System Management Settings
Global Data Management Settings
Administrators can enable global options that override settings at the Data Processor, Log Source, and MPE Policy levels. Global settings are applicable in both Classification Based and Standard Data Management configurations.
Data Management profiles simplify configuration based on the deployment's data management model. Data Management settings have been pre-packaged into configurations which support various deployment models and uses of the product.
- Collection Optimized
- Search Optimized
- Performance Optimized
- Custom
You have the option to manage these settings at a more granular level.
Global Data Management Settings are:
- a simpler way to configure and understand how LogRhythm manages log data.
- a global mechanism for configuring data management that does not require you to manage key settings in numerous places.
- a straightforward way to implement global data management overrides and event forwarding.
- powerful enough to enable data management configuration at the Data Processor, Log Source, and MPE Policy levels for advanced users.
Intelligent Indexing
In many deployments, it is not feasible to keep all log data indexed or online. The system must be tuned so only a subset of data is indexed in your Data Processor(s) while ensuring the right data is indexed. Intelligent Indexing automates and simplifies tuning where LogRhythm automatically indexes the data known to be needed versus requiring manual and complex tuning.
Types of Indexed Data
The following items have their log data indexed (i.e. brought online) into the applicable data source (Data Processor and/or LogMart):
- Reports
- Report Packages
- Tails
- Investigations
The Global Log Processing Rules supersede Intelligent Indexing settings and can be used to take specific data offline.
Performance Counters
The following performance counters monitor Intelligent Indexing:
- Intelligent Indexing Data Processor % Indexed. The percentage of logs processed against Data Processor Intelligent Indexing rules which matched a rule.
- Intelligent Indexing LogMart % Indexed. The percentage of logs processed against LogMart Intelligent Indexing rules which matched a rule.
- Intelligent Indexing Processing Rate. Intelligent Indexing Processing Rate
Global System Settings
Data Management settings require site-specific modifications for global configuration. Global system settings include Identity Inference, which can help recognize the user responsible for an activity when identity information, such as account or login, is not available in the log message. Using an inference model, the identity associated with logs containing applicable host information, such as IP addresses, can be determined. This feature maintains a mapping of users to hosts based on log activity observed. When this feature is enabled, the Message Processing Engine performs the identify inference.
Active Directory Domain Manager
LogRhythm provides a regularly scheduled synchronization process to retrieve data from Active Directory and store it in the LogRhythm EMDB. After synchronization, you can access and filter the data using the following tools: Investigations, Tails, Reports, Personal Dashboard, Alarm Rule Criteria, SecondLook restore criteria, and Log Distribution Service (LDS) Policy criteria. You can also view the data from the Active Directory Browsers accessible via the Client Console. With LogRhythm 6.2, administrators are able to manage LogRhythm users in the same manner as Active Directory users. This allows the administrators to put Active Directory users into the LogRhythm system based on their active directory.
Active Directory Synchronization
LogRhythm provides a regularly scheduled synchronization process to retrieve data from Active Directory and store it in the LogRhythm EMDB. After synchronization, you can access and filter the data using the following tools: Investigations, Tails, Reports, Personal Dashboard, Alarm Rule Criteria, SecondLook restore criteria, and Log Distribution Service (LDS) Policy criteria. You can also view the data from the Active Directory Browsers accessible via the Client Console.
LogRhythm administrators are able to manage LogRhythm users in the same manner as Active Directory users. This allows the administrators to put Active Directory users into the LogRhythm system based on their active directory.
Synchronization of Active Directory objects follows these rules:
- After a Group or User has been created in the local database, it is never deleted.
- All Users must be synced or synchronization fails. Each user is synced independently. If failure occurs, all users synced prior to failure will have been updated in the database.
- User Login Values: three login values are stored for each user and represent possible AD login strings:
- [Username] (i.e., pete). Saved in IDMUser.Login1.
- [Username]@[FQDN] (i.e., test@abcd.something.com). Saved in IDMUser.Login2.
- [NetBIOS Name]\[Username] (i.e., something\john). Saved in IDMUser.Login3.
- This format is only saved for root level domains. It is not saved for sub-domains because sub-domains may have the same NetBIOS name as the parent domain.
