Alarming, Reporting, and Response Manager Services
The Alarming and Reporting Manager (ARM) service is a component of the Platform Manager and is responsible for the processing and delivery of all alerts and alarms. The ARM service runs as a Windows service named LogRhythm Alarming and Manager.
SMTP Server Failover
The SMTP Server IP Addresses are located in the Platform Manager Properties. They are used to send email notifications. You can specify a primary, secondary, and tertiary server to allow for failover.
Three attempts are made to send each email notification to the IP Address(es) specified.
- If one SMTP server is specified, that same server is tried 3 times.
- If two SMTP servers are specified, the first is tried, then the second, then the first again.
- If three SMTP servers are specified, each is tried once.
If an Email From address is not specified, the Alarming and Reporting Engine is disabled.
Whether delivery succeeds or not, a record of every notification is written to the nfns.log file in the ARM logs folder on the server.
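The failover order and the per-attempt record described above, as an added Python simulation that is not LogRhythm's own code. The deliver callback, the log line format, and the handling of a missing Email From address are assumptions for illustration:

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

MAX_ATTEMPTS = 3  # the ARM makes three delivery attempts per notification


def attempt_sequence(servers: List[str]) -> List[str]:
    """Order in which the configured SMTP servers are tried for one notification.

    One server    -> [a, a, a]
    Two servers   -> [a, b, a]
    Three servers -> [a, b, c]
    """
    if not servers:
        return []
    return [servers[i % len(servers)] for i in range(MAX_ATTEMPTS)]


@dataclass
class NotificationLog:
    """Constructed stand-in for the nfns.log record; the line format is assumed."""
    entries: List[str] = field(default_factory=list)

    def record(self, server: str, outcome: str) -> None:
        self.entries.append(f"smtp={server} result={outcome}")


def send_notification(from_addr: Optional[str], servers: List[str],
                      deliver: Callable[[str], bool],
                      log: NotificationLog) -> bool:
    """Try servers in failover order, stopping at the first accepted delivery.

    `deliver` is an assumed callback that returns True when a server accepts
    the message. Every attempt, successful or not, is recorded in `log`.
    """
    if not from_addr:
        # Assumption: with no Email From address the engine is disabled,
        # so no delivery attempt is made and nothing is recorded.
        return False
    for server in attempt_sequence(servers):
        if deliver(server):
            log.record(server, "sent")
            return True
        log.record(server, "failed")
    return False
```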
State
To ensure events aren't processed more than once, the ARM keeps a record of which events have already been processed. This information is maintained in a state file located in the state directory where the ARM was installed (...LogRhythm\LogRhythm Alarming and Response Manager\state).
The file is named ARMState.pos. If the state file is removed, the next time the ARM is started, all events are reprocessed.
Logging
The ARM logs data to C:\Program Files\LogRhythm\LogRhythm Alarming and Response Manager\logs\scarm.log. When initially configuring and installing the ARM, a LogLevel of Info or Verbose provides detailed information on ARM performance that is useful in confirming the system is functioning properly. After the ARM is configured and operating properly, we recommend you set the LogLevel to Error or Warning.
The LogLevel can be set from the Modify Platform Manager Basic Properties dialog box.
McAfee ePO
LogRhythm's Alarming and Response Manager (ARM) allows you to customize alarm rules that are triggered by identified events, and then send out alarm notifications via email and SNMP traps. LogRhythm can also forward alarm notifications to McAfee ePolicy Orchestrator (version 3.6, 4.0, 4.5, 5.0, 5.1, or 5.3), where they appear in the Console's Event Log interface. An ePO Administrator or Reviewer can view, filter, sort, and export these events and summarize them in custom charts, tables, and ePO dashboards. LogRhythm's ePO notification events are securely transmitted from the LogRhythm Platform Manager server to the ePO server by the McAfee Agent.
LogRhythm Alarm Event Data in the ePolicy Orchestrator Event Log (May Vary by Version)
| ePO Event Log Column | LogRhythm Alarm Event Data |
|---|---|
| Detecting Program | “LogRhythm” |
| Detected UTC | Alarm Date |
| Event ID | “200000” |
| Threat Source Host Name | Source Host name |
| Threat Source IPv4 Address | Source IP Address |
| Threat Source Login Name | Login |
| Target Host Name | Destination Host name |
| Target IPv4 | Destination IP Address |
| Target Port | Destination Port |
| Target User Name | Login |
| Target Process Name | Process |
| Target File Name | Object |
| Network Protocol | Protocol |
| Source URL | URL |
| Threat Category | “ops.detect” |
| Threat Type | “Audit”, “Operations”, “Security” or “Unknown” |
| Threat Name | Triggered Alarm Rule Name |
| Threat Severity | LogRhythm alarm priority, a range of 0 to 100, mapped to one of ePO’s eight Severity levels (Information, Debug, Warning, etc.). LogRhythm alarm priority is partially based on risk values assigned to the host referenced in the triggering events. |
| Threat Handled | LogRhythm always reports the alarm event, but never blocks the reported action |