Core Deployment & Best Practices:

7.1.x Session 2
10/13/20 15

LogRhythm Deployment Guide6 3 x.docx

 - HA Field Installation Guide

© LogRhythm, Inc. All rights reserved.

This document contains proprietary information, which is protected by copyright. The software described in
this guide is furnished under a software license or nondisclosure agreement. This software may be used or
copied only in accordance with the terms of the applicable agreement. No part of this guide may be
reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and
recording for any purpose other than the purchaser’s personal use without the written permission of
LogRhythm, Inc.

Warranty

The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of the merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for
any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or
use of this information.

Trademark

LogRhythm® is a trademark of LogRhythm, Inc.

LogRhythm Inc.

4780 Pearl East Circle

Boulder, CO 80301

(303) 413-8745

www.logrhythm.com

LogRhythm Customer Support

[email protected]

1.303.413.8745 [email protected]
 - HA Field Installation Guide

Contents  
Introduction.......................................................................................................................................1  
LogRhythm Certified Deployment Engineer Program ................................................................................1  
LogRhythm Certified Installation Process ............................................................................................1  
LogRhythm Implementation Support ..................................................................................................2  

System Monitor ..................................................................................................................................3  

Install Windows Agent .....................................................................................................................3  
Install Linux Agent ..........................................................................................................................8  
Flat file collection .......................................................................................................................... 10  

Syslog collection ........................................................................................................................... 13  

Windows Host Wizard ........................................................................................................................ 14  
Agent Functionality ........................................................................................................................... 17  
Validate a Log Source ....................................................................................................................... 17  
Using Tail ..................................................................................................................................... 17  
Using Investigator ......................................................................................................................... 19  
Life of a Log..................................................................................................................................... 20  
Correlation and Contextualize............................................................................................................. 20  

Personal Dashboard .......................................................................................................................... 21  

Global Log Processing Rules ............................................................................................................... 21  
Creating a GLPR ............................................................................................................................ 22  
Create User ID ................................................................................................................................. 24  
Create Notification Policy ................................................................................................................... 24  
Notification Groups ........................................................................................................................... 25  
User Profiles .................................................................................................................................... 26  
Security Roles .............................................................................................................................. 27  
Templates, Reports & Packages .......................................................................................................... 28  
Log Volume Report ........................................................................................................................... 28  
Diagnostic Alarms ............................................................................................................................. 30  
Silent Log Sources ............................................................................................................................ 31  

1.303.413.8745 [email protected]
Introduction
This document will explain the LogRhythm Certification Deployment process and document the
recommended steps and configuration settings.

This document should be used by a LogRhythm Certified Deployment Engineer to implement a

LogRhythm SIEM solution. In the event a software solution is required, the engineer should contact
LogRhythm Professional Services for guidance.

While the settings defined below are the recommended configurations, you will, at times, see a need
to deviate from them. If an engineer implements a deviation, it is recommended that he or she
document that deviation along with an explanation of why it was necessary.

This document includes information and instructions on the following:

•   LogRhythm Certified Deployment Engineer Program

•   Step-by-Step Core Installation
•   Knowledge Base Import
•   Tuning LogRhythm

LogRhythm Certified Deployment Engineer Program

The LogRhythm Certified Deployment Engineer Program was developed to support the channel for
delivering Certified LogRhythm Professional Services days. The program ensures that the quality of
the LogRhythm implementations is maintained.

LogRhythm implementations should be completed by a LogRhythm Certified Deployment Engineer

(LCDE).

The LogRhythm Certified Deployment Engineer is qualified to do basic configurations, such as device
patching, implementing the LogRhythm recommended tuning guide, and configuring log collection
from common devices, such as MS Windows, Unix, or standard Syslog devices.

The LogRhythm Certified Deployment Engineer Specialist1 is qualified to do advanced configurations,

such as multi-appliance installations, creation of new processing rules, and configuring log collection
from advanced devices, such as CheckPoint Firewall, Oracle, or SQL server.

No other certified professional is permitted to deliver LogRhythm Certified Professional Services days.

In addition, LogRhythm will stand behind all LogRhythm Certified Professional Services days and take
remedial actions, where appropriate, for any certified delivered day that does not meet customer
expectations.

