
7.11.0 GA Release Notes - 5 January 2023

Upgrade Considerations

Upgrade considerations for all 7.11.x releases are available on the LogRhythm Release Notes main page.

LogRhythm 7.9.0 introduced support for Microsoft SQL Server 2019 and Windows Server 2019 on standard deployments. If your deployment is running SQL Server 2016 Standard or Windows Server 2016, there is no need to upgrade to 2019.

For more information on the optional upgrades, see:

New Features

Functional Group | Feature | Description

Platform Administration | Admin API

Explanation: The Admin API library now includes new log source virtualization and MPE rule management endpoints.

Benefit: The Admin API reduces administrative overhead and expedites workflow by automating routine tasks.

Relevant Documentation Updates: Administration API Endpoints

Platform Administration | Enhanced Auditing

Explanation: LogRhythm 7.11 introduces built-in auditing tables to the EMDB. The tables capture and log administrative activity, providing a historical record for auditing administrative changes.

Benefit: Customers can now audit administrative changes made to LogRhythm configurations. They can also set up alerts to closely monitor critical configurations.

Relevant Documentation Updates: Enhanced Auditing

Message Processing Engine | MPE Rule Sharing

Explanation: SIEM Admins can now use MPE Rule Builder to import MPE rules created by other users without having to make manual modifications. 

Benefit: SIEM Admins can now share and import existing MPE rules from Community and other sources.

Relevant Documentation Updates: Import and Export MPE Rules

LogRhythm Cloud | SecondLook as a Service (SLaaS for Windows)

Explanation: LR Cloud SREs can now configure SecondLook as a Windows service for LR Cloud customers. 

Benefit: LR Cloud customers can configure, save, and execute SecondLook searches from the Web Console.

Relevant Documentation Updates: SecondLook

Data Processor, LogRhythm Console | Load Balanced Agent Groups

Explanation: Customers can now assign Agents to a specific load balanced group. The Agents are no longer required to connect to the same set of Data Processors, and load balanced child log sources function correctly. Adding new load balanced log sources or Agents to a group triggers an automatic Agent configuration update. 

Benefit: Organizing load balanced agents is easier. 

Relevant Documentation Updates: Load Balanced Agent Groups

Security and Reliability | Authentication Service

Explanation: LogRhythm implemented new JWT token security protocols in Authentication Service.

Benefit: Enhanced security in Authentication Service.

Relevant Documentation Updates: N/A

Improvements

  • Added an option that allows the System Monitor Agent handles count to reset when the Mediator is restarted. For more information, see the Flat File Settings Tab table in Add a Single Log Source.

Deprecated Features

LogRhythm 7.8 was the last published version of the SOAP API. LogRhythm is deprecating the SOAP API in favor of more effective and sustainable integration through RESTful APIs. While the SOAP API is still usable in 7.9, we encourage customers and partners using the SOAP API to migrate their integrations to REST APIs. For more information on REST integration, see our REST API documentation.

Resolved Issues

Bug # | Ticket # | Component | Description

ENG-10781 (DE15454) | 440713 | APIs | Data retrieved by the Alarm API no longer presents out of order in certain situations.

ENG-11098 (DE15540) | N/A | Automatic Remediation Engine | Smart Responses will no longer time out due to the stored procedures used by the ARM.

ENG-10811 (DE16240) | 447860, 452400, 452554 | Client Console | The Log Volume Report no longer produces an error stating that values are too large in certain situations.

ENG-10923 (DE11938) | 405024, 444224 | Client Console | Collecting logs via the Windows Host Wizard no longer assigns the wrong log sources in certain situations.

ENG-10792 (DE11015) | 392225, 391496, 391011, 390671, 390442, 382674 | Infrastructure: Database Scripts & Upgrade Scripts | The SQL database auto-growth settings no longer cause performance impacts and database fragmentation in certain situations.

ENG-10807 (DE16434) | 451493 | LR Cloud | Newly-created LR Cloud users are now visible to restricted admins by default.

ENG-11084 (DE11496) | 396944, 413307, 424141, 415807, 426425, 449506, 449623, 450874 | Mediator | The Mediator now correctly only seals the archive file once.

ENG-10928 (DE12546) | 412596, 429205 | Mediator | The agent handles count now correctly resets when the Mediator is restarted.

ENG-11099 (DE14771) | 436942, 446452 | Mediator | Saving MPE rules in the development status no longer causes updates within the MPE engine and soft resets.

ENG-10853 (DE16607) | 450985 | Mediator | An error message is no longer generated in the archive.log file in certain situations.

ENG-11077 (DE11622) | 399555 | Web Console | New AD users are now granted the correct permissions when being synced into LogRhythm via the AD Group Based Authorization.

