
7.20.0 GA Release Notes - 1 April 2025

We are pleased to announce LogRhythm SIEM version 7.20! LogRhythm 7.20 introduces Data Indexer dashboards to the web console, SentinelOne Beat log collection, a generic JSON TCP connection for System Monitor agents, and much more. With this update, you get a smoother, more streamlined experience thanks to behind-the-scenes upgrades and better dashboard results, along with the performance and stability of LogRhythm’s latest SIEM release.

What’s new in SIEM 7.20:

Maintenance

Data Indexer Dashboards in the Web Console

Introducing Data Indexer Dashboards! You can populate widgets on a dashboard using the entire SIEM data set by directly querying the Data Indexer layer. By querying the Data Indexer directly, analysts can view up to 30 days of data in a widget. That's 80x more visibility than Event dashboards! No more trying to figure out which logs are classified as an Event or stored in the Web Console Cache. Access the data you need by querying large datasets over longer periods of time. Refer to the Web Console Dashboards topic for more information on these new Data Indexer dashboards.


SentinelOne Beat Collection

LogRhythm SIEM’s addition of SentinelOne Beat Collection enables customers to bring SentinelOne EDR alerts and detections into the SIEM. With the new Open Collection Architecture, this beat can be deployed straight from the web console, avoiding CLI and remote access steps!

For information on initializing beats from within the LogRhythm Web Console, refer to Log Collection in Web Console. For information on configuring the SentinelOne Beat using the legacy syslog method, refer to SentinelOne Beat.

Migration from GCR to JFrog Artifactory for Collection

LogRhythm SIEM’s Beat delivery was previously managed by Google’s Container Registry (GCR). Due to GCR reaching End of Life, LogRhythm SIEM beats are now hosted by JFrog Artifactory. The URL will change in the Open Collector version file hosted on GitHub. Upon restarting a beat or the LRCTL service, the image will be pulled from the new JFrog repository.

There will be no impact on collection regarding this update; this change only impacts how updates are obtained.

If your organization restricts the outbound connections the Open Collector can make, firewall changes will be necessary to support continued Open Collector operations. Refer to the Open Collector Networking and Communication topic for more information on these firewall changes.

Generic JSON TCP Connection to System Monitor Agents

Your security stack is ever-changing and it’s critical to have all the components feeding into the SIEM. With more vendors adopting a JSON approach to logging, you need an easy way to collect JSON logs. That’s why we’ve expanded the System Monitor Agent’s JSON listener to support standard TCP. By leveraging the JSON listener and the JSON Policy Builder, you can ingest critical sources from anywhere! Refer to Generic JSON Collector for more information.

Log Source Additions and Improvements

As part of the bi-weekly LogRhythm SIEM Knowledge Base updates over the last quarter, 40 log sources have been updated or improved, and five new log sources have been added, allowing customers to expand their log visibility within the LogRhythm SIEM.

The following log source names have changed:

Old Name | New Name
Syslog - Forcepoint CASB | Syslog - Forcepoint CASB CEF
Syslog - Manage Engine AD Self Service Plus | Syslog - ManageEngine AD Self Service Plus

The following log sources have been added or updated:

New Log Sources

  • Syslog - Aruba Switch
  • Flat File - Falco
  • Syslog - Open Collector - SentinelOne API
  • Syslog - Lepide Data Security Platform
  • Syslog - LinkShadow CEF

Updated or Improved Log Sources

  • Syslog - Check Point Log Exporter
  • Syslog - Crowdstrike Falconhost CEF
  • Syslog - DarkTrace CEF
  • Syslog - Digital Guardian CEF
  • Syslog - F5 BIG-IP ASM CEF
  • Syslog - Fortinet FortiGate
  • Syslog - Generic Linux OS
  • Syslog - Huawei Access Router
  • Syslog - IPSWITCH MOVEit Server
  • Syslog - LogRhythm Network Monitor
  • Syslog - Open Collector Azure Event Hub
  • Syslog - Trend Micro Deep Security CEF
  • Flat File - Microsoft IIS FTP W3C Extended Format
  • LogRhythm Diagnostic Messages
  • MS Event Log For XP/2000/2003 - Application
  • MS Windows Event Logging - Application
  • MS Windows Event Logging - Backup
  • MS Windows Event Logging XML - Application
  • Syslog - Cisco Web Security
  • Syslog - Linux Host
  • Syslog - MS Windows Event Logging XML - Application
  • Syslog - Pure Storage
  • Syslog - Snare Windows 2008 Event Log
  • Syslog - SonicWall
  • Syslog - Sophos XG Firewall
  • Syslog - Apache Access log
  • Syslog - DarkTrace CEF
  • Syslog - Guardium Database Activity Monitor
  • Syslog - Open Collector
  • Syslog - Palo Alto Networks
  • Syslog - Trend Micro Deep Discovery Director
  • Syslog - Trend Micro Vision One CEF
  • Syslog - VMWare vCenter Server
  • API - Office365 Management Activity
  • Flat File - ClamAV Anti-Virus
  • Syslog - BitDefender
  • Syslog - Cisco Firepower Threat Defense
  • Syslog - Cisco Prime Infrastructure
  • Syslog - Forcepoint CASB CEF
  • Syslog - Ubiquiti Security Gateway

