Upgrade Considerations

LogRhythm 7.9.0 introduces support for Microsoft SQL Server 2019 and Windows Server 2019 on standard deployments. If your deployment is running SQL Server 2016 Standard or Windows Server 2016, there is no need to upgrade to 2019.

For more information on the optional upgrades, see:

LogRhythm 7.9.0 does not support upgrades to Microsoft SQL Server 2019 and Windows Server 2019 on existing High Availability (HA) and Disaster Recovery (DR) environments.

SQL Server 2019 Licensing

If you purchased hardware through LogRhythm and wish to upgrade SQL, you must provide your own SQL 2019 installer and license.

Software-only purchases allow customers to either bring their own SQL license or purchase one through LogRhythm. See the table below to determine whether your software purchase includes a SQL 2019 license.

SQL Purchase Date | LogRhythm SKU | SQL 2019 License | Customer Action
On or after February 1, 2022 | LR-ACC-MSSQL-P | Included | If you wish to upgrade SQL, you can request a SQL 2019 license and installer through a support case.
Prior to February 1, 2022 | LR-ACC-MSSQL-P | Not included | If you wish to upgrade SQL, you must provide your own SQL 2019 license and installer.

Windows Server 2019 Licensing

  • If you purchased hardware from LogRhythm on or after Nov. 1, 2020, you purchased a Server 2019 license from LogRhythm. This license can be used to upgrade the operating system. You can use and validate your license by looking at the license sticker on top of the server. If you are unable to locate the license, you can open a support case.
  • If you purchased hardware prior to Nov. 1, 2020, you must provide your own Server 2019 license to upgrade.

New Features

Functional Group | Feature | Description

Customer Enhancements | License Information Report

Explanation: The License Information Report now shows the 24-hour average MPS for each Data Processor. The License Metering Report was added to the bottom of the License Information Report. This shows the 24-hour moving average over the last 30 days, making licensing overages more visible and easier to understand.

Benefit: These two updates improve the accuracy and readability of MPS rates and improve users' ability to manage their license usage and lower expenses.

Relevant Documentation Updates: Assign LogRhythm Licenses (See View LogRhythm License Report section at the bottom of the page.)

Enterprise Log Management | Windows Event Log Filtering

Explanation: Event log filtering allows users to select specific types of Windows Event logs during System Monitor Agent queries. Users can also split collection from a single log source across multiple Agents.

Benefit: Event log filtering reduces the Agent's workload and decreases log clutter.

Relevant Documentation Updates: Add a Single Log Source (See Additional Info Tab table in step 10.)

This feature requires LogRhythm System Monitor to be updated to version 7.9.

Platform Administration | Admin API

Explanation: The Admin API library now includes System Monitoring Management endpoints. This enables SIEM administrators to manage pending or modify existing System Monitor Agents through the API.

Benefit: The Admin API reduces administrative overhead and expedites workflow by automating routine tasks.

Relevant Documentation Updates: Administration API Endpoints

Platform Administration | Search API

Explanation: Simplified the process for creating Search API queries.

Benefit: Search API queries are easier to use.

Relevant Documentation Updates: Search API Endpoints

Platform Administration | Windows Server 2019 and SQL Server 2019

Explanation: LogRhythm 7.9 introduces support for Windows Server 2019 and SQL 2019 on standard deployments. (Licensing entitlements vary. For more information, see Relevant Documentation Updates.)

Benefit: Enables customers to run the latest versions of Windows Server and SQL Server.

Relevant Documentation Updates: Review the Upgrade Requirements and Considerations, Upgrade Windows Server 2016 to Windows Server 2019, and Upgrade SQL Server 2016 to SQL Server 2019.

LogRhythm 7.9.0 does not support upgrades to Microsoft SQL Server 2019 and Windows Server 2019 on existing High Availability (HA) and Disaster Recovery (DR) environments.

Security Analytics | New Use Contexts for General List

Explanation: Use Contexts added as options when creating a General List in the Client Console and Web Console: Command, Object Name, MAC Address.

Benefit: Allows SIEM administrators to create lists for LogRhythm metadata fields to leverage MITRE ATT&CK and more sophisticated log sources that generate these data fields.

Relevant Documentation Updates: Lists in the Client Console, Create a List in the Web Console, Use Lists with Filters

Security and Reliability | Log4j Patches

Explanation: LogRhythm made security patches to libraries, including Log4j, to resolve recently discovered vulnerabilities. This includes an Elasticsearch upgrade to version 6.8.23.

Benefit: Reduces customer vulnerability to exploits.

Relevant Documentation Updates: N/A

User and Entity Behavior Analytics (UEBA) | CloudAI

Explanation: UEBA models in LogRhythm CloudAI now map to the MITRE D3FEND matrix.

Benefit: The updated models reduce alert fatigue and ensure today's complex attacks are still detected.

Relevant Documentation Updates: CloudAI Lab

User and Entity Behavior Analytics (UEBA) | TrueIdentity Performance Increase

Explanation: Reduced the time needed to fetch and process identity data when the Mediator service starts.

Benefit: Customers with large data sets of identities will notice a significant increase in performance. 

Relevant Documentation Updates: N/A

Improvements

  • Users can now enable MPE Timeout when configuring SecondLook. For more information, see Data Masking in Create a SecondLook Restore.
  • Users can now filter out System Log Sources. For more information, see General tab in Manage Your Preferences.
  • Updated third-party components to the latest compatible versions: Angular 1.8.2, jQuery 3.6.0, Go and Bazel-Gazelle.
  • Upgraded the Service Registry consul to version 1.9.4.

Deprecated Features

 LogRhythm 7.8 was the last published version of the SOAP API. LogRhythm is deprecating the SOAP API in favor of more effective and sustainable integration through RESTful APIs. While the SOAP API is still usable in 7.9, we encourage customers and partners using the SOAP API to migrate their integrations to REST APIs. For more information on REST integration, see our REST API documentation.

