Skip to main content
Skip table of contents

7.14.0 GA Release Notes - 2 October 2023

Introducing LogRhythm SIEM 7.14! In this version, we introduce Open Collector and Beat management within the Web Console along with many other great features. LogRhythm is focused on making log collection easy. In this version, we start by streamlining the Open Collector and Beat log sources. With streamlined onboarding workflows and under-the-hood product enhancements, you can focus less on SIEM administration and more on security.

Key Highlights

Maintenance

Open Collector and Beat Management in Web Console

LogRhythm Administrators want an easy and streamlined workflow to onboard and manage Open Collector. LogRhythm SIEM 7.14 brings this functionality to the Web Console! Integrate Open Collector with the SIEM and use the Web Console to deploy Beats and collect their log sources.

With this complete workflow all contained within the Web Console, security teams can now focus more on security and less on configuration. In this release the following Beats can be on-boarded and managed directly within the Web Console, cutting administration time in half.

  • AWS S3

  • Azure Event Hub

  • Carbon Black Cloud

  • Cisco AMP

  • Duo Authentication Security

  • Kafka

  • Microsoft Graph API

  • Prisma Cloud

  • Proofpoint

  • PubSub

  • Symantec WSS

LogRhythm SIEM 7.14 makes it easy to collect from cloud log sources with the new workflow and management all contained in the web console.

Open Collector and Beat Management in the Admin API

With new features, come new REST API endpoints! LogRhythm 7.14 further extends the automation capabilities of the Admin API so that you can programmatically:

  • Manage Beats

  • Manage Open Collector

  • Manage DP Pooling

  • Add Log Source and Agent parameters

New to the API and wondering how to get started? Learn more about the Community!

Resource Center

The LogRhythm SIEM’s new Resource Center offers Analysts quick access to important LogRhythm resources like Community, Documentation and Support. Additionally, the Onboarding section gives new users in-app tutorials to help them get comfortable with the LogRhythm Web Console. And finally, the Announcements section will be introduced in the Resource Center so customers are aware of the latest updates and critical information from LogRhythm.

The example guide teaches users how to use LogRhythm SIEM without having to leave the Web Console.

Send Logs to Axon from the System Monitor Agent

As LogRhythm Axon’s popularity increases, we want to make migration easier for customers switching to Axon. LogRhythm SIEM 7.14 gives users the power to forward a copy of their logs to Axon. Customers can easily do a proof of concept in Axon while still maintaining their current LogRhythm SIEM deployment. For customers who choose to migrate to Axon, onboarding to the new platform will be a smooth transition. While Axon has its own Agent, this speeds up the ability to get logs into Axon by sending logs to both the Data Processor and Axon. Previously only available in limited situations, now all customers can leverage both platforms!

The Axon Settings tab of the System Monitor Agent Properties makes it easy to start forwarding logs to your Axon tenant.

LogRhythm Cloud (LRC) Deployment Statistics

With the introduction of the Deployment Statistics, LogRhythm Cloud customers can now get more insight on their deployment. Quickly access important information such as current MPS, average log size, and details regarding archives (if applicable).

Enhancements & Resolved Issues

Bug #

Component

Description

ENG-41695

Active Directory

After upgrading to version 7.13, users no longer see AD sync errors or duplicate users in the People tab. Also, there are no error messages or warnings in the Job Manager log.

ENG-42830

Admin API

When using the Admin API, the isSilentLogSourceEnabled value is now set according to the input parameter value in the API request.

ENG-40026

Agents

When SSLStream cannot send logs to the Mediator, the Agent does not show the sent message in the log.

ENG-40728

Agents: Office 365 Log Collection

Office 365 log collection no longer stops even when volume is reduced.

ENG-41720

Agents: UDP Syslog Log Collection

After updating to version 7.14, customers can override the ReceiveBuffer Limit to prevent data loss and log drop issues for UDP Syslog log collection.

ENG-25247

AI Engine: Communication Manager

When the AI Engine Communication Manager starts, it can now connect to the EMDB and configure the file successfully.

ENG-30203

AI Engine

Connecting to the AI Engine Communication Manager enables the AI Engine Data Provider to store data in the suspended state of the LogRhythm Mediator Server until the Data Provider is restarted. Even if the initial connection between the AIE Data Provider and the AIE Communication Manager is lost due to network problems, the data will be saved and reconnected.

ENG-30391

AI Engine

AIE alarms that are triggered by any log source Entity now display the correct Entity name.

ENG-33005

AI Engine

The AI Engine now starts after a rule update as expected.

ENG-39736

AI Engine: MPE Rules

When opening or creating sub-rules, the MPE rule is no longer automatically saved. This allows users to complete multiple sub-rule changes before saving the MPE rule and causing the Mediator Service to restart. (Applies to 7.14 release only.)

ENG-22946

Alarm API

When using the Alarms API, the alarms results now respect the query request direction (ascending or descending order options).

ENG-25680

Alarm API

When using wildcard or pattern-matching filters in the Alarm API, alarm results are now displayed as expected.

ENG-32809

Alarm API

When using the Alarm API Endpoint Get: lr-alarm-api/alarms, Alarm API no longer returns duplicate alarms.

ENG-22882

APIs

The API Gateway no longer causes the non-paged pool memory to increase when it does not receive a response from an endpoint, and the Data Processor now performs as expected without a backlog. 

ENG-30864

Client Console: Log Sources

When LR Enhanced Audit files are used to execute the LR_sqlaudit_create_leastprivuser.sql script, the AIERruleToEngine UDLA log source is now set without any issues.

ENG-38703

Client Console

When using the Client Console, the Syslog timestamp UTC offset calculation is now correct.

