Setup Chronicle Forwarder

Learn from the following video on you setup forwarders to start ingesting on-premise data into Cloud.

Forwarder is used to send logs from the customer environment to the Chronicle instance. This is used when the customers want to send the logs directly to Chronicle, and do not wish to use the cloud buckets to ingest data, or the log type does not have native ingestion via 3rd party API. The forwarder can be used as a ready to deploy solution, instead of manually incorporating the ingestion API.

You can install the forwarder on a variety of Linux distributions including Debian, Ubuntu, and Red Hat. Google Cloud provides the software using a Docker container. You can run and manage the Docker container on either a physical or virtual machine running Linux.

Forwarders ingest the unstructured data into Chronicle where it is parsed, indexed, and stored in UDM format. In addition to UDM conversion, forwarders help you 

• run a Syslog server,
• provide passive network monitoring.

System Requirements

The following are general recommendations. For recommendations specific to your system, contact Chronicle Support.

• RAM—1 GB for each collected data type. For example, endpoint detection and response (EDR), DNS, and DHCP are all separate data types. You need 3 GB of RAM to collect data for all three.
• CPU—2 CPUs are sufficient to handle less than 10,000 events per second (EPS) (total for all data types). If you expect to forward more than 10,000 EPS, provision 4 to 6 CPUs.
• Disk—100 MB of disk space is sufficient, regardless of how much data the Chronicle forwarder handles. If you need to buffer backlogged messages to disk as opposed to memory, see Disk Buffering. The Chronicle forwarder buffers to memory by default.

Download Chronicle Forwarder

1. Navigate to Configurations --> Overview --> Agents & Fleet Management.
2. Under Forwarders, click Download next to Linux.

Steps for installation

1. Create a config folder in the root
   
   # mkdir ~/config

2. Reach Netenrich support for config file. Copy config file to the config folder
   
   ~/config

Install Docker Engine

Update the apt package index, and install the latest version of Docker Engine and container, or go to the next step to install a specific version:

• apt-get update
• apt-get install docker.io

Run the forwarder within the Docker container

If you are upgrading, start by cleaning up any previous Docker runs.

1. In the following example, the name of the Docker container is cfps, then obtain the latest Docker image from Google Cloud with the # docker pull command below

• • docker stop cfps
  • docker rm cfps

2. Obtain the latest Docker image from Google Cloud using

• • docker pull gcr.io/chronicle-container/cf_production_stable

3. Start Chronicle forwarder from the Docker container using

• • docker run --detach --name cfps --restart=always --log-opt max-size=100m --log-opt max-file=10 --net=host -v ~/config:/opt/chronicle/external gcr.io/chronicle-container/cf_production_stable

Monitor and manage the forwarder

The following Docker commands help you to monitor and manage Chronicle forwarder:

1. Check if the Docker container is running

• • docker ps

2. Display the logs from the container. Note that this can generate a substantial volume of output, but is useful for debugging:

• • docker logs cfps

Once the setup is completed, navigate to Chronicle CMS in Resolution Intelligence and create detection rules on top of Chronicle data to push the signals to Resolution Intelligence.

If the conditions defined in the rules are matched to any event from Chronicle data, signals will be generated in Resolution Intelligence. Resolution Intelligence correlation engine correlates the similar signals and generates a situation so that the successful generation of a situation from Chronicle data confirms the setup of Chronicle Forwarder and data feed.