I am looking for a way to be able to extract and review/report on current event source status for our multiple clients (40+) we have in IDR.
There is unfortunately no API interaction with event sources for IDR that I am aware of (which seems like a major shortcoming to me), so I cannot interact via API which would be the ideal way.
I have half a thought that I could use Selenium to programmatically interact with the website and extract lists of event sources and their status that way. But that would get very messy.
Does anyone have a method they are using to be able to automatically extract and list event sources and their status?
And for the Rapid7 Staff, is there an API to be able to interact with event sources (even just to get status) either available or on the roadmap?
To my knowledge we don’t have any immediate plans to expose a public API for this functionality. I’d agree though that this is an area where our API coverage is lacking. One thing I can think of would be to look at the logs produced from an event source programmatically using the Query API (InsightIDR REST API | InsightIDR Documentation).
Or alternatively you could configure inactivity alerts for the logs produced from event sources to alert when something stops flowing (Create and Manage Custom Alerts | InsightIDR Documentation).
We already utilise custom inactivity alerts for some core inactivity alerting, but they need to be manually created and targeted, which is not ideal and opens the whole situation up to human error.
Just one example is someone forgetting to target a new event source logset when they create a new event source.
They’re also not great at handling event sources where we expect them to be intermittent with the events they receive. Using a purely time-based inactivity measurement can generate false positives, which if anything is more unhelpful than not getting inactivity alerts at all.
For those sort of event sources being able to do our own rate-over-last-X-days calculations from an API would be very useful.
Using the Query API would potentially be an interesting exercise, but I think it would suffer from the same human error issues above, because it would have to be at least semi-manual to get the individual log IDs in the first place in order to query them.
Can we please submit this as an IDEA to have event sources exposed in a public API?
Hi @achesterton, totally understand the hesitancy to rely on the inactivity alerts due to potential human error. As far as having to create them manually, it’s worth noting we do have a Tags API (tags are another name for alerts) that allows the creation of custom alerts programmatically, which, combined with the Get Logs and/or Get Logsets APIs, would let you fully automate the creation of inactivity alerts (not to discount Get Event Sources, which is the API that returns the logs associated to an event source). You could even use the Query API to look back in time to establish how long this event source typically sends data and base the inactivity duration off of the output.
Note these links I’m sharing point to the InsightOps documentation but are fully functional with the IDR product.
Lastly, we have had at least one other request for an event source API; the idea ticket is #10553. If you would like to submit a support case we can link it to your account so you can track its progress over time, but as I previously mentioned, it’s currently not on the near-term roadmap.
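Taking the staff suggestion of looking back over a log's history and deriving the inactivity duration from how often the source actually sends, here is an added example (not code from this thread or from Rapid7). It assumes the event timestamps for one log have already been retrieved with the Query API; the timestamps below are constructed inline, and the percentile and safety factor are assumed tuning values. The per-source threshold comes from the observed inter-event gaps, so an intermittent source does not trip a fixed time-based alert while a steady one is still caught quickly.

```python
from datetime import datetime, timedelta, timezone
from statistics import quantiles


def typical_gap(timestamps, percentile=0.95):
    """Gap below which `percentile` of the observed inter-event gaps fall."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        raise ValueError("need at least three events to estimate a gap distribution")
    # quantiles(n=100) returns the 1st..99th percentile cut points
    cut = quantiles(gaps, n=100, method="inclusive")[round(percentile * 100) - 1]
    return timedelta(seconds=cut)


def inactivity_threshold(timestamps, safety_factor=2.0, floor=timedelta(hours=1)):
    """Per-source alert duration: a multiple of the typical gap, never below `floor`."""
    return max(floor, typical_gap(timestamps) * safety_factor)


def is_stale(timestamps, now, safety_factor=2.0):
    """Return (stale?, observed silence, threshold used) for one log."""
    threshold = inactivity_threshold(timestamps, safety_factor)
    silence = now - max(timestamps)
    return silence > threshold, silence, threshold


# Constructed sample data (assumption: what a Query API search would return).
BASE = datetime(2024, 1, 1, tzinfo=timezone.utc)
# A steady source: one event every 5 minutes for 7 days.
STEADY = [BASE + timedelta(minutes=5 * i) for i in range(7 * 24 * 12)]
# An intermittent source: gaps cycling through 10h, 12h, 14h over 14 days.
INTERMITTENT = [BASE]
for i in range(27):
    INTERMITTENT.append(INTERMITTENT[-1] + timedelta(hours=(10, 12, 14)[i % 3]))

if __name__ == "__main__":
    for name, events in (("steady", STEADY), ("intermittent", INTERMITTENT)):
        stale, silence, threshold = is_stale(events, max(events) + timedelta(hours=20))
        print(f"{name}: silent {silence}, threshold {threshold}, stale={stale}")
```

A fixed "no data for 12 hours" alert would fire on the intermittent source after 20 hours of silence; the derived 28-hour threshold does not, while the steady source is flagged after just over an hour.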
Have there been any updates or changes regarding this functionality? I’m in a similar position needing to support multiple tenants and it would be helpful to get better alerting regarding event source errors.