7.10.0 GA Release Notes - 29 September 2022
Upgrade Considerations
Upgrade considerations for all 7.10.x releases are available on the LogRhythm Release Notes main page.
LogRhythm 7.9.0 introduced support for Microsoft SQL Server 2019 and Windows Server 2019 on standard deployments. If your deployment is running SQL Server 2016 Standard or Windows Server 2016, there is no need to upgrade to 2019.
For more information on the optional upgrades, see:
New Features
| Functional Group | Feature | Description |
|---|---|---|
| Customer Enhancement | AI Engine Unique Values Rule Block | Explanation: AI Engine Events now include Host information. This reduces misfires from AI Engine Unique Values rule blocks and provides correct logs in drilldown results. Benefit: The system is more stable and enables users to spend more time on threat detection and response. Relevant Documentation Updates: N/A |
| Platform Administration | Admin API | Explanation: The Admin API library now includes the Associate Pending Log Source endpoint. This enables SIEM administrators to manage pending or modify existing System Monitor Agents through the API. Benefit: The Admin API reduces administrative overhead and expedites workflow by automating routine tasks. Relevant Documentation Updates: Administration API Endpoints |
| Platform Administration | Alarm API | Explanation: The Alarm API library now includes the Get Alarm URL endpoint. This enables SIEM administrators to retrieve alarm URLs which were configured in Platform Manager through the API. Benefit: The Alarm API allows users to retrieve alarm information without a database connection. Relevant Documentation Updates: Alarm API Endpoints |
| Platform Administration | Metrics API | Explanation: The LogRhythm REST API now includes the Metrics API component. This enables SIEM API users to retrieve log volume and log indices TTL information from the Data Indexer. Benefit: The Metrics API allows customers to return log volume and index information when given a specified time and date to expedite workflow. Relevant Documentation Updates: Metrics API |
| Security and Reliability | Web Console | Explanation: LogRhythm implemented new CSFR token security protocols during Web Console login. Benefit: Enhanced security in Web Console. Relevant Documentation Updates: N/A |
Improvements
- LogRhythm updated Node.js to version 17.7.2 for the Web Console UI and API Gateway, and version 16.14.0 for the True Identity Sync Client (TISC).
Deprecated Features
LogRhythm 7.8 was the last published version of the SOAP API. LogRhythm is deprecating the SOAP API in favor of more effective and sustainable integration through RESTful APIs. While the SOAP API is still usable in 7.9, we encourage customers and partners using the SOAP API to migrate their integrations to REST APIs. For more information on REST integration, see our REST API documentation.
Resolved Issues
| Bug # | Ticket # | Component | Description |
|---|---|---|---|
| DE10313 | 375644, 361311, 342465, 370475, 386903, 387430, 388696, 390743, 390909, 390242, 423994, 394392, 395676, 400836, 420977, 443424 | AI Engine | AIE Unique Value Rules no longer misfire. |
| DE15530 | N/A | AI Engine | The AI Engine now successfully processes rules even if there is a high event rate. |
| DE14535 | 434663 | APIs | The Alarm API no longer experiences delays when processing queries using the default configuration settings. |
| DE15699 | 442916 | APIs | The Alarm API "Get Events by alarmid" response now correctly returns the origin and impacted host name. |
| DE15757 | 443327, 446262 | APIs | The Search API no longer experiences SQL-related connection issues when executing endpoints. |
| DE14135 | 431553, 431855, 433193, 440085, 440826, 449771 | Client Console | Changes to LDS Receiver syslog ports are now correctly saved. |
| DE15358 | 441361, 439108 | Client Console | Running the "API - Office 365 Message Tracking" LogMart investigation in the client console no longer produces an error. |
| DE12608 | 415307, 420234 | Client Console: Agents | Searching System Monitor Agent Properties log sources now correctly returns all log sources from the current agent. |
| DE12581 | 414797, 416678, 419401, 431664, 434279 | Client Console: Log Sources | Users can now correctly filter out the retired log sources when filtering by Log Source Type. |
| DE12212 | 423003 | Client Console: User | Restricted Admin accounts created by other Restricted Admin accounts now have the correct permissions. |
| DE11342 | 393176, 407121 | Data Indexer | Drill downs on AIE rules now function correctly regardless of the filter criteria. |
| DE15053 | 439238 | Data Indexer | Investigations using the "Host List" type with IP Range values are now executed correctly. |
| DE15650 | 411653, 415039, 445170 | Infrastructure: Database Scripts & Upgrade Scripts | CMDB and LogMart databases can now be backed up in Disaster Recovery deployments. |
| DE13779 | 421468 | Job Manager: Scheduled Reporting | Job Manager reports are no longer skipped in certain circumstances when multiple reports are scheduled. |
| DE13453 | 418253, 424344 | Mediator | SNMP Trap, sFlow, and Netflow collection is now permitted with a System Monitor Collector license. |
| DE14792 | N/A | Mediator | The Mediator no longer attempts to connect to ports that have been removed. |
| DE14851 | 436667 | Mediator | SSL warnings no longer appear in the Mediator logs in certain situations after restarting the service. |
| DE1039 | 369152 | Web Console | Older log files are now routinely cleared out from the Windows Auth Service and SQL Service. |
| DE11663 | 406403, 406587, 412875, 418654, 412776, 426312, 433452 | Web Console: Case Management | Clicking Case Evidence logs now correctly opens an Analyze page showing the logs selected. |
| DE15617 | 446045 | Web Console: Lucene Helper | Autosuggest values are now correctly selected by clicking as well as the Enter key in the Lucene Filter. |
| DE15058 | 437267, 438827 | Web Console: Reports | The Web Console no longer produces an error in certain situations when generating a report with over 1,000 log source items. |
| DE11124 | 394474, 403654 | Web Console UI | Links sent in Case and Alarm notification emails now correctly redirect to port 443 instead of 8443. |
| DE12836 | 404593, 413007, 418078, 420857, 435880 | Web Console UI | Search and drill down operations in the Web Console now correctly complete or display an error as soon as the result is available. |
Resolved Issues - Security
Security-related issues resolved with this release are available for customers to view on the Community.
