Skip to main content
Skip table of contents

Perform Post-Upgrade Procedures on the Upgraded LogRhythm Deployment

After you have upgraded all your appliances, you can perform a few configuration tasks and restart the LogRhythm solution.

Before performing post-upgrade procedures, it is recommended to restart LR Core systems (such as the PM, DP, and DX) that have been upgraded.

Reconfigure CloudAI

The CloudAI configuration changed with LogRhythm 7.6.0. If you have an existing CloudAI installation and are upgrading your LogRhythm 7.5.1 (or earlier) to LogRhythm 7.6.0 (or newer), you must repeat steps 6-10 of the CloudAI configuration on your Platform Manager (or XM) for CloudAI to function properly.

Configure the Data Indexer

Whether your Data Indexer cluster is one node or 3 to 20 nodes, you only have to access the Configuration Manager on the Platform Manager.

Do not attempt to modify any configuration files manually. If you have any issues, contact LogRhythm Support.

To configure the Data Indexer:

  1. Open the Configuration Manager.
  2. On the left, click Data Indexers.
  3. To enable the Advanced View, on the bottom of the page, click Show.
  4. Modify or verify the following settings:

    Cluster Name
    Cluster Name

    Data Indexer Cluster Name.

    If you change the Cluster Name, the name should be less than 50 characters long to ensure it displays properly in drop-down menus.
    Transporter
    Transporter Max Log Size (bytes)Maximum allowable size of a log, above which Transporter rejects the log
    Transporter Webserver PortPort number bound by the Transporter web server
    Transporter Route Handler Timer (sec)Maximum number of seconds that an indexing HTTP request lives before timing out
    Database Information
    Database User IDSQL user name used by the Data Indexer to connect to the LogRhythm database server
    Database PasswordSQL password used the Data Indexer to connect to the LogRhythm database server
    Elasticsearch Data PathFully qualified path where Elasticsearch stores cluster data; value of path.data
    GoMaintain

    GoMaintain TTL Logs (#indices)

    Maximum number of logs indices to store. Default value is -1 to manage automatically based on available resources

    GoMaintain ForceMerge

    Periodic Elasticsearch defragmentation of indices to reduce heap consumption

    Potentially resource intensive.

  5. Click Save after making changes to the configuration. You can also click Save in the Edit menu in the upper-left corner of the Configuration Manager.

Information About Automatic Maintenance

Automatic maintenance is governed by several settings in GoMaintain Config:

Disk Utilization Limit

  • Disk Util Limit. Indicates the percentage of disk utilization that triggers maintenance. The default is 80, which means that maintenance starts when the Elasticsearch data disk is 80% full.

    The value for Disk Util Limit should not be set higher than 80. This can have an impact on the ability of Elasticsearch to store replica shards for the purpose of failover.

Maintenance is applied to the active repository, as well as archive repositories created by Second Look. When the Disk Usage Limit is reached, active logs are trimmed when “max indices” is reached. At this point, Go Maintain deletes completed restored repositories starting with the oldest date.

The default settings prioritize restored repositories above the active log repository. Restored archived logs are maintained at the sacrifice of active logs. If you want to keep your active logs and delete archives for space, set your min indices equal to your max indices. This forces the maintenance process to delete restored repositories first.

Force Merge Config

Do not modify any of the configuration options under Force Merge Config without the assistance of LogRhythm Support or Professional Services.

The force merge configuration combines index segments to improve search performance. In larger deployments, search performance could degrade over time due to a large number of segments. Force merge can alleviate this issue by optimizing older indices and reducing heap usage.

ParameterDefaultValue
Hour Of Day For Periodic MergeThe hour of the day, in UTC, when the merge operation should begin. If Only Merge Periodically is set to false, Go Maintain merges segments continuously, and this setting is not used.1
Merging EnabledIf set to true, merging is enabled. If set to false, merging is disabled.false
Only Merge PeriodicallyIf set to true, Go Maintain only merges segments once per day, at the hour specified by Hour Of Day For Periodic Merge. If set to false, Go Maintain merges segments on a continuous basis.false

Logging of configuration and results for force merge can be found in C:\Program Files\LogRhythm\DataIndexer\logs\GoMaintain.log.