LogRhythm Certified Installation Process

The LogRhythm Certified Installation Process has been designed to ensure the quality of LogRhythm
implementations. Certified installations can only be completed by a LCDE.

LCDE consultants have an obligation to follow the process described below in order to successfully
implement the LogRhythm solution within the customer organization.

All steps in the process should be documented and captured on the LogRhythm deployment checklist.

1
This certification is forthcoming.

February 17, 2016 1

LogRhythm Inc |
After the deployment, this checklist document should be provided to the end customer.

LogRhythm Implementation Support

The LCDE can call upon LogRhythm Professional Services team for installation support.

The LCDE will need to provide details of what the installation session’s goals and objectives are.
Contact details for the LogRhythm Professional Services team are available at the end of this
document.

February 17, 2016 2

LogRhythm Inc |
System Monitor

The System Monitor Agent, also called an Agent, is a software component that provides local and
remote log data collection across various English-based operating systems including Windows and
*NIX. See the System Monitor Agent Operating System Support table for a complete list of supported
operating systems.

The agent serves as a central log data collector, collecting logs from many devices, servers,
databases, and applications, performing host activity monitoring and forwarding logs, via
authenticated TLC connections, to the Data Processor. It consists of the following Windows Service:
System Monitor Service.

We will install a Windows and a Linux agent. The windows agent will be configured for local collection
and the Linux agent for flat file collection (/var/log/messages). Syslog will be demonstrated and
general agent functionality will be reviewed.

System Requirements:

CPU RAM Disk

1GHz min 2GHz recommended 1GB min 2GB recommended 10GB (includes log storage)

Install Windows Agent

Software requirements:

.NET 4.0 or 4.5

Installation

Log in to the host machine where the new Agent will reside.

Download the appropriate agent version from the support portal. Install the Agent by running the
downloaded LRSystemMonitor_7.x.x.xxx.exe or LRSystemMonitor_64_7.x.x.xxxx.exe file.

If the system does not have the Microsoft Visual C++ 2010 Redistributable Package installed, click
Install.

February 17, 2016 3

LogRhythm Inc |
Follow the instructions for the Setup Wizard:

February 17, 2016 4

LogRhythm Inc |
Accept license agreement and click Next.

Use the default installation path whenever possible and click next.

February 17, 2016 5

LogRhythm Inc |
Clicking the Space button shows how much space available and required. Install the Realtime FIM
driver, if desired. Select the Realtime FIM Driver menu and then select “This feature will be installed
on local hard drive” and then click Next.

You are now ready to install the agent. Click Install.

February 17, 2016 6

LogRhythm Inc |
Click Finish.

Launch the System monitor Local Configuration Manager. The General tab of the System Monitor
Local Configuration Manager is displayed.

Replace CHANGE_THIS with the static IP address or fully qualified domain name (System Monitor 6.2
or above) of the appropriate Data Processor. By allowing a domain name, LogRhythm deployment
connection settings using an internal host name can control IP address assignment through their DNS
server.

Enter the static IP address [of the host running the SM Agent] to use when connecting to the Data
Processor. This must be an IP address not a hostname. Click Apply.

Click the Windows Service tab, change the startup type to automatic and start the service. Click OK.

February 17, 2016 7

LogRhythm Inc |
Note: If you intend to peqrform remote collection with this agent it must be configured to run using

an account which FIX ME.

Install Linux Agent

Download the appropriate package for your version of Nix and install via your preferred method. You
can automate via any automation suite (such as chef or puppet) or use the following chart to
determine the method for your OS:

Check Remove/Uninstall
*NIX Type Upgrade Install
Version Agent

tar xf filename.tar
lslpp -l
AIX N/A installp -u scsm
scsm
installp -a -d . scsm

dpkg -p
Debian N/A dpkg -r scsm dpkg -i filename.deb
scsm

rpm -U rpm -q
Fedora* rpm -e scsm rpm -i filename.rpm
filename.rpm scsm

tar xf filename.tar
HP-UX N/A swlist scsm swremove scsm
swinstall -s
/tmp/filename.depot \*

rpm -q
Oracle Linux N/A rpm -e scsm rpm -i filename.rpm
scsm

tar xf filename.tar
pkginfo -l
Solaris SPARC N/A pkgrm scsm
scsm
pkgadd -d . scsm

