New Features

Functional GroupFeatureDescription
Platform AdministrationWeb Console Single Sign-On

Explanation: Web Console Single Sign-On (SSO) adds the ability to use an external Identity Provider (IdP) to authenticate and authorize users who have been granted the right to use the LogRhythm SAML app for the IdP. This works for existing and new users, allowing users to provision accounts directly on the Web Console without provisioning in the Client Console.

Benefit: This feature provides a modern login experience that is easier to manage and adds a new layer of security to our product. For companies that are already leveraging the benefits of a SSO IdP, administrators can more easily control, provision, and remove access to users. SSO also includes the ability to auto-provision users in the Client Console via first-time SSO logins.

Platform AdministrationData Indexer Updates

Explanation: The LogRhythm Data Indexer (DX) is now installed with Elasticsearch 6.8.3. Grafana has been integrated with Centralized Metrics, and the DX configuration can now be completed through the Configuration Manager. A new installer for 2XDX (Node Installer) has been created to make it easier to install this configuration.

Benefit: The upgrade to Elasticsearch 6.8.3 includes many security and bug fixes, in addition to compatibility with more recent versions of Kibana. The movement of AllConf into the Configuration Manager and Grafana into Centralized Metrics enables users to configure and monitor a deployment in one place.


  • The default dashboards in the Web console have been updated. The Executive Dashboard, The IT Operations Dashboard, The Security Analyst Dashboard and the default analyze pages have been updated with new and different widgets with added colors.
  • Added additional permissions for Restricted Administrator users to allow them to manage and support Cases and Case Widgets. This is an addition to the permissions set for the existing Restricted Administrator User Profile.  This allows administrators to further customize the permissions available to Restricted Administrators, and gives the administrator the flexibility to use the correct permissions for each Restricted Administrator User Profile. This is especially beneficial for LR Cloud customers as it gives them the ability to add Case Management into their permission set.  It is also beneficial for other large environments where permissions are managed by role.  
  • Fixed a web socket vulnerability that potentially allowed a request to run a SmartResponse be highjacked and submitted by a user who lacked the proper permissions. 

Deprecated Features

No features were deprecated in this release.

Resolved Issues

Bug #Ticket #ComponentDescription
DE1079347503JobMgr: Scheduled ReportingThere are no longer any issues with reporting when the entity field is selected.
DE4697351190, 368705, 394027JClient ConsoleAn investigation in the Client Console with Max Logs to Query set to 0 is now able to export.
DE10109377475WC: Web Indexer

Web console software will pass vulnerability scans. Customer have the option of upgrading the version of Java used by the Web Indexer independently of LR software releases.


KB updates work without errors and lists are not locked when exporting an AIE rule from one system that uses a list in a KB Module and importing into another system that doesn't have the same KB Module enabled.



Data Indexer

The Data Indexer parameter Days Before Force Merge can now be set to a value below 10.

DE10626374804JobMgr:AD Synchronization

Accounts used to configure ad sync will no longer produce excessive user logon logs against the domain controllers.

DE10854387198WC:Other, WC: Web Console UI

Angular JS Version has been upgraded from 1.5.7 to 1.7.9 to correct a vulnerability related to the older Angular JS version.

DE10882387198, 388772, 387626, 390070


All AIE Alarm notification emails are now being received. 

DE10935388027AgentU: AIX RT FIM

A note was added to the LR help guide AIX prerequisites section to fix a problem with Realtime FIM not working properly.

DE10939389950WC: Dashboard

Users are now able to upload Dashboard Layouts via the web console.

DE11060392698Infr: Database Scripts & Upgrade Scripts

If a backup fails the backup device is now removed.

DE11169395742Search API

Search API now works when LRAdmin user is disabled in lr-cloud, or if the LRAdmin account is not set to the default password.


395408, 395743

WC: Lucene Helper, Web Console UI

When clearing multiple filters in the Web Console Analyze Grid, the logs in the grid now refresh to align with the remaining active filters.

DE11318397462WC: Dashboard

In the Web UI, widget filters appear according to the user settings display mode. 

