Auto Configure

InsightIDR has the ability to automatically discover and configure certain sources (Active Directory via WMI; LDAP; Microsoft DHCP and DNS via Network Shares) in your environment. Auto configure is especially helpful with core event sources, as the core user attribution engine can be setup in just a few minutes.

You can run the auto-configure feature just to discover event sources without configuring those event sources themselves. This practice can be helpful to discover any newly deployed servers in your environment that haven't been configured for monitoring.

Before You Begin

You must first deploy and activate your Collector. See Collector Installation and Deployment for instructions.

Additionally, make sure you configure logging and network shares on requested DHCP and DNS servers to enable log collection.

For DHCP and DNS Servers, InsightIDR can only auto-configure these event sources on servers running Windows 2008, Windows Vista, or later.

Use Auto Configure

  1. Navigate to the InsightIDR homepage.
  2. Select Data Collection on the left menu and then select the Setup Event Source dropdown menu. Select Add Event Source.
  3. Select the Auto Configure icon.
  1. Provide a domain admin service account credential for InsightIDR to automatically discover and configure event sources. The credential should be entered in pre-2000 format (domain\username).
  1. If your Active Directory environment contains multiple domains, enter them in the box below, separated by commas.
    • If you only have one domain, ignore this field, as the domain should be specified in the credential already. See Multi-Domain Environments for more information.
  2. Click the Discover button to begin discovering event sources. This will allow InsightIDR to use your Collector host and your administrative credentials to enumerate server hosts in your environment, including Microsoft domain controllers, DHCP servers, and DNS servers.

This may take a minute or two, but you should see event sources appear in the background. Then the Discovered Event Sources page will appear with a list of event source server hosts. 7. Select the event sources you wish for InsightIDR to configure automatically.

For initial configuration, Rapid7 recommends connecting all Active Directory sources and one LDAP source from a server that is logically close to your Collector.

These event sources require no configuration changes . Your Collector will use your administrative credentials to pull events from Active Directory via WMI in addition to making an LDAP query to find information about your users.

You can also auto-configure Microsoft DHCP and DNS, but they require configuration changes in order to deposit logs into a dedicated folder. See DHCP and DNS for information on creating audit log folders.

  1. Select all of the you would like to set up automatically and click the Configure button. Each source should show "Configuring" for a brief time before showing "Event Source Created." If a source shows an error, then you may need to create the event source manually.
  2. Once the green checks for at least Active Directory and LDAP, you can Close the Auto Configure window and return to regular event source setup.

Linux Auto Configure

On Linux, InsightIDR can discover all the server types and can configure the LDAP and Active Directory event sources. However, InsightIDR cannot perform the configuration or creation of the Microsoft DHCP or DNS sources.

Troubleshooting

Unreachable Source

If a source is identified that is not reachable by a Collector, it will be marked as such.

Deploy another Collector logically adjacent to the source and re-run the Auto Configure wizard to setup these event sources, or adjust firewall rules to allow the Collector to communicate with the event source.

Having trouble?

Review the collector.log file to see a list of all Collector activity, including attempted ports.