InsightIDR and UDP 514

Currently running a trial of InsightIDR. We are trying to throw as many event sources at it as possible. We have several devices on our network that can only send syslog using the default UDP 514.

Is there a way to set up an event source for these devices?

Hi Jeremy,

Yes, you can indeed: a Custom Logs event source,


using Listen on Network Port as the collection method is the way to go.

A port/protocol combo can only be used once per collector. You can have many devices sending logs to that one port but they will be aggregated under one log in log search with the event source name.

If you wish to have multiple distinct event sources listening on UDP port 514, additional collectors would be required, or an intermediate device to receive and split the logs out to different ports.

David
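The "intermediate device" David mentions can be as simple as a small UDP relay: it listens once on 514, looks at the source address of each datagram, and forwards the unchanged payload to a per-device-class port on the collector, where each port is its own Custom Logs event source. The following is an added example, not code from the thread or from Rapid7; the routing table, the port numbers and the collector address are assumptions you would replace with your own.

```python
import ipaddress
import re
import socket
from typing import Dict, Optional, Tuple

# Assumed routing table: source network -> destination UDP port on the collector.
# Each destination port would be a separate "Listen on Network Port" event source.
ROUTES: Dict[ipaddress.IPv4Network, int] = {
    ipaddress.ip_network("10.0.1.0/24"): 10514,   # assumption: firewalls live here
    ipaddress.ip_network("10.0.2.0/24"): 10515,   # assumption: switches live here
}
DEFAULT_PORT = 10516  # assumed catch-all event source for unknown senders

# RFC 3164/5424 messages start with "<PRI>", where PRI = facility*8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def route_port(src_ip: str, routes=ROUTES, default=DEFAULT_PORT) -> int:
    """Pick the collector port for a sender; unknown senders go to the default."""
    addr = ipaddress.ip_address(src_ip)
    for net, port in routes.items():
        if addr in net:
            return port
    return default


def parse_pri(msg: bytes) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from the PRI header, or None if it is missing/invalid."""
    m = PRI_RE.match(msg)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 facilities * 8 + 7 is the largest legal value
        return None
    return pri >> 3, pri & 7


def handle_datagram(src_ip: str, payload: bytes) -> Tuple[int, bytes]:
    """Decide where a datagram goes and what is forwarded.

    The payload is forwarded byte-for-byte so the collector sees the original
    message; datagrams without a syslog PRI header are still relayed (to the
    default port) rather than dropped, so nothing is silently lost.
    """
    port = route_port(src_ip) if parse_pri(payload) is not None else DEFAULT_PORT
    return port, payload


def relay(listen_host: str = "0.0.0.0", listen_port: int = 514,
          collector_host: str = "127.0.0.1", max_bytes: int = 8192) -> None:
    """Blocking relay loop: one inbound socket, one outbound socket, no buffering."""
    inbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    inbound.bind((listen_host, listen_port))
    outbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        payload, (src_ip, _) = inbound.recvfrom(max_bytes)
        port, data = handle_datagram(src_ip, payload)
        outbound.sendto(data, (collector_host, port))


if __name__ == "__main__":
    # Binding 514 needs root or CAP_NET_BIND_SERVICE; run as a dedicated service user.
    relay()
```

Two things to keep in mind when splitting this way: the collector now sees the relay's IP as the UDP source, so the event source name and the HOSTNAME field inside each message, not the packet source, are what identify the device; and since UDP offers no delivery guarantee, the relay should sit on the same segment as the collector to avoid adding a second lossy hop.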

Thanks! I’ve got that created!