Google Security Operations forwarder executable for Windows

This document describes how to install and configure the Google Security Operations forwarder on Microsoft Windows.

Customize the configuration files

Based on the information you submitted prior to deployment, Google Cloud provides you with an executable file and an optional configuration file for the Google Security Operations forwarder. The executable file should only be run on the host it was configured for. Each executable file includes configuration specific to the Google Security Operations forwarder instance on your network. If you need to alter the configuration, contact Google Security Operations Support.

System requirements

The following are general recommendations. For recommendations specific to your system, contact Google Security Operations Support.

• Windows Server version: The Google Security Operations forwarder is supported on the following versions of Microsoft Windows Server:

  • 2008 R2

  • 2012 R2

  • 2016

• RAM: 1.5 GB for each collected data type. For example, endpoint detection and response (EDR), DNS, and DHCP are all separate data types. You need 4.5 GB of RAM to collect data for all three.

• CPU: 2 CPUs are sufficient to handle less than 10,000 events per second (EPS) (total for all data types). If you expect to forward more than 10,000 EPS, 4 to 6 CPUs are necessary.

• Disk: 20 GB of disk space is required, regardless of how much data the Google Security Operations forwarder handles. The Google Security Operations forwarder does not buffer to disk by default, but it is recommended to enable disk buffering. You can buffer the disk by adding write_to_disk_buffer_enabled and write_to_disk_dir_path parameters in the config file.

  For example:

  - <collector>:
       common:
           ...
           write_to_disk_buffer_enabled: true
           write_to_disk_dir_path: <var>your_path</var>
           ...
  

Google IP address ranges

You might need the IP address range to open when setting up a Google Security Operations forwarder configuration, such as when setting up the configuration for your firewall. It's not possible for Google to provide a specific list of IP addresses. However, you can obtain Google IP address ranges.

Verify the firewall configuration

If you have firewalls or authenticated proxies in between the Google Security Operations forwarder container and the internet, they require rules to allow access to the following Google Cloud hosts:

You can check network connectivity to Google Cloud using the following steps:

1. Start Windows PowerShell with Administrator privileges (Click Start, type PowerShell, right-click Windows PowerShell, and click Run as administrator).

2. Run the following command. TcpTestSucceeded should return true.

   C:\> test-netconnection <host> -port <port>

   For example:

   C:\> test-netconnection malachiteingestion-pa.googleapis.com -port 443
   ComputerName     : malchiteingestion-pa.googleapis.com
   RemoteAddress    : 198.51.100.202
   RemotePort       : 443
   InterfaceAlias   : Ethernet
   SourceAddress    : 10.168.0.2
   TcpTestSucceeded : True
   

You can also use the Google Security Operations forwarder to check network connectivity:

1. Start Command Prompt with administrator privileges (Click Start, type Command Prompt, right-click Command Prompt, and click Run as Administrator).

2. To verify network connectivity, run the Google Security Operations forwarder with the -test option.

   C:\> .\chronicle_forwarder.exe -test
   Verify network connection succeeded!
   

Install the Google Security Operations forwarder on Windows

On Windows, the Google Security Operations forwarder executable needs to be installed as a service.

1. Copy the chronicle_forwarder.exe file and the configuration file to a working directory.

2. Start Command Prompt with administrator privileges (Click Start, type Command Prompt, right-click Command Prompt, and click Run as Administrator).

3. To install the service, navigate to the working directory you created in step 1 and run the following command:

   C:\> .\chronicle_forwarder.exe -install -config FILE_NAME
   

   Replace FILE_NAME with the name of the configuration file provided to you.

   The service is installed to C:\Windows\system32\ChronicleForwarder.

4. To start the service, run the following command:

   C:\> sc.exe start chronicle_forwarder
   

Verify the Google Security Operations forwarder is running

The Google Security Operations forwarder should have a network connection open on port 443 and your data should be displayed in the Google Security Operations web interface within minutes.

