This guide describes the issues that have been fixed in LogRhythm 7.6.0 Hotfix 2 (7.6.0 HF2), as well as the upgrade procedure from 7.6.0 GA to 7.6.0 HF2.

This hotfix release includes updated installers for the LogRhythm Data Indexer. The updated components provided in 7.6.0 HF2 were added to the 7.6.0 GA release downloads on January 19, 2021. If you upgraded to 7.6.0 GA using software downloaded before January 19, apply this hotfix as soon as possible. If you upgraded using 7.6.0 GA software downloaded after January 19, you do not need to apply this hotfix. If your deployment is earlier than 7.6.0, do not apply this hotfix to your deployment.

Resolved Issues

Bug #: DE11720
Ticket #: 403587, 404458, 404957, 405071
Component: Data Indexer: Installer
Description:

The existing Carpenter configuration is now migrated during a Data Indexer upgrade.

If you have already upgraded to 7.6.0 GA, there are no changes to the current Carpenter configuration.

Bug #: DE11730
Ticket #: 403914, 403944, 404026, 404120, 404131, 404169, 404189, 404201
Component: Data Indexer: Elasticsearch
Description:

The PreInstall.sh script has been updated to provide the following warning if there is a conflict with an existing Elasticsearch data path containing the cluster name.

"**** WARNING ****
 - PreInstall script has detected a directory at the end of the Elasticsearch 'data path' that matches the cluster
 - This will prevent Elasticsearch from starting after the upgrade.
 - AFTER running the upgrade, the data path will need to be corrected.
 - Please contact LogRhythm Support for any questions or assistance regarding DE11730"

Bug #: DE11764
Ticket #: N/A
Component: Data Indexer
Description:

The existing Data Indexer configuration is now migrated during a Data Indexer upgrade.

If you have already upgraded to 7.6.0 GA, there are no changes to the current Data Indexer configuration.

Bug #: DE11773
Ticket #: 404746, 405061
Component: Data Indexer: Elasticsearch
Description:

The Elasticsearch startup script has been updated to handle stale .pid files that can prevent Elasticsearch from starting in certain scenarios.

Bug #: DE11779
Ticket #: 404746, 405052
Component: Data Indexer: Installer
Description:

The Windows Data Indexer installer has been updated to prevent PreInstall.msi failures when running the installer after the initial install.

Bug #: DE11791
Ticket #: 405178
Component: Data Indexer: Elasticsearch
Description:

The logs.json template has been updated to set the index "_source" setting to false (as in previous versions), reducing index size.

This change is not retroactive. It only affects indices created after the update is applied.

Bug #: DE11888
Ticket #: N/A
Component: Data Indexer: Installer
Description:

The PreInstall.sh script has been improved to allow configuration of Public Key Authentication, which is required for Data Indexer install.
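
A read-only check for the DE11730 condition that can be run against an elasticsearch.yml before upgrading. It is an added example, not LogRhythm's PreInstall.sh or code from this guide. It assumes the conflict means the last directory of path.data equals cluster.name (both standard Elasticsearch settings); the function names, the sample cluster name and the sample paths are constructed.

```shell
#!/bin/sh
# Added example, not LogRhythm's PreInstall.sh. Config-only, read-only check.
# Assumption: "conflict" = last directory of path.data equals cluster.name.

# yaml_value FILE KEY: print the value of the first top-level "KEY: value"
# line, without inline comment, trailing blanks or surrounding quotes.
yaml_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^${key_re}:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# data_path_conflict FILE: 0 = conflict found (offending paths printed),
# 1 = no conflict, 2 = cluster.name or path.data not set in FILE.
# Handles the comma-separated form of path.data; YAML list form is not parsed.
data_path_conflict() {
    cluster=$(yaml_value "$1" cluster.name)
    paths=$(yaml_value "$1" path.data)
    [ -n "$cluster" ] && [ -n "$paths" ] || return 2
    conflict_rc=1
    old_ifs=$IFS; IFS=,
    for p in $paths; do
        # Trim leading blanks and trailing slashes before taking the last part.
        p=$(printf '%s' "$p" | sed -e 's/^[[:space:]]*//' -e 's:/*$::')
        [ -n "$p" ] || continue
        if [ "$(basename "$p")" = "$cluster" ]; then
            printf 'conflict: %s ends in cluster name "%s"\n' "$p" "$cluster"
            conflict_rc=0
        fi
    done
    IFS=$old_ifs
    return $conflict_rc
}

# write_sample_config FILE DATA_PATH: constructed elasticsearch.yml for testing.
write_sample_config() {
    cat > "$1" <<EOF
# constructed sample, not from a real deployment
cluster.name: "logrhythm"
path.data: $2
EOF
}

# Usage: sh check.sh /path/to/elasticsearch.yml
if [ $# -gt 0 ]; then data_path_conflict "$1"; fi
```

An exit status of 0 means the PreInstall.sh warning is likely to appear for that configuration, so the data path correction should be planned with LogRhythm Support before the upgrade window.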

Download Upgrade Components

The 7.6.0 HF2 release includes updated installers for the Data Indexer on both Windows and Linux systems. The new installers can be downloaded from the LogRhythm Community.

  1. Log in to the Community and then click Documentation & Downloads at the top of the page.
  2. Under the SIEM tab, click the 7.6 filter, and then click 7.6.0 Hotfixes.
  3. Under 7.6.0 Hotfix 2, download the 7.6.0 Hotfix 2 LogRhythm Install Wizard package for either Windows DX (for XM deployments) or Linux DX.

Upgrade the 7.6.0 Deployment

Running the DX installer temporarily stops all Data Indexer services while the hotfix is applied. Searches, tails, and indexing will be impacted during the upgrade, but should resume automatically after the install is complete.

After you have downloaded the hotfix from the LogRhythm Community, you can run the DX installer just as you would with a new deployment.

For Windows DX on XM deployments, right-click the LRDataIndexer_10.0.0.121.exe you downloaded in the steps above, and then click Run as administrator. When the installer is finished, verify that the Data Indexer service is running.

For Linux DX, copy the Data Indexer to the existing install node Soft directory, and then execute the DX installer:

sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts <absolute path to .hosts file> --plan /home/logrhythm/Soft/plan.yml

Verify Updated Component Versions

When you are finished applying the hotfix, from the Start menu, open Control Panel > Programs > Programs and Features or Add/Remove Programs to verify the version of the following components on all appliances or servers.

| Component | Original Version | Updated Version |
|---|---|---|
| Data Indexer (Windows) | 10.0.0.85/10.0.0.94 | 10.0.0.121 |
| Data Indexer (Linux) | 10.0.0.85/10.0.0.94 | 10.0.0.121-1 |