tar xf filename.tar
pkginfo -l
Solaris x86 N/A pkgrm scsm
scsm
pkgadd -d . scsm

Red Hat Enterprise/ rpm -U rpm -q

rpm -e scsm rpm -i filename.rpm
CentOS* filename.rpm scsm

rpm -U rpm -q
Red Hat Linux* rpm -e scsm rpm -i filename.rpm
filename.rpm scsm

rpm -U rpm -q
SUSE* rpm -e scsm rpm -i filename.rpm
filename.rpm scsm

February 17, 2016 8

LogRhythm Inc |
 Check Remove/Uninstall
*NIX Type Upgrade Install
Version Agent

dpkg -p
Ubuntu N/A dpkg -r scsm dpkg -i filename.deb
scsm

Once installed you must configure it via the command line. Navigate to the Agent configuration
folder: cd /opt/logrhythm/scsm/config folder and use a text editor to change the scsm.ini file.

#############################################################
# LogRhythm System Monitor Agent Configuration File
# Copyright 2008-2012 LogRhythm, Inc.
#
# Comments begin with '#', blank lines are ignored
#############################################################

# Mediator sections - up to 3 Mediators are supported.

# Each Mediator has its own section with an incrementing header number: [Mediator n]
[Mediator 1]

# IP address of the Mediator this Agent will connect to. DNS names are not recognized.
Host=CHANGE_THIS

# Port number the Mediator is listening on

ServerPort=443

# IP address or index of the address to use for transmitting messages to the Mediator.
# This is either a static IP v4/v6 address (recommended) or the zero-based index of the
# address to use from a list of all available IP addresses. The default is to select
# an address from all available IPv4 addresses. To select an address from all available
# IPv6 addresses, append '|6' to the index number (e.g., use '0|6' to specify the first
# available IPv6 address). Valid values are:
#
# - static IP Address
# - index of address to use, for example:
# - '0' for the first available IPv4 address
# - '0|6' for the first available IPv6 address
# - '2' for the third available IPv4 address
# - '2|6' for the third available IPv6 address
#
ClientAddress=CHANGE_THIS

# Port number to use for transmitting messages to the Mediator.

ClientPort=3333

Save your changes and close the file. Start the agent via /etc/init.d/scsm start or service scsm start.
We recommend changing the ClientAddress as many Nix variants have more than one NIC.

Logging location is /opt/logrhythm/scsm/logs

February 17, 2016 9

LogRhythm Inc |
Flat file collection

Open Deployment Manager and go to System Monitors. Right click on an appropriate System Monitor
Agent and click properties. On the Agent Settings right click in the log list and select New.

February 17, 2016 10

LogRhythm Inc |
The Log Message Source Properties dialog box will be displayed.

1.   Insure that the proper host and collection agent are specified
2.   Select the appropriate Log Message Processing Engine Policy
3.   Click the ellipse next to Log Message Source Type

The Log Source Type Selector will be displayed. The next steps are specific to collecting
/var/log/messages flat file. In the Text Filter type Linux and click Apply. Select System: Flat File –
Linux Host Secure Log and click OK.

February 17, 2016 11

LogRhythm Inc |
On the Log Message Source Properties dialog box select the Flat File Settings Tab. Click the ellipse
next to the Date parsing format and select Linux Host Secure Log. Enter the file path
/var/log/messages. Click OK. Click OK on the System Monitor Agent Properties.

February 17, 2016 12

LogRhythm Inc |
Syslog collection

We will examine gathering logs from a syslog source next. This guide assumes that the customer has
configured a log source to send syslog to a System Monitor that has been deployed.

***Reference help guide, search for Device Configuration Guides which lists various Syslog
sources***

Navigate to the Deployment Manager then System Monitors tab. In the bottom pane select an
appropriate agent right click and select properties.

Click on the Syslog and Flow Settings tab and check Enable Syslog Server. Click OK.

Any syslog pointed to this agent will show up under the Log Sources tab with a status of Pending.
Click the action check box, right click on the source and select Change Log Source Type. Select an
appropriate log source type. Right click again, select Actions, Accept, Defaults.

