Network Requirements
Communication Overview
RhythmX communicates with several components in the LogRhythm ecosystem. The following ports must be open between the RhythmX server and the relevant services for the platform to function correctly.
```mermaid
flowchart LR
    LDS["LogRhythm<br>Log Distribution<br>Services"] -->|"5514, 5515, 5516"| RX["RhythmX"]
    RX -->|"9200"| ES["LogRhythm<br>DX / Indexer"]
    RX -->|"1433"| SQL["LogRhythm<br>SQL Server"]
    RX -->|"389 / 636"| LDAP["LDAP<br>Server"]
    RX -->|"514"| SYS["Syslog<br>Destination"]
    ANALYST["Analysts"] -->|"443"| RX
    style LDS fill:#1a237e,stroke:#534bae,color:#fff
    style RX fill:#b71c1c,stroke:#f05545,color:#fff
    style ES fill:#1a237e,stroke:#534bae,color:#fff
    style SQL fill:#1a237e,stroke:#534bae,color:#fff
    style LDAP fill:#4a148c,stroke:#7c43bd,color:#fff
    style SYS fill:#e65100,stroke:#ff9d3f,color:#fff
    style ANALYST fill:#1b5e20,stroke:#4c8c4a,color:#fff
```
Inbound Ports
Ports that must be open on the RhythmX server to accept incoming traffic.
| Port | Protocol | Source | Purpose |
|---|---|---|---|
| 5514 | TCP / UDP | LogRhythm LDS | Windows Event Log ingestion |
| 5515 | TCP | LogRhythm LDS | Linux Sysmon log ingestion |
| 5516 | TCP | LogRhythm LDS | Linux Auditd log ingestion |
| 443 | TCP | Analyst workstations | Web UI and dashboard access (HTTPS) |
Outbound Ports
Ports that the RhythmX server must be able to reach on external services.
| Port | Protocol | Destination | Purpose |
|---|---|---|---|
| 9200 | TCP | LogRhythm DX / Indexer | Elasticsearch queries for threat hunting and analytics |
| 1433 | TCP | LogRhythm SQL Server | Alarm retrieval, case synchronization, actor data |
| 389 | TCP | LDAP Server | User directory sync and entity enrichment |
| 636 | TCP | LDAP Server (SSL) | Secure LDAP connection (if SSL is enabled) |
| 514 | TCP / UDP | Syslog destination | Forwarding structured detections via syslog |
Firewall Rules
If the RhythmX server and LogRhythm components are deployed across different network segments or VLANs, ensure the following rules are applied on all intermediate firewalls between them.
| Source | Destination | Port | Protocol | Direction | Purpose |
|---|---|---|---|---|---|
| LogRhythm LDS | RhythmX Server | 5514 | TCP / UDP | Inbound | Windows log ingestion |
| LogRhythm LDS | RhythmX Server | 5515 | TCP | Inbound | Linux Sysmon log ingestion |
| LogRhythm LDS | RhythmX Server | 5516 | TCP | Inbound | Linux Auditd log ingestion |
| Analyst Workstations | RhythmX Server | 443 | TCP | Inbound | Web UI access (HTTPS) |
| RhythmX Server | LogRhythm DX / Indexer | 9200 | TCP | Outbound | Elasticsearch queries |
| RhythmX Server | LogRhythm SQL Server | 1433 | TCP | Outbound | Alarm and case sync |
| RhythmX Server | LDAP Server | 389 / 636 | TCP | Outbound | User directory sync |
| RhythmX Server | Syslog Destination | 514 | TCP / UDP | Outbound | Detection forwarding |
Note: If your environment uses network address translation (NAT) between segments, ensure the translated addresses are reflected in the firewall rules. All connections are initiated by the source listed above — no callback or reverse connections are required.
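The following is an added example, not part of the RhythmX documentation: it audits a firewall rule export against the flow matrix in the Firewall Rules table, reporting required flows that are not permitted and allow rules that are broader than the table calls for. The rule format, the role labels (`lds`, `rhythmx`, and so on), the sample rules and the `ldaps` switch are constructed for illustration, and "TCP / UDP" is assumed to mean both protocols are required.

```python
from itertools import product

FIELDS = ("src", "dst", "port", "proto")
RX = "rhythmx"  # role label for the RhythmX server (assumed name)

def required_flows(ldaps=False):
    """Expand the page's Firewall Rules table into (src, dst, port, proto) tuples."""
    table = [
        ("lds", RX, [5514], ["tcp", "udp"]),       # Windows log ingestion
        ("lds", RX, [5515, 5516], ["tcp"]),        # Linux Sysmon / Auditd
        ("analysts", RX, [443], ["tcp"]),          # Web UI (HTTPS)
        (RX, "dx", [9200], ["tcp"]),               # Elasticsearch queries
        (RX, "sql", [1433], ["tcp"]),              # Alarm and case sync
        (RX, "ldap", [636 if ldaps else 389], ["tcp"]),
        (RX, "syslog", [514], ["tcp", "udp"]),     # Detection forwarding
    ]
    return {(s, d, p, pr) for s, d, ports, protos in table
            for p, pr in product(ports, protos)}

def covers(rule, flow):
    """A rule permits a flow if every field matches exactly or is 'any'."""
    return all(rule[k] in ("any", v) for k, v in zip(FIELDS, flow))

def audit(rules, ldaps=False):
    """Return (missing, excess): required flows no allow rule permits, and
    allow rules involving RhythmX (or 'any') that are not an exact table row."""
    need = required_flows(ldaps)
    allow = [r for r in rules if r["action"] == "allow"]
    missing = sorted(f for f in need if not any(covers(r, f) for r in allow))
    excess = [r for r in allow
              if {RX, "any"} & {r["src"], r["dst"]}
              and tuple(r[k] for k in FIELDS) not in need]
    return missing, excess

def rule(src, dst, port, proto, action="allow"):
    return dict(src=src, dst=dst, port=port, proto=proto, action=action)

# Constructed sample export: one required flow absent, two over-broad rules.
SAMPLE_RULES = [
    rule("lds", RX, 5514, "tcp"), rule("lds", RX, 5514, "udp"),
    rule("lds", RX, 5515, "tcp"), rule("lds", RX, 5516, "tcp"),
    rule("any", RX, 443, "tcp"),            # should be analyst workstations only
    rule(RX, "dx", 9200, "tcp"), rule(RX, "sql", 1433, "tcp"),
    rule(RX, "ldap", 389, "tcp"), rule(RX, "syslog", 514, "udp"),
    rule(RX, "any", 22, "tcp"),             # not in the table at all
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_RULES)
    print("missing:", missing)
    print("excess:", [tuple(r[k] for k in FIELDS) for r in excess])
```

Calling `audit(rules, ldaps=True)` swaps the LDAP requirement to port 636, so a leftover 389 rule is reported as excess.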