LogRhythm REST API connection
05-12-2023 08:17 AM
We're in the midst of a SecOps deployment, and integrating alarms from our LogRhythm environment is a big requirement. So far, the setup has been working pretty well: using the LogRhythm Configurations page built into SecOps to connect to LogRhythm via REST API. We've actually had it in place for a few months while the environment has been in development.
However, yesterday we patched and restarted the LogRhythm servers, and the API broke. Alarms stopped importing, and the LogRhythm Configurations page is throwing the error: "Could not connect to the LogRhythm REST API. Please verify your settings and resubmit."
We restarted the API services in LogRhythm and restarted the MID service on the MID server, with no change. I'm struggling to interpret the agent0.log file from the MID server. I can see the API connection attempts in the log, but nothing that indicates what might be preventing the connection.
I can curl the API manually, so I'm thinking this is on the ServiceNow side, either in the Now platform or on the MID server. Thoughts about how to fix?
02-18-2025 12:14 AM
Hi Peter,
Have you found a solution for this issue?
We are facing the same issue.
02-18-2025 07:36 AM
Hello,
We had to open a high priority ticket with ServiceNow support, and it still took almost two months for them to resolve. The initial response we received was:
Most Probable Cause:
It appears that there was a minor glitch during the version update process. The scheduled job running at "ServiceNow" concurrently during the LogRhythm patching inadvertently placed the profile in a perpetual running state, awaiting a response from LogRhythm. Consequently, the alarms were not pulled as expected.
Solution Proposed:
The ServiceNow dev team manually set the state to waiting, allowing the alarms to be successfully pulled. As a result, the integration is now functioning correctly, and the alarms are being pulled without any complications. The dev team has diligently monitored the system for several hours, and everything is working flawlessly.
We asked what the steps were for a Platform Administrator to perform this same action in the event it occurred again, and were told that it's impossible, the SN dev team must perform it. You'll need to have Support escalate the issue to Dev immediately in order to get a timely response and resolution.
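The root cause in the support reply is a general one: a polling job that marks its profile "running", waits on a remote call, and only flips it back to "waiting" when the call returns has no recovery path if the remote side restarts mid-request. The profile then looks busy forever and every later cycle skips it. The following is an added illustrative model of that failure and of the usual mitigation (a lease on the running state plus a health check that lists profiles whose run has outlived it). It is not ServiceNow's or LogRhythm's code; only the state names "running" and "waiting" come from the thread, and the profile name, poll interval, lease length and scripted API responses are constructed for the example.

```python
"""Toy model of a polling integration profile that can get stuck in "running".

Added example, not ServiceNow or LogRhythm code. The state names follow the
support reply quoted in the thread; everything else here is assumed.
"""
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional

RUNNING = "running"
WAITING = "waiting"


@dataclass
class Profile:
    name: str
    state: str = WAITING
    started_at: Optional[float] = None   # seconds since epoch when the current run began
    pulled: List[str] = field(default_factory=list)


def make_fetch(responses: Iterable[Optional[List[str]]]) -> Callable[[], Optional[List[str]]]:
    """Constructed stand-in for the alarm API: returns the next scripted
    response per call; None models a request that never completes."""
    it = iter(responses)
    return lambda: next(it, [])


class NaivePoller:
    """Scheduled job with no recovery path: marks the profile running, calls
    the API, and resets to waiting only when the call actually returns."""

    def __init__(self, profile: Profile, fetch: Callable[[], Optional[List[str]]]):
        self.profile = profile
        self.fetch = fetch

    def poll(self, now: float) -> str:
        p = self.profile
        if p.state == RUNNING:
            return "skipped"            # looks busy, so this cycle leaves it alone
        p.state = RUNNING
        p.started_at = now
        result = self.fetch()
        if result is None:
            return "hung"               # remote restarted mid-request; state is never reset
        p.pulled.extend(result)
        p.state = WAITING
        p.started_at = None
        return "pulled"


class LeasedPoller(NaivePoller):
    """Same job, but 'running' is a lease: a run older than the lease is
    treated as dead, recorded for auditing, and reset before polling again."""

    def __init__(self, profile: Profile, fetch, lease_seconds: float):
        super().__init__(profile, fetch)
        self.lease = lease_seconds
        self.resets: List[float] = []   # timestamps of forced resets

    def poll(self, now: float) -> str:
        p = self.profile
        if p.state == RUNNING and p.started_at is not None and now - p.started_at >= self.lease:
            self.resets.append(now)
            p.state = WAITING
            p.started_at = None
        return super().poll(now)


def stuck_profiles(profiles: Iterable[Profile], now: float, lease_seconds: float) -> List[str]:
    """Detection only: names of profiles whose run has outlived the lease.
    Usable as a periodic health check even where the poller itself is not editable."""
    return [p.name for p in profiles
            if p.state == RUNNING and p.started_at is not None
            and now - p.started_at >= lease_seconds]


def simulate(poller_cls, **kwargs):
    """Five poll cycles 300 s apart (constructed); the second API call hangs."""
    responses = [["alarm-1"], None, ["alarm-2"], ["alarm-3"], ["alarm-4"]]
    profile = Profile(name="logrhythm-prod")   # constructed profile name
    poller = poller_cls(profile, make_fetch(responses), **kwargs)
    outcomes = [poller.poll(now=t) for t in range(0, 1500, 300)]
    return outcomes, profile, poller


if __name__ == "__main__":
    for cls, kw in ((NaivePoller, {}), (LeasedPoller, {"lease_seconds": 600})):
        outcomes, profile, _ = simulate(cls, **kw)
        print(cls.__name__, outcomes, profile.state, profile.pulled)
```

With the naive poller the hung cycle leaves the profile "running" for good and every later cycle reports "skipped", which matches the symptom in the thread (connection attempts visible, nothing pulled). With a 600 s lease the fourth cycle notices the stale run, resets it, and alarm pulls resume without anyone editing the record by hand; the same check, run on its own, is what an administrator would want for detecting the condition early.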