- Only login 1-3 fields are synchronized, login4 and login5 are not synced. Users can manually input values into these fields and they would be filtered on.
- All Groups must be synced or sync fails. Each group is synced independently. If failure occurs, all groups synced prior to failure will have been updated in the database.
- Group membership is synced to reflect membership at time of sync. All group members must be successfully updated or no changes are made for that group. Group membership is updated within a transaction. If any failure occurs when updating a single group, no changes for that group are updated in the database. However, groups having membership synced prior to failure will have been updated in the database.
Active Directory Permissions and Security
Active Directory Synchronization is required for the Windows Host Wizard to identify computers and for the Active Directory Group Authorization in the User Profile to identify users. The following permissions are required for Active Directory Synchronization.
- Ports must be enabled for the LDAP environment. To determine the ports required for your specific LDAP environment, see Active Directory and Active Directory Domain Services Port Requirements. Most deployments will require TCP and UDP 389.
- The service account must have read permissions for the Job Manager.
- The service the Job Manager runs under must have the permissions required to query Active Directory to avoid permission-related errors.
Active Directory Domain Manager
The Active Directory Domain Manager window contains a grid to list the domains and subdomains that have been previously added for synchronization. The following table describes the columns in the grid.
Column Name | Description |
---|---|
Action | The check box used in conjunction with the Actions context menu |
Domain Name | The name of the domain. |
Include In Sync | The indicator to include in the synchronization |
Include in Group Based Authorization | Include the domain in the group-based authorization. |
User Name | The user name provided to scan the domain. |
Organizational Unit | The organizational unit for the domain. Used for Windows Host Wizard scanning. |
Description | The brief description given to the domain via the properties. |
Status | The status of the domain, either Active or Retired. |
Domain ID | The unique identifier for the domain record. |
There are two menu items available: New and Properties. The OK, Cancel, and Apply buttons appear at the bottom of the window.
The actions in the following table can be accessed by right-clicking the grid area.
Context Menu | Description |
---|---|
New | Create a new domain and open the New Domain Properties Window. |
Add Subdomains | Query Active Directory for sub-domains of the active domain configuration and add rows to the grid for each. If the grid already contains active rows for the sub-domains, their details are updated. The Add Subdomains context menu is disabled if the active domain configuration is retired. |
Actions > Activate | Active domains. |
Actions > Retire | Retire domains. |
View > Retired Domains | Display retired domains. |
Properties | Open the domain properties window. |
Synchronization of Domains
The domains are synchronized hourly. Domains must exist in the list and at least one must have Include in Sync or Include in Group Based Authorization checked in the appropriate column.
Synchronizing updates the LogRhythm deployment with the current users, groups, and group members in Active Directory. All domains where Include In Sync or Include in Group Based Authorization are checked will be synchronized.
The synchronization process does not delete users or groups because they might be referred to by log, event, and alarm records.
Scheduled Synchronization
The Job Manager service performs scheduled Active Directory Synchronization with these conditions:
- Synchronization starts five minutes after the Job Manager service starts.
- Synchronization occurs every hour as long as the Job Manager service is running.
- The Job Manager attempts to synchronize three times after experiencing an error before waiting for the next scheduled synchronization.
- The service the Job Manager runs under must have the permissions required to query AD to avoid permission related errors.
- Only domains that have Include In Sync selected are synchronized.
Active Directory Browsers
There are two Active Directory browsers, both accessible under Knowledge on the Tools menu. The browsers provide a means to access the existing Active Directory information that has been synchronized and stored in the LogRhythm EMDB. However, users who are limited to Restricted Admin or Restricted Analyst roles do not have access to view Active Directory group or user membership information in these browsers.
Active Directory User Browser
The Active Directory User Browser has two grids. The top grid contains all users who have been synchronized as part of the AD Synchronization process that stores the AD information in the LogRhythm EMDB. The lower grid lists the groups to which the user belongs.
Active Directory Group Browser
The Active Directory Group Browser has three grids. The top grid contains all groups that have been synchronized as part of the AD Synchronization process that stores the AD information in the LogRhythm EMDB. The lower-left grid lists the members of the group. The lower-right grid contains the user information for members of the group.