The LogRhythm installation includes predefined templates, reports, and Report Packages, which are sets of reports that pertain to a single topic, such as security compliance standards, usage auditing, or LogRhythm diagnostics. The following tasks can be performed from the Report Center:

  • Generate a report from a predefined report format included in the LogRhythm installation.
  • Generate a group of reports (a report package) from a predefined Report Package format included in the LogRhythm installation.
  • Generate a report from a custom format.
  • Copy, import, and export reports.
  • Create a custom template.
  • Import a custom report logo.

New and updated reports are loaded with the updated Knowledge Base. You must have administrative privileges to import a Knowledge Base.

Report Templates

A report template defines the report format including the columns, group order, and sort order. The report configuration defines the data that is included in the report. All available report templates are listed on the Report Templates tab of the Report Center page. The table below describes the columns that appear in the Report Template grid.

| Column | Description |
|---|---|
| Template Type | Category of report type: Alarm and Response Report (alarms and related events); Audit Log Report (auditing activity events by user and date); Executive Report (trending information for executive/management analysis); Log Detail Report (raw logs and/or parsed metadata); Log Management Statistics Report; Log Summary Report (summarized data). |
| Name | The name of the template. |
| PM | When selected, the Platform Manager is available for selection as an input source in the Report Wizard. |
| DP | When selected, the Data Processor is available for selection as an input source in the Report Wizard. |
| LogMart | When selected, the LogMart is available for selection as an input source in the Report Wizard. |
| Fields Included | A list of the data fields that define the columns in the report. |
| Field Grouping and Operations | Governs how the report data is grouped and sorted in the report. |
| Description | A report definition. |
| Permissions | Determines who can view and generate reports: Private, Public All Users, Public Global Analysts, and Public Global Administrators. |
| Owner | Displays who owns the reports. |
| Date Updated | Displays the date and time the report was last updated. |
| Version | Displays the version in which the report was updated. |
| ID | A system-generated identification number. |

Report Permissions

There are four categories of permissions for reports:

  • Private. Only the owner can run or edit the report.
  • Public All Users. Only Global Administrators or the owner can edit the report, but everyone can run it.
  • Public Global Analysts. Only Global Administrators or the owner can edit the report, but everyone except standard Restricted Analysts can run it.
  • Public Global Administrators. Only Global Administrators or the owner can edit the report, but everyone except standard Restricted Analysts and Global Analysts can run it.

    Restricted Analysts with elevated permissions have access to more functions than do standard Restricted Analysts. For more information, see Modify User Profile Management Permissions.

Permissions Table for Custom Reports: Report Permission Level vs. User Role

| User Role | Private | Public All Users | Public Global Analysts | Public Global Administrators |
|---|---|---|---|---|
| Owner | Full | Full | Full | Full |
| Restricted Analyst | None | Run/View | None | None |
| Global Analyst | None | Run/View | Run/View | None |
| Global Administrator | None | Full | Full | Full |

Permissions Table for System Reports: Report Permission Level vs. User Role

| User Role | Public All Users | Public Global Analysts | Public Global Administrators |
|---|---|---|---|
| Restricted Analyst | Run/View | None | None |
| Global Analyst | Run/View | Run/View | None |
| Global Administrator | Run/View | Run/View | Run/View |

If you change the Authorized User Profiles after a report has been run, users with newly granted access cannot see the report in the Web Console. You must run the report again for it to be visible to the new user profiles.

Report Data Sources

Understanding how data is retrieved, from where, and what state it is in helps determine which template to use.

In LogRhythm, all dates are stored in Greenwich Mean Time (GMT). LogMart dates use whole hour resolution. Activity occurring between the start and the end of the hour is recorded as occurring on the hour. For example, a log entry dated 1/1/10 3:34:33 PM would be associated with the aggregated occurrence record dated 1/1/10 3:00:00 PM.

Because LogMart occurrences are aggregated by the hour, reports contain results within whole hours. For example, a report run 1/1/10 5:30 AM GMT through 1/1/10 5:30 PM GMT will actually contain results on or after 1/1/10 6:00 AM GMT and prior to 1/1/10 6:00 PM GMT.

Manage Reporting Memory

If a report query causes Client Console memory usage to exceed the threshold, then the report is rendered with partial data and the label (Sample Dataset) is added to the title page footer:

Report prepared for LogRhythm Inc. on 1/28/11 2:00 PM MST (GMT-07:00) (Sample Dataset)

The reporting memory can be set from 0-100%. When set to 100%, the behavior is identical to LogRhythm 6.0 memory management.

The amount of application memory available to the Client Console is different for 32-bit versus 64-bit systems because 32-bit systems can only access the first 1 GB of memory.

Maximum application memory:

  • LogRhythm Client Console (32-bit) = 1 GB
  • LogRhythm Client Console (64-bit) = installed physical memory

For example, if 8 GB RAM is installed and the reporting memory threshold is set to 50%, the following amount of memory is available:

  • LogRhythm Client Console (32-bit) = 0.5 GB report memory threshold
  • LogRhythm Client Console (64-bit) = 4.0 GB report memory threshold

To adjust these values, use the Report Center tab in My Preferences.

ARM and Job Manager Memory Allocation

The memory allocation can be distributed between the ARM and the Job Manager. In the ARM Advanced Properties settings, MaxServiceMemory has been replaced with two properties:

  • MaxServiceMemory_ARM. Range 512-64000 MB; Default 2048 MB
  • MaxServiceMemory_JobManager. Range 512-64000 MB; Default 2048 MB

Maximum Errors per Job Package

Reports can be run individually or in packages. If one or more individual reports are selected, Report Center bundles the reports into an ad hoc package. Errors can occur due to factors such as connections, permissions, and timeouts.

In the ARM Advanced Properties settings, the maximum number of errors per job package can be adjusted:

  • SRE_MaxErrorsPerJobPackage. Range 1-100; Default 5

After the limit has been reached, the package is stopped.

Large Deployments

In some large deployments where scheduled reports are not finishing or are timing out, the following settings may be effective at preventing timeouts. First, stagger multiple scheduled report jobs so that one does not cancel out the other when it executes, and ensure that run times do not conflict with the LogRhythm nightly maintenance. By default, each report can take as much as 600 seconds to complete, and nightly maintenance begins at 1 AM every day.

Nightly database maintenance jobs may take hours to run.

For example, schedule your first report package to start execution at 3 AM, and allow more than 600 seconds (for each report within the package) before scheduling your second package. If your first package has six reports in it, your second report package should be scheduled to start 3600 seconds, or one hour, later.

If the above does not solve your problem, consider changing the following advanced properties on the Platform Manager, and recalculate the time needed between report package scheduled execution times:

  • SRE_QueryCommandTimeout. Change to 1800 seconds.
  • SRE_MaxErrorsPerJobPackage. Change from 3 to 1.

The SQL Server remote query timeout, which is 600 seconds or 10 minutes by default, is also taken into account. To view this setting, start SQL Server Management Studio, right-click the EMDB host in Object Explorer, and then click Properties. Click the Connections page, and the timeout value can be found under Remote server connections on the right.
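
The staggering rule from Large Deployments can be worked out with a small planner. This is an added example, not LogRhythm code: it spaces each package by its report count times the per-report limit (600 seconds by default, 1800 after the SRE_QueryCommandTimeout change) and flags any worst-case run that reaches the 1 AM maintenance. The package names, report counts, date, and the two-hour maintenance duration are assumptions.

```python
from datetime import datetime, timedelta

def overlaps_maintenance(start, end, maint_hour=1, maint_hours=2):
    """True if [start, end) touches a daily maintenance window.

    maint_hour=1 is the page's 1 AM default; maint_hours is an assumed
    duration (the page only says maintenance may take hours).
    """
    midnight = start.replace(hour=0, minute=0, second=0, microsecond=0)
    for day_offset in (-1, 0, 1):  # previous, same and next day's window
        m_start = midnight + timedelta(days=day_offset, hours=maint_hour)
        m_end = m_start + timedelta(hours=maint_hours)
        if start < m_end and m_start < end:
            return True
    return False

def plan_packages(packages, first_start, query_timeout_s=600, **maint):
    """Stagger packages so each starts after the previous worst case.

    packages: list of (name, report_count). Worst case per package is
    report_count * query_timeout_s, as in the page's six-report example.
    """
    plan, start = [], first_start
    for name, report_count in packages:
        end = start + timedelta(seconds=report_count * query_timeout_s)
        plan.append({"package": name, "start": start, "worst_case_end": end,
                     "maintenance_conflict": overlaps_maintenance(start, end, **maint)})
        start = end  # earliest safe start for the next package
    return plan

# Constructed sample: package names, report counts and date are illustrative.
PACKAGES = [("pkg-compliance", 6), ("pkg-usage-audit", 4), ("pkg-diagnostics", 40)]
FIRST_START = datetime(2024, 1, 1, 3, 0)  # 3 AM, as in the page's example

if __name__ == "__main__":
    for timeout in (600, 1800):  # default, then the raised per-report limit
        print(f"query timeout = {timeout} s")
        for row in plan_packages(PACKAGES, FIRST_START, query_timeout_s=timeout):
            flag = "CONFLICT with maintenance" if row["maintenance_conflict"] else "ok"
            print(f"  {row['package']:<16} {row['start']:%a %H:%M} -> "
                  f"{row['worst_case_end']:%a %H:%M}  {flag}")
```

With the 600-second limit all three sample packages finish by late morning; at 1800 seconds the 40-report package has a worst case that runs into the next night's maintenance, which is the point at which a large package should be split or moved.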