Known Issues
The following issues have each been found and reported by multiple users.
Bug # | Found In Version | Components | Description | Release Notes |
|---|---|---|---|---|
| DE1871 | 7.3.3 | AI Engine | Under conditions of load, AI Engine Rules that are written incorrectly can cause significant issues throughout the entire AIE server. | Expected Results: Poorly written AIE Rules should be suspended until they are altered and re-enabled. Workaround: Rewrite the AIE Rule for better performance. Often, this involves adding filters, reducing log sources, and modifying the logic. Tuning an AIE Rule requires expertise, so contact LogRhythm Training, Professional Services, or a Sales Engineer to assist if necessary. Additional solutions to identify and monitor poorly performing rules are being developed for a future release. |
| DE1759 | 7.3.4 | AI Engine | When the AIE service starts up, errors are generated multiple times in the AIE Engine log. | Expected Results: These errors should not be generated in the AIE Engine log, but AIE is working and alarms are firing. Workaround: There is currently no workaround for this issue. |
| DE1606 | 7.3.5 | AI Engine | When an AIE Rule with two rule blocks has an evaluation period of 0 seconds, the rule does not trigger as expected. | Expected Results: AIE Rule Blocks should fire when they are triggered at the same time. Workaround: As the behavior of simultaneous events is unpredictable and the use case for a 0-time interval is rare, LogRhythm does not plan to change this behavior at this time. To avoid the issue, set the evaluation period to 1 second. |
| DE1324 | 7.4.3 | AI Engine | In certain circumstances, there may be a discrepancy between the AIE event date/time and the date/time of the message(s) triggering the AIE rule, causing the AIE event to show a future date/time. | Expected Results: The date and time of the AIE Event should not have a future time. Workaround: There is no workaround for this issue. |
| DE1288 | 7.4.6 | AI Engine | When an AIE Rule uses the Host (Impacted) or Host (Origin) in the Group By block, the rule misfires. | Expected Results: AIE Rules should not fire if the rule block relationship is not met. Workaround: Change the Host (origin) or Host (impacted) fields to IP Address, and the AIE Rule works as expected. |
| DE10501 | 7.4.7 | AI Engine | The Retire logs in the C:\Program Files\LogRhythm\LogRhythm AI Engine\HostInferenceLogs directory are not being removed after the defined number of expiration days. | Expected Results: Logs in this directory should be purged after the number of days defined for expiration has passed, defaulted to 7 days. Workaround: Manually remove these files to prevent the C drive from filling up. |
| DE10301 | 7.4.8 | AI Engine | Adding an AIE rule using the UTC time zone produces an error. | Expected Results: Should be able to define an AIE rule's date and time using the UTC time zone. Workaround: There is currently no workaround for this issue. |
| DE10397 | 7.4.8 | AI Engine | In certain circumstances, when an AIE Rule is evaluating an Observed block followed by a Not Observed block, alarms fire even if there are logs that indicate the second block was Observed. | Expected Results: Alarms should not fire if a log is received for a Not Observed block. Workaround: While there is currently no workaround, LogRhythm is investigating this issue for a future release. |
| DE10946 | 7.4.9 | AI Engine | When an AIE Alarm has an action including a SmartResponse Plugin, the execution is slow. | Expected Results: Alarms should execute quickly as expected with other AIE Alarms. Workaround: There is currently no workaround for this issue. |
| DE11051 | 7.4.9 | AI Engine | In certain circumstances, the AIE Engine does not consistently trigger alarms for Log Not Observed. | Expected Results: The AIE Engine should trigger alarms for Log Not Observed. Workaround: There is currently no workaround for this issue. |
DE14530 DE14531 | 7.9.0 | AI Engine | There is no input validation for the MAC Address field in the SIEM, which means that a MAC Address could be in multiple different formats. | Expected Results: Input normalization for MAC Addresses, requiring them to be entered in the accepted format. Workaround: Use data masking rules to transform the MAC addresses to the colon delimited format. |
| DE1087 | 7.3.5 | AI Engine | AI Engine rule group changes are not reflected in the Web Console until Web Services is restarted. | Expected Results: Web Services does not need to be restarted to have a rule group change show up. Workaround: Restart Web Services. |
| DE11098 | 7.4.9 | Alarming | When using a SMTP server with SSL authentication, the Alarming and Response Manager fails to send alarm notifications. | Expected Results: The Alarming and Response Manager should able to send alarm notifications using any SMTP server and SSL authentication. Workaround: There is currently no workaround for this issue. |
| DE10937 | 7.4.10 | Alarming | If an SRP is retired, the Alarming and Response Manager (ARM) does not recognize this and could cause the C: drive to fill with errors trying to execute the SRP if the logging level on the ARM is set high. | Expected Results: The Alarming and Response Manager should be aware of a change of status of the SRPs and should not continue to attempt to execute them. Workaround: Lower the logging level on the ARM to help mitigate this, but contact LogRhythm Technical Support if assistance is needed to retire the SRP. |
