DMZ logs view

I installed the insight agent in a DMZ server. I can see the agent in the Data Collection Management > Agents but I can’t find any logs in the log search.

Should I add the server to the Event Sources?
If so, What Event Source type should I choose? i.e. Custom logs


Adding the agent to a machine will enable it to transmit process start events as well as windows security events. These logs are populated in log search under

Endpoint Activity → Process Start events (Provided you have Managed Detection Response, IDR Ultimate or EET add on)
Endpoint Activity → Local Service Creation

as well as
Active Directory Admin Activity → Endpoint Agents (Windows DCs only)
Asset Authentication → Endpoint Agents
Host to IP Observations → Endpoint Agents (Windows only)
File Access Activity → Endpoint Agents (Windows only - with FAAM auditing configured on endpoints)
File Modification Activity → Endpoint Agents (Windows/Linux - with FIM auditing configured on endpoints)
Virus Alert → Endpoint Agents
Unparsed Data → Windows Defender

Can you share a little more info on these machines, are they windows or linux? Can you check the above listed logs? If you search for the hostname using a case insensitive partial match (loose search) do you see any hits?


Hey David,

Thanks for your replied.

The DMZ is a Microsoft Windows Server 2016 Standard out of the domain. I tried to search by hostname using a case insensitive partial match as suggested but received no logs. I do see the Rapid7 agent in the services running and we verify that the firewall sees the server sending data to the collector.

Next thing would be to run a diagnostics check

and if that passes we need to review the agent logs to see what jobs are running and if there are any errors, you can find the agent.log in this location C:\Program Files\Rapid7\Insight Agent\components\insight_agent\common

HI David,

It seems, that the logs started showing after a while so it was a matter of long time. Thanks for all your effort.


1 Like