Index Configs

The DX monitors Elasticsearch memory and DX storage capacity. GoMaintain tracks heap pressure on the nodes. If the pressure constantly crosses the threshold, GoMaintain decreases the number of days of indices by closing the index. Closing the index removes the resource needs of managing that data and relieves the heap pressure on Elasticsearch. GoMaintain continues to close days until the memory is under the warning threshold and continues to delete days based on the disk utilization setting of 80% by default.

The default config is -1. This value monitors the systems resources and automanages the time-to-live (TTL). You can configure a lower TTL by changing this number. If this number is no longer achievable, the DX sends a diagnostic warning and starts closing the indices.

Indices that have been closed by GoMaintain are not actively searchable in 7.13 but are maintained for reference purposes. To see which indices are closed, you can run a curl command such as the following:

curl -s -XGET 'http://localhost:9200/_cat/indices?h=status,index' | awk '$1 == "close" {print $2}'

You can also open a browser to http://localhost:9200/_cat/indices?v to show both open and closed indices.

Indices can be reopened with the following query as long as you have enough heap memory and disk space to support this index. If you do not, it immediately closes again.

curl -XPOST 'localhost:9200/<index>/_open?pretty'

After you open the index in this way, you can investigate the data in either the Web Console or Client Console.

Import the License File

This section describes how to import a license file and run the licensing wizard for each Data Processor in your deployment to ensure that the correct license has been assigned.

You must import a new license file and perform steps 5-7 on each Data Processor in your deployment.

For more information about licensing or the licensing wizard, see Assign LogRhythm Licenses.

  1. Copy your LogRhythm 7.13.x license file to the Platform Manager or to a network location that is accessible from the Platform Manager.
  2. Log on to a system where the 7.13.x LogRhythm Client Console is installed.
  3. Import the 7.13.x license file:
    1. Start the Client Console and click Deployment Manager.
    2. On the File menu, click Import License File.
    3. Browse to and select your 7.13.x license file, and then click Open.
      The License Import Warning is displayed: Importing a license synchronizes your licenses with the licenses in the file. It is important that you only import the latest license file issued you by LogRhythm. Importing an older license or one with a different master license ID may cause undesired results such as existing licensed components becoming unlicensed. Are you sure the selected file is your latest?
    4. Click Yes to continue importing the file.
    5. When the import is complete, click OK to close the Import Successful dialog box.
  4. Click the Data Processors tab.
  5. Double-click one of the Data Processors in the list.
    The Data Processor Properties dialog box appears.
  6. Select a cluster from the Cluster Name list, and then click OK.

    Cluster information is sent out when applying configuration changes on the Data Indexer. For more information, see Configure the Data Indexer.

  7. Review the current License Status and run the licensing wizard if necessary, and then click OK.
  8. Repeat steps 5-7 on each Data Processor in your deployment.

Start the LogRhythm Solution

You need to do the following on each of the appliances in your deployment.

  1. Log on to the appliance as an administrator.
  2. On the Windows Data Indexer, run C:\Program Files\LogRhythm\Data Indexer\tools\start-allservices.bat as an administrator.
  3. Open the Services Control Panel/App.
  4. For any LogRhythm services that are not running, right-click the service name, and then click Start. These services include:
    • LogRhythm core services (AI Engine services, Alarming and Response Manager, Job Manager, Mediator Server Service, System Monitor)
    • All LogRhythm Web Console services
    • Any other “LogRhythm” services
  5. Press F5 to refresh the list and verify that the services are started.
  6. On Linux Data Indexers, run /usr/local/logrhythm/tools/start-all-services-linux.sh using sudo.

Upgrade and Start Other Agents

Agents on other collectors and aggregators can be upgraded at any time, although we recommend upgrading them now.

Windows and Linux System Monitors can be upgraded in bulk using the System Monitor Package Manager in the Client Console. For additional information about this and about general System Monitor installation and upgrades, see the SYSMON documentation.

Windows hosts running System Monitors prior to version 7.2.x may not have .NET Framework 4.7.2 installed. If your Windows host does not have .NET Framework 4.7.2 installed, we do not recommend using the System Monitor Package Manager automatic update option. Since installing .NET Framework 4.7.2 requires a system reboot, the automatic update process will be disrupted and the Package Manager will not complete the installation process.

