Microsoft Azure Installations

This section provides information about how to design and deploy LogRhythm in Microsoft Azure.

It is assumed that the user has experience with Microsoft HyperV and Azure services.

Design

Designing LogRhythm in Azure is similar to on-premise deployments. However, there are some areas of optimization that can reduce OS and SQL licensing costs, which are per-core. In most cases where an all-in-one XM would be used on physical hardware, it doesn't make sense when you are effectively renting licensing for the OS and SQL. In public cloud environments, it's often more cost-effective to split the deployment into separate small components, such as a small PM (less vCPU for SQL licensing) + DPAWC (remaining Windows based services) + DX (Linux services). Assess the volume needs of your organization and match them to the LogRhythm Reference Architecture.

Windows Systems

Create Windows Virtual Machines using the standard compute instances from Azure. Select the newest operating system supported on your version of LogRhythm.

The VM disk type should be SSD.
Select the size of the instance based on your appliance sizing needs using the Azure Reference Architecture table in the Reference Architecture topic.
Storage should be set to use managed disks.

After creating the instance, you will need to add data disks to match the reference architecture. By default, the Windows instances will create a temporary OS disk that is used for swap and emptied with every shutdown.

If using instances with included Local Storage, you must change the drive letter of the swap space disk from D to something else. On XM and PM systems the LogRhythm Database Install Tool requires the D drive be used for database storage. If you install to this swap disk, all of the databases will be removed with the virtual machine is shut down.

Linux Systems (Data Indexer)

LogRhythm recommends installing a Rocky Linux 9.x minimal image or Red Hat Enterprise Linux 9 and adhering to the following steps:

Use SSD for the VM disk type.
Select the size of the instance based on your appliance sizing needs using the Azure Reference Architecture table in the Reference Architecture topic.
Set storage to use managed disks.
Set up VM access as SSH with the LogRhythm user. Doing so makes step 5 unnecessary and you can skip to step 6.
Create LogRhythm user.

Skip this section if the LogRhythm user was already created to access the VM. If the user already exists with SSH access, skip to the Install the Data Indexer section below.
1. Log into the Azure instance and elevate to the root user:
  CODE
```
# sudo su
```
2. Add a new user called logrhythm:
  CODE
```
# adduser logrhythm
```
3. Set the password for the LogRhythm user:
  CODE
```
# passwd logrhythm
```
4. Provide and confirm the desired password for the LogRhythm user.
5. Add the LogRhythm user to the wheel group:
  CODE
```
# usermod -aG wheel logrhythm
```
6. Navigate to the LogRhythm user:
  CODE
```
# su - logrhythm
```
Configure the SSH key.
1. Generate the SSH key:
  CODE
```
# ssh-keygen -t rsa
```
2. Accept all defaults and do not enter a password.
3. Navigate to the SSH key:
  CODE
```
# cd /home/logrhythm/.ssh
```
4. Copy and authorize the key:
  CODE
```
# cp id_rsa.pub authorized_keys
```
5. SSH into the instance and add the SSH key to the list of known hosts:
  CODE
```
# ssh localhost
```
6. Enter yes when prompted to continue connecting.
7. Log in as the newly created LogRhythm user.
Install the Data Indexer.
1. Prepare the DX install by moving the DX installer, plan.yml, and hosts file to the Soft directory:
  CODE
```
# sudo mv <filename> /home/logrhythm/Soft
```
2. Run the DX installer:
  CODE
```
# sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/Soft/hosts --plan /home/logrhythm/Soft/plan.yml
```
3. When prompted for the SSH password, press Enter with no input or enter the LogRhythm user password.
4. When prompted for the Sudo password, enter the password for the LogRhythm user created in earlier steps.