  • Removed the Content Delivery Network (CDN) setting from the Configuration Manager. This was a beta feature that is no longer in use.

Resolved Issues

Bug # | Ticket # | Component | Description
DE1579 | 350227, 354060, 351088, 358746, 360510, 4107691 | AI Engine: Communication Manager | The AIE service now stops and restarts without error at reboot.
DE11162 | 393282 | AI Engine: Drilldown Cache | The AI Engine Cache Drilldown service now generates service logs as expected.
DE13400 | 421288 | AI Engine: Drilldown Cache | When reconnecting to the Web Service Host, the number of times the AIE Cache Drilldown service tries to reconnect now matches the RetryCount value set in the Configuration Manager.
DE6244 | 353979, 395642 | ARM: Alarms | When the service restarts, unprocessed alarms now persist in memory and trigger SmartResponse Plugins as expected.
DE11932 | 406880, 419417 | APIs | After a configuration change in the Console causes a service to restart, the API Gateway now recognizes that the service has restarted and allows normal functionality to resume.
DE11710 | 375582, 400069, 414910, 418452, 418676 | Admin API | When FIPS is enabled in a Disaster Recovery (DR) environment, the Admin API now connects to SQL during failover.
DE12514 | 402747, 413130, 420239, 422164, 422378, 426766, 427266 | Admin API | The Admin API no longer inserts corrupt entries into IP Address List Items during list updates.
DE13736 | 427551, 433515 | Admin API | The Get Events by Alarm ID Admin API function no longer generates a timeout error in environments with high alarm volume (> 500 alarms/day).
DE13683 | 418118, 427061, 425135, 428423 | Client Console: AIE Event Drill Down | The Client Console AIE Drill Down now returns results consistently or provides an error message when data is not available.
DE1626 | 345857, 423244 | Client Console: AIE Rule Block Wizard | When the AIE Event Forwarding option is unchecked, the AI Engine no longer forwards events to the Events database.
DE13184 | 420241 | Client Console: Component Licensing | After uploading a new LogRhythm License, the System Monitor License no longer gets reset to Unlicensed.
DE10145 | 418496, 420550 | Client Console: Log Sources | When adding log sources from a file, the system no longer crashes.
DE12616 | 414079 | Client Console: Log Sources | When a single log source is manually added, the host name is now prepended to the log source name.
DE12151 | 398662 | Client Console: Rule Builder | When a Restricted Admin clicks the Custom Sort Above option in the MPE Rule Editor, the Client Console no longer crashes.
DE10652 | 387520 | Client Console: SmartResponse | When adding or modifying a SmartResponse Plugin in an Alarm Rule, the Console no longer crashes and the Alarm Rule is saved as expected.
DE12721 | 417589, 429854 | Client Console: User | Restricted Admins can see only the log sources within the permissible entity. Log Sources on non-permissible entities are no longer visible to Restricted Admins.
DE13922, DE13923 | 427939 | Client Console: User Profile Manager; SmartResponse Plugin | After drilling down on an alarm, Restricted Admins can no longer see installed SmartResponse Plugins they do not have access to.
DE12258 | 418298 | Client Console: User Profile Manager; Web Console | Restricted Admins and Restricted Analysts who log in using SSO can now see log sources they have access to, and their Web Console search results are now accurate.
DE14122 | 427640 | Client Console: Windows Host Wizard | After a domain is successfully validated, the Windows Host Wizard no longer returns a bad username or password when attempting to scan with Secure LDAP.
DE12664 | 416099 | CloudAI: Deployment; Documentation: Deployment | Updated specifications in the documentation for LogRhythm deployments in AWS to ensure customers are on well-architected instances.
DE1737 | 379934, 380707, 381030, 382490, 382962, 383576, 384654, 386466, 387765, 388771, 388894, 390540, 390649, 390651, 391117, 391911, 392708, 392736, 392968, 393716, 394580, 395961, 396018, 396112, 397309, 397905, 397970, 398903, 399006, 400187, 400388, 401868, 401976, 401994, 402528, 403427, 403583, 403688, 404059, 404864, 405260, 405714, 407070, 408033, 408292, 408377, 408608, 409560, 409760, 410088, 411135, 411906, 412162, 412835 | Common Components | After a configuration change in the ARM service, procman no longer interrupts services, and Alarms continue to trigger and appear in the Web Console as expected.
DE12188 | 409694, 408704 | Common Components | When viewing the Metrics dashboard in Grafana, the Memory Used Percentage widget in the LR Metrics - Deployment View dashboard now shows correct results for timeframes greater than three hours.
DE11129 | 393043 | Data Indexer | GoMaintain no longer closes the current active index.
DE12106 | 407057, 411738, 413260 | Data Indexer | When the Command field, Action field, or LogMessage field is larger than 32767 bytes, the Mediator now truncates the field before sending the log message in Transporter.
DE12350 | 409401 | Data Indexer | The Upgrade Checker now checks for LogRhythm versions between 7.2.0 and 7.5.1 and prompts the user with an appropriate warning message.
DE12799 | 416374, 428902 | Data Indexer | Carpenter no longer deletes EMDB list indices without creating new ones when they are in use by a search.
DE13590 (Windows), DE13591 (Linux) | N/A | Data Indexer | Elasticsearch no longer starts if it is unable to communicate with Service Registry and the check data path.
DE13805 | 429257, 434551 | DR | The Cluster IP setting in the Configuration Manager Global Database no longer reverts to default when the primary DR server is rebooted.
DE11015 | 382674, 390442, 390671, 391011, 391496, 392225 | Infrastructure: Database Scripts and Upgrade Scripts | The SQL Database autogrowth settings are now set to increase in 256-MB increments and no longer cause fragmentation.
DE13182 | N/A | Infrastructure: Database Scripts and Upgrade Scripts | Modifications were made to improve SQL performance.
DE13324, DE13439 | 415889, 422685 | Infrastructure: Database Scripts and Upgrade Scripts | Modifications were made to prevent SQL deadlocks from occurring.
DE14136 | 431620 | Infrastructure: Database Scripts and Upgrade Scripts | Updated the System Monitor Configuration Manager to allow the use of higher max values for FlushBatch, MaxServiceMemory, and MaxLogQueueMemory.
DE13234 | 418072, 413680 | Job Manager: Active Directory Synchronization | When user accounts are disabled in the LogRhythm Console, their read and write privileges are now revoked.
DE11792 | 404360, 404501, 404217, 405620, 408614, 429047, 427107, 429996, 419659, 416145, 419620, 421265, 423159, 424244, 421282, 421918, 429829, 431459, 432862, 432073, 440508, 434347, 442110 | Job Manager: Active Directory Synchronization | Active Directory users are no longer disabled in certain situations after an Active Directory Sync.
DE12167 | 408873 | Job Manager: Scheduled Reporting | When a scheduled report is successfully sent to a recipient, the Job Manager now generates the correct log message.
DE1113 | 363911, 384172 | Mediator | Cache refresh and license enumeration no longer interfere with sending heartbeat packets at the required interval.
DE12187 | 409528 | Mediator | When the license status is modified in the Client Console's Data Processor Properties configuration, the user now receives a pop-up message instructing them to re-enable the AI Engine servers assigned to the Data Processor.
DE12292 | 415902, 409104, 413327, 414161 | Mediator | The MPE Entity Network Resolution processing performance is no longer slow if there is a large number of entity networks.
DE12967 | 415692 | Mediator | The Mediator no longer sends archive files to the quarantine folder when there are issues connecting to the SQL server.
DE13212 | 415902, 429193 | Mediator | The thread lock timeout setting was increased to prevent the MPE from suspending log processing.
DE13626 | 414739 | Mediator | Reduced the time needed to fetch and process identity data when the Mediator service starts.
DE13848 | 428101 | Mediator | Changed the frequency of the Location sync in the MPE from once per minute to once per day to ensure MPE processing is not needlessly disrupted.
DE14646 | 436667 | Mediator | Resolved software crashes caused by unhandled .NET exceptions that could be encountered in the Data Processor.
DE11776 | 404940 | Notification Service | After the LogRhythm Windows Authentication Service is restarted, the Notification Service now connects to it and restarts successfully.
DE13108 | 418782, 419135 | Threat Intelligence Service | TIS STIX feed files now parse correctly.
DE11123, DE11624 | 390479, 400777, 401288, 406939, 404015, 405321, 409641, 390479, 400777, 409339, 411398, 412574, 412738, 421703, 430048 | Web Console | When performing AIE Drilldowns in the Web Console, filters and exported results now show data as expected.
DE147 | 360986, 360776 | Web Console | Authentication services for Web Console now handle the change to the new tokens without errors.
DE10514 | 381030, 420857 | Web Console: Analyzer Grid | The type-ahead filters now show correct values when filtering data in the Analyzer grid.
DE13603 | 425006, 430228 | Web Console: Case API | The Case Inspector pane no longer generates an error when the user adds a large number of logs to the case and attempts to view the evidence.
DE13700 | 416924 | Web Console: Case Management | The Web Console no longer generates a 400 error when the user attaches logs to a case.
DE1041 | 368599 | Web Console UI | The Web Console now displays the same Group By and Relationship fields shown in the AIE rule configuration.
DE13605 | 426338, 428752 | Windows Agent: Auto-update | After updating an Agent through the System Monitor Package Manager, the StartScmedsvrAfterReboot job no longer appears in the Task Scheduler.
DE12600 | 413909 | Windows Agent: Flat File Log Collection | The Agent no longer generates "Failed to parse log data" errors in the scsm.log file when processing multi-line XML flat files.