For additional information on System Monitor Agent installation, see the Set Up an Initial System Monitor Agent topic in the the SYSMON documentation.

Windows

Users who attempt to upgrade the 32-bit System Monitor on a system having MS KB2918614 applied may encounter a software restriction policy error. In this case, the existing System Monitor should be uninstalled before attempting the upgrade.

To upgrade System Monitor Agent, do the following:

  1. Log on with the Administrator account, or an account having administrative privileges, to the system where the System Monitor Agent is installed.
  2. Before removing System Monitor, verify the account used for the System Monitor Service. In Windows Services console, right-click and view Properties, and click the Log On tab. If the service does not use Local System account, you will need the password to that account when installing the Agent, or you need a new account and password.
  3. To open Windows Services, click Start, Administrative Tools, and Services.
  4. Stop the service called LogRhythm System Monitor service.
  5. Run the installer for the 32-bit or 64-bit System Monitor Agent, LRSystemMonitor_#.#.#.#.exe.

    If running Windows 2008, Vista, or Windows 7, you must run the installer as administrator.
  6. If the system does not have the Microsoft Visual C++ 2010 Redistributable Package installed, click Install.
  7. Follow the instructions in the Install Wizard.
  8. If prompted, accept the license agreement.
  9. Choose the default installation path, and then click Next.
  10. To determine if you have sufficient space for installation, click Space and then click OK.
  11. (Optional) Install the Realtime FIM driver.

    Realtime FIM is included with the System Monitor Lite license for desktop operating systems only. A System Monitor Pro or Collector license is required for servers. For more information, see LogRhythm System Monitor Compatibility and Functionality.

  12. On the Install Wizard Completed screen, clear the Launch System Monitor Configuration Manager check box.
  13. If your LogRhythm Windows System Monitor Agent service uses Windows accounts, open Windows Services Control Panel.
  14. Click the Log On tab and add the service account and password in the service properties.
  15. To start the Agent, click Start, Administrative Tools, and Services. Right-click the agent and select Start.
  16. Repeat these steps for other Windows System Monitor Agents in your deployment.

(Optional) *NIX

Only Linux 2.4 & 2.6 can be upgraded directly. Other *NIX agents must be uninstalled and reinstalled.

Read the instructions included with the installer package for your particular operating system.
  1. Copy the files from the installer package to the *NIX system.
  2. Follow the instructions in the scsm_<operating_system>.txt file to uninstall the old version.
  3. Decompress the file with the .tar extension, using tar xf scsm_<operating_system>.tar.
  4. Follow the instructions in the scsm_<operating_system>.txt file to install the new *NIX System Monitor Agent.
  5. Start the *NIX System Monitor Agent according to the instructions in the scsm_<operating_ system>.txt file.
  6. Repeat for all *NIX Agents in your deployment.

Configure or Verify Communication Ports

LogRhythm installers should open the TCP ports required for component communications. Additional configuration may be required, as described in this section. For more information on ports, see the Networking and Communication topic in the Enterprise SIEM Help.

If you need assistance with any of the procedures listed below, contact your system or network administrator.

Configure Access for Remote Consoles

Users should access their LogRhythm deployment using a Client Console that is installed on their local workstation or through Citrix/Terminal Services (that is, not via the Client Console that is installed on the XM or Event Manager/Platform Manager). For this reason, some configuration to allow remote access may be required after upgrading to 7.13.x.

If any intermediary firewalls are enabled between any LogRhythm Client Consoles, including the Windows Firewall on any LogRhythm appliance, you must add the following rule to each firewall if access to the Data Indexer IP address is not already allowed by applied policies:

ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13130
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13132

Verify Ports on the Linux Data Indexer

To verify which ports are listening for incoming traffic on a Linux Indexer node, log on to the Indexer node as logrhythm and run the following command:

CODE
sudo firewall-cmd --permanent --zone=public --list-all


This lists all the public ports opened for DX: 

  • 8501/tcp
  • 8300/udp
  • 8301/udp
  • 8300/tcp
  • 8301/tcp

If you need to open any incoming ports on the Linux Indexer, do the following:

  1. Log on to the Indexer node as logrhythm and run the following commands:

    CODE
    sudo firewall-cmd --zone=public --add-port=port/tcp --permanent
    sudo firewall-cmd –-reload
  2. Repeat the steps above on each Linux Data Indexer.

