I am looking for some advice on monitoring for SQL events using InsightIDR. I already set up the SQL Server to allow IDR to get the events and I see them in the raw logs on IDR, but I am not sure what the proper format is for queries. It seems like everything I run returns no results, but I can see the data in the Log Search screen when I do not put anything in the query text box. Any help would be appreciated. Thanks!
Posted by Ron Gallimore about a month ago
Can I move event sources to a second collector to offload some work? I have a second collector just installed in a remote location and I want it to capture the events local to it. I do not see any way to transfer the resources over. I do not want to move all of them, just the international ones to the new collector. Will it screw up existing records? Any way to do it or do I need to delete them and then add to the new one?
Posted by Kerry LeBlanc about a month ago
Has anyone actually been able to do this? The documentation below is BEYOND terrible. Does not make Rapid7 look good as a SIEM, especially next to Splunk whose documentation is, you know, helpful. https://insightidr.help.rapid7.com/docs/splunk#section-data-source
Posted by Jeff Smithwick 3 months ago
I have a system called Squared Up that I use to interface with some other systems for dashboarding. I have been looking around trying to find a web API for Insight IDR but I haven't found one. Does this exist and, if not, can we get this added please? I'd like to be able to have a dashboard in my tool that displays alerts from SCOM and our Citrix NetScalers as well as display certain saved reports from IDR (AD/Exchange/Security related). This functionality would be fantastic. Otherwise, we will have an extra system to have to log into and sort through rather than being able to just use one. Thanks. Gary
Posted by Gary Jackson about a year ago
Hello, We are running a POC of InsightIDR and we are getting the following message (in bootstrap.log) when we try to activate a collector.

Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
INFO: RegistrationManager attempting to connect to the server: https://eu.data.insight.rapid7.com/api/1/collector/register
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger info
INFO: **** Agent key for this Collector is: 311aa03d-7c6f-446b-a015-c85a113b4ff8
Mar 16, 2018 9:10:55 AM com.rapid7.razor.collector.bootstrap.impl.JavaLogHelper$Logger error
SEVERE: Registration process failed with exception
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at java.net.URL.openStream(Unknown Source)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.registerWithServer(RegistrationManager.java:203)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.doRegister(RegistrationManager.java:108)
    at com.rapid7.razor.collector.bootstrap.impl.RegistrationManager.checkRegistration(RegistrationManager.java:72)
    at com.rapid7.razor.collector.bootstrap.impl.BootstrapProcess.call(BootstrapProcess.java:46)
    at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
    at java.util.concurrent.FutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

Wireshark gives me a
59 30.875484 my collector ip my proxy ip TLSv1.2 61 Alert (Level: Fatal, Description: Certificate Unknown)

We have allowed SSL pass-through and the server can get to the site. Any ideas?
Posted by Martin Austin about a year ago
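The "PKIX path building failed" line above is the JRE reporting that nothing in its truststore signs the certificate chain it was shown. As an added Go example (not from the post, and not Rapid7 code), this reproduces that failure class offline with constructed certificates: a leaf for the registration host re-signed by an assumed TLS-inspecting proxy CA fails verification against a trust pool that lacks that CA, and passes once the CA is added. The proxy-CA cause, the CA names and the trust-pool contents are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a certificate for cn (self-signed when parent is nil); names are constructed.
func newCert(cn string, dns []string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, DNSNames: dns,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// IsUnknownAuthority is Go's equivalent of the JRE's "PKIX path building failed": no trusted root signs the chain.
func IsUnknownAuthority(err error) bool {
	_, ok := err.(x509.UnknownAuthorityError)
	return ok
}

// Simulate verifies the chain an assumed inspecting proxy presents, before and after its CA is trusted.
func Simulate() (beforeTrust, afterTrust error) {
	const host = "eu.data.insight.rapid7.com" // registration host from the collector log
	publicCA, _ := newCert("Public Root CA (constructed)", nil, true, nil, nil)
	proxyCA, proxyKey := newCert("Corp TLS Inspection CA (constructed)", nil, true, nil, nil)
	leaf, _ := newCert(host, []string{host}, false, proxyCA, proxyKey) // proxy re-signs the server identity
	roots := x509.NewCertPool()
	roots.AddCert(publicCA) // stands in for a stock JRE cacerts: the proxy CA is absent
	_, beforeTrust = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	roots.AddCert(proxyCA) // equivalent of importing the proxy CA into cacerts with keytool
	_, afterTrust = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return beforeTrust, afterTrust
}
```

The two outcomes of Simulate mirror the collector before and after its JRE trusts the inspecting proxy's CA; exempting the registration host from inspection is the other assumed remedy, and neither is confirmed by the post.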
Has anyone tried to utilize the Exchange transport in Insight IDR with Exchange 2010? I know that the official stance is that it is not supported; however, I would like to know if anyone has tried it, if it worked, or if it blew up their Exchange 2010 server.
Posted by Jack Rider about a year ago