DE11321369834Console: Alarm Viewer, WC: Web Console UI

When multiple alarms for a drill down are checked, the first results for the drill down do not uncheck any of the alarms.

DE11333394342Doc: Other User Doc

Realtime antivirus exclusions documentation now includes more specific file path information for the Data Indexer (DP, DPX, and DX appliances).

DE11345398590Console: Entities

Due to RBAC there were dependency items not being deleted when a user selected to delete an entity, preventing the entity from being deleted. Now when a user deletes an entity all those dependencies are also deleted.

Known Issues

The following issues have each been found and reported by multiple users.

Bug #Found in VersionComponentDescriptionRelease Notes
DE12887.4.6AI EngineWhen an AIE Rule uses the Host (Impacted) or Host (Origin) in the Group By block, the rule misfires.

Expected Results: AIE Rules should not fire if the rule block relationship is not met.

Workaround: Change the Host (origin) or Host (impacted) fields to IP Address, and the AIE Rule works as expected.

DE13367.4.6AI EngineIn certain circumstances, the AIE Summary Fields are not populating in the AIE Notification emails. 

Expected Results: AIE Summary Fields should be displayed on all AIE Notification emails.

Workaround: View the AIE Summary Fields in the Alarm instead of the Notification email.

DE16067.3.5AI Engine When an AIE Rule with two rule blocks has an evaluation period of 0 seconds, the rule does not trigger as expected. 

Expected Results: AIE Rule Blocks should fire when they are triggered at the same time.

Workaround: As the behavior of simultaneous events is unpredictable and the use case for a 0-time interval is rare, LogRhythm does not plan to change this behavior at this time. To avoid the issue, set the evaluation period to 1 second.

DE17597.3.4AI EngineErrors are being reported numerous times in the AIE Engine log when the AIE service starts up.

Expected Results: These errors should not be reported in the AIE Engine log, but AIE is working and alarms are firing. 

Workaround: There is currently no workaround for this issue.

DE18717.3.3AI EngineUnder conditions of load, AI Engine Rules that are written incorrectly can cause significant issues throughout the entire AIE server. 

Expected Results: Poorly written AIE Rules should be suspended until they are altered and re-enabled.

Workaround: Rewrite the AIE Rule for better performance. Often, this involves adding filters, reducing log sources, and modifying the logic. Tuning an AIE Rule requires expertise, so contact LogRhythm Training, Professional Services, or a Sales Engineer to assist if necessary. Additional solutions to identify and monitor poorly performing rules are being developed for a future release.

DE103137.4.9AI EngineIn rare circumstances, AIE Unique Value Rules misfire. 

Expected Results: AIE Rules fire as expected.

Workaround: There is no workaround at this time. LogRhythm is actively investigating the issue for a future release.

DE103977.4.8AI EngineIn certain circumstances, when an AIE Rule is evaluating an Observed block followed by a Not Observed block, alarms fire even if there are logs that indicate the second block was Observed. 

Expected Results: Alarms do not fire if a log is received for a Not Observed block.

Workaround: There is no workaround at this time. LogRhythm is investigating this issue for a future release.

DE105017.4.7AI Engine: Host InterferenceThe HostInferenceLogs are not being maintained/purged out after 7 days as defined. 

Expected Results: These logs should be automatically purged after 7 days as defined.

Workaround: Sort by log date and delete all older logs.

DE109467.4.9AI Engine, SmartResponse PluginWhen an AIE Alarm has an action including a SmartResponse Plugin, the execution is slow. 

Expected Results: Alarms should execute quickly as expected with other AIE Alarms.

Workaround: There is currently no workaround for this issue.




ARM: NotificationsWhen using a SMTP server with SSL authentication, the Alarming and Response Manager fails to send alarm notifications.

Expected Results: The Alarming and Response Manager should able to send alarm notifications using any SMTP server and SSL authentication.

Workaround: There is currently no workaround for this issue.