| DE14950 | 7.8.0 | Alarming | When a restricted administrator runs a search on recent alarms, system alarms will not show up. However, they do in the web console. | Expected Results: Recent alarms should be visible when searching in the client console. Workaround: There is currently no workaround for this issue. |
| DE6072 | 7.3.4 | APIs | When using a 512-bit RSA-signed certificate, Case API and Admin API do not start due to an incomplete implementation of TLS 1.2. This typically happens when a GPO pushes the certificate to the server. | Expected Results: Case API and Admin API should start when using any size certificate. Workaround: Remove the server from the domain and reboot it. Verify that the 512-bit certificate has been removed, re-run the installers, and reboot. To avoid this issue, do not join the domain again or the certificate will be pushed out again. In addition, create a new certificate that uses a 384-bit (or less) hash or exclude the impacted system from the GPO that pushes the certificate. |
| DE1869 | 7.4.7 | APIs | In certain circumstances the Admin API log generates multiple invalid argument errors without providing context. | Expected Results: When the Admin API log generates errors, it should provide some context within the error message. Workaround: There is currently no workaround for this issue. |
| DE10200 | 7.4.9 | APIs | PowerShell scripts utilizing the Case and Admin APIs may stop working upon upgrade to 7.4.9 or later. This is due to an additional semicolon at the end of the valid content-type value. | Expected Results: The extra semicolon, which is an optional valid separator in a content-type header, should not prevent scripts from working upon upgrade. Workaround: While there is currently no workaround, LogRhythm is investigating this issue for a future release. |
| DE13070 | 7.7.0 | APIs | Changing Log Levels via the Configuration Manager for the Web Services does not change the Log Level for the 'LogRhythm Admin API.log', which means the request and responses being made to the platform can't be seen. | Expected Results: The Log Level should be changed by updating the Log Level in Configuration Manager. Workaround: There is currently no workaround for this issue. |
| DE7632 | 7.1.3 | Client Console | Entities cannot be deleted from within the Client Console. | Expected Results: Entities should be retireable and able to be hidden from view. Workaround: Contact Technical Support to assist you in removing entities that are no longer needed. |
| DE7612 | 7.1.7 | Client Console | Reports exported to .csv format are not formatted correctly. The headers are duplicated in each row as name/value pairs. | Expected Results: When exporting reports in .csv format, the column headers should not be repeated on each row. Workaround: The report needs to be formatted to remove columns that show the column headers. In addition, LogRhythm data can be exported using Log Distribution Services (LDS). |
| DE1829 | 7.3.3 | Client Console | There may be inconsistencies in the way a log parses through MPE processing and within the MPE Rule Builder. A log that parses without issue in the Rule Builder may not parse when run through MPE processing. This could be caused by rule match timeouts. | Expected Results: The processing of a log should be the same whether it is parsed in Rule Builder or MPE. Workaround: Change the sub-rule to use a different tag, such as <Tag1>. If you are experiencing this issue, ensure that you are not using a custom Log Processing Policy and that there are no MPE timeouts. If issues persist, contact Technical Support and reference this bug number (DE1829) or its sister defect (DE1651). |
| DE3195 | 7.3.4 | Client Console | When running a search in either the Client or Web Console, users see an error: Error fetching data - Gateway timeout. | Expected Results: When a search times out, a message should inform users and instruct them to re-run the search with a longer timeout. Workaround: Increase the timeout on the query and re-run it. |
| DE5185 | 7.3.4 | Client Console | The Network (Impacted) field does not display on reports where it is included as a column, even though data appears in that field. | Expected Results: All chosen fields should appear on the report if they contain data. Workaround: Running the report as an investigation yields the expected results in the Network (Impacted) column. LogRhythm is actively working on a solution to this issue in a future release. |
| DE4049 | 7.4.6 | Client Console | When running a report that contains User Origin Identity or User Impacted Identity fields, the report runs and provides data, but the Identity fields are not populated. | Expected Results: Identity data should appear in reports that contain those fields. Workaround: Run an investigation to provide the same information. |
| DE3932 | 7.4.7 | Client Console | After disabling Log Source Virtualization for a log source, users are unable to perform certain tasks on the System Monitor from which the log source is collected. | Expected Results: Disabling Log Source Virtualization should not change the behavior of the System Monitor. Workaround: This issue is caused by the scsm.ini file not being updated immediately. To work around it, refresh the Log Sources tab in the Client Console to force the .ini file to refresh. |
