Complete Additional LogRhythm Installation Tasks
Configure or Verify Communication Ports
LogRhythm installers should open the TCP ports required for component communications. Additional configuration may be required, as described in this section. For more information on ports, see the Networking and Communication topic in the Enterprise SIEM Help.
Configure Access for Remote Consoles
Users should access their LogRhythm deployment using a Client Console that is installed on their local workstation or through Citrix/Terminal Services (that is, not via the Client Console that is installed on the XM or Event Manager/Platform Manager). For this reason, some configuration to allow remote access may be required after upgrading to the latest version of LogRhythm SIEM.
If any intermediary firewalls are enabled between any LogRhythm Client Consoles and the Data Indexer, including the Windows Firewall on any LogRhythm appliance, you must add the following rules to each firewall if access to the Data Indexer IP address is not already allowed by applied policies:
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13130
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13132
Verify Ports on the Linux Data Indexer
To verify which ports are listening for incoming traffic on a Linux Indexer node, log on to the Indexer node as logrhythm and run the following command:
sudo firewall-cmd --permanent --zone=public --list-all
This lists all the public ports opened for DX:
- 8501/tcp
- 8300/udp
- 8301/udp
- 8300/tcp
- 8301/tcp
If you need to open any incoming ports on the Linux Indexer, do the following:
- Log on to the Indexer node as logrhythm and run the following commands, replacing port with the port number to open:
sudo firewall-cmd --zone=public --add-port=port/tcp --permanent
sudo firewall-cmd --reload
- Repeat the steps above on each Linux Data Indexer.
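As an added example (not LogRhythm's own tooling), the following POSIX shell script compares the ports that firewalld reports open in the public zone against the DX port list above and prints the firewall-cmd commands that would open any that are missing. It runs against a constructed sample of --list-all output in which 8301/tcp is deliberately absent; on a real Indexer node, replace the sample with the actual output of the command shown above.

```shell
#!/bin/sh
# Added example, not LogRhythm's own script: check firewalld public-zone ports
# on a Linux Data Indexer against the list the documentation expects.

# Ports the documentation lists as required for the Linux DX.
DX_PORTS="8501/tcp 8300/udp 8301/udp 8300/tcp 8301/tcp"

# Constructed sample of "firewall-cmd --permanent --zone=public --list-all"
# output; 8301/tcp is intentionally missing so the check has something to report.
SAMPLE_OUTPUT='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 8501/tcp 8300/udp 8301/udp 8300/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Read --list-all output from stdin and print the entries of its "ports:" line,
# one per line (the "forward-ports:" and "source-ports:" lines do not match).
open_ports() {
    sed -n 's/^[[:space:]]*ports:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# Print each required DX port that is absent from the given --list-all output.
missing_ports() {
    opened=$(printf '%s\n' "$1" | open_ports)
    for p in $DX_PORTS; do
        echo "$opened" | grep -qxF "$p" || echo "$p"
    done
}

# Print (do not run) the documented commands that would open each missing port.
remediation_commands() {
    missing=$(missing_ports "$1")
    [ -z "$missing" ] && return 0
    for p in $missing; do
        echo "sudo firewall-cmd --zone=public --add-port=$p --permanent"
    done
    echo "sudo firewall-cmd --reload"
}

missing_ports "$SAMPLE_OUTPUT"
remediation_commands "$SAMPLE_OUTPUT"
```

Replace SAMPLE_OUTPUT with "$(sudo firewall-cmd --permanent --zone=public --list-all)" to check a live node; the printed commands are the same ones the steps above tell you to run.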
Verify Ports on the Windows Data Indexer or the Data Processor
To verify allowed ports on a Windows server host:
- Log on to the Windows server as an administrator.
- Open a command prompt and run the following command:
netsh firewall show state
Ports that are currently open on all interfaces are displayed below the firewall status. The netsh command has been deprecated but should still work on Windows Server 2008 R2, 2012 R2, and 2016. If necessary, start Windows Firewall and search for the ports that are allowed on the current server.
If you need to allow any ports on a Windows server host:
- Log on to the Windows server as an administrator.
- Open a command prompt and run the following command, replacing rule name with a descriptive name and port with the port number to allow:
netsh advfirewall firewall add rule name="rule name" dir=in action=allow protocol=TCP localport=port
Verify SQL Server Authentication and LogRhythm Databases
To verify authentication on the Platform Manager or XM server:
- Click Start, Apps, and then Microsoft SQL Server Management Studio.
- In the Connect to Server window, enter the following information:
- Authentication. SQL Server Authentication
- Login. sa
- Password. Enter the appropriate password
- Click Connect.
The Microsoft SQL Server Management Studio window opens.
- Expand the Databases folder. You should see the following LogRhythm Databases:
- LogRhythm_Alarms
- LogRhythm_CMDB
- LogRhythm_Events
- LogRhythm_LogMart
- LogRhythmEMDB
- Exit Microsoft SQL Server Management Studio.
Verify LogRhythm Installation
Verify that the installation completed successfully by checking for the LogRhythm components in Add/Remove Programs.
1. Click Start, Control Panel, and Add/Remove Programs.
2. Search for the following LogRhythm components on each server type and verify the version within the support information link.
LogRhythm Component | XM | PM | DP | DX | AIE | Collector
---|---|---|---|---|---|---
Advanced Intelligence (AI) Engine | X | X | X | | |
Alarming Manager | X | X | | | |
Console* | X | X | | | |
Data Indexer (DX) | X | X | | | |
Job Manager | X | X | | | |
Mediator Server Service | X | X | | | |
System Monitor Service** | X | X | X | X | X |
Common | X | X | | | |
* The Console can be installed on any supported system.
** The System Monitor can be installed on any supported system. At a minimum, you must install it on the XM or PM.
If you have any issues with the installation, contact LogRhythm Support. C:\LogRhythm\InstallLogs contains the install logs that may supply useful error messages for support.
Verify Web Console Processes
The installer automatically starts the services and processes needed to run the Web Console. However, you should ensure that these processes are running by doing the following:
- Go to Services on your machines.
- Verify that the following services have started:
- LogRhythm API Gateway
- LogRhythm Authentication API
- LogRhythm Case API
- LogRhythm Service Registry
- LogRhythm Threat Intelligence API
- LogRhythm Web Console API
- LogRhythm Web Console UI
- LogRhythm Web Indexer
- LogRhythm Web Services Host API
- Go to Task Manager on your machine.
- Verify that the following services have started:
- java.exe (one instance)
- LogRhythm.Web.Services.ServicesHost.exe
- LogRhythmAPIGateway.exe
- LogRhythmAuthenticationAPI.exe
- LogRhythmCaseAPI.exe
- LogRhythmServiceRegistry.exe
- LogRhythmThreatIntelligence.exe
- lr-threat-intelligence-api.exe (32 bit)
- LogRhythmWebConsoleAPI.exe
- LogRhythmWebConsoleUI.exe
- LogRhythmWebIndexer.exe
- LogRhythmWebServicesHostAPI.exe
- nginx.exe *32 (a minimum of two instances)
- node.exe (four instances)
- procman.exe (eight instances)
- NSSM Service Manager
NSSM is not a LogRhythm application, but a third-party service manager that provides a wrapper around Java, Go, and other services to ensure that they run properly on Windows and that they are restarted when they stop.
Install Other Agents
To install the LogRhythm System Monitor Agent on other machines, or to install the non-Windows System Monitor Agents:
- System Monitor installer files are available in the LogRhythm Install Wizard, in the Installers subfolder. Make sure to use the appropriate file for 32-bit or 64-bit systems:
- LRSystemMonitor_7.x.x.xxxx.exe
- LRSystemMonitor_64_7.x.x.xxxx.exe
- Download *NIX System Monitor Agent packages from the release downloads page on the LogRhythm Community. Text-based installation instructions for each package and platform are available, and additional installation instructions are available in the SYSMON documentation.
For all *NIX operating systems that support Realtime FIM, the System Monitor requires root privileges.
Configure the LogRhythm Software
You can work directly with Professional Services to configure your LogRhythm Solution, or you can follow the steps in the New Deployment Wizard topic in the LogRhythm SIEM Help. You can find additional resources on the LogRhythm Community.
The LogRhythm upgrade guides contain information about some post-upgrade (or postinstall) configurations that are important to your deployment. You may want to review those guides to ensure that at least the following items are addressed:
- Ensure that all Data Processors are assigned to a cluster
- Verify the IP Address of the LogMart Database Server
You need the following items for the deployment, whether you configure LogRhythm yourself or you work with Professional Services:
- LogRhythm License File that is sent via email
- LogRhythm Knowledge Base (extension .lkb), which is located in the following folder: \LogRhythm\Install\KB
Add Realtime Antivirus Exclusions for LogRhythm
If you removed third-party antivirus or endpoint protection software to conduct an upgrade or installation, reinstall it. When running antivirus scanning software on a LogRhythm platform and/or on System Monitor Agent systems, be sure to exclude the following directories from realtime antivirus scans. Scanning these directories has a major impact on the performance of the LogRhythm platform. However, these locations should still be scanned on a regularly scheduled basis.
The following lists include the default directories. However, the location of any State folder (including AI Engine, Job Manager, and SCARM) and archive data is customizable to use any location (for example, D:\). The locations of these folders need to be excluded.
XM Appliance
If you have an XM appliance, apply the exclusions specified for the PM, DPX, and AIE (if installed).
PM Appliance
- D:\*.mdf
- L:\*.ldf
- T:\*.mdf
- T:\*.ldf
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
- C:\tmp\indices\ (if Web Console is installed on the PM)
- If the Threat Intelligence Service (TIS) is installed:
- C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\*.*
- C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\staging\HailATaxii\*.*
DP or DPX Appliance (Windows)
- All files in the directories and sub-directories of the paths stored in the environment variables %DXPATH%, %DXCONFIGPATH%, and %DXDATAPATH%. By default, this is D:\Program Files\LogRhythm\Data Indexer\. To view the environment variables, go to the Advanced System Settings, and click Environment Variables.
- D:\LogRhythmArchives\Active\*.lua
- X:\LogRhythmArchives\Inactive\*.lca (where X: is the location of the inactive archives, D: by default)
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
- X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.bin (where X: is the location of the state folder)
- X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.dgz (where X: is the location of the state folder)
- C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\data
- C:\Program Files\LogRhythm\Data Indexer\elasticsearch\data
- C:\Windows\Temp\jtds*.tmp
DX Appliance (Linux)
- /usr/local/logrhythm/db/elasticsearch/data (default path, includes both state and data files)
AIE Appliance
- C:\Program Files\LogRhythm\LogRhythm AI Engine\data\*.*
- C:\Program Files\LogRhythm\LogRhythm AI Engine\state\*.*
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
If the AIE service is running on the PM appliance, exclude these directories on the PM.
Collector Appliance or Agents Deployed on Servers
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.bin
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.suspense
The above paths are the default installation location for the System Monitor Agent. If you install the Agent in a different location (for example, D:\), update the exclusions as required.
Agents Deployed on Linux Servers
- /opt/logrhythm/scsm/state/*.pos
- /opt/logrhythm/scsm/state/*.suspense
Web Console
- D:\tmp\indices
High Availability Deployments
- C:\lk\* directory (or whichever folder LifeKeeper is installed in)
- C:\Program Files (x86)\SIOS\DataKeeper directory (or whichever folder DataKeeper is installed in)
- C:\Program Files (x86)\SIOS\DataKeeper\Bitmaps (or whichever folder the bitmap file is stored in)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
- Registry keys used by SIOS, available at the following link: http://docs.us.sios.com/WindowsSPS/8.6/SPS4W/TechDoc/index.htm#DataKeeper/Administration/Registry_Entries.htm%3FTocPath%3DDataKeeper%7CAdministration%7C_____10
Once your LogRhythm installation is complete, refer to the collection of topics in Get Started with LogRhythm Enterprise for information on logging into the console, completing the new deployment wizard, and assigning licenses.