Install LogRhythm
Configure Hardware or Virtual Machine
This section describes how to configure your dedicated hardware or virtual machine, based on the Reference Platform you selected.
- Make sure your hardware or virtual machine is running Windows Server 2016 or Windows Server 2019 (both 64-bit).
- If necessary, enable .NET Framework 3.5.
- Log in to the server as an administrator.
- Start Server Manager.
- Under Configure this local server, click Add roles and features.
The Add Roles and Features Wizard appears.
- Under Installation Type, select Role-based or feature-based installation.
- Under Server Selection, select your local server.
- Under Features, expand the .NET Framework 3.5.1 Features node, select .NET Framework 3.5.1, and then click Next.
- Confirm your selection on the next page, click Install, and follow any additional guidance provided by the installer.
- Initialize and configure disks according to LogRhythm components. For more information, see the volume and disk configurations in the Reference Platform section of this guide.
- Initialize the newly created hard disks via disk management by going to Administrative Tools, Computer Management, Storage, and Disk Management.
- Set up disk partitions and volumes.
- Run Windows Update to ensure the latest patches, updates, and service packs are installed.
- If not installed, download and install .NET Framework 4.7.2, which is required by the Database Install Tool. The Microsoft .NET Framework 4.7.2 standalone installer is available from Microsoft's download site.
The .NET Framework 4.7.2 installation requires 4.5 GB of free disk space.
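The checks in the steps above (supported OS, .NET Framework 3.5 enabled, .NET Framework 4.7.2 present, 4.5 GB free, disks initialized, Windows Update complete) can be run as a single pre-flight script before starting the Database Install Tool. The script below is an added example, not a LogRhythm tool; it uses only standard Windows Server cmdlets. The .NET 4.7.2 detection relies on the documented Release value (461808 or higher) in the NDP registry key, and the pending-reboot check is a heuristic based on the Windows Update RebootRequired key, both assumptions of this example rather than statements from the guide.

```powershell
# Added example (not LogRhythm's own tooling): pre-flight checks for the
# hardware/VM requirements listed in this section. Run in an elevated
# PowerShell session on the target server. Thresholds (Server 2016/2019,
# 64-bit, 4.5 GB free) come from this guide; everything else is an assumption.

$results = [System.Collections.Generic.List[object]]::new()

function Add-Result {
    param([string]$Check, [bool]$Passed, [string]$Detail)
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

# 1. Windows Server 2016 or Windows Server 2019, 64-bit
$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$osOk = ($os.Caption -match 'Windows Server (2016|2019)') -and ($os.OSArchitecture -eq '64-bit')
Add-Result 'Supported OS' $osOk "$($os.Caption) $($os.OSArchitecture)"

# 2. .NET Framework 3.5 (Server feature name NET-Framework-Core)
$net35 = Get-WindowsFeature -Name NET-Framework-Core
Add-Result '.NET Framework 3.5 enabled' ($net35.InstallState -eq 'Installed') "InstallState=$($net35.InstallState)"

# 3. .NET Framework 4.7.2 or later: Release value 461808+ under the v4 Full key (assumption: standard MS key)
$ndp     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$release = if ($ndp) { [int]$ndp.Release } else { 0 }
Add-Result '.NET Framework 4.7.2+' ($release -ge 461808) "Release=$release"

# 4. 4.5 GB free on the system drive for the .NET 4.7.2 installer
$sysDisk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB  = [math]::Round($sysDisk.FreeSpace / 1GB, 1)
Add-Result 'System drive free space >= 4.5 GB' ($freeGB -ge 4.5) "$freeGB GB free on $env:SystemDrive"

# 5. Disks that still have a RAW partition style have not been initialized in Disk Management
$rawDisks = @(Get-Disk | Where-Object { $_.PartitionStyle -eq 'RAW' })
Add-Result 'All disks initialized' ($rawDisks.Count -eq 0) ("RAW disk numbers: " + (($rawDisks | ForEach-Object { $_.Number }) -join ', '))

# 6. Windows Update leaves a RebootRequired key while a restart is outstanding (heuristic)
$pendingReboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
Add-Result 'No pending Windows Update reboot' (-not $pendingReboot) "RebootRequired key present: $pendingReboot"

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more pre-flight checks failed; resolve them before running the Database Install Tool.'
}
```

Run it once after the steps above and again after any reboot, since the .NET and Windows Update checks only settle after the pending restart completes.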
Shut Down Antivirus and Endpoint Protection Software
Shut down any antivirus or endpoint protection software you have running on all LogRhythm systems.
In the case of endpoint protection software, you may need to uninstall the software from all LogRhythm systems as it has been known to interfere with the LogRhythm solution.
When the LogRhythm installation is complete, you can enable or install antivirus or endpoint protection software again.
Install the LogRhythm Databases for the Platform Manager or XM
A download link to the LogRhythm Database Install Tool should have been provided to you along with your LogRhythm license. Contact LogRhythm Support if you cannot locate this tool.
The Platform Manager, and therefore an XM setup, contains LogRhythm’s SQL Server databases. Use the LogRhythm Database Install tool to:
- Install SQL Server 2016 Standard SP2 or SQL Server 2019
- Apply the LogRhythm license for SQL Server
- Create the default LogRhythm users
- Create the initial databases, tables, stored procedures, and so on
- Size the databases as a percentage of disk space
The database installation can take up to 30 minutes. If you are installing on a virtual machine, it could take longer.
To install the LogRhythm databases:
- Log in to the Platform Manager or XM server and copy the LogRhythm Database Install Tool archive to a new directory.
- Locate the archive and extract it to a new directory on a local drive.
- Browse to the new directory, right-click LogRhythmDatabaseInstallTool.exe, and then click Run as administrator.
The server role page appears. Select the system’s target role. If you are installing a standalone Platform Manager, select PM. If you are installing an XM server, select XM.
If any of the drives on the server do not have enough space for the installation, the value under Will Use is highlighted in red. You need to reconfigure the system disks to provide enough space for the installation. Click Install.
- If you want to change the default SQL Server password for the sa account, click Change Default SQL Password.
- Type the password for the sa account, and then click Save.
- When you are ready to proceed, click Install.
- The tool installs SQL Server and configures all of the necessary settings. This process may take up to ten minutes, during which the screen appears to be inactive.
- When the installation is finished, click Done to close the Database Install Tool.
Run the LogRhythm Install Wizard
The LogRhythm Install Wizard can be used to install one or more applications or server roles on each server in your deployment. The wizard is designed for simplicity, so you can pick the applications or roles you are installing, and the wizard does everything else.
The installation of one or more applications should not take more than 10 minutes to complete. If you are installing an XM setup with all applications, the installation may take up to 15 minutes depending on your server specifications. If you are installing on a virtual machine, the installation times will be slightly increased.
Use the LogRhythm Install Wizard to install or upgrade LogRhythm components in your deployment. You must run the Install Wizard on each appliance or server in your deployment, and select the appliance configuration that you want to install or upgrade.
- The LogRhythm Install Wizard requires .NET Framework version 4.7.2 or above.
- If you are installing or upgrading the Data Indexer or Web Console, ensure that Windows Firewall Service is running before starting the Install Wizard to allow firewall rules to be created and so the Common installer can open port 8300.
- Do not try to run the wizard from a network share. Run the wizard locally on each appliance.
- For systems with UAC (Vista and later), always run installers as a Local Administrator with elevated privileges. The person performing the installation must be in the Local Admin group, unless the domain is managed and the Group Policy Object dictates that only Domain Administrators can run installers.
- When installing the Web Console, it is recommended that you run the LogRhythm Install Wizard to install all Web Console services. You may choose to install the Web Console as a stand-alone installation or as part of the XM Appliance or Platform Manager (PM) configurations.
- Log in as an administrator on the appliance or server where you are installing or upgrading LogRhythm software.
- Copy the entire LogRhythm Install Wizard directory to a new directory on the local server.
- Open the Install Wizard directory, right-click LogRhythmInstallWizard.exe, and then click Run as administrator.
The Welcome screen appears.
- Click Next to proceed.
The wizard asks you to confirm that you have prepared the LogRhythm databases for the upgrade.
- Click one of the following:
- If you have run the Database Install or Upgrade Tool on each Platform Manager or XM server (or EM or LM server on 6.3.9 deployments), click Yes to continue.
- If you have not prepared the LogRhythm databases on all required appliances, click No to cancel the wizard, install or upgrade all of the required databases, and then continue with this procedure.
- Read the agreement carefully. By accepting the terms in the agreement, you agree to be bound by those terms.
If you accept the terms of the agreement, select the I accept the terms in the license agreement check box, and then click Next.
The configuration selector appears. Depending on the selected configuration, the wizard upgrades or installs a specific application or set of applications.
For certain configurations, you can optionally select to install or upgrade the AI Engine.
If you select the Web Console, it is installed to the default location, C:\Program Files\LogRhythm\LogRhythm Web Services. For instructions on how to install the Web Console to a custom location, see the Use the LogRhythm Configuration Manager section in this guide.
For each appliance that you install, select the target appliance configuration, according to the following table.
If you are upgrading an existing PM + DP appliance or another configuration that is not represented in the Install Wizard, select one of the available configurations and then run the wizard again to install the next configuration.
7.x.x Configuration                    Select...
XM                                     XM
Platform Manager                       PM
Data Processor                         DP
Client Console                         Client Console
Web Console                            Web Console
AI Engine                              AIE
Data Collector/System Monitor          DC
LogRhythm Diagnostics Tool             LRD Tool
LogRhythm Diagnostics Tools Agent      LRD Agent
SecondLook Service                     SecondLook Service

Optional Applications                  Select
LogRhythm Diagnostics Tools Agent      LRD Agent
LogRhythm Diagnostics Tool             LRD Tool
SecondLook Service                     SecondLook Service
AI Engine                              AI Engine
Web Console                            Web Console

When you have selected the target configuration, click Install.
The LogRhythm Deployment Tool appears. The options available on the main page of the Deployment Tool depend on whether you are upgrading an existing deployment or installing a new one. Select either Configure New Deployment or Upgrade Deployment, depending on your situation.
Select the Deployment properties, and then click OK.
Follow the on-screen instructions to create a Deployment Package.
Additional help is available by clicking the question mark icon in the upper-right of the tool. When you are finished preparing your deployment, click Create Deployment Package.
Follow the on-screen instructions for Next Steps.
Once the steps are completed, click Exit to Install Wizard.
Additional help is available by clicking the question mark icon in the upper-right of the tool.
Observe for any failures as the wizard installs or upgrades the applications according to the selected configurations.
When the Client Console is installed on a fresh system, additional software packages must be installed, such as Microsoft Visual C++ Redistributable packages, the SAP Crystal Reports runtime engine, and .NET Framework 4.7.2. For this reason, the Client Console installer may take 30 minutes or more to complete.
Progress in the installation screen is indicated as follows:

Color    Meaning
Green    The application was installed successfully. A message about the application and installed version is also printed below the status indicators.
Blue     The application is being installed.
Yellow   The current or a newer version of the application is already installed.
Red      Something went wrong and the application was not installed. Additional details will be printed below the status indicators.

If something went wrong, check the installer logs located in the following location:
C:\LogRhythm\Installer Logs\<install date and time>\
During the Web Console installation or upgrade, if you receive a message that notifies you of an error with your Windows Installer package, go into each folder in C:\Program Files\LogRhythm\LogRhythm Web Services and run the unzip.bat file as an administrator. For other failures, run a Repair.
By default, the wizard installs the LogRhythm Diagnostics Tool, and it can be configured prior to the next step. For more information, refer to LogRhythm Diagnostics Tool.
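Two of the points above lend themselves to a quick scripted check: the Windows Firewall service must be running before the wizard starts so the Common installer can open port 8300, and a failed run leaves its details in the dated folder under C:\LogRhythm\Installer Logs. The functions below are an added example, not part of the LogRhythm installer. They assume the port 8300 rule is an inbound TCP rule and that the installer logs are plain text; the search pattern (error, fail, exception) is a generic heuristic, not LogRhythm's log format.

```powershell
# Added example (not LogRhythm's installer code). Run Test-FirewallServiceRunning
# before launching the Install Wizard and the other two functions after it.
# Assumptions: port 8300 rule is inbound TCP; logs are plain text files.

function Test-FirewallServiceRunning {
    # The wizard needs the Windows Firewall service (MpsSvc) running so rules can be created.
    $svc = Get-Service -Name MpsSvc
    [pscustomobject]@{
        Service = $svc.DisplayName
        Status  = $svc.Status
        Ready   = ($svc.Status -eq 'Running')
    }
}

function Get-Port8300Rules {
    # Enabled inbound firewall rules whose local port is 8300; an empty result after
    # a Data Indexer / Web Console install means the Common installer did not add the rule.
    Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -eq 8300 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Select-Object DisplayName, Profile, Action, Enabled
}

function Get-LatestInstallerLogErrors {
    param(
        [string]$LogRoot = 'C:\LogRhythm\Installer Logs',   # location named in this guide
        [string]$Pattern = 'error|fail|exception'            # heuristic, not LogRhythm's format
    )
    # Subfolders are named by install date and time; the most recently written one is the latest run.
    $latest = Get-ChildItem -Path $LogRoot -Directory -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $latest) { Write-Warning "No installer log folders found under $LogRoot"; return }
    Write-Host "Scanning $($latest.FullName)"
    Get-ChildItem -Path $latest.FullName -Recurse -File |
        Select-String -Pattern $Pattern |
        Select-Object Filename, LineNumber, @{ n = 'Line'; e = { $_.Line.Trim() } }
}

Test-FirewallServiceRunning
Get-Port8300Rules
Get-LatestInstallerLogErrors | Format-Table -AutoSize -Wrap
```

If Test-FirewallServiceRunning reports Ready as False, start the service (or have the domain policy that stops it reviewed) before re-running the wizard; a missing 8300 rule afterwards is the symptom the note above describes.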
Configure your deployment using the LogRhythm Configuration Manager that appears after the installation or upgrade is complete.
The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited settings are shown in Basic mode. Advanced mode displays all settings, including those shown in Basic mode, grouped according to which service they affect. You can filter the settings that are displayed by clicking one of the options on the left — All (no filtering), Authentication, or Web Services. When settings are filtered, you should enable the Advanced view to ensure you can see all settings. For more information, see the Use the LogRhythm Configuration Manager section in this guide.
While the Configuration Manager is still open, review your previous Web Console configuration values (backed up before starting the upgrade), turn on the advanced view, and validate or set all of the values in the Configuration Manager, especially the following:
- Global, Database Server. This is the IP address of your Platform Manager where the EMDB is installed.
- Web Global, Database Password. This is the password for the LogRhythmWebUI user, used by the Admin API for connecting to the EMDB. If the password is not correct, the Admin API will display an error.
- Web Console UI values. Verify all settings for all Web Console instances.
When finished, click Save, back up your current configuration to file, and then close the Configuration Manager.
After you validate and save your configuration, it is strongly recommended that you make a new backup. Save the file in a safe location in case you need to restore it later.
To close the LogRhythm Install Wizard, click Exit.
Once your LogRhythm installation is complete, refer to the collection of topics in Get Started with LogRhythm SIEM for information on logging into the console, completing the new deployment wizard, and assigning licenses.
Use the LogRhythm Configuration Manager
If you are using multiple Web Console instances, the Configuration Manager lets you apply individual configurations to each instance. Each instance, for single or multiple Web Consoles, will be identified in the Configuration Manager as Web Console UI - HOSTNAME, where HOSTNAME is the Windows host name of the server where the Web Console is installed.
Configuring the Data Indexer for Windows and Linux has moved from the individual clusters to the Configuration Manager on the Platform Manager.
Each cluster has its own section under Data Indexers that looks like this:
Data Indexer - Cluster Name: <ClusterName> Cluster Id: <ClusterID>
The Cluster Name and Cluster ID come from the Environment variables, DX_ES_CLUSTER_NAME and DXCLUSTERID on each server. The Cluster Name can be modified in the Configuration Manager. If you change the Cluster Name, the name should be less than 50 characters long to ensure it displays properly in drop-down menus. The DXCLUSTERID is automatically set by the software and should not be modified.
To expand the screen and see all options at once, click the View menu in the upper-left corner of the LogRhythm Configuration Manager window, then click Toggle Full Screen.
At the bottom of the LogRhythm Configuration Manager window, a service status indicator shows which Services are active or inactive. A blue light indicates that all services are up. A red light indicates that one or more services are down. You can hover the mouse over the indicator to see a list of which services are down. In Advanced mode, the indicator light also appears next to each group header.
To configure settings in the LogRhythm Configuration Manager:
- Find the setting you want to configure by doing one of the following:
- In the Search box, type a term that appears in either the name or description of the configuration. Note that headers and user input data won't be searched. Search returns results from both Basic and Advanced modes, even if Advanced is not toggled on.
- Scroll through the Basic or Advanced configuration mode until you find the option you want. The Configuration Manager is used to configure settings such as user ID, password, authentication strategy, and log level for the following components:
- LogRhythm Database
- Admin API
- AIE Drilldown Cache API
- Alarm API
- API Gateway
- Authentication API
- Case API
- CloudAI
- Data Indexer - (one section per cluster)
- Help and Documentation
- Search API
- Notification Service
- SQL Service
- Web Console API
- Web Console UI
- Web Indexer
- Web Services Host SPI
- Windows Authentication Service
- Enter the configuration you want. Note the following features:
- The LogRhythm Configuration Manager provides informational text as appropriate about what the settings do and what unit data must be entered in.
- Configuration changes that could affect the performance of the environment include a written warning beneath the input box.
- For organizations using Smart Cards, the Automatic Logout Time setting for Web Console API should be increased from the default of zero.
- Upgrading to a new SIEM version may cause the LogRhythmWebUI Database Password to reset to the default password in the Alarm API section in the Configuration Manager. If you had previously changed this password, you must reenter your LogRhythmWebUI Database Password in the Alarm API section in the Configuration Manager.
- When Web Console Smart Card Authorization is enabled, the other Authentication API settings will become unavailable.
- Multi-factor authentication requires users to set up authentication tools on their devices.
Click Save after making changes to the configuration. You can also click Save in the Edit menu in the upper-left corner of the Configuration Manager. The configuration file is saved to %APPDATA%\LogRhythm Configuration Manager\presets. You can make additional configuration backups. For more information, see the Back Up and Restore section below.
If you make a configuration change and then change that configuration again back to the previously saved setting, the Save button will be deactivated and the last saved values persist. To undo a single configuration change, click Edit in the upper-left corner of the LogRhythm Configuration Manager, and then click Undo. You can also press Ctrl+Z. If you need to undo several configuration changes at once, clicking the Revert Unsaved Changes button sets all configurations back to their last saved values.
The affected service or services restart automatically and the changes are applied. A restart time of up to 60 seconds is normal.
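Two details from this section are worth checking from a script rather than by eye: the Data Indexer cluster name and ID come from the DX_ES_CLUSTER_NAME and DXCLUSTERID environment variables on each server (with the name kept under 50 characters), and the Configuration Manager saves its file under %APPDATA%\LogRhythm Configuration Manager\presets, which this guide recommends backing up. The script below is an added example, not a LogRhythm tool. It assumes the two variables are set at machine scope (it falls back to the current process if not), and the destination D:\ConfigBackups is a placeholder to replace with your own safe location.

```powershell
# Added example (not a LogRhythm tool). Assumptions: DX_* variables are machine-scope
# (process scope used as fallback); D:\ConfigBackups is a placeholder destination.

function Get-DxEnvironmentVariable {
    param([string]$Name)
    $value = [Environment]::GetEnvironmentVariable($Name, 'Machine')
    if ([string]::IsNullOrEmpty($value)) { $value = [Environment]::GetEnvironmentVariable($Name, 'Process') }
    return $value
}

function Test-DataIndexerClusterName {
    # Run on each Data Indexer server; the 50-character limit is the guide's drop-down display rule.
    $name = Get-DxEnvironmentVariable 'DX_ES_CLUSTER_NAME'
    $id   = Get-DxEnvironmentVariable 'DXCLUSTERID'
    [pscustomobject]@{
        Server       = $env:COMPUTERNAME
        ClusterName  = $name
        ClusterId    = $id
        NameLengthOk = (-not [string]::IsNullOrEmpty($name)) -and ($name.Length -lt 50)
        IdPresent    = -not [string]::IsNullOrEmpty($id)   # DXCLUSTERID is software-managed; only check it exists
    }
}

function Backup-ConfigurationManagerPresets {
    param([string]$Destination = 'D:\ConfigBackups')   # placeholder; use your own safe location
    # The Configuration Manager saves under the current user's %APPDATA%, so run this as the
    # same user that clicked Save.
    $presets = Join-Path $env:APPDATA 'LogRhythm Configuration Manager\presets'
    if (-not (Test-Path $presets)) {
        throw "Presets folder not found: $presets (has the Configuration Manager been saved yet?)"
    }
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $zip   = Join-Path $Destination "LRConfigManager-presets-$env:COMPUTERNAME-$stamp.zip"
    Compress-Archive -Path (Join-Path $presets '*') -DestinationPath $zip
    # Record a hash so a later restore can be verified against what was actually backed up.
    $hash = (Get-FileHash -Path $zip -Algorithm SHA256).Hash
    [pscustomobject]@{
        Archive = $zip
        Sha256  = $hash
        SizeKB  = [math]::Round((Get-Item $zip).Length / 1KB, 1)
    }
}

Test-DataIndexerClusterName
Backup-ConfigurationManagerPresets
```

Keep the reported SHA-256 with your change record; comparing it to the archive's hash at restore time tells you whether the backup is the one taken right after the Save described above.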