I’m struggling to find windows event logs from my hosts. Anyone know how they appear in Rapid7 or what events are naturally captured by the R7 agent?
Thanks!
Tom
Hi @thomas_chapman,
The Insight Agent installed on non-Domain Controllers collects the following events:
7045, 1102, 4624, 4625, 4648, 4720
https://docs.rapid7.com/insightidr/insight-agent/#monitored-event-codes
If you have the agent installed and you are looking for logon events, you will find them in Log Search under the Asset Authentication logset, in the Endpoint Agents log.
As outlined in the linked docs, on Domain Controllers we can pull additional events in lieu of using the WMI event source option for AD logs.
The AD event source is designed to work on your DCs (Active Directory | InsightIDR Documentation) and collects the listed security events (additionally, you have the option to enable "send unfiltered events" and collect the entire security log; this is not an option for the Agent running on DCs).
We also have the Generic Windows Event Log option, as described here: Generic Windows Event Log | InsightIDR Documentation
You can see the list of event IDs that we collect using that method.
Lastly, we have the logging.json option of the agent; see Configure the Insight Agent to Send Additional Logs | InsightIDR Documentation
This method does not work on Domain Controllers, but for regular servers/hosts it will work. This method allows you to collect the entire System, Security and Application logs from a given host. However, it does come with some caveats, as outlined here: Configure the Insight Agent to Send Additional Logs | InsightIDR Documentation
I hope this helps.
David
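A quick way to check the other side of the pipeline: before assuming the agent is dropping events, confirm the host is actually generating the event IDs the answer above lists for non-DC hosts. The following PowerShell is an added example, not code from the thread or from Rapid7; it assumes it is run locally with an account permitted to read the Security log, and the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the thread or from Rapid7): confirm that this host
# is producing the event IDs the Insight Agent collects on non-DC hosts, so a
# gap in Log Search can be traced to host auditing rather than to the agent.
# Assumption: run locally with rights to read the Security log.

# Event IDs from the answer above, grouped by the Windows log each lives in.
$securityIds = 4624, 4625, 4648, 4720, 1102   # Security log
$systemIds   = 7045                            # System log (Service Control Manager)

# Look back 24 hours (arbitrary window for this check).
$since = (Get-Date).AddHours(-24)

# Get-WinEvent raises a non-terminating error when nothing matches, so
# SilentlyContinue keeps an empty log from aborting the script.
$events = @()
$events += Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $securityIds; StartTime = $since } -ErrorAction SilentlyContinue
$events += Get-WinEvent -FilterHashtable @{ LogName = 'System';   Id = $systemIds;   StartTime = $since } -ErrorAction SilentlyContinue

# Per-ID counts to compare against what shows up in the Endpoint Agents log.
$events | Group-Object Id | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count

# Report IDs that produced nothing in the window. If 4624 is absent here, the
# audit policy on the host is the problem, not the agent or the log source.
$seen = $events | Select-Object -ExpandProperty Id -Unique
($securityIds + $systemIds) | Where-Object { $_ -notin $seen } |
    ForEach-Object { "No events with ID $_ in the last 24h on $env:COMPUTERNAME" }
```

Run it on a host whose logon events you expect to see under Asset Authentication; if the counts are non-zero locally but nothing reaches Log Search, the issue is on the agent or collection side, whereas a missing ID here points at the host's audit configuration.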