
Expand Log Source Collection and Flexibility with LogRhythm SIEM 7.17

  • Jul 01, 2024
  • Ryan Gamboa
  • 4 minutes to read


Behind every LogRhythm SIEM product release, our team puts customers at the core. That’s part of our commitment to ship a release every 90 days. In our ninth consecutive quarterly release, we’ve opened LogRhythm SIEM so that any JSON agent that supports the Lumberjack protocol can send data into the SIEM. Version 7.17 expands log source collection to ingest third-party log sources.

LogRhythm SIEM 7.17 also introduces a new JSON Policy Builder that makes it simple to create normalization rules without coding or scripting. In addition, the release features a streamlined installer that cuts installation steps in half and gives you greater flexibility over which components you install when upgrading XM and Linux DX architectures, as well as a new licensing details endpoint in the Admin API.

Collect Third-Party JSON Log Sources

We understand it can be challenging to get data into the SIEM when the platform doesn’t have an out-of-the-box Beat for the log source you need. We’ve heard your requests, and with LogRhythm SIEM 7.17, we’ve made it easier to bring JSON log sources into LogRhythm SIEM.

We’ve opened LogRhythm SIEM so that the System Monitor Agent can accept JSON logs from any source that speaks the Lumberjack protocol, and you can then tailor out-of-the-box normalization rules or write custom ones for that data. Lumberjack is the wire protocol that Elastic Beats and Logstash use to ship events from a log shipper to a collector; it takes its name from the original lumberjack (later logstash-forwarder) shipper in the Elastic Stack (formerly the ELK Stack) ecosystem. Treat the agent’s listener as you would any other network-facing collector: put TLS in front of it and restrict which hosts are allowed to connect.

Our new Open Collection Architecture methods let security analysts use third-party tools to collect important security logs from sources for which LogRhythm SIEM does not yet have out-of-the-box support.
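What “supports the Lumberjack protocol” means on the wire, as an added example that is not part of the original post and is not LogRhythm’s or Elastic’s code: a minimal Python encoder and decoder for Lumberjack v2 frames (window, JSON data, compressed container, acknowledgement), with the receiver bounding decompression so that a small compressed frame cannot inflate without limit. The 16 MiB cap is an assumption chosen for the example, not a protocol constant; the TCP/TLS transport and the agent’s actual listener configuration are outside the snippet, and the sample events are constructed.

```python
"""Lumberjack v2 framing, sender and receiver side (constructed example).

Not LogRhythm or Elastic code. Each frame is the version byte '2', a type byte,
then a big-endian body. Types used: 'W' window size, 'J' JSON data frame,
'C' zlib-compressed container of frames, 'A' acknowledgement.
"""
import json
import struct
import zlib

VERSION = b"2"
MAX_DECOMPRESSED = 16 * 1024 * 1024  # cap per 'C' frame; an assumption for this example


def encode_window(size: int) -> bytes:
    """'W' frame: how many data frames the sender emits before it expects an ack."""
    return VERSION + b"W" + struct.pack(">I", size)


def encode_json_frame(seq: int, event: dict) -> bytes:
    """'J' frame: sequence number, payload length, then the UTF-8 JSON document."""
    payload = json.dumps(event, separators=(",", ":")).encode("utf-8")
    return VERSION + b"J" + struct.pack(">II", seq, len(payload)) + payload


def encode_compressed(frames: bytes) -> bytes:
    """'C' frame: zlib-compressed bytes that themselves decode as a run of frames."""
    body = zlib.compress(frames)
    return VERSION + b"C" + struct.pack(">I", len(body)) + body


def encode_ack(seq: int) -> bytes:
    """'A' frame: receiver confirms every data frame up to and including seq."""
    return VERSION + b"A" + struct.pack(">I", seq)


def encode_batch(events: list, compress: bool = True) -> bytes:
    """Sender side: a window frame, then the events as 'J' frames (optionally inside a 'C' frame)."""
    inner = b"".join(encode_json_frame(i + 1, e) for i, e in enumerate(events))
    return encode_window(len(events)) + (encode_compressed(inner) if compress else inner)


def decode_frames(buf: bytes) -> list:
    """Parse a buffer into ('window', n) / ('json', seq, obj) / ('ack', seq) tuples.

    'C' frames are expanded in place. Truncated or oversized input raises instead
    of being silently accepted, which matters on a network-facing listener.
    """
    out, pos = [], 0
    while pos < len(buf):
        if buf[pos:pos + 1] != VERSION:
            raise ValueError(f"unsupported protocol version at offset {pos}")
        kind = buf[pos + 1:pos + 2]
        pos += 2
        if kind == b"W":
            (size,) = struct.unpack_from(">I", buf, pos)
            pos += 4
            out.append(("window", size))
        elif kind == b"J":
            seq, length = struct.unpack_from(">II", buf, pos)
            pos += 8
            raw = buf[pos:pos + length]
            if len(raw) != length:
                raise ValueError("truncated JSON frame")
            pos += length
            out.append(("json", seq, json.loads(raw.decode("utf-8"))))
        elif kind == b"C":
            (length,) = struct.unpack_from(">I", buf, pos)
            pos += 4
            body = buf[pos:pos + length]
            if len(body) != length:
                raise ValueError("truncated compressed frame")
            pos += length
            # Bound the inflated size so a tiny 'C' frame cannot act as a decompression bomb.
            inflater = zlib.decompressobj()
            inner = inflater.decompress(body, MAX_DECOMPRESSED)
            if inflater.unconsumed_tail:
                raise ValueError("compressed frame exceeds MAX_DECOMPRESSED")
            out.extend(decode_frames(inner))
        elif kind == b"A":
            (seq,) = struct.unpack_from(">I", buf, pos)
            pos += 4
            out.append(("ack", seq))
        else:
            raise ValueError(f"unknown frame type {kind!r}")
    return out


def receive_batch(buf: bytes):
    """Receiver side: return the decoded events and the ack frame to send back."""
    events, last_seq = [], 0
    for frame in decode_frames(buf):
        if frame[0] == "json":
            events.append(frame[2])
            last_seq = frame[1]
    return events, encode_ack(last_seq)


if __name__ == "__main__":
    sample = [{"@timestamp": "2024-07-01T12:00:00Z", "message": "user login"}]  # constructed
    got, ack = receive_batch(encode_batch(sample))
    print(got, decode_frames(ack))
```

The receiver acknowledges the highest sequence number it decoded, which is what lets a shipper resend a batch after a dropped connection; a listener that accepted an unbounded `C` frame, or trusted a `J` length field without checking the bytes are actually present, would be the first thing a pentester pointed at the port.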

If you are on an older version of LogRhythm SIEM, now is the time to upgrade. With version 7.17, you can tailor out-of-the-box rules and build custom normalization rules, enabling you to ingest new log sources faster than before.

Simplify Customization with the JSON Policy Builder

As any analyst or SIEM administrator knows, normalizing JSON log messages has required coding knowledge. The problem? Normalization policies can be confusing to create, difficult to visualize, and time consuming to maintain.

To make the experience easier, LogRhythm SIEM 7.17 features a JSON Policy Builder, a web-based tool that lets you map JSON values to the schema and export the policy file for use on the System Monitor Agent. Through the GUI-based wizard, LogRhythm SIEM automatically extracts the fields from the JSON data, and you map specific fields to the schema via a drop-down menu. You can access the JSON Policy Builder directly from the Web Console.

To retain the custom normalization rules you build, the System Monitor Agent now has a dedicated folder for custom policy files. This custom normalization policy folder lets customers and partners store custom or modified normalization rules without risk of losing them: policies kept there are not overwritten or otherwise affected by the upgrade process. Keep those policy files under version control as well, so that a change in normalization (and therefore in what your detections see) can be reviewed and rolled back.
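The kind of mapping a JSON Policy Builder produces, applied to raw log lines, as an added Python example that is not from the original post and is not LogRhythm’s policy format or code. The policy layout below (a match condition plus schema-field-to-JSON-path mappings), the policy name, the schema field names, the sample log lines and the rule that a custom-folder policy overrides a built-in one of the same name are all constructed assumptions for illustration. What it shows beyond the paragraph: nested paths, fields missing from an event, events the policy does not match, and lines that are not JSON each need explicit handling, and unmatched lines are kept raw rather than dropped.

```python
"""Constructed JSON normalization example; not LogRhythm's policy format or code."""
import json

# Hypothetical policy, in the spirit of what a policy builder exports:
# a match condition plus schema field -> dotted JSON path mappings (assumed format).
BUILTIN_POLICIES = [
    {
        "name": "acme-gateway-auth",
        "match": {"path": "event.category", "equals": "authentication"},
        "fields": {
            "login": "user.name",
            "sip": "source.ip",
            "dip": "destination.ip",
            "result": "event.outcome",
            "vendor_msg_id": "event.code",
        },
    }
]

# A modified copy as it might sit in the custom policy folder; it also maps a session id.
CUSTOM_POLICIES = [
    {
        "name": "acme-gateway-auth",
        "match": {"path": "event.category", "equals": "authentication"},
        "fields": {**BUILTIN_POLICIES[0]["fields"], "session": "session.id"},
    }
]

# Constructed sample log lines, one JSON document per line as a JSON agent would ship them.
SAMPLE_LOGS = [
    '{"event":{"category":"authentication","outcome":"failure","code":4625},'
    '"user":{"name":"alice"},"source":{"ip":"203.0.113.7"},"destination":{"ip":"10.0.0.5"},'
    '"session":{"id":"s-001"}}',
    '{"event":{"category":"authentication","outcome":"success"},'
    '"user":{"name":"bob"},"source":{"ip":"198.51.100.2"}}',
    '{"event":{"category":"network"},"message":"not an auth event"}',
    'this line is not JSON at all',
]


def get_path(obj, dotted):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    cur = obj
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(policy, event):
    cond = policy.get("match")
    return cond is None or get_path(event, cond["path"]) == cond["equals"]


def normalize(policy, raw_line):
    """Apply one policy to one raw line; None if the line is not JSON or does not match."""
    try:
        event = json.loads(raw_line)
    except json.JSONDecodeError:
        return None
    if not isinstance(event, dict) or not matches(policy, event):
        return None
    record = {"policy": policy["name"]}
    for schema_field, path in policy["fields"].items():
        value = get_path(event, path)
        if value is not None:  # a missing field is left out, not filled with ""
            record[schema_field] = value if isinstance(value, str) else json.dumps(value)
    return record


def load_policies(builtin, custom):
    """Custom folder wins over a built-in policy with the same name (assumed precedence)."""
    merged = {p["name"]: p for p in builtin}
    merged.update({p["name"]: p for p in custom})
    return list(merged.values())


def normalize_all(policies, lines):
    """First matching policy wins; unmatched lines are kept raw so nothing is dropped silently."""
    out = []
    for line in lines:
        for policy in policies:
            record = normalize(policy, line)
            if record is not None:
                out.append(record)
                break
        else:
            out.append({"policy": None, "raw": line})
    return out


if __name__ == "__main__":
    for rec in normalize_all(load_policies(BUILTIN_POLICIES, CUSTOM_POLICIES), SAMPLE_LOGS):
        print(rec)
```

Non-string JSON values are serialized rather than coerced with `str()`, so a nested object or a boolean stays distinguishable in the normalized field, and the raw line is retained for anything no policy claims: an unparsed line that vanishes is a detection gap, not a tidy output.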

Improve the Installation and Upgrade Experience

Customers who want flexibility within installations and upgrades often run into rigid install options. They typically must run the Install Wizard multiple times to install the necessary components if they run a configuration that’s not listed in the wizard.

LogRhythm SIEM 7.17 introduces a new streamlined installer that gives you greater flexibility over which components you install on a single box. Administrators can now opt out of installing the Data Indexer on the same hardware as the rest of the components. This streamlines your process, allowing you to upgrade LogRhythm SIEM in half the steps, giving you greater control and helping you upgrade faster.

Leverage a New Platform Licensing API

For SIEM administrators who use APIs to monitor and track deployments, obtaining licensing information is crucial. But that typically involves accessing the Client Console, which can be cumbersome. To make the details easier to reach, LogRhythm SIEM now lets administrators retrieve and monitor LogRhythm SIEM licensing and version details through a new licensing details endpoint in the Admin API. Administrators can quickly compare licensed MPS (messages per second) with the volume statistics available through the Metrics API to monitor usage. Teams can also reduce overhead and automate data retrieval across multiple environments. Treat the API token that automation uses as a secret: keep it out of scripts checked into shared repositories and rotate it like any other administrative credential.
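One way to put licensed MPS and volume statistics side by side, as an added Python example that is not from the post and not LogRhythm’s code. The data is constructed and the field names (licensed_mps, expires, the list of per-interval MPS samples) are assumptions, because the response shapes of the Admin API licensing endpoint and the Metrics API are not shown on this page; the 85% warning ratio and the three-sample “sustained” threshold are arbitrary choices for the example. Rather than comparing one number, it reports p95 and peak MPS against the license, distinguishes a sustained overage from a one-off spike, and warns when the license is close to expiry.

```python
"""Constructed license-vs-volume check; not LogRhythm code, response shapes assumed."""
import math
from datetime import date

# Constructed data. Field names are assumptions: the actual Admin API licensing
# endpoint and Metrics API responses are documented by LogRhythm, not on this page.
LICENSE_DETAILS = {"version": "7.17", "licensed_mps": 5000, "expires": "2025-06-30"}
OBSERVED_MPS = [3100, 3400, 4200, 4900, 5300, 5200, 5100, 4700, 3900, 3600, 4100, 3800]  # one per interval


def nearest_rank_percentile(samples, pct):
    """Nearest-rank percentile: never interpolates past the largest sample."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def longest_run_over(samples, limit):
    """Longest streak of consecutive samples above limit (sustained overage, not a blip)."""
    best = current = 0
    for value in samples:
        current = current + 1 if value > limit else 0
        best = max(best, current)
    return best


def license_report(license_details, observed_mps, today_iso, warn_ratio=0.85, sustained=3):
    """Compare licensed MPS with observed volume and list what an admin should act on."""
    licensed = license_details["licensed_mps"]
    p95 = nearest_rank_percentile(observed_mps, 95)
    peak = max(observed_mps)
    run = longest_run_over(observed_mps, licensed)
    days_left = (date.fromisoformat(license_details["expires"]) - date.fromisoformat(today_iso)).days
    findings = []
    if run >= sustained:
        findings.append(f"sustained overage: {run} consecutive samples above {licensed} MPS")
    elif peak > licensed:
        findings.append(f"peak of {peak} MPS exceeded the {licensed} MPS license")
    if p95 >= warn_ratio * licensed:
        findings.append(f"p95 of {p95} MPS is {p95 / licensed:.0%} of the license")
    if days_left <= 30:
        findings.append(f"license expires in {days_left} days")
    return {
        "version": license_details["version"],
        "licensed_mps": licensed,
        "p95_mps": p95,
        "peak_mps": peak,
        "sustained_over": run,
        "days_to_expiry": days_left,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in license_report(LICENSE_DETAILS, OBSERVED_MPS, "2024-07-01")["findings"]:
        print(finding)
```

Nearest-rank is used deliberately: interpolating percentiles over a short window can report a p95 above the largest observed value, which turns a capacity report into noise. In practice the two inputs would come from the licensing endpoint and the Metrics API respectively, fetched on a schedule per environment.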

Enhancements to More Than 70 Log Sources

We’re committed to providing continuous enhancements. That includes improving Message Processing Engine (MPE) rules every quarter. Normalizing log messages is a critical part of maintaining a healthy security posture. It ensures you get the most value from the log data LogRhythm ingests and from the security insights powered by LogRhythm’s Machine Data Intelligence (MDI) Fabric.

We updated more than 70 log sources over the last three months, with updates in the following key categories:

• Operating systems: improved log collection so that operating system-level activity is visible to help surface threats and breaches for AIX, BSD, Linux, HP-UX, Solaris, and Microsoft Windows.
• Firewall security: released improvements for firewalls such as Palo Alto Networks, Fortinet FortiGate, Cisco Firepower, and Check Point. With these improvements, customers get more value from log enrichment and can better defend against threats.
• Applications: refined and tuned data points to ensure a cohesive connection across the SIEM, tying events to attacks and compromises for Mimecast Email, Microsoft Exchange, Fortinet FortiMail, and Trend Micro Email Security.

For the full list of log sources, check out the Knowledge Base Release Notes.

Download the Latest from LogRhythm SIEM 7.17

Stay up to date and enjoy the newest features in LogRhythm SIEM with our latest version, 7.17! Existing customers can download LogRhythm 7.17 from Community. Further details and documentation on LogRhythm SIEM enhancements are available in our Release Notes and the Knowledge Base.

Ryan Gamboa

Senior Product Manager, LogRhythm SIEM | Exabeam | Ryan Gamboa is a Senior Product Manager focused on the LogRhythm SIEM at Exabeam. He takes feedback from customers, field teams, internal stakeholders, and the market to prioritize the work that makes Exabeam’s products best in class. He has 15 years of experience in the security space, holding roles in professional services, engineering, and product. Ryan received a BS degree in Business from the University of Notre Dame. He enjoys playing soccer, skiing, hiking, music, cooking, and projects around the house.
