Review the Upgrade Requirements and Considerations
Scheduling the Upgrade
The LogRhythm core services – the Mediator, Job Manager, Alarming and Response Manager, and AI Engine (if applicable) – are offline during the upgrade process. LogRhythm recommends that you schedule the upgrade during a period when this downtime is acceptable. The LogRhythm database upgrades must be complete before the core services can be brought back online.
You should reserve one to three hours for the following upgrade tasks. The more recent your deployment is, the less time you will need.
- Synchronize any pending Knowledge Base updates, which takes approximately 30 minutes.
- Back up and upgrade your existing LogRhythm databases. The backup could take as little as 30 minutes or up to several hours, depending on the size and number of your databases.
- Run the Install Wizard, which is a quick process for each appliance.
- (Optional) Install or upgrade the Linux Data Indexer.
- Upgrade additional Agents (besides the ones installed on LogRhythm appliances), which is recommended, but not required at the same time as the main upgrade.
FIPS Mode
FIPS certification for LogRhythm SIEM v7.8+ is in progress. The LogRhythm SIEM v7.8 submission covers two specific deployment configurations: XM and DPAWC + DX. For more information, see Federal Information Processing Standards (FIPS).
FIPS mode is not supported on HA/DR deployment configurations.
Core Service and Client Console Compatibility
LogRhythm 7.13 core services – the Mediator, Job Manager, Alarming and Response Manager, and the Client Console – are not compatible with pre-7.13 databases or pre-7.13 LogRhythm software, except for System Monitor Agents. All Client Consoles in your environment must be upgraded to version 7.13 to be compatible with 7.13 core services.
The Client Console is only supported on 64-bit operating systems. For more information, see the LogRhythm Component Compatibility section.
SQL Server Security Hardening Impacts
If your deployment utilizes SQL Server security hardening, this could cause problems during the upgrade or when services attempt to connect to LogRhythm databases after the upgrade.
System Monitor Agent Considerations
- System Requirements. Some System Monitor Agents can only be run on 64-bit systems. For a list of all restrictions, see the System Monitor Operating System Support table in the System Monitor Documentation.
- System Monitor Agent and Core Service Versions. System Monitor Agent versions can be less than or equal to the versions of the core services, but never higher than the versions of the core services. Therefore, if you are upgrading Agents to 7.13, do so after the core services have been upgraded and restarted.
- System Monitor Agent Collection during Upgrade. It is best to leave all System Monitor Agents running during the upgrade, especially if they are configured to receive Syslog or NetFlow messages. These Agents continue to collect log messages that would otherwise be lost and store them locally until the core services are restarted after the upgrade.
Windows Server 2016 or Server 2019 Required for Windows-Based Appliances
Upgrading from Windows Server 2016 to 2019 on existing High Availability (HA) and Disaster Recovery (DR) environments is not supported.
In this version of LogRhythm, Windows Server 2016 or Windows Server 2019 is required for Windows-based appliances.
If you are running Windows Server 2016 on your appliance, there is no need to upgrade to Windows Server 2019.
However, if you do wish to upgrade a standard deployment to Windows Server 2019, see the Windows Server 2019 Licensing note below to determine if you are eligible for an upgrade. If you are eligible, select the option to upgrade to Windows Server 2019 when submitting your 7.13 license request form. LogRhythm will then send you a key and the software needed to perform the upgrade. If you are not eligible, you can still upgrade to Windows Server 2019, but you must provide your own Server 2019 license to upgrade.*
Windows Server 2019 Licensing
- If you purchased hardware from LogRhythm on or after Nov. 1, 2020, you purchased a Server 2019 license from LogRhythm. This license can be used to upgrade the operating system. You can use and validate your license by looking at the license sticker on top of the server. If you are unable to locate the license, you can open a support case.
- If you purchased hardware prior to Nov. 1, 2020, you must provide your own Server 2019 license to upgrade.*
*Customer-provided Windows Server licenses fall outside the scope of LogRhythm Support. LogRhythm will no longer be able to work with Microsoft or Dell on behalf of the customer should there be any operating system issues. Customers will need to work directly with Microsoft.
See the LogRhythm Component Compatibility section for operating system support.
SQL Server 2016 (Standard SP1 or SP2) or SQL Server 2019 Required on Platform Manager
Upgrading from SQL Server 2016 to 2019 on existing High Availability (HA) and Disaster Recovery (DR) environments is not supported.
All Platform Manager databases in this version of LogRhythm require Microsoft SQL Server 2016 Standard SP1 or SP2 (version 13.0.4001.0) or Microsoft SQL Server 2019 (version 15.0.2000.5). Higher cumulative updates and service packs within these versions are also supported.
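The build requirement above can be checked before the upgrade window. The following PowerShell is an added example, not LogRhythm code: `Test-SqlBuildSupported` is a hypothetical helper, the sample version strings are constructed, and the check covers the build number only, not the SQL Server edition.

```powershell
# Added example, not LogRhythm code.
# Minimum builds quoted on this page, keyed by SQL Server major version.
$MinimumBuild = @{
    13 = [version]'13.0.4001.0'   # SQL Server 2016 Standard SP1
    15 = [version]'15.0.2000.5'   # SQL Server 2019
}

function Test-SqlBuildSupported {
    # Hypothetical helper: $true when the build is at or above the page's
    # minimum for its own major version; other major versions are rejected.
    param([Parameter(Mandatory)][string]$ProductVersion)
    $v = $null
    if (-not [version]::TryParse($ProductVersion, [ref]$v)) { return $false }
    if (-not $MinimumBuild.ContainsKey($v.Major)) { return $false }
    return ($v -ge $MinimumBuild[$v.Major])
}

# Constructed sample values. On a real Platform Manager, take the string from
#   SELECT SERVERPROPERTY('ProductVersion');
$samples = '13.0.1601.5', '13.0.4001.0', '13.0.5026.0',
           '14.0.1000.169', '15.0.2000.5', 'not-a-version'
foreach ($s in $samples) {
    [pscustomobject]@{
        ProductVersion = $s
        Supported      = Test-SqlBuildSupported -ProductVersion $s
    }
}
```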
If you are running Microsoft SQL Server 2016 Standard on your appliance, there is no need to upgrade to Microsoft SQL Server 2019.
However, if you do wish to upgrade a standard deployment to Microsoft SQL Server 2019, see the SQL Server 2019 Licensing note below to determine if you are eligible for an upgrade. If you are eligible, select the option to upgrade to Microsoft SQL Server 2019 when submitting your 7.13 license request form. LogRhythm will then send you a key and the software needed to perform the upgrade. If you are not eligible, you can still upgrade to Microsoft SQL Server 2019, but you must provide your own SQL 2019 installer and license to upgrade.*
SQL Server 2019 Licensing
If you purchased hardware through LogRhythm and wish to upgrade SQL, you must provide your own SQL 2019 installer and license.*
Software-only purchases allow customers to either bring their own SQL license or purchase one through LogRhythm. See the table below to determine whether your software purchase includes a SQL 2019 license.
SQL Purchase Date | LogRhythm SKU | SQL 2019 License | Customer Action |
---|---|---|---|
On or after February 1, 2022 | LR-ACC-MSSQL-P | Included | If you wish to upgrade SQL, you can request SQL 2019 license and installer through a support case. |
Prior to February 1, 2022 | LR-ACC-MSSQL-P | Not included | If you wish to upgrade SQL, you must provide your own SQL 2019 license and installer.* |
See the LogRhythm Component Compatibility section for SQL Server support documentation.
Microsoft .NET Framework 4.7.2
Microsoft .NET Framework 4.7.2 is required on the LogRhythm Platform Manager and other core components. When you update LogRhythm components with the LogRhythm Install Wizard, .NET 4.7.2 is installed when required. Before upgrading LogRhythm components, however, the Database Upgrade Tool also checks for .NET 4.7.2. If you are not already running this version of the .NET Framework, you should upgrade before you continue.
You can download the Microsoft .NET Framework 4.7.2 standalone installer from the Microsoft website. The .NET Framework installation requires 4.5 GB of free disk space. If your LogRhythm instance is deployed in a dark site, download the necessary standalone .NET installers from Microsoft Support before beginning the upgrade. Otherwise, the Web Services Installer will attempt to download it during the upgrade and the upgrade will fail without internet connectivity.
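To confirm the .NET requirement on a host before running the Database Upgrade Tool, the following PowerShell is an added example, not LogRhythm code. It relies on Microsoft's documented minimum `Release` registry value of 461808 for .NET Framework 4.7.2 and assumes the 4.5 GB of free space is needed on the system drive; the function names are hypothetical.

```powershell
# Added example, not LogRhythm code.
$MinRelease = 461808   # Microsoft's minimum "Release" value for .NET Framework 4.7.2
$MinFreeGB  = 4.5      # free space this page says the .NET installation requires
$NdpKey     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

function Test-DotNet472 {
    # $true when the installed .NET Framework 4.x is 4.7.2 or later.
    param([string]$Path = $NdpKey)
    $release = (Get-ItemProperty -Path $Path -Name Release -ErrorAction SilentlyContinue).Release
    if ($null -eq $release) { return $false }   # key or value missing
    return ($release -ge $MinRelease)
}

function Test-FreeSpace {
    # Assumption: the installer needs the space on the system drive.
    param([string]$Drive = $env:SystemDrive, [double]$RequiredGB = $MinFreeGB)
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$Drive'"
    if ($null -eq $disk) { return $false }
    return (($disk.FreeSpace / 1GB) -ge $RequiredGB)
}

$dotNetOk = Test-DotNet472
$spaceOk  = Test-FreeSpace

if ($dotNetOk) {
    Write-Output '.NET Framework 4.7.2 or later is installed.'
} elseif ($spaceOk) {
    Write-Output '.NET Framework 4.7.2 is missing; there is enough free space to install it before the upgrade.'
} else {
    Write-Output ".NET Framework 4.7.2 is missing and less than $MinFreeGB GB is free on $env:SystemDrive."
}
```

On a dark site, a missing .NET result means the standalone installer has to be staged on the host before the upgrade starts.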
Administrator Credentials
To reduce downtime, ensure the following items are available before you begin the upgrade process:
- Local administrator privileges for the LogRhythm servers.
  For Disaster Recovery deployments, this must be a domain account, which has administrative privileges on both boxes. This account is used to set up the failover cluster and is used as a service account for SQL Server, SQL Agent, and LogRhythm Service Registry services.
- The SQL Server password for the LogRhythmAdmin account.
- The SQL Server sa password for the LogRhythm databases.
- The following user permissions must be assigned to the user executing the SQL Server upgrade. The Database Upgrade Tool verifies that you have the following permissions:
  - Back up/restore files and directories
  - Manage auditing and security log
  - Take ownership of files or other objects
  - Shut down the system and debug programs
- Sufficient time to perform the upgrade. Generally, the upgrade process can be completed in under two hours, but it may take much longer for very large databases.
Power Supply
LogRhythm recommends that all LogRhythm systems be connected to an uninterruptible power supply. A power cut may cause an Elasticsearch failure that leads to a loss of indices.
Web Console Prerequisites
Before upgrading the Web Console, verify the following:
- If you are running the Web Console on a LogRhythm XM6300 appliance, be sure you have at least 128 GB of RAM installed.
- Make sure the Platform Manager (EMDB) is configured before you install the Web Console.
- During installation, you need the IP address or server name of the Platform Manager and the administrator login credentials.
- Ensure that Windows Firewall is running so that the Common installer can open port 8300.
- Clear the cache on all browsers you use to access the Web Console, and then close any open browser windows.
If you have previously installed the Web Console to a custom location, rather than the default C:\Program Files\LogRhythm, upgrading is not recommended. You should uninstall your previous version and perform a clean installation of version 7.13 following the steps described in the LogRhythm Software Installation Guide.
LogRhythm Infrastructure Installer Prerequisites
The LogRhythm Deployment Tool, also called the Infrastructure Installer, coordinates the installation and configuration of the LogRhythm Common Components (LR Common) across a set of machines.
LRCommon currently contains:
- LogRhythm API Gateway
- LogRhythm Service Registry
- LogRhythm Metrics Collection
Note the following requirements of the Infrastructure Installer:
- User Access. The user needs to be able to log on to each host in the deployment in order to run the Host Infrastructure Installer.
- Elevated Execution. The tool executes local commands under an elevated context. The user running the tool must have permission to elevate the execution.
- Network Time. The times on the hosts must be synchronized. This is a requirement for SSL certificates that are shared among the hosts in the deployment. If times are not synchronized, this tool will likely report that consul is unable to elect a leader.
If this prerequisite is not met, the deployment may not function properly after installation is complete.
LogRhythm Component Compatibility
All LogRhythm components in a deployment, except for System Monitor, must be versioned with the same major and minor number. System Monitor versions 6.x and 7.x are supported.
Database and SQL Server Versions
This LogRhythm version requires Microsoft SQL Server 2016 Standard SP1 (version 13.0.4001.0) or Microsoft SQL Server 2019 (version 15.0.2000.5). Higher cumulative updates and service packs within these versions are also supported. In this LogRhythm 7.x release, the schema version of all LogRhythm SQL databases is the same: 7.x.x.yyyy.
LogRhythm 7.9.0 introduced support for SQL Server 2019 on standard deployments. If you are running Microsoft SQL Server 2016 Standard on your appliance, there is no need to upgrade to Microsoft SQL Server 2019. If you want to upgrade to SQL Server 2019, see Upgrade SQL Server 2016 to SQL Server 2019.
System Monitor Component Support
Earlier versions of System Monitor are compatible with this version of LogRhythm. The table below lists the System Monitor versions that are compatible with LogRhythm 7.x.
System Monitor Versions Compatible with LogRhythm 7.x

System Monitor | v6.x | v7.x |
---|---|---|
System Monitor (Windows) | Yes | Yes |
System Monitor (*NIX) | Yes | Yes |
Component Operating System Support
This section describes operating systems and LogRhythm component compatibility for LogRhythm 7.13. The following table defines the LogRhythm support levels used in subsequent tables.
LogRhythm 7.9.0 introduced support for Windows Server 2019 on standard deployments. If you are running Windows Server 2016 on your appliance, there is no need to upgrade to Windows Server 2019. For a guide on upgrading to Windows Server 2019, see Upgrade Windows Server 2016 to Windows Server 2019.
Upgrades to existing High Availability (HA) and Disaster Recovery (DR) environments are not supported. LogRhythm 7.13.0 supports Windows Server 2019 on new installations of HA and DR deployments only.
Certified Support (CS) | Limited Support (LS) | Unsupported (US) |
---|---|---|
Fully tested per LogRhythm quality assurance processes. | Limited testing, but likely to work based on engineering assessment and/or field verification. | Not tested. |
LogRhythm patches bugs. | LogRhythm may patch bugs. | LogRhythm does not patch bugs. |
Full LogRhythm Technical Support. | Limited LogRhythm Technical Support. | No LogRhythm Technical Support. |
The following table shows the support levels for LogRhythm components on various 64-bit operating systems.
Any operating system not included in the following table is not supported.
LogRhythm 7.13 Operating System Support Levels

64-bit Operating System | Data Indexer | Data Processor | Platform Manager | AI Engine | LogRhythm API | Web Console | Client Console | Open Collector | SecondLook API |
---|---|---|---|---|---|---|---|---|---|
Windows 7 | US | US | US | US | US | US | LS | US | US |
Windows 8/8.1 | US | US | US | US | US | US | LS | US | US |
Windows 10 | US | US | US | US | US | US | LS | US | US |
Windows 11 | US | US | US | US | US | US | LS | US | US |
Windows Server 2008 | US | US | US | US | US | US | LS | US | US |
Windows Server 2008 R2 | US | US | US | US | US | US | LS | US | US |
Windows Server 2012 | US | US | US | US | US | US | LS | US | US |
Windows Server 2012 R2 | LS | LS | LS | LS | LS | LS | LS | US | US |
Windows Server 2016 | CS¹ | CS | CS | CS | CS | CS | CS | US | US |
Windows Server 2016 Core | US | US | US | US | US | US | US | US | US |
Windows Server 2019 | CS¹ | CS | CS | CS | CS | CS | CS | US | CS |
Windows Server 2019 Core | US | US | US | US | US | US | US | US | US |
Windows Server 2022 | CS¹ | CS | CS | CS | CS | CS | CS | US | CS |
Rocky 9.0 or greater | CS | US | US | US | US | US | US | CS | US |
CentOS 7.6 or greater | CS | US | US | US | US | US | US | CS | US |
RHEL 9.0 or greater | CS | US | US | US | US | US | US | CS | US |
RHEL 8.2 or greater | US | US | US | US | US | US | US | CS | US |
RHEL 7.6 or greater | CS | US | US | US | US | US | US | CS | US |

¹ The Data Indexer is only supported on Windows operating systems for XMs and Gen3 appliances.
Networking and Communication
A large number of ports need to be open for the different LogRhythm components to communicate. For more information, see the Networking and Communication topic in the Enterprise SIEM Help.