
LogRhythm Default Passwords

LogRhythm comes configured with default passwords for a number of components that users may want to change to conform to best practices and security guidelines.

LogRhythm passwords must not:

  • contain a space character
  • contain an apostrophe
  • contain a single quote, double-quote, or semicolon
  • start with the $ or @ character

Users and Service Accounts

AI Engine User

The AI Engine user is called LogRhythmAIE. To change the password of this user:

  1. Log into the LogRhythm server, and open SQL Management Studio.
  2. Expand the Security tab and then the Logins tab.
  3. Right-click the user LogRhythmAIE, and select Properties.
  4. Enter the new password twice, and click OK to save the settings.
  5. From the Start menu, open the AIEngine Configuration Manager.
  6. Enter the new password for the LogRhythmAIE user.
  7. Click the Test Connection button and verify that the connection is successful.
  8. To close the connection window, click OK.
  9. Click the Windows Service tab.
  10. Select the Start (or restart) the service when the configuration is saved check box.
  11. To save the settings, click OK.

AI Engine Drill Down Cache API User

The AI Engine Drill Down Cache API user is called LogRhythmAIEDrillDownCache. To change the password of this user:

  1. Log into the LogRhythm server, and open SQL Management Studio.
  2. Expand the Security tab, and then the Logins tab.
  3. Right-click the user LogRhythmAIEDrillDownCache, and select Properties.
  4. Enter the new password twice, and click OK to save the settings.
  5. From the Start menu, open the Configuration Manager.
  6. Scroll to the AIE Drill Down Cache API section.
  7. Enter the new password for the LogRhythmAIEDrillDownCache user.
  8. Click Save.

Alarming and Response Manager User

The Alarming and Response Manager user is called LogRhythmARM. To change the password of this user:

  1. Log into the LogRhythm server, and open SQL Management Studio.
  2. Expand the Security tab, and then the Logins tab.
  3. Right-click the user LogRhythmARM, and select Properties.
  4. Enter the new password twice, and click OK to save the settings.
  5. From the Start menu, open the Platform Manager Configuration Manager.
  6. Click the Alarming and Response Manager tab.
  7. Enter the new password for the LogRhythmARM user.
  8. Click the Test Connection button and verify that the connection is successful.
  9. To close the connection window, click OK.
  10. Click the Windows Service tab.
  11. Select the Start (or restart) the service when the configuration is saved check box.
  12. To save the settings, click OK.

Case API User

The Case API user is called LogRhythmCaseAPI. To change the password of this user:

  1. Log into the LogRhythm server, and open SQL Management Studio.
  2. Expand the Security tab, and then the Logins tab.
  3. Right-click the user LogRhythmCaseAPI, and select Properties.
  4. Enter the new password twice, and click OK to save the settings.
  5. From the Start menu, open the Configuration Manager.
  6. Scroll to the Case API section.
  7. Enter the new password for the LogRhythmCaseAPI user.
  8. Click Save.

Case API Admin User

The Case API Admin user is called LogRhythmCaseAPIAdmin. To change the password of this user:

  1. Log into the LogRhythm server, and open SQL Management Studio.
  2. Expand the Security tab, and then the Logins tab.
  3. Right-click the user LogRhythmCaseAPIAdmin, and select Properties.
  4. Enter the new password twice, and click OK to save the settings.
  5. From the Start menu, open the Configuration Manager.
  6. Scroll to the Case API section.
  7. Enter the new password for the LogRhythmCaseAPIAdmin user.
  8. Click Save.

Case API Maintenance User

The Case API Maintenance user is called LogRhythmCaseAPIMaintenance. To change the password of this user:

  1. Log into the LogRhythm server, and open SQL Management Studio.
  2. Expand the Security tab, and then the Logins tab.
  3. Right-click the user LogRhythmCaseAPIMaintenance, and select Properties.
  4. Enter the new password twice, and click OK to save the settings.
  5. From the Start menu, open the Configuration Manager.
  6. Scroll to the Case API Maintenance section.
  7. Enter the new password for the Case API Maintenance user.
  8. Click Save.

Data Indexer Carpenter User

The Data Indexer Carpenter user is called LogRhythmNGLM. To change the password of this user:

  1. Log into the LogRhythm server, and open SQL Management Studio.
  2. Expand the Security tab, and then the Logins tab.
  3. Right-click the user LogRhythmNGLM, and select Properties.
  4. Enter the new password twice, and click OK to save the settings.

    The remaining steps are only required if using LogRhythm version 7.5 or below. In LogRhythm version 7.6 and above, this password is changed in Configuration Manager.

  5. Open a browser window and go to one of the following URLs:
    • Windows Data Indexer: http://localhost:9100/
    • Linux Data Indexer: https://<DX_IP_Address>
  6. Log in with user admin.
  7. Under Carpenter Config, click Change Password.
  8. Enter the new password for the LogRhythmNGLM user twice, and click Change Password.
  9. At the bottom of the window, click Submit to apply the changes.
    A confirmation warning appears.
  10. Click Continue, and then close the browser window.

Data Indexer (Linux) LogRhythm User

  1. Log into the Data Indexer using SSH.
  2. Elevate your permissions and use the password update utility to update the password for the "logrhythm" user:

    [whoever@DX5 grub.d]# sudo su
    [root@DX5 grub.d]# passwd logrhythm
    Enter password:
    Reenter password:

Data Indexer (Linux) Grub Bootloader Password

  1. Log into the Data Indexer using SSH.
  2. Execute the Grub Password Creation Utility to create a password. You will copy this output in the next step:

    [root@DX5 grub.d]# grub2-mkpasswd-pbkdf2
    Enter password:
    Reenter password:
  3. Modify the Grub Configuration file with the password you have set and add the LogRhythm user:

    [root@DX5 grub.d]# echo 'set superusers="logrhythm"' >> /etc/grub.d/40_custom
    [root@DX5 grub.d]# echo 'password_pbkdf2 logrhythm grub.pbkdf2.sha512.10000.remaininghashvaluescopiedfromstep2'  >> /etc/grub.d/40_custom
  4. Update Grub so that the change takes effect on the next reboot:

    [root@DX5 grub.d]# update-grub
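
The `echo ... >>` commands in step 3 append a new pair of lines every time they are run, so rotating the bootloader password later leaves the previous hash in the file. The following is an added example, not part of the LogRhythm documentation: a hypothetical helper, set_grub_password, that replaces the existing lines instead and rejects a truncated hash. The hash used in the demo is a constructed value.

```shell
#!/bin/sh
# Added example, not LogRhythm code. set_grub_password is a hypothetical helper.
# Usage: set_grub_password FILE USER HASH
#   FILE  GRUB script to edit (the page uses /etc/grub.d/40_custom)
#   USER  GRUB superuser name (the page uses "logrhythm")
#   HASH  the complete token printed by grub2-mkpasswd-pbkdf2
set_grub_password() (
    file=$1 user=$2 hash=$3

    # Accept only grub.pbkdf2.sha512.<iterations>.<hex salt>.<hex hash>, so a
    # truncated or multi-line paste never reaches the boot configuration.
    case $hash in *[!0-9A-Za-z.]*) hash= ;; esac
    printf '%s\n' "$hash" |
        grep -Eq '^grub\.pbkdf2\.sha512\.[0-9]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+$' ||
        { echo "malformed PBKDF2 hash, file left unchanged" >&2; exit 1; }
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "unexpected user name" >&2; exit 1 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; exit 1; }

    tmp=$(mktemp "$file.XXXXXX") || exit 1
    # Drop earlier superuser and password lines for this user, so a rotation
    # neither stacks duplicates nor leaves the previous hash on disk.
    sed -E "/^[[:space:]]*(set[[:space:]]+superusers=|password_pbkdf2[[:space:]]+$user[[:space:]])/d" \
        "$file" > "$tmp" || { rm -f "$tmp"; exit 1; }
    printf 'set superusers="%s"\npassword_pbkdf2 %s %s\n' \
        "$user" "$user" "$hash" >> "$tmp"

    # Replace in one rename, then keep the script executable but root-only:
    # the hash is enough for offline guessing if other users can read it.
    mv "$tmp" "$file" && chmod 700 "$file"
)

# Demo on a constructed copy (constructed hash value), not the live file.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nexec tail -n +3 $0\n' > "$demo_dir/40_custom"
set_grub_password "$demo_dir/40_custom" logrhythm \
    "grub.pbkdf2.sha512.10000.0A1B2C3D.4E5F6071"
cat "$demo_dir/40_custom"
```

On the Data Indexer, the helper would be run as root against /etc/grub.d/40_custom with the token from step 2, followed by step 4 as written above.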

Data Processor User

The Data Processor user is called LogRhythmLM. To change the password of this user:

  1. Log into the LogRhythm server, and open SQL Management Studio.
  2. Expand the Security tab, and then the Logins tab.
  3. Right-click the user LogRhythmLM, and select Properties.
  4. Enter the new password twice, and click OK to save the settings.
  5. From the Start menu, open the Data Processor Configuration Manager.
  6. Enter the new password for the LogRhythmLM user.
  7. Click the Test Connection button and verify that the connection is successful.
  8. To close the connection window, click OK.
  9. Click the Windows Service tab.
  10. Select the Start (or restart) the service when the configuration is saved check box.
  11. To save the settings, click OK.

Job Manager User

The Job Manager and Threat Intelligence Service user is called LogRhythmJobMgr. To change the password of this user:

  1. Log into the LogRhythm server, and open SQL Management Studio.
  2. Expand the Security tab, and then the Logins tab.
  3. Right-click the user LogRhythmJobMgr, and select Properties.
  4. Enter the new password twice, and click OK to save the settings.
  5. From the Start menu, open the Platform Manager Configuration Manager.
  6. Go to the Job Manager tab, and enter the new password for the LogRhythmJobMgr user.
  7. Click the Test Connection button and verify that the connection is successful.
  8. To close the connection window, click OK.
  9. Click the Windows Service tab.
  10. Select the Start (or restart) the service when the configuration is saved check box.
  11. To save the settings, click OK.

    The remaining steps are only required if the default TIS Configuration login has been changed.

  12. From the Start menu, open Threat Intelligence Service.
    The LogRhythm Threat Intelligence Service Configuration Window appears.
  13. Enter the new password for the LogRhythmJobMgr account, and click Next.
  14. If the service status is currently running, select Stop Service and then Start Service.

LogRhythm Global Administrator User

The default global administrator is called LogRhythmAdmin. To change the password of this user, do one of the following:

  • Via the LogRhythm Console:
    1. Open the LogRhythm Client Console and log in with the user LogRhythmAdmin.
    2. On the My LogRhythm menu, click Change Password.
      A message notifies you that after you change your password, the application will exit and you will have to log in using your new password.
    3. Click Yes to continue.
    4. Complete the following fields:
      1. Old Password. Type your current password.
      2. New Password. Type your new password.
      3. Verify New Password. Confirm your new password.
      LogRhythm supports passwords up to 255 characters long.
    5. Click OK to save your new password and close the Client Console.
    6. Start the Client Console again and log in using your new password.
  • Via SQL Management Studio:
    1. Log into the LogRhythm server, and open SQL Management Studio.
    2. Expand the Security tab, and then the Logins tab.
    3. Right-click the user LogRhythmAdmin, and select Properties.
    4. Enter the new password twice, and click OK to save the settings.
    5. Open the LogRhythm Client Console and log in with the user LogRhythmAdmin and the new password.

LogRhythm Global Analyst User

The default global analyst is called LogRhythmAnalyst. To change the password of this user, do one of the following:

  • Via the LogRhythm Console:
    1. Open the LogRhythm Client Console and log in with the user LogRhythmAnalyst.
    2. On the My LogRhythm menu, click Change Password.
      A message notifies you that after you change your password, the application will exit and you will have to log in using your new password.
    3. Click Yes to continue.
    4. Complete the following fields:
      1. Old Password. Type your current password.
      2. New Password. Type your new password.
      3. Verify New Password. Confirm your new password.
      LogRhythm supports passwords up to 255 characters long.
    5. Click OK to save your new password and close the Client Console.
    6. Start the Client Console again and log in using your new password.
  • Via SQL Management Studio:
    1. Log into the LogRhythm server, and open SQL Management Studio.
    2. Expand the Security tab, and then the Logins tab.
    3. Right-click the user LogRhythmAnalyst, and select Properties.
    4. Enter the new password twice, and click OK to save the settings.
    5. Open the LogRhythm Client Console and log in with the user LogRhythmAnalyst and the new password.

Notification Service User

The Notification Service user is called LogRhythmNotification. To change the password of this user:

  1. Log into the LogRhythm server, and open SQL Management Studio.
  2. Expand the Security tab, and then the Logins tab.
  3. Right-click the user LogRhythmNotification, and select Properties.
  4. Enter the new password twice, and click OK to save the settings.
  5. From the Start menu, open the Configuration Manager.
  6. Scroll to the Notification Service section.
  7. Enter the new password for the LogRhythmNotification user.
  8. Click Save.

SQL Server System Administrator User

The default SQL system administrator is called sa. To change the password of this user:

  1. Log into the LogRhythm server, and open SQL Management Studio.
  2. Expand the Security tab, and then the Logins tab.
  3. Right-click the user sa, and select Properties.
  4. Enter the new password twice.
  5. To save the new settings, click OK.

Web Console User

The Web Console user is called LogRhythmWebUI. To change the password of this user:

  1. Log into the LogRhythm server, and open SQL Management Studio.
  2. Expand the Security tab, and then the Logins tab.
  3. Right-click the user LogRhythmWebUI, and select Properties.
  4. Enter the new password twice, and click OK to save the settings.
  5. From the Start menu, open the Configuration Manager.
  6. Scroll to the Global section.
  7. Enter the new password for the LogRhythmWebUI user.
  8. Click Save.

Deployment Secret Key

LogRhythm also comes configured with a deployment-wide default secret key that users may want to change to conform to best practices and security guidelines. The secret key is used to protect the SQL Server service account passwords stored in service configuration files. The same secret key is also used to protect API tokens and passwords for API log collection in System Monitor .ini configuration files.

When changing the secret key, you must use the same non-default secret key across your LogRhythm deployment.

Change the Secret Key Across the LogRhythm Deployment

The following LogRhythm components must be configured to use the same, non-default secret key:

  • AI Engine (AIE)
  • Alarming and Response Service (ARM)
  • Client Console
  • Configuration Manager
  • Job Manager
  • Mediator (DP)
  • System Monitor (SMA)

For each component listed above, log in to the machine on which it is running and complete the following:

  1. Create a new lr.key file in the config subdirectory. 
    For example, the System Monitor config subdirectory would be C:\Program Files\LogRhythm\LogRhythm System Monitor\config\lr.key.
  2. Edit the lr.key file. On a single line in the lr.key file, enter the new secret key.

    This new secret key must be used across all the components listed above.

  3. Make sure to set appropriate read/write permissions on the lr.key file.
  4. Save the edited lr.key file.

Reset the SQL Server Service Accounts

  1. After updating the lr.key files with the same key, use the LogRhythm Configuration Manager apps to reset the SQL Server service accounts for the following services:

    • AI Engine (AIE)
    • Alarming and Response Service (ARM)
    • Job Manager
    • Mediator (DP)
    • System Monitor
     
  2. Run the Configuration Manager app to reset all passwords using the new key.

    You can use the same passwords as before; they will just be encrypted using the new secret key.

Reset System Monitor Agent .ini Configuration Files for API Log Sources

For each API log source, use the lrcrypt.exe app to reset the relevant API token, key, and password. 
For example, the System Monitor configuration file for Nessus Vulnerability Scanner would be C:\Program Files\LogRhythm\LogRhythm System Monitor\config\nessus.ini.

For more information on .ini file settings for API log sources, see the appropriate Device Configuration Guide.

Restart Services and Apps

After changing your secret key deployment-wide and resetting the services and apps indicated above, restart all of those same services and apps.

