Configure LogRhythm DX


This section explains how to configure the LogRhythm DX (Data Indexer) to run in FIPS mode and communicate with the LogRhythm DPAWC machine using FIPS-approved algorithms.

Download and Install the LogRhythm FIPS Package

  1. Download the LogRhythm FIPS package (lrdx_fips.zip), available on the LogRhythm Community.

    The package consists of several applications that are required for running LogRhythm in FIPS mode.

  2. Create the directory /usr/local/logrhythm/LogRhythmFIPS (with no space between LogRhythm and FIPS).
  3. Unzip the contents of lrdx_fips.zip into that directory.
    The package contains:
    • LogRhythm stunnel application and configuration files – stunnel and lrdx_stunnel.conf.
    • LogRhythm FIPS SIT application and .hsh file – lrsitapp and dxsvcs.hsh.
    • OpenSSL 1.0.2u with FIPS Module 2.0.16 – libcrypto.so.1.0.0 and libssl.so.1.0.0 (used by stunnel and lrsitapp).
  4. Make the lrsitapp and OpenSSL libraries executable:

    sudo chmod a+x /usr/local/logrhythm/LogRhythmFIPS/lrsitapp
    sudo chmod a+x /usr/local/logrhythm/LogRhythmFIPS/libcrypto.so.1.0.0
    sudo chmod a+x /usr/local/logrhythm/LogRhythmFIPS/libssl.so.1.0.0
    sudo chmod a+x /usr/local/logrhythm/LogRhythmFIPS/libnsl.so.1

Configure the Stunnel Solution for DPAWC Communications

The LogRhythm services use stunnel to encrypt the DX/DPAWC communications using FIPS-approved algorithms.

  1. Edit the stunnel configuration file /usr/local/logrhythm/LogRhythmFIPS/lrdx_stunnel.conf:
    • Change all instances of LR_DPAWC_IPADDRESS to the IP address of the LR DPAWC machine.
    • Change all instances of LR_DX_IPADDRESS to the IP address of the LR DX machine.
  2. Create the stunnel client and server certificates using your organization's Certificate Authority or the Red Hat 7 system's OpenSSL application:
    • Copy the lr_stunnel.pem file to /usr/local/logrhythm/LogRhythmFIPS/lr_stunnel.pem.
  3. Configure iptables for SQL Server JDBC clients to use stunnel (bulldozer and carpenter):
    • Configure iptables for the SQL Server client connection:

      iptables -t nat -A OUTPUT -p tcp --dport 1433 -j DNAT --to-destination LR_DX_IPADDRESS:14330
  4. Set the library path to the provided OpenSSL shared libraries:

    sudo cp /usr/local/logrhythm/LogRhythmFIPS/libcrypto.so.1.0.0 /lib64/libcrypto.so.1.0.0
    sudo cp /usr/local/logrhythm/LogRhythmFIPS/libssl.so.1.0.0 /lib64/libssl.so.1.0.0
    sudo cp /usr/local/logrhythm/LogRhythmFIPS/libnsl.so.1 /lib64/libnsl.so.1


  5. Start stunnel:

    sudo /usr/local/logrhythm/LogRhythmFIPS/stunnel \
        /usr/local/logrhythm/LogRhythmFIPS/lrdx_stunnel.conf

    You must manually start stunnel each time the machine restarts.

Configure the LogRhythm API Gateway to Use the Stunnel Solution

Configuring the LogRhythm API Gateway involves setting the following system environment variables for the LogRhythm Service Registry to use:

| Variable | Description | Values |
| --- | --- | --- |
| FIPS_GATEWAY_ENABLED | When set to "true", the LR API Gateway uses the FIPS_GATEWAY_IP and FIPS_GATEWAY_PORT settings instead of the default remote IP and default port of 8501. This forces all remote traffic to be sent to a specific IP address and port, expecting only one other instance of API Gateway. | True/false |
| FIPS_GATEWAY_IP | IP address to forward all non-loopback (remote) requests for LR API Gateway. | A valid IPv4 address |
| FIPS_GATEWAY_PORT | Port to forward all non-loopback (remote) requests for LR API Gateway. | A valid TCP port |

To set the environment variables:

  1. Create a fips_config environment variable file containing the ENV variables using the following command (replace the 10.4.0.157 below with the DX IP address):

    IP=10.4.0.157; printf "FIPS_GATEWAY_ENABLED=true\nFIPS_GATEWAY_IP=${IP}\nFIPS_GATEWAY_PORT=8503\n" > /tmp/fips_config
    sudo mv /tmp/fips_config /usr/local/logrhythm/env/fips_config
  2. Set permissions:

    sudo chown persistent:persistent /usr/local/logrhythm/env/fips_config
  3. Verify the file was created:

    sudo cat /usr/local/logrhythm/env/fips_config
  4. Update the LogRhythmAPIGateway system service config to use the new fips_config environment file:

    sudo vi /usr/lib/systemd/system/LogRhythmAPIGateway.service
  5. Add the following line to the bottom of the [Service] section (just below the "KillSignal=SIGINT" line):

    EnvironmentFile=/usr/local/logrhythm/env/fips_config
  6. Create the firewall rule for the incoming stunnel connection to API Gateway. The first command adds the rule immediately; the second makes it permanent so that it persists after a restart:

    sudo firewall-cmd --add-port=8502/tcp --zone=internal
    sudo firewall-cmd --add-port=8502/tcp --zone=internal --permanent
  7. Apply and reload the LogRhythmAPIGateway service changes:

    sudo systemctl daemon-reload
    sudo systemctl restart LogRhythmAPIGateway
  8. Restart all the LogRhythm DX services.

    Each LogRhythm service will indicate it is operating in FIPS-approved mode in its respective application log.
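
An added example (not part of the LogRhythm documentation or product): a POSIX shell check that the fips_config file created in step 1 matches the Values column of the variable table, which catches mistakes such as an unexpanded ${IP} before the gateway is restarted. The function names are hypothetical, and accepting only lowercase true/false is an assumption based on the command shown in step 1.

```shell
#!/bin/sh
# Added example (not LogRhythm code): check a fips_config file against the
# "Values" column of the variable table. Function names are hypothetical.

valid_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and single dots
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                                # split into octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

valid_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Prints one line per problem; exit status is the number of problems found.
check_fips_config() {
  cfg_enabled='' cfg_ip='' cfg_port='' cfg_errors=0
  [ -r "$1" ] || { echo "cannot read $1"; return 1; }
  while IFS='=' read -r key value || [ -n "$key" ]; do
    case $key in
      FIPS_GATEWAY_ENABLED) cfg_enabled=$value ;;
      FIPS_GATEWAY_IP)      cfg_ip=$value ;;
      FIPS_GATEWAY_PORT)    cfg_port=$value ;;
      ''|'#'*)              ;;             # blank line or comment
      *) echo "unexpected entry: $key"; cfg_errors=$((cfg_errors + 1)) ;;
    esac
  done < "$1"
  case $cfg_enabled in
    true|false) ;;                         # assumption: lowercase only
    *) echo "FIPS_GATEWAY_ENABLED must be true or false"
       cfg_errors=$((cfg_errors + 1)) ;;
  esac
  valid_ipv4 "$cfg_ip" ||
    { echo "FIPS_GATEWAY_IP is not a valid IPv4 address"; cfg_errors=$((cfg_errors + 1)); }
  valid_port "$cfg_port" ||
    { echo "FIPS_GATEWAY_PORT is not a valid TCP port"; cfg_errors=$((cfg_errors + 1)); }
  return "$cfg_errors"
}
```

Run it as `check_fips_config /usr/local/logrhythm/env/fips_config` after step 3; an exit status of 0 means all three variables hold acceptable values.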
