I installed the insight agent in a DMZ server. I can see the agent in the Data Collection Management > Agents but I can’t find any logs in the log search.
Should I add the server to the Event Sources?
If so, What Event Source type should I choose? i.e. Custom logs
Adding the agent to a machine will enable it to transmit process start events as well as windows security events. These logs are populated in log search under
Endpoint Activity → Process Start events (Provided you have Managed Detection Response, IDR Ultimate or EET add on)
Endpoint Activity → Local Service Creation
as well as
Active Directory Admin Activity → Endpoint Agents (Windows DCs only)
Asset Authentication → Endpoint Agents
Host to IP Observations → Endpoint Agents (Windows only)
File Access Activity → Endpoint Agents (Windows only - with FAAM auditing configured on endpoints)
File Modification Activity → Endpoint Agents (Windows/Linux - with FIM auditing configured on endpoints)
Virus Alert → Endpoint Agents
Unparsed Data → Windows Defender
Can you share a little more info on these machines, are they windows or linux? Can you check the above listed logs? If you search for the hostname using a case insensitive partial match (loose search) do you see any hits?
Thanks for your replied.
The DMZ is a Microsoft Windows Server 2016 Standard out of the domain. I tried to search by hostname using a case insensitive partial match as suggested but received no logs. I do see the Rapid7 agent in the services running and we verify that the firewall sees the server sending data to the collector.
Next thing would be to run a diagnostics check
and if that passes we need to review the agent logs to see what jobs are running and if there are any errors, you can find the agent.log in this location C:\Program Files\Rapid7\Insight Agent\components\insight_agent\common
It seems, that the logs started showing after a while so it was a matter of long time. Thanks for all your effort.