
Configure a Data Processor to Duplicate Data Indexer Logs

Starting with LogRhythm SIEM version 7.22, Data Processors (DPs) can send data to multiple Data Indexer (DX) clusters. This configuration sends two identical copies of every log, one to each cluster, providing cluster-level redundancy of DX data. The feature supports output to at most two clusters per DP. Each cluster can be single- or multi-node, Windows or Linux.

This feature can be used to provide DX cluster redundancy, or to assist with cluster migrations.

Searching against both clusters (repositories) will produce duplicate results. If multiple clusters will remain in place for redundancy purposes, users should select only a single repository to search from to avoid duplicate results.

Requirements

In order to configure a DP to duplicate DX data:

  • When used for redundancy purposes, both DX clusters should have the same type and size.

  • When used as a cluster migration strategy, the indexing rate should be limited to that of the smaller of the two clusters.

Configuration

To configure a Data Processor to duplicate Data Indexer data:

  1. Identify the Cluster ID of the secondary DX Cluster using SQL:

    1. Open SQL Management Studio and authenticate as LogRhythmAdmin or SA.

    2. Select New Query.

    3. Run the following query in the query line at the top of the screen:

      SELECT * FROM [LogRhythmEMDB].[dbo].[NGPCluster]

    4. Retrieve the ClusterID number of the cluster to which you want to send additional data.
      In the example below, the second copy of logs needs to be sent to the “logrhythm” cluster, so the correct ClusterID is 6:

  2. Stop the LogRhythm Mediator Server Service.

  3. Open the scmedsvr.ini file in a text editor.

     The default location of this file is "C:\Program Files\LogRhythm\LogRhythm Mediator Server\config\scmedsvr.ini".

  4. At the bottom of the file, add new lines under the [OPTIONAL] section.

     If the [OPTIONAL] header is not present, you can add it.

      [OPTIONAL]
      DP2DXLogCompression=True
      SecondaryDXClusterID=6

     The SecondaryDXClusterID is the value pulled from step 1.

  5. Save the updated file.

  6. Restart the LogRhythm Mediator Server Service.
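
The scmedsvr.ini edit described above, as an added PowerShell example (not LogRhythm's own tooling): the hypothetical function Set-OptionalIniKeys sets the two keys under [OPTIONAL] idempotently, creating the header if it is absent and collapsing duplicate keys. The sample file content is constructed, and ClusterID 6 is the page's example value.

```powershell
# Added example (hypothetical helper, not LogRhythm tooling).
function Set-OptionalIniKeys {
    param(
        [string[]] $Lines,                                              # file content, one line per element
        [System.Collections.Specialized.OrderedDictionary] $Settings    # keys to enforce under [OPTIONAL]
    )
    $out = [System.Collections.Generic.List[string]]::new()
    $written = @{}        # keys already emitted; PowerShell hashtables are case-insensitive
    $inOptional = $false
    $headerIndex = -1     # position of the first [OPTIONAL] header in $out
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Any section header switches context; only [OPTIONAL] is edited
            $inOptional = $Matches[1].Trim() -ieq 'OPTIONAL'
            if ($inOptional -and $headerIndex -lt 0) { $headerIndex = $out.Count }
        }
        elseif ($inOptional -and $line -match '^\s*([^=;#]+?)\s*=' -and $Settings.Contains($Matches[1])) {
            $key = $Matches[1]
            # Rewrite the first occurrence with the wanted value, drop later duplicates
            if (-not $written.ContainsKey($key)) {
                $out.Add(('{0}={1}' -f $key, $Settings[$key]))
                $written[$key] = $true
            }
            continue
        }
        $out.Add($line)
    }
    # Keys not found in the file are placed directly under the header
    $missing = [string[]]@($Settings.Keys | Where-Object { -not $written.ContainsKey($_) } |
        ForEach-Object { '{0}={1}' -f $_, $Settings[$_] })
    if ($headerIndex -lt 0) {
        $out.Add('[OPTIONAL]')          # header absent: create it at the end of the file
        $out.AddRange($missing)
    }
    elseif ($missing.Count -gt 0) {
        $out.InsertRange($headerIndex + 1, $missing)
    }
    return ,$out.ToArray()
}

# Constructed sample content: header present, stale cluster ID, compression key missing
$sample = '[GENERAL]', 'Name=dp01', '[OPTIONAL]', 'SecondaryDXClusterID=4'
$wanted = [ordered]@{ DP2DXLogCompression = 'True'; SecondaryDXClusterID = '6' }   # 6 is the page's example ID
Set-OptionalIniKeys -Lines $sample -Settings $wanted
```

On the Data Processor, pass the output of Get-Content for scmedsvr.ini as -Lines and write the result back with Set-Content while the Mediator service is stopped, keeping a copy of the original file.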
