InsightIDR - Event Code Exclusion

Insight Agent version 1.4.88 and higher can be configured to exclude specific event codes from the event log monitor, which is useful in high-load situations or "noisy" environments. Note that this file can only exclude event codes; it cannot be used to collect additional ones.

To do this, complete the following:

  1. Stop the Insight Agent service.
  2. As an admin user, open the config\agent.jobs.windows.ui_realtime.json file, which should live in the agent root configuration directory.
  3. Add the following JSON to the file, keeping only the event codes you want to exclude. To exclude further events, list them under the relevant log name (for example securityWithSource) and, where applicable, the source name (for example Microsoft-Windows-Security-Auditing).
Advanced Configuration

```json
{
  "EventLogMonitor": {
    "excludes": {
      "application": [
        1033,
        1034,
        11707,
        11708,
        11724,
        11725
      ],
      "applicationWithSource": {
        "EMET": [
          2
        ]
      },
      "security": [
        1102,
        4624,
        4625,
        4648,
        4720,
        4697
      ],
      "securityWithSource": {
        "Microsoft-Windows-Security-Auditing": [
          5145
        ]
      },
      "system": [
        7045
      ],
      "systemWithSource": {
        "Service Control Manager": [
          7045
        ]
      }
    }
  }
}
```

This JSON will prevent the event log monitor from scanning the listed event codes.

  4. Verify that the modified config file is valid JSON before saving.
  5. Restart the Insight Agent service.
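The validity check in step 4 can be scripted. The following is an added example, not Rapid7's code: it parses the edited file, checks that `EventLogMonitor.excludes` has the shape shown above (a log name mapped to a list of integer IDs, or a `...WithSource` log name mapped to source names and their lists), and reports any excluded IDs that are common detection inputs, so the coverage trade-off is explicit. The list of flagged IDs is the example's own choice.

```python
"""Check an Insight Agent exclusion file (added example, not Rapid7's code)."""
import json

# Well-known Windows event IDs that frequently feed detections. Excluding them
# reduces volume at the cost of visibility, so the checker reports each one.
DETECTION_RELEVANT = {
    1102: "audit log cleared",
    4624: "successful logon",
    4625: "failed logon",
    4648: "logon with explicit credentials",
    4688: "process creation",
    4697: "service installed (Security log)",
    4720: "user account created",
    7045: "service installed (System log)",
}


def _id_list(path, ids, errors):
    """Return ids if it is a list of integers, else record an error and return []."""
    ok = isinstance(ids, list) and all(
        isinstance(i, int) and not isinstance(i, bool) for i in ids)
    if not ok:
        errors.append(f"{path}: expected a list of integer event IDs")
        return []
    return ids


def validate_excludes(text):
    """Return (errors, warnings) for the JSON text of the edited config file."""
    errors, warnings = [], []
    try:
        doc = json.loads(text)  # strict JSON: a trailing comma is a parse error
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"], warnings
    excludes = doc.get("EventLogMonitor", {}).get("excludes")
    if not isinstance(excludes, dict):
        return ["missing EventLogMonitor.excludes object"], warnings
    for log_name, value in excludes.items():
        if log_name.endswith("WithSource"):
            if not isinstance(value, dict):
                errors.append(f"{log_name}: expected an object keyed by source name")
                continue
            entries = [(f"{log_name}/{src}", ids) for src, ids in value.items()]
        else:
            entries = [(log_name, value)]
        for path, ids in entries:
            for event_id in _id_list(path, ids, errors):
                if event_id in DETECTION_RELEVANT:
                    warnings.append(
                        f"{path}: excluding {event_id} ({DETECTION_RELEVANT[event_id]})")
    return errors, warnings
```

Run it against the file with `validate_excludes(open(path).read())`; an empty error list means the file will parse, and the warnings list shows which excluded IDs a detection engineer would want to review.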

Use at your own discretion.

Rapid7 does not manage your config file; if the added exclusion block causes errors, remove it from the file.