| DE3839 | 7.4.8 | Client Console | In certain circumstances after running a Second Look restore, an error appears stating there is an issue with the Min and Max Ticks. | Expected Results: Second Look restore should run without issues. Workaround: There is currently no workaround for this issue. |
| DE10678 | 7.4.8 | Client Console | The Log Management Usage Auditing Event Detail, Event List, and Logon & Logoff Events reports are rendering in UTC date/time format instead of the local time. | Expected Results: Reports should all display in the local time zone or that specified in the report configuration. Workaround: There is currently no workaround for this issue. |
| DE10621 | 7.4.9 | Client Console | When an existing report template that includes the Normal Date field is edited, the Normal Date field disappears from the template until it is added again. | Expected Results: When editing a report template, existing fields should remain unless they are explicitly removed. Workaround: When editing a report template that contains the Normal Date field, add that field back to the template prior to saving it. |
| DE11798 | 7.4.10 | Client Console | When exporting a large number of logs using the Send all Logs option from the Log Viewer in Client Console, the Console freezes. | Expected Results: The Console should not freeze when exporting logs. Workaround: Export selected logs instead of all logs to allow the export to complete. |
| DE11499 | 7.5.1 | Client Console | When DNStoIP is enabled on the Data Processor and the DNS name doesn't have a host record, the host field shows only the IP address without the host name. This impacts only the Client Console and is displayed correctly in the Web Console. | Expected Results: The hostname should be displayed the same for both Web and Client Consoles. Workaround: View the record in the Web Console. |
| DE11056 | 7.6.0 | Client Console | When investigating results in the Client Console, the Unconfigured TopX configuration menu does not appear upon right-click. | Expected Results: When right-clicking the Unconfigured TopX section in the investigation results, a menu appears to allow for configuration of results. Workaround: Utilize the Web Console to view results in a widget-type format. |
| DE12893 | 7.6.0 | Client Console | Active Directory users that are linked to User Profiles may not be updated after moving the user to a different Active Directory group. | Expected Results: Users that are moved between Active Directory groups should update upon the move. Workaround: There is no workaround for this issue other than manually updating the profiles. |
| DE12510 | 7.7.0 | Client Console | When importing a new SmartResponse Plugin to the Client Console, permissions have to be explicitly granted to the user account that imported the plugin. | Expected Results: The user importing the SmartResponse Plugin should have permissions granted automatically. Workaround: Go into the User Profile Manager and grant access to the newly imported SmartResponse Plugin. |
| DE13422 | 7.7.0 | Client Console | The entity delete functionality is very fragile, often failing with a generic error. | Expected Results: The entity delete functionality works without any issues. Workaround: There is currently no workaround for this issue. |
| DE11717 | 7.4.0 | Client Console | When the Knowledge Base is synced, customized Log Source Type settings in the Windows Host Wizard revert to default. | Expected Results: When custom settings are selected, they should persist through a Knowledge Base update. Workaround: Reselect the Log Source Type settings prior to doing a Windows Host Wizard scan. |
| DE10628 | 7.4.8 | Client Console | Duplicate Active Directory groups and users are being created because OU filters are not being used when scanning domains. | Expected Results: No duplicate entries should be created. Workaround: There is currently no workaround for this issue. |
DE12489 | 7.4.9 | Common Components | In rare circumstances, Alarms may not be available in the Web Console or will stop triggering. Typically, this occurs directly after a configuration change to the ARM service. | Expected Results: Alarms should continue to trigger and be displayed in the Web Console. Workaround: Contact Technical Support for assistance, as there could be many reasons for this behavior beyond this defect. Support will help determine the root cause. |
| DE10768 | 7.4.9 | Common Components | In certain circumstances, the Data Processor runs slowly and the non-paged pool uses significant system memory. This can cause a large unprocessed logs queue or other backlog in the system. | Expected Results: The non-paged pool should not increase and cause system performance issues. Workaround: Restart the LogRhythm API Gateway service. |
| DE10569 | 7.4.10 | Common Components | In certain circumstances, when the Platform Manager reboots, the Data Processor and Data Indexer are not able to connect to consul and logs may not be indexed. | Expected Results: The Data Processor and Data Indexer should connect to Service Registry after a reboot of the Platform Manager. Workaround: Manually restart the API Gateway and Service Registry services on the Data Indexer and Data Processor after a reboot of the Platform Manager. |