ENG-11107 (DE14649) | 434551 | Disaster Recovery | Disaster Recovery (DR) Failovers no longer fail to receive DNS updates if the DR site uses a secondary domain controller with batched replication.

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view on the Community.

Known Issues

The following issues have each been found and reported by multiple users.

Bug # | Found In Version | Components | Description | Release Notes

ENG-23205 (DE11499) | 7.5.1 | Client Console | When DNStoIP is enabled on the Data Processor and the DNS name doesn't have a host record, the host field shows only the IP address without the host name. This impacts only the Client Console and is displayed correctly in the Web Console.

Expected Results: The hostname should be displayed the same for both Web and Client Consoles. 

Workaround: View the record in the Web Console. 

ENG-11120 (DE13422) | 7.7.0 | Client Console | The entity delete functionality is very fragile, often failing with a generic error.

Expected Results: The entity delete functionality should work without any issues.

Workaround: There is currently no workaround for this issue.

ENG-11165 (DE16414) | 7.9 | Client Console | Client console search queries including the Host IP Address criteria are timing out in large databases.

Expected Results: Log source searches should be completed without performance issues.

Workaround: There is currently no workaround for this issue.

ENG-22882 (DE10768) | 7.4.9 | Common Components | In certain circumstances, the Data Processor runs slowly and the non-paged pool uses significant system memory. This can cause a large unprocessed logs queue or other backlog in the system.

Expected Results: The non-paged pool should not increase and cause system performance issues. 

Workaround: Restart the LogRhythm API Gateway service.

ENG-11108 (DE12153) | 7.6.0 | Common Components | In some cases after a Data Indexer install, the Service Registry may not be able to communicate with the Platform Manager, causing alarms and errors in the Service Registry log.

Expected Results: Communication to the Platform Manager should be maintained after an install. 

Workaround: Restart Service Registry on each node in the cluster after the installation is complete. 

ENG-22881 (DE12218) | 7.6.0 | Data Indexer | The Transporter can fail to fully start after restart at UTC midnight, causing indexing and performance issues. (This issue only impacts Linux clusters.)

Expected Results: The Transporter should continue to run after a restart signal is sent.

Workaround: Restart the Transporter service.

ENG-11175 (DE16040) | 7.6.0 | Data Indexer | Data is being indexed in lower case, ignoring the case of the original logs.

Expected Results: Data should be stored in the format in which it was sent.

Workaround: There is currently no workaround for this issue.

ENG-22862 (DE13480) | N/A | Data Indexer | Alarm drilldowns fail as a result of changes to daylight savings in Chile. The failure is temporary and only lasts a few hours.

Expected Results: Searching should work. 

Workaround: Either wait for the issue to naturally pass or manually adjust system clocks. 

ENG-11150 (DE15289) | N/A | Infrastructure | Weekday maintenance is taking much longer than expected.

Expected Results: The weekday maintenance task should perform in a reasonable amount of time.

Workaround: There is currently no workaround for this issue.

ENG-11173 (DE15601) | 7.9.0 | Installation Components | DR SQL transaction logs are filling the L: drive when unable to sync to secondary nodes.

Expected Results: Transaction logs should be truncated by frequent scheduled backups throughout the day.

Workaround: There is currently no workaround for this issue.

ENG-11142 (DE15089) | 7.9.0 | Metrics Collection | Telemetry metrics parsing errors from Datadog are present in the metrics collection file.

Expected Results: Datadog's telemetry metrics parsing errors should not be present in the metrics collection file.

Workaround: There is currently no workaround for this issue.

ENG-22873 (DE12714) | 7.6.0 | Web Console | In the Web Console, if the last selected Analyzer page dashboard has a filter, drill down results are hidden.

Expected Results: Drill down results should not be hidden.

Workaround: Select Default Analyze Dashboard.

ENG-11135 (DE13128) | 7.7.0 | Web Console | When running a search or drill down in the Web Console, the operation does not return results or terminate as intended.

Expected Results: The search and drill down operations should return results upon completion or terminate. 

Workaround: Reload the page. 

ENG-11134 (DE13442) | 7.7.0 | Web Console | In some cases the Web Console services will not get the updated EMDB IP and will continually fail to connect to SQL until it is manually restarted.

Expected Results: Services should restart or recheck the EMDB IP in service registry if it cannot connect to SQL server.

Workaround: Restart Service Registry and SQL services.

ENG-22863 (DE14276) | 7.7.0 | Web Console | When using a Lucene filter in a Web Console widget, users are unable to filter widget time ranges for originUser.

Expected Results: The Lucene filter should be able to filter time ranges.

Workaround: Remove the time filter from the widget to show all data.

ENG-11166 (DE15763) | 7.9.0 | Web Console | The “Component Status” widget is not showing the component name correctly; instead, it is showing as an icon.

Expected Results: Component names should be shown.

Workaround: Hover over the icon to see the Component Name.