Enhancements & Resolved Issues

Platform Updates

LogRhythm 7.20 is packed with platform updates to improve security, performance, and stability. Spend more time hunting for threats and less time managing the platform.

Centralized Metrics

Centralized Metrics now stores data for 30 days by default on all deployments. The Centralized Metrics UI (Grafana) has been updated to the latest version. Customers using custom configurations for alerting or Angular-based dashboards may experience breaking changes.

LogID Field in Log Distribution Services

The Log Distribution Services (LDS) formatting options have been updated with the ability to include a LogID for each forwarded log. This provides a simple and easy way to track a log message through processes and pipelines once it leaves the SIEM. Refer to Create Log Distribution Receivers for information on how to use this field for your Log Distribution Services.

Resolved Issues & Improvements

Bug # | Component | Description
ENG-22880 | Search | A Warm Index Service Registry lock that is applied during searches of warm indices no longer fails to remove itself in certain situations, which previously prevented subsequent searches of the same indices.
ENG-40143 | Reporting | Scheduling a report that includes the “Network (Impacted)” column now correctly displays this column in the report results.
ENG-47211 | Reporting | An issue with reporting that was caused by proxy settings remaining enabled after a Job Manager KB sync has been resolved by automatically disabling proxy settings immediately after a KB sync.
ENG-48332 | Service Registry | PowerShell scripts are now signed by default.
ENG-48732 | APIs | Retiring an Agent via the Admin API now correctly retires system and non-system log sources associated with that Agent.
ENG-50447, ENG-56588 | Client/Web Console | An issue that prevented users from drilling down on inspector grid results in certain situations when the results are grouped by the Command field has been resolved.
ENG-53934 | Log Parsing | The AWS GuardDuty parser has been updated to include the “SIP” field.
ENG-57010, ENG-57014 | AI Engine | An “Unable to load details. Reload to try again.” error message now appears when three consecutive API calls fail to pull AI rule details in the Web Console inspector. Previously, there was no feedback when the details failed to load.
ENG-58363 | APIs | The Alarm API now correctly pulls the Objectname field in API responses.
ENG-59126 | AI Engine | Exporting an AIE rule, retiring it, and then re-importing it now correctly re-enables the retired rule and the associated common event.
ENG-59428 | Enhanced Auditing | The LogRhythmEMDB build script has been modified to prevent LogRhythm Enhanced Auditing from being reset to the default configuration during upgrades. Customers can disable Enhanced Auditing by running the LogRhythm_EMDB_Audit_Drop_All_Tables_Triggers stored procedure. Refer to the Collect Enhanced Audit Logs topic for information on this process.
ENG-60932 | AI Engine and Agents | The AI Engine Comm Manager and System Monitor Agent Secure Syslog listeners using self-signed certs now default to a key length of 3072.
ENG-61685 | Data Indexer | Because firewalld is required for the Data Indexer to be installed in a healthy state, the Data Indexer installer now fails earlier if firewalld is not installed or is inactive.
ENG-61861 | Data Indexer | The Linux Data Indexer firewall rules have been updated to automatically allow the ports used by the API Gateway and Service Registry.
ENG-61968 | Alarm Rules | Alarm rules (non-AIE) with more than one event for occurrences no longer fail to trigger in certain situations when their thresholds have been met.
ENG-62263 | NetMon | An issue with the Network Monitor heartbeat time being converted to the Notification Timezone instead of the local time zone of the Console host has been resolved.
ENG-62271 | Data Indexer | An issue that arose in LogRhythm SIEM version 7.18, where log4j version 2.11.1 may be flagged by scanners as affected by a remote code execution vulnerability, has been resolved.
ENG-62533 | Log Parsing | The Cisco Umbrella parser has been updated to correctly parse the “URL” and “action” fields.
ENG-62626, ENG-63605 | Agents | Memory queue management now functions correctly when a Windows Agent loses its connection to the Data Processor, so agents remain stable and can reconnect once the service outage is resolved.
ENG-62914 | Log Parsing | The Duo Authentication Security parser has been updated to include the “login” field.
ENG-62922 | Log Parsing | The Azure Event Hub parser has been updated to include Azure network logs.
ENG-62946 | Reporting | An issue with the “compress reports” functionality for a scheduled report being dependent on an “export” path being configured has been resolved.
ENG-62975 | Agents | An issue with System Monitor Agents not starting on Oracle Linux 7 has been resolved.
ENG-63049 | Agents | An issue with Agents collecting from the O365 Management Activity log source stopping after a single cycle in certain situations has been resolved.
ENG-63188 | Log Parsing | The Carbon Black parser has been updated to address an issue with parsing MPE rule 1011281.
ENG-63338 | AI Engine | An issue with AI Engine alarms without suppression applied failing to trigger has been resolved.
ENG-63433 | APIs | An issue with the Admin API leaving connections to the SQL server open in certain situations, causing high memory usage and port exhaustion, has been resolved.
ENG-63601 | Agents | An issue with URL path encoding when collecting from the O365 Management Activity log source that could cause logs to fail to collect has been resolved.
ENG-63606 | Web Console | The Component Status widget no longer fails to render data in certain situations.
ENG-63667 | Web Console | An issue causing the “Live Data” button to disappear from the UI in certain situations when viewing the Alarm tab has been resolved.
ENG-63686 | Service Registry | The Service Registry now reliably writes its last index value on restart, preventing API Gateway connections from going stale.
ENG-63696 | Web Console | An issue with Legend data not being visible in the Analyzer page for TopX widgets in certain situations has been resolved.
ENG-63713 | Installations | Two issues with the LogRhythm Install Wizard that were causing potentially unnecessary reboots during the installation process have been resolved.
ENG-63806 | AI Engine | An issue with the AIE not starting in certain situations when a workload has not been assigned to an engine has been resolved.

