
Least Privileged User: PM, Disaster Recovery


LogRhythm’s Disaster Recovery solution includes LogRhythm SIEM software running in two LogRhythm deployments: one on a primary site and one on a secondary site. The primary site includes the active Platform Manager, which sends replicated data to the secondary Platform Manager. The secondary site essentially becomes a “hot standby” in a planned outage, natural disaster, or attack.

Shared Resources

Read | Write | Read & Execute | Modify | Full Control | Children Inherent
Microsoft SQL


LogRhythm System


Registry Access


Database Access

The DR services require admin rights for all LogRhythm SQL databases.


The ports used for replication between the two sites are open (not locked down by a firewall). The DR setup will automatically open ports secured by Windows Firewall, but not by other types of firewalls.

LogRhythm SQL Mirroring uses Port 5022. This is locked down to the replication interface (standalone network adapter).

DNS Infrastructure

All components within the primary and secondary sites must include a common DNS infrastructure. When configuring the DNS infrastructure, follow these guidelines:

  • Platform Managers. A common DNS record can point to either the IP address of the primary Platform Manager or the IP address of the secondary Platform Manager.
  • Data Indexers and AI Engines. The Data Indexers and AI Engines point to the Platform Manager using a DNS name rather than an IP address. Remote Data Indexers and AI Engines should also support DNS for connecting to either a primary site or a secondary site.
  • Agents. The Agents can use DNS to identify new Mediator host connections. The Agent resolves the DNS name to IP upon every new connection attempt. Agents can also be redirected to new Data Indexers using the Deployment Manager in the LogRhythm Console.
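
A pre-flight check for the port and DNS requirements above, written as an added example rather than LogRhythm tooling: it confirms that the common DNS record resolves only to a Platform Manager, that the peer answers on port 5022 from the replication interface, and that the local listener and Windows Firewall allow rules for that port are limited to that interface. The host name and all IP addresses are constructed placeholders, and reading "locked down" as a listener binding plus a firewall LocalAddress scope is an assumption.

```powershell
# Added example: every name and address below is a constructed placeholder.
$CommonPmName  = 'lr-pm.example.internal'  # assumed common DNS record for the Platform Manager
$PrimaryPmIp   = '10.10.0.10'              # assumed primary Platform Manager address
$SecondaryPmIp = '10.20.0.10'              # assumed secondary Platform Manager address
$LocalReplIp   = '192.168.50.1'            # assumed local replication-interface address
$PeerReplIp    = '192.168.50.2'            # assumed peer replication-interface address
$MirrorPort    = 5022                      # SQL Mirroring port stated on this page

$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Check, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail })
}

# 1. The common record must resolve, and only to the primary or secondary Platform Manager.
$answers = @(Resolve-DnsName -Name $CommonPmName -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
$unexpected = @($answers | Where-Object { $_ -notin @($PrimaryPmIp, $SecondaryPmIp) })
Add-Result 'Common DNS record resolves only to a Platform Manager' `
    ($answers.Count -gt 0 -and $unexpected.Count -eq 0) ("answers: " + ($answers -join ', '))

# 2. The peer must accept TCP 5022, and the traffic must leave via the replication interface.
$tcp = Test-NetConnection -ComputerName $PeerReplIp -Port $MirrorPort -WarningAction SilentlyContinue
Add-Result "Peer reachable on TCP $MirrorPort from the replication interface" `
    ($tcp.TcpTestSucceeded -and $tcp.SourceAddress.IPAddress -eq $LocalReplIp) `
    ("source address: " + $tcp.SourceAddress.IPAddress)

# 3. The local listener should be bound to the replication address, not to a wildcard.
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $MirrorPort -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalAddress -Unique)
$wide = @($listeners | Where-Object { $_ -ne $LocalReplIp })
Add-Result "Port $MirrorPort listens only on the replication interface" `
    ($listeners.Count -gt 0 -and $wide.Count -eq 0) ("listening on: " + ($listeners -join ', '))

# 4. Enabled inbound allow rules that name the port should be scoped to the same address.
#    Rules that cover the port through a range or 'Any' are not matched by this filter.
$scopes = @(Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains "$MirrorPort" } | Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Get-NetFirewallAddressFilter | ForEach-Object { $_.LocalAddress })
$open = @($scopes | Where-Object { $_ -ne $LocalReplIp })
Add-Result "Firewall allow rules for TCP $MirrorPort are scoped to the replication interface" `
    ($scopes.Count -gt 0 -and $open.Count -eq 0) ("LocalAddress scopes: " + ($scopes -join ', '))

$results | Format-Table -AutoSize -Wrap
if ($results.Pass -contains $false) { exit 1 }
```

Run it on each Platform Manager with the local and peer replication addresses swapped. Firewalls other than Windows Firewall are outside what these cmdlets can inspect, so a failed reachability check with clean local results points at a device between the sites.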