7.22.0 GA Release Notes - 1 October 2025
Experience the power of next-level security with LogRhythm SIEM 7.22! This version continues to make improvements to the Web Console, as well as adding new functionality for the Open Collector to better monitor and manage your beats whether they were created using command line or the web UI!
What’s new in SIEM 7.22:
New Metric Widget for Data Indexer (DX) Dashboards
Visualize data across all your logs, not just events, with Data Indexer Dashboards. And now in LogRhythm SIEM version 7.22, you can take data visualization even further with the new Metric Widget. Easily display the Count, Sum, Minimum, Maximum, or Average of supported fields using any query applied at the widget level.
For more information, refer to the Metric Widget documentation topic.

Improved Sync from Open Collector to Web Console
With new improvements to our Admin API, we are excited to introduce improved functionality for tracking Open Collector Beats in the Web Console. In LogRhythm SIEM version 7.14, the capability to deploy new beats was added to the Web Console, but any beats configured using the “old” command line syslog method were unable to be displayed. Now, leveraging our APIs, the Open Collector can provide details around all running beats in the LogRhythm SIEM Web Console, whether they were configured in the Web Console UI or using the command line interface. With this improvement, you can manage and observe all of your beats in one place!
To begin using this functionality, refer to the Initialize Long-Running LRCTL section of the Configure Open Collector Connection to the SIEM (WebUI) documentation. These steps allow for an API connection between the SIEM and the Open Collector to provide the information necessary for beat management in the Web Console.
Data Processor Shipping Logs to Multiple Data Indexer Clusters
Security teams often operate across multiple data centers and multiple regions to ensure business continuity. Outages or regional failures can interrupt investigations and compliance reporting if data is not accessible everywhere it is needed.
The new multi-cluster log forwarding capability allows organizations to send log data to multiple clusters at once, ensuring resiliency across geographies. Even if one cluster goes offline, log data remains available in other regions. This provides uninterrupted visibility that supports investigations, compliance audits, and operational continuity.
As part of this feature, Data Processor to Data Indexer communication now supports compression.
For more information, refer to Configure a Data Processor to Duplicate Data Indexer Logs.
Introducing the Web Console Threat Center
As part of our long-term vision, Web Console’s new Threat Center combines the Alarms and Cases options into a single tab within the Web Console, allowing security analysts to focus on the Threat Center as a whole rather than on Alarms or Cases individually.

New O365 Beat
A new O365 Beat has been added to the Open Collector, replacing the API collection previously done through the System Monitor Agent. This new beat will address some issues that customers were experiencing when using API collection for the O365 Management Activity log source.
For more information, refer to O365 Beat.
Share Web Console Searches
Previously, when creating an ad hoc search in the Web Console, the only way to share that search with another analyst was to save the search and update the permissions so that the other analyst could see the saved search. Now, searches can easily be shared with other analysts simply by copying and sharing the Web Console URL.
For more information, refer to the Share Searches section of the Save Searches topic.
Log Source Enhancements and Updates
LogRhythm SIEM 7.22 introduces updates designed to enhance the speed, consistency, and compatibility of data collection with third-party platforms. These enhancements include:
New log sources based on customer requests and feedback
Improvements around Forcepoint log source collection
New and Updated Log Sources
This past quarter of bi-weekly LogRhythm SIEM Knowledge Base updates included 54 enhanced or improved log sources, and eight newly introduced log sources. This allows customers to expand their security capabilities by increasing log visibility within the LogRhythm SIEM.
The following log sources have been added or updated:
New Log Sources | Updated or Improved Log Sources |
---|---|
Platform Updates
LogRhythm 7.22 is packed with platform updates to improve security, performance, and stability. Spend more time hunting for threats and less time managing the platform.
Security Improvements
As attackers evolve, the SIEM itself must remain hardened to protect sensitive log data and maintain trust. Without continual improvements to security and reliability, even strong detection capabilities can be undermined.
With LogRhythm SIEM version 7.22, you’ll have:
Stronger self-signed (SSL) certificates,
Updated installer packages that include a version's YAML file, ensuring each component has been upgraded, and
Signing of all LogRhythm built executables.
Dependency Updates
As part of our ongoing commitment to maintaining third-party dependencies for stability and security improvements, the following packages have been updated:
Data-Indexer Java Corretto JRE updated to version 8.0.462,
.NET 8 Core updated to version 8.0.18,
Grafana updated to version 11.6.5,
InfluxDB updated to version 1.11.8,
Go updated to version 1.24.2 for Procman and the Deployment/Common packages, and
NodeJS updated for the API Gateway.
An API Gateway NodeJS update was partially released for Windows only. Note that NodeJS (a requirement of API Gateway) no longer supports CentOS 7. Customers are advised to upgrade their Linux-based Data Indexers, as CentOS 7 support will cease in the LogRhythm SIEM 7.23 (January 2026) release. LogRhythm SIEM 7.22 is the last release with support for CentOS 7 based Data Indexers. Refer to the Notice of Eventual Deprecation section for more information.
LogRhythm Echo Version 2.0.4
LogRhythm Echo was updated to version 2.0.4 with this release of the LogRhythm SIEM.
In order to upgrade to version 2.0.4 of LogRhythm Echo, you must first uninstall LogRhythm Echo completely and then install the new version. If you have created custom use cases, be sure to back up the usecases.db file in the Echo directory and restore it after the installation.
This new version of LogRhythm Echo contains security fixes. Customers are able to view resolved LogRhythm Echo security-related issues on the Community.
For more information on LogRhythm Echo, refer to the LogRhythm Echo documentation.
New PATCH Endpoint for the Admin API’s /agents URI
The PATCH endpoint has been added for the /agents URI in the Admin API, which can partially update an agent with some fields missing without causing errors. For more information, refer to the LogRhythm APIs documentation.
Notice of Eventual CentOS 7 and RHEL 7 Deprecation
Due to compatibility issues with dependency services that no longer support older operating systems, CentOS 7 and RHEL 7 will reach end-of-life for Data Indexer support beginning with LogRhythm SIEM version 7.23 (January 2026). Beginning with version 7.22 (October 2025), additional features will be added to perform operating system (OS) version checking with data indexer (DX) services and provide warnings for users to upgrade their DX OS versions.
Because the end-of-life for CentOS 7 was June 30, 2024, meaning that the operating system no longer receives security updates, it is strongly recommended to upgrade your Data Indexer operating systems as soon as possible.
For more information about migrating your DXs from CentOS/RHEL 7 to Rocky/RHEL 9, refer to the Data Indexer CentOS to Rocky Upgrades guide.
Resolved Issues & Improvements
The following issues have been resolved either via a defect fix or a platform improvement in LogRhythm SIEM 7.22.
Bug # | Component | Description |
---|---|---|
ENG-11171 | Reporting | An issue where Auditing reports were not abiding by selected filters in certain situations has been resolved. |
ENG-40508 | Log Processing Policy | The Check Point Log Exporter parser has been updated to correctly parse the Host(Origin) field. |
ENG-49033 | APIs (Metrics) | The Metrics API service now correctly fails to start if invalid credentials are set in the Configuration Manager, and the error handling surrounding this situation has been improved. |
ENG-49806 | APIs (Admin) | The Admin API now correctly validates and processes list items containing control characters rather than causing a potential crash. Additionally, the error handling surrounding this situation has been improved. |
ENG-52567 | System Monitor Agents | An issue with an O365 Message Tracking agent failing to collect logs in certain situations has been resolved by enhancing retry logic to prevent stoppage. |
ENG-61279 | APIs (Admin) | The hosts Admin API endpoint can now correctly be filtered by Hostname. |
ENG-61555, | System Monitor Agents | The O365 Management Activity Beat has been released with LogRhythm SIEM version 7.22 in order to address issues with O365 Management Activity log collection. For more information, refer to the O365 Beat documentation. |
ENG-61888, | Web Console | Issues with performing a pivot search within the Web Console, including the search failing to abide by a widget’s timeframe, using an incorrect search operator, and searching all indexed logs rather than the widget’s displayed events, have been resolved. |
ENG-62398 | Web Console | An issue with the “Add Logs to Case” action adding all logs from a search to the case rather than only the selected logs has been resolved. |
ENG-63108 | Web Console | An issue with Lucene queries not correctly formatting strings containing “escape” characters (such as a backslash \) has been resolved. |
ENG-63335 | Data Indexer | The Data Indexer preinstall script has been updated to install sshpass on Rocky Linux version 9+. |
ENG-63425 | APIs (Admin) | The PATCH endpoint has been added for the /agents URI in the Admin API, which can partially update an agent with some fields missing without causing errors. For more information, refer to the LogRhythm APIs documentation. |
ENG-63716 | Log Processing Policy | The Graph API parser has been updated to correctly parse the Login, Sender, Recipient, Subject, and Email subject fields. |
ENG-63744 | System Monitor Agents | An issue with SNMP Connections settings being wiped after being saved in certain situations when using the Collector license type has been resolved. |
ENG-63763 | Active Directory | An issue where created user accounts were unable to connect to the Active Directory has been resolved. |
ENG-63877 | Web Console | An issue that was preventing the import of an exported Events Dashboard file into a Data Indexer (DX) Dashboard, and unnecessary trend requests being created as a result, has been resolved. |
ENG-68117 | Data Indexer | An issue with Data Indexer installations failing in certain situations has been resolved by updating the Data Indexer installer to include the “include_tasks” module that was introduced in Ansible 2.4. |
ENG-68464 | Deployment Manager | An issue with batch-modifying log source types in Deployment Manager that was throwing a “specified cast is not valid” error has been resolved. |
ENG-69964 | Log Processing Policy | The Proofpoint parser has been updated to correctly parse the ThreatStatus field. |
ENG-70958 | Alarms | An issue with using Alarms Viewer and Alarm Reports failing to return any results and timing out in certain situations has been resolved. |
ENG-70986, | Log Processing Policy | The Azure Event Hub parser has been updated to correctly parse a number of fields, including Client IP, Host, Policy, Report ID, and Request URI. |
ENG-72630 | Log Processing Policy | The MS Graph API parser has been updated to correctly parse the userPrincipalName, errorCode, failureReason, browser, displayName, resourceDisplayName, and isInteractive fields. |
ENG-72672 | AI Engine | An issue with the AI Engine start-up code that was throwing PK SQL errors has been resolved. |
ENG-73383 | System Monitor Agents | An issue with Qualys API agents failing to successfully download from the Knowledge Base (KB) has been resolved by adding a KBFetchBackDays parameter, which allows for only retrieving KB entries from a specified date range. |
ENG-73526 | Client Console | A note has been added to the Virtual Log Message Source Properties “Additional Settings” tab of child log sources indicating that collection start configurations are set on the parent log source and cannot be modified on the child. Additionally, if changes to this option need to be made, the child log source will need to be recreated. |
ENG-73587 | Web Console | Lucene Search performance has been enhanced to correct delays and missed keystrokes that were occurring in certain situations. |
ENG-73651 | Data Indexer | Elasticsearch and Data Indexer services have been updated to support Windows Server 2025 and to prevent issues that were arising as a result of WMIC being deprecated in Server 2025. |
ENG-74270 | Client Console | The “Operating System Version” dropdown in the Host Batch Properties Edit window has been updated to include more recent operating systems, as well as an “Other” option that allows for manual entry of the operating system. This “Other” option has also been added to the “Operating System Version” dropdown in the properties window for a single Host. |
ENG-74399 | Web Console | An issue that was preventing exported Event Dashboards created prior to LogRhythm SIEM version 7.20 from being imported into the Web Console has been resolved. |
ENG-74481 | Data Indexer | When updating values for the Columbo Warm and Ultra-Warm Tiers in Configuration Manager, the valid value ranges are now correctly enforced, and the description for the Ultra-Warm Tier has been updated to correctly display 182 as the maximum. |
ENG-74507 | Log Processing Policy | The MS Graph API parser has been updated to correctly parse the responsecode field. |
ENG-74932 | System Monitor Agents | The “Agent Port” field on the System Monitor Agent Properties window no longer accepts negative values. Agents that were already configured with negative values in the Agent Port field must be updated to a valid positive value after upgrading to LogRhythm SIEM version 7.22, and the Mediator service must then be restarted. |
ENG-75826 | System Monitor Agent | An issue with activating the SNMP receiver that was generating errors in the scsm.log file and causing SNMP ingestion to fail has been resolved. |
ENG-75910 | Web Console | When selecting the “View Logs” option on a widget from a Data Indexer Dashboard, the resulting grid now correctly identifies the results as “logs” rather than “events.” |
ENG-75929 | Log Processing Policy | The Mimecast parser has been updated to correctly parse a number of new fields. |
ENG-77486 | Configuration Manager | The Configuration Manager has been updated to accept Integrated Authentication; for example, setting the Database Authentication Strategy to “Windows Account Type” and the Web Console Services to run using a Windows Account no longer causes an error in the Web Indexer log. |
ENG-77499 | System Monitor Agents | An issue that was causing certain System Monitor Configuration Policies applied to Linux agents to incorrectly assign those agents to a Data Processor Pool has been resolved. |
ENG-78135 | System Monitor Agents | An issue that was preventing Agents from being upgraded to the new .NET 8 utility introduced in LogRhythm SIEM version 7.21 has been resolved. |
ENG-78401 | Installation | An issue with Rocky Linux installation that was preventing the critical /home/logrhythm/soft directory from being created in certain situations has been resolved. |
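The PATCH endpoint for /agents (ENG-63425) and the Admin API fix for list items containing control characters (ENG-49806) come down to the same defensive pattern: accept a partial update, validate every field that was actually supplied, and answer bad input with an error rather than a crash. The following is an added illustration of that pattern and is not LogRhythm's code; the agent record, its field names, and the port-range rule are constructed assumptions, not the Admin API's schema.

```python
import json
import re

# Reject C0 control characters and DEL in any string field.
CONTROL_CHAR_RE = re.compile(r'[\x00-\x1f\x7f]')

# Hypothetical patchable fields and their JSON types (assumption, not the real agent schema).
PATCHABLE_FIELDS = {"name": str, "agentPort": int, "recordStatus": str}


class PatchError(ValueError):
    """Raised for any client-side problem with a PATCH body."""


def validate_patch(body):
    """Return only the supplied, well-formed fields; raise PatchError on anything else."""
    if not isinstance(body, dict):
        raise PatchError("body must be a JSON object")
    clean = {}
    for key, value in body.items():
        if key not in PATCHABLE_FIELDS:
            raise PatchError(f"unknown field: {key}")
        expected = PATCHABLE_FIELDS[key]
        # bool is a subclass of int in Python, so exclude it explicitly for numeric fields.
        if not isinstance(value, expected) or isinstance(value, bool):
            raise PatchError(f"{key}: expected {expected.__name__}")
        if expected is str and CONTROL_CHAR_RE.search(value):
            raise PatchError(f"{key}: control characters are not allowed")
        if key == "agentPort" and not 1 <= value <= 65535:
            raise PatchError("agentPort: must be between 1 and 65535")
        clean[key] = value
    return clean


def apply_patch(agent, body):
    """Return a new record with only the supplied fields changed; omitted fields keep their values."""
    updated = dict(agent)
    updated.update(validate_patch(body))
    return updated


def handle_patch(agent, raw_body):
    """Simulated PATCH handler: returns (HTTP status, payload) and never raises on bad input."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError as exc:
        return 400, {"error": f"malformed JSON: {exc.msg}"}
    try:
        return 200, apply_patch(agent, body)
    except PatchError as exc:
        return 400, {"error": str(exc)}


# Constructed sample agent record used for the demonstration below.
SAMPLE_AGENT = {"id": 42, "name": "web-01", "agentPort": 443, "recordStatus": "Active"}

if __name__ == "__main__":
    for raw in ('{"agentPort": 8443}', '{"name": "web\\u0000evil"}', '{"agentPort": -1}'):
        print(raw, "->", handle_patch(SAMPLE_AGENT, raw))
```

The handler never mutates the stored record on a failed request, and a body that omits fields is the normal case rather than an error, which is the behaviour the resolved issue describes.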
Resolved Issues - Security
Security-related issues resolved with this release are available for customers to view in the Community.
Known Issues
The following issues have each been found and reported by multiple users.
Bug # | Found In Version | Components | Description | Notes |
---|---|---|---|---|
ENG-75431 | 7.21 | Web Indexer | Following an upgrade to version 7.21, customers with existing Dashboard widgets using wildcard Lucene filters may experience blank widgets if the filter contains capital letters. For example: classificationName:warn* - Works as expected | Expected Results: The Web Console UI should automatically send all search requests to the Web Indexer in lowercase so that capital or lowercase letters can be used in Lucene wildcard searches. Workaround Options: Replace existing wildcard Lucene filters with lowercase text. Use SQL to get an inventory of all widgets using wildcard filters. For more assistance, reach out to LogRhythm Support and reference this defect number (ENG-75431) for the SQL query. |
ENG-75096 | 7.21 | Web Indexer | Following an upgrade from versions prior to 7.20 to 7.21 or higher, some customers are experiencing blank widgets in the Web Console. During the upgrade to 7.21, web indices were migrated to a new Lucene version. Some customers with very large web indices or systems with limited memory may be experiencing “out of memory” (OOM) conditions with the Web Indexer migration tool, or the Web Indexer migration tool window closes before migration finishes. | Expected Results: Web Indices should be migrated smoothly as part of the upgrade. Workaround Options: |
ENG-35302 | Multiple | AI Engine | Alarm with “not observed” rule block is firing even when a log or multiple logs are present. | Expected Results: Alarm should not fire if log is present and is within the time window. Workaround: There is currently no workaround for this issue. |
ENG-42942 | Multiple | Data Indexer | Data Indexer Investigations on multi-node clusters may produce different result counts when keyword searches are run multiple times. | Expected Results: All results should be returned each time an investigation is performed. Workaround: Dev binaries are available for testing, please open a support case if you experience this issue. |
ENG-61278 | 7.19 | APIs | After upgrading to LogRhythm SIEM version 7.19, servers running Windows Server 2012 R2 may throw errors when attempting to use the LogRhythm API or connecting through API Gateway. | Expected Results: The LogRhythm API should function as expected. Workaround: A workaround for this issue has been documented at LogRhythm API Gateway Error on Windows Server 2012 R2. |
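Two Lucene items on this page, the fix for strings containing escape characters (ENG-63108) and the ENG-75431 workaround of rewriting wildcard filters in lowercase, can be handled with a small helper. The script below is an added example, not part of the release notes or of LogRhythm's tooling: it backslash-escapes a literal value for a Lucene query, and it audits an inventory of widget filters, rewriting only the wildcard terms to lowercase so field names and non-wildcard terms are left alone. The widget names and filters are constructed sample data, and the inventory is assumed to have been exported already (the page says to contact Support for the SQL query).

```python
import re

# Lucene query-parser special characters; escaping each with a backslash makes it literal.
LUCENE_SPECIAL = r'+-&|!(){}[]^"~*?:\/'

# field:term pairs; quoted phrases are not handled because wildcards are not used inside them.
TERM_RE = re.compile(r'(?P<field>[A-Za-z_][\w.]*):(?P<term>[^\s()]+)')


def escape_lucene_value(value):
    """Escape every Lucene special character in a literal value (e.g. a Windows path)."""
    return "".join("\\" + ch if ch in LUCENE_SPECIAL else ch for ch in value)


def _is_wildcard(term):
    return "*" in term or "?" in term


def wildcard_terms_with_uppercase(filter_text):
    """List (field, term) for every wildcard term that still contains an uppercase letter."""
    return [
        (m.group("field"), m.group("term"))
        for m in TERM_RE.finditer(filter_text)
        if _is_wildcard(m.group("term")) and any(c.isupper() for c in m.group("term"))
    ]


def lowercase_wildcard_terms(filter_text):
    """Rewrite only wildcard terms to lowercase; field names and plain terms are untouched."""
    def fix(m):
        if _is_wildcard(m.group("term")):
            return f"{m.group('field')}:{m.group('term').lower()}"
        return m.group(0)
    return TERM_RE.sub(fix, filter_text)


# Constructed sample inventory of widget filters (made-up names and queries).
SAMPLE_WIDGET_FILTERS = {
    "Warnings by host": "classificationName:Warn* AND direction:Internal",
    "Failed logons": "commonEventName:Auth* OR commonEventName:fail?",
    "Critical only": "priority:Critical",
}


def audit_filters(filters):
    """Return {widget_name: rewritten_filter} for widgets that need the ENG-75431 workaround."""
    return {
        name: lowercase_wildcard_terms(text)
        for name, text in filters.items()
        if wildcard_terms_with_uppercase(text)
    }


if __name__ == "__main__":
    print(escape_lucene_value(r"C:\Temp\a.exe"))
    for name, fixed in audit_filters(SAMPLE_WIDGET_FILTERS).items():
        print(f"{name}: {fixed}")
```

Only the wildcard term is lowercased because the known issue affects wildcard filters specifically; a filter such as priority:Critical, which has no wildcard, is reported as not needing a change.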