Prepare to Upgrade a DR Deployment
Record Service Credentials
If the LogRhythm services in your deployment use Windows accounts, you need the account name and password to complete this upgrade.
- To see if a service is running under a Windows account, click Start, click All Programs, click Administrative Tools, and then click Services.
- Double-click a LogRhythm service.
- In Service Properties, select the Log On tab. If the This account option button is selected, this service is running under Windows credentials.
- For each LogRhythm service, note the account name and obtain the account password from your network administrator.
This task must be completed in Disaster Recovery deployments only.
Verify the SQL Server, SQL Server Agent, and LogRhythm Service Registry services are using domain accounts with local admin privileges on each DR server.
Request LogRhythm License File
You must have a license file before you can begin the upgrade process. Request your LogRhythm SIEM license file at this link. If you have an AI Engine, the AI Engine license is included in your LogRhythm license file.
The license file is imported after upgrading the LogRhythm components.
Modify web.config for LR API
LR API users who are upgrading must update web.config, if they have not already done so, because the value for ApplicationAccountKey must be encrypted with LRCrypt. For more information, see the Initialize Users in the Web Configuration topic in the SOAP API Installation Guide.
Note Web Console Environmental Variables
If you are running multiple Web Consoles and you are using environment variables to override Configuration Manager settings on one or more Web Console servers, you should note the values of those variables on each server where used, and then delete the variables. In the current version of LogRhythm SIEM, the Configuration Manager supports individual configurations for multiple Web Consoles. If any of the variables are left in place, they will continue to override settings in the Configuration Manager.
Note Platform Manager IP, LogRhythm Web UI Password, and Login Warning Banner
Following the upgrade, you need to supply the Platform Manager (EMDB) IP address and the LogRhythmWebUI password in the Configuration Manager. These values are in the Global, Database Server field and the Web Global, Database Password field, respectively. Additionally, if you have a login warning banner configured, copy it to a file so it can be set again after the upgrade.
Synchronize the Stored Knowledge Base
If a Knowledge Base has been downloaded but not synchronized, synchronize it before starting the upgrade. If you do not have a downloaded Knowledge Base, you can skip this step.
- Log on to a system where the Client Console is installed.
- Start the Client Console.
- On the Tools menu, click Knowledge, and then click Knowledge Base Manager.
The Knowledge Base Manager appears. If a downloaded Knowledge Base is ready for synchronization, a notice is displayed at the top of the window.
- Click Synchronize Stored Knowledge Base.
The Knowledge Base Import Wizard appears and starts unpacking and validating the Knowledge Base file. The file is checked for compatibility with your current deployment and prepared for import. This may take several minutes.
When finished, the Unpack Progress: Knowledge Base unpacked message appears.
- To import the Knowledge Base, click Next.
- In the Knowledge Base Updated dialog box, click OK.
- In the Knowledge Base Import Wizard, click Close.
- Perform either of the following procedures as needed:
- To enable the Knowledge Base Modules and synchronize them, perform the following steps:
- Select the Action check boxes next to the modules you want.
- Right-click the grid, click Actions, and then click Enable Module.
The Enable Selected Modules dialog box appears.
- Select the options you want, and then click OK.
The Enable Modules box displays a confirmation message.
- To start the synchronization, click Yes.
- When complete, click Close to close the Import Wizard.
- To migrate Common Event changes, perform any of the following steps as needed:
If you are not familiar with the customizations that have been made to your deployment, do not proceed with the import until you have acquired that knowledge, or contact LogRhythm Customer Support for assistance. For more information, see Migrate Common Events.
If Action Required is displayed, some items need to be updated due to Common Event migration changes. Follow the instructions below. If Action Required is not displayed, go to step 9.
- Click Common Event Change Manager.
- Perform any of the following procedures as needed:
- To migrate a Common Event with a preview, select the Action check box for the item. Right-click the grid, click Migrate with Preview, and then click Migrate Common Event to Common Event or Common Event to MPE Rule.
- To migrate a Common Event without a preview, select the Action check box for the item. Right-click the grid, click Action, and then click Migrate Common Event to Common Event or Migrate Common Event to MPE Rule.
- To ignore the Common Events, select the Action check box for the item. Right-click the grid, click Action, and then click Ignore. When this option is selected, items checked in the grid are ignored during future Common Event Migration checks. The items no longer appear in the Common Event Change Manager.
- To close the Common Event Change Manager, click Close.
- To view the Synchronization History, click View Synchronization History.
- Click Close.
- To close the Knowledge Base Manager, click OK.
Configure the System Monitor Service
The LogRhythm System Monitor service must start automatically after a reboot. Therefore, you must verify that the LogRhythm System Monitor Service Startup type is set to Automatic.
- Log in to the System Monitor host as an administrator.
- On the Start menu, click Administrative Tools, and then click Services.
- Locate the LogRhythm System Monitor service.
- Right-click the service, and then click Properties.
- On the General tab, change the Startup type to Automatic.
- Click OK.
- Close the Services window.
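The service checks in Record Service Credentials and Configure the System Monitor Service can be collected in one pass per host. The following PowerShell is an added example, not part of LogRhythm's documentation or tooling; the display-name patterns and the CSV file name are assumptions, and it does not check whether an account has local admin privileges.

```powershell
# Added example: inventory LogRhythm-related services before the upgrade.
# Assumption: services are matched by display-name patterns; adjust as needed.
$patterns = 'LogRhythm*', 'SQL Server (*', 'SQL Server Agent (*'

# Built-in service identities; anything else is a Windows account whose
# password you need to obtain before upgrading.
$builtIn = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

function Get-AccountType([string]$StartName) {
    if (-not $StartName -or $StartName -in $builtIn -or $StartName -like 'NT SERVICE\*') {
        return 'Built-in'
    }
    if ($StartName -like '*@*') { return 'Domain' }   # UPN form: user@domain
    $prefix = ($StartName -split '\\', 2)[0]          # text before the backslash
    if ($prefix -in '.', $env:COMPUTERNAME) { return 'Local' }
    return 'Domain'
}

$report = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $svc = $_; $patterns | Where-Object { $svc.DisplayName -like $_ } } |
    ForEach-Object {
        $type = Get-AccountType $_.StartName
        [pscustomobject]@{
            Host           = $env:COMPUTERNAME
            Service        = $_.DisplayName
            LogOnAs        = $_.StartName
            AccountType    = $type        # DR servers: expect 'Domain' here
            StartMode      = $_.StartMode
            PasswordNeeded = $type -ne 'Built-in'
            # System Monitor must start automatically after a reboot.
            FixStartupType = ($_.DisplayName -like 'LogRhythm System Monitor*') -and
                             ($_.StartMode -ne 'Auto')
        }
    }

$report | Format-Table -AutoSize

# The CSV holds account names only; Win32_Service does not expose passwords.
$report | Export-Csv -Path ".\lr-services-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

Rows with PasswordNeeded set to True are the accounts to record, and a row with FixStartupType set to True means the Startup type still has to be changed to Automatic.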
Shut Down Antivirus and Endpoint Protection Software
Shut down any antivirus or endpoint protection software you have running on all LogRhythm systems.
In the case of endpoint protection software, you may need to uninstall the software from all LogRhythm systems as it has been known to interfere with the LogRhythm solution.
When the LogRhythm installation is complete, you can enable or install antivirus or endpoint protection software again.
Exit all Client Consoles
Close all Client Consoles running on all systems.