| DE11733 | 7.6.0 | Common Components | When running the LogRhythm Infrastructure Installer (LRII), you may receive the error: No plan file found in LogRhythm Service Registry KV store. This is caused by the plan file not fully updating into the Consul KV store, and only happens in certain environments. | Expected Results: LRII should be able to run multiple times without affecting the plan file. Workaround: For assistance with this issue, contact LogRhythm Technical Support. |
| DE12153 | 7.6.0 | Common Components | In some cases after a Data Indexer install, the Service Registry may not be able to communicate with the Platform Manager, causing alarms and errors in the Service Registry log. | Expected Results: Communication to the Platform Manager should be maintained after an install. Workaround: Restart Service Registry on each node in the cluster after the installation is complete. |
| DE14729 | 7.6.0 | Common Components | Grafana does not categorize Mediators per cluster Log Indexing since moving to 7.6. | Expected Results: Filter should show data processor stats for only the selected cluster. Workaround: Contact LogRhythm support for a new Mediator.json file. |
| DE3385 | 7.3.2 | Data Indexer | The DX Diagnostic logs are firing too often. | Expected Results: The Diagnostic logs should be tuned to alarm less frequently. Workaround: There is currently no workaround for this issue. |
| DE2689 | 7.4.4 | Data Indexer | When the Data Indexer cluster health changes from green to yellow during EMDB list maintenance, alarms for Indexer Cluster Health Excessive Warnings are generated. This can cause concern when there is no actual issue on the system. | Expected Results: An alarm should only generate when the cluster health changes to red. Workaround: Edit the impacted alarm to suppress for 24 hours or disable that alarm. |
| DE2753 | 7.4.5 | Data Indexer | When re-running the LogRhythm Infrastructure Installer (LRII) after the initial upgrade, the LogRhythm DX - Cluster Templating Service (consul-template) may remain in a paused state and not start up. | Expected Results: All services, regardless of version, should start after an upgrade. Workaround: Re-run the Data Indexer component installer. |
| DE11822 | 7.5.0 | Data Indexer | The C:\Windows\Temp directory may become full with jtds.tmp files if the Carpenter service continually recycles. This can happen if using an SRP with List Management. | Expected Results: Temporary files should not be left on disk. Workaround: Contact Technical Support for assistance with the workaround for this issue. |
| DE11765 | 7.5.1 | Data Indexer | In certain circumstances, Elasticsearch uses more memory than the set limit, causing performance issues on the server. | Expected Results: Elasticsearch should abide by the memory limit that is set. Workaround: For a workaround, contact LogRhythm Technical Support. |
| DE11934 | 7.6.0 | Data Indexer | In certain circumstances, customers with warm node indices may experience failed searches against those indices. This is due to Columbo being unable to close certain warm indices. | Expected Results: Columbo should handle the warm node indices correctly and allow searches. Workaround: For assistance with this workaround, contact LogRhythm Technical Support. |
| DE12207 | 7.6.0.HF2 | Data Indexer | In some circumstances, installing the 7.6.0 Hotfix 2 upgrade will install a second instance of the Data Indexer. | Expected Results: The Data Indexer should be removed and re-added instead of adding a second instance. Workaround: Uninstall both versions of the Data Indexer, ensure there or no hung .msi processes in the Task Manager, then re-install the 7.6.0 Hotfix 2 version. |
| DE13150 | 7.7.0 | Data Indexer | In certain circumstances after upgrading to 7.7.0, the Carpenter service causes port exhaustion and the service must be restarted. | Expected Results: The Carpenter service should not cause port exhaustion. Workaround: Create a scheduled task to restart the Carpenter service each day. |
| DE12218 | 7.6.0 | Data Indexer | The Transporter can fail to fully start after restart at UTC midnight, causing indexing and performance issues. (This issue only impacts Linux clusters.) | Expected Results: The Transporter should continue to run after a restart signal is sent. Workaround: Restart the Transporter service. |
DE12201 DE16040 | 7.6.0 | Data Indexer | Data is being indexed in lower case, ignoring the case of the original logs. | Expected Results: Data should be stored in the format in which it was sent. Workaround: There is currently no workaround for this issue. |
| DE13480 | N/A | Data Indexer | Alarm drilldowns fail as a result of changes to daylight savings in Chile. The failure is temporary and only lasts a few hours. | Expected Results: Searching should work. Workaround: Either wait for the issue to naturally pass or manually adjust system clocks. |
| DE14719 | 7.6.0 | Data Indexer | In a deployment with DX7500 (2XDX), bulldozer reports the error message "Configuration of elasticsearch topology differs from active elasticsearch topology". | Expected Results: Bulldozer should handle 2XDX nodes correctly. Workaround: There is currently no workaround for this issue. |
