Vous êtes sur la page 1sur 3

LogRhythm Community  Product documentation & downloads  SIEM  Support/Partner downloads and documentation

LogRhythm 7.3.x message data ow diagram 

 
LogRhythm 7.2.x message data ow diagram  

 
 
Useful status and con guration web pages for the DX
Grafana - Shows performance metrics, system health and component diagnostic data in
format.
Linux - https://IPofDX:8111 (7.3.x uses https; prior 7.x versions used only http)
Windows - http://localhost:8110
Note - Linux DX Grafana uses https and can be accessed externally, but Windows DX Gra
be accessed only locally
Consul - Shows DX service status information. Not a commonly-used site and shouldn't b
without assistance from LogRhythm Support.
Linux - https://IPofDX:8112
Windows - http://localhost:8500
Note - Linux DX Consul uses https and can be accessed externally, but Windows DX Cons
accessed only locally
AllConf - Allows viewing and editing of DX con guration parameters
Linux - https://IPofDX
Windows - http://localhost:9100
Note - Linux DX AllConf uses https and must be accessed externally, but Windows DX AllC
http and can only be accessed locally
Web Console - Used mainly for analyst work ows, but contains some administrative dash
Windows - https://IPofWebConsole:8443
 
 
 
Useful CURL commands - These are intended to be entered into a local web browser on
a Windows-based DX without the curl part, or at the shell command prompt for a Linux-
based DX as-is. The localhost address may need to be changed to an actual IP address,
depending on con guration.
curl localhost:9200/_cluster/health?pretty - Displays overall ElasticSearch cluster health
curl localhost:9200/_cat/indices - Displays the health of all indices in verbose (add ?v at
the end to make it verbose)
curl localhost:9200/_cat/shards - Displays the health of all shards (index fragments)
curl localhost:9200/_cat/master - Displays the current master node of the ES cluster
curl localhost:9200/_cat/nodes - Displays a list of nodes participating in the ES cluster
along with statistics
curl localhost:9200/_cluster/pending_tasks?pretty - Displays list of pending write tasks
into the ES cluster
 
Useful Linux Commands - These commands can help with general system administration
tasks on a Linux-based DX. Many of these may need to be executed with the
word sudo in front of them to run with elevated privileges.

systemctl status <service> - Displays the current status of a speci ed service (running,
stopped, etc).
systemctl start/stop/restart <service> - Execute a service command (start, stop, restart)
on a service.
watch -n2 "<command>" - Executes the command given every 2 seconds and refreshes
the output in the terminal session. Useful for "tailing" a curl command for ES health.
tail -f <log path> - shows the last several lines of a le, and updates the output in real-
time with any new lines added to that le. Useful for showing realtime updates to a
component log le.
tail -500 <log path> - Same as above, but shows a static number of the last x lines of a
le. Change the number to suit the use case
top - Displays running processes on the server, and can be sorted interactively by CPU &
memory utilization
ip addr show - Displays the current con guration of all network adapters on the system.
Useful for showing the IP addresses in use by the server.
.\< lename> Syntax for executing a .sh le (shell script)
sudo !! - Run the last executed command as su. Useful for when you forgot the sudo
command in the rst place!
df -h - Shows the le system space utilization in human-readable format (MB,GB,TB, etc).
Useful for troubleshooting "out of space" issues.
 
Table of DX micro-services
Service TCP Port Purpose
AllConf 80,443 Con g of DX port 80 is forwarded to 443
Columbo 13130/13132 WC Queries / WC Threat Activity Map
Consul 8112/8500 Consul Administration Dashboard (Linux)
Denorm 13100 Injects Context Data into log messages
Grafana 8111 / 8110 Grafana Dashboard Linux / Windows
In uxDB 8086 Admin queries to In ux DB
Vitals 13202/13200 Collection of Mediator Stats
Anubis 16000 Reliable Messaging
Elastic Search 9200/9300/9400 Core data repository, critical service
Carpenter 1433 Synchronize lists and tables from the EMDB
Bulldozer 1433 Writes Cluster stats in EMDB
 
Important DX paths
Path Windows Linux
DX C:\Program Files\LogRhythm\Data
/usr/local/logrhythm
Binaries Indexer
DX Con g C:\Program Files\LogRhythm\Data
/usr/local/logrhythm/con gserver/con
Files Indexer\con gserver\conf
C:\Program Files\LogRhythm\Data
/var/log/persistent
Indexer\logs
/var/log/ElasticSearch
DX Log C:\Program Files\LogRhythm\Data
/var/log/Grafana
Files Indexer\ElasticSearch\logs
/var/log/in uxdb
C:\Program Files\LogRhythm\Data
/var/log/nginx
Indexer\Grafana\logs
DX logs-
${DXDATAPATH}\elasticsearch\data /usr/local/logrhythm/db/elasticsearch
Resository
C:\Program Files\LogRhythm\Data
In uxDB /usr/local/logrhythm/in uxdb/data/st
Indexer\in uxdb\data\stats\default
Gigawatt C:\Program Files\LogRhythm\Data
/usr/local/logrhythm/db/gigawatt/dat
DB Indexer\gigawatt\data
C:\Program Files\LogRhythm\Data /usr/local/logrhythm/tools/start-all-se
DX
Indexer\tools\start-all-services.bat linux.sh
start/stop
C:\Program Files\LogRhythm\Data /usr/local/logrhythm/tools/stop-all-se
scripts
Indexer\\tools\stop-all-services.bat linux.sh
 
Procedure - Submit AllConf changes without restarting ElasticSearch (which is time
consuming)
• Stop the Heartthrob service on all DX nodes: sudo systemctl stop heartthrob.service
• Submit the desired change using AllConf webpage
• Restart con gServer on all nodes: sudo systemctl restart con gserver.service
• Restart the relevant services (whose con guration was changed): sudo systemctl restart
anubis.service
• Start Hearthrob on all nodes: sudo systemctl start heartthrob.service
Note - When ElasticSearch con guration is changed in AllConf, the Elasticsearch must be
restarted, so it is best to not use this process and simply submit the change normally via
AllConf, which will restart the necessary services automatically.

Version history

Revision #: 2 of 2
Last update: 09-23-2017 02:34 AM
Updated by: AndyCulpepper
 
View article history

Labels (4)

Administration Data Indexer diagnostic DX

Contributors

AndyCulpepper

Comment