Like other raw data, custom logs contextualize information throughout InsightIDR and are helpful during log search.
Any text-based log can be ingested through InsightIDR. This event source accepts data as is and does not parse it, so use it when you want to send data in a format that is not currently supported by the platform.
- From your dashboard, select Data Collection on the left hand menu.
- When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
- From the “Raw Data” section, click the Custom Logs icon. The “Add Event Source” panel appears.
- Choose your collector and event source. You can also name your event source if you want.
- Choose the timezone that matches the location of your event source logs.
- Optionally choose to send unfiltered logs.
- Configure inactivity timeout threshold in minutes.
- Select a collection method and specify a port and a protocol.
- If you chose TCP, optionally encrypt the event source by downloading the Rapid7 certificate.
- Click Save.
Rapid7 recommends using JSON or KVP format for logging, as data is presented in log search in this form. Sending an unstructured string yields an unstructured log entry in InsightIDR: you can search for any text in the event, but lose the benefit of keyword search.
Formatting logs in JSON or KVP lets InsightIDR preserve the key/value structure and provides the added benefit of keyword search (e.g., foo=bar).
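As an added example (not Rapid7's code), the same event serialised both as a single-line JSON object and as a KVP line, with values containing spaces or quotes quoted so each key stays searchable, plus a sender for the TCP/UDP port configured above. The host, port, certificate path and sample event are placeholders constructed for the example; TLS assumes the collector's certificate name matches the host you connect to.

```python
import json
import socket
import ssl


def to_json_line(event: dict) -> str:
    """Serialise one event as a single-line JSON object (no embedded newlines)."""
    return json.dumps(event, separators=(",", ":"), default=str)


def to_kvp_line(event: dict) -> str:
    """Serialise one event as key=value pairs; quote values containing spaces, '=' or quotes."""
    parts = []
    for key, value in event.items():
        text = str(value)
        if any(ch in text for ch in ' ="'):
            # Escape backslashes and quotes, then wrap so the value stays one token
            text = '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'
        parts.append(f"{key}={text}")
    return " ".join(parts)


def send_lines(lines, host, port, proto="tcp", ca_cert=None):
    """Send newline-terminated lines to the collector port; ca_cert (PEM path) enables TLS over TCP."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for line in lines:  # one datagram per event
                s.sendto((line + "\n").encode("utf-8"), (host, port))
        return len(lines)
    sock = socket.create_connection((host, port), timeout=10)
    if ca_cert:  # assumption: the downloaded Rapid7 certificate is trusted as the CA
        ctx = ssl.create_default_context(cafile=ca_cert)
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall("".join(line + "\n" for line in lines).encode("utf-8"))
    return len(lines)


# Constructed sample event (placeholder values, not from the page)
SAMPLE_EVENT = {
    "timestamp": "2024-05-01T12:00:00Z",
    "app": "payroll-api",
    "user": "alice",
    "action": "login failed",
    "src_ip": "10.0.0.5",
}

if __name__ == "__main__":
    print(to_json_line(SAMPLE_EVENT))
    print(to_kvp_line(SAMPLE_EVENT))
    # send_lines([to_json_line(SAMPLE_EVENT)], "collector.example", 10514, "tcp")
```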