Filter Event Windows

Hello, I am using a collector that will look for Windows events, except it takes all of them and I would like to be able to specify only events 4771 and 4768.
In order to solve this problem I tried another method, using an agent that I placed on my Windows machine. Unfortunately, InsightIDR does find the agent, but I don't see the data.
Would you know how to get to InsightIDR only the events you want with the collector?

Hi @chloe_boissavy!
IDR today leverages 4768 on a DC as part of the predefined event codes.

Today we are working on making data ingestion from Windows more flexible, but in the meantime a workaround for your use case would be to use a third party agent, NXLog.
NXLog allows you to select the Windows Log bucket of your choice (in this case the Security log) and the event codes you want. NXLog will then proceed and send those logs through syslog to the Collector, and finally they will become visible in Log Search.

Let me know if this helps.
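A sample NXLog configuration for the workaround described in the answer above, added here as an illustration and not taken from the thread or from Rapid7's documentation. It reads only events 4768 and 4771 from the Security log with the `im_msvistalog` module and forwards them as BSD syslog over UDP to the Collector. The Collector address `192.0.2.10` and port `5140` are placeholders: the real values are whatever you configure on the custom syslog event source in InsightIDR.

```nxlog
# Added example configuration for NXLog on a Windows domain controller.
# Install paths below are the NXLog Community Edition defaults; adjust if needed.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Provides to_syslog_bsd() so the Collector receives standard syslog lines.
<Extension syslog>
    Module xm_syslog
</Extension>

# Read from the Windows Event Log. The XPath query filters at the source,
# so only Kerberos TGT requests (4768) and pre-authentication failures (4771)
# are ever pulled from the Security log, instead of every event.
<Input security_kerberos>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
                <Select Path="Security">*[System[(EventID=4768 or EventID=4771)]]</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Defensive second filter: if the query is later widened by mistake,
    # anything other than the two wanted IDs is still dropped here.
    Exec if ($EventID != 4768 and $EventID != 4771) drop();
</Input>

# Send to the InsightIDR Collector's custom syslog listener.
# Placeholder host and port: replace with the Collector IP and the port
# chosen when the event source was created in InsightIDR.
<Output insightidr_collector>
    Module om_udp
    Host   192.0.2.10
    Port   5140
    Exec   to_syslog_bsd();
</Output>

<Route kerberos_to_collector>
    Path security_kerberos => insightidr_collector
</Route>
```

Filtering in the `QueryXML` block is preferable to dropping in `Exec`, because the Event Log API then never hands NXLog the unwanted events at all, which keeps CPU and spool usage on a busy domain controller low. Switching `om_udp` to `om_tcp` avoids silently losing events under load if the Collector event source is configured for TCP.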


Indeed, it works! Thank you so much :blush: