
Gen5/6 Windows Appliance Software Configuration


After you complete the hardware installation of your LogRhythm Windows Appliance, this document will guide you through the initial configuration of your LogRhythm deployment. 

Work with your LogRhythm Professional Services Consultant or an authorized LogRhythm Deployment Certified Partner to complete the procedures outlined in this guide.

Prerequisites

Before starting your configuration, you need:

  • The LogRhythm License file (.LIC), sent by email to the technical point of contact at purchase, or obtained by contacting Support
  • The factory default password for the LogRhythm Database accounts (contact support or professional services if you do not have this)
  • The Platform Manager or XM (if all-in-one) Hostname or IP Address

Configure and Start LogRhythm Components

Configure the Platform Manager Service

  1. On the Start Menu, click the LogRhythm folder, and then click Platform Manager Configuration Manager.
  2. On the Job Manager tab, complete the following fields:
    • Server. The name or IP address of the Platform Manager database server
    • Password. The factory default password
  3. On the Alarming and Response Manager tab, complete the following fields:
    • Server. The name or IP address of the Platform Manager database server
    • Password. The factory default password
  4. Click OK.

Configure the Data Processor Service

  1. On the Start Menu, click the LogRhythm folder, and then click Data Processor Configuration Manager.
  2. On the General tab, complete the following fields:
    • Server. The name or IP address of the Platform Manager database server
    • Password. The factory default password
  3. Click OK.

Configure the AI Engine Service

  1. On the Start Menu, click the LogRhythm folder, and then click AIEngine Configuration Manager.
  2. On the General tab, complete the following fields:
    • Server. The name or IP address of the Platform Manager database server
    • Password. The factory default password
  3. Click OK.

Configure the System Monitor Agent Service

  1. On the Start Menu, click the LogRhythm folder, and then click System Monitor Configuration Manager.
  2. On the General tab, complete the following fields:
    • Data Processor Address. The hostname or IP address of the Data Processor server
    • System Monitor IP Address. The IP address of the System Monitor
    • Host Entity ID. The default is zero for a system-assigned ID
  3. Click OK.

Log in to the Client Console

  1. On the Start Menu, click the LogRhythm folder, and then click LogRhythm Console.
  2. Complete the following fields:
    • EMDB Server. The hostname or IP address of the Platform Manager server
    • User ID. logrhythmadmin
    • Password. The factory default password
  3. Click OK.

Complete New Deployment Wizard

Enter the following information in the New Deployment Wizard:

  1. Windows host name of the Platform Manager
    • Enter the host name where the Platform Manager is located. To find the host name, start File Explorer, right-click This PC, and then click Properties. Under Computer name, domain, and workgroup settings, get the Full computer name up to the first period where the domain name starts.
    • If the appliance type is XM, all LogRhythm components are contained in a single appliance.
  2. IP address of the Platform Manager
    Enter the IP address where the Platform Manager is located. Appliances are shipped with two Network Interface Cards (NICs). Typically, one NIC is used for Console connections, while the other NIC is used for database intercommunications. The IP address entered here will serve as a Console connection interface.
  3. The Platform Manager is also a Data Processor (e.g., an XM appliance)
    If this is an XM Appliance, which has all LogRhythm components contained in a single appliance, select this checkbox.
  4. The Platform Manager is also an AI Engine Server
    If AI Engine is installed on the Platform Manager, which means it is not deployed as a standalone appliance, select this checkbox.
  5. LogMart DB Server Override
    If the LogMart database is installed on a different host, enter the host IP address here.
  6. LogRhythm License file
    This file is provided by LogRhythm Support after purchase and shipment of the appliance(s), and it is required to access and configure LogRhythm.

    1. Navigate to the location of the license file (*.lic) by clicking the ellipses at the far right.
    2. Locate and select the master license file and click Open. The path and file name are listed in the License File text box.
    3. Click OK.
  7. When prompted, select the appropriate Data Processor licensing mode from the available, valid options. The mode depends on what was purchased:
    1. Software (n available licenses). Select this option to identify a software-only purchase.
    2. Appliance Mode for software and appliance purchase. Select this option to identify a software and appliance purchase.
    3. Data Processor MPS mode for software and appliance purchase. Select this option to use a Messages Per Second license.
  8. Click Next.
    The license options vary according to the option selected above.
  9. Select the appropriate licensing mode, and then click OK. The Initialize Knowledge Base window appears.

Complete Knowledge Base Import Wizard

After completing the New Deployment Wizard, the New Knowledge Base Deployment Wizard appears.

  1. Deploy the Knowledge Base by selecting one of the three following options:
    • I have Internet access and want to automatically download the KB (recommended).
      • Proxy Server Address. Enter the Proxy Server Address for the KB Download.
      • Proxy Server Port. Enter the port number for the server.
      • Select the Proxy Server Requires Authentication check box.
      • Enter the appropriate credentials and Host name, if necessary.
      • Click OK. The Knowledge Base is downloaded.
      • Click OK. Proceed to the Knowledge Base Importer Wizard section.
    • I do not have Internet access or want to manually download the KB.
      The Manual Knowledge Base Download window appears. Perform one of the following steps:
      • Export Knowledge Base Request File. Select this option to export a Knowledge Base request file and upload it to the Support Portal:
        1. Click OK and download the file to your drive.
          The Export Successful page appears.
        2. Click OK.
          The Knowledge Base Not Loaded page appears.
        3. Click OK and the Console closes.
      • Contact Customer Support. Select this option to obtain the Knowledge Base file from Customer Support:
        1. From a computer with Internet access, log in to the Support Portal at https://support.logrhythm.com.
        2. Go to the Downloads section to access the latest version of the Knowledge Base. The request screen displays.
        3. Choose from the following:
          1. Upload the Request File downloaded from the Console.
          2. Enter the License ID, the Deployment ID, and the Product Version.
        4. Click Get Knowledge Base.
        5. Save the Knowledge Base file and transfer it to the computer on which you are loading the Console.
        6. Restart the Console and follow the instructions in the I have already manually downloaded the KB section.
    • I have already manually downloaded the KB. Select this option to manually import the Knowledge Base file.
      1. The Knowledge Base Export Wizard appears and starts unpacking and validating the Knowledge Base file. The file is checked for compatibility with your current deployment and is prepared for import. This may take several minutes.
        Upon completion, the message Knowledge Base unpacked appears in the status.
      2. Click Next to import the Knowledge Base.
  2. When the Knowledge Base Updated message appears, click OK.
  3. On the Knowledge Base Import Wizard, click Close.

Configure the Platform

After completing the Knowledge Base import, the Missing Platform Manager Platform message is displayed.

  1. Click OK.
  2. In the Platform Manager Properties dialog box, click the browse icon next to the Platform box.
  3. In the Platform Selector table, select the row corresponding to your appliance, and then click OK.
  4. Enter the Email From Address, and then click OK.
    The Missing Data Processor Platform error message appears.
  5. Click OK.
  6. In the Data Processor Properties dialog box, click the browse icon next to the Platform box.
  7. In the Platform Selector table, select the row corresponding to your appliance, and then click OK.
  8. Click the list box under Cluster Name, then click the default cluster (logrhythm).
  9. In the lower-left corner of the Data Processor Properties dialog box, click Advanced.
    The Data Processor Advanced Properties dialog box appears.
  10. Change the ActiveArchivePath value from C:\LogRhythmArchives\Active to D:\LogRhythmArchives\Active.
  11. Change the InactiveArchivePath value from C:\LogRhythmArchives\Inactive to D:\LogRhythmArchives\Inactive.
  12. Click OK.
    The Restart Component message appears.
  13. Click OK.

Configure and Start Core Services

  1. Click the Start menu, and then click Windows Administrative Tools.
  2. Double-click the Services shortcut.
  3. Double-click each of the following services, set the startup type to Automatic, and click Start under Service status.

On an XM appliance, all of these services run on the XM appliance, so you start them all there. In a distributed setup, start each service on the appliance where it is installed.

  • LogRhythm AI Engine
  • LogRhythm AI Engine Communication Manager
  • LogRhythm Alarming and Response Manager
  • LogRhythm Job Manager
  • LogRhythm Mediator Server Service
  • LogRhythm System Monitor Service

Associate the Default System Monitor Agent

  1. In the LogRhythm Client Console, click Deployment Manager, and then click the System Monitors tab.
  2. In the top pane, under New System Monitor Agents, select the Action box next to the pending Agent.
  3. Right-click the selected Agent, and then click Associate.
    The Associate New System Monitor Agent with an Existing Agent message appears.
  4. Select the Agent and click OK.
    The “Associate Successful” message appears.
  5. Click OK.

Configure the Data Indexer

Accessing and configuring the Data Indexer differs slightly between Windows and Linux. Please refer to the appropriate procedure below according to your Data Indexer operating system.

Configure the Data Indexer on Windows

Configuration of the Data Indexer for Windows and Linux has moved from the individual clusters to the Configuration Manager on the Platform Manager. You can configure all Data Indexers using the LogRhythm Configuration Manager installed on the Platform Manager.

  • Cluster Name configuration is currently done through environment settings. Before configuring the Data Indexer on Windows, verify that the DX_ES_CLUSTER_NAME environment variable is set on both DR servers.
  • LogRhythm Service Registry, LogRhythm API Gateway and LogRhythm Windows Authentication API Service must be running before opening LogRhythm Configuration Manager
  • If you are configuring multiple data Indexers, all can be configured from the Primary PM as the configuration is centralized between servers.

    In an MSSP environment, DX Cluster names are visible to all Users of a Web Console, regardless of Entity segregation. For privacy reasons, avoid using cluster names that could be used to identify clients. Data and data privacy are still maintained; only the cluster name is visible

Do not attempt to modify consul configurations manually. If you have any issues, contact LogRhythm Customer Support.

To configure the Data Indexer:

  1. Open the Configuration Manager from programs on the Platform Manager.

  2. From the menu on the left, select the Data Indexers tab.

    Each installed Data Indexer has its own section that looks like this: 

    Data Indexer - Cluster Name: <ClusterName> Cluster Id: <ClusterID>

    The Cluster Name and Cluster ID come from the Environment variables, DX_ES_CLUSTER_NAME and DXCLUSTERID on each server. The Cluster Name can be modified in the Configuration Manager. If you change the Cluster Name, the name should be less than 50 characters long to ensure it displays properly in drop-down menus. The DXCLUSTERID is automatically set by the software and should not be modified.

  3. Verify or update the following Data Indexer settings:

    Do not modify any settings from their defaults unless you fully understand their impact. Modifying a setting incorrectly can negatively impact Data Indexer function and performance.

    Each setting is listed with its default value and a description.

    Database User ID, default LogRhythmNGLM
      Username the DX services will use to connect to the EMDB database. When in FIPS mode, Windows authentication is required (local or domain). When using a domain account, the Database Username must be in domain\username format.

    Database Password, default <LogRhythm Default>
      Password used by the DX services to connect to the EMDB database. It is highly recommended, and LogRhythm best practice, to change all MS SQL account passwords when setting up a deployment. Change the LogRhythmNGLM password in Microsoft SQL Server Management Studio first, then set the Database Password on the Data Indexer page to the same value.

    GoMaintain ForceMerge, default Disabled
      Enables or disables maintenance Force Merging. This can be left at the default value.

    Integrated Security, default Disabled
      This should be enabled when FIPS is enabled on the operating system.

    Click Show or Hide in Advanced View to toggle the view for Advanced Settings.

    Advanced View Settings:

    Transporter Max Log Size (bytes), default 1000000
      Maximum log size in bytes that can be indexed. This can be left at the default value.

    Transporter Web Server Port, default 16000
      Port that the Transporter service listens on. This can be left at the default value.

    Transporter Route Handler Timer (sec), default 10
      Indexing log batch timeout setting. This can be left at the default value.

    Elasticsearch Data Path, default D:\LRIndexer\data on Windows and /usr/local/logrhythm/db/data on Linux
      Path where Data Indexer data will be stored. The path will be created if it does not already exist. Modifying this path after the Data Indexer is installed does not move existing indices; they must be moved manually if the path is changed.

    GoMaintain TTL Logs (#indices), default -1
      Number of indices kept by the DX. This should be left at the default value.

    GoMaintain IndexManage Elasticsearch Sample Interval (sec), default 10
      Number of seconds between resource usage samples. This can be left at the default value.

    GoMaintain Elasticsearch Samples (#Samples), default 60
      Total number of samples taken before GoMaintain decides to take action when resource HWMs are reached.

    GoMaintain IndexManager Disk HWM (%diskutil), default 80
      Maximum disk utilization percentage for the drive where the data path is configured. This can be left at the default value.

    GoMaintain IndexManage Elasticsearch Heap HWM (%esheap), default 85
      Maximum heap usage percentage before GoMaintain closes an index to release resources. This can be left at the default value.

    Carpenter SQL Paging Size (#records), default 10000
      Number of records to pull from EMDB at one time when syncing EMDB indices. This can be left at the default value.

    Carpenter EMDB Sync Interval (#minutes), default 5
      How often the Carpenter service syncs EMDB indices. This can be left at the default value.

    Enable Warm Replicas, default Disabled
      Turns replicas on for Warm Indices. This setting only affects Linux Data Indexer clusters that contain warm nodes. This can be left at the default value.

  4. Click Submit.

Automatic Maintenance

Automatic maintenance is performed by the GoMaintain service and governed by several of the settings above. On startup, GoMaintain continuously takes samples from Elasticsearch stats, including disk and heap utilization, for the configured time frame.

GoMaintain automatically performs maintenance when High Water Mark settings are reached. Samples are taken over a period of time and analyzed before GoMaintain takes action on an index; the length of that period depends on the Sample Interval and #Samples settings. By default, this is 60 samples, 1 every 10 seconds, for a total of 10 minutes. If it is determined during that sample period that a High Water Mark setting was reached for an extended period of time, indices are closed, deleted, or moved to warm nodes depending on the Data Indexer configuration. After an action is taken and completed, the sample period begins again.

The DX monitors Elasticsearch memory and DX storage capacity. GoMaintain tracks heap pressure on the nodes. If the pressure constantly crosses the threshold, GoMaintain decreases the number of days of indices by closing the index. Closing the index removes the resource needs of managing that data and relieves the heap pressure on Elasticsearch. GoMaintain continues to close days until the memory is under the warning threshold, and continues to delete days based on the default disk utilization setting of 80%.
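To make the sampling arithmetic and the two actions concrete, here is a small Python model of one GoMaintain sampling window. It is an added example, not LogRhythm's GoMaintain code. The interval, sample count, HWM values and the heap/disk actions come from the settings above; the rule for what counts as "reached for an extended period" (at least 90% of samples at or above the HWM), the order of evaluation (heap before disk) and the index names are assumptions of the model.

```python
"""Toy model of the GoMaintain high-water-mark (HWM) sampling window.

Added example, not LogRhythm code. Assumptions not stated on the page:
- a window counts as "HWM reached for an extended period" when at least
  HWM_FRACTION of its samples are at or above the HWM;
- heap pressure is evaluated before disk pressure within one window;
- indices are listed oldest first; the index names are constructed.
"""
from dataclasses import dataclass

SAMPLE_INTERVAL_SEC = 10   # GoMaintain IndexManage Elasticsearch Sample Interval (sec)
SAMPLE_COUNT = 60          # GoMaintain Elasticsearch Samples (#Samples)
DISK_HWM_PCT = 80          # GoMaintain IndexManager Disk HWM (%diskutil)
HEAP_HWM_PCT = 85          # GoMaintain IndexManage Elasticsearch Heap HWM (%esheap)
HWM_FRACTION = 0.9         # assumed "extended period" rule


def window_seconds(interval_sec=SAMPLE_INTERVAL_SEC, count=SAMPLE_COUNT):
    """Wall-clock length of one sampling window (defaults: 60 x 10 s = 600 s)."""
    return interval_sec * count


def hwm_sustained(samples, hwm_pct, fraction=HWM_FRACTION):
    """True when the HWM was reached for an extended part of the window."""
    if not samples:
        return False
    hits = sum(1 for pct in samples if pct >= hwm_pct)
    return hits / len(samples) >= fraction


@dataclass
class Index:
    name: str
    state: str = "open"   # "open" or "closed"
    tier: str = "hot"     # "hot" or "warm"


class Cluster:
    def __init__(self, names, warm_nodes=False):
        self.indices = [Index(n) for n in names]   # oldest first
        self.warm_nodes = warm_nodes

    def names(self, state=None):
        return [i.name for i in self.indices if state is None or i.state == state]

    def relieve_heap(self):
        """Heap HWM: close the oldest open index (moved to warm first if warm nodes exist)."""
        for idx in self.indices:
            if idx.state == "open":
                if self.warm_nodes and idx.tier == "hot":
                    idx.tier = "warm"
                idx.state = "closed"
                return ("close", idx.name)
        return ("none", None)

    def relieve_disk(self):
        """Disk HWM: move the oldest index to warm if warm nodes exist, otherwise delete it."""
        if not self.indices:
            return ("none", None)
        oldest = self.indices[0]
        if self.warm_nodes and oldest.tier == "hot":
            oldest.tier = "warm"
            return ("move_to_warm", oldest.name)
        self.indices.pop(0)
        return ("delete", oldest.name)


def evaluate_window(cluster, heap_samples, disk_samples):
    """Decide and apply at most one action for a completed sampling window."""
    if hwm_sustained(heap_samples, HEAP_HWM_PCT):
        return cluster.relieve_heap()
    if hwm_sustained(disk_samples, DISK_HWM_PCT):
        return cluster.relieve_disk()
    return ("none", None)


def demo():
    """Constructed scenario: sustained heap pressure, then a brief disk spike."""
    cluster = Cluster(["logs-day1", "logs-day2", "logs-day3"])  # constructed names
    sustained_heap = [92] * 57 + [70] * 3    # 57 of 60 samples above 85% -> action
    brief_disk_spike = [60] * 55 + [95] * 5  # 5 of 60 samples above 80% -> ignored
    first = evaluate_window(cluster, sustained_heap, [50] * 60)
    second = evaluate_window(cluster, [60] * 60, brief_disk_spike)
    return first, second, cluster.names("closed")


if __name__ == "__main__":
    print(window_seconds(), demo())
```

The point of the model is the difference between a brief spike and a sustained condition: a short burst above the HWM inside a 10-minute window produces no action, while a window that stays above it closes exactly one index (the oldest), after which a fresh window starts.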

Logging of configuration and results for force merge can be found in C:\Program Files\LogRhythm\DataIndexer\logs\GoMaintain.log.

GoMaintain TTL Logs (#Indices)

The default configuration value is -1. With this value, GoMaintain monitors the system's resources and automatically manages the time-to-live (TTL). You can configure a lower TTL by changing this number. If this number is no longer achievable, the Data Indexer sends a diagnostic warning and starts closing the indices. Indices that have been closed by GoMaintain are not actively searchable after 7.9.x, but are maintained for reference purposes.

To show closed indices, run a curl command such as:

curl -s -XGET 'http://localhost:9200/_cat/indices?h=status,index' | awk '$1 == "close" {print $2}'

To show both open and closed indices, open a browser to http://localhost:9200/_cat/indices?v.

Indices can be reopened with the following query, as long as you have enough heap memory and disk space to support this index. If you do not, it immediately closes again.

curl -XPOST 'localhost:9200/<index>/_open?pretty'

After you open the index in this way, you can investigate the data in either the Web Console or Client Console.

Disk Utilization Limit

  • IndexManager Disk HWM (%diskUtil). Indicates the percentage of disk utilization that triggers maintenance. The default is 80, which means that maintenance starts when the Elasticsearch data disk is 80% full.
  • If Warm nodes are present, the disk utilization for combined Hot and Warm nodes will be tracked separately.

    The value for %diskUtil should not be set higher than 80. This can have an impact on the ability of Elasticsearch to store replica shards for the purpose of failover.

If Warm nodes are present, the oldest index will be moved to the Warm node(s) if the Disk HWM is reached.

Maintenance is applied to the active repository, as well as archive repositories created by Second Look. When the Disk Usage Limit is reached, active logs are trimmed when “max indices” is reached. At this point, GoMaintain deletes completed restored repositories starting with the oldest date.

The default settings prioritize restored repositories above the active log repository. Restored archived logs are maintained while sacrificing active logs. If you want to keep your active logs and delete archives for space, set your min indices equal to your max indices. This forces the maintenance process to delete restored repositories first.

Heap Utilization Limit

  • IndexManager Heap HWM (%esheap). Indicates the percentage of Elasticsearch (java) heap utilization that triggers maintenance. The default is 85, which means that maintenance starts when the Elasticsearch heap utilization reaches 85%.

    The value for %esheap should not be set higher than 85. This can have an impact on the ability of Elasticsearch searches and indexing and can degrade overall Elasticsearch performance.

  • If the Heap HWM is reached, GoMaintain will automatically close the oldest index in the cluster to release memory resources used by the cluster. If warm nodes are present in the cluster, the index will automatically be moved to the warm nodes before the index is closed.

    Closed Indices on Hot nodes cannot be searched and will remain in a closed state on the data indexer until the Utilization Limit is reached.

Force Merge Configuration

Do not modify any of the configuration options under Force Merge Config without the assistance of LogRhythm Support or Professional Services.

The force merge configuration combines index segments to improve search performance. In larger deployments, search performance can degrade over time due to a large number of segments. Force merge can alleviate this issue by optimizing older indices and reducing heap usage.

Enabling Force Merge will show these additional ForceMerge Settings:

  • GoMaintain ForceMerge Hour (UTC Hour of day). The hour of the day, in UTC, when the merge operation should begin. If Only Merge Periodically is set to false, GoMaintain merges segments continuously, and this setting is not used.
  • GoMaintain Forcemerge Days to Exclude. ForceMerging will take place only on indices excluding the first X indices, moving backwards in time.
  • Only Merge Periodically. If set to true, GoMaintain only merges segments once per day, at the hour specified by Hour Of Day For Periodic Merge. If set to false, GoMaintain merges segments on a continuous basis.

Configure the Data Indexer on Linux

Whether your Linux Data Indexer cluster is one node or 3 to 20 nodes, you only have to log in to the configuration page on one of the nodes. Note the following requirements:

  • On a Linux Data Indexer, you can only access the web page from an external computer that has access to the Data Indexer network.
  • You can only access the web page using Google Chrome, Mozilla Firefox (latest versions of each), or Internet Explorer 11.

Do not attempt to modify any configuration files manually. If you have any issues, contact LogRhythm Support.

To configure the Data Indexer:

  1. Log in to the DPX appliance as an administrator.
  2. Log in to a Windows server with network access to the Data Indexer nodes.
  3. Start one of the supported browsers.
  4. Type the IP address of one of the cluster nodes in the address bar, and then press Enter.
    The Data Indexer Configuration sign in page appears.
  5. Type admin in the Username box and the LogRhythm default password in the Password box, and then click Sign In.

    If you make any changes to the existing Indexer configuration, ensure that you click Submit before signing out or leaving the page.

  6. Modify or verify the following settings:

    CloudAI Config
      These configuration values apply only to users of the LogRhythm CloudAI solution.
      • Enable CloudAI. Enables (true) or disables (false) CloudAI in your LogRhythm deployment.

    All Conf Config
      • Administrator Password. Best practice is to change the default password for the admin user. Click Change Password, then use the Update Password dialog box to enter and confirm a new password. Passwords must be at least six (6) characters long. It is recommended that you create a strong password using a combination of numbers, letters, and special characters, and use both uppercase and lowercase letters.

    Carpenter Config
      • Db Password. This is the password used by the LogRhythmNGLM SQL account. Services on the Data Indexer use this account to connect to the EMDB and read/update tables. It is highly recommended and LogRhythm best practice to change all MS SQL account passwords when setting up a deployment. Change the LogRhythmNGLM password in Microsoft SQL Server Management Studio first, then set Db Password on the Data Indexer page to the same value.
      • Db Username. This should be left unchanged unless you have renamed the LogRhythmNGLM SQL account in SQL Server Management Studio. When in FIPS mode, Windows authentication is required (local or domain). When using a domain account, Db Username must be in the domain\username format.
      • Emdb Host. This must be set to the external IP address of your Platform Manager appliance, where the EMDB database is hosted. In High Availability deployments, this must be set to the HA Shared IP.
      • Minutes to Rest. This can be left at the default value.
      • Sql Paging Size. This can be left at the default value.

    Cluster Node Config
      Node Info [n]
      • Hostname. Cannot be changed.
      • Public IP. For each node, this must be set to the external IP address of your Data Indexer appliance or server.

    Elasticsearch Server Config
      Elasticsearch Server Settings [n]. Each entry has a Name and a Value:
      • cluster.name. If you only have one cluster, you can leave this value at the default: logrhythm. If you have more than one cluster, change this value so that each cluster name is unique. For example, logrhythm01, logrhythm02, and logrhythm03.
        In an MSSP environment, DX Cluster names are visible to all Users of a Web Console, regardless of Entity segregation. For privacy reasons, you may want to avoid using cluster names that could be used to identify clients. Data and data privacy are still maintained; only the cluster name is visible.
      • path.data. This is the directory where Elasticsearch data is stored. You can change this location if you like, but it is OK to leave the default location. If you have more than one path for data, you can specify multiple locations separated by a comma: /usr/local/logrhythm/db/data, /usr/local/logrhythm/db/data1/
        When you change this data path, you have to go to each node in the Data Indexer cluster and start the Elasticsearch service manually, one node at a time. The new path must be manually created and ownership for the new path must be changed.
      • path.logs. This is the directory where Elasticsearch logs are stored. You can change this location if you like, but it is OK to leave the default location.

    FIPS Config
      • Enabled. Enables or disables FIPS on the Data Indexer cluster. Set to false to disable FIPS, or set to true to enable FIPS. The default value is false.

  7. Click Submit.
    Your changes are pushed to the appropriate appliances and database tables, and all the required Indexer services start or restart.

Information about Automatic Maintenance

Automatic maintenance is governed by several settings in GoMaintain Config:

Disk Utilization Limit

  • Disk Util Limit. Indicates the percentage of disk utilization that triggers maintenance. The default is 80, which means that maintenance starts when the Elasticsearch data disk is 80% full.

    The value for Disk Util Limit should not be set higher than 80. This can have an impact on the ability of Elasticsearch to store replica shards for the purpose of failover.

Maintenance is applied to the active repository, as well as archive repositories created by Second Look. When the Disk Usage Limit is reached, active logs are trimmed when “max indices” is reached. At this point, Go Maintain deletes completed restored repositories starting with the oldest date.

The default settings prioritize restored repositories above the active log repository. Restored archived logs are maintained at the sacrifice of active logs. If you want to keep your active logs and delete archives for space, set your min indices equal to your max indices. This forces the maintenance process to delete restored repositories first.

Force Merge Config

Do not modify any of the configuration options under Force Merge Config without the assistance of LogRhythm Support or Professional Services.

The force merge configuration combines index segments to improve search performance. In larger deployments, search performance could degrade over time due to a large number of segments. Force merge can alleviate this issue by optimizing older indices and reducing heap usage.

  • Hour Of Day For Periodic Merge (default: 1). The hour of the day, in UTC, when the merge operation should begin. If Only Merge Periodically is set to false, Go Maintain merges segments continuously, and this setting is not used.
  • Merging Enabled (default: false). If set to true, merging is enabled. If set to false, merging is disabled.
  • Only Merge Periodically (default: false). If set to true, Go Maintain only merges segments once per day, at the hour specified by Hour Of Day For Periodic Merge. If set to false, Go Maintain merges segments on a continuous basis.

Logging of configuration and results for force merge can be found in C:\Program Files\LogRhythm\DataIndexer\logs\GoMaintain.log.
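The force merge settings in this section and in the Windows "Force Merge Configuration" section above interact in two ways that are easy to get wrong: the hour is interpreted in UTC, and it is ignored entirely in continuous mode. The following Python model is an added example, not LogRhythm's GoMaintain code. Its defaults follow the table above (Merging Enabled false, Only Merge Periodically false, Hour Of Day 1); the value used for Days to Exclude and the daily index dates are assumptions.

```python
"""Force-merge scheduling semantics modelled from the GoMaintain settings.

Added example, not LogRhythm code. The days_to_exclude default and the
per-day index dates are assumed; everything else follows the page's table.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone


@dataclass
class ForceMergeConfig:
    merging_enabled: bool = False          # Merging Enabled (default false)
    only_merge_periodically: bool = False  # Only Merge Periodically (default false)
    hour_of_day_utc: int = 1               # Hour Of Day For Periodic Merge (default 1, UTC)
    days_to_exclude: int = 2               # Forcemerge Days to Exclude (assumed value)


def merge_due(cfg, now):
    """Whether a merge pass should start at `now` (a timezone-aware datetime).

    Continuous mode ignores the hour setting; periodic mode compares the
    configured UTC hour, so a datetime in any zone is converted to UTC first."""
    if not cfg.merging_enabled:
        return False
    if not cfg.only_merge_periodically:
        return True
    if now.tzinfo is None:
        raise ValueError("use a timezone-aware datetime; the hour is interpreted in UTC")
    return now.astimezone(timezone.utc).hour == cfg.hour_of_day_utc


def merge_candidates(cfg, index_days):
    """Index dates eligible for merging, oldest first.

    The newest `days_to_exclude` indices (counting backwards in time from the
    newest) are skipped; the order of the input does not matter."""
    ordered = sorted(index_days)  # oldest ... newest
    keep = max(0, len(ordered) - cfg.days_to_exclude)
    return ordered[:keep]


def demo():
    """Constructed scenario: five daily indices given out of order."""
    periodic = ForceMergeConfig(merging_enabled=True, only_merge_periodically=True)
    days = [date(2024, 3, 3), date(2024, 3, 1), date(2024, 3, 5),
            date(2024, 3, 4), date(2024, 3, 2)]
    utc = timezone.utc
    return {
        "disabled": merge_due(ForceMergeConfig(), datetime(2024, 3, 5, 1, tzinfo=utc)),
        "continuous_midday": merge_due(ForceMergeConfig(merging_enabled=True),
                                       datetime(2024, 3, 5, 13, tzinfo=utc)),
        "periodic_at_hour": merge_due(periodic, datetime(2024, 3, 5, 1, 30, tzinfo=utc)),
        "periodic_off_hour": merge_due(periodic, datetime(2024, 3, 5, 2, tzinfo=utc)),
        # 03:30 at UTC+2 is 01:30 UTC, so the periodic merge is due
        "periodic_local_time": merge_due(
            periodic, datetime(2024, 3, 5, 3, 30, tzinfo=timezone(timedelta(hours=2)))),
        "candidates": [d.isoformat() for d in merge_candidates(periodic, days)],
        "candidates_all_excluded": merge_candidates(
            ForceMergeConfig(days_to_exclude=10), days),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The local-time case is the one to remember when reading GoMaintain.log: a merge that "did not start at the configured hour" on an appliance whose clock is shown in local time usually did start, at that hour in UTC.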

Index Configs

The DX monitors Elasticsearch memory and DX storage capacity. GoMaintain tracks heap pressure on the nodes. If the pressure constantly crosses the threshold, GoMaintain decreases the number of days of indices by closing the index. Closing the index removes the resource needs of managing that data and relieves the heap pressure on Elasticsearch. GoMaintain continues to close days until the memory is under the warning threshold, and continues to delete days based on the disk utilization setting of 80% by default.

The default config value is -1. With this value, GoMaintain monitors the system's resources and automatically manages the time-to-live (TTL). You can configure a lower TTL by changing this number. If this number is no longer achievable, the DX sends a diagnostic warning and starts closing the indices.

Indices that have been closed by GoMaintain are not actively searchable in LogRhythm SIEM but are maintained for reference purposes. To see which indices are closed, you can run a curl command such as the following:

curl -s -XGET 'http://localhost:9200/_cat/indices?h=status,index' | awk '$1 == "close" {print $2}'

You can also open a browser to http://localhost:9200/_cat/indices?v to show both open and closed indices.

Indices can be reopened with the following query as long as you have enough heap memory and disk space to support this index. If you do not, it immediately closes again.

curl -XPOST 'localhost:9200/<index>/_open?pretty'

After you open the index in this way, you can investigate the data in either the Web Console or Client Console.
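The curl and awk one-liner shown here (and in the Windows "GoMaintain TTL Logs" section above) keeps only the status and index columns. When you want the full `_cat/indices?v` listing in a script, the blank cells that closed indices leave in it break a naive whitespace split, so the columns have to be cut at the header positions. The following Python parser is an added example, not LogRhythm's or Elasticsearch's code; the listing embedded in it is constructed for the example (the index names, UUIDs and sizes are made up).

```python
"""Parser for the verbose Elasticsearch `_cat/indices?v` listing.

Added example, not LogRhythm code. The sample listing is constructed; closed
indices leave several cells blank, so columns are sliced at the header's
start positions instead of splitting on whitespace.
"""
import re
import sys

CAT_INDICES_SAMPLE = """\
health status index           uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   logs-2024-03-04 K1nbq2v9Rk6w2e1lYQ-AAA   1   1      12034            0     18.2mb          9.1mb
green  open   logs-2024-03-03 Q9xZ0mP1S5qgq3pV3r-BBB   1   1      11877            0     17.9mb          8.9mb
       close  logs-2024-03-02 Zp0d4oG0T1qj8f2b2Q-CCC   1   1
       close  logs-2024-03-01 Wv8e1cK7R0ae6m4x9L-DDD   1   1
"""


def parse_cat_indices(text):
    """Return one dict per index row, keyed by the header names.

    Each column spans from its header word's start to the next header word's
    start, so blank cells (as left by closed indices) become empty strings."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    starts = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    bounds = [
        (name, start, starts[i + 1][1] if i + 1 < len(starts) else None)
        for i, (name, start) in enumerate(starts)
    ]
    return [{name: row[start:end].strip() for name, start, end in bounds} for row in rows]


def closed_indices(text):
    """Names of indices whose status column is 'close', in listing order."""
    return [r["index"] for r in parse_cat_indices(text) if r["status"] == "close"]


def summarize(records):
    """Counts of open and closed indices plus the document total of open ones."""
    open_recs = [r for r in records if r["status"] == "open"]
    return {
        "open": len(open_recs),
        "closed": sum(r["status"] == "close" for r in records),
        # closed indices report no docs.count, so only digit cells are summed
        "docs": sum(int(r["docs.count"]) for r in open_recs if r["docs.count"].isdigit()),
    }


if __name__ == "__main__":
    # Read a real listing from stdin when piped, else fall back to the sample:
    #   curl -s 'http://localhost:9200/_cat/indices?v' | python3 cat_indices.py
    text = sys.stdin.read() if not sys.stdin.isatty() else CAT_INDICES_SAMPLE
    records = parse_cat_indices(text)
    print("closed:", closed_indices(text))
    print(summarize(records))
```

Run it against live output by piping the curl command from this section into the script; the `__main__` block falls back to the constructed sample when nothing is piped in.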

Verify Appliance Functionality

  1. Verify Log Collection via Tail. For more information, see the Create New Tails topic in the SIEM Help.
  2. Ensure log data is being received by viewing the log data in the Tail display.
  3. Configure the Tail to query all available log sources for the last 24 hours. Do not configure any filters.
  4. Ensure logs are being processed by double-clicking a row in the Log/Event List pane, and checking for metadata parsing and classification. It is sufficient to verify some data loaded into the fields on the Processed Metadata Fields tab.
  5. Verify Event Forwarding by opening the Personal Dashboard and viewing events as they arrive.
  6. Visually check system health and status by opening the Deployment Monitor. The Deployment Monitor provides statistics about log collection and system resource usage.

Log collection happens from the older date to the newer date. If no data is present, repeat the Tail using a timeframe further in the past. It may take your LogRhythm appliance several hours to catch up to the present after collection begins.

Additional Tasks

  1. Activate and register the Microsoft Windows operating system on the appliance.
  2. Ensure that you have the latest LogRhythm software, especially if there was a time lapse between the receipt and the setup of the appliance.
  3. Configure log collection from additional sources.
  4. Run Microsoft Windows Update to confirm that you have the latest Microsoft updates installed on the appliance.



