Detailed Export File Contents From the Diagnostics Tool

This page describes the files produced by each export action in the LogRhythm Diagnostics Tool v3.1.0. Unlike earlier versions, v3.1.0 does not produce a single consolidated ZIP archive. Instead, each export action produces one or more discrete files targeted to the analysis type.

Export Logs (Per-Node ZIP Archives)

Initiated from the Export Logs tab. The Diagnostics Tool discovers all registered lr-diagnostics-agent instances via Consul/Service Registry and downloads a separate ZIP archive for each selected node.

Filename: lrdiag-export-<nodename>.zip

Characters that are invalid in Windows filenames (/ \ : * ? " < > |) in the node name are replaced with a hyphen (-).

ZIP Contents

Each per-node ZIP contains:

File/Folder | Description
Component log files | LogRhythm application log files for the component(s) installed on that node. The specific logs vary by component type (PM, DP, AIE, DX, Web Console).
services.json | JSON array listing all LogRhythm services on the node, including serviceName, displayName, status (running/stopped), and installed.
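
The following is an added example, not code from the Diagnostics Tool or from LogRhythm. It applies the filename rule above to detect node names that map to the same archive name, and reads services.json from a per-node ZIP to list installed services that are not running. Assumptions: services.json can sit at any depth in the archive, installed is a JSON boolean, and the service names in the sample are constructed placeholders.

```python
import io
import json
import re
import zipfile

# Characters the page lists as invalid in Windows filenames.
INVALID = re.compile(r'[/\\:*?"<>|]')

def export_name(node):
    """Expected archive name for a node: invalid characters become '-'."""
    return "lrdiag-export-" + INVALID.sub("-", node) + ".zip"

def name_collisions(nodes):
    """Group node names that sanitize to the same archive filename."""
    seen = {}
    for node in nodes:
        seen.setdefault(export_name(node), []).append(node)
    return {fname: names for fname, names in seen.items() if len(names) > 1}

def stopped_services(zip_bytes):
    """Return serviceName of each installed service not reported as running."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Assumption: the file's path inside the ZIP is unknown, so match on basename.
        member = next((m for m in zf.namelist()
                       if m.rsplit("/", 1)[-1] == "services.json"), None)
        if member is None:
            raise FileNotFoundError("services.json missing from archive")
        services = json.loads(zf.read(member))
    if not isinstance(services, list):
        raise ValueError("services.json is not a JSON array")
    return [s.get("serviceName", "<unnamed>") for s in services
            if s.get("installed") and str(s.get("status", "")).lower() != "running"]

def build_sample_zip():
    """Constructed sample archive with placeholder services (not real tool output)."""
    sample = [
        {"serviceName": "ExampleServiceA", "displayName": "Example A",
         "status": "running", "installed": True},
        {"serviceName": "ExampleServiceB", "displayName": "Example B",
         "status": "stopped", "installed": True},
        {"serviceName": "ExampleServiceC", "displayName": "Example C",
         "status": "stopped", "installed": False},
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("services.json", json.dumps(sample))
    return buf.getvalue()

if __name__ == "__main__":
    print(name_collisions(["dp:01", "dp*01", "pm01"]))
    print(stopped_services(build_sample_zip()))
```
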

Platform Sizing Export

Initiated from the Download Report button on the Platform Sizing tab after a sizing run completes.

HTML Report

Filename: logmart-assessment-<YYYYMMDD-HHMMSS>.html

A self-contained HTML file with embedded styles and Chart.js charts. Sections include:

  • Sizing summary and recommendations

  • DP utilization (processing and archiving rates vs. licensed/sustained/peak)

  • AIE engine power assessment

  • DX cluster sizing assessment

  • N-1 redundancy analysis

  • (If selected) Top 20 log sources by volume

Excel Workbook

Filename: logmart-assessment-<YYYYMMDD-HHMMSS>.xlsx

A multi-sheet Excel workbook. Sheets include:

Sheet | Contents
Summary | Deployment overview and sizing recommendations.
DP Utilization | Per-DP processing and archiving rate data.
AIE Engine | AI Engine processing rate data.
DX Cluster | Data Indexer cluster indexing rate data.
N-1 Analysis | Redundancy headroom per tier.
Log Sources (optional) | Top 20 log sources by volume (only present if the option was selected before running).

Platform Health Export

Initiated from the Download Report button on the Platform Health tab.

Filename: health-report-<YYYYMMDD-HHMMSS>.html

A self-contained HTML file. Sections include:

  • SQL Server database sizes, free space, and utilization

  • LogRhythm database versions and last update timestamps

  • SQL maintenance job history

  • Database backup history

  • InfluxDB connectivity status

  • Per-component disk utilization

  • LogRhythm service status for each component node

AIE Performance Export

Initiated from the Download Report button on the AIE Performance tab.

Filename: aie-performance-<YYYYMMDD-HHMMSS>.html

A self-contained HTML file. Sections include:

  • Per-rule performance metrics (runtime cost, memory cost, event forwarding/feedback rates)

  • Per-block performance metrics

  • Rule change audit history

  • Workload configuration

  • Slow, costly, and noisy rule rankings

  • Stale block list

  • .dat spool time-series charts

MPE Performance Export

Initiated from the Download Report button on the MPE Performance tab. One file is generated per Data Processor.

Filename: mpe-performance-<hostname>-<YYYYMMDD-HHMMSS>.html

Characters that are invalid in Windows filenames (/ \ : * ? " < > |) in the hostname are replaced with an underscore (_).

A self-contained HTML file. Sections include:

  • Worst overall MPE rules by volume-weighted CPU cost

  • Worst no-match rules (highest wasted CPU)

  • Worst match rules (highest match CPU)

  • High-overhead policies

  • Rule ordering recommendations

  • Regex timeout occurrences (from scmpe.log EVID=2052)

Deprecated Outputs

The following output files and folders from Diagnostics Tool v2.x are not produced by v3.1.0:

Old Artifact | Notes
DATAINDEXER_CLUSTER_<name>/ folder | Elasticsearch GET request JSON files are no longer collected
Miscellaneous/ folder | EMDB bulk CSV exports (topology, log source types, AIE rules, alarm rules, GLPRs, etc.) are no longer collected
*_perfmon.csv files | Windows Performance Monitor counters are no longer collected
capacity_analysis.txt | Replaced by the Platform Sizing HTML/Excel export
LRD2_Logs/ folder | Diagnostics Tool internal logs are no longer bundled into exports
export_<datestamp>.log | Data collection log is no longer written into the export output
Per-component nested ZIPs | Replaced by flat per-node ZIPs from the Export Logs tab