New Features

Functional Group



Customer EnhancementsLogRhythm Documentation Site

Explanation: A new online Help site,, has been launched with 7.5.0. The site replaces the existing online Help as well as the in-product Help file and serves as the source of truth for LogRhythm Help documentation for 7.5.0 and future releases, as well as other LogRhythm products such as SysMon, NetMon, Open Collector, and more. Customers who need to download PDFs for offline use can download them from the site.

Benefit: Moving the Help file to an online help provides a more modern interface for user Help, ensures that users always get the most current version of the product Help available, and eliminates confusion around whether users have the most recent version of the PDF Help.

Platform AdministrationRestricted Administrator Privileges

Explanation: Several changes were made to Restricted Administrator user privileges in 7.5.0, including new permissions around MPE Rule development, SmartResponse Plugins, user management, widget updates, and more.

Benefit: These users now have more expansive permissions to administrate the LR Console, while still retaining granular control over tasks.

Platform AdministrationSearch API

Explanation: The Search API is a new REST API used for searching the Web Indexer for logs and events. Users can submit a search and view the results to better interface with the data directly.

Benefit: With the ability to search logs and events through an API, users can integrate with third-party applications and custom applications designed for specific business needs.

Platform AdministrationThreat Map Permissions

Explanation: Access to the Threat Activity Map widget in the Web Console can be granted to Restricted Administrator roles that would not normally have this permission. Permission can be granted or restricted through the Management Permissions tab of the User Profile Manager or through the Admin API.

Benefit: Global Administrators can better customize user roles to fit organizational needs.

Platform AdministrationTrueIdentity APIs

Explanation: The Admin API has two additional endpoints for TrueIdentity: Merge and Retire.

Benefit: Users can perform basic administrative functions on Identities through the API.

Security AnalyticsLucene Search Helper

Explanation: The Web Console dashboard and widget filters now include a built-in Lucene search helper that provides syntax highlighting, field suggestions, and known values integrations.

Benefit: Users don't have to memorize field names or refer to a separate guide, and can therefore work more efficiently and accurately.

Security AnalyticsNode Link Graph

Explanation: The Node Link Graph widget has been added to the Web Console. It displays relationships present in log data, such as network traffic between a source and destination host or authentication between an origin user and a destination host.

Benefit: This type of visualization greatly helps a security analyst by presenting two dimensions present within log data, rather than a single point aggregation. This speeds up investigation workflow and makes dashboards and threat hunting more effective by giving the analyst a tool for identifying patterns and abnormalities visually. In the same manner, it can be useful for visualizing baseline and anomaly data from CloudAI.

Security AnalyticsTail in the Web Console

Explanation: The search dialog box in the Web Console provides the option to run a tail.

Benefit: This function is the first go-to method of determining if a search query is correct and also provides the easiest user friendly way of determining if logs are actively entering the system. It allows the user to watch real time logs that match a particular query.


  • The new host import file capabilities introduced in 7.4.9 are now available in the Admin API Host Import endpoint as well. 
  • Error messaging was added to the Log Source Virtualization Template Manager to alert users to the following conflicts:
    • User is attempting to import a template with the same name as a template already in the deployment.
    • User is attempting to import a template for a log source type that already has a template in the deployment
  • Users can now choose to only monitor Windows Flat File collection for a certain number of days.

  • The Windows Host Wizard now communicates on the appropriate port (636) for Secure LDAP.

  • .NET has been upgraded from 4.5.2 to 4.7.2.

  • The behavior of Client Console and Admin API in regard to Host Import (OS, OS Version, and Location) has now been synchronized.
  • Client Access Card (CAC) authentication has been updated to support the new Department of Defense (DoD) format.
    • Military users will need to activate their Personal Identity Verification (PIV) number if their CAC card was issued before February 2018. If it was issued after this date, the PIV is already activated.
    • Customers configure their CAC MFA in the LogRhythm Configuration Manager.
  • Several security vulnerabilities have been resolved with this version, including a SQL connection issue, improved input validation for a diagnostic process, and upgrading to the bzip2 library.

  • The min and max normal dates in searches are no longer padded to include the entire previous day to the min normal date and the end of the max normal day. For example, a search for "dateMin":"2020-05-10T08:00:00Z","dateMax":"2020-05-10T09:00:00Z" will no longer be padded to 2020-05-09T00:00:00.000Z to 2020-05-11T00:00:00.000Z.

Deprecated Features

No features were deprecated in this release.

