This section provides information about the Knowledge Base release notes and the Knowledge Base Manager.

Release Notes

To view current and past release notes, see the LogRhythm Community. Select Documentation & Downloads from the menu at the top, then the KB tab, and then KB Release Notes.

Knowledge Base Configuration

When updating a module to receive new Compliance Automation Suite objects, the LogRhythm environment’s Knowledge Base configuration determines whether and how new or updated Knowledge Base objects are added to the deployment. LogRhythm’s recommended Knowledge Base synchronization settings are listed in this portion of the Deployment Guide. If any synchronization settings vary from the listed configuration, please contact LogRhythm’s Support or Professional Services groups for guidance on ensuring that new content is received when module updates occur. For more information, see Configure Knowledge Base Synchronization Settings.

Recommended Modules

Follow the steps below to enable additional recommended Knowledge Base modules. These modules are required to complete other sections in this guide covering AIE and the Threat Intelligence Service.

  1. Open the LogRhythm Console and close all other windows within the Console.
  2. Click Tools, Knowledge, and Knowledge Base Manager.
    The Knowledge Base Manager appears.
  3. Select the Action check box of each module you want, right-click the grid, click Actions, and then click Enable Module. The recommended minimum modules to enable are:
    • Core Threat Detection
    • Threat Intelligence Service
    • Threat Intelligence Service : Open Source

      Do not enable Intelligent Indexing for any imported Knowledge Base Module.

  4. Enable any additional modules outlined in the RecSol or Statement of Work.
  5. At the top of the Knowledge Base Manager, click Synchronize Stored Knowledge Base, and then click OK.
  6. To begin the Knowledge Base Import Wizard and allow the knowledge synchronization update to complete, click Next.

Data Management Settings

LogRhythm’s Data Management Settings must be set according to the specifications below to ensure that the right metadata and raw log data are managed and stored appropriately.

Global Data Management Settings

In the Deployment Manager, click the Platform Manager tab, and then click Global Data Management Settings. Ensure all check boxes under Global Configuration Options are selected.

Classification Based Data Management Settings

In the same Data Management Settings window, click the Classification Based Data Management Settings tab. Ensure Classification Based Data Management (CBDM) is enabled, with all Global CBDM Settings check boxes selected.

Classification Settings (GCS)

In the grid on the bottom of the Classification Based Data Management Settings tab, configure the Global Classification Settings as outlined in the following table.

R = Required for reports to properly populate and to meet compliance regulation archiving standards
O = Optional, but recommended for forensic search support
NR = Not required and not recommended

Classification Type   Classification              Online   Archive   LogMart
Audit                 Access Failure              R        R         R
Audit                 Access Granted              R        R         R
Audit                 Access Revoked              R        R         R
Audit                 Access Success              O        O         R
Audit                 Account Created             R        R         R
Audit                 Account Deleted             R        R         R
Audit                 Account Modified            R        R         R
Audit                 Account Disabled            R        R         R
Audit                 Account Locked              R        R         R
Audit                 Authentication Failure      R        R         R
Audit                 Authentication Success      O        R         R
Audit                 Configuration               R        R         R
Audit                 Other Audit                 R        O         NR
Audit                 Other Audit Failure         R        R         NR
Audit                 Other Audit Success         R        O         NR
Audit                 Policy                      R        R         R
Audit                 Startup and Shutdown        O        O         NR
Operations            Critical                    R        R         R
Operations            Error                       R        R         R
Operations            Information                 O        O         NR
Operations            Network Allow               R        R         NR
Operations            Network Deny                R        R         NR
Operations            Network Traffic             R        R         NR
Operations            Other Operations            O        R         NR
Operations            Warning                     R        R         NR
Security              Activity                    R        R         NR
Security              Attack                      R        R         NR
Security              Compromise                  R        R         NR
Security              Denial Of Service           R        R         NR
Security              Failed Activity             R        O         NR
Security              Failed Attack               R        O         NR
Security              Failed Denial of Service    R        O         NR
Security              Failed Malware              R        O         NR
Security              Failed Misuse               R        O         NR
Security              Failed Suspicious           R        O         NR
Security              Malware                     R        R         NR
Security              Misuse                      R        R         NR
Security              Other Security              O        O         NR
Security              Reconnaissance              R        R         NR
Security              Suspicious                  R        R         NR
Security              Vulnerability               R        R         NR
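The R/O/NR codes above define a simple audit rule: a Required store must be on, a Not Recommended store should be off, and Optional is acceptable either way. The following added example (not LogRhythm's own tooling) applies that rule to a deployment's current settings; the pipe-separated row format and the per-store on/off dictionary are assumed shapes, and the excerpt and sample settings are constructed.

```python
from typing import Dict, List, Tuple
STORES = ("Online", "Archive", "LogMart")

# Excerpt of the guide's recommended table: Type | Classification | Online | Archive | LogMart.
# R = required (store must be on), O = optional, NR = not recommended (store should be off).
RECOMMENDED_TEXT = """
Audit      | Access Failure | R | R | R
Audit      | Access Success | O | O | R
Operations | Network Deny   | R | R | NR
Security   | Attack         | R | R | NR
Security   | Failed Attack  | R | O | NR
Security   | Other Security | O | O | NR
"""

def parse_matrix(text: str) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Parse pipe-separated rows into {(type, classification): {store: code}}."""
    matrix = {}
    for line in text.strip().splitlines():
        ctype, cls, *codes = [c.strip() for c in line.split("|")]
        matrix[(ctype, cls)] = dict(zip(STORES, codes))
    return matrix

def flags(online: bool, archive: bool, logmart: bool) -> Dict[str, bool]:
    """Assumed shape of a deployment's current per-store on/off settings."""
    return dict(zip(STORES, (online, archive, logmart)))

def audit(recommended: Dict, current: Dict) -> List[str]:
    """Report every store whose current flag conflicts with its R/NR code,
    and every recommended classification missing from `current`."""
    findings = []
    for (ctype, cls), codes in recommended.items():
        current_flags = current.get((ctype, cls))
        if current_flags is None:
            findings.append(f"{ctype}/{cls}: no current setting found")
            continue
        for store, code in codes.items():
            enabled = current_flags.get(store, False)
            if code == "R" and not enabled:
                findings.append(f"{ctype}/{cls}: {store} must be enabled (R)")
            elif code == "NR" and enabled:
                findings.append(f"{ctype}/{cls}: {store} should be disabled (NR)")
    return sorted(findings)
# Constructed sample of one deployment's current flags (not real LogRhythm export data).
CURRENT_SAMPLE = {
    ("Audit", "Access Failure"): flags(True, False, True),    # Archive off violates R
    ("Audit", "Access Success"): flags(False, False, True),   # compliant (O, O, R)
    ("Operations", "Network Deny"): flags(True, True, False), # compliant
    ("Security", "Attack"): flags(True, True, True),          # LogMart on violates NR
    ("Security", "Failed Attack"): flags(True, False, False), # compliant
}   # Security/Other Security is deliberately absent and gets reported as missing
```

Extending RECOMMENDED_TEXT with the remaining rows of the table gives a full check of the Global Classification Settings grid.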

Time to Live and Archiving Strategies

Logs are stored on the Data Indexer and in Active Archives to provide for quick searching and reporting.

Logs are stored in Inactive Archives for long-term data retention.

Log data is maintained and stored indefinitely by the LogRhythm Platform (provided there is enough disk space to hold it). However, not all the data is stored online indefinitely.

The following databases store specific log data as described below:

  • Events Database. A component of the Platform Manager (PM). The Events database is the central repository for logs identified as Events; it stores the raw log and the metadata parsed from those log messages. Data is stored here for a total of 90 days, by default.
  • Data Indexer. Allows for search-based analytics and provides indexing of data. The Data Indexer (DX) stores both the raw log message and the metadata parsed from all logs sent to the Data Processor (DP). Log data is stored here until storage capacity reaches 80%, or about 30 days on average.
  • LogMart. Used to store metadata parsed from the log messages that qualified as Events, or data that was specifically sent to LogMart via a processing rule; data is stored here for a total of 365 days, by default.
  • Archive. Provides long-term storage for all raw log messages that have been processed by LogRhythm. Archives are stored indefinitely, allowing for access to historical data that may have been removed from one of the above storage locations. Archives are usually stored in an external storage location.

Data that is indexed (in a database) can be searched for investigative purposes, forensic research, and system troubleshooting. Indexed data is data contained in any of the above databases, whereas archived data is data that has been stored and secured in the LogRhythm Archive files.

Before setting a specific retention policy, consult with your internal stakeholders, auditors, and LogRhythm Professional Services to determine how certain log data should be retained to align with any retention requirements. TTL durations can be set for each individual LogRhythm database based on your organization’s prioritization of readily available logs. LogRhythm offers an Archive tier for long-term cold storage, and a warm tier that keeps data searchable with a TTL of up to and beyond 365 days.

Archiving strategies will be unique to the organization’s compliance and regulatory requirements along with available resources. Long-term archiving strategies and TTL settings can be discussed in further detail with LogRhythm Professional Services.

Global System Settings, available on the Platform Manager tab in the Client Console, include Global Maintenance Settings and Identity Inference. Database backup paths and time-to-live (TTL) values are configured here.

LogRhythm Specific Terminology

Abbreviation   Term
Acct           Account
AIE            Advanced Intelligence (AI) Engine
Auth           Authentication
CCF            Consolidated Compliance Framework
Comm           Communication
DB             Database
DMZ            Demilitarized Zone or Perimeter Network
EMDB           Event Manager Database
FIM            File Integrity Monitor
IP             Internet Protocol
Intrn          Internal
Inet           Internet
Mod            Modification
Priv           Privilege or Privileged
ProServ        Professional Services
SIEM           Security Information & Event Management
Sync           Synchronization
UDLA           Unified Database Layer Access
WAP            Wireless Access Point