Getting Started with InsightIDR

Automation

How To

Concepts and Usage

Detection Library

InsightIDR REST APIs

Event Source Configuration

Administration

Release Notes

Support

Event Source Troubleshooting

You can monitor your incoming data to understand the overall health of your event sources, determine whether events are flowing into InsightIDR as expected, view parsing rates over time, and more. To access your event source health data, go to the Data Collection Management page, and click Monitor Health beside the event source that you want to review. If you don't see data available or the data you receive is not parsed, you can review the sections below to determine if what you see is expected, or if you need to take some actions to correct unexpected behavior.

Scenarios where no data might be expected:

The event source has just been set or edited
The event source has been stopped
A specific time range does not have data

However, you might need to troubleshoot an issue when:

There is an error in the event source
The event source appears to be correctly running, but no data is available
Other issues are present and none of the above applies

There are also specific issues for data parsing:

How parsing works
Unexpected behavior with data not parsed
The fields in the ingested data are not in English
Other issues are present and none of the above applies

Event source not receiving data: Expected Scenarios

If you check the Event Source Health page for an event source and see that data has not been received, review the following sections to determine whether this is expected.

The event source has just been set up or edited

When you set up or edit an event source, it can take a few minutes for the data to show. While you wait for the data to be displayed, you can check if the event source is running:

How to check:

From the InsightIDR left menu, click Data Collection.
Select the Event Sources tab.
You will find the status below the event source name. If it is correctly set up, it will be displayed as Running.

If the event source is running and you have already waited more than 10 minutes, you might want to check the next steps to identify if there is another reason for the lack of data.

The event source has been stopped

You can stop an event source from collecting data and activate it at a later time. In this case, the Monitor Health page will indicate that data has not been received.

What to check:

You can check if the event source has been stopped and if so, reactivate it ti start receiving data.

From the left menu, click Data Collection.
Select the Event Sources tab.
Find the event source you want to troubleshoot. At the bottom of each event source card, you should see available actions in blue.

If an event source has been stopped, you will find the option to Start Running.

Otherwise, if the event source has not been stopped, the option displayed will be Stop Running.

If you see Stop running, it means that the event source has not been previously stopped. You might want to adjust the selected time range.

A specific time range does not have data

InsightIDR can display event source health data from the last 30 days. It is possible that InsightIDR has received data from an event source, but not in a specific time range.

What to check:

You can check if data is available in a different time range:

From the InsightIDR left menu, click Data Collection.
Select the Event Sources tab.
Click on the Monitor Health option for an event source.
On the top right, click on the date picker and select a different time range.

You can try that for different time ranges. If data is still not available for other dates and you have reviewed the scenarios above, that might not be expected. You can review the next steps to identify if there is an issue.

Unexpected event source behaviors

There are issues that can prevent InsightIDR from receiving data from an event source. In those cases, you need to take action to correct the situation.

If the previous scenarios that described expected causes did not apply to your event source, you can check the following cases and try the suggested steps to fix the issue.

There is an error in the event source

InsightIDR displays error messages to inform you when an issue is affecting event source data. Those errors can sometimes affect the data sent to InsightIDR.

What to check:

From the InsightIDR left menu, click Data Collection. Then select the Event Sources tab.
Event sources that have issues will display orange warnings or red error messages. You will also be able to see an error or warning status below the event source name from the Monitor Health option.

To solve the issue, check the next scenario or contact support.

There is a configuration issue

An event source needs to be properly configured to collect and send data. If there is an issue with the configuration, it can affect how the data is sent to InsightIDR.

What to check:

From the InsightIDR left menu, click Data Collection. Then select the Event Sources tab. 2.Find the event source you want to check, and click Edit. The Edit Event Source panel will open.

Check if that type of event source has a link for to the help documentation below the Select Event Source Type dropdown menu. The setup instructions and recommendations available in that documentation will help you check if the event source is correctly configured. If the event source seems to be correctly configured, you can continue to troubleshoot on your own or contact support.

The event source appears to be running but no data is available

If an event source status says Running but InsightIDR does not appear to be ingesting data, it could be due to the following issues:

The collector that hosts the event source is inactive,
Something is blocking a connection between an event source and a collector, or
The event source is ingesting data that is not being parsed.

What to check:

Ensure that a port (if applicable) is open and nothing is blocking a connection, such as a firewall, endpoint protection or a proxy.
You can generate a test event to get:

A user name: who generated the event,
A machine name: what machine has it been generate on, or
The exact timestamp: when the test was initiated.

Note that it is possible for an event source to send raw data (data that is not getting parsed). In this case, the corresponding log might not even be created in Log Search under Raw Data.

This can cause the Data Collection Management page to show some activity under EPM for this event source. However, since there will be no log created for this event source in Log Search, it will appear as if data is going nowhere.

That information should help you identify if InsightIDR is getting any data at all from that event source. If the event source is not sending any data, you can contact support or check the next scenario.

Event sources can have specific issues, so documentation for setup and configuration might include particular troubleshooting steps that are unique to that type of event source. You might want to look for documentation about an specific event source and check if there are any troubleshooting steps available.

Other issues are present and none of the above applies

If you think that none of the scenarios described above applies, you can contact support.

Issues with data not being parsed

Somtimes unparsed data can be expected, but other times can indicate that there is a parsing issue. The following scenarios will help you determine what next steps to take.

How parsing works

Each type of event source can parse specific events and, sometimes, no events at all. You can view parsing information by going to the Event Source Health page.

What to check:

From the left menu, click Data Collection.
Select the Event Sources tab.
Click on the Monitor Health option for an event source.

The type of events that can be parsed will be listed under the About event source parsing section.

If an specific event source type does not produce parsed events, it will be specified on the page.

Unexpected behavior with data not parsed

However, when a specific type of event source is expected to parse events and that information is not available in the Monitor health page, there might be parsing issues.

We will cover those scenarios, next.

The fields in the ingested data are not in English

Currently, the data we receive from an Event Source needs to be in English to be parsed. If ingested data fields are not in English, the data will go to the Unparsed Data logset.