
Getting Started Guide: LogRhythm Windows Appliance Software Configuration

After you complete the hardware installation of your LogRhythm Windows Appliance, this document will guide you through the initial configuration of your LogRhythm deployment.

IMPORTANT: Please work with your LogRhythm Professional Services Consultant to complete the procedures outlined in this guide.

Prerequisites

Before starting your configuration, you will need:
- The LogRhythm License file (.LIC), usually provided in an email
- The factory default password for your deployment

Configure and Start LogRhythm Components

Configure Platform Manager Services

1. On the Start Menu, click to open Apps, and then click Platform Manager Configuration Manager.
2. On the Job Manager tab, complete the following fields:
   - Server – the name or IP address of the Platform Manager database server
   - Password – the factory default password
3. On the Alarming and Response Manager tab, complete the following fields:
   - Server – the name or IP address of the Platform Manager database server
   - Password – the factory default password
4. Click OK.

Configure Data Processor Service

1. On the Start Menu, click to open Apps, and then click Data Processor Configuration Manager.
2. On the General tab, complete the following fields:
   - Server – the name or IP address of the Platform Manager database server
   - Password – the factory default password
3. Click OK.

LogRhythm, Inc. All rights reserved. Page 1 of 18

Configure System Monitor Agent Service

1. On the Start Menu, click to open Apps, and then click System Monitor Configuration Manager.
2. On the General tab, complete the following fields:
   - Server – the name or IP address of the Data Processor server
   - System Monitor IP Address – the IP address of the System Monitor Host
   - Entity ID – default is zero for a system-assigned ID
3. Click OK.

Log in to the Client Console

1. On the Start Menu, click to open Apps, and then click LogRhythm Console.
2. Complete the following fields:
   - User ID – logrhythmadmin
   - Password – the factory default password
3. Click OK.

Complete New Deployment Wizard

Enter the following information in the New Deployment Wizard:

1. Windows host name of the Platform Manager
   a. Enter the host name where the Platform Manager is located. This can be found by right-clicking My Computer and selecting Properties. Click the Computer Name tab and take the Full Computer Name up to the first period, where the domain name starts.
   b. If the appliance type is XM, all LogRhythm components are contained in a single appliance.
2. IP address of the Platform Manager
   Enter the IP address where the Platform Manager is located. Appliances are shipped with two Network Interface Cards (NICs). Typically, one NIC is used for Console connections, while the other NIC is used for database intercommunications. The IP address entered here will serve as the Console connection interface.

3. The Platform Manager is also a Data Processor (e.g., an XM appliance)
   If this is an XM Appliance (all LogRhythm components are contained in a single appliance), select this check box.
4. The Platform Manager is also an AI Engine Server
   If AI Engine is installed on the Platform Manager (not deployed as a standalone appliance), select this check box.
5. LogMart DB Server Override
   If the LogMart database is installed on a different host, enter the host IP address here.
6. LogRhythm License file
   Note: This file is provided by LogRhythm Support after purchase and shipment of the appliance(s), and it is required to access and configure LogRhythm.
   a. Navigate to the location of the license file (*.lic) by clicking the ellipses at the far right.
   b. Locate and select the master license file and click Open. The path and file name are listed in the License File text box.
   c. Click OK.
8. When prompted, select the appropriate Data Processor licensing mode from the available, valid options. The mode depends on the type of purchase:
   a. Software (n available licenses) - Select this option to identify a software-only purchase
   b. Appliance Mode for software and appliance purchase - Select this option to identify a software and appliance purchase
   c. Data Processor MPS mode for software and appliance purchase - Select this option to use a Messages Per Second license
9. Click Next.

10. You are prompted to select the Log Source licensing mode from the available valid options: Limited or Unlimited.
11. Select the appropriate mode, and then click OK.
    All dialog boxes close and the main Client Console window is displayed.

Complete Knowledge Base Import Wizard

After completing the New Deployment Wizard, the New Knowledge Base Deployment Wizard is displayed.

1. Deploy the Knowledge Base by selecting one of the three following options:
   - I have Internet access and want to automatically download the KB (recommended).
     a. Proxy Server Address - Enter the Proxy Server Address for the KB Download
     b. Proxy Server Port - Enter the port number for the server
     c. Select the Proxy Server Requires Authentication check box
     d. Enter the appropriate credentials and Host name, if necessary
     e. Click OK. The Knowledge Base is downloaded.
     f. Click OK. Proceed to the Knowledge Base Importer Wizard section.
   - I do not have Internet access or want to manually download the KB.
     The Manual Knowledge Base Download window appears.

     Perform one of the following steps:
     - Export Knowledge Base Request File - Select this option to export a Knowledge Base request file and upload it to the Support Portal:
       i. Click OK and download the file to your drive. The Export Successful page appears.
       ii. Click OK. The Knowledge Base Not Loaded page appears.
       iii. Click OK and the Console closes.
     - Contact Customer Support - Select this option to obtain the Knowledge Base file from Customer Support:
       i. From a computer with Internet access, log into the Support Portal at https://support.logrhythm.com.
       ii. Go to the Downloads section to access the latest version of the Knowledge Base. The request screen displays.
       iii. Choose from the following:
            a. Upload the Request File downloaded from the Console
            b. Enter the License ID, the Deployment ID, and the Product Version
       iv. Click Get Knowledge Base.
       v. Save the Knowledge Base file and transfer it to the computer on which you are loading the Console.
       vi. Restart the Console and follow the instructions in the "I have already manually downloaded the KB" section.

   - I have already manually downloaded the KB - Select this option to manually import the Knowledge Base file.
     i. The Knowledge Base Export Wizard appears and starts unpacking and validating the Knowledge Base file. The file is checked for compatibility with your current deployment and is prepared for import. This may take several minutes.
     ii. Upon completion, the message Knowledge Base unpacked appears in the status. Click Next to import the Knowledge Base.
2. When the Knowledge Base Updated message is displayed, click OK.
3. On the Knowledge Base Import Wizard, click Close.

Configure the Platform

After completing the Knowledge Base import, the Missing Platform Manager Platform message is displayed.

1. Click OK.
2. In the Platform Manager Properties dialog box, click the browse icon next to the Platform box.
3. In the Platform Selector table, select the row corresponding to your appliance, and then click OK.
4. Enter the Email From Address, and then click OK.

   The Missing Data Processor Platform error message is displayed.
5. Click OK.
6. In the Data Processor Properties dialog box, click the browse icon next to the Platform box.
7. In the Platform Selector table, select the row corresponding to your appliance, and then click OK.
8. The Restart Component message is displayed.
9. Click OK.

Specify Advanced Data Processor Properties

1. In the Data Processor Properties dialog box, click Advanced. The Data Processor Advanced Properties dialog box is displayed.
2. Change the ActiveArchivePath from C:\LogRhythmArchives\Active to D:\LogRhythmArchives\Active.
3. Change the InactiveArchivePath from C:\LogRhythmArchives\Inactive to D:\LogRhythmArchives\Inactive.
4. Click OK. The Restart Component message is displayed.
5. Click OK.

Start the Platform Manager Services

1. Click the Platform Manager tab.
2. Click Start.

Start the Data Processor Services

1. Click the Data Processors tab.
2. Select the Action box next to your Data Processor.
3. Right-click the selected Data Processor, click Actions, and then click Service Start.

Start the System Monitor Agent Services

1. Click the System Monitors tab.
2. Select the Action box next to the System Monitor Agent.
3. Right-click the selected System Monitor, click Actions, and then click Service Start. The System Monitor Agent is displayed in the top pane and listed as pending.
4. Select the Action box next to the pending Agent.
5. Right-click the selected Agent, and then click Associate. The "Associate New System Monitor Agent with an Existing Agent" message is displayed.
6. Select the Agent and click OK. The "Associate Successful" message is displayed.
7. Click OK.

Configure the Data Indexer

Accessing and configuring the Data Indexer differs slightly between Windows and Linux. Please refer to the appropriate procedure below according to your Data Indexer operating system.

Configure the Data Indexer on Windows

NOTE: You must perform these steps for each Data Indexer (XM or DPX) in your deployment. Ensure that the LogRhythm DX – AllConf and LogRhythm DX – Configuration Server services are running before trying to connect to the Data Indexer.

Configure the Data Indexer via the configuration web page hosted on the Data Indexer. Please note the following requirements:
- On a Windows Data Indexer, you can only access the web page locally or through a remote desktop/terminal services session to the appliance.
- You can only access the web page using Google Chrome, Mozilla Firefox (latest versions of each), or Internet Explorer 11.

NOTE: Do not attempt to modify any configuration files. If you have any issues, please contact LogRhythm Support.

To access the web page and configure the Data Indexer, do the following:

1. Log in to the DPX appliance as an administrator.
2. Start one of the supported Internet browsers.
3. Type the following in the address bar: localhost:9100
   The Data Indexer Configuration sign in page is displayed.
4. Type admin in the Username box and the LogRhythm default password in the Password box, and then click Sign In.

5. Modify or verify the following settings:

Anubis Config

Anubis sends logs to the Mediator in batches. The frequency at which batches are sent is determined by the Accumulator Conf settings shown below. A batch of logs is sent when any one of the following thresholds is met: Entries to Accumulate, Max Batch Size Bytes, or Seconds To Accumulate.

NOTE: The default values assume 1500-byte logs and should work well for most indexing rates.

Accumulator Conf (Parameter – Value)
- Entries to Accumulate – The number of logs to accumulate before sending to the Mediator. The default is 50,000.
- Max Batch Size Bytes – The maximum size in bytes that a batch of logs can become before sending to the Mediator. The default is 15,000,000.
- Max Log Size Bytes – This can be left at the default value of 1,000,000.
- Seconds To Accumulate – The maximum amount of time in seconds to wait before sending to the Mediator. The default is 5.

Gigawatt DB Config

- Gigawatt Db Path – This is the path to the database used for messaging within the Indexer system.
  NOTE: You can use any directory you want for Gigawatt Db, but it should not be on the C: drive. You should overwrite the default and change it to something like the following: D:\Logrhythm\data indexer\gigawatt\db

Relay Config

These values can be left at their defaults.

Carpenter Config (Parameter – Value)
- Db Password – This is the password used by the LogRhythmNGLM SQL account. Services on the Data Indexer use this account to connect to the EMDB and read/update tables.
  NOTE: It is highly recommended and LogRhythm best practice to change all MS SQL account passwords when setting up a deployment. After you change the LogRhythmNGLM password in Microsoft SQL Server Management Studio, you must set Db Password to the same value. You should change the password in Microsoft SQL Server Management Studio first, then change it on the Data Indexer page.
- Db Username – This should be left unchanged unless you have renamed the LogRhythmNGLM SQL account in SQL Server Management Studio.
- Emdb Host – This must be set to the external IP address of your Platform Manager appliance, where the EMDB database is hosted.
- Minutes To Rest – This can be left at the default value.
- Sql Paging Size – This can be left at the default value.

Cluster Node Config (Parameter – Value)
- Node Info[n]
  - Hostname – Cannot be changed
  - Public IP – This must be set to the external IP address of your DPX appliance or server.
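The Accumulator Conf rule above (a batch goes to the Mediator as soon as any one of the entries, bytes or seconds thresholds is reached) is easy to reason about with a small model. The following is an added example written for this guide, not LogRhythm's own Anubis code; it uses the default values quoted on the page, keeps every batch at or below Max Batch Size Bytes, and assumes (the page does not say) that a single log larger than Max Log Size Bytes is dropped rather than sent.

```python
import time

# Defaults quoted on the Data Indexer configuration page (Accumulator Conf).
ENTRIES_TO_ACCUMULATE = 50_000
MAX_BATCH_SIZE_BYTES = 15_000_000
MAX_LOG_SIZE_BYTES = 1_000_000
SECONDS_TO_ACCUMULATE = 5


class Accumulator:
    """Model of the Anubis accumulator: pending logs are sent to the Mediator as
    one batch as soon as ANY threshold (entries, bytes or seconds) is reached."""

    def __init__(self, entries=ENTRIES_TO_ACCUMULATE, max_bytes=MAX_BATCH_SIZE_BYTES,
                 max_log=MAX_LOG_SIZE_BYTES, seconds=SECONDS_TO_ACCUMULATE,
                 clock=time.monotonic):
        self.entries, self.max_bytes, self.max_log, self.seconds = entries, max_bytes, max_log, seconds
        self.clock = clock            # injectable so the timing rule can be exercised deterministically
        self.batch, self.batch_bytes, self.started = [], 0, None
        self.sent = []                # batches handed to the (simulated) Mediator
        self.rejected = 0             # logs over Max Log Size Bytes; dropping them is an assumption

    def add(self, log: bytes) -> bool:
        """Queue one log record; returns True if a batch was sent as a result."""
        if len(log) > self.max_log:
            self.rejected += 1
            return False
        flushed = False
        # Never let a batch grow past Max Batch Size Bytes: send what is pending first.
        if self.batch and self.batch_bytes + len(log) > self.max_bytes:
            flushed = self._send()
        if not self.batch:
            self.started = self.clock()   # the age of a batch counts from its first entry
        self.batch.append(log)
        self.batch_bytes += len(log)
        if len(self.batch) >= self.entries or self.batch_bytes >= self.max_bytes:
            flushed = self._send()
        return flushed

    def tick(self) -> bool:
        """Timer hook: sends the pending batch once Seconds To Accumulate has elapsed."""
        if self.batch and self.clock() - self.started >= self.seconds:
            return self._send()
        return False

    def _send(self) -> bool:
        self.sent.append(self.batch)
        self.batch, self.batch_bytes, self.started = [], 0, None
        return True
```

Lowering Entries to Accumulate or Seconds To Accumulate trades Mediator round trips for latency, which is why the page says the defaults suit most indexing rates.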

Elasticsearch Server Config (Parameter – Value)
- Elasticsearch Server Settings[n]
  - Name – cluster.name
  - Value – If you only have one DPX appliance, you can leave this value at the default (logrhythm). If you have more than one DPX appliance, change this value so that each cluster name is unique. For example, logrhythm01, logrhythm02, and logrhythm03.

The cluster name for each DPX appliance must be different. When you have finished making changes on the Data Indexer Configuration page, ensure that you assign the correct cluster to each Data Processor. For multiple DPX appliances, ensure that the cluster is assigned to the Data Processor running on the same appliance.

For example, if clusters are named as follows: DPX-A dxa, DPX-B dxb, and DPX-C dxc, Data Processor A should point to cluster dxa, Data Processor B should point to cluster dxb, and Data Processor C should point to cluster dx
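The two rules in this section (every DPX appliance carries a unique cluster.name, and each Data Processor points at the cluster of the DPX on its own appliance) can be checked against an inventory before services are started. This is an added example for this guide, not a LogRhythm tool; the appliance and Data Processor names mirror the DPX-A/dxa example above, and the dictionary layout is an assumption.

```python
def check_cluster_assignment(dpx_clusters, dp_assignments):
    """Validate the Data Indexer cluster layout of a multi-DPX deployment.

    dpx_clusters:   {appliance: cluster.name configured on that appliance's Data Indexer}
    dp_assignments: {data_processor: (appliance it runs on, cluster it is assigned to)}
    Returns a list of problems; an empty list means the layout follows both rules.
    """
    problems = []

    # Rule 1: cluster.name must differ on every DPX appliance (leaving the
    # default "logrhythm" on two appliances is the usual mistake).
    first_owner = {}
    for appliance, name in dpx_clusters.items():
        if name in first_owner:
            problems.append(f"cluster.name '{name}' is used by both {first_owner[name]} and {appliance}")
        first_owner.setdefault(name, appliance)

    # Rule 2: each Data Processor points at the cluster of the DPX on the same appliance.
    for dp, (appliance, cluster) in dp_assignments.items():
        expected = dpx_clusters.get(appliance)
        if expected is None:
            problems.append(f"{dp} runs on {appliance}, which has no Data Indexer cluster configured")
        elif cluster != expected:
            problems.append(f"{dp} points to '{cluster}' but the Data Indexer on {appliance} is '{expected}'")
    return problems
```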