SMTP Server Failover
The SMTP Server IP Addresses are located in the Platform Manager Properties. They are used to send email notifications. You can specify a primary, secondary, and tertiary server to allow for failover.
Three attempts are made to send each email notification to the IP Address(es) specified.
- If one SMTP server is specified, that same server is tried 3 times.
- If two SMTP servers are specified, the first is tried, then the second, then the first again.
- If three SMTP servers are specified, each is tried once.
If an Email From address is not specified, the Alarming and Reporting Engine is disabled.
Successful or not, a record of all notifications are written to the nfns.log file in the ARM logs folder on the server.
To ensure events aren't processed more than once, the ARM maintains the state in which events have been processed. This information is maintained in a state file located in the state directory where the ARM was installed (...LogRhythm\LogRhythm Alarming and Response Manager\state).
The file is named ARMState.pos. If the state file is removed, the next time the ARM is started, all events are reprocessed.
The ARM logs data to C:\Program Files\LogRhythm\LogRhythm Alarming and Response Manager\logs\scarm.log. When initially configuring and installing the ARM, a LogLevel of Info or Verbose provides detailed information on the ARM performance that is useful in ensuring the system is functioning properly. After the ARM is configured and operating properly, we recommend you set the LogLevel to Error or Warning.
The LogLevel can be set from the Modify Platform Manager Basic Properties dialog box.
LogRhythm's Alarming and Response Manager (ARM) allows you to customize alarm rules that are triggered by identified events, and then send out alarm notifications via email and SNMP traps. LogRhythm also can forward alarm notifications to McAfee ePolicy Orchestrator (version 3.6, 4.0, 4.5, 5.0, 5.1, or 5.3) where they appear in the Console's Event Log interface. An ePO Administrator or Reviewer can view, filter, sort, and export these events and summarize them in custom charts, tables and ePO dashboards. LogRhythm's ePO notification events are securely transmitted from the LogRhythm Platform Manager server to the ePO server by the McAfee Agent.
LogRhythm Alarm Event Data in the ePolicy Orchestrator Event Log (May Vary by Version)
|ePO Event Log Column||LogRhythm Alarm Event Data|
Threat Source Host Name
Source Host name
Threat Source IPv4 Address
Source IP Address
Threat Source Login Name
Target Host Name
Destination Host name
Destination IP Address
Target User Name
Target Process Name
Target File Name
“Audit”, “Operations”, “Security” or “Unknown”
Triggered Alarm Rule Name
LogRhythm alarm priority, a range of 0 to 100, mapped to one of ePO’s eight Severity levels (Information, Debug, Warning, etc.).LogRhythm alarm priority is partially based on risk values assigned to the host referenced in the triggering events.
LogRhythm always reports the alarm event, but never blocks the reported action