Data Collection Methods

When you configure event sources, you can use one of the following data collection methods:

Listen on Network Port

You can configure your application to forward log events to a syslog server, and then configure the InsightIDR Collector to "listen" on network port for syslog data on a unique port in order to receive it.

See Syslog Logging for more information.

Log Aggregator

If you want to collect logs that have already been collected by a SIEM or a Log Aggregator, you can send raw logs to the Collector using a unique port. See SIEMs/Log Aggregators for more information.

SQS

AWS SQS, or Amazon Simple Queue Services, is a managed queuing service that works with InsightIDR when sending messages as events. See AWS SQS for more information,

WMI

WMI (Windows Management Instrumentation) allows your Collector to retrieve your event source applications for events that are related to User Attribution. WMI is available for all Windows-based event sources, and it is recommended for data collection whenever possible.

See Ports Used by InsightIDR for port recommendations and other requirements.

Watch Directory

You can monitor a network location that hosts log files copied from a specified directory on a local or remote host. The host will add log files to this location. Watch Directory will read the file and start listening to net new writes from the EOF (end-of-file) position (it will not upload the contents of a file if the file is added to the directory).

Use this collection method for log files that "roll over" into new files, such as Microsoft DHCP or IIS log files used in OWA/ActiveSync.

The default option for the scan interval is 30 seconds, but that can be adjusted during configuration.

Interaction between Watch Directory and the Collector

The Collector will scan the watched directory after it is configured. All files in the directory will be scanned to their EOF position. Then, the Collector will re-scan at the specified scan interval. Once the first scan interval elapses, the Collector will run another check and consume any net new lines written past the previous EOF position.

The Collector will scan new files dropped into the directory, too. The Collector will scan the new file to the EOF position and listen for net new writes— Rather than an upload feature, the entire directory works a live feed.

Watch Shared Remote Directory and Local Folder options

During configuration, you must specify a path for the directory. The options are Shared Remote Directory (the default option) or Local Folder.

You can select the Shared Remote Directory option to enhance security. Use this method for log files that are written continuously to a single file, such as Microsoft DNS.

This option requires the Collector to authenticate to the directory as it would for any file share.

Screenshot of Shared Remote Directory option for Watch Directory in Add Event Source

With the Local Folder option, you can specify a local folder path or a Windows UNC (Universal Naming Convention) path to a hosted network drive. If the directory contains other files, enter a file pattern to specify which files InsightIDR should collect from the Directory.

Screenshot of Local Folder option for Watch Directory in Add Event Source

Watch Directory specifications

There are specifications on how Watch Directory works:

  • Watch Directory supports SMB v1 (CIFS) and SMB v2. InsightIDR requires packet signing for SMB2 connections.

  • Each new line must be delimited by a \n newline character to be considered as a "line". The limit for this is 2048 characters.

Tail File

You can configure InsightIDR to watch the network location where a host stores log data, and ingest any new data added to the log file on a local or remote host. Using the equivalent of the Unix tail command, InsightIDR will collect data written to the host disk every 20 seconds.

There are specifications on how Tail File works:

  • Tail File will read a file and set the last read position. It will only upload net new log lines written to it since the event source started.

  • Each new line must be delimited by a \n newline character to be considered as a "line". The limit for this is 2048 characters.

  • During configuration, you must specify a local folder path or a Windows UNC (Universal Naming Convention) path to a hosted network drive.

  • Tail File supports SMB v1 (CIFS) and SMB v2. InsightIDR requires packet signing for SMB2 connections.