Log Aggregators
A log aggregator is not an event source itself, but a place from which event source data originating elsewhere can be pulled. Think of a log aggregator such as a SIEM as a "middle man" between InsightIDR and the original event source. If you already have logs going into a log aggregator on your network (e.g. a SIEM such as Splunk), you can use the aggregator to forward those logs to InsightIDR.
Requirements for Log Aggregators
InsightIDR requires the following:
- The logs must be split into separate streams into the collector, so that each parser only receives logs it knows how to parse.
- For example, AD logs can be sent to UDP port 6000 while firewall logs are sent to port 6001, IDS logs to port 6002, etc.
- Logs must be sent to the collector before they are processed by the SIEM, so that they look the same to the collector as if they had come directly from the original network appliance.
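An added example (not from the Rapid7 documentation) of what these two requirements mean in practice: a small Python routing check that gives each event-source type its own collector port, rejects a plan that shares a port between two types, and rejects lines that no longer carry a standard syslog header (for instance because the SIEM already rewrote them). The source-type names, the port plan and the sample lines are constructed for the example.

```python
import re

# Collector port per event-source type, following the page's example layout
# (AD on 6000, firewall on 6001, IDS on 6002). The type names are assumptions.
PORT_PLAN = {"active_directory": 6000, "firewall": 6001, "ids": 6002}

# Standard syslog header: <PRI>, then an RFC 5424 ("1 <timestamp>") or
# RFC 3164 ("Mon dd hh:mm:ss") prefix, then the originating hostname.
_SYSLOG_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:1 \S+|[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
)

# Constructed sample events, as the aggregator holds them before any SIEM processing.
SAMPLE_EVENTS = [
    ("active_directory", "<14>Jan 10 10:01:02 dc01 Microsoft-Windows-Security-Auditing[4624]: logon ok"),
    ("firewall", "<134>Jan 10 10:01:03 fw01 %ASA-6-302013: Built outbound TCP connection 12345"),
    ("ids", "<44>1 2024-01-10T10:01:04Z ids01 snort - - - [1:1000001:1] constructed test alert"),
]

def syslog_header(line):
    """Return (facility, severity, host) for a standard syslog line, else None."""
    m = _SYSLOG_HDR.match(line)
    if m is None or int(m.group("pri")) > 191:  # PRI = facility*8 + severity, max 23*8+7
        return None
    pri = int(m.group("pri"))
    return pri // 8, pri % 8, m.group("host")

def check_plan(plan):
    """Reject a plan that sends two source types to one port (one parser per stream)."""
    owner = {}
    for source_type, port in plan.items():
        if port in owner:
            raise ValueError(f"port {port} assigned to both {owner[port]!r} and {source_type!r}")
        owner[port] = source_type
    return True

def route(events, plan=PORT_PLAN):
    """Group raw lines by collector port; lines that are not standard syslog
    (e.g. already rewritten by the SIEM) are rejected rather than forwarded."""
    check_plan(plan)
    streams = {}
    for source_type, line in events:
        if source_type not in plan:
            raise ValueError(f"no collector port for source type {source_type!r}")
        if syslog_header(line) is None:
            raise ValueError(f"not standard syslog, parser would not match: {line[:40]!r}")
        streams.setdefault(plan[source_type], []).append(line)
    return streams
```

The returned mapping is what the aggregator's syslog output should reproduce: one UDP destination port per stream, with the original message text untouched.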
InsightIDR Log Aggregators
The following log aggregators can forward event source data into the Insight Platform:
- HP ArcSight
- IBM QRadar
- LogRhythm
- McAfee Enterprise Security Manager (previously known as Nitrosecurity)
- Splunk
Event Sources that support Log Aggregators
You can configure the following event sources to use log aggregators as their collection method:
Active Directory
Advanced Malware
DHCP
- Cisco Meraki
- Infoblox Trinzic
- ISC dhcpd
- Microsoft DHCP
- Sophos UTM
- Alcatel-Lucent VitalQIP
- MikroTik
- Dnsmasq DHCP
DNS
- Infoblox Trinzic
- ISC Bind9
- Microsoft DNS
- Dnsmasq DNS
- PowerDNS
Firewall
- Check Point
- Barracuda Firewall
- Cisco ASA Firewall + VPN
- Cisco FirePower Threat Defense
- Cisco Meraki
- ForcePoint Firewall
- Fortinet Firewall
- Palo Alto Firewall, VPN and Wildfire
- pfSense Firewall
- SonicWALL
- WatchGuard XTM
- Juniper Netscreen
- Sophos Firewall
- Cisco IOS Firewall
- Clavister W20
- Juniper Junos OS
- McAfee Firewall
- Stonesoft Firewall
IDS
- Cisco FirePower (Sourcefire IDS)
- F5 Networks BIG-IP Local Traffic Manager
- Security Onion
- Sentinel IPS
- Cisco FireSIGHT
- Sourcefire 3D
- Corero IPS
- Dell iSensor
- Trend Micro TippingPoint
Ingress Authentication
Virus Scanners
- BitDefender
- CylancePROTECT
- ESET Antivirus
- Kaspersky Anti-Virus
- McAfee ePO
- MalwareBytes Endpoint Protection
- SentinelOne EDR
- Sophos Central
- Sophos Intercept X
- Symantec Endpoint Protection
- Trend Micro Apex One
- Trend Micro Deep Security
- Trend Micro OfficeScan
- Rapid7 Universal Antivirus
- F-Secure
- Trend Micro Control Manager
VPN
- Cisco ASA Firewall & VPN
- Barracuda Firewall & VPN
- Cisco ISE
- Microsoft IAS (RADIUS)
- Microsoft Remote Web Access
- Citrix NetScaler VPN
- OpenVPN
- Juniper Pulse Connect Secure
- Cisco ACS NAS
- F5 Networks FirePass
- Microsoft Network Policy Server
- MobilityGuard OneGate
- VMware Horizon
Web Proxy
- Barracuda Web Security Gateway
- Sophos Secure Web Gateway
- WebSense Web Security Gateway
- zScaler NSS
- Cisco IronPort
- Livigent Content Filter
- McAfee Web Reporter Web Proxy
- Squid
Rapid7 Universal Event Sources
Raw Data Event Sources
Web Server Access Logs
Forward Logs From a SIEM
InsightIDR can receive logs forwarded from the following SIEM/log aggregation products:
- HP ArcSight
- LogRhythm
- McAfee Enterprise Security Manager (formerly Nitrosecurity)
- Splunk
- IBM QRadar
- FireEye Threat Analytics Platform (TAP)
For all SIEM/log aggregation products, follow the vendor documentation to forward the log/event data to a collector using standard syslog for both the log format and the transport.
Before your InsightIDR deployment, if you will be forwarding logs from your SIEM, you should be prepared to perform the necessary steps on the SIEM. You can either complete the setup before the deployment or complete the setup with your Rapid7 Consultant during the deployment.