The purpose of this document is to assist the community of LogRhythm administrators and users in getting the most out of LogRhythm Support. Your LogRhythm Support Concierge Team has constructed the document for you, and asks that you make it your own by modifying your copy over time based on your experiences with LogRhythm Support.

Support Levels

LogRhythm offers two support levels: Enhanced Support and Standard Support. The table below shows the coverage hours and initial target response (ITR) times.


Case Priority   Enhanced Support        Standard Support
                Coverage   ITR          Coverage   ITR
-------------   --------   --------     --------   --------
Critical        24x7       2 hours      11x5       4 hours
High            24x7       4 hours      11x5       8 hours
Medium          11x5       8 hours      11x5       12 hours
Low             11x5       12 hours     11x5       16 hours

Enhanced Support provides 24x7 coverage for Critical and High cases only. Medium and Low cases are serviced during local support region hours. For case priority levels, see Appendix A: Case Priority.


Path for Submitting Cases

  • For fastest support during business hours, please call our Support Line. The numbers are:
    • 11x5 Support

      Region                      Number               Business Days      Business Hours
      --------------------------  -------------------  -----------------  -------------------------------------
      North America (Toll Free)   +1 866-255-0862      Monday - Friday    7:00 a.m. – 6:00 p.m. MT
      The Americas (Direct Dial)  +1 720-407-3990      Monday - Friday    7:00 a.m. – 6:00 p.m. MT
      EMEA                        +44 (0) 844 3245898  Monday - Friday    7:00 a.m. – 6:00 p.m. GMT
      META                        +971 8000-3570-4506  Sunday - Thursday  7:00 a.m. – 6:00 p.m. Gulf Time (GMT+4)
      APAC                        +65 31572044         Monday - Friday    7:00 a.m. – 6:00 p.m. SGT (Singapore)
    • Alternatively, you may submit a case at any time via the LogRhythm Support Portal at https://support.logrhythm.com. If a response to your case is urgently required, please also feel free to call the support line after you’ve submitted the case and ask to be transferred to a support engineer right away. If possible, we’ll accommodate you.

 

We recommend that, at least a day or two before you might need Support, you visit the Portal home page (https://logrhythmcommunity.force.com/CustomSelfRegister) to create your account and then contact your LogRhythm Customer Relations Manager (CRM) to ask them to authorize access for you to the Support Portal.


If you have Enhanced Support, we suggest that you use the 24x7 telephone numbers exclusively. For case priority levels, see Appendix A: Case Priority.


Utilizing the 24x7 Feature of Your Enhanced Support Contract

The Enhanced Support contract gives you the flexibility to contact our support team on any day, at any time, 24/7/365. If you have an Enhanced Support contract, please read this entire section to be sure you understand how to utilize this feature.

Continue Work with Next Available Region

If you come to the end of a working session with a support engineer and you wish to resume work with another support engineer in the next available region, tell your support engineer. You will need to let the engineer know whom we should contact to continue the work. Please note:

  • We cannot guarantee that a support engineer will immediately be available in the next region.
  • Many times it is more beneficial to stay with the support engineer with whom you’ve been working rather than transferring to another engineer who will need to study the case history before being able to help you.

New Case Submitted Outside Business Hours (Weekend)

Whether you call our Support Line or submit a new case through the Support Portal, our weekend staff will be notified and will make every effort to reach back out to you within two hours for Critical cases or four hours for High cases.

Continue Work on Existing Case Outside Business Hours (Weekend)

Updates to existing cases will NOT notify our weekend staff. So please call the Support Line to record a message in the voice mail system, and remember to include your support case number. Our weekend support team will be notified immediately, will update your case with the information you provided, and will respond to you as soon as possible to continue working with you.

Some Other Dos and Don’ts

  • If you have a case open for a particular issue, please do not open another case for that same issue.
  • If you’re unhappy with the progress on a case, the responsiveness of the engineer, or the engineer in general, please call our Support Line and express your concern to the Concierge.
  • If, in the course of working on a case, it becomes evident that the title (summary field) is no longer appropriate, please ask the support engineer to change the title.
  • When you experience a product issue, please refrain from restarting services or rebooting systems as a means of restoring operations until a support engineer has been able to observe the problem and collect relevant data.

Communicating with the Support Engineers

  • Please don’t hesitate to ask your support engineer at the end of a work session what the action plan is. That is, be sure you know what will be done next, by whom, and by when.
  • Please watch for updates to your cases in your email inbox, or by checking the Support Portal.

