7.14.0 GA Release Notes - 2 October 2023
Introducing LogRhythm SIEM 7.14! In this version, we introduce Open Collector and Beat management within the Web Console along with many other great features. LogRhythm is focused on making log collection easy. In this version, we start by streamlining the Open Collector and Beat log sources. With streamlined onboarding workflows and under-the-hood product enhancements, you can focus less on SIEM administration and more on security.
Key Highlights
Maintenance
Open Collector and Beat Management in Web Console
LogRhythm Administrators want an easy and streamlined workflow to onboard and manage Open Collector. LogRhythm SIEM 7.14 brings this functionality to the Web Console! Integrate Open Collector with the SIEM and use the Web Console to deploy Beats and collect their log sources.
With this complete workflow all contained within the Web Console, security teams can now focus more on security and less on configuration. In this release the following Beats can be on-boarded and managed directly within the Web Console, cutting administration time in half.
AWS S3
Azure Event Hub
Carbon Black Cloud
Cisco AMP
Duo Authentication Security
Kafka
Microsoft Graph API
Prisma Cloud
Proofpoint
PubSub
Symantec WSS
LogRhythm SIEM 7.14 makes it easy to collect from cloud log sources with the new workflow and management all contained in the web console.
Open Collector and Beat Management in the Admin API
With new features, come new REST API endpoints! LogRhythm 7.14 further extends the automation capabilities of the Admin API so that you can programmatically:
Manage Beats
Manage Open Collector
Manage DP Pooling
Add Log Source and Agent parameters
New to the API and wondering how to get started? Learn more about the Community!
Resource Center
The LogRhythm SIEM’s new Resource Center offers Analysts quick access to important LogRhythm resources like Community, Documentation and Support. Additionally, the Onboarding section gives new users in-app tutorials to help them get comfortable with the LogRhythm Web Console. And finally, the Announcements section will be introduced in the Resource Center so customers are aware of the latest updates and critical information from LogRhythm.
The example guide teaches users how to use LogRhythm SIEM without having to leave the Web Console.
Send Logs to Axon from the System Monitor Agent
As LogRhythm Axon’s popularity increases, we want to make migration easier for customers switching to Axon. LogRhythm SIEM 7.14 gives users the power to forward a copy of their logs to Axon. Customers can easily do a proof of concept in Axon while still maintaining their current LogRhythm SIEM deployment. For customers who choose to migrate to Axon, onboarding to the new platform will be a smooth transition. While Axon has its own Agent, this speeds up the ability to get logs into Axon by sending logs to both the Data Processor and Axon. Previously only available in limited situations, now all customers can leverage both platforms!
The Axon Settings tab of the System Monitor Agent Properties makes it easy to start forwarding logs to your Axon tenant.
LogRhythm Cloud (LRC) Deployment Statistics
With the introduction of the Deployment Statistics, LogRhythm Cloud customers can now get more insight on their deployment. Quickly access important information such as current MPS, average log size, and details regarding archives (if applicable).
Enhancements & Resolved Issues
Bug # | Component | Description |
|---|---|---|
ENG-41695 | Active Directory | After upgrading to version 7.13, users no longer see AD sync errors or duplicate users in the People tab. Also, there are no error messages or warnings in the Job Manager log. |
ENG-42830 | Admin API | When using the Admin API, the isSilentLogSourceEnabled value is now set according to the input parameter value in the API request. |
ENG-40026 | Agents | When SSLStream cannot send logs to the Mediator, the Agent does not show the sent message in the log. |
ENG-40728 | Agents: Office 365 Log Collection | Office 365 log collection no longer stops even when volume is reduced. |
ENG-41720 | Agents: UDP Syslog Log Collection | After updating to version 7.14, customers can override the ReceiveBuffer Limit to prevent data loss and log drop issues for UDP Syslog log collection. |
ENG-25247 | AI Engine: Communication Manager | When the AI Engine Communication Manager starts, it can now connect to the EMDB and configure the file successfully. |
ENG-30203 | AI Engine | Connecting to the AI Engine Communication Manager enables the AI Engine Data Provider to store data in the suspended state of the LogRhythm Mediator Server until the Data Provider is restarted. Even if the initial connection between the AIE Data Provider and the AIE Communication Manager is lost due to network problems, the data will be saved and reconnected. |
ENG-30391 | AI Engine | AIE alarms that are triggered by any log source Entity now display the correct Entity name. |
ENG-33005 | AI Engine | The AI Engine now starts after a rule update as expected. |
ENG-39736 | AI Engine: MPE Rules | When opening or creating sub-rules, the MPE rule is no longer automatically saved. This allows users to complete multiple sub-rule changes before saving the MPE rule and causing the Mediator Service to restart. (Applies to 7.14 release only.) |
ENG-22946 | Alarm API | When using the Alarms API, the alarms results now respect the query request direction (ascending or descending order options). |
ENG-25680 | Alarm API | When using wildcard or pattern-matching filters in the Alarm API, alarm results are now displayed as expected. |
ENG-32809 | Alarm API | When using the Alarm API Endpoint Get: lr-alarm-api/alarms, Alarm API no longer returns duplicate alarms. |
ENG-22882 | APIs | The API Gateway no longer causes the non-paged pool memory to increase when it does not receive a response from an endpoint, and the Data Processor now performs as expected without a backlog. |
ENG-30864 | Client Console: Log Sources | When LR Enhanced Audit files are used to execute the LR_sqlaudit_create_leastprivuser.sql script, the AIERruleToEngine UDLA log source is now set without any issues. |
ENG-38703 | Client Console | When using the Client Console, the Syslog timestamp UTC offset calculation is now correct. |
ENG-38371 | Client Console: Agents | The recommended value and default value for OriginalMessage are now set to True for an Agent in the Advanced Properties of the Client Console. |
