7.7.0 GA Release Notes
New Features
| Functional Group | Feature | Description |
|---|---|---|
| Platform Administration | Alarm API | Explanation: A newly developed RESTful Alarm API enables users to add alarm functionality to their LogRhythm deployment at parity with the capabilities of the existing SOAP API. Benefit: The Alarm API can be used in third-party integration, allowing customers to extend the LogRhythm solution or integrate it with other systems. It also brings LogRhythm closer to full deprecation of the complex SOAP API for Alarm Service. For more information, see Deprecated Features. |
| Platform Administration | Configure Cloud Log Source in Web Console | Explanation: Cloud log collection enables users to create, configure, and manage Beat Log Sources and Sysmon Log Sources through a user interface in the Web Console. Benefit: Instead of having to configure log sources through the Console or command line interface, users can now configure log sources through a GUI using a list of available log sources. |
| Security Analytics | Timeline View | Explanation: From the Inspector, users can now launch a search on a single user or host and land on a details page that displays the search results in the new Timeline widget. Benefit: The timeline widget is a chronological way to "tell a story" about the user or host activity, including a contextualized sentence helping explain the log activity in plain English. |
Improvements
- Numerous third-party libraries have been updated to mitigate the risk of security vulnerabilities manifesting in LogRhythm 7.7.0. For more information, see Open Source License Acknowledgements.
- Updates to the Admin API provide access to Notification Groups at the user profile level. New Users and Notification endpoints are now available in the Admin API.
If a SysMon Agent is licensed as a Collection Agent, then EDR features are now disabled. This gives users control over use of the EDR feature for a license user.
- The DB upgrade process now includes a measure to validate that a user trying to upgrade LogRhythm has a valid license file for the target version, and provides a warning/error that a new license is required before proceeding.
Deprecated Features
LogRhythm is deprecating the SOAP API in favor of more usable and sustainable integration through RESTful APIs. Starting with the release of LogRhythm SIEM version 7.7.0, development work will cease on the SOAP API. We will still publish the SOAP API installer, and existing integrations will continue to function. LogRhythm 7.8.0 (expected Q2 2021) will be the last published version of the SOAP API. We encourage customers and partners using the SOAP API to migrate their integrations to REST APIs. For more information on REST integration, see our REST API documentation.
Resolved Issues
| Bug # | Ticket # | Component | Description | |
|---|---|---|---|---|
| DE1975 | 322187, 370669, 00403498 | Mediator | Special characters such as (') are no longer allowed in the LicensedTo field during license generation, allowing Mediator service to start without error. | |
| DE10612 | 3680676 | Mediator | Missing Messaging Performance Counters or corruption to counters no longer prevents Mediator from starting up. | |
| DE10883 | 382311 | Databases | Sub-rule field mapping tags have been removed from the MPERule table. | |
| DE11024 | 381875, 396764, 397660 | Job Manager | Active Directory sync now validates when using secure LDAP. | |
| DE11029 | N/A | Job Manager | Log source virtualization templates are now imported by automatic KB sync. | |
| DE11106 | 390438 | API Gateway | LogRhythm API Gateway now uses strong ciphers. | |
| DE11134 | 392559 | Data Indexer | The Carpenter service can now connect to SQL in non-FIPS mode. | |
| DE11159 | 391799 | Job Manager | Having two user accounts with same first and last name in an AD group now logs a descriptive error and does not prevent AD sync from completing. | |
| DE11227 | 00393721 | Mediator | LDS no longer stops forwarding when Log Source lists are updated. | |
| DE11299 | 00406368, 409590, 00411655 | Windows Agent | SNMP Trap Receiver configuration encryption in scsm.ini has been fixed. | |
| DE11425 | 00398689 | Mediator | The Admin API Get Identity Identifiers now supports pagination in API responses. | |
| DE11516 | 00399571, 00400795 | Mediator | The LDS secure TCP option in the Network Protocol dropdown of the Syslog Receiver Properties is now working properly. | |
| DE11688 | 401385, 403686 | User Profile Manager | Restricted Analysts/Admins can now see TrueIdentity data. | |
| DE11713 | N/A | Documentation | Data Indexer upgrade guidance with regard to preinstall.sh has been updated and clarified. | |
