Improved
- Additional encoding support: The Insight Agent can now monitor and send logs in encodings other than UTF-8. To specify a different encoding for a particular log, add the "encoding" key with a supported encoding value to that log's JSON object in your logging.json file.
- Refactored Windows log forwarding for Log Search: The Insight Agent's ability to monitor logs on Windows assets and send them to Log Search has been refactored with additional features and improved stability, and is available on an opt-in basis. To opt in to the refactored Windows log collection capability, add the "windows_following": true key-value pair to the log's JSON object in your logging.json file. The refactored component includes the following functionality:
  - Log rotation support for Windows assets.
  - An Insight Agent restart is no longer required to move, rename, or delete a file that is being followed by the le_realtime agent job.
  - Log forwarding configuration instructions are available here:
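As an illustration of how the two new keys sit in a per-log entry, here is an added example logging.json fragment (not taken from the release notes or from Rapid7's documentation). Only the "encoding" and "windows_following" keys and their placement inside the log's JSON object come from the text above; the surrounding "logs" array, the "name" and "path" keys, the example paths, and the "utf-16" encoding value are assumptions made for the example, so check them against the log forwarding configuration instructions before using it.

```json
{
  "logs": [
    {
      "name": "app-log-utf16",
      "path": "C:\\ProgramData\\ExampleApp\\logs\\app.log",
      "encoding": "utf-16",
      "windows_following": true
    },
    {
      "name": "legacy-log-default",
      "path": "C:\\ProgramData\\ExampleApp\\logs\\legacy.log"
    }
  ]
}
```

The first entry opts a single Windows log into the refactored follower (rotation support, no agent restart needed when the file is moved, renamed, or deleted) and declares a non-UTF-8 encoding; the second entry keeps the existing behaviour and default UTF-8 handling, showing that both settings are per-log rather than global. The "logs"/"name"/"path" structure and the encoding value string are assumed, as noted above.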
Fixed
- We fixed an issue that caused asset quarantine jobs on macOS assets to fail if the Insight Agent's proxy server or localhost resolved to an IPv6 address.
- We fixed an issue that prevented the ui_realtime agent job from assuming its backup role of collecting process start events when Sysmon isn't available.
Sysmon and Events Monitor Updates
- The Events Monitor component can now collect the Event ID 3: Network connection, Event ID 10: ProcessAccess, and Event ID 13: RegistryEvent (Value Set) Sysmon events for analysis with InsightIDR and MDR.
- This change is shipped independently of this Insight Agent version release. The Sysmon service is configured automatically by the Sysmon Installer component. If you have a Rapid7 deployment of Sysmon, you can view these new events in Log Search under the Endpoint Activity log set.
Other Changes
- Additional container-related directories that do not pose any vulnerability risk will now be automatically excluded from assessments to reduce Insight Agent resource utilization.