Prerequisites for LogRhythm Echo v.2.0.3

  • LogRhythm Enterprise 7.2.0 or later.
  • (Recommended) Latest LogRhythm Knowledge Base.
  • The LogRhythm Echo service installed on a Windows system with network connectivity to the LogRhythm Platform Manager (TCP/1433) and Data Processor (TCP/443).
  • Read/write access to the LogRhythm EMDB SQL Server database.
  • (Recommended) Use a least-privilege SQL Server account for this purpose. For instructions on setting up a least-privilege SQL Server user, see Create a Least-Privilege SQL Server User for Echo.
  • The latest version of Chrome or Firefox browser. Internet Explorer is not supported.
  • (Optional) LogRhythm NetMon 3.x or later, for use cases that require PCAP replay. The NetMon’s management IP address, user name, and API key are required to access the PCAP Replay API.

Install Echo

The Echo installer overwrites your local use case database. If you have a previous version of Echo installed and want to keep the use cases you have created, export your use cases before upgrading. You can then import the use cases into the latest version of the Echo use case database after the upgrade. If in doubt, back up your use case database (C:\Program Files (x86)\LogRhythm\LogRhythm Echo\usecases.db) to a safe location before uninstalling the current version.

  1. Download the signed LogRhythm Echo installer from the LogRhythm Community.
  2. Copy the installer to a Windows machine with network connectivity to the LogRhythm Platform Manager and the Data Processor.
  3. Run the installer as Administrator.
  4. After installation, start the Echo service using the Windows Services interface. Click Control Panel, click Administrative Tools, and then click Services.
    Alternatively, run the following from the command line:
    sc start LogRhythmECHO

Installation Notes

Before using a new Echo installation, perform the configuration steps in the Configure LogRhythm Echo section.
  • Echo installs to C:\Program Files (x86)\LogRhythm\LogRhythm Echo.
  • The Echo software is a Windows Service called “LogRhythm ECHO.”
  • The Echo service can be started and stopped using the Windows Services interface, or from the command line using the following commands:
    • sc start LogRhythmECHO
    • sc stop LogRhythmECHO
  • Access the Echo user interface by pointing a browser at https://<localhost>:33333.

Upgrade Echo

The Echo installer overwrites your local use case database. If you have a previous version of Echo installed and want to keep the use cases you have created, export your use cases before upgrading. You can then import the use cases into the latest version of the Echo use case database after the upgrade. If in doubt, back up your use case database (C:\Program Files (x86)\LogRhythm\LogRhythm Echo\usecases.db) to a safe location before uninstalling the current version.

  1. Open the Echo web interface, and then click Configuration.
  2. Click Delete SIEM Configuration, and then click Confirm.

    This removes all Echo objects from the EMDB (Entity, Host, Agent, Log Sources, and GLPR).
  3. Uninstall the LogRhythm Echo application. Open the Windows Control Panel, click Programs and Features, click LogRhythm Echo, and then click Uninstall.
  4. Download the signed LogRhythm Echo installer from the LogRhythm Community.
  5. Copy the installer to the Windows machine where Echo will be installed.
  6. Run the installer as Administrator.
  7. After installation, start the LogRhythm Echo service using the Windows Services interface. Click Control Panel, click Administrative Tools, and then click Services.
    Alternatively, run the following from the command line:
    sc start LogRhythmECHO
  8. Open the Echo web interface, click Configuration, click Initialize Echo Configuration, and then follow the configuration steps. For more information, see Configure LogRhythm Echo.
  9. (Optional) Import any use cases you exported from the previous Echo version prior to upgrading.
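
The pre-flight checks implied by the prerequisites and the install and upgrade steps above, as an added PowerShell example that is not part of the LogRhythm documentation: it confirms connectivity on TCP/1433 and TCP/443, checks the installer's Authenticode signature, and backs up usecases.db with a hash comparison. The host names, installer path, and backup directory are placeholders (assumptions); the service name and database path are the ones given on this page.

```powershell
# Added example: pre-flight checks before installing or upgrading Echo.
# Host names, installer path and backup directory are placeholders (assumptions).
param(
    [string]$PlatformManager = 'pm.example.internal',        # placeholder
    [string]$DataProcessor   = 'dp.example.internal',        # placeholder
    [string]$InstallerPath   = 'C:\Temp\EchoInstaller.exe',  # placeholder file name
    [string]$BackupDir       = 'C:\EchoBackup'               # placeholder
)
$ErrorActionPreference = 'Stop'

# 1. Connectivity from the prerequisites: Platform Manager on TCP/1433,
#    Data Processor on TCP/443.
$targets = @(
    @{ Name = $PlatformManager; Port = 1433 },
    @{ Name = $DataProcessor;   Port = 443 }
)
foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t.Name -Port $t.Port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { throw "Cannot reach $($t.Name) on TCP/$($t.Port)" }
}

# 2. The installer is run as Administrator, so require a valid Authenticode
#    signature first and show the signer for review.
$sig = Get-AuthenticodeSignature -FilePath $InstallerPath
if ($sig.Status -ne 'Valid') { throw "Installer signature status: $($sig.Status)" }
Write-Host "Signed by: $($sig.SignerCertificate.Subject)"

# 3. Back up the use case database (the installer overwrites it) and verify
#    that the copy matches the original byte for byte.
$db = 'C:\Program Files (x86)\LogRhythm\LogRhythm Echo\usecases.db'
if (Test-Path -LiteralPath $db) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $dest = Join-Path $BackupDir ("usecases-{0:yyyyMMdd-HHmmss}.db" -f (Get-Date))
    Copy-Item -LiteralPath $db -Destination $dest
    $h1 = (Get-FileHash -LiteralPath $db   -Algorithm SHA256).Hash
    $h2 = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    if ($h1 -ne $h2) { throw "Backup hash mismatch for $dest" }
    Write-Host "Backed up use case database to $dest"
} else {
    Write-Host 'No existing usecases.db found (new installation).'
}

# 4. Report the current service state; on a fresh machine the service is absent.
$svc = Get-Service -Name 'LogRhythmECHO' -ErrorAction SilentlyContinue
if ($svc) { Write-Host "LogRhythmECHO service status: $($svc.Status)" }
```

Run it from an elevated PowerShell session on the machine where Echo is or will be installed, before uninstalling the current version.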