LogRhythm Software Install Guide 7.12.0 RevA

Install a New LogRhythm Deployment

March 22, 2023


© LogRhythm, Inc. All rights reserved.
This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by copyright
and possible non-disclosure agreements. The Software described in this Guide is furnished under the End User License
Agreement or the applicable Terms and Conditions (“Agreement”) which governs the use of the Software. This Software
may be used or copied only in accordance with the Agreement. No part of this Guide may be reproduced or transmitted
in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other
than what is permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no warranty of
any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied warranty of
merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any direct, indirect,
incidental, consequential, or other damages alleged in connection with the furnishing or use of this information.

Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned may be
trademarks, registered trademarks, or service marks of their respective holders.

LogRhythm
385 Interlocken Crescent, Suite 1050
Broomfield, CO 80021
(303) 413-8745
www.logrhythm.com

Phone Support (7am - 6pm, Monday-Friday)
Toll Free in North America (MT): +1-866-255-0862
Direct Dial in the Americas (MT): +1-720-407-3990
EMEA (GMT): +44 (0) 844 3245898
META (GMT+4): +971 8000-3570-4506
APAC (SGT): +65 31572044
Table of Contents
Review Assumptions (p. 5)
The LogRhythm Infrastructure Installer (p. 5)
Review the Requirements for a New LogRhythm Deployment (p. 6)
    LogRhythm Licensing (p. 6)
    SQL Server Licensing (p. 6)
    LogRhythm Component Compatibility (p. 6)
    Platform Requirements (p. 10)
    Virtualization Platform Considerations (p. 16)
    Networking and Communication (p. 18)
Select a Method of Deploying LogRhythm (p. 19)
    LogRhythm Reference Architecture (p. 20)
    Amazon Web Services Installations (p. 98)
    Google Cloud Installations (p. 103)
    Microsoft Azure Installations (p. 105)
Download Software to Install a New LogRhythm Deployment (p. 108)
Install LogRhythm (p. 109)
    Configure Hardware or Virtual Machine (p. 109)
    Shut Down Antivirus and Endpoint Protection Software (p. 109)
    Install the LogRhythm Databases for the Platform Manager or XM (p. 109)
    Run the LogRhythm Install Wizard (p. 110)
    Use the LogRhythm Configuration Manager (p. 114)
Install the LogRhythm Data Indexer (p. 117)
    (Optional) Deploy ISO image to Each Linux Data Indexer Node (p. 117)
    Install the Data Indexer on Linux (p. 120)
    (Optional) Use the Data Indexer Node Installer (p. 123)
    Add a Node to an Existing Cluster (p. 125)
    Information about Automatic Maintenance (p. 133)
Complete Additional LogRhythm Installation Tasks (p. 136)
    Configure or Verify Communication Ports (p. 136)
    Verify SQL Server Authentication and LogRhythm Databases (p. 137)
    Verify LogRhythm Installation (p. 138)
    Verify Web Console Processes (p. 138)
    Install Other Agents (p. 139)
    Configure the LogRhythm Software (p. 140)
    Add Realtime Antivirus Exclusions for LogRhythm (p. 140)
Supplemental Information for Installations (p. 143)
    Troubleshoot the LogRhythm Configuration Manager (p. 143)
    Back Up and Restore a LogRhythm Configuration (p. 143)
    Add Additional Components to an Existing Deployment (p. 144)
    Add Additional Web Consoles (p. 146)
    Generate Self-Signed Certificates for the Web Console (p. 147)
    Remove the Web Console (p. 149)


Install a New LogRhythm Deployment

This document helps you determine a platform for the LogRhythm Software and provides instructions for installing
LogRhythm on your own systems.

 We recommend that you perform these procedures with the assistance of LogRhythm Professional Services.

Review Assumptions
Before installing the LogRhythm Software, ensure the following:
• Administrative permissions to complete the assigned preparation and installation.
• Dedicated hardware and/or virtual environments are configured as outlined in this installation guide.

 Configuring your dedicated hardware or virtual environment outside the parameters listed in this document
may prevent the LogRhythm Software from operating and performing properly. LogRhythm does not support
non-standard configurations. If your environments cannot be configured to the standard configurations,
contact LogRhythm to determine whether a custom solution is possible.

 The LogRhythm installer is not supported on systems that use compressed drives.

The LogRhythm Infrastructure Installer


The LogRhythm Deployment Tool, also called the Infrastructure Installer, coordinates the installation and configuration
of the LogRhythm Common Components (LR Common) across a set of machines.
LR Common currently contains:
• LogRhythm API Gateway
• LogRhythm Service Registry
• LogRhythm Metrics Collection
Note the following requirements of the Infrastructure Installer:
• User Access. The user needs to be able to log on to each host in the deployment in order to run the Host
Infrastructure Installer.
• Elevated Execution. The tool executes local commands under an elevated context. The user running the tool
must have permission to elevate the execution.
• Network Time. The clocks on the hosts must be synchronized. This is a requirement for the SSL/TLS certificates that
are shared among the hosts in the deployment: a certificate issued by a host whose clock runs ahead is "not yet
valid" on a host whose clock runs behind. If times are not synchronized, this tool will likely report that Consul (the
Service Registry) is unable to elect a leader.

 If this prerequisite is not met, the deployment may not function properly after installation is complete.
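The clock-skew check that the Network Time requirement calls for, as an added example (it is not part of the LogRhythm guide or installer): it measures every host's NTP offset from one workstation and reports the relative skew to a chosen reference host. The host names are placeholders, and the 1-second tolerance is this example's choice; the guide only says the clocks must be synchronized.

```powershell
# Added example (not part of the LogRhythm guide or installer): measure the clock offset of each
# deployment host against one reference host before running the Infrastructure Installer.
# Assumes: run from a Windows machine that can reach every host on UDP/123, and that the host
# names below are placeholders for your own. The 1-second tolerance is this example's choice.
$ReferenceHost = 'lr-pm01'                                        # placeholder
$MemberHosts   = @('lr-dp01', 'lr-dp02', 'lr-aie01', 'lr-web01')   # placeholders
$MaxSkewSec    = 1.0

function Get-ClockOffsetSeconds {
    param([string]$Target)
    # 'w32tm /stripchart ... /dataonly' prints one "HH:MM:SS, +00.0123456s" line per sample; the signed
    # value is the offset between this machine's clock and the target's. Returns $null when the target
    # did not answer (NTP blocked, Windows Time service stopped, or a Linux node that does not serve NTP).
    $lines = & w32tm /stripchart "/computer:$Target" /samples:3 /dataonly 2>&1
    $samples = foreach ($line in $lines) {
        if ("$line" -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
    }
    if (-not $samples) { return $null }
    return ($samples | Measure-Object -Average).Average
}

function Test-DeploymentClockSkew {
    param([string]$Reference, [string[]]$Members, [double]$MaxSkew)
    $refOffset = Get-ClockOffsetSeconds -Target $Reference
    if ($null -eq $refOffset) { throw "Reference host $Reference did not answer an NTP query" }
    foreach ($h in $Members) {
        $offset = Get-ClockOffsetSeconds -Target $h
        if ($null -eq $offset) {
            [pscustomobject]@{ Host = $h; SkewSeconds = $null; Ok = $false; Note = 'no NTP answer' }
            continue
        }
        # Both offsets were measured from this machine, so their difference is the host-to-reference skew.
        $skew = $offset - $refOffset
        [pscustomobject]@{
            Host        = $h
            SkewSeconds = [math]::Round($skew, 3)
            Ok          = ([math]::Abs($skew) -le $MaxSkew)
            Note        = ''
        }
    }
}

$results = Test-DeploymentClockSkew -Reference $ReferenceHost -Members $MemberHosts -MaxSkew $MaxSkewSec
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Fix time synchronization (w32tm /resync on Windows, chronyd on Linux Data Indexer nodes) before running the Infrastructure Installer.'
}
```

A Linux Data Indexer node only answers this probe if its chronyd is configured to serve NTP (an `allow` directive); otherwise compare `chronyc tracking` on the node against the reference host instead of relying on the "no NTP answer" row.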


Review the Requirements for a New LogRhythm Deployment


LogRhythm Licensing
The LogRhythm Solution requires a LogRhythm license file which contains a LogRhythm Master License and
Component Licenses. The Master License is tied to an individual customer for a single deployment of LogRhythm (1
Platform Manager and 1 or more Data Processors). Component Licenses fall within the Master License and are used to
license specific LogRhythm components within the same LogRhythm deployment.
A LogRhythm license file can contain the following component and subscription licenses:
• Platform Manager License (always included)
• Data Processor License(s)
• Software License
• Appliance License
• Log Message Source License(s)
• Quantity License
• Unlimited License
• System Monitor Lite License
• System Monitor Pro License
• System Monitor Collector license
• Advanced Intelligence Engine License (separate volume license)
• GeoIP Resolution Subscription License
To learn more about LogRhythm Licensing, see the Licensing topic in the Enterprise SIEM Help. The LogRhythm End
User Licensing Agreement (EULA) contains specific details regarding licensing and is the legal agreement for the
solution you purchased.

SQL Server Licensing


Your LogRhythm Software includes a SQL Server license. However, you must also acquire a Client Access License (CAL)
for every LogRhythm user, as outlined in the SQL Server End User License Agreement (EULA). An initial number of CALs
is included at the time of purchase. To understand how many CALs you have purchased or to purchase additional
CALs, contact LogRhythm Support or your sales representative. The SQL Server EULA contains specific details
regarding licensing and is the legal agreement between you and Microsoft. It serves as your proof of purchase.

LogRhythm Component Compatibility


All LogRhythm components in a deployment, except for System Monitor, must be versioned with the same major and
minor number. System Monitor versions 6.x and 7.x are supported.

Database and SQL Server Versions


This LogRhythm version requires Microsoft SQL Server 2016 Standard SP1 (version 13.0.4001.0) or Microsoft SQL Server
2019 (version 15.0.2000.5). Higher cumulative updates and service packs within these versions are also supported. In
this LogRhythm 7.x release, the schema version of all LogRhythm SQL databases is the same: 7.x.x.yyyy.


LogRhythm 7.9.0 introduced support for SQL Server 2019 on standard deployments. If you are running Microsoft SQL
Server 2016 Standard on your appliance, there is no need to upgrade to Microsoft SQL Server 2019. If you want to
upgrade to SQL Server 2019, see Upgrade SQL Server 2016 to SQL Server 2019.

 Upgrades to existing High Availability (HA) and Disaster Recovery (DR) environments are not supported.
LogRhythm 7.12.0 supports SQL Server 2019 on new installations of HA and DR deployments only.
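A version check against the two minimum builds named above, as an added example that is not part of the guide: it reads SERVERPROPERTY values through the .NET SqlClient that ships with Windows (so no SqlServer module is needed) and compares the build to the minimum for that major version. It assumes Windows authentication; the instance name is a placeholder.

```powershell
# Added example (not from the guide): confirm the SQL Server instance that will host the LogRhythm
# databases is at or above the builds this guide names, before running the database installer.
# Assumes Windows authentication and a local default instance; 'localhost' is a placeholder.
$ServerInstance = 'localhost'   # placeholder; use 'host\instance' for a named instance

# Minimum builds stated in this guide, keyed by SQL Server major version.
$MinimumBuild = @{
    13 = [version]'13.0.4001.0'   # SQL Server 2016 SP1
    15 = [version]'15.0.2000.5'   # SQL Server 2019
}

function Get-SqlServerBuildInfo {
    param([string]$Instance)
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=True")
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('ProductVersion') AS nvarchar(32))  AS ProductVersion,
       CAST(SERVERPROPERTY('ProductLevel')   AS nvarchar(32))  AS ProductLevel,
       CAST(SERVERPROPERTY('Edition')        AS nvarchar(128)) AS Edition
"@
    $conn.Open()
    try {
        $reader = $cmd.ExecuteReader()
        [void]$reader.Read()
        [pscustomobject]@{
            Instance       = $Instance
            ProductVersion = [version]$reader['ProductVersion']   # e.g. 15.0.4003.23
            ProductLevel   = $reader['ProductLevel']              # RTM, SP1, ...
            Edition        = $reader['Edition']                   # the guide expects Standard
        }
    } finally {
        $conn.Close()
    }
}

function Test-LogRhythmSqlBuild {
    param([version]$Build, [hashtable]$Minimums)
    # Only the majors listed in the guide are acceptable; within a major, any higher CU or SP is fine.
    if (-not $Minimums.ContainsKey($Build.Major)) {
        return "Not supported: SQL Server major version $($Build.Major) is not one of the versions this guide lists."
    }
    $min = $Minimums[$Build.Major]
    if ($Build -lt $min) { return "Too old: build $Build is below the minimum $min." }
    return "OK: build $Build meets the minimum $min (higher CUs and service packs are supported)."
}

$info = Get-SqlServerBuildInfo -Instance $ServerInstance
$info | Format-List
Test-LogRhythmSqlBuild -Build $info.ProductVersion -Minimums $MinimumBuild
```

The connection string deliberately has no Encrypt setting because this is a local check; for a remote instance add Encrypt=True and make sure the server certificate is trusted rather than setting TrustServerCertificate=True.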

System Monitor Component Support


Earlier versions of System Monitor are compatible with this version of LogRhythm. The table below lists the System
Monitor versions that are compatible with LogRhythm 7.x.

System Monitor Versions Compatible with LogRhythm 7.x

System Monitor             v6.x   v7.x
System Monitor (Windows)   Yes    Yes
System Monitor (*NIX)      Yes    Yes

Component Operating System Support


This section describes operating systems and LogRhythm component compatibility for LogRhythm 7.12. The following
table defines the LogRhythm support levels used in subsequent tables.
LogRhythm 7.9.0 introduced support for Windows Server 2019 on standard deployments. If you are running Windows
Server 2016 on your appliance, there is no need to upgrade to Windows Server 2019. For a guide on upgrading to
Windows Server 2019, see Upgrade Windows Server 2016 to Windows Server 2019.

 Upgrades to existing High Availability (HA) and Disaster Recovery (DR) environments are not supported.
LogRhythm 7.12.0 supports Windows Server 2019 on new installations of HA and DR deployments only.

Certified Support (CS): Fully tested per LogRhythm quality assurance processes. LogRhythm patches bugs. Full
LogRhythm Technical Support.
Limited Support (LS): Limited testing, but likely to work based on engineering assessment and/or field verification.
LogRhythm may patch bugs. Limited LogRhythm Technical Support.
Unsupported (US): Not tested. LogRhythm does not patch bugs. No LogRhythm Technical Support.

The following table shows the support levels for LogRhythm components on various 64-bit operating systems.

 Any operating system not included in the following table is not supported.

LogRhythm 7.12 Operating System Support Levels

Column key: DX = Data Indexer, DP = Data Processor, PM = Platform Manager, AIE = AI Engine, API = LogRhythm API,
WC = Web Console, CC = Client Console, OC = Open Collector.

64-bit Operating System      DX     DP   PM   AIE  API  WC   CC   OC
Windows 7                    US     US   US   US   US   US   LS   US
Windows 8/8.1                US     US   US   US   US   US   LS   US
Windows 10                   US     US   US   US   US   US   LS   US
Windows 11                   US     US   US   US   US   US   LS   US
Windows Server 2008          US     US   US   US   US   US   LS   US
Windows Server 2008 R2       US     US   US   US   US   US   LS   US
Windows Server 2012          US     US   US   US   US   US   LS   US
Windows Server 2012 R2       LS     LS   LS   LS   LS   LS   LS   US
Windows Server 2016          CS(1)  CS   CS   CS   CS   CS   CS   US
Windows Server 2016 Core     US     US   US   US   US   US   US   US
Windows Server 2019(2)       CS(1)  CS   CS   CS   CS   CS   CS   US
Windows Server 2019 Core     US     US   US   US   US   US   US   US
Windows Server 2022          US     US   US   US   US   US   LS   US
CentOS 7.x Minimal           CS     US   US   US   US   US   US   US
CentOS 7.6 or greater        CS     US   US   US   US   US   US   CS
CoreOS                       US     US   US   US   US   US   US   CS
RHEL 7                       CS     US   US   US   US   US   US   US

(1) The Data Indexer is only supported on Windows operating systems for XMs and Gen3 appliances.
(2) Upgrading from Windows Server 2016 to 2019 on existing High Availability (HA) and Disaster Recovery (DR)
environments is not supported.

Platform Requirements

Server Roles
Different LogRhythm server roles perform key tasks for log collection, analysis, and reporting in the LogRhythm SIEM.
When you install LogRhythm on your own systems, you need the following server roles:
• Platform Manager. The Platform Manager provides the central event management and administration of the
LogRhythm SIEM, including:
• Configuration information for all agents, log sources, and log source types.
• Knowledge Base, which includes all processing rules, built-in reports (for compliance), built-in alarms,
and other processing-related information.
• The Alarming and Response Manager, which is a Windows service responsible for processing alarm rules
and taking appropriate response such as sending e-mails to those on a notification list or sending SNMP
traps to an SNMP server.
• The Job Manager, which is responsible for scheduled report job generation, Agent and Data Processor
heartbeat monitoring, Active Directory synchronization, and health monitoring.
You can install the Platform Manager on a dedicated appliance (recommended for large environments) or on the
same system as the Data Processor and Data Indexer (called an XM appliance, if you need an all-in-one
appliance). The Platform Manager also includes an embedded AI Engine license, which allows you to install AIE
on the same system. There is only one Platform Manager in the SIEM environment.
• Data Processor. The Data Processor provides high-performance, distributed, and highly available processing of
machine and forensic data. Data Processors receive machine and forensic data from Collectors and Forensic
Sensors. The Data Processor archives data and distributes both the original copy and the structured copy to
other LogRhythm components for indexing, machine based analytics, and alarming.
• Data Indexer. The Data Indexer provides high-performance, distributed, and highly scalable indexing and
searching of machine and forensic data. Data Indexers store both the original and structured copies of data to
enable search-based analytics. The Data Indexer can be installed in an XM configuration on Windows, Red Hat
Enterprise Linux 7, or CentOS 7.x Minimal using our distributed CentOS 7.x ISO image.
• AI Engine. The AI Engine is an optional component that detects conditions occurring over multiple data sources
and time ranges. It provides real-time visibility into risks, threats, and critical operations issues. AI Engine
includes more than 100 preconfigured rule sets that you can use in the wizard-based, drag-and-drop interface.
You can install the AI Engine on the same system as the Platform Manager or you can install it on a dedicated
system.
• System Monitor. The System Monitor collects all log, flow, and machine data, then transfers that data to the Data
Processor. Because a System Monitor is required on each LogRhythm appliance, the LogRhythm installer
automatically deploys it with other applicable roles. You can also deploy the System Monitor using a separate
installer file (for example, silent installations in large environments).

 The LogRhythm dedicated appliance for remote log collection is called a Data Collector appliance.


Volume/Disk Configurations
LogRhythm requires specific volume/disk configurations, which can consist of physical disks or virtual disks with logical
volumes.

 LogRhythm is not supported on systems that use shared disks. Installing on a system that uses shared disks
can have a significant negative impact on performance.

• Physical Disks. One or more physical disks must exist on the dedicated hardware or virtual machine within a
specific volume. The amount can range from a minimum of 2 up to 98 disks per system.
• Virtual Disks (usable space). Virtual disks are a collection of physical disks that deliver redundancy and
performance improvements through hardware RAID technology. The amount can range from 2 to 10 virtual disks
per system.
• Logical Volumes. A logical volume is a partition of a virtual disk addressed with a unique drive letter in Windows
(for example, drive C or drive D). The logical volumes contain specific files and data related to the installation
(see the following table for more information about the contents of each drive). Any LogRhythm server that
contains a Platform Manager includes four logical volumes. The Windows Indexer should include at least two
logical volumes, and the logical volume that contains log data should be on a dedicated virtual disk using
dedicated physical disks.

 You should configure and use the logical volumes as documented.

Component: Platform Manager
• C Drive (C:\), label n/a: Operating System, SQL Server program files, and LogRhythm program files
• D Drive (D:\), label "Data": LogRhythm SQL Server data files (requires an NTFS allocation unit size of 64 KB)
• L Drive (L:\), label "Log Files": LogRhythm SQL Server transaction log files (requires an NTFS allocation unit size
of 64 KB)
• T Drive (T:\), label "Temp DB": SQL Server TempDB data file and SQL Server TempDB transaction log file (requires an
NTFS allocation unit size of 64 KB)
• S Drive (S:\), label n/a: LogRhythm Application State for High IOPS

Component: Data Processor, AI Engine, System Monitor
• C Drive (C:\), label n/a: Operating System and LogRhythm program files
• S Drive (S:\), label n/a: LogRhythm Application State for High IOPS

Component: Web Console
• C Drive (C:\), label n/a: Operating System and LogRhythm program files
• D Drive (D:\), label n/a: Web Console indices

Component: Data Indexer
• vgroup1, label n/a: Operating System and LogRhythm program files
• vg_data, mounted at /usr/local/logrhythm: Elasticsearch data, mapped to /usr/local/logrhythm
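The allocation-unit check the Platform Manager volumes above call for, as an added example that is not part of the guide: it reads the NTFS cluster size of D:, L: and T: with Get-Volume and flags any that is not 64 KB. The drive letters and labels are the ones from the table; a volume that is missing is reported rather than skipped.

```powershell
# Added example (not from the guide): check that the Platform Manager's SQL Server volumes use a
# 64 KB NTFS allocation unit, as the table above requires. Assumes the drive letters from the table.
$ExpectedUnit    = 65536
$RequiredVolumes = @{ 'D' = 'Data'; 'L' = 'Log Files'; 'T' = 'Temp DB' }   # drive letter -> label from the table

function Get-VolumeClusterReport {
    param([hashtable]$Volumes, [int]$Expected)
    foreach ($letter in ($Volumes.Keys | Sort-Object)) {
        $v = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
        if (-not $v) {
            [pscustomobject]@{ Drive = "${letter}:"; Label = $Volumes[$letter]; FileSystem = ''; AllocationUnit = 0; Ok = $false; Note = 'volume not present' }
            continue
        }
        # Get-Volume exposes the NTFS cluster size as AllocationUnitSize (bytes); 'fsutil fsinfo ntfsinfo D:'
        # shows the same number as "Bytes Per Cluster" if you want a second opinion.
        $ok = ($v.FileSystem -eq 'NTFS') -and ($v.AllocationUnitSize -eq $Expected)
        [pscustomobject]@{
            Drive          = "${letter}:"
            Label          = $v.FileSystemLabel
            FileSystem     = $v.FileSystem
            AllocationUnit = $v.AllocationUnitSize
            Ok             = $ok
            Note           = $(if ($ok) { '' } elseif ($v.FileSystem -ne 'NTFS') { 'not NTFS' } else { "cluster size is $($v.AllocationUnitSize), expected $Expected" })
        }
    }
}

$report = Get-VolumeClusterReport -Volumes $RequiredVolumes -Expected $ExpectedUnit
$report | Format-Table -AutoSize

# Remediation for a wrong cluster size is a reformat, which destroys the volume's contents. Run it
# only before any SQL Server files exist on the volume, e.g. for the D: volume from the table:
#   Format-Volume -DriveLetter D -FileSystem NTFS -AllocationUnitSize 65536 -NewFileSystemLabel 'Data' -Confirm:$false
```

Run this before the database installer is started; the cluster size cannot be changed in place afterwards without moving the SQL Server files off the volume.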

Performance Requirements

 The specifications provided are minimum requirements for your dedicated virtual machine and dedicated
hardware. Your system should be configured so that the end result has the minimum specification
requirement value or greater. If your hardware or virtual machine does not fit into an existing appliance
configuration, contact LogRhythm Professional Services to discuss a possible custom installation. Collection
rates are listed as a guideline. The rates may vary given different hardware configurations and drivers.

The performance specifications are based on the following assumptions:
• 100% of logs are from Syslog
• Average raw log message size = 400 Bytes
• Average online log row size (includes index) = 900 Bytes
• Average online event row size (includes index) = 1,035 Bytes
• Average archive entry size = 400 Bytes
• Average archive compression rate = 20:1
• 100% of logs are archived
• 2% of logs processed by the deployment are considered an Event (data of interest)
• 10% of Events are considered a Monitored Event based on Risk Based Priority (RBP)
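The assumptions above turned into a capacity estimate, as an added example that is not part of the guide: it takes a sustained message rate and retention periods and derives daily event counts, online (indexed) storage and archive storage from the row sizes and ratios listed, and inflates the required platform rating for the 10-15% virtualization overhead described below. The 5,000 MPS input and the retention periods are placeholders; 1GB is the PowerShell constant (2^30 bytes).

```powershell
# Added example (not from the guide): size online and archive storage from the guide's stated assumptions.
# Per-row sizes and ratios are the guide's; the message rate and retention inputs are placeholders.
$GuideAssumptions = @{
    OnlineLogRowBytes      = 900     # average online log row, including index
    OnlineEventRowBytes    = 1035    # average online event row, including index
    ArchiveEntryBytes      = 400     # average archive entry before compression
    ArchiveCompression     = 20      # 20:1
    ArchivedFraction       = 1.0     # 100% of logs archived
    EventFraction          = 0.02    # 2% of logs become Events
    MonitoredEventFraction = 0.10    # 10% of Events become Monitored Events (RBP)
    VirtualOverhead        = 0.15    # worst case of the 10-15% degradation expected on a VM
}

function Get-LogRhythmCapacityEstimate {
    param(
        [double]$MessagesPerSecond,
        [int]$OnlineRetentionDays,
        [int]$ArchiveRetentionDays,
        [switch]$Virtual,
        [hashtable]$A = $GuideAssumptions
    )
    $logsPerDay      = $MessagesPerSecond * 86400
    $eventsPerDay    = $logsPerDay * $A.EventFraction
    $monitoredPerDay = $eventsPerDay * $A.MonitoredEventFraction
    # Online (indexed) storage holds every log row plus the subset that also became an event row.
    $onlineBytesPerDay  = ($logsPerDay * $A.OnlineLogRowBytes) + ($eventsPerDay * $A.OnlineEventRowBytes)
    # Archive storage is the raw entry size divided by the compression ratio.
    $archiveBytesPerDay = $logsPerDay * $A.ArchivedFraction * $A.ArchiveEntryBytes / $A.ArchiveCompression
    # A VM delivers less than its physical rating, so the platform must be rated above the target rate.
    $ratedMps = if ($Virtual) { $MessagesPerSecond / (1 - $A.VirtualOverhead) } else { $MessagesPerSecond }

    [pscustomobject]@{
        TargetMps             = $MessagesPerSecond
        PlatformRatingMps     = [math]::Ceiling($ratedMps)
        LogsPerDay            = [math]::Round($logsPerDay)
        EventsPerDay          = [math]::Round($eventsPerDay)
        MonitoredEventsPerDay = [math]::Round($monitoredPerDay)
        OnlineGBPerDay        = [math]::Round($onlineBytesPerDay / 1GB, 1)
        OnlineGBTotal         = [math]::Round($onlineBytesPerDay * $OnlineRetentionDays / 1GB)
        ArchiveGBPerDay       = [math]::Round($archiveBytesPerDay / 1GB, 2)
        ArchiveGBTotal        = [math]::Round($archiveBytesPerDay * $ArchiveRetentionDays / 1GB)
    }
}

# Placeholder inputs: 5,000 sustained messages per second, 30 days online, 365 days of archives, on a VM.
Get-LogRhythmCapacityEstimate -MessagesPerSecond 5000 -OnlineRetentionDays 30 -ArchiveRetentionDays 365 -Virtual | Format-List
```

Treat the output as a lower bound: it excludes Elasticsearch replica shards, the Data Processor's local archive spool, and any headroom for bursts above the sustained rate, and the guide itself warns that rates vary with hardware and drivers.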
Additional notes regarding performance specifications:
• Virtual Machines. Deploying on virtual machines incurs overhead. As a result, your actual performance will vary.
A performance degradation of 10-15% is expected when compared to running on a dedicated physical machine.
• Dedicated drives. LogRhythm is an I/O-intensive solution that requires dedicated physical drives to achieve the
published rates specified. LogRhythm makes no distinction between Direct Attached Storage (DAS) or Storage
Area Network (SAN), but the disk volumes must be dedicated.

Power Supply/Mode
LogRhythm recommends that all LogRhythm systems be connected to an uninterruptible power supply. A power cut
may cause an Elasticsearch failure that leads to a loss of indices.
All systems hosting LogRhythm services (virtual or physical) must have their power mode configured for "High
Performance"; this disables power-saving features in order to ensure optimal CPU ready states. Negative performance
impacts will be observed in a power-save profile.
For example, for HP ProLiant servers:
1. Set the Power Regulator Mode to Static High Mode.
2. Disable Processor C-State Support.
3. Disable Processor C1E Support.
4. Disable QPI Power Management.
5. Enable Intel Turbo Boost.
For Dell PowerEdge servers:
1. Set the Power Management Mode to Maximum Performance.
2. Set the CPU Power and Performance Management Mode to Maximum Performance.
3. Processor Settings: set Turbo Mode to enabled.
4. Processor Settings: set C States to disabled.
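The operating-system half of this setting as an added example that is not part of the guide: it reads the active Windows power plan GUID from powercfg, switches to the built-in High Performance plan if another one is active, and re-reads it to confirm. The firmware items in the two lists above (C-states, C1E, QPI power management, Turbo) cannot be set from Windows and still have to be done in the server BIOS.

```powershell
# Added example (not from the guide): verify from the OS that the active Windows power plan is
# High Performance and switch to it if not. Requires an elevated prompt to change the plan.
$HighPerformance = '8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c'   # GUID of the built-in High Performance plan (alias SCHEME_MIN)

function Get-ActivePowerPlanGuid {
    # powercfg prints "Power Scheme GUID: <guid>  (<name>)"; pull out the GUID.
    $text = (& powercfg /getactivescheme) -join ' '
    if ($text -match '([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})') { return $Matches[1].ToLower() }
    throw "Could not parse the active scheme from: $text"
}

function Set-HighPerformancePowerPlan {
    $current = Get-ActivePowerPlanGuid
    if ($current -eq $HighPerformance) { return 'OK: High Performance plan is already active' }
    & powercfg /setactive $HighPerformance
    if ($LASTEXITCODE -ne 0) { throw "powercfg /setactive failed with exit code $LASTEXITCODE (run from an elevated prompt)" }
    # Re-read rather than trust the exit code, then also stop disks from spinning down on AC power.
    if ((Get-ActivePowerPlanGuid) -ne $HighPerformance) { throw 'Active plan did not change' }
    & powercfg /change disk-timeout-ac 0
    return "Switched from $current to High Performance"
}

Set-HighPerformancePowerPlan
```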

Web Console Requirements

 If your LogRhythm instance is deployed in a dark site, download the necessary standalone .NET installers
from Microsoft Support before beginning the upgrade. Otherwise, the Web Services Installer will attempt to
download it during the upgrade and the upgrade will fail without internet connectivity.

You can install the Web Console software on a server, virtual server, or LogRhythm appliance that meets the
requirements listed in the following table.

 LogRhythm currently supports up to three Web Console instances with 60 concurrent users.

 To avoid conflicts, it is recommended that Web Console users are either created manually or through Active
Directory (AD), but not both.


System Requirements

LogRhythm Appliance
Install the Web Console on any of the following LogRhythm appliance models:
• LR-WS3410 LogRhythm Web Services Appliance (includes the Web Console installer)
• PM5400 and PM7400 series appliances
• XM4400 and XM6400 series appliances

 • Do not install the Web Console on older generation LogRhythm appliances, such as the LRX or LR series.
 • Do not install the LogRhythm SOAP API service on the same appliance that is used to run the Web Console. Note
that the SOAP API is not the same service as the Case API. The Case API can be safely installed on the same
appliance as the Web Console.

Your own server
Install the Web Console on a server or virtual environment that meets the following specifications:

Hardware
• 1 x 2.6 GHz 8-core CPU (16 vCPU)
• 32 GB RAM
• H730 RAID controller with 2 GB cache
• 2 x 1 Gigabit Ethernet NICs

Operating System
• Windows Server 2019 x64 Standard Edition

Disk/Vol 1 Config
• Physical disks: 2 x 300 GB 10K RPM SAS, RAID 1
• Hardware IOPS: 150; recommended IOPS: 150
• Virtual disk: 278 GB usable
• Logical volume: C Drive (278 GB)

Disk/Vol 2 Config
• Physical disks: 2 x 400 GB SATA SSD, 3 DWPD, RAID 1
• Hardware IOPS: 85,000; recommended IOPS: 1,000
• Virtual disk: 368 GB usable
• Logical volume: D Drive (368 GB)

Web Console UI You can access the Web Console UI from any computer running Google Chrome,
Mozilla Firefox, Microsoft Edge, or Internet Explorer 11.

The Web Console requires certain ports for its use, as listed in the following table.

Port Requirements
• SSL Default Port (8443/443). The Web Console is configured to use port 8443 for SSL by default. This avoids
potential conflicts with the LogRhythm Mediator, which uses port 443 on XM systems. If you are not installing the
Web Console on the same system as the LogRhythm Mediator, you can change the port to 443 or to another port
number during the installation.
• Port 8501. During installation, port 8501 is opened for the LogRhythm API Gateway. This port provides routing,
load balancing, SSL termination, and authentication termination to deployed Web Services.
• Port 43. To execute a whois query using contextualization, port 43 must be open for outbound connections. For
more information on using contextualization, see the Use Contextualize topic in the Web Console User Guide.
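A pre-flight check of the port table above on the host that will run the Web Console, as an added example that is not part of the guide: it reports which process already listens on the SSL and API Gateway ports, probes 443 separately to show why 8443 is the default on an XM, and tests outbound TCP/43. The port numbers are the guide's; the whois server name is a placeholder.

```powershell
# Added example (not from the guide): pre-flight the Web Console port table on the host where the
# Web Console will be installed. Port values are the guide's; the whois server name is a placeholder.
$WebConsoleSslPort = 8443              # default; 443 only when the Mediator is not on this host
$ApiGatewayPort    = 8501
$WhoisServer       = 'whois.iana.org'  # placeholder target for the outbound TCP/43 check

function Get-ListenerOwner {
    param([int]$Port)
    # Returns the process names already listening on a TCP port, or an empty array if it is free.
    $listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    $names = foreach ($l in $listeners) {
        $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        if ($p) { $p.ProcessName } else { "pid $($l.OwningProcess)" }
    }
    return @($names | Select-Object -Unique)
}

function Test-WebConsolePorts {
    param([int]$SslPort, [int]$GatewayPort, [string]$Whois)
    foreach ($p in @($SslPort, $GatewayPort)) {
        $owner = Get-ListenerOwner -Port $p
        [pscustomobject]@{
            Check  = "inbound TCP/$p free for the Web Console"
            Ok     = ($owner.Count -eq 0)
            Detail = $(if ($owner.Count -eq 0) { '' } else { "already used by $($owner -join ', ')" })
        }
    }
    # Explains the 8443 default: on an XM the Mediator already owns 443, so 443 is only an option when free.
    $owner443 = Get-ListenerOwner -Port 443
    [pscustomobject]@{
        Check  = 'TCP/443 available as an alternative SSL port'
        Ok     = ($owner443.Count -eq 0)
        Detail = $(if ($owner443.Count -eq 0) { 'could be chosen instead of 8443' } else { "held by $($owner443 -join ', '); keep 8443" })
    }
    # Contextualize needs outbound TCP/43; a failure here points at egress filtering, not at the host.
    $r = Test-NetConnection -ComputerName $Whois -Port 43 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Check  = "outbound TCP/43 to $Whois (whois for Contextualize)"
        Ok     = $r.TcpTestSucceeded
        Detail = $(if ($r.TcpTestSucceeded) { '' } else { 'blocked or unreachable; only Contextualize whois lookups are affected' })
    }
}

Test-WebConsolePorts -SslPort $WebConsoleSslPort -GatewayPort $ApiGatewayPort -Whois $WhoisServer | Format-Table -AutoSize
```

After the installer has run, the same Get-ListenerOwner helper confirms the result: 8443 and 8501 should then be owned by the Web Console and API Gateway processes rather than free.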

Virtualization Platform Considerations


The LogRhythm software can be deployed on physical, virtual or cloud environments. The LogRhythm Appliance
Platforms are validated and tested using known resource quantities at specific log processing and indexing rates. When
deploying LogRhythm on virtualized or cloud environments, it is important to adhere to performance best practices for
the selected hypervisor for highly resource intensive workloads.
• Data Collectors. Receive, collect, and forward log data. Their light footprint makes these systems good
candidates for virtualization.
• Data Processors. Handle processing, data enrichment, and data distribution to the other LogRhythm
components. These systems rely heavily on CPU and Memory resources while also needing access to large disks
for Long Term Archives.
• Data Indexers. Indexing and search of log data through Elasticsearch. These systems can be run in a clustered
configuration with resource utilization focused on CPU and disk I/O.

 New installations of the Data Indexer on Windows are only supported in an XM configuration.

• Platform Manager. Centralized configuration management, knowledge base data, alarming and reporting; runs
on a SQL Server backend. Standalone Platform Managers focus on memory and disk I/O utilization. In smaller
environments, however, AIE and Web Console may be run on these systems, increasing the resource
requirements.
• AIE. Advanced real-time correlation engine; requires CPU and memory resources for long-term trend analysis.
• Web Console. User-friendly Web interface to the threat lifecycle; requires mostly CPU and memory resources.
Planning system resources for each of these components will depend on the data volume and use cases for each
component. LogRhythm Appliance Platforms provide known performance and resource allocations, allowing
customers to scale using known quantities. In many cases, a customer will elect to split up LogRhythm roles onto their
own individual systems rather than running a single, very large instance (XM).
Refer to VMware Best Practices for Performance Tuning of Latency-Sensitive Workloads for best practices that
should be followed if LogRhythm is hosted on a vSphere hypervisor.
Refer to Microsoft Performance Tuning for Hyper-V Servers if you are using Microsoft Hyper-V.


Virtualization or Hyperconverged Platform Considerations


LogRhythm performs testing and validation of all components using physical hardware. However, the entire
LogRhythm ecosystem can be run virtually or in the cloud when provided with adequate resourcing.
• CPU. When planning CPU resources in a shared environment, you must consider context switching and wait
times associated with CPU core availability through the hypervisor. For this reason, LogRhythm recommends
using vCPU reservations through the hypervisor to ensure appliance specification rates can be met.
    • Considerations should be made when hyperthreading is being used: LogRhythm vCPU counts assume
    hyperthreaded cores.
    • CPU Ready time is a metric that records the amount of time a virtual machine is ready to use CPU but was
    unable to schedule time because all CPU resources are busy. It is important to observe percentage of CPU
    ready time on each hypervisor when under peak load. A value of more than 10% CPU ready time is an
    indication of vCPU oversubscription on the hypervisor, which will negatively impact LogRhythm
    performance.
• Memory. Memory management within virtualized environments should always provide enough memory for all
guests on the hypervisor with overhead available for the hypervisor itself. Overcommitting memory will result in
poor performance and stability issues within the LogRhythm ecosystem. For LogRhythm Appliances requiring
large memory footprints, non-uniform memory access (NUMA) boundaries should be considered. Guests should
not be allocated CPU or memory resources beyond that which can be provided within a single NUMA boundary.
• Disk Volumes. Data Indexers and Platform Managers rely heavily on disk size, IOPS, random seek, and overall
capacity.
    • The Data Indexer will use all disk resources available to the system, and it requires a high baseline of
    resources based on the Appliance Platform. For this reason, LogRhythm requires dedicated disk
    resources be committed to the system.
    • Shared storage removes any benefit associated with Data Indexer clustering, since all systems in the
    cluster participate in searching and indexing of data; the use of shared disks is not supported.
    • Many flash-optimized storage solutions provide IOPS rates based on optimized data, which is usually a
    small subset of the data on the SAN/blended storage. For this reason, it is recommended to use IOPS
    calculations for the disks where LogRhythm data stores exist, not the small flash-optimized data. This is
    particularly true of Data Indexers, because data used for searching will most certainly exceed the flash
    optimized storage tier.
    • All-flash storage is recommended for any virtualization environment.
    • Each LogRhythm logical volume should be provisioned on its own logical unit number (LUN) and not
    shared with other virtual infrastructure or other LogRhythm components.
    • Storage connectivity should realize an average latency of 10 ms or less. Higher latencies can cause
    unpredictable behavior, particularly with the Platform Manager and Data Indexer.
• Networking. Communication between LogRhythm Core Components, particularly Data Indexer clusters, requires
low latency and line-speed 1 Gb/s links, at a minimum.

Virtualization Deployment Best Practices


The following best practices will allow LogRhythm to make the most of the resources available in a virtualized
environment. Note, however, that the performance and stability of the system depend entirely on the quality of the
underlying hardware.

Virtual Host (Hypervisor) Requirements


• Intel or AMD server class x86-64-bit chip architecture with hyperthreading.


• Dedicated disk volumes following the IOPS/RAID specifications of the appliance platform.
• IOPS numbers should be compared using the disks that store LogRhythm data and using non-optimized random
  seeks per second, not sequential; automated storage tiering solutions are strongly discouraged.

Virtual Machine System Requirements


• Full reservations for vCPU and vMemory with no CPU or memory over-commitment on the physical hosts.
• Where applicable, install hypervisor integration services/tools on platform guest VMs (PM, DP, AIE, DX, DC, etc.).
• Where applicable, enhanced network controllers should be used.
• Provision virtual disks as Eager Zero Thick where applicable.
• Avoid NFS disks due to higher latency, network variations, and file locking issues.
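As an added example (not LogRhythm's own tooling), the following Python script turns the platform considerations and the virtual machine requirements above into a pre-flight check of a planned guest: appliance vCPU/RAM figures taken from the Gen5 reference tables later in this guide, full reservations, fit within one NUMA node, Eager Zero Thick disks, no NFS or shared disks, a dedicated LUN, average storage latency of 10 ms or less, and CPU Ready under 10%. It assumes CPU Ready is supplied as vCenter's real-time summation metric (milliseconds per 20-second sample, summed over the guest's vCPUs), which this guide does not specify; the host NUMA node and both sample guests are constructed.

```python
"""Pre-flight check of a planned virtual LogRhythm guest against the hypervisor
guidance in this section. Added example, not LogRhythm's own tooling."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# vCPU and RAM per appliance platform, taken from the Gen5 reference tables in
# this guide. Per the text above, vCPU counts assume hyperthreaded cores.
APPLIANCE_SPECS: Dict[str, Dict[str, int]] = {
    "LR-XM6500": {"vcpu": 40, "ram_gb": 192},
    "LR-PM5500": {"vcpu": 20, "ram_gb": 128},
    "LR-DX5500": {"vcpu": 28, "ram_gb": 128},
}

# Assumption (not from this guide): CPU Ready is fed in as vCenter's real-time
# summation metric, milliseconds per 20-second sample summed over all vCPUs.
SAMPLE_INTERVAL_MS = 20_000
CPU_READY_LIMIT_PCT = 10.0       # guide: more than 10% indicates oversubscription
STORAGE_LATENCY_LIMIT_MS = 10.0  # guide: average latency of 10 ms or less


@dataclass
class HostNumaNode:
    """Resources of ONE NUMA node of the hypervisor, not of the whole host."""
    logical_cores: int  # hyperthreaded cores in this node
    ram_gb: int


@dataclass
class PlannedGuest:
    role: str                  # appliance platform, e.g. "LR-DX5500"
    vcpu: int
    ram_gb: int
    cpu_reserved: bool         # full vCPU reservation on the hypervisor
    mem_reserved: bool         # full memory reservation
    disk_provisioning: str     # "eager-zero-thick", "thin", ...
    datastore_type: str        # "vmfs-lun", "nfs", "shared"
    dedicated_lun: bool        # each LogRhythm volume on its own LUN
    storage_latency_ms: float  # observed average datastore latency
    cpu_ready_ms: List[int] = field(default_factory=list)  # summation samples


def cpu_ready_percent(ready_ms_sum: int, vcpus: int,
                      interval_ms: int = SAMPLE_INTERVAL_MS) -> float:
    """Per-vCPU CPU Ready percentage for one summation sample."""
    return 100.0 * ready_ms_sum / (interval_ms * vcpus)


def check_guest(guest: PlannedGuest, node: HostNumaNode) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means the plan complies."""
    findings: List[Tuple[str, str]] = []
    spec = APPLIANCE_SPECS.get(guest.role)
    if spec is None:
        findings.append(("SPEC-UNKNOWN", f"no reference spec for {guest.role}"))
    else:
        if guest.vcpu < spec["vcpu"]:
            findings.append(("SPEC-VCPU", f"{guest.vcpu} vCPU is below the {spec['vcpu']} of {guest.role}"))
        if guest.ram_gb < spec["ram_gb"]:
            findings.append(("SPEC-RAM", f"{guest.ram_gb} GB is below the {spec['ram_gb']} GB of {guest.role}"))
    if not guest.cpu_reserved:
        findings.append(("RESERVE-CPU", "vCPUs are not fully reserved"))
    if not guest.mem_reserved:
        findings.append(("RESERVE-MEM", "memory is not fully reserved"))
    if guest.vcpu > node.logical_cores or guest.ram_gb > node.ram_gb:
        findings.append(("NUMA", "guest exceeds a single NUMA node of the host"))
    if guest.disk_provisioning != "eager-zero-thick":
        findings.append(("DISK-PROVISION", f"disks are {guest.disk_provisioning}, not Eager Zero Thick"))
    if guest.datastore_type == "nfs":
        findings.append(("DISK-NFS", "NFS datastore: higher latency and file locking issues"))
    if guest.datastore_type == "shared" and guest.role.startswith(("LR-DX", "LR-XM")):
        findings.append(("DISK-SHARED", "shared disks are not supported for the Data Indexer"))
    if not guest.dedicated_lun:
        findings.append(("DISK-LUN", "each LogRhythm volume needs its own LUN"))
    if guest.storage_latency_ms > STORAGE_LATENCY_LIMIT_MS:
        findings.append(("STORAGE-LATENCY", f"{guest.storage_latency_ms} ms average latency exceeds {STORAGE_LATENCY_LIMIT_MS} ms"))
    if guest.cpu_ready_ms:
        worst = max(cpu_ready_percent(s, guest.vcpu) for s in guest.cpu_ready_ms)
        if worst > CPU_READY_LIMIT_PCT:
            findings.append(("CPU-READY", f"peak CPU Ready {worst:.1f}% exceeds {CPU_READY_LIMIT_PCT}%"))
    return findings


# Constructed sample data: one NUMA node of a two-socket host and two plans.
HOST_NODE = HostNumaNode(logical_cores=48, ram_gb=128)

GOOD_GUEST = PlannedGuest(  # a dedicated DX5500-class guest that follows the guidance
    role="LR-DX5500", vcpu=28, ram_gb=128, cpu_reserved=True, mem_reserved=True,
    disk_provisioning="eager-zero-thick", datastore_type="vmfs-lun",
    dedicated_lun=True, storage_latency_ms=4.0, cpu_ready_ms=[1200, 2400, 900])

BAD_GUEST = PlannedGuest(  # an undersized XM6500-class guest on NFS, peaking at 12% CPU Ready
    role="LR-XM6500", vcpu=40, ram_gb=160, cpu_reserved=True, mem_reserved=False,
    disk_provisioning="thin", datastore_type="nfs", dedicated_lun=False,
    storage_latency_ms=18.0, cpu_ready_ms=[60000, 96000, 72000])

if __name__ == "__main__":
    for guest in (GOOD_GUEST, BAD_GUEST):
        result = check_guest(guest, HOST_NODE)
        print(f"{guest.role}: {'OK' if not result else str(len(result)) + ' finding(s)'}")
        for code, message in result:
            print(f"  [{code}] {message}")
```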

Virtualization Redundancy and High Availability


There are a number of solutions native to hypervisors that are designed to provide high availability and dynamic
resource migration. While these solutions are not formally tested with the LogRhythm ecosystem, users should be
aware of the additional overhead associated with them and the impact that they could have on LogRhythm.

Virtualization Snapshots and Backups


LogRhythm provides native backup mechanisms for the SQL databases on the PM and for archives. Combined, these two
can be used to restore a LogRhythm deployment to full functionality with its historical data. For this reason, and
because of the disk I/O penalties associated with snapshots, customers are strongly discouraged from taking snapshots
of their LogRhythm systems in a virtual environment. If needed, OS-level backups can be done using third-party
software, but they are not required for LogRhythm system restoration.

Networking and Communication


There are a large number of ports that need to be open for the different LogRhythm components to communicate. For
more information, see the Networking and Communication topic in the Enterprise SIEM Help.


Select a Method of Deploying LogRhythm


The following sections describe LogRhythm appliance platforms and performance specifications for each, as well as
information about installing LogRhythm on cloud-based platforms. You can use this information to determine what
kind of systems you will use for installing LogRhythm.
• LogRhythm Reference Architecture
• Amazon Web Services Installations
• Google Cloud Installations
• Microsoft Azure Installations


LogRhythm Reference Architecture

Gen5 Reference Architecture


The tables in this section describe LogRhythm appliance platforms and performance specifications for each. You can
use this information to determine what kind of systems you will use for installing LogRhythm.

Note: New installations of the Data Indexer are only supported on the Linux platform. The Data Indexer is only
supported on Windows in an XM configuration.

Note: SAN storage is supported only in LogRhythm's software-only solution and not in LogRhythm appliances. With
respect to appliances, SAN storage is supported only for inactive archives.

Note: In the tables that follow, Allocation Unit Size is abbreviated as AUS. Where not otherwise specified, the
default AUS is expected.


Appliance Reference Architecture



LR-DC3500 Series
Performance (MPS): Max Collection Rate: 25,000
Hardware:
• 1 x 3.6 GHz 4 Core CPU
• 8 vCPU
• 16 GB RAM
• H730P RAID controller
• 2 x 1 Gigabit Ethernet NICs
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 300 GB 10K RPM SAS
  • RAID 1
  • Hardware IOPS: 150
  • Recommended IOPS: 150
  Virtual Disk:
  • 278 GB usable
  Logical Volume:
  • C Drive (200 GB)
  • D Drive (78 GB)


LR-WC3500 Series
Performance (MPS):
  Web Console:
  • Max Event Rate: 1,000
  • Max Concurrent Users: 35
Hardware:
• Hardware: 1 x 2.3 GHz 16 Core CPU
• Min: 16 vCPU; Hardware: 32 vCPU
• Min: 32 GB RAM; Hardware: 48 GB RAM
• H750 RAID controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
Disk/Vol 2 Config:
  Physical Disk:
  • 2 x 480 GB SSD SATA
  • 3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 1,000
  Virtual Disk:
  • 480 GB usable
  Logical Volume:
  • D Drive (480 GB)


LR-XM4500 Series (combined PM, DP, DX, AIE, Web, DC)
Performance (MPS):
  Data Processor:
  • Max Processing Rate: 2,000
  AI Engine:
  • Max Processing Rate: 2,000
  Data Indexer:
  • Indexing Rate: 2,000
  Platform Manager:
  • Max LogMart Rate: 20
  • Max Events Rate: 20
  Web Console:
  • Max Concurrent Users: 5
Hardware:
• 1 x 2.2 GHz 10 Core CPU
• 20 vCPU
• 96 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
Disk/Vol 2 Config:
  Physical Disk:
  • 6 x 600 GB 10K RPM SAS
  • RAID 5 + 1 HS
  • Hardware IOPS: 450
  • Recommended IOPS: 450
  Virtual Disk:
  • 2.2 TB usable
  Logical Volume:
  • D Drive (2033 GB, 64K AUS)
  • L Drive (150 GB, 64K AUS)
Disk/Vol 3 Config:
  Physical Disk:
  • 2 x 480 GB SSD SATA
  • 3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 500
  Virtual Disk:
  • 440 GB usable
  Logical Volume:
  • S Drive (390 GB)
  • T Drive (50 GB, 64K AUS)


LR-XM6500 Series (combined PM, DP, DX, AIE, Web, DC)
Performance (MPS):
  Data Processor:
  • Max Processing Rate: 5,000
  AI Engine:
  • Max Processing Rate: 5,000
  Data Indexer:
  • Max Indexing Rate: 5,000
  Platform Manager:
  • Max LogMart Rate: 100
  • Max Events Rate: 100
  Web Console:
  • Max Concurrent Users: 10
Hardware:
• 2 x 2.2 GHz 10 Core CPU
• 40 vCPU
• 192 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
Disk/Vol 2 Config:
  Physical Disk:
  • 14 x 1.2 TB 10K RPM SAS
  • RAID 5 + 1 HS
  • Hardware IOPS: 1233
  • Recommended IOPS: 1233
  Virtual Disk:
  • 13600 GB usable
  Logical Volume:
  • D Drive (13000 GB, 64K AUS)
  • L Drive (600 GB, 64K AUS)
Disk/Vol 3 Config:
  Physical Disk:
  • 2 x 480 GB SSD SATA
  • 3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 1,000
  Virtual Disk:
  • 440 GB usable
  Logical Volume:
  • S Drive (390 GB)
  • T Drive (50 GB, 64K AUS)


LR-XM8500 Series (combined PM, DP, DX, AIE, Web, DC)
Performance (MPS):
  Data Processor:
  • Max Processing Rate: 10,000
  AI Engine:
  • Max Processing Rate: 10,000
  Data Indexer:
  • Max Indexing Rate: 10,000
  Platform Manager:
  • Max LogMart Rate: 200
  • Max Events Rate: 200
  Web Console:
  • Max Concurrent Users: 15
Hardware:
• 2 x 3.0 GHz 12 Core CPU
• 48 vCPU
• 256 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
Disk/Vol 2 Config:
  Physical Disk:
  • 24 x 1.2 TB 10K RPM SAS
  • RAID 5 + 1 HS
  • Hardware IOPS: 2538
  • Recommended IOPS: 2538
  Virtual Disk:
  • 24568 GB usable
  Logical Volume:
  • D Drive (23568 GB, 64K AUS)
  • L Drive (1000 GB, 64K AUS)
Disk/Vol 3 Config:
  Physical Disk:
  • 2 x 800 GB SSD SATA
  • 3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 1,500
  Virtual Disk:
  • 736 GB usable
  Logical Volume:
  • S Drive (686 GB)
  • T Drive (50 GB, 64K AUS)


LR-PM5500 Series
Performance (MPS):
  Platform Manager:
  • Max LogMart Rate: 800
  • Max Events Rate: 400
  AI Engine:
  • Max MPS Rate: 20,000
  Web Console:
  • Max Concurrent Users: 15
Hardware:
• 1 x 2.2 GHz 10 Core CPU
• 20 vCPU
• 128 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
Disk/Vol 2 Config:
  Physical Disk:
  • 8 x 600 GB 15K RPM SAS
  • RAID 10
  • Hardware IOPS: 1,128
  • Recommended IOPS: 1,128
  Virtual Disk:
  • 2200 GB usable
  Logical Volume:
  • D Drive (2000 GB, 64K AUS)
  • L Drive (200 GB, 64K AUS)
Disk/Vol 3 Config:
  Physical Disk:
  • 2 x 480 GB SSD SATA
  • 3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 500
  Virtual Disk:
  • 440 GB usable
  Logical Volume:
  • S Drive (390 GB)
  • T Drive (50 GB, 64K AUS)
Disk/Vol 4 Config: not applicable


LR-PM7500 Series
Performance (MPS):
  Platform Manager:
  • Max LogMart Rate: 2,000
  • Max Events Rate: 1,000
  AI Engine:
  • Max MPS Rate: 30,000
  Web Console:
  • Max Concurrent Users: 35
Hardware:
• 2 x 2.6 GHz 12 Core CPU
• 48 vCPU
• 196 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
Disk/Vol 2 Config:
  Physical Disk:
  • 18 x 900 GB 15K RPM SAS
  • RAID 10
  • Hardware IOPS: 2538
  • Recommended IOPS: 2538
  Virtual Disk:
  • 7452 GB usable
  Logical Volume:
  • D Drive (7452 GB, 64K AUS)
Disk/Vol 3 Config:
  Physical Disk:
  • 4 x 900 GB 15K RPM SAS
  • RAID 10
  • Hardware IOPS: 564
  • Recommended IOPS: 564
  Virtual Disk:
  • 1656 GB usable
  Logical Volume:
  • L Drive (1656 GB, 64K AUS)
Disk/Vol 4 Config:
  Physical Disk:
  • 2 x 960GB SSD SATA
  • 3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 1,000
  Virtual Disk:
  • 920 GB usable
  Logical Volume:
  • S Drive (870 GB)
  • T Drive (50 GB, 64K AUS)


LR-DP5500 Series
Performance (MPS):
  Data Processor:
  • Max Processing Rate: 15,000
Hardware:
• 1 x 2.6 GHz 12 Core CPU
• 24 vCPU
• 64 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
Disk/Vol 2 Config:
  Physical Disk:
  • 4 x 2 TB 7.2K RPM SAS
  • RAID 5 + 1 HS
  • Hardware IOPS: 148
  • Recommended IOPS: 148
  Virtual Disk:
  • 3.6 TB usable
  Logical Volume:
  • D Drive (3.6 TB)
Disk/Vol 3 Config:
  Physical Disk:
  • 2 x 960GB SSD SATA
  • 3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 750
  Virtual Disk:
  • 920 GB usable
  Logical Volume:
  • S Drive (920 GB)


LR-DP7500 Series
Performance (MPS):
  Data Processor:
  • Max Processing Rate: 40,000
Hardware:
• 2 x 3.0 GHz 12 Core CPU
• 48 vCPU
• 128 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
Disk/Vol 2 Config:
  Physical Disk:
  • 8 x 2 TB 7.2K RPM SAS
  • RAID 5 + 1 HS
  • Hardware IOPS: 395
  • Recommended IOPS: 395
  Virtual Disk:
  • 11 TB usable
  Logical Volume:
  • D Drive (11 TB)
Disk/Vol 3 Config:
  Physical Disk:
  • 2 x 1.92 TB SSD SATA
  • 3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 1500
  Virtual Disk:
  • 1.8 TB usable
  Logical Volume:
  • S Drive (1.8 TB)


LR-DX3500 Series
Performance (MPS):
  Data Indexer:
  • Pinned Indexing Rate: 5,000
  • Clustered Indexing Rate: 3000/node
Hardware:
• 1 x 2.3 GHz 12 Core CPU
• 24 vCPU
• 64 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: CentOS 7.x or Red Hat Enterprise Linux 7
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
  Volume Size: / 200 GB
Disk/Vol 2 Config:
  Physical Disk:
  • 10 x 1.2 TB 10K RPM SAS
  • RAID 5 + 1 HS
  • Hardware IOPS: 793
  • Recommended IOPS: 793
  Virtual Disk:
  • 8.8 TB usable
  Logical Volume:
  • Data Drive (8.8TB)
  Volume Size: /usr/local/logrhythm 8800 GB


LR-DX5500 Series
Performance (MPS):
  Data Indexer:
  • Pinned Indexing Rate: 10,000
  • Clustered Indexing Rate: 6,000/node
Hardware:
• 1 x 2.6 GHz 14 Core CPU
• 28 vCPU
• 128 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: CentOS 7.x or Red Hat Enterprise Linux 7
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
  Volume Size: / 200 GB
Disk/Vol 2 Config:
  Physical Disk:
  • 16 x 1.2 TB 10K RPM SAS
  • RAID 5 + 1 HS
  • Hardware IOPS: 1410
  • Recommended IOPS: 1410
  Virtual Disk:
  • 15.45 TB usable
  Logical Volume:
  • Data Drive (15.45 TB)
  Volume Size: /usr/local/logrhythm 16000 GB


LR-DX7500 Series
Performance (MPS):
  Data Indexer:
  • Pinned Indexing Rate: 20,000
  • Clustered Indexing Rate: 12,000/node
Hardware:
• 2 x 2.6 GHz 14 Core CPU
• 56 vCPU
• 256 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gigabit Ethernet NICs
• 2 x 1 Gigabit Ethernet NICs
Operating System: CentOS 7.x or Red Hat Enterprise Linux 7
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
  • OS Drive (546 GB)
  Volume Size: / 200 GB
Disk/Vol 2 Config:
  Physical Disk:
  • 26 x 1.92 TB SSD SATA
  • 3 DWPD
  • RAID 5 + 1 HS
  • Hardware IOPS: 85000
  • Recommended IOPS: 2750
  Virtual Disk:
  • 39 TB usable
  Logical Volume:
  • Data Drive (39 TB)
  Volume Size: /usr/local/logrhythm 39 TB


LR-DXW5120
Performance (MPS):
  Data Indexer:
  • Max Indexing Rate: 0
Hardware:
• 1 x 2.2 GHz 10 Core CPU
• 20 vCPU
• 128 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gigabit Ethernet NICs
• 2 x 1 Gigabit Ethernet NICs
Operating System: CentOS 7.x or Red Hat Enterprise Linux 7
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
  Volume Size: / 200 GB
Disk/Vol 2 Config:
  Physical Disk:
  • 12 x 12 TB 7.2K RPM SATA
  • RAID 5 + 1 HS
  • Hardware IOPS: 750
  • Recommended IOPS: 750
  Virtual Disk:
  • 108 TB usable
  Logical Volume:
  • Data Drive (108 TB)
  Volume Size: /usr/local/logrhythm 108TB


LR-AIE7500 Series
Performance (MPS):
  AI Engine:
  • Max MPS: 75,000
  • Max Number of Rules: 2,000
Hardware:
• 2 x 3.0 GHz 12 Core CPU
• 48 vCPU
• 128 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
Disk/Vol 2 Config:
  Physical Disk:
  • 2 x 2 TB SSD SATA
  • 3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 2,000
  Virtual Disk:
  • 1.8 TB usable
  Logical Volume:
  • S Drive (1.8 TB)


LR-NM3500
Performance (MPS): 1 Gb Network Monitor
Hardware:
• 1 x 2.3 GHz 12 Core CPU
• 24 vCPU
• 64 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: CentOS 7.6 or Red Hat Enterprise Linux 7
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
Disk/Vol 2 Config:
  Physical Disk:
  • 8 x 600 GB 10K RPM SAS
  • RAID 5 + 1 HS
  • Hardware IOPS: 717
  • Recommended IOPS: 717
  Virtual Disk:
  • 3312 GB usable
  Logical Volume:
  • Data Drive (3312 GB)


LR-NM5500
Performance (MPS): 5 Gb Network Monitor
Hardware:
• 2 x 2.6 GHz 14 Core CPU
• 56 vCPU
• 128 GB RAM
• PERC H750 RAID Controller with 8GB Cache
• 2 x 10 Gb/s NICs
• 2 x 1 Gb/s NICs
Operating System: CentOS 7.6 or Red Hat Enterprise Linux 7
Disk/Vol 1 Config:
  Physical Disk:
  • 2 x 240 GB M.2 SSD
  • 0.3 DWPD
  • RAID 1
  • Hardware IOPS: 85,000
  • Recommended IOPS: 150
  Virtual Disk:
  • 220 GB usable
  Logical Volume:
  • OS Drive (220 GB)
Disk/Vol 2 Config:
  Physical Disk:
  • 24 x 600 GB 10K RPM SAS
  • RAID 5 + 1 HS
  • Hardware IOPS: 2115
  • Recommended IOPS: 2115
  Virtual Disk:
  • 12284 GB usable
  Logical Volume:
  • Data Drive (12232 GB)


SANM5026 (direct attached storage for NM)
Performance: 12 Gbps SAS
Hardware: PERC H840 RAID Controller with 8 GB Cache
Operating System: not applicable
Disk/Vol 1 Config:
  Physical Disk:
  • 24 x 1.2 TB 10K RPM SAS
  • RAID 5 + 1 HS
  • Hardware IOPS: 2538
  Virtual Disk:
  • 24464 GB usable
  Logical Volume:
  • Data Drive (24464 GB)
Disk/Vol 2 Config: not applicable

SAAR5120 (direct attached storage for archives)
Performance: 12 Gbps SAS
Hardware: PERC H840 RAID Controller with 8 GB Cache
Operating System: not applicable
Disk/Vol 1 Config:
  Physical Disk:
  • 24 x 12 TB 7200 RPM SAS
  • RAID 5 + 1 HS
  • Hardware IOPS: 1135
  Virtual Disk:
  • 120 TB usable
  Logical Volume:
  • Archive Drive (120 TB)
Disk/Vol 2 Config: not applicable

SAPM5020 (direct attached storage for PM)
Performance: 12 Gbps SAS
Hardware: PERC H840 RAID Controller with 8 GB Cache
Operating System: not applicable
Disk/Vol 1 Config:
  Physical Disk:
  • 20 x 900 GB 15K RPM SAS
  • RAID 10
  • Hardware IOPS: 2820
  Virtual Disk:
  • 8280 GB usable
  Logical Volume:
  • E Drive (8280 GB)
Disk/Vol 2 Config:
  Physical Disk:
  • 4 x 900 GB 15K RPM SAS
  • RAID 10
  • Hardware IOPS: 564
  Virtual Disk:
  • 1656 GB usable
  Logical Volume:
  • M Drive (1656 GB)


Note: The virtual platforms described in the table below are for labs/sandbox use only. They are not intended for production use.


LR-XMVS (combined PM, DP, DX virtual server)
For labs/sandbox use only
Performance (MPS):
  Data Processor:
  • Max Processing Rate: 500
  Data Indexer:
  • Max Indexing Rate: 500
  Platform Manager:
  • Max LogMart Rate: 50
  • Max Events Rate: 25
Hardware:
• 8 vCPU
• 32 GB RAM
• 1 NIC
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Disk:
  • Recommended IOPS: 150
  Logical Volume:
  • C Drive (100 GB)
  • L Drive (20 GB, 64K AUS)
  • T Drive (10 GB, 64K AUS)
Disk/Vol 2 Config:
  Disk:
  • Recommended IOPS: 150
  Logical Volume:
  • D Drive (150 GB, 64K AUS)

LR-PMVS1 (dedicated PM virtual server)
For labs/sandbox use only
Performance (MPS):
  Platform Manager:
  • Max LogMart Rate: 50
  • Max Events Rate: 25
Hardware:
• 4 vCPU
• 16 GB RAM
• 1 NIC
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Disk:
  • Recommended IOPS: 150
  Logical Volume:
  • C Drive (100 GB)
  • L Drive (20 GB, 64K AUS)
  • T Drive (10 GB, 64K AUS)
Disk/Vol 2 Config:
  Disk:
  • Recommended IOPS: 150
  Logical Volume:
  • D Drive (150 GB, 64K AUS)

LR-DPVS1 (dedicated DP virtual server)
For labs/sandbox use only
Performance (MPS):
  Data Processor:
  • Max Processing Rate: 500
Hardware:
• 4 vCPU
• 8 GB RAM
• 1 NIC
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol 1 Config:
  Disk:
  • Recommended IOPS: 150
  Logical Volume:
  • C Drive (100 GB)
  • D Drive (50 GB)
Disk/Vol 2 Config: not applicable

LR-DXVS1 (dedicated DX virtual server)
For labs/sandbox use only
Performance (MPS):
  Data Indexer:
  • Max Indexing Rate: 500
Hardware:
• 4 vCPU
• 16 GB RAM
• 1 NIC
Operating System: CentOS 7.6 or Red Hat Enterprise Linux 7
Disk/Vol 1 Config:
  Disk:
  • Recommended IOPS: 150
  Logical Volume:
  • OS Drive (100 GB)
Disk/Vol 2 Config:
  Disk:
  • Recommended IOPS: 150
  Logical Volume:
  • Data Drive (150 GB)

AWS Platform Reference Architecture

Note: AWS EC2 instances should be considered minimums. In some environments, higher performance instances may be required.


LR-DC3400
Performance (MPS):
• Max Collection Rate: 15,000
• Max Remote Windows Log Sources: 500
Instance Type:
  AWS: m6a.xlarge
  vCPU: 4
  Memory: 16GB
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol Config 1:
  Disk Type: gp3 - 250 GB
  Volume Size: C Drive: 250 GB
  Description: Operating System
Disk/Vol Config 2:
  Disk Type: gp3 - 100 GB
  Volume Size: D Drive: 100 GB
  Description: State


LR-XM4500 Series (Combined PM/DP/DX/AIE/Web Server)
Performance (MPS):
  Data Processor:
  • Max Processing Rate: 2,000
  AI Engine:
  • Max Processing Rate: 2,000
  Data Indexer:
  • Indexing Rate: 2,000
  Platform Manager:
  • Max LogMart Rate: 20
  • Max Events Rate: 20
  Web Console:
  • Max Concurrent Users: 5
Instance Type:
  AWS: r6i.4xlarge
  vCPU: 16
  Memory: 128GB
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol Config 1:
  Disk Type: gp3 - 250 GB
  Volume Size: C Drive: 250 GB
  Description: Operating System
Disk/Vol Config 2:
  Disk Type: gp3 - 800 GB
  Volume Size:
  • D Drive: 500 GB
  • S Drive: 100 GB
  • L Drive: 150 GB
  • T Drive: 50 GB
  Description: SQL DB / SQL Logs / State / Temp
Disk/Vol Config 3:
  Disk Type: gp3 - 1500 GB
  Volume Size: E Drive: 1500 GB
  Description: Elasticsearch Data
Disk/Vol Config 4: (none)


LR-XM6500 Series (Combined PM/DP/DX/AIE/Web Server)
Performance (MPS):
  Data Processor:
  • Max Processing Rate: 5,000
  AI Engine:
  • Max Processing Rate: 5,000
  Data Indexer:
  • Max Indexing Rate: 5,000
  Platform Manager:
  • Max LogMart Rate: 100
  • Max Events Rate: 100
  Web Console:
  • Max Concurrent Users: 10
Instance Type:
  AWS: m6a.12xlarge
  vCPU: 48
  Memory: 192GB
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol Config 1:
  Disk Type: gp3 - 250 GB
  Volume Size: C Drive: 250 GB
  Description: Operating System
Disk/Vol Config 2:
  Disk Type: gp3 - 3000 GB
  Volume Size:
  • D Drive: 2700 GB
  • S Drive: 250 GB
  • T Drive: 50 GB
  Description: SQL DB / State / Temp
Disk/Vol Config 3:
  Disk Type: gp3 - 9000 GB
  Volume Size: E Drive: 9000 GB
  Description: Elasticsearch Data
Disk/Vol Config 4:
  Disk Type: gp3 - 200 to 800 GB
  Volume Size: L Drive: 800 GB (if DR is used) or L Drive: 200 GB (if DR not used)
  Description: SQL Logs


LR-XM8500 Series (Combined PM/DP/DX/AIE/Web Server)
Performance (MPS):
  Data Processor:
  • Max Processing Rate: 10,000
  AI Engine:
  • Max Processing Rate: 10,000
  Data Indexer:
  • Max Indexing Rate: 10,000
  Platform Manager:
  • Max LogMart Rate: 200
  • Max Events Rate: 200
  Web Console:
  • Max Concurrent Users: 15
Instance Type:
  AWS: m6a.16xlarge
  vCPU: 64
  Memory: 256GB
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol Config 1:
  Disk Type: gp3 - 250 GB
  Volume Size: C Drive: 250 GB
  Description: Operating System
Disk/Vol Config 2:
  Disk Type: gp3 - 5000 GB
  Volume Size:
  • D Drive: 4500 GB
  • S Drive: 450 GB
  • T Drive: 50 GB
  Description: SQL DB / State / Temp
Disk/Vol Config 3:
  Disk Type: gp3 - 16000 GB
  Volume Size: E Drive: 16000 GB
  Description: Elasticsearch Data
Disk/Vol Config 4:
  Disk Type: gp3 - 200 to 800 GB
  Volume Size: L Drive: 800 GB (if DR is used) or L Drive: 200 GB (if DR not used)
  Description: SQL Logs


LR-PMC-Small
Performance (MPS):
  Platform Manager only:
  • Max Events Rate: 20
  • Max LogMart Rate: 0-Disabled
  Deployments under 5000mps
  DR/HA not supported
Instance Type:
  AWS: r6i.xlarge
  vCPU: 4
  Memory: 32GB
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol Config 1:
  Disk Type: gp3 - 250 GB
  Volume Size: C Drive: 250 GB
  Description: Operating System
Disk/Vol Config 2:
  Disk Type: gp3 - 500 GB
  Volume Size:
  • D Drive: 350 GB
  • L Drive: 50 GB
  • S Drive: 50 GB
  • T Drive: 50 GB
  Description: SQL DB / SQL Logs / State / Temp
Disk/Vol Config 3: (none)


LR-PMC-Large
Performance (MPS):
  Platform Manager only:
  • Max Events Rate: 100
  • Max LogMart Rate: 0-Disabled
  Deployments between 5,000 to 10,000mps
  DR/HA not supported
Instance Type:
  AWS: m5a.2xlarge
  vCPU: 8
  Memory: 32GB
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol Config 1:
  Disk Type: gp3 - 250 GB
  Volume Size: C Drive: 250 GB
  Description: Operating System
Disk/Vol Config 2:
  Disk Type: gp3 - 1000 GB
  Volume Size:
  • D Drive: 750 GB
  • L Drive: 100 GB
  • S Drive: 100 GB
  • T Drive: 50 GB
  Description: SQL DB / SQL Logs / State / Temp
Disk/Vol Config 3: (none)


LR-PM5500 Series
Performance (MPS):
  Platform Manager:
  • Max LogMart Rate: 800
  • Max Events Rate: 400
  AI Engine:
  • Max MPS Rate: 20,000
  Web Console:
  • Max Concurrent Users: 15
Instance Type:
  AWS: r6i.4xlarge
  vCPU: 16
  Memory: 128GB
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol Config 1:
  Disk Type: gp3 - 250 GB
  Volume Size: C Drive: 250 GB
  Description: Operating System
Disk/Vol Config 2:
  Disk Type: gp3 - 1900 GB
  Volume Size:
  • D Drive: 1600 GB
  • S Drive: 250 GB
  • T Drive: 50 GB
  Description: SQL DB / State / Temp
Disk/Vol Config 3:
  Disk Type: gp3 - 200 to 800 GB
  Volume Size: L Drive: 800 GB (if DR is used) or L Drive: 200 GB (if DR not used)
  Description: SQL Logs


LR-PM7500 Series
Performance (MPS):
  Platform Manager:
  • Max LogMart Rate: 2,000
  • Max Events Rate: 1,000
  AI Engine:
  • Max MPS Rate: 30,000
  Web Console:
  • Max Concurrent Users: 35
Instance Type:
  AWS: m6a.8xlarge
  vCPU: 32
  Memory: 128GB
Operating System: Windows 2019 x64 Standard Edition
Disk/Vol Config 1:
  Disk Type: gp3 - 250 GB
  Volume Size: C Drive: 250 GB
  Description: Operating System
Disk/Vol Config 2:
  Disk Type: gp2
  Volume Size:
  • D Drive: 5000 GB
  • S Drive: 500 GB
  • T Drive: 50 GB
  Description: SQL DB / State / Temp
Disk/Vol Config 3:
  Disk Type: gp3 - 200 to 800 GB
  Volume Size: L Drive: 800 GB (if DR is used) or L Drive: 200 GB (if DR not used)
  Description: SQL Logs


LR-DPAWC3500
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 1,000
    AI Engine:
    • Max Processing Rate: 1,000
    Web Console:
    • Max Concurrent Users: 5
  Instance Type: AWS: r6i.xlarge; vCPU: 4; Memory: 32GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: gp3 - 250 GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: gp3 - 150 GB; Volume Size: S Drive: 150 GB; Description: State
  Disk/Vol Config 3: Disk Type: sc1 - adjustable; Volume Size: E Drive: 500 GB; Description: Inactive Archives (adjustable)

LR-DPAWC5500
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 5,000
    AI Engine:
    • Max Processing Rate: 5,000
    Web Console:
    • Max Concurrent Users: 5
  Instance Type: AWS: r6i.2xlarge; vCPU: 8; Memory: 64GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: gp3 - 250 GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: gp3 - 250 GB; Volume Size: S Drive: 250 GB; Description: State
  Disk/Vol Config 3: Disk Type: sc1 - adjustable; Volume Size: E Drive: 1000 GB; Description: Inactive Archives (adjustable)


LR-DPAWC7500
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 10,000
    AI Engine:
    • Max Processing Rate: 10,000
    Web Console:
    • Max Concurrent Users: 15
  Instance Type: AWS: m6i.4xlarge; vCPU: 16; Memory: 64GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: gp3 - 250 GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: gp3 - 500 GB; Volume Size: S Drive: 500 GB; Description: State
  Disk/Vol Config 3: Disk Type: sc1 - adjustable; Volume Size: E Drive: 2000 GB; Description: Inactive Archives (adjustable)


LR-DP5500 Series
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 15,000
  Instance Type: AWS: c6i.8xlarge; vCPU: 32; Memory: 64GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: gp3 - 250 GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: gp3 - 500 GB; Volume Size: S Drive: 500 GB; Description: Active Archives and LR State
  Disk/Vol Config 3: Disk Type: sc1 - adjustable; Volume Size: E Drive: 2000 GB; Description: Inactive Archives (adjustable)

LR-DP7500 Series
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 40,000
  Instance Type: AWS: c6i.12xlarge; vCPU: 48; Memory: 96GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: gp3 - 250 GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: gp3 - 1200 GB; Volume Size: S Drive: 1200 GB; Description: Active Archives and LR State
  Disk/Vol Config 3: Disk Type: sc1 - adjustable; Volume Size: E Drive: 8000 GB; Description: Inactive Archives (adjustable)


LR-AIE7500 Series
  Performance (MPS):
    AI Engine:
    • Max MPS: 75,000
    • Max Number of Rules: 2,000
  Instance Type: AWS: c6i.12xlarge; vCPU: 48; Memory: 96GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: gp3 - 250 GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: gp3 - 500 GB; Volume Size: D Drive: 500 GB; Description: AIE State/Data


LR-DX1500 Series
  Performance (MPS):
    Data Indexer:
    • Pinned Indexing Rate: 1,000
  Instance Type: AWS: r5.2xlarge; vCPU: 4; Memory: 64GB
  Operating System: AWS Marketplace Image: CentOS 7 (x86_64) - with Updates HVM by Amazon Web Services
  Disk/Vol Config 1: Disk Type: gp3 - 250 GB; Volume Size: / 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: gp3 - 4400 GB; Throughput - default; IOPS - default; Volume Size: /usr/local/logrhythm 4400 GB; Description: Elasticsearch Data
  Disk/Vol Config 3: (none)
  Disk/Vol Config 4: (none)


LR-DX3500 Series
  Performance (MPS):
    Data Indexer:
    • Pinned Indexing Rate: 5,000
    • Clustered Indexing Rate: 3000/node
  Instance Type: AWS: m6i.4xlarge; vCPU: 16; Memory: 64GB
  Operating System: AWS Marketplace Image: CentOS 7 (x86_64) - with Updates HVM by Amazon Web Services
  Disk/Vol Config 1: Disk Type: gp3 - 250 GB; Volume Size: / 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: gp3 - 8800 GB; Throughput - default; IOPS - default; Volume Size: /usr/local/logrhythm 8800 GB; Description: Elasticsearch Data
  Disk/Vol Config 3: (none)
  Disk/Vol Config 4: (none)


LR-DX5500 Series
  Performance (MPS):
    Data Indexer:
    • Pinned Indexing Rate: 10,000
    • Clustered Indexing Rate: 6,000/node
  Instance Type: AWS: m6i.8xlarge; vCPU: 32; Memory: 128GB
  Operating System: AWS Marketplace Image: CentOS 7 (x86_64) - with Updates HVM by Amazon Web Services
  Disk/Vol Config 1: Disk Type: gp3 - 250 GB; Volume Size: / 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: gp3 - 16000 GB; Throughput - 300MB/s; IOPS - 5000; Volume Size: /usr/local/logrhythm 16000 GB; Description: Elasticsearch Data
  Disk/Vol Config 3: (none)
  Disk/Vol Config 4: (none)


LR-DX7500 Series
  Performance (MPS):
    Data Indexer:
    • Pinned Indexing Rate: 20,000
    • Clustered Indexing Rate: 12,000/node
  Instance Type: AWS: m6i.16xlarge; vCPU: 64; Memory: 256GB
  Operating System: AWS Marketplace Image: CentOS 7 (x86_64) - with Updates HVM by Amazon Web Services
  Disk/Vol Config 1: Disk Type: gp3 - 250 GB; Volume Size: / 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: gp3 - 16000 GB; Throughput - 300MB/s; IOPS - 5000; Volume Size: LVM - /usr/local/logrhythm 16000 GB; Description: Elasticsearch Data
  Disk/Vol Config 3: Disk Type: gp3 - 16000 GB; Throughput - 300MB/s; IOPS - 5000; Volume Size: LVM - /usr/local/logrhythm 16000 GB; Description: Elasticsearch Data
  Disk/Vol Config 4: (none)

LR-DXW5120 Series (dedicated warm tier)
  Performance (MPS):
    Data Indexer:
    • Max Indexing Rate: 0
  Instance Type: AWS: r5a.4xlarge; vCPU: 16; Memory: 128GB
  Operating System: AWS Marketplace Image: CentOS 7 (x86_64) - with Updates HVM by Amazon Web Services
  Disk/Vol Config 1: Disk Type: gp3 - 250 GB; Volume Size: / 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: st1 - 16000 GB; Volume Size: LVM - /usr/local/logrhythm 16000 GB; Description: Elasticsearch Data
  Disk/Vol Config 3: Disk Type: st1 - 16000 GB; Volume Size: LVM - /usr/local/logrhythm 16000 GB; Description: Elasticsearch Data
  Disk/Vol Config 4: Additional disks based on TTL required


Google Cloud Platform Reference Architecture

Google Cloud instance sizes should be considered minimums. In some environments, higher performance instances may be required.


LR-DC3400
  Performance (MPS):
    Max Collection Rate: 15,000
    Max Remote Windows Log Sources: 500
  Instance Type: n2-standard-4; vCPU: 4; Memory: 16GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250 GB; Volume Size: C Drive: 200 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-standard - 100 GB; Volume Size: D Drive: 100 GB; Description: LR State


LR-XM4500 Series (Combined PM/DP/DX/AIE/Web Server)
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 2,000
    AI Engine:
    • Max Processing Rate: 2,000
    Data Indexer:
    • Indexing Rate: 2,000
    Platform Manager:
    • Max LogMart Rate: 20
    • Max Events Rate: 20
    Web Console:
    • Max Concurrent Users: 5
  Instance Type: n2-highmem-16; vCPU: 16; Memory: 128GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 800 GB; Volume Size: D Drive: 500 GB, L Drive: 100 GB, S Drive: 150 GB, T Drive: 50 GB; Description: SQL Databases/ES Data/SQL Logs/LR State/SQL Temp
  Disk/Vol Config 3: Disk Type: pd-balanced - 1500 GB; Volume Size: E Drive: 1500 GB; Description: Elasticsearch Data
  Disk/Vol Config 4: (none)


LR-XM6500 Series (Combined PM/DP/DX/AIE/Web Server)
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 5,000
    AI Engine:
    • Max Processing Rate: 5,000
    Data Indexer:
    • Max Indexing Rate: 5,000
    Platform Manager:
    • Max LogMart Rate: 100
    • Max Events Rate: 100
    Web Console:
    • Max Concurrent Users: 10
  Instance Type: n2-custom; vCPU: 40; Memory: 196GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 3000 GB; Volume Size: D Drive: 2750 GB, S Drive: 250 GB, T Drive: 50 GB; Description: SQL Databases/State/SQL Temp
  Disk/Vol Config 3: Disk Type: pd-balanced - 9000 GB; Volume Size: E Drive: 9000 GB; Description: ElasticSearch Data
  Disk/Vol Config 4: Disk Type: pd-balanced - 200 to 800 GB; Volume Size: L Drive: 800 GB (if DR is used) or L Drive: 200 GB (if DR not used); Description: SQL Logs


LR-XM8500 Series (Combined PM/DP/DX/AIE/Web Server)
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 10,000
    AI Engine:
    • Max Processing Rate: 10,000
    Data Indexer:
    • Max Indexing Rate: 10,000
    Platform Manager:
    • Max LogMart Rate: 200
    • Max Events Rate: 200
    Web Console:
    • Max Concurrent Users: 15
  Instance Type: n2-custom; vCPU: 48; Memory: 256GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 5000 GB; Volume Size: D Drive: 4500 GB, S Drive: 450 GB, T Drive: 50 GB; Description: SQL Databases/SQL Logs/SQL Temp
  Disk/Vol Config 3: Disk Type: pd-balanced - 16000 GB; Volume Size: E Drive: 16000 GB; Description: ElasticSearch Data
  Disk/Vol Config 4: Disk Type: pd-balanced - 200 to 800 GB; Volume Size: L Drive: 800 GB (if DR is used) or L Drive: 200 GB (if DR not used); Description: SQL Logs


LR-PMC-Small
  Performance (MPS): Platform Manager only
    • Max Events Rate: 20
    • Max LogMart Rate: 0-Disabled
    Deployments under 5000 mps; DR/HA not supported
  Instance Type: n2-highmem-4; vCPU: 4; Memory: 32GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 500 GB; Volume Size: D Drive: 350 GB, L Drive: 50 GB, S Drive: 50 GB, T Drive: 50 GB; Description: SQL DB / SQL Logs / State / Temp
  Disk/Vol Config 3: (none)


LR-PMC-Large
  Performance (MPS): Platform Manager only
    • Max Events Rate: 100
    • Max LogMart Rate: 0-Disabled
    Deployments between 5,000 to 10,000 mps; DR/HA not supported
  Instance Type: n2-standard-8; vCPU: 8; Memory: 32GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 1000 GB; Volume Size: D Drive: 750 GB, L Drive: 100 GB, S Drive: 100 GB, T Drive: 50 GB; Description: SQL DB / SQL Logs / State / Temp
  Disk/Vol Config 3: (none)


LR-PM5500 Series
  Performance (MPS):
    Platform Manager:
    • Max LogMart Rate: 800
    • Max Events Rate: 400
    AI Engine:
    • Max MPS Rate: 20,000
    Web Console:
    • Max Concurrent Users: 15
  Instance Type: n2-custom; vCPU: 20; Memory: 128GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 2000 GB; Volume Size: D Drive: 1600 GB, S Drive: 300 GB, T Drive: 100 GB; Description: SQL DB / State / Temp
  Disk/Vol Config 3: Disk Type: pd-balanced - 200 to 800 GB; Volume Size: L Drive: 800 GB (if DR is used) or L Drive: 400 GB (if DR not used); Description: SQL Logs


LR-PM7500 Series
  Performance (MPS):
    Platform Manager:
    • Max LogMart Rate: 2,000
    • Max Events Rate: 1,000
    AI Engine:
    • Max MPS Rate: 30,000
    Web Console:
    • Max Concurrent Users: 35
  Instance Type: n2-custom; vCPU: 48; Memory: 196GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 8200 GB; Volume Size: D Drive: 7500 GB, S Drive: 500 GB, T Drive: 200 GB; Description: SQL DB / State / Temp
  Disk/Vol Config 3: Disk Type: pd-balanced - 200 to 800 GB; Volume Size: L Drive: 2000 GB (if DR is used) or L Drive: 500 GB (if DR not used); Description: SQL Logs


LR-DPAWC3500
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 1,000
    AI Engine:
    • Max Processing Rate: 1,000
    Web Console:
    • Max Concurrent Users: 5
  Instance Type: n2-highmem-4; vCPU: 4; Memory: 32GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 150 GB; Volume Size: S Drive: 150 GB; Description: State
  Disk/Vol Config 3: Disk Type: pd-standard - adjustable; Volume Size: E Drive: 500 GB; Description: Inactive Archives (adjustable)

LR-DPAWC5500
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 5,000
    AI Engine:
    • Max Processing Rate: 5,000
    Web Console:
    • Max Concurrent Users: 5
  Instance Type: n2-highmem-8; vCPU: 8; Memory: 64GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 250 GB; Volume Size: S Drive: 250 GB; Description: State
  Disk/Vol Config 3: Disk Type: pd-standard - adjustable; Volume Size: E Drive: 1000 GB; Description: Inactive Archives (adjustable)


LR-DPAWC7500
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 10,000
    AI Engine:
    • Max Processing Rate: 10,000
    Web Console:
    • Max Concurrent Users: 15
  Instance Type: n2-standard-16; vCPU: 16; Memory: 64GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 500 GB; Volume Size: S Drive: 500 GB; Description: State
  Disk/Vol Config 3: Disk Type: pd-standard - adjustable; Volume Size: E Drive: 2000 GB; Description: Inactive Archives (adjustable)


LR-DP5500 Series
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 15,000
  Instance Type: n2-custom; vCPU: 24; Memory: 64GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 500 GB; Volume Size: S Drive: 500 GB; Description: Active Archives/LR State
  Disk/Vol Config 3: Disk Type: pd-standard - adjustable; Volume Size: E Drive: 2000 GB; Description: Inactive Archives (adjustable)

LR-DP7500 Series
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 40,000
  Instance Type: n2-custom; vCPU: 48; Memory: 128GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 1000 GB; Volume Size: S Drive: 1000 GB; Description: Active Archives/LR State
  Disk/Vol Config 3: Disk Type: pd-standard - adjustable; Volume Size: E Drive: 8000 GB; Description: Inactive Archives (adjustable)


LR-AIE7500 Series
  Performance (MPS):
    AI Engine:
    • Max MPS: 75,000
    • Max Number of Rules: 2,000
  Instance Type: n2-custom; vCPU: 48; Memory: 128GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: pd-standard - 250GB; Volume Size: C Drive: 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 500 GB; Volume Size: S Drive: 500 GB; Description: AIE State/Data


LR-DX1500 Series
  Performance (MPS):
    Data Indexer:
    • Pinned Indexing Rate: 1,000
  Instance Type: n2-highmem-8; vCPU: 8; Memory: 64GB
  Operating System: Image Family: centos-7
  Disk/Vol Config 1: Disk Type: pd-standard - 250 GB; Volume Size: / 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 4400 GB; Volume Size: /usr/local/logrhythm 4400 GB; Description: Elasticsearch Data
  Disk/Vol Config 3: (none)


LR-DX3500 Series
  Performance (MPS):
    Data Indexer:
    • Pinned Indexing Rate: 5,000
    • Clustered Indexing Rate: 3000/node
  Instance Type: n2-standard-16; vCPU: 16; Memory: 64GB
  Operating System: Image Family: centos-7
  Disk/Vol Config 1: Disk Type: pd-standard - 250 GB; Volume Size: / 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 8800 GB; Volume Size: /usr/local/logrhythm 8800 GB; Description: Elasticsearch Data
  Disk/Vol Config 3: (none)

LR-DX5500 Series
  Performance (MPS):
    Data Indexer:
    • Pinned Indexing Rate: 10,000
    • Clustered Indexing Rate: 6,000/node
  Instance Type: n2-standard-32; vCPU: 32; Memory: 128GB
  Operating System: Image Family: centos-7
  Disk/Vol Config 1: Disk Type: pd-standard - 250 GB; Volume Size: / 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 16000 GB; Volume Size: /usr/local/logrhythm 16000 GB; Description: Elasticsearch Data
  Disk/Vol Config 3: (none)


LR-DX7500 Series
  Performance (MPS):
    Data Indexer:
    • Pinned Indexing Rate: 20,000
    • Clustered Indexing Rate: 12,000/node
  Instance Type: n2-standard-64; vCPU: 64; Memory: 256GB
  Operating System: Image Family: centos-7
  Disk/Vol Config 1: Disk Type: pd-standard - 250 GB; Volume Size: / 250 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: pd-balanced - 32000 GB; Volume Size: /usr/local/logrhythm 32000 GB; Description: Elasticsearch Data
  Disk/Vol Config 3: (none)

LR-DXW5120 (dedicated warm tier)
  Performance (MPS):
    Data Indexer:
    • Max Indexing Rate: 0
  Instance Type: n2-highmem-16; vCPU: 16; Memory: 128GB
  Operating System: Image Family: centos-7
  Disk/Vol Config 1: Disk Type: pd-standard - 250 GB; Volume Size: / 250 GB; Description: Operating System
  Disk/Vol Config 2: *Disk Type: pd-standard - 64000 GB; Volume Size: /usr/local/logrhythm 64000 GB; Description: Elasticsearch Data
  Disk/Vol Config 3: Additional disks based on TTL required

* GCP only allows for a max volume of 64TB per instance. You will need to add multiple instances to meet the DXW5120 hardware appliance.


Azure Platform Reference Architecture

Microsoft Azure instance sizes should be considered minimums. In some environments, higher performance instances may be required.

For all platforms, use only read host cache on data disks, such as SQL data or Elasticsearch data.


LR-DC3400
  Performance (MPS):
    Max Collection Rate: 15,000
    Max Remote Windows Log Sources: 500
  Instance Type: D4 v5; vCPU: 4; Memory: 16GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256 GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: S10 - 128 GB; Volume Size: D Drive: 128 GB; Description: State


LR-XM4500 Series (combined PM/DP/DX/AIE/Web server)
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 2,000
    AI Engine:
    • Max Processing Rate: 2,000
    Data Indexer:
    • Indexing Rate: 2,000
    Platform Manager:
    • Max LogMart Rate: 20
    • Max Events Rate: 20
    Web Console:
    • Max Concurrent Users: 5
  Instance Type: E16 v5; vCPU: 16; Memory: 128GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256 GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: E30 - 1024 GB; Volume Size: D Drive: 775 GB, L Drive: 100 GB, S Drive: 100 GB, T Drive: 50 GB; Description: SQL Data/SQL Logs/LR State/SQL Temp
  Disk/Vol Config 3: Disk Type: E40 - 2048 GB; Volume Size: E Drive: 2048 GB; Description: Elasticsearch Data
  Disk/Vol Config 4: (none)


LR-XM6500 Series (combined PM/DP/DX/AIE/Web server)
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 5,000
    AI Engine:
    • Max Processing Rate: 5,000
    Data Indexer:
    • Max Indexing Rate: 5,000
    Platform Manager:
    • Max LogMart Rate: 100
    • Max Events Rate: 100
    Web Console:
    • Max Concurrent Users: 10
  Instance Type: D48 v5; vCPU: 48; Memory: 192GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: E40 - 2048 GB; Volume Size: D Drive: 1748 GB, S Drive: 250 GB, T Drive: 50 GB; Description: SQL Data/SQL Logs/LR State/SQL Temp
  Disk/Vol Config 3: Disk Type: E60 - 8192 GB; Volume Size: E Drive: 8192 GB; Description: Elasticsearch Data
  Disk/Vol Config 4: Disk Type: P15 or P20 - 256 or 512 GB; Volume Size: L Drive: 256 GB (if DR is used) or L Drive: 512 GB (if DR not used); Description: SQL Logs


LR-XM8500 Series (combined PM/DP/DX/AIE/Web server)
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 10,000
    AI Engine:
    • Max Processing Rate: 10,000
    Data Indexer:
    • Max Indexing Rate: 10,000
    Platform Manager:
    • Max LogMart Rate: 200
    • Max Events Rate: 200
    Web Console:
    • Max Concurrent Users: 15
  Instance Type: D64 v5; vCPU: 64; Memory: 256GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: E50 - 4096 GB; Volume Size: D Drive: 3645 GB, L Drive: 150 GB, S Drive: 250 GB, T Drive: 50 GB; Description: SQL Data/SQL Logs/LR State/SQL Temp
  Disk/Vol Config 3: Disk Type: E70 - 16384 GB; Volume Size: E Drive: 16384 GB; Description: Elasticsearch Data
  Disk/Vol Config 4: Disk Type: P15 or P20 - 256 or 512 GB; Volume Size: L Drive: 512 GB (if DR is used) or L Drive: 256 GB (if DR not used); Description: SQL Logs


LR-PMC-Small
  Performance (MPS): Platform Manager only
    • Max Events Rate: 20
    • Max LogMart Rate: 0-Disabled
    Deployments under 5000 mps; DR/HA not supported
  Instance Type: E4 v5; vCPU: 4; Memory: 32GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: P20 - 512 GB; Volume Size: D Drive: 350 GB, L Drive: 50 GB, S Drive: 50 GB, T Drive: 50 GB; Description: SQL Data / SQL Logs / LR State / SQL Temp
  Disk/Vol Config 3: (none)


LR-PMC-Large
  Performance (MPS): Platform Manager only
    • Max Events Rate: 100
    • Max LogMart Rate: 0-Disabled
    Deployments between 5,000 to 10,000 mps; DR/HA not supported
  Instance Type: D8 v5; vCPU: 8; Memory: 32GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: P30 - 1024 GB; Volume Size: D Drive: 750 GB, L Drive: 100 GB, S Drive: 100 GB, T Drive: 50 GB; Description: SQL Data / SQL Logs / LR State / SQL Temp
  Disk/Vol Config 3: (none)


LR-PM5500 Series
  Performance (MPS):
    Platform Manager:
    • Max LogMart Rate: 800
    • Max Events Rate: 400
    AI Engine:
    • Max MPS Rate: 20,000
    Web Console:
    • Max Concurrent Users: 15
  Instance Type: E16 v5; vCPU: 16; Memory: 128GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: P40 - 2048 GB; Volume Size: D Drive: 1848 GB, S Drive: 100 GB, T Drive: 100 GB; Description: SQL Data / LR State / SQL Temp
  Disk/Vol Config 3: Disk Type: P15 or P20 - 256 or 512 GB; Volume Size: L Drive: 512 GB (if DR is used) or L Drive: 256 GB (if DR not used); Description: SQL Logs


LR-PM7500 Series
  Performance (MPS):
    Platform Manager:
    • Max LogMart Rate: 2,000
    • Max Events Rate: 1,000
    AI Engine:
    • Max MPS Rate: 30,000
    Web Console:
    • Max Concurrent Users: 35
  Instance Type: D32 v5; vCPU: 32; Memory: 128GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: P50 - 4096 GB; Volume Size: D Drive: 3896 GB, S Drive: 100 GB, T Drive: 100 GB; Description: SQL Data / LR State / SQL Temp
  Disk/Vol Config 3: Disk Type: P20 or P30 - 512 or 1048 GB; Volume Size: L Drive: 1048 GB (if DR is used) or L Drive: 512 GB (if DR not used); Description: SQL Logs


LR-DPAWC3500
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 1,000
    AI Engine:
    • Max Processing Rate: 1,000
    Web Console:
    • Max Concurrent Users: 5
  Instance Type: E4 v5; vCPU: 4; Memory: 32GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: P10 - 128 GB; Volume Size: S Drive: 128 GB; Description: State
  Disk/Vol Config 3: Disk Type & Volume Size: see note 1; Description: Inactive Archives

LR-DPAWC5500
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 5,000
    AI Engine:
    • Max Processing Rate: 5,000
    Web Console:
    • Max Concurrent Users: 5
  Instance Type: E8 v5; vCPU: 4; Memory: 64GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: P15 - 256 GB; Volume Size: S Drive: 256 GB; Description: State
  Disk/Vol Config 3: Disk Type & Volume Size: see note 1; Description: Inactive Archives


LR-DPAWC7500
  Performance (MPS):
    Data Processor:
    • Max Processing Rate: 10,000
    AI Engine:
    • Max Processing Rate: 10,000
    Web Console:
    • Max Concurrent Users: 15
  Instance Type: D16 v5; vCPU: 16; Memory: 64GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: P20 - 512 GB; Volume Size: S Drive: 512 GB; Description: State
  Disk/Vol Config 3: Disk Type & Volume Size: see note 1; Description: Inactive Archives

Note 1: Inactive archives should use File Storage or a standard HDD disk.


LR-DP5500 Series
  Performance (MPS):
    Max Processing Rate: 15,000
  Instance Type: F32s v2; vCPU: 32; Memory: 64GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: P20 - 512 GB; Volume Size: S Drive: 512 GB; Description: State
  Disk/Vol Config 3: Disk Type & Volume Size: see note 1; Description: Inactive Archives

LR-DP7500 Series
  Performance (MPS):
    Max Processing Rate: 40,000
  Instance Type: F64s v2; vCPU: 64; Memory: 128GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: P30 - 1024; Volume Size: S Drive: 1024 GB; Description: State
  Disk/Vol Config 3: Disk Type & Volume Size: see note 1; Description: Inactive Archives

Note 1: Inactive archives should use File Storage or a standard HDD disk.


LR-AIE7500 Series
  Performance (MPS):
    Max MPS: 75,000
    Max Number of Rules: 2,000
  Instance Type: F64s v2; vCPU: 64; Memory: 128GB
  Operating System: Windows 2019 x64 Standard Edition
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: C Drive: 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: P20 - 512 GB; Volume Size: S Drive: 512 GB; Description: State


LR-DX1500 Series
  Performance (MPS):
    Data Indexer:
    • Pinned Indexing Rate: 1,000
  Instance Type: E8 v5; vCPU: 8; Memory: 64GB
  Operating System: OpenLogic:CentOS:7.5:latest or latest CentOS 7.x
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: / 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: E50 - 4096GB; Volume Size: /usr/local/logrhythm 4096 GB; Description: Elasticsearch Data
  Disk/Vol Config 3: (none)
  Disk/Vol Config 4: (none)
  Disk/Vol Config 5: (none)

LR-DX3500 Series
  Performance (MPS):
    Data Indexer:
    • Pinned Indexing Rate: 5,000
    • Clustered Indexing Rate: 3000/node
  Instance Type: D16 v5; vCPU: 16; Memory: 64GB
  Operating System: OpenLogic:CentOS:7.5:latest or latest CentOS 7.x
  Disk/Vol Config 1: Disk Type: S15 - 256GB; Volume Size: / 256 GB; Description: Operating System
  Disk/Vol Config 2: Disk Type: E60 - 8192GB; Volume Size: /usr/local/logrhythm 8192 GB; Description: Elasticsearch Data
  Disk/Vol Config 3: (none)
  Disk/Vol Config 4: (none)
  Disk/Vol Config 5: (none)

R Perfo Instance Type Operating System Disk/Vol Config 1 Disk/Vol Config 2 Disk/Vol Config 3 Disk/Vol Config 4 Disk/Vol Config 5
e rman
f ce
e (MPS)
r
e
n
c
e
P
la
tf
o
r
m

L Data D32 v5 OpenLogic:CentOS: Disk Type : Disk Type: (none) (none) (none)
R Index 7.5:latest
vCPU: 32 S15 E70 - 16384GB
- er:
D Memory: 128GB or latest CentOS 7.x Volume Size: Volume Size:
X
5 / /usr/local/
5 logrhythm
256 GB
0 16,384 GB
0 Description:
S Description:
Operating System
er Elasticsearch Data
ie
s

Select a Method of Deploying LogRhythm 89


Install a New LogRhythm Deployment

R Perfo Instance Type Operating System Disk/Vol Config 1 Disk/Vol Config 2 Disk/Vol Config 3 Disk/Vol Config 4 Disk/Vol Config 5
e rman
f ce
e (MPS)
r
e
n
c
e
P
la
tf
o
r
m

• P
i
n
n
e
d
I
n
d
e
xi
n
g
R
a
t
e
:
1
0
,
0
Select a Method
0 of Deploying LogRhythm 90
0
Install a New LogRhythm Deployment

R Perfo Instance Type Operating System Disk/Vol Config 1 Disk/Vol Config 2 Disk/Vol Config 3 Disk/Vol Config 4 Disk/Vol Config 5
e rman
f ce
e (MPS)
r
e
n
c
e
P
la
tf
o
r
m

• C
l
u
s
t
e
r
e
d
I
n
d
e
xi
n
g
R
a
t
e
:
6
, of Deploying LogRhythm
Select a Method 91
0
0
0
/
Install a New LogRhythm Deployment

R Perfo Instance Type Operating System Disk/Vol Config 1 Disk/Vol Config 2 Disk/Vol Config 3 Disk/Vol Config 4 Disk/Vol Config 5
e rman
f ce
e (MPS)
r
e
n
c
e
P
la
tf
o
r
m

L Data D64 v5 OpenLogic:CentOS: Disk Type : Disk Type: Disk Type: (none) (none)
R Index 7.5:latest
vCPU: 64 S15 E70 - 16384GB E70 - 16384GB
- er:
D Memory: 256GB or latest CentOS 7.x Volume Size: Volume Size: Volume Size:
X
7 / /usr/local/ /usr/local/
5 logrhythm logrhythm
256 GB
0
0 Description:
S Description: Description:
Operating System
er Elasticsearch Data Elasticsearch Data
ie
s

Select a Method of Deploying LogRhythm 92


Install a New LogRhythm Deployment

R Perfo Instance Type Operating System Disk/Vol Config 1 Disk/Vol Config 2 Disk/Vol Config 3 Disk/Vol Config 4 Disk/Vol Config 5
e rman
f ce
e (MPS)
r
e
n
c
e
P
la
tf
o
r
m

• P
i
n
n
e
d
I
n
d
e
xi
n
g
R
a
t
e
:
2
0
,
0
Select a Method
0 of Deploying LogRhythm 93
0
Install a New LogRhythm Deployment

R Perfo Instance Type Operating System Disk/Vol Config 1 Disk/Vol Config 2 Disk/Vol Config 3 Disk/Vol Config 4 Disk/Vol Config 5
e rman
f ce
e (MPS)
r
e
n
c
e
P
la
tf
o
r
m

• C
l
u
s
t
e
r
e
d
I
n
d
e
xi
n
g
R
a
t
e
:
1
2 of Deploying LogRhythm
Select a Method 94
,
0
0
0
Install a New LogRhythm Deployment

R Perfo Instance Type Operating System Disk/Vol Config 1 Disk/Vol Config 2 Disk/Vol Config 3 Disk/Vol Config 4 Disk/Vol Config 5
e rman
f ce
e (MPS)
r
e
n
c
e
P
la
tf
o
r
m

L Data E16 v5 OpenLogic:CentOS: Disk Type : Disk Type: Disk Type: Disk Type: Additional disks
R Index 7.5:latest based on TTL
vCPU: 16 S15 S80 - 32,767GB S80 - 32,767GB S80 - 32,767GB
- er: required
D Memory: 128GB or latest CentOS 7.x Volume Size: Volume Size: Volume Size: Volume Size:
X
W / /usr/local/ /usr/local/ /usr/local/
5 logrhythm logrhythm logrhythm
256 GB
1
2 Description:
0 Description: Description: Description:
Operating System
S Elasticsearch Data Elasticsearch Data Elasticsearch Data
er
ie
s
(
d
e
di
c
at
e
d
w
ar
Select
m a Method of Deploying LogRhythm 95
ti
er
)
Install a New LogRhythm Deployment

R Perfo Instance Type Operating System Disk/Vol Config 1 Disk/Vol Config 2 Disk/Vol Config 3 Disk/Vol Config 4 Disk/Vol Config 5
e rman
f ce
e (MPS)
r
e
n
c
e
P
la
tf
o
r
m

• M
a
x
I
n
d
e
xi
n
g
R
a
t
e
:
0

Select a Method of Deploying LogRhythm 96


Install a New LogRhythm Deployment

 The DX warm storage values do not match to appliances and can be adjusted based on customer need, with a limit of 120TB total on DXW5120.


Amazon Web Services Installations


This section provides information about how to design and deploy LogRhythm in Amazon Web Services.

 It is assumed that the user has experience with Amazon Web Services EC2.

Design
Designing LogRhythm in AWS is similar to on-premise deployments. Assess the volume needs of your organization and
match them to the LogRhythm Reference Architecture provided in this section.

Windows Systems
Create Windows Virtual Machines using the standard EC2 instances from AWS. You will want to select the newest base
operating system supported on your version of LogRhythm.
• Select the size of the instance based on your appliance sizing needs using the Amazon Web Services Reference
Architecture table in the Reference Architecture topic.
• Create EBS storage to match the instance mappings for volume type and size.
• Root instance store volumes should not be used for LogRhythm storage.

Linux Systems (Data Indexer)


LogRhythm recommends installing a CentOS 7.x Minimal system or Red Hat Enterprise Linux (RHEL) 7 and adhering to
the following steps:
1. Select the size of the instance based on your appliance sizing needs using the Amazon Web Services Reference
Architecture table in the Reference Architecture topic.
2. Create EBS storage to match the instance mappings for volume type and size. Additional disks must be
configured after launching the instance and prior to installing the LogRhythm Data Indexer software. All data
disks should be mounted to /usr/local/logrhythm. For Data Indexers with a single volume:

 Root instance store volumes should never be used for LogRhythm storage. Dedicated disk(s) should be
mounted to /usr/local/logrhythm prior to installation of software.

a. For Single Data Disk DX Instances:


i. Confirm all disks are visible within the EC2 instance. You should see your additional storage as
/dev/xvdb or /dev/xvdc.
This can vary depending on instance type, but should follow a pattern where the first disk ends
with a, the second disk with b, the third disk with c, and so on.

# sudo lsblk | grep disk


ii. Enter the following command to configure a partition on the disk, using the disk name you
found above.
For example, "sudo parted /dev/xvdb"

# sudo parted /dev/xvdb

At the parted prompt, enter the following:

mklabel gpt
mkpart
Partition Name = Leave Blank
File System Type = ext2
Start = 1
End = The size of this partition; for a 16TB drive enter 16000GB
pr
This prints the partition table; confirm it looks correct.
quit

iii. Build the file system using this command, specifying the disk you used in the previous step:

# sudo mkfs.ext4 -m 0 /dev/xvdb

iv. Create the directory to which you wish to mount the disk.
This should always be /usr/local/logrhythm.

# sudo mkdir -p /usr/local/logrhythm/

v. Record the block UUID for the disk that you wish to mount:

# sudo blkid

 This is a necessary step. Never mount using the device name, always the UUID, or else
the drive mapping will fail following an instance change.

vi. Edit fstab and add this drive to be mounted to the directory you created previously,
"/usr/local/logrhythm":

# sudo vi /etc/fstab
UUID=#########-####-####-####-############ /usr/local/logrhythm ext4 nodev,nosuid,nofail 1 2

vii. Mount the new drive:

# sudo mount -a

b. For Multiple Data Disk DX Instances (LVM)


i. Confirm all disks are visible within the EC2 instance.


You should see your additional storage as /dev/xvdb, /dev/xvdc, etc. This can vary depending on
instance type, but should follow a pattern where the first disk ends with a, second disk with b,
third disk with c, etc. Record these values, as you will use them in the next step.

# sudo lsblk | grep disk

ii. Create a volume group containing all data disks.


In this command, replace the disk names with the ones you recorded for your system in the
previous step.

# sudo vgcreate vg_lrdata /dev/xvdb /dev/xvdc /dev/xvdd

iii. Create a logical volume with data striping for optimal performance.
In this command, the stripes quantity (-i) should match the number of disks in the volume group.
For example, if you have created a volume group with two disks, you should use two here.

# sudo lvcreate -i # -I 32 -l 100%FREE -n lv_lrdata vg_lrdata

iv. Format the filesystem:

# sudo mkfs.ext4 /dev/vg_lrdata/lv_lrdata

v. Record the block UUID for the disk that you wish to mount:

# sudo blkid

vi. Reload the System Daemon to permit mounting of the new volume:

# sudo systemctl daemon-reload

vii. Edit fstab and add this drive to be mounted to the directory you created previously,
"/usr/local/logrhythm":

# sudo vi /etc/fstab
UUID=#########-####-####-####-############ /usr/local/logrhythm ext4 nodev,nosuid,nofail 1 2

viii. Create the directory to which you wish to mount the disk.
This should always be /usr/local/logrhythm.

# sudo mkdir -p /usr/local/logrhythm/

ix. Mount the new drive:


# sudo mount -a

3. Create a LogRhythm user.


a. Log into the AWS instance and elevate to the root user:

# sudo su

b. Add new user called logrhythm:

# adduser logrhythm

c. Set the password for the LogRhythm user:

# passwd logrhythm

d. Provide and confirm the password for the LogRhythm user.


e. Add the LogRhythm user to the wheel group:

# usermod -aG wheel logrhythm

f. Ensure permissions on the /usr/local/logrhythm path are correct for your LogRhythm user:

# sudo chown -R logrhythm:logrhythm /usr/local/logrhythm/

g. Navigate to the LogRhythm user:

# su - logrhythm

4. Configure the SSH key.


a. Generate the SSH key:

# ssh-keygen -t rsa

b. Accept all defaults and do not enter a password.


c. Navigate to the ssh key:

# cd /home/logrhythm/.ssh

d. Copy and authorize the key:


# cp id_rsa.pub authorized_keys

e. SSH into the instance and add the SSH key to the list of known hosts:

# ssh localhost

f. Enter yes when prompted to continue connecting.


g. Log in as the newly created LogRhythm user.
5. Install the Data Indexer.
a. Prepare the DX install by moving the DX installer, plan.yml, and hosts file to the Soft directory:

# sudo mv <filename> /home/logrhythm/Soft

b. Run the DX installer:

# sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/Soft/hosts --plan /home/logrhythm/Soft/plan.yml

c. When prompted for the SSH password, press Enter with no input.
d. When prompted for the Sudo password, enter the password for the LogRhythm user created in earlier
steps.
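The following helper, added here as an example and not part of the LogRhythm guide, covers the single-disk and LVM data-disk procedures in step 2 above: it builds the UUID-based fstab entry the guide calls for, audits an fstab file for the device-name mistake the note warns about, and derives the lvcreate stripe count from the number of data disks. It assumes the guide's own paths and names (/usr/local/logrhythm, ext4, nodev,nosuid,nofail, vg_lrdata, lv_lrdata); the fstab in the demo is constructed, and the disk-altering commands are printed, not run.

```shell
#!/bin/sh
# Added example, not from the LogRhythm guide: helpers for the Data Indexer data
# volume. Nothing here touches a disk: lvm_cmds only prints commands and
# audit_fstab only reads a file.

LR_DATA_DIR=/usr/local/logrhythm
LR_MOUNT_OPTS=nodev,nosuid,nofail   # mount options the guide puts in /etc/fstab

# Succeeds when the argument is a block UUID as blkid prints it (8-4-4-4-12 hex).
valid_uuid() {
    printf '%s\n' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Print the /etc/fstab line for the data volume. A device path such as /dev/xvdb
# is refused: the guide requires mounting by UUID so the mapping survives an
# instance change.
fstab_entry() {
    if ! valid_uuid "$1"; then
        echo "fstab_entry: '$1' is not a UUID; mount by UUID, not device name" >&2
        return 1
    fi
    printf 'UUID=%s %s ext4 %s 1 2\n' "$1" "$LR_DATA_DIR" "$LR_MOUNT_OPTS"
}

# Audit an fstab file (pass /etc/fstab on a real host): flag an entry for the data
# directory that is mounted by device path or lacks nodev/nosuid, and flag a
# missing entry. One finding per line; exit status 1 if anything was found.
audit_fstab() {
    awk -v dir="$LR_DATA_DIR" '
        NF == 0 || $1 ~ /^#/ { next }        # skip blank lines and comments
        $2 == dir {
            found = 1
            if ($1 !~ /^UUID=/) { printf "%s: mounted by %s, not UUID\n", dir, $1; bad = 1 }
            if (("," $4 ",") !~ /,nodev,/)  { printf "%s: missing nodev\n", dir; bad = 1 }
            if (("," $4 ",") !~ /,nosuid,/) { printf "%s: missing nosuid\n", dir; bad = 1 }
        }
        END {
            if (!found) { printf "%s: no fstab entry\n", dir; bad = 1 }
            exit bad ? 1 : 0
        }' "$1"
}

# Print the vgcreate/lvcreate commands of the multi-disk (LVM) procedure, with the
# stripe count (-i) set to the number of data disks given, as step iii requires.
lvm_cmds() {
    if [ "$#" -lt 2 ]; then
        echo "lvm_cmds: a striped volume needs at least two data disks" >&2
        return 1
    fi
    printf 'sudo vgcreate vg_lrdata %s\n' "$*"
    printf 'sudo lvcreate -i %d -I 32 -l 100%%FREE -n lv_lrdata vg_lrdata\n' "$#"
}

# Demo on a constructed fstab (run the script with --demo): shows the device-name
# mistake being caught and the corrected entry.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf '%s\n' \
        'UUID=0123abcd-1111-2222-3333-0123456789ab / ext4 defaults 1 1' \
        '/dev/xvdb /usr/local/logrhythm ext4 defaults 0 0' > "$tmp"
    audit_fstab "$tmp" || echo "fix: $(fstab_entry 89abcdef-4444-5555-6666-0123456789ab)"
    lvm_cmds /dev/xvdb /dev/xvdc /dev/xvdd
    rm -f "$tmp"
fi
```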


Google Cloud Installations


This section provides information about how to design and deploy LogRhythm in Google Cloud.

 It is assumed that the user has experience with Google Cloud and Google Compute.

Design
Designing LogRhythm in GCP is similar to on-premise deployments. Assess the volume needs of your organization and
match them to the LogRhythm Reference Architecture.

Windows Systems
Create Windows Virtual Machines using the Compute Engine VM instances from GCP. Select the newest base operating
system supported on your version of LogRhythm.
• Select the machine type based on your appliance sizing needs using the Google Cloud Reference Architecture
table in the Reference Architecture topic.
• Create disk storage to match the instance mappings for volume type and size.

Linux Systems (Data Indexer)


1. Create a CentOS 7.x or Red Hat Enterprise Linux 7 virtual machine using the Compute Engine VM instances from
GCP.
• Select the newest base operating system supported on your version of LogRhythm.
• Select the machine type based on your appliance sizing needs using the Google Cloud Reference
Architecture table in the Reference Architecture topic.
• Create disk storage to match the instance mappings for volume type and size.
2. Create a LogRhythm user.
a. Log into the DX using root.
b. Add new user called logrhythm:

# adduser logrhythm

c. Set a password for the logrhythm user:

# passwd logrhythm

d. Set and confirm the LogRhythm user's password.


e. Add the LogRhythm user to the wheel group:

# usermod -aG wheel logrhythm


f. Navigate to the LogRhythm user:

# su - logrhythm


Microsoft Azure Installations


This section provides information about how to design and deploy LogRhythm in Microsoft Azure.

 It is assumed that the user has experience with Microsoft Hyper-V and Azure services.

Design
Designing LogRhythm in Azure is similar to on-premise deployments. Assess the volume needs of your organization and
match them to the LogRhythm Reference Architecture.

Windows Systems
Create Windows Virtual Machines using the standard compute instances from Azure. Select the newest operating
system supported on your version of LogRhythm.
• The VM disk type should be SSD.
• Select the size of the instance based on your appliance sizing needs using the Azure Reference Architecture table
in the Reference Architecture topic.
• Storage should be set to use managed disks.
After creating the instance, you will need to add data disks to match the reference architecture. By default, the Windows
instances will create a temporary OS disk that is used for swap and emptied with every shutdown.

 If using instances with included Local Storage, you must change the drive letter of the swap space disk from D
to something else. On XM and PM systems the LogRhythm Database Install Tool requires the D drive be used
for database storage. If you install to this swap disk, all of the databases will be removed when the virtual
machine is shut down.

Linux Systems (Data Indexer)


LogRhythm recommends installing a CentOS 7.x minimal image or Red Hat Enterprise Linux 7 and adhering to the
following steps:
1. Use SSD for the VM disk type.
2. Select the size of the instance based on your appliance sizing needs using the Azure Reference Architecture table
in the Reference Architecture topic.
3. Set storage to use managed disks.
4. Set up VM access as SSH with the LogRhythm user. Doing so makes step 5 unnecessary and you can skip to step
6.
5. Create LogRhythm user.

 Skip this section if the LogRhythm user was already created to access the VM. If the user already exists
with SSH access, skip to the Install the Data Indexer section below.


a. Log into the Azure instance and elevate to the root user:

# sudo su

b. Add a new user called logrhythm:

# adduser logrhythm

c. Set the password for the LogRhythm user:

# passwd logrhythm

d. Provide and confirm the desired password for the LogRhythm user.
e. Add the LogRhythm user to the wheel group:

# usermod -aG wheel logrhythm

f. Navigate to the LogRhythm user:

# su - logrhythm

6. Configure the SSH key.


a. Generate the SSH key:

# ssh-keygen -t rsa

b. Accept all defaults and do not enter a password.


c. Navigate to the SSH key:

# cd /home/logrhythm/.ssh

d. Copy and authorize the key:

# cp id_rsa.pub authorized_keys

e. SSH into the instance and add the SSH key to the list of known hosts:

# ssh localhost

f. Enter yes when prompted to continue connecting.


g. Log in as the newly created LogRhythm user.
7. Install the Data Indexer.


a. Prepare the DX install by moving the DX installer, plan.yml, and hosts file to the Soft directory:

# sudo mv <filename> /home/logrhythm/Soft

b. Run the DX installer:

# sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts /home/logrhythm/Soft/hosts --plan /home/logrhythm/Soft/plan.yml

c. When prompted for the SSH password, press Enter with no input or enter the LogRhythm user password.
d. When prompted for the Sudo password, enter the password for the LogRhythm user created in earlier
steps.


Download Software to Install a New LogRhythm Deployment


Before starting the installation process, you should download the LogRhythm tools and software that will be needed
during setup, as follows:
1. Ensure you have access to the LogRhythm Database Install Tool. A download link should have been provided
along with your LogRhythm license. If you cannot locate this tool, contact LogRhythm Support.
2. Download the LogRhythm Installation Wizard, available on the LogRhythm Community.
3. If you are installing a Data Indexer or cluster of Indexers on Linux, download the Installation ISO from the link
provided with your LogRhythm license.
4. Download TLS 1.2 Patches and Hotfixes, available on the LogRhythm Community.
To enable communication over TLS 1.2 for all LogRhythm 7.12.x components, your base deployment must meet the
following requirements:
• Platform Manager is running SQL Server 2016 Standard SP1 or SQL Server 2019.
• LogRhythm 7.12.x core components on Windows are running Microsoft .NET Framework 4.7.2.

 .NET 4.7.2 will be installed by component installers that require it.

After ensuring that your base deployment meets the above requirements, .NET 4.7.2 rollup updates are required on all
Windows appliances or servers running LogRhythm components.

 If the target appliance is up-to-date with important Windows updates, some hotfixes may not be required. If
this is the case, the installer indicates that.

Installers for all the required patches and hotfixes are available in a .zip file on the Community Downloads page for the
current release, under TLS 1.2 Support. You should download LR_75x_TLS_support.zip, extract its contents, and then
distribute the required installers to the required appliances or computers in your deployment.


Install LogRhythm
Configure Hardware or Virtual Machine
This section describes how to configure your dedicated hardware or virtual machine, based on the Reference
Platform you selected.
1. Make sure your hardware or virtual machine is running Windows Server 2016 or Windows Server 2019 (both 64-
bit).
2. If necessary, enable .NET Framework 3.5.
a. Log in to the server as an administrator.
b. Start Server Manager.
c. Under Configure this local server, click Add roles and features.
The Add Roles and Features Wizard appears.
d. Under Installation Type, select Role-based or feature-based installation.
e. Under Server Selection, select your local server.
f. Under Features, expand the .NET Framework 3.5.1 Features node, select .NET Framework 3.5.1, and
then click Next.
g. Confirm your selection on the next page, click Install, and follow any additional guidance provided by the
installer.
3. Initialize and configure disks according to LogRhythm components. For more information, see the volume and
disk configurations in the Reference Platform section of this guide.
a. Initialize the newly created hard disks via disk management by going to Administrative
Tools, Computer Management, Storage, and Disk Management.
b. Set up disk partitions and volumes.
4. Run Windows Update to ensure the latest patches, updates, and service packs are installed.
5. If not installed, download and install .NET Framework 4.7.2 as it is required by the Database Install Tool. You can
download the Microsoft .NET Framework 4.7.2 standalone installer here.
The .NET Framework 4.7.2 installation requires 4.5 GB of free disk space.

Shut Down Antivirus and Endpoint Protection Software


Shut down any antivirus or endpoint protection software you have running on all LogRhythm systems.

 In the case of endpoint protection software, you may need to uninstall the software from all LogRhythm
systems as it has been known to interfere with the LogRhythm solution.

When the LogRhythm installation is complete, you can enable or install antivirus or endpoint protection software again.

Install the LogRhythm Databases for the Platform Manager or XM

 A download link to the LogRhythm Database Install Tool should have been provided to you along with your
LogRhythm license. Contact LogRhythm Support if you cannot locate this tool.


The Platform Manager, and therefore an XM setup, contains LogRhythm’s SQL Server databases. Use the LogRhythm
Database Install tool to:
• Install SQL Server 2016 Standard SP2 or SQL Server 2019
• Apply the LogRhythm license for SQL Server
• Create the default LogRhythm users
• Create the initial databases, tables, stored procedures, and so on
• Size the databases as a percentage of disk space

 The database installation can take up to 30 minutes. If you are installing on a virtual machine, it could take
longer.

To install the LogRhythm databases:


1. Log in to the Platform Manager or XM server and copy the LogRhythm Database Install Tool archive to a new
directory.
2. Locate the archive and extract it to a new directory on a local drive.
3. Browse to the new directory, right-click LogRhythmDatabaseInstallTool.exe, and then click Run as
administrator.
The server role page appears.
4. Select the system’s target role. If you are installing a standalone Platform Manager, select PM. If you are
installing an XM server, select XM.

 If any of the drives on the server do not have enough space for the installation, the value under Will
Use is highlighted in red. You need to reconfigure the system disks to provide enough space for the
installation.

5. Click Install.
6. If you want to change the default SQL Server password for the sa account, click Change Default SQL Password.
7. Type the password for the sa account, and then click Save.
8. When you are ready to proceed, click Install.
9. The tool installs SQL Server and configures all of the necessary settings. This process may take up to ten
minutes, during which the screen appears to be inactive.
10. When the installation is finished, click Done to close the Database Install Tool.

Run the LogRhythm Install Wizard


The LogRhythm Install Wizard can be used to install one or more applications or server roles on each server in your
deployment. The wizard is designed for simplicity, so you can pick the applications or roles you are installing, and the
wizard does everything else.
The installation of one or more applications should not take more than 10 minutes to complete. If you are installing an
XM setup with all applications, the installation may take up to 15 minutes depending on your server specifications. If
you are installing on a virtual machine, the installation times will be slightly increased.
Use the LogRhythm Install Wizard to install or upgrade LogRhythm components in your deployment. You must run the
Install Wizard on each appliance or server in your deployment, and select the appliance configuration that you want to
install or upgrade.


 • The LogRhythm Install Wizard requires .NET Framework version 4.7.2 or above.
• If you are installing or upgrading the Data Indexer or Web Console, ensure that Windows Firewall
Service is running before starting the Install Wizard to allow firewall rules to be created and so the
Common installer can open port 8300.
• Do not try to run the wizard from a network share. Run the wizard locally on each appliance.
• For systems with UAC (Vista and later), always run installers as a Local Administrator with elevated
privileges. The person performing the installation must be in the Local Admin group, unless the
domain is managed and the Group Policy Object dictates that only Domain Administrators can run
installers.
• When installing the Web Console, it is recommended that you run the LogRhythm Install Wizard to
install all Web Console services. You may choose to install the Web Console as a stand-alone
installation or as part of the XM Appliance or Platform Manager (PM) configurations.

 When the Client Console is installed on a fresh system, additional software packages must be installed such as
Microsoft Visual C++ Redistributable packages, SAP Crystal Reports runtime engine, and .NET Framework
4.7.2. For this reason, the Client Console installer may take 30 minutes or more to complete.

1. Log in as an administrator on the appliance or server where you are installing or upgrading LogRhythm software.
2. Copy the entire LogRhythm Install Wizard directory to a new directory on the local server.
3. Open the Install Wizard directory, right-click LogRhythmInstallWizard.exe, and then click Run as
administrator.
The Welcome screen appears.
4. Click Next to proceed.
The wizard asks you to confirm that you have prepared the LogRhythm databases for the upgrade.
5. Click one of the following:
• If you have run the Database Install or Upgrade Tool on each Platform Manager or XM server (or EM or LM
server on 6.3.9 deployments), click Yes to continue.
• If you have not prepared the LogRhythm databases on all required appliances, click No to cancel the
wizard, install or upgrade all of the required databases, and then continue with this procedure.
The End User License Agreement appears.
6. Read the agreement carefully. By accepting the terms in the agreement, you agree to be bound by those terms.
7. If you accept the terms of the agreement, select the I accept the terms in the license agreement check box, and
then click Next.
The configuration selector appears. Depending on the selected configuration, the wizard upgrades or installs a
specific application or set of applications.

 For certain configurations, you can optionally select to install or upgrade the AI Engine.

 If you select the Web Console, it is installed to the default location, C:\Program
Files\LogRhythm\LogRhythm Web Services. For instructions on how to install the Web Console to a
custom location, see the Use the LogRhythm Configuration Manager section in this guide.

8. For each appliance that you install, select the target appliance configuration, according to the following table.


If you are upgrading an existing PM + DP appliance or another configuration that is not represented in the Install
Wizard, select one of the available configurations and then run the wizard again to install the next configuration.

7.x.x Configuration Select…

XM XM

Platform Manager PM

Data Processor DP

Client Console Client Console

Web Console Web Console

AI Engine AIE

Data Collector/System Monitor DC

LogRhythm Diagnostics Tool LRD Tool

LogRhythm Diagnostics Tools Agent LRD Agent

9. When you have selected the target configuration, click Install.


The LogRhythm Deployment Tool appears.
The options available on the main page of the Deployment Tool depend on whether you are upgrading an
existing deployment or installing a new one. Select either Configure New Deployment or Upgrade
Deployment, depending on your situation.
10. Follow the on-screen instructions to create a Deployment Package. Additional help is available by clicking the
question mark icon in the upper-right of the tool.
When you are finished preparing your deployment, you will be returned to the Install Wizard.
11. Observe for any failures as the wizard installs or upgrades the applications according to the selected
configurations.

 When the Client Console is installed on a fresh system, additional software packages must be installed
such as Microsoft Visual C++ Redistributable packages, SAP Crystal Reports runtime engine, and .NET
Framework 4.7.2. For this reason, the Client Console installer may take 30 minutes or more to
complete.

Progress in the installation screen is indicated as follows:


Color Meaning

Green The application was installed successfully. A message about the application and installed version
is also printed below the status indicators.

Blue The application is being installed.

Yellow The current or a newer version of the application is already installed.

Red Something went wrong and the application was not installed. Additional details will be printed
below the status indicators. If something went wrong, check the installer logs located in
the following location:
C:\LogRhythm\Installer Logs\<install date and time>\

 During the Web Console installation or upgrade, if you receive a message that notifies you of an error
with your Windows Installer package, go into each folder in C:\Program Files\LogRhythm\LogRhythm
Web Services and run the unzip.bat file as an administrator. For other failures, run a Repair.

 By default, the wizard installs the LogRhythm Diagnostics Tool, and it can be configured prior to the
next step. For more information, refer to LogRhythm Diagnostics Tool.

12. Configure your deployment using the LogRhythm Configuration Manager that appears after the installation or
upgrade is complete.
The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited
settings are shown in Basic mode. Advanced mode displays all settings, including those shown in Basic mode,
grouped according to which service they affect. You can filter the settings that are displayed by clicking one of
the options on the left — All (no filtering), Authentication, or Web Services. When settings are filtered, you should
enable the Advanced view to ensure you can see all settings. For more information, see the Use the LogRhythm
Configuration Manager section in this guide.

 While the Configuration Manager is still open, review your previous Web Console configuration values
(backed up before starting the upgrade), turn on the advanced view, and validate or set all of the
values in the Configuration Manager, especially the following:
• Global, Database Server. This is the IP address of your Platform Manager where the EMDB is
installed.


• Web Global, Database Password. This is the password for the LogRhythmWebUI user, used by
the Admin API for connecting to the EMDB. If the password is not correct, the Admin API will
display an error.
• Web Console UI values. Verify all settings for all Web Console instances.
When finished, click Save, back up your current configuration to file, and then close the Configuration
Manager.

 After you validate and save your configuration, it is strongly recommended that you make a new back
up. Save the file in a safe location in case you need to restore it later.

13. To close the LogRhythm Install Wizard, click Exit.

 If you need to install additional components that were not included in the selected configuration, run the
Install Wizard again and select the necessary components.

 Once your LogRhythm installation is complete, refer to the collection of topics in Get Started with LogRhythm
Enterprise for information on logging into the console, completing the new deployment wizard, and assigning
licenses.

Use the LogRhythm Configuration Manager

 If you are using multiple Web Console instances, the Configuration Manager lets you apply individual
configurations to each instance. Each instance, for single or multiple Web Consoles, will be identified in the
Configuration Manager as Web Console UI - HOSTNAME, where HOSTNAME is the Windows host name of the
server where the Web Console is installed.
Configuring the Data Indexer for Windows and Linux has moved from the individual clusters to the
Configuration Manager on the Platform Manager.
Each Cluster has its own section under Data Indexers that looks like this:
Data Indexer - Cluster Name: <ClusterName> Cluster Id: <ClusterID>

 The Cluster Name and Cluster ID come from the Environment variables, DX_ES_CLUSTER_NAME
and DXCLUSTERID on each server. The Cluster Name can be modified in the Configuration Manager.
If you change the Cluster Name, the name should be less than 50 characters long to ensure it
displays properly in drop-down menus. The DXCLUSTERID is automatically set by the software and
should not be modified.

 Until you have had a chance to tune your deployment, and to avoid potential performance issues with AIE
Cache Drilldown, you should disable the AIE Drill Down Cache API after upgrading.

The LogRhythm Configuration Manager has two modes: Basic and Advanced. The most commonly edited settings are
shown in Basic mode. Advanced mode displays all settings, including those shown in Basic mode, grouped according to
which service they affect. You can filter the settings that are displayed by clicking one of the options on the left — All (no
filtering), Authentication, or Web Services. When settings are filtered, you should enable the Advanced view to ensure
you can see all settings.
To expand the screen and see all options at once, click the View menu in the upper-left corner of the LogRhythm
Configuration Manager window, then click Toggle Full Screen.
At the bottom of the LogRhythm Configuration Manager window, a service status indicator shows which Services are
active or inactive. A blue light indicates that all services are up. A red light indicates that one or more services are down.
You can hover the mouse over the indicator to see a list of which services are down. In Advanced mode, the indicator
light also appears next to each group header.

 If your LogRhythm Configuration Manager appears grainy, you may need to turn on Windows Font Smoothing.
You can read how to do so here: http://www.microsoft.com/typography/ClearTypeFAQ.mspx

To configure settings in the LogRhythm Configuration Manager:


1. Find the setting you want to configure by doing one of the following:
• In the Search box, type a term that appears in either the name or description of the configuration. Note
that headers and user input data won't be searched. Search returns results from both Basic and
Advanced modes, even if Advanced is not toggled on.
• Scroll through the Basic or Advanced configuration mode until you find the option you want. The
Configuration Manager is used to configure settings such as user ID, password, authentication strategy,
and log level for the following components:
• LogRhythm Database
• Admin API
• AIE Drilldown Cache API
• Alarm API
• API Gateway
• Authentication API
• Case API
• CloudAI
• Data Indexer - (one section per cluster)
• Help and Documentation
• Search API
• Notification Service
• SQL Service
• Web Console API
• Web Console UI
• Web Indexer
• Web Services Host SPI
• Windows Authentication Service
2. Enter the configuration you want. Note the following features:

• The LogRhythm Configuration Manager provides informational text as appropriate about what the
settings do and what unit data must be entered in.
• Configuration changes that could affect the performance of the environment include a written warning
beneath the input box.
• For organizations using Smart Cards, the Automatic Logout Time setting for Web Console API should be
increased from the default of zero.
• Upgrading to a new SIEM version may cause the LogRhythmWebUI Database Password to reset to the
default password in the Alarm API section in the Configuration Manager. If you had previously changed
this password, you must reenter your LogRhythmWebUI Database Password in the Alarm API section in
the Configuration Manager.
• When Web Console Smart Card Authorization is enabled, the other Authentication API settings will
become unavailable.
• Multi-factor authentication requires users to set up authentication tools on their devices.
For more information, see the Log in to the Web Console topic in the Enterprise SIEM Help.
3. Click Save after making changes to the configuration. You can also click Save in the Edit menu in the upper-left
corner of the Configuration Manager. The configuration file is saved to %APPDATA%\LogRhythm Configuration
Manager\presets. You can make additional configuration backups. For more information, see the Back Up and
Restore section below.

 If you make a configuration change and then change that configuration again back to the previously
saved setting, the Save button will be deactivated and the last saved values persist. To undo a single
configuration change, click Edit in the upper-left corner of the LogRhythm Configuration Manager, and
then click Undo. You can also press Ctrl+Z. If you need to undo several configuration changes at once,
clicking the Revert Unsaved Changes button sets all configurations back to their last saved values.

The affected service or services restart automatically and the changes are applied. A restart time of up to 60 seconds is
normal.

Install the LogRhythm Data Indexer


(Optional) Deploy ISO image to Each Linux Data Indexer Node
The Linux Data Indexer can be installed with a CentOS 7.x Minimal system or Red Hat Enterprise Linux (RHEL) 7. To
simplify the installation, LogRhythm provides an ISO image that contains the CentOS operating system and the Data
Indexer installer package. To use RHEL 7, you need to download and install it from the Red Hat website, and then follow
the configuration instructions in this guide.

 Before powering on and configuring a Linux Indexer appliance for the first time, ensure that only one of the
network interfaces is connected to your active network with an Ethernet cable. If you are using a virtual
machine, ensure that only one network interface is configured to connect or come up when the virtual
machine is powered on.

Prepare for the Installation


Before you begin, make sure you have done the following:
• Download the installation ISO. The installation ISO requires two physical disks in the Data Indexer system.

 The ISO download link should have been provided to you along with your LogRhythm license.
Contact LogRhythm Support if you cannot locate this link.

• For a virtual installation, create a new virtual machine that meets the following requirements:
• OS Type is Linux
• OS Version is Red Hat 64-bit
• Hard drive, RAM, and processor meet the requirements stated above
• Two disks
• In the boot order of the system, Hard Disk should be listed before the CD/optical drive
• Note the IP address to be applied to each node, the netmask, the IP address of your default gateway, and the IP
address of two NTP servers to use.
• If you are installing a cluster of Data Indexers, note the following:
• Each Data Indexer server must be of identical specification. For example, the same appliance model, or
same configuration of processors, hard drives, network interfaces, and RAM.
• You must image each node with CentOS 7.x or RHEL 7, but you only need to run the package installer on
one of the cluster nodes.
• Your cluster can contain one or 3-10 physical hot nodes, and 1-10 warm nodes (optional).

Install CentOS Minimal

 If you are using a Red Hat Enterprise Linux 7 system, skip this procedure and go to the Create the LogRhythm
User section.

The ISO installation creates the required “logrhythm” user, creates and sizes all of the required partitions, and prompts
you for network, DNS, and NTP settings upon first logon.
1. If you are installing on a physical computer, burn the ISO image to a DVD. For a virtual install, mount the ISO for
the installation.
2. Boot the computer from the DVD, or start the virtual machine with the mounted ISO.
3. When the boot screen appears, use the arrow keys and the Enter key to select Install CentOS 7.
The operating system will be installed, which can take up to 10 minutes.
4. When prompted to log on, type logrhythm for the login and the default LogRhythm password for the password.
You are prompted to run the initial configuration script. The script is optional, but your Indexer will be
configured to use DHCP on the primary Ethernet adapter, which is not a supported configuration for a
production environment.
5. To run the script, type y.
You are prompted for network, DNS, and NTP details. At each prompt, detected or default values are displayed
in parentheses.
6. To accept these values, press Enter.
7. Enter the network and NTP information, as follows:

IP Address: The IP address that you want to assign to this Data Indexer node.

Netmask: The netmask to use.

Default Gateway: The IP address of the network gateway.

Domain name servers: The IP address of one or more domain name servers (DNS). If any servers were found via
DHCP, they will be displayed as the defaults. If no servers were found, the Google DNS servers will be displayed
as the defaults.

NTP servers: The IP address of one or more NTP servers. Enter the IP address of each server one at a time,
followed by Enter. When you are finished, press Ctrl+D to end.

After completing the items in the configuration script, the system tests connectivity to the default gateway and
the NTP servers. If any of the tests fail, press n when prompted to enter addresses again.

 If you plan to deploy the Indexer in a different network environment and you expect the connectivity
tests to fail, you can press y to proceed.

After confirming the NTP values, you will be logged on as the logrhythm user.
8. Restart the network interfaces to apply the new settings:

sudo systemctl restart network

9. Restart chrony to apply NTP changes:

sudo systemctl restart chronyd

10. To stop the sudo password prompt, run sudo visudo and add the following line to the sudoers file:

logrhythm ALL=(ALL) NOPASSWD: ALL

This grants the logrhythm account unrestricted root access without a password, so restrict who can log on as
logrhythm and protect its SSH credentials accordingly.

 If you are installing a cluster of Data Indexers, repeat the ISO installation on each Data Indexer node.

Create the LogRhythm User on the RHEL 7 System

 If you are using a CentOS Minimal system, skip this step. The ISO installation creates the user automatically.

1. Log on to the host and elevate to the root user:

# sudo su

2. Add a new user called logrhythm:

# adduser logrhythm

3. Set the password for the logrhythm user:

# passwd logrhythm

4. Provide and confirm the desired password for the logrhythm user.
5. Add the logrhythm user to the wheel group:

# usermod -aG wheel logrhythm

6. Switch to the logrhythm user:

# su - logrhythm

7. To stop the sudo password prompt, run sudo visudo and add the following line to the sudoers file:

logrhythm ALL=(ALL) NOPASSWD: ALL

8. (Optional.) If you are using the ISO file to install the Data Indexer, use yum to update the installed
packages:

# sudo yum update

 Performing this update requires internet access. Customers without internet access or who aren't
using the ISO file to install the Data Indexer should perform patching according to their usual
procedures.

Install the Data Indexer on Linux

Install a Single-node Cluster


If you have more than one node in your cluster, follow the instructions in the Install a Multi-node Cluster section.

 Before starting the Data Indexer installation, ensure that firewalld is running on all cluster nodes. To do this,
log on to each node and run: sudo systemctl start firewalld

1. Log on to your Indexer appliance or server as logrhythm.


2. Go to the /home/logrhythm/Soft directory where you copied the updated installation or upgrade script.
You should have a file named hosts in the /home/logrhythm/Soft directory that was used during the original
installation.
The contents of the file might look like the following:
10.1.23.65 LRLinux1 hot
10.1.23.67 LRLinux2 warm

3. If you need to create a hosts file, use vi to create a file in /home/logrhythm/Soft called hosts.
The following command sequence illustrates how to create and modify a file with vi :

a. To create the hosts file and open for editing, type vi hosts .
b. To enter INSERT mode, type i.
c. Enter the IPv4 address, hostname to use for the Indexer, and box type, separated by a space.
d. Press Esc.
e. To exit and save your hosts file type :wq .

 The box type parameter is optional. If not designated, the installer will assign a box type of hot. Do not
use fully qualified domain names for Indexer hosts. For example, use only LRLinux1 instead
of LRLinux1.myorg.com.

4. To install DX and make the machine accessible without a password, download the DataIndexerLinux.zip file
from the Documentation & Downloads section of the LogRhythm Community, extract the PreInstall.sh file to /
home/logrhythm and execute the script.

 This cannot be run as sudo or the DX Installer will fail.

sh ./PreInstall.sh

5. Generate a plan file that includes the IP address of the Linux DX system (using the LogRhythm Infrastructure
Installer on the XM or Platform Manager), and copy plan.yml from the newly created LRDeploymentPackage folder to
the node from which the DX installation will be run.
6. Run the installer with the hosts file argument:

sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts <absolute path to hosts file> --plan /home/logrhythm/Soft/plan.yml --es-cluster-name <cluster_name>

Press Tab after starting to type out the installer name, and the filename autocompletes for you.

 The --es-cluster-name option is required only for a fresh installation, not for an upgrade.

7. If prompted for the SSH password, enter the password for the logrhythm user.
The script installs or upgrades the Data Indexer. Common components are installed at /usr/local/logrhythm/.
Logs for the LogRhythm Common Components (API Gateway and Service Registry) can be exported with:
sudo journalctl -u LogRhythmAPIGateway > lrapigateway.log
sudo journalctl -u LogRhythmServiceRegistry > lrserviceregistry.log

 This process may take up to 10 minutes.

When the installation or upgrade is complete, a confirmation message appears.


8. Check the status of services by running sudo systemctl at the prompt (or sudo systemctl --failed to list only
failed units), and look for failed services.

 If the installation or upgrade fails with the error — failed to connect to the firewalld daemon — ensure that
firewalld is running on all cluster nodes and start this procedure again. To do this, log on to each node and
run: sudo systemctl start firewalld

Install a Multi-node Cluster


Run the installer once per cluster; the package installer installs a Data Indexer on each node. Run it on the same
machine where you ran the original installer.

 Before starting the Data Indexer installation or upgrade, ensure that firewalld is running on all cluster nodes.
To do this, log on to each node and run: sudo systemctl start firewalld

1. Log on to your Indexer appliance or server as logrhythm.


2. Change to the /home/logrhythm/Soft directory where you copied the script.
You should have a file named hosts in the /home/logrhythm/Soft directory that was used during the original
installation.
The contents of the file might look like the following:
10.1.23.65 LRLinux1 hot
10.1.23.67 LRLinux2 warm

3. If you need to create a hosts file, use vi to create a file in /home/logrhythm/Soft called hosts.
The following command sequence illustrates how to create and modify a file with vi :

a. To create the hosts file and open for editing, type vi hosts .
b. To enter INSERT mode, type i.
c. Enter the IPv4 address, hostname to use for the Indexer, and box type, separated by a space.
d. Press Esc.
e. To exit and save your hosts file type :wq .

 The box type parameter is optional. If not designated, the installer will assign a box type of hot. Do not
use fully qualified domain names for Indexer hosts. For example, use only LRLinux1 instead
of LRLinux1.myorg.com.

4. To install DX and make the machine accessible without a password, download the DataIndexerLinux.zip file
from the Documentation & Downloads section of the LogRhythm Community, extract the PreInstall.sh file
to /home/logrhythm and execute the script.

 This cannot be run as sudo or the DX Installer will fail.

sh ./PreInstall.sh

5. Generate a plan file that includes the IP address of the Linux DX system (using the LogRhythm Infrastructure
Installer on the XM or Platform Manager), and copy plan.yml from the newly created LRDeploymentPackage folder to
the node from which the DX installation will be run.
6. Run the installer with the hosts file argument:

sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts <absolute path to hosts file> --plan /home/logrhythm/Soft/plan.yml --es-cluster-name <cluster_name>

Press Tab after starting to type out the installer name, and the filename autocompletes for you.

 The --es-cluster-name option is required only for a fresh installation, not for an upgrade.

7. If prompted for the SSH password, enter the password for the logrhythm user.
The script installs or upgrades the Data Indexer on each of the DX machines. Common components are installed
at /usr/local/logrhythm.
Logs for the LogRhythm Common Components (API Gateway and Service Registry) can be exported with:
sudo journalctl -u LogRhythmAPIGateway > lrapigateway.log
sudo journalctl -u LogRhythmServiceRegistry > lrserviceregistry.log

 This process may take up to 10 minutes.

When the installation or upgrade is complete, a confirmation message appears.


8. Check the status of services by running sudo systemctl at the prompt (or sudo systemctl --failed to list only
failed units), and look for failed services.

 If the installation or upgrade fails with the following error — failed to connect to the firewalld daemon —
ensure that firewalld is running on all cluster nodes and start the installation again. To do this, log on to each
node and run: sudo systemctl start firewalld
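
The following script is an added example for this guide, not part of the LogRhythm Data Indexer installer. It
checks a hosts file against the rules stated in this section (IPv4 address, short hostname, optional hot or warm box
type) and, when the box type is made mandatory, against the stricter rule that the LRDX Node Installer and the
add-a-node procedure later in this guide apply. It also assembles the installer command line from the validated
file and, in --run mode, confirms that you are not root (PreInstall.sh fails under sudo), checks that firewalld is
running on every node over SSH, and prints the command for review. The script name dx_preflight.sh, the --run
mode and the SSH check are assumptions for illustration; the file locations and installer switches are the ones
given in this guide. The sample hosts lines in the self-test are constructed, not taken from a real deployment.

```shell
#!/bin/sh
# Added example, not part of the LogRhythm installer: validate the Data
# Indexer "hosts" file against the rules in this guide, then assemble the
# installer command line from it. The --run mode and its SSH check are
# assumptions for illustration.

CR=$(printf '\r')

# valid_ipv4 ADDR -> 0 if ADDR is a dotted-quad IPv4 address
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# validate_hosts_file FILE [REQUIRE_BOXTYPE]
# One host per line: <IPv4> <short hostname> [hot|warm]
# Rules from the guide: no FQDNs; box type defaults to hot; if any line
# carries a box type (or REQUIRE_BOXTYPE=1, as the LRDX Node Installer and
# clusters with warm nodes require) every line must carry one.
# Prints the first problem found; returns 0 when the file is usable.
validate_hosts_file() {
    file=$1
    require=${2:-0}
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    n=0; with=0; without=0
    while read -r ip host box extra || [ -n "$ip" ]; do
        case "$ip" in ''|'#'*) continue ;; esac
        n=$((n + 1))
        # A file edited on Windows and copied over keeps CRLF endings, which
        # the installer would read as part of the last field.
        case "$ip$host$box$extra" in
            *"$CR"*) echo "line $n: CRLF line ending; convert with dos2unix"; return 1 ;;
        esac
        [ -z "$extra" ] || { echo "line $n: too many fields"; return 1; }
        valid_ipv4 "$ip" || { echo "line $n: bad IPv4 address '$ip'"; return 1; }
        case "$host" in
            '')  echo "line $n: missing hostname"; return 1 ;;
            *.*) echo "line $n: use the short hostname, not FQDN '$host'"; return 1 ;;
        esac
        case "$box" in
            '')       without=$((without + 1)) ;;
            hot|warm) with=$((with + 1)) ;;
            *)        echo "line $n: box type must be hot or warm, got '$box'"; return 1 ;;
        esac
    done < "$file"
    [ "$n" -gt 0 ] || { echo "no host entries in $file"; return 1; }
    if [ "$require" = 1 ] || [ "$with" -gt 0 ]; then
        [ "$without" -eq 0 ] || { echo "box type missing on $without line(s)"; return 1; }
    fi
    return 0
}

# build_dx_install_cmd INSTALLER HOSTS PLAN [CLUSTER_NAME] [EXTRA]
# Prints the installer invocation. --es-cluster-name is only added when a
# name is given: the guide requires it for a fresh install, not an upgrade.
# EXTRA carries switches such as --force when re-running to add a node.
build_dx_install_cmd() {
    cmd="sudo sh $1 --hosts $2 --plan $3"
    [ -z "${4:-}" ] || cmd="$cmd --es-cluster-name $4"
    [ -z "${5:-}" ] || cmd="$cmd $5"
    printf '%s\n' "$cmd"
}

# Pre-flight when invoked on the install node as the logrhythm user:
#   sh dx_preflight.sh --run <hosts file> <installer.run> <plan.yml> [cluster]
# Nothing below runs when the file is sourced or executed without --run.
if [ "${1:-}" = "--run" ]; then
    hosts=$2; installer=$3; plan=$4; cluster=${5:-}
    [ "$(id -u)" -ne 0 ] || { echo "run as logrhythm, not root: PreInstall.sh fails under sudo"; exit 1; }
    validate_hosts_file "$hosts" || exit 1
    # The installer needs firewalld on every node. BatchMode relies on the
    # public-key SSH access PreInstall.sh sets up; -n keeps ssh from eating
    # the rest of the hosts file on stdin.
    while read -r ip host box; do
        case "$ip" in ''|'#'*) continue ;; esac
        ssh -n -o BatchMode=yes "logrhythm@$ip" 'systemctl is-active --quiet firewalld' \
            || { echo "firewalld is not running on ${host:-$ip} ($ip)"; exit 1; }
    done < "$hosts"
    echo "pre-flight OK; run from $(dirname "$hosts"):"
    build_dx_install_cmd "$installer" "$hosts" "$plan" "$cluster"
fi
```

The CRLF check is there because the guide has you copy files with WinSCP: a hosts file saved by a Windows editor
carries a trailing carriage return on every line, which ends up inside the box type field.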

(Optional) Use the Data Indexer Node Installer


The LogRhythm Data Indexer (LRDX) Node Installer is available to users that have purchased a DX 7500. The installer
leverages the resources on the DX 7500 to improve the indexing and TTL performance by adding a second Elasticsearch
instance to each DX 7500.
The LRDX Node Installer installs and adds the second instance of Elasticsearch to the DX cluster on each DX host.

 The LRDX Node Installer is needed to hit the specified performance numbers for the DX 7500.

Prerequisites
At least 50 CPU cores and 124 GB of RAM are required for the LRDX Node Installer to run.

Install a New DX 7500


Before installing the LRDX Installer, you need to follow the standard installation documentation for the version of
software you are deploying. For more information, see Install a New LogRhythm Deployment.

1. Connect to the Data Indexer system as the logrhythm user.


2. Download the LRDXNodeinstaller-<version>.centos.x86_64.run package installer to the logrhythm user's
home directory on one of your Data Indexer appliances (for example, /home/logrhythm/Soft). The installer is
available on the Support/Partner downloads section of the LogRhythm Community.
3. Change to the Soft directory:

cd Soft

4. Run the LRDX Node Installer with the host file created in the initial install:

sudo sh <installer> --hosts /home/logrhythm/Soft/hosts --add

The hosts file must follow the pattern {IPv4 address} {hostname} {boxtype} on each line, with the box type
mandatory. The file might look like the following:
10.1.23.91 LRLinux1 hot

 The box type parameter is mandatory in the hosts file; if it is not designated, the installer will fail with a
"missing parameter" error.

5. When prompted for the SSH password, enter the password for the logrhythm user.

Uninstall a Node
To uninstall the software or a Linux node:
1. Move the data from the secondary Elasticsearch node back to the primary by running:

sudo sh <installer> --hosts /home/logrhythm/Soft/hosts --move

 The time required to complete this task depends on the amount of data stored.

2. Remove the secondary node by running:

sudo sh <installer> --hosts /home/logrhythm/Soft/hosts --remove

The hosts file must follow the pattern {IPv4 address} {hostname} {boxtype} on each line, with the box type
mandatory. The file might look like the following:
10.1.23.91 LRLinux1 hot

 The box type parameter is mandatory in the hosts file; if it is not designated, the installer will fail with a
"missing parameter" error.

 If the data move to the primary Elasticsearch node is not completed, this operation fails so that data
loss is avoided.

Add a Node to an Existing Cluster


Adding a node to an existing cluster requires running the DX installer and will cause downtime for the Data Indexer. The
steps for adding a node are generally the same but may differ slightly depending on the type of node being added and
the current cluster size.

Prerequisites
These instructions assume:
• the Data Indexer ISO has already been installed on the new server.
• the node is in place and online.
• the first run has been executed and configured.
• the new node has the static IP address set.
• the new node has the hostname set.
• the new node has NTP configured.
• the Soft directory exists.
• the “logrhythm” user/password is set to match the existing “logrhythm” user.

 See Prepare for the Installation for more information.

Downtime
The amount of downtime experienced by the cluster will depend on the hardware, number of open indices, and their
relative sizes. The larger the indices are, the longer full recovery may take. All data processed by the Data Processors
will be spooled to the DXReliablePersist state folder until the cluster is recovered, and the data can be inserted into the
cluster.

Hardware Configuration
All hot nodes in the cluster require matching resources. Do not add a node to the cluster if the new node does not have
matching CPU, disk/partition, and memory configurations for the existing nodes in the cluster. Hot and Warm node
hardware configurations may be different, although all hot nodes in the cluster should have the same configuration,
and all warm nodes in the cluster should have the same configuration. A mismatch in CPU, Memory, or disk/partition
sizes may cause performance issues and can affect the number of hot and warm indices available across the entire
cluster. Warm nodes will still be used for data ingestion.

Data Indexer Installer

Run the installer from the same node the installer was originally run from. Do not run the installer on the new
node. Adding a new node to the cluster requires configuration changes on all nodes. Running the installer from
the install node will ensure these configurations are pushed to all nodes in the cluster.
Verify that you are installing the correct version of the LogRhythm Data Indexer. If an incorrect version is installed, the
Data Indexer cannot be downgraded without fully uninstalling the software.
Verify the current installed version by viewing the version file on an existing node:

cat /usr/local/logrhythm/version

Cluster Health
Elasticsearch is not required to be in a green state while adding a node, but it is best practice to verify the cluster is
green before adding the node to ensure the process is successful.
Run the following command on any existing node to see the cluster health:

curl 'localhost:9200/_cluster/health?pretty'

Verify that the status is green. If the cluster status is yellow or red, we recommend correcting any issues with the
cluster before proceeding.
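
The following script is an added example, not LogRhythm tooling, that wraps the two checks above (installed version
versus installer file, and cluster health) so they can be run in one step on the install node before adding a node.
It assumes that /usr/local/logrhythm/version holds a bare version string in the same form as the installer file
name (for example 10.0.0.121-1), that the primary_host file contains the is_primary_host=True line shown later in
this section, and that Elasticsearch answers on localhost:9200 as the curl command above does. The script name
dx_add_node_preflight.sh and the --run mode are assumptions; the sample health responses are constructed for the
self-test, not captured from a cluster.

```shell
#!/bin/sh
# Added example, not LogRhythm tooling: pre-flight checks on the install
# node before re-running the Data Indexer installer to add a node.
# Assumption: /usr/local/logrhythm/version holds a bare version string in
# the same form as the installer file name (e.g. 10.0.0.121-1).

# installer_version PATH -> prints the version embedded in the installer
# file name: LRDataIndexer-10.0.0.121-1.centos.x86_64.run -> 10.0.0.121-1
installer_version() {
    v=${1##*/}
    v=${v#LRDataIndexer-}
    printf '%s\n' "${v%%.centos.*}"
}

# version_matches INSTALLED INSTALLER_PATH -> 0 only on an exact match.
# Adding a node re-runs the installed version with --force; a higher
# version would upgrade the cluster and a lower one cannot be installed
# over it without a full uninstall.
version_matches() {
    [ "$1" = "$(installer_version "$2")" ]
}

# cluster_status JSON -> prints the "status" value from _cluster/health
# (green, yellow, red) or "unknown". Plain sed, since jq is not present
# on a CentOS Minimal image by default.
cluster_status() {
    s=$(printf '%s\n' "$1" \
        | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z]*\)".*/\1/p' \
        | head -n 1)
    printf '%s\n' "${s:-unknown}"
}

# require_green JSON -> 0 if the cluster is green, 1 otherwise.
require_green() {
    st=$(cluster_status "$1")
    echo "cluster status: $st"
    [ "$st" = green ]
}

# Constructed sample responses (not captured from a real cluster) in the
# shape of GET /_cluster/health?pretty, used by the self-test.
SAMPLE_GREEN='{
  "cluster_name" : "mycluster",
  "status" : "green",
  "number_of_nodes" : 3,
  "unassigned_shards" : 0
}'
SAMPLE_YELLOW='{
  "cluster_name" : "mycluster",
  "status" : "yellow",
  "number_of_nodes" : 2,
  "unassigned_shards" : 12
}'

# Live use on the install node:  sh dx_add_node_preflight.sh --run <installer.run>
if [ "${1:-}" = "--run" ]; then
    installer=$2
    installed=$(cat /usr/local/logrhythm/version)
    version_matches "$installed" "$installer" \
        || { echo "installer $installer is not version $installed; do not use it to add a node"; exit 1; }
    # Only the node the installer last ran from carries is_primary_host=True.
    grep -q '^is_primary_host=True' /usr/local/logrhythm/env/primary_host 2>/dev/null \
        || { echo "this is not the node the installer was last run from"; exit 1; }
    require_green "$(curl -s 'localhost:9200/_cluster/health?pretty')" || exit 1
    echo "pre-flight OK"
fi
```

A yellow cluster is not a hard stop for the installer, as the text above notes, but the script treats anything other
than green as a failure so that the recovery work happens before the downtime window rather than during it.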

Cluster Size
Consider the size of the cluster before adding a node, as there are some restrictions to the sizes of a single cluster.
• Total maximum cluster size is 30 Elasticsearch nodes
• A cluster may have a maximum of 20 physical nodes
• A cluster may have up to 10 software nodes

Cluster Configurations:
A possible configuration: 1 or 3-10 Hot physical Nodes + 0-10 2XDX software nodes + 0-10 Warm Nodes.
A single cluster may not contain only two physical hot nodes (including when 2XDX and warm nodes are part of the
cluster). This is to avoid a “split-brain” scenario. Hot nodes on a cluster can be 1 or 3 to a maximum of 10 physical hot
nodes.
A single cluster must contain at least one hot node and can contain from 0 up to 10 warm nodes.
2XDX only applies to DX7500 nodes as 2XDX software can only be installed on servers with 256 GB memory and 56 vcpu.
Each physical hot node can have one additional instance of the 2XDX (hot software node) if they meet the resource
requirements. It is not recommended that you install 2XDX on virtual servers as performance can be impacted. If 2XDX
nodes are used in a cluster, it should be installed on all physical hot nodes in the cluster.
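
The following script is an added example, not LogRhythm tooling, that encodes the cluster size rules listed above so
a proposed layout can be checked before a node is added. It treats the guide's recommendation that 2XDX be installed
on all physical hot nodes as a hard rule, and refuses to grow a single hot node to two, since two hot nodes is never a
permitted size. The script name dx_cluster_size.sh is an assumption; the counts in the self-test are constructed.

```shell
#!/bin/sh
# Added example, not LogRhythm tooling: check a proposed Data Indexer
# cluster layout against the size rules in this section. The guide's
# "should" for 2XDX on every physical hot node is enforced as a rule here.

# is_count N -> 0 if N is a non-negative integer
is_count() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
}

# valid_cluster_layout HOT_PHYSICAL SOFT_2XDX WARM -> 0 if allowed;
# otherwise prints the rule that is violated and returns 1.
valid_cluster_layout() {
    hot=$1; soft=$2; warm=$3
    for n in "$hot" "$soft" "$warm"; do
        is_count "$n" || { echo "counts must be non-negative integers"; return 1; }
    done
    # Hot physical nodes: exactly 1, or 3 to 10. Two is never allowed
    # (split brain), and a cluster needs at least one hot node.
    if [ "$hot" -ne 1 ] && { [ "$hot" -lt 3 ] || [ "$hot" -gt 10 ]; }; then
        echo "hot physical nodes must be 1 or 3-10 (got $hot)"; return 1
    fi
    [ "$warm" -le 10 ] || { echo "at most 10 warm nodes (got $warm)"; return 1; }
    [ "$soft" -le 10 ] || { echo "at most 10 2XDX software nodes (got $soft)"; return 1; }
    # 2XDX is one extra Elasticsearch instance per physical hot node:
    # either none, or one for every hot node.
    if [ "$soft" -ne 0 ] && [ "$soft" -ne "$hot" ]; then
        echo "2XDX must run on all physical hot nodes or none (hot=$hot, 2XDX=$soft)"; return 1
    fi
    physical=$((hot + warm))
    total=$((physical + soft))
    [ "$physical" -le 20 ] || { echo "at most 20 physical nodes (got $physical)"; return 1; }
    [ "$total" -le 30 ] || { echo "at most 30 Elasticsearch nodes (got $total)"; return 1; }
    return 0
}

# can_add_node HOT SOFT WARM hot|warm -> 0 if adding one node of that type
# leaves a permitted layout. Going from 1 to 2 hot nodes is refused: a
# single-node cluster has to grow to 3 hot nodes.
can_add_node() {
    for n in "$1" "$2" "$3"; do
        is_count "$n" || { echo "counts must be non-negative integers"; return 1; }
    done
    case "$4" in
        hot)
            s=$2
            # A DX 7500 added to a 2XDX cluster gets its own 2XDX instance
            # (step 8 of the add-node procedure), so count it as well.
            [ "$s" -eq 0 ] || s=$((s + 1))
            valid_cluster_layout $(($1 + 1)) "$s" "$3" ;;
        warm) valid_cluster_layout "$1" "$2" $(($3 + 1)) ;;
        *)    echo "node type must be hot or warm"; return 1 ;;
    esac
}

# Command-line use:  sh dx_cluster_size.sh <hot> <2xdx> <warm> hot|warm
if [ $# -eq 4 ]; then
    can_add_node "$1" "$2" "$3" "$4" \
        && echo "adding a $4 node to $1 hot / $2 2XDX / $3 warm is allowed"
fi
```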

Installation Procedure
Follow this sequence for installation:
1. Verify that the new node is online and ready to be added to the cluster, noting the current IP and hostname of
the new node.
The node should be started and ready for the LogRhythm software to be installed.

 You should not need to copy or edit any files for the new node.

Note the hostname and IP address of the server, as these will need to be added to the plan and to the hosts
file on the install node in later steps. The hostname must be set to the expected hostname before adding the
node to the cluster. Use the following commands to get the hostname and IP address of the server:
Hostname: hostname
IP Address: ip a
2. Identify the install node and verify the currently installed version of Data Indexer.

 If you start the install with a LogRhythm Data Indexer version higher than the current installed version
on the cluster, you may need to reimage the new server to install a lower version.

a. Verify the currently installed version by running the following command on any existing node in the
cluster:

cat /usr/local/logrhythm/version

b. When the DX installer is executed in later steps, you will need to run the installer from the same node the
DX installer was originally run on. Usually, this is the first node in the cluster and will be the node that has
the existing hosts file created for the original install.
c. If you are unsure and need to identify the node, you can use one or both of the following methods:
i. Check the /home/logrhythm/ and /home/logrhythm/Soft directory on the node for the hosts
file. This is the file that was created during the original install. The hosts file will contain all
existing nodes, their respective IPs, and the box type. This file does not need to exist on all nodes
in the cluster, only the previous install node.
ii. You can also verify if a node is the primary host by viewing the primary_host file on each node.

cat /usr/local/logrhythm/env/primary_host

If is_primary_host=True, then this is the node on which the installer was last run.
If is_primary_host=False or (blank), then this is not the node on which the installer was last run.

3. Create an updated LRII package using the LogRhythm Infrastructure Installer on the Platform Manager that
includes the new node's IP address.
a. On the Platform Manager server, open the LogRhythm Infrastructure Installer from the LogRhythm
programs group.
b. Click Add/Remove Host.

c. Click Add Host.


d. Add the IP Address of the new DX host, and optionally, the host nickname.
e. Click Save.
f. Click Create Deployment Package.
g. Verify the IP Addresses in the list and click Create Deployment Package.
h. Select the folder location in which to create the new LRDeploymentPackage, and click Select Folder.
Once the package is created it will provide the path to the LRDeploymentPackage folder. Copy this path
to the clipboard if necessary to help locate the newly created package.
i. Click Next Step.
j. Click Run Host Installer on This Host.
This will start the install of the newly generated LRII package on the Platform Manager.
Once the LRII install completes on the Platform Manager, expand “Step 2”. Leave the LogRhythm Deployment
Tool screen open on the Platform Manager; you will return to this screen after the node is installed.

 Do not close the LogRhythm Deployment Tool window until the cluster is successfully verified. Closing
the tool at this step may require starting the process over at the beginning (including the DX install
itself) to be able to validate the deployment.

4. Copy the necessary files to the Data Indexer install node. The currently installed version may already be present
in the Soft folder. You will not need to copy any files to the new node as the Data Indexer installer will copy
necessary files to all nodes in the cluster during install.
a. Using WinSCP, or similar, copy the plan.yml file (from the newly created LRDeploymentPackage folder
you selected in the previous steps) to the /home/logrhythm/Soft directory on the Data Indexer install
node (not the new node you are adding to the cluster). This file contains the updated plan information
for the common components.

 Make sure you are using the newly generated plan.yml file. Using a previously generated plan
file may render the Data Indexer unable to communicate with other LogRhythm services and
servers.

b. Verify that the Data Indexer installer and the PreInstall.sh file are both present in the Soft folder.

 If these files are missing, re-verify that this is the node the installer was originally run from. If the files
were deleted since the last install, download the standalone Linux Data Indexer version installer zip
from the community and copy the two files included in the zip to the Soft folder:
PreInstall.sh
LRDataIndexer-{version}.centos.x86_64.run

5. Update the existing hosts file on the install node with the new node information. The hosts file is usually
created in the /home/logrhythm/Soft directory but may be in /home/logrhythm/. This file should already
contain the IP address, hostname, and box type of the existing nodes in the cluster.
a. Edit the LR specific hosts file used by the Data Indexer Installer using vi or similar editor.

sudo vi /home/logrhythm/Soft/hosts

Type i to enter insert mode, edit the necessary lines, press Esc to exit insert mode, and then type :wq to
write the file and quit.
b. Add a new line with the IP Address, Hostname, and box type (either hot or warm) in the following
format:

<IP> <HOSTNAME> <box type>

Example: 192.168.0.1 mydxhostname hot

 box type is optional if there are only hot nodes in the cluster. If the other host lines have the
box type, it will need to be added with the new line. If warm nodes exist or you are adding a
warm node, the box type will need to be set for all hosts for a successful configuration during
install.

6. Run the PreInstall.sh script (on the install node) to set up public-key (password-less) SSH authentication.
a. (Optional) If you had to copy PreInstall.sh, you will need to set execute permission on the PreInstall.sh
script.

sudo chmod +x /home/logrhythm/Soft/PreInstall.sh

b. Execute the PreInstall.sh script:

sh /home/logrhythm/Soft/PreInstall.sh

c. Enter the current ssh password for the logrhythm user (password used to connect to the server).
d. Enter the path to the hosts file updated in the last step.
The script will run through multiple steps.

Note: Some steps of PreInstall.sh may show a warning or error depending on the current configuration.
These can be ignored if the "Testing ssh as logrhythm user using Public Key Authentication" section
shows SSH OK for every host in the hosts file. If SSH: Failed is shown for any host, review the output and fix
the SSH issue before running the DX installer.

Note: The Data Indexer installer WILL fail if public key authentication is not successfully set up before the
installer is run.

7. Run the Data Indexer installer to add the node to the cluster, using the Data Indexer install command from the
commands below. You must supply the full path to the hosts file, the full path to the plan.yml file, the existing
cluster name, and the --force switch. The force switch is needed because you are running the installer against
the same installed version.

Note: This step assumes the cluster health is green. The existing cluster name can be found in the
LogRhythm Console on the Clusters tab, under Deployment Monitor.

a. Change to the Soft directory:

cd /home/logrhythm/Soft

b. Run the Base Command:

sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts <full path to hosts> --plan <full path to plan.yml> --es-cluster-name=<existingclustername> --force

Example:

sudo sh LRDataIndexer-10.0.0.121-1.centos.x86_64.run --hosts /home/logrhythm/Soft/hosts --plan /home/logrhythm/Soft/plan.yml --es-cluster-name=mycluster --force

The Data Indexer installer executes and runs through the full install, adding the new node to the cluster. Once
the success message is displayed, the node has been added to the cluster. If you receive a message that the
install failed, review /var/log/persistent/ansible.log for the reason for the failure, correct any underlying
issues, and run the install command again.
8. (Optional) If the newly added node is a DX7500 node, run the secondary LR DX Node Installer to add the 2XDX
software to the newly installed node.

Note: The LRDXNodeInstaller is a separate installer from the Data Indexer installer and is available from the
downloads page.

On the install node, execute the LRDXNodeInstaller using the following Base Command:

sudo sh /usr/local/logrhythm/DXNodeInstaller-<version>.centos.x86_64.run --add --hosts <fullpathtohosts> --ma

Example:

sudo sh /usr/local/logrhythm/DXNodeInstaller-11.0.0.4.centos.x86_64.run --add --hosts /home/logrhythm/Soft/hosts --ma


9. Run the following command to verify that the node was successfully added to the cluster with the correct box
type:

curl localhost:9200/_cat/nodeattrs?v

All nodes in the cluster should be present along with their current box type. Any 2XDX nodes can be identified
because they show as <hostname>-data for the node name.
You can also run the cluster health command to verify the total number of nodes present in the cluster:

curl localhost:9200/_cluster/health?pretty

Troubleshooting
After the install completes, all Data Indexer services start automatically on all nodes. It may take a minute or two for
Elasticsearch to start on all nodes.
If the Elasticsearch API endpoint does not respond after 5 minutes, check the Elasticsearch log file,
/var/log/elasticsearch/<clustername>.log, to identify any errors Elasticsearch may be experiencing on startup. The
Elasticsearch service log exists on each node in the cluster, so you may need to check the log on each individual node
to determine the full extent of any issues with the service or cluster starting. The log is named after the cluster name
provided in the install command.
Get the service status on a specific node:

sudo systemctl status elasticsearch

Tail the Elasticsearch log:

tail -f /var/log/elasticsearch/<clustername>.log

When the Elasticsearch node services start and the master node is elected, the cluster health goes from red -> yellow
-> green. It may take an extended period (hours) for all existing indices to be recovered after the install. The cluster
health command shows the percentage of index shards recovered. Indexing and search are available once the primary
shards have been recovered.
The change from red to yellow is usually relatively fast, but the time to go from yellow to green depends on the
number of indices and their shard sizes.

Note: Performance may be impacted while the cluster recovers.

You can verify the status of index recovery using the following command on any node:

watch -n2 'curl -s localhost:9200/_cat/recovery?v | grep -v done'

The number of shards that are recovered at any time is throttled by Elasticsearch settings.
If shards stop showing in the recovery list, and the cluster health has not yet reported green, please contact LogRhythm
Support to investigate why shards are not initializing or assigning as expected.
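The checks in step 9 and in this Troubleshooting section can be scripted. The following is an added example, not part of the LogRhythm guide or product: it parses the hosts file format from step 5, the output of curl localhost:9200/_cat/nodeattrs?v, and the _cluster/health JSON, and reports any host that is missing, has the wrong box_type, or whose shards are still recovering. All sample data is constructed.

```python
"""Added verification helper for the DX node checks above (not part of the
LogRhythm guide or product). It compares the hosts file from step 5 with the
output of the two curl commands from step 9; all sample data is constructed."""
import json

# Constructed hosts file in the guide's "<IP> <HOSTNAME> <box type>" format.
SAMPLE_HOSTS = """192.168.0.1 dx01 hot
192.168.0.2 dx02 hot
192.168.0.3 dx03 warm
"""
# Constructed output of: curl localhost:9200/_cat/nodeattrs?v
# (dx03 was meant to be warm but came up with box_type hot).
SAMPLE_NODEATTRS = """node host        ip          attr            value
dx01 192.168.0.1 192.168.0.1 box_type        hot
dx01 192.168.0.1 192.168.0.1 xpack.installed true
dx02 192.168.0.2 192.168.0.2 box_type        hot
dx03 192.168.0.3 192.168.0.3 box_type        hot
"""
# Constructed output of: curl localhost:9200/_cluster/health?pretty
SAMPLE_HEALTH = json.dumps({
    "cluster_name": "mycluster", "status": "yellow", "number_of_nodes": 3,
    "number_of_data_nodes": 3, "active_primary_shards": 40, "active_shards": 50,
    "initializing_shards": 4, "unassigned_shards": 26,
    "active_shards_percent_as_number": 62.5,
})


def parse_hosts_file(text):
    """Parse hosts lines into {hostname: {"ip", "box_type"}}, enforcing the
    guide's rule: box type may be omitted only while every node is hot."""
    hosts, missing = {}, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # tolerate comments and blanks
        if not parts:
            continue
        if len(parts) < 2:
            raise ValueError(f"malformed hosts line: {raw!r}")
        box_type = parts[2].lower() if len(parts) > 2 else None
        if box_type not in (None, "hot", "warm"):
            raise ValueError(f"unknown box type {box_type!r} for {parts[1]}")
        if box_type is None:
            missing.append(parts[1])
        hosts[parts[1]] = {"ip": parts[0], "box_type": box_type or "hot"}
    if missing and any(h["box_type"] == "warm" for h in hosts.values()):
        raise ValueError(f"warm node present but box type missing for: {missing}")
    return hosts


def parse_nodeattrs(text):
    """Parse _cat/nodeattrs?v output into {node_name: {attr: value}}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    col = {name: i for i, name in enumerate(lines[0].split())}  # header row
    attrs = {}
    for ln in lines[1:]:
        f = ln.split()
        attrs.setdefault(f[col["node"]], {})[f[col["attr"]]] = f[col["value"]]
    return attrs


def check_box_types(hosts, nodeattrs):
    """Report hosts missing from the cluster or carrying the wrong box_type.
    A 2XDX node registers as "<hostname>-data", so that name is accepted too."""
    problems = []
    for hostname, info in hosts.items():
        nodes = [n for n in nodeattrs if n in (hostname, hostname + "-data")]
        if not nodes:
            problems.append(f"{hostname}: not present in the cluster")
        for node in nodes:
            actual = nodeattrs[node].get("box_type")
            if actual != info["box_type"]:
                problems.append(
                    f"{node}: box_type is {actual!r}, expected {info['box_type']!r}")
    return problems


def check_health(hosts, health_text):
    """Report missing nodes or unfinished shard recovery from _cluster/health."""
    h = json.loads(health_text)
    problems = []
    if h["number_of_nodes"] < len(hosts):
        problems.append(f"{h['number_of_nodes']} nodes joined, {len(hosts)} expected")
    if h["status"] != "green":   # red -> yellow -> green as shards recover
        problems.append(
            f"cluster is {h['status']}: {h['active_shards_percent_as_number']}% "
            f"of shards active, {h['initializing_shards']} initializing, "
            f"{h['unassigned_shards']} unassigned")
    return problems


def verify(hosts_text, nodeattrs_text, health_text):
    """Run both checks; an empty list means the node was added cleanly."""
    hosts = parse_hosts_file(hosts_text)
    return (check_box_types(hosts, parse_nodeattrs(nodeattrs_text))
            + check_health(hosts, health_text))


if __name__ == "__main__":
    for problem in verify(SAMPLE_HOSTS, SAMPLE_NODEATTRS, SAMPLE_HEALTH):
        print(problem)
```

On a live installer node, pass verify() the contents of the hosts file and the output of the two curl commands in place of the samples.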

Validate the Linux Indexer Installation


To validate a successful upgrade of the Linux Indexer, check the following logs in /var/log/persistent:
• ansible.log echoes console output from the upgrade, and should end with details about the number of
components that upgraded successfully, as well as any issues (unreachable or failed)
• logrhythm-node-install.sh.log lists all components that were installed or updated, along with current versions
• logrhythm-cluster-install.sh.log should end with a message stating that the Indexer was successfully installed
Additionally, you can issue the following command to verify the installed version of various LogRhythm services, tools,
and libraries, as well as third party tools:

sudo yum list installed | grep -i logrhythm

1. Verify that the following LogRhythm services are at the same version as the main installer version:
• Bulldozer
• Carpenter
• Columbo
• GoMaintain
• Transporter
• Watchtower
2. Verify that the following tools/libraries have been installed:
• Cluster Health
• Conductor
• Persistent
• Silence
• Unique ID
• Upgrade Checker
3. Verify the following version of this service:
• elasticsearch 6.8.3

Verify a Warm Node


To identify whether a warm node is working correctly after installation, perform the following:
1. Verify Warm Node configuration:

curl localhost:9200/_cat/nodeattrs?v


2. Verify Node Settings in /usr/local/logrhythm/env/es_datapath:

[root@DX01 env]# cat /usr/local/logrhythm/env/es_datapath
DX_ES_PATH_DATA=/usr/local/logrhythm/db/elasticsearch/data
DX_ES_CLUSTER_NAME=<cluster name>
DX_ES_DISCOVERY_ZEN_PING_UNICAST_HOSTS=<IPs of eligible master nodes>
DX_ES_DISCOVERY_ZEN_MINIMUM_MASTER_NODES=<# of eligible master nodes/2 (rounded down) + 1>
DX_ES_BOX_TYPE=warm
DX_ES_IS_MASTER=false

3. On each node in /usr/local/logrhythm/transporter/logs.json, verify the number of shards and replicas based on
number of hot nodes:

"number_of_shards": "<physical hot nodes * 2>"
"number_of_replicas": "<0 for a single hot node, or 1 for a multi-hot-node cluster>"

Note: For 2XDX, only physical nodes are used for the shard calculation. A three-node 2XDX will have six
shards.

4. Verify warm node functionality:


a. Wait until Elasticsearch's heap moves an open index to the warm node as a closed index.
b. Verify that GoMaintain does not throw errors when moving the index to the warm node as Closed.
c. (Optional) Perform an investigation against a closed index on the warm node (though this step alone will
not confirm that the warm node is working).

Information about Automatic Maintenance


Automatic maintenance is governed by several settings in GoMaintain Config:

Disk Utilization Limit


Disk Util Limit. Indicates the percentage of disk utilization that triggers maintenance. The default is 80, which means
that maintenance starts when the Elasticsearch data disk is 80% full.

Note: The value for Disk Util Limit should not be set higher than 80. A higher value can affect the ability of
Elasticsearch to store replica shards for the purpose of failover.

Maintenance is applied to the active repository as well as to archive repositories created by SecondLook. When the
Disk Util Limit is reached, active logs are trimmed when "max indices" is reached. At this point, GoMaintain deletes
completed restored repositories, starting with the oldest date.

The default settings prioritize restored repositories above the active log repository. Restored archived logs are
maintained at the sacrifice of active logs. If you want to keep your active logs and delete archives for space, set your min
indices equal to your max indices. This forces the maintenance process to delete restored repositories first.

Force Merge Configuration


Force Merge Config. Combines index segments to improve search performance. In larger deployments, search
performance could degrade over time due to a large number of segments. Force merge can alleviate this issue by
optimizing older indices and reducing heap usage.

Note: Do not modify any of the configuration options under Force Merge Config without the assistance of
LogRhythm Support or Professional Services.

Parameter         Description                                                       Default Value
Merging Enabled   If set to true, merging is enabled. If set to false, merging is   false
                  disabled.

Logging of configuration and results for force merge can be found in C:\Program
Files\LogRhythm\DataIndexer\logs\GoMaintain.log.

Index Configs
The DX monitors Elasticsearch memory and DX storage capacity.
GoMaintain tracks heap pressure on the nodes. If the pressure continually crosses the threshold, GoMaintain decreases
the number of days of indices by closing indices. Closing an index removes the resources needed to manage that data
and relieves the heap pressure on Elasticsearch. GoMaintain continues to close days until memory is under the
warning threshold, and continues to delete days based on the disk utilization setting (80% by default).
The default config is -1. This value monitors the system's resources and auto-manages the time-to-live (TTL). You can
configure a lower TTL by changing this number. If that number is no longer achievable, the DX sends a diagnostic
warning and starts closing indices.
Indices that have been closed by GoMaintain are not actively searchable in 7.6 but are maintained for reference
purposes. To see which indices are closed, run a curl command such as the following:

curl -s -XGET 'http://localhost:9200/_cat/indices?h=status,index' | awk '$1 == "close" {print $2}'

Open a browser to http://localhost:9200/_cat/indices?v to show both open and closed indices.


Indices can be reopened with the following query as long as you have enough heap memory and disk space to support
this index. If you do not, it immediately closes again.


curl -XPOST 'localhost:9200/<index>/_open?pretty'

After you open the index in this way, you can investigate the data in either the Web Console or Client Console.


Complete Additional LogRhythm Installation Tasks


Configure or Verify Communication Ports
LogRhythm installers should open the TCP ports required for component communications. Additional configuration
may be required, as described in this section. For more information on ports, see the Networking and Communication
topic in the Enterprise SIEM Help.

Note: If you need assistance with any of the procedures listed below, contact your system or network administrator.

Configure Access for Remote Consoles


Users should access their LogRhythm deployment using a Client Console that is installed on their local workstation or
through Citrix/Terminal Services (that is, not via the Client Console that is installed on the XM or Event Manager/
Platform Manager). For this reason, some configuration to allow remote access may be required after upgrading to
7.12.x.
If any intermediary firewalls are enabled between any LogRhythm Client Consoles, including the Windows Firewall on
any LogRhythm appliance, you must add the following rule to each firewall if access to the Data Indexer IP address is
not already allowed by applied policies:
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13130
ALLOW from {Client Console IP} to {Data Indexer IP} on TCP Port 13132

Verify Ports on the Linux Data Indexer


To verify which ports are listening for incoming traffic on a Linux Indexer node, log on to the Indexer node as logrhythm
and run the following command:

sudo firewall-cmd --permanent --zone=public --list-all

This lists all the public ports opened for DX:


• 8501/tcp
• 8300/udp
• 8301/udp
• 8300/tcp
• 8301/tcp
If you need to open any incoming ports on the Linux Indexer, do the following:
1. Log on to the Indexer node as logrhythm and run the following commands:

sudo firewall-cmd --zone=public --add-port=port/tcp --permanent

Complete Additional LogRhythm Installation Tasks 136


sudo firewall-cmd --reload

2. Repeat the steps above on each Linux Data Indexer.

Verify Ports on the Windows Data Indexer or the Data Processor


To verify allowed ports on a Windows server host:
1. Log on to the Windows server as an administrator.
2. Open a command prompt and run the following command:

netsh firewall show state

Ports that are currently open on all interfaces are displayed below the firewall status.

Note: The netsh firewall command has been deprecated but should still work on Windows Server 2008 R2, 2012 R2,
and 2016. If necessary, open Windows Firewall and search for the ports that are allowed on the current
server.

If you need to allow any ports on a Windows server host:


1. Log on to the Windows server as an administrator.
2. Open a command prompt and run the following command:

netsh advfirewall firewall add rule name="rule name" dir=in action=allow protocol=TCP localport=port

Verify SQL Server Authentication and LogRhythm Databases


To verify authentication on the Platform Manager or XM server:
1. Click Start, Apps, and then Microsoft SQL Server Management Studio.
2. In the Connect to Server window, enter the following information:
a. Authentication. SQL Server Authentication
b. Login. sa
c. Password. Enter the appropriate password
3. Click Connect.
The Microsoft SQL Server Management Studio window opens.
4. Expand the Databases folder. You should see the following LogRhythm Databases:
• LogRhythm_Alarms
• LogRhythm_CMDB
• LogRhythm_Events
• LogRhythm_LogMart
• LogRhythmEMDB
5. Exit Microsoft SQL Server Management Studio.


Verify LogRhythm Installation


Verify that the installation completed successfully by checking for the LogRhythm components in Add/Remove
Programs.
1. Click Start, Control Panel, and Add/Remove Programs.
2. Search for the following LogRhythm components on each server type and verify the version within the support
information link.

LogRhythm Component XM PM DP DX AIE Collector

Advanced Intelligence (AI) Engine X X X

Alarming Manager X X

Console* X X

Data Indexer (DX) X X

Job Manager X X

Mediator Server Service X X

System Monitor Service** X X X X X

Common X X

* The Console can be installed on any supported system.


** The System Monitor can be installed on any supported system. At a minimum, you must install it on the XM or PM.
If you have any issues with the installation, contact LogRhythm Support. C:\LogRhythm\InstallLogs contains the
install logs that may supply useful error messages for support.

Verify Web Console Processes


The installer automatically starts the services and processes needed to run the Web Console. However, you should
ensure that these processes are running by doing the following:
1. Go to Services on your machines.
2. Verify that the following services have started:


• LogRhythm API Gateway
• LogRhythm Authentication API
• LogRhythm Case API
• LogRhythm Service Registry
• LogRhythm Threat Intelligence API
• LogRhythm Web Console API
• LogRhythm Web Console UI
• LogRhythm Web Indexer
• LogRhythm Web Services Host API
3. Go to Task Manager on your machine.
4. Verify that the following services have started:
• java.exe (one instance)
• LogRhythm.Web.Services.ServicesHost.exe
• LogRhythmAPIGateway.exe
• LogRhythmAuthenticationAPI.exe
• LogRhythmCaseAPI.exe
• LogRhythmServiceRegistry.exe
• LogRhythmThreatIntelligence.exe
• lr-threat-intelligence-api.exe (32 bit)
• LogRhythmWebConsoleAPI.exe
• LogRhythmWebConsoleUI.exe
• LogRhythmWebIndexer.exe
• LogRhythmWebServicesHostAPI.exe
• nginx.exe *32 (a minimum of two instances)
• node.exe (four instances)
• procman.exe (eight instances)
• NSSM Service Manager

Note: NSSM is not a LogRhythm application, but a third-party service manager that provides a wrapper
around Java, Go, and other services to ensure that they run properly on Windows and that they are
restarted when they stop.

Install Other Agents


To install the LogRhythm System Monitor Agent on other machines, or to install the non-Windows System Monitor
Agents:
1. System Monitor installer files are available in the LogRhythm Install Wizard, in the Installers subfolder. Make sure
to use the appropriate file for 32-bit or 64-bit systems:
• LRSystemMonitor_7.12.x.xxxx.exe
• LRSystemMonitor_64_7.12.x.xxxx.exe
You can also download the Windows System Monitor installers from the release downloads page on
the LogRhythm Community.
2. Download *NIX System Monitor Agent packages from the release downloads page on the LogRhythm
Community. Text-based installation instructions for each package and platform are available, and additional
installation instructions are available in the System Monitor documentation.


Note: For all *NIX operating systems that support Realtime FIM, the System Monitor requires root privileges.

Configure the LogRhythm Software


You can work directly with Professional Services to configure your LogRhythm Solution, or you can follow the steps in
the New Deployment Wizard topic in the LogRhythm SIEM Help. You can find additional resources on the LogRhythm
Community.

Note: The LogRhythm upgrade guides contain information about some post-upgrade (or post-install) configurations
that are important to your deployment. You may want to review those guides to ensure that at least the
following items are addressed:
• Ensure that all Data Processors are assigned to a cluster
• Verify the IP Address of the LogMart Database Server

You need the following items for the deployment, whether you configure LogRhythm yourself or you work with
Professional Services:
• LogRhythm License File that is sent via email
• LogRhythm Knowledge Base (extension .lkb), which is located in the following folder: \LogRhythm\Install\KB

Add Realtime Antivirus Exclusions for LogRhythm


If you removed third party antivirus or endpoint protection software to conduct an upgrade or installation, reinstall it.
When running antivirus scanning software on a LogRhythm platform and/or on System Monitor Agent systems, be sure
to exclude the following directories from realtime antivirus scans. Scanning these directories has a major impact on the
performance of the LogRhythm platform. However, these locations should be scanned on a regularly scheduled basis.

Note: The following lists include the default directories. However, the location of any State folder (including AI
Engine, Job Manager, and SCARM) and archive data is customizable to use any location (for example, D:\). The
actual locations of these folders need to be excluded.

XM Appliance
If you have an XM appliance, apply the exclusions specified for the PM, DPX, and AIE (if installed).

PM Appliance
• D:\*.mdf
• L:\*.ldf
• T:\*.mdf
• T:\*.ldf
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos


• C:\tmp\indices\ (if Web Console is installed on the PM)
• If the Threat Intelligence Service (TIS) is installed:
• C:\Program Files\LogRhythm\LogRhythm Job Manager\config\list_import\*.*
• C:\Program Files\LogRhythm\LogRhythm Threat Intelligence Service\staging\HailATaxii\*.*

DP or DPX Appliance (Windows)


• All files in the directories and sub-directories of the paths stored in the environment variables %DXPATH%,
%DXCONFIGPATH%, and %DXDATAPATH%. By default, this is D:\Program Files\LogRhythm\Data Indexer\. To
view the environment variables, go to the Advanced System Settings, and click Environment Variables.
• D:\LogRhythmArchives\Active\*.lua
• X:\LogRhythmArchives\Inactive\*.lca (where X: is the location of the inactive archives, D: by default)
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.bin (where X: is the location of the state
folder)
• X:\Program Files\LogRhythm\LogRhythm Mediator Server\state\*.dgz (where X: is the location of the state
folder)
• C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\data
• C:\Program Files\LogRhythm\Data Indexer\elasticsearch\data
• C:\Windows\Temp\jtds*.tmp

DX Appliance (Linux)
• /usr/local/logrhythm/db/elasticsearch/data (default path, includes both state and data files)

AIE Appliance
• C:\Program Files\LogRhythm\LogRhythm AI Engine\data\*.*
• C:\Program Files\LogRhythm\LogRhythm AI Engine\state\*.*
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos

Note: If the AIE service is running on the PM appliance, exclude these directories on the PM.

Collector Appliance or Agents Deployed on Servers


• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.bin
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.pos
• C:\Program Files\LogRhythm\LogRhythm System Monitor\state\*.suspense

Note: The above paths are the default installation locations for the System Monitor Agent. If you install the Agent in a
different location (for example, D:\), update the exclusions as required.


Agents Deployed Linux Servers


• /opt/logrhythm/scsm/state/*.pos
• /opt/logrhythm/scsm/state/*.suspense

Web Console
• D:\tmp\indices

High Availability Deployments


• C:\lk\* directory (or whichever folder LifeKeeper is installed in)
• C:\Program Files (x86)\SIOS\DataKeeper directory (or whichever folder DataKeeper is installed in)
• C:\Program Files (x86)\SIOS\DataKeeper\Bitmaps (or whichever folder the bitmap file is stored in)
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
• Registry keys used by SIOS, listed at the following link: http://docs.us.sios.com/WindowsSPS/8.6/SPS4W/TechDoc/index.htm#DataKeeper/Administration/Registry_Entries.htm%3FTocPath%3DDataKeeper%7CAdministration%7C_____10

Note: Once your LogRhythm installation is complete, refer to the collection of topics in Get Started with LogRhythm
Enterprise for information on logging into the console, completing the new deployment wizard, and assigning
licenses.


Supplemental Information for Installations


Troubleshoot the LogRhythm Configuration Manager
If the LogRhythm Web Services Host, the LogRhythm API Gateway, or the LogRhythm Service Registry is not running,
you receive an error message and the LogRhythm Configuration Manager does not load. If you are not running the
LogRhythm version of SQL Server, one of the following error messages is displayed:
• The LogRhythm Configuration Manager displays: Cannot communicate with Services Host API.
• The log file for the Services Host API displays: 2016-07-18T15:28:05.080-06:00 [ERROR] [thread:6]
[class:Client.Session] **ERROR** Unable to load LogRhythm Master License: The SELECT permission was denied
on the object 'SCLicense', database 'LogRhythmEMDB', schema 'dbo'.
To resolve this issue:
1. Go to Services on your machine and stop the service SQL Server (MSSQLSERVER).
2. Restart the service LogRhythm Services Host API.
3. Open the LogRhythm Configuration Manager.
4. In the Database Server box, enter the correct Database Server IP address.
5. Click Save.
6. In the Services program on your machine, restart SQL Server (MSSQLSERVER).
The LogRhythm Configuration Manager does not load if a proxy server is enabled for LAN connections in Internet
Explorer.
To change the proxy server settings for Internet Explorer:
1. On the Internet Options dialog box, select the Connections tab.
2. Click LAN Settings.
The Local Area Network (LAN) Settings dialog box appears.
3. Clear the Use a proxy server for your LAN (These settings will not apply to dial-up or VPN connections)
check box.
4. Click OK.
If you require a proxy server for LAN connections, contact LogRhythm Support.

Back Up and Restore a LogRhythm Configuration


When you click Save in the LogRhythm Configuration Manager, the configuration file is saved to %APPDATA%
\LogRhythm Configuration Manager\presets. However, you can create a backup of any configuration and save it to any
location to use later to restore a given configuration or share with other users.
To back up a configuration:
1. Make any changes you want. Boxes with changes are outlined in blue.
2. Select Backup/Restore from the menu.
3. Click Backup to File.
4. Name the file and save it to the location you want.
5. (Optional) Click Save in the lower right of the LogRhythm Configuration Manager to apply the changes
immediately.
To restore a configuration:

Supplemental Information for Installations 143


1. Select Backup/Restore from the menu.


2. Select one of the following:
• Restore from File. Prompts you to open a configuration backup file. After you open the file, boxes with
changes are outlined blue.
• Restore from Last Saved. Reverts to the configuration saved in %APPDATA%\LogRhythm Configuration
Manager\presets. You can also click Revert Unsaved Changes to apply the settings in that file. Boxes with
changes are outlined blue.
• Restore from Default. Returns all configuration settings to the installation defaults. Boxes with changes
are outlined blue.
3. In the lower right of the LogRhythm Configuration Manager, click Save to apply the new settings.

Add Additional Components to an Existing Deployment


The LogRhythm Infrastructure Installer assists in the installation of Common Components across all LogRhythm
appliances and runs as the LogRhythm Infrastructure Installer (LRII) in the Install Wizard. The Common Components are
required on each appliance (Platform Manager, Data Processor, Data Indexer, Web Console, and AI Engine) to enable
communication between components. The Infrastructure Installer builds a deployment package that you can use to
manually deploy the Common Components on each appliance in a distributed configuration. Using this method, there
is no need to relax the security posture of your deployment to install Common Components. The tool is required every
time you install or upgrade a LogRhythm component to ensure that all components are communicating properly. If the
tool is not used during an installation or upgrade, the deployment will not be functional and you will not be able to
index or retrieve data.

Note: You must have the IP address of each LogRhythm server in your deployment, with the exception of those
running the Client Console or standalone System Monitors. You will also need SQL database credentials (sa or
an equivalent user) for the EMDB and the ability to log in to each of the LogRhythm servers to run the
deployment package that the Deployment Tool generates.

1. In the Start menu on the machine where you have LogRhythm installed, click LogRhythm, and then LogRhythm
Infrastructure Installer.
2. Click Add/Remove Hosts.
3. Click Add Host.
4. Enter the information for the new host and click Save.
5. Click Deployment Properties.
6. If necessary, change the Deployment Properties to match your deployment, and then click OK.
7. Click Create Deployment Package.
8. Follow the instructions provided by the Infrastructure Installer.
9. When you have finished, return to the home page of the Infrastructure Installer and click Verify Deployment
Status.
10. When the Infrastructure Installer indicates that your deployment is healthy, use the LogRhythm Installation
Wizard to install your new component.
11. License, configure, and add the new component according to the instructions provided in the LogRhythm Client
Console Help or LogRhythm Web Console Help.


Logs
Installer logs are located in C:\LogRhythm\InstallerLogs, in a folder with the date you completed the installation. The
_LIW will show basic information about the Install Wizard, and the LogRhythm_ Infrastructure_Installer_Silent will
show more information about the Deployment Tool.
In addition, you can find more information about the Deployment Tool install at C:\Program
Files\LogRhythm\LogRhythm Infrastructure Installer\logs or in the MSI log on the server, located at %Temp%.
The Linux DX installer logs are located in /var/log/persistent. You can run cat logrhythm-cluster-install.sh.log or
cat logrhythm-node-install.sh.log to view the contents of these logs.

Troubleshooting
Below are some potential issues that may arise when running the Deployment Tool.

Not all servers are shown in the EMDB results


The search does not find standalone Web Consoles or System Monitors. You must manually add your standalone Web
Consoles. There is no need to add the standalone System Monitors.

Linux deployment package will not run


You may have to switch to the directory where the package is located and run the following command prior to running
the Linux installer:
sudo chmod +x LRII_linux
After this has been completed, you can run the Linux package with the following command:
sudo ./LRII_linux

The Deployment Tool was successful, but cannot index or process


Ensure that you also run the Install Wizard on all of your nodes and/or the Linux DX upgrade package. These are still
required to be run on your nodes in addition to the Deployment Package.

My Deployment Status Verification says that not everything is active


Check your list of hosts in the Deployment Tool for accuracy. You may need to run the Deployment Package on the
inactive servers again. Follow the instructions above to run the packages.

My upgrade won't start because Elasticsearch is not running


You may see a message stating: You cannot upgrade: Please run 'sudo systemctl start elasticsearch'.
Elasticsearch needs to be running to check your indices for incompatible versions. Start the service as indicated, run the
curl command mentioned in the error until the cluster health is green, and then try the install again.


When upgrading my Linux DX, I received an error that states the LRII Plan file is invalid
You may not have added the plan file location to the executable path. Make sure you use the full execution path. It
should be similar to the following:
sudo sh LRDataIndexer-<version>.centos.x86_64.run --hosts
/home/logrhythm/soft/hosts --plan /home/logrhythm/soft/plan.yml

The LogRhythm Service Registry can't start during an upgrade


This error occurs when the Service Registry service is not started when LRII runs or it was started after the Deployment
Tool loaded. The C:\Program Files\LogRhythm\LogRhythm Infrastructure Installer\data directory is cleared prior to
running LRII because it recreates a new configuration for this upgrade.
There is a backup script that saves all key values prior to running the Deployment Tool so that the data directory can be
recovered if necessary. If needed, these files are in the depconf folder.

Unable to query for legacy deploymentType value


This error message may appear if your key values have been removed. It should automatically restore them for you, but
if you run into this issue, you can run the following steps to restore the key values.
1. Open PowerShell.
2. Type the following:
cd "C:\Program Files\LogRhythm\LogRhythm Common\LogRhythm Service Registry\backup"
3. Run the following:
$ConsulPath = "C:\LogRhythm\Deployment\data\consul.exe"
4. Find a previous backup at the location in step 2 that is larger than the most recent backups.
Most likely, the recent backups are 0 in size and you should pick the latest with a size larger than that.
5. Run the following script:
Get-Content .\kvexport-<date of backup>.json | & $ConsulPath kv import -
6. Restart the LogRhythm Deployment Tool.

Add Additional Web Consoles


You should only install the Web Console with the LogRhythm Install Wizard, regardless of whether or not you are adding
it to the PM or as a standalone appliance/server. For a standalone installation, be sure to follow the instructions
regarding the LogRhythm Infrastructure Installer — run your deployment package on the Web Console server and then
run the Install Wizard to install the single Web Console configuration.
Any time you add a new Web Console to an existing LogRhythm deployment, you must rerun the LogRhythm
Infrastructure Installer for the new component to be able to communicate. For further instructions, see Add a
Component to an Existing LogRhythm Deployment.

The Web Console can be accessed on Google Chrome (version 54 or higher is recommended), Mozilla Firefox
(version 50.0.1 or higher is recommended), or Internet Explorer 11. The Web Console is not supported on
tablets, mobile devices, or touch screens.

Configure the Web Console With the LogRhythm Configuration Manager


The LogRhythm Configuration Manager is an application that allows you to easily set up environmental variables and
configure them as needed during the lifetime of the Web Console.

Configure Smart Card/CAC Authentication

Smart Card/CAC authentication is not supported on Firefox.

To configure Smart Card/CAC authentication:


1. To obtain the environment's Certificate Authority Trust chain, concatenate the set of all SSL certificates
including the root certificates, the certificates that sign the end-user certificates, and all intermediate certificates
into a single file.

Do not manually insert line breaks within the certificates. The certificates do not need to be in any
specific order.

2. In the Web Services Configuration Manager, complete the following:


a. In the Certificate Authority Trust section, click Choose file.
b. Select the single certificates file created in step 1. The contents of the certificate file populate the
Certificate Authority Trust field.
c. In the Authentication section, set the Web Console Multi-factor Authentication Type to Smart Card.

Generate Self-Signed Certificates for the Web Console


The Web Console installer automatically generates a self-signed SSL certificate for you and saves it here:
C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls_temp.
However, it is best practice to generate your own self-signed certificates or import certificates signed by a third party.
When configuring your own SSL Certificates for the Web Console, each certificate needs to be configured separately.
Some guidance on doing so can be found on the Digital Ocean website and the OpenSSL website, but your IT
department should follow their own policies and security practices.
Your IT department should set up proper certificates for your domain, install those on the internal systems, and
maintain them appropriately.

The LogRhythm Web Console supports .pem and .crt files only. If you convert to a .crt file using OpenSSL, be
sure to use the -nokeys flag.

1. Ensure the private key is unencrypted. The private key should not require a password.
2. Concatenate the certificate with the issuing and root Certificate Authority (CA) into a single file, if necessary.
3. Open the LogRhythm Configuration Manager.
4. To add the public key to the SSL Public Key parameter, click Choose File and select the public key in the file
browser.
5. To add the private key to the SSL Private Key parameter, click Choose File and select the private key in the file
browser.
6. Save your changes, and restart services, if necessary.
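The file rules above (one concatenated chain, no hand-inserted line breaks, an unencrypted private key, .pem or .crt only, -nokeys when converting) can be checked before anything is uploaded through the Configuration Manager. The following Python script is an added example, not LogRhythm's code, written for the CA trust chain in the Smart Card/CAC procedure and for steps 1 and 2 here; it uses only the standard library, and the sample blocks it builds are constructed placeholders, not real certificates or keys.

```python
# Pre-flight checks for the .pem/.crt files the Web Console Configuration Manager accepts
# (chain, SSL Public Key, SSL Private Key). Added example, not LogRhythm code; stdlib only.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def pem_blocks(text):
    """All (label, body) PEM blocks in a file, in order."""
    return [(m.group(1), m.group(2)) for m in PEM_RE.finditer(text)]

def body_problem(body):
    """Hand-inserted line breaks show up as blank/over-long lines or broken base64."""
    lines = body.replace("\r", "").split("\n")
    if any(not ln or len(ln) > 64 for ln in lines):
        return "blank or over-long line inside block"
    try:
        base64.b64decode("".join(lines), validate=True)
    except ValueError:
        return "body is not valid base64"
    return None

def check_cert_file(name, text):
    """Validate a CA chain or public certificate file; [] means safe to upload."""
    problems = []
    if not name.lower().endswith((".pem", ".crt")):
        problems.append("only .pem and .crt files are supported")
    blocks = pem_blocks(text)
    if not blocks:
        problems.append("no PEM blocks found")
    for i, (label, body) in enumerate(blocks, 1):
        if "PRIVATE KEY" in label:  # e.g. a .p12 converted to .crt without -nokeys
            problems.append(f"block {i}: private key inside certificate file")
        elif label != "CERTIFICATE":
            problems.append(f"block {i}: unexpected {label} block")
        elif (p := body_problem(body)):
            problems.append(f"block {i}: {p}")
    return problems

def check_private_key(text):
    """The SSL Private Key must be exactly one key block with no passphrase."""
    blocks = pem_blocks(text)
    if len(blocks) != 1 or not blocks[0][0].endswith("PRIVATE KEY"):
        return ["file must contain exactly one PRIVATE KEY block"]
    if blocks[0][0].startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in blocks[0][1]:
        return ["private key is encrypted; remove the passphrase first"]
    return []

def fake_block(label, payload):  # constructed sample block; payload is NOT a real cert or key
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"
```

Run check_cert_file on the chain and public certificate files and check_private_key on the key file; an empty list from each is the go-ahead for steps 4 and 5.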

Trust the Self-Signed Certificate from a Client PC


Untrusted self-signed certificates can cause the Web Console to perform poorly. Self-signed certificates that are not
trusted prevent browsers from caching https requests, which causes Web Console pages to load slowly.
To prevent this problem by configuring trusted certificates:
1. Delete the following folders:
• C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls
• C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\tls_temp
2. Run the installer for the latest version of the Web Console on a Windows machine. If you have already installed
the Web Console, run the following script as an administrator:
C:\Program Files\LogRhythm\LogRhythm Web Services\LogRhythm Web Console UI\generate_keys.bat
3. Do one of the following:
• Method 1. Certificate trusted for all users of a system
i. From the Web Console server, run the Microsoft Management Console (mmc.exe).
ii. On the File menu, click Add/Remove Snap-in.
iii. Add the Certificates Snap-in.
iv. Select Computer account > Local computer.
v. Run the Microsoft Management Console with the Certificate Snap-in on the client system.
vi. Import the LogRhythm self-signed certificate file from C:\Program Files\LogRhythm\LogRhythm
Web Services\LogRhythm Web Console UI\tls_temp (or your own self-signed certificate) into the
Trusted Root Certification Authorities store. The certificate will be trusted for all users of this
system.
• Method 2. Certificate trusted for current user only
• In Internet Explorer 11
1. Run Internet Explorer as an administrator.
2. Go to your Web Console deployment.
3. Click Continue to this website (not recommended).
4. Click Certificate error in the address bar.
5. In the dialog box, click View certificates.
6. On the General tab, click Install Certificate, and then click Next when the wizard opens.
7. Select Place all certificates in the following store.
8. Click Browse and select Trusted Root Certification Authorities.
9. Click OK and Next.
10. Click Finish.
• In Firefox
1. Go to the Web Console.
A security certificate error page appears.
2. Click the arrow next to I Understand the Risks to expand the section.
3. Click Add Exception.
4. At the bottom of the dialog box, select Permanently store this exception.
5. Click Confirm Security Exception.
• In Chrome
1. Browse to the Web Console.
A security certificate error page appears.
2. Click Advanced, and then click Proceed to [Web Console].
3. In the address bar, click the broken padlock icon.
4. Next to the Your connection to this site is not private warning, click Details.
5. Click View certificate.
6. Select the Details tab.
7. Click Copy to File.
8. Follow the steps in the wizard to save the certificate as a PKCS #7 (.P7B) certificate in a
place you can easily locate it.
9. After you finish exporting the certificate, go to Settings in your browser.
10. At the bottom of the screen, click Show advanced settings.
11. In the HTTPS/SSL section, click Manage certificates.
12. Select the Trusted Root Certification Authorities tab.
13. Click Import.
14. Follow the steps in the wizard to import the certificate you saved in step 8. You must save
the certificate to the Trusted Root Certification Authorities store.
15. Select the newly imported certificate in the Trusted Root Certification Authorities tab, and
then click Advanced.
16. At the bottom of the dialog box, select Include all certificates in the certification path,
and then click OK.
17. Restart Chrome.

Remove the Web Console


If you need to uninstall the Web Console, log in as an Administrator, go to Add/Remove Programs, and uninstall the
LogRhythm Web Console. During the uninstallation, the following components are stopped and removed:
• LogRhythm Case API
• LogRhythm Web Console API
• LogRhythm Web Console UI
• LogRhythm Web Indexer
• LogRhythm Web Services Host API
• LogRhythm Threat Intelligence API
• LogRhythm Web Services Configuration Manager (program)
After removing the Web Console, any files that were generated by the runtimes of the services above remain. All
installation directories are still present. Below are some examples of the types of files that remain on the system:
• log files
• temporary or buffer files
• generated keys or certificates
• .pid files

If you want to completely remove the Web Services, it is safe to remove the entire LogRhythm Web Services directory. If
you plan to reinstall Web Services, it is not necessary to remove the Web Console folder structure.
