Log Streaming to Rapid7 InsightIDR
The Log Streaming service allows enriched logs from the USS platform to be streamed to external services such as SIEM solutions, analytics platforms and SoC services. To request access to the Log Streaming service, please contact your service provider.
- Log in to Insight IDR
- Navigate to Data Collection -> Collectors and click Get Started
- Follow the instructions to download and configure the desired collector in your environment e.g. local network, public cloud.
- Important: make a note of the Activation Token provided during installation
- Ensure that inbound connections on TCP port 23000 are allowed (e.g. from the public Internet)
- Navigate to Data Collection -> Collectors and click Activate Collector
- Enter a name for the collector and paste in the key obtained in Step 4
- Wait for the collector to activate. If the collector fails to activate then consult the troubleshooting documentation from Rapid7 InsightIDR (it is likely to be a local firewall or proxy issue)
- Navigate to the Event Sources tab and click Add Event Source. Scroll down to the Raw Data section and click Custom Logs
- Complete the form ensuring you select the connector you activated, the timezone and collection method Listen on Network Port
- In the network details section specify port 23000 and TCP protocol
- Click Save
- Select the Event Sources tab and confirm that a new Event Source has been created and is running
- Send the public Fully Qualified Domain Name (FQDN) of the collector to your Service Provider. This cannot be an IP address
- Wait for confirmation from your service provider that the log stream has been configured
- Navigate to Log Search and select the Log Source as the Event Source you created in Step 15. Click Run
- The log stream is now set up and you can continue to query the data in Rapid7 InsightIDR.