
Add a TrueIdentity Sync Job

  1. On the upper-right corner, click Add TrueIdentity Sync Job.
  2. Read through the system requirements, and click Continue.
  3. Type a descriptive name for the sync job to help you identify it among multiple jobs. The Sync Job Name displays in the LogRhythm Web Console as the source of a TrueIdentity or Identifier.
  4. Type your Active Directory authentication credentials.
    1. Fully Qualified Domain Name. Provide the Fully Qualified Domain Name of the Active Directory host (for example, example.com).

      If you are not using Secure LDAP, enter only the domain and not the FQDN.

    2. Username. Type the domain and user name for connecting to the AD server (for example, MyDomain\Username).
    3. Password. Type the password for the specified user.
    4. (Optional) Skip TLS Verification. Select to skip TLS certificate verifications for Active Directory LDAP connections. This is not recommended.
  5. To test your Active Directory authentication credentials, click Test Connection.
  6. Type your LogRhythm authentication connection information.
    1. API Endpoint URL. Type the local or remote URL for the API Gateway running on the Platform Manager. If you install the TrueIdentity Sync Client on the Platform Manager, you can connect to the API locally at http://127.0.0.1:8505/. Otherwise, you can access the API remotely at https://<hostname><domain>:8501.

      The localhost connects on port 8505 over HTTP, and the remote URL connects on port 8501 over HTTPS.

    2. API Token. Copy the Third Party Application token generated in the Client Console. For more information, see Generate LR API Token.

    3. Entity Id. The Root Entity to which synchronized TrueIdentities will be added. Leaving the default value adds TrueIdentities to the Global Entity. For a multi-tenant deployment, you must change the default entry to point to the tenant's Root Entity. The TrueIdentity Sync Client uses your API endpoint and token to query the LogRhythm Entity API for a list of Root Entities. For single tenant deployments, Global Entity is recommended.

      If the entity list does not populate, provide the API Token again and click Verify LogRhythm Connection to populate the new list of entities.

    4. (Optional) Skip TLS Verification. Select to skip TLS certificate verifications for LDAP connections. This is not recommended.
  7. To test your LogRhythm authentication connection information, click Test Connection.
  8. Click Create Config.

    If an error results when saving your configuration, ensure the TrueIdentity Sync Client was run as administrator.

Add Identifiers

Identifiers are specific fields of IAM accounts that uniquely identify a TrueIdentity. These fields are used during log processing to associate an event with the TrueIdentity.

To select which Active Directory attributes should be used to uniquely identify TrueIdentities:

  1. Click Add Identifier.
  2. Select a Type for the identifier. Login types are compared to the User (Origin) and User (Impacted) metadata fields. Email types are compared to the Sender and Recipient metadata fields. At least one identifier type must be selected.
  3. Select a Value from the Populates from list. The identifier value is an Active Directory field that is unique to every identity in the system.
  4. (Optional) Search for a user by specifying a value to see how these fields are populated in LogRhythm TrueIdentities in the Preview.
  5. Click Save and Continue.

Configure Attributes

Attributes are specific fields of IAM accounts that are imported into LogRhythm to provide context about a TrueIdentity.

  1. Select a value from the list corresponding to each attribute in the list provided. The attribute value is an Active Directory field that is imported when running the Sync Job. To not import a value, select (empty) from the list.
  2. (Optional) Search for a user by specifying a value to see how these fields are populated in LogRhythm TrueIdentities in the Preview.
  3. Click Save and Continue.

Add Filter Criteria

To filter which user accounts are pulled in from your sync job:

  1. Specify which domain controller and organizational unit will be queried for accounts. For example, if your domain is "example.com" and your organizational unit is called "test", type the following: ou=Test,dc=example,dc=com

    Note that spaces are not supported in the domain controller and organizational unit filter.

  2. Further refine your search by typing a valid LDAP query in the Active Directory Filter Query Override box. For example, to limit the sync to only accounts with surname "Smith", enter the following: (sn=Smith). For more information, see Add Query Filters or Overrides to the Sync Job.
  3. (Optional) To generate a CSV file with a sample of the imported TrueIdentities with the applied filters, click Generate CSV. This may take a few minutes to run. Upon completion, a file explorer opens to the directory that contains the CSV. The default directory is C:\Program Files\LogRhythm\LogRhythm TrueIdentity Sync Client\LogRhythm TrueIdentity Sync Client UI. 
  4. Click Save and Continue.

Schedule Sync Job

To schedule when and how often TrueIdentities synchronize:

  1. To schedule the sync job, select one of the following:
    • Scheduled Sync. Type a time for the synchronization to run once every day.
    • Interval Sync. Type the number of hours between synchronizations.
  2. To manually run a Sync Job, click the button on the home page, and then click Synchronize Now or Reset & Synchronize All TrueIdentities. The Sync Job must be enabled to run a synchronization.
  3. Click Continue.

The Sync Job details display. To enable or disable automatic sync, select an option at the bottom of the page. Alternatively, click the button next to the sync job in the list on the home page. Sync job settings may be used to update TrueIdentities. Click Save and Finish.

To retire or remove TrueIdentities, you must use the LogRhythm Admin API.

Add Query Filters or Overrides to the Sync Job

Depending on the AD domain you are using for synchronization, you may want to add one or more query filters to your configuration file to include or exclude records matching your criteria. There are numerous ways to filter AD/LDAP queries, and the following are two examples.

Add Multiple Filters

With Active Directory Filter Query Override, you can combine multiple filters in a single entry, using an LDAP query string. To return only users having a first name that starts with "jennifer":

(&(givenName=jennifer*)(sAMAccountType=805306368)(cn=*))

If you want to return only users having a first name that starts with "jennifer" and whose last name is not "smith":

(&(givenName=jennifer*)(!(sn=smith))(sAMAccountType=805306368)(cn=*))

If you want to return only users having a first name that starts with "matt" and whose login does not end in "_sup":

(&(givenName=matt*)(!(sAMAccountName=*_sup))(sAMAccountType=805306368)(sn=*))

If you want to return only users with a first and last name:

(&(objectCategory=person)(objectClass=user)(givenName=*)(sn=*))

If you want to return only enabled users:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

The default LDAP query is: (&(sAMAccountType=805306368)(cn=*))

For information about Active Directory fields, see the All Attributes page in the Microsoft Active Directory documentation. For information about building LDAP queries, see the Search Filter Syntax page in the Microsoft Active Directory documentation.
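
One way to check an Active Directory Filter Query Override string before saving it in a sync job, as an added example that is not part of the LogRhythm documentation or product: a parser for a subset of the LDAP filter syntax that rejects unbalanced or trailing text, plus a preview of which accounts a filter would select. The accounts in SAMPLE are constructed, the function names (parse, matches, preview) are hypothetical, and escaped characters, multi-valued attributes and matching rules other than the bitwise-AND OID shown above are not handled.

```python
import re

CMP = re.compile(r"([\w.-]+)(?::(1\.2\.840\.113556\.1\.4\.803):)?=([^()]*)")  # attr[:bit-AND rule:]=value
OPS = {"&": all, "|": any, "!": lambda results: not any(results)}
# Constructed sample accounts, not real directory data (514 = 512 plus the disabled bit 2).
ROWS = [("jsmith", "Jennifer", "Smith", 512), ("jdoe", "Jennifer", "Doe", 514),
        ("matt_sup", "Matt", "Lee", 512), ("mlee", "Matthew", "Lee", 512)]
SAMPLE = [dict(sAMAccountType=805306368, sAMAccountName=n, givenName=g, sn=s,
               cn=f"{g} {s}", userAccountControl=u) for n, g, s, u in ROWS]

def parse(text):  # returns nested tuples, raises ValueError on a malformed filter
    node, pos = _node(text.strip(), 0)
    if pos != len(text.strip()):
        raise ValueError(f"unexpected text at offset {pos}: {text.strip()[pos:]!r}")
    return node

def _node(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in OPS:  # composite filter: operator followed by sub-filters
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = _node(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        node = (op, kids)
    else:  # simple comparison such as sn=smith or cn=*
        m = CMP.match(s, i)
        if not m:
            raise ValueError(f"bad comparison at offset {i}")
        node, i = ("=",) + m.groups(), m.end()
    if s[i:i + 1] != ")":
        raise ValueError(f"missing ')' at offset {i}")
    return node, i + 1

def matches(node, entry):  # entry: attribute name -> single value
    if node[0] in OPS:
        return OPS[node[0]](matches(k, entry) for k in node[1])
    _, attr, rule, want = node
    have = {k.lower(): v for k, v in entry.items()}.get(attr.lower())
    if rule and have is not None:  # bitwise AND: every bit in `want` must be set
        return int(have) & int(want) == int(want)
    pattern = ".*".join(re.escape(p) for p in want.split("*"))  # '*' is the wildcard
    return have is not None and re.fullmatch(pattern, str(have), re.IGNORECASE) is not None

def preview(filter_text, entries=SAMPLE):  # logins the filter would select
    tree = parse(filter_text)
    return [e["sAMAccountName"] for e in entries if matches(tree, e)]
```

A filter that raises ValueError here should be corrected before it is entered in the override box; the preview only approximates Active Directory matching, so confirm the result with Generate CSV.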