DE60727.3.4APIsWhen using a 512-bit RSA-signed certificate, Case API and Admin API do not start due to an incomplete implementation of TLS 1.2. This typically happens when a GPO pushes the certificate to the server. 

Expected Results: Case API and Admin API should start when using any size certificate.

Workaround: Remove the server from the domain and reboot it. Verify that the 512-bit certificate has been removed, re-run the installers, and reboot. To avoid this issue, do not join the domain again or the certificate will be pushed out again. In addition, create a new certificate that uses a 384-bit (or less) hash or exclude the impacted system from the GPO that pushes the certificate.

DE102007.4.9APIsPowerShell scripts utilizing the Case and Admin APIs may stop working upon upgrade to 7.4.9 or later. This is due to an additional semicolon at the end of the valid content-type value. 

Expected Results: The extra semicolon, which is an optional valid separator in a content-type header, should not prevent scripts from working upon upgrade.

Workaround: There is no workaround for this issue at this time. A solution is being investigated for a future release.

DE18297.3.3Client Console There may be inconsistencies in the way a log parses through MPE processing and within the MPE Rule Builder. A log that parses without issue in the Rule Builder may not parse when run through MPE processing. This could be caused by rule match timeouts. 

Expected Results: The processing of a log should be the same whether it is parsed in Rule Builder or MPE.

Workaround: Change the sub-rule to use a different tag, such as <Tag1>. If you are experiencing this issue, ensure that you are not using a custom Log Processing Policy and that there are no MPE timeouts. If issues persist, contact Technical Support and reference this bug number (DE1829) or its sister defect (DE1651).

DE31957.3.4Client ConsoleWhen running a search in either the Client or Web Console, users see an error: ""Error fetching data - Gateway timeout."" 

Expected Results: When a search times out, a message should inform users and instruct them to re-run the search with a longer timeout.

Workaround: Increase the timeout on the query and re-run it.

DE39327.4.7Client ConsoleAfter disabling Log Source Virtualization for a log source, users are unable to perform certain tasks on the System Monitor from which the log source is collected. 

Expected Results: Disabling Log Source Virtualization should not change the behavior of the System Monitor.

Workaround: This issue is caused by the scsm.ini file not being updated immediately. To work around it, refresh the Log Sources tab in the Client Console to force the .ini file to refresh.

DE40497.4.6Client ConsoleWhen running a report that contains User Origin Identity or User Impacted Identity fields, the report runs and provides data, but the Identity fields are not populated.

Expected Results: Identity data appears in reports that contain those fields.

Workaround: Run an investigation to provide the same information.

DE51857.3.4Client ConsoleThe Network (Impacted) field does not display on reports where it is included as a column, even though data appears in that field.

Expected Results: All chosen fields should appear on the report if they contain data.

Workaround: Running the report as an investigation yields the expected results in the Network (Impacted) column. LogRhythm is actively working on a solution to this issue in a future release.

DE76127.1.7Client ConsoleReports exported to .csv format are not formatted correctly. The headers are duplicated in each row as name/value pairs.

Expected Results: When exporting reports in .csv format, the column headers should not be repeated on each row.

Workaround: The report needs to be formatted to remove columns that show the column headers. In addition, LogRhythm data can be exported using Log Distribution Services (LDS).

DE76327.1.3Client Console Entities cannot be deleted from within the Client Console. 

Expected Results: Entities should be retireable and able to be hidden from view.

Workaround: Contact Technical Support to assist you in removing entities that are no longer needed.

DE106217.4.9Client ConsoleWhen an existing report template that includes the Normal Date field is edited, the Normal Date field disappears from the template until it is added again. 

Expected Results: When editing a report template, existing fields should remain unless they are explicitly removed.

Workaround: When editing a report template that contains the Normal Date field, add that field back to the template prior to saving it.

DE106787.4.8Client Console: Report CenterThe Configuration Manager may display an error "Cannot connect to LogRhythm API Gateway" when it first loads. In addition, it may show all services are down when they appear to be healthy otherwise.

Expected Results: The Configuration Manager should load immediately and show the services in the correct state.

