
Install and Configure LogRhythm UEBA Components

CloudAI is now named LogRhythm UEBA.

However, both names are referenced in our documentation. While the product name is now LogRhythm UEBA, the user interface (UI) continues to reference CloudAI.

The LogRhythm UEBA (formerly CloudAI) configuration steps 6-10 below changed in LogRhythm version 7.6.0. If you have an existing CloudAI installation and are upgrading LogRhythm 7.5.1 (or earlier) to LogRhythm 7.6.0 (or newer), you must repeat steps 6-10 below on your Platform Manager (or XM) for CloudAI to function properly.

After you establish your UEBA subscription, you will receive a certify-<companyname>-windows.zip installer.

All traffic to LogRhythm UEBA is initiated from the SIEM and goes over TCP/443, using HTTP over TLS. Watchtower and Transporter on the Data Indexer communicate with the appropriate URL for your GCP location, and the Web Console API on the Platform Manager (PM) communicates with ui.analytics.logrhythm.com.

To complete the installation and configuration of CloudAI:

  1. Extract the contents of the .zip file to an accessible location on your machine. To do this, enter the password provided.

  2. Run the Certify installer in the .zip file on your Platform Manager: 
    • In the extracted folder, double-click the Certify.msi file to run it.
    • If the installer runs successfully, it creates a folder to store the certificates. The default location for the certificates is C:\Program Files\LogRhythm\Data Indexer\Certify.

      Certify does not need to be run on any Data Indexer in the deployment. You only need to install Certify on the Platform Manager.

  3. Open a command prompt as an administrator and go to C:\Program Files\LogRhythm\LogRhythm Authentication Services\LogRhythm Authentication API\updateAICloudCertificate.
  4. Run configure.bat, and in the window that opens, provide the following information:

    | Field | Description |
    |---|---|
    | Username | Your LogRhythm Web Console user name for an account with administrative privileges to update the EMDB. |
    | Password | The corresponding password for the user name. |
    | Company name | Your company name as it is defined in your CloudAI account. This can also be found in the name of the certify zip file: certify-<companyname>-windows.zip |
    | Public key file name | C:\Program Files\LogRhythm\Data Indexer\Certify\TAC.pub (This is the absolute path to the TAC.pub file installed by Certify). If the TAC.pub file is installed in the default location provided, this prompt can be left blank. |
    | Private key file name | C:\Program Files\LogRhythm\Data Indexer\Certify\TAC.key (This is the absolute path to the TAC.key file installed by Certify). If the TAC.key file is installed in the default location provided, this prompt can be left blank. |

    The configure.bat script will display the following message when completed:

    Successfully updated the application used to verify requests to the AI Cloud.

    Type any key to exit

    Once completed, press any key. The window closes and the script exits.

  5. After configure.bat has finished running, restart the LogRhythm Authentication API service.
  6. Launch the Configuration Manager:
    1. Click Show on the Advanced View option.
    2. On the left-side navigation menu, click CloudAI.
    3. Change the Enable CloudAI field to Enabled.
  7. (Optional) To configure the URL the Web Console will communicate with, launch the LogRhythm Configuration Manager.
    1. Click Show on the Advanced View option.
    2. On the left-side navigation menu, click CloudAI.
    3. Change the CloudAI Results API URL field to the target data center.
    4. Click Save.

      Only use the URL provided for your region by customer support. You must also change the CloudAI Ingest API URL setting in the Configuration Manager to the endpoint provided.

      Do NOT change this after initial setup without contacting LogRhythm Support.

  8. (Optional) To configure the URL the Transporter service on the Data Indexer sends log metadata to, launch the LogRhythm Configuration Manager. 
    1. Click Show on the Advanced View option.
    2. On the left-side navigation menu, click CloudAI.
    3. Change the CloudAI Ingest API URL field to the target data center.

    4. Click Save.

      Only use the URL provided for your region by customer support. You must also change the CloudAI Results API URL setting in the Configuration Manager to the endpoint provided.

      Do NOT change this after initial setup without contacting LogRhythm Support.

  9. (Optional) To configure a regular proxy for CloudAI Web Console configuration, launch the LogRhythm Configuration Manager. 
    1. Click Show on the Advanced View option.
    2. Locate the CloudAI Proxy URL field in the configuration.

    3. Change the CloudAI Proxy URL field to target your proxy.
    4. Click Save.

      The Proxy Server must be a valid URL pointed to a regular proxy, not a transparent proxy. Transparent proxy paths are configured at a system level and do not require LogRhythm configuration. The Proxy Server field routes all external CloudAI traffic through the regular proxy provided.

      If your regular proxy uses a trusted CA certificate, you do not need to configure the proxy CA certificate in the LogRhythm Configuration Manager. If your regular proxy uses a self-signed or untrusted CA certificate, complete the following steps.

    5. Locate the CloudAI Proxy CA Certificate field in the configuration.

    6. Click Choose File and select the public certificate of the proxy in PEM format, or change the CloudAI Proxy CA Certificate field to be the contents of the public certificate of the proxy in PEM format.

    7. Click Save.
  10. (Optional) To configure a transparent proxy for CloudAI Web Console configuration, launch the LogRhythm Configuration Manager. 

    If your transparent proxy uses a trusted CA certificate, no configuration is needed in the LogRhythm Configuration Manager. If your transparent proxy uses a self-signed or untrusted CA certificate, complete the following steps.

    1. Click Show on the Advanced View option.
    2. Locate the CloudAI Proxy CA Certificate field in the configuration.

    3. Click Choose File and select the public certificate of the proxy in PEM format, or change the CloudAI Proxy CA Certificate field to be the contents of the public certificate of the proxy in PEM format.

    4. Click Save.
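
The following PowerShell pre-flight check is an added example, not LogRhythm code or part of the original procedure. It confirms that the Certify key files from steps 2-4 exist, reports broad read access on TAC.key, and inspects the proxy certificate from steps 9-10 before it goes into the CloudAI Proxy CA Certificate field. The path C:\Temp\proxy-ca.pem is a hypothetical location, and "trusted" is approximated here by the Windows trust store of the host the script runs on.

```powershell
# Added example, not LogRhythm code. Run in an elevated PowerShell on the Platform Manager.
$CertifyDir = 'C:\Program Files\LogRhythm\Data Indexer\Certify'   # default path from step 2
$ProxyCaPem = 'C:\Temp\proxy-ca.pem'                              # assumption: where the proxy certificate was saved

# Steps 2-4: configure.bat needs both key files. Report broad groups that can read the private key.
$broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'   # Everyone, Authenticated Users, BUILTIN\Users
foreach ($name in 'TAC.pub', 'TAC.key') {
    $path = Join-Path $CertifyDir $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { Write-Warning "Missing: $path"; continue }
    if ($name -ne 'TAC.key') { continue }
    # Ask for the ACEs keyed by SID so the check does not depend on localized group names.
    $rules = (Get-Acl -LiteralPath $path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and $broadSids -contains $ace.IdentityReference.Value) {
            Write-Warning "TAC.key: $($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
        }
    }
}

# Steps 9-10: the field expects the proxy's public certificate in PEM format.
$pem = Get-Content -LiteralPath $ProxyCaPem -Raw
if ($pem -match '-----BEGIN [A-Z ]*PRIVATE KEY-----') {
    throw 'File contains a private key; export only the public certificate.'
}
$m = [regex]::Match($pem, '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----', 'Singleline')
if (-not $m.Success) { throw 'No PEM certificate block found (is the file DER or PKCS#7?).' }

# Decode the first certificate block and load it for inspection.
$der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$der)

$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$now   = Get-Date
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the check offline

[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    Thumbprint    = $cert.Thumbprint
    IsCA          = [bool]($bc -and $bc.CertificateAuthority)
    InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
    TrustedByHost = $chain.Build($cert)   # True: this host's Windows trust store already trusts it
}
```

Compare the reported thumbprint with the one your proxy administrator gives you before saving the certificate in the Configuration Manager.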


Verify the Configuration

Verify that you are successfully sending data to CloudAI:

  1. Open one of the supported browsers and go to http://localhost:3000/ on your Platform Manager.

  2. On the Home menu at the upper-left corner of the page, click Data Indexer.
  3. On the Data Indexer sub-menu, click the CloudAI dashboard.
  4. Expand the bar at the bottom of the page labeled CloudAI Metrics (<name of data indexer>).
  5. Examine the CloudAI HTTP Responses graph. Make sure the graph shows a line labelled 200 (OK): <cloudai url>.
  6. Close the browser.

