Like other raw data, custom logs contextualize information throughout InsightIDR and are helpful during log search.
Any text based log of any kind can be ingested through InsightIDR. This event source will accept any data as is and does not parse. As such, use this event source when you want to send data in a format that is not currently supported by the platform.
Configure InsightIDR to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.
To configure the new event source in InsightIDR:
- From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
- Click Add Raw Data > Custom Logs.
- Alternatively, you can search for Custom Logs or filter by the Rapid7 Product Type, and then select the Rapid7 Custom Logs event source tile.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Select a collection method and specify a port and a protocol.
- Optionally choose to Encrypt the event source if choosing TCP by downloading the Rapid7 Certificate.
- Click Save.
Custom Log Recommendations
Rapid7 recommends using JSON or KVP format for logging, as data is presented in log search in this form. Sending an unstructured string will yield an unstructured log entry in InsightIDR - you can search for any text in the event, but lose the benefit of keyword search.
Formatting logs in JSON or KVP will allow InsightIDR to preserve the keyword format and provide the added benefit of keyword search (eg, foo=bar).