Installing and configuring the forwarder on Windows

This document describes how to install and configure the forwarder on Microsoft Windows.

Customize the configuration files

Based on the information you submitted prior to deployment, Google Cloud provides you with an executable file and an optional configuration file for the forwarder. The executable file should only be run on the host it was configured for. Each executable file includes configuration specific to the forwarder instance on your network. If you need to alter the configuration, please contact Chronicle Support.

System requirements

The following are general recommendations. For recommendations specific to your system, contact Chronicle Support.

  • Windows Server Version—The Chronicle forwarder is supported on the following versions of Microsoft Windows Server:

    • 2008 R2
    • 2012 R2
    • 2016
  • RAM—1.5 GB for each collected data type. For example, endpoint detection and response (EDR), DNS, and DHCP are all separate data types. You would need 4.5 GB of RAM to collect data for all three.

  • CPU—2 CPUs are sufficient to handle less than 10,000 events per second (EPS) (total for all data types). If you expect to forward more than 10,000 EPS, 4 to 6 CPUs are necessary.

  • Disk—100 MB of disk space is sufficient, regardless of how much data Chronicle forwarder handles. Chronicle forwarder does not buffer to disk.

Verify the firewall configuration

If you have firewalls or authenticated proxies in between the forwarder container and the Internet, they require rules to allow access to the following Google Cloud hosts:

Connection Type Destinatio Port
TCP 443
TCP 443

You can check network connectivity to Google Cloud using the following steps:

  1. Start Windows PowerShell with Administrator privileges (Windows -> right click Windows PowerShell and select Run as Administrator).

  2. Issue the following command. TcpTestSucceeded should return as True.

    C:\> test-netconnection <host> -port <port>

    For example:

    C:\> test-net connection -port 443
    ComputerName     :
    RemoteAddress    :
    RemotePort       : 443
    InterfaceAlias   : Ethernet
    SourceAddress    :
    TcpTestSucceeded : True</font>

You can also use the forwarder to check network connectivity:

  1. Start Command Prompt with Administrator privileges (Windows -> right click Command Prompt and select Run as administrator).
  2. To verify network connectivity, run the forwarder with the -test option.

    C:\> .\chronicle_forwarder.exe -test
    Verify network connection succeeded!

Install the forwarder on Windows

On Windows, the forwarder executable needs to be installed as a service.

  1. Copy the chronicle_forwarder.exe file and the configuration file to a working directory.

  2. Start Command Prompt with Administrator privileges (Windows -> right click Command Prompt and select Run as administrator).

  3. To install the service, navigate to the working directory you created in step 1 and issue the following command:

    C:\> .\chronicle_forwarder.exe -install -config <configFileProvidedToYou>
    The service is installed to C:\Windows\system32\ChronicleForwarder
  4. To start the service, issue the following command:

    C:\> sc start chronicle_forwarder

Verify the forwarder is running

The forwarder should have a network connection open on port 443 and your data should be displayed in the Chronicle web interface within minutes.

You can verify that the forwarder is running using any of the following methods:

  • Task Manager—Navigate to the Processes tab. Under Background processes, chronicle_forwarder should be listed.

  • Resources Monitor—On the Network tab, the chronicle_forwarder.exe application should be listed under Network Activity (whenever the chronicle_forwarder.exe application connects to Google Cloud), under TCP Connections, and under Listening Ports.

  • Chronicle forwarder log files—Navigate to the C:\Windows\Temp folder. The Chronicle forwarder log files are stored here. The log files all begin with Open the most recent log file in a text editor. It provides a variety of information, including when Chronicle forwarder was started and when it began sending data to Google Cloud.

Uninstall the forwarder

To uninstall the forwarder service, complete the following steps:

  1. Open Command Prompt in Administrator mode.

  2. Stop the Chronicle forwarder service:

    C:\> sc stop chronicle_forwarder
    SERVICE_NAME: chronicle_forwarder
    TYPE               : 10  WIN32_OWN_PROCESS
    WIN32_EXIT_CODE    : 0  (0x0)
    SERVICE_EXIT_CODE  : 0  (0x0)
    CHECKPOINT         : 0x0
    WAIT_HINT          : 0x0
  3. Navigate to the C:\Windows\system32\ChronicleForwarder directory and uninstall the Chronicle forwarder service: C:\> .\chronicle_forwarder.exe -uninstall

Upgrade the forwarder

To upgrade the forwarder while continuing to use your current configuration file, complete the following steps:

  1. Open Command Prompt in Administrator mode.

  2. Copy your configuration file from the C:\Windows\system32\ChronicleForwarder directory to another directory.

  3. Stop the Chronicle forwarder:

    C:\> sc stop chronicle_forwarder

  4. Uninstall the Chronicle forwarder service and application:

    C:\> .\chronicle_forwarder.exe --uninstall

  5. Delete all of the files in the C:\windows\system32\ChronicleForwarder directory.

  6. Copy the new chronicle_forwarder.exe application and the original configuration file to a working directory.

  7. From the working directory, issue the following command:

    C:\> .\chronicle_forwarder.exe -install -config configFileProvidedToYou

  8. Start the service:

    C:\ sc start chronicle_forwarder

Collect Splunk data

Contact Chronicle Support to update your Chronicle forwarder configuration file to forward your Splunk data to Google Cloud.

