Least Privileged User: PM, Disaster Recovery
Purpose
LogRhythm’s Disaster Recovery solution includes LogRhythm SIEM software running in two LogRhythm deployments: one on a primary site and one on a secondary site. The primary site includes the active Platform Manager, which sends replicated data to the secondary Platform Manager. The secondary site essentially becomes a “hot standby” in a planned outage, natural disaster, or attack.
Shared Resources
Resource | Read | Write | Read & Execute | Modify | Full Control | Children Inherit
---|---|---|---|---|---|---
Microsoft SQL | X | | | | |
SQL Logs | X | | | | |
LogRhythm System | X | | | | |
Registry Access
N/A
Database Access
The DR services require admin rights for all LogRhythm SQL databases.
Ports
The ports used for replication between the two sites are open (that is, not blocked by a firewall). The DR setup automatically opens the required ports in Windows Firewall, but not in other types of firewalls.
LogRhythm SQL Mirroring uses Port 5022. This is locked down to the replication interface (standalone network adapter).
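The following PowerShell script is an added example and is not part of LogRhythm's documentation or product. It shows how an administrator can verify, on the Platform Manager, that the Windows Firewall rules exposing TCP 5022 are scoped to the replication interface rather than to every adapter, and tighten any rule that is not. The adapter alias `Replication` and the peer replication address `10.0.99.2` are constructed placeholders; the cmdlets (`Get-NetIPAddress`, `Get-NetFirewallRule`, `Get-NetFirewallPortFilter`, `Get-NetFirewallAddressFilter`, `Set-NetFirewallRule`, `Get-NetTCPConnection`) are standard Windows modules.

```powershell
# Added example, not LogRhythm's own script. Audits which Windows Firewall rules allow
# TCP 5022 (SQL Mirroring) and scopes any unscoped allow rule to the replication adapter
# and the peer Platform Manager. Run in an elevated session on the Platform Manager.
# Assumptions (constructed placeholders): replication NIC alias 'Replication',
# peer site's replication address 10.0.99.2.

$MirroringPort     = 5022
$ReplicationAlias  = 'Replication'   # assumption: alias of the standalone replication NIC
$PeerReplicationIP = '10.0.99.2'     # assumption: other site's replication address

# Local IPv4 address bound to the replication adapter.
$localReplicationIP = (Get-NetIPAddress -InterfaceAlias $ReplicationAlias `
                        -AddressFamily IPv4 -ErrorAction Stop).IPAddress

function Get-MirroringFirewallRules {
    # Every enabled inbound allow rule whose port filter covers 5022 (or all ports),
    # with the local/remote address scope it applies to.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
            ($ports -contains 'Any') -or ($ports -contains "$MirroringPort")
        } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                LocalAddress  = (@($addr.LocalAddress)  -join ',')
                RemoteAddress = (@($addr.RemoteAddress) -join ',')
            }
        }
}

Write-Host 'Rules exposing 5022 before tightening:'
Get-MirroringFirewallRules | Format-Table -AutoSize

# A rule with LocalAddress 'Any' answers on every adapter, including the production network.
# Restrict such rules to the replication address and the peer; already-scoped rules are left alone.
foreach ($rule in Get-MirroringFirewallRules) {
    if ($rule.LocalAddress -eq 'Any' -or $rule.RemoteAddress -eq 'Any') {
        Set-NetFirewallRule -DisplayName $rule.Rule `
            -LocalAddress $localReplicationIP -RemoteAddress $PeerReplicationIP
    }
}

Write-Host 'Rules exposing 5022 after tightening:'
Get-MirroringFirewallRules | Format-Table -AutoSize

# Confirm what SQL Server is actually listening on for mirroring. A LocalAddress of
# 0.0.0.0 means the endpoint is bound to every interface, not just the replication one.
Get-NetTCPConnection -LocalPort $MirroringPort -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The script only edits rules it found to be unscoped; the Windows Firewall rules that the DR setup creates are reported first so the before/after listing shows exactly which rule changed. Firewalls other than Windows Firewall are not touched, matching the note above that the DR setup does not configure them.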
DNS Infrastructure
All components within the primary and secondary sites must include a common DNS infrastructure. When configuring the DNS infrastructure, follow these guidelines:
- Platform Managers. A common DNS record can point to either the IP address of the primary Platform Manager or the IP address of the secondary Platform Manager.
- Data Indexers and AI Engines. The Data Indexers and AI Engines point to the Platform Manager using a DNS name rather than an IP address. Remote Data Indexers and AI Engines should also support DNS for connecting to either a primary site or a secondary site.
- Agents. The Agents can use DNS to identify new Mediator host connections. The Agent resolves the DNS name to IP upon every new connection attempt. Agents can also be redirected to new Data Indexers using the Deployment Manager in the LogRhythm Console.
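The following PowerShell functions are an added example, not LogRhythm's own tooling, that check two of the guidelines above: that the common Platform Manager DNS record currently resolves to exactly one of the two Platform Manager addresses, and that component host settings reference a DNS name rather than an IP literal (an IP literal will not follow the record to the secondary site). The record name `pm.dr.example.com`, the primary address `10.0.1.10`, the secondary address `10.0.2.10`, and the sample host values are constructed placeholders; `Resolve-DnsName` is the standard DnsClient cmdlet.

```powershell
# Added example, not LogRhythm's own script. Checks the shared Platform Manager DNS record
# against the two known PM addresses and flags component host settings given as IP literals.
# Assumptions (constructed placeholders): common record 'pm.dr.example.com',
# primary PM 10.0.1.10, secondary PM 10.0.2.10.

function Test-PlatformManagerRecord {
    param(
        [string]$CommonName  = 'pm.dr.example.com',
        [string]$PrimaryIP   = '10.0.1.10',
        [string]$SecondaryIP = '10.0.2.10'
    )
    # -DnsOnly bypasses the local resolver cache and hosts file, so the answer reflects
    # what the DNS infrastructure publishes right now, which is what matters after a failover.
    $aRecords = Resolve-DnsName -Name $CommonName -Type A -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' }
    $ips = @($aRecords | ForEach-Object { $_.IPAddress })

    # The record should point at one site at a time; answering with both addresses would
    # split components between sites.
    $state = if     ($ips.Count -eq 1 -and $ips[0] -eq $PrimaryIP)   { 'PrimaryActive' }
             elseif ($ips.Count -eq 1 -and $ips[0] -eq $SecondaryIP) { 'SecondaryActive' }
             elseif ($ips -contains $PrimaryIP -and $ips -contains $SecondaryIP) { 'BothSites' }
             else   { 'UnexpectedAddress' }

    [pscustomobject]@{
        Record     = $CommonName
        Addresses  = ($ips -join ',')
        State      = $state
        # Agents resolve the name on every new connection, so the TTL bounds how long a
        # cached answer can keep pointing clients at the old site after the record changes.
        TtlSeconds = ($aRecords | Measure-Object -Property TTL -Minimum).Minimum
    }
}

function Find-IpLiteralHosts {
    # Given host values copied from Data Indexer, AI Engine or Agent settings, return the
    # ones that are IP literals rather than DNS names.
    param([string[]]$HostValues)
    foreach ($h in $HostValues) {
        $parsed = $null
        if ([System.Net.IPAddress]::TryParse($h, [ref]$parsed)) { $h }
    }
}

Test-PlatformManagerRecord | Format-List

# Constructed sample host values, as they might appear in component settings.
Find-IpLiteralHosts -HostValues @('pm.dr.example.com', '10.0.1.10', 'mediator01.dr.example.com')
```

Run `Test-PlatformManagerRecord` from the site you expect to be active and from a remote Data Indexer or AI Engine; a different `State` in the two places indicates that the sites are not sharing the same DNS infrastructure.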