| DE15289 | N/A | Infrastructure | Weekday maintenance is taking much longer than expected. | Expected Results: The weekday maintenance task should perform in a reasonable amount of time. Workaround: There is currently no workaround for this issue. |
DE260 DE9367 | 7.4.7 | Installation Components | In certain circumstances, customers may receive an alarm for a missed heartbeat on the AI Engine. This can stem from a deadlock on resources in SQL. | Expected Results: SQL deadlock issues should not cause a missed heartbeat. Workaround: While there is no known workaround, LogRhythm is actively investigating this issue for a solution. |
| DE15601 | 7.9.0 | Installation Components | DR SQL transaction logs are filling the L: drive when unable to sync to secondary nodes. | Expected Results: Transaction logs should be truncated by frequent scheduled backups throughout the day. Workaround: There is currently no workaround for this issue. |
| DE9995 | 7.4.6 | Job Manager | Scheduled reports are sent to a disabled account if an email is attached to the disabled account. | Expected Results: Scheduled reports should not be sent to disabled accounts. Workaround: There is currently no workaround for this issue. |
| DE1013 | 7.4.7 | Job Manager | Reports are not completing when a large set of data is required. This is due to a limitation within Crystal Reports. | Expected Results: The Client Console should provide an alternate way to retrieve the data if Crystal Reports is not able to render it. Workaround: Decrease the amount of data the report is trying to retrieve or export the data instead. |
| DE10013 | 7.4.7 | Job Manager | When running a report against the Data Processor data source with a time period that contains only warm indices, the report returns no data. | Expected Results: Searching against warm indices should return results whether the results are in hot or warm nodes. Workaround: Contact Technical Support for assistance with this workaround. |
| DE11701 | 7.4.10 | Job Manager | When exporting reports as .csv files, there are duplications of headers and footers that cause the report to be much larger in size than when run in the Console. | Expected Results: Exported reports should not duplicate header and footer lines. Workaround: Export the report in another format or remove the extra lines from the .csv. |
| DE11892 | 7.6.0 | Job Manager | When re-enabling a disabled Active Directory user, the user's LogRhythm login is not re-enabled. | Expected Results: When a disabled user is re-enabled, the user's login should also be enabled during the next AD Synchronization. Workaround: Manually enable the user's login after the AD sync. |
| DE1879 | 2.4 | LogRhythm Diagnostics Tool | The LogRhythm Diagnostics Report shows the last backup information incorrectly. | Expected Results: The report should show the accurate last backup time for each database. Workaround: Review the backup information in SQL Server Management Studio. |
| DE1968 | 7.2.5 | Mediator | Processing of Archive .bin files is sometimes delayed during heavy load and can back up at the Mediator, filling the hard drive. | Expected Results: Archives should process, seal, and move out of the Unprocessed Archives folder as long as the processing rate is at or below the system specification. Workaround: Evaluate system sizing and consider an expansion to meet active load demands. In some systems, increasing the ArchiveSize setting in the Data Processor Advanced Properties to 51200 (from the default value of 10240) can help process archive files faster. If necessary, move large files out of the Unprocessed Archives folder to another drive and slowly feed them back in when the system is successfully processing the live data. A more permanent solution to this issue will be provided in a future release. |
| DE1640 | 7.3.5 | Mediator | The AIE Data Provider service does not start up correctly unless the Mediator service is also stopped and restarted. Because logging is inconsistent, users may not know that the service has failed to start properly. | Expected Results: The AIE Data Provider service should start consistently and as expected. Failures should be consistently logged to alert when the service did not start correctly. Workaround: Restart the Mediator service to allow the AIE Data Provider service to start. A more permanent solution to this issue is being evaluated for a future release. |
| DE10182 | 7.4.10 | Mediator | If the network share that is used to store Inactive Archives becomes unavailable, the Mediator goes into a suspended state. | Expected Results: The Mediator continues to process and move archive files to inactive when the connection is restored. Workaround: Ensure that the account the Mediator service is running has permission to access the network location. |
| DE13301 | 7.4.10 | Mediator | In certain circumstances when Entity Archive settings are turned on, customers may receive the following error: **ERROR** Failed to locate or create inactive subdirectory: The given key was not present in the dictionary.. Inactive archive files will be temporarily stored at the root of the system drive (C:\ in most cases). This error must be corrected in order for inactive archives to be stored at the specified location. | Expected Results: Entity archiving should function without errors. Workaround: There is currently no workaround for this issue. |