You can verify that the Google Security Operations forwarder is running using any of the following methods:

• Task Manager: Navigate to the Processes tab > Background processes > chronicle_forwarder.

• Resources Monitor: On the Network tab, the chronicle_forwarder.exe application should be listed under Network Activity (whenever the chronicle_forwarder.exe application connects to Google Cloud), under TCP Connections, and under Listening Ports.

View forwarder logs

Google Security Operations forwarder log files are stored in the C:\Windows\Temp folder. The log files begin with chronicle_forwarder.exe.win-forwarder. The log files provide a variety of information, including when the forwarder was started and when it began sending data to Google Cloud.

Uninstall the Google Security Operations forwarder

To uninstall the Google Security Operations forwarder service, complete the following steps:

1. Open Command Prompt in administrator mode.

2. Stop the Google Security Operations forwarder service:

   SERVICE_NAME: chronicle_forwarder
   TYPE               : 10  WIN32_OWN_PROCESS
   STATE              : 4  RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
   WIN32_EXIT_CODE    : 0  (0x0)
   SERVICE_EXIT_CODE  : 0  (0x0)
   CHECKPOINT         : 0x0
   WAIT_HINT          : 0x0
   

3. Navigate to the C:\Windows\system32\ChronicleForwarder directory and uninstall the Google Security Operations forwarder service: C:\> .\chronicle_forwarder.exe -uninstall

Upgrade the Google Security Operations forwarder

To upgrade the Google Security Operations forwarder while continuing to use your current configuration file, complete the following steps:

1. Open Command Prompt in administrator mode.

2. Copy your configuration file from the C:\Windows\system32\ChronicleForwarder directory to another directory.

3. Stop the Google Security Operations forwarder:

   C:\> sc.exe stop chronicle_forwarder
   

4. Uninstall the Google Security Operations forwarder service and application:

   C:\> .\chronicle_forwarder.exe --uninstall
   

5. Delete all files in the C:\windows\system32\ChronicleForwarder directory.

6. Copy the new chronicle_forwarder.exe application and the original configuration file to a working directory.

7. From the working directory, run the following command:

   C:\> .\chronicle_forwarder.exe -install -config configFileProvidedToYou
   

8. Start the service:

   C:\ sc.exe start chronicle_forwarder
   

Collect Splunk data

Contact Google Security Operations Support to update your Google Security Operations forwarder configuration file to forward your Splunk data to Google Cloud.

Collect syslog data

The Google Security Operations forwarder can operate as a syslog server, meaning you can configure any appliance or server that supports sending syslog data over a TCP or UDP connection to forward their data to the Google Security Operations forwarder. You can control exactly what data the appliance or server sends to the Google Security Operations forwarder which can then forward the data to Google Cloud.

The Google Security Operations forwarder configuration file specifies which ports to monitor for each type of forwarded data (for example, port 10514). By default, the Google Security Operations forwarder accepts both TCP and UDP connections. Contact Google Security Operations Support to update your Google Security Operations forwarder configuration file to support syslog.

Toggle data compression

Log compression reduces network bandwidth consumption when transferring logs to Google Security Operations. However, compression might cause an increase in CPU usage. The tradeoff between CPU usage and bandwidth depends on many factors, including the type of log data, the compressibility of that data, the availability of CPU cycles on the host running the forwarder, and the need for reducing network bandwidth consumption.

For example, text based logs compress well and can provide substantial bandwidth savings with low CPU usage. However, encrypted payloads of raw packets do not compress well and incur higher CPU usage.

Since most of the log types ingested by the forwarder are efficiently compressible, log compression is enabled by default to reduce bandwidth consumption. However, if the increased CPU usage outweighs the benefit of the bandwidth savings, you can disable compression by setting the compression field to false in the Google Security Operations forwarder configuration file as shown in the following example:

  compression: false
  url: malachiteingestion-pa.googleapis.com:443
  identity:
  identity:
  collector_id: 10479925-878c-11e7-9421-10604b7abba1
  customer_id: abcd4bb9-878b-11e7-8455-12345b7cb5c1
  secret_key: |
  {
    "type": "service_account",
  ...

