Supplemental Information for Upgrades

Troubleshoot the LogRhythm Configuration Manager

If the LogRhythm Web Services Host, the LogRhythm API Gateway, or the LogRhythm Service Registry is not running, you receive an error message and the LogRhythm Configuration Manager does not load. If you are not running the LogRhythm version of SQL Server, one of the following error messages displays:

  • The LogRhythm Configuration Manager displays: Cannot communicate with Services Host API.
  • The log file for Service Host API displays: 2016-07-18T15:28:05.080-06:00 [ERROR] [thread:6] [class:Client.Session] **ERROR** Unable to load LogRhythm Master License: The SELECT permission was denied on the object 'SCLicense', database 'LogRhythmEMDB', schema 'dbo'.

To resolve this issue:

  1. Go to Services on your machine and stop the service SQL Server (MSSQLSERVER).
  2. Restart the service LogRhythm Services Host API.
  3. Open the LogRhythm Configuration Manager.
  4. In the Database Server box, enter the correct Database Server IP address.
  5. Click Save.
  6. In the Services program on your machine, restart SQL Server (MSSQLSERVER).

The LogRhythm Configuration Manager does not load if a proxy server is enabled for LAN connections in Internet Explorer.

To change the proxy server settings for Internet Explorer:

  1. On the Internet Options dialog box, select the Connections tab.
  2. Click LAN Settings.
    The Local Area Network (LAN) Settings dialog box appears.
  3. Clear the Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections) check box.
  4. Click OK.

If you require a proxy server for LAN connections, contact LogRhythm Support.

Back Up and Restore a LogRhythm Configuration

When you click Save in the LogRhythm Configuration Manager, the configuration file is saved to %APPDATA%\LogRhythm Configuration Manager\presets. However, you can create a backup of any configuration and save it to any location to use later to restore a given configuration or share with other users.

To back up a configuration:

  1. Make any changes you want. Boxes with changes are outlined in blue.
  2. Select Backup/Restore from the menu.
  3. Click Backup to File.
  4. Name the file and save it to the location you want.
  5. (Optional) Click Save in the lower right of the LogRhythm Configuration Manager to apply the changes immediately.

To restore a configuration:

  1. Select Backup/Restore from the menu.
  2. Select one of the following:
    • Restore from File. Prompts you to open a configuration backup file. After you open the file, boxes with changes are outlined blue.
    • Restore from Last Saved. Reverts to the configuration saved in %APPDATA%\LogRhythm Configuration Manager\presets. You can also click Revert Unsaved Changes to apply the settings in that file. Boxes with changes are outlined blue.
    • Restore from Default. Returns all configuration settings to the installation defaults. Boxes with changes are outlined blue.
  3. In the lower right of the LogRhythm Configuration Manager, click Save to apply the new settings.

Add Additional Components to an Existing Deployment

The LogRhythm Infrastructure Installer assists in the installation of Common Components across all LogRhythm appliances and runs as the LogRhythm Infrastructure Installer (LRII) in the Install Wizard. The Common Components are required on each appliance (Platform Manager, Data Processor, Data Indexer, Web Console, and AI Engine) to enable communication between components. The Infrastructure Installer builds a deployment package that you can use to manually deploy the Common Components on each appliance in a distributed configuration. With this method, you do not need to relax the security posture of your deployment to install Common Components. The tool is required every time you install or upgrade a LogRhythm component to ensure that all components are communicating properly. If the tool is not used during an installation or upgrade, the deployment will not be functional and you will not be able to index or retrieve data.


You must have the IP address of each LogRhythm server in your deployment, with the exception of those running the Client Console or standalone System Monitors. You will also need SQL database credentials (sa or equivalent user) for the EMDB and the ability to log in to each of the LogRhythm servers to run the deployment package that the Deployment Tool generates.

  1. In the Start menu on the machine where you have LogRhythm installed, click LogRhythm, and then LogRhythm Infrastructure Installer.
  2. Click Add/Remove Hosts.
  3. Click Add Host.
  4. Enter the information for the new host and click Save.
  5. Click Deployment Properties.
  6. If necessary, change the Deployment Properties to match your deployment, and then click OK.
  7. Click Create Deployment Package.
  8. Follow the instructions provided by the Infrastructure Installer.
  9. When you have finished, return to the home page of the Infrastructure Installer and click Verify Deployment Status.
  10. When the Infrastructure Installer indicates that your deployment is healthy, use the LogRhythm Installation Wizard to install your new component.
  11. License, configure, and add the new component according to the instructions provided in the LogRhythm Client Console Help or LogRhythm Web Console Help.

Logs

Installer logs are located in C:\LogRhythm\InstallerLogs, in a folder with the date you completed the installation. The _LIW log shows basic information about the Install Wizard, and the LogRhythm_Infrastructure_Installer_Silent log shows more information about the Deployment Tool.

In addition, you can find more information about the Deployment Tool install at C:\Program Files\LogRhythm\LogRhythm Infrastructure Installer\logs or in the MSI log on the server, located at %Temp%.

The Linux DX installer logs are located at /var/log/persistent. You can run cat logrhythmclusterinstall.sh.log or cat logrhythm-node-install.sh.log to view the contents of these logs.

Troubleshooting

Below are some potential issues that may arise when running the Deployment Tool.

Not all servers are shown in the EMDB results

The search does not find standalone Web Consoles or System Monitors. You must manually add your standalone Web Consoles. There is no need to add the standalone System Monitors.

Linux deployment package will not run

You may have to switch to the directory where the package is located and run the following command prior to running the Linux installer:

sudo chmod +x LRII_linux

After this has been completed, you can run the Linux package with the following command:

sudo ./LRII_linux

The Deployment Tool was successful, but cannot index or process

Ensure that you also run the Install Wizard on all of your nodes and/or the Linux DX upgrade package. These are still required to be run on your nodes in addition to the Deployment Package.

My Deployment Status Verification says that not everything is active

Check your list of hosts in the Deployment Tool for accuracy. You may need to run the Deployment Package on the inactive servers again. Follow the instructions above to run the packages.

My upgrade won't start because Elasticsearch is not running

You may see a message stating: You cannot upgrade: Please run 'sudo systemctl start elasticsearch'.

Elasticsearch needs to be running to check your indices for incompatible versions. Start the service as indicated, run the curl command mentioned in the error until the cluster health is green, and then try the install again.

When upgrading my Linux DX, I received an error that states the LRII Plan file is invalid

You may not have added the plan file location to the executable path. Make sure you use the full execution path. It should be similar to the following:

sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/soft/hosts --plan /home/logrhythm/soft/plan.yml

The LogRhythm Service Registry can't start during an upgrade

This error occurs when the Service Registry service is not started when LRII runs or it was started after the Deployment Tool loaded. The C:\Program Files\LogRhythm\LogRhythm Infrastructure Installer\data directory is cleared prior to running LRII because it recreates a new configuration for this upgrade.

There is a backup script that saves all key values prior to running the Deployment Tool so that the data directory can be recovered if necessary. If needed, these files are in the depconf folder.

Unable to query for legacy deploymentType value

This error message may appear if your key values have been removed. It should automatically restore them for you, but if you run into this issue, you can run the following steps to restore the key values.

  1. Open PowerShell.
  2. Type the following:

    cd "c:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\-backup"
  3. Run the following:

    $ConsulPath = "C:\LogRhythm\Deployment\data\consul.exe"
  4. Find a previous backup at the location in step 2 that is larger than the most recent backups.
    Most likely, the recent backups are 0 in size and you should pick the latest with a size larger than that.
  5. Run the following script:

    Get-Content .\kvexport-<date of backup>.json | & $ConsulPath kv import -
  6. Restart the LogRhythm Deployment Tool.
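
Steps 2 through 5 can be scripted so that the newest backup that is both non-empty and valid JSON is selected automatically. This is an added example, not a LogRhythm script; the two paths and the kvexport-*.json name come from the steps above, and Get-LatestUsableKvBackup is a hypothetical helper name.

```powershell
# Added example, not LogRhythm's own script. Paths are the ones quoted in the steps above.
$BackupDir  = 'c:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\-backup'
$ConsulPath = 'C:\LogRhythm\Deployment\data\consul.exe'

# Hypothetical helper: returns the newest export that can actually be imported.
function Get-LatestUsableKvBackup {
    param([Parameter(Mandatory)][string]$Directory)

    # Newest first; skip the zero-byte exports described in step 4.
    $candidates = Get-ChildItem -LiteralPath $Directory -Filter 'kvexport-*.json' -File |
        Where-Object { $_.Length -gt 0 } |
        Sort-Object LastWriteTime -Descending

    foreach ($file in $candidates) {
        try {
            # A usable export parses as JSON and holds at least one key/value entry.
            $entries = Get-Content -LiteralPath $file.FullName -Raw |
                ConvertFrom-Json -ErrorAction Stop
            if ($entries) { return $file }
            Write-Warning "Skipping $($file.Name): export contains no entries"
        } catch {
            Write-Warning "Skipping $($file.Name): not valid JSON"
        }
    }
    throw "No non-empty, parseable kvexport-*.json found in $Directory"
}

$backup = Get-LatestUsableKvBackup -Directory $BackupDir
Write-Host "Importing $($backup.Name) ($($backup.Length) bytes, $($backup.LastWriteTime))"

# Same import as step 5: consul reads the export from standard input.
Get-Content -LiteralPath $backup.FullName | & $ConsulPath kv import -
if ($LASTEXITCODE -ne 0) { throw "consul kv import failed with exit code $LASTEXITCODE" }
```

Restart the LogRhythm Deployment Tool afterwards, as in step 6.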

Add Additional Web Consoles

You should only install the Web Console with the LogRhythm Install Wizard, regardless of whether or not you are adding it to the PM or as a standalone appliance/server. For a standalone installation, be sure to follow the instructions regarding the LogRhythm Infrastructure Installer — run your deployment package on the Web Console server and then run the Install Wizard to install the single Web Console configuration.

Any time you add a new Web Console to an existing LogRhythm deployment, you must rerun the LogRhythm Infrastructure Installer for the new component to be able to communicate. For further instructions, see Add a Component to an Existing LogRhythm Deployment.

The Web Console can be accessed on Google Chrome (version 54 or higher is recommended), Mozilla Firefox (version 50.0.1 or higher is recommended), or Internet Explorer 11. The Web Console is not supported on tablets, mobile devices, or touch screens.

Configure the Web Console With the LogRhythm Configuration Manager

The LogRhythm Configuration Manager is an application that allows you to easily set up environmental variables and configure them as needed during the lifetime of the Web Console.

Configure Smart Card/CAC Authentication

Smart Card/CAC authentication is not supported on Firefox.

To configure Smart Card/CAC authentication:

  1. To obtain the environment's Certificate Authority Trust chain, concatenate the set of all SSL certificates including the root certificates, the certificates that sign the end-user certificates, and all intermediate certificates into a single file.

    Do not manually insert line breaks within the certificates. The certificates do not need to be in any specific order.
  2. In the Web Services Configuration Manager, complete the following:
    1. In the Certificate Authority Trust section, click Choose file.
    2. Select the single certificates file created in step 1. The contents of the certificate file populate the Certificate Authority Trust field.
    3. In the Authentication section, set the Web Console Multi-factor Authentication Type to Smart Card.

Generate Self-Signed Certificates for the Web Console

The Web Console installer automatically generates a self-signed SSL certificate for you and saves it here: C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls_temp.

However, it is best practice to generate your own self-signed certificates or import certificates signed by a third party. When configuring your own SSL Certificates for the Web Console, each certificate needs to be configured separately. Some guidance on doing so can be found on the Digital Ocean website and the OpenSSL website, but your IT department should follow their own policies and security practices.

Your IT department should set up proper certificates for your domain, install those on the internal systems, and maintain them appropriately.

The LogRhythm Web Console supports .pem and .crt files only. If you convert to a .crt file using OpenSSL, be sure to use the -nokeys flag.

  1. Ensure the private key is unencrypted. The private key should not require a password.
  2. Concatenate the certificate with the issuing and root Certificate Authority (CA) into a single file, if necessary.
  3. Open the LogRhythm Configuration Manager.
  4. To add the public key to the SSL Public Key parameter, click Choose File and select the public key in the file browser.
  5. To add the private key to the SSL Private Key parameter, click Choose File and select the private key in the file browser.
  6. Save your changes, and restart services, if necessary.
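
The requirements above (no private key in the certificate file, an unencrypted private key, intact concatenated certificates) can be checked before the files are selected in the Configuration Manager; the same check applies to the Certificate Authority Trust file built for Smart Card/CAC authentication when -PrivateKeyPath is omitted. This is an added example, not LogRhythm code; Test-WebConsolePem and the file names are hypothetical.

```powershell
# Added example: pre-flight check for the files chosen in the Configuration Manager.
# Test-WebConsolePem is a hypothetical helper name, not a LogRhythm cmdlet.
function Test-WebConsolePem {
    param(
        [Parameter(Mandatory)][string]$CertificatePath,  # .pem/.crt with the certificate chain
        [string]$PrivateKeyPath                           # omit when checking a CA trust file
    )
    $problems = @()
    $anyKey   = '-----BEGIN [A-Z ]*PRIVATE KEY-----'

    $certText = [string](Get-Content -LiteralPath $CertificatePath -Raw)
    # A key inside the certificate file means the conversion ran without -nokeys.
    if ($certText -match $anyKey) { $problems += 'certificate file contains a private key' }

    $blocks = [regex]::Matches($certText,
        '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----')
    if ($blocks.Count -eq 0) { $problems += 'no PEM certificate block found' }
    $index = 0
    foreach ($block in $blocks) {
        $index++
        try {
            # Each block must be intact base64 that parses as an X.509 certificate.
            $der  = [Convert]::FromBase64String(($block.Groups[1].Value -replace '\s', ''))
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            if ($cert.NotAfter -lt (Get-Date)) {
                $problems += "certificate $index has expired: $($cert.Subject)"
            }
        } catch {
            $problems += "certificate $index is damaged and does not parse"
        }
    }

    if ($PrivateKeyPath) {
        $keyText = [string](Get-Content -LiteralPath $PrivateKeyPath -Raw)
        if ($keyText -notmatch $anyKey) {
            $problems += 'no PEM private key block found'
        } elseif ($keyText -match 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type:\s*4,ENCRYPTED') {
            # PKCS#8 encrypted header, or the legacy OpenSSL encrypted-PEM header.
            $problems += 'private key is password-protected'
        }
    }
    return $problems
}

# File names below are placeholders for your own files.
$found = @(Test-WebConsolePem -CertificatePath .\webconsole-chain.pem -PrivateKeyPath .\webconsole.key)
if ($found.Count) { $found | ForEach-Object { Write-Warning $_ } } else { 'Files look usable.' }
```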

Trust the Self-Signed Certificate from a Client PC

Untrusted self-signed certificates can cause the Web Console to perform poorly. Self-signed certificates that are not trusted prevent browsers from caching HTTPS requests, which causes Web Console pages to load slowly.

To prevent this problem, configure trusted certificates:

  1. Delete the following folders:
    • C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls
    • C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls_temp
  2. Run the installer for the latest version of the Web Console on a Windows machine. If you have already installed the Web Console, run the following script as an administrator: C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\generate_keys.bat
  3. Do one of the following:
    • Method 1. Certificate trusted for all users of a system
      1. From the Web Console server, run the Microsoft Management Console (mmc.exe).
      2. On the File menu, click Add/Remove Snap-in.
      3. Add the Certificates Snap-in.
      4. Select Computer account > Local computer.
      5. Run the Microsoft Management Console with the Certificate Snap-in on the client system.
      6. Import the LogRhythm Self-Signed Certificate file from C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls_temp (or your own Self-Signed Certificate) file into the Trusted Root Certification Authorities store. The certificate will be trusted for all users of this system.
    • Method 2. Certificate trusted for current user only
      • In Internet Explorer 11
        1. Run Internet Explorer as an administrator.
        2. Go to your Web Console deployment.
        3. Click Continue to this website (not recommended).
        4. Click Certificate error in the address bar.
        5. In the dialog box, click View certificates.
        6. On the General tab, click Install Certificate, and then click Next when the wizard opens.
        7. Select Place all certificates in the following store.
        8. Click Browse and select Trusted Root Certification Authorities.
        9. Click OK and Next.
        10. Click Finish.
      • In Firefox
        1. Go to the Web Console.
          A security certificate error page appears.
        2. Click the arrow next to I Understand the Risks to expand the section.
        3. Click Add Exception.
        4. At the bottom of the dialog box, select Permanently store this exception.
        5. Click Confirm Security Exception.
      • In Chrome
        1. Browse to the Web Console.
          A security certificate error page appears.
        2. Click Advanced, and then click Proceed to [Web Console].
        3. In the address bar, click the broken padlock icon.
        4. Next to the Your connection to this site is not private warning, click Details.
        5. Click View certificate.
        6. Select the Details tab.
        7. Click Copy to File.
        8. Follow the steps in the wizard to save the certificate as a PKCS #7 (.P7B) certificate in a place you can easily locate it.
        9. After you finish exporting the certificate, go to Settings in your browser.
        10. At the bottom of the screen, click Show advanced settings.
        11. In the HTTPS/SSL section, click Manage certificates.
        12. Select the Trusted Root Certification Authorities tab.
        13. Click Import.
        14. Follow the steps in the wizard to import the certificate you saved in step 8. You must save the certificate to the Trusted Root Certification Authorities store.
        15. Select the newly imported certificate in the Trusted Root Certification Authorities tab, and then click Advanced.
        16. At the bottom of the dialog box, select Include all certificates in the certification path, and then click OK.
        17. Restart Chrome.

Remove the Web Console

If you need to uninstall the Web Console, log in as an Administrator, go to Add/Remove Programs, and uninstall the LogRhythm Web Console. During the uninstallation, the following components are stopped and removed:

  • LogRhythm Case API
  • LogRhythm Web Console API
  • LogRhythm Web Console UI
  • LogRhythm Web Indexer
  • LogRhythm Web Services Host API
  • LogRhythm Threat Intelligence API
  • LogRhythm Web Services Configuration Manager (program)

After removing the Web Console, any files that were generated by the runtimes of the services above remain. All installation directories are still present. Below are some examples of the types of files that remain on the system:

  • log files
  • temporary or buffer files
  • generated keys or certificates
  • .pid files

If you want to completely remove the Web Services, it is safe to remove the entire LogRhythm Web Services directory. If you plan to reinstall Web Services, it is not necessary to remove the Web Console folder structure.
