Hi everyone. We have an old Qradar instance out there from years past. There are a ton of event sources pointed at it still…load balancers, network equipment, etc etc. Well over 1000 of them. Is there any way I can just have these event sources point to a collector without having to individually build out each event source? Similar to the way you just point a syslog source to Q and it figures out on its own what it is. Surely R7 is more superior and can do this too?
Hi rlowary,
I doubt you can auto-point about 1000 event sources to the InsightIDR. A good alternative for you is turning the Qradar into a log aggregator. The old box will send all logs received to the insight platform
Check the URL below for more information:
https://docs.rapid7.com/insightidr/log-aggregators/
That’s part of the problem…we are MDR, so we have unlimited log ingest and was touted as such. Q is EOL and on no contract, it has to go. Zero chance I can go to my execs and say “hey, we actually need to pay for two siems because the new one isn’t as capable as the pos we are trying to replace”. Additionally, Q is licensed on EPS and such which definitely means you would end up double paying here. I mean, are we enterprise with IDR or are we not? Don’t get me wrong, I love Rapid7 and the products but this seems like a huge miss so far