Enable TLS for syslog configurations

You can enable Transport Layer Security (TLS) for the syslog connection to the Google Security Operations forwarder. In the Google Security Operations forwarder configuration file, specify the location of your certificate and certificate key as shown in the following example:

Based on the example shown, the Google Security Operations forwarder configuration would be modified as follows:

  collectors:
- syslog:
    common:
      enabled: true
      data_type: WINDOWS_DNS
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
  tcp_address: 0.0.0.0:10515
  connection_timeout_sec: 60
  certificate: "C:/opt/chronicle/external/certs/edb3ae966a7bbe1f.pem"
  certificate_key: "C:/opt/chronicle/external/certs/forwarder.key"

You can create a certs directory under the configuration directory and store the certificate files there.

Collect packet data

The Google Security Operations forwarder can capture packets directly from a network interface using Npcap on Windows systems.

Packets are captured and sent to Google Cloud instead of log entries. Capture is done from a local interface only.

Contact Google Security Operations Support to update your Google Security Operations forwarder configuration file to support packet capture.

To run a Packet Capture (PCAP) forwarder, you need the following:

• Install Npcap on the Microsoft Windows host.

• Grant the Google Security Operations forwarder root or administrator privileges to monitor the network interface.

• No command-line options are needed.

• On the Npcap installation, enable WinPcap compatibility mode.

To configure a PCAP forwarder, Google Cloud needs the GUID for the interface used to capture packets. Run getmac.exe on the machine where you plan to install the Google Security Operations forwarder (either the server or the machine listening on the span port) and send the output to Google Security Operations.

Alternatively, you could modify the configuration file. Locate the PCAP section and replace the GUID value shown next to interface with GUID displayed from running getmac.exe.

For example, here is an original PCAP section:

 common:
       enabled: true
 data_type: PCAP_DNS
       batch_n_seconds: 10
   batch_n_bytes: 1048576
     interface: \Device\NPF_{1A7E7C8B-DD7B-4E13-9637-0437AB1A12FE}
   bpf: udp port 53

Here is the output from running getmac.exe:

C:\>getmac.exe
  Physical Address    Transport Name
  ===========================================================================
  A4-73-9F-ED-E1-82   \Device\Tcpip_{2E0E9440-ABFF-4E5B-B43C-E188FCAD1234}

And finally, here is the revised PCAP section with the new GUID:

- pcap:
       common:
     enabled: true
         data_type: PCAP_DNS
     batch_n_seconds: 10
         batch_n_bytes: 1048576
       interface: \Device\NPF_{2E0E9440-ABFF-4E5B-B43C-E188FCAD9734}
     bpf: udp port 53

Collect WebProxy data

The Google Security Operations forwarder can capture WebProxy data directly from a network interface using Npcap and send it to Google Cloud.

To enable WebProxy data capture for your system, contact Google Security Operations Support.

Before you run a WebProxy forwarder, do the following:

1. Install Npcap on the Microsoft Windows host. Enable WinPcap compatibility mode during the installation.

2. Grant root or administrator privileges to the Google Security Operations forwarder to monitor the network interface.

3. To configure a WebProxy forwarder, Google Cloud needs the GUID for the interface used to capture the WebProxy packets.

   Run getmac.exe on the machine where you want to install the Google Security Operations forwarder and send the output to Google Security Operations. Alternatively, you can modify the configuration file. Locate the WebProxy section and replace the GUID shown next to the interface with the GUID displayed after running getmac.exe.

   Modify the Google Security Operations forwarder configuration (FORWARDER_NAME.conf) file as follows:

     - webproxy:
       common:
           enabled : true
           data_type: <Your LogType>
           batch_n_seconds: 10
           batch_n_bytes: 1048576
         interface: \Device\NPF_{2E0E9440-ABFF-4E5B-B43C-E188FCAD9734}
         bpf: tcp and dst port 80