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view on the Community.

Known Issues

The following issues have each been found and reported by multiple users.

Bug # | Found In Version | Components | Description | Release Notes

DE12608 | 7.7.0 | Agents | When searching System Monitor Agent Properties log sources, all log sources from all agents are displayed.

Expected Results: Searching System Monitor Agent Properties log sources should return all log sources from the current agent. 

Workaround: There is currently no workaround for this issue. 

DE1871 | 7.3.3 | AI Engine | Under conditions of load, AI Engine Rules that are written incorrectly can cause significant issues throughout the entire AIE server.

Expected Results: Poorly written AIE Rules should be suspended until they are altered and re-enabled. 

Workaround: Rewrite the AIE Rule for better performance. Often, this involves adding filters, reducing log sources, and modifying the logic. Tuning an AIE Rule requires expertise, so contact LogRhythm Training, Professional Services, or a Sales Engineer to assist if necessary. Additional solutions to identify and monitor poorly performing rules are being developed for a future release.

DE1759 | 7.3.4 | AI Engine | When the AIE service starts up, errors are generated multiple times in the AIE Engine log.

Expected Results: These errors should not be generated in the AIE Engine log, but AIE is working and alarms are firing.  

Workaround: There is currently no workaround for this issue.

DE1606 | 7.3.5 | AI Engine | When an AIE Rule with two rule blocks has an evaluation period of 0 seconds, the rule does not trigger as expected.

Expected Results: AIE Rule Blocks should fire when they are triggered at the same time. 

Workaround: As the behavior of simultaneous events is unpredictable and the use case for a 0-time interval is rare, LogRhythm does not plan to change this behavior at this time. To avoid the issue, set the evaluation period to 1 second.

DE1324 | 7.4.3 | AI Engine | In certain circumstances, there may be a discrepancy between the AIE event date/time and the date/time of the message(s) triggering the AIE rule, causing the AIE event to show a future date/time.

Expected Results: The date and time of the AIE Event should not have a future time. 

Workaround: There is no workaround for this issue. 

