Configure LogRhythm Echo

Before running any use cases with a new Echo installation, perform the following configuration steps.

Start and Configure the Echo Service

Echo creates log sources in the LogRhythm deployment that might not be picked up by the Data Processor for several minutes. To ensure that the new log sources are in available in the DP’s cache when running use cases, restart the Mediator service on the DP after creating the Echo log sources. In addition, any imported and enabled AIE Rules require a restart of the AI Engine. To ensure that all necessary AIE Rules are enabled, restart the AI Engine service after importing the AIE Rules.

1. Start the LogRhythm Echo service, if necessary.
2. Open a Chrome or Firefox browser, and then type the default address of the Echo server: https://<localhost>:33333
   The LogRhythm Echo web interface appears.
3. Click Configuration.

4. Configure the LogRhythm Platform Manager’s EMDB connection. Enter your PM Host IP address, database user name, and password, and then click Save Settings.

   

   • It is recommended that you use a least-privilege SQL Server account for this purpose. For instructions on setting up this user, see Create a Least-Privilege SQL Server User for Echo.
   • The password is encrypted and stored on disk in the LogRhythm Echo’s config directory.

   After the EMDB settings are saved, Echo connects to the database and retrieves a list of Data Processors in the deployment.

5. Select a DP for the Echo service to send logs to.
6. (Optional) Specify the Entity, Host, Agent, and Agent IP. If these values are omitted, the defaults are used—EchoTestEntity, EchoTestHost, EchoTestAgent, and 10.1.2.50, respectively.
7. (Optional) Create a GLPR for Echo: Forward Echo Events, Index Echo Logs, and Do Not Archive Echo Logs.
8. Click Initialize Echo Configuration.
   This creates various objects in the EMDB:
   • Entity record for the Echo objects—Agent Host, System Monitor Agent, Log Sources, Known Hosts.
   • Host record for the Echo log collection Agent.
   • System Monitor Agent record for the Echo log collection Agent.
   • Log source records for each log source type across all use cases in the use case DB. This ensures that all possible log source types are created before any logs are sent to the system. When new use cases are created, new log source types are created when the use case runs for the first time.
   • Known Host records for each use case. This ensures that all Known Hosts are created before any logs are sent to the system. When new use cases are created, new Known Hosts are created when the use case runs for the first time.
   • (Optional) GLPR to forward and index all Echo Events and raw logs.
   After the objects have been created in the EMDB, they appear under Data Processor settings on the SIEM Configuration page.

9. To delete Echo configuration objects—such as Entity, Hosts, and Log Sources—from the EMDB, click Delete Echo Configuration. Any subsequent Echo usage on the deployment requires clicking Initialize Echo Configuration to reinitialize the objects in the EMDB.

   

   This does not delete any AIE rules, Lists, or SmartResponses that were manually imported as part of the Echo configuration. These objects must be deleted manually in the Client Console.

10. (Optional) Configure the LogRhythm NetMon’s Management API connection. Enter your NetMon’s address, user name, and API key, and then click Save Settings.

    

    The password and API key are encrypted and stored on disk in the LogRhythm Echo’s config directory.
11. (Optional) Configure the maximum number of logs to import from an .llx file when using the LLX File Browser to create use cases.

12. (Optional) Configure the LogRhythm Echo web server settings. These settings specify whether the Echo web server binds to localhost or the hostname.

    

    When Bind to localhost is set to False, the Echo service is potentially accessible from other machines.
13. (Optional) Toggle between night mode and day mode.

Create a Least-Privilege SQL Server User for Echo

This section explains how to create a least-privilege SQL Server user account for Echo to use when reading and writing to the LogRhythm EMDB database. For convenience, helper scripts to create and delete the user are provided with the installer in the databasescripts directory.

Create User

1. On the LogRhythm Platform Manager, open the File Explorer and navigate to C:\Program Files (x86)\LogRhythm\LogRhythm Echo\databasescripts.
2. Double-click either the create_lpu.ps1 script (PowerShell) or the create_lpu.bat (Windows Batch) script.
3. Enter the password for a SQL Server administrative user (for example, “sa”).
4. Enter the password for the new lrecho user.
   The script creates a user account called “lrecho” with the password you specified.
5. Use these credentials to connect to the Platform Manager database on the Echo Configuration page.

Delete User

1. On the LogRhythm Platform Manager, open the File Explorer and navigate to C:\Program Files (x86)\LogRhythm\LogRhythm Echo\databasescripts.
2. Double-click either the delete_lpu.ps1 script (PowerShell) or the delete_lpu.bat (Windows Batch) script.
3. Enter the password for a SQL Server administrative user (for example, “sa”).
4. The script removes the “lrecho” user account from SQL Server.

Import and Enable Required AIE Rules

Note the following regarding AIE rules and use cases in Echo:

• Not all use cases have AIE rules. Some have regular Alarm rules, and others have no Alarms at all—only raw logs and Events.
• All non-Knowledge Base—in other words, non-OOTB—AIE rules can be found and imported from the siemimports.zip file in the siemimports subdirectory.
• AIE rules and SmartResponses are imported using the LogRhythm Client Console.
• After importing AIE rules:
  • Enable each AIE rule’s Alarm (batch enable Alarms).
  • Enable each AIE rule—after import, they are disabled by default (batch enable Rules).
  • Associate any required SmartResponses with their AIE rules—for more information, see Required Out-of-the-Box AIE Rules.
  • Restart the AI Engine service for the changes to take effect.
• For details on what AIE rules are needed for what use cases, see AIE Rule Use Cases.

Import Required AIE Rules, Lists, and SmartResponses with the LogRhythm Client Console

1. Import the latest Knowledge Base: Click Tools, click Knowledge, click Knowledge Base Manager, click Check For Knowledge Base Updates, and then click Synchronize Stored Knowledge Base.
2. Enable all KB Modules: Click Tools, click Knowledge, and then click Knowledge Base Manager.
3. Batch import the AIE rules in the siemimports directory: In the Deployment Manager, click the AI Engine tab, click Actions, and then click Import. For more details, see LogRhythm Echo Use Cases and Their AIE Rules and SmartResponses.
4. Create and import the Echo Sensitive Files List (General Value list, type Object).
5. Batch enable the Alarms for the AIE rules:
   1. In the Deployment Manager, click the AI Engine tab.
   2. Click the box in the Action column for the Alarms you want to batch-enable.
   3. Right-click a selected rule, click Actions, click Batch Enable Alarms, and then click Enable Alarms.
6. Batch enable the AIE rules:
   1. In the Deployment Manager, click the AI Engine tab.
   2. Click the box in the Action column for the AIE rules you want to batch-enable.
   3. Right-click a selected rule, click Actions, and then click Enable.
7. Batch import the SmartRepsonses in the siemimports directory: Click Tools, click Administration, click SmartResponse Plugin Manager, click Actions, and then click Import. For more details, see LogRhythm Echo Use Cases and Their AIE Rules, Lists, and SmartResponses.
8. Associate SmartResponses with their AIE rules. Edit each AIE rule that has an associated SmartResponse—see LogRhythm Echo Use Cases and Their AIE Rules, Lists, and SmartResponses—and configure the action on the Actions tab of the AIE rule wizard.
9. Restart the AI Engine service for the changes to take effect.