Prerequisites to Install a DR Solution
Before installing the DR solution, make sure the environment meets all the prerequisites shown in the following table.
LogRhythm SIEM | The LogRhythm SIEM must be deployed on both the Primary and Secondary sites using the same LogRhythm software version. The Enable Password Policy option must be disabled on the LogRhythm SIEM user account or the SA and LRMirror_Login passwords will not synchronize between nodes. If Enable Password Policy is enforced, the passwords must be changed manually on the Secondary Node whenever they are changed on the primary. The Enable Password Policy option can be disabled by modifying the user account login on the People tab in the LogRhythm SIEM.
Service Account Requirements | Configure the SQL Server, SQL Server Agent, and LogRhythm Service Registry services to run under the same account on both the Primary and Secondary sites. This should be a named, privileged account that is not the sa account, and must be a domain account.
Network recommendations | Configure the network so that:
To create a Failover Cluster, an additional IP address is required on each node participating in the cluster. This IP is used for cluster creation, for Failover Clustering node communication, and as the IP address through which LogRhythm services are provided. Failover IP addresses should be unused IP addresses on the same network as the management NICs. In a multi-subnet scenario, two distinct, unused IP addresses are needed in DR Setup, one in each respective subnet. In a single-subnet DR scenario, only one unused IP address is needed for the Failover IP; it will be the same for Primary and Secondary. The Failover IP should be on the network adapter that has access to Active Directory in order to update the accompanying Cluster DNS record. This IP address is a virtualized IP address that the underlying Windows Server Failover Cluster will use for facilitating cluster communications.
Use only static IPs for the replication interface. Do not use DHCP.
In Windows Server 2012 R2 and previous versions, a cluster can only be created between member nodes joined to the same domain. Attempting to deploy LogRhythm Disaster Recovery between servers on separate domains using this guide will result in failure. If this configuration is a requirement on your deployment, contact LogRhythm Customer Support.
Ports/Firewall | Ensure that the following ports are open (not blocked by a firewall) at both sites. The DR setup automatically opens ports secured by Windows Firewall but not by other types of firewalls.
If network firewalls or Group Policy settings prevent this communication, the DR installation will fail. During installation, the DR setup tool configures these ports to only allow system-to-system communication.
For additional information on the ports used by LogRhythm, see the Networking and Communication topic in the SIEM Help.
Domain Name Server (DNS) requirements | In this LogRhythm release, DR installations require the Platform Manager to be bound to an Active Directory domain, and a Microsoft DNS server must be in the same Active Directory domain as the PM. The Platform Managers must have DNS entries for each server participating in the DR installation, and accompanying forward and reverse records should be in place. A new DNS record named LogRhythmDR will be created during Failover Cluster formation. This record can automatically be updated during a failover event with the Failover IP address of the Active node in the cluster. To enable this functionality, the DNS zone hosting the LogRhythmDR record must be configured to allow secure updates from clients. In order for automatic updates to the Cluster DNS record to function, the network interface hosting the Failover Cluster IP must have the “Register this connection’s address in DNS” feature enabled. If needed, manual configuration is still supported:
Disk space requirements on Platform Managers | During the DR setup, you must back up the Primary Platform Manager’s databases and copy them to the Secondary system. The DR installation program will check your database sizes and give you an estimate for the disk space requirements. You can also use a network drive for the backup, provided that the SQL Agent service account has write access to the share.
The database backup may take hours to complete, depending on the data size and the write-speed of the backup media.
Infrastructure Installer | During installation with the Install Wizard, the LogRhythm Deployment Tool needs to be configured as New Multi-Host Deployment, and the generated deployment package executed on the secondary node.
Data Processors, Data Indexers, the LogRhythm Configuration Manager, and AI Engines | These systems point to the Platform Manager using a DNS name rather than an IP address. Remote components should also support DNS for connecting to either a Primary or Secondary site.
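
The service account, DNS record, static IP and DNS registration prerequisites above can be checked before running the DR setup with a read-only PowerShell preflight. This is an added example, not part of the LogRhythm documentation or tooling; the node names, the NIC aliases, the default-instance SQL service names and the display-name match for the Service Registry are assumptions to replace with your own values.

```powershell
# Added preflight sketch, not LogRhythm tooling. It only reads configuration.
$Nodes          = 'pm-primary.example.local', 'pm-secondary.example.local'  # hypothetical
$ReplicationNic = 'Replication'   # hypothetical NIC alias
$FailoverNic    = 'Management'    # hypothetical NIC alias (hosts the Failover IP)
# Assumption: default SQL instance; Service Registry matched by display name.
$Filter = "Name='MSSQLSERVER' OR Name='SQLSERVERAGENT' OR " +
          "DisplayName LIKE 'LogRhythm Service Registry%'"
$findings = @()

# 1. One domain account for all three services on both nodes.
$svc = foreach ($node in $Nodes) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $node -Filter $Filter |
        Select-Object PSComputerName, Name, StartName
}
if (@($svc).Count -ne 3 * $Nodes.Count) { $findings += 'Expected 3 services per node' }
$distinct = @($svc.StartName | Sort-Object -Unique)
if ($distinct.Count -ne 1) { $findings += "Accounts differ: $($distinct -join ', ')" }
foreach ($s in $svc) {
    # Built-in, virtual and local accounts are not domain accounts.
    if ($s.StartName -match '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\|\.\\)') {
        $findings += "$($s.PSComputerName): $($s.Name) runs as $($s.StartName)"
    }
}

# 2. Forward and reverse DNS records for every participating server.
foreach ($node in $Nodes) {
    $ips = (Resolve-DnsName -Name $node -Type A -ErrorAction SilentlyContinue |
            Where-Object IPAddress).IPAddress
    if (-not $ips) { $findings += "${node}: no A record"; continue }
    foreach ($ip in $ips) {
        $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue |
                Where-Object NameHost).NameHost
        if ($ptr -notcontains $node) { $findings += "${node}: no matching PTR for $ip" }
    }
}

# 3. Static replication interface; DNS registration on the failover interface.
foreach ($node in $Nodes) {
    $ipIf = Get-NetIPInterface -CimSession $node -InterfaceAlias $ReplicationNic -AddressFamily IPv4
    $dns  = Get-DnsClient -CimSession $node -InterfaceAlias $FailoverNic
    if ($ipIf.Dhcp -ne 'Disabled') { $findings += "${node}: $ReplicationNic uses DHCP" }
    if (-not $dns.RegisterThisConnectionsAddress) {
        $findings += "${node}: DNS registration is off on $FailoverNic"
    }
}

if ($findings) { $findings } else { 'All checked prerequisites look satisfied.' }
```

The script needs remote CIM access to both nodes and does not cover the firewall ports, the password policy setting or the DNS zone's secure-update setting, which still have to be confirmed separately.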