LogRhythm SIEM Databases
The Web Console draws information from the following LogRhythm SIEM databases.
| This Web Console function... | Extracts data from this database... |
|---|---|
| Alarms | Alarms (LogRhythm_Alarms): The Alarms Database includes data related to all alarms, alarm notifications, and alarm histories generated by the LogRhythm Alarming and Response Manager (ARM). |
| Case Management | CMDB (LogRhythm_CMDB): The Case Management Database includes data for all cases as well as most of the associated evidence. |
| Dashboard Events Analyzer drill down | Events Database (LogRhythm_Events): Contains log data that qualified as an Event. |
| Dashboard Rate gauge / Dashboard Trend chart | LogMart (LogRhythm_LogMart): Contains log metadata that qualified as an Event, or data that was sent because of a processing rule. LogMart also includes tracking statistics for the log data volume. |
| List Management | EMDB (LogRhythmEMDB): The Platform Manager Database includes all configuration information. |
| Reports | Alarms (LogRhythm_Alarms): The Alarms Database includes data related to all alarms, alarm notifications, and alarm histories generated by the LogRhythm Alarming and Response Manager (ARM). |
| Search | Data Indexer (Elasticsearch): The Data Indexer's Elasticsearch contains all the collected log data (both raw logs and associated metadata). |
| User Preferences (layouts, settings, etc.) | EMDB (LogRhythmEMDB): The Platform Manager Database includes all configuration information. |
Strategic Guidance on LogMart Usage
LogMart is a legacy database component from a previous architecture. While it remains supported for specific, pre-existing reporting needs, it is not recommended for new deployments or use cases.
Key Considerations
Performance: LogMart was not designed for high-volume data forwarding and can become a performance bottleneck, especially for unique logs that do not aggregate well. As a best practice, disable log forwarding to LogMart by default.
Limited Use Case: LogMart’s only intended function is historical, count-based reporting at the log source level. It should not be used for operational monitoring, health checks, or performance analysis.
Future Direction: The long-term product strategy is to retire LogMart in favor of modern, indexer-based analytics and the Metrics-API. You should prioritize using native dashboarding and reporting tools for all new analysis.
As of LogRhythm SIEM version 7.23, LogMart is a legacy component slated for future retirement. It is not recommended to build new processes that rely on LogMart. If you have a specific reporting need, enable forwarding only for the precise classification types required and for logs that will aggregate well.