Workaround: The Configuration Manager will eventually load if given a little time.  When the services show down, a refresh of the Configuration Manager should show them correctly.  We are working on a resolution to this issue.

DE38397.4.8Client Console: Second LookIn certain circumstances after running a Second Look restore, an error appears stating there is an issue with the Min and Max Ticks.

Expected Results: Second Look restore should run with out errors.

Workaround: There is currently no workaround for this issue.

DE26897.4.4Data IndexerAlarms for ""Indexer Cluster Health Excessive Warnings"" are generated when the Data Indexer cluster health changes from green to yellow during EMDB list maintenance. This can cause concern when there is no actual issue on the system. 

Expected Results: An alarm should only generate when the cluster health changes to red.

Workaround: Edit the impacted alarm to suppress for 24 hours or disable that alarm.

DE33857.3.2Data IndexerThe DX Diagnostic logs are firing too often. 

Expected Results: The Diagnostic logs should be tuned to alarm less frequently.

Workaround: There is no workaround for this issue at this time.

DE115467.6.0Data Indexer: ConfigurationWhen creating a Data Indexer Cluster Name with a parenthesis in it, the upgrade from 7.5.x to 7.6.x fails.

Expected Results: The Cluster Name should not allow reserved characters.

Workaround: Remove the special characters from the Cluster Name and continue the upgrade.

DE17377.4.9Installation Components In rare circumstances, Alarms may not be available in the Web Console or will stop triggering. Typically, this occurs directly after a configuration change to the ARM service. 

Expected Results: Alarms should continue to trigger and be displayed in the Web Console.

Workaround: Contact Technical Support for assistance, as there could be many reasons for this behavior beyond this defect. Support will help determine the root cause.

DE105697.4.10Installation Components In certain circumstances, when the Platform Manager reboots, the Data Processor and Data Indexer are not able to connect to consul and logs may not be indexed. 

Expected Results: The Data Processor and Data Indexer connect to Service Registry after a reboot of the Platform Manager.

Workaround: Manually restart the API Gateway and Service Registry services on the Data Indexer and Data Processor after a reboot of the Platform Manager.

DE107687.4.9Installation ComponentsIn certain circumstances, the Data Processor runs slowly and the ""non-paged pool"" uses significant system memory. This can cause a large unprocessed logs queue or other backlog in the system. 

Expected Results: The "non-paged pool" should not increase and cause system performance issues.

Workaround: Restart the LogRhythm API Gateway service.

DE110157.4.10Installation ComponentsSQL Database autogrowth settings are too small, causing fragmentation and performance issues. 

Expected Results: Autogrowth increases in larger increments so it does not cause fragmentation.

Workaround: Set the autogrowth settings to the following:

  • EMDB: 256 MB
  • Events: 1 GB
  • Alarms: 256 MB
  • LogMart: 256 MB
  • CMDB: 256 MB
DE2607.4.7Installation Components, Job ManagerIn certain circumstances, customers may receive an alarm for a missed heartbeat on the AI Engine. This can stem from a deadlock on resources in SQL.

Expected Results: SQL deadlock issues should not cause a missed heartbeat.

Workaround: While there is no known workaround, this issue is being actively investigated for a solution.

DE93677.4.7Installation Components, Job ManagerSQL Server deadlocks causing missed heartbeats on AI Engine. 

Expected Results: Deadlocks should not cause a missed heartbeat alarm.

Workaround: While there is no workaround for this issue, LogRhythm is investigating a solution.

DE17507.4.6Installation Components, Web ConsoleIn certain circumstances, the Web Console may show a 500 Error page. Typically, this occurs overnight when new service tokens are created for authentication.

Expected Results: Authentication services for Web Console should not be interrupted by the change to the new tokens.

Workaround: Restarting the LogRhythm Authentication API on the Platform Manager mitigates this issue until the next time it occurs.

DE10137.4.7Job ManagerReports are not completing when a large set of data is required. This is due to a limitation within Crystal Reports. 

