New Features

No new features were added in this release.

Improvements

  • Hardened LRCrypt DLL to align with industry best practices.
  • Resolved several security vulnerabilities: 
    • Added response headers to Data Indexer and API gateway requests.
    • Changed requirements for adding empty notes in the Web Console UI.
    • Limited the maximum duration of SSL certificates to 825 days. 

Deprecated Features

No features were deprecated in this release.

Resolved Issues

Bug #Ticket #ComponentDescription
DE10367379395Data IndexerThe Data Indexer parameter Days Before Force Merge can now be set to a value below 10.
DE10613378511Windows Agent: Flat File Log CollectionAfter source files are deleted from the flat file path directory, Agent now removes associated .info files and folders from the Agent state directory for compressed flat files.
DE10699387837API Gateway

LogRhythm API gateway requests now include the following response headers to protect against known vulnerabilities:

  • X-Frame-Options
  • X-XSS-Protection
  • Content Security Policy
  • X-Content-Type-Options
  • Strict-Transport-Security
For more information on secure response headers, see https://owasp.org/www-project-secure-headers/#tab=Headers.
DE10700387837API Gateway

LogRhythm-generated API gateway SSL certificates now have a maximum duration of 825 days to comply with industry recommendations. For more information, see https://www.ssl.com/blogs/ssl-certificate-maximum-duration-825-days.

DE10702387837LCM: Data Indexer

LogRhythm-generated Data Indexer SSL certificates now have a maximum duration of 825 days to comply with industry recommendations. For more information, see https://www.ssl.com/blogs/ssl-certificate-maximum-duration-825-days.

DE10857

390390

WC: Web Console UI

The LogRhythm Web Console UI now requires users to include at least one space between quotation marks (" ") when adding an empty note. 

DE10881387837Data Indexer

LogRhythm Data Indexer requests to Grafana, AllConf, and InfluxDB now include the following response headers to protect against known vulnerabilities:

  • X-Frame-Options
  • X-XSS-Protection
  • Content Security Policy
  • X-Content-Type-Options
  • Strict-Transport-Security

For more information on secure response headers, see https://owasp.org/www-project-secure-headers/#tab=Headers.

DE11049not applicableSearch API, WC: Web Indexer

When working with multiple Web Console instances, Search API no longer returns inconsistent data.

DE11111383943, 393528, 390070

Console: Agents, Agent: Others

The limit for Agent parameter FlushBatch has been increased from 10000 to 50000.

DE11119387671WC: Node Link Graph

The Web Console UI no longer sends the Web Indexer invalid height and width values for the Node Link Graph (NLG) widget.

Known Issues

The following issues have each been found and reported by multiple users.

Bug #Found in VersionComponentDescriptionRelease Notes
DE12887.4.6AI EngineWhen an AIE Rule uses the Host (Impacted) or Host (Origin) in the Group By block, the rule misfires.

Expected Results: AIE Rules should not fire if the rule block relationship is not met.

Workaround: Change the Host (origin) or Host (impacted) fields to IP Address, and the AIE Rule works as expected.

DE13367.4.6AI EngineIn certain circumstances, the AIE Summary Fields are not populating in the AIE Notification emails. 

Expected Results: AIE Summary Fields should be displayed on all AIE Notification emails.

Workaround: View the AIE Summary Fields in the Alarm instead of the Notification email.

DE16067.3.5AI Engine When an AIE Rule with two rule blocks has an evaluation period of 0 seconds, the rule does not trigger as expected. 

Expected Results: AIE Rule Blocks should fire when they are triggered at the same time.

Workaround: As the behavior of simultaneous events is unpredictable and the use case for a 0-time interval is rare, LogRhythm does not plan to change this behavior at this time. To avoid the issue, set the evaluation period to 1 second.

DE18717.3.3AI EngineUnder conditions of load, AI Engine Rules that are written incorrectly can cause significant issues throughout the entire AIE server. 

Expected Results: Poorly written AIE Rules should be suspended until they are altered and re-enabled.

