What’s New in LogRhythm® Version 5.1

Dear LogRhythm Customers,

I am pleased to introduce LogRhythm 5.1, the latest version of our award winning software. I think you will be very happy with the extensive list of new features, capabilities, and improvements introduced. As I think you’ll come to appreciate, LogRhythm 5.1 is far from a typical minor release.

I think this release provides a great balance between core “blocking and tackling” capabilities with leading edge innovation. We have long felt our log data collection and management infrastructure is second-to-none. We continue to invest in this area by adding significant new log collection capabilities including native support for SNMP traps and the latest version of Netflow. We have invested in improving our reporting infrastructure by providing you the ability to create your own templates for determining exactly how you want a report to look. In addition, you can select to use your company logo instead of ours for presentation in a report. We have introduced new meta-data fields and significantly enhanced how some derived meta-data values are determined. We also introduced a variety of new capabilities and improvements for easing the administration of your LogRhythm deployment.

On more of the leading-edge innovation front, we have introduced a number of new features that I am personally very excited about. We’ve added Geolocation, the ability to see where hosts contained in log messages physically reside. While some of our competitors have capabilities in this area, what excites me is that we introduce Geolocation at the log and event layer whereas others have only focused at the event layer. This provides great forensic context for every log message, context that provides a wealth of capabilities today and more in the future. One of those capabilities is leveraged in another new feature called Network Visualization. This is a very powerful visual analysis tool that provides a visual depiction of host-to-host relationships across boundaries such as location.

One thing I feel has always differentiated us is our focus on filling the “visibility gaps”. While logs do provide tremendous visibility on their own, often they don’t provide the complete story. A core capability of the LogRhythm System Monitor is to fill in these gaps at the endpoint. Two new powerful forensic visibility capabilities have been introduced in 5.1. Process Monitor provides independent monitoring of processes running on a host, when they start, and when they stop. Network Monitor provides independent monitoring of listening services, inbound connections, and outbound connections to/from a host. These capabilities, combined with existing endpoint monitoring features (i.e., File Integrity Monitor, DataLoss Defender), provide powerful and unequaled forensic awareness and visibility at the host.

I hope you find LogRhythm 5.1 as exciting as we do. The LogRhythm engineering team has worked hard to bring you another quality software release we are very proud of.

Sincerely,
Chris Petersen
CTO, VP Engineering, Co-founder

Overview

This document provides a brief description of new features and the most significant improvements introduced in LogRhythm 5.1. Please refer to the Release Notes for the complete list of new features, improvements, modifications, and known issues found in LogRhythm 5.1.

System Monitor Features and Improvements

New Operating System Support

We have added support for the following operating systems and Linux distributions:
• HP-UX
• Linux Debian
• Linux Ubuntu

New Collection Interfaces, Capabilities, and Improvements

SNMP Trap Listener

The Windows System Monitor now includes an integrated SNMP Trap Listener. SNMP versions 1, 2 and 3 are supported.

Netflow v9

The Windows System Monitor now supports Netflow v9 in addition to versions 1 and 5. This provides support for the latest version of Netflow shipping with Cisco products. Netflow v9 is also compatible with a variety of non-Cisco products.

Recursive Flat File Collection

This capability allows for the collection of flat files matching a specific file name pattern that reside in root or child directories. This is ideal for applications (e.g., web servers) that generate new directories containing log files on a daily or weekly basis.

Integrated Syslog Server for UNIX and Linux System Monitor

The Windows System Monitor has always had an integrated Syslog Listener for receiving UDP and TCP based Syslog. This same capability has been added in UNIX and Linux versions of the System Monitor. This is ideal for extending the collection infrastructure in *NIX-centric environments where a single agent can collect and forward Syslog from the entire environment.

Checkpoint Firewall/VPN Secure Configuration Verification (SCV) Support

The Windows System Monitor now supports collection of logs generated via Checkpoint’s Secure Configuration Verification module.

Windows Remote Event Log Connection Optimization

The number and frequency of new connections required to collect Event Logs remotely have been significantly reduced. This results in overall performance improvements and reduces the number of logs written to the Windows Security Event log as a result of remote collection activity.

Windows 1252 Codepage Extended ASCII Support

Log messages containing Extended ASCII characters for languages included in the Windows 1252 codepage will be collected and presented in native language. This includes the following languages: Afrikaans, Basque, Catalan, Danish, Dutch, English, Faroese, Finnish, French, Galician, German, Icelandic, Indonesian, Italian, Malay, Norwegian, Portuguese, Spanish, Swahili, Swedish.

New Forensic Visibility and Awareness Features

A tenet of LogRhythm’s vision is to provide profound visibility into the operating environment. We do this to help our customers better understand the environment as it affects or is impacted by security, operations, and compliance/audit events. In LogRhythm 5.1, we have introduced two significant features that provide forensic awareness into the activity of a host.

Network Connection Monitor

This feature provides an audit trail of connections to and from the host on which the System Monitor is installed. We also detect and log listening services. This is an optional capability available in System Monitor Lite that can provide constant or on-demand visibility into how a host is interacting on the LAN, WAN and Internet.

Use Case: Deploy System Monitors and enable Network Connection Monitor on servers in a DMZ and alert on unauthorized connections from DMZ hosts to hosts on the Internet or inside the trusted network.

Use Case: Deploy System Monitors and enable Network Connection Monitor on key servers and alert if network connections are observed initiating directly from the Internet or other unauthorized networks.

Process Monitor

This feature provides an audit trail of processes running on a host. Logs are generated whenever a new process or program starts or a previously running process or program stops. This is an optional capability available in System Monitor Lite that can provide constant or on-demand visibility into what processes and applications a host is running.

Use Case: Deploy System Monitors and enable Process Monitor on key servers. Create a whitelist of authorized programs and alert if any program is observed that is not in the approved whitelist.

Use Case: Deploy System Monitors and enable Process Monitor on user desktops. Create a blacklist of high-risk unauthorized programs (e.g., BitTorrent) and alert if such programs are observed on monitored hosts.

System Monitor Feature Matrix

Columns: System Monitor Lite (Windows, UNIX) and System Monitor Pro (Windows, UNIX)

Timestamp Normalization: X, X, X, X
Collection Scheduling: X, X, X, X
Compressed Data Transmission: X, X, X, X
Encrypted Data Transmission: X, X, X, X
Flat File Log Collection: X, X, X, X
Recursive Flat File Log Collection: New! 5.1, New! 5.1, New! 5.1, New! 5.1
Windows Event Log Collection: X, X
Remote Windows Event Log Collection: X, X
Integrated UDP Syslog Server: X, New! 5.1, X, New! 5.1
Integrated TCP Syslog Server: X, New! 5.1, X, New! 5.1
Integrated Netflow Server v1 and v5: X
Integrated Netflow Server v9: New! 5.1
Integrated SNMP Trap Receiver: New! 5.1
Remote Checkpoint Firewall Log Collection (via LEA): X
Remote Cisco IDS Log Collection (via SDEE): X
Remote Database Log Collection (UDLA): X
System Performance Monitoring: X, X, X, X
Data Loss Defender: X, X
File Integrity Monitoring: X, X
Process Monitor: New! 5.1, New! 5.1, New! 5.1, New! 5.1
Network Connection Monitor: New! 5.1, New! 5.1, New! 5.1, New! 5.1
User Activity Monitoring: X, X, X, X

New Meta-data Fields and Resolution Enhancements

In 5.1, new meta-data fields have been introduced. We have also improved how some derived values are determined. These are very significant changes in terms of what information is presented for every log message and event. These new fields and enhancements provide immediate value from an analysis, reporting, and alerting standpoint. They have also been implemented to prepare for additional automated and visual analysis capabilities planned in future releases.

NOTE: It is very important that the Administrator of LogRhythm understands how the configuration of your deployment affects how these fields are determined and, as a result, their usefulness throughout the product. Please refer to online help to learn more or contact support for additional information.

New Meta-Data Fields

Origin & Impacted Entity

The Origin Entity is the Entity to which the Origin Host is associated. The Impacted Entity is the Entity to which the Impacted Host is associated. Because Entities typically map to physical operating locations or classes of systems, these two fields provide very useful context in terms of understanding the Entity from which the action (e.g., attack, logon) originated and the Entity impacted by the action. The introduction of these fields enables analysis, reporting and alerting based on the Entity in which the Origin or Impacted Host resides.

Use Case: Report and alert on authentication activity across Entity boundaries. For instance, if each Entity were a separate business unit, this report would be of authentications between business units.

Origin & Impacted Network

The Origin Network is the Network to which the Origin Host is associated. The Impacted Network is the Network to which the Impacted Host is associated. These two fields provide very useful context when analyzing Host-to-Network and Network-to-Network relationships. The introduction of these fields enables analysis, reporting and alerting based on the Network in which the Origin or Impacted Host resides.

Use Case: Report and alert on network traffic between untrusted and trusted networks. For instance, if you had created a DMZ Network and a Production Servers Network, you could alert on any activity originating from the DMZ Network targeting any host in the Production Servers Network.

Origin & Impacted Zone

The Origin Zone is the Zone (Internal, External, DMZ) in which the Origin Host resides. The Impacted Zone is the Zone in which the Impacted Host resides. The introduction of these fields enables analysis and reporting based on the Zone in which the Origin or Impacted Host resides.

Origin & Impacted Location

The Origin Location is the location in which the Origin Host resides. The Impacted Location is the location in which the Impacted Host resides. Location can be presented or considered for filtering at the Country, Region, or City level. These fields are introduced as part of the new Geolocation feature described below and enable analysis, reporting, and alerting based on geographic location.

Meta-Data Field Resolution Enhancements

The approach for deriving the following fields has been modified and improved in LogRhythm 5.1. Although these improvements should not negatively affect an existing deployment, it is important to understand how these fields are determined based on your configuration.
• Known Origin Host
• Known Impacted Host
• Known Origin Network*
• Known Impacted Network*
• Origin Zone*
• Impacted Zone*
• Direction

* NOTE: Although these fields are listed as new in 5.1, the fields did exist in previous versions. However, they were minimally exposed or completely hidden from the end-user. In 5.1, how these fields are determined has changed and the fields are visible and usable directly by the end-user.

Log Analysis Features and Improvements

Geolocation

Ever wonder where an attack originated from geographically or where data was sent to? With LogRhythm Geolocation, wonder no more. LogRhythm’s Geolocation capability can provide city level location awareness for every Origin and Impacted Host represented in a log message. This capability is implemented at the Log Manager layer, meaning EVERY log collected by LogRhythm can have Geolocation information assigned. Geolocation information is assigned to a log based on static assignment and automatic resolution.

Static location assignment is available to all 5.1 users. This capability allows you to assign specific locations to Known Hosts and Networks that will be used during log processing to assign location to Origin and Impacted Hosts.
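
An added example, not LogRhythm code and not a description of how the product resolves these fields: a sketch of static assignment, in which Known Network entries carrying a Zone and Location are matched against the Origin and Impacted Host of each log, followed by the DMZ-to-Production Servers alert from the Origin & Impacted Network use case. It assumes the most specific network wins and that unknown hosts are External; all names, addresses, field names and log records are constructed.

```python
import ipaddress

# Constructed Known Network entries: (name, CIDR, zone, location).
# Illustrative only; this is not LogRhythm's configuration format.
KNOWN_NETWORKS = [
    ("Corporate LAN", "10.0.0.0/8", "Internal", "Boulder"),
    ("Production Servers", "10.20.0.0/16", "Internal", "Boulder"),
    ("DMZ", "192.0.2.0/24", "DMZ", "Boulder"),
]
_NETS = [(ipaddress.ip_network(cidr), name, zone, loc)
         for name, cidr, zone, loc in KNOWN_NETWORKS]


def resolve(ip):
    """Return (network, zone, location) for a host address.

    Assumptions: the most specific matching network wins, and a host in no
    Known Network is External with no statically assigned location.
    """
    addr = ipaddress.ip_address(ip)
    hits = [entry for entry in _NETS if addr in entry[0]]
    if not hits:
        return (None, "External", None)
    _, name, zone, loc = max(hits, key=lambda entry: entry[0].prefixlen)
    return (name, zone, loc)


def enrich(log):
    """Copy a log record and add Origin/Impacted Network, Zone and Location."""
    out = dict(log)
    for side in ("origin", "impacted"):
        net, zone, loc = resolve(log[side + "_host"])
        out[side + "_network"] = net
        out[side + "_zone"] = zone
        out[side + "_location"] = loc
    return out


def dmz_to_production(logs):
    """Activity originating in the DMZ Network that targets Production Servers."""
    return [e for e in map(enrich, logs)
            if e["origin_network"] == "DMZ"
            and e["impacted_network"] == "Production Servers"]


# Constructed sample records (hypothetical field names).
SAMPLE_LOGS = [
    {"origin_host": "192.0.2.15", "impacted_host": "10.20.4.8", "port": 1433},
    {"origin_host": "10.1.2.3", "impacted_host": "10.20.4.8", "port": 443},
    {"origin_host": "198.51.100.7", "impacted_host": "192.0.2.15", "port": 80},
    {"origin_host": "192.0.2.15", "impacted_host": "203.0.113.9", "port": 443},
]

if __name__ == "__main__":
    for alert in dmz_to_production(SAMPLE_LOGS):
        print("ALERT DMZ -> Production Servers:", alert)
```

The overlapping Corporate LAN and Production Servers entries show why the match order matters: a host in 10.20.0.0/16 must resolve to the narrower network or the alert never fires.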

Automatic location resolution requires a separate software license purchased on an annual subscription basis. Automatic location resolves public IP addresses to the last known physical location. The list of last known locations is provided via the LogRhythm knowledge base and updated periodically. Country-level resolution accuracy is 99.9% with city level resolution accuracy around 95%. Annual license fees for this functionality are $1,000, $2,500 and $5,000 for LR500/LRX1, LR1000/LRX2 and LR2000/LRX3 XM and LM models respectively. If you are interested in licensing this capability, please contact your LogRhythm Customer Relationship Manager at (303) 413-8745.

Geolocation information is available in Personal Dashboard, Investigator, and Tail. It is also available in Reports targeting the Event Manager or Log Managers. Geolocation information is not currently available in Log Miner or LogMart. Geolocation criteria can be specified for searches and for reports. Criteria can also be specified for Alarm Rules and Global Log Processing Rules.

Use Case: Report and alert on remote authentication activity originating from locations outside expected states and/or countries.

Use Case: Report and alert on data transfers from sensitive servers to locations outside known and authorized geographic operating locations.

Network Visualization

A new tool has been added to Investigator for visually describing the relationships between hosts as represented in log data. This tool maps the relationships between hosts as contained within configurable containers such as Zone (e.g., DMZ, Internal), Location, and Network. Failure and security conditions are depicted with red links. Line width represents the relative amount of activity between related hosts or host containers. “Mousing” over hosts or host containers provides summary statistics such as kilobytes of traffic, packet counts, and log counts. This tool provides a revolutionary new way of looking at log data containing information on host-to-host interactions.

The following screenshot depicts Port 80 and 443 traffic.

New Investigator and Personal Dashboard Charts

Two new charts have been added to Investigator and Personal Dashboard:
• Logs by Day and Hour
• Logs by Day of Week and Hour of Day

Use Case: Analyze VPN activity by day and hour of day to visually see the frequency and pattern of VPN authentications. Identify anomalous trends in VPN activity based on daily averages and/or time-of-day.

New Investigator Meta-Data Charts

Three new charts have been added to the Meta-data Statistics tool within Investigator. These three charts provide a visual display of every unique meta-data value compared to all other values across the number of logs, the amount of data sent/received, and the number of packets sent/received. These charts are designed to provide visual trending and easy identification of anomalous activity. Following is a screenshot of the three new charts for a meta-data statistics pane configured to show Impacted Host.

[Screenshot: Impacted Hosts by Log Count; Impacted Host by KBytes In/Out; Impacted Host by Items In/Out]

Time-based Drill-Down Improvements

An improved drill-down mechanism has been introduced for all charts that show activity by time. In previous versions of LogRhythm, you were able to drill down on an individual point representing a time range. In 5.1, this capability remains, and the ability to select a range of time has been added. In any time-based chart, simply click and hold the left mouse button and drag the mouse to the right until you reach the end of the range. Release the left mouse button and double click in the highlighted area to drill down.

Reporting New Features and Improvements

Custom Report Templates

You can now create your own report templates if the provided out-of-the-box templates do not suit your organization’s needs. Both detail and summary templates can be created via a Wizard based tool. All log message properties can be used with a variety of grouping and sorting options. The result is near infinite possibilities in terms of what you want included in a report. This capability combined with LogRhythm’s previous reporting capabilities provides near limitless reporting options.

Custom Report Branding

You can now replace the LogRhythm logo that is printed on reports with an image of your choosing. This is done by selecting File > Options from the Report Center and checking the ‘Use Custom Logo’ checkbox.

Event Management New Features and Improvements

Batch Alarm Record Management

You can now select multiple alarms in Alarm Viewer and edit their status/comments in batch.

Personal Dashboard Shared Filters

The filtering function within Personal Dashboard has been significantly improved. Filters are easier to create and manage with more powerful filtering options. In addition, Personal Dashboard Filters can be shared across the LogRhythm user base.

Use Case: Configure shared Personal Dashboard Filters for security analyst team and helpdesk operations. When these users access their Personal Dashboard, the events displayed are automatically filtered based on their job function.

Administration New Features and Improvements

Batch System Monitor Agent Editing

All properties of a System Monitor can now be edited in batch. This simplifies the administration of deployments where large numbers of System Monitors are deployed.

Batch Host and Network Editing

Hosts and Networks can now be edited in batch. The following properties are available for batch editing:
• Zone
• Location
• Risk Level
• Threat Level

Right Click Add Host

Ever wished you could add a host from a log message you are analyzing to LogRhythm’s list of Known Hosts? Wish no more. A new context menu is available off Log/Event lists. Simply select the log or event containing the host you wish to add and select to add Origin or Impacted Host as a Known Host.

LogRhythm Headquarters
3195 Sterling Circle
Boulder, CO 80301
303-413-8745

LogRhythm EMEA
Siena Court, The Broadway
Maidenhead, Berkshire SL6 1NJ
United Kingdom
+44 (0) 1628 509 070

LogRhythm Asia Pacific Ltd.
8/F Exchange Square II
8 Connaught Place, Central, Hong Kong
+852 2297 2812