Skip to main content
Skip table of contents

7.17.0 GA Release Notes - 1 July 2024

LogRhythm 7.17 introduces the Open Collection Architecture and the JSON Policy Builder, making onboarding and parsing Logstash formatted JSON logs a breeze. With these new features, security analysts can get a better view across the organization. Collecting mission critical log sources has never been easier!

What’s new in SIEM 7.17:


Open Collection Architecture

Ingest and customize log sources faster than ever before. With LogRhythm 7.17, we’ve made it easy to bring JSON log sources into the LogRhythm SIEM. We’ve opened the System Monitor Agent, allowing it to accept JSON logs from sources that support the Lumberjack protocol. Now administrators can configure third-party JSON agents to supplement LogRhythm’s vast library of supported log sources.

And whether you need to tailor custom or out-of-the-box normalization rules, the Open Collection Architecture lets you edit, apply, and manage rules like a pro. The new custom policy folder on the System Monitor gives users a safe place to store custom or modified normalization rules without the risk of being overwritten or impacted during upgrades. 


JSON Policy Builder

Map, export, apply. With the JSON Policy Builder, it’s that easy. The GUI-based wizard allows administrators to build policies and extract data from JSON log sources in minutes. No coding and no special training means that anyone can do it.

Data extracted from sample log messages is automatically extract by the wizard. Drop-down menus make it simple to map JSON values to the LogRhythm schema before exporting the policy file to the System Monitor Agent. 


Install & Upgrade Improvements

LogRhythm’s flexible architecture makes it easy to expand and scale, and now the LogRhythm Install Wizard is just as flexible. The streamlined installer gives you greater control over which components are installed on a single box.​ Administrators can now opt out of installing the Data Indexer on the same hardware as the rest of the LogRhythm components​. This streamlines your process, making your upgrade faster by removing the need to run the LogRhythm Install Wizard multiple times.


Licensing Details in the Admin API

Administrators can now programmatically obtain critical licensing information through the REST API. Manually logging into environments and the Client Console is no longer needed. Retrieve and monitor LogRhythm SIEM licensing and version details using the new licensing details endpoint in the Admin API. Combine with other LR API endpoints like the Metrics API to quickly compare and monitor licensed MPS vs current volume statistics.​ Reduce overhead and automate data retrieval across multiple environments. 


Updated Log Sources

As part of LogRhythm 7.17, we are proud of our many updated log sources. This quarter we focused on improving what we already have. We carefully reviewed and refined over 70 log sources to improve the experience for LogRhythm Analysts. We believe this will deliver great value in terms of more reliable and stable log parsing rules which ensures that visualizations, reports and detection rules leverage accurate and improved data.

To support our ongoing commitment to you, we continually update and improve Message Processor Engine (MPE) rules. As such, a crucial step in maintaining a healthy security posture is to normalize log messages. This helps ensure that you get more value out of the log data LogRhythm ingests and the security insight power of LogRhythm’s Machine Data Intelligence (MDI) Fabric

A few of the highlights released over the last three months include: 

  • Firewall security – The insight provided from firewalls is critical for protecting organizations. This quarter, LogRhythm released improvements for firewalls such as: Palo Alto Networks, Fortinet FortiGate, Sophos XG and Cisco Firepower and Meraki. With these improvements, LogRhythm customers will find greater value in the log enrichment and can better defend against threats. 

  • Applications – Key business applications have been updated this quarter: Oracle and Microsoft SQL have been updated for Databases, Apache access logs for web servers, Trend Micro Email Security and FortiMail for email solutions. These are just some of the business applications improved to give you more reliable insight.

  • Operation Systems – Many MPE rules improvements centered on Operations Systems, especially Windows Event logs. For non-Windows users, several Unix flavors have been updated also: AIX, HP-UX, IRIX, Solaris and Linux. Providing quality MPE rules for all of these Operations System log sources ensures security analysts have a clear and cohesive view of all the servers in an organization.

And these are just the highlights! LogRhythm updated more than 70 log sources over the last quarter, and we will continue to update more as part of our commitment to our customers’ successful security practices. For all of the release notes and changes review the Knowledge Base Release Notes on the Community.