DE1288 | 7.4.6 | AI Engine | When an AIE Rule uses the Host (Impacted) or Host (Origin) in the Group By block, the rule misfires.

Expected Results: AIE Rules should not fire if the rule block relationship is not met. 

Workaround: Change the Host (origin) or Host (impacted) fields to IP Address, and the AIE Rule works as expected. 

DE1336 | 7.4.6 | AI Engine | In certain circumstances, the AIE Summary Fields are not populating in the AIE Notification emails.

Expected Results: AIE Summary Fields should be displayed on all AIE Notification emails. 

Workaround: View the AIE Summary Fields in the Alarm instead of the Notification email.

DE10501 | 7.4.7 | AI Engine | The Retire logs in the C:\Program Files\LogRhythm\LogRhythm AI Engine\HostInferenceLogs directory are not being removed after the defined number of expiration days.

Expected Results: Logs in this directory should be purged after the number of days defined for expiration has passed, defaulted to 7 days. 

Workaround:  Manually remove these files to prevent the C drive from filling up.

DE10397 | 7.4.8 | AI Engine | In certain circumstances, when an AIE Rule is evaluating an Observed block followed by a Not Observed block, alarms fire even if there are logs that indicate the second block was Observed.

Expected Results: Alarms should not fire if a log is received for a Not Observed block. 

Workaround: While there is currently no workaround, LogRhythm is investigating this issue for a future release.

DE10313 | 7.4.9 | AI Engine | In rare circumstances, AIE Unique Value Rules misfire.

Expected Results: AIE Rules should fire as expected. 

Workaround: While there is currently no workaround, LogRhythm is investigating this issue for a future release.

DE10946 | 7.4.9 | AI Engine | When an AIE Alarm has an action including a SmartResponse Plugin, the execution is slow.

Expected Results: Alarms should execute quickly as expected with other AIE Alarms. 

Workaround: There is currently no workaround for this issue.

DE11051 | 7.4.9 | AI Engine | In certain circumstances, the AIE Engine does not consistently trigger alarms for Log Not Observed.

Expected Results: The AIE Engine should trigger alarms for Log Not Observed. 

Workaround: There is currently no workaround for this issue. 

DE14530, DE14531 | 7.9.0 | AI Engine | There is no input validation for the MAC Address field in the SIEM, which means that a MAC Address could be in multiple different formats.

Expected Results: Input normalization for MAC Addresses, requiring them to be entered in the accepted format.

Workaround: Use data masking rules to transform the MAC addresses to the colon delimited format.

DE1087 | 7.3.5 | AI Engine | AI Engine rule group changes are not reflected in the Web Console until Web Services is restarted.

Expected Results: Web Services does not need to be restarted to have a rule group change show up.

Workaround: Restart Web Services.

DE11098 | 7.4.9 | Alarming | When using an SMTP server with SSL authentication, the Alarming and Response Manager fails to send alarm notifications.

Expected Results: The Alarming and Response Manager should be able to send alarm notifications using any SMTP server and SSL authentication.

Workaround: There is currently no workaround for this issue. 

DE10937 | 7.4.10 | Alarming | If an SRP is retired, the Alarming and Response Manager (ARM) does not recognize this and could cause the C: drive to fill with errors trying to execute the SRP if the logging level on the ARM is set high.

Expected Results: The Alarming and Response Manager should be aware of a change of status of the SRPs and should not continue to attempt to execute them. 

Workaround: Lower the logging level on the ARM to help mitigate this, but contact LogRhythm Technical Support if assistance is needed to retire the SRP. 

DE6072 | 7.3.4 | APIs | When using a 512-bit RSA-signed certificate, Case API and Admin API do not start due to an incomplete implementation of TLS 1.2. This typically happens when a GPO pushes the certificate to the server.

Expected Results: Case API and Admin API should start when using any size certificate. 

Workaround: Remove the server from the domain and reboot it. Verify that the 512-bit certificate has been removed, re-run the installers, and reboot. To avoid this issue, do not join the domain again or the certificate will be pushed out again. In addition, create a new certificate that uses a 384-bit (or less) hash or exclude the impacted system from the GPO that pushes the certificate.

DE1869 | 7.4.7 | APIs | In certain circumstances the Admin API log generates multiple invalid argument errors without providing context.

Expected Results: When the Admin API log generates errors, it should provide some context within the error message. 

Workaround: There is currently no workaround for this issue. 

DE10200 | 7.4.9 | APIs | PowerShell scripts utilizing the Case and Admin APIs may stop working upon upgrade to 7.4.9 or later. This is due to an additional semicolon at the end of the valid content-type value.

Expected Results: The extra semicolon, which is an optional valid separator in a content-type header, should not prevent scripts from working upon upgrade. 

Workaround: While there is currently no workaround, LogRhythm is investigating this issue for a future release.

DE7632 | 7.1.3 | Client Console | Entities cannot be deleted from within the Client Console.

Expected Results: Entities should be retireable and able to be hidden from view. 

Workaround: Contact Technical Support to assist you in removing entities that are no longer needed.

DE7612 | 7.1.7 | Client Console | Reports exported to .csv format are not formatted correctly. The headers are duplicated in each row as name/value pairs.

Expected Results: When exporting reports in .csv format, the column headers should not be repeated on each row.

Workaround: The report needs to be formatted to remove columns that show the column headers. In addition, LogRhythm data can be exported using Log Distribution Services (LDS).

DE1829 | 7.3.3 | Client Console | There may be inconsistencies in the way a log parses through MPE processing and within the MPE Rule Builder. A log that parses without issue in the Rule Builder may not parse when run through MPE processing. This could be caused by rule match timeouts.

Expected Results: The processing of a log should be the same whether it is parsed in Rule Builder or MPE. 