Expected Results: The Client Console should provide an alternate way to retrieve the data if Crystal Reports is not able to render it.

Workaround: Decrease the amount of data the report is trying to retrieve or export the data instead.

DE110247.4.7Job Manager: AD SynchronizationThe Active Directory Domain Manager is unable to sync with Secure LDAP.

Expected Results: The Active Directory Domain Manager should sync successfully with Secure LDAP.

Workaround: There is currently no workaround for this issue.

DE99957.4.6Job Manager: Scheduled ReportingScheduled reports are sent to a disabled account if an email is attached to the disabled account.

Expected Results: Scheduled reports should not be sent to disabled accounts.

Workaround: There is currently no workaround for this issue.




Job Manager: Scheduled ReportingWhen using Gmail SMTP with SSL authentication, the Job Manager fails to send scheduled reports.

Expected Results: The Job Manager should able to send scheduled reports using any SMTP server and SSL authentication.

Workaround: There is currently no workaround for this issue.

DE18792.4LogRhythm DiagnosticsThe LogRhythm Diagnostics Report shows the last backup information incorrectly. 

Expected Results: The report should show the accurate last backup time for each database.

Workaround: Review the backup information in SQL Server Management Studio.

DE11137.2.5MediatorWhen the Mediator does agent license enumeration and cache refresh it stops sending heartbeats for few minutes.

Expected Results: Cache refresh and License enumeration does not interfere with the heartbeat. We should send heartbeat packets at the required interval.

Workaround: There is currently no workaround for this issue.

DE16407.3.5MediatorThe AIE Data Provider service does not start up correctly unless the Mediator service is also stopped and restarted. Because logging is inconsistent, users may not know that the service has failed to start properly. 

Expected Results: The AIE Data Provider service should start consistently and as expected. Failures should be consistently logged to alert when the service did not start correctly.

Workaround: Restart the Mediator service to allow the AIE Data Provider service to start. A more permanent solution to this issue is being evaluated for a future release.

DE19687.2.5MediatorProcessing of Archive .bin files is sometimes delayed during heavy load and can back up at the Mediator, filling the hard drive. 

Expected Results: Archives should process, seal, and move out of the Unprocessed Archives folder as long as the processing rate is at or below the system specification.

Workaround: Evaluate system sizing and consider an expansion to meet active load demands. In some systems, increasing the ArchiveSize setting in the Data Processor Advanced Properties to 51200 (from the default value of 10240) can help process archive files faster. If necessary, move large files out of the Unprocessed Archives folder to another drive and slowly feed them back in when the system is successfully processing the live data. A more permanent solution to this issue will be provided in a future release.

DE19757.4.6MediatorAfter importing a LogRhythm License file with special characters in the name, the Mediator service fails to start. 

Expected Results: Special characters should not cause the Mediator service to not start.

Workaround: Contact Technical Support to get a license file without special characters in the name.

DE115167.5.0Mediator: Log Distribution ServiceSecure Syslog Log Distribution Services using the TCP+TLS option in the Network Protocol dropdown of the Syslog Receiver Properties is not working correctly.  The error "Log Distribution Service engine fatal error: Object reference not set to an instance of an object" can be found in the error log.  

Expected Results: Secure Syslog in LDS should work as designed.  

Workaround: There is currently no workaround for this issue.  Do not use this option in the Network Protocol of the Syslog Receiver Properties.  

DE397.4.5TrueIdentity Sync ClientThe TrueIdentity Sync may fail if attempting to run with a large number of users (greater than approximately 10,000).

Expected Results: The TrueIdentity Sync Client should work for any number of users.

Workaround: While there is no workaround for this issue, the next release of the Sync Client will be able to support larger AD environments.

DE53127.4.3TrueIdentity Sync ClientThe OU/DC filter in the TrueIdentity Sync Client does not allow white space. 

Expected Results: White space should be allowed in the OU/DC filter.

Workaround: While there is no workaround for this issue, LogRhythm is investigating a resolution for a future release.