Improved Log Sources:

API – Office 365 Management Activity
API – Okta Event
API – AWS CloudWatch Alarm
Flat File – Apache Tomcat Console Log
Flat File – Blue Coast Proxy
Flat File – Cisco Umbrella DNS
Flat File – Mimecast Email
Flat File – MS SQL Server 2012 Error Log
Flat File – MS SQL Server 2014 Error Log
Flat File – Linux Audit Log
Flat File – LogRhythm System Monitor Log File
Flat File – MS Exchange 2013 Message Tracking Log
LogRhythm Diagnostic Messages
MS Event Log for XP/2000/2003 – Application
MS Windows Event Logging – Application
MS Windows Event Logging – Firewall with Advanced Security
MS Windows Event Logging XML – Application
MS Windows Event Logging XML – Security
MS Windows Event Logging XML – Windows Defender
MS Windows Event Logging XML – PowerShell
MS Windows Event Logging – TS Session Broker
Syslog – Apache Access Log
Syslog – BitDefender
Syslog – Broadcom ProxySG

Syslog – Citrix NetScaler
Syslog – F5 Big-IP GTM & DNS
Syslog – F5 Big-IP LTM
Syslog – F5 FirePass Firewall
Syslog – Fortinet FortiMail
Syslog – Fortinet FortiNAC
Syslog – Fortinet FortiWeb
Syslog – Fortinet FortiGate
Syslog – Palo Alto Firewall
Syslog – Pulse Secure
Syslog – SentinelOne CEF
Syslog – Cisco Firepower
Syslog – Cisco Firepower Threat Defense
Syslog – Cisco ISE
Syslog – Cisco Meraki
Syslog – Cisco Switch
Syslog – Forcepoint Stonesoft NGFW
Syslog - Kemp Load Balancer
Syslog – AIX Host
Syslog – BSD Host
Syslog - Linux Audit
Syslog – Generic Linux OS
Syslog – HP-UX Host
Syslog – IRIX Host

Syslog – Linux Host
Syslog – Solaris Host
Syslog – Lancope StealthWatch CEF
Syslog – LogRhythm Network Monitor
Syslog – Sonicwall
Syslog – Sophos UTM
Syslog – Sophos XG Firewall
Syslog – Thycotic Secret Server
Syslog – Oracle 10g Audit Trail
Syslog – Oracle 11g Audit Trail
Syslog – Crowdstrike Falconhost CEF
Syslog – Kaspersky Security Center
Syslog – FireEye Web MPS/CMS/ETP/HX
Syslog – Forcepoint DLP
Syslog – Legacy Checkpoint Firewall
Syslog – OpenLDAP
Syslog – Symantec DLP CEF
Syslog – Trend Micro Email Security
Syslog – Trend Micro Deep Security CEF
Syslog – VMWare NSX/NSX-T
Syslog – VMWare vCenter Server
Syslog – Riverbed
Syslog – SecureAuth IdP v9
Syslog - Zscaler Nano Streaming Service
UDLA – LREnhancedAudit

Enhancements & Resolved Issues

Mediator Update to .NET 8 Framework

The Data Processor service (Mediator) has been migrated from .NET 4.7 to the .NET 8 framework. The .NET 8 code base has been optimized for modern operating systems and offers improvements in performance, compatibility and features. The .NET 8 Mediator offers a number of performance improvements:

  • Better service memory management under duress leading to increased stability

  • Lower overall CPU resource consumption under identical load profiles

  • Higher peak and sustained load handling on identical systems

  • Greatest benefits on newer Windows Operating Systems (Server 2022)

This change introduces the installation of .NET 8 as part of the Installation Wizard along with new Environment Variables used for runtime configuration of .NET 8. These variables should not be modified except under the direction of support or engineering.

Resolved Issues

Bug #




Web Console: Services

The Web Console services now automatically restart or recheck the EMDB IP in the service registry if they cannot connect to the SQL server, ensuring continuous operation without manual intervention.


Job Manager

The Job Manager now excludes disabled users from Scheduled Report Jobs, logs when no recipients are available, and displays recipient names in a new column in the Scheduled Report Job grid.


Admin API

The Admin API now supports network transfers between entities with clear documentation.


Client Console

The Case Details Report now successfully pulls data for the selected date range.


Client Console Search

When searching Host records, the results now accurately omit Host Entities that no longer contain the search criteria in their properties.



