Before installing the DR solution, make sure the environment meets all the prerequisites shown in the following table.
|LogRhythm SIEM||The LogRhythm SIEM must be deployed on both the Primary and Secondary sites using the same LogRhythm software version.|
The Enable Password Policy option must be disabled on the LogRhythm SIEM user account or the SA and LRMirror_Login passwords will not synchronize between nodes. If Enable Password Policy is enforced, the passwords must be changed manually on the Secondary Node whenever they are changed on the primary. The Enable Password Policy option can be disabled by modifying the user account login on the People tab in the LogRhythm SIEM.
Service Account Requirements
|Configure the SQL Server, SQL Server Agent, and LogRhythm Service Registry services to run under the same account on both the Primary and Secondary sites. This should be a named, privileged account that is not the sa account, and must be a domain account.|
Configure the network so that:
To create a Failover Cluster, an additional IP address is required on each node participating in the cluster. This IP is used for cluster creation, Failover Clustering node communication, and for providing an IP address to use for providing LogRhythm services. Failover IP addresses should be unused IP addresses on the same network as the management NICs. In a multi-subnet scenario, two distinct, unused IP addresses are needed in DR Setup, one in each respective subnet. In a single-subnet DR scenario, only one unused IP address is needed for the Failover IP — it will be the same for Primary and Secondary. The Failover IP should be on the network adapter that has access to Active Directory in order to update the accompanying Cluster DNS record. This IP address is a virtualized IP address that the underlying Windows Server Failover Cluster will use for facilitating cluster communications.
Use only static IPs for the replication interface. Do not use DHCP.
In Windows Server 2012 R2 and previous versions, a cluster can only be created between member nodes joined to the same domain. Attempting to deploy LogRhythm Disaster Recovery between servers on separate domains using this guide will result in failure. If this configuration is a requirement on your deployment, contact LogRhythm Customer Support.
Ensure that the following ports sites are open — not blocked by a firewall — at both sites. The DR setup automatically opens ports secured by Windows Firewall but not by other types of firewalls.
If network firewalls or Group Policy settings prevent this communication, the DR installation will fail. During installation, the DR setup tool configures these ports to only allow system to system communication.
Domain Name Server (DNS) requirements
In this LogRhythm release, DR installations require the Platform Manager to be bound to an Active Directory domain and a Microsoft DNS server must be in the same Active Directory domain as the PM. The Platform Managers must have DNS entries for each server participating in the DR installation, and accompanying forward and reverse records should be in place.
A new DNS record named LogRhythmDR will be created during Failover Cluster formation. This record can automatically be updated during a failover event with the Failover IP address of the Active node in the cluster. To enable this functionality, the DNS zone hosting the LogRhythmDR record must be configured to allow secure updates from clients.
In order for automatic updates to the Cluster DNS record to function, the network interface hosting the Failover Cluster IP must have the “Register this connection’s address in DNS” feature enabled.
If needed, manual configuration is still supported:
Disk space requirements on Platform Managers
During the DR setup, you must back up the Primary Platform Manager’s databases and copy them to the Secondary system. The DR installation program will check your database sizes and give you an estimate for the disk space requirements. You can also use a network drive for the backup, provided that the SQL Agent service account has write access to the share.
The database backup may take hours to complete, depending on the data size and the write-speed of the backup media.
|During installation with the Install Wizard, the LogRhythm Deployment Tool needs to be configured as New Multi-Host Deployment, and the generated deployment package executed on the secondary node.|
|Data Processors, Data Indexers, the LogRhythm Configuration Manager, and AI Engines||These systems point to the Platform Manager using a DNS name rather than an IP address. Remote components should also support DNS for connecting to either a Primary or Secondary site.|
Infoblox DNS for LogRhythm Disaster Recovery
This prerequisite is only for customers who use Infoblox DNS.
Infoblox requires configuration to allow updates from the domain controller to register and update DNS records used in the LogRhythm Disaster Recovery solution. This section describes the Infoblox configurations needed for dynamic DNS updates.
- Infoblox DNS must have a zone for the domain on which the DR servers are located. This is typically present if Active Directory is being resolved through Infoblox. If not, a new zone must be created for the domain.
- The zone must allow queries from the DR servers. In the settings of the zone, select the Queries tab and verify queries are allowed. By default, queries are allowed from “Any”, but this also works if the DR servers are included in a Named ACL or set of ACEs.
- The zone must allow updates from the DR servers as well as from the Domain Controller. This is configured in the same way as the query permissions.
- For InfoBlox DNS servers with no GSS-TSIG members or configuration, the zone must “Allow unsigned updates from these Domain Controllers”. This is configured within the Active Directory tab of the zone settings, where the IP of the Domain Controller can be added.
- If a shared DNS record already exists for DR (“logrhythmdr”, by default), it must be available for updates and be set to a “dynamic record”. To do this, locate the A record for LogRhythm DR within the Domain’s zone. Edit the record’s settings and select the Updates tab. Set the Record Source to Dynamic and clear the Protected checkbox. Leave the Principal field blank.