The Secondlook API is a service used to load inactive archives, process archive logs, and restore selected logs into a Data Indexer cluster. This service supports only a single concurrent instance per LogRhythm deployment and should be installed in a location where it has access to all inactive archive paths used in the deployment. It is recommended to install the Secondlook API on a dedicated machine, or one which is otherwise not used for live log processing (like a Disaster Recovery server) as it consumes resources when archive restoration jobs are run and could impact production services if on a shared system. Secondlook API restoration performance is limited to 15,000 messages per second under ideal conditions. Performance of SecondLook restorations can vary in different environments and depending on restoration criteria.
Instructions on how to use SecondLook API can be found here.
Configure Hardware or Virtual Machine
This section describes how to configure your dedicated hardware or virtual machine, based on the Reference Platform you selected.
- Make sure your hardware or virtual machine is running 64-bit versions of Windows Server 2016, 2019, or 2022.
- Install .NET Framework 4.7.2+ as it is required by the LogRhythm Install Wizard. You can download the Microsoft .NET Framework 4.7.2 standalone installer here. The .NET Framework 4.7.2 installation requires 4.5 GB of free disk space.
- Run Windows Update to ensure the latest patches, updates, and service packs are installed.
- If deploying SecondLook API on a dedicated server or server which isn't otherwise part of your existing LogRhythm deployment you will need to install Common Services here prior to installing the SecondLook API service.
Shut Down Antivirus and Endpoint Protection Software
Shut down any antivirus or endpoint protection software you have running on all LogRhythm systems.
In the case of endpoint protection software, you may need to uninstall the software from all LogRhythm systems as it has been known to interfere with the LogRhythm solution.
When the LogRhythm installation is complete, you can enable or install antivirus or endpoint protection software again.
Run the LogRhythm Install Wizard
The LogRhythm Install Wizard can be used to install one or more applications or server roles on each server in your deployment. The wizard is designed for simplicity, so you can pick the applications or roles you are installing, and the wizard does everything else.
The installation of one or more applications should not take more than 10 minutes to complete. If you are installing on a virtual machine, the installation times will be slightly increased.
Use the LogRhythm Install Wizard to install or upgrade LogRhythm components in your deployment. You must run the Install Wizard on each appliance or server in your deployment, and select the appliance configuration that you want to install or upgrade.
- The LogRhythm Install Wizard requires .NET Framework version 4.7.2 or above.
- If you are installing or upgrading the Data Indexer or Web Console, ensure that Windows Firewall Service is running before starting the Install Wizard to allow firewall rules to be created and so the Common installer can open port 8300.
- Do not try to run the wizard from a network share. Run the wizard locally on each appliance.
- For systems with UAC (Vista and later), always run installers as a Local Administrator with elevated privileges. The person performing the installation must be in the Local Admin group, unless the domain is managed and the Group Policy Object dictates that only Domain Administrators can run installers.
- When installing the Web Console, it is recommended that you run the LogRhythm Install Wizard to install all Web Console services. You may choose to install the Web Console as a stand-alone installation or as part of the XM Appliance or Platform Manager (PM) configurations.
- Log in as an administrator on the appliance or server where you are installing or upgrading LogRhythm software.
- Copy the entire LogRhythm Install Wizard directory to a new directory on the local server.
- Open the Install Wizard directory, right-click LogRhythmInstallWizard.exe, and then click Run as administrator.
The Welcome screen appears.
- Click Next to proceed.
The wizard asks you to confirm that you have prepared the LogRhythm databases for the upgrade.
- Click one of the following:
- If you have run the Database Install or Upgrade Tool on each Platform Manager or XM server (or EM or LM server on 6.3.9 deployments), click Yes to continue.
- If you have not prepared the LogRhythm databases on all required appliances, click No to cancel the wizard, install or upgrade all of the required databases, and then continue with this procedure.
- Read the agreement carefully. By accepting the terms in the agreement, you agree to be bound by those terms.
If you accept the terms of the agreement, select the I accept the terms in the license agreement check box, and then click Next.
The configuration selector appears. Depending on the selected configuration, the wizard upgrades or installs a specific application or set of applications.For certain configurations, you can optionally select to install or upgrade the AI Engine.If you select the Web Console, it is installed to the default location, C:\Program Files\LogRhythm\LogRhythm Web Services. For instructions on how to install the Web Console to a custom location, see the Use the LogRhythm Configuration Manager section in this guide.
For each appliance that you install, select the target appliance configuration, according to the following table.
If you are upgrading an existing PM + DP appliance or another configuration that is not represented in the Install Wizard, select one of the available configurations and then run the wizard again to install the next configuration.
