Skip to content

Network Requirements

Communication Overview

RhythmX communicates with several integrated services. The following ports must be open between the RhythmX server and the relevant services for the platform to function correctly.

flowchart LR
    LDS["LogRhythm<br>Log Distribution<br>Services"] -->|"5514, 5515, 5516"| RX["RhythmX"]
    RX -->|"9200"| ES["LogRhythm<br>DX / Indexer"]
    RX -->|"1433"| SQL["LogRhythm<br>SQL Server"]
    RX -->|"389 / 636"| LDAP["LDAP<br>Server"]
    RX -->|"514"| SYS["Syslog<br>Destination"]
    RX -->|"443"| JIRA["Jira / ServiceNow"]
    RX -->|"123"| NTP["NTP Server"]
    ANALYST["Analysts"] -->|"443"| RX

    style LDS fill:#1a237e,stroke:#534bae,color:#fff
    style RX fill:#b71c1c,stroke:#f05545,color:#fff
    style ES fill:#1a237e,stroke:#534bae,color:#fff
    style SQL fill:#1a237e,stroke:#534bae,color:#fff
    style LDAP fill:#4a148c,stroke:#7c43bd,color:#fff
    style SYS fill:#e65100,stroke:#ff9d3f,color:#fff
    style JIRA fill:#00695c,stroke:#4db6ac,color:#fff
    style NTP fill:#6a1b9a,stroke:#ab47bc,color:#fff
    style ANALYST fill:#1b5e20,stroke:#4c8c4a,color:#fff

Inbound Ports

Ports that must be open on the RhythmX server to accept incoming traffic.

Port Protocol Source Purpose
5514 TCP / UDP LogRhythm LDS Windows Event Log ingestion
5515 TCP LogRhythm LDS Linux Sysmon log ingestion
5516 TCP LogRhythm LDS Linux Auditd log ingestion
443 TCP Analyst workstations Web UI and dashboard access (HTTPS)

Outbound Ports

Ports that the RhythmX server must be able to reach on external services.

Port Protocol Destination Purpose
9200 TCP LogRhythm DX / Indexer Elasticsearch queries for threat hunting and analytics
1433 TCP LogRhythm SQL Server Alarm retrieval, case synchronization, actor data
389 TCP LDAP Server User directory sync and entity enrichment
636 TCP LDAP Server (SSL) Secure LDAP connection (if SSL is enabled)
514 TCP / UDP Syslog destination Forwarding structured detections via syslog
443 TCP Jira Cloud / ServiceNow Ticket integration — pushing incidents to external ticketing systems
123 UDP NTP Server Time synchronization — critical for accurate timestamp correlation across log sources

Firewall Rules

If the RhythmX server and LogRhythm components are deployed across different network segments or VLANs, ensure the following rules are applied on all intermediate firewalls between them.

Source Destination Port Protocol Direction Purpose
LogRhythm LDS RhythmX Server 5514 TCP / UDP Inbound Windows log ingestion
LogRhythm LDS RhythmX Server 5515 TCP Inbound Linux Sysmon log ingestion
LogRhythm LDS RhythmX Server 5516 TCP Inbound Linux Auditd log ingestion
Analyst Workstations RhythmX Server 443 TCP Inbound Web UI access (HTTPS)
RhythmX Server LogRhythm DX / Indexer 9200 TCP Outbound Elasticsearch queries
RhythmX Server LogRhythm SQL Server 1433 TCP Outbound Alarm and case sync
RhythmX Server LDAP Server 389 / 636 TCP Outbound User directory sync
RhythmX Server Syslog Destination 514 TCP / UDP Outbound Detection forwarding
RhythmX Server Jira Cloud / ServiceNow 443 TCP Outbound Ticket integration
RhythmX Server NTP Server 123 UDP Outbound Time synchronization

Note: If your environment uses network address translation (NAT) between segments, ensure the translated addresses are reflected in the firewall rules. All connections are initiated by the source listed above — no callback or reverse connections are required.

TLS Requirements

Connection TLS Requirement
Web UI (443) TLS 1.2+ required. RhythmX serves HTTPS with a self-signed or CA-issued certificate.
Jira Cloud (443) TLS 1.2+ — Jira Cloud enforces HTTPS. Ensure the RhythmX server can validate Jira's certificate chain.
ServiceNow (443) TLS 1.2+ — ServiceNow enforces HTTPS. Same certificate chain requirement.
LDAP (636) LDAPS uses TLS. If using port 389, consider upgrading to 636 for encrypted directory queries.
Syslog (514) TCP syslog can optionally use TLS for encrypted log transport. Configure the destination to accept TLS connections if required by your security policy.