LogRhythm NDR Prerequisites
Network Requirements
LogRhythm NDR External Addresses
The LogRhythm NDR appliance needs access to our cloud management node at the following addresses and ports. Configure your firewall to allow outbound communication from the appliance to these destinations.
Source | Destination | Port | Protocol | Purpose |
---|---|---|---|---|
LogRhythm NDR Appliance | CCN created as part of LogRhythm NDR provisioning | 443 | TCP | CCN Control |
LogRhythm NDR Appliance | CCN created as part of LogRhythm NDR provisioning | 4505 | TCP | Salt Server |
LogRhythm NDR Appliance | CCN created as part of LogRhythm NDR provisioning | 4506 | TCP | Salt Server |
LogRhythm NDR Appliance | https://github.com/logrhythm/minion-install/raw/main/install-salt-minion.sh | 443 | TCP | Salt server install script |
LogRhythm NDR Appliance | Ability to connect to external DNS | 53 | DNS | Resolve IPs |
LogRhythm NDR Appliance | Public Ubuntu repositories (can be configured to use local repos) | 80, 443 | HTTP, HTTPS | Download package updates |
LogRhythm NDR Appliance | whois.arin.net | 443 | HTTPS | Internet access from analytics side |
LogRhythm NDR Appliance | rest.db.ripe.net | 443 | HTTPS | Internet access from analytics side |
LogRhythm NDR Appliance | rdap.apnic.net | 443 | HTTPS | Internet access from analytics side |
LogRhythm NDR Appliance | virustotal.com | 443 | HTTPS | Internet access from analytics side |
LogRhythm NDR Appliance | whois.internic.net | 43 | WHOIS | Internet access from analytics side |
LogRhythm NDR Appliance | Third party integration URL | 443 | TCP | Third party API integration (optional) |
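
The outbound rules in the table above can be checked from the appliance's network segment before provisioning. The script below is an added example, not LogRhythm tooling: the script name `ndr_preflight.py` and the CCN hostname argument are assumptions, and the Ubuntu repository and third-party integration hosts are omitted because this page does not name them.

```python
#!/usr/bin/env python3
"""Pre-flight check of the outbound TCP rules in the external addresses table."""
import socket
import sys

# Fixed hostnames and ports taken from the table above.
FIXED_TARGETS = [
    ("github.com", 443), ("whois.arin.net", 443), ("rest.db.ripe.net", 443),
    ("rdap.apnic.net", 443), ("virustotal.com", 443), ("whois.internic.net", 43),
]
CCN_PORTS = (443, 4505, 4506)  # CCN control plus the two Salt server ports


def build_targets(ccn_host):
    """Return every (host, port) pair to test; ccn_host is deployment-specific."""
    return [(ccn_host, p) for p in CCN_PORTS] + FIXED_TARGETS


def check_tcp(host, port, timeout=5.0):
    """Classify one outbound connection attempt.

    Returns "open", "dns-failure" (resolver or port 53 path problem),
    "refused" (a reset came back: reject rule or no listener),
    "timeout" (typical of a firewall silently dropping), or "error".
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-failure"
    result = "error"
    for family, socktype, proto, _, addr in infos:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
                return "open"
            except ConnectionRefusedError:
                result = "refused"
            except socket.timeout:
                result = "timeout"
            except OSError:
                result = "error"
    return result


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ndr_preflight.py <ccn-hostname>")
    results = [(h, p, check_tcp(h, p)) for h, p in build_targets(sys.argv[1])]
    for h, p, status in results:
        print(f"{h}:{p} {status}")
    sys.exit(0 if all(r[2] == "open" for r in results) else 1)
```
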
LogRhythm NDR Internal Addresses
Source | Destination | Port | Protocol | Purpose |
---|---|---|---|---|
LogRhythm NDR Appliance | Internal NTP Server | 123 | UDP | Ensure time source is correct |
LogRhythm NDR Appliance | LogRhythm Collector | 514 | TCP/UDP | Send logs to LogRhythm |
LogRhythm NDR Appliance | SSH (Putty) | 22 | TCP | Access appliance |
LogRhythm NDR Appliance | Active Directory | | TCP | Pull in AD hosts and users |
iDrac Configuration
Source | Destination | Port | Protocol | Purpose |
---|---|---|---|---|
LogRhythm NDR Appliance iDrac | Web page | 80, 443, 5900, 5901 | TCP, HTTP, HTTPS, VNC | iDrac control |
Customer Laptop
Source | Destination | Port | Protocol | Purpose |
---|---|---|---|---|
Laptop/Desktop to access LogRhythm NDR Cloud | CCN created as part of LogRhythm NDR provisioning (*.misnet.io) | 443 | TCP | Access to UI |
Active Directory Account Creation
LogRhythm NDR requires a read-only account to query the Active Directory domain controller and see user logon and logoff events. If you are using a domain admin account, you will need to create a read-only account to query the LDAP server for user and host organization information. For more information on creating a read-only account, see Create an Active Directory Account.