    When a LogRhythm Support Engineer sends you a message through your support case, the case management system will automatically send you an additional email message to notify you that somebody updated your case. If you would prefer not to receive that extra message:
    1. On the Support Portal homepage, select My Settings from the pulldown menu next to your name at the top right of the page.
    2. Locate the “Email Notifications” section and uncheck the boxes by “Comments on my posts” and “Comments after me.” This will not impact your Community settings.
    3. Click Save.
  • After receiving a case update, please respond as quickly as you can so that we may continue to work with you. You're welcome to respond to case emails directly, though it is helpful to the LogRhythm Support Team if you reply through the portal instead. Two important tips for you in working with your case on the portal:
    1. When you reply through the portal, we recommend that you provide your update in the top right box labeled "Post". It's easier to track the discussion this way than to have nested comments.
    2. Under the "Post" box, there's a sorting menu. It's labeled with your current choice, either "Most Recent Activity" or "Latest Posts". We recommend you set it to "Most Recent Activity."

What to Expect when You Submit a Case

  • If you call LogRhythm Support during business hours, one of our Support Concierges will answer your call. The Concierge will create your new support case for you, gather all necessary information from you and, if possible, transfer your call to an appropriate support engineer to begin work with you immediately.
  • If you submit a case through the portal, or if you called but could not be transferred, your case will be placed into the appropriate support queue. We will do our best to have one of our support engineers contact you within four business hours to begin work.

Specific Items to Include with Your Cases

Please be sure to include the following information in each case you submit. The more accurate and thorough you are, the better we will be able to route your case to the right person and the better that person will be able to address your issue quickly and effectively.

  1. Correct LogRhythm product
  2. Correct product version
    If you have different versions for different components involved in the issue, please indicate that in the details of your request.
  3. Correct topic
  4. Accurate priority
    Please help us to help you best by indicating the priority fairly. For more information about case priority, please see Appendix A: Case Priority.
  5. Summary: think of this as the title of your support case. This should tell us at a glance what problem you’re observing or question you’re asking.
  6. In the Details field, indicate:
    1. whether, how, and how much the problem is impacting your business.
    2. exactly what problem you’ve observed or question you need answered. Remember to let us know when the problem occurred. Please provide as many relevant details as possible, such as specific alarms, log sources, agents, reports, and other items that were involved.
    3. what has changed in your environment in the hours or days leading up to the problem.

If you have a good idea which product component or components are having trouble, please attach to your case the appropriate log files (see Appendix B: Log Collecting). Be sure the log files have logs from at least a couple of hours before the problem was observed all the way through to the present, or the time when the problem went away.

Appendix A: Case Priority

This table is intended as a guide to understanding the appropriate setting of priorities for LogRhythm Support cases. Your selection of a priority will assist LogRhythm Support in serving you better, but will not guarantee any specific response or resolution times outside of what is specified in your LogRhythm maintenance contract.

PRIORITY DEFINITION - LOGRHYTHM SUPPORT

Business Impact

  • Priority 1 (Critical): Extensive - the entire LogRhythm product is not operational.
  • Priority 2 (High): Significant - one or more major features of the LogRhythm product are not operational or accessible.
  • Priority 3 (Medium): Moderate - a feature of the LogRhythm product is not working as documented.
  • Priority 4 (Low): Minimal - general questions and enhancement requests.

Technical Impact

  • Priority 1 (Critical): Complete or Major outage or degradation of the core LogRhythm application or the user-facing Web Console.
  • Priority 2 (High): Outage or degradation of one or more core components of the LogRhythm application or the user-facing Web Console.
  • Priority 3 (Medium): Moderate non-production outage or production degradation.
  • Priority 4 (Low): Issue has little to no impact on users or is isolated to a small number of users.

Work-Around

  • Priority 1 (Critical): There is no workaround or no acceptable workaround to effectively use or administer the LogRhythm product.
  • Priority 2 (High): There is no workaround or no acceptable workaround to effectively use or administer the impacted components of the LogRhythm product.
  • Priority 3 (Medium): There is an acceptable workaround to use or administer the LogRhythm product.
  • Priority 4 (Low): There is an acceptable workaround to use or administer the LogRhythm product.