Workaround: Rewrite the AIE Rule for better performance. Often, this involves adding filters, reducing log sources, and modifying the logic. Tuning an AIE Rule requires expertise, so contact LogRhythm Training, Professional Services, or a Sales Engineer to assist if necessary. Additional solutions to identify and monitor poorly performing rules are being developed for a future release.

DE103137.4.9AI EngineIn rare circumstances, AIE Unique Value Rules misfire. 

Expected Results: AIE Rules fire as expected.

Workaround: There is no workaround at this time. LogRhythm is actively investigating the issue for a future release.

DE103977.4.8AI EngineIn certain circumstances, when an AIE Rule is evaluating an Observed block followed by a Not Observed block, alarms fire even if there are logs that indicate the second block was Observed. 

Expected Results: Alarms do not fire if a log is received for a Not Observed block.

Workaround: There is no workaround at this time. LogRhythm is investigating this issue for a future release.

DE109467.4.9AI Engine, SmartResponse PluginWhen an AIE Alarm has an action including a SmartResponse Plugin, the execution is slow. 

Expected Results: Alarms should execute quickly as expected with other AIE Alarms.

Workaround: There is currently no workaround for this issue.

DE9827.2.3Alarming, Job ManagerScheduled reports are not being sent to expected users, but the same users are able to receive alarm notifications. 

Expected Results: Users who are configured to be sent a scheduled report should receive it.

Workaround: Contact Technical Support for a development binary to resolve this issue.

DE108827.4.9AlarmingIn some circumstances, AIE Alarm notification emails are not sent and a ""5.7.3 Authentication Unsuccessful"" error appears in the log file. 

Expected Results: All AIE Alarm notification emails are received.

Workaround: Contact Technical Support for assistance in resolving this issue.

DE11098

7.4.9,

7.4.10

ARM: NotificationsWhen using a SMTP server with SSL authentication, the Alarming and Response Manager fails to send alarm notifications.

Expected Results: The Alarming and Response Manager should able to send alarm notifications using any SMTP server and SSL authentication.

Workaround: There is currently no workaround for this issue.

DE60727.3.4APIsWhen using a 512-bit RSA-signed certificate, Case API and Admin API do not start due to an incomplete implementation of TLS 1.2. This typically happens when a GPO pushes the certificate to the server. 

Expected Results: Case API and Admin API should start when using any size certificate.

Workaround: Remove the server from the domain and reboot it. Verify that the 512-bit certificate has been removed, re-run the installers, and reboot. To avoid this issue, do not join the domain again or the certificate will be pushed out again. In addition, create a new certificate that uses a 384-bit (or less) hash or exclude the impacted system from the GPO that pushes the certificate.

DE102007.4.9APIsPowerShell scripts utilizing the Case and Admin APIs may stop working upon upgrade to 7.4.9 or later. This is due to an additional semicolon at the end of the valid content-type value. 

Expected Results: The extra semicolon, which is an optional valid separator in a content-type header, should not prevent scripts from working upon upgrade.

Workaround: There is no workaround for this issue at this time. A solution is being investigated for a future release.

DE18297.3.3Client Console There may be inconsistencies in the way a log parses through MPE processing and within the MPE Rule Builder. A log that parses without issue in the Rule Builder may not parse when run through MPE processing. This could be caused by rule match timeouts. 

Expected Results: The processing of a log should be the same whether it is parsed in Rule Builder or MPE.

Workaround: Change the sub-rule to use a different tag, such as <Tag1>. If you are experiencing this issue, ensure that you are not using a custom Log Processing Policy and that there are no MPE timeouts. If issues persist, contact Technical Support and reference this bug number (DE1829) or its sister defect (DE1651).

DE31957.3.4Client ConsoleWhen running a search in either the Client or Web Console, users see an error: ""Error fetching data - Gateway timeout."" 

Expected Results: When a search times out, a message should inform users and instruct them to re-run the search with a longer timeout.

Workaround: Increase the timeout on the query and re-run it.

