Installation of Bindplane Agent (observIQ Distro for Open Telemetry Collector) on Windows DHCP Server
Download the Bindplane Agent (observIQ Distribution for OpenTelemetry Collector) MSI for Windows Server from the following URL.
URL: https://github.com/observIQ/bindplane-otel-collector/releases/latest
After downloading the MSI file, install the Bindplane Agent (observIQ Distribution for OpenTelemetry Collector) on the Windows Server.
Configuring Microsoft Windows LAPS
1. Type eventvwr.msc at an elevated command prompt and press ENTER to open Event Viewer.
2. In Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > LAPS > Operational.
3. Expand LAPS.
4. Right-click LAPS, and then click Properties.
5. Select the Enable logging checkbox and click OK when asked to confirm that the log is enabled.
6. Click OK.
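The same result can be scripted for many servers at once. The following is an added example, not part of the original article: it enables the Microsoft-Windows-LAPS/Operational channel programmatically (the counterpart of the Properties dialog above) and then confirms the channel is producing events, so there is something for the collector to pick up. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): scripted equivalent of the
# Event Viewer steps above, plus a check that LAPS events actually exist.
$channel = 'Microsoft-Windows-LAPS/Operational'

# EventLogConfiguration is the programmatic counterpart of the channel's Properties dialog.
$cfg = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $channel
if (-not $cfg.IsEnabled) {
    $cfg.IsEnabled = $true
    $cfg.SaveChanges()      # same effect as ticking "Enable logging" and clicking OK
}

# Verify: the channel must report IsEnabled, and RecordCount grows once LAPS has run a cycle.
$log = Get-WinEvent -ListLog $channel
"{0}: enabled={1} records={2} size={3} bytes" -f $log.LogName, $log.IsEnabled, $log.RecordCount, $log.FileSize

# Show the most recent LAPS events (first line of each message) to confirm data is flowing.
# An empty channel is not an error here; -ErrorAction hides the "No events were found" message.
Get-WinEvent -LogName $channel -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```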
Through Forwarder:
1. Before You Begin
Step 1: Verify the Firewall Configuration
a. To install the Bindplane Agent (observIQ Distro for OpenTelemetry Collector), the following requirements must be met:
- Windows 2012 or later
- Internet connectivity
b. In the firewall, the following custom port and protocol must be allowed from the servers to the Forwarder.
Custom Port: 21689
Protocol: TCP
c. In the firewall, the following hosts must be allowed from the Forwarder to Chronicle.
Connection Type | Destination | Port |
TCP | malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west12-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central1-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
TCP | northamerica-northeast2-malachiteingestion-pa.googleapis.com | 443 |
TCP | accounts.google.com | 443 |
TCP | oauth2.googleapis.com | 443 |
Step 2: Add the following collector to the Forwarder config file:

```yaml
- syslog:
    common:
      enabled: true
      data_type: MICROSOFT_LAPS
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:21689
    udp_address: 0.0.0.0:21689
```
2. Configuring the config.yaml file
Step 1. Before editing the .yaml file, stop the ‘observIQ Distro for OpenTelemetry Collector’ service in the Services panel.
Step 2. Next, open Command Prompt as Administrator, navigate to the directory where the Bindplane Agent is installed, and open the config.yaml file.
Step 3. When prompted for an application to open config.yaml, clear the "Always use this app to open .yaml files" option and open it in Notepad.
Step 4. Copy the configuration below and paste it into the config.yaml file.
```yaml
receivers:
  windowseventlog/laps_operational:
    channel: Microsoft-Windows-LAPS/Operational
    raw: true
    start_at: beginning
processors:
  batch:
exporters:
  chronicleforwarder/laps:
    export_type: syslog
    raw_log_field: body
    syslog:
      # Replace "Forwarder IP" with the IP address of the Forwarder (port 21689 from Step 1b).
      endpoint: Forwarder IP:21689
      transport: tcp
service:
  pipelines:
    logs/laps:
      receivers:
        - windowseventlog/laps_operational
      processors: [batch]
      exporters: [chronicleforwarder/laps]
```
Step 5. After saving the config.yaml file, start the ‘observIQ Distro for OpenTelemetry Collector’ service.
Step 6. Verify that the Windows LAPS logs are being ingested by the Forwarder and then into Chronicle.
Directly to Chronicle:
1. Before You Begin
Step 1: Verify the Firewall Configuration
a. To install the Bindplane Agent (observIQ Distro for OpenTelemetry Collector), the following requirements must be met:
- Windows 2012 or later
- Internet connectivity
- Google SecOps ingestion authentication file
- Google SecOps Customer ID
b. In the firewall, the following hosts must be allowed from the server to Chronicle.
Connection Type | Destination | Port |
TCP | malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west12-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central1-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
TCP | northamerica-northeast2-malachiteingestion-pa.googleapis.com | 443 |
TCP | accounts.google.com | 443 |
TCP | oauth2.googleapis.com | 443 |
Step 2: Collect the Google SecOps ingestion authentication file and Customer ID
a. Google SecOps ingestion authentication file: its contents populate the required fields of the creds section in the Bindplane configuration.
To download the authentication file, follow these steps:
- Open Google SecOps Chronicle.
- Go to SIEM Settings > Collection Agent.
- Download the Google SecOps ingestion authentication file.
b. Google SecOps Customer ID:
To find the Customer ID, follow these steps:
- Open Google SecOps Chronicle.
- Go to SIEM Settings > Profile.
- Copy the Customer ID from the Organization Details section.
2. Configuring the config.yaml file
Step 1. Before editing the .yaml file, stop the ‘observIQ Distro for OpenTelemetry Collector’ service in the Services panel.
Step 2. Next, open Command Prompt as Administrator, navigate to the directory where the Bindplane Agent is installed, and open the config.yaml file.
Step 3. When prompted for an application to open config.yaml, clear the "Always use this app to open .yaml files" option and open it in Notepad.
Step 4. Copy the configuration below and paste it into the config.yaml file.
```yaml
receivers:
  windowseventlog/laps_operational:
    channel: Microsoft-Windows-LAPS/Operational
    raw: true
    start_at: beginning
processors:
  batch:
exporters:
  chronicle/laps:
    # Chronicle ingestion endpoint (see the hosts table in Step 1b).
    endpoint: malachiteingestion-pa.googleapis.com
    # Replace the sample values below with the contents of the Google SecOps
    # ingestion authentication file (Step 2a). The JSON is kept in a single-quoted
    # YAML string so the \n sequences in private_key are passed through unchanged.
    creds: '{
      "type": "service_account",
      "project_id": "malachite-projectname",
      "private_key_id": "abcdefghijklmnopqrstuvwxyz123456789",
      "private_key": "-----BEGIN PRIVATE KEY-----\nhgjgkgkgkgkgkgkgfg78yhjkDGh\n-----END PRIVATE KEY-----\n",
      "client_email": "account@malachite-projectname.iam.gserviceaccount.com",
      "client_id": "123456789123456789",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/account%40malachite-projectname.iam.gserviceaccount.com",
      "universe_domain": "googleapis.com"
    }'
    log_type: 'MICROSOFT_LAPS'
    override_log_type: false
    raw_log_field: body
    # Replace the sample value with the Customer ID from SIEM Settings > Profile (Step 2b).
    customer_id: 'dddddddd-dddd-dddd-dddd-dddddddddddd'
service:
  pipelines:
    logs/laps:
      receivers:
        - windowseventlog/laps_operational
      processors: [batch]
      exporters: [chronicle/laps]
```
Step 5. Refer to Step 2 (a and b) in the ‘Before You Begin’ sub-section of the ‘Directly to Chronicle’ section.
Copy the contents of the Google SecOps ingestion authentication file and replace the sample values in the creds field of the exporter with them.
Step 6. Copy the Google SecOps Customer ID and paste it into the ‘customer_id’ field of the exporter.
Step 7. After saving the config.yaml file, start the ‘observIQ Distro for OpenTelemetry Collector’ service.
Step 8. Verify that the Microsoft Windows LAPS logs are being ingested into Chronicle.
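The verification steps above (Step 6 of the Forwarder path and Step 8 of the direct path) are easier when the usual failure points are checked in one pass: placeholders left in config.yaml, a stopped service, a blocked TCP path, or malformed creds JSON. The following is an added example, not code from the original article or the observIQ project; it assumes the agent's default install path shown in `$configPath` (adjust it if the agent was installed elsewhere) and detects which of the two exporter layouts is in use.

```powershell
# Added example (not from the original article): post-configuration checks for
# both the Forwarder and the direct-to-Chronicle config.yaml layouts.
$configPath = 'C:\Program Files\observIQ OpenTelemetry Collector\config.yaml'   # assumed default path
$cfg = Get-Content -Path $configPath -Raw

# 1. The collector service must be running (matched on the display name used in this article).
$svc = Get-Service | Where-Object { $_.DisplayName -like 'observIQ Distro for Open*Telemetry Collector*' }
"service: {0} ({1})" -f $svc.DisplayName, $svc.Status

# 2. Sample values left in the file are the most common reason nothing arrives.
if ($cfg -match 'Forwarder IP:21689') { Write-Warning 'syslog endpoint still contains the "Forwarder IP" placeholder' }
if ($cfg -match 'dddddddd-dddd-dddd-dddd-dddddddddddd') { Write-Warning 'customer_id still contains the sample value' }

# 3. Work out which exporter is configured and test the matching TCP path(s).
$targets = @()
if ($cfg -match 'chronicleforwarder/laps' -and $cfg -match 'endpoint:\s*([\w\.\-]+):(\d+)') {
    $targets += @{ Host = $Matches[1]; Port = [int]$Matches[2] }     # Forwarder on the custom port
}
if ($cfg -match '(?m)^\s*chronicle/laps:') {
    # Direct mode: the ingestion host named in config.yaml plus the OAuth endpoints from the hosts table.
    if ($cfg -match 'endpoint:\s*([\w\.\-]*malachiteingestion-pa\.googleapis\.com)') {
        $targets += @{ Host = $Matches[1]; Port = 443 }
    }
    $targets += @{ Host = 'oauth2.googleapis.com'; Port = 443 }
    $targets += @{ Host = 'accounts.google.com';   Port = 443 }
}
foreach ($t in $targets) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    "{0}:{1} reachable={2}" -f $t.Host, $t.Port, $r.TcpTestSucceeded
}

# 4. Direct mode only: the creds value must be valid service-account JSON, or the exporter cannot authenticate.
if ($cfg -match "creds:\s*'(\{[\s\S]*?\})'") {
    try {
        $sa = $Matches[1] | ConvertFrom-Json
        "creds: type={0} client_email={1}" -f $sa.type, $sa.client_email
    } catch {
        Write-Warning "creds is not valid JSON: $($_.Exception.Message)"
    }
}
```

A reachable endpoint with a running service but no data in Chronicle usually points back to the source channel itself, so confirm the LAPS Operational log is enabled and populated (see Configuring Microsoft Windows LAPS) before looking further.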