Review the Requirements for a New LogRhythm Deployment
LogRhythm Licensing
The LogRhythm Solution requires a LogRhythm license file which contains a LogRhythm Master License and Component Licenses. The Master License is tied to an individual customer for a single deployment of LogRhythm (1 Platform Manager and 1 or more Data Processors). Component Licenses fall within the Master License and are used to license specific LogRhythm components within the same LogRhythm deployment.
A LogRhythm license file can contain the following component and subscription licenses:
- Platform Manager License (always included)
- Data Processor License(s)
- Software License
- Appliance License
- Log Message Source License(s)
- Quantity License
- Unlimited License
- System Monitor Lite License
- System Monitor Pro License
- System Monitor Collector license
- Advanced Intelligence Engine License (separate volume license)
- GeoIP Resolution Subscription License
To learn more about LogRhythm Licensing, see the Licensing topic in the Enterprise SIEM Help. The LogRhythm End User Licensing Agreement (EULA) contains specific details regarding licensing and is the legal agreement for the solution you purchased.
SQL Server Licensing
Your LogRhythm Software includes a SQL Server license. However, you must also acquire a Client Access Licenses (CAL) for every LogRhythm user, as outlined in the SQL Server End User License Agreement (EULA). An initial number of CALs are included at the time of purchase. To understand how many CALs you have purchased or to purchase additional CALs, contact LogRhythm Support or your sales representative. The SQL Server EULA contains specific details regarding licensing and the legal agreement between you and Microsoft. It serves as your proof of purchase.
LogRhythm Component Compatibility
All LogRhythm components in a deployment, except for System Monitor, must be versioned with the same major and minor number. System Monitor versions 6.x and 7.x are supported.
Database and SQL Server Versions
This LogRhythm version requires Microsoft SQL Server 2016 Standard SP1 (version 13.0.4001.0) or Microsoft SQL Server 2019 (version 15.0.2000.5). Higher cumulative updates and service packs within these versions are also supported. In this LogRhythm 7.x release, the schema version of all LogRhythm SQL databases is the same: 7.x.x.yyyy.
LogRhythm 7.9.0 introduced support for SQL Server 2019 on standard deployments. If you are running Microsoft SQL Server 2016 Standard on your appliance, there is no need to upgrade to Microsoft SQL Server 2019. If you want to upgrade to SQL Server 2019, see Upgrade SQL Server 2016 to SQL Server 2019.
System Monitor Component Support
Earlier versions of System Monitor are compatible with this version of LogRhythm. The table below lists the System Monitor versions that are compatible with LogRhythm 7.x.
System Monitor Versions Compatible with LogRhythm 7.x | ||
|---|---|---|
System Monitor | v6.x | v7.x |
System Monitor (Windows) | Yes | Yes |
System Monitor (*NIX) | Yes | Yes |
Component Operating System Support
This section describes operating systems and LogRhythm component compatibility for LogRhythm 7.12. The following table defines the LogRhythm support levels used in subsequent tables.
LogRhythm 7.9.0 introduced support for Windows Server 2019 on standard deployments. If you are running Windows Server 2016 on your appliance, there is no need to upgrade to Windows Server 2019. For a guide on upgrading to Windows Server 2019, see Upgrade Windows Server 2016 to Windows Server 2019.
Upgrades to existing High Availability (HA) and Disaster Recovery (DR) environments are not supported. LogRhythm 7.12.0 supports Windows Server 2019 on new installations of HA and DR deployments only.
Certified Support (CS)
|
Limited Support (LS)
|
Unsupported (US)
|
|---|---|---|
| Fully tested per LogRhythm quality assurance processes. | Limited testing, but likely to work based on engineering assessment and/or field verification. | Not tested. |
| LogRhythm patches bugs. | LogRhythm may patch bugs. | LogRhythm does not patch bugs. |
| Full LogRhythm Technical Support. | Limited LogRhythm Technical Support. | No LogRhythm Technical Support. |
The following table shows the support levels for LogRhythm components on various 64-bit operating systems.
