
Amazon Web Services Installations

This section provides information about how to design and deploy LogRhythm in Amazon Web Services.

It is assumed that the user has experience with Amazon Web Services EC2.

Design

Designing LogRhythm in AWS is similar to on-premises deployments. However, there are some areas of optimization that can reduce OS and SQL licensing costs, which are charged per core. Where an all-in-one XM would be used on physical hardware, it often doesn't make sense in AWS, because you are effectively renting the OS and SQL licenses. In public cloud environments it's often more cost-effective to split the deployment into separate small components, such as a small PM (fewer vCPUs, so lower SQL licensing) + DPAWC (the remaining Windows-based services) + DX (Linux services). Assess the volume needs of your organization and match them to the LogRhythm Reference Architecture provided in this section.

Windows Systems

Create Windows virtual machines using the standard EC2 instances from AWS. Select the newest base operating system supported by your version of LogRhythm.

  • Select the size of the instance based on your appliance sizing needs using the Amazon Web Services Reference Architecture table in the Reference Architecture topic.
  • Create EBS storage to match the instance mappings for volume type and size. We primarily recommend GP3 volumes, which default to 3000 IOPS and 125 MB/s throughput. These defaults are enough for most workloads, but on larger DX machines they must be raised to the values specified in the reference architecture sheets. Environmental factors such as larger-than-average log sizes may also require these values to be increased to achieve the required performance. LogRhythm recommends monitoring disk throughput and IOPS in your environment to determine whether performance bottlenecks exist.
  • Root instance store volumes should not be used for LogRhythm storage.

Linux Systems (Data Indexer)

LogRhythm recommends installing a Rocky 9.x Minimal system or Red Hat Enterprise Linux (RHEL) 9 and adhering to the following steps:

  1. Select the size of the instance based on your appliance sizing needs using the Amazon Web Services Reference Architecture table in the Reference Architecture topic.
  2. Create EBS storage to match the instance mappings for volume type and size. Additional disks must be configured after launching the instance and prior to installing the LogRhythm Data Indexer software. All data disks must be mounted at /usr/local/logrhythm. Follow the single-disk procedure or the multiple-disk (LVM) procedure below, depending on how many data volumes the instance has.

    Root instance store volumes should never be used for LogRhythm storage. Dedicated disk(s) should be mounted to /usr/local/logrhythm prior to installation of the software.
    1. For Single Data Disk DX Instances:

      1. Confirm all disks are visible within the EC2 instance; you should see your additional storage as /dev/xvdb or /dev/xvdc.
        This can vary depending on instance type, but should follow a pattern where the first disk ends with a, second disk with b, third disk with c, etc.

        CODE
        # sudo lsblk | grep disk
      2. Enter the following commands to configure a partition on the disk, using the disk name you found above.
        For example, "sudo parted /dev/xvdb" starts an interactive parted session; the remaining lines are entered at the parted prompts.

        CODE
        # sudo parted /dev/xvdb
        mklabel gpt
        mkpart
        Partition name?  (leave blank)
        File system type?  ext2
        Start?  1
        End?  (the size of this partition; for a 16TB drive enter 16000GB)
        print
        (confirm that the printed partition table looks correct)
        quit
      3. Build the file system using this command, specifying the disk you used in the previous step:

        CODE
        # sudo mkfs.ext4 -m 0 /dev/xvdb
        
      4. Create the directory to which you wish to mount the disk.
        This should always be /usr/local/logrhythm.

        CODE
        # sudo mkdir -p /usr/local/logrhythm/
      5. Record the block UUID for the disk that you wish to mount:

        CODE
        # sudo blkid

        This is a necessary step. Never mount using the device name; always use the UUID, or the drive mapping will fail after an instance change.

      6. Edit fstab and add this drive to be mounted to the directory you created previously "/usr/local/logrhythm":

        CODE
        # sudo vi /etc/fstab
        UUID=#########-####-####-####-############ /usr/local/logrhythm ext4 nodev,nosuid,nofail 1 2
      7. Mount the new drive:

        CODE
        # sudo mount -a
    2. For Multiple Data Disk DX Instances (LVM)

      1. Confirm all disks are visible within the EC2 instance.
        You should see your additional storage as /dev/xvdb, /dev/xvdc, etc. This can vary depending on instance type, but should follow a pattern where the first disk ends with a, second disk with b, third disk with c, etc. Record these values, as you will use them in the next step.

        CODE
        # sudo lsblk | grep disk
      2. Create a volume group containing all data disks.
        In this command, replace the disk names with the ones recorded for your system in the previous step.

        CODE
        # sudo vgcreate vg_lrdata /dev/xvdb /dev/xvdc /dev/xvdd
      3. Create a logical volume with data striping for optimal performance.
        In this command, the stripe count (-i) must match the number of disks in the volume group. For example, if you created a volume group with two disks, use 2 here.

        CODE
        # sudo lvcreate -i <number_of_disks> -I 32 -l 100%FREE -n lv_lrdata vg_lrdata
      4. Format the filesystem:

        CODE
        # sudo mkfs.ext4 /dev/vg_lrdata/lv_lrdata
      5. Record the block UUID for the disk that you wish to mount:

        CODE
        # sudo blkid
      6. Reload the systemd manager configuration so the new volume can be mounted:

        CODE
        # sudo systemctl daemon-reload
      7. Edit fstab and add this drive to be mounted to the directory you created previously "/usr/local/logrhythm":

        CODE
        # sudo vi /etc/fstab
        UUID=#########-####-####-####-############ /usr/local/logrhythm ext4 nodev,nosuid,nofail 1 2
      8. Create the directory to which you wish to mount the disk.
        This should always be /usr/local/logrhythm.

        CODE
        # sudo mkdir -p /usr/local/logrhythm/
      9. Mount the new drive:

        CODE
        # sudo mount -a
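The following bash script is an added example, not part of the LogRhythm documentation or product. It encodes the rules from the single-disk and multiple-disk procedures above (mount /usr/local/logrhythm by UUID, never by device name; the LVM stripe count must equal the number of data disks) as shell functions, and runs a self-check against constructed fstab files so that nothing touches a real disk. The function names, the sample UUID and the throwaway fstab contents are all assumptions made for this example; only lr_uuid_of calls a real tool (blkid) and it is not exercised by the self-check.

```shell
#!/usr/bin/env bash
# Added example (not part of the LogRhythm documentation or product): helper
# functions that encode the rules from the DX data-volume procedures and a
# self-check that runs on constructed fstab files, so no real disk is touched.
set -eu

LR_MOUNT=/usr/local/logrhythm   # the mount point LogRhythm requires

# Print the fstab entry for the data volume, keyed by filesystem UUID.
# Mounting by UUID instead of /dev/xvdX is what survives an instance change.
lr_fstab_line() {
  local uuid="$1"
  printf 'UUID=%s %s ext4 nodev,nosuid,nofail 1 2\n' "$uuid" "$LR_MOUNT"
}

# Resolve the UUID of a formatted block device (wrapper around blkid; needs root
# and a real device, so it is not exercised by the self-check below).
lr_uuid_of() {
  sudo blkid -s UUID -o value "$1"
}

# Return 0 when the given fstab mounts $LR_MOUNT exactly once and by UUID.
# Catches the two common mistakes: a duplicate entry, and mounting by device name.
lr_check_fstab() {
  local fstab="${1:-/etc/fstab}"
  local entries count
  entries=$(awk -v m="$LR_MOUNT" '$1 !~ /^#/ && $2 == m { print $1 }' "$fstab")
  count=$(printf '%s' "$entries" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one fstab entry for $LR_MOUNT, found $count" >&2
    return 1
  fi
  case "$entries" in
    UUID=*) return 0 ;;
    *) echo "$LR_MOUNT is mounted by device name ($entries); use UUID=" >&2; return 1 ;;
  esac
}

# Build the striped-LV command for the multi-disk case: the stripe count (-i)
# must equal the number of physical volumes passed in, which is the value the
# reader otherwise has to fill in by hand.
lr_lvcreate_cmd() {
  local ndisks=$#
  if [ "$ndisks" -lt 2 ]; then
    echo "striping needs at least two data disks (got $ndisks)" >&2
    return 1
  fi
  printf 'sudo lvcreate -i %d -I 32 -l 100%%FREE -n lv_lrdata vg_lrdata\n' "$ndisks"
}

# Self-check on constructed input: a sample UUID and two throwaway fstab files.
lr_selfcheck() {
  local uuid='0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b'   # constructed, not a real volume
  local good bad
  good=$(mktemp); bad=$(mktemp)
  lr_fstab_line "$uuid" > "$good"
  printf '/dev/xvdb %s ext4 defaults 0 0\n' "$LR_MOUNT" > "$bad"
  lr_check_fstab "$good" && echo "good fstab: OK"
  lr_check_fstab "$bad" 2>/dev/null || echo "bad fstab: rejected as expected"
  lr_lvcreate_cmd /dev/xvdb /dev/xvdc /dev/xvdd
  rm -f "$good" "$bad"
}

lr_selfcheck
```

On a real instance you would use `lr_fstab_line "$(lr_uuid_of /dev/xvdb)" | sudo tee -a /etc/fstab` after formatting the disk, then run `lr_check_fstab` before `sudo mount -a`; the check is also worth re-running after any instance type change, which is exactly when a device-name entry would start failing.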
  3. Create a LogRhythm user.

    1. Log into the AWS instance and elevate to the root user:

      CODE
      # sudo su
    2. Add new user called logrhythm:

      CODE
      # adduser logrhythm
    3. Set the password for the LogRhythm user:

      CODE
      # passwd logrhythm
    4. Provide and confirm the password for the LogRhythm user.

    5. Add the LogRhythm user to the wheel group:

      CODE
      # usermod -aG wheel logrhythm
    6. Ensure permissions on the /usr/local/logrhythm path are correct for your LogRhythm user:

      CODE
      # sudo chown -R logrhythm:logrhythm /usr/local/logrhythm/
    7. Switch to the LogRhythm user:

      CODE
      # su - logrhythm
  4. Configure the SSH key.
    1. Generate the SSH key:

      CODE
      # ssh-keygen -t rsa
    2. Accept all defaults and do not enter a passphrase.

    3. Navigate to the ssh key:

      CODE
      # cd /home/logrhythm/.ssh
    4. Copy and authorize the key:

      CODE
      # cp id_rsa.pub authorized_keys
    5. SSH into the instance so that the host key for localhost is added to the list of known hosts:

      CODE
      # ssh localhost
    6. Enter yes when prompted to continue connecting.

    7. Log in as the newly created LogRhythm user.
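The following bash script is an added example and is not part of the LogRhythm documentation or product. It verifies the outcome of the user and SSH key steps above for a given home directory: that ~/.ssh and authorized_keys have permissions sshd will accept, that the key from id_rsa.pub is authorised, and that no other key has been added to authorized_keys. The function names, the constructed placeholder key strings and the temporary home directory used by the self-check are assumptions made for this example; GNU stat (as on Rocky/RHEL) is assumed.

```shell
#!/usr/bin/env bash
# Added example (not part of the LogRhythm documentation or product): a check
# that the logrhythm user's self-authorised SSH key is set up the way the DX
# installer expects, and that nothing unexpected is in authorized_keys.
# The self-check at the end runs against a constructed home directory.
set -eu

# Return the octal permission bits of a path (GNU stat assumed, as on Rocky/RHEL).
lr_mode() {
  stat -c '%a' "$1"
}

# Verify the key setup for the home directory given as $1:
#   - ~/.ssh is mode 700 and authorized_keys is 600 or 644
#     (sshd ignores a group- or world-writable authorized_keys)
#   - the public key in id_rsa.pub is present in authorized_keys
#   - authorized_keys contains no other keys
lr_check_ssh_setup() {
  local home="$1"
  local sshdir="$home/.ssh"
  local pub="$sshdir/id_rsa.pub"
  local auth="$sshdir/authorized_keys"
  [ -d "$sshdir" ] || { echo "missing $sshdir" >&2; return 1; }
  [ "$(lr_mode "$sshdir")" = 700 ] || { echo "$sshdir must be mode 700" >&2; return 1; }
  [ -f "$pub" ] && [ -f "$auth" ] || { echo "missing id_rsa.pub or authorized_keys" >&2; return 1; }
  case "$(lr_mode "$auth")" in
    600|644) ;;
    *) echo "$auth must be mode 600 or 644" >&2; return 1 ;;
  esac
  # Compare key type and key material only; the trailing comment may differ.
  local want have
  want=$(awk '{ print $1, $2 }' "$pub")
  have=$(awk 'NF && $1 !~ /^#/ { print $1, $2 }' "$auth")
  if [ "$have" != "$want" ]; then
    echo "authorized_keys does not match id_rsa.pub (missing or extra keys)" >&2
    return 1
  fi
  return 0
}

# Self-check against a constructed home directory with placeholder key text.
lr_selfcheck() {
  local h
  h=$(mktemp -d)
  mkdir -m 700 "$h/.ssh"
  # Constructed placeholder, not real key material.
  printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0EXAMPLEKEY= logrhythm@dx\n' > "$h/.ssh/id_rsa.pub"
  cp "$h/.ssh/id_rsa.pub" "$h/.ssh/authorized_keys"
  chmod 600 "$h/.ssh/authorized_keys"
  lr_check_ssh_setup "$h" && echo "ssh setup: OK"
  # Simulate an extra key being appended later; the check must now fail.
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE someone@example\n' >> "$h/.ssh/authorized_keys"
  lr_check_ssh_setup "$h" 2>/dev/null || echo "extra key detected as expected"
  rm -rf "$h"
}

lr_selfcheck
```

Run `lr_check_ssh_setup /home/logrhythm` as the logrhythm user before starting the installer: a failure here is the usual cause of the installer's SSH step prompting for a password it should not need, and a mismatch between id_rsa.pub and authorized_keys is worth investigating rather than silently fixing.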

  5. Install prerequisite packages for the LogRhythm Data Indexer:

    CODE
    # sudo yum install firewalld
    # sudo yum install sshpass
    # sudo yum install chrony
    # sudo yum install tar
  6. Install the Data Indexer.
    1. Prepare the DX install by moving the DX installer, plan.yml, and hosts file into the /home/logrhythm/Soft directory (the directory must already exist):

      CODE
      # sudo mv <filename> /home/logrhythm/Soft
    2. Run the installer with the hosts file argument:

      CODE
      sudo sh LRDataIndexer-<version>.x86_64.run --hosts <absolute path to .hosts file> --plan /home/logrhythm/Soft/plan.yml --es-cluster-name <cluster_name>

      Press Tab after starting to type the installer name and the filename autocompletes.

      Note: --es-cluster-name is required only for a fresh setup, not for an upgrade.
    3. When prompted for the SSH password, press Enter with no input.
    4. When prompted for the Sudo password, enter the password for the LogRhythm user created in earlier steps.