ENG-38371

Client Console: Agents

The recommended value and default value for OriginalMessage are now set to True for an Agent in the Advanced Properties of the Client Console.

ENG-42809

Client Console: User Profile Manager

Changes can now be applied to all users in the User Profile Manager of the Client Console.

ENG-38564

Common Components

Common components now automatically recover and function as expected after network outage.

ENG-37278

Database Upgrade Tool

When using the Database Upgrade Tool update from 7.10 to 7.12, the user no longer receives errors and the DB upgrade works properly despite the dashboard changes.

ENG-22881

Data Indexer: Transporter

Transporter now fully starts after receiving service restart command at UTC midnight.

ENG-47326

Data Indexer: Transporter

The Transporter no longer fails to index when a field is larger than the maximum length allowed. With 7.14 release, users can now change the MaxLuceneStringLength parameter. (Default = 32700, Min = 30000, Max = 32767)

ENG-33067

Data Processor

Added a new TTL setting that allows customers to stop archiving old logs that are older than the TTL time period.

ENG-11125

Documentation

Reference Architecture documentation has been updated to include relevant information.

ENG-48514

Documentation

Removed host URL links from API documentation because information on endpoints is now published on docs.logrhythm.com.

ENG-30183

Infrastructure: Database Scripts and Upgrade Scripts

When running database script, cluster creation now occurs in order as IP addresses become available.

ENG-11173

Installation Components

DR SQL transaction logs no longer fill the L: drive when unable to sync to secondary nodes.

ENG-24714

Job Manager

When using Gmail’s SMTP server with SSL enabled, the Job Manager now sends scheduled reports as expected.

ENG-41949

Job Manager

After using the Job Manager to sync the Active Directory, new AD users that were created in the People tab from the Group configured in Profile Manager are now displayed correctly.

ENG-11142

Metrics Collection Service

The metrics collection file no longer contains telemetric parsing errors from Datadog.

ENG-41117

LR Cloud: Enhanced Auditing

Shadow tables are no longer dropped and recreated during upgrade.

ENG-31744

Open Collector/Beats

The User Principal Name field is now parsed from Azure Defender logs.

ENG-27104

Threat Intelligence Service

When using the Threat Intelligence Service custom STIX/TAXII feed, users can now configure the data of NumofBackDaysData according to their requirements.

ENG-34698

Threat Intelligence Service

When using Threat Intelligence Service, after configuring the custom provider, the correct list file is available under the list default folder (C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\).

ENG-40039

Threat Intelligence Service

When using the Threat Intelligence Service, feeds after July 25, 2023, are now downloading.

ENG-27216

Web Console

When a time range is applied to the dashboard filter in the Web Console, the widget now displays data relevant to that time range.

ENG-31396

Web Console

While using the Web Console, the Typeahead filters now display the correct column values.

ENG-35070

Web Console: UI

When using the Web Console, after editing a dashboard and applying a longer filter in the Dashboard Filter field, the dashboard filter is displayed in a shortened form.

ENG-39264

Web Console

In larger deployments that upgraded to 7.12, the Web Console no longer has the rate limiting issues that were causing users to experience instability in their environments.

ENG-41022

Web Console

While using Web Console, after typing an open or closed parenthesis character "(", ")" or brackets "[", "]", the Known Values Browser does not close out anymore. It displays results accordingly.

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view on the Community.

Known Issues

The following issues have each been found and reported by multiple users.

Bug #

Found In Version

Components

Description

Release Notes

ENG-24726

7.10

AI Engine

When drilling down on an alarm with Host (Impacted) in the Group By field, the action fails and returns the following error:

"LogRhythm encountered an error reading the extended AI Engine metadata for this Event. It might be an unexpected non-printable character in a textual field. Please make a copy of the Log Message field (Raw Log Data) of this Event and contact LogRhythm Customer Support"

Expected Results: Drill down results should appear without returning an error.

Workaround: There is currently no workaround for this issue.

ENG-43218

N/A

Alarm API

When using the XSOAR integration with Alarm API, requests periodically return a 500 internal server error.

Expected Results: The integration should work without returning an error.

Workaround: Retry the request until it succeeds.

ENG-38849

N/A

Knowledge Base

When parsing logs associated with Syslog Linux Host, the Mediator returns the following error message:

“Regex rule match timed out.”

Expected Results: The regex rule should parse successfully without timing out.

Workaround: There is currently no workaround for this issue.

ENG-47026

7.13

Search API

After upgrading to 7.13, the LogRhythmWebUI password reverts to default, and Search API fails to log in.

Expected Results: When LogRhythmWebUI password is changed, it should not revert to default when upgrading.

Workaround: There is currently no workaround for this issue.

ENG-38594

7.11

SmartResponse Plugins

When SmartResponse Plugin scripts are modified but not triggered for 7 days, the custom changes are deleted and the SRP reverts to default settings.

Expected Results: When SRP scripts are modified, the changes should be retained.

Workaround: There is currently no workaround for this issue.

ENG-36041

7.8

7.12

Tools: TIS

The PhishTank TIS feed contains an unusually long URL that prevents the List Indicies in the Data Indexer from updating and causes drill down searches to fail.

Expected Results: Drill down results should appear without returning an error.

Workaround: Replacing the list file with a manually sanitized file will temporarily resolve the issue, until it happens again.

ENG-41651

7.12

7.13

Web Console

After upgrading to 7.12 or 7.13, the CAC authorization used to log in to the Web Console stops working.

Expected Results: The CAC authorization should work when logging in to the Web Console.

Workaround: There is currently no workaround for this issue.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.