| DE11722 | 00403700, 00404093, 00403994, 00405766, 00412702 | Web Console | The Host Details page was improperly displaying in 7.6.0, and is now displaying properly. | |
| DE11732 | 00403549, 00405700, 00405755, 00403914, 00404814, 00405027 | Data Indexer | Elasticsearch upgrades for Data Indexer can now continue even when an environment variable is deleted. | |
| DE11748 | 00404491, 00403989 | Data Indexer | Data Indexer upgrade no longer throws a LRDXNode Installer Warm Node Insufficient Resources error. | |
| DE11777 | 404694 | Documentation | 7.6.0 XM DR installation documentation no longer lists duplicate cluster names. | |
| DE11786 | 404217, 400347, 404360, 409515 | Job Manager | The Job Manager now retries three times if there is an error during AD group member lookup. After three failures, Job Manager skips that group. | |
| DE11850 | 403762, 405412, 404759, 409733 | Job Manager | Renaming an Active Directory group being used in AD Group-based authorization is now caught and logged as a warning during the group-based authorization sync. | |
| DE11873 | 405774, 406288 | Mediator | An error in TrueIdentity sync on large data sets no longer causes MPE to stop processing. | |
| DE11895 | 00406862 | CloudAI | CloudAI data is now accessible in Web Console with SSO login. | |
| DE11925 | 00406944 | Web Console | SSO timeout no longer occurs when multifactor authentication is enabled and the user authenticates with SSO. | |
| DE11995 | 408293 | Data Indexer | Elasticsearch startup has been modified to prevent Elasticsearch from starting when Windows Service Registry is not available. | |
| DE12067 | 00408347 | Data Indexer | Transporter now fully starts after automatic restart at five minutes past midnight UTC. | |
| DE12068 | 405081 | Log Sources | Client Console no longer freezes filtering log sources on the Log Source tab. | |
| DE12105 | 409558 | Data Indexer | The migrate-consul-keyspace.ps1 script has been signed. | |
| DE12123 | 406612 | Admin API | Admin API GET /identities/ no longer returns duplicate identities. | |
| DE12124 | N/A | Data Indexer | Elasticsearch startup has been modified to prevent Elasticsearch from starting when Service Registry is not available. | |
| DE12183 | 00407818 | Web Console | JRE (java) files have been excluded from the hashed files list to allow users to apply security patches. | |
| DE12191 | 00410813 | Admin API | Admin API's Create Agent Record action now works properly. | |
Known Issues
The following issues have each been found and reported by multiple users.
| Bug # | Found in Version | Component | Description | Release Notes |
|---|---|---|---|---|
| DE1288 | 7.4.6 | AI Engine | When an AIE Rule uses the Host (Impacted) or Host (Origin) in the Group By block, the rule misfires. | Expected Results: AIE Rules should not fire if the rule block relationship is not met. Workaround: Change the Host (origin) or Host (impacted) fields to IP Address, and the AIE Rule works as expected. |
| DE1336 | 7.4.6 | AI Engine | In certain circumstances, the AIE Summary Fields are not populating in the AIE Notification emails. | Expected Results: AIE Summary Fields should be displayed on all AIE Notification emails. Workaround: View the AIE Summary Fields in the Alarm instead of the Notification email. |
| DE1606 | 7.3.5 | AI Engine | When an AIE Rule with two rule blocks has an evaluation period of 0 seconds, the rule does not trigger as expected. | Expected Results: AIE Rule Blocks should fire when they are triggered at the same time. Workaround: As the behavior of simultaneous events is unpredictable and the use case for a 0-time interval is rare, LogRhythm does not plan to change this behavior at this time. To avoid the issue, set the evaluation period to 1 second. |
| DE1759 | 7.3.4 | AI Engine | Errors are being reported numerous times in the AIE Engine log when the AIE service starts up. | Expected Results: These errors should not be reported in the AIE Engine log, but AIE is working and alarms are firing. Workaround: There is currently no workaround for this issue. |
| DE1871 | 7.3.3 | AI Engine | Under conditions of load, AI Engine Rules that are written incorrectly can cause significant issues throughout the entire AIE server. | Expected Results: Poorly written AIE Rules should be suspended until they are altered and re-enabled. Workaround: Rewrite the AIE Rule for better performance. Often, this involves adding filters, reducing log sources, and modifying the logic. Tuning an AIE Rule requires expertise, so contact LogRhythm Training, Professional Services, or a Sales Engineer to assist if necessary. Additional solutions to identify and monitor poorly performing rules are being developed for a future release. |
