Advanced Event Source Settings
Multi-Domain Environments
If you have multiple domains in your environment, it is important that you specify a default domain for all event sources. This setting tells InsightIDR which domain to attribute users to, particularly when the event log does not provide that information. A default domain can be set for all event sources when configuring user attribution settings. To use a different domain for a specific event source, you can customize it directly in the event source’s configuration settings.
Rapid7 Encryption Certificate
When using TCP to send event source data by syslog, you can also choose to encrypt that data. When configuring an event source, choose TCP under collection methods and select the "Download Certificate" button. The certificate is called Rapid7CA.pem and will allow InsightIDR and the event source to "trust" each other during log forwarding.
Rapid7 recommends importing the certificate file on the same machine as the vendor or application you are connecting to InsightIDR as an event source. Use your administrative tool or vendor so that your machine can ingest the certificate.
The certificate file contains two keys: a public key for your organization, and the Rapid7 key, which created the org-key.
Inactivity Timeout Threshold
This setting applies only to DHCP and VPN event sources. The Inactivity Timeout Threshold setting allows you to specify, in minutes, how long an event source should be inactive before it enters an error state.
Active Failover Partner
If you have two DHCP servers configured in an active/passive relationship, you can specify the active partner.
Unparsed Logs
Learn about how unparsed logs affect your event source.
Attribution Source
In InsightIDR, attribution refers to the attempts the system makes to identify which assets, accounts, and users are involved in the collected log activity. For example, when an event log states that the activity was performed by the account jdoe, InsightIDR uses previously collected information from other event sources to determine whether that account is associated with the user Jane Doe or John Doe.
Attribution source can be set for all event sources when configuring user attribution settings. To use a different attribution source for a specific event source, you can customize it directly in the event source’s configuration settings.