Perform Post-Upgrade Procedures on an Upgraded HA Deployment

Before performing post-upgrade procedures, it is recommended to restart LR Core systems (such as the PM, DP, and DX) that have been upgraded.

Upgrade and Start Other Agents

Agents on other collectors and aggregators can be upgraded at any time, although we recommend upgrading them now.

Windows and Linux System Monitors can be upgraded in bulk using the System Monitor Package Manager in the Client Console. For additional information about this and about general System Monitor installation and upgrades, see the LogRhythm System Monitor documentation.

Windows hosts running System Monitors prior to version 7.2.x may not have .NET Framework 4.7.2 installed. If your Windows host does not have .NET Framework 4.7.2 installed, we do not recommend using the System Monitor Package Manager automatic update option. Since installing .NET Framework 4.7.2 requires a system reboot, the automatic update process will be disrupted and the Package Manager will not complete the installation process.

For additional information on System Monitor Agent installation, see the Set Up an Initial System Monitor Agent topic in the LogRhythm System Monitor documentation.

Windows

Users who attempt to upgrade the 32-bit System Monitor on a system having MS KB2918614 applied may encounter a software restriction policy error. In this case, the existing System Monitor should be uninstalled before attempting the upgrade.

To upgrade System Monitor Agent, do the following:

1. Log on with the Administrator account, or an account having administrative privileges, to the system where the System Monitor Agent is installed.
2. Before removing System Monitor, verify the account used for the System Monitor Service. In Windows Services console, right-click and view Properties, and click the Log On tab. If the service does not use Local System account, you will need the password to that account when installing the Agent, or you need a new account and password.
3. To open Windows Services, click Start, Administrative Tools, and Services.
4. Stop the service called LogRhythm System Monitor service.

5. Run the installer for the 32-bit or 64-bit System Monitor Agent, LRSystemMonitor_#.#.#.#.exe.

   

   If running Windows 2008, Vista, or Windows 7, you must run the installer as administrator.
6. If the system does not have the Microsoft Visual C++ 2010 Redistributable Package installed, click Install.
7. Follow the instructions in the Install Wizard.
8. If prompted, accept the license agreement.
9. Choose the default installation path, and then click Next.
10. To determine if you have sufficient space for installation, click Space and then click OK.

11. (Optional) Install the Realtime FIM driver.

    

    Realtime FIM is included with the System Monitor Lite license for desktop operating systems only. A System Monitor Pro or Collector license is required for servers. For more information, see LogRhythm System Monitor Compatibility and Functionality.

12. On the Install Wizard Completed screen, clear the Launch System Monitor Configuration Manager check box.
13. If your LogRhythm Windows System Monitor Agent service uses Windows accounts, open Windows Services Control Panel.
14. Click the Log On tab and add the service account and password in the service properties.
15. To start the Agent, click Start, Administrative Tools, and Services. Right-click the agent and select Start.
16. Repeat these steps for other Windows System Monitor Agents in your deployment.

(Optional) *NIX

Only Linux 2.4 & 2.6 can be upgraded directly. Other *NIX agents must be uninstalled and reinstalled.

Read the instructions included with the installer package for your particular operating system.

1. Copy the files from the installer package to the *NIX system.
2. Follow the instructions in the scsm_<operating_system>.txt file to uninstall the old version.
3. Decompress the file with the .tar extension, using tar xf scsm_<operating_system>.tar.
4. Follow the instructions in the scsm_<operating_system>.txt file to install the new *NIX System Monitor Agent.
5. Start the *NIX System Monitor Agent according to the instructions in the scsm_<operating_ system>.txt file.
6. Repeat for all *NIX Agents in your deployment.

Configure or Verify Communication Ports

LogRhythm installers should open the TCP ports required for component communications. Additional configuration may be required, as described in this section. For more information on ports, see the Networking and Communication topic in the Enterprise SIEM Help.

If you need assistance with any of the procedures listed below, contact your system or network administrator.

Configure Access for Remote Consoles

Users should access their LogRhythm deployment using a Client Console that is installed on their local workstation or through Citrix/Terminal Services (that is, not via the Client Console that is installed on the XM or Event Manager/Platform Manager). For this reason, some configuration to allow remote access may be required after upgrading to the latest version of LogRhythm SIEM.

If any intermediary firewalls are enabled between any LogRhythm Client Consoles, including the Windows Firewall on any LogRhythm appliance, you must add the following rule to each firewall if access to the Data Indexer IP address is not already allowed by applied policies:

ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13130

ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13132

Verify Ports on the Linux Data Indexer

To verify which ports are listening for incoming traffic on a Linux Indexer node, log on to the Indexer node as logrhythm and run the following command:

sudo firewall-cmd --permanent --zone=public --list-all

This lists all the public ports opened for DX: 

• 8501/tcp
• 8300/udp
• 8301/udp
• 8300/tcp
• 8301/tcp

If you need to open any incoming ports on the Linux Indexer, do the following:

1. Log on to the Indexer node as logrhythm and run the following commands:

   CODE

   sudo firewall-cmd --zone=public --add-port=port/tcp --permanent
   sudo firewall-cmd –-reload

2. Repeat the steps above on each Linux Data Indexer.

Verify Ports on the Windows Data Indexer or the Data Processor

To verify allowed ports on a Windows server host:

1. Log on to the Windows server as an administrator.

2. Open a command prompt and run the following command:

   CODE

   netsh firewall show state

   
   Ports that are currently open on all interfaces are displayed below the firewall status.