| DE11496 | 7.5.1 | Mediator | In certain circumstances, the Mediator will attempt to seal the same archive file twice. This causes errors in the scmedsvr.log file. | Expected results: The Mediator should only attempt to seal the archive file once. Workaround: There is no workaround for this issue. |
| DE15089 | 7.9.0 | Metrics Collection | Telemetry metrics parsing errors from Datadog are present in the metrics collection file. | Expected Results: Datadog's telemetry metrics parsing errors should not be present in the metrics collection file. Workaround: There is currently no workaround for this issue. |
| DE11101 | 7.4.10 | Smart Response Plugin | In certain circumstances, a SmartResponse action may fail to execute with an error: No System Monitor Associated with execution target. | Expected Results: The SmartResponse Plugin should execute after selecting the System Monitor Agent. Workaround: There is currently no workaround for this issue. |
| DE12597 | 7.5.0 | Smart Response Plugin | When grouping two values in a SmartResponse Plugin, users receive an error that they do not have access to the Config file. | Expected Results: Grouping values in SmartResponse Plugins should be allowed. Workaround: There is no workaround for this issue. |
| DE11820 | 7.6.0 | Smart Response Plugin | When utilizing multiple SmartResponse Plugins as part of the actions for an AIE Rule, inconsistent results may occur. | Expected Results: SmartResponse Plugins should fire each time the AIE Rule is triggered. Workaround: There is no workaround for this issue. |
| DE10867 | 1.2.0.10 | TrueIdentity Sync Client | The TrueIdentity Sync Client will not connect to the Microsoft Active Directory LDAP server on port 636 using LDAP. | Expected Results: The TrueIdentity Sync Client should be able to connect using LDAP via port 636. Workaround: Use port 389 instead and ensure the proper certificates are in place for security. |
| DE5312 | 7.4.3 | TrueIdentity Sync Client | The OU/DC filter in the TrueIdentity Sync Client does not allow white space. | Expected Results: White space should be allowed in the OU/DC filter. Workaround: While there is no workaround for this issue, LogRhythm is investigating a resolution for a future release. |
| DE39 | 7.4.5 | TrueIdentity Sync Client | The TrueIdentity Sync may fail if attempting to run with a large number of users (greater than approximately 10,000). | Expected Results: The TrueIdentity Sync Client should work for any number of users. Workaround: While there is no workaround for this issue, the next release of the Sync Client will be able to support larger AD environments. |
| DE1334 | 7.3.3 | Web Console | Customers who have integrated NetMon into the Web Console may encounter a condition where the PCAP has aged out, but the user interface indicates that it is still available. Attempting to download the PCAP results in an unclassified failure message. | Expected Results: When users try to download a PCAP that is no longer available on disk, the error message should provide that detail instead of an unclassified failure. Workaround: The error message will be changed in a future release. There are two simple troubleshooting steps to identify if the PCAP exists or if other issues are occurring in the integration: Log in to NetMon directly and verify if the selected PCAP has already aged out or should be available on disk. Recreate the API key for the selected NetMon and update the NetMon configuration in the Deployment Manager. |
| DE1238 | 7.4.2 | Web Console | When copying a Top X widget to another dashboard, all configuration is lost after saving and refreshing the target dashboard. | Expected Results: When copying widgets, all settings should remain. Workaround: Users can add a new widget to the dashboard and configure it manually to work around this issue. This issue is still being actively investigated and will be resolved in a future release. |
| DE7263 | 7.4.2 | Web Console | When exporting the results of an Investigation to .csv from the Web Console Analyzer Grid, the date values in the first and last rows are exported as UNIX-formatted large integers rather than simple dates. | Expected Results: All data contained in the .csv export should be valid and match the data displayed in the Web Console. Workaround: Export the same investigation from the Client Console or manually adjust the first and last date post export. LogRhythm is investigating a solution to this issue. |
| DE514 | 7.4.3 | Web Console | When viewing TrueIdentity records in the Web Console, 1,000 records are shown at once. Scrolling past that initial 1,000 records produces the error message: Failed to fetch Identities: Bad Request. | Expected Results: Users should be able to scroll through all TrueIdentity records in the Web Console. Workaround: Using filters to find specific data in the TrueIdentity page prevents the error message from showing and helps find data more quickly. LogRhythm is working on a resolution for a future release. |
