This article covers how to set up a collector server that receives logs from all endpoints and servers in the domain via Windows Event Forwarding, and how to install NXLog on that collector to ship the collected logs to the Chronicle forwarder.
Prerequisites
- Windows AD Environment
- One Windows Server, joined to the AD domain, to act as the collector.
- Endpoint devices.
Setting up the collector
- Set up a Windows server and join it to the AD domain.
- Once it is set up and you are logged in, open Windows Event Viewer.
- Double-click Subscriptions. If you are opening Subscriptions for the first time, a dialog box opens; press Yes and Continue.
- Open PowerShell as admin and run the following commands. The first two start WinRM and make it start automatically at boot. The netsh commands are recommended by Microsoft to maintain a stable and reliable WinRM connection to all computers in the domain (each netsh add command is a single line; the sddl value is an argument of that command).
Commands:
winrm quickconfig -quiet
Set-Service -Name WINRM -StartupType Automatic
netsh http delete urlacl url=http://+:5985/wsman/
netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
netsh http delete urlacl url=https://+:5986/wsman/
netsh http add urlacl url=https://+:5986/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
- Now let's go back to Windows Event Viewer, go to Subscriptions and create a new subscription.
- Give the subscription a name and note it down somewhere.
- In the same dialog box there are two methods by which the collector gathers logs: Collector Initiated, where the collector server contacts the endpoints and pulls their logs (this does not scale well), and Source Initiated, where the source computers contact the collector and push their logs.
- For medium to small deployments, Source Initiated is preferable.
- Now click Computer Groups and select Add Domain Computers. Type the DC/endpoint names in the dialog box and press Check Names. If they exist and are joined to the AD, the names are auto-completed. Press OK.
- Now under Subscription Properties, click Select Events, (select all the events as you wish) and in the same dialog box, there is a drop-down menu where you select the types of event logs and press OK.
- Now select Advanced in the subscription properties and select Minimize Latency and press OK.
- The collector server is now ready to receive logs.
Updating the Group Policy
- Now that the collector is set up, we need to create a group policy that lets the endpoints and servers in the domain push their logs to the collector server.
- Log in to the AD/DC machine and open Group Policy Management.
- Expand the Forest, then Domains, and select your particular domain. Create a new GPO in that domain; for example, I created it as WECTEST.
- Right-click the newly created GPO and select Edit.
- Under Computer Management, go to Policies, select Windows Settings --> Security Settings.
- Right-click Restricted Groups and press Add Group.
- In the dialog box, press Browse, enter Event Log Readers in the object names field, and press OK.
- Double-click the newly added Event Log Readers group to open its properties. Click Add and, in the add member dialog box, type “NT AUTHORITY\Network Service”.
- Now click on system services which is right under the Restricted Groups. Find Windows Remote Management and double click to define it and select Automatic and press OK.
- Next navigate to Administrative Templates, select Windows Components --> Event Forwarding and double click Configure Forwarder Resource Usage. Press Enable and under options select 1000.
Note: This value is usually scaled from deployment to deployment.
- Next, click Configure Target Subscription Manager, press Enabled and under Options select Show.
A dialog box appears in which we give the value that points to the collector:
Server=http://<your collector server address>:5985/wsman/SubscriptionManager/WEC,Refresh=120
Now press Apply and OK.
- Next go to the Event log service, then Security, double click Configure log access, press Enabled and paste the following ACL in the dialog box ACL-- O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20).
- Now right click the new Group Policy created and press Enforce.
- Next head over to the collector machine and check our subscription that we have created.
- Now under Windows logs, go to Forwarded Events and check if you are receiving events.
- The GPO has been applied successfully and we can see that Windows Event Forwarding is working, so we now install NXLog on the collector machine and route the logs to the forwarder.
Installing NX Log
- Install NXLog. Follow the NXLog documentation.
- First, download the NXLog MSI file from the NXLog website.
- Log in to your account, then click My account at the top of the page.
- Under the Downloads > NXLog Enterprise Edition files tab, choose the correct package for your system.
- Once the file is downloaded, follow the below steps.
- Right-click the MSI file and click Install.
- Click Next.
- Accept the terms of the license agreement and click Next.
- In this step, keep the default installation path or choose a custom path for NXLog, then click Next.
- Click Install.
- Click Finish.
- Go to the NXLog installation path and open the config file.
Eg: C:\Program Files\nxlog\conf (default installation path)
- Create the NXLog configuration file below. It uses the im_msvistalog input module to read the Windows event log channels and the om_tcp output module to send the events. Replace the <hostname> and <port> values with the address and port of the central Windows or Linux server running the Chronicle forwarder. See the NXLog documentation for information about the om_tcp module.
Panic Soft
#NoFreeOnExit TRUE
define ROOT C:\Program Files\nxlog
# Chronicle forwarder address and TCP port (replace the <hostname> and <port> placeholders)
define WINEVTLOG_OUTPUT_DESTINATION_ADDRESS <hostname>
define WINEVTLOG_OUTPUT_DESTINATION_PORT <port>
define CERTDIR %ROOT%\cert
define CONFDIR %ROOT%\conf\nxlog.d
define LOGDIR %ROOT%\data
include %CONFDIR%\\*.conf
define LOGFILE %LOGDIR%\nxlog.log
LogFile %LOGFILE%
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data

<Extension _json>
    Module xm_json
</Extension>

# Read the collector's own Application, System and Security channels plus the
# ForwardedEvents channel, which is where the endpoint events delivered by the WEF
# subscription land. The ForwardedEvents Select is added here for the collector role;
# without it only the collector's local events would reach Chronicle.
<Input windows_security_eventlog>
    Module im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Application">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Security">*</Select>
                <Select Path="ForwardedEvents">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # With both set to False, NXLog reads every channel from the beginning and does not
    # remember its position, so a service restart re-sends old events (duplicates in
    # Chronicle). Set SavePos True once the initial backfill is done to avoid this.
    ReadFromLast False
    SavePos False
</Input>

# Send each event as one JSON record over TCP. integer() on a datetime field gives
# microseconds since the epoch; dividing by 1000 yields the milliseconds Chronicle expects.
<Output out_chronicle_windevents>
    Module om_tcp
    Host %WINEVTLOG_OUTPUT_DESTINATION_ADDRESS%
    Port %WINEVTLOG_OUTPUT_DESTINATION_PORT%
    Exec $EventTime = integer($EventTime) / 1000;
    Exec $EventReceivedTime = integer($EventReceivedTime) / 1000;
    Exec to_json();
</Output>

<Route r2>
    Path windows_security_eventlog => out_chronicle_windevents
</Route>

<Extension _syslog>
    Module xm_syslog
</Extension>

<Extension _charconv>
    Module xm_charconv
    AutodetectCharsets iso8859-2, utf-8, utf-16, utf-32
</Extension>

<Extension _exec>
    Module xm_exec
</Extension>

<Extension _fileop>
    Module xm_fileop

    # Check the size of our log file hourly, rotate if larger than 5MB
    <Schedule>
        Every 1 hour
        Exec if (file_exists('%LOGFILE%') and \
                 (file_size('%LOGFILE%') >= 5M)) \
                 file_cycle('%LOGFILE%', 8);
    </Schedule>

    # Rotate our log file every week on Sunday at midnight
    <Schedule>
        When @weekly
        Exec if file_exists('%LOGFILE%') file_cycle('%LOGFILE%', 8);
    </Schedule>
</Extension>

# Snare compatible example configuration (kept commented out; not used by route r2)
# Collecting event log
# <Input in>
#     Module im_msvistalog
# </Input>
#
# Converting events to Snare format and sending them out over TCP syslog
# <Output out>
#     Module om_tcp
#     Host 192.168.1.1
#     Port 514
#     Exec to_syslog_snare();
# </Output>
#
# Connect input 'in' to output 'out'
# <Route 1>
#     Path in => out
# </Route>
- Now start the NXLog service.
At this point the forwarder will be receiving the logs.
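As an added example (not code from the article, NXLog or Chronicle), the following PowerShell script checks the pieces set up above in one pass: the WinRM service and subscription runtime status behind the Forwarded Events check, which sources have stopped delivering events, and the NXLog service, its TCP path to the forwarder and recent errors in its log file. The subscription name, forwarder host and port are placeholders to replace with this deployment's values.

```powershell
# Added health check for the WEF + NXLog collector built in this article (not code from
# the article, NXLog or Chronicle). Run in an elevated PowerShell on the collector.
param(
    [string]$SubscriptionName = 'WEC-Subscription',                   # placeholder
    [string]$ForwarderHost    = 'chronicle-forwarder.example.local',  # placeholder (<hostname>)
    [int]   $ForwarderPort    = 10514,                                # placeholder (<port>)
    [int]   $QuietMinutes     = 60
)

# 1. Source-initiated forwarding only works if WinRM is listening on the collector.
$winrm = Get-Service -Name WinRM
"WinRM service: $($winrm.Status), startup type: $($winrm.StartType)"

# 2. Runtime status of the subscription: each registered source and its last heartbeat.
wecutil gr $SubscriptionName

# 3. Detect sources that have gone quiet: machines seen in ForwardedEvents during the
#    last week but with nothing in the last $QuietMinutes minutes. MaxEvents bounds the
#    scan so it stays cheap on a busy collector (newest events are returned first).
$now    = Get-Date
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $now.AddMinutes(-$QuietMinutes) } `
            -MaxEvents 50000 -ErrorAction SilentlyContinue
$week   = Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; StartTime = $now.AddDays(-7) } `
            -MaxEvents 50000 -ErrorAction SilentlyContinue
$active = @($recent | Select-Object -ExpandProperty MachineName -Unique)
$known  = @($week   | Select-Object -ExpandProperty MachineName -Unique)

"Events per source in the last $QuietMinutes minutes:"
$recent | Group-Object MachineName | Sort-Object Count -Descending |
    Format-Table @{ n = 'Source'; e = { $_.Name } }, Count -AutoSize

$silent = $known | Where-Object { $_ -notin $active }
if ($silent) { "No events in the last $QuietMinutes min from: $($silent -join ', ')" }
else         { "All $($known.Count) known sources delivered events recently." }

# 4. NXLog side: service state, TCP reachability of the forwarder and recent errors in
#    the log file defined by LogFile in nxlog.conf (default path from the article).
$nx = Get-Service -Name nxlog -ErrorAction SilentlyContinue
"nxlog service: $(if ($nx) { $nx.Status } else { 'not installed' })"
$tcp = Test-NetConnection -ComputerName $ForwarderHost -Port $ForwarderPort -WarningAction SilentlyContinue
"TCP ${ForwarderHost}:${ForwarderPort} reachable: $($tcp.TcpTestSucceeded)"
$nxLog = 'C:\Program Files\nxlog\data\nxlog.log'
if (Test-Path $nxLog) {
    Get-Content $nxLog -Tail 200 | Select-String 'ERROR|WARNING' | Select-Object -Last 10
}
```

A source listed by wecutil but missing from the per-source table usually points at WinRM, the Event Log Readers membership or the channel ACL on that endpoint rather than at NXLog.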
Sample Logs
The following is an example of the logs Windows sends to Chronicle (one event, wrapped for readability).
<13>Jul 13 13:05:34 DEVICE-01 AgentDevice=WindowsLog AgentLogFile=Security
PluginVersion=7.3.1.22 Source=Microsoft-Windows-Security-Auditing Computer=DEVICE-01.contoso.local
OriginatingComputer=192.168.1.1 User= Domain= EventID=4672 EventIDCode=4672 EventType=8
EventCategory=12548 RecordNumber=71986462 TimeGenerated=1689267932 TimeWritten=1689267932
Level=Log Always Keywords=Audit Success
Task=SE_ADT_LOGON_SPECIALLOGON Opcode=Info Message=Special privileges assigned to new logon.
Subject: Security ID: NT AUTHORITY\SYSTEM Account Name: DEVICE-01$
Account Domain: contoso Logon ID: 0x9428C28 Privileges: SeSecurityPrivilege
SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeDebugPrivilege
SeSystemEnvironmentPrivilege SeLoadDriverPrivilege SeImpersonatePrivilege
SeDelegateSessionUserImpersonatePrivilege SeEnableDelegationPrivilege