Prepare to Upgrade a LogRhythm Deployment

Record Service Credentials

If the LogRhythm services in your deployment use Windows accounts, you need the account name and password to complete this upgrade.

  1. To see if a service is running under a Windows account, click Start, click All Programs, click Administrative Tools, and then click Services.
  2. Double-click a LogRhythm service.
  3. In Service Properties, select the Log On tab. If the This account option button is selected, this service is running under Windows credentials.
  4. For each LogRhythm service, note the account name and obtain the account password from your network administrator.
  5. In Disaster Recovery deployments only, complete the following additional task:

    Verify that the SQL Server, SQL Server Agent, and LogRhythm Service Registry services are using domain accounts with local admin privileges on each DR server.

Request LogRhythm License File

You must have a license file before you can begin the upgrade process. Request your LogRhythm SIEM license file at this link. If you have an AI Engine, the AI Engine license is included in your LogRhythm license file.

The license file is imported after upgrading the LogRhythm components.

Modify web.config for LR API

LR API users who are upgrading must update web.config, if they have not already done so, because the value for ApplicationAccountKey must be encrypted with LRCrypt. For more information, see the Initialize Users in the Web Configuration topic in the SOAP API Installation Guide.

Note Web Console Environmental Variables

If you are running multiple Web Consoles and you are using environment variables to override Configuration Manager settings on one or more Web Console servers, you should note the values of those variables on each server where used, and then delete the variables. In the current version of LogRhythm SIEM, the Configuration Manager supports individual configurations for multiple Web Consoles. If any of the variables are left in place, they will continue to override settings in the Configuration Manager.

Note Platform Manager IP, LogRhythm Web UI Password, and Login Warning Banner

Following the upgrade, you need to supply the Platform Manager (EMDB) IP address and LogRhythmWebUI password in the Configuration Manager. These values are in the Global, Database Server and Web Global, Database Password fields, respectively. Additionally, if you have a login warning banner configured, you should copy it out to a file so it can be set again after the upgrade.

Synchronize Stored Knowledge Base

If a Knowledge Base has been downloaded but not synchronized, synchronize it before starting the upgrade. If you do not have a downloaded Knowledge Base, you can skip this step.

  1. Log on to a system where the Client Console is installed.
  2. Start the Client Console.
  3. On the Tools menu, click Knowledge, and then click Knowledge Base Manager.
    The Knowledge Base Manager appears. If a downloaded Knowledge Base is ready for synchronization, a notice is displayed at the top of the window.
  4. Click Synchronize Stored Knowledge Base.
    The Knowledge Base Import Wizard appears and starts unpacking and validating the Knowledge Base file. The file is checked for compatibility with your current deployment and prepared for import. This may take several minutes.
    When finished, the Unpack Progress: Knowledge Base unpacked message appears.
  5. To import the Knowledge Base, click Next.
  6. In the Knowledge Base Updated dialog box, click OK.
  7. In the Knowledge Base Import Wizard, click Close.
  8. Perform either of the following procedures as needed:
    • To enable the Knowledge Base Modules and synchronize them, perform the following steps:
      1. Select the Action check boxes next to the modules you want.
      2. Right-click the grid, click Actions, and then click Enable Module.
        The Enable Selected Modules dialog box appears.
      3. Select the options you want, and then click OK.
        The Enable Modules box displays a confirmation message.
      4. To start the synchronization, click Yes.
      5. When complete, click Close to close the Import Wizard.
    • To migrate Common Event changes, perform any of the following steps as needed:

      If you are not familiar with the customizations that have been made to your deployment, do not proceed with the import until you have acquired that knowledge, or contact LogRhythm Customer Support for assistance. For more information, see Migrate Common Events.

      If Action Required is displayed, some items need to be updated due to Common Event migration changes. Follow the instructions below. If Action Required is not displayed, go to step 9.

      1. Click Common Event Change Manager.
      2. Perform any of the following procedures as needed:
        • To migrate a Common Event with a preview, select the Action check box for the item. Right-click the grid, click Migrate with Preview, and then click Migrate Common Event to Common Event or Common Event to MPE Rule.
        • To migrate a Common Event without a preview, select the Action check box for the item. Right-click the grid, click Action, and then click Migrate Common Event to Common Event or Migrate Common Event to MPE Rule.
        • To ignore the Common Events, select the Action check box for the item. Right-click the grid, click Action, and then click Ignore. When this option is selected, items checked in the grid are ignored during future Common Event Migration checks. The items no longer appear in the Common Event Change Manager.
      3. To close the Common Event Change Manager, click Close.
  9. To view the Synchronization History, click View Synchronization History.
  10. Click Close.
  11. To close the Knowledge Base Manager, click OK.

Configure the System Monitor Service

The LogRhythm System Monitor service must start automatically after a reboot. Therefore, you must verify that the LogRhythm System Monitor Service Startup type is set to Automatic.

  1. Log on to the System Monitor host as an administrator.
  2. On the Start menu, click Administrative Tools, and then click Services.
  3. Locate the LogRhythm System Monitor service.
  4. Right-click the service, and then click Properties.
  5. On the General tab, change the Startup type to Automatic.
  6. Click OK.
  7. Close the Services window.
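
The checks in Record Service Credentials and in this section can also be collected in one pass per host. The following PowerShell is an added example, not part of the LogRhythm documentation; it assumes LogRhythm service display names begin with "LogRhythm" and that SQL Server services use their default display-name form, and the output file name is a placeholder.

```powershell
# Added example, not vendor code. Run on each LogRhythm host.
# Assumption: LogRhythm service display names begin with "LogRhythm".
$filter = "DisplayName LIKE 'LogRhythm%' OR DisplayName LIKE 'SQL Server (%' " +
          "OR DisplayName LIKE 'SQL Server Agent (%'"

# Built-in and virtual service identities need no password from an administrator.
$builtInPattern = '^(LocalSystem$|NT AUTHORITY\\|NT SERVICE\\)'
# Accounts qualified with ".\" or the computer name are local, not domain, accounts.
$localPattern = '^(\.|' + [regex]::Escape($env:COMPUTERNAME) + ')\\'

$report = Get-CimInstance -ClassName Win32_Service -Filter $filter |
    Sort-Object DisplayName |
    ForEach-Object {
        $account = $_.StartName
        $isWindowsAccount = [bool]$account -and ($account -notmatch $builtInPattern)
        [pscustomobject]@{
            Host           = $env:COMPUTERNAME
            Service        = $_.DisplayName
            LogOnAs        = $account
            WindowsAccount = $isWindowsAccount
            DomainAccount  = $isWindowsAccount -and ($account -notmatch $localPattern)
            StartMode      = $_.StartMode   # WMI reports Automatic as "Auto"
            State          = $_.State
        }
    }

$report | Format-Table -AutoSize

# Services whose account password must be obtained before the upgrade.
$report | Where-Object WindowsAccount |
    Select-Object Service, LogOnAs |
    Format-Table -AutoSize

# The System Monitor service must be set to Automatic.
$report |
    Where-Object { $_.Service -like 'LogRhythm System Monitor*' -and $_.StartMode -ne 'Auto' } |
    ForEach-Object {
        Write-Warning "$($_.Service) startup type is $($_.StartMode), expected Automatic"
    }

# Keep a record of account names only; passwords do not belong in this file.
$report | Export-Csv -Path ".\lr-services-$env:COMPUTERNAME.csv" -NoTypeInformation
```

On DR servers, the DomainAccount column should be True for the SQL Server, SQL Server Agent, and LogRhythm Service Registry services. The script does not check local admin membership, so confirm that separately.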

Verify Deployment Status in the LogRhythm Infrastructure Installer

It is critical that you complete the following procedure successfully before starting the upgrade process. If you do not successfully verify your deployment status before upgrading LogRhythm components, your deployment could be left in an unusable state.

The LogRhythm SIEM Infrastructure Installer requires a valid record of your deployment status. To ensure that this record exists, do the following:

  1. Log in to your Platform Manager as a user with administrative privileges.
  2. From Start or under Apps, click LogRhythm Infrastructure Installer under the LogRhythm folder.
  3. On the main page, click the Verify Deployment Status button if it is available.

    If Verify Deployment Status is not available, click Exit and proceed to the next section.

    The installer ensures that the plan file (plan.yml) matches the active hosts in the deployment.

  4. Verify that the deployment status is successful.
  5. Do not proceed if your deployment status cannot be verified. Ensure that all hosts in the plan file are online, and that no new hosts have been added to the deployment since the plan file was created. If any hosts were added, you will need to add them in the Infrastructure Installer, generate a deployment package, and run the package on the new hosts.

    If you still cannot verify your deployment status, you will need to add all of your hosts again, generate deployment packages for all hosts, and run the deployment packages on all hosts. For additional details, see the guide that you used when you upgraded to your current version.
  6. When the status has been verified successfully, click Exit to close the Infrastructure Installer.

Shut Down Antivirus and Endpoint Protection Software

Shut down any antivirus or endpoint protection software you have running on all LogRhythm systems.

In the case of endpoint protection software, you may need to uninstall the software from all LogRhythm systems as it has been known to interfere with the LogRhythm solution.

When the LogRhythm installation is complete, you can enable or install antivirus or endpoint protection software again.

Exit All Client Consoles

Close all Client Consoles running on all systems.