DE39327.4.7Client ConsoleAfter disabling Log Source Virtualization for a log source, users are unable to perform certain tasks on the System Monitor from which the log source is collected. 

Expected Results: Disabling Log Source Virtualization should not change the behavior of the System Monitor.

Workaround: This issue is caused by the scsm.ini file not being updated immediately. To work around it, refresh the Log Sources tab in the Client Console to force the .ini file to refresh.

DE40497.4.6Client ConsoleWhen running a report that contains User Origin Identity or User Impacted Identity fields, the report runs and provides data, but the Identity fields are not populated.

Expected Results: Identity data appears in reports that contain those fields.

Workaround: Run an investigation to provide the same information.

DE46977.4.6Client ConsoleWhen running an investigation in the Client Console with Max Logs to Query set to 0 and the results set to export immediately, the following error appears: ""Error Exporting Investigation Results."" 

Expected Results: An investigation set to 0 for Max Logs to Query should be able to export.

Workaround: Set Max Logs to Query to a number other than 0.

DE51857.3.4Client ConsoleThe Network (Impacted) field does not display on reports where it is included as a column, even though data appears in that field.

Expected Results: All chosen fields should appear on the report if they contain data.

Workaround: Running the report as an investigation yields the expected results in the Network (Impacted) column. LogRhythm is actively working on a solution to this issue in a future release.

DE76127.1.7Client ConsoleReports exported to .csv format are not formatted correctly. The headers are duplicated in each row as name/value pairs.

Expected Results: When exporting reports in .csv format, the column headers should not be repeated on each row.

Workaround: The report needs to be formatted to remove columns that show the column headers. In addition, LogRhythm data can be exported using Log Distribution Services (LDS).

DE76327.1.3Client Console Entities cannot be deleted from within the Client Console. 

Expected Results: Entities should be retireable and able to be hidden from view.

Workaround: Contact Technical Support to assist you in removing entities that are no longer needed.

DE100137.4.7Client ConsoleWhen running a report against the Data Processor data source with a time period that contains only warm indices, the report returns no data. 

Expected Results: Searching against warm indices should return results whether the results are in hot or warm nodes.

Workaround: Contact Technical Support for assistance with this workaround.

DE101347.4.8Client ConsoleIn certain circumstances, existing Syslog log sources may show up as a new pending log source. 

Expected Results: After a log source is accepted, no pending log sources for the same IP address should be created.

Workaround: While there is no workaround for this issue, it is being actively investigated.

DE106217.4.9Client ConsoleWhen an existing report template that includes the Normal Date field is edited, the Normal Date field disappears from the template until it is added again. 

Expected Results: When editing a report template, existing fields should remain unless they are explicitly removed.

Workaround: When editing a report template that contains the Normal Date field, add that field back to the template prior to saving it.

DE110567.4.10Client ConsoleWhen investigating results in the Client Console, the Unconfigured TopX configuration menu does not appear upon right-click. 

Expected Results: When right-clicking the Unconfigured TopX section in the investigation results, a menu appears to allow for configuration of results.

Workaround: Utilize the Web Console to view results in a widget-type format.

DE107037.4.10Client Console, Installation ComponentsWhen running an investigation or report against LogMart, an error appears regarding LogMartLookupTableFieldName. Typically, this occurs when using the User Origin, User Impacted, Address, Domain, Hostname, Object, URL, or Vendor Message ID fields in the investigation or report. 

Expected Results: LogMart investigations succeed when using any of the fields available.

Workaround: Contact Technical Support for assistance in resolving this issue.

DE38397.4.8Client Console: Second LookIn certain circumstances after running a Second Look restore, an error appears stating there is an issue with the Min and Max Ticks.

Expected Results: Second Look restore should run with out errors.

Workaround: There is currently no workaround for this issue.

DE26897.4.4Data IndexerAlarms for ""Indexer Cluster Health Excessive Warnings"" are generated when the Data Indexer cluster health changes from green to yellow during EMDB list maintenance. This can cause concern when there is no actual issue on the system. 

