LogRhythm Metrics App v.1.0.2

The LogRhythm Metrics App is a standalone application that extracts LogRhythm LogMart, Case, and Alarm SQL Server database data to a standalone Elasticsearch instance for analysis and presentation.

Background

The LogRhythm Metrics App gives system integrators, MSSPs, and large enterprises the ability to customize reporting on logs, events, alarms, and other metrics, and to create highly customized dashboards, reports, and bespoke views of data captured in the LogRhythm platform. Users can create content that is unique to their service offering, combine LogRhythm data with their other managed solutions for broader visibility across their full technology portfolio, and provide reporting to their end users that demonstrates measurement against SLAs and other contractual requirements.

The most dynamic, direct, and flexible dashboard and reporting capabilities are concentrated in two areas:

  • Security Operations—alarm counts, alarm histograms, MTTD/MTTR metrics, etc.
  • Platform—log processing rates, indexing rates, logs by source, logs by type, etc.

Features

The LogRhythm Metrics App provides:

  • A certified and supported SecOps metrics application that supports custom dashboards, reporting, and analysis via third-party solutions, specifically Kibana.
  • The following capabilities as certified and fully supported components of the app:
    • Automatic and consistent extraction of specific metrics data through exposed APIs (preferred) or directly from SQL Server
    • Appropriate transformation of data in support of analytics flexibility and to alleviate data persistence concerns
    • Writing metrics to a separate, dedicated Elasticsearch instance. We use our best efforts to ensure that when updating the app for new features or in support of new LogRhythm versions, Elastic indices will not be modified in ways that would break existing analytics integrations.
  • Reference architectures and documentation as part of the app, in support of:
    • Deploying and configuring the Metrics App, including the Elasticsearch/Logstash/Kibana stack
    • Integrating Kibana for custom analytics
    • Data retention best practices
    • App health monitoring and troubleshooting
  • Example Kibana dashboards and widget samples.

Solution Architecture

Figure 1 LogRhythm Metrics App solution architecture

The LogRhythm Metrics App uses Logstash to perform the required ETL (Extract, Transform, and Load) on the SQL Server data. This makes the solution extensible in the field without needing code changes from LogRhythm to add or modify functionality. The transformed data repository is a standalone Elasticsearch instance (separate from the LogRhythm Data Indexer).

As part of this architecture, LogRhythm supports:

  • Standalone Elastic instance configuration (with a fixed size and config)
  • Logstash configuration and setup
  • Logstash queries to ETL data from SQL Server databases—EMDB, LogMart, Alarms, and Case—to the standalone Elastic instance. Users can transform data to de-normalize, add Entities, perform lookups, and more.
  • Sample Kibana searches (4), visualizations (25), and dashboards (4)
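The following is an added example, not code shipped with the Metrics App, that shows the shape of the ETL described above in plain Python: an incremental, read-only extract from a SQL source, a transform that de-normalizes alarms against an entity lookup and derives the detection and response durations behind the MTTD/MTTR metrics, and a load stage that produces the NDJSON body of an Elasticsearch _bulk request. The table and column names are hypothetical stand-ins (the page does not give the LogRhythm schema), an in-memory sqlite3 database stands in for SQL Server, and the time-to-detect and time-to-respond definitions are assumed for the example; in the real app this logic lives in Logstash pipeline configuration rather than Python.

```python
import json
import sqlite3
from datetime import datetime

# Constructed sample rows for two hypothetical tables, alarm and entity.
# Column names are stand-ins; they are NOT the real LogRhythm schema.
ALARM_ROWS = [
    # alarm_id, alarm_name, entity_id, event_time, alarm_time, closed_time, status
    (101, "Malware Detected", 1, "2024-05-01T10:00:00", "2024-05-01T10:05:00", "2024-05-01T11:05:00", "Closed"),
    (102, "Brute Force Login", 2, "2024-05-01T12:00:00", "2024-05-01T12:30:00", None, "Open"),
    (103, "Suspicious Outbound", 1, "2024-05-02T08:00:00", "2024-05-02T08:10:00", "2024-05-02T09:40:00", "Closed"),
]
ENTITY_ROWS = [(1, "Primary Site"), (2, "Branch Office")]


def build_source():
    """In-memory sqlite3 database standing in for the SQL Server source."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE entity (entity_id INTEGER PRIMARY KEY, entity_name TEXT);"
        "CREATE TABLE alarm (alarm_id INTEGER PRIMARY KEY, alarm_name TEXT,"
        " entity_id INTEGER, event_time TEXT, alarm_time TEXT, closed_time TEXT, status TEXT);"
    )
    con.executemany("INSERT INTO entity VALUES (?, ?)", ENTITY_ROWS)
    con.executemany("INSERT INTO alarm VALUES (?, ?, ?, ?, ?, ?, ?)", ALARM_ROWS)
    return con


def extract(con, since=None):
    """Extract step: a read-only, incremental query. Like a Logstash jdbc input
    with a tracking column, it pulls only rows newer than the last watermark,
    so a read-only database account is all the pipeline needs."""
    sql = (
        "SELECT a.alarm_id, a.alarm_name, a.entity_id, e.entity_name,"
        " a.event_time, a.alarm_time, a.closed_time, a.status"
        " FROM alarm a LEFT JOIN entity e ON e.entity_id = a.entity_id"
    )
    params = ()
    if since is not None:
        sql += " WHERE a.alarm_time > ?"
        params = (since,)
    sql += " ORDER BY a.alarm_time"
    return con.execute(sql, params).fetchall()


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def transform(row):
    """Transform step: de-normalize (entity name is already joined in) and
    derive the durations the dashboards chart. Assumed definitions for this
    example: time-to-detect is alarm_time minus event_time, time-to-respond
    is closed_time minus alarm_time (None while the alarm is still open)."""
    alarm_id, alarm_name, entity_id, entity_name, event_time, alarm_time, closed_time, status = row
    event, alarm, closed = _ts(event_time), _ts(alarm_time), _ts(closed_time)
    return {
        "alarm_id": alarm_id,
        "alarm_name": alarm_name,
        "entity": {"id": entity_id, "name": entity_name},
        "@timestamp": alarm_time,
        "status": status,
        "mttd_seconds": (alarm - event).total_seconds(),
        "mttr_seconds": (closed - alarm).total_seconds() if closed else None,
    }


def to_bulk(docs, index="lr-alarms"):
    """Load step: NDJSON body for an Elasticsearch _bulk request. Using the
    alarm id as _id keeps re-runs idempotent (an overwrite, not a duplicate)."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index, "_id": str(doc["alarm_id"])}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"


def mean_mttd_mttr(docs):
    """Mean time-to-detect over all alarms, mean time-to-respond over closed ones."""
    mttd = [d["mttd_seconds"] for d in docs]
    mttr = [d["mttr_seconds"] for d in docs if d["mttr_seconds"] is not None]
    return (sum(mttd) / len(mttd) if mttd else None,
            sum(mttr) / len(mttr) if mttr else None)


def run_pipeline(since=None, index="lr-alarms"):
    """Extract, transform, and build the load body in one pass."""
    con = build_source()
    docs = [transform(r) for r in extract(con, since)]
    return docs, to_bulk(docs, index)


if __name__ == "__main__":
    docs, body = run_pipeline()
    print(body)
    print("mean MTTD/MTTR seconds:", mean_mttd_mttr(docs))
```

Two design points carry over to the real Logstash pipeline: the watermark in `extract` is what makes repeated scheduled runs cheap and lets the source account stay read-only, and pinning the Elasticsearch document `_id` to the source alarm id means a re-run after a failure overwrites documents instead of double-counting alarms in the MTTD/MTTR charts.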