If you are experiencing problems with your Echo service, first verify that your Echo service:
- Is running in the Windows Service Control Manager.
- Is listening on localhost (for example, 127.0.0.1) or hostname/IP (for example, USLTD0076MSANN, 10.128.2.156).
- Is reachable through the firewall on TCP 33333 (if connecting to a remote Echo service).
Echo Configuration Files
Echo configuration files are written to the C:\Program Files (x86)\LogRhythm\LogRhythm Echo\config directory.
Echo Log Files
Echo log files are written to the C:\Program Files (x86)\LogRhythm\LogRhythm Echo\logs directory. The AgentSimulator.log file contains information about the Agent simulator’s operations—starting up, connecting to the Mediator, sending logs and PCAPs, shutting down, and more. If you are not receiving logs or events as you expect, look here to see if there are any ERROR logs.
The file echoWeb.log contains Echo web server logs. If you are having trouble connecting to the Echo service in your browser, check this log file for problems.
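The service, listener, and log checks above can be run together as one PowerShell triage script. This is an added example, not LogRhythm tooling: the port and log paths come from this page, while the `*Echo*` display-name wildcard, the `-RemoteHost` parameter, and the literal `ERROR` marker in log lines are assumptions.

```powershell
# Added example (not LogRhythm tooling). Port and log paths are taken from this page.
param(
    [string]$RemoteHost   # hypothetical parameter: set only when Echo runs on another machine
)

$EchoPort = 33333
$LogDir   = 'C:\Program Files (x86)\LogRhythm\LogRhythm Echo\logs'

# 1. Service state. Assumption: the service display name contains "Echo".
$svc = Get-Service -DisplayName '*Echo*' -ErrorAction SilentlyContinue
if ($svc) { $svc | Format-Table Name, DisplayName, Status -AutoSize }
else      { Write-Warning 'No service with "Echo" in its display name was found.' }

# 2. Listener and bind address. A loopback-only bind cannot be reached remotely,
#    whatever the firewall allows; a wildcard bind is exposed on every interface.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $EchoPort -ErrorAction SilentlyContinue
if (-not $listeners) { Write-Warning "Nothing is listening on TCP $EchoPort." }
foreach ($l in $listeners) {
    $scope = switch ($l.LocalAddress) {
        { $_ -in '127.0.0.1', '::1' } { 'loopback only' }
        { $_ -in '0.0.0.0', '::' }    { 'all interfaces' }
        default                       { 'single address' }
    }
    $owner = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    '{0}:{1}  {2}  owner={3}' -f $l.LocalAddress, $l.LocalPort, $scope, $owner
}

# 3. Remote reachability through the firewall (only when -RemoteHost is given).
if ($RemoteHost) {
    $t = Test-NetConnection -ComputerName $RemoteHost -Port $EchoPort -WarningAction SilentlyContinue
    'Remote {0}:{1} reachable: {2}' -f $RemoteHost, $EchoPort, $t.TcpTestSucceeded
}

# 4. Most recent ERROR lines. Assumption: failures carry the literal word ERROR.
foreach ($name in 'AgentSimulator.log', 'echoWeb.log') {
    $path = Join-Path $LogDir $name
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "$name not found in $LogDir"; continue }
    Select-String -LiteralPath $path -Pattern '\bERROR\b' -CaseSensitive |
        Select-Object -Last 10 |
        ForEach-Object { '{0}:{1}: {2}' -f $name, $_.LineNumber, $_.Line.Trim() }
}
```

Run it from an elevated prompt on the Echo host; a listener reported as "loopback only" explains a failed remote connection even when the firewall rule is correct.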
Verify That LogRhythm Is Receiving Echo Logs
You can run a use case and verify that the logs are received and Events are generated by looking in the Events DB on the LogRhythm PM. Note that not all logs will generate Events that are forwarded to the Events DB—this is dependent on RBP settings as well as data management settings (for example, CBDM settings).
Perform the following:
- Tail the Data Processor’s scmedsvr.log and look for logs indicating the Echo System Monitor is successfully connecting and sending logs to the Mediator service.
- Use the Web Console to run a raw log search against the Data Indexer to confirm receipt of the raw logs.
- Use the Web Console to run a search against the Events DB to confirm that the Events were generated.
- Verify that the AIE alarms were generated by examining the Alarm Viewer in the Web Console or Client Console.
Use Case XML Files
When a use case is exported, it is written to an XML file. You can use a text editor to cut, paste, and modify a use case and then import it back into Echo. This is particularly helpful when editing complex use cases with many log source types or large numbers of logs.