| DE10313 | 7.4.9 | AI Engine | In rare circumstances, AIE Unique Value Rules misfire. | Expected Results: AIE Rules fire as expected. Workaround: There is no workaround at this time. LogRhythm is actively investigating the issue for a future release. |
| DE10397 | 7.4.8 | AI Engine | In certain circumstances, when an AIE Rule is evaluating an Observed block followed by a Not Observed block, alarms fire even if there are logs that indicate the second block was Observed. | Expected Results: Alarms do not fire if a log is received for a Not Observed block. Workaround: There is no workaround at this time. LogRhythm is investigating this issue for a future release. |
| DE10501 | 7.4.7 | AI Engine: Host Interference | The HostInferenceLogs are not being maintained/purged out after 7 days as defined. | Expected Results: These logs should be automatically purged after 7 days as defined. Workaround: Sort by log date and delete all older logs. |
| DE10946 | 7.4.9 | AI Engine, SmartResponse Plugin | When an AIE Alarm has an action including a SmartResponse Plugin, the execution is slow. | Expected Results: Alarms should execute quickly as expected with other AIE Alarms. Workaround: There is currently no workaround for this issue. |
| DE11098 | 7.4.9, 7.4.10 | ARM: Notifications | When using a SMTP server with SSL authentication, the Alarming and Response Manager fails to send alarm notifications. | Expected Results: The Alarming and Response Manager should able to send alarm notifications using any SMTP server and SSL authentication. Workaround: There is currently no workaround for this issue. |
| DE6072 | 7.3.4 | APIs | When using a 512-bit RSA-signed certificate, Case API and Admin API do not start due to an incomplete implementation of TLS 1.2. This typically happens when a GPO pushes the certificate to the server. | Expected Results: Case API and Admin API should start when using any size certificate. Workaround: Remove the server from the domain and reboot it. Verify that the 512-bit certificate has been removed, re-run the installers, and reboot. To avoid this issue, do not join the domain again or the certificate will be pushed out again. In addition, create a new certificate that uses a 384-bit (or less) hash or exclude the impacted system from the GPO that pushes the certificate. |
| DE10200 | 7.4.9 | APIs | PowerShell scripts utilizing the Case and Admin APIs may stop working upon upgrade to 7.4.9 or later. This is due to an additional semicolon at the end of the valid content-type value. | Expected Results: The extra semicolon, which is an optional valid separator in a content-type header, should not prevent scripts from working upon upgrade. Workaround: There is no workaround for this issue at this time. A solution is being investigated for a future release. |
| DE1829 | 7.3.3 | Client Console | There may be inconsistencies in the way a log parses through MPE processing and within the MPE Rule Builder. A log that parses without issue in the Rule Builder may not parse when run through MPE processing. This could be caused by rule match timeouts. | Expected Results: The processing of a log should be the same whether it is parsed in Rule Builder or MPE. Workaround: Change the sub-rule to use a different tag, such as <Tag1>. If you are experiencing this issue, ensure that you are not using a custom Log Processing Policy and that there are no MPE timeouts. If issues persist, contact Technical Support and reference this bug number (DE1829) or its sister defect (DE1651). |
| DE3195 | 7.3.4 | Client Console | When running a search in either the Client or Web Console, users see an error: ""Error fetching data - Gateway timeout."" | Expected Results: When a search times out, a message should inform users and instruct them to re-run the search with a longer timeout. Workaround: Increase the timeout on the query and re-run it. |
| DE3932 | 7.4.7 | Client Console | After disabling Log Source Virtualization for a log source, users are unable to perform certain tasks on the System Monitor from which the log source is collected. | Expected Results: Disabling Log Source Virtualization should not change the behavior of the System Monitor. Workaround: This issue is caused by the scsm.ini file not being updated immediately. To work around it, refresh the Log Sources tab in the Client Console to force the .ini file to refresh. |
