LogRhythm Networking Considerations

There are general guidelines, considerations, and standards to review before deploying your solution within a network. This page covers the networking and communication considerations and requirements that help you deploy the solution.

  • LogRhythm Server IP Addresses. LogRhythm appliances include multiple network interfaces to accommodate different deployment topologies. All IP addresses should be statically assigned or reserved to avoid IP changes. For many topologies, best practice is to use one of the 1Gb interfaces as management and one of the 10Gb interfaces for data.
  • DNS Resolution. It is recommended that the LogRhythm server acting as the Platform Manager be entered into DNS so it is addressable by name.
  • Domain Membership. A LogRhythm server does not need to be a member of the Windows Domain to function correctly. However, LogRhythm recommends adding it to make remote event log collection easier to manage.
  • Remote Event Log Collection User Account. A special user account must be created on the domain for remote event log collection. For more information, see Windows Event Log Collection.
  • Network Address Translation. Network address translation (NAT) cannot be used between core components (AIE, DP, DX, PM, Web). All communications between these components must be real IP to real IP.

LogRhythm components communicate over TCP, UDP, or HTTPS on specific ports. TLS is used when receiving logs at the Data Processor from the LogRhythm System Monitor and also when sending logs from the Data Processor to AI Engine. The diagram below shows the communication between the components and the specific protocols and ports used.


The following tables list all network communications and interactions within a LogRhythm deployment. They can assist system and network administrators with configuration of network access control devices and software.

Components

Client: AI Engine

| Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| 8300 | Platform Manager | 8300 | TCP | Incoming RPC requests from client Consul instances |
| 8501 | Platform Manager | 8501 | HTTPS | Auth/config/search requests between API Gateway on AIE and PM |
| 8301 | Platform Manager | 8301 | TCP/UDP | Cluster membership and inter-node communications between Consul instances (see the port 8301 note below) |
| Random | Platform Manager | 1433 | TCP | Configuration details from EMDB on PM |
| 3334, 3335 | Data Processor | 30000, 30001 | TCP | AIE Data Provider on DP forwarding log data to AIE Comm Manager |

Port 8301 note: Port 8301 must be opened for TCP and UDP traffic on all hosts (PM, DP, DX, AIE, Web) in your deployment, with the exception of Client Console and Agent hosts. 8301 is the bi-directional communication port used between all Consul hosts. If the port is blocked, hosts in your deployment will not be able to join the Consul cluster. No log data or customer data is passed between hosts on this port. It is only used for membership communication between LR hosts.
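The port 8301 rule and the per-component tables in this section can be checked mechanically before a firewall change goes live. The following Python is an added example, not LogRhythm tooling: it expands the documented client-to-server flows over a concrete host list, adds the 8301 TCP/UDP Consul mesh between core hosts (Console and Agent hosts excluded), and reports which required flows an allow list does not permit. The host names, roles and allow rules are constructed for illustration.

```python
from dataclasses import dataclass

# Roles that join the Consul cluster; Client Console and Agent hosts do not.
CORE_ROLES = {"PM", "DP", "DX", "AIE", "Web"}

# (client role, server role, server port, protocol) from the component tables on this page.
# HTTPS rows are listed as TCP because that is what a firewall matches on.
ROLE_FLOWS = [
    ("AIE", "PM", 8300, "TCP"), ("AIE", "PM", 8501, "TCP"), ("AIE", "PM", 1433, "TCP"),
    ("AIE", "DP", 30000, "TCP"), ("AIE", "DP", 30001, "TCP"),
    ("Console", "PM", 8501, "TCP"), ("Console", "PM", 1433, "TCP"), ("Console", "DX", 8501, "TCP"),
    ("DX", "PM", 8300, "TCP"), ("DX", "PM", 8501, "TCP"), ("DX", "PM", 1433, "TCP"),
    ("DP", "DX", 8501, "TCP"), ("PM", "DP", 8300, "TCP"), ("PM", "DP", 8501, "TCP"),
    ("Web", "PM", 8300, "TCP"), ("Web", "PM", 8501, "TCP"), ("Web", "PM", 1433, "TCP"),
    ("Web", "DX", 8501, "TCP"), ("Agent", "DP", 40000, "TCP"),  # Agent in Unidirectional mode
]

@dataclass(frozen=True)
class Flow:
    src: str    # client host
    dst: str    # server host
    port: int   # server port
    proto: str  # "TCP" or "UDP"

def required_flows(hosts):
    """hosts maps host name -> role (constructed input). Expands ROLE_FLOWS over the hosts
    and adds the Consul gossip mesh: 8301 TCP and UDP between every ordered pair of core hosts."""
    flows = set()
    for src, src_role in hosts.items():
        for dst, dst_role in hosts.items():
            if src == dst:
                continue
            for client_role, server_role, port, proto in ROLE_FLOWS:
                if src_role == client_role and dst_role == server_role:
                    flows.add(Flow(src, dst, port, proto))
            if src_role in CORE_ROLES and dst_role in CORE_ROLES:
                flows.add(Flow(src, dst, 8301, "TCP"))
                flows.add(Flow(src, dst, 8301, "UDP"))
    return flows

def missing_flows(hosts, allow_rules):
    """allow_rules are (src, dst, port, proto) tuples; "*" matches any host or any port.
    Returns the required flows no rule permits, i.e. what the firewall would block."""
    def permitted(f):
        return any(s in ("*", f.src) and d in ("*", f.dst) and p in ("*", f.port)
                   and pr == f.proto for s, d, p, pr in allow_rules)
    return {f for f in required_flows(hosts) if not permitted(f)}
```

A common finding from this check is an allow list that opens 8301 for TCP only; every missing flow it reports is then the UDP half of the Consul mesh, which is exactly the case the note above warns will keep hosts out of the cluster.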

Client: Client Console

| Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| 8501 | Data Indexer | 8501 | HTTPS | Auth/config/search requests between API Gateway on Console and DX |
| 8501 | Platform Manager | 8501 | HTTPS | Auth/config/search requests between API Gateway on Console and PM |
| Random | Platform Manager | 1433 | TCP | Console SQL Server access to PM EMDB |

Client: Common Components

| Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| Random | Metrics Database (InfluxDB) | 8076 | TCP | Persistence layer for time-series metrics |
| Random | Metrics Collection (Telegraf) | 8125 | TCP | Collects system-level metrics and reports them to the data store; collects performance counters on Windows-based operating systems; collects system information such as disk, RAM, CPU, and port metrics on all systems |
| Random | Metrics Web UI (Grafana) | 3000 | TCP | User interface for viewing and exploring metrics |

Client: Data Indexer

| Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| Random | Platform Manager | 1433 | TCP | DX SQL Server access to PM EMDB |
| 8501 | Platform Manager | 8501 | HTTPS | Auth/config/search requests between API Gateway on DX and PM |
| 8300 | Platform Manager | 8300 | TCP | Incoming RPC requests from client Consul instances |
| 8301 | Platform Manager | 8301 | TCP/UDP | Cluster membership and inter-node communications between Consul instances (see the port 8301 note under Client: AI Engine) |

Client: Data Processor

| Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| 8501 | Data Indexer | 8501 | HTTPS | Auth/config/search requests between API Gateway on DP and DX |

Client: LR API

| Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| Random | Platform Manager | 1433 | TCP | Bidirectional connection between LR API and PM |

Client: LR KB Update

| Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| N/A | Platform Manager | 80, 443 | TCP | Bidirectional connection for KB updates |

Client: Open Collector

| Direction | Source > Destination | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| Outbound | Open Collector > *.github.com | 443 | HTTPS | Identify latest container versions. Only used during an installation or upgrade of the Open Collector. |
| Outbound | Open Collector > *.gcr.io | 443 | HTTPS | Download latest Open Collector software. Only used during an installation or upgrade of the Open Collector. |
| Outbound | Open Collector > Windows System Monitor Agent | 514 | HTTPS | Syslog feed of data to LogRhythm SIEM |
| Inbound | User Machine > Open Collector | 3000 | HTTP | View Open Collector metrics in Grafana |
| Inbound | User Machine > Open Collector | 22 | SSH | Interact with Open Collector |

Client: Platform Manager

| Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| 8300 | Data Processor | 8300 | TCP | Incoming RPC requests from client Consul instances |
| 8301 | Data Processor | 8301 | TCP/UDP | Cluster membership and inter-node communications between Consul instances (see the port 8301 note under Client: AI Engine) |
| 8501 | Data Processor | 8501 | HTTPS | Auth/config/search requests between API Gateway on DP and PM |
| Random | Data Processor | 1433 | TCP | DP SQL Server access to PM EMDB |

Client: System Monitor/Data Collector

Agents communicate with Data Processors via a secure, proprietary TCP-based application protocol. Communications are encrypted with TLS using either unilateral or bilateral authentication. The TCP port Agents send data from and the TCP port Data Processors listen on are both user configurable.

| Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| 0 (formerly 3333) | Data Processor | 40000 | TCP | Forwards raw log data to the DP when running in Unidirectional Agent mode |
| 0 (formerly 3333) | Data Processor | 443 | TCP | Forwards raw log data to the DP when running in Bidirectional mode |

Client: Web Browser

| Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| Random | Web Console | 8443 | HTTPS | The SSL port to use for accessing the Web Console |

Client: Web Console

| Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| 8300 | Platform Manager | 8300 | TCP | Incoming RPC requests from client Consul instances |
| 8501 | Platform Manager | 8501 | HTTPS | Auth/config/search requests between API Gateway on Web and PM |
| 8501 | Data Indexer | 8501 | HTTPS | Auth/config/search requests between API Gateway on Web and DX |
| Random | Platform Manager | 1433 | TCP | Web Console SQL Server access to PM Events DB |
| 8301 | Platform Manager | 8301 | TCP/UDP | Cluster membership and inter-node communications between Consul instances (see the port 8301 note under Client: AI Engine) |
| 43 | WHOIS | 43 | TCP | Run a whois query using contextualization |

Client: Web Console Case API

The Web Console Case API uses dynamic ports in the range of 20000-30000. These are listening ports used for loopback purposes and do not require any firewall changes.

Client: TrueIdentity Sync Client

| Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|
| 389 | AD Server | 389 | LDAP | TrueIdentity Sync Client access to the LDAP server |
| 636 | AD Server | 636 | LDAP | TrueIdentity Sync Client access to the secure LDAP server |
| 8505 (local requests) | Admin API, Platform Manager | 8505 (local requests) | HTTPS | Connection to the Admin API |
| 8501 (remote requests) | Admin API, Platform Manager | 8501 (remote requests) | HTTPS | Connection to the Admin API |

Notifications and Alerts

| Client | Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|---|
| LogRhythm Platform Manager and Web Console | Random | SMTP Server | 25 | TCP | Unidirectional, Client Initiated |
| LogRhythm Platform Manager | Random | SNMP Manager | 162 | UDP | Unidirectional, Client Initiated |
| LogRhythm Platform Manager | See note | McAfee ePO Server | See note | See note | LogRhythm alarms are forwarded to ePO via the McAfee agent installed on a Platform Manager |

McAfee ePO note: To determine the ports utilized by McAfee agents and the ePO server, see your McAfee ePO documentation and configuration.

Devices Sending Logs

| Client | Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|---|
| UDP Syslog Device | Random | LogRhythm Agent | 514 | UDP | Unidirectional |
| TCP Syslog Device | Random | LogRhythm Agent | 514 | TCP | Unidirectional |
| NetFlow v1, v5 or v9 Device | Configurable | LogRhythm Agent | 5500 | UDP | Unidirectional |
| IPFIX Device | Configurable | LogRhythm Agent | 5500 | UDP | Unidirectional |
| J-Flow Device | Configurable | LogRhythm Agent | 5500 | UDP | Unidirectional |
| sFlow Device | Configurable | LogRhythm Agent | 6343 | UDP | Unidirectional |
| SNMP Trap Device | Configurable | LogRhythm Agent | 161 | UDP | Unidirectional |

Remote Log Collection

| Client | Client Port | Server | Server Port | Protocol | Purpose |
|---|---|---|---|---|---|
| LogRhythm Agent | Random | Windows Host (Windows Event Logs) | 135, 137, 138, 139, 445 | TCP/RPC | Bidirectional, Client Initiated |
| LogRhythm Agent | Random | Database Server (UDLA) | DB server dependent (see UDLA note) | TCP/ODBC | Bidirectional, Client Initiated |
| LogRhythm Agent | Random | Check Point Firewall | 18184 | TCP/OPSEC LEA | Bidirectional, Client Initiated |
| LogRhythm Agent | Random | Cisco IDS (SDEE) | 443 | TCP/HTTPS | Bidirectional, Client Initiated |
| LogRhythm Agent | Random | Nessus Server | 8834 | TCP/HTTPS | Bidirectional, Client Initiated |
| LogRhythm Agent | Random | Qualys Server | 443 | TCP/HTTPS | Bidirectional, Client Initiated |
| LogRhythm Agent | Random | Metasploit Server | 3790 | TCP/HTTPS | Bidirectional, Client Initiated |
| LogRhythm Agent | Random | Nexpose Server | 3780 | TCP/HTTPS | Bidirectional, Client Initiated |
| LogRhythm Agent | Random | Retina Server | 1433 | TCP/ODBC | Bidirectional, Client Initiated |
| LogRhythm Agent | 4444 | eStreamer Server | 8302 | TCP/HTTPS | Bidirectional, Client Initiated |

UDLA note: The server port for UDLA collection varies with the database server being queried (SQL Server default = TCP 1433; MySQL default = 3306; Oracle default = TCP 1521; DB2 default = TCP 50000).

Data Indexer - Inbound Ports

| Appliance | Protocol | Inbound Port | Received From | Operating System | Purpose |
|---|---|---|---|---|---|
| PM - Disaster Recovery | TCP | 5022 | Inter-node Disaster Recovery communication | Windows | Port used for replication requests in Disaster Recovery deployments |
| PM - SQL | TCP | 1433 | Carpenter and Bulldozer on DX | Windows & Linux | SQL Server access to EMDB |
| LogRhythm API Gateway | HTTPS | 8501 | API Gateway | Windows & Linux | Enables secure, load-balanced, and discoverable service-to-service communication. Required to use the JWT from the Authentication API. |
| Consul | TCP/UDP | 8300, 8301 | Service Registry | Windows & Linux | Establishes a secure cluster between the LogRhythm hosts in a deployment, not including agents |

Data Indexer - Local Ports

| Service | Protocol | Port | Direction | Operating System | Purpose |
|---|---|---|---|---|---|
| Columbo | TCP | 13131, 13133 | DX Local Only | Windows & Linux | Columbo internal processing |
| Consul | TCP/UDP | 8300, 8301 | Inter-node | Windows & Linux | Nodes in cluster sharing keys |
| Consul | TCP | 8500 | DX Local Only | Windows | Consul administration dashboard |
| Elasticsearch | TCP | 9200 | DX Local Only | Windows & Linux | Curl queries to Elasticsearch |
| Elasticsearch | TCP | 9300-9400 | Inter-node | Linux | Replication and federation across nodes |

Open Collector

| Direction | Port | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|---|
| Outbound | 443 | HTTPS | Open Collector | *.github.com | Identify latest container versions. Only used during an installation or upgrade of the Open Collector. |
| Outbound | 443 | HTTPS | Open Collector | *.gcr.io | Download latest Open Collector software. Only used during an installation or upgrade of the Open Collector. |
| Inbound | 3000 | HTTP | User machine | Open Collector | View Open Collector metrics in Grafana |
| Inbound | 22 | SSH | User machine | Open Collector | Interact with Open Collector |
| Outbound | 514 | HTTPS | Open Collector | Windows System Monitor Agent | Syslog feed of data to LogRhythm SIEM |

Beats

| Direction | Port | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|---|
| Outbound | 443 | HTTPS | Beats | *.windows.net | Collection from any active beat: Azure Event Hub, AWS S3, Gmail Message Tracking, GSuite, Pub/Sub, Sophos Central |
| Outbound | 5671 | AMQPS | Event Hub Beat | *.windows.net | Azure collection from Event Hub |

Unidirectional Agent Communication

LogRhythm provides support for secure transmission from an unclassified server to a top secret server. The System Monitor Agents support unidirectional communication without receiving any control or data transmissions from the Data Processor or Platform Manager. The table below shows the unidirectional communication from the Agent(s) within the unclassified sector to the Data Processor within the top secret sector.

| Client | Client Port | Server | Server Port | Protocol | Communications |
|---|---|---|---|---|---|
| LogRhythm Agent | 3333 | LogRhythm Data Processor | 40000 | TCP | Unidirectional |
| Web Console Client | Random | LogRhythm Web Server | 8443 | HTTPS | Bidirectional, Client Initiated |
| Web Console Client | Random | Data Indexer | 13130, 13132 | TCP | Bidirectional, Client Initiated |