   

   The netsh command has been deprecated but should still work on Windows Server 2008 R2, 2012 R2, and 2016. If necessary, start Windows Firewall and search for the ports that are allowed on the current server.

If you need to allow any ports on a Windows server host:

1. Log on to the Windows server as an administrator.

2. Open a command prompt and run the following command:

   CODE

   netsh advfirewall firewall add rule name="rule name" dir=in action=allow protocol=TCP localport=port

Add Realtime Antivirus Exclusions for LogRhythm

If you removed third party antivirus or endpoint protection software to conduct an upgrade or installation, reinstall it. When running antivirus scanning software on a LogRhythm platform and/or on System Monitor Agent systems, be sure to exclude the following directories from realtime antivirus scans. Scanning these directories has a major impact on the performance of the LogRhythm platform. However, these locations should be scanned on a regularly scheduled basis.

The following lists include the default directories. However, the location of any State folder (including AI Engine, Job Manager, and SCARM) and archive data is customizable to use any location (for example, D:\). The locations of these folders need to be excluded.

XM Appliance

If you have an XM appliance, apply the exclusions specified for the PM, DPX, and AIE (if installed). 

PM Appliance

• D:\*.mdf
• L:\*.ldf
• T:\*.mdf
• T:\*.ldf
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• C:\tmp\indices\ (if Web Console is installed on the PM)
• If the Threat Intelligence Service (TIS) is installed:
  • C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\*.*
  • C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\staging\HailATaxii\*.*

DP or DPX Appliance (Windows)

• All files in the directories and sub-directories of the paths stored in the environment variables %DXPATH%, %DXCONFIGPATH%, and %DXDATAPATH%. By default, this is D:\Program Files\LogRhythm\Data Indexer\. To view the environment variables, go to the Advanced System Settings, and click Environment Variables.
• D:\LogRhythmArchives\Active\*.lua
• X:\LogRhythmArchives\Inactive\*.lca (where X: is the location of the inactive archives, D: by default)
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.bin (where X: is the location of the state folder)

• X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.dgz (where X: is the location of the state folder)

• C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\data
• C:\Program Files\LogRhythm\Data Indexer\elasticsearch\data
• C:\Windows\Temp\jtds*.tmp

DX Appliance (Linux)

• /usr/local/logrhythm/db/elasticsearch/data (default path, includes both state and data files)

AIE Appliance

• C:\Program Files\LogRhythm\LogRhythm AI Engine\data\*.*
• C:\Program Files\LogRhythm\LogRhythm AI Engine\state\*.*
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos

If the AIE service is running on the PM appliance, exclude these directories on the PM.

Collector Appliance or Agents Deployed on Servers

• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.bin
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.suspense

The above path is the default installation locations for the System Monitor Agent. If you install the Agent in a different location (for example, D:\), update the exclusion as required.

Agents Deployed Linux Servers

• /opt/logrhythm/scsm/state/*.pos
• /opt/logrhythm/scsm/state/*.suspense

Web Console

• D:\tmp\indices

High Availability Deployments

• C:\lk\* directory (or whichever folder LifeKeeper is installed in)
• C:\Program Files (x86)\SIOS\DataKeeper> directory (or whichever folder DataKeeper is installed in)
• C:\Program Files (x86)\SIOS\DataKeeper\Bitmaps) (or whichever folder the bitmap file is stored in)
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0- BEC7-08002BE2092F}
• Registry keys used by SIOS, available at the following link:  http://docs.us.sios.com/WindowsSPS/8.6/SPS4W/TechDoc/index.htm#DataKeeper/Administration/Registry_Entries.htm%3FTocPath%3DDataKeeper%7CAdministration%7C_____10

Verify Web Console Processes

The installer automatically starts the services and processes needed to run the Web Console. However, you should ensure that these processes are running by doing the following:

1. Go to Services on your machines.
2. Verify that the following services have started:
   • LogRhythm API Gateway
   • LogRhythm Authentication API
   • LogRhythm Case API
   • LogRhythm Service Registry
   • LogRhythm Threat Intelligence API
   • LogRhythm Web Console API
   • LogRhythm Web Console UI
   • LogRhythm Web Indexer
   • LogRhythm Web Services Host API
3. Go to Task Manager on your machine.
4. Verify that the following services have started:
   • java.exe (one instance)
   • LogRhythm.Web.Services.ServicesHost.exe
   • LogRhythmAPIGateway.exe
   • LogRhythmAuthenticationAPI.exe
   • LogRhythmCaseAPI.exe
   • LogRhythmServiceRegistry.exe
   • LogRhythmThreatIntelligence.exe
   • lr-threat-intelligence-api.exe (32 bit)
   • LogRhythmWebConsoleAPI.exe
   • LogRhythmWebConsoleUI.exe
   • LogRhythmWebIndexer.exe
   • LogRhythmWebServicesHostAPI.exe
   • nginx.exe *32 (a minimum of two instances)
   • node.exe (four instances)
   • procman.exe (eight instances)
   • NSSM Service Manager
   

   NSSM is not a LogRhythm application, but a third-party service manager that provides a wrapper around Java, Go, and other services to ensure that they run properly on Windows and that they are restarted when they stop.

FIPS Consideration

When running HA in a FIPS environment, the SQL_ResTag must be changed, as LifeKeeper uses a SQL account for its check. To prevent login failure in SQL, disable the deep check using the following instructions.

1. Open SIOS.
2. Right-click the SQL_ResTag on the active server, and then click Deep Check Interval.
3. Set the Deep Check Interval to Disable Deep Check, and then click Modify.
4. Repeat these steps for the inactive server.