Resolved Issues

Bug #Ticket #ComponentDescription
DE9986374263AdminAPIIn the Admin API, the PUT command was not working for the Hosts endpoint.
DE10930388911AgentW: AWSAn AWS S3 API permission issue was preventing logs from being collected even when users had access to the appropriate buckets.
DE10363380020, 384806AgentW: Event Log CollectionWhen collecting logs via Windows Event Forwarder (WEF), certain Event ID logs do not parse completely. For example, in log messages with XML formatting, the values for Level and Keywords may be missing.
DE10926388358Console: Active DirectoryActive Directory Domain Manager was missing some OUs during sync.
DE10076not applicableConsole: AIE Event Drill DownWhen the parsed value for any of the double fields (Amount, BytesIn, BytesOut, BytesInOut, ItemsPacktesIn, ItemsPacketsOut, ImpactedHostTotalPackets, Quantity, Rate, Size, Duration) was 0, the parsed value did not persist in the Data Indexer and could not be searched on or retrieved.
DE10299387201, 387235, 387214Console: AIE Rule ManagerEnabling AIE Data Segregation on multiple rules at once produced a SQL Timeout error.
DE3934361904, 365186Console: Custom Report Template WizardEditing a custom Log Summary reporting template with a calculated field produced an error: ""Index was outside the bounds of the Array.""

381076, 378219, 374946, 366016, 365236, 352939, 330895, 326409, 326074, 325392, 324141, 323222, 321641, 321025, 310934, 330895, 326409, 326074, 325392, 324141, 323222, 321641, 321025, 310934

Console: InvestigatorOn the Client Console login screen, investigations and tails produced the error “Invalid URI: The hostname could not be parsed” if a trailing space or slash was entered after the EMDB Server name.
DE3849369469Console: Log SourcesWhen bulk-changing the Log Source Type, the MPE Policy changed to BETA: Log Dedup Optimized.
DE10220380590, 389185Console: Log SourcesFor the log source "Syslog - Palo Alto Firewall," the “Host (Impacted) Kbytes Sent” field was being overwritten by the “Host (Impacted) Packets Rcvd” field.
DE10024375933, 371014Console: Windows Host WizardAdding a log source via Windows Host Wizard and assigning it to a remote agent produced an error: ""Unable to assign remote agent. Object reference not set to an instance of an object."" This issue occurred only on hosts that also had virtual log sources.
DE10080374931, 382316Console: Windows Host WizardUtilizing the AD Scan feature of the Windows Host Wizard, the AD domain connection was set to utilize Secure LDAP (TCP 636), but the scan failed because it was still attempting to utilize non-secure LDAP (TCP 389).
DE1015200379027Console: Windows Host WizardWindows Host Wizard failed to onboard the Log Source Type: "MS Windows Event Logging XML - Sysmon 8/9/10."
DE10865384554, 385877, 386184Doc: Other User DocThe Least Privileged User Guide did not accurately reflect permissions around certain Windows perflib registries.
DE1328353300, 357592EMDBIn certain situations, the SystemMonitorVersionHistory grew unbounded and impacted overall system performance.
DE1019362151JobMgr: AD Group-based authorizationA user disabled in an Active Directory group was still enabled after LogRhythm AD Group Sync.
DE1141332846, 332861, 333150, 335914, 347819JobMgr: List importWhen importing tab-separated lists, the list items appeared as one item in the Client Console List Manager.
DE1795358188LogRhythm Authentication APIUsernames containing an "@" symbol experienced issues with search funcationality in the LogRhythm Console.
DE10072377551, 370330, 392062Mediator: ArchivingWhen the Archive queue wrote to the state folder and it reached the maximum of 500,000 logs, it sent the Mediator into Suspend mode, disconnecting System Monitors and causing them to fail over to a secondary Mediator if available.
DE307375307, 388546, 391444Mediator: Archiving;Mediator: Data ManagementThe Mediator could write inactive archives to other Mediators' sub-directories.
DE2166189809, 310528Mediator: OtherWhen running a vulnerability scanner on the Data Processor, some users reported a vulnerability for Signature Algorithm : SHA-1 With RSA Encryption.
DE2269189809Mediator: OtherThe remote service was using a SSL/TLS certificate chain signed using a cryptographically weak hashing algorithm.
DE1782358667, 374532WC: AuthenticationUsernames containing an "@" symbol could not log in to the Web Console when using Multi-Factor Authentication (MFA).
DE1030374430WC: Web Console UIDetails for Alarm in the Inspector panel showed Host (Impacted) as [object Object] instead of host.
DE1047360826WC: Web Console UIIf a user name in the Web Console contained an "@" symbol, the Web UI ignored the Automatic Logout Time (Minutes) set in the LogRhythm Configuration Manager.

