7.13.0 GA Release Notes - 29 June 2023

Introducing LogRhythm SIEM 7.13! In this version, we significantly improved processing performance with the System Monitor JSON Engine and Data Processor Pooling. Brief explanations of the updates are grouped into the following sections:

Key highlights include:

Sections on maintenance and upgrades:

We’ve updated our LogRhythm SIEM Documentation. You can now select the documentation associated with a specific version (starting with 7.12.0). Click the version picker in the upper-right corner of the SIEM and Installations and Upgrades landing pages.

Analyst Experience

SecondLook in Web Console

Customers want to retain their data, and they need an easy way to find their older data. With LogRhythm 7.13, customers who use our self-hosted SIEM option now have access to SecondLook. After installing and configuring SecondLook, customers can query data and search through archives directly from the Web Console. Without having to pivot between the Web Console and Client Console, customers save valuable time. Using SecondLook also means searches are passed off to a dedicated service for a more reliable user experience.

Initiating a SecondLook search.

For installation and configuration details, see Install SecondLook API.

Automation

With new features come new REST API endpoints! LogRhythm 7.13 further extends the automation capabilities of the Admin API so that you can programmatically:

  • Configure, update, and retrieve System Monitor DP Pooling settings.

  • Configure, update, and retrieve System Monitor Load Balanced Group settings.

  • Configure, update, and retrieve log source Watch File Rename on Rollover settings.

For more details on all the available endpoints, see our REST API Documentation.

New to the API and wondering how to get started? Learn more on the Community!

Data Collection

Data Processor Pooling

Data Processor pooling makes it easy for administrators to distribute log volume across a pool of Data Processors and create well-balanced Data Indexer clusters. With DP pooling, administrators can quickly define DP pools and assign Agents to them. Agents then auto-distribute their logs across the DP pool. Administrators can also turn off DP pooling by switching an Agent to pinned mode.

System Monitor Agents are the workhorses that collect and ship data to Data Processors, but until now there was no good way to load balance these Agents across multiple Data Processors.

With version 7.13, LogRhythm introduces Data Processor Pooling, a new feature that lets administrators define a pool of one or more Data Processors so that a single Agent can send its data to the whole group. When an Agent is assigned to a DP pool, it spreads its logs across the pool's Data Processors. This removes the need to manually review Agent volumes and adjust which Data Processors each Agent sends to, saving you time.

Defining a Data Processor pool.

Assigning a Data Processor to a pool.

Assigning a System Monitor to a pool.

System Monitor JSON Engine

The 7.13 System Monitor is now embedded with a native JSON parsing engine. This significantly improves processing performance and removes the need to work with JQ query language. With the new architecture, Beats can be rerouted from the Open Collector parsing engine to the new parsing engine on the System Monitor. This simplifies sizing, deployment, and troubleshooting of the platform. For more information, see Configure Beats for JSON Parsing.

Enabling JSON parsing on a System Monitor Agent.

View System Monitor Agents in the Web Console

In the Web Console, global and restricted administrators now have an Agents option in the Administration menu.

On the Agents page, administrators can quickly check the status and health of System Monitors right in the Web Console. They can easily see a System Monitor's status and the timestamp of the last heartbeat received.

The Agents Grid shows a dynamic display of agents based on the access granted to the user.

Restricted administrators can only view the effective System Monitors defined in their user profile.

The Agents Grid helps administrators immediately identify problematic Agents with Last Heartbeat highlighting. In environments that contain thousands of Agents, admins can filter down to view just the Agents that matter. Filters include:

  • Name

  • Host

  • Entity

  • Type

  • Number of Log Sources

  • Version

  • Status

  • Data Processor

  • Last Heartbeat

Applying a filter on the Agents Grid.

Platform

Over time, operating systems become outdated and older versions fall out of support. With the release of 7.13, LogRhythm supports installation on Microsoft Server 2022, Microsoft SQL Server 2019, and Rocky Linux. For customers who prefer an open-source Linux distribution, Data Indexers and Open Collector support Rocky Linux 9 and RHEL 9. For customers with RHEL licenses, LogRhythm SIEM supports RHEL 9. For details, see the Component Operating System Support section in Review the Requirements for a New LogRhythm Deployment.

We’ve also added System Monitor support for Windows 2022, Windows 11, Rocky Linux 9, and RHEL 9. For details, see LogRhythm System Monitor Compatibility and Functionality.