Verify Ports on the Windows Data Indexer or the Data Processor

To verify allowed ports on a Windows server host:

  1. Log on to the Windows server as an administrator.
  2. Open a command prompt and run the following command:

    CODE
    netsh firewall show state


    Ports that are currently open on all interfaces are displayed below the firewall status.

    The netsh command has been deprecated but should still work on Windows Server 2008 R2, 2012 R2, and 2016. If necessary, start Windows Firewall and search for the ports that are allowed on the current server.

If you need to allow any ports on a Windows server host:

  1. Log on to the Windows server as an administrator.
  2. Open a command prompt and run the following command:

    CODE
    netsh advfirewall firewall add rule name="rule name" dir=in action=allow protocol=TCP localport=port

Add Realtime Antivirus Exclusions for LogRhythm

If you removed third party antivirus or endpoint protection software to conduct an upgrade or installation, reinstall it. When running antivirus scanning software on a LogRhythm platform and/or on System Monitor Agent systems, be sure to exclude the following directories from realtime antivirus scans. Scanning these directories has a major impact on the performance of the LogRhythm platform. However, these locations should be scanned on a regularly scheduled basis.

The following lists include the default directories. However, the location of any State folder (including AI Engine, Job Manager, and SCARM) and archive data is customizable to use any location (for example, D:\). The locations of these folders need to be excluded.

XM Appliance

If you have an XM appliance, apply the exclusions specified for the PM, DPX, and AIE (if installed). 

PM Appliance

  • D:\*.mdf
  • L:\*.ldf
  • T:\*.mdf
  • T:\*.ldf
  • C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
  • C:\tmp\indices\ (if Web Console is installed on the PM)
  • If the Threat Intelligence Service (TIS) is installed:
    • C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\*.*
    • C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\staging\HailATaxii\*.*

DP or DPX Appliance (Windows)

  • All files in the directories and sub-directories of the paths stored in the environment variables %DXPATH%, %DXCONFIGPATH%, and %DXDATAPATH%. By default, this is D:\Program Files\LogRhythm\Data Indexer\. To view the environment variables, go to the Advanced System Settings, and click Environment Variables.
  • D:\LogRhythmArchives\Active\*.lua
  • X:\LogRhythmArchives\Inactive\*.lca (where X: is the location of the inactive archives, D: by default)
  • C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
  • X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.bin (where X: is the location of the state folder)
  • X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.dgz (where X: is the location of the state folder)

  • C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\data
  • C:\Program Files\LogRhythm\Data Indexer\elasticsearch\data
  • C:\Windows\Temp\jtds*.tmp

DX Appliance (Linux)

  • /usr/local/logrhythm/db/elasticsearch/data (default path, includes both state and data files)

AIE Appliance

  • C:\Program Files\LogRhythm\LogRhythm AI Engine\data\*.*
  • C:\Program Files\LogRhythm\LogRhythm AI Engine\state\*.*
  • C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos

If the AIE service is running on the PM appliance, exclude these directories on the PM.

Collector Appliance or Agents Deployed on Servers

  • C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.bin
  • C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
  • C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.suspense

The above path is the default installation locations for the System Monitor Agent. If you install the Agent in a different location (for example, D:\), update the exclusion as required.

