How to Stream Data Collected by Immediate Insight to a 3rd Party System
The new streamUDP Data Routing Action can be used to stream a copy of selected data received by Immediate Insight over to 3rd party servers or another II server. This feature requires Immediate Insight app-2015-10-07 or newer.
In this example, we are interested in streaming out user logins to a specific NAS. However, the match can be any search filter that Immediate Insight supports. Data is being collected by the Immediate Insight collector on 10.253.6.36. StreamUDP is then used to copy selected events to 10.253.6.41. The steps below show how we configured this.
From DataFlow -> Data Routing screen, click + to create a new Data Route.
- Give the Data Route a name.
- Enter the Match criteria of events you wish to stream out.
- Enter Action 'streamUDP'
- Then click Edit Settings
Enter the IP address and UDP port of the remote II or other system that will receive the data.
On the remote server, the selected events appear. For Immediate Insight, you must have a UDP collector configured to match the port specified in the previous step (if you use port 3000, it is there by default). If you are sending to a 3rd party server, configure the streamUDP destination port to match the port number on which the 3rd party server expects to receive data (e.g. port 512 or other).
Only UDP is supported, to ensure minimal impact on performance. Incorrect destinations have little impact.
Note that events larger than the MTU are silently not copied, due to the standard UDP datagram size limitation. (This will typically not be an issue.)
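To confirm that a 3rd party host can receive the stream, a small UDP listener is enough. The following is an added example, not part of Immediate Insight or of the original article: the function names and sample events are constructed, and the size limit (MTU minus a 20-byte IPv4 header and an 8-byte UDP header) is an assumption about how the MTU restriction applies. It runs a loopback self-check that sends two events and skips one oversized event.

```python
import socket

IPV4_HEADER = 20  # bytes, IPv4 header without options
UDP_HEADER = 8    # bytes

def max_event_size(mtu=1500):
    """Largest UDP payload that fits in one unfragmented IPv4 packet."""
    return mtu - IPV4_HEADER - UDP_HEADER

def open_listener(host="127.0.0.1", port=0, timeout=2.0):
    """Bind a UDP socket; port 0 lets the OS pick a free port for the self-check."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(timeout)
    return sock

def receive_events(sock, expected):
    """Read up to `expected` datagrams, stopping early if the socket times out."""
    events = []
    try:
        while len(events) < expected:
            data, _sender = sock.recvfrom(65535)
            events.append(data)
    except socket.timeout:
        pass
    return events

def loopback_check(mtu=1500):
    """Send constructed events to a local listener; return (received, skipped)."""
    samples = [
        b"2015-10-07T12:00:00 nas01 login user=alice result=success",  # constructed
        b"2015-10-07T12:00:05 nas01 login user=bob result=failure",    # constructed
        b"X" * (max_event_size(mtu) + 1),                              # constructed, oversized
    ]
    listener = open_listener()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent, skipped = 0, 0
    try:
        for event in samples:
            if len(event) > max_event_size(mtu):  # stand-in for the silent skip
                skipped += 1
                continue
            sender.sendto(event, listener.getsockname())
            sent += 1
        return receive_events(listener, sent), skipped
    finally:
        sender.close()
        listener.close()

if __name__ == "__main__":
    received, skipped = loopback_check()
    print(f"received {len(received)} events, {skipped} over the size limit")
```

On the receiving host itself, call open_listener(host="0.0.0.0", port=3000) with the port configured in the streamUDP settings and pass the socket to receive_events; on Unix-like systems, binding a port below 1024 (such as 512) requires elevated privileges.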