Least Privileged User: DP, Mediator Server
Purpose
The Mediator Server is the primary Data Processor service, and is responsible for receiving and storing log data from Agents. The service receives communication from Agents and may send communications to the AIE Communication Manager service.
Shared Resources
Read | Write | Read & Execute | Modify | Full Control | Children Inherit | |
---|---|---|---|---|---|---|
<LogRhythm Installation Directory Path>\LogRhythm\LogRhythm Mediator Server | X | |||||
<LogRhythm Active Archive Path> | X | |||||
<LogRhythm Inactive Archive Path> | X | |||||
<LogRhythm Installation Directory Path>\LogRhythm\LogRhythm Mediator Server\state\DXReliablePersist | X |
Archive paths can be changed from the Data Processor Advanced Properties interface in the Deployment Manager/Data Processors tab.
If the Mediator is configured to write inactive archive files to a separate server, additional file permissions must be given so the Mediator service has write permissions to the remote file share. For assistance configuring Mediator offline storage, see Data Archives and Restoration.
Registry Access
Read Control | Write Owner | Write DAC | Delete | Create Link | Enumerate Subkeys | Set Value | Query Value | Full Control | Children Inherit | |
---|---|---|---|---|---|---|---|---|---|---|
HKEY_LOCAL_MACHINE\ | X | X | X | X | X | X | X | X | X | |
HKEY_LOCAL_MACHINE\System\ | X | X | X | X | X | X | X | X | X | |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters | X | X | X | X | X | X | X | X | X | |
HKEY_LOCAL_MACHINE\ | X | |||||||||
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib | X | |||||||||
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Perflib | X | |||||||||
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LogRhythm Mediator:LDS | X | X | X | X | X | X | X | X | X | |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LogRhythm Mediator:LogMart | X | X | X | X | X | X | X | X | X | |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LogRhythm Mediator:Processing | X | X | X | X | X | X | X | X | X | |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LogRhythm Mediator:Stats | X | X | X | X | X | X | X | X | X | |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET CLR Data | X | X | ||||||||
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET CLR Networking | X | X | ||||||||
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET CLR Networking 4.0.0.0 | X | X | ||||||||
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET Data Provider for Oracle | X | X | ||||||||
HKEY_LOCAL_MACHINE\ | X | X |
Database Access
The Mediator Server uses the LogRhythmLM database user and the LogRhythmGlobalMedSvr and LogRhythmGlobalMPE security roles to access the LogRhythm EMDBs and the archive database. All permissions are set as required by the default security role.
Ports
Mediator port configuration is handled through the Console’s Deployment Manager. Click the Data Processors tab, select and right-click a Data Processor, and then click Properties. The port settings can be reached through the Advanced button, the AI Engine tab, or the Automatic Log Source Configuration tab.
Port | Default Port | Inbound/Outbound | Purpose |
---|---|---|---|
ServerSSLPort | 443 | Inbound from Agent(s) | Primary listener port for receiving logs from Agents |
Mediator Port | 40000 | Inbound from Agent | Listener port for Mediator to get logs from Agent in unidirectional mode only |
SecondaryServerSSLPort | 443 | Inbound from Agent(s) | External-facing IP port for secondary server (if configured) |
TertiaryServerSSLPort | 443 | Inbound from Agent(s) | External-facing IP port for tertiary server (if configured) |
AIE Client Management Port | Random/Ephemeral | Outbound to AIE communication | If this log source reports to AIE, it will call out to the configured AIE server |
AIE Client Data Port | Random/Ephemeral | Outbound to AIE communication | If this log source reports to AIE, it will call out to the configured AIE server |
Automatic Log Source | 161 | Inbound SNMP | The Mediator can be configured to automatically listen to and gather SNMP traps |
DX Acknowledgment | 16000 | Inbound from DX | Acknowledgments for log transfer from the Mediator to the Data Indexer |
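To check a Data Processor host against the table above, the following added example (not LogRhythm code) compares `netstat -ano` output with the documented default listener ports and reports any listener owned by the Mediator process that the table does not account for. The protocol per port (TCP, with UDP for SNMP), the PID value, and the sample output are assumptions constructed for illustration.

```python
import re

# Default listener ports from the Ports table. Protocols are an assumption (the
# page does not state them): TCP everywhere, UDP for SNMP. Edit this map if the
# ports were changed in Deployment Manager.
ALLOWED = {
    ("TCP", 443): "ServerSSLPort (primary, secondary, tertiary)",
    ("TCP", 40000): "Mediator Port (unidirectional Agents)",
    ("UDP", 161): "Automatic Log Source (SNMP)",
    ("TCP", 16000): "DX Acknowledgment",
}
REQUIRED = {("TCP", 443)}  # primary listener for Agents

# One `netstat -ano` row: proto, local addr:port, foreign addr, [state], PID
ROW = re.compile(r"^\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:(\S+)\s+)?(\d+)\s*$")

def audit_listeners(netstat_text, mediator_pid):
    """Compare sockets owned by the Mediator PID with the documented ports."""
    seen = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or int(m.group(4)) != mediator_pid:
            continue
        proto, port, state = m.group(1), int(m.group(2)), m.group(3)
        if proto == "TCP" and state != "LISTENING":
            continue  # outbound sessions (e.g. to AIE) use ephemeral ports
        seen.add((proto, port))
    return {
        "documented": sorted(seen & set(ALLOWED)),
        "unexpected": sorted(seen - set(ALLOWED)),  # not in the Ports table
        "missing": sorted(REQUIRED - seen),
    }

# Constructed sample output; PID 4312 stands in for the Mediator service process.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       4312
  TCP    0.0.0.0:16000          0.0.0.0:0              LISTENING       4312
  TCP    10.0.0.5:51544         10.0.0.9:30000         ESTABLISHED     4312
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1100
  UDP    0.0.0.0:161            *:*                                    4312
"""

if __name__ == "__main__":
    for kind, ports in audit_listeners(SAMPLE, 4312).items():
        print(kind, ports)
```

On the sample, TCP 8080 is reported as unexpected because it is owned by the Mediator PID but does not appear in the Ports table; such a finding is a prompt to review the host firewall rules and the Data Processor port configuration.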
Other Resources
The Mediator Server does not access any external third-party systems.