Network and System (servers, apps, etc) Health

Does anyone use IDR for monitoring network and system (servers, apps, web sites, etc.) for general health (heartbeat, disk space, processor and memory usage, etc.)? The guys on that side of the house use Splunk, and we want to get rid of it on our side – but to do so, we have to make the change across the board. I’ve used IDR extensively in the past and know it can do it, but I’d love to hear some use cases, examples, experiences, or whatever that could help make the case. We did a demo of IDR with that side of the house, and I’m not sure they came away in favor of IDR, as they love Splunk. Any help is appreciated.

Hi @geoS ,

This isn’t a well-documented feature of IDR, but it is possible; see here:

https://docs.rapid7.com/insight-agent/insightops#mac-and-linux

I know this mentions InsightOps but it works just fine with an InsightIDR license.

The part I’d like to draw your attention to is the metrics piece of the logging.json:

"metrics": {
  "destination": "<LogsetName>/<LogName>",
  "system-stat-enabled": true,
  "metrics-interval": "60s",
  "metrics-cpu": "system",
  "metrics-vcpu": "core",
  "metrics-mem": "system",
  "metrics-swap": "system",
  "metrics-net": "sum eth0",
  "metrics-disk": "sum sda4 sda5",
  "metrics-space": "/"
},

This is the part you would include if you would like to monitor CPU, memory, disk and network I/O.

It’s possible to configure the logging.json to only send metrics; an example would look like this:

{
  "config": {
    "name": "Metrics Config",
    "endpoint": "<REGION>.data.logs.insight.rapid7.com",
    "region": "<REGION>",
    "api-key": "<Your API key>",
    "state-file": "C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\common\\state.file",
    "metrics": {
      "destination": "<LogsetName>/<LogName>",
      "system-stat-enabled": true,
      "metrics-interval": "60s",
      "metrics-cpu": "system",
      "metrics-vcpu": "core",
      "metrics-mem": "system",
      "metrics-swap": "system",
      "metrics-net": "sum eth0",
      "metrics-disk": "sum sda4 sda5",
      "metrics-space": "/"
    },
    "logs": []
  }
}

Note that you would update REGION to your IDR region and add the API key as per our docs, using the Log Search Insight Agent Service Role permission.

And finally, the destination would need to be set to <LogsetName>\<LogName>.

You can optionally adjust how frequently the metrics are sent using metrics-interval.

David

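As an added pre-deployment check (not part of the post above or of the Rapid7 agent itself), this Python snippet parses a metrics-only logging.json like the one in the reply and reports template placeholders left in, an endpoint that does not match the configured region, a malformed destination, and a bad interval before the file is rolled out to servers. The sample config is constructed with made-up values, and it assumes that the `<number>s/m/h` interval form and the `sum <device>` form shown in the reply are the accepted ones.

```python
import json
import re

# Constructed sample based on the metrics-only config in the reply; the API key,
# region and logset/log names are made up, and name/state-file are omitted.
SAMPLE_LOGGING_JSON = r"""{
  "config": {
    "endpoint": "us.data.logs.insight.rapid7.com",
    "region": "us",
    "api-key": "00000000-0000-0000-0000-000000000000",
    "metrics": {
      "destination": "Servers/HostMetrics",
      "system-stat-enabled": true,
      "metrics-interval": "60s",
      "metrics-cpu": "system",
      "metrics-vcpu": "core",
      "metrics-mem": "system",
      "metrics-swap": "system",
      "metrics-net": "sum eth0",
      "metrics-disk": "sum sda4 sda5",
      "metrics-space": "/"
    },
    "logs": []
  }
}"""
PLACEHOLDER = re.compile(r"<[^>]*>")   # anything still in <angle brackets> from the template
INTERVAL = re.compile(r"^\d+[smh]$")   # e.g. "60s"; accepted units are an assumption

def check_metrics_config(text: str) -> list[str]:
    """Return the problems found in a logging.json; an empty list means it looks deployable."""
    problems = []
    cfg = json.loads(text)["config"]
    for key in ("endpoint", "region", "api-key"):   # leftover placeholders are the usual mistake
        if PLACEHOLDER.search(str(cfg.get(key, "<missing>"))):
            problems.append(f"{key} still contains a placeholder or is missing")
    if not cfg.get("endpoint", "").startswith(cfg.get("region", "?") + "."):
        problems.append("endpoint does not start with the configured region")
    m = cfg.get("metrics") or {}
    if m.get("system-stat-enabled") is not True:
        problems.append("metrics.system-stat-enabled must be true to send host stats")
    dest = m.get("destination", "")
    if PLACEHOLDER.search(dest) or dest.count("/") != 1 or not all(dest.split("/")):
        problems.append("metrics.destination must be <LogsetName>/<LogName> with real names")
    if not INTERVAL.match(m.get("metrics-interval", "")):
        problems.append("metrics-interval is not a duration like 60s")
    for key in ("metrics-net", "metrics-disk"):    # "sum <device> [<device> ...]" as in the reply
        parts = m.get(key, "sum x").split()
        if parts[0] != "sum" or len(parts) < 2:
            problems.append(f"{key} should be 'sum <device> [<device> ...]'")
    return problems
```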