Has anyone successfully been able to get Windows Applications and Services Logs into IDR? We are trying to get logs that are visible in Event Viewer at Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational into IDR.
You could try using NXLog? NXLog | InsightIDR Documentation
You’d need to configure the Nxlog to look at that specific Log and forward it to a collector with a Custom Log event source listening on a network port.
David
That would be a possibility if I needed to do this for servers, but I need the logs from Windows 10/11 laptops. A large portion of the laptops rarely, if ever, connect to our internal network and wouldn’t be able to send the logs to the collector. Thank you for the NXLog suggestion though.
You could combine Nxlog or powershell with the logging.json feature of the Insight Agent - read more here Configure the Insight Agent to Send Additional Logs | InsightIDR Documentation
Step 1 would be to have a script or program (such as Nxlog) running and taking the contents of the Applications and Services log and writing them to a .txt file as a single json object per line.
Step 2 would be to configure the logging.json to read from the file to ingest the JSON logs and send them directly to Log Search.
Note that it is recommended to set up a service account with a least-privilege role for the API key needed to configure the logging.json.
Below is an example configuration file. You need to include the endpoint URL, such as us.data.logs.insight.rapid7.com if you are in us-east-1 (United States 1); the region would then be us, and you include the API key from the service account.
{
  "config": {
    "name": "Windows Agent",
    "endpoint": "<region-code>.data.logs.insight.rapid7.com",
    "region": "<region-code>",
    "api-key": "<platform-api-key>",
    "state-file": "C:\\Program Files\\Rapid7\\Insight Agent\\components\\insight_agent\\common\\state.file",
    "formatter": "plain",
    "logs": [
      {
        "destination": "Windows Logs/Applications & Services Log",
        "path": "c:\\outputFileFromNxlog.txt",
        "enabled": true
      }
    ]
  }
}
David
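As an added example (not code from this thread, from NXLog or from Rapid7), here is one way to do Step 1 above in PowerShell rather than NXLog: poll the DriverFrameworks-UserMode/Operational channel and append each new event to the text file as one JSON object per line. The output path, the state-file path and the field names are assumptions; the output path must match the "path" entry in logging.json.

```powershell
# Added example: export new events from one Applications and Services channel as
# one JSON object per line, for the Insight Agent's logging.json file reader.
# Channel name is from the original question; paths below are assumptions.
$LogName   = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
$OutFile   = 'C:\outputFileFromNxlog.txt'          # must match "path" in logging.json
$StateFile = 'C:\ProgramData\evtx-to-json.state'   # last exported RecordId (assumed path)

# Resume from the last exported RecordId so repeated runs (e.g. a scheduled task)
# never write the same event twice.
$lastId = 0
if (Test-Path $StateFile) { $lastId = [int64](Get-Content $StateFile -Raw) }

# Ask the event log only for records newer than the saved RecordId; the XPath filter
# avoids reading the whole channel each run. SilentlyContinue covers the
# "No events were found" error that Get-WinEvent raises when nothing matches.
$events = Get-WinEvent -LogName $LogName `
            -FilterXPath "*[System[EventRecordID > $lastId]]" `
            -ErrorAction SilentlyContinue | Sort-Object RecordId

foreach ($e in $events) {
    $obj = [ordered]@{
        timestamp = $e.TimeCreated.ToUniversalTime().ToString('o')
        computer  = $e.MachineName
        log_name  = $e.LogName
        provider  = $e.ProviderName
        event_id  = $e.Id
        record_id = $e.RecordId
        level     = $e.LevelDisplayName
        message   = $e.Message
    }
    # -Compress keeps each event on a single line, which the file reader expects
    $obj | ConvertTo-Json -Compress | Add-Content -Path $OutFile -Encoding UTF8
    $lastId = $e.RecordId
}

# Persist the high-water mark only after the events have been written
Set-Content -Path $StateFile -Value $lastId
```

Run it from a scheduled task as a low-privilege account that has read access to the channel, and check in Event Viewer that the channel is actually enabled on the laptops before relying on it, since it is not enabled on every Windows image.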
Good suggestion. I will explore that option.
We just use logging.json but that sends all Windows events if enabled. The NXLog method from David could be more beneficial to trim to only what you need though.
Alex, does enabling the Windows events include the Applications & Services Logs? (Rapid7 support led me to believe it just brought in the Security events.)
It collects the Security, Application, and System logs, not Applications & Services and not any custom evtx paths.