Data Collection Methods

When you configure event sources, you can use one of the following data collection methods:

Listen for Syslog

You can configure your application to forward log events to a syslog server, and then configure the InsightIDR Collector to "listen" for syslog data on a unique port in order to receive it.

See Syslog Logging for more information.

Log Aggregator

If you want to collect logs that have already been collected by a SIEM or a Log Aggregator, you can send raw logs to the Collector using a unique port. See SIEMs/Log Aggregators for more information.


AWS SQS, or Amazon Simple Queue Services, is a managed queuing service that works with InsightIDR when sending messages as events. See AWS SQS for more information,


WMI (Windows Management Instrumentation) allows your Collector to retrieve your event source applications for events that are related to User Attribution. WMI is available for all Windows-based event sources, and it is recommended for data collection whenever possible.

See Ports Used by InsightIDR for port recommendations and other requirements.

Watch Directory

You can monitor a watch directory, which is a network location that hosts copied log files from a specified directory on a local or remote host. The host will add log files to this location in 30 second intervals.

Use this collection method for log files that "roll over" into new files, such as Microsoft DHCP or IIS log files used in OWA/ActiveSync.

During configuration, you must specify a local folder path or a Windows UNC (Universal Naming Convention) path to a hosted network drive. If the directory contains other files, enter a file pattern to specify which files InsightIDR should collect from the Directory.

Watch Shared Remote Directory

To enhance security, you can select the watch shared remote directory option. This options requires the Collector to authenticate to the directory as it would for any file share.

Tail File

You can configure InsightIDR to watch the network location where a host stores log data, and ingest any new data added to the log file. Using the equivalent of the Unix tail command, InsightIDR will collect data written to the host disk every 20 seconds.

Use this method for log files that are written continuously to a single file, such as Microsoft DNS.

During configuration, you must specify a local folder path or a Windows UNC (Universal Naming Convention) path to a hosted network drive.

Updated about a year ago

Data Collection Methods

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.