Workaround: Change the sub-rule to use a different tag, such as <Tag1>. If you are experiencing this issue, ensure that you are not using a custom Log Processing Policy and that there are no MPE timeouts. If issues persist, contact Technical Support and reference this bug number (DE1829) or its sister defect (DE1651).

DE3195 | 7.3.4 | Client Console | When running a search in either the Client or Web Console, users see an error: Error fetching data - Gateway timeout.

Expected Results: When a search times out, a message should inform users and instruct them to re-run the search with a longer timeout. 

Workaround: Increase the timeout on the query and re-run it.

DE5185 | 7.3.4 | Client Console | The Network (Impacted) field does not display on reports where it is included as a column, even though data appears in that field.

Expected Results: All chosen fields should appear on the report if they contain data.

Workaround: Running the report as an investigation yields the expected results in the Network (Impacted) column. LogRhythm is actively working on a solution to this issue in a future release.

DE4049 | 7.4.6 | Client Console | When running a report that contains User Origin Identity or User Impacted Identity fields, the report runs and provides data, but the Identity fields are not populated.

Expected Results: Identity data should appear in reports that contain those fields.

Workaround: Run an investigation to provide the same information.

DE3932 | 7.4.7 | Client Console | After disabling Log Source Virtualization for a log source, users are unable to perform certain tasks on the System Monitor from which the log source is collected.

Expected Results: Disabling Log Source Virtualization should not change the behavior of the System Monitor. 

Workaround: This issue is caused by the scsm.ini file not being updated immediately. To work around it, refresh the Log Sources tab in the Client Console to force the .ini file to refresh.

DE3839 | 7.4.8 | Client Console | In certain circumstances after running a Second Look restore, an error appears stating there is an issue with the Min and Max Ticks.

Expected Results:  Second Look restore should run without issues. 

Workaround:  There is currently no workaround for this issue. 

DE10678 | 7.4.8 | Client Console | The Log Management Usage Auditing Event Detail, Event List, and Logon & Logoff Events reports are rendering in UTC date/time format instead of the local time.

Expected Results:  Reports should all display in the local time zone or that specified in the report configuration.   

Workaround:  There is currently no workaround for this issue.

DE10621 | 7.4.9 | Client Console | When an existing report template that includes the Normal Date field is edited, the Normal Date field disappears from the template until it is added again.

Expected Results: When editing a report template, existing fields should remain unless they are explicitly removed. 

Workaround: When editing a report template that contains the Normal Date field, add that field back to the template prior to saving it.

DE11798 | 7.4.10 | Client Console | When exporting a large number of logs using the Send all Logs option from the Log Viewer in Client Console, the Console freezes.

Expected Results: The Console should not freeze when exporting logs. 

Workaround: Export selected logs instead of all logs to allow the export to complete. 

DE11499 | 7.5.1 | Client Console | When DNStoIP is enabled on the Data Processor and the DNS name doesn't have a host record, the host field shows only the IP address without the host name. This impacts only the Client Console and is displayed correctly in the Web Console.

Expected Results: The hostname should be displayed the same for both Web and Client Consoles. 

Workaround: View the record in the Web Console. 

DE12893 | 7.6.0 | Client Console | Active Directory users that are linked to User Profiles may not be updated after moving the user to a different Active Directory group.

Expected Results: Users that are moved between Active Directory groups should update upon the move. 

Workaround: There is no workaround for this issue other than manually updating the profiles. 

DE12581 | 7.7.0 | Client Console | The Log Source Type filter in the Client Console does not work unless the Include Retired log sources box is selected.

Expected Results: Users should be able to filter out the retired log sources when filtering by Log Source Type. 

Workaround:  Use the Include Retired box or use another method of filtering.   

DE12510 | 7.7.0 | Client Console | When importing a new SmartResponse Plugin to the Client Console, permissions have to be explicitly granted to the user account that imported the plugin.

Expected Results: The user importing the SmartResponse Plugin should have permissions granted automatically.

Workaround: Go into the User Profile Manager and grant access to the newly imported SmartResponse Plugin.

DE11717 | 7.4.0 | Client Console | When the Knowledge Base is synced, customized Log Source Type settings in the Windows Host Wizard revert to default.

Expected Results: When custom settings are selected, they should persist through a Knowledge Base update.

Workaround: Reselect the Log Source Type settings prior to doing a Windows Host Wizard scan.

DE10628 | 7.4.8 | Client Console | Duplicate Active Directory groups and users are being created because OU filters are not being used when scanning domains.

Expected Results: No duplicate entries should be created.

Workaround: There is currently no workaround for this issue.

DE12489 | 7.4.9 | Common Components | In rare circumstances, Alarms may not be available in the Web Console or will stop triggering. Typically, this occurs directly after a configuration change to the ARM service.

Expected Results: Alarms should continue to trigger and be displayed in the Web Console. 

Workaround: Contact Technical Support for assistance, as there could be many reasons for this behavior beyond this defect. Support will help determine the root cause.

DE10768 | 7.4.9 | Common Components | In certain circumstances, the Data Processor runs slowly and the non-paged pool uses significant system memory. This can cause a large unprocessed logs queue or other backlog in the system.

Expected Results: The non-paged pool should not increase and cause system performance issues. 

Workaround: Restart the LogRhythm API Gateway service.

DE10569 | 7.4.10 | Common Components | In certain circumstances, when the Platform Manager reboots, the Data Processor and Data Indexer are not able to connect to consul and logs may not be indexed.

Expected Results: The Data Processor and Data Indexer should connect to Service Registry after a reboot of the Platform Manager. 

Workaround: Manually restart the API Gateway and Service Registry services on the Data Indexer and Data Processor after a reboot of the Platform Manager.

DE11733 | 7.6.0 | Common Components | When running the LogRhythm Infrastructure Installer (LRII), you may receive the error: No plan file found in LogRhythm Service Registry KV store. This is caused by the plan file not fully updating into the Consul KV store, and only happens in certain environments.

Expected Results: LRII should be able to run multiple times without affecting the plan file. 

