Improve Log Source Administration, Management with LogRhythm 7.13

Every quarter, LogRhythm improves customers’ experiences with new innovations that save users time and ease their workflow. With our fifth consecutive quarterly product release, LogRhythm is continuing the momentum with LogRhythm SIEM version 7.13, which features improvements to log source onboarding and log source management. 

LogRhythm 7.13 features a new engine in the SIEM that can ingest JSON data significantly faster than before, a data processor pooling system that automatically distributes logs across data processors, and new and updated supported log sources, enabling you to focus on threat detection, investigation, and response. 

Simplify Workload with LogRhythm’s New JSON Parsing Engine 

We understand the challenges you face onboarding log sources. That’s why the team has made it even easier to ingest cloud-native log sources. As part of LogRhythm 7.13, we’ve embedded a JSON parsing engine into System Monitor, the SIEM’s collection system. The new engine, available to self-hosted and LogRhythm Cloud customers, reduces complexity and offers a significant performance increase. You no longer need to rely on the jq language to define parsers, which simplifies the workload and administration of onboarding data. LogRhythm Cloud customers can use the new JSON parsing engine via on-prem Open Collectors and System Monitors; cloud-to-cloud collection will be updated at a later time.

Figure 1: Enable the JSON parsing engine to ingest cloud-native log sources faster

Reduce Administrative Overhead with Data Processor Pooling 

Your agents are your workhorses as they collect data and ship the data to a data processor, which handles the parsing. But there had not been a good way to load balance these agents across multiple data processors — until now. 

With LogRhythm 7.13, LogRhythm introduces Data Processor Pooling, a new feature that lets administrators define a pool of one or more data processors and assign a single agent to that pool instead of to one data processor. When an agent is assigned a Data Processor Pool, the agent spreads its logs across the data processors in the pool. This removes the need to manually review agent volumes and adjust which data processors the agents are sending to, saving you time. The feature is available to both self-hosted and LogRhythm Cloud customers.

Figure 2: Easily define a Data Processor Pool with LogRhythm SIEM 7.13

Figure 2: Add and remove Data Processors from a pool

Figure 3: Assign agents to a Data Processor Pool to spray logs across Data Processors in a round robin fashion
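The effect the pooling feature is meant to have on data processor load can be illustrated with a small model of the two assignment styles the post contrasts: each agent pinned to one data processor versus each agent round-robining its logs across a shared pool. The following is an added example written for this page, not LogRhythm code, and the agent names, volumes and processor names are constructed; the real agent's internals are not documented here, and the round-robin order is the only behaviour taken from the post.

```python
from collections import Counter
from itertools import cycle


class DataProcessorPool:
    """Hypothetical model of one agent assigned to a pool of data processors.

    Each log handed to ship() goes to the next pool member in round-robin
    order, as the post describes. Illustration only, not the product's code.
    """

    def __init__(self, processors):
        if not processors:
            raise ValueError("a pool needs at least one data processor")
        self.processors = list(processors)
        self._next = cycle(self.processors)
        self.sent = Counter()  # logs delivered per processor

    def ship(self, log_line):
        target = next(self._next)
        self.sent[target] += 1
        return target


def static_assignment(agent_volumes, assignment):
    """Pre-pooling model: every log from an agent goes to its one pinned processor."""
    counts = Counter()
    for agent, volume in agent_volumes.items():
        counts[assignment[agent]] += volume
    return dict(counts)


def pooled_assignment(agent_volumes, processors):
    """Pooling model: every agent spreads its own logs across the shared pool."""
    counts = Counter()
    for agent, volume in agent_volumes.items():
        pool = DataProcessorPool(processors)
        for i in range(volume):
            pool.ship(f"{agent} log {i}")  # constructed log line
        counts.update(pool.sent)
    return dict(counts)


def imbalance(counts):
    """Busiest minus least-busy processor; the number an admin would otherwise
    watch by hand when deciding to re-point agents."""
    return max(counts.values()) - min(counts.values())


# Constructed agent volumes: one chatty agent and two quiet ones (hypothetical names).
AGENT_VOLUMES = {"agent-a": 50, "agent-b": 10, "agent-c": 5}
PROCESSORS = ["dp-1", "dp-2", "dp-3"]
PINNED = {"agent-a": "dp-1", "agent-b": "dp-2", "agent-c": "dp-3"}

if __name__ == "__main__":
    before = static_assignment(AGENT_VOLUMES, PINNED)
    after = pooled_assignment(AGENT_VOLUMES, PROCESSORS)
    print("pinned :", before, "imbalance", imbalance(before))
    print("pooled :", after, "imbalance", imbalance(after))
```

With these volumes the pinned layout leaves dp-1 carrying 50 logs against 5 on dp-3, while the pooled layout lands 23/22/20. The small residual skew toward dp-1 comes from every agent starting its cycle at the first pool member, which is why the example rotates per agent rather than sharing one cycle across agents.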

View Agents in the Web Console  

To further support LogRhythm’s work to bring client console functionality into the web console, LogRhythm created an Agents page that lets self-hosted and LogRhythm Cloud customers see and search through System Monitors in the web console, saving them the time of switching between consoles. From the Agents administration page, customers can: 

  • View active and retired system monitor agents and details: 
    • SysMon Name 
    • Host 
    • Entity 
    • Active Log Sources 
    • Last Heartbeat 
    • Type 
    • Version 
    • Last Data Processor 
  • Filter and sort in each column 
  • View agents according to their user profiles and permissions 

Figure 4: View agents and the last heartbeat timestamps in the Web console

SecondLook is Available to Self-hosted Customers 

At LogRhythm, we take data seriously. And when it comes to retaining data, it’s important that customers can find their data—especially older data—easily. With LogRhythm 7.13, customers who use our self-hosted SIEM option now have access to SecondLook, a tool that lets users restore and search archived data, directly in the web console.  

Customers that use SecondLook can now search through their archives using the web console instead of the client console. This saves customers the time of pivoting between consoles, and SecondLook searches are handed off to a dedicated service for a more reliable user experience. The latest release follows the launch of SecondLook in the web console for LogRhythm Cloud customers earlier this year as part of the LogRhythm 7.11 release. 

Figure 5: Configure and run SecondLook restores directly from the Web Console

Figure 6: Customers can select an icon to quickly run a search for the logs restored by SecondLook.

Figure 7: The history of past searches is updated whenever you click the SecondLook quick search icon, giving you easy access to modify pre-populated filters.

Refreshed Operating Systems

To boost your performance, LogRhythm has updated the operating systems installed on LogRhythm appliances. Over time, operating systems become outdated, making past versions unsupported. With the release of 7.13, LogRhythm is supporting and installing Microsoft Server 2022, Microsoft SQL Server 2019, and Rocky Linux. For customers that prefer the open-source version of Linux, Data Indexers and Open Collector support Rocky Linux 9 and RHEL 9. For customers with RHEL licenses, LogRhythm SIEM supports RHEL 9.  

We’ve also added System Monitor support for Windows 2022, Windows 11, Rocky Linux 9, and RHEL 9.  

Ongoing Log Source Support  

LogRhythm is continuing to review our supported log sources and make updates to strengthen our correlation and analysis. Our new and enhanced methods of ingestion include:    

  • Cisco Identity Services Engine: New policies help prevent classification errors and provide more consistent parsing of log source data for Cisco Identity Services Engine, while new Message Processing Engine (MPE) rules parse log metadata into the correct schema fields and classify highly complex log source data. 
  • DarkTrace: Helps customers collect logs from DarkTrace. 
  • eStreamer: Updates LogRhythm’s integration with eStreamer to support up through version 7.2. 
  • SonicWall Unified Policy Engine: Enhances LogRhythm’s integration with SonicWall to include collection and parsing from SonicWall’s Unified Policy Engine (UPE). 
  • Cisco Meraki: New policies help prevent classification errors and provide more consistent parsing of log source data for Cisco Meraki, while new MPE rules parse log metadata into the correct schema fields and classify highly complex log source data. 

Upgrade to LogRhythm 7.13 and Stay in the Know 

Get the latest features in LogRhythm 7.13! If you are an existing customer, you can request a license here and download LogRhythm 7.13 from Community. To keep your software current, LogRhythm’s Professional Service team can help you stay up to date with our SIEM releases every quarter — seamlessly and on your schedule with our Unlimited Upgrades Service. Customers can also get details on the latest LogRhythm product news and influence future features by visiting LogRhythm’s Innovation Portal.

Not a customer? You can still find out more about LogRhythm’s full suite of product releases for LogRhythm SIEM, LogRhythm Axon, and LogRhythm NDR by registering for the July 2023 Quarterly Launch webinar or visiting our What’s New webpage.