Skip to main content
Skip table of contents

Configure LogRhythm DX

This section explains how to configure the LogRhythm DX (Data Indexer) to run in FIPS mode and communicate with the LogRhythm DPAWC machine using FIPs-approved algorithms.

Download and Install the LogRhythm FIPS Package

  1. Download the LogRhythm FIPS package (lrdx_fips.tar), available on the LogRhythm Community.

    The package consists of several applications that are required for running the LogRhythm in FIPS mode.

  2. Create the directory /usr/local/logrhythm/LogRhythmFIPS (with no space between LogRhythm and FIPS).
  3. Untar the contents of lrdx_fips.tar into that directory.
    The package contains:
    • LogRhythm stunnel application and configuration files – stunnel and lrdx_stunnel.conf.
    • LogRhythm FIPS SIT application and .hsh file – lrsitapp and dxsvcs.hsh
    • OpenSSL 1.0.2u with FIPS Module 2.0.16 - and  Used by stunnel and lrsitapp
  4. Make the lrsitapp and OpenSSL libraries executable:

    sudo chmod a+x /usr/local/logrhythm/LogRhythmFIPS/lrsitapp
    sudo chmod a+x
    sudo chmod a+x

Configure the Stunnel Solution for DPAWC Communications

The LogRhythm services use stunnel to encrypt the DX/DPAWC communications using FIPS-approved algorithms.

  1. Edit the stunnel configuration file /usr/local/logrhythm/LogRhythmFIPS/lrdx_stunnel.conf:
    • Change all instances of LR_DPAWC_IPADDRESS to the IP address of the LR DPAWC machine.
    • Change all instances of LR_DX_IPADDRESS to the IP address of the LR DX machine.
  2. Create the stunnel client and server certificates using your organization's Certificate Authority or the Red Hat 7 system's OpenSSL application:
    • Copy the lr_stunnel.pem file to /usr/local/logrhythm/LogRhythmFIPS/lr_stunnel.pem.
  3. Configure iptables for SQL Server JDBC clients to use stunnel (bulldozer and carpenter):
    • Configure iptables for the SQL Server client connection:

      iptables -t nat -A OUTPUT -p tcp --dport 1433 -j DNAT --to-destination LR_DX_IPADDRESS:14330
  4. Set the library path to the provided OpenSSL shared libraries:

    sudo cp /usr/local/logrhythm/LogRhythmFIPS/ /lib64/
    sudo cp /usr/local/logrhythm/LogRhythmFIPS/ /lib64/

  5. Start stunnel:

    sudo /usr/local/logrhythm/LogRhythmFIPS/stunnel 

    You must manually start stunnel each time the machine restarts.

Configure the LogRhythm API Gateway to Use the Stunnel Solution

Configuring the LogRhythm API Gateway involves setting the following system environment variables for the LogRhythm Service Registry to use:

FIPS_GATEWAY_ENABLEDWhen set to "true", the LR API Gateway uses the FIPS_GATEWAY_IP and FIPS_GATEWAY_PORT settings instead of the default remote IP and default port of 8501. This forces all remote traffic to send to a specific IP port, expecting only one other instance of API Gateway. True/false
FIPS_GATEWAY_IPIP address to forward all non-loopback (remote) requests for LR API Gateway.A valid IPv4 address
FIPS_GATEWAY_PORTPort to forward all non-loopback (remote) requests for LR API Gateway.A valid TCP port

To set the environment variables:

  1. Create a fips_config environment variable file containing the ENV variables using the following command (replace the below with the DX IP address):

    IP=;printf "FIPS_GATEWAY_ENABLED=true\nFIPS_GATEWAY_IP=${IP}\nFIPS_GATEWAY_PORT=8503\n" > /tmp/fips_config
    sudo mv /tmp/fips_config /usr/local/logrhythm/env/fips_config
  2. Set permissions:

    sudo chown persistent:persistent /usr/local/logrhythm/env/fips_config
  3. Verify the file was created:

    sudo cat /usr/local/logrhythm/env/fips_config
  4. Update the LogRhythmAPIGateway system service config to use the new fips_config environment file:

    sudo vi /usr/lib/systemd/system/LogRhythmAPIGateway.service
  5. Add the following line to the bottom of the [Service] section (just below the "KillSignal=SIGINT" line):

  6. Create the firewall rule for the incoming stunnel connection to API Gateway. (The first command will add an immediate rule, the second will set it as permanent that will be set after a restart):

    sudo firewall-cmd --add-port=8502/tcp --zone=internal
    sudo firewall-cmd --add-port=8502/tcp --zone=internal --permanent
  7. Apply and reload the LogRhythmAPIGateway service changes:

    sudo systemctl daemon-reload
    sudo systemctl restart LogRhythmAPIGateway
  8. Restart all the LogRhythm DX services.

    Each LogRhythm service will indicate it is operating in FIPS-approved mode in its respective application log.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.