Workaround: For assistance with this issue, contact LogRhythm Technical Support. 

DE12153 | 7.6.0 | Common Components

In some cases after a Data Indexer install, the Service Registry may not be able to communicate with the Platform Manager, causing alarms and errors in the Service Registry log.

Expected Results: Communication to the Platform Manager should be maintained after an install. 

Workaround: Restart Service Registry on each node in the cluster after the installation is complete. 

DE14729 | 7.6.0 | Common Components

Grafana does not categorize Mediators per cluster Log Indexing since moving to 7.6.

Expected Results: Filter should show data processor stats for only the selected cluster.

Workaround: Contact LogRhythm support for a new Mediator.json file.

DE3385 | 7.3.2 | Data Indexer

The DX Diagnostic logs are firing too often.

Expected Results: The Diagnostic logs should be tuned to alarm less frequently. 

Workaround: There is currently no workaround for this issue.

DE2689 | 7.4.4 | Data Indexer

When the Data Indexer cluster health changes from green to yellow during EMDB list maintenance, alarms for Indexer Cluster Health Excessive Warnings are generated. This can cause concern when there is no actual issue on the system.

Expected Results: An alarm should only generate when the cluster health changes to red. 

Workaround: Edit the impacted alarm to suppress for 24 hours or disable that alarm.

DE11342 | 7.4.9 | Data Indexer

Having entity lists with Entity (Impacted) or Entity (Origin) as filter criteria in an AIE Rule causes the alarm drill down to fail.

Expected Results: Drill downs on AIE rules should work regardless of the filter criteria. 

Workaround: There is no workaround for this issue.

DE11822 | 7.5.0 | Data Indexer

The C:\Windows\Temp directory may become full with jtds.tmp files if the Carpenter service continually recycles. This can happen if using an SRP with List Management.

Expected Results: Temporary files should not be left on disk. 

Workaround: Contact Technical Support for assistance with the workaround for this issue.   

DE11765 | 7.5.1 | Data Indexer

In certain circumstances, Elasticsearch uses more memory than the set limit, causing performance issues on the server.

Expected Results: Elasticsearch should abide by the memory limit that is set. 

Workaround: For a workaround, contact LogRhythm Technical Support. 

DE11934 | 7.6.0 | Data Indexer

In certain circumstances, customers with warm node indices may experience failed searches against those indices. This is due to Columbo being unable to close certain warm indices.

Expected Results: Columbo should handle the warm node indices correctly and allow searches. 

Workaround: For assistance with this workaround, contact LogRhythm Technical Support. 

DE12207 | 7.6.0.HF2 | Data Indexer

In some circumstances, installing the 7.6.0 Hotfix 2 upgrade will install a second instance of the Data Indexer.

Expected Results: The Data Indexer should be removed and re-added instead of adding a second instance. 

Workaround: Uninstall both versions of the Data Indexer, ensure there are no hung .msi processes in the Task Manager, then re-install the 7.6.0 Hotfix 2 version.

DE13150 | 7.7.0 | Data Indexer

In certain circumstances after upgrading to 7.7.0, the Carpenter service causes port exhaustion and the service must be restarted.

Expected Results: The Carpenter service should not cause port exhaustion. 

Workaround: Create a scheduled task to restart the Carpenter service each day. 

DE12218 | 7.6.0 | Data Indexer

The Transporter can fail to fully start after restart at UTC midnight, causing indexing and performance issues. (This issue only impacts Linux clusters.)

Expected Results: The Transporter should continue to run after a restart signal is sent.

Workaround: Restart the Transporter service.

DE12201 | 7.6.0 | Data Indexer

Data is being indexed in lower case, ignoring the case of the original logs.

Expected Results: Data should be stored in the format in which it was sent.

Workaround: There is currently no workaround for this issue.

DE260, DE9367 | 7.4.7 | Installation Components

In certain circumstances, customers may receive an alarm for a missed heartbeat on the AI Engine. This can stem from a deadlock on resources in SQL.

Expected Results: SQL deadlock issues should not cause a missed heartbeat.

Workaround: While there is no known workaround, LogRhythm is actively investigating this issue for a solution.

DE9995 | 7.4.6 | Job Manager

Scheduled reports are sent to a disabled account if an email is attached to the disabled account.

Expected Results: Scheduled reports should not be sent to disabled accounts. 

Workaround: There is currently no workaround for this issue. 

DE1013 | 7.4.7 | Job Manager

Reports are not completing when a large set of data is required. This is due to a limitation within Crystal Reports.

Expected Results: The Client Console should provide an alternate way to retrieve the data if Crystal Reports is not able to render it. 

Workaround: Decrease the amount of data the report is trying to retrieve or export the data instead.

DE11316 | 7.4.10 | Job Manager

Scheduled reports that do not complete within an hour return only partial results without indication of additional results available.

Expected Results: The Job Manager should generate a message stating that the results were not complete and the report should indicate partial results. 

Workaround: There is currently no workaround for this issue. 

DE11701 | 7.4.10 | Job Manager

When exporting reports as .csv files, there are duplications of headers and footers that cause the report to be much larger in size than when run in the Console.

Expected Results: Exported reports should not duplicate header and footer lines. 

Workaround: Export the report in another format or remove the extra lines from the .csv. 

DE11892 | 7.6.0 | Job Manager

When re-enabling a disabled Active Directory user, the user's LogRhythm login is not re-enabled.

Expected Results: When a disabled user is re-enabled, the user's login should also be enabled during the next AD Synchronization.

Workaround: Manually enable the user's login after the AD sync.

DE1879 | 2.4 | LogRhythm Diagnostics Tool

The LogRhythm Diagnostics Report shows the last backup information incorrectly.

Expected Results: The report should show the accurate last backup time for each database. 

Workaround: Review the backup information in SQL Server Management Studio.