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view in the Community.

Deprecated Features

LogRhythm 7.20 includes changes that retire functionality and services that are no longer in use:

  • The SIP/Axon Integration code has been removed from the System Monitor agent and Client Console due to Axon reaching End of Life.

Known Issues

The following issues have each been found and reported by multiple users.

Bug # | Found In Version | Components | Description | Notes

ENG-35302 | Multiple | AI Engine | Alarm with a “not observed” rule block is firing even when a log or multiple logs are present.
  Expected Results: The alarm should not fire if a log is present and is within the time window.
  Workaround: There is currently no workaround for this issue.

ENG-41651 | 7.12 | Web Console | After upgrading to 7.12 or newer, the CAC authorization used to log in to the Web Console stops working.
  Expected Results: The CAC authorization should work when logging in to the Web Console.
  Workaround: A workaround for this issue has been field validated and is available as a dev binary; please open a support case if you are experiencing this issue. We anticipate a permanent fix in the 7.21 release.

ENG-62332 | 7.18 | Data Indexer | Clusters containing more than 600 days of Hot TTL fail to create new indexes due to the Shards Per Node limit.
  Workaround:
    • Adjust the GoMaintain TTL from -1 to 365 days or less.
    • Clear restored archive indexes using “curl -XDELETE localhost:9200/logsar-*”

ENG-61278 | 7.19 | APIs | After upgrading to LogRhythm SIEM version 7.19, servers running Windows Server 2012 R2 may throw errors when attempting to use the LogRhythm API or connecting through the API Gateway.
  Expected Results: The LogRhythm API should function as expected.
  Workaround: A workaround for this issue has been documented at LogRhythm API Gateway Error on Windows Server 2012 R2.

ENG-63836 | 7.20 | Alarming and Response Manager | A manual installation of the Alarming and Response Manager (ARM) on new deployments may warn that a Runtime dependency failed to install. This is caused by the dependency already being installed.
  Expected Results: If the dependency is already installed, the ARM installer should not attempt the installation.
  Workaround: Double-check that the Runtime dependency is already installed and proceed with the ARM installation, ignoring the warning.
