Install the Diagnostics Agent and Diagnostics Tool
System Requirements for Diagnostics Tool v.2.4.0
- LogRhythm SIEM 7.3 or later.
- Read-only access to the LogRhythm EMDB and LogMart SQL Server databases. SQL client connections use TCP port 1433. For instructions on setting up a least-privilege, read-only SQL Server user for this purpose, see Create a Least-Privilege SQL Server User for Querying LogRhythm Databases.
- The LogRhythm Diagnostics Agent must be installed on each LogRhythm Windows component node (Platform Manager, Data Processors, AI Engines, and standalone Web Consoles). The Diagnostics Agent is required even for single-node LogRhythm XM deployments.
- For Data Indexer (DX) connections, the Diagnostics Tool application (client) uses SSH/SFTP to query system information and collect log data and does not require a Diagnostics Agent.
- The LogRhythm Diagnostics Tool application (client) must be installed on a Windows host that has TCP 1433 connectivity to the Platform Manager, TCP 22 connectivity to each Data Indexer, and TCP 33334 connectivity to each Diagnostics Agent on each Windows component.
- If there is firewall software on the LogRhythm components hosting the Diagnostics Agent, a rule must be enabled for the Diagnostics Agent’s incoming port (default is 33334).
- Ensure that your firewall allows you to download the installer and reference materials from the LogRhythm Community, and that your antivirus software allows the installation of the Diagnostics Agent and Diagnostics Tool.
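The following PowerShell is an added example, not part of the LogRhythm installer or its documentation. It does two things the requirements above imply but do not spell out: on an Agent host it creates the inbound rule for the Agent port scoped to the Diagnostics Tool host only (the Agent exposes an HTTP basic-auth endpoint, so it should not be reachable from arbitrary addresses), and on the Diagnostics Tool host it probes every TCP path listed: 1433 to the Platform Manager, 22 to each Data Indexer, and 33334 to each Agent. All addresses and the rule name are placeholders.

```powershell
# Added example; not LogRhythm's own scripts. Addresses are placeholders for your deployment.

# --- Run on each Windows component that hosts a Diagnostics Agent ---
# Allow the Agent port only from the Diagnostics Tool host, not from any source address.
function New-DiagnosticsAgentFirewallRule {
    param(
        [Parameter(Mandatory)] [string] $DiagnosticsToolAddress,  # e.g. '10.0.0.50' (placeholder)
        [int] $AgentPort = 33334                                   # Agent default port
    )
    New-NetFirewallRule -DisplayName 'LogRhythm Diagnostics Agent (inbound)' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort $AgentPort `
        -RemoteAddress $DiagnosticsToolAddress -Profile Domain, Private
}

# --- Run on the Diagnostics Tool host ---
# Emits one row per required path; Reachable = False points at a firewall or routing
# problem to fix before launching the tool.
function Test-DiagnosticsConnectivity {
    param(
        [Parameter(Mandatory)] [string] $PlatformManager,   # use the VIP in HA deployments
        [string[]] $DataIndexers = @(),
        [string[]] $AgentHosts = @(),
        [int] $AgentPort = 33334
    )
    $targets = @([pscustomobject]@{ Role = 'Platform Manager (SQL)'; Host = $PlatformManager; Port = 1433 })
    foreach ($dx in $DataIndexers) {
        $targets += [pscustomobject]@{ Role = 'Data Indexer (SSH)'; Host = $dx; Port = 22 }
    }
    foreach ($agent in $AgentHosts) {
        $targets += [pscustomobject]@{ Role = 'Diagnostics Agent'; Host = $agent; Port = $AgentPort }
    }
    foreach ($t in $targets) {
        $probe = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $t.Role; Host = $t.Host; Port = $t.Port; Reachable = $probe.TcpTestSucceeded }
    }
}

# Usage with placeholder addresses. The PM also runs an Agent, so it appears in both lists.
Test-DiagnosticsConnectivity -PlatformManager '10.0.0.10' `
    -DataIndexers '10.0.0.21', '10.0.0.22' `
    -AgentHosts '10.0.0.10', '10.0.0.31' | Format-Table -AutoSize
```

Run the firewall function once per Agent host with the address the Diagnostics Tool will connect from; if the Tool is later moved to another host, the rule must be updated rather than widened to any address.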
Installation Steps
Install and Configure the LogRhythm Diagnostics Agent
As part of the Diagnostics Agent installation, a Windows Service called “LogRhythm Diagnostics Agent” is installed on your system. The software installs to C:\Program Files\LogRhythm\LogRhythm Diagnostics Agent, and configuration is accessible via the LogRhythm Diagnostics Agent Windows shortcut.
- Run the LogRhythm Diagnostics Agent installer, available on the LogRhythm Community.
When the installer is finished, the configuration window appears.
- Configure the following settings in the LogRhythm Diagnostics Agent user interface:
Agent Configuration
IP Address. The IP address of the LogRhythm Windows host running the Agent, as reachable from the host running the LogRhythm Diagnostics Tool. This is the address of the Agent host, not of the Diagnostics Tool host.
Port. The TCP port the Agent listens on. Configurable; the default is 33334.
Log Level. Informational by default. Set it to Debug when troubleshooting the Agent.
Authentication Configuration
User Name. User-supplied username for HTTP basic authentication. This value does not need to be an existing LogRhythm or Windows user account.
Password. User-supplied password for HTTP basic authentication.
The basic HTTP authentication credentials and port for each Diagnostics Agent are used to configure and authenticate LogRhythm nodes on the Settings page in the LogRhythm Diagnostics Tool.
A Diagnostics Agent is Windows-only and is not installed on LogRhythm Linux DX nodes—for these nodes, valid SSH credentials are used for authentication.
The password is salted (512-byte salt) and hashed with HMAC-SHA512. The username, salt, and hash are stored in the AgentConfig.json file under the ProgramData directory of the Agent host, which is writable only by administrators. Mutual, certificate-based authentication between the Agent service and the Client application can also be configured; see the next section.
(Optional) HTTPS SSL Certificate Configuration
HTTPS is used for communication between the Diagnostics Tool and individual Diagnostics Agents. By default, the Diagnostics Agent uses a dynamically generated self-signed server certificate. For additional security, you can instead use your own self-signed certificate, a certificate signed by a third-party CA, or a certificate issued by your own PKI.
Use Generated Certificate. Select this option to use a dynamically generated self-signed certificate (default).
Use Certificate From Store. Select this option to use your own certificate. This option assumes that a usable certificate is already in the server’s certificate store.
When using a certificate from the local certificate store, the certificate’s private key must be exportable. If the certificate is CA-signed rather than self-signed, the root of its issuing chain must be present in the machine’s Trusted Root Certification Authorities store.
Store. Select My or Root.
Location. Select Local Machine or Current User.
Subject. Enter in the format CN=<subject name>, where subject name is a FQDN, hostname, or IP address. Ensure that there are no spaces surrounding or between the “CN,” the “=,” and the subject.
- Click Save, and then click Close to exit the configuration.
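Before selecting Use Certificate From Store, it is worth confirming that the certificate actually meets the prerequisites above, since a non-exportable key or an untrusted chain only shows up as a failed HTTPS connection later. The PowerShell below is an added example, not part of the LogRhythm installer: given a subject in the exact CN=<name> form the Agent expects, it locates the certificate in the Local Machine Personal (My) store, probes whether the private key is exportable, builds the chain as a TLS client would, and reports whether the certificate is acceptable. The subject 'CN=pm01.corp.example' is a placeholder.

```powershell
# Added example; not LogRhythm code. Checks a certificate against the "Use Certificate From
# Store" prerequisites: exact CN=<name> subject, exportable private key, and (for a
# CA-signed certificate) a chain ending in the machine's Trusted Root store.
function Test-DiagnosticsAgentCertificate {
    param(
        [Parameter(Mandatory)] [string] $Subject,          # e.g. 'CN=pm01.corp.example' (placeholder)
        [string] $StorePath = 'Cert:\LocalMachine\My'      # Store = My, Location = Local Machine
    )
    # The Agent UI requires CN=<name> with no spaces around or inside the prefix.
    if ($Subject -notmatch '^CN=\S+$') {
        throw "Subject must be exactly CN=<name> with no spaces: '$Subject'"
    }
    $cert = Get-ChildItem $StorePath | Where-Object { $_.Subject -eq $Subject } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in $StorePath" }

    $result = [ordered]@{
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        KeyExportable = $false
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)
        ChainTrusted  = $false
        ChainStatus   = ''
    }

    # Exporting to PFX requires the private key to be exportable; a key that was
    # imported or enrolled as non-exportable throws a CryptographicException here.
    if ($cert.HasPrivateKey) {
        try {
            [void] $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, 'probe')
            $result.KeyExportable = $true
        } catch {
            $result.KeyExportable = $false
        }
    }

    # Build the chain against the machine's trust stores. Revocation checking is disabled
    # so the result reflects trust only; re-enable it if the Agent host has CRL/OCSP access.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $result.ChainTrusted = $chain.Build($cert)
    $result.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ','

    # A self-signed certificate is acceptable (the Agent's default is self-signed);
    # a CA-signed one must chain to a trusted root. Either way the key must be exportable
    # and the certificate must not have expired.
    $result.Acceptable = $cert.HasPrivateKey -and $result.KeyExportable -and
                         ($result.SelfSigned -or $result.ChainTrusted) -and
                         ($cert.NotAfter -gt (Get-Date))
    [pscustomobject] $result
}

# Usage (placeholder subject); run in an elevated session on the Agent host.
Test-DiagnosticsAgentCertificate -Subject 'CN=pm01.corp.example' | Format-List
```

If KeyExportable is False, re-import the certificate with the exportable option (or re-enroll it) before pointing the Agent at it; if ChainTrusted is False for a CA-signed certificate, ChainStatus names the missing piece (typically UntrustedRoot or PartialChain) so you know which CA certificate to install.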
Install the LogRhythm Diagnostics Tool
Typically, the LogRhythm Diagnostics Tool installs on the Platform Manager or XM. However, the Diagnostics Tool does not need to be installed on the LogRhythm deployment itself. The Diagnostics Tool requires TCP 1433 connectivity to the PM, TCP 22 connectivity to Linux DX nodes, and connectivity (default TCP 33334) to the LogRhythm Diagnostics Agents. The application installs to C:\Program Files\LogRhythm\LogRhythm Diagnostics.
- Run the LogRhythm Diagnostics Tool installer, available on the LogRhythm Community.
- Launch the application—click Start, click LogRhythm, and then click LogRhythm Diagnostics.
The LogRhythm Diagnostics login page appears. Enter the Platform Manager IP address, a suitable LogRhythm EMDB database account name, and the account password. For high availability (HA) deployments, use the virtual IP address (VIP) or shared address for the Platform Manager. To create a SQL Server user for the Diagnostics Tool to use, see Create a Least-Privilege SQL Server User for Querying LogRhythm Databases.
The LogRhythmAdmin user is not supported in the LogRhythm Diagnostics client.
- To begin collecting data from the deployment, click Submit.
Create a Least-Privilege SQL Server User for Querying LogRhythm Databases
This section explains how to create a least-privilege SQL Server user (read-only) for the LogRhythm Diagnostics Tool to use when querying the LogRhythm SQL Server databases. For convenience, helper scripts to create and delete the user are provided with the installer in the databasescripts directory.
Create User
- On the LogRhythm Platform Manager, open the File Explorer and navigate to C:\Program Files\LogRhythm\LogRhythm Diagnostics\LogRhythm Diagnostics\databasescripts.
- Run either the create_lpu.ps1 script (PowerShell) or the create_lpu.bat script (Windows Batch). By default, double-clicking a .ps1 file opens it in an editor rather than running it, so right-click create_lpu.ps1 and select Run with PowerShell, or run it from a PowerShell prompt; the .bat file runs when double-clicked.
- Enter the password for a SQL Server administrative user (for example, “sa”).
- Enter the password for the new lrdiagnostics user.
The script creates a user account called “lrdiagnostics” with the password you specified.
- Use these credentials to connect to the Platform Manager database on the Diagnostics Tool’s login screen.
Delete User
- On the LogRhythm Platform Manager, open the File Explorer and navigate to C:\Program Files\LogRhythm\LogRhythm Diagnostics\LogRhythm Diagnostics\databasescripts.
- Run either the delete_lpu.ps1 script (PowerShell) or the delete_lpu.bat script (Windows Batch). As with the create script, right-click delete_lpu.ps1 and select Run with PowerShell, or run it from a PowerShell prompt; the .bat file runs when double-clicked.
- Enter the password for a SQL Server administrative user (for example, “sa”).
The script removes the “lrdiagnostics” user account from SQL Server.
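The helper scripts above are the supported way to create the user. The PowerShell below is an added example, not the installer's create_lpu.ps1, showing what a least-privilege user for this purpose looks like and, more usefully, how to verify afterwards that the login really is read-only: it creates a SQL login with password policy enforcement, maps it into each database as a member of db_datareader only, then connects as that login and lists its effective database permissions, flagging any that would allow writes. The database names LogRhythmEMDB and LogRhythm_LogMart, the instance name, and the connection settings are assumptions to check against your Platform Manager.

```powershell
# Added example; not the installer's create_lpu.ps1. Run on the Platform Manager in
# Windows PowerShell 5.1 as a SQL Server administrator (Windows authentication).
# Database names below are assumed; confirm them in SQL Server Management Studio.
$SqlInstance = 'localhost'
$Databases   = @('LogRhythmEMDB', 'LogRhythm_LogMart')   # EMDB and LogMart (assumed names)
$LoginName   = 'lrdiagnostics'

function Invoke-Sql {
    param([Parameter(Mandatory)][string]$ConnectionString, [Parameter(Mandatory)][string]$Query)
    $conn = [System.Data.SqlClient.SqlConnection]::new($ConnectionString)
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $table = [System.Data.DataTable]::new()
        [void] [System.Data.SqlClient.SqlDataAdapter]::new($cmd).Fill($table)
        return $table.Rows
    } finally { $conn.Close() }
}

# Builds a connection string safely (a password containing ';' would otherwise break it).
# TrustServerCertificate is acceptable only for this loopback connection on the PM itself;
# from a remote host, trust the SQL Server's certificate instead of bypassing the check.
function New-ConnectionString {
    param([string]$Database, [string]$User, [string]$Password)
    $b = [System.Data.SqlClient.SqlConnectionStringBuilder]::new()
    $b['Server'] = $SqlInstance
    $b['Encrypt'] = $true
    $b['TrustServerCertificate'] = $true
    if ($Database) { $b['Database'] = $Database }
    if ($User) { $b['User ID'] = $User; $b['Password'] = $Password } else { $b['Integrated Security'] = $true }
    return $b.ConnectionString
}

function New-ReadOnlyDiagnosticsLogin {
    param([Parameter(Mandatory)][securestring]$Password)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $pw    = $plain.Replace("'", "''")          # escape for the T-SQL string literal
    $admin = New-ConnectionString
    Invoke-Sql $admin @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$LoginName')
    CREATE LOGIN [$LoginName] WITH PASSWORD = N'$pw', CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
"@ | Out-Null
    foreach ($db in $Databases) {
        # db_datareader grants SELECT on every table and view and nothing else.
        Invoke-Sql $admin @"
USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$LoginName')
    CREATE USER [$LoginName] FOR LOGIN [$LoginName];
ALTER ROLE db_datareader ADD MEMBER [$LoginName];
"@ | Out-Null
    }
}

# Connects AS the new login and asks SQL Server which database-level permissions it
# effectively holds. Anything beyond CONNECT/SELECT/VIEW* means the user is over-privileged.
function Test-ReadOnlyDiagnosticsLogin {
    param([Parameter(Mandatory)][securestring]$Password)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $writeLike = @('INSERT', 'UPDATE', 'DELETE', 'ALTER', 'CONTROL', 'EXECUTE', 'CREATE TABLE', 'TAKE OWNERSHIP')
    foreach ($db in $Databases) {
        $cs    = New-ConnectionString -Database $db -User $LoginName -Password $plain
        $perms = @(Invoke-Sql $cs "SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE')" |
                   ForEach-Object { $_.permission_name })
        $writes = @($perms | Where-Object { $_ -in $writeLike })
        [pscustomobject]@{
            Database       = $db
            CanSelect      = ($perms -contains 'SELECT')
            WritePerms     = ($writes -join ',')
            LeastPrivilege = ($perms -contains 'SELECT') -and ($writes.Count -eq 0)
        }
    }
}

# Usage: create the login, then prove it is read-only in both databases.
$pw = Read-Host -AsSecureString "Password for $LoginName"
New-ReadOnlyDiagnosticsLogin -Password $pw
Test-ReadOnlyDiagnosticsLogin -Password $pw | Format-Table -AutoSize
```

The verification step is the part worth keeping even if you use the shipped scripts: run Test-ReadOnlyDiagnosticsLogin after create_lpu.ps1 and confirm LeastPrivilege is True for every database the tool touches, and run it again after any SQL Server role or permission change.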