DE1968 | 7.2.5 | Mediator

Processing of Archive .bin files is sometimes delayed during heavy load and can back up at the Mediator, filling the hard drive.

Expected Results: Archives should process, seal, and move out of the Unprocessed Archives folder as long as the processing rate is at or below the system specification. 

Workaround: Evaluate system sizing and consider an expansion to meet active load demands. In some systems, increasing the ArchiveSize setting in the Data Processor Advanced Properties to 51200 (from the default value of 10240) can help process archive files faster. If necessary, move large files out of the Unprocessed Archives folder to another drive and slowly feed them back in when the system is successfully processing the live data. A more permanent solution to this issue will be provided in a future release.

DE1640 | 7.3.5 | Mediator

The AIE Data Provider service does not start up correctly unless the Mediator service is also stopped and restarted. Because logging is inconsistent, users may not know that the service has failed to start properly.

Expected Results: The AIE Data Provider service should start consistently and as expected. Failures should be consistently logged to alert when the service did not start correctly. 

Workaround: Restart the Mediator service to allow the AIE Data Provider service to start. A more permanent solution to this issue is being evaluated for a future release.

DE13301 | 7.4.10 | Mediator

In certain circumstances when Entity Archive settings are turned on, customers may receive the following error:

**ERROR** Failed to locate or create inactive subdirectory: The given key was not present in the dictionary.. Inactive archive files will be temporarily stored at the root of the system drive (C:\ in most cases). This error must be corrected in order for inactive archives to be stored at the specified location. 

Expected Results: Entity archiving should function without errors. 

Workaround: There is currently no workaround for this issue. 

DE11496 | 7.5.1 | Mediator

In certain circumstances, the Mediator will attempt to seal the same archive file twice. This causes errors in the scmedsvr.log file.

Expected Results: The Mediator should only attempt to seal the archive file once.

Workaround: There is no workaround for this issue. 

DE11101 | 7.4.10 | Smart Response Plugin

In certain circumstances, a SmartResponse action may fail to execute with an error: No System Monitor Associated with execution target.

Expected Results:  The SmartResponse Plugin should execute after selecting the System Monitor Agent. 

Workaround: There is currently no workaround for this issue.

DE12597 | 7.5.0 | Smart Response Plugin

When grouping two values in a SmartResponse Plugin, users receive an error that they do not have access to the Config file.

Expected Results: Grouping values in SmartResponse Plugins should be allowed. 

Workaround: There is no workaround for this issue. 

DE11820 | 7.6.0 | Smart Response Plugin

When utilizing multiple SmartResponse Plugins as part of the actions for an AIE Rule, inconsistent results may occur.

Expected Results: SmartResponse Plugins should fire each time the AIE Rule is triggered. 

Workaround: There is no workaround for this issue. 

DE10867 | 1.2.0.10 | TrueIdentity Sync Client

The TrueIdentity Sync Client will not connect to the Microsoft Active Directory LDAP server on port 636 using LDAP.

Expected Results: The TrueIdentity Sync Client should be able to connect using LDAP via port 636. 

Workaround: Use port 389 instead and ensure the proper certificates are in place for security. 

DE5312 | 7.4.3 | TrueIdentity Sync Client

The OU/DC filter in the TrueIdentity Sync Client does not allow white space.

Expected Results: White space should be allowed in the OU/DC filter. 

Workaround: While there is no workaround for this issue, LogRhythm is investigating a resolution for a future release.

DE39 | 7.4.5 | TrueIdentity Sync Client

The TrueIdentity Sync may fail if attempting to run with a large number of users (greater than approximately 10,000).

Expected Results: The TrueIdentity Sync Client should work for any number of users. 

Workaround: While there is no workaround for this issue, the next release of the Sync Client will be able to support larger AD environments.

DE1334 | 7.3.3 | Web Console

Customers who have integrated NetMon into the Web Console may encounter a condition where the PCAP has aged out, but the user interface indicates that it is still available. Attempting to download the PCAP results in an unclassified failure message.

Expected Results: When users try to download a PCAP that is no longer available on disk, the error message should provide that detail instead of an unclassified failure. 

Workaround: The error message will be changed in a future release. There are two simple troubleshooting steps to identify if the PCAP exists or if other issues are occurring in the integration:

  • Log in to NetMon directly and verify if the selected PCAP has already aged out or should be available on disk.
  • Recreate the API key for the selected NetMon and update the NetMon configuration in the Deployment Manager.

DE1238 | 7.4.2 | Web Console

When copying a Top X widget to another dashboard, all configuration is lost after saving and refreshing the target dashboard.

Expected Results: When copying widgets, all settings should remain. 

Workaround: Users can add a new widget to the dashboard and configure it manually to work around this issue. This issue is still being actively investigated and will be resolved in a future release.

DE7263 | 7.4.2 | Web Console

When exporting the results of an Investigation to .csv from the Web Console Analyzer Grid, the date values in the first and last rows are exported as UNIX-formatted large integers rather than simple dates.

Expected Results: All data contained in the .csv export should be valid and match the data displayed in the Web Console. 

Workaround: Export the same investigation from the Client Console or manually adjust the first and last date post export. LogRhythm is investigating a solution to this issue.

DE514 | 7.4.3 | Web Console

When viewing TrueIdentity records in the Web Console, 1,000 records are shown at once. Scrolling past those initial 1,000 records produces the error message: Failed to fetch Identities: Bad Request.

Expected Results: Users should be able to scroll through all TrueIdentity records in the Web Console. 

Workaround: Using filters to find specific data in the TrueIdentity page prevents the error message from showing and helps find data more quickly. LogRhythm is working on a resolution for a future release.

DE1750 | 7.4.6 | Web Console

In certain circumstances, the Web Console may show a 500 Error page. Typically, this occurs overnight when new service tokens are created for authentication.

Expected Results: Authentication services for Web Console should handle the change to the new tokens without errors.