| DE1198 | 7.4.6 | Web Console | When downloading large NetMon PCAPs from the Web Console, there may be delays to the initial download, increased memory usage, or timeouts. | Expected Results: The Web Console should not time out when downloading large PCAP files. Workaround: Change the time out setting in the Configuration Manager. |
| DE10403 | 7.4.9 | Web Console | The Web Console Current Processing Rate widget does not show the correct processing rate. It does not include messages older than 3 minutes in the rate determined. | Expected Results: The Current Processing Rate widget should show all logs being processed. Workaround: Resolve any log source issues that are causing old logs to be ingested, or use Grafana or Performance Counters to check the current processing rate. |
| DE10442 | 7.4.9 | Web Console | When viewing NetMon logs in the Web Console using Internet Explorer, the Download PCAP button does not appear. | Expected Results: The Download PCAP button should appear when reviewing NetMon logs. Workaround: Reload the frame with the Download PCAP button to activate it. |
| DE11463 | 7.6.0 | Web Console | When the browser window is zoomed out, the Node-Link Graph on the Web Console dashboards may display an error Failed to establish logs subscription with the Web Console API. This is not related to the zoom functionality within the Node-Link Graph itself. | Expected Results: The Node-Link Graph should function regardless of the browser zoom level. Workaround: Return the browser to 100% zoom and refresh the Web Console. |
| DE11863 | 7.6.0 | Web Console | When running AIE Events drill down from an AIE events dashboard, the Analyze Dashboard filter does not reset properly. | Expected Results: The Analyze Dashboard filter should reset. Workaround: In User Settings set the Drilldown setting to Open in Page. |
| DE11929 | 7.6.0 | Web Console | When using a Direction filter in the Web Console dashboard and drilling into any of the TopX widgets, the data shown in the Analyzer Grid contains logs that do not match the dashboard filter. | Expected Results: Drilling into data on a dashboard should not change the dashboard filter criteria. Workaround: Reapply the dashboard filter. |
| DE12003 | 7.6.0 | Web Console | When drilling into widget items, previous filter options are being used. | Expected Results: After closing a previous drilldown tab, the next drill down into a widget item should not show the older filters. Workaround: After drilling in a filter, refresh the web page. The next drill down into a widget item uses the correct filter. |
| DE12521 | 7.6.0 | Web Console | When pausing live data in the Web Console, the Analyzer grid continues to update with new events. | Expected Results: The Analyzer grid should not update with new events when paused. Workaround: There is currently no workaround for this issue. |
| DE12714 | 7.6.0 | Web Console | In the Web Console, if the last selected Analyzer page dashboard has a filter, drill down results are hidden. | Expected Results: drill down results should not be hidden. Workaround: Select Default Analyze Dashboard |
| DE12908 | 7.6.0 | Web Console | Event logs are not appearing in the Web Console dashboard. | Expected Results: Event data should appear in the dashboard. Workaround: There is currently no workaround for this issue. |
| DE13079 | 7.6.0 | Web Console | When running a search or drill down in the Web Console, the operation does not return results or terminate as intended. | Expected Results: The search and drill down operations should return results upon completion or terminate. Workaround: Reload the page. |
| DE12544 | 7.7.0 | Web Console | The Timeline View widget is periodically displaying no results. | Expected Results: The Timeline View widget works as normal. Workaround: There is currently no workaround for this issue. |
| DE12624 | 7.7.0 | Web Console | When using the Check Visible option in Alarms after upgrading to 7.7.0, the checked count does not reset properly. | Expected Results: The checked count should reset. Workaround: After performing an action, select the Uncheck All option to reset the checked count. |
| DE13128 | 7.7.0 | Web Console | When running a search or drill down in the Web Console, the operation does not return results or terminate as intended. | Expected Results: The search and drill down operations should return results upon completion or terminate. Workaround: Reload the page. |
| DE12852 | 7.5.0 | Web Console | Searching the Log Message field for a term containing a hyphen breaks the search into parts rather than searching for the full term as an exact match. | Expected Results: Searching for terms should yield results for exact matches and not 'AND' the words separated by hyphens. Workaround: There is currently no workaround for this issue. |
| DE12185 | 7.5.0 | Web Console | Lucene widget filtering is applied globally to the entire opened dashboard when a drilldown or time slice is initiated. | Expected Results: Lucene filtering should only apply to the widget from which it originated, Other widgets on the page will still lack the drilldown or time slice, Workaround: There is currently no workaround for this issue. |
| DE15763 | 7.9.0 | Web Console | The “Component Status” widget is not showing the component name correctly, instead it is showing as an icon. | Expected Results: Component names should be shown. Workaround: Hover over the icon to see the Component Name. |