When Automatic Log Structuring is enabled, InsightIDR will convert logs from known formats (such as CEF and JSON) into a human readable format, which allows you to write LEQL queries and search your logs with ease.
Without Automatic Log Structuring, InsightIDR encodes JSON or CEF log files as a string and places it in the
source_data field of your log. This resulting
source_data field reads as a single log line.
Since automatic log structuring is optional, log collection will continue as normal if you choose not to use it.
If you want to take advantage of Automatic Log Structuring, make sure that you configure your appliance or third party device to send data in the CEF or JSON format.
If you have alerts, dashboards, or queries based on the
source_data field, make sure to update them after enabling automatic structuring. Otherwise, they will become invalid.
To enable Automatic Log Structuring:
- Log in to InsightIDR.
- On the left menu, select the Settings page.
- At the bottom of the table, select the Automatic Log Structuring tab.
- Toggle on the Enable button.