Client Console Administrator Guide
Administrators are tasked with performing setup, troubleshooting, and general care and maintenance of the LogRhythm system. Administrators set up Log Sources, User Access, Reporting, and advanced system settings. Administrators also work with Analysts to ensure that Advanced Intelligence Engine rules are created and tuned for optimal use.
| Section | Description |
| --- | --- |
| Advanced Intelligence Engine | LogRhythm AI Engine detects conditions in your deployment that occur over multiple data sources and time ranges. AI Engine provides real-time visibility into risks, threats, and critical operations issues. |
| Alarm Rules | The Alarming and Response Manager (ARM) evaluates system and user-defined alarm rules to determine whether an Event should incur an alarm. |
| Automatic Host Contextualization | LogRhythm contextualizes a host or service automatically to improve the aggregation of log data for unique IP and port combinations. Based on the port values, LogRhythm can infer the relationship of the two hosts if a log contains parsed values for the following fields: SIP/SName, DIP/DName, Source Port (SPort), Destination Port (DPort). |
| Data Archives and Restoration | The LogRhythm Mediator Server service is responsible for archiving specified log data from active indexes to the LogRhythm Archives. When you need access to archived logs, the Archive Restoration Wizard allows you to import them into a special archives index. |
| Data Indexer | The Data Indexer (Indexer) provides persistence and search capabilities, as well as high-performance, distributed, and highly scalable indexing of machine and forensic data. |
| Data Processor | The Data Processor's Mediator Server service handles communications with LogRhythm Agents. The Mediator is also responsible for processing logs against the Knowledge Base and sending processed log messages to the Data Indexer. The Data Processor contains a log processing engine known as the Message Processing Engine (MPE). |
| Deployment Health | LogRhythm provides configuration and tuning to ensure your solution starts off at an optimal configuration for your log processing needs. The health and maintenance of your LogRhythm solution is crucial for its optimal performance. |
| Deployment Manager | LogRhythm administrators use the Deployment Manager to configure and manage LogRhythm components and functionality. |
| Deployment Security | This section provides information about some of the security features in LogRhythm, including passwords and password encryption, support for Public Key Infrastructure (PKI), users and security roles, and user security permissions. |
| Endpoint Monitoring | Endpoint Monitoring is a client/server information security (IS) methodology used to audit log files generated by endpoint devices, such as laptops, smartphones, and routers. Endpoint monitoring collects the generated log files and sends them to the Data Processor for analysis. If unusual behavior is detected, an alarm is generated. |
| Entities | An Entity represents a physical location where LogRhythm is deployed. It is used to organize the deployment and contain network and host records and LogRhythm components. |
| Global Log Processing Rules | Global Log Processing Rules (GLPR) provide a way to override settings defined in Classification Based Data Management (CBDM) or Standard Data Management modes. A GLPR provides a way to apply Data Management settings across all Data Processors, Log Sources, and Log Processing Policies to logs that meet your specific criteria. |
| Host Records | Host records identify and assign useful information—such as purpose of the system, any known issues, and key contacts—to important systems in your network. |
| Knowledge Base | The Knowledge Base (KB) consists of a Core Base Module and individual KB modules. The KB Core Base Module must be installed and updated on all deployments, and each module must be updated to meet the organization's needs. |
| Log Distribution Services | Log Distribution Services (LDS) allow you to forward specified syslog and non-syslog log messages to an external syslog receiver over TCP or UDP in a format and configuration that best meets your needs. |
| Log Processing Policies | Log Processing Policies, or Message Processing Engine (MPE) policies, determine which rules are processed against a Log Message Source and how matching log messages are treated. |
| Log Sources | A Log Source is a unique source of log data that is collected from a Host. Every log is associated with a single Log Source, which is the key link LogRhythm uses to determine the origin of a log message. |
| Network Monitor | LogRhythm NetMon provides visibility into all data traversing your network through in-depth packet capture and multiple recognition methodologies. |
| Network Records | Network records identify and logically group a range of IP addresses to assign a Risk-Based Priority (RBP) to events and determine direction, such as inbound or outbound, for the activity being logged. |
| Object Permissions Manager | The Object Permissions Manager enables a Global Administrator to manage Investigations, Tails, Lists, and Alarm Rules by setting read and write access permissions for an object and assigning it to a new owner and/or entity. |
| People and Users | LogRhythm employs Person Records to identify users so they can log in with personal credentials instead of the default LogRhythmAdmin or LogRhythmAnalyst accounts. Person records are also used for Alarm Notifications. |
| Platform Manager | The Platform Manager (PM) serves as the central repository for events, configuration and licensing information, the LogRhythm Knowledge Base, and LogMart. |
| SmartResponse | SmartResponse lets you execute preventative actions when threatening activity is observed. Actions may provide deeper forensic or operational data, automate operations tasks, or implement security controls in defense of an attack or intrusion, such as disabling a compromised user account or terminating a connection between attacker and target. |
| System Monitor | The System Monitor is a software component that provides local and remote log data collection across various English-based operating systems, including Windows and *NIX. |