Workaround: Restarting the LogRhythm Authentication API on the Platform Manager mitigates this issue until the next time it occurs.

DE1198 | 7.4.6 | Web Console

When downloading large NetMon PCAPs from the Web Console, there may be delays to the initial download, increased memory usage, or timeouts.

Expected Results: The Web Console should not time out when downloading large PCAP files. 

Workaround: Change the time out setting in the Configuration Manager.

DE10403 | 7.4.9 | Web Console

The Web Console Current Processing Rate widget does not show the correct processing rate. Messages older than 3 minutes are not included when the rate is calculated.

Expected Results: The Current Processing Rate widget should show all logs being processed.

Workaround: Resolve any log source issues that are causing old logs to be ingested, or use Grafana or Performance Counters to check the current processing rate.

DE10442 | 7.4.9 | Web Console

When viewing NetMon logs in the Web Console using Internet Explorer, the Download PCAP button does not appear.

Expected Results: The Download PCAP button should appear when reviewing NetMon logs. 

Workaround: Reload the frame with the Download PCAP button to activate it.

DE11124 | 7.4.9 | Web Console

When SSL Port In Redirects is set to Exclude in the Web Console configuration, links in Alarm and Case notification emails do not work.

Expected Results: The links sent in Case and Alarm notification emails should redirect to port 443 instead of 8443, as they are coming from an external location. 

Workaround: Open the Web Console and manually find the Alarm or Case to review. 

DE11463 | 7.6.0 | Web Console

When the browser window is zoomed out, the Node-Link Graph on the Web Console dashboards may display the error: Failed to establish logs subscription with the Web Console API. This is not related to the zoom functionality within the Node-Link Graph itself.

Expected Results: The Node-Link Graph should function regardless of the browser zoom level. 

Workaround:  Return the browser to 100% zoom and refresh the Web Console. 

DE11663 | 7.6.0 | Web Console

When clicking Case Evidence logs from the Case page, the Analyze window shows a Custom Filter that prevents the logs from displaying.

Expected Results: Clicking Case Evidence logs should open an Analyze page showing the logs selected. 

Workaround: To show the logs, click the X next to the Custom Filter. 

DE11863 | 7.6.0 | Web Console

When running AIE Events drill down from an AIE events dashboard, the Analyze Dashboard filter does not reset properly.

Expected Results: The Analyze Dashboard filter should reset. 

Workaround: In User Settings, set the Drilldown setting to Open in Page.

DE11924 | 7.6.0 | Web Console

When a hostname IP address is showing in brackets, drill downs do not work.

Expected Results: Brackets should not affect the ability to drill down into a hostname.

Workaround: There is no workaround for this issue.

DE11929 | 7.6.0 | Web Console

When using a Direction filter in the Web Console dashboard and drilling into any of the TopX widgets, the data shown in the Analyzer Grid contains logs that do not match the dashboard filter.

Expected Results: Drilling into data on a dashboard should not change the dashboard filter criteria. 

Workaround: Reapply the dashboard filter. 

DE12521 | 7.6.0 | Web Console

When pausing live data in the Web Console, the Analyzer grid continues to update with new events.

Expected Results: The Analyzer grid should not update with new events when paused. 

Workaround: There is currently no workaround for this issue. 

DE12714 | 7.6.0 | Web Console

In the Web Console, if the last selected Analyzer page dashboard has a filter, drill down results are hidden.

Expected Results: Drill down results should not be hidden.

Workaround: Select Default Analyze Dashboard.

DE12836 | 7.6.0 | Web Console

When running a search or drill down in the Web Console, the operation does not return results or terminate as intended.

Expected Results: The search and drill down operations should return results upon completion or terminate. 

Workaround: Reload the page. 

DE12908 | 7.6.0 | Web Console

Event logs are not appearing in the Web Console dashboard.

Expected Results: Event data should appear in the dashboard.

Workaround: There is currently no workaround for this issue. 

DE13079 | 7.6.0 | Web Console

When running a search or drill down in the Web Console, the operation does not return results or terminate as intended.

Expected Results: The search and drill down operations should return results upon completion or terminate. 

Workaround: Reload the page. 

DE12624 | 7.7.0 | Web Console

When using the Check Visible option in Alarms after upgrading to 7.7.0, the checked count does not reset properly.

Expected Results: The checked count should reset. 

Workaround: After performing an action, select the Uncheck All option to reset the checked count. 

DE13128 | 7.7.0 | Web Console

When running a search or drill down in the Web Console, the operation does not return results or terminate as intended.

Expected Results: The search and drill down operations should return results upon completion or terminate. 

Workaround: Reload the page. 

DE12852 | 7.5.0 | Web Console

Searching the Log Message field for a term containing a hyphen breaks the search into parts rather than searching for the full term as an exact match.

Expected Results: Searching for terms should yield results for exact matches and not 'AND' the words separated by hyphens.

Workaround: There is currently no workaround for this issue.

DE12185 | 7.5.0 | Web Console

Lucene widget filtering is applied globally to the entire opened dashboard when a drilldown or time slice is initiated.

Expected Results: Lucene filtering should only apply to the widget from which it originated. Other widgets on the page will still lack the drilldown or time slice.

Workaround: There is currently no workaround for this issue.

DE15596 | 7.9.0 | Web Console

Data does not populate in the AI Engine Rule Tab when switching from one AIE alarm to another.

Expected Results: Data should populate successfully when switching from one AIE alarm to another in the AI Engine Rule Tab.

Workaround: Switching from the Data, Comments and Details tab to the AI Engine Rule tab will populate the data.

DE15617 | 7.9.0 | Web Console

The Lucene Filter does not work on mouse click in a widget and is also inconsistent on the dashboard.

Expected Results: In the Lucene Filter, clicking an autosuggest value should also select it.

Workaround: Use the Enter key to select the value from the autosuggest popup in the Lucene Filter.