| DE4049 | 7.4.6 | Client Console | When running a report that contains User Origin Identity or User Impacted Identity fields, the report runs and provides data, but the Identity fields are not populated. | Expected Results: Identity data appears in reports that contain those fields. Workaround: Run an investigation to provide the same information. |
| DE5185 | 7.3.4 | Client Console | The Network (Impacted) field does not display on reports where it is included as a column, even though data appears in that field. | Expected Results: All chosen fields should appear on the report if they contain data. Workaround: Running the report as an investigation yields the expected results in the Network (Impacted) column. LogRhythm is actively working on a solution to this issue in a future release. |
| DE7612 | 7.1.7 | Client Console | Reports exported to .csv format are not formatted correctly. The headers are duplicated in each row as name/value pairs. | Expected Results: When exporting reports in .csv format, the column headers should not be repeated on each row. Workaround: The report needs to be formatted to remove columns that show the column headers. In addition, LogRhythm data can be exported using Log Distribution Services (LDS). |
| DE7632 | 7.1.3 | Client Console | Entities cannot be deleted from within the Client Console. | Expected Results: Entities should be retireable and able to be hidden from view. Workaround: Contact Technical Support to assist you in removing entities that are no longer needed. |
| DE10621 | 7.4.9 | Client Console | When an existing report template that includes the Normal Date field is edited, the Normal Date field disappears from the template until it is added again. | Expected Results: When editing a report template, existing fields should remain unless they are explicitly removed. Workaround: When editing a report template that contains the Normal Date field, add that field back to the template prior to saving it. |
| DE10678 | 7.4.8 | Client Console: Report Center | The Configuration Manager may display an error "Cannot connect to LogRhythm API Gateway" when it first loads. In addition, it may show all services are down when they appear to be healthy otherwise. | Expected Results: The Configuration Manager should load immediately and show the services in the correct state. Workaround: The Configuration Manager will eventually load if given a little time. When the services show down, a refresh of the Configuration Manager should show them correctly. We are working on a resolution to this issue. |
| DE3385 | 7.3.2 | Data Indexer | The DX Diagnostic logs are firing too often. | Expected Results: The Diagnostic logs should be tuned to alarm less frequently. Workaround: There is no workaround for this issue at this time. |
| DE1737 | 7.4.9 | Installation Components | In rare circumstances, Alarms may not be available in the Web Console or will stop triggering. Typically, this occurs directly after a configuration change to the ARM service. | Expected Results: Alarms should continue to trigger and be displayed in the Web Console. Workaround: Contact Technical Support for assistance, as there could be many reasons for this behavior beyond this defect. Support will help determine the root cause. |
| DE10569 | 7.4.10 | Installation Components | In certain circumstances, when the Platform Manager reboots, the Data Processor and Data Indexer are not able to connect to consul and logs may not be indexed. | Expected Results: The Data Processor and Data Indexer connect to Service Registry after a reboot of the Platform Manager. Workaround: Manually restart the API Gateway and Service Registry services on the Data Indexer and Data Processor after a reboot of the Platform Manager. |
| DE10768 | 7.4.9 | Installation Components | In certain circumstances, the Data Processor runs slowly and the ""non-paged pool"" uses significant system memory. This can cause a large unprocessed logs queue or other backlog in the system. | Expected Results: The "non-paged pool" should not increase and cause system performance issues. Workaround: Restart the LogRhythm API Gateway service. |
| DE11015 | 7.4.10 | Installation Components | SQL Database autogrowth settings are too small, causing fragmentation and performance issues. | Expected Results: Autogrowth increases in larger increments so it does not cause fragmentation. Workaround: Set the autogrowth settings to the following:
|
| DE260 | 7.4.7 | Installation Components, Job Manager | In certain circumstances, customers may receive an alarm for a missed heartbeat on the AI Engine. This can stem from a deadlock on resources in SQL. | Expected Results: SQL deadlock issues should not cause a missed heartbeat. Workaround: While there is no known workaround, this issue is being actively investigated for a solution. |
