InsightIDR has the ability to automatically discover and configure certain sources (Active Directory via WMI; LDAP; Microsoft DHCP and DNS via Network Shares) in your environment. Auto configure is especially helpful with core event sources, as the core user attribution engine can be setup in just a few minutes.
You can run the auto configure feature just to discover event sources, without configuring those event sources themselves. This practice can be helpful to discover any newly deployed servers in your environment that haven't been configured for monitoring.
Before You Begin
You must first deploy and activate your Collector. See Collector Installation and Deployment for instructions.
Additionally, make sure you configure logging and network shares on requested DHCP and DNS servers to enable log collection.
For DHCP and DNS Servers, InsightIDR can only auto configure these event sources on servers running Windows 2008, Windows Vista, or later.
Use Auto Configure
When you run auto configure, InsightIDR uses your Collector host and administrative credentials to enumerate server hosts in your environment, including Microsoft domain controllers, DHCP servers, and DNS servers.
For best results, consider the geographic location and performance of your event sources and Collectors
When configuring an event source, choose a Collector that has a reliable connection and is close to the server or system where the event source resides. For example, if you're configuring an Active Directory event source that collects data from a server located in Boston, try to choose a Collector that is also located in Boston.
To run auto configure:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Select Run Auto Configure. The Configure Event Sources window displays with event sources that were discovered by auto configure previously.
- Do one of the following:
- To configure previously discovered event sources, proceed to step 5.
- To scan for new event sources, complete step 4.
- Rescan your environment to discover event sources:
- Select Rescan.
- Specify a domain administrator Credential by selecting a previously entered credential or by entering a new credential with this information:
- Name - Enter a descriptive name to display in the Credential field.
- Username - Enter the username for the domain administrator in pre-2000 format (domain\username).
- Password - Enter the password associated with the username.
- If your Active Directory environment contains multiple Domains, enter them separated by commas.
- If you have only one domain, ignore this field, as the domain should be specified in the credential already. Read Multi-Domain Environments for more information.
- Select Discover. InsightIDR begins discovering event sources associated with the Collector host and domain administrator credentials. This might take several minutes.
- Select the event sources that you want to configure:
- Active Directory and LDAP event sources don’t require configuration changes, so can be configured automatically. Your Collector uses your administrative credentials to pull events from Active Directory via WMI and creates an LDAP query to find information about your users.
- DHCP and DNS event sources require configuration changes to deposit logs into a dedicated folder, so must be configured manually.
- Select Configure Event Sources. InsightIDR begins configuring the event sources. In the Configure Event Sources window, event sources are marked as created when InsightIDR finishes configuring them. It might take several minutes for InsightIDR to finish the configuration.
Linux Auto Configure
On Linux, InsightIDR can discover all the server types and can configure the LDAP and Active Directory event sources. However, InsightIDR cannot perform the configuration or creation of the Microsoft DHCP or DNS sources.
If a source is identified that is not reachable by a Collector, it will be marked as such.
Deploy another Collector logically adjacent to the source and re-run the Auto Configure wizard to setup these event sources, or adjust firewall rules to allow the Collector to communicate with the event source.
collector.log file to see a list of all Collector activity, including attempted ports.