When running reports for the same time frame, Log Volume by Log Source Type and Log Volume by Log Source now show the same log count.


System Monitory Package Manager

The System Monitor version number is no longer truncated in the System Monitor Package Manager.


Client Console: User Profile Manager

Changing a User Profile without updating the password no longer causes login issues for that user account.



Documentation for Add Network Records from File now includes clarification regarding special characters and quotes in string fields.


Smart Response Plugin

Custom modifications made to Smart Response plugin scripts are now retained indefinitely.


Alarm API

The Alarm API now uses the following format for date time fields: yyyy-MM-ddTHH:mm:ss.fff


Web Console

When entering the Trigger Time in the Web Console Alarms grid view, pressing the backspace key now deletes only one character at a time in decimal numbers.


Admin API

After upgrading and accepting a System Monitor Agent via the Admin API, the Deployment Manager now functions normally upon relaunch, with all IPs verified as valid and the NetMon tab building successfully.


Message Processing

The relay regex now parses raw syslog log messages as expected.


Admin API

The Admin API now accepts Linux System Monitor Agents without generating GUID validation errors.


Log Sources

Log Message Processing Settings are no longer greyed out for custom log sources.


Alarming and Reporting Manager (ARM)

Suppression settings configured in AIE rules and Alarm rules now work as expected.


Web Console

The CSV export now includes all selected logs, regardless of applied filters, allowing users to export the entire set of selected logs, not just the filtered view.


AI Engine: MPE Rules

The system no longer triggers alarms for MPE Null Log Sources. The new patch ensures proper log message handling, preventing the recurrence of the issue.


Smart Response Plugin

Updated Smart Response scripts now include valid, non-expired certificates. This ensures proper execution in secured environments without errors.


Web Console: SSO

Selecting “Continue with SSO” in the Web Console redirects to the SSO page for authentication, regardless of pre-filled username and password values. This ensures proper SSO authentication flow and security compliance.


Error Messages

The SCMPE log now shows the raw log message in the regex rule matching time-out warning messages to aid in timeout troubleshooting.



System now accepts pending System Monitor Agents with -1 set for the IP address.


Web Console

The Drilldown on a Widget with a specific time range opens the Analyze Page displaying only the events within the Widget's time range settings. The Analyze Page shows the exact number of events matching those in the Widget's drilled-down data.


Web Console

After upgrading to version 7.15, the contextualize panel auto-populates user account info in the contextualize field upon clicking the username in the Top User widget.


Job Manager: Reports

Scheduled reports via Job Manager now correctly display the local time the report was run, matching the time set in the schedule.


Agents: Gsuite Log Collection

The System Monitor JSON parser now accurately extracts and displays email addresses from LICENSES_SETTINGS type Gsuite logs.


Agents: Gsuite Log Collection

This update adds group name parsing functionality for Gsuite logs in the Open Collector JSON parsing engine for System Monitor.



Case management reports exported as CSVs maintain correct field alignment without shifting or inserting JSON fields incorrectly into columns.



System Monitor: AIX

The AIX System Monitor Agent build and package now allow successful installation of the 7.16 System Monitor Agent on AIX 7.2.


Alarm API

In HA and DR environments, Alarm API calls are correctly routed without returning a 500 internal server error.



Accepted System Monitor Agents no longer appear in the Pending Agents list.


AIE Cache Drilldown API

The AIE Cache Drilldown API now functions correctly without requiring the Content-Type header, ensuring consistent behavior with other APIs.


System Monitor

An issue with spelling errors in the System Monitor JSON parsing policy file has been resolved.


Web Console

The Web Console display now correctly shows the entire search results bar without cutting off the bottom of the browser window.


Agents: Azure EventHub Log Collection

Added parsing support for the riskEventTypes_v2 field for the Syslog - Open Collector - Azure Event Hub log source type.


Agents: Cisco AMP Log Collection

Additional parsing rules are now added for Cisco AMP logs in the Open Collector JSON parsing engine for System Monitor.

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view in the Community.

Known Issues

The following issues have each been found and reported by multiple users.

Bug #

Found In Version







Web Console

After upgrading to 7.12 or 7.13, the CAC authorization used to log in to the Web Console stops working.

Expected Results: The CAC authorization should work when logging in to the Web Console.

Workaround: There is currently no workaround for this issue.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.