Core Deployment & Best Practices: 7.1.x 02/01/2016
- HA Field Installation Guide
© LogRhythm, Inc. All rights reserved. This document contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of LogRhythm, Inc.
Warranty The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied warranty of the merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.
Trademark LogRhythm® is a trademark of LogRhythm, Inc.
LogRhythm, Inc.
4780 Pearl East Circle, Boulder, CO 80301
(303) 413-8745
www.logrhythm.com
LogRhythm Customer Support: 1.303.413.8745
Contents
Introduction
  LogRhythm Certified Deployment Engineer Program
  LogRhythm Certified Installation Process
  LogRhythm Implementation Support
  Pre-Requisites for Appliance Installation
  Pre-Requisites for LRSS Installations
  Appliance Pre-Installation Assumed
  LRSS Pre-Installation Assumed
    Platform Managers, Data Processors and All-in-one Appliances
    Data Indexer Appliances
  Discuss Deployment Model Characteristics
LRSS Step-by-Step Installation Guide
  Download and Mount LogRhythm ISO
  Run the LRSS Package
Appliance or Post LRSS Install Step-by-Step Installation
  Windows Host Configurations
    Verify IP, Windows Name, DNS, and Domain
    Set Date, Time, and Time Zone
    Update LogRhythm Software
    Update SQL Account Passwords
  Linux Host Configurations
    Ensure Server Time
    Ensure IP
    Check Drive Space and Partitioning
    Update LogRhythm Software
  Configure LogRhythm Services
    Configure LogRhythm Job Manager Service
    Configure LogRhythm ARM Service
    Configure LogRhythm Mediator Service
    Configure LogRhythm AI Engine Service
    Configure LogRhythm System Monitor Service
    Configure the Data Indexer(s)
  Configure LogRhythm Console
    Initial Console Configuration
Knowledge Base Configuration
  Synchronization Settings
  Recommended Modules
Entity Guidelines
  Entity Overview
    Build the Entity Structure
    Add Network Definitions
    Entity Hosts Properties
Appliance Guidelines
  Platform Manager Configuration
    Global Data Management Settings
    Global System Settings and Backups
    Backup Cleanup Task
    Active Directory Integration
    Global Risk Based Priority Criteria (RBP)
  Data Processor Configuration (optional)
  AI Engine Port Configuration (optional)
  Configure LogRhythm Restore Archive Database
  Tuning
    Advanced Configuration Tool
  Disable Java Updates
  Starting LogRhythm
  Associate the New System Monitor Agent
  Configure the New System Monitor Agent to Listen for Syslog
  Associate the New Log Sources
  System Monitor on DX Appliances
    Installation
    Configuration
    Acceptance
    Add Log Sources
  Enable LogRhythm Diagnostic Alarms
  Enable AIE Rules
  Add Network Monitors (optional)
  LogRhythm Threat Intelligence Service
LogRhythm Web Console
  Requirements
  Web Console Installation
Extended Deployment Topics
Introduction
This document explains the LogRhythm Certified Deployment process and documents the recommended steps and configuration settings. It should be used by a LogRhythm Certified Deployment Engineer to implement a LogRhythm SIEM solution. If a software solution is required, the engineer should contact LogRhythm Professional Services for guidance. While the settings defined below are the recommended configurations, you will at times see a need to deviate from them. If an engineer implements a deviation, it is recommended that he or she document that deviation along with an explanation of why it was necessary. This document includes information and instructions on the following:
• LogRhythm Certified Deployment Engineer Program
• Step-by-Step Core Installation
• Knowledge Base Import
• Tuning LogRhythm
LogRhythm Certified Deployment Engineer Program
The LogRhythm Certified Deployment Engineer Program was developed to support the channel for delivering Certified LogRhythm Professional Services days. The program ensures that the quality of LogRhythm implementations is maintained. LogRhythm implementations should be completed by a LogRhythm Certified Deployment Engineer (LCDE). The LogRhythm Certified Deployment Engineer is qualified to do basic configurations, such as device patching, implementing the LogRhythm recommended tuning guide, and configuring log collection from common devices, such as MS Windows, Unix, or standard Syslog devices. The LogRhythm Certified Deployment Engineer Specialist (1) is qualified to do advanced configurations, such as multi-appliance installations, creation of new processing rules, and configuring log collection from advanced devices, such as CheckPoint Firewall, Oracle, or SQL Server. No other certified professional is permitted to deliver LogRhythm Certified Professional Services days. In addition, LogRhythm will stand behind all LogRhythm Certified Professional Services days and take remedial action, where appropriate, for any certified delivered day that does not meet customer expectations.
(1) This certification is forthcoming.
LogRhythm Certified Installation Process
The LogRhythm Certified Installation Process has been designed to ensure the quality of LogRhythm implementations. Certified installations can only be completed by an LCDE. LCDE consultants have an obligation to follow the process described below in order to successfully implement the LogRhythm solution within the customer organization. All steps in the process should be documented and captured on the LogRhythm deployment checklist. After the deployment, this checklist document should be provided to the end customer.
February 17, 2016 LogRhythm Inc
LogRhythm Implementation Support
The LCDE can call upon the LogRhythm Professional Services team for installation support. The LCDE will need to provide details of the installation session's goals and objectives. Contact details for the LogRhythm Professional Services team are available at the end of this document.
Pre-Requisites for Appliance Installation
The requirements below must be met to successfully install a LogRhythm Appliance solution:
• LogRhythm license: sent to the customer directly, but also available from LogRhythm Professional Services.
  o Optional licenses may be required for High Availability (HA) and Dell iDRAC.
• LogRhythm service accounts. Grant each account only the rights its task needs (write access on the report or archive share, read access on the hosts it collects from) rather than domain administrative rights.
  o Job Manager: the LogRhythm Job Manager service may write report files to remote file systems.
  o Mediator: the LogRhythm Mediator service may write flat archive files to remote file systems.
  o System Monitor: the LogRhythm System Monitor service is used to collect logs from remote Windows servers or secured flat files.
• A list of devices and logs that need to be collected (the scope should be defined in the pre-sales Recommended Solution).
• TCP/IP configuration settings: a minimum of one IP address is required, although a second can be configured for a separate management network. DNS server IP information is required for name resolution.
• Domain information: adding the LogRhythm appliance(s) to an Active Directory domain enables single sign-on within the LogRhythm Console and provides Active Directory contextualization of log data. Domain membership also enables dynamic host import through the Windows Host Wizard.
Pre-Requisites for LRSS Installations
To successfully install a LogRhythm Software solution, ensure the following are in place:
• Verify that the customer-provided platform meets the minimum performance requirements outlined in the customer's Recommended Solution Document or SOW (i.e., hardware matching the 3000/4000 series, 5000/6000 series, or 7000 series LogRhythm appliances).
  o The customer-provided Windows platform must be Windows Server 2008 R2 Enterprise.
  o Ensure that drives have been partitioned for the LogRhythm installation.
  Note: Disk configurations using shared SAN storage for SQL databases (both MDF and LDF files) are not supported. ONLY dedicated SAN storage configured as RAID 1/5/10 is supported.
  Note: SAN storage is supported for Archive (offline) storage and shared report storage.
• The customer has downloaded the LRSS Installation Package and copied it to the target environment hosts.
  o Ensure that any updated LogRhythm patches/software releases have been downloaded so that the current working version is installed prior to installing LRSS.
• The customer has downloaded and installed Microsoft .NET 4.0 on each target Windows host.
• The customer has downloaded and installed the Data Indexer ISO on any Data Indexer appliances.
• LogRhythm license: sent to the customer directly, but also available from LogRhythm Professional Services.
• LogRhythm service accounts:
  o Job Manager: the LogRhythm Job Manager service may write report files to remote file systems.
  o Mediator: the LogRhythm Mediator service may write flat archive files to remote file systems.
  o System Monitor: the LogRhythm System Monitor service is used to collect logs from remote Windows servers or secured flat files.
• A list of devices and logs that need to be collected (the scope should be defined in the pre-sales Recommended Solution).
• TCP/IP configuration settings: a minimum of one IP address is required, although a second can be configured for a separate management network. DNS server IP information is required for name resolution.
• Domain information: adding the LogRhythm hosts to an Active Directory domain enables single sign-on within the LogRhythm Console and provides Active Directory contextualization of log data. Domain membership also enables dynamic host import through the Windows Host Wizard.
Appliance Pre-Installation Assumed
It is assumed the following tasks were completed before beginning the LogRhythm installation.
1. Activate Windows.
2. Configure the appliance static IP address.
3. Configure the server's host name.
4. Add the appliance to Active Directory (if applicable).
5. Ensure that the appliance can be accessed via Remote Desktop.
LRSS Pre-Installation Assumed
It is assumed the following tasks were completed before beginning an LRSS installation.
Platform Managers, Data Processors and All-in-one Appliances
1. Install Windows Server 2008 R2.
2. Activate Windows.
3. Install Microsoft .NET 4.0.
4. Download all LogRhythm software.
5. Configure the static IP address.
6. Configure the server's host name.
7. Add the server to Active Directory (if applicable).
8. Ensure that the server can be accessed via Remote Desktop.
Data Indexer Appliances
1. Download and install the Data Indexer ISO image.
2. Complete the initial login setup prompts: IP address, subnet mask, default gateway and NTP servers.
3. Ensure that the appliance can be accessed via SSH.
Discuss Deployment Model Characteristics
Review the selected deployment model from the pre-sales Recommended Solution and confirm the chosen deployment optimization with the customer.
Note: This guide will generally utilize the Performance Optimized model.

Characteristic                                             | Collection Optimized | Performance Optimized | Search Optimized
-----------------------------------------------------------|----------------------|-----------------------|-----------------
Size to Max MPS Rate                                       | Yes                  | No                    | No
Size to Max RIX Processing Rate                            | No                   | Yes                   | No
Size to Max Indexing Rate                                  | No                   | No                    | Yes
All logs/flows/events archived                             | Yes                  | Yes                   | Yes
All logs/flows/events searchable                           | Yes                  | Yes                   | Yes
All LogRhythm Events indexed for fastest search/reporting  | No                   | Yes                   | Yes
All logs/flows/events indexed for fastest search/reporting | No                   | No                    | Yes
All logs/flows/events analyzed by AIE                      | No                   | Yes                   | Yes
Risk-Based Event Forwarding                                | No                   | Yes                   | Yes
Legacy Compliance Module support                           | No                   | Yes                   | Yes
Next Gen Compliance Automation Suites support              | No                   | Yes                   | Yes
LRSS Step-by-Step Installation Guide The following section should be completed prior to continuing with Post LRSS/Appliance Step-by-Step Installation.
Download and Mount LogRhythm ISO As part of the software solution, the customer is provided with a link to download the LRSS ISO and if applicable, the Data Indexer ISO. These packages should be downloaded and mounted to the target system.
Run the LRSS Package
Refer to the LRSS Installation and Getting Started Guide on the LogRhythm Support Portal: https://support.logrhythm.com/link/portal/5657/5730/ArticleFolder/93/LogRhythm-Solution-SoftwareLRSS
Appliance or Post LRSS Install Step-by-Step Installation The below steps should be completed and documented as part of LogRhythm Certified Installation (LCI). LogRhythm Professional Services can provide guidance or clarification on any of the below steps. LogRhythm Professional Services contact details are provided at the end of this document.
Windows Host Configurations Platform Managers (PM), Data Processors (DP) and all-in-one appliances run on Windows Server. Take the following steps to complete the initial server setup.
Verify IP, Windows Name, DNS, and Domain
1. Ensure that the server has been assigned a static IP address and a server name.
2. Confirm that a primary DNS server has been configured and, if the server is to be domain-joined, that it has been added to the domain.
Set Date, Time, and Time Zone
1. Click on the clock in the lower right of the Windows task bar.
2. Select Change date and time settings…
3. Adjust the date, time, and time zone accordingly.
Update LogRhythm Software
Ensure that the LogRhythm server is on the latest GA release and update if needed.
1. Select the Windows Start menu.
   a. Type "add remove".
   b. Open Add or Remove Programs.
2. Compare the installed LogRhythm version with the latest GA version.
3. If out of date, log into support.logrhythm.com.
   a. Select Downloads.
   b. Select the latest GA version.
   c. Download and follow the Upgrade Guide.
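The three Windows host sections above are manual checks. The PowerShell below is an added example, not part of the LogRhythm guide or of LogRhythm's own tooling, that performs the same verification on a PM, DP or XM host: static addressing and DNS on every IP-enabled adapter, forward resolution of the host name, domain membership, time zone and w32time source, the .NET 4.0 prerequisite, and the installed LogRhythm component versions to compare against the GA release on the support portal. It uses only WMI, .NET and the registry so it runs on the Windows Server 2008 R2 / PowerShell 2.0 hosts the guide targets. The expected time zone and domain are parameters with placeholder defaults, assumptions to replace with the customer's values.

```powershell
# Added example (not from the LogRhythm guide): script the manual checks from the
# "Verify IP, Windows Name, DNS, and Domain", "Set Date, Time, and Time Zone" and
# "Update LogRhythm Software" steps on a PM, DP or XM host.
# Only WMI, .NET and the registry are used, so it runs on Windows Server 2008 R2
# with PowerShell 2.0 as well as on newer hosts. Run it in an elevated console.
param(
    [string] $ExpectedTimeZoneId = 'UTC',   # assumption: replace with the customer's zone, e.g. 'Mountain Standard Time'
    [string] $ExpectedDomain     = ''       # assumption: leave empty if the host is not domain-joined
)

$findings = @()
function Add-Finding {
    param([string] $Check, [bool] $Ok, [string] $Detail)
    $status = if ($Ok) { 'OK' } else { 'FAIL' }
    $script:findings += New-Object PSObject -Property @{ Status = $status; Check = $Check; Detail = $Detail }
}

# 1. Addressing: every IP-enabled adapter should be static (no DHCP) and have DNS servers set.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
foreach ($nic in $nics) {
    $ipv4 = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
    $dns  = @($nic.DNSServerSearchOrder)
    Add-Finding "Static IPv4 on $($nic.Description)" (-not $nic.DHCPEnabled) ($ipv4 -join ', ')
    Add-Finding "DNS servers on $($nic.Description)" ($dns.Count -gt 0) ($dns -join ', ')
}

# 2. Host name: a forward lookup of our own name must return one of our own addresses.
$cs = Get-WmiObject Win32_ComputerSystem
try {
    $resolved = @([System.Net.Dns]::GetHostAddresses($cs.Name) | ForEach-Object { $_.IPAddressToString })
    $ownIps   = @($nics | ForEach-Object { $_.IPAddress })
    $hits     = @($resolved | Where-Object { $ownIps -contains $_ })
    Add-Finding "Host name $($cs.Name) resolves to a local IP" ($hits.Count -gt 0) ($resolved -join ', ')
} catch {
    Add-Finding "Host name $($cs.Name) resolves" $false $_.Exception.Message
}

# 3. Domain membership: needed for console single sign-on and AD contextualisation.
if ($ExpectedDomain) {
    Add-Finding "Joined to domain $ExpectedDomain" ($cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)) $cs.Domain
} else {
    $membership = if ($cs.PartOfDomain) { $cs.Domain } else { 'workgroup (not domain-joined)' }
    Add-Finding 'Domain membership (informational)' $true $membership
}

# 4. Time zone and time source: log timestamps and cross-host correlation depend on both.
$tz = [System.TimeZoneInfo]::Local
Add-Finding "Time zone is $ExpectedTimeZoneId" ($tz.Id -eq $ExpectedTimeZoneId) $tz.Id
$w32tm  = & w32tm.exe /query /status 2>&1
$source = ($w32tm | Where-Object { $_ -match '^Source:' }) -join ''
Add-Finding 'w32time syncs from a real source' (($source -ne '') -and ($source -notmatch 'Local CMOS Clock')) $source

# 5. .NET Framework 4.x full profile present (LRSS prerequisite).
$net4 = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$net4Version = if ($net4) { $net4.Version } else { 'missing' }
Add-Finding '.NET Framework 4.x installed' (($net4 -ne $null) -and ($net4.Install -eq 1)) $net4Version

# 6. Installed LogRhythm components and versions, to compare against the latest GA release.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$lr = @(Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'LogRhythm*' })
$lrList = ($lr | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" }) -join '; '
Add-Finding 'LogRhythm software present' ($lr.Count -gt 0) $lrList

$findings | Format-Table Status, Check, Detail -AutoSize
$failed = @($findings | Where-Object { $_.Status -eq 'FAIL' })
if ($failed.Count -gt 0) { exit 1 }   # non-zero exit so the result can gate the rest of the checklist
```

Run it once per Windows host, for example `.\Check-LogRhythmHost.ps1 -ExpectedTimeZoneId 'Mountain Standard Time' -ExpectedDomain 'corp.example'` (file name, zone and domain are illustrative), and attach the output to the deployment checklist; a FAIL on the time source or on static addressing should be resolved before any LogRhythm service is started, since both affect every log that will be collected.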
Update SQL Account Passwords
Customers should change the LogRhythm default passwords for all SQL account types. The following procedure should be performed on PM and XM LogRhythm appliances.
1. Launch MS SQL Server Management Studio and log in as the user sa using the default LogRhythm password.
2. Navigate to Security -> Logins for the SQL server.
3. Locate each of the following accounts and change its password to a customer-defined password. Record each new password; the configuration-manager steps that follow require them.
   a. LogRhythmAdmin
   b. LogRhythmAIE
   c. LogRhythmAnalyst
   d. LogRhythmARM
   e. LogRhythmJobMgr
   f. LogRhythmLM
   g. LogRhythmNGLM
   h. LogRhythmWebUI
   i. sa
   Note: After changing the sa password, close MS SQL Server Management Studio, then re-launch it and re-authenticate with the new password.
4. Next, ensure that the local Administrator account has been added to the SQL server as a member of the sysadmin role.
5. Ask the client about establishing a domain-level administration account, which would provide an additional failsafe if the local Administrator account were locked out for any reason.
Note: The local Administrator account may already have been added. Double-click that account to open the Login Properties window and verify its server roles. If the account does not exist, right-click the Logins node and choose New Login to add the Windows account to this SQL server.
Note: Steps 4 and 5 provide emergency access to MS SQL Server if the sa password is lost.
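The SSMS steps above rotate the default passwords one login at a time. The PowerShell below is an added example, not from the LogRhythm guide or from LogRhythm's own tooling; it performs the same rotation with T-SQL ALTER LOGIN over System.Data.SqlClient, creates the local Administrator break-glass login with sysadmin membership (steps 4 and 5), and then verifies the result on a fresh connection with the new sa password, which is the re-authentication the note above calls for. Assumptions not stated by the guide: a default SQL Server instance on the local PM/XM, SQL authentication enabled, and the export path used to hand the new passwords to the later configuration-manager steps.

```powershell
# Added example (not from the LogRhythm guide): rotate the default LogRhythm SQL
# logins with T-SQL instead of clicking through SSMS, then make sure the local
# Administrator account holds sysadmin as the break-glass path the guide describes.
# Assumptions (not stated by the guide): the PM/XM runs a default SQL instance
# reachable as ".", SQL authentication is enabled, and this runs elevated on the
# appliance. System.Data.SqlClient is used so no SqlServer module is needed.
param(
    [Parameter(Mandatory = $true)] [string] $CurrentSaPassword,
    [string] $ServerInstance     = '.',
    [string] $PasswordExportPath = "$env:ProgramData\LogRhythm\sql-logins-$(Get-Date -Format yyyyMMdd-HHmm).clixml"
)

# The logins from the "Update SQL Account Passwords" step. sa is rotated last
# because every earlier ALTER LOGIN runs over the session that sa authenticated.
$Logins = 'LogRhythmAdmin', 'LogRhythmAIE', 'LogRhythmAnalyst', 'LogRhythmARM',
          'LogRhythmJobMgr', 'LogRhythmLM', 'LogRhythmNGLM', 'LogRhythmWebUI', 'sa'

function New-StrongPassword {
    param([int] $Length = 24)
    # Crypto RNG rather than Get-Random. Exactly 64 symbols, so a byte maps onto
    # the alphabet without modulo bias; no quote characters, so the value also
    # pastes cleanly into the LogRhythm configuration managers.
    $alphabet = [char[]] 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+-=@'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

function Invoke-Tsql {
    param([System.Data.SqlClient.SqlConnection] $Connection, [string] $Sql)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Sql
    [void] $cmd.ExecuteNonQuery()
}

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$ServerInstance;Database=master;User ID=sa;Password=$CurrentSaPassword")
$conn.Open()

# Only touch SQL logins that actually exist on this release, instead of aborting midway.
$existing = @()
$cmd = $conn.CreateCommand()
$cmd.CommandText = "SELECT name FROM sys.server_principals WHERE type = 'S'"
$r = $cmd.ExecuteReader(); while ($r.Read()) { $existing += $r['name'] }; $r.Close()

$newPasswords = @{}
foreach ($login in $Logins) {
    if ($existing -notcontains $login) { Write-Warning "Login $login not found; skipping"; continue }
    $pw = New-StrongPassword
    # ALTER LOGIN cannot take a parameter for the password, so the literal is
    # escaped by hand; the alphabet contains no quotes, but escape regardless.
    $escaped = $pw.Replace("'", "''")
    Invoke-Tsql $conn "ALTER LOGIN [$login] WITH PASSWORD = N'$escaped';"
    $newPasswords[$login] = $pw
}

# Break-glass login (step 4 of the guide). sp_addsrvrolemember is used because it
# exists on SQL Server 2008 R2 as well as later releases; ALTER SERVER ROLE is 2012+.
$adminLogin = "$env:COMPUTERNAME\Administrator"
Invoke-Tsql $conn @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$adminLogin')
    CREATE LOGIN [$adminLogin] FROM WINDOWS;
EXEC sp_addsrvrolemember @loginame = N'$adminLogin', @rolename = N'sysadmin';
"@
$conn.Close()   # the sa password changed above, so this session is not reused

# Verify on a fresh connection with the NEW sa password.
$verify = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$ServerInstance;Database=master;User ID=sa;Password=$($newPasswords['sa'])")
$verify.Open()
$cmd = $verify.CreateCommand()
$cmd.CommandText = @"
SELECT p.name,
       CAST(LOGINPROPERTY(p.name, 'PasswordLastSetTime') AS datetime) AS PasswordLastSet,
       IS_SRVROLEMEMBER('sysadmin', p.name) AS IsSysadmin
FROM sys.server_principals p
WHERE p.name IN ('$($Logins -join "','")', N'$adminLogin')
ORDER BY p.name;
"@
$reader = $cmd.ExecuteReader()
while ($reader.Read()) {
    '{0,-32} last set {1:u}  sysadmin={2}' -f $reader['name'], $reader['PasswordLastSet'], $reader['IsSysadmin']
}
$reader.Close()
$verify.Close()

# Record the new values for the configuration-manager steps that follow. The file
# is DPAPI-protected to the account running this script; move the passwords into
# the customer's vault and delete the file once the services are configured.
$null = New-Item -ItemType Directory -Force -Path (Split-Path $PasswordExportPath)
$newPasswords.GetEnumerator() | ForEach-Object {
    New-Object PSObject -Property @{
        Login    = $_.Key
        Password = (ConvertTo-SecureString $_.Value -AsPlainText -Force | ConvertFrom-SecureString)
    }
} | Export-Clixml -Path $PasswordExportPath
"New passwords written to $PasswordExportPath"
```

Run it as `.\Rotate-LogRhythmSqlLogins.ps1 -CurrentSaPassword '<current sa password>'` (the file name is illustrative) on the PM or XM appliance only; DP and AIE appliances hold no EMDB. The exported file can be read back only by the account that ran the script. The LogRhythmNGLM value is the one the Data Indexer's Carpenter Config asks for later, and each configuration manager that follows asks for the password of the login it uses, so keep the export until those steps are done and then destroy it.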
Linux Host Configurations LogRhythm Data Indexer (DX) appliances run on CentOS. The customer should have completed the initial login prompts to configure networking and server time settings.
Ensure Server Time
1. Log in to the DX appliance as logrhythm via SSH, using the default password. If the default password is still in place, change it as part of the installation.
2. Run the command date to view and verify the time.
Ensure IP
1. Log in to the DX appliance as logrhythm via SSH.
2. Run the command ifconfig to view and verify the server IP address.
Check Drive Space and Partitioning
Check that the drive space has been allocated correctly. The majority of the space should be allocated to /usr/local, where the Data Indexer keeps its Elasticsearch data. The space partitioned for each DX depends on the server purchased; refer to the server data sheet for the specifications.
1. Log in to the DX appliance as logrhythm via SSH.
2. Run the command df -h to view and verify the space allocated to /usr/local.
Update LogRhythm Software
Ensure that the Data Indexer is on the latest GA release and update if needed.
1. If out of date, log into support.logrhythm.com.
   a. Select Downloads.
   b. Select the latest GA version.
   c. Download the Upgrade Guide and follow it to upgrade.
Configure LogRhythm Services
Configure LogRhythm System Monitor Service
Before the LogRhythm System Monitor service can be started, it needs to be configured via the System Monitor Configuration Manager. Follow the steps below to change the settings in the General tab:
1. Under Start >> All Programs >> LogRhythm, select System Monitor Configuration Manager.
   a. Change the CHANGE_THIS value next to "Server:" to the IP address or FQDN of the XM appliance for single-appliance installs, or of the DP appliance for multi-appliance installs.
   b. Change the System Monitor IP address to the IP address of the locally installed NIC that you want to use to communicate with the Data Processor. If left at 0, the first available NIC is selected automatically, which may work if there is only a single NIC in the system; however, it is recommended to set the IP address explicitly.
   c. Click the Windows Service tab at the bottom.
On the Windows Service tab:
1. Set the Startup Type to Automatic.
   a. Do not start the service yet.
2. Click OK.
Configure the Data Processor
Before the LogRhythm Mediator Server service can be started, it needs to be configured via the Data Processor Configuration Manager. Verify and configure the following:
1. Under Start >> All Programs >> LogRhythm, select Data Processor Configuration Manager. In the General tab:
   a. Change the CHANGE_THIS value next to "Server:" to the IP address or FQDN of the XM appliance for single-appliance installs, or of the PM appliance for multi-appliance installs.
   b. In the password field, enter the password chosen by the customer in Update SQL Account Passwords, or the default password logrhythm!1 if the defaults were left in place.
   c. Click Test Connection to ensure your settings are correct.
   d. Click the Windows Services tab at the bottom.
On the Windows Services tab:
1. Set the Startup Type to Automatic.
   a. Do not start the service yet.
2. Click OK.
Configure LogRhythm AI Engine Service
Before the LogRhythm AI Engine service can be started, it needs to be configured via the AI Engine Configuration Manager. Follow the steps below to change the settings in the General tab:
1. Under Start >> All Programs >> LogRhythm, select AI Engine Configuration Manager. In the General tab:
   a. Change the CHANGE_THIS value next to "Server:" to the IP address or FQDN of the XM appliance for single-appliance installs, or of the PM appliance for multi-appliance installs.
   b. In the password field, enter the password chosen by the customer in Update SQL Account Passwords, or the default password logrhythm!1 if the defaults were left in place.
   c. Click Test Connection to ensure your settings are correct.
   d. Click the Windows Service tab at the bottom.
On the Windows Service tab:
1. Set the Startup Type for both services to Automatic.
   a. Do not start the services yet.
2. Click OK.
Configure the Platform Manager
LogRhythm Job Manager Service
Before the LogRhythm Job Manager service can be started, it needs to be configured via the Platform Manager Configuration Manager. Follow the steps below to change the settings:
1. Under Start >> All Programs >> LogRhythm, select Platform Manager Configuration Manager. In the Job Manager tab:
   a. Change the CHANGE_THIS value next to "Server:" to the IP address or FQDN of the XM appliance for single-appliance installs, or of the PM appliance for multi-appliance installs.
   b. In the password field, enter the password chosen by the customer in Update SQL Account Passwords, or the default password logrhythm!1 if the defaults were left in place.
   c. Click Test Connection to ensure your settings are correct.
   d. Click the Alarming and Response Manager tab.
Configure LogRhythm ARM Service
Before the LogRhythm Alarming and Response Manager service can be started, it also needs to be configured via the Platform Manager Configuration Manager. In the Alarming and Response Manager tab:
1. Change the CHANGE_THIS value next to "Server:" to the IP address or FQDN of the XM appliance for single-appliance installs, or of the PM appliance for multi-appliance installs.
2. In the password field, enter the password chosen by the customer in Update SQL Account Passwords, or the default password logrhythm!1 if the defaults were left in place.
3. Click Test Connection to ensure your settings are correct.
4. Click the Windows Services tab at the bottom.
On the Windows Services tab:
1. Set the Startup Type for both services to Automatic.
   a. Do not start the services yet.
2. Click OK.
Configure the Data Indexer(s)
Before services are started, the Data Indexer(s) should be configured via the web configuration page. Follow the steps below to configure a single DX or a cluster:
1. Open Chrome and enter the IP address of a DX host in the URL bar.
   Note: If the DX is running on a Windows host, you will need to specify port 9100. For example: http://127.0.0.1:9100/
   a. Log in with the user admin and the default LogRhythm password.
2. If you have changed the default SQL password for the LogRhythmNGLM user, select Change Password under the Carpenter Config section.
   a. Enter the new password and select Change Password.
3. Under the Carpenter Config section, update the EMDB Host so that it matches the IP address of your PM or XM server.
4. Change the default cluster name for the DX(s). In environments with multiple clusters, duplicate cluster names are not allowed; give each cluster a descriptive, unique name.
5. Scroll further down and find the path.data parameter. This is the location the Elasticsearch log repository is written to.
   a. For a Linux DX host this path should be: /usr/local/logrhythm/db/elasticsearch/data
   b. For a Windows DX host this path should be: D:\LRIndexer\elasticsearch\data
   c. If you have more than one data drive, specify multiple locations as a comma-separated list, for example: D:\LRIndexer\elasticsearch\data,E:\LRIndexer\elasticsearch\data
Configure LogRhythm Console Before the LogRhythm services can be started, the Desktop Console must be opened. Complete the following steps in the initial configuration wizard:
1.
Under Start >> All Programs >> LogRhythm select LogRhythm Console. The below login screen will be presented. Complete the login screen with relevant details. a.
b. c. d.
Server: Name or IP Address of the XM appliance for single appliance installs or PM appliance for multi-appliance installs User ID: LogRhythmAdmin Password: Chosen By Customer or logrhythm!1if default Click OK
Initial Console Configuration
Once you have successfully logged on for the first time, you will be presented with several windows. Each window will walk you through the initial configuration required to complete first-time setup.
1. The LogRhythm New Platform Manager Deployment Wizard.
   a. Enter the Windows host name for Platform Manager: the Windows host name of the XM appliance for single-appliance installs, or of the PM appliance for multi-appliance installs.
   b. Enter IP Address for Platform Manager: the IP address of the XM appliance for single-appliance installs, or of the PM appliance for multi-appliance installs.
   c. Is the Platform Manager also a Data Processor: True for a single appliance; False for multi-appliance.
   d. Is the Platform Manager also an AI Engine server: True for all new appliances unless the customer has purchased a separate dedicated AIE server; this may not be true for LRSS installations.
   e. Browse to the License File. (Customer license files are provided by LogRhythm upon purchase. This file should be saved locally on the LogRhythm server.)
2. If the LogRhythm server is an XM, the License Wizard will be presented. Complete the wizard by selecting the appliance license and the log source license.
   a. Select the appropriate appliance license for your deployment.
   b. Click Next.
   c. Select the appropriate log source license for your deployment (limited or unlimited).
   d. Click OK.
3. You will be presented with the Knowledge Base Import Wizard.
   a. Select the appropriate import radio button and then select OK.
   b. The Knowledge Base will be unpacked and validated. This may take time.
4. After the Knowledge Base has unpacked, you will see a status report at the bottom of the interface. Review it for potential errors.
   a. Select Next.
   b. Select OK.
   c. Select Close.
5. Next you will see a message asking you to specify the platform the Platform Manager is running on. Note: With a single-appliance install, this will be the XM appliance. With a multi-appliance install, this will be the PM appliance.
   a. Click OK.
6. The Platform Selector dialog will be displayed.
   a. Select the platform your Platform Manager is running on.
7. Back in the Platform Manager Properties dialog:
   a. Select the Enable Reporting Engine check box.
   b. Enter an email address into the Email From Address field. Note: This will be the From address in all emails LogRhythm sends. In most cases, it does not need to be a real email address. Check with your email administrator to verify the correct settings.
   c. Type in the IP address of your mail relay.
   d. If your email server requires a username and password, provide that as well.
   e. Click OK.
8. If the LogRhythm Server is an XM, a message asking you to specify the Data Processor platform will appear. If the DP is being set up as a separate server, the DP will have to be created manually by right-clicking and choosing New on the Data Processor tab in the Deployment Manager. Note: In a single-appliance install, this will be the XM appliance; in a multi-appliance install, this will be the DP appliance.
   a. Click OK.
9. In the Data Processor Properties dialog:
   a. Select the platform the Data Processor is running on.
   b. Assign the Data Processor to the DX Cluster by selecting a Cluster Name.
   c. Click OK.
Knowledge Base Configuration Synchronization Settings
Now that the initial software configuration is complete, configure the Knowledge Base to check for updates automatically. To start, follow these steps:
1. Open the LogRhythm Console and close all other windows within the Console.
2. Click Tools > Knowledge > Knowledge Base Manager. The Knowledge Base Manager will appear.
3. Click Synchronization Settings.
   a. On the Synchronization Mode tab, select a Common Event Migration option. Note: If the "Do not synchronize if Common Event migration detected" option is selected, any KBs downloaded after a Common Event change has been detected will not be applied automatically. You may want to advise your customers that they will either need to disable this option or check for newly downloaded KBs on a weekly basis in order to run the Common Event Change Manager manually. In general, it is best to disable this option on most deployments and explain to your clients how this will affect their data on an ongoing basis.
   b. Click on the Schedule tab.
      i. Select the drop-down for Start On.
      ii. Click Today.
      iii. Set the Check for Knowledge Base updates time interval to a time outside the LogRhythm maintenance window (12:15 AM to 3:00 AM). For example, 11:00 PM every day would be a good time.
   c. Click on the Proxy Settings tab and add the customer's proxy server and port if the server needs to go through a proxy to reach the Internet.
   d. Click OK to save the settings.

Recommended Modules
Follow the steps below to enable additional recommended Knowledge Base modules. These modules are required to complete other sections in this guide covering AIE and the Threat Intelligence Service.
1. Enable additional Knowledge Base Modules. Recommended minimum:
   a. Core Threat Detection
   b. Threat Intelligence Service
   c. Threat Intelligence Service : Open Source
2. Apply additional modules outlined in the RecSol or Statement of Work. Note: Do not enable Intelligent Indexing for any imported Knowledge Base Module.
3. Right-click.
4. Mouse over Actions.
5. Click Enable.
6. Ensure the Enable Intelligent Indexing on Module Objects option is NOT selected.
7. Select Synchronize Stored Knowledge Base.
8. Allow the knowledge synchronization update to complete.
Entity Guidelines

Entity Overview
It is important that a base structure of customer Entities is configured and populated. Entities impact virtually every aspect of the LogRhythm SIEM, including but not limited to Data Organizational Management, Access Control, Directionality, Risk Based Priority, AIE rules, Reports, and much more. Below is a recommended Entity structure with associated Risk and Threat values, as well as recommended Risk and Threat values for server types.
Build the Entity Structure
There are multiple approaches to configuring entities. The most common and recommended approach for small to medium sized customers is to create parent entities based on the company's office and/or store locations. Under each parent entity, child entities should be created for each logical zone in the network, and for each child entity a network should be created with the associated IP range(s) and Threat and Risk levels. See the tables below for an example and recommendations. If the entities have not already been configured, do so now. If they were previously set up during the core deployment, the structure should be reviewed and updated accordingly. For enterprise customers, it may make more sense to build the parent entities by device type, for example "Windows Servers" and "Linux Servers". In larger environments it is more difficult to keep track of where servers live because of the amount and frequency of change, especially with virtual server infrastructures.

Parent Entity     | Child Entity    | Associated Network Risk | Associated Network Threat
Location 1 (HQ)   | Guest Wifi      | 1                       | 5 (Unknown who is on network)
Location 1 (HQ)   | DMZ             | 9 (High exposure)       | 1
Location 1 (HQ)   | Desktops        | 5                       | 3
Location 1 (HQ)   | Mobile          | 5 (Medium exposure)     | 3 (Unknown where devices have been)
Location 1 (HQ)   | Servers         | 2 (Low exposure)        | 1
Location 1 (HQ)   | Network Devices | 7                       | 2
Location 2 (EMEA) | Guest Wifi      | 1                       | 5 (Unknown who is on network)
Location 2 (EMEA) | DMZ             | 9 (High exposure)       | 1
Location 2 (EMEA) | Desktops        | 5                       | 3
Location 2 (EMEA) | Mobile          | 5 (Medium exposure)     | 3 (Unknown where devices have been)
Location 2 (EMEA) | Servers         | 2                       | 1
Location 2 (EMEA) | Network Devices | 7                       | 2

Note: For DAC deployments, break down child entities as needed. Example child entity names are Windows Servers and Linux Servers, for DAC between Windows administrators and Linux administrators.
Host Type            | Host Location | Risk | Threat
Desktop              | Behind DMZ    | 1    | 1
Laptop/Mobile Device |               | 5    | 3
Server               | DMZ           | 9    | 2
Server               | Data Center   | 4    | 1
1. To create the Entity structure, click on Deployment Manager.
2. Click on the Entities tab.
3. Right Click > New Root Entity in the tree on the left to create a Root Entity. Note: It is a good idea to rename the default Primary Entity.
4. Highlight the desired Root Entity and Right Click > New Child Entity to create a Child Entity.
Add Network Definitions
For each Entity, a network range or ranges should be defined along with the associated risk and threat levels, zone and location. Use the example Entity structure table above for recommendations on risk and threat levels.
1. To add a network, highlight an Entity and in the Entity Networks pane, Right click > New Network.
2. Add a Network Name.
3. Assign an IP address range (slash notation is not supported).
4. Select the Network's Zone.
5. Add a Network Location.
6. Select a Network Risk Level. Note: Risk levels should be set according to the relative importance of the assets contained within this IP address range. For example, PCI Cardholder Data assets may be set to a higher relative Risk value (such as 7 or higher) than non-PCI assets, which may be set to a risk level lower than 7. Note: Risk values on a network object are applied when a host that resides on this network (has an IP address within this range) is the Impacted Host.
7. Choose the Threat Level tab and set a threat value. Note: Threat levels should be set according to the relative importance of the assets contained within this IP address range. For example, PCI Cardholder Data assets may be set to a higher relative Threat value (such as 7 or higher) than non-PCI assets, which may be set to a threat level lower than 7. Note: Threat values on a network object are applied when a host that resides on this network (has an IP address within this range) is the Origin Host.
Entity Host Properties
As additional servers and log sources are brought into LogRhythm, host records will be added to the Entity structure. It is important to also assign risk and threat values, a zone and a location to individual hosts. The host values take precedence over network values, even if the host values are blank. Additionally, you can move hosts between Entities if needed by selecting Edit > Reorganization Wizard in the main menu of the Entities tab.
1. To edit a host's properties, select the Entity in which it lives.
2. Navigate to the Entity Hosts window pane.
3. Select the Action check box next to each Entity Host you want to modify.
4. Right Click > Actions > Edit Properties.
5. In the Host Batch Properties Editor:
   a. Check the Set Zone check box.
      i. Select the Host Zone most appropriate for the selected Host System.
   b. Check the Set Location check box.
      i. Set the Location most appropriate for the selected Host System.
   c. Check Set Risk Level.
      i. Select the Risk Level most appropriate for the selected Host System. Note: Risk levels should be set according to the relative importance of the host. For example, PCI Cardholder Data assets may be set to a higher relative Risk value (such as 7 or higher) than non-PCI assets, which may be set to a risk level lower than 7. Note: Risk values on a host object are applied when that host is the Impacted Host.
   d. Check Set Threat Level.
      i. Select the Threat Level most appropriate for the selected Host System. Note: Threat levels should be set according to the relative importance of this host. For example, PCI Cardholder Data assets may be set to a higher relative Threat value (such as 7 or higher) than non-PCI assets, which may be set to a threat level lower than 7. Note: Threat values on a host object are applied when that host is the Origin Host.
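The precedence rules above (network Risk applies to the Impacted Host, network Threat to the Origin Host, and a host record overrides its network even when its values are blank) are easy to get wrong when reviewing an Entity structure. The following added example is not LogRhythm code; it models those rules in Python so a consultant can check which value a given IP would receive. Entity, network and host names and the IP ranges are constructed, and the numeric values come from the example tables above.

```python
"""Model of how LogRhythm applies Entity Risk and Threat values.

Added example, not LogRhythm code. Encodes the rules stated in this guide:
a network's Risk applies when a host inside its IP range is the Impacted
Host and its Threat applies when that host is the Origin Host; a host
record's own values take precedence over the network values, even when the
host values are blank. All names and IP ranges below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional, Tuple


@dataclass
class Network:
    name: str
    first_ip: str   # ranges are entered as first and last address
    last_ip: str    # (slash notation is not supported in the Console)
    risk: Optional[int]
    threat: Optional[int]

    def contains(self, ip: str) -> bool:
        addr = IPv4Address(ip)
        return IPv4Address(self.first_ip) <= addr <= IPv4Address(self.last_ip)


@dataclass
class Host:
    name: str
    ips: List[str]
    risk: Optional[int] = None    # None = left blank in the Host Batch Properties Editor
    threat: Optional[int] = None


@dataclass
class Entity:
    name: str
    networks: List[Network] = field(default_factory=list)
    hosts: List[Host] = field(default_factory=list)


def parse_range(text: str) -> Tuple[str, str]:
    """Accept 'a.b.c.d-e.f.g.h'; reject CIDR, which the Console does not accept."""
    if "/" in text:
        raise ValueError("slash notation not supported; enter first-last addresses")
    first, last = (part.strip() for part in text.split("-", 1))
    if IPv4Address(first) > IPv4Address(last):
        raise ValueError("range start is after range end")
    return first, last


def range_is_valid(text: str) -> bool:
    """True when parse_range accepts the text."""
    try:
        parse_range(text)
        return True
    except ValueError:
        return False


def effective_value(entity: Entity, ip: str, role: str) -> Optional[int]:
    """Return the Risk (role='impacted') or Threat (role='origin') applied to ip.

    A host record wins even when its value is blank (None); only an IP with
    no host record falls back to the containing network's value.
    """
    if role not in ("impacted", "origin"):
        raise ValueError("role must be 'impacted' or 'origin'")
    attr = "risk" if role == "impacted" else "threat"
    for host in entity.hosts:
        if ip in host.ips:
            return getattr(host, attr)
    for net in entity.networks:
        if net.contains(ip):
            return getattr(net, attr)
    return None   # IP is not covered by this Entity at all


def build_hq_entity() -> Entity:
    """Constructed 'Location 1 (HQ)' Entity using values from the tables above."""
    dmz = Network("DMZ", *parse_range("192.0.2.0-192.0.2.255"), risk=9, threat=1)
    servers = Network("Servers", *parse_range("10.10.0.0-10.10.255.255"), risk=2, threat=1)
    guest = Network("Guest Wifi", *parse_range("172.16.50.0-172.16.50.255"), risk=1, threat=5)
    hosts = [
        # DMZ server carrying the host-table values (Server / DMZ: Risk 9, Threat 2)
        Host("dmz-web-01", ["192.0.2.10"], risk=9, threat=2),
        # Host record created but Risk/Threat left blank: still overrides the network
        Host("app-unrated", ["10.10.4.7"]),
    ]
    return Entity("Location 1 (HQ)", [dmz, servers, guest], hosts)
```

Running effective_value over a list of critical IPs is a quick way to find host records that were created (for example by log source acceptance) without Risk or Threat values and are silently masking the network values.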
Appliance Guidelines

Platform Manager Configuration
Before the LogRhythm services can be started, several advanced tuning parameters should be set manually and the Advanced Configuration Tool should be run; the tool is covered in a section below.

Global Data Management Settings
1. Click on the Platform Manager tab.
2. Click on Global Data Management Settings.
   i. From the Global Settings window, select the desired Data Management Profile based on the information collected above (page 4 of this guide) in the Data Management Profile Options section. Note: Collection Optimized will continue to index Events. All other logs will go straight to archive.
Global System Settings and Backups
1. Click Global System Settings.
   a. For Identity Inference: enabling this feature can cause a performance degradation of 10%. Best practice is to disable Identity Inference by default and discuss the potential performance impact with the customer.
   b. Locate BackupPath_EMDB and enter D:\LR Backups. Note: Ask your customers if they have an alternate path for the EMDB backup location; if so, set the location to that path. Ensure the SQL Server Agent service account has write access to any path specified here. If they do not have another path, you can create and use D:\LR Backups.
      i. Make sure to also create this path on the Windows side.
Backup Cleanup Task
If a cleanup task is not created to delete old backups, the disk the backups are written to will eventually fill up. Follow the instructions below to create a cleanup job in MS SQL Management Studio.
1. Log in to MS SQL Management Studio as the sa user.
2. Expand the Management tree.
3. Right Click on Maintenance Plans > New Maintenance Plan...
4. Name the new maintenance plan.
5. From the Toolbox, click and drag the Maintenance Cleanup Task into the new maintenance plan.
6. Double-click the new task to open the properties dialog.
   a. Enter the file path where the backups are located into the Folder field.
   b. Add "bak" to the File extension field. Note: Do not add a period before the extension; it is not necessary and will cause the cleanup to fail.
   c. Enter how long the customer wishes to keep backups into the File age field.
7. Now select the Calendar icon to schedule the maintenance job.
   a. Change the Occurs field to Daily.
   b. Set the Recurs every field to 1 day.
   c. Set the Occurs once at field to 12:00 PM.
   d. Select OK.
8. Click the Save button to save the maintenance task.
Active Directory Integration
If the customer wishes to integrate the Platform Manager or XM with Active Directory:
1. Click on Active Directory Domain Manager.
   a. In the Active Directory Domain Manager window:
      i. Click the icon.
      ii. Enter the appropriate information in the following fields:
         1. Domain Name
         2. Organizational Unit (optional). Note: Ensure that you use Active Directory OU notation for this option.
         3. Username
         4. Password
         5. Confirm Password
      iii. Check Include in Active Directory Synchronization.
      iv. Check Include in Active Directory Group Based Authorization if the customer intends to use Active Directory groups for LogRhythm access via Active Directory Group Based Authentication.
      v. Check Scan Sub Units if the customer intends to include information from sub-Organizational Units in Active Directory.
   b. Select the Details tab.
      i. Click Validate to test the configuration, and check the results in the Domain Details box located below the Validate button.
      ii. If successful, click OK to close the window.
   c. On the Active Directory Domain Manager window, click OK to return to the Platform Manager tab.

Global Risk Based Priority (RBP) Criteria
This setting acts as a filter for Events: if an event does not meet this criteria, it will not be inserted into the Events database. It is therefore important to have risk and threat values assigned to your networks and hosts on the Entities tab. LogRhythm recommends tuning the Global Risk Based Priority Criteria on the Platform Manager tab so that events are less than or equal to 5% of the deployment's total log volume. For example, if the total volume is 10,000 messages per second, events should be 500 messages per second or less. Running the Log Volume Executive Summary report from Report Center will provide you with your Event rate. To begin tuning, lower the Global RBP Criteria to 20. This will start filtering in events that have an RBP value of 20 or higher and is a good place to start. Make sure to update the entity structure with the appropriate Risk and Threat values as changes to the structure are made or as hosts and log sources are added. Over the next several days of the deployment, the Global RBP Criteria should be increased or decreased to reach the 5% goal.
1. Set the Global Risk Based Priority (RBP) Criteria to 20.
   a. Click Apply.
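The tuning loop described above (start at 20, then raise or lower the criteria over several days until Events are at most 5% of log volume) can be rehearsed against a histogram of observed RBP values. The following added example is not LogRhythm code; the histogram is constructed, and in a real deployment the Event rate comes from the Log Volume Executive Summary report, since LogRhythm computes RBP from the risk and threat values on the Entities tab.

```python
"""Helper for the Global RBP Criteria tuning loop described above.

Added example, not LogRhythm code. Only events whose RBP meets the Global
RBP Criteria are written to the Events database, and the guide's goal is an
Event rate at or below 5% of total log volume. The histogram below is
constructed; LogRhythm computes real RBP values from Risk and Threat.
"""
from typing import Dict

# Constructed histogram: RBP value -> number of logs observed at that value.
SAMPLE_RBP_HISTOGRAM: Dict[int, int] = {
    0: 6000, 10: 2000, 20: 1000, 40: 500, 60: 300, 80: 150, 95: 50,
}

EVENT_TARGET = 0.05   # Events should be <= 5% of total log volume
START_CRITERIA = 20   # the guide's recommended starting point


def event_fraction(histogram: Dict[int, int], criteria: int) -> float:
    """Share of logs that become Events at the given Global RBP Criteria."""
    total = sum(histogram.values())
    if total == 0:
        return 0.0
    passing = sum(n for rbp, n in histogram.items() if rbp >= criteria)
    return passing / total


def events_per_second(histogram: Dict[int, int], criteria: int, total_mps: float) -> float:
    """Projected Event rate; 10,000 mps total should yield <= 500 Events per second."""
    return total_mps * event_fraction(histogram, criteria)


def tune_criteria(histogram: Dict[int, int], target: float = EVENT_TARGET,
                  start: int = START_CRITERIA, max_rbp: int = 100) -> int:
    """Walk the criteria up or down from `start` until the Event share just meets target.

    If the start value lets too many Events through, raise the criteria; if the
    share is already under target, lower it while the next value down still stays
    under target, so that no more Events than necessary are filtered out.
    """
    criteria = start
    if event_fraction(histogram, criteria) > target:
        while criteria < max_rbp and event_fraction(histogram, criteria) > target:
            criteria += 1
    else:
        while criteria > 0 and event_fraction(histogram, criteria - 1) <= target:
            criteria -= 1
    return criteria
```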
Data Processor Configuration (optional)
For customers that intend to use two NICs or IP addresses with a dedicated AIE host:
1. Open the LogRhythm Deployment Manager and then select the Data Processors tab.
2. Locate the Data Processor you want to adjust.
   a. Right-click on the Data Processor.
   b. Click Properties.
   c. When the new window appears, select Advanced.
   d. Locate the ClientAddress property under the AIE Provider section of the DP's Advanced Properties.
   e. Input the IP address of the NIC that will be used by this DP to communicate with AIE.
   f. Click Apply to save.
   g. Click OK to close the Advanced Properties window.
3. On the AI Engine tab:
   a. Select Properties.
   b. By default, the Data Processor will use its previously defined primary IP as the AI Engine sending and receiving address.
   c. Override the Client (DP) address to use the IP address dedicated to DP-to-AIE traffic.
   d. Override the Server (AIE) address to use the listening IP address dedicated to AIE-to-DP traffic on the dedicated AIE appliance.
   e. Optionally, specify the client management and data ports for situations where firewalls exist between the DP and AIE appliances and the return port must be known. These ports should be defined by the customer's network administrators prior to enabling this configuration.
   f. Click OK to close the properties window.
   g. Click Apply to save the configuration.
   h. Click OK to close the DP Properties pane.
AI Engine Port Configuration (Optional)
For configurations where the default AIE listen ports of 30000 and 30001 must be changed per network requirements. From the Deployment Manager:
1. Click on the AI Engine tab.
2. Choose the Servers sub-tab.
3. Select the AIE Server, right-click and choose Properties.
4. On the AI Engine Server Properties window, choose Advanced.
5. Locate the ComMgr ServerDataPort and ServerManagementPort and adjust them to the ports specified by the customer's Network Security team.
6. Click Apply.
7. Click OK.
8. Click OK to close the AI Engine Server Properties window.
Configure LogRhythm Restore Archive Database
LogRhythm uses the Restore Archive Database to restore logs from the archive log files. The Second Look Wizard is used to recover the logs to the Restore Archive Database. Before the Second Look Wizard can recover the archive files it must have a place defined that it can recover the files to; this is the Restore Archive Database. It can be configured using the following steps:
1. Open Deployment Manager.
2. Select the Data Processor tab.
3. Right-click and choose New.
   a. Host: Name of the LogRhythm appliance.
   b. Platform: Select the appliance that LogRhythm is installed on.
   c. Data Processor Name: Changed to “ - Restored Archives”.
   d. Cluster Name: Data Indexer cluster where the restored logs will be stored.
   e. Operating Mode: Changed to “Online Archive – Data Processor is online for use in archive restoration and analysis.”
   f. Click OK.
   g. Highlight the newly created DP record and in the lower window pane, Right Click > New.
   h. In the Log Repository Properties dialog, there is no need to change any setting. Click OK.
4. Repeat the Configure LogRhythm Restore Archive Database section for any additional RADBs. Typically, an RADB would be configured for each cluster of DXs. An environment with two DP/DX pairs configured in pinned mode would have an RADB repository on each DX. An environment with one DP and a cluster of 4 DX servers would have only one RADB repository configured.
Tuning

Advanced Configuration Tool
For each appliance being configured, run the Advanced Configuration Tool (ACT) to ensure consistent default settings for tuning parameters are set. Note: The ACT should be included with all appliances shipped by LogRhythm; however, if it is not located under the C:\LogRhythm directory, it can be downloaded from the LogRhythm Support Portal.
1. Launch the ACT.
2. Input the SA-level account and password for the appliance.
3. Click Connect.
4. The ACT will load the tuning parameters for the specified appliance type and compare them against the parameters found in the EMDB. Click Commit Changes to update the appliance to the correct tuning parameters for this appliance.

Starting LogRhythm
Once the LogRhythm services have been configured, you can start them via the LogRhythm service configuration windows. The Platform Manager Local Configuration window is shown below as an example. Make sure to follow this example for each of the following configuration windows found in Start > Apps:
• AIEngine Configuration Manager
• Platform Manager Configuration Manager
• Data Processor Configuration Manager
• System Monitor Configuration Manager
After starting the services, switch over to the log file tabs in each of the configuration managers to check for errors and startup messages. Then open the LogRhythm Desktop Client to check for heartbeats and notices on the Deployment Monitor (remember that the Deployment Monitor updates periodically, so give it a few minutes for the heartbeats to show up).
* Note – A Service Account may be enabled for each of the components within the LogRhythm appliance environment. The Service Account is required to have local system administrative access to the appropriate system.
* Note – In order to establish a Service Account, have the client request the approval and creation of a service account through their own local policies. Typically this takes place through the Network Administration team.
Associate the New System Monitor Agent
On initial startup the locally installed agent will show up as pending. The agent can be associated with the already defined System Monitor Agent record by following the steps below:
1. Click on Deployment Manager.
2. Click on the System Monitor Agents tab. Under New System Monitor Agents, you should see your agent as pending.
3. Select the Action column for the new System Monitor Agent.
4. Right-click and select Associate.
5. The System Monitor Association window will appear. Select the locally installed agent from the list.
6. Click OK.

Configure the New System Monitor Agent to Listen for Syslog
The LogRhythm System Monitor Agent will not listen for syslog sources until it is configured to do so. An Agent can be configured to listen for syslog by following the steps below:
1. Navigate to Deployment Manager > System Monitor Agents.
2. Select the Action box to the left of the new Agent.
   a. Right-click and select Properties.
   b. Select the Syslog and Flow Settings tab. Check the box next to Enable Syslog Server.
   c. Select the Advanced settings button. Enter the LogRhythm System Monitor Agent's IP address into the SyslogServerNIC parameter. * Note – The default value is ‘0’, which is a zero-based index of the address to use from all available IP addresses. If there are multiple NICs available, it is recommended to specify the IP of the NIC you wish to use. Optionally, ‘0.0.0.0’

Accept the New Log Sources
When syslog log sources are pointed to the LogRhythm appliance, the log source will show up as pending. An agent is associated with the defined syslog record by following the steps below:
1. Navigate to Deployment Manager > Log Sources.
2. Locate the pending source in the top pane titled New Log Sources.
3. Select the Action box to the left of the desired Log Source.
   a. Right Click and select Actions > Change Log Source Type.
4. Select the appropriate System Type which corresponds to the Log Source.
   a. Right Click and select Actions > Resolve Log Source Hosts.
5. Right Click and select Actions > Accept > Customize (or Default).
   a. Customize will allow you to select the following:
      • Entity Structure
      • Network Zone
      • Location
      • MPE Policy
      • Risk Level
      • Threat Level
6. Select OK.

System Monitor on DX Appliances
There is a LogRhythm System Monitor installer on each DX appliance which should be run and configured, and the service should be started. Then the System Monitor can be accepted in the LogRhythm Console.

Installation
1. SSH and log in to each DX host.
2. Run the command cd ~/Soft.
3. Run the ls command to view all files in the directory and check the System Monitor version.
   a. If the version is not the most recent GA version, go to the Support Portal and download the latest GA installer.
4. Run the command sudo rpm -i

Configuration
1. Run sudo vi /opt/logrhythm/scsm/config/scsm.ini.
   a. Modify the ClientAddress (local DX IP address) and Host (DP address) parameters.
   b. Save the file by holding Shift+Z+Z.
2. Start the System Monitor by running sudo systemctl start scsmd.
3. Check that it is running with the command sudo systemctl status scsmd.
4. Repeat steps 1-3 for any additional DX appliances.
Acceptance
1. In the LogRhythm Console navigate to the System Monitors tab in the Deployment Monitor.
2. Select the check box next to the pending agent.
3. Right Click > Actions > Accept.
4. Repeat steps 1-3 for any additional DX appliances.

Add Log Sources
It is recommended to collect the secure log from each DX appliance.
1. In the LogRhythm Console navigate to the System Monitors tab in the Deployment Monitor.
2. Double-click an agent running on a DX host to open the Properties dialog.
   a. Right Click > New in the Log Message Sources grid.
   b. On the Basic Configuration tab set the following parameters:
      i. Log Message Source Type: Flat File – Linux Host Secure Log
      ii. Log Message Processing Engine (MPE) Policy: LogRhythm Default
   c. On the Flat File Settings tab set the following parameters:
      i. File Path: /var/log/secure
      ii. Date Parsing Format: Linux Host Secure Log
   d. Select OK.
3. Repeat steps 1 and 2 for any additional DX appliances.
Enable LogRhythm Diagnostic Alarms
LogRhythm provides built-in capability to alarm on system health. We recommend you enable these alarms and add the Technical Point of Contact to the notification list.
1. Navigate to Deployment Manager > Alarm Rules.
2. Select the Action box next to the following alarms:
   • AI Engine : Critical Condition
   • AI Engine : Excessive Warnings
   • AI Engine : Rule Suspended Due To Memory Triage
   • AI Engine : Successive Errors
   • QsEMP : Excessive Events Spooled to Disk
   • QsEMP : Excessive Logs Spooled to Disk
   • QsEMP : Excessive Processed Unprocessed Logs Spooled to Disk
   • QsEMP : LogRhythm Agent Heartbeat Missed
   • QsEMP : LogRhythm AI Comm Manager Heartbeat Missed
   • QsEMP : LogRhythm AI Engine Heartbeat Missed
   • QsEMP : LogRhythm Appliance Hardware Warning
   • QsEMP : LogRhythm CMDB Database Error
   • QsEMP : LogRhythm CMDB Database Warning
   • QsEMP : LogRhythm CMDB Stats Warning
   • QsEMP : LogRhythm Component Critical Condition
   • QsEMP : LogRhythm Database Maintenance Failure
   • QsEMP : LogRhythm Failed To Submit Batch Job to DB
   • QsEMP : LogRhythm GLPR Error
   • QsEMP : LogRhythm Log Manager Heartbeat Missed
   • QsEMP : LogRhythm MPE Rule Disabled
   • QsEMP : LogRhythm Silent Log Source Error
3. Right-click and select Actions > Enable.
Add Network Monitors (Optional)
If the customer has purchased a Network Monitor, it can be added to the Network Monitors tab for easy accessibility.
1. In the Deployment Manager, navigate to the Entities tab.
2. Create a new host record for the Network Monitor appliance.
   a. Select the correct Entity and in the Entity Hosts pane, Right Click > New.
   b. Name the host.
   c. Apply a location, zone, operating system (Linux), and risk and threat values.
   d. Add host identifiers.
3. Switch to the Network Monitors tab.
   a. Right Click > New.
   b. Apply a name (the name of the server works well).
   c. Select the entity host record.
   d. Insert the server IP.
LogRhythm Web Console

Requirements
Before the LogRhythm Web Console can be started, all LogRhythm components must be started and the Console needs to have been configured for the specific appliance package per the client's requirements. The Web Console must meet or exceed the requirements outlined in the Web Console Installation Guide, which can be found at the Support Portal link below.
https://support.logrhythm.com/ics/support/DLRedirect.asp?fileNum=94621&deptID=5730

Web Console Installation
The steps below will lead the Professional Services Consultant through the installation and configuration of the Web Console component:
1. Log on to the LogRhythm Support Portal and navigate to the LogRhythm Web Console download link.
2. Follow the Windows Installation Wizard prompts, with the following configuration details:
   * Note – The ‘localhost’ setting should only be used if the Web Console will be installed on the same device as the PM component. If the Web Console is being installed on a dedicated device, then the IP address or the hostname of the PM should be designated within this field.
   * Note – Port 8443 is the default port specified for this appliance. If the client wishes to use a different port, this is the step in which this will take place.
3. Complete the remainder of the Web Console installation.
   a. The service ‘LogRhythm Service Host’ will automatically start after the successful installation of the Web Console.
4. Open the desired web browser and navigate to either the IP address or the hostname of the device that is hosting the Web Console.
   a. i.e. https://<hostname>:<port>, for example https://mywebhost:8443
5. Enter the following credentials in the Web UI login prompt:
   a. User ID: LogRhythmAdmin
   b. Password: Chosen by the customer, or logrhythm!1 if default.
6. Click OK.

Disable Java Updates
Untested Java versions can cause issues, and it is recommended to turn off automatic updates. The following steps should be completed on LR servers running the Web Console.
1. Click the Windows Start icon and start typing “configure java” to search for and open the Configure Java window.
2. Select the Update tab.
3. Unselect the Check for Updates Automatically option.
   a. Select Do Not Check.
4. Select OK to save and close the Java configuration window.
Extended Deployment Topics System Monitor Auto Update The Windows System Monitor Agent software can be centrally upgraded on-demand or according to a schedule from the LogRhythm Client Console. Administrators can use the System Monitor Package Manager to upload Agent installer packages to their Manager and then push those packages out to one or more System Monitor Agents, either on demand or at a scheduled time. Additionally, there are options for version rollback as well as managing multiple Agent versions concurrently. System Monitor Policy-Based Administration System Monitor Agents (Windows and UNIX) can now be configured using a policy-based template. Users can create a System Monitor Agent policy and set each Agent property using default or custom values. Policies can be applied to one or more Agents, individually or in a batch. The Agent’s property values are assigned to the values set in the policy. System Monitor Agents assigned to a policy cannot be configured individually by an administrator, ensuring the Agent’s settings are aligned to only the known, allowed configuration. Case Management (Web Console) Case Management in the Web Console gives LogRhythm analysts incident response management capabilities that are fully integrated into their Security Intelligence Platform, providing more effective and efficient completion of day-to-day tasks. A case includes an “evidence locker” containing log data, alarms, or notes that provide an analyst with a single, centralized view to all associated evidence assigned to the case. Case Collaboration (Web Console) A case collaborator is either A) a user who has been assigned to help work on a case by the case's owner or B) a former case owner who remains assigned to a case by its subsequent owner. Collaborators can view all the evidence and notes that have been attached to a case and add to them as needed. 
Collaborators can edit or remove any notes or evidence that they add to a case, but they cannot edit or remove any of the contributions made by other users.

Web Console Usage Auditing
Web Console usage activity is captured in audit logs available in User Activity Reports. The main activity categories include the following:
• User Login/Logout
• Main Dashboard
• Analyst Grid
• Alarm
• Analyze
• Case
• Reports
• Search
Threat Activity Map (Web Console)
The Web Console supports a Threat Activity Map Web Widget for Dashboards, providing a geographic representation of events with color coding for origin and impacted locations and size indicating volume. Analysts can zoom in on specific regions to get a more detailed view of the locations. Double-clicking a node on the map launches a search for the locations represented by that node.
Search Pivoting (Web Console)
Users of the LogRhythm Web Console can perform a targeted search from the Analysis tab to pivot the investigation based on the selected data. Similar to the right-click correlation capability available in the Client Console, Search Pivoting advances the Search capability by enabling an analyst to select multiple metadata fields to construct a new search from the search results.

Saving Searches (Web Console)
For quick access to routine searches, you can save any searches that you build from the Advanced Search dialog box. Your saved searches are available on the Searches page, where you can also access your search history and the searches that other users have shared with you.

Managing the Searches Page (Web Console)
Searches can be edited or deleted from the Searches page as needed. You can also filter the list of searches displayed by keywords in their descriptions.

Report Viewing (Web Console)
Web Console Report Viewing allows Web Console users to search for and download previously generated reports. The Reports tab provides access to all reports available to the logged-in user, with filters and search capabilities to quickly identify and view reports.

Day Mode (Web Console)
Users can toggle the display of the Web Console between Night and Day. In Day mode, the background of the pages displayed in the browser is white instead of black. This preference is customizable on a per-user basis.

File Integrity Monitoring Multi-policy Support
LogRhythm administrators can assign multiple FIM policies to a single host. This feature reduces administrative overhead when creating, maintaining, and managing FIM hosts with multiple applications that require unique policies. Administrators can create and manage FIM policies specific to a host type, operating system, or application and assign multiple policies to the same target host. Any overlapping policies assigned to the same host are automatically mitigated.
Registry Integrity Monitor (RIM)
The Registry Integrity Monitor (RIM) provides independent, real-time auditing of modifications to Windows registries. When RIM detects a change, the System Monitor Agent generates a log and sends it to the Data Processor, where it can be managed like any other log. The logs can be forwarded to LogMart and to the Platform Manager so alarms can be generated and included in reports.

Restricted Administrator
The Restricted Administrator user profile adds another layer of security to a LogRhythm deployment. In previous releases, only Global Administrators had access to functions related to managing entities. Therefore, one Global Administrator (one user account) was responsible for managing all of the entities in a LogRhythm deployment. Now, through the use of the Restricted Administrator profile, different users can be given access to specific entities without being exposed to all of the entities in the same LogRhythm deployment.

Log Source Virtualization
Log Source Virtualization allows LogRhythm administrators to identify and separate multiple log sources that are accessed from a common source on a single host. Log Source Virtualization helps to ensure that each log source is processed by the appropriate set of rules. For example, the Linux Syslog log source is a composite of many log sources, including but not limited to the Linux Audit Log, Apache Log, MySQL Log, and many more. The poorly performing Linux log source can be split virtually by this feature into individual log sources, thus improving log processing performance. Log Source Virtualization is a signature-based feature that uses custom Regular Expressions to identify the “type” of log and process it individually as the target log source type.

Advanced Intelligence Engine Risk-based Priority
In LogRhythm 6.3.0, the AI Engine Statistical and Trend rule blocks support Risk-Based Priority (RBP) as a data field. This update enables the AI Engine to identify statistical anomalies in the risk rating assigned to different activities.

Remote SmartResponse Execution
LogRhythm SmartResponse is extended to allow more than one action to be executed from a remote Windows System Monitor Agent when an individual Alarm is generated.

Multiple SmartResponse Actions per Alarm
LogRhythm SmartResponse™ is enhanced to enable users to specify one or more SmartResponse actions per Alarm. The multiple actions are treated as whole, independent, autonomous actions, and they can be executed in parallel or in sequence. Results from multiple actions are presented in the Alarm Viewer just like the results from single-action Alarms. When a user chooses to run multiple SmartResponse actions in parallel, all actions are initiated at the same time, which is when the Alarm is generated. When a user chooses to run multiple SmartResponse actions in sequence, the actions are executed in the specified order, one after the other. No action can be initiated unless its predecessor action is complete. Actions in parallel execute regardless of whether the action before them fails or succeeds.

List Expiring Values
LogRhythm standard Lists have been enhanced to allow individual items to expire. An optional expiration setting removes List items after a configurable amount of time has passed since the List items were added.
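The signature-based splitting that Log Source Virtualization performs on a composite Linux Syslog source, shown as an added example rather than LogRhythm's own implementation: the signature regular expressions, the source type names used as dictionary keys, and the sample syslog lines are all constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Assumed virtual log source signatures (constructed for this example; not LogRhythm's
# shipped definitions). Each pairs a target log source type with the regular
# expression tested against the raw line. Signatures are tried in order and the
# first match wins, so put the most specific patterns first.
VIRTUAL_SOURCE_SIGNATURES: List[Tuple[str, re.Pattern]] = [
    # Match on the syslog program name rather than free-form message text, so a
    # message body cannot easily be mistaken for a different source type.
    ("Linux Audit Log", re.compile(r"\s(audispd|auditd)\[\d+\]:\s")),
    ("Apache Log",      re.compile(r"\s(httpd|apache2)\[\d+\]:\s")),
    ("MySQL Log",       re.compile(r"\s(mysqld|mariadbd)\[\d+\]:\s")),
]
PARENT_SOURCE = "Linux Syslog"   # lines matching no signature stay with the parent source

def classify(line: str) -> str:
    """Return the virtual log source type for one raw syslog line."""
    for source_type, pattern in VIRTUAL_SOURCE_SIGNATURES:
        if pattern.search(line):
            return source_type
    return PARENT_SOURCE

def split_sources(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket raw lines by virtual source so each bucket can get its own rule set."""
    buckets: Dict[str, List[str]] = {}
    for line in lines:
        buckets.setdefault(classify(line), []).append(line)
    return buckets

def overlapping_signatures(line: str) -> List[str]:
    """List every signature a line matches; more than one means the order decides."""
    return [name for name, pat in VIRTUAL_SOURCE_SIGNATURES if pat.search(line)]

# Constructed sample syslog lines (hosts, PIDs and addresses are made up).
SAMPLE_SYSLOG = [
    'Feb 17 10:01:02 web01 httpd[2231]: 10.0.0.5 - - "GET /index.html HTTP/1.1" 200 512',
    "Feb 17 10:01:05 web01 audispd[913]: type=USER_LOGIN msg=audit(1455728465.123:77): "
    "pid=2300 uid=0 auid=1000 res=success",
    "Feb 17 10:01:07 db01 mysqld[1190]: [Warning] Access denied for user 'root'@'10.0.0.9'",
    "Feb 17 10:01:09 web01 sshd[2401]: Accepted publickey for alice from 10.0.0.9 port 51022",
    "Feb 17 10:01:11 web01 apache2[2232]: [error] File does not exist: /var/www/favicon.ico",
]

if __name__ == "__main__":
    for source_type, lines in split_sources(SAMPLE_SYSLOG).items():
        print(f"{source_type}: {len(lines)} line(s)")
```

Lines that match no signature remain on the parent Linux Syslog source, and `overlapping_signatures` is a quick check for signatures that collide before they are deployed.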