Cloud SIEM - LogRhythm Configuration Notes - NETSEC



Thursday, March 12, 2020


I have been working with LogRhythm, and here are some words from their website about the product:

"The LogRhythm NextGen SIEM Platform combines patented machine-based analytics, user and entity behavior analytics (UEBA), network detection and response (NDR), and security orchestration, automation, and response (SOAR) in a single, unified architecture, delivered from the cloud or as an on-prem solution. LogRhythm Cloud provides a complete NextGen SIEM experience with the ease and flexibility of a SaaS solution so that your team can concentrate on the most important task — protecting your organization."

This post records some of my configuration notes from working in a LogRhythm lab environment to test its features and functions.

Enterprise Cloud SIEM Architecture

LogRhythm SMA Installation

System Monitor Agent Remote Collection Installation for Windows 2008+

Firewall Rules

Make sure the following ports are not blocked by any firewalls between the SysMon server and the target server:
o TCP 135
o UDP 137
o UDP 138
o TCP 139
o TCP 445

In the Windows Inbound Firewall Rules on the target server, enable the following services:
o Remote Event Log Management (RPC)


Start the RPC (Remote Event Log Management) service on each individual Windows server.


The "LogRhythm System Monitor" service must run under a domain account (e.g. logrhythm_srv), not the "Local System" account, and that account should be a member of the local Event Log Readers group on each remote server. The membership can be assigned manually or pushed via GPO.

Assign the System Monitor's service account read permission on the following two registry keys:
· HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Security\Microsoft-Windows-Security-Auditing
· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security\Microsoft-Windows-Security-Auditing

Note: By default, the Event Log Readers group has read permission on the keys above, so adding the account to the local Event Log Readers group should give it read permission on both registry keys. Ask the server owner to verify this.
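The prerequisites above (TCP ports, the inbound firewall rule, Event Log Readers membership and read access on the two registry keys) as an added PowerShell pre-flight check, written for this post rather than taken from LogRhythm's own tooling. It assumes it is run from the SysMon collector with admin rights, that WinRM is enabled on the target, and that the service account is passed as DOMAIN\user; the UDP ports 137/138 cannot be probed this way and must be checked against firewall policy by hand.

```powershell
# Pre-flight check for LogRhythm remote event log collection (added example, not LogRhythm code).
# Assumptions: run on the collector as an administrator; WinRM reachable on the target;
# $ServiceAccount given as 'DOMAIN\user' (placeholder, e.g. 'CORP\logrhythm_srv').
param(
    [Parameter(Mandatory)] [string] $TargetServer,
    [Parameter(Mandatory)] [string] $ServiceAccount
)

# 1. TCP ports from the collector to the target. UDP 137/138 are not testable with Test-NetConnection.
foreach ($port in 135, 139, 445) {
    $ok = (Test-NetConnection -ComputerName $TargetServer -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    "{0,-50} {1}" -f "TCP $port to $TargetServer", $(if ($ok) { 'OK' } else { 'BLOCKED' })
}

# 2. Checks that must run on the target server itself.
Invoke-Command -ComputerName $TargetServer -ArgumentList $ServiceAccount -ScriptBlock {
    param($account)

    # Inbound rule "Remote Event Log Management (RPC)" must be enabled in at least one profile.
    $rules   = Get-NetFirewallRule -DisplayName 'Remote Event Log Management (RPC)' -ErrorAction SilentlyContinue
    $enabled = $rules | Where-Object { $_.Enabled -eq 'True' }
    "{0,-50} {1}" -f 'Firewall rule Remote Event Log Management (RPC)', $(if ($enabled) { 'OK' } else { 'MISSING/DISABLED' })

    # The service account must be a member of the local Event Log Readers group.
    $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    $inGroup = $members | Where-Object { $_.Name -eq $account }
    "{0,-50} {1}" -f "$account in Event Log Readers", $(if ($inGroup) { 'OK' } else { 'NOT A MEMBER' })

    # Read access on both Security-Auditing keys, granted to the account directly or via the group.
    $keys = 'HKLM:\SYSTEM\ControlSet001\services\eventlog\Security\Microsoft-Windows-Security-Auditing',
            'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Security\Microsoft-Windows-Security-Auditing'
    foreach ($key in $keys) {
        $acl     = Get-Acl -Path $key -ErrorAction SilentlyContinue
        $hasRead = $acl.Access | Where-Object {
            ($_.IdentityReference.Value -eq $account -or $_.IdentityReference.Value -like '*\Event Log Readers') -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights.ToString() -match 'ReadKey|FullControl')
        }
        $label = 'Read on ' + ($key -split '\\')[2] + ' Security-Auditing key'
        "{0,-50} {1}" -f $label, $(if ($hasRead) { 'OK' } else { 'NO READ ACL' })
    }
}
```

Any line reporting BLOCKED, MISSING/DISABLED, NOT A MEMBER or NO READ ACL points at the prerequisite above that still has to be fixed on that host before the SysMon agent can collect from it.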

LogRhythm SMA Upgrade

Windows hosts running System Monitors prior to version 7.2.x may still have .NET 4.0 installed. During the upgrade, .NET 4.5.2 will be installed. The installation of .NET 4.5.2 requires a system reboot. If you see any System Monitors in your deployment that stop sending heartbeats after the upgrade, you may need to manually reboot the System Monitor host to complete the .NET installation.

1. Inform SIEM Platform team prime about the start of the upgrade.
2. If the collector server is a virtual machine, perform a VM snapshot before the upgrade.
3. Log in with the Administrator account or an account having administrative privileges to the system where the System Monitor Agent is installed.
4. Verify the account used for the System Monitor Service. In Windows Services console, right-click and view Properties, and click the Log On tab. If the service does not use Local System account, you will need the password to that account when installing the Agent.
5. To open Windows Services, click Start, Administrative Tools, and Services.
6. Stop the service called LogRhythm System Monitor service.
7. Take a backup of the Config and State folders usually located at C:\Program Files\LogRhythm\LogRhythm System Monitor\. The exact path used in your environment can be obtained from the System Monitor Configuration Manager.
8. Download the installer from the following SIEM Support Portal
9. Run the installer LRSystemMonitor_64_7.4.9.8010.exe for the System Monitor Agent.
10. If the system does not have the Microsoft Visual C++ 2010 Redistributable Package installed, click Install.
11. Follow the instructions in the Install Wizard.
12. If prompted, accept the license agreement.
13. Continue and complete the install (if prompted for a reboot, perform a system reboot).
14. On the Install Wizard Completed screen, clear the Launch System Monitor Configuration Manager check box.
15. If your LogRhythm Windows System Monitor Agent service uses Windows accounts, open Windows Services Control Panel.
16. Click the Log On tab and add the service account and password in the service properties.
17. Make sure the startup type for the service is Automatic.
18. To start the Agent, click Start, Administrative Tools, and Services. Right-click the agent and select Start.
19. Inform the 51SEC Platform team prime about the end of the upgrade and ask them to perform post-upgrade validation checks.

LogRhythm Cloud Web GUI


Search logs using Lucene Filter:

Search logs using Wildcard:
