LogRhythm API Gateway Error on Windows Server 2012 R2
After upgrading to LogRhythm SIEM version 7.19, API calls and operations may fail on servers running Windows Server 2012 R2. This can be resolved by adjusting the cipher suites enabled in the LogRhythm API Gateway.
Microsoft support for Windows Server 2012 R2 ended October 2023, as detailed in this article from Microsoft. This error arises because Microsoft no longer patches Windows Server 2012 R2, so it lacks support for the latest, most secure cipher suites.
LogRhythm also no longer supports Windows Server 2012 R2 on versions 7.19 and later. It is recommended to upgrade to a newer version of Windows Server to avoid this issue rather than using the workaround detailed in this guide.
Possible Errors
You may see one of the following error messages when using the API after upgrading to LogRhythm SIEM 7.19:
Admin API Log
TLS Handshake failed: Cannot read handshake packet: EOF.
Console Investigation Error
Unable to complete operation since JSON Web Token was not passed. Please ensure that API gateway authentication services are running OK on platform manager.
Resolution
To resolve this issue on an affected Windows Server 2012 R2 server, take the following steps:
Open the API console at localhost:8500.
Navigate to:
Key/Values/services/lr-api-gateway
Create a folder named “configs”.
Leave the Value blank in order to create a folder.
Within the new “configs” folder, create a new key named CIPHERS with the Value set to the following:
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!SHA1:!DSS
Click Save.
Restart the LogRhythm API Gateway service.
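A check that can be run on a CIPHERS value before saving it, added here as an example and not part of LogRhythm's guide. It assumes the value follows OpenSSL cipher-list syntax (as its !aNULL-style exclusions indicate) and uses Python's ssl module; SAMPLE and the function names are constructed for illustration. It flags names the local OpenSSL build does not recognise and lists the CBC (non-AEAD) suites the string enables.

```python
import ssl

# Constructed sample: the second name is deliberately mistyped (SHA834).
SAMPLE = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA834:"
          "ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!MD5")


def _select(cipher_string):
    """Return the suites OpenSSL selects for cipher_string, or None if none."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return None
    return ctx.get_ciphers()


def lint_cipher_string(value):
    """Check a colon-separated OpenSSL cipher list before it is saved."""
    unmatched = []
    for token in value.strip().split(":"):
        # Tokens starting with !, -, + or @ are rules, not suite names.
        if not token or token[0] in "!-+@":
            continue
        # Inside a longer list OpenSSL silently skips a name it does not
        # know, so test each name alone, where "no match" is an error.
        if _select(token) is None:
            unmatched.append(token)
    selected = _select(value) or []
    # TLS 1.3 suites are configured separately and always reported; drop them.
    tls12 = [c for c in selected if c["protocol"] != "TLSv1.3"]
    return {
        "unmatched": unmatched,
        "enabled": [c["name"] for c in tls12],
        # Non-AEAD (CBC) suites are the weaker, legacy-compatible entries.
        "cbc": [c["name"] for c in tls12 if not c["aead"]],
    }


if __name__ == "__main__":
    report = lint_cipher_string(SAMPLE)
    print("Unrecognised names:", report["unmatched"] or "none")
    print("Enabled TLS 1.2 suites:", ", ".join(report["enabled"]))
    print("Of which CBC (non-AEAD):", ", ".join(report["cbc"]) or "none")
```

A name reported as unrecognised is either mistyped or not compiled into the OpenSSL build that Python uses, which may differ from the TLS library used by the gateway.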