Configure or Verify Communication Ports
LogRhythm installers should open the TCP ports required for component communications. Additional configuration may be required, as described in this section. For more information on ports, see the Networking and Communication topic in the LogRhythm SIEM Documentation.
If you need assistance with any of the procedures listed below, contact your system or network administrator.
Configure Access for Remote Consoles
Users should access their LogRhythm deployment using a Client Console that is installed on their local workstation or through Citrix/Terminal Services (that is, not via the Client Console that is installed on the XM or Event Manager/Platform Manager). For this reason, some configuration to allow remote access may be required after upgrading to the latest version of LogRhythm SIEM.
If any intermediary firewalls are enabled between any LogRhythm Client Consoles, including the Windows Firewall on any LogRhythm appliance, you must add the following rule to each firewall if access to the Data Indexer IP address is not already allowed by applied policies:
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13130
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13132
Verify Ports on the Linux Data Indexer
To verify which ports are listening for incoming traffic on a Linux Indexer node, log on to the Indexer node as logrhythm and run the following command:
sudo firewall-cmd --permanent --zone=public --list-all
This lists all the public ports opened for DX:
- 8501/tcp
- 8300/udp
- 8301/udp
- 8300/tcp
- 8301/tcp
If you need to open any incoming ports on the Linux Indexer, do the following:
- Log on to the Indexer node as logrhythm and run the following commands (replace port with the port number to open):
  sudo firewall-cmd --zone=public --add-port=port/tcp --permanent
  sudo firewall-cmd --reload
- Repeat the steps above on each Linux Data Indexer.
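As an added check that is not part of the LogRhythm documentation, the POSIX shell script below compares the ports line of a firewall-cmd zone listing against the five DX ports listed above and prints the firewall-cmd commands for any that are missing. The listing it parses is a constructed sample, and the function names missing_dx_ports and remediation_commands are this example's own.

```shell
#!/bin/sh
# Constructed sample of `sudo firewall-cmd --permanent --zone=public --list-all`
# output from a Data Indexer node; 8301/tcp is deliberately left out.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 8501/tcp 8300/udp 8301/udp 8300/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# Ports the documentation lists as required on the Data Indexer (DX).
DX_REQUIRED_PORTS="8501/tcp 8300/udp 8301/udp 8300/tcp 8301/tcp"

# Read a zone listing on stdin and print each required port that is absent
# from its "ports:" line, one per line. Prints nothing when all are open.
missing_dx_ports() {
    listing=$(cat)
    open=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p')
    for p in $DX_REQUIRED_PORTS; do
        case " $open " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# Read a zone listing on stdin and print the commands from the procedure
# above for every missing port, followed by a single --reload.
remediation_commands() {
    missing=$(missing_dx_ports)
    [ -z "$missing" ] && return 0
    for p in $missing; do
        printf 'sudo firewall-cmd --zone=public --add-port=%s --permanent\n' "$p"
    done
    printf 'sudo firewall-cmd --reload\n'
}

# Stand-alone run against the constructed sample. On a real Indexer node, pipe
# the live listing in instead:
#   sudo firewall-cmd --permanent --zone=public --list-all | remediation_commands
printf '%s' "$SAMPLE_LIST_ALL" | remediation_commands
```

The script only reports and prints commands; it does not change the firewall itself, so the output can be reviewed before anything is applied.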
Verify Ports on the Windows Data Indexer or the Data Processor
To verify allowed ports on a Windows server host:
- Log on to the Windows server as an administrator.
- Open a command prompt and run the following command:
  netsh firewall show state
  Ports that are currently open on all interfaces are displayed below the firewall status.
The netsh firewall command has been deprecated but should still work on Windows Server 2008 R2, 2012 R2, and 2016. If necessary, start Windows Firewall and search for the ports that are allowed on the current server.
If you need to allow any ports on a Windows server host:
- Log on to the Windows server as an administrator.
- Open a command prompt and run the following command (replace "rule name" with a descriptive name and port with the port number to allow):
  netsh advfirewall firewall add rule name="rule name" dir=in action=allow protocol=TCP localport=port
Verify SQL Server Authentication and LogRhythm Databases
To verify authentication on the Platform Manager or XM server:
- Click Start, Apps, and then Microsoft SQL Server Management Studio.
- In the Connect to Server window, enter the following information:
  - Authentication. SQL Server Authentication
  - Login. sa
  - Password. Enter the appropriate password
- Click Connect.
  The Microsoft SQL Server Management Studio window opens.
- Expand the Databases folder. You should see the following LogRhythm Databases:
  - LogRhythm_Alarms
  - LogRhythm_CMDB
  - LogRhythm_Events
  - LogRhythm_LogMart
  - LogRhythmEMDB
- Exit Microsoft SQL Server Management Studio.
Verify LogRhythm Installation
Verify that the installation completed successfully by checking for the LogRhythm components in Add/Remove Programs.
1. Click Start, Control Panel, and Add/Remove Programs.
2. Search for the following LogRhythm components on each server type and verify the version within the support information link.
| LogRhythm Component | XM | PM | DP | DX | AIE | Collector |
|---|---|---|---|---|---|---|
| Advanced Intelligence (AI) Engine | X | X | | | X | |
| Alarming Manager | X | X | | | | |
| Console* | X | X | | | | |
| Data Indexer (DX) | X | | | X | | |
| Job Manager | X | X | | | | |
| Mediator Server Service | X | | X | | | |
| System Monitor Service** | X | X | X | | X | X |
| Common | X | | | X | | |
* The Console can be installed on any supported system.
** The System Monitor can be installed on any supported system. At a minimum, you must install it on the XM or PM.
If you have any issues with the installation, contact LogRhythm Support. C:\LogRhythm\InstallLogs contains the install logs that may supply useful error messages for support.
Verify Web Console Processes
The installer automatically starts the services and processes needed to run the Web Console. However, you should ensure that these processes are running by doing the following:
- Go to Services on your machine.
- Verify that the following services have started:
  - LogRhythm API Gateway
  - LogRhythm Authentication API
  - LogRhythm Case API
  - LogRhythm Service Registry
  - LogRhythm Threat Intelligence API
  - LogRhythm Web Console API
  - LogRhythm Web Console UI
  - LogRhythm Web Indexer
  - LogRhythm Web Services Host API
- Go to Task Manager on your machine.
- Verify that the following processes are running:
  - java.exe (one instance)
  - LogRhythm.Web.Services.ServicesHost.exe
  - LogRhythmAPIGateway.exe
  - LogRhythmAuthenticationAPI.exe
  - LogRhythmCaseAPI.exe
  - LogRhythmServiceRegistry.exe
  - LogRhythmThreatIntelligence.exe
  - lr-threat-intelligence-api.exe (32 bit)
  - LogRhythmWebConsoleAPI.exe
  - LogRhythmWebConsoleUI.exe
  - LogRhythmWebIndexer.exe
  - LogRhythmWebServicesHostAPI.exe
  - nginx.exe *32 (a minimum of two instances)
  - node.exe (four instances)
  - procman.exe (eight instances)
  - NSSM Service Manager
NSSM is not a LogRhythm application, but a third-party service manager that provides a wrapper around Java, Go, and other services to ensure that they run properly on Windows and that they are restarted when they stop.
Install Other Agents
To install the LogRhythm System Monitor Agent on other machines, or to install the non-Windows System Monitor Agents:
- System Monitor installer files are available in the LogRhythm Install Wizard, in the Installers subfolder. Make sure to use the appropriate file for 32-bit or 64-bit systems:
  - LRSystemMonitor_7.x.x.xxxx.exe
  - LRSystemMonitor_64_7.x.x.xxxx.exe
  You can also download the Windows System Monitor installers from the release downloads page on the LogRhythm Community.
- Download *NIX System Monitor Agent packages from the release downloads page on the LogRhythm Community. Text-based installation instructions for each package and platform are available, and additional installation instructions are available in the unnamed link documentation.
For all *NIX operating systems that support Realtime FIM, the System Monitor requires root privileges.
Configure the LogRhythm Software
You can work directly with Professional Services to configure your LogRhythm Solution, or you can follow the steps in the New Deployment Wizard topic in the LogRhythm SIEM Help. You can find additional resources on the LogRhythm Community.
The LogRhythm upgrade guides contain information about some post-upgrade (or post-install) configurations that are important to your deployment. You may want to review those guides to ensure that at least the following items are addressed:
- Ensure that all Data Processors are assigned to a cluster
- Verify the IP Address of the LogMart Database Server
You need the following items for the deployment, whether you configure LogRhythm yourself or you work with Professional Services:
- LogRhythm License File that is sent via email
- LogRhythm Knowledge Base (extension .lkb), which is located in the following folder: \LogRhythm\Install\KB
Add Realtime Endpoint Protection Exclusions (Anti-Virus) for LogRhythm
Endpoint Security software, including Anti-Virus, Anti-Malware, and EDR/EPP solutions, can have a major impact on installation, upgrade, and ongoing operation of any high-performance application, including the LogRhythm platform. As a best practice, LogRhythm provides a recommended list of paths to exclude from Realtime Scanning to reduce the performance and stability impacts on the software. In some cases, features specific to your Endpoint Security vendor, such as Heuristic detections, may need to be disabled due to vendor incompatibility. The directories below should be considered a minimum list of exclusion paths; additional paths may be required in some situations.
The paths listed below are the default directories for each service. These locations are configurable in most cases and may vary from deployment to deployment or from version to version. Consider this to be a minimum list and adjust accordingly.
Where file extensions are not provided, use RECURSIVE path configurations.
XM
If you have an XM appliance, apply the exclusions specified for all services below.
PM Services
- D:\LogRhythm\*.mdf
- L:\LogRhythm\*.ldf
- T:\Temp\*.mdf
- T:\Temp\*.ldf
- C:\Program Files\LogRhythm\LogRhythm Common\*
- C:\Program Files\LogRhythm\LogRhythm Alarming and Response Manager\*
- C:\Program Files\LogRhythm\LogRhythm Job Manager\*
- C:\Program Files\LogRhythm\LogRhythm Metrics\*
- If the Threat Intelligence Service (TIS) is installed:
  - C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\*
DP Services (Windows)
- S:\LogRhythmArchives\Active\*.lua
- D:\LogRhythmArchives\Inactive\*.lca
- C:\Program Files\LogRhythm\LogRhythm Common\*
- S:\LogRhythm\LogRhythm Mediator Server\state\*
DX Services (Linux)
- /usr/local/logrhythm/db/elasticsearch/data
DX Services (Windows XM)
- All files in the directories and sub-directories of the paths stored in the environment variables %DXPATH% and %DXDATAPATH%. The defaults are:
  - D:\LRIndexer
  - C:\Program Files\LogRhythm\Data Indexer
AIE Services
- S:\Program Files\LogRhythm\LogRhythm AI Engine\data\*
- S:\Program Files\LogRhythm\LogRhythm AI Engine\state\*
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
- C:\Program Files\LogRhythm\LogRhythm Common\*
- C:\Program Files\LogRhythm\LogRhythm AI Engine\*
- S:\Program Files\LogRhythm\LogRhythm Archive Engine\*
System Monitor Agent (Windows)
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.bin
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
- C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.suspense
System Monitor Agent (Legacy Linux)
- /opt/logrhythm/scsm/state/*.pos
- /opt/logrhythm/scsm/state/*.suspense
Web Console Services
- C:\Program Files\LogRhythm\LogRhythm Web Services\*
- S:\tmp\indices\* (also often S:\LogRhythm\webindices\*)
- C:\Program Files\LogRhythm\LogRhythm Common\*
Secondlook API
- C:\Windows\system32\config\systemprofile\AppData\Roaming\LogRhythm\temp\
High Availability Deployments
- C:\lk\* directory (or whichever folder LifeKeeper is installed in)
- C:\Program Files (x86)\SIOS\DataKeeper directory (or whichever folder DataKeeper is installed in)
- C:\Program Files (x86)\SIOS\DataKeeper\Bitmaps (or whichever folder the bitmap file is stored in)
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
- Registry keys used by SIOS are available at the following link: SIOS DataKeeper Administration
Once your LogRhythm installation is complete, refer to the collection of topics in Get Started with LogRhythm Enterprise for information on logging into the console, completing the new deployment wizard, and assigning licenses.