DE5147.4.3Web ConsoleWhen viewing TrueIdentity records in the Web Console, 1,000 records are shown at once. Scrolling past that initial 1,000 records produces the error message: ""Failed to fetch Identities: Bad Request."" 

Expected Results: Users should be able to scroll through all TrueIdentity records in the Web Console.

Workaround: Using filters to find specific data in the TrueIdentity page prevents the error message from showing and helps find data more quickly. LogRhythm is working on a resolution for a future release.

DE11987.4.6Web ConsoleWhen downloading large NetMon PCAPs from the Web Console, there may be delays to the initial download, increased memory usage, or timeouts. 

Expected Results: The Web Console should not time out when downloading large PCAP files.

Workaround: Change the time out setting in the Configuration Manager.

DE12387.4.2Web ConsoleWhen copying a Top X widget to another dashboard, all configuration is lost after saving and refreshing the target dashboard. 

Expected Results: When copying widgets, all settings should remain.

Workaround: Users can add a new widget to the dashboard and configure it manually to work around this issue. This issue is still being actively investigated and will be resolved in a future release.

DE13347.3.3Web ConsoleCustomers who have integrated NetMon into the Web Console may encounter a condition where the PCAP has aged out, but the user interface indicates that it is still available. Attempting to download the PCAP results in an ""unclassified failure"" message. 

Expected Results: When users try to download a PCAP that is no longer available on disk, the error message should provide that detail instead of an unclassified failure.

Workaround: The error message will be changed in a future release. There are two simple troubleshooting steps to identify if the PCAP exists or if other issues are occurring in the integration: Log in to NetMon directly and verify if the selected PCAP has already aged out or should be available on disk. Recreate the API key for the selected NetMon and update the NetMon configuration in the Deployment Manager.

DE72637.4.2Web ConsoleWhen exporting the results of an Investigation to .csv from the Web Console Analyzer Grid, the date values in the first and last rows are exported as UNIX-formatted large integers rather than simple dates.

Expected Results: All data contained in the .csv export should be valid and match the data displayed in the Web Console.

Workaround: Export the same investigation from the Client Console or manually adjust the first and last date post export. LogRhythm is investigating a solution to this issue.

DE104037.4.9Web ConsoleThe Web Console Current Processing Rate widget does not showing the correct rate. It does not include messages older than 3 minutes in the rate determined. 

Expected Results: The Current Processing Rate widget shows all logs being processed.

Workaround: Resolve any log source issues that are causing old logs to be ingested, or use Grafana or Performance Counters to check the current processing rate.

DE104427.4.9Web ConsoleWhen viewing NetMon logs in the Web Console using Internet Explorer, the Download PCAP button does not appear. 

Expected Results: The Download PCAP button appears when reviewing NetMon logs.

Workaround: Reload the frame with the Download PCAP button to activate it.

DE111017.4.10SmartResponse Plugin

In certain circumstances, a SmartResponse action may fail to execute with an error: "No System Monitor Associated with execution target."

Expected Results: The SmartResponse Plugin should execute after selecting the System Monitor Agent.

Workaround: There is currently no workaround for this issue.

DE113987.5.1Web Console: OtherWhen running a Vulnerability Scanner, you may see an issue stating "HSTS is missing from the HTTPS Server."

Expected Results: The remote web server should be enforcing HSTS.

Workaround: Configure the remote web server to use HSTS.

DE114637.6.0Web Console

When the browser window is zoomed out, the Node-Link Graph on the Web Console dashboards may display an error: "Failed to establish logs subscription with the Web Console API." This is not related to the zoom functionality within the Node-Link Graph itself.

Expected Results: The Node-Link Graph should function regardless of the browser zoom level.

Workaround: Return the browser to 100% zoom and refresh the Web Console. 

DE112857.6.0Data Indexer

Elasticsearch Maintenance Dashboards do not populate in Grafana for XMs.

Expected Results: The Elasticsearch Maintenance Dashboard should populate regardless of the type of Data Indexer.

Workaround: Contact Technical Support for assistance implementing the workaround for this issue.