InsightIDR - Event Code Exclusion

On versions 1.4.88 or higher, you can configure the Insight Agent to exclude specific event codes from the event code monitor; this can be useful in high load situations or "noisy" environments. Please note that you cannot configure the file to collect additional event codes.

To do this, complete the following:

Stop the Insight Agent service.
As an admin user, open the config\agent.jobs.windows.ui_realtime.json file, which should live in the agent root configuration directory.
Add the following JSON into the original file, replacing [n] with the security codes of your choice in a comma delimited list.


Advanced Configuration
1
{
2
  "EventLogMonitor": {
3
      "excludes": {
4
        "security": [5145, 1234]
5
        }
6
      }
7
 }
8
}

The JSON above will removed the EVID codes 5145 and 1234 from the security log scanner, effectively excluding it from the event monitor.

Verify that the modified config file is valid JSON before saving.
Restart the Insight Agent service.

Please use at your own discretion

Rapid7 does not manage your config file; if you notice that it is causing errors, you can remove it from the file.

Did this page help you?

Configure

InsightIDR - auditd Compatibility Mode for Linux Assets

Configure

InsightOps - Configure the Insight Agent to Send Logs