| DE9367 | 7.4.7 | Installation Components, Job Manager | SQL Server deadlocks causing missed heartbeats on AI Engine. | Expected Results: Deadlocks should not cause a missed heartbeat alarm. Workaround: While there is no workaround for this issue, LogRhythm is investigating a solution. |
| DE1750 | 7.4.6 | Installation Components, Web Console | In certain circumstances, the Web Console may show a 500 Error page. Typically, this occurs overnight when new service tokens are created for authentication. | Expected Results: Authentication services for Web Console should not be interrupted by the change to the new tokens. Workaround: Restarting the LogRhythm Authentication API on the Platform Manager mitigates this issue until the next time it occurs. |
| DE1013 | 7.4.7 | Job Manager | Reports are not completing when a large set of data is required. This is due to a limitation within Crystal Reports. | Expected Results: The Client Console should provide an alternate way to retrieve the data if Crystal Reports is not able to render it. Workaround: Decrease the amount of data the report is trying to retrieve or export the data instead. |
| DE9995 | 7.4.6 | Job Manager: Scheduled Reporting | Scheduled reports are sent to a disabled account if an email is attached to the disabled account. | Expected Results: Scheduled reports should not be sent to disabled accounts. Workaround: There is currently no workaround for this issue. |
| DE11097 | 7.4.9, 7.4.10 | Job Manager: Scheduled Reporting | When using Gmail SMTP with SSL authentication, the Job Manager fails to send scheduled reports. | Expected Results: The Job Manager should able to send scheduled reports using any SMTP server and SSL authentication. Workaround: There is currently no workaround for this issue. |
| DE1879 | 2.4 | LogRhythm Diagnostics | The LogRhythm Diagnostics Report shows the last backup information incorrectly. | Expected Results: The report should show the accurate last backup time for each database. Workaround: Review the backup information in SQL Server Management Studio. |
| DE1113 | 7.2.5 | Mediator | When the Mediator does agent license enumeration and cache refresh it stops sending heartbeats for few minutes. | Expected Results: Cache refresh and License enumeration does not interfere with the heartbeat. We should send heartbeat packets at the required interval. Workaround: There is currently no workaround for this issue. |
| DE1640 | 7.3.5 | Mediator | The AIE Data Provider service does not start up correctly unless the Mediator service is also stopped and restarted. Because logging is inconsistent, users may not know that the service has failed to start properly. | Expected Results: The AIE Data Provider service should start consistently and as expected. Failures should be consistently logged to alert when the service did not start correctly. Workaround: Restart the Mediator service to allow the AIE Data Provider service to start. A more permanent solution to this issue is being evaluated for a future release. |
| DE1968 | 7.2.5 | Mediator | Processing of Archive .bin files is sometimes delayed during heavy load and can back up at the Mediator, filling the hard drive. | Expected Results: Archives should process, seal, and move out of the Unprocessed Archives folder as long as the processing rate is at or below the system specification. Workaround: Evaluate system sizing and consider an expansion to meet active load demands. In some systems, increasing the ArchiveSize setting in the Data Processor Advanced Properties to 51200 (from the default value of 10240) can help process archive files faster. If necessary, move large files out of the Unprocessed Archives folder to another drive and slowly feed them back in when the system is successfully processing the live data. A more permanent solution to this issue will be provided in a future release. |
| DE39 | 7.4.5 | TrueIdentity Sync Client | The TrueIdentity Sync may fail if attempting to run with a large number of users (greater than approximately 10,000). | Expected Results: The TrueIdentity Sync Client should work for any number of users. Workaround: While there is no workaround for this issue, the next release of the Sync Client will be able to support larger AD environments. |
| DE5312 | 7.4.3 | TrueIdentity Sync Client | The OU/DC filter in the TrueIdentity Sync Client does not allow white space. | Expected Results: White space should be allowed in the OU/DC filter. Workaround: While there is no workaround for this issue, LogRhythm is investigating a resolution for a future release. |