Collect syslog data

The Chronicle forwarder can operate as a Syslog server, meaning you can configure any appliance or server that supports sending syslog data over a TCP or UDP connection to forward their data to the Chronicle forwarder. You can control exactly what data the appliance or server sends to the Chronicle forwarder which can then forward the data to Google Cloud.

The Chronicle forwarder configuration file specifies which ports to monitor for each type of forwarded data (for example, port 10514). By default, the Chronicle forwarder accepts both TCP and UDP connections. Contact Chronicle Support to update your Chronicle forwarder configuration file to support syslog.

Toggle data compression

Log compression reduces network bandwidth consumption when transferring logs to Chronicle. However, compression might cause an increase in CPU usage. The tradeoff between CPU usage and bandwidth depends on many factors, including the type of log data, the compressibility of that data, the availability of CPU cycles on the host running the forwarder and the need for reducing network bandwidth consumption.

For example, text based logs compress well and can provide substantial bandwidth savings with low CPU usage. However, encrypted payloads of raw packets do not compress well and incur higher CPU usage.

Since most of the log types ingested by the forwarder are efficiently compressible, log compression is enabled by default to reduce bandwidth consumption. However, if the increased CPU usage outweighs the benefit of the bandwidth savings, you can disable compression by setting the compression field to false in the Chronicle forwarder configuration file as shown in the following example:

  compression: false
  collector_id: 10479925-878c-11e7-9421-10604b7abba1
  customer_id: abcd4bb9-878b-11e7-8455-12345b7cb5c1
  secret_key: |
    "type": "service_account",

Enable TLS for syslog configurations

You can enable Transport Layer Security (TLS) for the Syslog connection to the Chronicle forwarder. In the Chronicle forwarder configuration file, specify the location of your certificate and certificate key as shown in the following example:

certificate "/opt/chronicle/external/certs/edb3ae966a7bbe1f.pem"
certificate_key "/opt/chronicle/external/certs/forwarder.key"

Based on the example shown, the Chronicle forwarder configuration would be modified as follows:

- syslog:
      enabled: true
      data_type: WINDOWS_DNS
      batch_n_seconds: 10
      batch_n_bytes: 1048576
  connection_timeout_sec: 60
  certificate: "/opt/chronicle/external/certs/edb3ae966a7bbe1f.pem"
  certificate_key: "/opt/chronicle/external/certs/forwarder.key"

You can create a certs directory under the configuration directory and store the certificate files there.

Collect packet data

The Chronicle forwarder can capture packets directly from a network interface using WinPcap or Npcap on Windows systems. Packets are captured and sent to Google Cloud instead of log entries. Capture is done from a local interface only.

Contact Chronicle Support to update your Chronicle forwarder configuration file to support packet capture.

To run a Packet Capture (PCAP) forwarder, you need the following:

  • For Microsoft Windows hosts, install WinPcap or Npcap depending on the requirements of your organization.

  • Chronicle forwarder requires root or administrator privileges to monitor the network interface.

  • No command-line options are needed.

  • For Npcap installations, enable WinPcap compatibility mode.

To configure a PCAP forwarder, Google Cloud needs the GUID for the interface used to capture packets. Run getmac.exe on the machine where you plan to install Chronicle forwarder (either the server or the machine listening on the span port) and send the output to Chronicle.

Alternatively, you could modify the configuration file. Locate the PCAP section and replace the GUID value shown next to interface with GUID displayed from running getmac.exe.

For example, here is an original PCAP section:

- pcap:
       enabled: true
 data_type: PCAP_DNS
       batch_n_seconds: 10
   batch_n_bytes: 1048576
     interface: \Device\NPF_{1A7E7C8B-DD7B-4E13-9637-0437AB1A12FE}
   bpf: udp port 53

Here is the output from running getmac.exe:

  Physical Address    Transport Name
  A4-73-9F-ED-E1-82   \Device\Tcpip_{2E0E9440-ABFF-4E5B-B43C-E188FCAD1234}

And finally, here is the revised PCAP section with the new GUID:

  - pcap:
     enabled: true
         data_type: PCAP_DNS
     batch_n_seconds: 10
         batch_n_bytes: 1048576
       interface: \Device\NPF_{2E0E9440-ABFF-4E5B-B43C-E188FCAD9734}
     bpf: udp port 53