---|---|---|---|
AgentHostname_GUID | LR7 Windows Event Log Collector Template | 3 (count of the auto-populated log sources) | Unspecified | Agent Last Active Date and Time |
You can edit and change the name of the Agent. However, restarting the Agent re-adds the GUID.
To see the logs onboarded into Axon:
From the Axon Dashboard, click the Administration cog in the lower-left hand corner.
Under the Integrations header, select Log Sources.
If successfully onboarded, your LR SIEM Agent log source(s) will show up in this list with the following information:
Log Source Name | Log Source Type Name | Collector Name | Collector Type | Last Log Message |
---|---|---|---|---|
AgentHostname:LogSourceType:LogSourceIPorHostname:-GUID | Log Source Type as Identified by the Axon Signal Ingest Pipeline | AgentHostname_GUID | LR 7 SMA | Log Source Last Log Date and Time |
All the out-of-the-box supported LR SIEM Agents start auto-populating in the Axon WebUI.