Expected Results: An alarm should only generate when the cluster health changes to red.

Workaround: Edit the impacted alarm to suppress for 24 hours or disable that alarm.

DE27537.4.4Data IndexerWhen re-running the LogRhythm Infrastructure Installer (LRII) after the initial upgrade, the LogRhythm DX - Cluster Templating Service (consul-template) may remain in a paused state and not start up. 

Expected Results: All services, regardless of version, should start after an upgrade.

Workaround: Re-run the Data Indexer component installer.

DE33857.3.2Data IndexerThe DX Diagnostic logs are firing too often. 

Expected Results: The Diagnostic logs should be tuned to alarm less frequently.

Workaround: There is no workaround for this issue at this time.

DE17377.4.9Installation Components In rare circumstances, Alarms may not be available in the Web Console or will stop triggering. Typically, this occurs directly after a configuration change to the ARM service. 

Expected Results: Alarms should continue to trigger and be displayed in the Web Console.

Workaround: Contact Technical Support for assistance, as there could be many reasons for this behavior beyond this defect. Support will help determine the root cause.

DE105697.4.10Installation Components In certain circumstances, when the Platform Manager reboots, the Data Processor and Data Indexer are not able to connect to consul and logs may not be indexed. 

Expected Results: The Data Processor and Data Indexer connect to Service Registry after a reboot of the Platform Manager.

Workaround: Manually restart the API Gateway and Service Registry services on the Data Indexer and Data Processor after a reboot of the Platform Manager.

DE107687.4.9Installation ComponentsIn certain circumstances, the Data Processor runs slowly and the ""non-paged pool"" uses significant system memory. This can cause a large unprocessed logs queue or other backlog in the system. 

Expected Results: The "non-paged pool" should not increase and cause system performance issues.

Workaround: Restart the LogRhythm API Gateway service.

DE110157.4.10Installation ComponentsSQL Database autogrowth settings are too small, causing fragmentation and performance issues. 

Expected Results: Autogrowth increases in larger increments so it does not cause fragmentation.

Workaround: Set the autogrowth settings to the following:

  • EMDB: 256 MB
  • Events: 1 GB
  • Alarms: 256 MB
  • LogMart: 256 MB
  • CMDB: 256 MB
DE2607.4.7Installation Components, Job ManagerIn certain circumstances, customers may receive an alarm for a missed heartbeat on the AI Engine. This can stem from a deadlock on resources in SQL.

Expected Results: SQL deadlock issues should not cause a missed heartbeat.

Workaround: While there is no known workaround, this issue is being actively investigated for a solution.

DE93677.4.7Installation Components, Job ManagerSQL Server deadlocks causing missed heartbeats on AI Engine. 

Expected Results: Deadlocks should not cause a missed heartbeat alarm.

Workaround: While there is no workaround for this issue, LogRhythm is investigating a solution.

DE17507.4.6Installation Components, Web ConsoleIn certain circumstances, the Web Console may show a 500 Error page. Typically, this occurs overnight when new service tokens are created for authentication.

Expected Results: Authentication services for Web Console should not be interrupted by the change to the new tokens.

Workaround: Restarting the LogRhythm Authentication API on the Platform Manager mitigates this issue until the next time it occurs.

DE10137.4.7Job ManagerReports are not completing when a large set of data is required. This is due to a limitation within Crystal Reports. 

Expected Results: The Client Console should provide an alternate way to retrieve the data if Crystal Reports is not able to render it.

Workaround: Decrease the amount of data the report is trying to retrieve or export the data instead.

DE110247.4.7Job Manager: AD SynchronizationThe Active Directory Domain Manager is unable to sync with Secure LDAP.

Expected Results: The Active Directory Domain Manager should sync successfully with Secure LDAP.

Workaround: There is currently no workaround for this issue.

DE99957.4.6Job Manager: Scheduled ReportingScheduled reports are sent to a disabled account if an email is attached to the disabled account.

Expected Results: Scheduled reports should not be sent to disabled accounts.

