Foundational Event Sources

An event source is an application, appliance, server, service, or other IT asset that generates log events. The Collector captures the data generated by these event sources, compresses the data, encrypts it, and pushes it up to the Insight platform. The Insight platform will then normalize, attribute, analyze, and present that data for search.

The foundational event sources provide the most data in regards to user attribution. User attribution correlates endpoint activity to individual users, including what endpoint applications they use and when. Attribution gives you a more complete image of your security posture, as user accounts are the most common targets for sophisticated attacks.

The foundational event sources are:

After you configure these, you can also prepare additional event sources.


Adding a Lightweight Directory Access Protocol (LDAP) server allows InsightIDR to track the users, admins, and security groups contained in the domain and to link account activity with real users to identify privileged and service accounts.

LDAP automatically mirrors data across all LDAP servers if you enable the auto-mirror feature. Even if you have multiple LDAP servers, you only need to configure one LDAP event source.

To add the LDAP event source:

  1. Designate a Service Account with the correct permissions.
  2. Open Port 636 (LDAPS) between the Collector and the LDAP server.

See LDAP for more information.

You can use the same service account for both LDAP and Active Directory.

Active Directory

Active Directory provides security logs from your domain controllers and authentication and administrative events for your domain users. Make sure that you add one Active Directory event source for each domain controller.

To collect logs from this event source:

  1. Open ports 135, 139, and 445 between the collector and Active Directory.
  2. Designate a Service Account with the correct permissions.

See Active Directory for more information.


Dynamic Host Configuration Protocol (DHCP) event logs provide IP lease information to correlate each IP address with its assigned host at the time of the event.

See DHCP for more information.

For DHCP applications that are not Microsoft-related, you can usually configure the application to send syslog to InsightIDR. Learn how.

Prepare Additional Event Sources

Besides the user attribution event sources, you can ingest additional high-value logs into your InsightIDR platform. These additional events allow you to search and analyze data across your entire environment.

If possible, connect all of the following types of event sources:

See the InsightIDR Event Sources page for a complete list. To configure event sources, you can manually create them or use the InsightIDR Auto Configure feature.