
7.22.0 GA Release Notes - 1 October 2025

Experience the power of next-level security with LogRhythm SIEM 7.22! This version continues to improve the Web Console and adds new functionality to the Open Collector so you can better monitor and manage your beats, whether they were created from the command line or the web UI!

What’s new in SIEM 7.22:

Maintenance

New Metric Widget for Data Indexer (DX) Dashboards

Visualize data across all your logs, not just events, with Data Indexer Dashboards. In LogRhythm SIEM version 7.22, you can take data visualization even further with the new Metric Widget. Easily display the Count, Sum, Minimum, Maximum, or Average of supported fields using any query applied at the widget level.

For more information, refer to the Metric Widget documentation topic.


Improved Sync from Open Collector to Web Console

With new improvements to our Admin API, we are excited to introduce improved functionality for tracking Open Collector Beats in the Web Console. In LogRhythm SIEM version 7.14, the capability to deploy new beats was added to the Web Console, but any beats configured using the “old” command line syslog method were unable to be displayed. Now, leveraging our APIs, the Open Collector can provide details around all running beats in the LogRhythm SIEM Web Console, whether they were configured in the Web Console UI or using the command line interface. With this improvement, you can manage and observe all of your beats in one place!

To begin using this functionality, refer to the Initialize Long-Running LRCTL section of the Configure Open Collector Connection to the SIEM (WebUI) documentation. These steps allow for an API connection between the SIEM and the Open Collector to provide the information necessary for beat management in the Web Console.

Data Processor Shipping Logs to Multiple Data Indexer Clusters

Security teams often operate across multiple data centers and multiple regions to ensure business continuity. Outages or regional failures can interrupt investigations and compliance reporting if data is not accessible everywhere it is needed. 

The new multi-cluster log forwarding capability allows organizations to send log data to multiple clusters at once, ensuring resiliency across geographies. Even if one cluster goes offline, log data remains available in other regions. This provides uninterrupted visibility that supports investigations, compliance audits, and operational continuity. 

As part of this feature, Data Processor to Data Indexer communication now supports compression.

For more information, refer to Configure a Data Processor to Duplicate Data Indexer Logs.

Introducing the Web Console Threat Center

As part of our long-term vision, the Web Console’s new Threat Center combines the Alarms and Cases options into a single tab within the Web Console, allowing security analysts to focus on the Threat Center as a whole rather than on Alarms or Cases individually.


New O365 Beat

A new O365 Beat has been added to the Open Collector, replacing the API collection previously done through the System Monitor Agent. This new beat will address some issues that customers were experiencing when using API collection for the O365 Management Activity log source.

For more information, refer to O365 Beat.

Share Web Console Searches

Previously, when creating an ad hoc search in the Web Console, the only way to share that search with another analyst was to save the search and update the permissions so that the other analyst could see the saved search. Now, searches can easily be shared with other analysts simply by copying and sharing the Web Console URL.

For more information, refer to the Share Searches section of the Save Searches topic.

Log Source Enhancements and Updates

LogRhythm SIEM 7.22 introduces updates designed to enhance the speed, consistency, and compatibility of data collection with third-party platforms. These enhancements include:

  • New log sources based on customer requests and feedback

  • Improvements around Forcepoint log source collection

New and Updated Log Sources

This past quarter of bi-weekly LogRhythm SIEM Knowledge Base updates included 54 enhanced or improved log sources, and eight newly introduced log sources. This allows customers to expand their security capabilities by increasing log visibility within the LogRhythm SIEM.

The following log sources have been added or updated:

New Log Sources

  • Syslog - Imperva Data Risk Analytics CEF

  • Syslog - NetApp ONTAP Audit Log

  • Syslog - Symantec ICDX CEF

  • Syslog - Fortinet FortiSwitch

  • Syslog - Skyhigh Secure Web Gateway

  • Syslog - Skyhigh Cloud Access Security Broker CEF

  • Syslog - ManageEngine ADAudit Plus

  • Syslog - Forescout eyeInspect CEF

Updated or Improved Log Sources

  • Flat File - Cisco AMP for Endpoints

  • Flat File - Cisco Umbrella DNS

  • Flat File - Linux Audit Log

  • Flat File - MS IAS/RAS Server NPS DB Log Format

  • Flat File - MS IAS/RAS Server Standard Log Format

  • Flat File - Oracle WebLogic 11g Access Log

  • MS Windows Event Logging XML - Security

  • MS Windows Event Logging XML - System

  • Syslog - Apache Error Log

  • Syslog - Cisco FirePOWER

  • Syslog - Cisco Firepower Threat Defense

  • Syslog - Cisco Meraki

  • Syslog - Cisco Nexus Switch

  • Syslog - Citrix Netscaler

  • Syslog - Ensilo NGAV

  • Syslog - F5 BIG-IP ASM

  • Syslog - F5 BIG-IP ASM v12

  • Syslog - Forcepoint Web Security

  • Syslog - Forcepoint Web Security CEF Format

  • Syslog - Fortinet FortiAuthenticator

  • Syslog - Fortinet FortiGate

  • Syslog - Imperva Data Risk Analytics CEF

  • Syslog - Kaspersky Security Center

  • Syslog - Linux Host

  • Syslog - McAfee Email And Web Security

  • Syslog - Mimecast Email

  • Syslog - MobileIron

  • Syslog - MS Windows Event Logging XML - Security

  • Syslog - Netskope CEF

  • Syslog - Open Collector - Msgraphbeat

  • Syslog - Palo Alto Firewall

  • Syslog - Symantec ICDX CEF

  • Syslog - Versa Networks SD-WAN

  • Syslog - VMWare NSX/NSX-T

  • Syslog - VMWare vCenter Server

  • Syslog - BeyondTrust BeyondInsight LEEF

  • Syslog - BitDefender

  • Syslog - Vormetric Data Security Manager

  • UDLA - LREnhancedAudit

Platform Updates

LogRhythm 7.22 is packed with platform updates to improve security, performance, and stability. Spend more time hunting for threats and less time managing the platform.

Security Improvements

As attackers evolve, the SIEM itself must remain hardened to protect sensitive log data and maintain trust. Without continual improvements to security and reliability, even strong detection capabilities can be undermined. 

With LogRhythm SIEM version 7.22, you’ll have:

  • Stronger self-signed certificates (SSLs),

  • Updated installer packages that include a version's YAML file, ensuring each component has been upgraded, and

  • Signing of all LogRhythm built executables.

Dependency Updates

As part of our ongoing commitment to maintaining third-party dependencies for stability and security improvements, the following packages have been updated:

  • Data-Indexer Java Corretto JRE updated to version 8.0.462,

  • .NET 8 Core updated to version 8.0.18,

  • Grafana updated to version 11.6.5,

  • InfluxDB updated to version 1.11.8,

  • Go updated to version 1.24.2 for Procman and the Deployment/Common packages, and

  • NodeJS updated for the API Gateway.

The API Gateway NodeJS update was partially released for Windows only. Note that NodeJS (a requirement of the API Gateway) no longer supports CentOS 7. Customers are advised to upgrade their Linux-based Data Indexers, as CentOS 7 support will cease in the LogRhythm SIEM 7.23 (January 2026) release. LogRhythm SIEM 7.22 is the last release that supports CentOS 7 based Data Indexers. Refer to the Notice of Eventual Deprecation section for more information.

LogRhythm Echo Version 2.0.4

LogRhythm Echo was updated to version 2.0.4 with this release of the LogRhythm SIEM.

To upgrade to version 2.0.4 of LogRhythm Echo, you must first uninstall LogRhythm Echo completely and then install the new version. If you have created custom use cases, be sure to back up the usecases.db file in the Echo directory and restore it after the installation.

This new version of LogRhythm Echo contains security fixes. Customers are able to view resolved LogRhythm Echo security-related issues on the Community.

For more information on LogRhythm Echo, refer to the LogRhythm Echo documentation.

New PATCH Endpoint for the Admin API’s /agents URI

A PATCH endpoint has been added for the /agents URI in the Admin API. It partially updates an agent and accepts requests that omit fields without causing errors. For more information, refer to the LogRhythm APIs documentation.

Notice of Eventual CentOS 7 and RHEL 7 Deprecation

Due to compatibility issues with dependency services that no longer support older operating systems, CentOS 7 and RHEL 7 will reach end-of-life for Data Indexer support beginning with LogRhythm SIEM version 7.23 (January 2026). Beginning with version 7.22 (October 2025), additional features will be added to perform operating system (OS) version checking with data indexer (DX) services and provide warnings for users to upgrade their DX OS versions.

Because the end-of-life for CentOS 7 was June 30, 2024, meaning that the operating system no longer receives security updates, it is strongly recommended to upgrade your Data Indexer operating systems as soon as possible.

For more information about migrating your DXs from CentOS/RHEL 7 to Rocky/RHEL 9, refer to the Data Indexer CentOS to Rocky Upgrades guide.

Resolved Issues & Improvements

The following issues have been resolved either via a defect fix or a platform improvement in LogRhythm SIEM 7.22.

Bug # | Component | Description

ENG-11171 | Reporting | An issue where Auditing reports were not abiding by selected filters in certain situations has been resolved.

ENG-40508 | Log Processing Policy | The Check Point Log Exporter parser has been updated to correctly parse the Host(Origin) field.

ENG-49033 | APIs (Metrics) | The Metrics API service now correctly fails to start if invalid credentials are set in the Configuration Manager, and the error handling surrounding this situation has been improved.

ENG-49806 | APIs (Admin) | The Admin API now correctly validates and processes list items containing control characters rather than causing a potential crash. Additionally, the error handling surrounding this situation has been improved.

ENG-52567 | System Monitor Agents | An issue with an O365 Message Tracking agent failing to collect logs in certain situations has been resolved by enhancing retry logic to prevent stoppage.

ENG-61279 | APIs (Admin) | The hosts Admin API endpoint can now correctly be filtered by Hostname.

ENG-61555, ENG-61703, ENG-62359 | System Monitor Agents | The O365 Management Activity Beat has been released with LogRhythm SIEM version 7.22 in order to address issues with O365 Management Activity log collection. For more information, refer to the O365 Beat documentation.

ENG-61888, ENG-61899 | Web Console | Issues with performing a pivot search within the Web Console, including the search failing to abide by a widget’s timeframe, using an incorrect search operator, and searching all indexed logs rather than the widget’s displayed events, have been resolved.

ENG-62398 | Web Console | An issue with the “Add Logs to Case” action adding all logs from a search to the case rather than only the selected logs has been resolved.

ENG-63108 | Web Console | An issue with Lucene queries not correctly formatting strings containing “escape” characters (such as a backslash \) has been resolved.

ENG-63335 | Data Indexer | The Data Indexer preinstall script has been updated to install sshpass on Rocky Linux version 9+.

ENG-63425 | APIs (Admin) | A PATCH endpoint has been added for the /agents URI in the Admin API. It partially updates an agent and accepts requests that omit fields without causing errors. For more information, refer to the LogRhythm APIs documentation.

ENG-63716 | Log Processing Policy | The Graph API parser has been updated to correctly parse the Login, Sender, Recipient, Subject, and Email subject fields.

ENG-63744 | System Monitor Agents | An issue with SNMP Connections settings being wiped after being saved in certain situations when using the Collector license type has been resolved.

ENG-63763 | Active Directory | An issue where created user accounts were unable to connect to the Active Directory has been resolved.

ENG-63877 | Web Console | An issue that was preventing the import of an exported Events Dashboard file into a Data Indexer (DX) Dashboard, and unnecessary trend requests being created as a result, has been resolved.

ENG-68117 | Data Indexer | An issue with Data Indexer installations failing in certain situations has been resolved by updating the Data Indexer installer to include the “include_tasks” module that was introduced in Ansible 2.4.

ENG-68464 | Deployment Manager | An issue with batch-modifying log source types in Deployment Manager that was throwing a “specified cast is not valid” error has been resolved.

ENG-69964 | Log Processing Policy | The Proofpoint parser has been updated to correctly parse the ThreatStatus field.

ENG-70958 | Alarms | An issue with the Alarms Viewer and Alarm Reports failing to return any results and timing out in certain situations has been resolved.

ENG-70986, ENG-72577, ENG-73133 | Log Processing Policy | The Azure Event Hub parser has been updated to correctly parse a number of fields, including Client IP, Host, Policy, Report ID, and Request URI.

ENG-72630 | Log Processing Policy | The MS Graph API parser has been updated to correctly parse the userPrincipalName, errorCode, failureReason, browser, displayName, resourceDisplayName, and isInteractive fields.

ENG-72672 | AI Engine | An issue with the AI Engine start-up code that was throwing PK SQL errors has been resolved.

ENG-73383 | System Monitor Agents | An issue with Qualys API agents failing to successfully download from the Knowledge Base (KB) has been resolved by adding a KBFetchBackDays parameter, which allows for retrieving only KB entries from a specified date range.

ENG-73526 | Client Console | A note has been added to the Virtual Log Message Source Properties “Additional Settings” tab of child log sources indicating that collection start configurations are set on the parent log source and cannot be modified on the child. Additionally, if changes to this option need to be made, the child log source will need to be recreated.

ENG-73587 | Web Console | Lucene Search performance has been enhanced to correct delays and missed keystrokes that were occurring in certain situations.

ENG-73651 | Data Indexer | Elasticsearch and Data Indexer services have been updated to support Windows Server 2025 and to prevent issues that were arising as a result of WMIC being deprecated in Server 2025.

ENG-74270 | Client Console | The “Operating System Version” dropdown in the Host Batch Properties Edit window has been updated to include more recent operating systems, as well as an “Other” option that allows for manual entry of the operating system. This “Other” option has also been added to the “Operating System Version” dropdown in the properties window for a single Host.

ENG-74399 | Web Console | An issue that was preventing exported Event Dashboards created prior to LogRhythm SIEM version 7.20 from being imported into the Web Console has been resolved.

ENG-74481 | Data Indexer | When updating values for the Columbo Warm and Ultra-Warm Tiers in Configuration Manager, the valid value ranges are now correctly enforced, and the description for the Ultra-Warm Tier has been updated to correctly display 182 as the maximum.

ENG-74507 | Log Processing Policy | The MS Graph API parser has been updated to correctly parse the responsecode field.

ENG-74932 | System Monitor Agents | The “Agent Port” field on the System Monitor Agent Properties window no longer accepts negative values. Agents that were already configured with negative values in the Agent Port field must be updated to a valid positive value after upgrading to LogRhythm SIEM version 7.22, and the Mediator service must then be restarted.

ENG-75826 | System Monitor Agent | An issue with activating the SNMP receiver that was generating errors in the scsm.log file and causing SNMP ingestion to fail has been resolved.

ENG-75910 | Web Console | When selecting the “View Logs” option on a widget from a Data Indexer Dashboard, the resulting grid now correctly identifies the results as “logs” rather than “events.”

ENG-75929 | Log Processing Policy | The Mimecast parser has been updated to correctly parse a number of new fields.

ENG-77486 | Configuration Manager | The Configuration Manager has been updated to accept Integrated Authentication; for example, setting the Database Authentication Strategy to “Windows Account Type” and the Web Console Services to run using a Windows Account no longer causes an error in the Web Indexer log.

ENG-77499 | System Monitor Agents | An issue that was causing certain System Monitor Configuration Policies applied to Linux agents to incorrectly assign those agents to a Data Processor Pool has been resolved.

ENG-78135 | System Monitor Agents | An issue that was preventing Agents from being upgraded to the new .NET 8 utility introduced in LogRhythm SIEM version 7.21 has been resolved.

ENG-78401 | Installation | An issue with Rocky Linux installation that was preventing the critical /home/logrhythm/soft directory from being created in certain situations has been resolved.

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view in the Community.

Known Issues

The following issues have each been found and reported by multiple users.

Bug # | Found In Version | Components | Description and Notes

ENG-75431 | 7.21 | Web Indexer

Following an upgrade to version 7.21, customers with existing Dashboard widgets using wildcard Lucene filters may experience blank widgets if the filter contains capital letters.

For example:

classificationName:Warn* - “No data available”

classificationName:warn* - Works as expected

Expected Results: The Web Console UI should automatically send all search requests to the Web Indexer in lowercase so that capital or lowercase letters can be used in Lucene wildcard searches.

Workaround Options: Replace existing wildcard Lucene filters with lowercase text. Use SQL to get an inventory of all widgets using wildcard filters. For more assistance, reach out to LogRhythm Support and reference this defect number (ENG-75431) for the SQL query.
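The workaround above asks you to find every widget whose wildcard filter contains capital letters and rewrite it in lowercase. The following is an added example (not LogRhythm's code, and not the SQL query Support provides) that does that check over already-extracted widget filter strings: it lowercases only unquoted wildcard values, leaving field names such as classificationName, quoted phrases and operators untouched. The widget names and filters are constructed samples.

```python
import re

# Constructed sample widget filters (not taken from any real deployment).
# Each value is the Lucene filter string stored on a Dashboard widget.
SAMPLE_FILTERS = {
    "Warnings widget": "classificationName:Warn*",
    "Lowercase widget": "classificationName:warn*",
    "Phrase widget": 'message:"Warn* Text" AND hostName:WEB?',
    "Plain widget": "classificationName:Warning",
}

# One Lucene term: an optional +/-/! and field prefix (e.g. "classificationName:"),
# then either a quoted phrase or a bare value. Bare values stop at whitespace,
# parentheses, quotes and ":" so a field name is never mistaken for a value.
# Assumption: phrases contain no escaped quotes.
TERM_RE = re.compile(
    r'(?P<prefix>[+\-!]?(?:[A-Za-z_][\w.]*:)?)'
    r'(?P<value>"[^"]*"|[^\s()":]+)'
)


def is_bare_wildcard(value: str) -> bool:
    """True for an unquoted term that uses * or ? as a Lucene wildcard.
    Inside a quoted phrase these characters are literal, so quoted values
    are never treated as wildcards."""
    return not value.startswith('"') and any(ch in value for ch in "*?")


def has_uppercase_wildcard(filter_text: str) -> bool:
    """True if any unquoted wildcard term contains capital letters, i.e. the
    widget is affected by ENG-75431 and will render blank."""
    return any(
        is_bare_wildcard(m.group("value"))
        and m.group("value") != m.group("value").lower()
        for m in TERM_RE.finditer(filter_text)
    )


def lowercase_wildcards(filter_text: str) -> str:
    """Apply the documented workaround: lowercase only the value of unquoted
    wildcard terms. Field names (which are case-sensitive), quoted phrases,
    boolean operators and non-wildcard terms are left exactly as written."""
    def fix(m):
        value = m.group("value")
        if is_bare_wildcard(value):
            value = value.lower()
        return m.group("prefix") + value
    return TERM_RE.sub(fix, filter_text)


def inventory(widgets: dict) -> list:
    """Return (widget name, original filter, corrected filter) for every widget
    whose filter needs the workaround applied."""
    return [
        (name, text, lowercase_wildcards(text))
        for name, text in widgets.items()
        if has_uppercase_wildcard(text)
    ]


if __name__ == "__main__":
    for name, before, after in inventory(SAMPLE_FILTERS):
        print(f"{name}: {before!r} -> {after!r}")
```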

ENG-75096 | 7.21 | Web Indexer

Following an upgrade from versions prior to 7.20 to 7.21 or higher, some customers are experiencing blank widgets in the Web Console.

During the upgrade to 7.21, web indices were migrated to a new Lucene version. Some customers with very large web indices or systems with limited memory may be experiencing “out of memory” (OOM) conditions with the Web Indexer migration tool, or the Web Indexer migration tool window closes before migration finishes.

Expected Results: Web Indices should be migrated smoothly as part of the upgrade.

Workaround Options:

  1. Re-run the Web Indexer Migration Tool from “C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Indexer\dependencies\index-upgrade”

  2. Stop the Web Indexer, delete the web indices directory, and restart the Web Indexer. The cache will rebuild on its own; however, search/drill-down tasks from the last 24 hours are lost but can be re-run from the UI without data loss.

ENG-35302 | Multiple | AI Engine

An alarm with a “not observed” rule block is firing even when a log or multiple logs are present.

Expected Results: The alarm should not fire if a log is present and is within the time window.

Workaround: There is currently no workaround for this issue.

ENG-42942 | Multiple | Data Indexer

Data Indexer Investigations on multi-node clusters may produce different result counts when keyword searches are run multiple times.

Expected Results: All results should be returned each time an investigation is performed.

Workaround: Dev binaries are available for testing; please open a support case if you experience this issue.

ENG-61278 | 7.19 | APIs

After upgrading to LogRhythm SIEM version 7.19, servers running Windows Server 2012 R2 may throw errors when attempting to use the LogRhythm API or connecting through the API Gateway.

Expected Results: The LogRhythm API should function as expected.

Workaround: A workaround for this issue has been documented at LogRhythm API Gateway Error on Windows Server 2012 R2.