7.x.x Configuration Select… XM
Platform Manager PM Data Processor DP Client Console Client Console Web Console Web Console AI Engine AIE Data Collector/System Monitor DC LogRhythm Diagnostics Tool LRD Tool LogRhythm Diagnostics Tools Agent LRD Agent SecondLook Service SecondLook Service Optional Applications Select LogRhythm Diagnostics Tools Agent LRD Agent LogRhythm Diagnostics Tool LRD Tool SecondLook Service SecondLook Service AI Engine AI Engine Web Console Web Console
When you have selected the target configuration, click Install.
The LogRhythm Deployment Tool appears.The options available on the main page of the Deployment Tool depend on whether you are upgrading an existing deployment or installing a new one.
Select either Configure New Deployment or Upgrade Deployment, depending on your situation.
select the Deployment properties and click OK.
Follow the on-screen instructions to create a Deployment Package.Additional help is available by clicking the question mark icon in the upper-right of the tool.
When you are finished preparing your deployment, click Create Deployment Package.
Follow the on-screen instructions for Next Steps.
Once the steps are completed, click Exit to Install wizard.
Additional help is available by clicking the question mark icon in the upper-right of the tool.
Observe for any failures as the wizard installs or upgrades the applications according to the selected configurations.When the Client Console is installed on a fresh system, additional software packages must be installed such as Microsoft Visual C++ Redistributable packages, SAP Crystal Reports runtime engine, and .NET Framework 4.7.2. For this reason, the Client Console installer may take 30 minutes or more to complete.
Progress in the installation screen is indicated as follows:
Color Meaning Green The application was installed successfully. A message about the application and installed version
is also printed below the status indicators.
Blue The application is being installed. Yellow The current or a newer version of the application is already installed. Red Something went wrong and the application was not installed. Additional details will be printed
below the status indicators. If something went wrong, check the installer logs located in the following location:
C:\LogRhythm\Installer Logs\<install date and time>\During the Web Console installation or upgrade, if you receive a message that notifies you of an error with your Windows Installer package, go into each folder in C:\Program Files\LogRhythm\LogRhythm Web Services and run the unzip.bat file as an administrator. For other failures, run a Repair.
Configure your deployment using the LogRhythm Configuration Manager that appears after the installation or upgrade is complete.
The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited settings are shown in Basic mode. Advanced mode displays all settings, including those shown in Basic mode, grouped according to which service they affect. You can filter the settings that are displayed by clicking one of the options on the left — All (no filtering), Authentication, or Web Services. When settings are filtered, you should enable the Advanced view to ensure you can see all settings. For more information, see the Use the LogRhythm Configuration Manager section in this guide.While the Configuration Manager is still open, review your previous Web Console configuration values (backed up before starting the upgrade), turn on the advanced view, and validate or set all of the values in the Configuration Manager, especially the following:
- Global, Database Server. This is the IP address of your Platform Manager where the EMDB is installed.
- Web Global, Database Password. This is the password for the LogRhythmWebUI user, used by the Admin API for connecting to the EMDB. If the password is not correct, the Admin API will display an error.
- Web Console UI values. Verify all settings for all Web Console instances.
When finished, click Save, back up your current configuration to file, and then close the Configuration Manager.After you validate and save your configuration, it is strongly recommended that you make a new back up. Save the file in a safe location in case you need to restore it later.
To close the LogRhythm Install Wizard, click Exit.
Once your LogRhythm installation is complete, refer to the collection of topics in Get Started with LogRhythm SIEM for information on logging into the console, completing the new deployment wizard, and assigning licenses.
Configure SecondLook API in LogRhythm Configuration Manager
Within the Configuration Manager, configure the following required SecondLook Service settings:
Specify Search Path:
Enter the file path where LogRhythm archive files are stored. Use commas to separate multiple paths. For example, "D:\Archives\Inactive,\\server1\archives\inactive,\\server2\archives\inactive"
If the SecondLook API service is connecting to a remote UNC path ensure the service is running under a service account with appropriate permissions.
- Enable SecondLook:
Set to On to enable access to SecondLook within the Web Console.
Configure User Profiles
When enabled, default access to the SecondLook menu in the Web Console is available to global administrators only. To provide access to restricted administrators:
- Navigate to the Deployment Manager in the Client Console.
- Click Tools > Administration > User Profile Manager.
- Highlight the desired restricted administrator profile and select Properties.
- On the Management Permissions tab, check the box for the General Administration > Manage SecondLook (Web Console) permission.