Agents Deployed Linux Servers

  • /opt/logrhythm/scsm/state/*.pos
  • /opt/logrhythm/scsm/state/*.suspense

Web Console

  • D:\tmp\indices

High Availability Deployments

Verify Web Console Processes

The installer automatically starts the services and processes needed to run the Web Console. However, you should ensure that these processes are running by doing the following:

  1. Go to Services on your machines.
  2. Verify that the following services have started:
    • LogRhythm API Gateway
    • LogRhythm Authentication API
    • LogRhythm Case API
    • LogRhythm Service Registry
    • LogRhythm Threat Intelligence API
    • LogRhythm Web Console API
    • LogRhythm Web Console UI
    • LogRhythm Web Indexer
    • LogRhythm Web Services Host API
  3. Go to Task Manager on your machine.
  4. Verify that the following services have started:
    • java.exe (one instance)
    • LogRhythm.Web.Services.ServicesHost.exe
    • LogRhythmAPIGateway.exe
    • LogRhythmAuthenticationAPI.exe
    • LogRhythmCaseAPI.exe
    • LogRhythmServiceRegistry.exe
    • LogRhythmThreatIntelligence.exe
    • lr-threat-intelligence-api.exe (32 bit)
    • LogRhythmWebConsoleAPI.exe
    • LogRhythmWebConsoleUI.exe
    • LogRhythmWebIndexer.exe
    • LogRhythmWebServicesHostAPI.exe
    • nginx.exe *32 (a minimum of two instances)
    • node.exe (four instances)
    • procman.exe (eight instances)
    • NSSM Service Manager

    NSSM is not a LogRhythm application, but a third-party service manager that provides a wrapper around Java, Go, and other services to ensure that they run properly on Windows and that they are restarted when they stop.

Update Dashboards

In 7.6, LogRhythm updated the default dashboards in the Web console for new deployments. The Executive, IT Operations, and Security Analyst dashboards, along with the default Analyze pages, have been updated to include new widgets and added colors.

Because some dashboards have been customized in user environments, existing LogRhythm users cannot access this feature automatically. To import these dashboards in an existing deployment, choose one of the following options:

  1. Run any of the deploy scripts to update the existing dashboard with the new one. These scripts include:
    • Web system update default Analyze Dashboard workscript.sql
    • Web system update default Executive Dashboard workscript.sql
    • Web system update default Security Analyst Dashboard Dashboard workscript.sql
    • Web system update default IT Operations Dashboard workscript.sql
  2. Import the dashboards as new:
    • Analyze Dashboard.wdlt
    • Executive Dashboard.wdlt
    • Security Analyst Dashboard.wdlt
    • IT Operations Dashboard.wdlt

For instructions on how to import dashboards, see Import and Export Dashboards.

To download the dashboard files, visit the "Documentation & Downloads" section of the LogRhythm Community.

Remove Generic Web Console UI Entry from the Configuration Manager

Not applicable to every deployment.

Web Console users who upgraded from LogRhythm 7.2 or 7.3 will have a section in the LogRhythm Configuration Manager for Web Console UI, without a hostname designation to identify the Web Console server. This section should be removed from the Configuration Manager.

  1. Log in to any server where the Web Console is installed as a user with administrative privileges.
  2. Open a PowerShell window and run the following command:

    Invoke-RestMethod -Method Delete http://localhost:8500/v1/kv/services/lr-web-console-ui/CONFIG_OPTIONS
  3. Restart the LogRhythm Web Console UI service on all Web Console servers.

Set KB Downloads to Automatic

Not applicable to every deployment.

LogRhythm recommends that you configure automatic download and synchronization of your KB. If you did not already set this option when synchronizing the latest KB, do the following:

  1. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.
    The Knowledge Base Manager appears.
  2. Click Synchronization Settings.
  3. Select the following check boxes:
    1. Enable Automatic Knowledge Base Download.
    2. Enable Automatic Knowledge Base Core Synchronization.
    3. Enable Automatic Knowledge Base Module Synchronization.
  4. If a proxy is required, click the Proxy Settings tab.
    1. Enter the Proxy Server Address and Proxy Server Port.
    2. If the proxy server requires authentication, select that check box and provide a valid User Name, Password, and Domain.
  5. Click OK.
  6. To force an immediate download, click Check for Knowledge Base Updates.

Remove FIM State File

Not applicable to every deployment.

In a previous release, if the name of any FIM policies contained one or more colon ":" characters, *NIX Agents were unable to load state files. This issue has been fixed. To eliminate any further error messages following the upgrade, delete the existing Agent state file (../state/.filemon.log).

Reconfigure Force Merge

Not applicable to every deployment.

Force Merge settings are not preserved during an upgrade. They must be re-enabled in AllConf after performing an upgrade.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.