February 17, 2016 13

LogRhythm Inc |
Windows Host Wizard

Windows Host Scanner connects to Active Directory to find Windows systems on the domain. Eligible
systems returned by the scan can be selected for remote log collection. Correctly defined permissions
are essential to identify systems and collect logs. Only GlobalAdmin has access to the wizard.

Click the Deployment Manager button or on the Tools menu, click Administration, then click
Deployment Manager.

On the Tools menu, click Administration, then click Windows Host Wizard.

February 17, 2016 14

LogRhythm Inc |
The Windows Host Wizard appears. Click ‘Scan Domains for Computers’.

Click Yes, No or Cancel to stop the operation.

Progress is displayed at the bottom of the window. You can stop scanning while actively scanning by
clicking ‘Stop Scanning Domains’.

When scanning is complete computers the displayed in the Active Directory Computers tab

February 17, 2016 15

LogRhythm Inc |
Use the Add Log Sources context menu command to add additional log sources to be collected from
one or more computers. Log Sources will not be added to checked computers where they already exist
or are invalid. Many sources are added by default. Scroll to the right of the Windows Host Wizard
Active Directory Computers tab to see which are added by default for the selected hosts.

Select one or more hosts by clicking the action box. Right-click in the grid to show the context menu
then Click Actions, Accept, Assign Remote System Monitor Agent. Select the appropriate
system monitor agent:

Click OK and then Yes. The hosts are now listed under the Active tab at the bottom of the window.
Clicky OK or Apply to save these changes. You must click OK or Apply.

February 17, 2016 16

LogRhythm Inc |
Agent Functionality
The agent serves as a central log data collector, collecting logs from many devices, servers,
databases, and applications, performing host activity monitoring and forwarding logs, via
authenticated TLC connections, to the Data Processor. It consists of the following Windows Service:
System Monitor Service. LogRhythm Compatibility and System Monitor Functionality Guide
Chart.

LogRhythm provides the following two types of Agent licenses:

System Monitor Lite

System Monitor Pro (*Additional License diff in Help Guide under SysMonitor)

Real time FIM requires Pro License

Validate a Log Source

Using Tail

Using LogRhythm's Tail tool is similar to using the Investigator. However, a Tail will query for new logs
and update your log/event list in real-time. Tail is primarily used to track real-time and near time logs

February 17, 2016 17

LogRhythm Inc |
and events. The concept of the Tail command should be familiar to users of UNIX/Linux based
operating systems. Tails that you save are only available to your user login.

1.   Open the LogRhythm Console.

2.   Click Tail on the toolbar

OR
On the Tools menu, click Monitor, and then click Tail from the menu > Tail Wizard appears.

3.   Select Configure New Tail

4.   Click Next.
The Select Log Sources to Query window appears.

5.   Select which source to query:

•   All available Log Sources:

All log sources available to your user account will be queried.

•   Selected Log Source Lists:

Check which Log Source Lists to query from the grid that appears.

•   Selected Log Sources:

Check which Log Sources to query from grid that appears.

6.   Click Next.

The Specify Event Selection window appears.

7.   Select an option from the Add New Field Filter.

Note: The Account by Active Directory Groupfilter is only available to Global Administrators and Global
Analysts. Restricted Analysts and Restricted Administrators may not create or edit anAccount by
Active Directory Group filter.

8.   For detailed instructions on adding filters, see Using the Filter Editor.

February 17, 2016 18

LogRhythm Inc |
 9.   Click Next.
The Select Log Repositories to Query window appears.

10.  Specify the log repositories to include in the query:

a.   To include the Platform Manager database in the query, select the Query the Platform Manager
check box.

b.   To select the Data Processor databases to query, select the Query all default Data
Processors check box or select the individual check boxes Query the following Data Processors list.

c.   In the Settings section, specify:

•   History to Load: how much previous history should be loaded (up to 1 week).

•   Refresh Rate: how often new logs should be queried for (between 1 and 60 seconds).

•   Query Timeout: how long the query can run before it times out (5 to 600 seconds)

•   Aggregate Log Cache Size: how many aggregate logs to store in memory (1 to
10,000).

•   Log Cache Size: the number of individual logs to cache in memory (between 1 and
10,000).

•   Include Raw Log in Query Results: check to include the raw logs in the query results.

11.  Click Next.

12.  To save this Tail so you can use it again without doing all the set up:

1.   Enter a name and description.

2.   Select the Permissions and Record Type.

The tables below explain the options for each user type and the drop down selections available.

