The LogRhythm installation includes predefined templates, reports, and Report Packages, which are sets of reports that pertain to a single topic such as security compliance standards, usage auditing, or LogRhythm diagnostics. The following tasks can be performed from the Report Center:
- Generate a report from a predefined report format included in the LogRhythm installation.
- Generate a group of reports (a report package) from a predefined Report Package format included in the LogRhythm installation.
- Generate a report from a custom format.
- Copy, import, and export reports.
- Create a custom template.
- Import a custom report logo.
New and updated reports are loaded with the updated Knowledge Base. You must have administrative privileges to import a Knowledge Base.
A report template defines the report format including the columns, group order, and sort order. The report configuration defines the data that is included in the report. All available report templates are listed on the Report Templates tab of the Report Center page. The table below describes the columns that appear in the Report Template grid.
Category of Report Type
|Column|Description|
|---|---|
|Name|The name of the template.|
|PM|When selected, the Platform Manager is available for selection as an input source in the Report Wizard.|
|DP|When selected, the Data Processor is available for selection as an input source in the Report Wizard.|
|LogMart|When selected, the LogMart is available for selection as an input source in the Report Wizard.|
|Fields Included|A list of the data fields that define the columns in the report.|
|Field Grouping and Operations|Governs how the report data is grouped and sorted in the report.|
|Description|A report definition.|
|Permissions|Determines who can view and generate reports: Private, Public All Users, Public Global Analysts, and Public Global Administrators.|
|Owner|Displays who owns the reports.|
|Date Updated|Displays the date and time the report was last updated.|
|Version|Displays the version in which the report was updated.|
|ID|A system-generated identification number.|
There are four categories of permissions for reports:
- Private. Only the owner can run or edit the report.
- Public All Users. Only Global Administrators or the owner can edit the report, but everyone can run it.
- Public Global Analysts. Only Global Administrators or the owner can edit the report, but everyone except standard Restricted Analysts can run it.
- Public Global Administrators. Only Global Administrators or the owner can edit the report, but everyone except standard Restricted Analysts and Global Analysts can run it.
Permissions Table for Custom Reports: Report Permission Level vs. User Role
|User Role||Private||Public All Users||Public Global Analysts||Public Global Administrators|
Permissions Table for System Reports: Report Permission Level vs. User Role
|User Role||Public All Users||Public Global Analysts||Public Global Administrators|
If you change the Authorized User Profiles after a report has been run, users with newly granted access cannot see the report in the Web Console. You must run the report again for it to be visible to the new user profiles.
Report Data Sources
Understanding how data is retrieved, from where, and what state it is in helps determine which template to use.
In LogRhythm, all dates are stored in Greenwich Mean Time (GMT). LogMart dates use whole hour resolution. Activity occurring between the start and the end of the hour is recorded as occurring on the hour. For example, a log entry dated 1/1/10 3:34:33 PM would be associated with the aggregated occurrence record dated 1/1/10 3:00:00 PM.
Because LogMart occurrences are aggregated by the hour, reports contain results within whole hours. For example, a report run 1/1/10 5:30 AM GMT through 1/1/10 5:30 PM GMT will actually contain results on or after 1/1/10 6:00 AM GMT and prior to 1/1/10 6:00 PM GMT.
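The hour rounding described above can be checked before relying on a LogMart report for an audit window. The following Python sketch is an added example, not LogRhythm code: it computes which hourly record a log entry lands in and which activity a requested report range actually covers. The function names are hypothetical, and it assumes an hourly record is selected when its hour stamp lies within the requested range, which matches the example given above.

```python
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)


def logmart_bucket(ts):
    """Hour stamp of the aggregated occurrence record a log entry falls into."""
    return ts.replace(minute=0, second=0, microsecond=0)


def effective_window(start, end):
    """Return (covered_from, covered_until) for a LogMart report, or None.

    Assumption: an hourly record is selected when its hour stamp lies
    within [start, end]; it then contributes activity for its whole hour.
    """
    first = logmart_bucket(start)
    if first < start:
        first += HOUR              # record stamped before `start` is not selected
    last = logmart_bucket(end)     # latest hour stamp that is <= end
    if last < first:
        return None                # no hour stamp inside the requested range
    return first, last + HOUR      # covered_until is exclusive


def coverage_drift(start, end):
    """Return (missing_at_start, extra_at_end) as timedeltas, or None."""
    window = effective_window(start, end)
    if window is None:
        return None
    return window[0] - start, window[1] - end


if __name__ == "__main__":
    gmt = timezone.utc
    # Constructed inputs reusing the dates from the page's examples.
    entry = datetime(2010, 1, 1, 15, 34, 33, tzinfo=gmt)
    start = datetime(2010, 1, 1, 5, 30, tzinfo=gmt)
    end = datetime(2010, 1, 1, 17, 30, tzinfo=gmt)
    print("log entry recorded under:", logmart_bucket(entry))
    print("report covers:", effective_window(start, end))
    print("missing / extra:", coverage_drift(start, end))
    # A request shorter than an hour that crosses no hour boundary is empty.
    print("5:10-5:50 request:",
          effective_window(start.replace(minute=10), start.replace(minute=50)))
```

For the 5:30 AM to 5:30 PM request, the first 30 minutes of the requested range are absent from the report and 30 minutes after the requested end are included.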
Manage Reporting Memory
If a report query causes Client Console memory usage to exceed the threshold, then the report is rendered with partial data and the label (Sample Dataset) is added to the title page footer:
Report prepared for LogRhythm Inc. on 1/28/11 2:00 PM MST (GMT-07:00) (Sample Dataset)
The reporting memory can be set from 0-100%. When set to 100%, the behavior is identical to LogRhythm 6.0 memory management.
The amount of application memory available to the Client Console is different for 32-bit versus 64-bit systems because 32-bit systems can only access the first 1 GB of memory.
Maximum application memory:
- LogRhythm Client Console (32-bit) = 1 GB
- LogRhythm Client Console (64-bit) = installed physical memory
For example, if 8 GB RAM is installed and the reporting memory threshold is set to 50%, the following amount of memory is available:
- LogRhythm Client Console (32-bit) = 0.5 GB report memory threshold
- LogRhythm Client Console (64-bit) = 4.0 GB report memory threshold
To adjust these values, use the Report Center tab in My Preferences.
ARM and Job Manager Memory Allocation
The memory allocation can be distributed between the ARM and the Job Manager. In the ARM Advanced Properties settings, MaxServiceMemory has been replaced with two properties:
- MaxServiceMemory_ARM. Range 512-64000 MB; Default 2048 MB
- MaxServiceMemory_JobManager. Range 512-64000 MB; Default 2048 MB
Maximum Errors per Job Package
Reports can be run individually or in packages. If one or more individual reports are selected, Report Center bundles the reports into an ad hoc package. Errors can occur due to factors such as connections, permissions, and timeouts.
In the ARM Advanced Properties settings, the maximum number of errors per job package can be adjusted:
- SRE_MaxErrorsPerJobPackage. Range 1-100; Default 5
After the limit has been reached, the package is stopped.
In some large deployments, where scheduled reports are not finishing or are timing out, the following settings may be effective at preventing timeouts. First, stagger multiple scheduled report jobs so that one does not cancel out another when it executes, and ensure that their run times do not conflict with the LogRhythm nightly maintenance. By default, each report can take as much as 600 seconds to complete, and nightly maintenance begins at 1 AM every day.
Nightly database maintenance jobs may take hours to run.
For example, schedule your first report package to start execution at 3 AM, and allow more than 600 seconds (for each report within the package) before scheduling your second package. If your first package has six reports in it, your second report package should be scheduled to start 3600 seconds, or one hour, later.
If the above does not solve your problem, consider changing the following advanced properties on the Platform Manager, and recalculate the time needed between scheduled report package execution times:
- SRE_QueryCommandTimeout. Change to 1800 seconds.
- SRE_MaxErrorsPerJobPackage. Change from 3 to 1.
The SQL Server remote query timeout, which is 600 seconds or 10 minutes by default, is also taken into account. To view this setting, start SQL Server Management Studio, right-click the EMDB host in Object Explorer, and then click Properties. Click the Connections page, and the timeout value can be found under Remote server connections on the right.