This guide describes the issues that have been fixed in LogRhythm 7.6.0 Hotfix 2 (7.6.0 HF2), as well as the upgrade procedure from 7.6.0 GA to 7.6.0 HF2.
This hotfix release includes updated installers for the LogRhythm Data Indexer. The updated components provided in 7.6.0 HF2 were added to the 7.6.0 GA release downloads on January 19, 2021. If you upgraded to 7.6.0 GA using software downloaded before January 19, apply this hotfix as soon as possible. If you upgraded using 7.6.0 GA software downloaded after January 19, you do not need to apply this hotfix. If your deployment is earlier than 7.6.0, do not apply this hotfix to your deployment.
|Bug #||Ticket #||Component||Description|
|DE11720||403587, 404458, 404957, 405071||Data Indexer: Installer||The existing Carpenter configuration is now migrated during a Data Indexer upgrade. If you have already upgraded to 7.6.0 GA, there are no changes to the current Carpenter configuration.|
|DE11730||403914, 403944, 404026, 404120, 404131, 404169, 404189, 404201||Data Indexer: Elasticsearch|
The PreInstall.sh script has been updated to provide the following warning if there is a conflict with an existing Elasticsearch data path containing the cluster name.
"**** WARNING ****
The existing Data Indexer configuration is now migrated during a Data Indexer upgrade.
If you have already upgraded to 7.6.0 GA, there are no changes to the current Data Indexer configuration.
|DE11773||404746, 405061||Data Indexer: Elasticsearch||The Elasticsearch startup script has been updated to handle stale .pid files that can prevent Elasticsearch from starting in certain scenarios.|
|DE11779||404746, 405052||Data Indexer: Installer||The Windows Data Indexer installer has been updated to prevent PreInstall.msi failures when running the installer after the initial install.|
|DE11791||405178||Data Indexer: Elasticsearch||The logs.json template has been updated to set the index "_source" setting to false (as in previous versions), reducing index size. This change is not retroactive. It only affects indices created after the update is applied.|
|DE11888||N/A||Data Indexer: Installer||The PreInstall.sh script has been improved to allow configuration of Public Key Authentication, which is required for Data Indexer install.|
Download Upgrade Components
The 7.6.0 HF2 release includes updated installers for the Data Indexer on both Windows and Linux systems. The new installers can be downloaded from the LogRhythm Community.
- Log in to the Community and then click Documentation & Downloads at the top of the page.
- Under the SIEM tab, click the 7.6 filter, and then click 7.6.0 Hotfixes.
- Under 7.6.0 Hotfix 2, download the 7.6.0 Hotfix 2 LogRhythm Install Wizard package for either Windows DX (for XM deployments) or Linux DX.
Upgrade the 7.6.0 Deployment
After you have downloaded the hotfix from the LogRhythm Community, you can run the DX installer just as you would with a new deployment.
For Windows DX on XM deployments, right-click the LRDataIndexer_10.0.0.121.exe you downloaded in the steps above, and then click Run as administrator. When the installer is finished, verify that the Data Indexer service is running.
For Linux DX, copy the Data Indexer installer to the Soft directory on the existing install node, and then execute the DX installer:
sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts <absolute path to .hosts file> --plan /home/logrhythm/Soft/plan.yml
Verify Updated Component Versions
When you are finished applying the hotfix, from the Start menu, open Control Panel > Programs > Programs and Features or Add/Remove Programs to verify the version of the following components on all appliances or servers.
|Component||Original Version||Updated Version|
|Data Indexer (Windows)||10.0.0.85/10.0.0.94||10.0.0.121|
|Data Indexer (Linux)||10.0.0.85/10.0.0.94||10.0.0.121-1|