Any operating system not included in the following table is not supported.
| LogRhythm 7.12 Operating System Support Levels | ||||||||
|---|---|---|---|---|---|---|---|---|
| 64-bit Operating System | Data Indexer | Data Processor | Platform Manager | AI Engine | LogRhythm API | Web Console | Client Console | Open Collector |
| Windows 7 |
US
|
US
|
US
|
US
|
US
|
US
|
LS
|
US
|
| Windows 8/8.1 |
US
|
US
|
US
|
US
|
US
|
US
|
LS
|
US
|
| Windows 10 |
US
|
US
|
US
|
US
|
US
|
US
|
LS
|
US
|
| Windows 11 |
US
|
US
|
US
|
US
|
US
|
US
|
LS
|
US
|
| Windows Server 2008 |
US
|
US
|
US
|
US
|
US
|
US
|
LS
|
US
|
| Windows Server 2008 R2 |
US
|
US
|
US
|
US
|
US
|
US
|
LS
|
US
|
| Windows Server 2012 |
US
|
US
|
US
|
US
|
US
|
US
|
LS
|
US
|
| Windows Server 2012 R2 |
LS
|
LS
|
LS
|
LS
|
LS
|
LS
|
LS
|
US
|
| Windows Server 2016 |
CS1
|
CS
|
CS
|
CS
|
CS
|
CS
|
CS
|
US
|
| Windows Server 2016 Core |
US
|
US
|
US
|
US
|
US
|
US
|
US
|
US
|
| Windows Server 20192 |
CS1
|
CS
|
CS
|
CS
|
CS
|
CS
|
CS
|
US
|
| Windows Server 2019 Core |
US
|
US
|
US
|
US
|
US
|
US
|
US
|
US
|
| Windows Server 2022 |
US
|
US
|
US
|
US
|
US
|
US
|
LS
|
US
|
| CentOS 7.x Minimal |
CS
|
US
|
US
|
US
|
US
|
US
|
US
|
US
|
| CentOS 7.6 or greater |
CS
|
US
|
US
|
US
|
US
|
US
|
US
|
CS
|
| CoreOS |
US
|
US
|
US
|
US
|
US
|
US
|
US
|
CS
|
| RHEL 7 |
CS
|
US
|
US
|
US
|
US
|
US
|
US
|
US
|
1 The Data Indexer is only supported on Windows operating systems for XMs and Gen3 appliances.
2 Upgrading from Windows Server 2016 to 2019 on existing High Availability (HA) and Disaster Recovery (DR) environments is not supported.
Platform Requirements
Server Roles
Different LogRhythm server roles perform key tasks for log collection, analysis, and reporting in the LogRhythm SIEM. When you install LogRhythm on your own systems, you need the following server roles:
- Platform Manager. The Platform Manager provides the central event management and administration of the LogRhythm SIEM, including:
- Configuration information for all agents, log sources, and log source types.
- Knowledge Base, which includes all processing rules, built-in reports (for compliance), built-in alarms, and other processing-related information.
- The Alarming and Response Manager, which is a Windows service responsible for processing alarm rules and taking appropriate response such as sending e-mails to those on a notification list or sending SNMP traps to an SNMP server.
- The Job Manager, which is responsible for scheduled report job generation, Agent and Data Processor heartbeat monitoring, Active Directory synchronization, and health monitoring.
- Data Processor. The Data Processor provides high-performance, distributed, and highly available processing of machine and forensic data. Data Processors receive machine and forensic data from Collectors and Forensic Sensors. The Data Processor archives data and distributes both the original copy and the structured copy to other LogRhythm components for indexing, machine based analytics, and alarming.
- Data Indexer. The Data Indexer provides high-performance, distributed, and highly scalable indexing and searching of machine and forensic data. Data Indexers store both the original and structured copies of data to enable search-based analytics. The Data Indexer can be installed in an XM configuration on Windows, Red Hat Enterprise Linux 7, or CentOS 7.x Minimal using our distributed CentOS 7.x ISO image.
- AI Engine. The AI Engine is an optional component that detects conditions occurring over multiple data sources and time ranges. It provides real-time visibility into risks, threats, and critical operations issues. AI Engine includes more than 100 preconfigured rule sets that you can use in the wizard-based, drag-and-drop interface. You can install the AI Engine on the same system as the Platform Manager or you can install it on a dedicated system.
