The Alarming and Response Manager (ARM) service is a component of the Platform Manager and is responsible for processing and delivering all alerts and alarms. The ARM runs as a Windows service named LogRhythm Alarming and Response Manager.

SMTP Server Failover

The SMTP Server IP Addresses are located in the Platform Manager Properties. They are used to send email notifications. You can specify a primary, secondary, and tertiary server to allow for failover.

Three attempts are made to send each email notification to the IP Address(es) specified.

  • If one SMTP server is specified, that same server is tried 3 times.
  • If two SMTP servers are specified, the first is tried, then the second, then the first again.
  • If three SMTP servers are specified, each is tried once.

If no Email From address is specified, the Alarming and Response Manager (ARM) is disabled, so an Email From address must be set before any notifications can be sent.

Whether or not delivery succeeds, a record of every notification attempt is written to the nfns.log file in the ARM logs folder on the Platform Manager server.
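The following PowerShell script is an added example, not LogRhythm's own code. It reproduces the attempt order described above (three attempts cycling through the configured servers), checks that each configured server accepts a TCP connection on port 25, and then sends a test message in that same order, stopping at the first success. The server addresses, From/To addresses and the port are placeholders you must replace with the values from your Platform Manager Properties; Send-MailMessage is used as a stand-in for the ARM's own SMTP client and no SMTP authentication is assumed.

```powershell
# Added example (not LogRhythm's code): reproduce the ARM's documented SMTP
# failover order and send a test notification through it.
# Assumptions: $SmtpServers holds the 1-3 IP addresses entered in the Platform
# Manager Properties; the From/To addresses and port 25 are placeholders.

$SmtpServers = @('192.0.2.10', '192.0.2.11')   # constructed sample: primary, secondary
$From        = 'logrhythm-arm@example.com'      # should match the configured Email From address
$To          = 'soc@example.com'
$MaxAttempts = 3

# The ARM makes three attempts, cycling through the configured servers:
#   1 server  -> A, A, A
#   2 servers -> A, B, A
#   3 servers -> A, B, C
function Get-SmtpAttemptOrder {
    param([string[]]$Servers, [int]$Attempts = 3)
    if (-not $Servers -or $Servers.Count -eq 0) { throw 'No SMTP server configured' }
    0..($Attempts - 1) | ForEach-Object { $Servers[$_ % $Servers.Count] }
}

# Cheap reachability check of every distinct configured server (TCP/25).
foreach ($s in ($SmtpServers | Select-Object -Unique)) {
    $ok = Test-NetConnection -ComputerName $s -Port 25 -InformationLevel Quiet -WarningAction SilentlyContinue
    Write-Host ("{0,-16} port 25 reachable: {1}" -f $s, $ok)
}

# Send a test message in the same order the ARM would use, stopping at the
# first success. Send-MailMessage defaults to port 25 and no authentication.
$attempt = 0
$sent    = $false
foreach ($server in (Get-SmtpAttemptOrder -Servers $SmtpServers -Attempts $MaxAttempts)) {
    $attempt++
    try {
        Send-MailMessage -SmtpServer $server -From $From -To $To `
            -Subject 'ARM SMTP failover test' -Body "Attempt $attempt via $server" -ErrorAction Stop
        Write-Host "Attempt $attempt via $server succeeded"
        $sent = $true
        break
    } catch {
        Write-Warning "Attempt $attempt via $server failed: $($_.Exception.Message)"
    }
}
if (-not $sent) {
    Write-Error "All $MaxAttempts attempts failed; compare with the entries in nfns.log on the Platform Manager"
}
```

Run it on the Platform Manager server itself, since that is the host the ARM sends from and firewall rules may differ elsewhere. A server that passes the TCP check but fails the send usually points at relay restrictions on the SMTP side rather than at the ARM.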

State

To ensure events are not processed more than once, the ARM keeps track of which events it has already processed. This position is stored in a state file in the state directory under the ARM installation folder (...LogRhythm\LogRhythm Alarming and Response Manager\state).

The file is named ARMState.pos. If the state file is removed, the ARM reprocesses all events the next time it starts, so alarms and notifications for events that were already handled can be generated again.
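The following PowerShell script is an added example, not LogRhythm's own code. It stops the ARM, takes a timestamped copy of ARMState.pos, and restarts the service, so that the processing position can be restored if a restart goes wrong and you do not want every event reprocessed. The installation path is the default one given on this page; the service display name is an assumption that you should confirm locally with Get-Service.

```powershell
# Added example (not LogRhythm's code): back up ARMState.pos around a service
# restart so the processing position can be restored.
# Assumptions: default install path; $ServiceName is the assumed display name
# of the ARM service, verify it with Get-Service on your Platform Manager.

$ArmRoot     = 'C:\Program Files\LogRhythm\LogRhythm Alarming and Response Manager'
$StateFile   = Join-Path $ArmRoot 'state\ARMState.pos'
$BackupDir   = Join-Path $ArmRoot 'state\backup'
$ServiceName = 'LogRhythm Alarming and Response Manager'   # assumed display name

$svc = Get-Service -DisplayName $ServiceName -ErrorAction Stop

# Stop the ARM first so the state file is not being written while it is copied.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -InputObject $svc -ErrorAction Stop
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

if (Test-Path $StateFile) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir "ARMState.pos.$stamp"
    Copy-Item -Path $StateFile -Destination $backup -ErrorAction Stop
    Write-Host "State saved to $backup ($((Get-Item $StateFile).Length) bytes)"
} else {
    # No state file means the ARM reprocesses all events on start:
    # expect a burst of repeated alarms and notifications.
    Write-Warning "No state file at $StateFile; the ARM will reprocess all events on start"
}

# Remove the state file only when reprocessing is the intended outcome,
# never as a routine step:
#   Remove-Item $StateFile

Start-Service -InputObject $svc -ErrorAction Stop
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "ARM service is $((Get-Service -DisplayName $ServiceName).Status)"
```

To roll back to a saved position, stop the service, copy the backup over ARMState.pos, and start the service again; any events processed after the backup was taken will then be processed a second time.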

Logging

The ARM writes its log to C:\Program Files\LogRhythm\LogRhythm Alarming and Response Manager\logs\scarm.log. While initially installing and configuring the ARM, a LogLevel of Info or Verbose provides detailed information on the ARM's operation that is useful for confirming the system is functioning properly. After the ARM is configured and operating properly, we recommend you set the LogLevel to Error or Warning.

The LogLevel can be set from the Modify Platform Manager Basic Properties dialog box.
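The following PowerShell script is an added example, not LogRhythm's own code. It summarises the most recent scarm.log entries by level, which shows how much Info/Verbose output is still being written before you lower the LogLevel, and then follows the file printing only Error and Warning lines. The log path is the default one given on this page; the exact line layout of scarm.log is not documented here, so the regular expression that picks out the level keyword is an assumption you may need to adjust.

```powershell
# Added example (not LogRhythm's code): summarise recent scarm.log lines by
# level, then follow the file for new Error/Warning lines.
# Assumptions: default log path; the level keyword appears as a whole word
# somewhere in each line (regex is a guess about the log layout).

$LogFile      = 'C:\Program Files\LogRhythm\LogRhythm Alarming and Response Manager\logs\scarm.log'
$LevelPattern = '\b(Error|Warning|Info|Verbose|Debug)\b'   # assumed level keywords

if (-not (Test-Path $LogFile)) { throw "scarm.log not found at $LogFile" }

# One-off summary of the last 5000 lines. -match is case-insensitive and
# Group-Object groups case-insensitively, so "ERROR" and "Error" count together.
Get-Content -Path $LogFile -Tail 5000 |
    ForEach-Object { if ($_ -match $LevelPattern) { $Matches[1] } else { 'Other' } } |
    Group-Object |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Continuous follow (Ctrl+C to stop): print only Error and Warning lines
# as they are appended to the log.
Get-Content -Path $LogFile -Tail 0 -Wait |
    Where-Object { $_ -match '\b(Error|Warning)\b' }
```

If the summary shows almost nothing at Error or Warning after a period of normal operation, the Info/Verbose detail has served its purpose and the LogLevel can be lowered from the Modify Platform Manager Basic Properties dialog box.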

McAfee ePO

LogRhythm's Alarming and Response Manager (ARM) allows you to customize alarm rules that are triggered by identified events, and then send alarm notifications via email and SNMP traps. LogRhythm can also forward alarm notifications to McAfee ePolicy Orchestrator (versions 3.6, 4.0, 4.5, 5.0, 5.1, and 5.3), where they appear in the Console's Event Log interface. An ePO Administrator or Reviewer can view, filter, sort, and export these events and summarize them in custom charts, tables, and ePO dashboards. LogRhythm's ePO notification events are securely transmitted from the LogRhythm Platform Manager server to the ePO server by the McAfee Agent.

LogRhythm Alarm Event Data in the ePolicy Orchestrator Event Log (May Vary by Version)

ePO Event Log Column          LogRhythm Alarm Event Data
--------------------------    ------------------------------------------------------------
Detecting Program             "LogRhythm"
Detected UTC                  Alarm Date
Event ID                      "200000"
Threat Source Host Name       Source Host name
Threat Source IPv4 Address    Source IP Address
Threat Source Login Name      Login
Target Host Name              Destination Host name
Target IPv4                   Destination IP Address
Target Port                   Destination Port
Target User Name              Login
Target Process Name           Process
Target File Name              Object
Network Protocol              Protocol
Source URL                    URL
Threat Category               "ops.detect"
Threat Type                   "Audit", "Operations", "Security" or "Unknown"
Threat Name                   Triggered Alarm Rule Name
Threat Severity               LogRhythm alarm priority (a range of 0 to 100), mapped to one of
                              ePO's eight Severity levels (Information, Debug, Warning, etc.).
                              The alarm priority is partially based on the risk values assigned
                              to the hosts referenced in the triggering events.
Threat Handled                LogRhythm always reports the alarm event but never blocks the
                              reported action