Licensing
LogRhythm licensing has been designed to allow licenses to be assigned and transferred between components centrally. There is no need to type license keys directly into each LogRhythm component, making deployment much simpler. Instead, you import your license file into the LogRhythm License Manager and assign available licenses to the deployed components.
LogRhythm Master License File
The LogRhythm Solution requires a LogRhythm license file which contains a LogRhythm Master License and Component Licenses. The Master License is tied to an individual customer for a single deployment of LogRhythm (1 Platform Manager and 1 or more Data Processors). Component Licenses fall within the Master License and are used to license specific LogRhythm components within the same LogRhythm deployment.
A LogRhythm license file can contain the following component and subscription licenses:
- Platform Manager License (always included)
- Data Processor License(s)
  - Software License
  - Appliance License
- Log Message Source License(s)
  - Quantity License
  - Unlimited License
- System Monitor Lite License
- System Monitor Pro License
- System Monitor Collector License
- Advanced Intelligence Engine License (separate volume license)
- GeoIP Resolution Subscription License
Licensing Considerations
- The license for the Platform Manager is automatically assigned. Licenses for all other components are assigned when the component is created, or later via the LogRhythm Deployment Manager.
- The Deployment Manager attempts to license all newly created components. If a license is unavailable, you are notified. A license can later be assigned via the Deployment Manager.
- The Deployment Manager first tries to assign a System Monitor Pro license to an agent, if one is available; otherwise, it assigns a System Monitor Lite license.
- When a Data Processor starts, it validates its license. If a license is not assigned, has expired, or has been tampered with, the Data Processor Mediator Server process terminates.
- When the Data Processor Mediator Server process authenticates System Monitor Agents, it validates the license of the Agent and all reporting Log Message Sources.
- If the Agent is not assigned a license, or its license has expired or been tampered with, the Agent is not allowed to connect to the Data Processor.
- If a Data Processor has exceeded the assigned number of Message (Log) Source licenses (in limited licensing mode), additional log sources are not able to send log messages to the Data Processor.
Data Processor Licensing
A LogRhythm Data Processor is licensed in one of two modes:
- Software Mode. Used if you purchased the LogRhythm licenses as a software package.
- Appliance Mode. Used if you purchased the LogRhythm licenses as part of a LogRhythm appliance.
Each Data Processor also has a Log Source licensing mode that determines the number of log sources the Data Processor is licensed to handle:
- Limited Mode. Data Processor is licensed to handle a fixed number of log sources.
- Unlimited Mode. Data Processor is licensed to handle an unlimited number of log sources.
Log Message Source Licensing
Each Log Message Source from which an Agent collects logs must have a corresponding license, except for the following log sources (which are considered part of the Agent): Data Loss Defender (DLD), User Activity Monitor (UAM), Process Monitor (PM), Network Connection Monitor (NCM), File Integrity Monitor (FIM), Syslog Server, and IPFIX/NetFlow/J-Flow Server. However, virtualized Log Message Sources collected by the Syslog or NetFlow/J-Flow Servers do need Log Message Source licenses.
Log Message Source licenses are available in packs of varying size. Data Processors use license packs as a whole, as assigned in the Data Processor Licensing Wizard. As Agents connect, they authenticate Log Message Sources, which consume licenses on a first come, first served basis. As Agent connections to the Data Processor close, the Log Message Source licenses are returned to an unclaimed state, and can be consumed by the next connecting Agent.
System Monitor Licensing
You must license each LogRhythm System Monitor to connect to a Data Processor and forward data. LogRhythm provides three types of System Monitor licenses:
- System Monitor Lite
- System Monitor Pro
- System Monitor Collector
When a System Monitor is registered in the Deployment Manager, it is automatically assigned a System Monitor Pro license, if one is available; otherwise, it is assigned a System Monitor Lite license. To view the features associated with System Monitor Lite and Pro licenses, see the System Monitor Functionality by License: Lite, Pro, and Collector table in the LogRhythm Compatibility and System Monitor Functionality Guide.
SQL Server and CAL Licensing
LogRhythm includes SQL Server Enterprise Runtime as part of the LogRhythm Solution (Appliance or Software). LogRhythm also provides an initial number of User Client Access Licenses (CALs) for SQL Server licensing. The initial CALs are included in the purchase of the LogRhythm Solution; however, if you require CALs beyond the initial set, they must be purchased from LogRhythm.
CALs apply to a single deployment of LogRhythm (1 Platform Manager and 1 or more Data Processors). Because CALs apply to a LogRhythm deployment, they are only provided with EM or XM Appliances and EM or XM Software Sales.
Either 3 or 5 user CALs are included with a LogRhythm purchase depending on the software and/or appliance purchased. Client Access Licenses (CALs) provide one device CAL for the appliance services and allow up to four simultaneous LogRhythm Client Console connections. Deployments that require more than four must purchase additional CALs to ensure license compliance. If you require additional SQL Server CALs, contact your Customer Relationship Manager (CRM).
The LogRhythm Solution comes with a SQL Server End User License Agreement (EULA) for the specific appliance purchased. View your license to determine the number of CALs you have purchased.
Every user who has a login for LogRhythm requires one user CAL. Please note the following:
- 1 CAL is automatically used by the LogRhythm Administrator default account
- 1 CAL is automatically used by the LogRhythm Analyst default account
To determine the number of CALs a LogRhythm deployment requires, refer to the Person tab in Deployment Manager. Count every Person record where Has Login is selected. This is the number of CALs required.