This section provides information about Knowledge Base Release notes and the Knowledge Base Manager.
Release Notes
To view current and past release notes, see the LogRhythm Community. Select Documentation & Downloads from the menu at the top, then the KB tab, and then KB Release Notes.
Knowledge Base Configuration
When updating a module to receive new Compliance Automation Suite objects, the LogRhythm environment’s Knowledge Base configuration determines whether and how new or updated Knowledge Base objects are added to the deployment. LogRhythm’s recommended Knowledge Base synchronization settings are listed in this portion of the Deployment Guide. If any synchronization settings vary from the listed configuration, please contact LogRhythm’s Support or Professional Services groups for guidance on ensuring that new content is received when module updates occur. For more information, see Configure Knowledge Base Synchronization Settings.
Recommended Modules
Follow the below steps to enabled additional recommended Knowledge Base modules. The modules are required to complete other sections in this guide around AIE and the Threat Intelligence Service.
-
Open the LogRhythm Console and close all other windows within the Console.
-
Click Tools, Knowledge, and Knowledge Base Manager.
The Knowledge Base Manager appears. -
Select the Action check box of each module you want, right-click the grid, click Actions, and then click Enable Module. The recommended minimum modules to enable are:Core Threat DetectionThreat Intelligence ServiceThreat Intelligence Service : Open SourceDo not enable Intelligent Indexing for any imported Knowledge Base Module.
-
Enable additional modules outlined in RecSol or Statement of Work.
-
At the top of the Knowledge Base Manager, click Synchronize Stored Knowledge Base, and then click OK.
-
To begin the Knowledge Base Import Wizard and allow the knowledge synchronization update to complete, click Next.
Data Management Settings
LogRhythm’s Data Management Settings need to be set according to the specifications below, in order to ensure that the right metadata and raw log data is managed and stored appropriately.
Global Data Management Settings
In the Deployment Manager, click the Platform Manager tab, and then click Global Data Management Settings. Ensure all check boxes under Global Configuration Options are selected.
Classification Based Data Management Settings
In the same Data Management Settings window, click the Classification Based Data Management Settings tab. Ensure Classification Based Data Management (CBDM) is enabled, with all Global CBDM Settings check boxes selected.
Classification Settings (GCS)
In the grid on the bottom of the Classification Based Data Management Settings tab, configure the Global Classification Settings as outlined in the following table.
R = Required for reports to properly populate and to meet compliance regulation archiving standards
O = Optional, but recommended for forensic search support
NR = Not required and not recommended
|
Classification Type |
Classification |
Online |
Archive |
LogMart |
|---|---|---|---|---|
|
Audit |
Access Failure |
R |
R |
R |
|
Audit |
Access Granted |
R |
R |
R |
|
Audit |
Access Revoked |
R |
R |
R |
|
Audit |
Access Success |
O |
O |
R |
|
Audit |
Account Created |
R |
R |
R |
|
Audit |
Account Deleted |
R |
R |
R |
|
Audit |
Account Modified |
R |
R |
R |
|
Audit |
Account Disabled |
R |
R |
R |
|
Audit |
Account Locked |
R |
R |
R |
|
Audit |
Authentication Failure |
R |
R |
R |
|
Audit |
Authentication Success |
O |
R |
R |
|
Audit |
Configuration |
R |
R |
R |
|
Audit |
Other Audit |
R |
O |
NR |
|
Audit |
Other Audit Failure |
R |
R |
NR |
|
Audit |
Other Audit Success |
R |
O |
NR |
|
Audit |
Policy |
R |
R |
R |
|
Audit |
Startup and Shutdown |
O |
O |
NR |
|
Operations |
Critical |
R |
R |
R |
|
Operations |
Error |
R |
R |
R |
|
Operations |
Information |
O |
O |
NR |
|
Operations |
Network Allow |
R |
R |
NR |
|
Operations |
Network Deny |
R |
R |
NR |
|
Operations |
Network Traffic |
R |
R |
NR |
|
Operations |
Other Operations |
O |
R |
NR |
|
Operations |
Warning |
R |
R |
NR |
|
Security |
Activity |
R |
R |
NR |
|
Security |
Attack |
R |
R |
NR |
|
Security |
Compromise |
R |
R |
NR |
|
Security |
Denial Of Service |
R |
R |
NR |
|
Security |
Failed Activity |
R |
O |
NR |
|
Security |
Failed Attack |
R |
O |
NR |
|
Security |
Failed Denial of Service |
R |
O |
NR |
|
Security |
Failed Malware |
R |
O |
NR |
|
Security |
Failed Misuse |
R |
O |
NR |
|
Security |
Failed Suspicious |
R |
O |
NR |
|
Security |
Malware |
R |
R |
NR |
|
Security |
Misuse |
R |
R |
NR |
|
Security |
Other Security |
O |
O |
NR |
|
Security |
Reconnaissance |
R |
R |
NR |
|
Security |
Suspicious |
R |
R |
NR |
|
Security |
Vulnerability |
R |
R |
NR |
Time to Live and Archiving Strategies
Logs are stored on the Data Indexer and in Active Archives to provide for quick searching and reporting.
