Setup Chronicle Forwarder

  • Updated
Table of Contents:

This article describes the prerequisites and procedures required to download and install Chronicle Forwarder on your Linux machines.

A forwarder is used to send logs from the customer environment to the Chronicle instance. You can install the forwarder on a variety of Linux distributions, including Debian, Ubuntu, and Red Hat. Google Cloud provides the software using a Docker container. You can run and manage the Docker container on either a physical or virtual machine running Linux.

Logs are ingested as unstructured data into Chronicle, where it is parsed, indexed, and stored in UDM format. 

Note:  If the forwarder key is not available in the Resolution Intelligence Cloud, contact Google Chronicle Support.

System Requirements

  • RAM—1 GB for each collected data type. For example, endpoint detection and response (EDR), DNS, and DHCP are all separate data types. You need 3 GB of RAM to collect data for all three.
  • CPU—2 CPUs are sufficient to handle less than 10,000 events per second (EPS) (total for all data types). If you expect to forward more than 10,000 EPS, provision 4 to 6 CPUs.
  • Disk—100 MB of disk space is sufficient, regardless of how much data the Chronicle forwarder handles. If you need to buffer backlogged messages to disk as opposed to memory, see Disk Buffering. The Chronicle forwarder buffers to memory by default.

Download Chronicle Forwarder

  1. Login to Resolution Intelligence Cloud with your credentials.

  2. Click  the gear icon at the top (or) hover over  icon at the top left corner.

  3. In the bottom of the left menu, click Configurations.

  4. In the left menu, under Data Ingestion, click Forwarders.

  5. In the Forwarders page, click Download next to Linux.

Steps for installation

Once the forwarder is downloaded to your local drive, do the following steps:

  1. Create a config folder in the root

    # mkdir ~/config
  1.  Copy config file to the config folder in your local drive.

    ~/config

Install Docker Engine

Update the apt package index and install the latest version of Docker Engine and container, or go to the next step to install a specific version:

  • apt-get update
  • apt-get install docker.io

Run the forwarder within the Docker container

If you are upgrading, start by cleaning up any previous Docker runs.

  1. In the following example, if the name of the Docker container is cfps, then obtain the latest Docker image from Google Cloud with the # docker pull command below
    • docker stop cfps
    • docker rm cfps
  1. Obtain the latest Docker image from Google Cloud using
    • docker pull gcr.io/chronicle-container/cf_production_stable
  1. Start Chronicle forwarder from the Docker container using
    • docker run --detach --name cfps --restart=always --log-opt max-size=100m --log-opt max-file=10 --net=host -v ~/config:/opt/chronicle/external gcr.io/chronicle-container/cf_production_stable

Monitor and manage the forwarder

The following Docker commands help you monitor and manage Chronicle Forwarder:

  1. Check if the Docker container is running
    • docker ps
  1. Display the logs from the container. Note that this can generate a substantial volume of output but is useful for debugging.
    • docker logs cfps

Once the setup is complete, navigate to configurations and create detection rules  to generate signals in the Resolution Intelligence Cloud.

Related articles

Comments

0 comments

Please sign in to leave a comment.