System Monitor. The System Monitor collects all log, flow, and machine data, then transfers that data to the Data Processor. Because a System Monitor is required on each LogRhythm appliance, the LogRhythm installer automatically deploys it with other applicable roles. You can also deploy the System Monitor using a separate installer file (for example, silent installations in large environments).
The LogRhythm dedicated appliance for remote log collection is called a Data Collector appliance.
Volume/Disk Configurations
LogRhythm requires specific volume/disk configurations, which can consist of physical disks or virtual disks with logical volumes.
- Physical Disks. One or more physical disks must exist on the dedicated hardware or virtual machine within a specific volume. The amount can range from a minimum of 2 up to 98 disks per system.
- Virtual Disks (usable space). Virtual disks are a collection of physical disks that deliver redundancy and performance improvements through hardware RAID technology. The amount can range from 2 to 10 virtual disks per system.
- Logical Volumes. A logical volume is a partition of a virtual disk addressed with a unique drive letter in Windows (for example, drive C or drive D). The logical volumes contain specific files and data related to the installation (see the following table for more information about the contents of each drive). Any LogRhythm server that contains a Platform Manager includes four logical volumes. The Windows Indexer should include at least two logical volumes, and the logical volume that contains log data should be on a dedicated virtual disk using dedicated physical disks.
| Component | Logical Volume | Volume Label | Label Contents |
|---|---|---|---|
| Platform Manager | C Drive (C:\) | n/a | Operating System, SQL Server program files, and LogRhythm program files |
| D Drive (D:\) | Data | LogRhythm SQL Server data files (Requires NTFS allocation unit size of 64k Bytes) | |
| L Drive (L:\) | Log Files | LogRhythm SQL Server transaction log files (Requires NTFS allocation unit size of 64k Bytes) | |
| T Drive (T:\) | Temp DB | SQL Server Temp DB data file and SQL Server Temp DB transaction log file (Requires NTFS allocation unit size of 64k Bytes) | |
| S Drive (S:\) | n/a | LogRhythm Application State for High IOPS | |
| Data Processor, AI Engine, System Monitor | C Drive (C:\) | n/a | Operating System and LogRhythm program files |
| S Drive (S:\) | n/a | LogRhythm Application State for High IOPS | |
| Web Console | C Drive (C:\) | n/a | Operating System and LogRhythm program files |
| D Drive (D:\) | n/a | Web Console Indicies | |
| Data Indexer | vgroup1 | n/a | Operating System and LogRhythm program files |
| vg_data | /usr/local/logrhythm | Elasticsearch Data, mapped to /usr/local/logrhythm |
Performance Requirements
The performance specifications are based on the following assumptions:
- 100% of logs are from Syslog
- Average raw log message size = 400 Bytes
- Average online log row size (includes index) = 900 Bytes
- Average online event row size (includes index) = 1,035 Bytes
- Average archive entry size = 400 Bytes
- Average archive compression rate = 20:1
- 100% of logs are archived
- 2% of logs processed by the deployment that are considered an Event (data of interest)
- 10% of Events that are considered a Monitored Event based on Risk Based Priority (RBP)
Additional notes regarding performance specifications:
- Virtual Machines. Deploying on virtual machines incurs overhead. As a result, your actual performance will vary. A performance degradation of 10-15% is expected when compared to running on a dedicated physical machine.
- Dedicated drives. LogRhythm is an I/O-intensive solution that requires dedicated physical drives to achieve the published rates specified. LogRhythm makes no distinction between Direct Attached Storage (DAS) or Storage Area Network (SAN), but the disk volumes must be dedicated.
Power Supply/Mode
LogRhythm recommends that all LogRhythm systems be connected to an uninterruptible power supply. A power cut may cause an Elasticsearch failure that leads to a loss of indices.
All systems hosting LogRhythm Services (Virtual or Physical) must have their power mode configured for "High-Performance", this disables power saving features in order to ensure optimal CPU ready states. Negative performance impacts will be observed in a power-save mode profile.
