Log Aggregators

A log aggregator is not an event source itself but a place from which event source data can be pulled. Think of the aggregator (for example a SIEM) as a "middle man" between InsightIDR and the original event source. If you already have logs going into a log aggregator on your network (for example a SIEM or Splunk), you can use the aggregator to forward those logs to InsightIDR.

Requirements for Log Aggregators

InsightIDR requires the following:

  • The logs must be split into separate streams into the collector so that each parser only receives logs it knows how to parse.
  • For example, AD logs can be sent to UDP port 6000 while firewall logs can be sent to port 6001, IDS logs to port 6002, etc.
  • Logs must be sent to the collector before the SIEM processes them, so that they look the same to the collector as if they came directly from the original network appliance.
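As an added example (not from the Rapid7 documentation), the requirements above expressed as an rsyslog relay configuration: each feed is matched by its assumed source address and forwarded as plain syslog to its own collector port, straight from the raw input and before anything parses or normalises it. The collector hostname, the source addresses and the sample-name ports 6000 to 6002 are placeholders taken from the example above, not values from any real deployment.

```conf
# Added example: rsyslog v8 RainerScript on a relay host that receives the raw
# syslog feeds and forwards each one to its own InsightIDR collector port.
# All addresses and the collector hostname are assumed placeholders.

module(load="imudp")
input(type="imudp" port="514")

# Domain controllers (assumed addresses) -> Active Directory parser on UDP 6000.
# RSYSLOG_ForwardFormat is the built-in template that re-emits PRI, timestamp,
# host and tag as standard syslog, so the collector sees the original message,
# not a normalised SIEM event.
if $fromhost-ip == "10.0.0.10" or $fromhost-ip == "10.0.0.11" then {
    action(type="omfwd" target="collector.example.internal" port="6000"
           protocol="udp" template="RSYSLOG_ForwardFormat")
    stop
}

# Perimeter firewall (assumed address) -> firewall parser on UDP 6001
if $fromhost-ip == "10.0.0.1" then {
    action(type="omfwd" target="collector.example.internal" port="6001"
           protocol="udp" template="RSYSLOG_ForwardFormat")
    stop
}

# IDS sensor (assumed address) -> IDS parser on UDP 6002
if $fromhost-ip == "10.0.0.20" then {
    action(type="omfwd" target="collector.example.internal" port="6002"
           protocol="udp" template="RSYSLOG_ForwardFormat")
    stop
}

# Anything unmatched stays local, so an unknown feed never lands on a parser
# that cannot read it; review this file when onboarding a new source.
action(type="omfile" file="/var/log/unrouted-syslog.log")
```

Because the `stop` after each match ends processing for that message, a feed can only ever reach one collector port, which is what keeps each parser's stream clean.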

InsightIDR Log Aggregators

The following log aggregators can deliver data from these platforms into the Insight Platform:

Event Sources that support Log Aggregators

You can configure the following event sources to use log aggregators as their collection method:

  • Advanced Malware
  • DHCP
  • Ingress Authentication
  • Web Proxy
  • Web Server Access Logs

Forward Logs From a SIEM

InsightIDR can receive logs forwarded from the following SIEM/log aggregation products:

For all SIEM/log aggregation products, follow the vendor documentation to forward the log/event data to a collector using standard syslog for both the log format and the transport.

If you will be forwarding logs from your SIEM, be prepared to perform the necessary steps on the SIEM before your InsightIDR deployment. You can either complete the setup before the deployment or complete it with your Rapid7 Consultant during the deployment.