| DE514 | 7.4.3 | Web Console | When viewing TrueIdentity records in the Web Console, 1,000 records are shown at once. Scrolling past that initial 1,000 records produces the error message: ""Failed to fetch Identities: Bad Request."" | Expected Results: Users should be able to scroll through all TrueIdentity records in the Web Console. Workaround: Using filters to find specific data in the TrueIdentity page prevents the error message from showing and helps find data more quickly. LogRhythm is working on a resolution for a future release. |
| DE1198 | 7.4.6 | Web Console | When downloading large NetMon PCAPs from the Web Console, there may be delays to the initial download, increased memory usage, or timeouts. | Expected Results: The Web Console should not time out when downloading large PCAP files. Workaround: Change the time out setting in the Configuration Manager. |
| DE1238 | 7.4.2 | Web Console | When copying a Top X widget to another dashboard, all configuration is lost after saving and refreshing the target dashboard. | Expected Results: When copying widgets, all settings should remain. Workaround: Users can add a new widget to the dashboard and configure it manually to work around this issue. This issue is still being actively investigated and will be resolved in a future release. |
| DE1334 | 7.3.3 | Web Console | Customers who have integrated NetMon into the Web Console may encounter a condition where the PCAP has aged out, but the user interface indicates that it is still available. Attempting to download the PCAP results in an ""unclassified failure"" message. | Expected Results: When users try to download a PCAP that is no longer available on disk, the error message should provide that detail instead of an unclassified failure. Workaround: The error message will be changed in a future release. There are two simple troubleshooting steps to identify if the PCAP exists or if other issues are occurring in the integration: Log in to NetMon directly and verify if the selected PCAP has already aged out or should be available on disk. Recreate the API key for the selected NetMon and update the NetMon configuration in the Deployment Manager. |
| DE7263 | 7.4.2 | Web Console | When exporting the results of an Investigation to .csv from the Web Console Analyzer Grid, the date values in the first and last rows are exported as UNIX-formatted large integers rather than simple dates. | Expected Results: All data contained in the .csv export should be valid and match the data displayed in the Web Console. Workaround: Export the same investigation from the Client Console or manually adjust the first and last date post export. LogRhythm is investigating a solution to this issue. |
| DE10403 | 7.4.9 | Web Console | The Web Console Current Processing Rate widget does not showing the correct rate. It does not include messages older than 3 minutes in the rate determined. | Expected Results: The Current Processing Rate widget shows all logs being processed. Workaround: Resolve any log source issues that are causing old logs to be ingested, or use Grafana or Performance Counters to check the current processing rate. |
| DE10442 | 7.4.9 | Web Console | When viewing NetMon logs in the Web Console using Internet Explorer, the Download PCAP button does not appear. | Expected Results: The Download PCAP button appears when reviewing NetMon logs. Workaround: Reload the frame with the Download PCAP button to activate it. |
| DE11101 | 7.4.10 | SmartResponse Plugin | In certain circumstances, a SmartResponse action may fail to execute with an error: "No System Monitor Associated with execution target." | Expected Results: The SmartResponse Plugin should execute after selecting the System Monitor Agent. Workaround: There is currently no workaround for this issue. |
| DE11398 | 7.5.1 | Web Console: Other | When running a Vulnerability Scanner, you may see an issue stating "HSTS is missing from the HTTPS Server." | Expected Results: The remote web server should be enforcing HSTS. Workaround: Configure the remote web server to use HSTS. |
| DE11463 | 7.6.0 | Web Console | When the browser window is zoomed out, the Node-Link Graph on the Web Console dashboards may display an error: "Failed to establish logs subscription with the Web Console API." This is not related to the zoom functionality within the Node-Link Graph itself. | Expected Results: The Node-Link Graph should function regardless of the browser zoom level. Workaround: Return the browser to 100% zoom and refresh the Web Console. |
| DE11123 | 7.4.9 | Web Console | Occasionally in multiple Web Console environments, AIE Drilldown does not export results or show data in the filters. | Expected Results: Drilldowns should always allow export of results and filters should always have data. Workaround: Use the Client Console to drill down and export results. |