Known Issues

The following issues have each been found and reported by multiple users.

Bug #Found in VersionComponentDescriptionRelease Notes
DE60727.3.4APIsWhen using a 512-bit RSA-signed certificate, Case API and Admin API do not start due to an incomplete implementation of TLS 1.2. This typically happens when a GPO pushes the certificate to the server. 

Expected Results: Case API and Admin API should start when using any size certificate.

Workaround: Remove the server from the domain and reboot it. Verify that the 512-bit certificate has been removed, re-run the installers, and reboot. To avoid this issue, do not join the domain again or the certificate will be pushed out again. In addition, create a new certificate that uses a 384-bit (or less) hash or exclude the impacted system from the GPO that pushes the certificate.

DE102007.4.9APIsPowerShell scripts utilizing the Case and Admin APIs may stop working upon upgrade to 7.4.9 or later. This is due to an additional semicolon at the end of the valid content-type value. 

Expected Results: The extra semicolon, which is an optional valid separator in a content-type header, should not prevent scripts from working upon upgrade.

Workaround: There is no workaround for this issue at this time. A solution is being investigated for a future release.

DE13367.4.6AI EngineIn certain circumstances, the AIE Summary Fields are not populating in the AIE Notification emails. 

Expected Results: AIE Summary Fields should be displayed on all AIE Notification emails.

Workaround: View the AIE Summary Fields in the Alarm instead of the Notification email.

DE16067.3.5AI Engine When an AIE Rule with two rule blocks has an evaluation period of 0 seconds, the rule does not trigger as expected. 

Expected Results: AIE Rule Blocks should fire when they are triggered at the same time.

Workaround: As the behavior of simultaneous events is unpredictable and the use case for a 0-time interval is rare, LogRhythm does not plan to change this behavior at this time. To avoid the issue, set the evaluation period to 1 second.

DE18717.3.3AI EngineUnder conditions of load, AI Engine Rules that are written incorrectly can cause significant issues throughout the entire AIE server. 

Expected Results: Poorly written AIE Rules should be suspended until they are altered and re-enabled.

Workaround: Rewrite the AIE Rule for better performance. Often, this involves adding filters, reducing log sources, and modifying the logic. Tuning an AIE Rule requires expertise, so contact LogRhythm Training, Professional Services, or a Sales Engineer to assist if necessary. Additional solutions to identify and monitor poorly performing rules are being developed for a future release.

DE103137.4.9AI EngineIn rare circumstances, AIE Unique Value Rules misfire. 

Expected Results: AIE Rules fire as expected.

Workaround: There is no workaround at this time. LogRhythm is actively investigating the issue for a future release.

DE109467.4.9AI Engine, SmartResponse PluginWhen an AIE Alarm has an action including a SmartResponse Plugin, the execution is slow. 

Expected Results: Alarms should execute quickly as expected with other AIE Alarms.

Workaround: There is currently no workaround for this issue.

DE103977.4.8AI EngineIn certain circumstances, when an AIE Rule is evaluating an Observed block followed by a Not Observed block, alarms fire even if there are logs that indicate the second block was Observed. 

Expected Results: Alarms do not fire if a log is received for a Not Observed block.

Workaround: There is no workaround at this time. LogRhythm is investigating this issue for a future release.

DE9827.2.3Alarming, Job ManagerScheduled reports are not being sent to expected users, but the same users are able to receive alarm notifications. 

Expected Results: Users who are configured to be sent a scheduled report should receive it.

Workaround: Contact Technical Support for a development binary to resolve this issue.

DE108827.4.9AlarmingIn some circumstances, AIE Alarm notification emails are not sent and a ""5.7.3 Authentication Unsuccessful"" error appears in the log file. 

Expected Results: All AIE Alarm notification emails are received.

Workaround: Contact Technical Support for assistance in resolving this issue.

DE107687.4.9Installation ComponentsIn certain circumstances, the Data Processor runs slowly and the ""non-paged pool"" uses significant system memory. This can cause a large unprocessed logs queue or other backlog in the system. 

Expected Results: The "non-paged pool" should not increase and cause system performance issues.

Workaround: Restart the LogRhythm API Gateway service.

