InsightIDR - Event Code Exclusion
On versions 1.4.88 or higher, you can configure the Insight Agent to exclude specific event codes from the event code monitor; this can be useful in high load situations or "noisy" environments. Please note that you cannot configure the file to collect additional event codes.
To do this, complete the following:
- Stop the Insight Agent service.
- As an admin user, open the config\agent.jobs.windows.ui_realtime.json file, which should live in the agent root configuration directory.
- Add the following JSON to the original file, replacing [n] with the security event codes of your choice as a comma-delimited list.
Advanced Configuration
{
  "EventLogMonitor": {
    "excludes": {
      "security": [5145, 1234]
    }
  }
}
The JSON above removes EVID codes 5145 and 1234 from the security log scanner, effectively excluding them from the event monitor.
- Verify that the modified config file is valid JSON before saving.
- Restart the Insight Agent service.
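The procedure above amounts to merging an exclusion list into an existing JSON file and checking the result before saving. The following is an added example, not Rapid7's own tooling: it parses the current job file, merges event codes into EventLogMonitor.excludes.security without clobbering other keys, and re-validates the JSON before writing it back. The file path is a placeholder, and any key layout beyond what the page shows is an assumption.

```python
import json
from typing import Any

# Placeholder path (assumption): the real file is config\agent.jobs.windows.ui_realtime.json
# under the Insight Agent root configuration directory.
CONFIG_PATH = r"C:\<agent-root>\config\agent.jobs.windows.ui_realtime.json"


def parse_config(text: str) -> dict[str, Any]:
    """Parse the existing file, rejecting anything whose root is not a JSON object."""
    data = json.loads(text)  # raises json.JSONDecodeError on malformed input
    if not isinstance(data, dict):
        raise ValueError("config root must be a JSON object")
    return data


def merge_excludes(config: dict[str, Any], event_ids: list[int]) -> dict[str, Any]:
    """Return a copy of config with event_ids added to EventLogMonitor.excludes.security.

    Other keys are untouched, duplicates are dropped and the list is sorted so
    later edits diff cleanly. Only positive integer event codes are accepted.
    """
    for eid in event_ids:
        if isinstance(eid, bool) or not isinstance(eid, int) or eid <= 0:
            raise ValueError(f"event code must be a positive integer, got {eid!r}")
    merged = json.loads(json.dumps(config))  # deep copy by round-tripping
    excludes = merged.setdefault("EventLogMonitor", {}).setdefault("excludes", {})
    current = excludes.setdefault("security", [])
    if not isinstance(current, list) or not all(isinstance(c, int) for c in current):
        raise ValueError("EventLogMonitor.excludes.security must be a list of integers")
    excludes["security"] = sorted(set(current) | set(event_ids))
    return merged


def render(config: dict[str, Any]) -> str:
    """Serialise and re-parse, so what is written back is guaranteed valid JSON."""
    text = json.dumps(config, indent=2)
    parse_config(text)
    return text + "\n"


if __name__ == "__main__":
    with open(CONFIG_PATH, encoding="utf-8") as fh:
        existing = parse_config(fh.read())
    with open(CONFIG_PATH, "w", encoding="utf-8") as fh:
        fh.write(render(merge_excludes(existing, [5145, 1234])))
```

Run it with the agent service stopped, as the steps above require, and keep a copy of the original file so the change can be backed out.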
Please use at your own discretion
Rapid7 does not manage your config file; if you notice that the added exclusion block is causing errors, you can remove it from the file.