Collector Installation and Deployment

The following process pairs the Collector in your network to Amazon Web Services (AWS), where the InsightIDR servers are hosted. Note that no credentials are stored in AWS.

For Cloud environments, installing a Collector is necessary to understand the relationship between IP addresses and assets. To attribute assets, you must install the Insight Agent on all assets within your environment, and provision a Collector to deliver the agent logs to InsightIDR. The Insight Agent is the only source of up-to-date hostname-to-IP information in Cloud environments. Systems running the Insight Agent must have network access to communicate with the Collector over ports 5508, 6608, and 8037, and the Collector must be able to connect to the Insight Platform over port 443. Refer to Ports Used by InsightIDR for more information.
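
The following pre-flight script is an added example, not part of the original documentation: it tests the TCP paths named above (Agent to Collector on 5508, 6608, and 8037; Collector to Insight Platform on 443) before you install. The host arguments are placeholders you supply, the function names are hypothetical, and the script assumes bash and the coreutils timeout command are present.

```shell
#!/bin/sh
# Added example: pre-flight TCP reachability check for the ports named above.
# Hostnames are supplied by the operator; none are taken from the page.

AGENT_TO_COLLECTOR_PORTS="5508 6608 8037"   # Insight Agent -> Collector
COLLECTOR_TO_PLATFORM_PORTS="443"           # Collector -> Insight Platform

# valid_port PORT: succeed only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_port HOST PORT [TIMEOUT_SECONDS]: succeed if a TCP connect completes.
# Returns 2 for a malformed port. The connect uses bash's /dev/tcp in a
# child bash (assumed installed) so this script itself stays POSIX sh.
check_port() {
    valid_port "$2" || return 2
    timeout "${3:-5}" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# check_ports HOST "PORT ...": print one line per port, return the failure count.
check_ports() {
    host=$1 failures=0
    for port in $2; do
        if check_port "$host" "$port"; then
            echo "OK    $host:$port"
        else
            echo "FAIL  $host:$port"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: run "agent" on a system that will run the Insight Agent,
# and "collector" on the Collector host.
#   ./preflight.sh agent <collector-host>
#   ./preflight.sh collector <insight-platform-endpoint>
case "${1:-}" in
    agent)     check_ports "$2" "$AGENT_TO_COLLECTOR_PORTS" ;;
    collector) check_ports "$2" "$COLLECTOR_TO_PLATFORM_PORTS" ;;
esac
```

A FAIL line on the agent side usually points to a host or network firewall between the asset and the Collector; the exit status is the number of unreachable ports.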

You can install the Collector on the following operating systems:

Additionally, please review Collector Processing and Deployment to Your Network for the easiest transition.

Configure an Antivirus exclusion

Endpoint security applications (such as McAfee Threat Intelligence Exchange, CylancePROTECT, Carbon Black, and others) may flag, block, or delete the Collector from your assets depending on your detection and response settings.

To prevent this from happening, we recommend that you configure an allow list rule for the Collector's directory so your endpoint security software does not accidentally target it.

Installation

To download and install the Collector file:

  1. Navigate to your account at insight.rapid7.com.
  2. On the left menu, select the Data Collection tab.
  3. Select the Setup Collector menu from the available dropdown and choose your operating system.

Windows Installation

A zip file will begin to download. It will be an executable file.

Note that you can download the Collector installer package on your local machine and then transfer the executable to the Collector server host if this is easier than downloading directly with the server host.

  1. Run the .exe file and follow the steps of the application wizard. All the default install settings are acceptable.
  2. Copy the Activation Key from the wizard so you can link the installed software to InsightIDR.
  3. Go back to InsightIDR in your web browser, and select Data Collection on the left.
  4. From the dropdown menus on the right, choose Setup Collector and then choose Activate Collector.
  5. Name the Collector, and then enter the activation key from the installation wizard.
  6. Click the Activate button.

Linux Installation

The Linux .sh installer will download onto your machine. Ensure that you have read and write access on your machine to make these changes.

To install the Collector on a remote Linux host:

  1. Send the InsightSetup-Linux64.sh installer script to your target Linux host using your method of choice.
  2. SSH to the target system and navigate to the installer’s current directory.
  3. Modify the permissions of the script to make it executable with the following command: chmod +x InsightSetup-Linux64.sh
  4. Run the following script as root to start the installer: sudo ./InsightSetup-Linux64.sh
  5. A terminal wizard guides you through the installation process. Proceed through the system settings and license prompts to start the installation.
  6. When the installation completes, copy the value shown next to Agent key:
  7. Go back to InsightIDR in your web browser, and select Data Collection on the left.
  8. From the dropdown menus on the right, choose Setup Collector and then choose Activate Collector.
  9. Name the Collector, and then enter the activation key from the installation wizard.
  10. Click the Activate button.

Collector Processing

When you click the Activate button, you will see the activation process start with the "Waiting for connection..." status message.

This can take several minutes as your on-premises Collector software reaches out to the Insight platform and hands off the shared secret (activation key). Once the initial handshake is complete, a unique pair of cryptographic keys will be generated. These crypto keys are used for all subsequent communications between the Collector and the Insight platform. Once the keys have been exchanged, you should see health metrics for the server host.

Deployment to Your Network

If all of the requirements have been met, InsightIDR should be running and collecting data within a few minutes. The installation of the Collector is like a "handshake" between the system and the platform, which then allows InsightIDR to see and collect data from previously configured event sources.

You can start adding event sources right away; simply click the one you'd like to add and fill in the necessary fields. See InsightIDR Event Sources for more information.

Troubleshooting

See Collector Troubleshooting for more information.