DE17377.4.9Installation Components In rare circumstances, Alarms may not be available in the Web Console or will stop triggering. Typically, this occurs directly after a configuration change to the ARM service. 

Expected Results: Alarms should continue to trigger and be displayed in the Web Console.

Workaround: Contact Technical Support for assistance, as there could be many reasons for this behavior beyond this defect. Support will help determine the root cause.

DE105697.4.10Installation Components In certain circumstances, when the Platform Manager reboots, the Data Processor and Data Indexer are not able to connect to consul and logs may not be indexed. 

Expected Results: The Data Processor and Data Indexer connect to Service Registry after a reboot of the Platform Manager.

Workaround: Manually restart the API Gateway and Service Registry services on the Data Indexer and Data Processor after a reboot of the Platform Manager.

DE76327.1.3Client Console Entities cannot be deleted from within the Client Console. 

Expected Results: Entities should be retireable and able to be hidden from view.

Workaround: Contact Technical Support to assist you in removing entities that are no longer needed.

DE46977.4.6Client ConsoleWhen running an investigation in the Client Console with Max Logs to Query set to 0 and the results set to export immediately, the following error appears: ""Error Exporting Investigation Results."" 

Expected Results: An investigation set to 0 for Max Logs to Query should be able to export.

Workaround: Set Max Logs to Query to a number other than 0.

DE110567.4.10Client ConsoleWhen investigating results in the Client Console, the Unconfigured TopX configuration menu does not appear upon right-click. 

Expected Results: When right-clicking the Unconfigured TopX section in the investigation results, a menu appears to allow for configuration of results.

Workaround: Utilize the Web Console to view results in a widget-type format.

DE107037.4.10Client Console, Installation ComponentsWhen running an investigation or report against LogMart, an error appears regarding LogMartLookupTableFieldName. Typically, this occurs when using the User Origin, User Impacted, Address, Domain, Hostname, Object, URL, or Vendor Message ID fields in the investigation or report. 

Expected Results: LogMart investigations succeed when using any of the fields available.

Workaround: Contact Technical Support for assistance in resolving this issue.

DE39327.4.7Client ConsoleAfter disabling Log Source Virtualization for a log source, users are unable to perform certain tasks on the System Monitor from which the log source is collected. 

Expected Results: Disabling Log Source Virtualization should not change the behavior of the System Monitor.

Workaround: This issue is caused by the scsm.ini file not being updated immediately. To work around it, refresh the Log Sources tab in the Client Console to force the .ini file to refresh.

DE101347.4.8Client ConsoleIn certain circumstances, existing Syslog log sources may show up as a new pending log source. 

Expected Results: After a log source is accepted, no pending log sources for the same IP address should be created.

Workaround: While there is no workaround for this issue, it is being actively investigated.

DE31957.3.4Client ConsoleWhen running a search in either the Client or Web Console, users see an error: ""Error fetching data - Gateway timeout."" 

Expected Results: When a search times out, a message should inform users and instruct them to re-run the search with a longer timeout.

Workaround: Increase the timeout on the query and re-run it.

DE40497.4.6Client ConsoleWhen running a report that contains User Origin Identity or User Impacted Identity fields, the report runs and provides data, but the Identity fields are not populated.

Expected Results: Identity data appears in reports that contain those fields.

Workaround: Run an investigation to provide the same information.

DE51857.3.4Client ConsoleThe Network (Impacted) field does not display on reports where it is included as a column, even though data appears in that field.

Expected Results: All chosen fields should appear on the report if they contain data.

Workaround: Running the report as an investigation yields the expected results in the Network (Impacted) column. LogRhythm is actively working on a solution to this issue in a future release.

DE76127.1.7Client ConsoleReports exported to .csv format are not formatted correctly. The headers are duplicated in each row as name/value pairs.

Expected Results: When exporting reports in .csv format, the column headers should not be repeated on each row.

Workaround: The report needs to be formatted to remove columns that show the column headers. In addition, LogRhythm data can be exported using Log Distribution Services (LDS).

DE106217.4.9Client ConsoleWhen an existing report template that includes the Normal Date field is edited, the Normal Date field disappears from the template until it is added again. 

Expected Results: When editing a report template, existing fields should remain unless they are explicitly removed.

Workaround: When editing a report template that contains the Normal Date field, add that field back to the template prior to saving it.

DE100137.4.7Client ConsoleWhen running a report against the Data Processor data source with a time period that contains only warm indices, the report returns no data. 

Expected Results: Searching against warm indices should return results whether the results are in hot or warm nodes.