Workaround: There is currently no workaround for this issue.

DE11097

7.4.9,

7.4.10

Job Manager: Scheduled ReportingWhen using Gmail SMTP with SSL authentication, the Job Manager fails to send scheduled reports.

Expected Results: The Job Manager should able to send scheduled reports using any SMTP server and SSL authentication.

Workaround: There is currently no workaround for this issue.

DE18792.4LogRhythm DiagnosticsThe LogRhythm Diagnostics Report shows the last backup information incorrectly. 

Expected Results: The report should show the accurate last backup time for each database.

Workaround: Review the backup information in SQL Server Management Studio.

DE16407.3.5MediatorThe AIE Data Provider service does not start up correctly unless the Mediator service is also stopped and restarted. Because logging is inconsistent, users may not know that the service has failed to start properly. 

Expected Results: The AIE Data Provider service should start consistently and as expected. Failures should be consistently logged to alert when the service did not start correctly.

Workaround: Restart the Mediator service to allow the AIE Data Provider service to start. A more permanent solution to this issue is being evaluated for a future release.

DE19687.2.5MediatorProcessing of Archive .bin files is sometimes delayed during heavy load and can back up at the Mediator, filling the hard drive. 

Expected Results: Archives should process, seal, and move out of the Unprocessed Archives folder as long as the processing rate is at or below the system specification.

Workaround: Evaluate system sizing and consider an expansion to meet active load demands. In some systems, increasing the ArchiveSize setting in the Data Processor Advanced Properties to 51200 (from the default value of 10240) can help process archive files faster. If necessary, move large files out of the Unprocessed Archives folder to another drive and slowly feed them back in when the system is successfully processing the live data. A more permanent solution to this issue will be provided in a future release.

DE19757.4.6MediatorAfter importing a LogRhythm License file with special characters in the name, the Mediator service fails to start. 

Expected Results: Special characters should not cause the Mediator service to not start.

Workaround: Contact Technical Support to get a license file without special characters in the name.

DE101827.4.10MediatorIf the network share that is used to store Inactive Archives becomes unavailable, the Mediator goes into a suspended state. 

Expected Results: The Mediator continues to process and move archive files to inactive when the connection is restored.

Workaround: Ensure that the account the Mediator service is running as has permission to access the network location.

DE105821.9.2Threat Intelligence ServiceURLHAUS Bad Hash feed download is failing while parsing due to the content being distributed in a .zip file instead of a text file.

Expected Results: Data from URLHAUSE imports without errors.

Workaround: While there is no workaround for this issue, LogRhythm is actively investigating a solution.

DE111971.9.2Threat Intelligence Service

When using the PhishTank TIS feed, users may receive error messages in Carpenter or Columbo indicating a parsing error or an EMDB sync failure.

Expected Results: Users should not receive errors when using the PhishTank TIS feed.

Workaround: If you receive the EMDB Sync failure message, perform the following steps:

  1. On the main toolbar in the Client Console, click List Manager.
  2. In the Name column of the List Manager grid, double-click on the PhishTank-URL-Phishing-All list.
    The List Properties window appears.
  3. On the Basic Information tab under Auto Import, deselect the Enable check box.
  4. On the List Items tab at the bottom, click Export items.
  5. Save the exported file as a .txt file.
  6. Open the saved .txt file with a text editor (for example, NotePad++).
  7. If using NotePad++ text editor, click View, then click Show Symbol, and then select Show All Characters.
  8. Search for the following value in the list without quotes:

    The two URLs below have been identified as threats. Do not access them.

    https://shop.hostingdude.com/?q= http://take-away1.com/sms/olb

  9. Notice there is a tab character between the two URLs. Delete the tab character.
  10. Save the .txt file.
  11. Follow steps 1 and 2 above to return to the List Properties window for the PhishTank-URL-Phishing-All list.
  12. On the List Items tab at the bottom, click Import items.
    The Import List window appears.
  13. Select the Replace existing items check box, and then click Import Text File.
  14. Select the .txt file you saved in step 10 above, and then click Open.
    The new .txt file will overwrite the existing list.