For example, for HP ProLiant servers:
1. Set the Power Regulator Mode to Static High Mode.
2. Disable Processor C-State Support.
3. Disable Processor C1E Support.
4. Disable QPI Power Management.
5. Enable Intel Turbo Boost.
For Dell PowerEdge servers:
1. Set the Power Management Mode to Maximum Performance.
2. Set the CPU Power and Performance Management Mode to Maximum Performance.
3. Processor Settings: set Turbo Mode to enabled.
4. Processor Settings: set C States to disabled.
Web Console Requirements
You can install the Web Console software on a server, virtual server, or LogRhythm appliance that meets the requirements listed in the following table.
LogRhythm currently supports up to three Web Console instances with 60 concurrent users.
To avoid conflicts, it is recommended that Web Console users are either created manually or through Active Directory (AD), but not both.
| System Requirements | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| LogRhythm Appliance | Install the Web Console on any of the following LogRhythm appliance models:
| ||||||||
| Your own server | Install the Web Console on a server or virtual environment that meets the following specifications:
| ||||||||
| Web Console UI | You can access the Web Console UI from any computer running Google Chrome, Mozilla Firefox, Microsoft Edge, or Internet Explorer 11. | ||||||||
The Web Console requires certain ports for its use, as listed in the following table.
| Port Requirements | |
|---|---|
| SSL Default Port (8443/443) | The Web Console is configured to use Port 8443 for SSL by default. This avoids potential conflicts with the LogRhythm Mediator that uses Port 443 on XM systems. If you are not installing the Web Console on the same system as the LogRhythm Mediator, you can change the port to 443 or to another port number during the installation. |
| Port 8501 | During installation, the 8501 port is opened for the LogRhythm API Gateway. This port provides routing, load balancing, SSL termination, and authentication termination to deployed Web Services. |
| Port 43 | To execute a whois query using contextualization, port 43 must be opened. For more information on using contextualization, see the Use Contextualize topic in the Web Console User Guide. |
Virtualization Platform Considerations
The LogRhythm software can be deployed on physical, virtual or cloud environments. The LogRhythm Appliance Platforms are validated and tested using known resource quantities at specific log processing and indexing rates. When deploying LogRhythm on virtualized or cloud environments, it is important to adhere to performance best practices for the selected hypervisor for highly resource intensive workloads.
- Data Collectors. Receive, collect and forward log data. Operating under a light footprint make these systems good candidates for virtualization.
- Data Processors. Handle processing, data enrichment, and data distribution to the other LogRhythm components. These systems rely heavily on CPU and Memory resources while also needing access to large disks for Long Term Archives.
Data Indexers. Indexing and search of log data through Elasticsearch. These systems can be run in a clustered configuration with resource utilization focused on CPU and disk I/O.
New installations of the Data Indexer on Windows are only supported in an XM configuration.- Platform Manager. Centralized configuration management, knowledge base data, alarming and reporting, runs on a SQL backend. Standalone Platform Managers focus on memory and disk I/O utilization. In smaller environments, however, AIE and Web Console may be run on these systems, increasing the resource requirements
- AIE. Advanced real-time correlation engine requires CPU and memory resources for long term trend analysis.
- Web Console. User-friendly Web interface to the threat lifecycle, requires mostly CPU and memory resources.
Planning system resources for each of these components will depend on the data volume and use-cases for each component. LogRhythm Appliance Platforms provide known performance and resource allocations, allowing customers to scale using known quantities. In many cases, a customer will elect to split up LogRhythm roles onto their own individual systems rather than running a single, very large instance (XM).
Please refer to VMware Best Practices for Performance Tuning of Latency-Sensitive Workloads for best practices that should be followed if LogRhythm is hosted on a vSphere hypervisor
Please refer to Microsoft Performance Tuning for Hyper-V Servers if you are using Microsoft Hyper-V
Virtualization or Hyperconverged Platform Considerations
LogRhythm performs testing and validation of all components using physical hardware. However, the entire LogRhythm ecosystem can be run virtually or in the cloud when provided with adequate resourcing.
- CPU. When planning CPU resources in a shared environment, you must consider context switching and wait-times associated with CPU core availability through the hypervisor. For this reason, LogRhythm recommends using vCPU reservations through the hypervisor to ensure appliance specification rates can be met.
