LogRhythm Diagnostics Tool
Diagnostics Tool v.2.4.0
The LogRhythm Diagnostics Tool is a standalone application that collects log and data files from LogRhythm components, runs Platform Manager database queries, and performs health, capacity, and oversubscription analysis on a LogRhythm deployment. The data is consolidated into a local .zip file for subsequent evaluation, capacity analysis and planning, and troubleshooting.
The LogRhythm Diagnostics Tool is made up of two components—the Diagnostics Tool itself and the LogRhythm Diagnostics Agent. The Diagnostics Agent must be installed on each LogRhythm Windows node (Platform Manager, Data Processor, and AI Engine) in the deployment.
Background
For LogRhythm Customer Support technicians, determining the cause of problems coming in from the field requires manually collecting log files, performance counters, SQL table data and job histories, Elasticsearch index data, configuration files, state repositories, and more. The LogRhythm technician must request files and other data from each component in the deployment, and often must help the customer gather that data. If the deployment is more than an XM, this means gathering data from more than one machine, a process that is time-consuming and could lead to human error.
The LogRhythm Diagnostics Tool allows customers and LogRhythm technicians to perform deep analysis of a LogRhythm deployment’s operational characteristics by accessing, executing, and interpreting results with ease. The tool enables users to gather all pertinent logs, metrics, queries, counters, and other data from a LogRhythm deployment quickly, easily, consistently, and locally—there are no online components. All data collection is read-only, so there is negligible performance impact on the deployment itself.
Users can also determine whether the deployment is healthy and in specification with respect to platform and licensing settings. If the deployment is not in a good state, the Diagnostics Tool provides all the logs and data in one local .zip file for further analysis by either the LogRhythm Administrator at the customer site or the LogRhythm support technician who receives the .zip file from the customer support ticket.
Functionality
The LogRhythm Diagnostics Tool offers the following functionality. For a full list of log files and data points collected and consolidated by the Diagnostics Tool, see Log Files and Data Collected by the Diagnostic Tool.
- Provides the current performance and capacity of the LogRhythm SIEM data pipeline, as measured against the Sustained Rate and Peak Rate definitions published by LogRhythm Solutions.
- Empirically demonstrates where the deployment is operating against the prescribed rates. Illustrates how much capacity remains before the deployment would be considered oversubscribed, or if the deployment is already oversubscribed.
- Automates the analysis of a deployment’s current data processing pipeline, per the Solutions Sizing Guide. This analysis makes it easy for field personnel and even customers to understand the deployment’s current capacity and performance.
- Installs and runs as a standalone application on any Windows host that can access LogRhythm Diagnostics Agents, consolidates files and data on a Windows host into a .zip file, and presents the files and data for immediate review.
- Collects files and data in a passive, read-only manner. Collected data includes information about LogRhythm components, the operating systems that host those components, and the hardware that runs on those hosts.
- Does not make changes to the LogRhythm SIEM deployment during operation.
- Runs on many versions of LogRhythm SIEM (currently 7.3.x and later).
Release Notes
Features Overview
The LogRhythm Diagnostics Tool is a standalone application that collects log files and data from a LogRhythm deployment and consolidates the collected information into a local .zip file. The tool also provides automated performance and oversubscription analysis and presents the information for immediate review and problem determination.
Version 2.4.0 introduces the following improvements from version 2.3.0:
- Improved the initial tool login experience while logging in and waiting for the initial data load.
- Added missing LogRhythm Mediator: Messaging performance counters.
- Revised the DP Spool File Information component to add:
  - Count and size of Unprocessed Archives Quarantined folder
  - Count and size of Processed Logs folder
  - Count and size of Active Archive
- Added DX service and install logs.
  - Linux:
    - /var/log/persistent
    - /var/log/elasticsearch
    - /var/log/nginx
    - sudo journalctl -u LogRhythmServiceRegistry -n1000 > serviceregistry.log
  - Windows:
    - %DXPATH%\logs (usually C:\Program Files\LogRhythm\Data Indexer\logs)
    - %DXPATH%\elasticsearch\logs
    - %DXPATH%\elasticsearch\bin\LimitWorkingSet.log
    - C:\Program Files\LogRhythm\LogRhythm Common\logs
- Added DX configuration files.
  - Linux:
    - /usr/local/logrhythm/configserver/conf
    - /etc/systemd/system/LogRhythmServiceRegistry.service.d/LogRhythmServiceRegistry.conf
  - Windows:
    - %DXPATH%\configserver\conf (usually C:\Program Files\LogRhythm\Data Indexer\configserver\conf)
    - %DXPATH%\elasticsearch\config
Bug Fixes
The following bugs have been fixed in the version 2.4.0 release:
| Bug | Description |
| --- | --- |
| TOOLS-111 | Linux DX iowait - Get/show CPU and Disk I/O wait for DX |
| TOOLS-369 | HealthCheck report showing duplicate data for XM |
| TOOLS-450 | Filtering is case-sensitive on export settings grid |
| TOOLS-451 | Filters are not getting cleared when switched between export profiles |
| TOOLS-452 | LRD app Credentials tab still says auth successful even after agent creds are changed |
| TOOLS-453 | LRD Agent config UI allows blank password |
| TOOLS-462 | Add MPE Log Level to LRD Client interface |
| TOOLS-463 | Agent picking up duplicate log samples |
| TOOLS-529 | Error visibility for bad password characters. For example, on the Credentials page for DX nodes, the plink/SSH password cannot contain quotes (single or double) or spaces. |
Known Issues
The following issues are known in the version 2.4.0 release and are currently targeted for remediation in a subsequent release:
| Priority | Description |
| --- | --- |
| Medium | The LogRhythm Diagnostics Tool does not automatically close when uninstalling. |
| Medium | The LogRhythm Diagnostics Agent cannot use certificates from the CurrentUser location in the Windows Certificate Store. |
Limitations
Some known limitations of the LogRhythm Diagnostics Tool include:
- The Diagnostics Tool should only be launched from the Windows Start Menu. Attempting to launch from the command line or Windows Explorer may result in an error.
- The Diagnostics Tool cannot determine model or processing rate information for AI Engines not running on the PM.
- Users cannot set the rates for Unknown or Custom component models: processing (DP and AIE), indexing, archiving, events, and LogMart.
- The licensed rate for DPs cannot be determined when a Deployment (MPS) license is in use.
- When attempting to upgrade the Diagnostics Tool from a previous version, you might receive the following error:
  - Error 0x80070643: Failed to install MSI package
  - If you receive this error, uninstall your current version of the Diagnostics Tool from the Windows Control Panel (Control Panel > Programs and Features), and then install a new version as outlined in Install the Diagnostics Agent and Diagnostics Tool.
