DHCP Troubleshooting

In a successful setup, the following will occur between your DHCP Server, its assets, and InsightIDR:

  • IP assignment log comes into the collector
  • The Collector makes a DNS request to see what computer now has the new IP address
  • The Collector sends the new IP address and the machine name log to backend servers
  • The events per minute (EPM) will show up for that event source

However, you may experience difficulties between your DHCP and InsightIDR, depending on the setup of your environment.

When assigning a dynamic IP address, some DHCP servers do not provide the name of the machine in their audit logs. This makes it challenging for a collector to figure out which machine has just been assigned a new IP address.

Use one of the following solutions to resolve your issues:

InsightIDR Unable to Produce EPM

If your DHCP server does not produce identifying logs, InsightIDR is unable to generate events per minute for that event source.

Try the following solutions in order to confirm whether or not there is an issue with InsightIDR:

  1. Replace the DHCP event source with a generic syslog to confirm InsightIDR is receiving logs. If generic syslog does not produce EPM, check your network or the appliance sending logs for errors.
  2. Use the Collector to make DNS requests to the IP address range that the DHCP server assigns. If the Collector cannot retrieve machine names for the IP range, it will not generate EPM.
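The two checks above come down to one question: for each address the DHCP server hands out, can the Collector get a machine name, either from the audit log itself or from a reverse DNS (PTR) lookup? The script below is an added example, not Rapid7 code, that performs both checks offline so the logic can be seen end to end. The audit lines are constructed and follow a simplified comma-separated layout modelled on a Windows DHCP Server audit log (ID, date, time, description, IP address, host name, MAC address); the column positions, the use of event IDs 10 and 11 for assign/renew, and the `FAKE_PTR_TABLE` reverse-DNS answers are all assumptions for the example. Swap `fake_resolver` for `live_resolver` to run the same sweep against your real DNS from the Collector host.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample lines in the style of a Windows DHCP Server audit log:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
# The layout is an assumption for this example; adjust the column indices
# to match what your DHCP server actually writes.
SAMPLE_AUDIT_LINES = [
    "10,05/14/24,09:01:12,Assign,10.20.30.11,ws-finance-04.corp.example,001122334455",
    "10,05/14/24,09:01:40,Assign,10.20.30.12,,66778899AABB",
    "11,05/14/24,09:02:05,Renew,10.20.30.13,printer-2f.corp.example,CCDDEEFF0011",
    "10,05/14/24,09:02:30,Assign,10.20.30.14,,223344556677",
]

# Constructed PTR records standing in for the answers the Collector's
# reverse lookups would get; 10.20.30.14 deliberately has no record.
FAKE_PTR_TABLE = {
    "10.20.30.12": "lab-vm-07.corp.example",
    "10.20.30.13": "printer-2f.corp.example",
}

Resolver = Callable[[str], Optional[str]]


def fake_resolver(ip: str) -> Optional[str]:
    """Offline resolver backed by the constructed PTR table."""
    return FAKE_PTR_TABLE.get(ip)


def live_resolver(ip: str) -> Optional[str]:
    """Reverse lookup through the system resolver, as the Collector does."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


@dataclass
class Lease:
    event_id: str
    ip: str
    hostname: str            # name from the log; "" when the server omitted it
    resolved: Optional[str]  # name recovered by reverse DNS, if any

    @property
    def attributable(self) -> bool:
        """True when either source gave us a machine name for this IP."""
        return bool(self.hostname or self.resolved)


def parse_audit_line(line: str) -> Optional[dict]:
    """Pull event ID, IP and host name out of one audit line."""
    fields = line.split(",")
    if len(fields) < 6:
        return None
    return {"event_id": fields[0].strip(),
            "ip": fields[4].strip(),
            "hostname": fields[5].strip()}


def attribute_leases(lines: Iterable[str],
                     resolver: Resolver = live_resolver) -> List[Lease]:
    """Take assign/renew events and fall back to reverse DNS when the
    log line carries no host name (the case the text describes)."""
    leases: List[Lease] = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None or rec["event_id"] not in ("10", "11"):  # assign / renew (assumption)
            continue
        resolved = resolver(rec["ip"]) if not rec["hostname"] else None
        leases.append(Lease(rec["event_id"], rec["ip"], rec["hostname"], resolved))
    return leases


def unresolvable_ips(leases: Iterable[Lease]) -> List[str]:
    """IPs that would produce no attribution (and so no EPM) in InsightIDR."""
    return [lease.ip for lease in leases if not lease.attributable]


def sweep_range(cidr: str,
                resolver: Resolver = live_resolver) -> Dict[str, Optional[str]]:
    """Step 2 of the check: reverse-resolve every host address in a scope."""
    network = ipaddress.ip_network(cidr, strict=False)
    return {str(ip): resolver(str(ip)) for ip in network.hosts()}


def ptr_coverage(results: Dict[str, Optional[str]]) -> float:
    """Fraction of addresses in the sweep that returned a name."""
    if not results:
        return 0.0
    return sum(1 for name in results.values() if name) / len(results)


if __name__ == "__main__":
    leases = attribute_leases(SAMPLE_AUDIT_LINES, fake_resolver)
    for lease in leases:
        print(f"{lease.ip:<14} log={lease.hostname or '-':<28} "
              f"ptr={lease.resolved or '-':<26} ok={lease.attributable}")
    print("unattributable:", unresolvable_ips(leases))
    sweep = sweep_range("10.20.30.8/29", fake_resolver)
    print(f"PTR coverage for scope: {ptr_coverage(sweep):.0%}")
```

A low PTR coverage figure for a scope, or a non-empty unattributable list, points at DNS rather than at InsightIDR: the Collector cannot name a host it cannot resolve, so those addresses never turn into events for the DHCP event source.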

Tombstone Errors

A tombstone error indicates that a DHCP or VPN event source is in an error state or is not receiving data, or that the event source's Collector is not communicating with the Insight platform. As a result, InsightIDR is not attributing data from the incoming IP addresses to users.

Because Tombstone errors are specific to the connected event sources, you should examine the details of the error to find out the specific event source that is malfunctioning.

Tombstone errors prevent InsightIDR from attributing activity to your users.

Any assets within the IP range observed from those event sources will no longer have their activity (firewall, DNS queries, and so on) attributed to your users and assets.

Statically-Assigned IP Addresses

The DHCP and VPN event sources are used to determine what host is using IP addresses specified in the log data. You must add in one DHCP event source for each DHCP device or server in your organization.

If you cannot add some or all of your DHCP event sources to InsightIDR, whether because you are not using DHCP or for other reasons, InsightIDR can still perform IP-to-host attribution if you use either or both of the following options:

Option 1: Use Other Sources for IP to Host Attribution

  1. Install the Insight Agent onto all workstations, servers, and laptops in the organization.
  2. Insight Agents must be able to connect to a Collector to proxy their data to the Rapid7 platform. The Agents must be able to successfully find at least one Insight Collector when they perform their network probes.
  3. Navigate to Settings > Static IP Ranges to add all network segments with endpoints to your environment.

To learn more about how Insight Agents and Collectors communicate, read the InsightVM documentation.

Option 2: Use Network Sensors

Insight Network Sensors can be used to collect DHCP lease network traffic. Refer to the Network Sensor documentation to learn more.

Non-Windows Machines

In order for InsightIDR to discover non-Windows assets, make sure you specify the static IP addresses or ranges for InsightIDR to scan. InsightIDR will use DNS to discover the host names for these IP addresses in order to attribute traffic to the asset.