Logs are stored in Inactive Archives for long-term data retention.
Log data is maintained and stored indefinitely by the LogRhythm Platform (provided there is enough disk space to hold it). However, not all the data is stored online indefinitely.
The following databases store specific log data as described below:
-
Events Database. A component of the Platform Manager (PM). The Events database is the central repository for logs identified as Events, it stores the raw log and metadata parsed from those log messages. Data is stored here for a total of 90 days, by default.
-
Data Indexer. Allows for search-based analytics and provides indexing of data. The Data Indexer (DX) stores both the raw log message and the metadata parsed from all logs sent to the Data Processor (DP). Log data is stored here until storage capacity reaches 80%, or about 30 days on average.
-
LogMart. Used to store metadata parsed from the log messages that qualified as Events, or data that was specifically sent to LogMart via a processing rule; data is stored here for a total of 365 days, by default.
-
Archive. Provides long-term storage for all raw log messages that have been processed by LogRhythm. Archives are stored indefinitely, allowing for access to historical data that may have been removed from one of the above storage locations. Archives are usually stored in an external storage location.
Data that is indexed (in a database) can be searched for investigative purposes, forensic research, and system troubleshooting. Indexed data is data contained in any of the above databases, whereas archived data is data that has been stored and secured in the LogRhythm Archive files.
Before setting a specific retention policy, consult with your internal stakeholders, auditors, and LogRhythm Professional Services to determine how certain log data should be retained to align with any retention requirements. TTL durations can be set for each individual LogRhythm database based on your organization’s prioritization of readily available logs. LogRhythm offers an Archive tier for longterm cold storage, and a warm tier that allows TTL up to and beyond 365 days that keeps the data searchable.
Archiving strategies will be unique to the organization’s compliance and regulatory requirements along with available resources. Long-term archiving strategies and TTL settings can be discussed in further detail with LogRhythm Professional Services.
Global System Settings, available on the Platform Manager tab in the Client Console, include Global Maintenance Settings and Identity Inference. Database backup paths and time-to-live (TTL) values are configured here.
LogRhythm Specific Terminology
|
Abbreviation |
Term |
|---|---|
|
Acct |
Account |
|
AIE |
Advanced Intelligence (AI) Engine |
|
Auth |
Authentication |
|
CCF |
Consolidated Compliance Framework |
|
Comm |
Communication |
|
DB |
Database |
|
DMZ |
Demilitarized Zone or Perimeter Network |
|
EMDB |
Event Manager Database |
|
FIM |
File Integrity Monitor |
|
IP |
Internet Protocol |
|
Intrn |
Internal |
|
Inet |
Internet |
|
Mod |
Modification |
|
Priv |
Privilege or Privileged |
|
ProServ |
Professional Services |
|
SIEM |
Security Information & Event Management |
|
Sync |
Synchronization |
|
UDLA |
Unified Database Layer Access |
|
WAP |
Wireless Access Point |