Expand Log Source Collection and Flexibility with LogRhythm 7.17

Log source onboarding with LogRhythm SIEM version 7.17

Behind every LogRhythm product release, our team puts customers at the very core. That’s part of our commitment to you every 90 days. In our ninth consecutive quarterly release, we’ve opened LogRhythm SIEM to allow any JSON agent that supports the Lumberjack protocol to send data into LogRhythm. LogRhythm 7.17 expands log source collection capabilities to ingest third-party log sources in the SIEM. 

LogRhythm 7.17 also introduces a new JSON Policy Builder that makes it simple to create normalization rules without requiring coding or other scripting languages. In addition, the release features a streamlined installer that cuts installation steps in half, giving you greater flexibility into the components you can install when upgrading XM and Linux DX architectures as well as a new licensing details endpoint in the Admin API. 

Collect Third-Party JSON Log Sources  

We understand it can be challenging to get data into the SIEM when LogRhythm doesn’t have an out-of-the-box Beat for the log source you need. We’ve heard your request, and with LogRhythm 7.17, we’ve made it easier to bring JSON log sources to LogRhythm SIEM.

We’ve opened the LogRhythm SIEM so that the System Monitor Agent can accept JSON logs from any shipper that speaks the Lumberjack protocol, and you can then apply out-of-the-box or custom normalization rules to those logs. Lumberjack is the lightweight, acknowledged log-shipping protocol that Elastic Beats (such as Filebeat) use to send events to Logstash, so it is widely supported across the Elastic Stack (formerly known as the ELK Stack) ecosystem.
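To make the wire exchange concrete, here is an added example (not LogRhythm code, and not the System Monitor Agent's implementation) of the Lumberjack v2 framing a Beat-style shipper sends and the parsing and acknowledgement a receiver has to do. The frame layouts (version byte `2`; `W` window, `J` JSON, `C` zlib-compressed, `A` ACK) are the public protocol; the size caps, the sample events, and the function names are assumptions made for this illustration. The agent's actual listener settings (port, TLS) are not described on this page; in production Lumberjack runs over TLS, so treat this as the framing layer only.

```python
"""Minimal Lumberjack v2 framing: encode a batch of JSON events the way a
Beat-style shipper does, then parse and ACK them the way a receiver does.
Added example; assumed caps and sample data are not LogRhythm's."""
import json
import struct
import zlib

VERSION = b"2"                  # Lumberjack protocol version byte
MAX_FRAME_BYTES = 1 << 20       # assumed per-frame cap; real receivers choose their own
MAX_DECOMPRESSED = 8 << 20      # assumed cap on inflated batch size (bomb protection)


def _take(buf: bytes, pos: int, n: int) -> bytes:
    """Return buf[pos:pos+n], refusing to read past a truncated buffer."""
    chunk = buf[pos:pos + n]
    if len(chunk) != n:
        raise ValueError(f"truncated frame at offset {pos}")
    return chunk


# ---- sender side (what a Beat-style shipper puts on the wire) ----

def encode_window(size: int) -> bytes:
    """'W' frame: how many events follow before the sender expects an ACK."""
    return VERSION + b"W" + struct.pack(">I", size)


def encode_json_frame(seq: int, event: dict) -> bytes:
    """'J' frame: sequence number, payload length, UTF-8 JSON document."""
    payload = json.dumps(event, separators=(",", ":")).encode("utf-8")
    return VERSION + b"J" + struct.pack(">II", seq, len(payload)) + payload


def encode_compressed(frames: bytes) -> bytes:
    """'C' frame: zlib-compressed concatenation of other frames."""
    body = zlib.compress(frames)
    return VERSION + b"C" + struct.pack(">I", len(body)) + body


def encode_batch(events, start_seq: int = 1) -> bytes:
    """Window frame followed by one compressed frame holding all JSON events."""
    frames = b"".join(
        encode_json_frame(start_seq + i, ev) for i, ev in enumerate(events)
    )
    return encode_window(len(events)) + encode_compressed(frames)


def encode_ack(seq: int) -> bytes:
    """'A' frame: receiver acknowledges everything up to this sequence number."""
    return VERSION + b"A" + struct.pack(">I", seq)


# ---- receiver side (what a listening agent has to parse safely) ----

def decode_frames(buf: bytes, max_decompressed: int = MAX_DECOMPRESSED):
    """Yield (type, payload) per frame; 'C' frames are inflated and recursed."""
    pos = 0
    while pos < len(buf):
        if _take(buf, pos, 1) != VERSION:
            raise ValueError(f"unsupported protocol version at offset {pos}")
        ftype = _take(buf, pos + 1, 1)
        pos += 2
        if ftype == b"W":
            (size,) = struct.unpack(">I", _take(buf, pos, 4))
            pos += 4
            yield ("W", size)
        elif ftype == b"J":
            seq, length = struct.unpack(">II", _take(buf, pos, 8))
            pos += 8
            if length > MAX_FRAME_BYTES:
                raise ValueError(f"JSON frame of {length} bytes exceeds cap")
            raw = _take(buf, pos, length)
            pos += length
            yield ("J", (seq, json.loads(raw.decode("utf-8"))))
        elif ftype == b"C":
            (length,) = struct.unpack(">I", _take(buf, pos, 4))
            pos += 4
            body = _take(buf, pos, length)
            pos += length
            # Bound the inflated size: a tiny 'C' frame can expand to gigabytes.
            inflater = zlib.decompressobj()
            inner = inflater.decompress(body, max_decompressed)
            if not inflater.eof:
                raise ValueError("compressed frame exceeds decompression cap")
            yield from decode_frames(inner, max_decompressed)
        elif ftype == b"A":
            (seq,) = struct.unpack(">I", _take(buf, pos, 4))
            pos += 4
            yield ("A", seq)
        else:
            raise ValueError(f"unknown frame type {ftype!r} at offset {pos - 1}")


def receive_batch(buf: bytes, max_decompressed: int = MAX_DECOMPRESSED):
    """Parse one batch as the receiver; return (events, ack_frame_to_send_back)."""
    events, highest_seq = [], 0
    for ftype, payload in decode_frames(buf, max_decompressed):
        if ftype == "J":
            seq, event = payload
            events.append(event)
            highest_seq = max(highest_seq, seq)
    return events, (encode_ack(highest_seq) if events else b"")


# Constructed sample events (not real LogRhythm data), shaped like Beat output.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-07-01T12:00:00Z", "event": {"action": "user_login", "outcome": "success"},
     "user": {"name": "alice"}, "source": {"ip": "10.0.0.5"}},
    {"@timestamp": "2024-07-01T12:00:07Z", "event": {"action": "user_login", "outcome": "failure"},
     "user": {"name": "root"}, "source": {"ip": "203.0.113.9"}},
]

if __name__ == "__main__":
    wire = encode_batch(SAMPLE_EVENTS)
    got, ack = receive_batch(wire)
    print(f"{len(wire)} bytes on the wire, {len(got)} events recovered, ACK {ack!r}")
```

The receiver-side checks are the part worth copying into any listener you expose to third-party shippers: reject unknown version bytes, refuse to read past a truncated buffer, cap individual JSON frames, and cap the inflated size of `C` frames so a few hundred bytes of zlib cannot exhaust memory on the collection host.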

Our new Open Collection Architecture methods let security analysts use third-party tools to collect important security logs from sources LogRhythm has not yet built out-of-the-box support for. You no longer need LogRhythm to release an official tool to collect the specific logs you want.

If you are on an older version of LogRhythm SIEM, now is the time to upgrade your LogRhythm instance! With 7.17, you can tailor out-of-the-box rules and build custom normalization rules, enabling you to ingest new log sources faster than before.

Figure 1: Expand your log collection by bringing JSON log sources that support the Lumberjack protocol into LogRhythm SIEM.

Simplify Customization with the JSON Policy Builder

As any analyst or SIEM administrator knows, normalizing JSON log messages has traditionally required coding knowledge. The problem? Normalization policies can be confusing to create, difficult to visualize, and often time consuming.

To make the experience easier, LogRhythm 7.17 features a JSON Policy Builder, a web-based tool that lets you map JSON values to the LogRhythm schema and export the policy file for use on the System Monitor Agent. Through the GUI-based wizard, the tool automatically extracts the JSON fields, and you map specific fields to the LogRhythm schema via a drop-down menu. You can access the JSON Policy Builder directly from the Web Console.

To retain any custom normalization rules you build, the System Monitor Agent now features a folder to store custom policy files. This custom normalization policy folder enables customers and partners to safely store custom or modified normalization rules without risk of losing customizations, removing the concern about rules being overwritten or impacted during the upgrade process.

Figure 2: The JSON Policy Builder lets you map JSON values to the LogRhythm schema and export the policy file to use on the System Monitor Agent.

Improve the Installation and Upgrade Experience

Customers who want flexibility within installations and upgrades often run into rigid install options. They typically must run the LogRhythm Install Wizard multiple times to install the necessary components if they run a configuration that’s not listed in the wizard.

LogRhythm 7.17 introduces a new streamlined installer that gives you greater flexibility over which components you install on a single box. Administrators can now opt out of installing the Data Indexer on the same hardware as the rest of the LogRhythm components. This streamlines the process, allowing you to upgrade LogRhythm SIEM in half the steps, giving you greater control and helping you upgrade faster.

Figure 3: Upgrade LogRhythm SIEM in half of the steps with LogRhythm's new streamlined installer.

Leverage a New Platform Licensing API

For SIEM Administrators who use APIs to monitor and track deployments, obtaining licensing information is crucial. But that has typically meant opening the Client Console, which is cumbersome to automate. To make the details easier to reach, LogRhythm SIEM now lets Administrators retrieve and monitor LogRhythm SIEM licensing and version details through a new licensing details endpoint in the Admin API. Administrators can now quickly compare licensed MPS with the volume statistics available through the Metrics API to monitor usage. Additionally, teams can reduce overhead and automate data retrieval across multiple environments.

Figure 4: Retrieve and monitor LogRhythm SIEM licensing and version details using a new licensing details endpoint in the Admin API.

Enhancements to More Than 70 Log Sources

We’re committed to providing continuous enhancements. That includes improving Message Processor Engine (MPE) rules every quarter. A critical component in maintaining a healthy security posture is to normalize log messages. This ensures that you maximize value from log data ingested by LogRhythm and the security insights powered by LogRhythm’s Machine Data Intelligence (MDI) Fabric.

LogRhythm updated more than 70 log sources over the last three months. We released updates in the following key categories:

  • Operating systems: This quarter, LogRhythm improved log collection for AIX, BSD, Linux, HP-UX, Solaris, and Microsoft Windows so that operating system-level activity is visible to help surface threats and breaches.
  • Firewall security: LogRhythm released improvements for firewalls such as Palo Alto Networks, Fortinet FortiGate, Cisco Firepower, and Check Point. With these improvements, customers will find greater value in log enrichment and can better defend against threats.
  • Applications: LogRhythm refined and tuned the parsing of Mimecast Email, Microsoft Exchange, Fortinet FortiMail, and Trend Micro Email Security logs so that their data points connect consistently across the SIEM and tie back to attacks and compromises.

For the list of log sources, check out the Knowledge Base Release Notes.

Figure 5: LogRhythm updated more than 70 log sources over the last quarter to enable better correlation and analysis of specific Beats.

Download the Latest from LogRhythm SIEM 7.17

Stay up to date and enjoy the newest features in LogRhythm SIEM with our latest version, LogRhythm 7.17! Existing customers can request a license here and download LogRhythm 7.17 from Community. Further details and documentation on LogRhythm SIEM enhancements are available in our Release Notes and the Knowledge Base.

For customers that need help keeping their SIEM up to date, the LogRhythm Unlimited Upgrades Service can help. Our team of experts can help perform upgrades for every SIEM product release under your subscription with the service. Find out more here.

Interested in seeing product demos from LogRhythm 7.17? Join me and my colleague, Jake Halderman, for the LogRhythm SIEM July 2024 Quarterly Launch webinar on July 17 at 11 a.m. ET. Register today to learn more! Get the details about LogRhythm product updates from the What’s New webpage.