Workaround: Contact Technical Support for assistance with this workaround.

DE18297.3.3Client Console There may be inconsistencies in the way a log parses through MPE processing and within the MPE Rule Builder. A log that parses without issue in the Rule Builder may not parse when run through MPE processing. This could be caused by rule match timeouts. 

Expected Results: The processing of a log should be the same whether it is parsed in Rule Builder or MPE.

Workaround: Change the sub-rule to use a different tag, such as <Tag1>. If you are experiencing this issue, ensure that you are not using a custom Log Processing Policy and that there are no MPE timeouts. If issues persist, contact Technical Support and reference this bug number (DE1829) or its sister defect (DE1651).

DE33857.3.2Data IndexerThe DX Diagnostic logs are firing too often. 

Expected Results: The Diagnostic logs should be tuned to alarm less frequently.

Workaround: There is no workaround for this issue at this time.

DE27537.4.4Data IndexerWhen re-running the LogRhythm Infrastructure Installer (LRII) after the initial upgrade, the LogRhythm DX - Cluster Templating Service (consul-template) may remain in a paused state and not start up. 

Expected Results: All services, regardless of version, should start after an upgrade.

Workaround: Re-run the Data Indexer component installer.

DE26897.4.4Data IndexerAlarms for ""Indexer Cluster Health Excessive Warnings"" are generated when the Data Indexer cluster health changes from green to yellow during EMDB list maintenance. This can cause concern when there is no actual issue on the system. 

Expected Results: An alarm should only generate when the cluster health changes to red.

Workaround: Edit the impacted alarm to suppress for 24 hours or disable that alarm.

DE110157.4.10Installation ComponentsSQL Database autogrowth settings are too small, causing fragmentation and performance issues. 

Expected Results: Autogrowth increases in larger increments so it does not cause fragmentation.

Workaround: Set the autogrowth settings to the following:

  • EMDB: 256 MB
  • Events: 1 GB
  • Alarms: 256 MB
  • LogMart: 256 MB
  • CMDB: 256 MB
DE93677.4.7Installation Components, Job ManagerSQL Server deadlocks causing missed heartbeats on AI Engine. 

Expected Results: Deadlocks should not cause a missed heartbeat alarm.

Workaround: While there is no workaround for this issue, LogRhythm is investigating a solution.

DE2607.4.7Installation Components, Job ManagerIn certain circumstances, customers may receive an alarm for a missed heartbeat on the AI Engine. This can stem from a deadlock on resources in SQL.

Expected Results: SQL deadlock issues should not cause a missed heartbeat.

Workaround: While there is no known workaround, this issue is being actively investigated for a solution.

DE10137.4.7Job ManagerReports are not completing when a large set of data is required. This is due to a limitation within Crystal Reports. 

Expected Results: The Client Console should provide an alternate way to retrieve the data if Crystal Reports is not able to render it.

Workaround: Decrease the amount of data the report is trying to retrieve or export the data instead.

DE18792.4LogRhythm DiagnosticsThe LogRhythm Diagnostics Report shows the last backup information incorrectly. 

Expected Results: The report should show the accurate last backup time for each database.

Workaround: Review the backup information in SQL Server Management Studio.

DE17507.4.6Installation Components, Web ConsoleIn certain circumstances, the Web Console may show a 500 Error page. Typically, this occurs overnight when new service tokens are created for authentication.

Expected Results: Authentication services for Web Console should not be interrupted by the change to the new tokens.

Workaround: Restarting the LogRhythm Authentication API on the Platform Manager mitigates this issue until the next time it occurs.

DE19687.2.5MediatorProcessing of Archive .bin files is sometimes delayed during heavy load and can back up at the Mediator, filling the hard drive. 

Expected Results: Archives should process, seal, and move out of the Unprocessed Archives folder as long as the processing rate is at or below the system specification.

Workaround: Evaluate system sizing and consider an expansion to meet active load demands. In some systems, increasing the ArchiveSize setting in the Data Processor Advanced Properties to 51200 (from the default value of 10240) can help process archive files faster. If necessary, move large files out of the Unprocessed Archives folder to another drive and slowly feed them back in when the system is successfully processing the live data. A more permanent solution to this issue will be provided in a future release.

DE101827.4.10MediatorIf the network share that is used to store Inactive Archives becomes unavailable, the Mediator goes into a suspended state. 

Expected Results: The Mediator continues to process and move archive files to inactive when the connection is restored.

Workaround: Ensure that the account the Mediator service is running as has permission to access the network location.

DE16407.3.5MediatorThe AIE Data Provider service does not start up correctly unless the Mediator service is also stopped and restarted. Because logging is inconsistent, users may not know that the service has failed to start properly. 

Expected Results: The AIE Data Provider service should start consistently and as expected. Failures should be consistently logged to alert when the service did not start correctly.

Workaround: Restart the Mediator service to allow the AIE Data Provider service to start. A more permanent solution to this issue is being evaluated for a future release.

DE19757.4.6MediatorAfter importing a LogRhythm License file with special characters in the name, the Mediator service fails to start. 

Expected Results: Special characters should not cause the Mediator service to not start.

Workaround: Contact Technical Support to get a license file without special characters in the name.

DE105821.9.2Threat Intelligence ServiceURLHAUS Bad Hash feed download is failing while parsing due to the content being distributed in a .zip file instead of a text file.

Expected Results: Data from URLHAUSE imports without errors.

Workaround: While there is no workaround for this issue, LogRhythm is actively investigating a solution.

DE397.4.5TrueIdentity Sync ClientThe TrueIdentity Sync may fail if attempting to run with a large number of users (greater than approximately 10,000).

Expected Results: The TrueIdentity Sync Client should work for any number of users.

Workaround: While there is no workaround for this issue, the next release of the Sync Client will be able to support larger AD environments.

DE53127.4.3TrueIdentity Sync ClientThe OU/DC filter in the TrueIdentity Sync Client does not allow white space. 

Expected Results: White space should be allowed in the OU/DC filter.

Workaround: While there is no workaround for this issue, LogRhythm is investigating a resolution for a future release.

DE72637.4.2Web ConsoleWhen exporting the results of an Investigation to .csv from the Web Console Analyzer Grid, the date values in the first and last rows are exported as UNIX-formatted large integers rather than simple dates. 

Expected Results: All data contained in the .csv export should be valid and match the data displayed in the Web Console.

Workaround: Export the same investigation from the Client Console or manually adjust the first and last date post export. LogRhythm is investigating a solution to this issue.

DE104037.4.9Web ConsoleThe Web Console Current Processing Rate widget does not showing the correct rate. It does not include messages older than 3 minutes in the rate determined. 

Expected Results: The Current Processing Rate widget shows all logs being processed.

Workaround: Resolve any log source issues that are causing old logs to be ingested, or use Grafana or Performance Counters to check the current processing rate.

DE104427.4.9Web ConsoleWhen viewing NetMon logs in the Web Console using Internet Explorer, the Download PCAP button does not appear. 

Expected Results: The Download PCAP button appears when reviewing NetMon logs.

Workaround: Reload the frame with the Download PCAP button to activate it.

DE13347.3.3Web ConsoleCustomers who have integrated NetMon into the Web Console may encounter a condition where the PCAP has aged out, but the user interface indicates that it is still available. Attempting to download the PCAP results in an ""unclassified failure"" message. 

Expected Results: When users try to download a PCAP that is no longer available on disk, the error message should provide that detail instead of an unclassified failure.

Workaround: The error message will be changed in a future release. There are two simple troubleshooting steps to identify if the PCAP exists or if other issues are occurring in the integration: Log in to NetMon directly and verify if the selected PCAP has already aged out or should be available on disk. Recreate the API key for the selected NetMon and update the NetMon configuration in the Deployment Manager.

DE12387.4.2Web ConsoleWhen copying a Top X widget to another dashboard, all configuration is lost after saving and refreshing the target dashboard. 

Expected Results: When copying widgets, all settings should remain.

Workaround: Users can add a new widget to the dashboard and configure it manually to work around this issue. This issue is still being actively investigated and will be resolved in a future release.

DE11987.4.6Web ConsoleWhen downloading large NetMon PCAPs from the Web Console, there may be delays to the initial download, increased memory usage, or timeouts. 

Expected Results: The Web Console should not time out when downloading large PCAP files.

Workaround: Change the time out setting in the Configuration Manager.

DE5147.4.3Web ConsoleWhen viewing TrueIdentity records in the Web Console, 1,000 records are shown at once. Scrolling past that initial 1,000 records produces the error message: ""Failed to fetch Identities: Bad Request."" 

Expected Results: Users should be able to scroll through all TrueIdentity records in the Web Console.

Workaround: Using filters to find specific data in the TrueIdentity page prevents the error message from showing and helps find data more quickly. LogRhythm is working on a resolution for a future release.