- Considerations should be made when hyperthreading is being used — LogRhythm vCPU counts assume hyperthreaded cores.
- CPU Ready time is a metric that records the amount of time a virtual machine is ready to use CPU but was unable to schedule time because all CPU resources are busy. It is important to observe percentage of CPU ready time on each hypervisor when under peak load. A value more than 10% of CPU ready time is an indication of vCPU oversubscription on the hypervisor which will negatively impact LogRhythm performance.
- Memory. Memory management within virtualized environments should always provide enough memory for all guests on the hypervisor with overhead available for the hypervisor itself. Overcommitting memory will result in poor performance and stability issues within the LogRhythm ecosystem. For LogRhythm Appliances requiring large memory footprints, non-uniform memory access (NUMA) boundaries should be considered. Guests should not be allocated CPU or memory resources beyond that which can be provided within a single NUMA boundary.
- Disk Volumes. Data Indexers and Platform Managers rely heavily on disk size, IOPS, random seek, and overall capacity.
- The Data Indexer will use all disk resources available to the system, and it requires a high baseline of resources based on the Appliance Platform. For this reason, LogRhythm requires dedicated disk resources be committed to the system.
- Shared storage removes any benefit associated with Data Indexer clustering since all systems in the cluster participate in searching and indexing of data — the use of shared disks is not supported.
- Many flash-optimized storage solutions provide IOPS rates based on optimized data, which is usually a small subset of the data on the SAN/blended storage. For this reason, it is recommended to use IOPS calculations for the disks where LogRhythm data stores exist, not the small flash-optimized data. This is particularly true of Data Indexers because data used for searching will most certainly exceed the flash optimized storage tier.
- All Flash storage is recommended for any virtualization environment
- Each LogRhythm logical volume should be provisioned on its own logical unit number (LUN) and not shared with other virtual infrastructure or other LogRhythm components.
- Storage connectivity should realize an average latency of 10ms or less. Higher latencies can cause unpredictable behavior, particularly with the Platform Manager and Data Indexer.
- Networking. Communication between LogRhythm Core Components, particularly Data Indexer clusters, requires low latency and line-speed 1Gb/s links, at a minimum.
Virtualization Deployment Best Practices
The following best practices will allow LogRhythm to make the most of the resources available in a virtualized environment. Note, however, that the performance and stability of the system relies 100% on the quality of the underlying hardware.
Virtual Host (Hypervisor) Requirements
- Intel or AMD server class x86-64-bit chip architecture with hyperthreading.
- Dedicated disk volumes following IOPS/RAID specifications of the appliance platform.
- IOPS numbers should be compared using disks that store LogRhythm data and using nonoptimized random seek per second, not sequential — automated storage tiering solutions are strongly discouraged.
Virtual Machine System Requirements
Full reservations for vCPU and vMemory with no CPU or memory over-commitment on the physical hosts.
- Where applicable, install hypervisor integration services/tools on platform guest VMs (PM, DP, AIE, DX, DC, etc.).
- Where applicable, enhanced network controllers should be used.
- Provision virtual disks as Eager Zero Thick where applicable.
- Avoid NFS disks due to higher latency, network variations, and file locking issues.
Virtualization Redundancy and High Availability
There are a number of solutions native to hypervisors that are designed to provide high availability and dynamic resource migrations. While these solutions are not formally tested with the LogRhythm ecosystem, users should be aware of the additional overhead associated with these servers and the impact that they could have on LogRhythm
Virtualization Snapshots and Backups
LogRhythm provides native backup mechanisms for SQL databases on the PM and archives. When combined, these two can be used to restore a LogRhythm deployment back to 100% functionality and historical data. For this reason, and due to the disk I/O penalties associated with snapshots, customers are strongly discouraged from taking snapshots of their LogRhythm systems in a virtual environment. If needed, OS-level backups can be done using 3rd party software, but is not required for LogRhythm system restoration.
Networking and Communication
There are a large number of ports that need to be open for the different LogRhythm components to communicate. For more information, see the Networking and Communication topic in the Enterprise SIEM Help.