This article describes the prerequisites and procedures required to download and install Chronicle Forwarder on your Linux machines.
A forwarder is used to send logs from the customer environment to the Chronicle instance. You can install the forwarder on a variety of Linux distributions, including Debian, Ubuntu, and Red Hat. Google Cloud provides the software using a Docker container. You can run and manage the Docker container on either a physical or virtual machine running Linux.
Logs are ingested into Chronicle as unstructured data, where they are parsed, indexed, and stored in UDM format.
Note: If the forwarder key is not available in the Resolution Intelligence Cloud, contact Google Chronicle Support.
System Requirements
- RAM—1 GB for each collected data type. For example, endpoint detection and response (EDR), DNS, and DHCP are all separate data types. You need 3 GB of RAM to collect data for all three.
- CPU—2 CPUs are sufficient to handle less than 10,000 events per second (EPS) (total for all data types). If you expect to forward more than 10,000 EPS, provision 4 to 6 CPUs.
- Disk—100 MB of disk space is sufficient, regardless of how much data the Chronicle forwarder handles. If you need to buffer backlogged messages to disk as opposed to memory, see Disk Buffering. The Chronicle forwarder buffers to memory by default.
Download Chronicle Forwarder
- Log in to Resolution Intelligence Cloud with your credentials.
- Click the gear icon at the top, or hover over the icon at the top left corner.
- At the bottom of the left menu, click Configurations.
- In the left menu, under Data Ingestion, click Forwarders.
- On the Forwarders page, click Download next to Linux.
Steps for installation
Once the forwarder is downloaded to your local drive, follow these steps:
- Create a config folder in your home directory:
# mkdir ~/config
- Copy the downloaded config file into that folder (~/config). The docker run command below mounts this folder into the container, so the forwarder only finds its configuration if the file is placed here.
Install Docker Engine
Update the apt package index and install the latest Docker Engine and container runtime (the docker.io package):
- apt-get update
- apt-get install docker.io
Run the forwarder within the Docker container
If you are upgrading, start by cleaning up any previous Docker runs. In the following example, the Docker container is named cfps.
- Stop and remove the existing container:
- docker stop cfps
- docker rm cfps
- Obtain the latest Docker image from Google Cloud:
- docker pull gcr.io/chronicle-container/cf_production_stable
- Start the Chronicle forwarder from the Docker container. The -v option mounts your ~/config folder at /opt/chronicle/external inside the container, where the forwarder reads its configuration, and --restart=always makes Docker restart the container if it exits or the host reboots:
- docker run --detach --name cfps --restart=always --log-opt max-size=100m --log-opt max-file=10 --net=host -v ~/config:/opt/chronicle/external gcr.io/chronicle-container/cf_production_stable
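The install and upgrade steps above, wrapped into one script as an added example that is not part of this article or of the Chronicle forwarder itself. It checks that the config folder actually contains a file before starting the container (otherwise the forwarder comes up with no configuration), and ignores the stop/rm failures that occur on a fresh host with no previous container. The function names, the DRY_RUN variable and the file-presence check are assumptions of this example; the container name cfps and ~/config are the article's values and are used as defaults.

```shell
#!/bin/sh
# Added example, not from the original article: install-or-upgrade helper for
# the Chronicle forwarder container. Assumes Docker Engine is installed and
# that the config file has been copied into the directory given as config dir.
set -eu

IMAGE="gcr.io/chronicle-container/cf_production_stable"

# Preflight: the container bind-mounts the config directory to
# /opt/chronicle/external, so a missing or empty directory means the forwarder
# starts without its configuration. Succeeds only if the directory exists and
# holds at least one regular file.
check_config_dir() {
    [ -d "$1" ] || { echo "config dir missing: $1" >&2; return 1; }
    for f in "$1"/*; do [ -f "$f" ] && return 0; done
    echo "config dir is empty: $1" >&2
    return 1
}

# The docker run line from the article, with container name ($1) and config
# directory ($2) parameterised. With DRY_RUN=1 the command is printed instead
# of executed so it can be reviewed before use.
start_forwarder() {
    set -- docker run --detach --name "$1" --restart=always \
        --log-opt max-size=100m --log-opt max-file=10 --net=host \
        -v "$2:/opt/chronicle/external" "$IMAGE"
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Full sequence: remove any previous container (stop/rm fail on a fresh host
# with no container, so that case is ignored), pull the latest image, start
# it, and confirm the container is actually running before reporting success.
install_forwarder() {
    name="${1:-cfps}"; cfg="${2:-$HOME/config}"
    check_config_dir "$cfg"
    docker stop "$name" 2>/dev/null || true
    docker rm "$name" 2>/dev/null || true
    docker pull "$IMAGE"
    start_forwarder "$name" "$cfg"
    docker ps --filter "name=^${name}$" --format '{{.Names}}' | grep -qx "$name"
}

# Usage: sh install_forwarder.sh --run [container-name] [config-dir]
if [ "${1:-}" = "--run" ]; then
    install_forwarder "${2:-}" "${3:-}"
fi
```

Run with DRY_RUN=1 first to see the exact docker run line that will be executed for your container name and config directory.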
Monitor and manage the forwarder
The following Docker commands help you monitor and manage Chronicle Forwarder:
- Check whether the Docker container is running:
- docker ps
- Display the logs from the container. Note that this can generate a substantial volume of output but is useful for debugging:
- docker logs cfps
Once the setup is complete, navigate to Configurations and create detection rules to generate signals in the Resolution Intelligence Cloud.