    Do not enable Auto Import for the PhishTank-URL-Phishing-All list, as this could possibly re-import the bad URLs that you removed in step 8 above.

DE397.4.5TrueIdentity Sync ClientThe TrueIdentity Sync may fail if attempting to run with a large number of users (greater than approximately 10,000).

Expected Results: The TrueIdentity Sync Client should work for any number of users.

Workaround: While there is no workaround for this issue, the next release of the Sync Client will be able to support larger AD environments.

DE53127.4.3TrueIdentity Sync ClientThe OU/DC filter in the TrueIdentity Sync Client does not allow white space. 

Expected Results: White space should be allowed in the OU/DC filter.

Workaround: While there is no workaround for this issue, LogRhythm is investigating a resolution for a future release.

DE5147.4.3Web ConsoleWhen viewing TrueIdentity records in the Web Console, 1,000 records are shown at once. Scrolling past that initial 1,000 records produces the error message: ""Failed to fetch Identities: Bad Request."" 

Expected Results: Users should be able to scroll through all TrueIdentity records in the Web Console.

Workaround: Using filters to find specific data in the TrueIdentity page prevents the error message from showing and helps find data more quickly. LogRhythm is working on a resolution for a future release.

DE11987.4.6Web ConsoleWhen downloading large NetMon PCAPs from the Web Console, there may be delays to the initial download, increased memory usage, or timeouts. 

Expected Results: The Web Console should not time out when downloading large PCAP files.

Workaround: Change the time out setting in the Configuration Manager.

DE12387.4.2Web ConsoleWhen copying a Top X widget to another dashboard, all configuration is lost after saving and refreshing the target dashboard. 

Expected Results: When copying widgets, all settings should remain.

Workaround: Users can add a new widget to the dashboard and configure it manually to work around this issue. This issue is still being actively investigated and will be resolved in a future release.

DE13347.3.3Web ConsoleCustomers who have integrated NetMon into the Web Console may encounter a condition where the PCAP has aged out, but the user interface indicates that it is still available. Attempting to download the PCAP results in an ""unclassified failure"" message. 

Expected Results: When users try to download a PCAP that is no longer available on disk, the error message should provide that detail instead of an unclassified failure.

Workaround: The error message will be changed in a future release. There are two simple troubleshooting steps to identify if the PCAP exists or if other issues are occurring in the integration: Log in to NetMon directly and verify if the selected PCAP has already aged out or should be available on disk. Recreate the API key for the selected NetMon and update the NetMon configuration in the Deployment Manager.

DE72637.4.2Web ConsoleWhen exporting the results of an Investigation to .csv from the Web Console Analyzer Grid, the date values in the first and last rows are exported as UNIX-formatted large integers rather than simple dates. 

Expected Results: All data contained in the .csv export should be valid and match the data displayed in the Web Console.

Workaround: Export the same investigation from the Client Console or manually adjust the first and last date post export. LogRhythm is investigating a solution to this issue.

DE104037.4.9Web ConsoleThe Web Console Current Processing Rate widget does not showing the correct rate. It does not include messages older than 3 minutes in the rate determined. 

Expected Results: The Current Processing Rate widget shows all logs being processed.

Workaround: Resolve any log source issues that are causing old logs to be ingested, or use Grafana or Performance Counters to check the current processing rate.

DE104427.4.9Web ConsoleWhen viewing NetMon logs in the Web Console using Internet Explorer, the Download PCAP button does not appear. 

Expected Results: The Download PCAP button appears when reviewing NetMon logs.

Workaround: Reload the frame with the Download PCAP button to activate it.

DE112037.5.0Web Console: Lucene Helper, Web Console UIWhen clearing multiple filters in the Web Console Analyze Grid, the logs in the grid do not refresh to align with the remaining active filters.

Expected Results: The logs in the Web Console Analyze Grid should align with active filters.

Workaround: Remove the custom filter in the Lucene panel, and the logs will refresh correctly.