InsightIDR Event Sources

To send your logs to InsightIDR, you can forward them from a Security Information and Event Management system (SIEM) or collect the log events directly from the log sources described below. You can also combine the two methods: forward some log event types from the SIEM and collect the rest directly.

A Rapid7 Collector requires each syslog stream to arrive on its own TCP or UDP port. Configure each device that sends logs via syslog to target a port that is unique on that Collector. It is common to start at port 10000, but any open, unused port works. On Linux Collectors the port must be higher than 1024, because binding to the lower, privileged ports requires root on Linux.
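When several syslog sources are being onboarded onto the same Collector, port collisions and privileged ports are easy to introduce by hand. The following is an added example (not Rapid7 code) that validates a planned port assignment against the two rules above and hands out the next free port from 10000. The inventory is constructed for the example; it keys uniqueness on the port number alone rather than on (protocol, port), which is the conservative reading of the rule.

```python
# Added example: plan and validate syslog listener ports for Rapid7 Collectors.
# The PLAN inventory below is constructed sample data, not a real deployment.

LINUX_MIN_PORT = 1025   # ports below 1024 are privileged on Linux; the page requires > 1024
DEFAULT_START = 10000   # the customary first syslog port on a Collector
MAX_PORT = 65535

PLAN = [
    {"name": "Core firewall", "collector": "col-01", "collector_os": "linux",   "port": 10000},
    {"name": "Edge firewall", "collector": "col-01", "collector_os": "linux",   "port": 10001},
    {"name": "VPN",           "collector": "col-01", "collector_os": "linux",   "port": 10000},  # collides
    {"name": "Squid",         "collector": "col-01", "collector_os": "linux",   "port": 514},    # privileged
    {"name": "DHCP",          "collector": "col-02", "collector_os": "windows", "port": 10000},  # different Collector: fine
]


def check_syslog_ports(sources):
    """Return a list of problems; an empty list means the plan satisfies both rules.

    Rule 1: a port number is used at most once per Collector (protocol ignored,
            the conservative reading of "unique TCP or UDP port").
    Rule 2: on a Linux Collector the port must be above 1024.
    """
    problems = []
    seen = {}  # (collector, port) -> first source that claimed it
    for s in sources:
        key = (s["collector"], s["port"])
        if not 1 <= s["port"] <= MAX_PORT:
            problems.append(f"{s['name']}: port {s['port']} is not a valid port")
            continue
        if s["collector_os"] == "linux" and s["port"] < LINUX_MIN_PORT:
            problems.append(
                f"{s['name']}: port {s['port']} is privileged on Linux Collector {s['collector']}")
        if key in seen:
            problems.append(
                f"{s['name']}: port {s['port']} on {s['collector']} already used by {seen[key]}")
        else:
            seen[key] = s["name"]
    return problems


def next_free_port(collector, sources, start=DEFAULT_START):
    """Lowest unused port >= start on the given Collector, or None if exhausted."""
    used = {s["port"] for s in sources if s["collector"] == collector}
    port = start
    while port <= MAX_PORT:
        if port not in used:
            return port
        port += 1
    return None


if __name__ == "__main__":
    for p in check_syslog_ports(PLAN):
        print("PROBLEM:", p)
    print("next free port on col-01:", next_free_port("col-01", PLAN))
```

Run the check before touching device configurations; fixing a collision after two devices already send to the same port means one of them has been silently mixed into the other's logset.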

Event sources only parse logs in English

Currently, the data we receive from an event source must be in English to be parsed. If ingested data fields are not in English, the data goes to the Unparsed Data log set.

InsightIDR Event Sources

Active Directory

Browse our Active Directory event source documentation:

InsightIDR also supports:

  • Snare Active Directory via Dell SecureWorks LogVault
Advanced Malware

Browse our Advanced Malware event source documentation:

Data Exporters

Browse our Data Exporter event source documentation:

InsightIDR also supports:

  • FireEye Threat Analytics Platform (TAP)
Deception Technology

Browse our Deception Technology event source documentation:

DHCP

Browse our DHCP event source documentation:

InsightIDR also supports:

  • Alcatel-Lucent VitalQIP
  • Dnsmasq DHCP
  • MikroTik
  • Sophos UTM
  • Bluecat
DNS

Browse our DNS event source documentation:

InsightIDR also supports:

  • Bluecat
  • Infoblox DNS
  • MikroTik
  • PowerDNS
  • Dnsmasq DNS
E-mail & ActiveSync

Browse our E-mail & ActiveSync event source documentation:

Firewall

Browse our Firewall event source documentation:

InsightIDR also supports:

  • Cisco IOS Firewall
  • Juniper Netscreen
  • Juniper Junos OS
  • McAfee Firewall
  • Sophos Firewall
  • Stonesoft Firewall
IDS/IPS

Browse our IDS/IPS event source documentation:

InsightIDR also supports:

  • Corero IPS
  • Dell iSensor
  • Dell SonicWall
  • HP TippingPoint
  • Juniper Junos
  • Metaflows IDS
Ingress Authentication

Browse our Ingress Authentication event source documentation:

LDAP

Browse our LDAP event source documentation:

SIEMs/Log Aggregators

Browse our SIEMs/Log Aggregators event source documentation:

InsightIDR also supports:

  • McAfee Enterprise Security Manager (formerly known as NitroSecurity)
VPN

Browse our VPN event source documentation:

InsightIDR also supports:

  • Cisco ACS NAS
  • Fortinet FortiGate
  • F5 Networks FirePass
  • Microsoft Network Policy Server
  • MobilityGuard OneGate
  • SonicWALL Firewall & VPN
  • VMware Horizon
Web Proxy

Browse our Web Proxy event source documentation:

InsightIDR also supports:

  • Cisco IronPort
  • Fortinet FortiGate
  • Intel Security (formerly McAfee) Web Reporter
  • Livigent Content Filter
  • McAfee Web Reporter Web Proxy
  • Squid
  • TrendMicro Control Manager
  • Watchguard XTM
Rapid7 Universal Event Sources

InsightIDR can now universally support selected data types from any product's logs, so long as you convert the product's log output to JSON that matches the Universal Event Format (UEF) contract.
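The conversion step is the part you own. As an added example (not Rapid7 code and not the UEF specification itself), the script below turns constructed OpenSSH authentication lines into UEF-style authentication events. The field names (`version`, `event_type`, `time`, `source_user`, `source_ip`, `authentication_target`, `authentication_result`, `custom_data`) and the `SUCCESS`/`FAILURE` result values are written from memory of the UEF authentication event and are assumptions to verify against the current contract; the year supplied for the year-less syslog timestamp is also an assumption, since UEF needs a full ISO 8601 time.

```python
# Added example: convert sshd syslog lines into UEF-style authentication JSON.
# SAMPLE_LINES are constructed, not captured; UEF field names are assumptions to
# verify against the published Universal Event Format contract.
import json
import re
from datetime import datetime, timezone

SAMPLE_LINES = [
    "Jan 12 08:15:02 bastion sshd[2201]: Accepted publickey for alice from 203.0.113.9 port 51234 ssh2: RSA SHA256:abc",
    "Jan 12 08:16:40 bastion sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2",
    "Jan 12 08:17:01 bastion CRON[2220]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

# Traditional BSD syslog header: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

# sshd success/failure lines; "invalid user" is optional noise before the username.
SSHD_AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def syslog_time_to_iso(ts, year):
    """BSD syslog timestamps carry no year; caller supplies it (assumed UTC)."""
    dt = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def to_uef(line, year=2024):
    """Return a UEF-style authentication event dict, or None if the line is not an sshd auth event."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "sshd":
        return None
    a = SSHD_AUTH_RE.match(m.group("msg"))
    if not a:
        return None
    return {
        "version": "v1",                      # assumed UEF version tag
        "event_type": "AUTHENTICATION",       # assumed UEF event type name
        "time": syslog_time_to_iso(m.group("ts"), year),
        "source_user": a.group("user"),
        "source_ip": a.group("ip"),
        "authentication_target": m.group("host"),
        # Fixed English tokens regardless of the source log's language, since
        # only English field values are parsed.
        "authentication_result": "SUCCESS" if a.group("result") == "Accepted" else "FAILURE",
        "custom_data": {"method": a.group("method"), "source_port": int(a.group("port"))},
    }


def convert(lines, year=2024):
    """One compact JSON document per convertible line (NDJSON-friendly)."""
    return [json.dumps(e, separators=(",", ":")) for e in (to_uef(l, year) for l in lines) if e]


if __name__ == "__main__":
    for doc in convert(SAMPLE_LINES):
        print(doc)
```

Lines that are not authentication events are dropped rather than emitted with guessed fields; anything that does not fit the contract belongs in a Raw Data event source instead.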

Raw Data Event Sources

Raw Data event sources let you collect log events that do not fit InsightIDR's user behavior model or are otherwise unsupported at this time. They allow you to collect and ingest data from any event source in your network for log centralization, search, and data visualization.

Browse our Raw Logs event source documentation:

You can also use NXLog to transform logs from your application before sending them.