Before You Begin
Step 1:
Verify the Firewall Configuration
a. To install the Bindplane Agent (observIQ Distro for OpenTelemetry Collector), the following requirements must be met:
- Windows 2012 or later
- Internet connectivity
b. In the firewall, the following custom port and protocol must be allowed from the servers to the Forwarder.
Custom Port: 11517
Protocol: TCP
c. In the firewall, the following hosts must be allowed from the Forwarder to Chronicle.
Connection Type | Destination | Port |
TCP | malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-northeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-south1-malachiteingestion-pa.googleapis.com | 443 |
TCP | asia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | australia-southeast1-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west2-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west3-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west6-malachiteingestion-pa.googleapis.com | 443 |
TCP | europe-west12-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central1-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-central2-malachiteingestion-pa.googleapis.com | 443 |
TCP | me-west1-malachiteingestion-pa.googleapis.com | 443 |
TCP | northamerica-northeast2-malachiteingestion-pa.googleapis.com | 443 |
TCP | accounts.google.com | 443 |
TCP | oauth2.googleapis.com | 443 |
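As an added example (not part of the original page), the following PowerShell script checks the paths described in a. through c. from the machine it runs on: outbound TCP 443 to each Chronicle host in the table above, and TCP 11517 to the Forwarder. The Forwarder address is a placeholder parameter you replace; run it on the Forwarder to check the Chronicle hosts, and with -SkipChronicleHosts on a server or the WEC collector to check only the 11517 path.

```powershell
# Added example, not from the original page. Checks the firewall paths above with
# Test-NetConnection and reports every destination that does not complete a TCP handshake.
# Run on the Forwarder to check the Chronicle hosts, and on a server / WEC collector to
# check the path to the Forwarder on TCP 11517.
param(
    # Placeholder: replace with the address of your Chronicle Forwarder.
    [string]$ForwarderAddress = "forwarder.example.internal",
    # Set this when running on a server that only needs the 11517 path.
    [switch]$SkipChronicleHosts
)

# Destinations from the table above (all TCP 443).
$chronicleHosts = @(
    "malachiteingestion-pa.googleapis.com",
    "asia-northeast1-malachiteingestion-pa.googleapis.com",
    "asia-south1-malachiteingestion-pa.googleapis.com",
    "asia-southeast1-malachiteingestion-pa.googleapis.com",
    "australia-southeast1-malachiteingestion-pa.googleapis.com",
    "europe-malachiteingestion-pa.googleapis.com",
    "europe-west2-malachiteingestion-pa.googleapis.com",
    "europe-west3-malachiteingestion-pa.googleapis.com",
    "europe-west6-malachiteingestion-pa.googleapis.com",
    "europe-west12-malachiteingestion-pa.googleapis.com",
    "me-central1-malachiteingestion-pa.googleapis.com",
    "me-central2-malachiteingestion-pa.googleapis.com",
    "me-west1-malachiteingestion-pa.googleapis.com",
    "northamerica-northeast2-malachiteingestion-pa.googleapis.com",
    "accounts.google.com",
    "oauth2.googleapis.com"
)

function Test-TcpPath {
    param([string]$Destination, [int]$Port)
    # -WarningAction hides the built-in "TCP connect failed" warning; the result is reported below.
    $r = Test-NetConnection -ComputerName $Destination -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Destination = $Destination
        Port        = $Port
        ResolvedIp  = $r.RemoteAddress
        TcpOk       = $r.TcpTestSucceeded
    }
}

$results = @()
if (-not $SkipChronicleHosts) {
    $results += $chronicleHosts | ForEach-Object { Test-TcpPath -Destination $_ -Port 443 }
}
$results += Test-TcpPath -Destination $ForwarderAddress -Port 11517

$results | Format-Table -AutoSize
$failed = $results | Where-Object { -not $_.TcpOk }
if ($failed) {
    Write-Warning ("No TCP handshake to: " + ($failed.Destination -join ", ") +
                   ". Check the firewall rules in b. and c. before continuing.")
} else {
    Write-Host "All required paths are reachable."
}
```

A successful TCP handshake only proves the port is open; a TLS-inspecting proxy on the Chronicle path would still break ingestion, so if the handshake succeeds but the Forwarder reports TLS errors, check for interception on port 443.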
Step 2:
Add the following collector to the Forwarder config file:
- syslog:
    common:
      enabled: true
      data_type: WINEVTLOG
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:11517
    udp_address: 0.0.0.0:11517
Step 3:
Certificate Authority
Certificate Requirements
1. A server authentication certificate has to be installed on the Event Collector computer in the Personal store of the Local Machine. The subject of this certificate has to match the FQDN of the collector.
2. A client authentication certificate has to be installed on the Event Source computers in the Personal store of the Local Machine. The subject of this certificate has to match the FQDN of the computer.
3. If the client certificate has been issued by a different Certification Authority than the one of the Event Collector, then those Root and Intermediate certificates need to be installed on the Event Collector as well.
4. If the client certificate was issued by an Intermediate certification authority and the collector is running Windows 2012 or later, you will have to configure the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\ClientAuthTrustMode (DWORD) = 2
5. Verify that both the server and client are able to successfully check revocation status on all certificates. The certutil command can assist in troubleshooting any errors.
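As an added example (not from the original page), this PowerShell script checks requirements 1, 2 and 5 on the machine it runs on, and optionally requirement 3 on the collector. It looks in Cert:\LocalMachine\My for a certificate whose subject CN matches the host FQDN, that carries the EKU for the chosen role and has a private key, and then builds the chain with online revocation checking, which is the same check the page suggests doing with certutil. The -Role and -ClientIssuerThumbprint parameters are this example's own; the thumbprint is a placeholder you supply.

```powershell
# Added example, not from the original page. Checks requirements 1, 2 and 5 above:
# a certificate in Cert:\LocalMachine\My whose subject CN matches this host's FQDN, with the
# EKU for the chosen role, a private key, and a chain that passes revocation checking.
# -Role Server is for the Event Collector, -Role Client for an Event Source computer.
# -ClientIssuerThumbprint (collector only, optional) checks requirement 3: the CA that issued
# the client certificates must be present in the Trusted Root or Intermediate store.
param(
    [ValidateSet("Server", "Client")]
    [string]$Role = "Server",
    [string]$ClientIssuerThumbprint   # placeholder: thumbprint of the CA that issued client certificates
)

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
# Well-known EKU OIDs: 1.3.6.1.5.5.7.3.1 = Server Authentication, 1.3.6.1.5.5.7.3.2 = Client Authentication.
$ekuOid = if ($Role -eq "Server") { "1.3.6.1.5.5.7.3.1" } else { "1.3.6.1.5.5.7.3.2" }

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Fetch CRL/OCSP for every certificate in the chain, not just the leaf (requirement 5).
    $chain.ChainPolicy.RevocationMode = "Online"
    $chain.ChainPolicy.RevocationFlag = "EntireChain"
    $ok = $chain.Build($Certificate)
    [pscustomobject]@{
        Thumbprint  = $Certificate.Thumbprint
        Subject     = $Certificate.Subject
        Issuer      = $Certificate.Issuer
        NotAfter    = $Certificate.NotAfter
        ChainOk     = $ok
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ",")
    }
}

# Requirements 1 and 2: subject CN equals the FQDN, private key present, correct EKU.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -match ("CN=" + [regex]::Escape($fqdn) + "(,|$)") -and
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ekuOid)
}

if (-not $candidates) {
    Write-Warning "No $Role authentication certificate with a private key for $fqdn in Cert:\LocalMachine\My."
} else {
    $candidates | ForEach-Object { Test-CertificateChain -Certificate $_ } | Format-List
}

# Requirement 3 (collector): the client issuing CA must be in Root or Intermediate CAs.
if ($ClientIssuerThumbprint) {
    $issuer = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Where-Object { $_.Thumbprint -eq $ClientIssuerThumbprint }
    if ($issuer) { Write-Host "Client issuing CA found in: $($issuer.PSParentPath)" }
    else { Write-Warning "Client issuing CA $ClientIssuerThumbprint is not in the Root or Intermediate store (requirement 3)." }
}
```

A ChainOk of False with a ChainStatus of RevocationStatusUnknown or OfflineRevocation means the CRL or OCSP responder is not reachable from this host, which is exactly the condition requirement 5 asks you to rule out before proceeding.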
Configure certificate mapping on the Event Collector
1. Create a new local user.
2. Make this new user a local Administrator on the collector.
3. Create the certificate mapping using a certificate that is present in the “Trusted Root Certification Authorities” or “Intermediate Certification Authorities” of the machine.
winrm create winrm/config/service/certmapping?Issuer=<Thumbprint of the issuing CA certificate>+Subject=*+URI=* '@{UserName="<username>";Password="<password>"}' -remote:localhost
4. From a client, use the following command to test the listener and the certificate mapping:
winrm g winrm/config -r:https://<Event Collector FQDN>:5986 -a:certificate -certificate:"<Thumbprint of the client authentication certificate>"
This should return the WinRM configuration of the Event collector. Do not move past this step if the configuration is not displayed.
Setting up the WEC Collector
1. Set up a Windows Server and join it to the AD domain.
2. Once it is set up and you are logged in, open Windows Event Viewer.
3. Double-click Subscriptions. If you are opening Subscriptions for the first time, a dialog box opens; press Yes and Continue.
4. Open PowerShell as Administrator and run the following commands. The first two start WinRM and make it start automatically at boot. The remaining commands are recommended by Microsoft to maintain a stable and reliable connection to all computers in the domain over WinRM.
winrm quickconfig -quiet
Set-Service -Name WINRM -StartupType Automatic
netsh http delete urlacl url=http://+:5985/wsman/
netsh http add urlacl url=http://+:5985/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
netsh http delete urlacl url=https://+:5986/wsman/
netsh http add urlacl url=https://+:5986/wsman/ sddl=D:(A;;GX;;;S-1-5-80-569256582-2953403351-2909559716-1301513147-412116970)(A;;GX;;;S-1-5-80-4059739203-877974739-1245631912-527174227-2996563517)
5. Now go back to Windows Event Viewer, go to Subscriptions and create a new subscription.
6. Give the subscription a name and note it down somewhere.
7. Select ‘Source computer initiated’.
8. Now click ‘Select Computer Groups’ and select ‘Add Domain Computers’. In the dialog box, type the DC/endpoint names and press Check Names. If they exist and are joined to the AD domain, the names will be auto-completed. Press OK.
9. Now under Subscription Properties, click Select Events (select all the events you wish). In the same dialog box there is a drop-down menu where you select the types of event logs; press OK.
10. Now select Advanced in the subscription properties, select Minimize Latency, set Protocol to HTTPS and press OK.
- If you configure a subscription to use the HTTPS protocol by using the HTTPS option in Advanced Subscription Settings, you must also set corresponding Windows Firewall exceptions for port 443.
- Install a certificate for the server along with its private key. This can easily be done using an Enterprise CA in AD.
- The signing CA of the server certificate must be trusted by the forwarder computers.
- Make sure the permissions on the private key allow WinRM to access it.
- Create a firewall exception rule to allow data over port 5986.
The collector server is now ready to receive logs.
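As an added example (not from the original page), the following PowerShell script, run on the collector, confirms the pieces the steps above put in place: the WinRM and Windows Event Collector services running and set to start automatically, an HTTPS WinRM listener on 5986 bound to a certificate that exists with a private key in the Local Machine store, the URL reservation created by the netsh commands, and an enabled inbound firewall rule for TCP 5986. It reports each missing piece rather than stopping at the first one.

```powershell
# Added example, not from the original page. Run on the collector after the steps above to
# verify services, the HTTPS listener and its certificate, the URL reservation and the
# inbound firewall rule for TCP 5986. Every finding is collected and printed at the end.
$problems = New-Object System.Collections.Generic.List[string]

# 1. Services: WinRM and Wecsvc are the default Windows service names.
foreach ($name in "WinRM", "Wecsvc") {
    $svc = Get-Service -Name $name
    if ($svc.Status -ne "Running") { $problems.Add("$name is $($svc.Status), not Running") }
    # Win32_Service.StartMode works on Windows 2012 too, where Get-Service has no StartType.
    $mode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    if ($mode -ne "Auto") { $problems.Add("$name start mode is $mode, not Auto") }
}

# 2. HTTPS listener: the WSMan: drive exposes each listener as a container of Name/Value items.
$httpsListeners = Get-ChildItem WSMan:\localhost\Listener |
    Where-Object { $_.Keys -contains "Transport=HTTPS" }
if (-not $httpsListeners) {
    $problems.Add("no HTTPS WinRM listener is configured")
} else {
    foreach ($l in $httpsListeners) {
        $props = Get-ChildItem "WSMan:\localhost\Listener\$($l.Name)"
        $port  = ($props | Where-Object Name -eq "Port").Value
        $thumb = ($props | Where-Object Name -eq "CertificateThumbprint").Value
        if ($port -ne "5986") { $problems.Add("HTTPS listener $($l.Name) uses port $port, not 5986") }
        # The listener certificate must be the server certificate installed with its private key.
        $cert = Get-Item "Cert:\LocalMachine\My\$thumb" -ErrorAction SilentlyContinue
        if (-not $cert) { $problems.Add("listener certificate $thumb not found in LocalMachine\My") }
        elseif (-not $cert.HasPrivateKey) { $problems.Add("listener certificate $thumb has no private key") }
        elseif ($cert.NotAfter -lt (Get-Date)) { $problems.Add("listener certificate $thumb expired on $($cert.NotAfter)") }
    }
}

# 3. URL reservation created by the netsh commands above.
$urlacl = netsh http show urlacl url=https://+:5986/wsman/
if (-not ($urlacl -match "https://\+:5986/wsman/")) { $problems.Add("no URL reservation for https://+:5986/wsman/") }

# 4. An enabled inbound Allow rule for TCP 5986 (the "firewall exception" the notes above ask for).
$rule = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq "TCP" -and $_.LocalPort -contains "5986" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq "Inbound" -and $_.Enabled -eq "True" -and $_.Action -eq "Allow" }
if (-not $rule) { $problems.Add("no enabled inbound Allow firewall rule for TCP 5986") }

if ($problems.Count -eq 0) { Write-Host "Collector listener checks passed." }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

If the listener certificate check fails while a certificate for the FQDN does exist, the usual cause is that the listener was created before the certificate was issued; recreating the HTTPS listener with the current thumbprint resolves it.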
Updating the Group Policy
1. Now that the collector is set up, we need to create a Group Policy that lets the endpoints and servers in that domain push logs to the collector server.
2. Log in to the AD/DC machine and open Group Policy Management.
3. Expand Forest, then Domains, and select your particular domain; create a new GPO there. For example, I created it as WECTEST.
4. Right-click the newly created GPO and select Edit.
5. Under Computer Configuration, go to Policies and select Windows Settings --> Security Settings.
6. Right-click Restricted Groups and press Add Group.
7. In the dialog box, press Browse, enter Event Log Readers in the object names field and press OK.
8. Double-click the newly created Event Log Readers group, which opens the properties for that group. Click Add and, in the Add Member dialog box, type “NT AUTHORITY\Network Service”.
9. Now click System Services, which is right under Restricted Groups. Find Windows Remote Management, double-click to define it, select Automatic and press OK.
10. Next navigate to Administrative Templates, select Windows Components --> Event Forwarding and double-click Configure Forwarder Resource Usage. Press Enabled and under Options select 1000.
Note: This value is usually scaled from deployment to deployment.
11. Next click Configure Target Subscription Manager, press Enabled and under options select Show.
A dialog box will appear in which we have to give value that is pointing to the collector.
syntax:
Server=https://<your collector server address>:5985/wsman/SubscriptionManager/WEC,Refresh=120,IssuerCA=<Thumbprint of the issuing CA certificate>
Now press Apply and OK.
12. Next go to Event Log Service, then Security, double-click Configure log access, press Enabled and paste the following ACL into the dialog box:
ACL: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-20)
13. Now right click the new Group Policy created and press Enforced.
14. Next head over to the collector machine and check our subscription that we have created.
15. Now under Windows logs, go to Forwarded Events and check if you are receiving events.
If events appear, the GPO was applied successfully and Windows Event Forwarding is working.
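As an added example (not from the original page), this PowerShell script verifies the policy and subscription from the steps above from both sides. With -Mode Source, run on a domain member that should be forwarding, it reads the registry values the GPO writes, decodes the log-access ACL with ConvertFrom-SddlString, and confirms NETWORK SERVICE (S-1-5-20) can read the Security log and is in Event Log Readers. With -Mode Collector, run on the WEC server, it queries the subscription's runtime status with wecutil and shows the newest entries in the ForwardedEvents log. The -Mode and -SubscriptionName parameters are this example's own; the subscription name is a placeholder you replace with the name noted in step 6 of the collector setup.

```powershell
# Added example, not from the original page. Verifies the Group Policy (Source mode) and the
# subscription (Collector mode) described in the steps above.
param(
    [ValidateSet("Source", "Collector")]
    [string]$Mode = "Source",
    [string]$SubscriptionName = "<your subscription name>"   # placeholder, used in Collector mode
)

$policyRoot = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog"

if ($Mode -eq "Source") {
    # "Configure Target Subscription Manager" writes numbered string values under SubscriptionManager.
    $mgr = Get-ItemProperty "$policyRoot\EventForwarding\SubscriptionManager" -ErrorAction SilentlyContinue
    if (-not $mgr) { Write-Warning "Subscription manager policy not applied (run gpupdate /force and retry)." }
    else {
        $mgr.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { Write-Host "SubscriptionManager[$($_.Name)] = $($_.Value)" }
    }

    # "Configure log access" writes ChannelAccess under the Security key; decode the SDDL so the
    # grants are readable, and make sure the NETWORK SERVICE ACE from step 12 is present.
    $sddl = (Get-ItemProperty "$policyRoot\Security" -ErrorAction SilentlyContinue).ChannelAccess
    if (-not $sddl) { Write-Warning "No ChannelAccess policy for the Security log." }
    else {
        $acl = ConvertFrom-SddlString -Sddl $sddl
        $acl.DiscretionaryAcl | ForEach-Object { Write-Host "ACE: $_" }
        if ($sddl -notmatch 'S-1-5-20\)') { Write-Warning "NETWORK SERVICE (S-1-5-20) is not granted access to the Security log." }
    }

    # The effective channel ACL as the event log service currently applies it.
    $effective = wevtutil gl Security | Where-Object { $_ -match '^channelAccess:' }
    Write-Host $effective

    # Restricted Groups (step 8) should have added NETWORK SERVICE to Event Log Readers.
    $member = Get-LocalGroupMember -Group "Event Log Readers" -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -eq "S-1-5-20" }
    if ($member) { Write-Host "NETWORK SERVICE is a member of Event Log Readers." }
    else { Write-Warning "NETWORK SERVICE is not in Event Log Readers." }
}
else {
    # Runtime status of every source computer in the subscription (Active, Inactive, Trying, ...).
    wecutil gr $SubscriptionName

    # Newest forwarded events, with the source computer each one came from.
    Get-WinEvent -LogName ForwardedEvents -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Id, ProviderName | Format-Table -AutoSize
}
```

A source that shows as Trying in the wecutil output but never becomes Active is usually a certificate problem on the source side: the client certificate check from the Certificate Requirements section above is the first thing to rerun there.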
Installing Bindplane Agent on WEC Collector
Download the Bindplane Agent (observIQ Distribution for OpenTelemetry Collector) MSI file for Windows Server from the following URL.
URL: https://github.com/observIQ/bindplane-otel-collector/releases/latest
After downloading the MSI file, install the Bindplane Agent (observIQ Distribution for OpenTelemetry Collector) on the Windows Server.
Configuring config.yaml file
Step 1. Before configuring the .yaml file, stop the ‘observIQ Distro for OpenTelemetry Collector’ service in the Services panel.
Step 2. Next, open Command Prompt as Administrator, navigate to the directory where the Bindplane Agent is installed, and open the config.yaml file.
Step 3. When opening the config.yaml file, uncheck the ‘Always use this app to open .yaml files’ option and then open it in Notepad.
Step 4. Now copy the configuration below and paste it into the config.yaml file.
receivers:
  windowseventlog/source0__forwardedevents:
    attributes:
      log_type: windows_event.forwardedevents
    channel: forwardedevents
    max_reads: 100
    poll_interval: 5s
    raw: true
    start_at: end
processors:
  batch:
exporters:
  chronicleforwarder/wec:
    export_type: syslog
    raw_log_field: body
    syslog:
      endpoint: <Forwarder IP>:11517
      transport: tcp
service:
  pipelines:
    logs/wec:
      receivers:
        - windowseventlog/source0__forwardedevents
      processors: [batch]
      exporters: [chronicleforwarder/wec]
Now, verify that the Windows Event Logs are being ingested into Chronicle.
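As an added example (not from the original page and not the agent's own tooling), the following PowerShell script completes Step 4 in a repeatable way: it stops the agent service, backs up config.yaml, replaces the Forwarder IP placeholder in the syslog endpoint with the real address, confirms the Forwarder accepts TCP 11517, restarts the service and shows the newest agent log lines. The install directory and log file path are assumptions based on a default install and are parameters you can override; the service is located by the display name given in Step 1.

```powershell
# Added example, not from the original page. Applies the config.yaml edit from Step 4 and
# restarts the agent. InstallDir and the log path are assumed defaults; override if different.
param(
    [Parameter(Mandatory = $true)]
    [string]$ForwarderAddress,   # placeholder: your Chronicle Forwarder address, e.g. 10.0.0.5
    [string]$InstallDir = "C:\Program Files\observIQ OpenTelemetry Collector",   # assumed default
    [string]$ServiceDisplayName = "observIQ Distro for OpenTelemetry Collector"  # from Step 1
)

$configPath = Join-Path $InstallDir "config.yaml"
$logPath    = Join-Path $InstallDir "log\collector.log"   # assumed default log location
if (-not (Test-Path $configPath)) { throw "config.yaml not found at $configPath" }
$svc = Get-Service -DisplayName $ServiceDisplayName

# Step 1 equivalent: stop the service before editing its configuration.
if ($svc.Status -eq "Running") {
    Stop-Service -InputObject $svc -Force
    $svc.WaitForStatus("Stopped", "00:00:30")
}

# Keep a timestamped backup so a bad edit can be rolled back.
Copy-Item $configPath ("{0}.{1:yyyyMMddHHmmss}.bak" -f $configPath, (Get-Date))

# Replace the placeholder endpoint (written as "Forwarder IP:11517" or "<Forwarder IP>:11517").
$config = Get-Content $configPath -Raw
if ($config -match '<?Forwarder IP>?:11517') {
    $config = $config -replace '<?Forwarder IP>?:11517', "${ForwarderAddress}:11517"
    # WriteAllText writes UTF-8 without a byte-order mark, which is safest for YAML parsers.
    [System.IO.File]::WriteAllText($configPath, $config)
    Write-Host "Replaced placeholder with ${ForwarderAddress}:11517"
} elseif ($config -notmatch [regex]::Escape("${ForwarderAddress}:11517")) {
    Write-Warning "config.yaml contains neither the placeholder nor ${ForwarderAddress}:11517; check the syslog endpoint."
}

# The exporter uses a plain TCP syslog connection, so the Forwarder must already be listening.
$probe = Test-NetConnection -ComputerName $ForwarderAddress -Port 11517 -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    Write-Warning "Forwarder $ForwarderAddress is not accepting TCP 11517; the export pipeline will fail until it does."
}

Start-Service -InputObject $svc
$svc.WaitForStatus("Running", "00:00:30")
Write-Host "$ServiceDisplayName is $((Get-Service -DisplayName $ServiceDisplayName).Status)"

# Review the newest log lines for receiver or exporter errors after the restart.
if (Test-Path $logPath) { Get-Content $logPath -Tail 20 }
```

Because the exporter sends raw event bodies over unencrypted TCP, keep the Forwarder on the same trusted network segment as the collector and restrict the 11517 rule from Step 1 to the collector's address rather than any source.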