LogRhythm software can leverage either local Windows or Active Directory accounts for some or all of the LogRhythm services. Configuring LogRhythm services to use Integrated Security follows best practices and enforces the use of Windows domain authentication only.
LogRhythm Services and Integrated Security
The following LogRhythm services can be run under integrated security:
- LogRhythm Advanced Intelligence Engine (AIE) Services, including the Cache Drill Down and Communication Manager
- LogRhythm Alarming and Response Manager (ARM) Service
- LogRhythm API Services, including Admin API, API Gateway, Authentication API, Case API, Threat Intelligence API, Web Console API, and Web Services Host API
- LogRhythm Data Indexer Services, including WatchTower, consul-template, GoMaintain, Elasticsearch, Carpenter, Transporter, Columbo, and Bulldozer
- LogRhythm Job Manager Service
- LogRhythm Mediator Server Service
- LogRhythm Service Registry
- LogRhythm System Monitor Service (Windows)
- LogRhythm Web Console Services, including API, UI, Indexer, and Host API
Not all services are present in all deployments.
If the System Monitor Agent service performs remote event log collection, then it must be configured to use Integrated Security. For additional information, see Create a Least-Privileged Domain User Account for Remote Log Collection.
Windows Local Versus Active Directory Accounts
The decision to use local accounts or Active Directory (AD) accounts depends on the environment in which the LogRhythm components are deployed.
- If all LogRhythm systems (PM, DP, XM, or AIE configurations) reside on an AD domain, then AD accounts for the services are recommended.
- For non-domain environments, local Windows accounts must be used. If a service on one system (for example, the Mediator on a Data Processor) requires access on another system (for example, the Platform Manager), the same local Windows accounts must be created on each system.
It is important to understand that LogRhythm services running on one system (for example, the Mediator Server service running on a Data Processor) require database access on other systems (e.g. the Platform Manager databases). When configuring LogRhythm services to run under Integrated Security, the service is configured to run under the appropriate account. Then, databases that must be accessed are modified to allow that account the proper database access and permissions.
Make Remote Resources Available to LogRhythm Services
After the Integrated Security configuration is complete, you may choose to grant the LogRhythm services access to remote resources. This is most common in domain environments. Some common uses are:
- Granting the LogRhythm Mediator Server read/write permissions to a network share for writing inactive archive files.
- Granting the LogRhythm Job Manager read/write permissions to a network share for writing scheduled reports.
- Granting the LogRhythm ARM read/write permissions to a network share for writing text file notifications of alarms.