3.   Configure Intelligent Indexing.

•   Select Enable Intelligent Indexing, if desired.

•   Select Enable Expiration Date, if desired.

4.   Click Save.

13.  Click Next to start the query.

The Tail viewer shows an Aggregate Log/Event Listing and a Log/Event list on the same screen. Both
lists will update in real-time.

Using Investigator

This feature has a lot of similarity to the Tail tool, only variations are listed below

February 17, 2016 19

LogRhythm Inc |
 1.   Select investigate from the tool bar

2.   Select Configure New Investigation, and then click Next.

3.   Under Select Search Type, select the type of data to return:

•   The Platform Manager Search option only returns events.

•   The Data Processor Search only

returns log metadata and events. (10
days)

•   The LogMart Search option returns

aggregate data and statistics by Log
Miner. (365 days)

The Load Raw Log with Query Results option

returns raw log data. It is not available for LogMart
investigations

Life of a Log

https://logrhythm.vanillaforums.com/discussion/3585/logrhythm-siem-life-of-a-log#latest

Events - “Actionable Logs” should be maximum 1-5% of total logs. (90 day Time to Live)

Web Console and Personal Dashboard only show Events

Elasticsearch – Searchable data, whenever you query a Data Processor this references the Data
Indexer (80% Capacity of allocated storage)

LogMart – High-level metadata (default 365 days)

Correlation and Contextualize

After you perform an Investigation, Log Miner, Tail, or Personal Dashboard search, you can use
correlate and/or Contextualize to drill down into search results.

Correlate - Allow you to filter off of 1 meta data field

Contextualization - Allows you to run a tracert or “whois” against a single server

1.   After having run an investigation, tail or Dashboard search R-Click>Contextualize or

Correlation>select field

February 17, 2016 20

LogRhythm Inc |
Personal Dashboard
The LogRhythm Personal Dashboard is a high-level analytical tool that you configure to meet your
specific needs.

For more information, please refer to My Preferences.

Open Personal Dashboard

To access Personal Dashboard from the Client Console, do any of the following:

•   Click Personal Dashboard on the main toolbar.

•   On the Tools menu, click Monitor, and then click Personal Dashboard.

•   Press Ctrl+P on the keyboard.

The Personal Dashboard appears with the Tool Selector on the left and the graphs and tables on the
right.

Global Log Processing Rules

Global Log Processing Rules (GLPR) are a part of the Advanced Data Management settings which
provide a way to override settings defined in Classification Based Data Management (CBDM) or
Standard Data Management modes (Log Message Source, Log Processing Policy). GLPR provides a
way to apply Data Management settings across all Data Processors, Log Sources and Log Processing
Policies to logs that meet your specific criteria.

GLPR overrides are globally applied to log messages that match Classification Criteria (such as
Network/Deny, Authentication/Failure, etc), and are customized with Include and/or Exclude Filters for
log metadata. This flexibility provides a manageable way to determine how logs are processed

February 17, 2016 21

LogRhythm Inc |
throughout the system, regardless of settings used by various Log Sources and/or Log Processing
Policies. Logs that do not match the GLPR filters will be processed normally per CBDM or Standard
Data Management settings.

Creating a GLPR

A GLPR can be created in two ways:

1.   From the Deployment Manager>Tools> Administration> Global Log Processing Rule

Manager. The Global Log Processing Rule Manager appears.

2.   Click the New icon or right-click and select New

3.   The Global Log Processing Rule Wizard opens to the Classification Criteria tab.

Note: If the GLPR was created from the context menu, the Classification Criteria is set to the
classification of the selected log/event.

4.   Click Add Item.

The Classification Selector appears.

February 17, 2016 22

LogRhythm Inc |
 5.   Select an option from the Classification Type Filter list.

The Classification list populates.

6.   Select one or more items from the Classification list. Click OK to return to the Global Log
Processing Rule Wizard. Repeat the process to add as many additional filters as needed. Under
Risk Based Priority (RBP) Criteria, specify a minimum Risk Based Priority (RBP) log
messages must meet to match the rule.