| DE11124 | 7.4.9, 7.5.0 | Web Console | When SSL Port In Redirects is set to Exclude in the Web Console configuration, links in Alarm and Case notification emails do not work. | Expected Results: The links sent in Case and Alarm notification emails should redirect to port 443 instead of 8443, as they are coming from an external location. Workaround: Open the Web Console and manually find the Alarm or Case to review. |
| DE11316 | 7.4.10 | Job Manager | Scheduled reports that do not complete within an hour return only partial results without indication of additional results available. | Expected Results: The Job Manager should generate a message stating that the results were not complete and the report should indicate partial results. Workaround: There is currently no workaround for this issue. |
| DE11663 | 7.6.0 | Web Console | When clicking Case Evidence logs from the Case page, the Analyze window shows a Custom Filter that prevents the logs from displaying. | Expected Results: Clicking Case Evidence logs should open an Analyze page showing the logs selected. Workaround: To show the logs, click the X next to the Custom Filter. |
| DE11710 | 7.4.8 | Admin API | If FIPS and Integrated Security are enabled in a Disaster Recovery (DR) environment, the Admin API errors during startup because of a failure to connect to SQL during failover. | Expected Results: The Admin API should connect to SQL during failover. Workaround: Manually change the Global IP to the Management IP. This may need to be done after each upgrade. |
| DE11733 | 7.6.0 | Installation Components | When running the LogRhythm Infrastructure Installer (LRII), you may receive the error: "No plan file found in LogRhythm Service Registry KV store." This is caused by the plan file not fully updating into the Consul KV store, and only happens in certain environments. | Expected Results: LRII should be able to run multiple times without affecting the plan file. Workaround: For assistance with this issue, contact LogRhythm Technical Support. |
| DE11765 | 7.5.1 | Data Indexer | In certain circumstances, Elasticsearch uses more memory than the set limit, causing performance issues on the server. | Expected Results: Elasticsearch should abide by the memory limit that is set. Workaround: For a workaround, contact LogRhythm Technical Support. |
| DE11775 | 7.6.0 | Data Indexer | Searches and drilldowns using Location lists do not return results. | Expected Results: Search results should return if using a Location list. Workaround: Clone the original rule and replace the Location list with manual entries for the countries in Location (Origin). |
| DE11792 | 7.5.0 | Job Manager | After the Active Directory Sync, some Active Directory users may be disabled. | Expected Results: Only users who are disabled in Active Directory should be disabled within LogRhythm. Workaround: Manually re-enable users by logging in to the Console as a Global Administrator or LogRhythm Admin user. |
| DE11929 | 7.6.0 | Web Console | When using a Direction filter in the Web Console dashboard and drilling into any of the TopX widgets, the data shown in the Analyzer Grid contains logs that do not match the dashboard filter. | Expected Results: Drilling into data on a dashboard should not change the dashboard filter criteria. Workaround: Reapply the dashboard filter. |
| DE11934 | 7.6.0 | Data Indexer | In certain circumstances, customers with warm node indices may experience failed searches against those indices. This is due to Columbo being unable to close certain warm indices. | Expected Results: Columbo should handle the warm node indices correctly and allow searches. Workaround: For assistance with this workaround, contact LogRhythm Technical Support. |
| DE12188 | 7.6.0 | LR Metrics | When viewing the Metrics dashboard in Grafana, the Memory Used Percentage widget in the LR Metrics - Deployment View dashboard shows incorrect results for timeframes greater than three hours. | Expected Results: The aggregator in the widget query should use an average calculation instead of a sum calculation. Workaround: For assistance with this workaround, see this knowledge article on the LogRhythm Community. |
| DE6244 | 7.4.5 | Alarms | In certain circumstances, an Alarm does not associate with a SmartResponse Plugin and does not run the SmartResponse Plugin. | Expected Results: The SmartResponse Plugin should be triggered by any Alarm meeting the criteria. Workaround: There is currently no workaround for this issue. |