Insight Agent exclude eventIDs (5145 File Access Activity)

I’m trying to stop the Windows Insight Agent from collecting eventID 5145, since it generates so much data. Turning the logging policy off isn’t an option.
Found an article on the KB that should help (InsightIDR - Event Code Exclusion | Insight Agent Documentation), but whatever I try, I still get the friggin logs. I got it to work once, but when I tried documenting my steps and redoing what I did, it doesn't work anymore. I'm at a loss; this generates so much data.

This is what my C:\Program Files\Rapid7\Insight Agent\components\insight_agent\common\config\agent.jobs.windows.ui_realtime.json looks like right now (omitted some numbers).

[screenshot: Rapid7 agent]

Any suggestions?


Hi pvan den berge,

I saw that you faced the same issue with the Windows Insight Agent still collecting EventID 5145 logs, even after attempting to exclude it using the configuration file. I’m running into the exact same problem where the exclusion doesn’t seem to stick, and it’s generating a huge amount of data.

I was wondering if you ever found a solution to this problem? If so, I’d greatly appreciate it if you could share what worked for you.

Thanks in advance for your help!