7.   Click Next.

8.   You move to the Include Filters tab.

1.   Example might be

a.   Vendor Message ID (LR language for Windows Event ID)

1.   Examples:

Windows 674 Ticket Granted Renewed

Windows 537 Logon failure - The logon attempt failed for other reasons.

9.   Click Next.

You move to the Exclude Filters tab

10.  Click Next.

You move to the Log Source Criteria.

11.  Select Include All Log Sources. Default

February 17, 2016 23

LogRhythm Inc |
Include Log Sources from the Selected Lists.
Include the Selected Log Sources.

Choosing this option populates the grid below. Select the desired log sources in the grid.

12.  Click Next.

You move to the Settings tab.

Determine your Override and Expiration Settings. Consult the following table for more details.

13.  Click Next.

14.  You move to the Information tab.

15.  Enter a Name for the Global Log Procession Rule. Required. Enter a description if desired. Click
OK

Create User ID
1.   In Deployment Manager under the People tab

2.   Go to File > New OR R-Click > New in the window

3.   A note will appear Select Yes to create Individual or No to create a new role

4.   Enter in Name, contact method and info and select Save

•   If you select OK before selecting Save Contact Method will not save

Create Notification Policy

1.   From the LogRhythm Console, access the Deployment Manager.

2.   Tools > Distribution > Notification and Collaboration > Notification Policy Manager

3.   File> Select New SMTP Policy

February 17, 2016 24

LogRhythm Inc |
Notification Groups

Use the Notification and Collaboration Group Manager utility to add, modify, or delete an alarm
notification group. All group members defined in an alarm notification configuration receive Simple
Mail Transport Protocol (SMTP) or Simple Network Management Protocol (SNMP) alert notifications.

Notification groups can be set up manually or integrate with AD Group Based Authentication

1.   Deployment Manager > Tools > Distribution > Notification and Collaboration then
click Notification and Collaboration Group Manager.
2.   On the File menu, click New to open the Alarm Notification Group Properties window.

February 17, 2016 25

LogRhythm Inc |
 3.   Enter a Notification Group Name.
4.   Enter any necessary details in the Brief Description text box.
5.   Click the Add bar in the middle of the window.
6.   The Person Selector window displays.

7.   Select the person or role to add.

8.   Click OK.
9.   You return to the Alarm Notification Group Properties window.
10.  To remove a person or role, select the entry in the list and click Remove.
11.  Click OK to save your changes.

User Profiles

February 17, 2016 26

LogRhythm Inc |
User Profiles enable administrators to configure permissions to allow newly added hosts and log
sources to be granted and denied to users automatically. We can bring in Users from AD here as well.
You can also define permissions once and apply them across many users associated to a specific user
profile.

Security Roles
New profiles can be created for the Global Administrator, Global Analyst, Restricted Administrator,
Restricted Analyst, and Web Service Administrator security roles.

There can only be one Global Administrator security role.The global administrator role can be assigned
to any user. The following privileges can be assigned:

•   Global AI Engine Events that span Entities

•   SecondLook
•   LogRhythm API Access
•   Data Processors
•   Log Sources

Global Analysts and Restricted Analyst profiles can have Log Source Access Rights applied at the
following levels. Specific items can be granted or denied for the profile:

•   Entities (and child entities)

•   Log Source Lists
•   Log Sources

Restricted Administrator can be granted the following privileges:

•   Global AI Engine Events that span Entities

•   SecondLook
•   LogRhythm API Access
•   Entity (and Child entities)
•   Log Sources

Restricted Analysts can be given discretionary access where the analysts are granted access to Global
AI Engine Events or to a subset of AIE Events based on entities and child entities. This enables large
deployments the ability to restrict access and provide filtering when entity-based data segregation is
enabled.

The Web Service Administrator profile can only be assigned privileges for the following:

•   LogRhythm API Access

1.   Deployment Manager
2.   Tools > Administration > User Profile Manager
3.   Right Click > Select New
4.   Define User Profile and Privileges
5.   If this is in relation to a specific Entity apply on next tab
a.   Action – to select
b.   Grant - what entities user will have access
6.   Must click OK and create user before you can set AD Group Authorization
7.   Double click new User Profile and re-open properties to AD Group

February 17, 2016 27

LogRhythm Inc |
 a.   R-Click in Active Directory box
b.   Scroll and select Domain and Group Name then validate

Note: AD Sync happens every 60 minutes, users will populate next sync cycle

Templates, Reports & Packages

Templates A report template defines the report format including the columns, group order, sort
order, and so forth. The report configuration defines the data that is included in the
report. All available report templates are listed on the Report Templates tab.

Reports Individual reports which can be modified or cloned

Packages Grouping of Reports

Log Volume Report

You use the Report Package Wizard to create new Report Packages and modify existing ones. You can
also browse Report Packages you cannot modify such as those requiring a higher permission setting.

To create a new report package go to Report Center > Tools > Report > Report Center and select
the Report Packages tab. Click the green New Report Package icon on the toolbar or right-click and
select New Report Package from the context menu. The Select Reports page of the Report
Package Wizard appears.

Select the desired reports to include in this Report Package and click Next.

The Override Log Source Criteria window appears.

February 17, 2016 28

LogRhythm Inc |
Enable the Override Log Source Settings check box if you want to override the log sources in the
individual reports. If required, specify the Log Sources to include in the Report and click Next.

Note: Log Volume reports (Class = Log Management) return data for all log sources. Specifying log
source criteria will not narrow the results

The Configuration window appears.

Enter the Report Period to specify the default reporting period and time zone. To further refine the
period, select Custom and choose On or After and Before dates and times. Enable the View
reports after running check box, if desired. Enable the Export and save reports check box, if
desired.

Select the Report Format to export the reports as Crystal Report, Adobe Acrobat, or Microsoft Excel
documents. Enter the Report Export Path and click Test Path. Enable the Compress check box to
compress the files into a single file. Select the File/Folder Name to specify the naming conventions.

Determine the Data Processor to query when preparing the reports. To query all online Data
Processors, select the Query all online-active Data Processors check box. To query specific Data
Processors, deselect the Query all online-active Data Processors check box and enable the check
box(es) preceding the desired Data Processor(s). Click Next.

The Package Details page appears.

February 17, 2016 29

LogRhythm Inc |
Enter the Package Name.

Enter the Description.

Select the Report Package Permissions.

Click OK to save the Report Package and exit the Report Package Wizard.

Diagnostic Alarms

Enable LogRhythm Diagnostic Alarms

LogRhythm provides built-in capability to alarm on system health. We recommend you enable these
alarms and add the Technical Point of Contact to the notification list.

Navigate to Deployment Manager > Alarm Rules

Select the Action box next to the following alarms:

AI Engine : Critical Condition

AI Engine : Excessive Warnings
AI Engine : Rule Suspended Due To Memory Triage
AI Engine : Successive Errors
QsEMP : Excessive Events Spooled to Disk
QsEMP : Excessive Processed Logs Spooled to Disk
QsEMP : Excessive Unprocessed Logs Spooled to Disk
QsEMP : LogRhythm Agent Heartbeat Missed
QsEMP : LogRhythm AI Comm Manager Heartbeat Missed
QsEMP : LogRhythm AI Engine Heartbeat Missed
QsEMP : LogRhythm Appliance Hardware Warning
QsEMP : LogRhythm CMDB Database Error
QsEMP : LogRhythm CMDB Database Warning
QsEMP : LogRhythm CMDB Stats Warning
QsEMP : LogRhythm Component Critical Condition
QsEMP : LogRhythm Database Maintenance Failure

February 17, 2016 30

LogRhythm Inc |
QsEMP : LogRhythm Failed To Submit Batch Job to DB
QsEMP : LogRhythm GLPR Error
QsEMP : LogRhythm Log Manager Heartbeat Missed
QsEMP : LogRhythm MPE Rule Disabled
QsEMP : LogRhythm Silent Log Source Error

Right-click and select Actions > Enable.

Silent Log Sources

We can alarm on a log sources that unexpectedly goes silent.

•   In Deploment Manager > Log Sources, double click on available log source

•   Under the Additional Settings tab note Silent Log Message Source Settings

•   Select Enable Silent Log Message Source Detection

•   Under the Alarm Rules Tab enable the Silent Log Source Error Alarm

February 17, 2016 31

LogRhythm Inc |
Alarm Description: Alarms on a LogRhythm Silent Log Source Error event which could indicate a log
source that has gone silent

February 17, 2016 32

LogRhythm Inc |