Examples

System down or unavailable

Data Processor (DP) not accepting any Agent connections

Core component down or unavailable

  • Platform Manager (PM)
  • Data Indexer (DX)
  • Web Console (WC) complete outage
  • Advanced Intelligence Engine (AIE)

Multiple collection components down/backlogged

  • Data Collectors (DC)
  • System Monitor Agents (SMA)
  • Data Processors (DP)

Widespread performance degradation

  • Web Console searches not functioning
  • Log Sources not collecting
  • Alarms not functioning

Single collection component down/backlogged

  • Data Collector (DC)
  • System Monitor Agent (SMA)
  • Data Processor (DP)

Isolated issues

  • Slow Web Console searches for one/few users
  • Single Log Sources not collecting
  • Single alarm drill-downs failing

Parsing issues (parsing gap causing issues in production)

LogRhythm diagnostic events or errors

SmartResponse Plugin or Alarm troubleshooting

New Log Source configuration assistance

General questions

Upgrade guidance

Documentation questions

Parsing requests (Log Source still being on-boarded)

New device requests

Community-supported products (Beta)

Access to the Community or portals

Appendix B: Log Collecting

Platform Manager Issues

Alarming related issues:

C:\Program Files\LogRhythm\LogRhythm Alarming and Response Manager\scarm.log

Scheduled reports and AD Sync issues:

C:\Program Files\LogRhythm\LogRhythm Job Manager\lrjobmgr.log

SQL related issues / Log Manager indexing / Investigation issues (see Mediator logs):

C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\ERRORLOG

Agent connection/collection issues:

C:\Program Files\LogRhythm\LogRhythm System Monitor\logs\scsm.log

File Integrity Monitor issues:  

C:\Program Files\LogRhythm\LogRhythm System Monitor\logs\rtfim.log, filemon.log

Data Processor or Log Manager Issues

Mediator connection / processing / indexing / Investigation issues:

C:\Program Files\LogRhythm\LogRhythm Mediator Server\logs\scmedsvr.log, scmpe.log, lps_detail.log

Archiving issues:

C:\Program Files\LogRhythm\LogRhythm Mediator Server\logs\archive.log

AIE issues (see AIE Logs):

C:\Program Files\LogRhythm\LogRhythm Mediator Server\logs\lraiedp.log

Agent connection/collection issues:

C:\Program Files\LogRhythm\LogRhythm System Monitor\logs\scsm.log

File Integrity Monitor issues:  

C:\Program Files\LogRhythm\LogRhythm System Monitor\logs\rtfim.log, filemon.log

AIE Issues

Any AIE related issues:

C:\Program Files\LogRhythm\LogRhythm AI Engine\logs\LRAIEComMgr.log, LRAIEEngine.log

AIE Cache Drilldown:

C:\Program Files\LogRhythm\LogRhythm AI Engine Cache Drilldown\logs\LogRhythm AI Engine Cache Drilldown.log

AIE Notifications:

C:\Program Files\LogRhythm\LogRhythm Notification Services\logs\LogRhythm Notification Service.log

Agent connection/collection issues:

C:\Program Files\LogRhythm\LogRhythm System Monitor\logs\scsm.log

File Integrity Monitor issues:  

C:\Program Files\LogRhythm\LogRhythm System Monitor\logs\rtfim.log, filemon.log

Data Indexer Issues

Indexing/investigation issues:

Windows:

C:\Program Files\LogRhythm\Data Indexer\logs\gomaintain.log, columbo.log, carpenter.log, bulldozer.log

C:\Program Files\LogRhythm\Data Indexer\Elasticsearch\logs\logrhythm.log

C:\Program Files\LogRhythm\LogRhythm Common\logs\LogRhythm API Gateway.log, LogRhythm Service Registry.log, LogRhythm Metrics Collection.log

Linux:

/var/log/Elasticsearch/<Your DX Name Here>.log

/var/log/persistent/gomaintain.log, columbo.log, carpenter.log, bulldozer.log

Other Issues

Web Console:

C:\Program Files\LogRhythm\LogRhythm Web Services\logs\LogRhythm Case API.log, LogRhythm Threat Intelligence API.log, LogRhythm Web Console AP.log, LogRhythm Web Console UI.log, LogRhythm Web Indexer.log, LogRhythm Web Services Host API.log

LogRhythm Authentication Services:

C:\Program Files\LogRhythm\LogRhythm Authentication Services\logs\LogRhythm Authentication API.log, LogRhythm SQL Service.log, LogRhythm Windows Authentication Service.log