Cut Dashboard Noise and Easily Retire Log Sources with LogRhythm 7.16

Image of LogRhythm SIEM platform with the retire workflow.

At LogRhythm, we’re focused on making your security journey easier with feature releases every 90 days for our self-hosted security information and event management (SIEM) platform, LogRhythm SIEM. As part of our latest quarterly release, we’re introducing a new feature in LogRhythm SIEM version 7.16 that helps analysts tune out unnecessary diagnostic events to save disk space and processing time.

What’s more, the latest release allows analysts to separate Cases based on entities and RBAC controls, which enables multi-tenant customers and individual businesses to access data assigned only to them. LogRhythm SIEM 7.16 also simplifies the process to retire log sources, Open Collectors, and Beats in the SIEM to reduce your administrative overhead.

LogRhythm SIEM Platform Enhancements  

In LogRhythm 7.16, we’ve continued our work to improve your experience managing your LogRhythm SIEM instance. The latest version includes additional platform improvements that help you simplify tasks and reduce noise in your dashboards.

Filter Out Diagnostic Events in the SIEM 

There are numerous diagnostic events that originate from the SIEM itself, and they often take up valuable disk space. Many of those events are purely informational and usually aren't necessary for your team to do its job.

LogRhythm 7.16 now gives analysts the ability to tune out the noise, helping them focus on what matters. When you want to filter out an event, simply edit the Mediator configuration file, add the Event ID, and select the events you want to filter out. This will prevent non-critical events from being added to the Events Database, saving you disk space and processing time in the SIEM and Mediator. The benefit? The less you index in the Events Database, the fewer resources your system uses, maximizing its efficiency.

Figure 1: Filter out unnecessary diagnostic items from the Events Database to save disk space and time

Ease the Migration Path to Rocky Linux  

In our last quarterly release, LogRhythm created a detailed guide to help customers migrate to Rocky Linux. This quarter, LogRhythm introduces improved CentOS to Rocky upgrades by providing an ISO customers can mount. This helps customers perform upgrade steps faster, simplifying a complex migration and streamlining the process to upgrade to Rocky. It might sound daunting, but we’ve worked hard to simplify the process for the migration. If you aren’t comfortable or prefer not to manage this effort, reach out and get help from our Services team!

Case Management Improvements 

LogRhythm SIEM uses entities to logically separate and secure data within the SIEM. Numerous business units and multi-tenant environments take advantage of this powerful feature throughout the product. To streamline the workflow in the SIEM, LogRhythm 7.16 enables Cases to adhere to entity separation permissions.

With the latest update, you can select an entity when you create a new Case, and that Case will only be visible to people with access. This gives administrators more control, ensuring that individual business units and multi-tenant customers only access data that is assigned to them through entity separation and role-based access control (RBAC).

Figure 2: Access to Cases adheres to entity separation permissions ensuring visibility to only those with access

Simplify Log Source Retirement 

Back in 2019, I recall sitting in a conference room with a product manager reviewing the Open Collector setup and configuration process. At the time, I helped sales engineers develop use cases and create sample data for realistic demos of our on-prem SIEM. While the technology was awesome, it was difficult to learn the new commands and components.

In LogRhythm 7.16, we are simplifying the process and making your experience even easier. What used to require numerous commands and regular references to our documentation is now streamlined in our Web Console. Building on the features we introduced in LogRhythm 7.14, we're expanding our capabilities in the LogRhythm 7.16 release and taking the vision of Open Collector to the next level. What was once a command-line-driven configuration and management process is now simplified and brought entirely into the Web Console, from Beat deployment to retirement.

As part of our effort to improve workflows for our customers, we are introducing more administration in the Web Console, re-imagining workflows to increase speed and performance. In LogRhythm 7.16, we improve the process to retire a Beat or Open Collector. You no longer need to go to another section of the SIEM to retire the associated log sources when a Beat or Open Collector is retired. The latest SIEM update automatically retires associated Beats and log sources when an Open Collector is retired.

This feature enables the SIEM to simplify and automate tasks that were previously manual or administrative, allowing users more time to focus on security rather than SIEM administration. By simplifying log source retirement, you can reduce the number of clicks by at least 50%. This helps you configure and update numerous log sources, reducing your administrative overhead.

Figure 3: Retiring associated log sources when a Beat or Open Collector is retired is easier than ever with LogRhythm 7.16

Automate Windows Event Log XML Filter Configurations

Often, configured logging levels are more granular than what the SIEM requires, creating clutter in Windows Event Logs and using up precious processing cycles and space in your SIEM. Filtering these messages out at the agent would otherwise require regex, which also costs local processing cycles. That's why version 7.9 introduced the ability to use the Windows XML query format to target and collect only the specific types of Windows Event Logs you need.

With LogRhythm 7.16, we’re expanding this capability into the REST API, updating log source management endpoints to include XML filter configuration options. Now administrators can reduce admin overhead by programmatically configuring and updating Windows Event log sources through the API.
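As an added illustration (not LogRhythm's own configuration and not a payload from its API, whose endpoint and field names the page does not give), here is a query in the standard Windows Event Log XML query format, the same QueryList/XPath form Event Viewer custom views use, which is assumed to be the format the XML filter option accepts. It keeps a handful of high-value Security log events and drops one high-volume, low-signal sub-case at the collector rather than in the SIEM; the chosen Event IDs and the suppression are illustrative assumptions.

```xml
<!-- Added example, not from LogRhythm. Standard Windows Event Log query XML
     (the format used by Event Viewer custom views and wevtutil). -->
<QueryList>
  <Query Id="0" Path="Security">
    <!-- Keep only: 4624 successful logon, 4625 failed logon,
         4688 process creation, 4720 user account created,
         4732 member added to a security-enabled local group. -->
    <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4688 or EventID=4720 or EventID=4732)]]</Select>
    <!-- Suppress takes precedence over Select: drop 4624 service logons
         (LogonType 5), which are typically very noisy and rarely actionable.
         Which sub-cases to drop is a per-environment decision; this is an
         assumed example, not a recommendation for every site. -->
    <Suppress Path="Security">*[System[(EventID=4624)]] and *[EventData[Data[@Name='LogonType']='5']]</Suppress>
  </Query>
</QueryList>
```

Because suppressed events never leave the host, anything you filter here is unavailable for later investigation; keep the suppression list short and review it when detection rules change.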

Ongoing Log Source Support 

With LogRhythm 7.16, we are excited to introduce a new Linux Host log source. This new log source addresses some of the challenges we've seen over the years as a growing number of log sources were combined into a single log source type. In the latest release, we are separating Syslog Linux so that it specifically supports OS-level logging.

To improve management, performance, and reliability, LogRhythm is working on a multi-quarter project to divide the Linux Host log source, and others in future releases, into separate log source types that can be leveraged using Log Source Virtualization. This lets customers avoid evaluating extra rules for tools or components that aren't in use, and instead get maximum performance from the components that are.

To support our ongoing commitment to you, we continually update and improve Message Processor Engine (MPE) rules. Normalizing log messages is a crucial step in maintaining a healthy security posture: it helps ensure that you get more value out of the log data LogRhythm ingests and from the security insight of LogRhythm's Machine Data Intelligence (MDI) Fabric.

A few of the highlights released over the last three months include:

  • Firewall security – The insight provided by firewalls is critical for protecting organizations. This quarter, LogRhythm released improvements for firewalls such as Palo Alto Networks, Fortinet FortiGate, Forcepoint Stonesoft, Check Point, and Juniper Networks. With these improvements, LogRhythm customers will find greater value in the log enrichment and can better defend against threats.
  • Cloud security – Protecting cloud resources is more critical today than ever before. That's why we made improvements to cloud log sources. This quarter, LogRhythm improved Azure Event Hub, AWS CloudTrail, and Gmail Message Tracking. These improvements ensure organizations that use these cloud solutions have effective visibility in their SIEM to detect, respond to, and prevent threats.
  • Endpoint – Whether you are protecting end users or servers, effective monitoring of endpoints is crucial to staying aware of new and emerging threats. With LogRhythm SIEM 7.16, LogRhythm's improved CrowdStrike, Kaspersky, Windows Event logging, Linux, and AIX normalization rules ensure you get the most accurate information out of the logs to maximize your security awareness.

And those are just the highlights! LogRhythm updated more than 30 log sources over the last quarter, and we will continue to update more as part of our commitment to our customers’ successful security practices.

In-Platform Resource Center Tutorial 

Continuing in our effort to enable customers, the LogRhythm Training and Enablement team is adding a new tutorial to the Resource Center. This guide focuses on the power of the Inspector window. Check out the Onboarding section of the Resource Center to see the tutorials included for free in LogRhythm SIEM.

Figure 4: Learn more about the Inspector window in LogRhythm’s Resource Center in the Web Console

Get the Latest in LogRhythm SIEM 7.16 

Take advantage of the latest features in LogRhythm SIEM! Existing customers can request a license here and download LogRhythm 7.16 from Community. Information and documentation on LogRhythm SIEM enhancements are available in our Release Notes as well as the Knowledge Base.

To keep your SIEM instance current, our LogRhythm experts can help you perform upgrades for every SIEM product release under your subscription with our Unlimited Upgrades Service. Find out more about LogRhythm’s Unlimited Upgrades Service.

If you’re interested in learning more about LogRhythm SIEM 7.16, register for the April 2024 Quarterly Launch webinar on April 16 at 11:00 a.m. ET to watch our experts demo the latest enhancements, or visit our What’s New webpage.

Keep a pulse on the latest trends in cybersecurity. LogRhythm is set to release its 2024 State of Security Research Report. For a sneak peek, click here.