Resolved Issues

Bug # | Component | Description
ENG-11205 (DE16679) | Active Directory | Active Directory syncs no longer fail when a user account has two usernames.
ENG-35407 | AI Engine | AI Engine rules no longer experience significant delays when firing in certain situations.
ENG-22876 (DE16824) | APIs | Changing the alarm status in the Case API no longer results in an error in certain situations.
ENG-11199 (DE16890) | APIs | Alarm Status update requests no longer fail in LRCloud deployments in certain situations.
ENG-23824 | Client Console | The Deployment Manager option is no longer shown to Restricted Analysts.
ENG-11160 (DE15875) | Client Console | LogMart maintenance now correctly reflects changes made to LogMart_TTL.
ENG-24715 | Client Console | SSL/TLS can now be enabled on the Platform Manager Properties tab to prevent SSL/TLS notification failure.
ENG-24954 | Client Console | The MaxMessageCount for a log source can now accept values up to 50,000.
ENG-11141 (DE14874) | Reporting | The Log Volume by Log Source report's Bytes/Packets and Sent/Rcvd filters now execute successfully.
ENG-31775 | SecondLook | The SecondLook API log no longer displays incorrect "Object reference" errors.
ENG-36167 | SecondLook | Saving a SecondLook configuration with a retired log source no longer fails.
ENG-34885 | SecondLook | SecondLook drill-downs and searches no longer give inaccurate results in certain situations due to local machine time zone discrepancies.
ENG-34260 | SecondLook | The SecondLook API no longer produces an incorrect "out of memory" error in certain situations when executing a search.
ENG-36544 | System Monitor | The AutoCorrectionMSEvtPosLogic flag is now OFF by default in the scsm.exe.config file to prevent unnecessary errors.
ENG-34772 | System Monitor | Starting a System Monitor agent in "unidirectional mode" no longer produces a socket error in certain situations.
ENG-22863 (DE14276) | Web Console | The Lucene filter now correctly filters time ranges.
ENG-11143 (DE15241) | Web Console | The Web Console no longer crashes in certain situations when attempting to search by log source.
ENG-11161 (DE15810) | Web Console | The time range filter now works correctly and populates widgets when applied to the trend chart.
ENG-11140 (DE14882) | Web Console | The User (Origin), User (Impacted), and User (Identity) fields on widgets now correctly show results when the widget or dashboard timeframe is changed.
ENG-11162 (DE16404) | Web Console | Location-based widget filters are now applied correctly.
ENG-11192 (DE16711) | Web Console | The Dashboard navigation bar no longer appears abnormally large in the Google Chrome browser.
ENG-23301 | Web Console | Web Console CSV exports of log investigations are no longer partially blank in certain situations.
ENG-25994 (DE11929) | Web Console | Web Console Dashboard drill-downs now correctly abide by set filters.
ENG-26562 | Web Console | CAC card authentication now correctly works for Web Console logins.
ENG-30099 | Web Console | Custom time ranges no longer fail to work correctly on Dashboard widgets in certain situations.
ENG-30493 | Web Console | The Web Console night mode cursor color has been changed so that it is visible at all times.
ENG-32795 | Web Console | The Web Console night mode Lucene filter box has been changed to match the rest of the night mode UI.

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view on the Community.

Known Issues

The following issues have each been found and reported by multiple users.

Bug # | Found In Version | Components (the description, expected results, and workaround follow each entry)

ENG-11165 (DE16414) | 7.9 | Client Console
Client Console search queries that include the Host IP Address criterion time out in large databases.
Expected Results: Log source searches should complete without performance issues.
Workaround: There is currently no workaround for this issue.

ENG-22882 (DE10768) | 7.4.9 | Common Components
In certain circumstances, the Data Processor runs slowly and the non-paged pool uses significant system memory. This can cause a large unprocessed logs queue or other backlog in the system.
Expected Results: The non-paged pool should not grow and cause system performance issues.
Workaround: Restart the LogRhythm API Gateway service.

ENG-11108 (DE12153) | 7.6.0 | Common Components
In some cases after a Data Indexer install, the Service Registry may not be able to communicate with the Platform Manager, causing alarms and errors in the Service Registry log.
Expected Results: Communication with the Platform Manager should be maintained after an install.
Workaround: Restart Service Registry on each node in the cluster after the installation is complete.

ENG-22881 (DE12218) | 7.6.0 | Data Indexer
The Transporter can fail to fully start after a restart at UTC midnight, causing indexing and performance issues. (This issue only impacts Linux clusters.)
Expected Results: The Transporter should continue to run after a restart signal is sent.
Workaround: Restart the Transporter service.

ENG-11175 (DE16040) | 7.6.0 | Data Indexer
Data is being indexed in lower case, ignoring the case of the original logs.
Expected Results: Data should be stored in the format in which it was sent.
Workaround: There is currently no workaround for this issue.

ENG-22862 (DE13480) | N/A | Data Indexer
Alarm drill-downs fail as a result of changes to daylight saving time in Chile. The failure is temporary and only lasts a few hours.
Expected Results: Searching should work.
Workaround: Either wait for the issue to pass on its own or manually adjust system clocks.

ENG-11150 (DE15289) | N/A | Infrastructure
Weekday maintenance is taking much longer than expected.
Expected Results: The weekday maintenance task should complete in a reasonable amount of time.
Workaround: There is currently no workaround for this issue.

ENG-11173 (DE15601) | 7.9.0 | Installation Components
DR SQL transaction logs are filling the L: drive when they cannot sync to secondary nodes.
Expected Results: Transaction logs should be truncated by frequent scheduled backups throughout the day.
Workaround: There is currently no workaround for this issue.

ENG-11142 (DE15089) | 7.9.0 | Metrics Collection
Telemetry metrics parsing errors from Datadog are present in the metrics collection file.
Expected Results: Datadog's telemetry metrics parsing errors should not be present in the metrics collection file.
Workaround: There is currently no workaround for this issue.
