        What’s New in
    LogRhythm® Version 5.1

Dear LogRhythm Customers,

I am pleased to introduce LogRhythm 5.1, the latest version of our award-winning software. I think you will be
very happy with the extensive list of new features, capabilities, and improvements introduced. As I think you'll
come to appreciate, LogRhythm 5.1 is far from a typical minor release.

I think this release provides a great balance between core “blocking and tackling” capabilities and leading-edge
innovation. We have long felt our log data collection and management infrastructure is second-to-none. We
continue to invest in this area by adding significant new log collection capabilities including native support for
SNMP traps and the latest version of Netflow. We have invested in improving our reporting infrastructure by
providing you the ability to create your own templates for determining exactly how you want a report to look.
In addition, you can select to use your company logo instead of ours for presentation in a report. We have
introduced new meta-data fields and significantly enhanced how some derived meta-data values are determined.
We also introduced a variety of new capabilities and improvements for easing the administration of your
LogRhythm deployment.

On more of the leading-edge innovation front, we have introduced a number of new features that I am
personally very excited about. We've added Geolocation, the ability to see where hosts contained in log
messages physically reside. While some of our competitors have capabilities in this area, what excites me is
that we introduce Geolocation at the log and event layer whereas others have only focused at the event layer.
This provides great forensic context for every log message, context that provides a wealth of capabilities today
and more in the future. One of those capabilities is leveraged in another new feature called Network
Visualization. This is a very powerful visual analysis tool that provides a visual depiction of host-to-host
relationships across boundaries such as location.

One thing I feel has always differentiated us is our focus on filling the “visibility gaps”. While logs do provide
tremendous visibility on their own, often they don't provide the complete story. A core capability of the
LogRhythm System Monitor is to fill in these gaps at the endpoint. Two new powerful forensic visibility
capabilities have been introduced in 5.1. Process Monitor provides independent monitoring of processes
running on a host, when they start, and when they stop. Network Monitor provides independent monitoring of
listening services, inbound connections, and outbound connections to/from a host. These capabilities, combined
with existing endpoint monitoring features (i.e., File Integrity Monitor, DataLoss Defender), provide powerful
and unequaled forensic awareness and visibility at the host.

I hope you find LogRhythm 5.1 as exciting as we do. The LogRhythm engineering team has worked hard to
bring you another quality software release we are very proud of.

Sincerely,

Chris Petersen
CTO, VP Engineering, Co-founder

Overview
This document provides a brief description of new features and the most significant improvements introduced in
LogRhythm 5.1. Please refer to the Release Notes for the complete list of new features, improvements, modifications, and
known issues found in LogRhythm 5.1.


System Monitor Features and Improvements
New Operating System Support
We have added support for the following operating systems and Linux distributions:
      HP-UX
      Linux Debian
      Linux Ubuntu

New Collection Interfaces, Capabilities, and Improvements
SNMP Trap Listener
The Windows System Monitor now includes an integrated SNMP Trap Listener. SNMP versions 1, 2 and 3 are
supported.

Netflow v9
The Windows System Monitor now supports Netflow v9 in addition to versions 1 and 5. This provides support for the
latest version of Netflow shipping with Cisco products. Netflow v9 is also compatible with a variety of non-Cisco
products.

Recursive Flat File Collection
This capability allows for the collection of flat files matching a specific file name pattern that reside in the root or in child
directories. This is ideal for applications (e.g., web servers) that generate new directories containing log files on a daily or
weekly basis.

Integrated Syslog Server for UNIX and Linux System Monitor
The Windows System Monitor has always had an integrated Syslog Listener for receiving UDP and TCP based Syslog.
This same capability has been added in UNIX and Linux versions of the System Monitor. This is ideal for extending the
collection infrastructure in *NIX-centric environments where a single agent can collect and forward Syslog from the
entire environment.

Checkpoint Firewall/VPN Secure Configuration Verification (SCV) Support
The Windows System Monitor now supports collection of logs generated via Checkpoint's Secure Configuration
Verification module.

Windows Remote Event Log Connection Optimization
The number and frequency of new connections required to collect Event Logs remotely has been significantly reduced.
This results in overall performance improvements and reduces the number of logs written to the Windows Security Event
log as a result of remote collection activity.

Windows 1252 Codepage Extended ASCII support
Log messages containing Extended ASCII characters for languages included in the Windows 1252 codepage will be
collected and presented in native language. This includes the following languages:

                Afrikaans                    Finnish                        Malay
                Basque                       French                         Norwegian
                Catalan                      Galician                       Portuguese
                Danish                       German                         Spanish
                Dutch                        Icelandic                      Swahili
                English                      Indonesian                     Swedish
                Faroese                      Italian



New Forensic Visibility and Awareness Features
A tenet of LogRhythm's vision is to provide profound visibility into the operating environment. We do this to help our
customers better understand the environment as it affects or is impacted by security, operations, and compliance/audit
events. In LogRhythm 5.1, we have introduced two significant features that provide forensic awareness into the activity
of a host.

Network Connection Monitor
This feature provides an audit trail of connections to and from the host on which the System Monitor is installed. We also
detect and log listening services. This is an optional capability available in System Monitor Lite that can provide constant
or on-demand visibility into how a host is interacting on the LAN, WAN and Internet.

        Use Case
        Deploy System Monitors and enable Network Connection Monitor on servers in a DMZ and alert on unauthorized
        connections from DMZ hosts to hosts on the Internet or inside the trusted network.

        Use Case
        Deploy System Monitors and enable Network Connection Monitor on key servers and alert if a network
        connection is observed initiating directly from the Internet or other unauthorized networks.


Process Monitor
This feature provides an audit trail of processes running on a host. Logs are generated whenever a new process or
program starts or a previously running process or program stops. This is an optional capability available in System
Monitor Lite that can provide constant or on-demand visibility into what processes and applications a host is running.

        Use Case
        Deploy System Monitors and enable Process Monitor on key servers. Create a whitelist of authorized programs
        and alert if any program is observed that is not on the approved whitelist.

        Use Case
        Deploy System Monitors and enable Process Monitor on user desktops. Create a blacklist of high-risk
        unauthorized programs (e.g., BitTorrent) and alert if such programs are observed on monitored hosts.
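The two Process Monitor use cases above amount to a whitelist rule for servers and a blacklist rule for desktops applied to process start events. The following added example (not LogRhythm code, and not the System Monitor's real log format) shows that logic run over a constructed key=value process audit log: it parses start/stop lines, raises an alert for any server process start not on the approved list and any desktop start on the high-risk list, and replays start/stop pairs to reconstruct what is currently running on each host. Host groups, image lists, and the log layout are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a hypothetical key=value process-audit format.
# This is NOT the real System Monitor output format; it only stands in for it.
SAMPLE_LOGS = [
    r"2011-03-01T08:00:01 host=web01 action=start pid=4120 image=C:\Windows\System32\svchost.exe user=SYSTEM",
    r"2011-03-01T08:00:05 host=web01 action=start pid=4188 image=C:\Windows\System32\inetsrv\w3wp.exe user=IIS",
    r"2011-03-01T08:01:10 host=web01 action=start pid=4300 image=C:\Users\admin\Downloads\unknown_updater.exe user=admin",
    r"2011-03-01T08:01:15 host=web01 action=stop pid=4300 image=C:\Users\admin\Downloads\unknown_updater.exe user=admin",
    r"2011-03-01T09:12:00 host=desk17 action=start pid=2200 image=C:\Program Files\uTorrent\uTorrent.exe user=jdoe",
    r"2011-03-01T09:13:00 host=desk17 action=start pid=2260 image=C:\Windows\explorer.exe user=jdoe",
]

# image= may contain spaces, so it is matched lazily up to the final " user=" token.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>start|stop) "
    r"pid=(?P<pid>\d+) image=(?P<image>.+?) user=(?P<user>\S+)$"
)


@dataclass(frozen=True)
class ProcessEvent:
    ts: str
    host: str
    action: str
    pid: int
    image: str
    user: str


def parse_line(line):
    """Parse one audit line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return ProcessEvent(m["ts"], m["host"], m["action"], int(m["pid"]), m["image"], m["user"])


def basename(path):
    """Lower-cased file name of a Windows or POSIX path, used for list matching."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Constructed policy (assumptions): which hosts are servers, the approved
# server image list, and the high-risk desktop list. Real policies should be
# per host group and should match on full path or file hash, not name alone.
SERVER_HOSTS = {"web01", "db01"}
SERVER_WHITELIST = {"svchost.exe", "w3wp.exe", "sqlservr.exe", "lsass.exe"}
DESKTOP_BLACKLIST = {"utorrent.exe", "bittorrent.exe"}


def evaluate(events):
    """Return (rule, host, image name, user) tuples for every start event that violates policy."""
    alerts = []
    for e in events:
        if e.action != "start":
            continue
        name = basename(e.image)
        if e.host in SERVER_HOSTS and name not in SERVER_WHITELIST:
            alerts.append(("unapproved_server_process", e.host, name, e.user))
        elif e.host not in SERVER_HOSTS and name in DESKTOP_BLACKLIST:
            alerts.append(("blacklisted_desktop_process", e.host, name, e.user))
    return alerts


def running_processes(events):
    """Replay start/stop events to reconstruct what is still running, keyed by (host, pid)."""
    running = {}
    for e in events:
        key = (e.host, e.pid)
        if e.action == "start":
            running[key] = e.image
        else:
            running.pop(key, None)
    return running


if __name__ == "__main__":
    parsed = [ev for ev in map(parse_line, SAMPLE_LOGS) if ev is not None]
    for alert in evaluate(parsed):
        print(alert)
    print(len(running_processes(parsed)), "processes still running")
```

Matching on the image file name alone, as above, is the simplest whitelist and is easy to evade by renaming; the same structure works unchanged if the policy sets hold full paths or file hashes instead.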

System Monitor Feature Matrix

                                                                   System Monitor                  System Monitor
                                                                            Lite                            Pro
                                                                Windows             UNIX        Windows            UNIX
  Timestamp Normalization                                           X                 X             X                X
  Collection Scheduling                                             X                 X             X                X
  Compressed Data Transmission                                      X                 X             X                X
  Encrypted Data Transmission                                       X                 X             X                X
  Flat File Log Collection                                          X                 X             X                X
  Recursive Flat File Log Collection                             New! 5.1          New! 5.1      New! 5.1         New! 5.1
  Windows Event Log Collection                                      X                               X
  Remote Windows Event Log Collection                               X                               X
  Integrated UDP Syslog Server                                      X              New! 5.1         X             New! 5.1
  Integrated TCP Syslog Server                                      X              New! 5.1         X             New! 5.1
  Integrated Netflow Server v1 and v5                                                               X
  Integrated Netflow Server v9                                                                   New! 5.1
  Integrated SNMP Trap Receiver                                                                  New! 5.1
  Remote Checkpoint Firewall Log Collection (via LEA)                                               X
  Remote Cisco IDS Log Collection (via SDEE)                                                        X
  Remote Database Log Collection (UDLA)                                                             X
  System Performance Monitoring                                     X                 X             X                X
  Data Loss Defender                                                X                               X
  File Integrity Monitoring                                                                         X                X
  Process Monitor                                                New! 5.1          New! 5.1      New! 5.1         New! 5.1
  Network Connection Monitor                                     New! 5.1          New! 5.1      New! 5.1         New! 5.1
  User Activity Monitoring                                          X                 X             X                X




New Meta-data Fields and Resolution Enhancements
In 5.1, new meta-data fields have been introduced. We have also improved how some derived values are determined. These are
very significant changes in terms of what information is presented for every log message and event. These new fields and
enhancements provide immediate value from an analysis, reporting, and alerting standpoint. They have also been
implemented to prepare for additional automated and visual analysis capabilities planned in future releases.

        NOTE: It is very important the Administrator of LogRhythm understands how the configuration of your
        deployment affects how these fields are determined and as a result, their usefulness throughout the product.
        Please refer to online help to learn more or contact support for additional information.


New Meta-Data Fields
Origin & Impacted Entity
The Origin Entity is the Entity to which the Origin Host is associated. The Impacted Entity is the Entity to which the
Impacted Host is associated. Because Entities typically map to physical operating locations or classes of systems, these
two fields provide very useful context in terms of understanding the Entity from which the action (e.g., attack, logon)
originated and the Entity impacted by the action. The introduction of these fields enables analysis, reporting and alerting
based on the Entity in which the Origin or Impacted Host resides.

        Use Case
        Report and alert on authentication activity across Entity boundaries. For instance, if each entity were a separate
        business unit, this report would be of authentications between business units.

Origin & Impacted Network
The Origin Network is the network to which the Origin Host is associated. The Impacted Network is the Network to
which the Impacted Host is associated. These two fields provide very useful context when analyzing Host-to-Network
and Network-to-Network relationships. The introduction of these fields enables analysis, reporting and alerting based on
the Network in which the Origin or Impacted Host resides.

        Use Case
        Report and alert on network traffic between untrusted and trusted networks. For instance, if you had created a
        DMZ Network and a Production Servers Network, you could alert on any activity originating from the DMZ
        Network targeting any host in the Production Servers network.

Origin & Impacted Zone
The Origin Zone is the Zone (Internal, External, DMZ) in which the Origin Host resides. The Impacted Zone is the Zone
in which the Impacted Host resides. The introduction of these fields enables analysis and reporting based on the Zone in
which the Origin or Impacted Host resides.

Origin & Impacted Location
The Origin Location is the location in which the Origin Host resides. The Impacted Location is the location in which the
Impacted Host resides. Location can be presented or considered for filtering at the Country, Region, or City level. These
fields are introduced as part of the new Geolocation feature described below and enable analysis, reporting, and alerting
based on geographic location.
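The Origin/Impacted Network, Entity, Zone and Location fields described above are all derived from the same lookup: the host address is matched against the configured Known Networks, and the network's attributes are copied onto the log. The added example below (not LogRhythm code; the configuration, the field names and the zone-to-direction mapping are assumptions) performs that enrichment with a longest-prefix match, derives a Direction value from the two zones, and then applies the use-case rules from this section and from the Network Connection Monitor section: DMZ to Production Servers traffic, DMZ to Internet connections, and authentications that cross an Entity boundary. Static location assignment, as in the Geolocation feature, is represented by the location string carried on each Known Network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class KnownNetwork:
    name: str
    cidr: str
    entity: str      # operating location or class of systems the range belongs to
    zone: str        # Internal, External or DMZ
    location: str    # static location assignment, Country/Region/City


# Constructed Known Network configuration (hypothetical, not exported from any deployment).
KNOWN_NETWORKS = [
    KnownNetwork("Corp LAN", "10.1.0.0/16", "Headquarters", "Internal", "US/Colorado/Boulder"),
    KnownNetwork("Production Servers", "10.2.0.0/24", "Headquarters", "Internal", "US/Colorado/Boulder"),
    KnownNetwork("DMZ", "192.0.2.0/24", "Headquarters", "DMZ", "US/Colorado/Boulder"),
    KnownNetwork("EMEA Office", "10.50.0.0/16", "EMEA", "Internal", "UK/Berkshire/Maidenhead"),
]


@dataclass(frozen=True)
class HostContext:
    host: str
    network: Optional[str]
    entity: Optional[str]
    zone: str
    location: Optional[str]


def resolve_host(ip_text):
    """Map an address to its Known Network by longest prefix match.

    Anything outside the configured networks is treated as External, RFC 1918
    space included, so every internal range must be configured for the derived
    fields to be trustworthy. This is the example's own rule, not the product's.
    """
    ip = ipaddress.ip_address(ip_text)
    best, best_len = None, -1
    for net in KNOWN_NETWORKS:
        n = ipaddress.ip_network(net.cidr)
        if ip in n and n.prefixlen > best_len:
            best, best_len = net, n.prefixlen
    if best is None:
        return HostContext(ip_text, None, None, "External", None)
    return HostContext(ip_text, best.name, best.entity, best.zone, best.location)


def direction(origin_zone, impacted_zone):
    """Assumed zone-to-direction mapping for the example, not LogRhythm's documented rules."""
    if origin_zone == impacted_zone:
        return "Local"
    if impacted_zone == "External":
        return "Outbound"
    if origin_zone == "External":
        return "Inbound"
    return "Internal"  # DMZ <-> Internal crossings


def enrich(log):
    """Attach Origin/Impacted Network, Entity, Zone, Location and Direction to a log record."""
    o, i = resolve_host(log["origin"]), resolve_host(log["impacted"])
    return {
        **log,
        "origin_network": o.network, "origin_entity": o.entity,
        "origin_zone": o.zone, "origin_location": o.location,
        "impacted_network": i.network, "impacted_entity": i.entity,
        "impacted_zone": i.zone, "impacted_location": i.location,
        "direction": direction(o.zone, i.zone),
    }


def evaluate(logs):
    """Apply the three use-case rules from the text to enriched logs."""
    alerts = []
    for log in logs:
        e = enrich(log)
        if e["origin_network"] == "DMZ" and e["impacted_network"] == "Production Servers":
            alerts.append(("dmz_to_production", e["origin"], e["impacted"]))
        if e["origin_zone"] == "DMZ" and e["impacted_zone"] == "External":
            alerts.append(("dmz_to_internet", e["origin"], e["impacted"]))
        if (e["action"] == "logon" and e["origin_entity"] and e["impacted_entity"]
                and e["origin_entity"] != e["impacted_entity"]):
            alerts.append(("cross_entity_auth", e["origin_entity"], e["impacted_entity"]))
    return alerts


# Constructed log records already reduced to origin/impacted address and action.
SAMPLE_LOGS = [
    {"origin": "192.0.2.10", "impacted": "10.2.0.15", "action": "connect"},    # DMZ -> Production
    {"origin": "10.50.3.7", "impacted": "10.1.4.20", "action": "logon"},       # EMEA -> HQ authentication
    {"origin": "192.0.2.10", "impacted": "203.0.113.9", "action": "connect"},  # DMZ -> unconfigured (External)
    {"origin": "10.1.4.20", "impacted": "10.1.4.21", "action": "logon"},       # within Corp LAN
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOGS):
        print(alert)
```

The rules only work as well as the Known Network table: a host in an unconfigured internal range comes back with no Network or Entity and is classified External, which is exactly the configuration dependency the note at the start of this section warns about.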


Meta-Data Field Resolution Enhancements
The approach for deriving the following fields has been modified and improved in LogRhythm 5.1. Although these
improvements should not negatively affect an existing deployment, it is important to understand how these fields are
determined based on your configuration.

                Known Origin Host                       Origin Zone*
                Known Impacted Host                     Impacted Zone*
                Known Origin Network*                   Direction
                Known Impacted Network*

    * NOTE: Although these fields are listed as new in 5.1, the fields did exist in previous versions. However, they were
    minimally exposed or completely hidden from the end-user. In 5.1 how these fields are determined has changed
    and the fields are visible and usable directly by the end-user.


Log Analysis Features and Improvements
Geolocation
Ever wonder where an attack originated from geographically or where data was sent to? With LogRhythm Geolocation
wonder no more. LogRhythm's Geolocation capability can provide city level location awareness for every Origin and
Impacted Host represented in a log message. This capability is implemented at the Log Manager layer meaning EVERY
log collected by LogRhythm can have Geolocation information assigned. Geolocation information is assigned to a log
based on static assignment and automatic resolution.

Static location assignment is available to all 5.1 users. This capability allows you to assign specific locations to Known
Hosts and Networks that will be used during log processing to assign location to Origin and Impacted Hosts.

Automatic location resolution requires a separate software license purchased on an annual subscription basis. Automatic
location resolves public IP addresses to the last known physical location. The list of last known locations is provided via
the LogRhythm knowledge base and updated periodically. Country-level resolution accuracy is 99.9% with city level
resolution accuracy around 95%. Annual license fees for this functionality are $1,000, $2,500 and $5,000 for
LR500/LRX1, LR1000/LRX2 and LR2000/LRX3 XM and LM models respectively. If you are interested in licensing this
capability, please contact your LogRhythm Customer Relationship Manager at (303) 413-8745.

Geolocation information is available in Personal Dashboard, Investigator, and Tail. It is also available in Reports
targeting the Event Manager or Log Managers. Geolocation information is not currently available in Log Miner or
LogMart. Geolocation criteria can be specified for searches and for reports. Criteria can also be specified for Alarm
Rules and Global Log Processing Rules.

        Use Case
        Report and alert on remote authentication activity originating from locations outside expected states and/or
        countries.

        Use Case
        Report and alert on data transfers from sensitive servers to locations outside known and authorized geographic
        operating locations.

Network Visualization
A new tool has been added to Investigator for visually describing the relationships between hosts as represented in log
data. This tool maps the relationships between hosts as contained within configurable containers such as Zone (e.g., DMZ,
Internal), Location, and Network. Failure and security conditions are depicted with red links. Line width represents the
relative amount of activity between related hosts or host containers. “Mousing” over hosts or host containers provides
summary statistics such as kilobytes of traffic, packet counts, and log counts. This tool provides a revolutionary new way
of looking at log data containing information on host-to-host interactions.

The following screenshot depicts Port 80 and 443 traffic.

New Investigator and Personal Dashboard Charts
Two new charts have been added to Investigator and Personal Dashboard:
      Logs by Day and Hour
      Logs by Day of Week and Hour of Day

       Use Case
       Analyze VPN activity by day and hour of day to visually see the frequency and pattern of VPN authentications.
       Identify anomalous trends in VPN activity based on daily averages and/or time-of-day.
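The "Logs by Day of Week and Hour of Day" chart is a 7-by-24 histogram, and the VPN use case above is a matter of bucketing timestamps into it and looking for cells that stand out from that weekday's norm. The added example below (not LogRhythm code; the sample timestamps are constructed and the thresholding rule is the example's own) builds the grid from two weeks of business-hours VPN logons plus a burst of early-Sunday logons, computes the per-weekday daily average the use case refers to, and flags any hour whose count sits more than k standard deviations above that weekday's hourly mean.

```python
import statistics
from datetime import datetime, timedelta

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def build_sample_timestamps():
    """Constructed VPN authentication timestamps (ISO 8601), not real data:
    two weeks of one logon per hour from 08:00 to 17:00, Monday to Friday,
    plus a burst of nine logons on Sunday 2011-03-13 around 03:00."""
    stamps = []
    start = datetime(2011, 3, 7)  # a Monday
    for day in range(14):
        d = start + timedelta(days=day)
        if d.weekday() < 5:
            for hour in range(8, 18):
                stamps.append(d.replace(hour=hour, minute=15).isoformat())
    for minute in range(0, 45, 5):
        stamps.append(datetime(2011, 3, 13, 3, minute).isoformat())
    return stamps


def bucket_by_dow_hour(timestamps):
    """Return a 7x24 grid where grid[weekday][hour] is the number of logs in that bucket."""
    grid = [[0] * 24 for _ in range(7)]
    for ts in timestamps:
        t = datetime.fromisoformat(ts)
        grid[t.weekday()][t.hour] += 1
    return grid


def daily_average(grid, weeks):
    """Average number of logs per weekday over the observed number of weeks."""
    return {DAYS[d]: sum(grid[d]) / weeks for d in range(7)}


def anomalous_buckets(grid, k=3.0):
    """Flag (weekday, hour, count) buckets whose count exceeds that weekday's
    mean hourly count by more than k population standard deviations.
    A weekday with no variation (all hours equal) can never be flagged."""
    flagged = []
    for d in range(7):
        mean = statistics.mean(grid[d])
        sd = statistics.pstdev(grid[d])
        for hour, count in enumerate(grid[d]):
            if count > mean + k * sd:
                flagged.append((DAYS[d], hour, count))
    return flagged


if __name__ == "__main__":
    grid = bucket_by_dow_hour(build_sample_timestamps())
    for day, row in zip(DAYS, grid):
        print(day, " ".join(f"{c:2d}" for c in row))
    print("daily averages:", daily_average(grid, weeks=2))
    print("anomalies:", anomalous_buckets(grid))
```

Comparing each hour against its own weekday, rather than against a global mean, is what keeps the normal 08:00 to 17:00 weekday peaks from being flagged while the 03:00 Sunday burst is.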

New Investigator Meta-Data Charts
Three new charts have been added to the Meta-data Statistics tool within Investigator. These three charts provide a visual
display of every unique meta-data value compared to all other values across the number of logs, the amount of data
sent/received, and the number of packets sent/received. These charts are designed to provide visual trending and easy
identification of anomalous activity. Following is a screenshot of the three new charts for a meta-data statistics pane
configured to show Impacted Host.
         Impacted Hosts by Log Count
         Impacted Host by KBytes In/Out
         Impacted Host by Items In/Out




Time-based Drill-Down Improvements
An improved drill-down mechanism has been introduced for all charts that show activity by time. In previous versions of
LogRhythm, you were able to drill down on an individual point representing a time range. In 5.1, this capability remains,
and you can now also select a range of time. In any time-based chart, click and hold the left mouse button and drag the
mouse to the right until you reach the end of the range. Release the left mouse button and double click inside the
highlighted area to drill down.

Reporting New Features and Improvements
Custom Report Templates
You can now create your own report templates if the provided out-of-the-box templates do not suit your organization's
needs. Both detail and summary templates can be created via a Wizard based tool. All log message properties can be used
with a variety of grouping and sorting options. The result is near infinite possibilities in terms of what you want included
in a report. This capability combined with LogRhythm's previous reporting capabilities provides near limitless reporting
options.

Custom Report Branding
You can now replace the LogRhythm logo that is printed on reports with an image of your choosing. This is done by
selecting File > Options from the Report Center and checking the 'Use Custom Logo' checkbox.




Event Management New Features and Improvements
Batch Alarm Record Management
You can now select multiple alarms in Alarm Viewer and edit their status/comments in batch.

Personal Dashboard Shared Filters
The filtering function within Personal Dashboard has been significantly improved. Filters are easier to create and manage
with more powerful filtering options. In addition, Personal Dashboard Filters can be shared across the LogRhythm user
base.

        Use Case
        Configure shared Personal Dashboard Filters for the security analyst team and helpdesk operations. When these
        users access their Personal Dashboard, the events displayed are automatically filtered based on their job
        function.


Administration New Features and Improvements
Batch System Monitor Agent Editing
All properties of a System Monitor can now be edited in batch. This simplifies the administration of deployments where
large numbers of System Monitors are deployed.

Batch Host and Network Editing
Hosts and Networks can now be edited in batch. The following properties are available for batch editing:
        Zone
        Location
        Risk Level
        Threat Level

Right Click Add Host
Ever wished you could add a host from a log message you are analyzing to LogRhythm's list of Known Hosts? Wish no
more. A new context menu is available off Log/Event lists. Simply select the log or event containing the host you wish to
add and select to add Origin or Impacted Host as a Known Host.

LogRhythm Headquarters: 3195 Sterling Circle, Boulder, CO 80301, 303-413-8745
LogRhythm EMEA: Siena Court, The Broadway, Maidenhead, Berkshire SL6 1NJ, United Kingdom, +44 (0) 1628 509 070
LogRhythm Asia Pacific Ltd.: 8/F Exchange Square II, 8 Connaught Place, Central, Hong Kong, +852 2297 2812

More Related Content

PPSX
FD.io Vector Packet Processing (VPP)
PDF
Hackerworkshop exercises
PDF
TekSIP Datasheet
PDF
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
PPTX
Txt Introduction
PDF
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
PDF
Integrity Protection for Embedded Systems
PDF
2009-01-20 RHEL 5.3 for System z
FD.io Vector Packet Processing (VPP)
Hackerworkshop exercises
TekSIP Datasheet
2008-09-09 IBM Interaction Conference, Red Hat Update for System z
Txt Introduction
Emerging Persistent Memory Hardware and ZUFS - PM-based File Systems in User ...
Integrity Protection for Embedded Systems
2009-01-20 RHEL 5.3 for System z

What's hot (20)

PDF
DPDK In Depth
PDF
OpenZFS - AsiaBSDcon
PDF
Foss Gadgematics
PDF
EBPF and Linux Networking
PDF
Introduction to eBPF
PDF
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
PDF
OpenZFS code repository
PPTX
Devicemgmt
PPTX
SC'18 BoF Presentation
PDF
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
PDF
Ryu: network operating system
PDF
Enterprise ids-columbus securitysummit-02
PDF
OpenZFS Channel programs
PDF
Data Plane and VNF Acceleration Mini Summit
ODP
Firewalld : A New Interface to Your Netfilter Stack
PDF
LF_DPDK_Mellanox bifurcated driver model
PDF
Kernel Recipes 2016 - New hwmon device registration API - Jean Delvare
PPT
OpenFlow tutorial
PPTX
Vigor 3910 docker firmware quick start
PDF
OpenWrt From Top to Bottom
DPDK In Depth
OpenZFS - AsiaBSDcon
Foss Gadgematics
EBPF and Linux Networking
Introduction to eBPF
OSMC 2009 | net-snmp: The forgotten classic by Dr. Michael Schwartzkopff
OpenZFS code repository
Devicemgmt
SC'18 BoF Presentation
DockerCon 2017 - Cilium - Network and Application Security with BPF and XDP
Ryu: network operating system
Enterprise ids-columbus securitysummit-02
OpenZFS Channel programs
Data Plane and VNF Acceleration Mini Summit
Firewalld : A New Interface to Your Netfilter Stack
LF_DPDK_Mellanox bifurcated driver model
Kernel Recipes 2016 - New hwmon device registration API - Jean Delvare
OpenFlow tutorial
Vigor 3910 docker firmware quick start
OpenWrt From Top to Bottom
Ad

Viewers also liked (20)

PDF
LogRhythm Web Rhythm Data Sheet
PDF
LogRhythm Advanced Agent Data Sheet
PDF
Securityanalytics
PDF
LogRhythm Training Syllabus Data Sheet
PPTX
Demo how to detect ransomware with alien vault usm_gg
PDF
8 Reasons to Choose Logrhythm
PPTX
Detecting and Blocking Suspicious Internal Network Traffic
PPTX
Introducing Oracle Audit Vault and Database Firewall
PDF
Activated Charcoal - Making Sense of Endpoint Data
PPTX
SIEM 101: Get a Clue About IT Security Analysis
PPTX
Malware detection how to spot infections early with alien vault usm
PDF
SIEM evolution
PPTX
Security Monitoring using SIEM null bangalore meet april 2015
PDF
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
PPTX
Implementing and Running SIEM: Approaches and Lessons
PDF
How to Choose the Right Security Information and Event Management (SIEM) Solu...
PDF
SIEM Architecture
PPTX
Beginner's Guide to SIEM
PDF
SIEM vs Log Management - Data Security Solutions 2011
PDF
From SIEM to SA: The Path Forward
 
LogRhythm Web Rhythm Data Sheet
LogRhythm Advanced Agent Data Sheet
Securityanalytics
LogRhythm Training Syllabus Data Sheet
Demo how to detect ransomware with alien vault usm_gg
8 Reasons to Choose Logrhythm
Detecting and Blocking Suspicious Internal Network Traffic
Introducing Oracle Audit Vault and Database Firewall
Activated Charcoal - Making Sense of Endpoint Data
SIEM 101: Get a Clue About IT Security Analysis
Malware detection how to spot infections early with alien vault usm
SIEM evolution
Security Monitoring using SIEM null bangalore meet april 2015
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
Implementing and Running SIEM: Approaches and Lessons
How to Choose the Right Security Information and Event Management (SIEM) Solu...
SIEM Architecture
Beginner's Guide to SIEM
SIEM vs Log Management - Data Security Solutions 2011
From SIEM to SA: The Path Forward
 
Ad

Similar to What's New Logrhythm 5.1 Data Sheet (20)

PDF
LWdatasheet
PPT
Unix Web servers and FireWall
PDF
Linux on System z Update: Current & Future Linux on System z Technology
PDF
Linux firmware for iRMC controller on Fujitsu Primergy servers
PDF
Monitoring&Logging - Stanislav Kolenkin
PDF
Building complex and modular RIAs with OSGi and Flex
PDF
Rhel7 vs rhel6
PDF
What's New in RHEL 6 for Linux on System z?
DOCX
Linux Implementation ProposalRichard JohnsonWhy Linux .docx
PDF
#OSSPARIS19 - Tuto de première installation de VITAM, un système d'archivage ...
PDF
OSMC 2011 | Safed as an agent for supporting a central collection of events w...
ODP
Graphical libraries
PDF
HP ProLiant Value Add tools
PDF
OSDC 2011 | RedHat Satellite - Einsatzweise und Möglichkeiten by Dirk Hermann
PPT
comparing windows and linux ppt
PPTX
Kostas Tzoumas - Apache Flink®: State of the Union and What's Next
PDF
VMware ThinApp 4.5
ODP
Open Source Monitoring Tools Shootout
PPT
The X Window System Graphical User Interface
DOCX
Prizm Installation Guide
LWdatasheet
Unix Web servers and FireWall
Linux on System z Update: Current & Future Linux on System z Technology
Linux firmware for iRMC controller on Fujitsu Primergy servers
Monitoring&Logging - Stanislav Kolenkin
Building complex and modular RIAs with OSGi and Flex
Rhel7 vs rhel6
What's New in RHEL 6 for Linux on System z?
Linux Implementation ProposalRichard JohnsonWhy Linux .docx
#OSSPARIS19 - Tuto de première installation de VITAM, un système d'archivage ...
OSMC 2011 | Safed as an agent for supporting a central collection of events w...
Graphical libraries
HP ProLiant Value Add tools
OSDC 2011 | RedHat Satellite - Einsatzweise und Möglichkeiten by Dirk Hermann
comparing windows and linux ppt
Kostas Tzoumas - Apache Flink®: State of the Union and What's Next
VMware ThinApp 4.5
Open Source Monitoring Tools Shootout
The X Window System Graphical User Interface
Prizm Installation Guide

More from jordagro (19)

PDF
LogRhythm Alerting on the Absence of an Event Use Case UK
PDF
LogRhythm Zero Day Exploits Use Case
PDF
LogRhythm Visualization Use Case
PDF
LogRhythm Time-to-Value Use Case
PDF
LogRhythm Rapid Forensics Use Case
PDF
LogRhythm Privileged Use Monitoring Use Case
PDF
LogRhythm Operations Use Case
PDF
LogRhythm Geolocation Use Case
PDF
LogRhythm E Phi Use Case
PDF
LogRhythm Siem 2.0 Flyer
PDF
LogRhythm Professional Services Overview Data Sheet
PDF
LogRhythm PowerTech Interact Data Sheet
PDF
LogRhythm Advanced Intelligence Engine Data Sheet
PDF
LogRhythm Visualize This Data Sheet
PDF
LogRhythm Overview Data Sheet
PDF
LogRhythm FIPS Data Sheet
PDF
LogRhythm High Availability Solutions Data Sheet
PDF
File Integrity Monitoring Data Sheet
PDF
LogRhythm Appliance Data Sheet
LogRhythm Alerting on the Absence of an Event Use Case UK
LogRhythm Zero Day Exploits Use Case
LogRhythm Visualization Use Case
LogRhythm Time-to-Value Use Case
LogRhythm Rapid Forensics Use Case
LogRhythm Privileged Use Monitoring Use Case
LogRhythm Operations Use Case
LogRhythm Geolocation Use Case

What's New Logrhythm 5.1 Data Sheet

  • 1. What’s New in LogRhythm® Version 5.1
  • 2. Dear LogRhythm Customers,

I am pleased to introduce LogRhythm 5.1, the latest version of our award-winning software. I think you will be very happy with the extensive list of new features, capabilities, and improvements introduced. As I think you'll come to appreciate, LogRhythm 5.1 is far from a typical minor release.

I think this release provides a great balance between core "blocking and tackling" capabilities with leading-edge innovation. We have long felt our log data collection and management infrastructure is second-to-none. We continue to invest in this area by adding significant new log collection capabilities including native support for SNMP traps and the latest version of Netflow. We have invested in improving our reporting infrastructure by providing you the ability to create your own templates for determining exactly how you want a report to look. In addition, you can select to use your company logo instead of ours for presentation in a report. We have introduced new meta-data fields and significantly enhanced how some derived meta-data values are determined. We also introduced a variety of new capabilities and improvements for easing the administration of your LogRhythm deployment.

On more of the leading-edge innovation front, we have introduced a number of new features that I am personally very excited about. We've added Geolocation, the ability to see where hosts contained in log messages physically reside. While some of our competitors have capabilities in this area, what excites me is that we introduce Geolocation at the log and event layer whereas others have only focused at the event layer. This provides great forensic context for every log message, context that provides a wealth of capabilities today and more in the future. One of those capabilities is leveraged in another new feature called Network Visualization. This is a very powerful visual analysis tool that provides a visual depiction of host-to-host relationships across boundaries such as location.

One thing I feel has always differentiated us is our focus on filling the "visibility gaps". While logs do provide tremendous visibility on their own, often they don't provide the complete story. A core capability of the LogRhythm System Monitor is to fill in these gaps at the endpoint. Two new powerful forensic visibility capabilities have been introduced in 5.1. Process Monitor provides independent monitoring of processes running on a host, when they start, and when they stop. Network Monitor provides independent monitoring of listening services, inbound connections, and outbound connections to/from a host. These capabilities, combined with existing endpoint monitoring features (i.e., File Integrity Monitor, Data Loss Defender), provide powerful and unequaled forensic awareness and visibility at the host.

I hope you find LogRhythm 5.1 as exciting as we do. The LogRhythm engineering team has worked hard to bring you another quality software release we are very proud of.

Sincerely,
Chris Petersen
CTO, VP Engineering, Co-founder
  • 3. Overview

This document provides a brief description of new features and the most significant improvements introduced in LogRhythm 5.1. Please refer to the Release Notes for the complete list of new features, improvements, modifications, and known issues found in LogRhythm 5.1.

System Monitor Features and Improvements

New Operating System Support
We have added support for the following operating systems and Linux distributions:
- HP-UX
- Linux Debian
- Linux Ubuntu

New Collection Interfaces, Capabilities, and Improvements

SNMP Trap Listener
The Windows System Monitor now includes an integrated SNMP Trap Listener. SNMP versions 1, 2 and 3 are supported.

Netflow v9
The Windows System Monitor now supports Netflow v9 in addition to versions 1 and 5. This provides support for the latest version of Netflow shipping with Cisco products. Netflow v9 is also compatible with a variety of non-Cisco products.

Recursive Flat File Collection
This capability allows for the collection of flat files matching a specific file name pattern that reside in root or child directories. This is ideal for applications (e.g., web servers) that generate new directories containing log files on a daily or weekly basis.

Integrated Syslog Server for UNIX and Linux System Monitor
The Windows System Monitor has always had an integrated Syslog Listener for receiving UDP- and TCP-based Syslog. This same capability has been added to the UNIX and Linux versions of the System Monitor. This is ideal for extending the collection infrastructure in *NIX-centric environments, where a single agent can collect and forward Syslog from the entire environment.

Checkpoint Firewall/VPN Secure Configuration Verification (SCV) Support
The Windows System Monitor now supports collection of logs generated via Checkpoint's Secure Configuration Verification module.

Windows Remote Event Log Connection Optimization
The number and frequency of new connections required to collect Event Logs remotely has been significantly reduced. This results in overall performance improvements and reduces the number of logs written to the Windows Security Event Log as a result of remote collection activity.
  • 4. Windows 1252 Codepage Extended ASCII Support

Log messages containing Extended ASCII characters for languages included in the Windows 1252 codepage will be collected and presented in the native language. This includes the following languages:

Afrikaans, Basque, Catalan, Danish, Dutch, English, Faroese, Finnish, French, Galician, German, Icelandic, Indonesian, Italian, Malay, Norwegian, Portuguese, Spanish, Swahili, Swedish

New Forensic Visibility and Awareness Features

A tenet of LogRhythm's vision is to provide profound visibility into the operating environment. We do this to help our customers better understand the environment as it affects or is impacted by security, operations, and compliance/audit events. In LogRhythm 5.1, we have introduced two significant features that provide forensic awareness into the activity of a host.

Network Connection Monitor
This feature provides an audit trail of connections to and from the host on which the System Monitor is installed. We also detect and log listening services. This is an optional capability available in System Monitor Lite that can provide constant or on-demand visibility into how a host is interacting on the LAN, WAN and Internet.

Use Case: Deploy System Monitors and enable Network Connection Monitor on servers in a DMZ and alert on unauthorized connections from DMZ hosts to hosts on the Internet or inside the trusted network.

Use Case: Deploy System Monitors and enable Network Connection Monitor on key servers and alert if a network connection is observed initiating directly from the Internet or other unauthorized networks.

Process Monitor
This feature provides an audit trail of processes running on a host. Logs are generated whenever a new process or program starts or a previously running process or program stops. This is an optional capability available in System Monitor Lite that can provide constant or on-demand visibility into what processes and applications a host is running.

Use Case: Deploy System Monitors and enable Process Monitor on key servers. Create a whitelist of authorized programs and alert if any program is observed that is not in the approved whitelist.

Use Case: Deploy System Monitors and enable Process Monitor on user desktops. Create a blacklist of high-risk unauthorized programs (e.g., BitTorrent) and alert if such programs are observed on monitored hosts.
  • 5. System Monitor Feature Matrix

The matrix lists each feature for System Monitor Lite (Windows, UNIX) and System Monitor Pro (Windows, UNIX), in that order. X marks an existing capability; New! 5.1 marks one introduced in this release.

- Timestamp Normalization: X X X X
- Collection Scheduling: X X X X
- Compressed Data Transmission: X X X X
- Encrypted Data Transmission: X X X X
- Flat File Log Collection: X X X X
- Recursive Flat File Log Collection: New! 5.1, New! 5.1, New! 5.1, New! 5.1
- Windows Event Log Collection: X X
- Remote Windows Event Log Collection: X X
- Integrated UDP Syslog Server: X, New! 5.1, X, New! 5.1
- Integrated TCP Syslog Server: X, New! 5.1, X, New! 5.1
- Integrated Netflow Server v1 and v5: X
- Integrated Netflow Server v9: New! 5.1
- Integrated SNMP Trap Receiver: New! 5.1
- Remote Checkpoint Firewall Log Collection (via LEA): X
- Remote Cisco IDS Log Collection (via SDEE): X
- Remote Database Log Collection (UDLA): X
- System Performance Monitoring: X X X X
- Data Loss Defender: X X
- File Integrity Monitoring: X X
- Process Monitor: New! 5.1, New! 5.1, New! 5.1, New! 5.1
- Network Connection Monitor: New! 5.1, New! 5.1, New! 5.1, New! 5.1
- User Activity Monitoring: X X X X

New Meta-data Fields and Resolution Enhancements

In 5.1, new meta-data fields have been introduced. We have also improved how some derived values are determined. These are very significant changes in terms of what information is presented for every log message and event. These new fields and enhancements provide immediate value from an analysis, reporting, and alerting standpoint. They have also been implemented to prepare for additional automated and visual analysis capabilities planned in future releases.

NOTE: It is very important that the Administrator of LogRhythm understands how the configuration of your deployment affects how these fields are determined and, as a result, their usefulness throughout the product. Please refer to the online help to learn more or contact support for additional information.

New Meta-Data Fields

Origin & Impacted Entity
The Origin Entity is the Entity to which the Origin Host is associated. The Impacted Entity is the Entity to which the Impacted Host is associated. Because Entities typically map to physical operating locations or classes of systems, these two fields provide very useful context in terms of understanding the Entity from which the action (e.g., attack, logon) originated and the Entity impacted by the action. The introduction of these fields enables analysis, reporting and alerting based on the Entity in which the Origin or Impacted Host resides.
  • 6. New Meta-Data Fields (continued)

Use Case: Report and alert on authentication activity across Entity boundaries. For instance, if each Entity were a separate business unit, this report would show authentications between business units.

Origin & Impacted Network
The Origin Network is the Network to which the Origin Host is associated. The Impacted Network is the Network to which the Impacted Host is associated. These two fields provide very useful context when analyzing Host-to-Network and Network-to-Network relationships. The introduction of these fields enables analysis, reporting and alerting based on the Network in which the Origin or Impacted Host resides.

Use Case: Report and alert on network traffic between untrusted and trusted networks. For instance, if you had created a DMZ Network and a Production Servers Network, you could alert on any activity originating from the DMZ Network targeting any host in the Production Servers Network.

Origin & Impacted Zone
The Origin Zone is the Zone (Internal, External, DMZ) in which the Origin Host resides. The Impacted Zone is the Zone in which the Impacted Host resides. The introduction of these fields enables analysis and reporting based on the Zone in which the Origin or Impacted Host resides.

Origin & Impacted Location
The Origin Location is the location in which the Origin Host resides. The Impacted Location is the location in which the Impacted Host resides. Location can be presented or considered for filtering at the Country, Region, or City level. These fields are introduced as part of the new Geolocation feature described below and enable analysis, reporting, and alerting based on geographic location.

Meta-Data Field Resolution Enhancements
The approach for deriving the following fields has been modified and improved in LogRhythm 5.1. Although these improvements should not negatively affect an existing deployment, it is important to understand how these fields are determined based on your configuration.
- Known Origin Host
- Known Impacted Host
- Known Origin Network*
- Known Impacted Network*
- Origin Zone*
- Impacted Zone*
- Direction

* NOTE: Although these fields are listed as new in 5.1, the fields did exist in previous versions. However, they were minimally exposed or completely hidden from the end user. In 5.1, how these fields are determined has changed, and the fields are visible and usable directly by the end user.

Log Analysis Features and Improvements

Geolocation
Ever wonder where an attack originated from geographically or where data was sent to? With LogRhythm Geolocation, wonder no more. LogRhythm's Geolocation capability can provide city-level location awareness for every Origin and Impacted Host represented in a log message. This capability is implemented at the Log Manager layer, meaning EVERY log collected by LogRhythm can have Geolocation information assigned. Geolocation information is assigned to a log based on static assignment and automatic resolution.

Static location assignment is available to all 5.1 users. This capability allows you to assign specific locations to Known Hosts and Networks that will be used during log processing to assign location to Origin and Impacted Hosts.
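As an added example, not LogRhythm's own code, the following Python shows how Origin/Impacted Network and Zone can be derived for a connection record from a Known Network table, how a Direction can be derived from the two Zones (assumed semantics, not LogRhythm's definition), and how the DMZ-to-trusted-network use case above becomes an alarm rule. The network names, address ranges, port allow-list and record layout are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed Known Network table (hypothetical names; RFC 5737 / RFC 1918 ranges).
KNOWN_NETWORKS = [
    ("DMZ Network", "203.0.113.0/24", "DMZ"),
    ("Production Servers", "10.10.0.0/16", "Internal"),
    ("Corporate LAN", "10.20.0.0/16", "Internal"),
]
# Hypothetical allow-list for the DMZ egress rule: (impacted zone, impacted port).
ALLOWED_DMZ_EGRESS = {("External", 53)}

# Constructed connection records (not LogRhythm's native log format).
SAMPLE_LOGS = [
    {"origin_ip": "203.0.113.10", "impacted_ip": "10.10.5.20", "impacted_port": 1433},
    {"origin_ip": "10.20.1.5", "impacted_ip": "203.0.113.10", "impacted_port": 443},
    {"origin_ip": "198.51.100.7", "impacted_ip": "203.0.113.10", "impacted_port": 443},
    {"origin_ip": "203.0.113.10", "impacted_ip": "198.51.100.53", "impacted_port": 53},
    {"origin_ip": "203.0.113.10", "impacted_ip": "192.0.2.9", "impacted_port": 6881},
]

@dataclass
class Enriched:
    origin_network: Optional[str]
    origin_zone: str
    impacted_network: Optional[str]
    impacted_zone: str
    direction: str

def resolve_network(ip: str) -> Tuple[Optional[str], str]:
    """Most specific Known Network containing ip, or (None, 'External')."""
    addr, best = ip_address(ip), None
    for name, cidr, zone in KNOWN_NETWORKS:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net, zone)
    return (None, "External") if best is None else (best[0], best[2])

def classify_direction(origin_zone: str, impacted_zone: str) -> str:
    """Assumed Direction semantics (not LogRhythm's definition): based on
    whether each side lies outside the Known Networks."""
    o_ext, i_ext = origin_zone == "External", impacted_zone == "External"
    if o_ext and i_ext:
        return "External"
    return "Inbound" if o_ext else "Outbound" if i_ext else "Internal"

def enrich(log: dict) -> Enriched:
    """Derive Origin/Impacted Network and Zone plus Direction for one record."""
    o_net, o_zone = resolve_network(log["origin_ip"])
    i_net, i_zone = resolve_network(log["impacted_ip"])
    return Enriched(o_net, o_zone, i_net, i_zone, classify_direction(o_zone, i_zone))

def dmz_egress_alarm(e: Enriched, port: int) -> bool:
    """Alarm when a DMZ host connects to the trusted network or the Internet,
    unless the (zone, port) pair is explicitly allowed."""
    if e.origin_zone != "DMZ" or e.impacted_zone == "DMZ":
        return False
    return (e.impacted_zone, port) not in ALLOWED_DMZ_EGRESS

def alarms(logs: List[dict]) -> List[int]:
    """Indexes of records that trigger the DMZ egress alarm."""
    return [i for i, log in enumerate(logs)
            if dmz_egress_alarm(enrich(log), log["impacted_port"])]

if __name__ == "__main__":
    for i in alarms(SAMPLE_LOGS):
        e = enrich(SAMPLE_LOGS[i])
        print(f"ALARM record {i}: {e.origin_network} ({e.origin_zone}) -> "
              f"{e.impacted_network or 'Internet'} ({e.impacted_zone}), {e.direction}")
```

Records 0 (DMZ to Production Servers on 1433) and 4 (DMZ to an unknown Internet host on 6881) raise the alarm; the allowed DNS egress and the inbound and LAN-originated connections do not.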
  • 7. Geolocation (continued)

Automatic location resolution requires a separate software license purchased on an annual subscription basis. Automatic location resolution resolves public IP addresses to their last known physical location. The list of last known locations is provided via the LogRhythm knowledge base and updated periodically. Country-level resolution accuracy is 99.9%, with city-level resolution accuracy around 95%. Annual license fees for this functionality are $1,000, $2,500 and $5,000 for the LR500/LRX1, LR1000/LRX2 and LR2000/LRX3 XM and LM models respectively. If you are interested in licensing this capability, please contact your LogRhythm Customer Relationship Manager at (303) 413-8745.

Geolocation information is available in Personal Dashboard, Investigator, and Tail. It is also available in Reports targeting the Event Manager or Log Managers. Geolocation information is not currently available in Log Miner or LogMart. Geolocation criteria can be specified for searches and for reports. Criteria can also be specified for Alarm Rules and Global Log Processing Rules.

Use Case: Report and alert on remote authentication activity originating from locations outside expected states and/or countries.

Use Case: Report and alert on data transfers from sensitive servers to locations outside known and authorized geographic operating locations.

Network Visualization
A new tool has been added to Investigator for visually describing the relationships between hosts as represented in log data. This tool maps the relationships between hosts as contained within configurable containers such as Zone (e.g., DMZ, Internal), Location, and Network. Failure and security conditions are depicted with red links. Line width represents the relative amount of activity between related hosts or host containers. "Mousing" over hosts or host containers provides summary statistics such as kilobytes of traffic, packet counts, and log counts. This tool provides a revolutionary new way of looking at log data containing information on host-to-host interactions. The following screenshot depicts Port 80 and 443 traffic.
  • 8. New Investigator and Personal Dashboard Charts

Two new charts have been added to Investigator and Personal Dashboard:
- Logs by Day and Hour
- Logs by Day of Week and Hour of Day

Use Case: Analyze VPN activity by day and hour of day to visually see the frequency and pattern of VPN authentications. Identify anomalous trends in VPN activity based on daily averages and/or time of day.
  • 9. New Investigator Meta-Data Charts

Three new charts have been added to the Meta-data Statistics tool within Investigator. These three charts provide a visual display of every unique meta-data value compared to all other values across the number of logs, the amount of data sent/received, and the number of packets sent/received. These charts are designed to provide visual trending and easy identification of anomalous activity. Following is a screenshot of the three new charts for a meta-data statistics pane configured to show Impacted Host:
- Impacted Hosts by Log Count
- Impacted Host by KBytes In/Out
- Impacted Host by Items In/Out

Time-based Drill-Down Improvements
An improved drill-down mechanism has been introduced for all charts that show activity by time. In previous versions of LogRhythm, you were able to drill down on an individual point representing a time range. In 5.1, this capability remains, and the ability to select a range of time has been added. In any time-based chart, simply click and hold the left mouse button and drag the mouse to the right until you reach the end of the range. Release the left mouse button and double-click into the highlighted area to drill down.
  • 10. Reporting New Features and Improvements

Custom Report Templates
You can now create your own report templates if the provided out-of-the-box templates do not suit your organization's needs. Both detail and summary templates can be created via a Wizard-based tool. All log message properties can be used with a variety of grouping and sorting options. The result is near-infinite possibilities in terms of what you want included in a report. This capability, combined with LogRhythm's previous reporting capabilities, provides near-limitless reporting options.
  • 11. Custom Report Branding

You can now replace the LogRhythm logo that is printed on reports with an image of your choosing. This is done by selecting File > Options from the Report Center and checking the 'Use Custom Logo' checkbox.

Event Management New Features and Improvements

Batch Alarm Record Management
You can now select multiple alarms in Alarm Viewer and edit their status/comments in batch.
  • 12. Personal Dashboard Shared Filters

The filtering function within Personal Dashboard has been significantly improved. Filters are easier to create and manage, with more powerful filtering options. In addition, Personal Dashboard Filters can be shared across the LogRhythm user base.

Use Case: Configure shared Personal Dashboard Filters for the security analyst team and helpdesk operations. When these users access their Personal Dashboard, the events displayed are automatically filtered based on their job function.

Administration New Features and Improvements

Batch System Monitor Agent Editing
All properties of a System Monitor can now be edited in batch. This simplifies the administration of deployments where large numbers of System Monitors are deployed.

Batch Host and Network Editing
Hosts and Networks can now be edited in batch. The following properties are available for batch editing:
- Zone
- Location
- Risk Level
- Threat Level

Right Click Add Host
Ever wished you could add a host from a log message you are analyzing to LogRhythm's list of Known Hosts? Wish no more. A new context menu is available from Log/Event lists. Simply select the log or event containing the host you wish to add and select to add the Origin or Impacted Host as a Known Host.

LogRhythm Headquarters: 3195 Sterling Circle, Boulder, CO 80301; 303-413-8745
LogRhythm EMEA: Siena Court, The Broadway, Maidenhead, Berkshire SL6 1NJ, United Kingdom; +44 (0) 1628 509 070
LogRhythm Asia Pacific Ltd.: 8/F Exchange Square II, 8 Connaught Place, Central, Hong Kong; +852 2297 2812