ENG-42809 | Client Console: User Profile Manager | Changes can now be applied to all users in the User Profile Manager of the Client Console. |
ENG-38564 | Common Components | Common components now automatically recover and function as expected after network outage. |
ENG-37278 | Database Upgrade Tool | When using the Database Upgrade Tool update from 7.10 to 7.12, the user no longer receives errors and the DB upgrade works properly despite the dashboard changes. |
ENG-22881 | Data Indexer: Transporter | Transporter now fully starts after receiving service restart command at UTC midnight. |
ENG-47326 | Data Indexer: Transporter | The Transporter no longer fails to index when a field is larger than the maximum length allowed. With 7.14 release, users can now change the MaxLuceneStringLength parameter. (Default = 32700, Min = 30000, Max = 32767) |
ENG-33067 | Data Processor | Added a new TTL setting that allows customers to stop archiving old logs that are older than the TTL time period. |
ENG-11125 | Documentation | Reference Architecture documentation has been updated to include relevant information. |
ENG-48514 | Documentation | Removed host URL links from API documentation because information on endpoints is now published on docs.logrhythm.com. |
ENG-30183 | Infrastructure: Database Scripts and Upgrade Scripts | When running database script, cluster creation now occurs in order as IP addresses become available. |
ENG-11173 | Installation Components | DR SQL transaction logs no longer fill the L: drive when unable to sync to secondary nodes. |
ENG-24714 | Job Manager | When using Gmail’s SMTP server with SSL enabled, the Job Manager now sends scheduled reports as expected. |
ENG-41949 | Job Manager | After using the Job Manager to sync the Active Directory, new AD users that were created in the People tab from the Group configured in Profile Manager are now displayed correctly. |
ENG-11142 | Metrics Collection Service | The metrics collection file no longer contains telemetric parsing errors from Datadog. |
ENG-41117 | LR Cloud: Enhanced Auditing | Shadow tables are no longer dropped and recreated during upgrade. |
ENG-31744 | Open Collector/Beats | The User Principal Name field is now parsed from Azure Defender logs. |
ENG-27104 | Threat Intelligence Service | When using the Threat Intelligence Service custom STIX/TAXII feed, users can now configure the data of NumofBackDaysData according to their requirements. |
ENG-34698 | Threat Intelligence Service | When using Threat Intelligence Service, after configuring the custom provider, the correct list file is available under the list default folder (C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\). |
ENG-40039 | Threat Intelligence Service | When using the Threat Intelligence Service, feeds after July 25, 2023, are now downloading. |
ENG-27216 | Web Console | When a time range is applied to the dashboard filter in the Web Console, the widget now displays data relevant to that time range. |
ENG-31396 | Web Console | While using the Web Console, the Typeahead filters now display the correct column values. |
ENG-35070 | Web Console: UI | When using the Web Console, after editing a dashboard and applying a longer filter in the Dashboard Filter field, the dashboard filter is displayed in a shortened form. |
ENG-39264 | Web Console | In larger deployments that upgraded to 7.12, the Web Console no longer has the rate limiting issues that were causing users to experience instability in their environments. |
ENG-41022 | Web Console | While using Web Console, after typing an open or closed parenthesis character "(", ")" or brackets "[", "]", the Known Values Browser does not close out anymore. It displays results accordingly. |
Resolved Issues - Security
Security-related issues resolved with this release are available for customers to view on the Community.
Known Issues
The following issues have each been found and reported by multiple users.
Bug # | Found In Version | Components | Description | Release Notes |
|---|---|---|---|---|
ENG-24726 | 7.10 | AI Engine | When drilling down on an alarm with Host (Impacted) in the Group By field, the action fails and returns the following error: "LogRhythm encountered an error reading the extended AI Engine metadata for this Event. It might be an unexpected non-printable character in a textual field. Please make a copy of the Log Message field (Raw Log Data) of this Event and contact LogRhythm Customer Support" | Expected Results: Drill down results should appear without returning an error. Workaround: There is currently no workaround for this issue. |
ENG-43218 | N/A | Alarm API | When using the XSOAR integration with Alarm API, requests periodically return a 500 internal server error. | Expected Results: The integration should work without returning an error. Workaround: Retry the request until it succeeds. |
ENG-38849 | N/A | Knowledge Base | When parsing logs associated with Syslog Linux Host, the Mediator returns the following error message: “Regex rule match timed out.” | Expected Results: The regex rule should parse successfully without timing out. Workaround: There is currently no workaround for this issue. |
ENG-47026 | 7.13 | Search API | After upgrading to 7.13, the LogRhythmWebUI password reverts to default, and Search API fails to log in. | Expected Results: When LogRhythmWebUI password is changed, it should not revert to default when upgrading. Workaround: There is currently no workaround for this issue. |
ENG-38594 | 7.11 | SmartResponse Plugins | When SmartResponse Plugin scripts are modified but not triggered for 7 days, the custom changes are deleted and the SRP reverts to default settings. | Expected Results: When SRP scripts are modified, the changes should be retained. Workaround: There is currently no workaround for this issue. |
ENG-36041 | 7.8 7.12 | Tools: TIS | The PhishTank TIS feed contains an unusually long URL that prevents the List Indicies in the Data Indexer from updating and causes drill down searches to fail. | Expected Results: Drill down results should appear without returning an error. Workaround: Replacing the list file with a manually sanitized file will temporarily resolve the issue, until it happens again. |
ENG-41651 | 7.12 7.13 | Web Console | After upgrading to 7.12 or 7.13, the CAC authorization used to log in to the Web Console stops working. | Expected Results: The CAC authorization should work when logging in to the Web Console. Workaround: There is currently no workaround for this issue. |