Chronicle forwarder executable for Windows

This document describes how to install and configure the Chronicle forwarder on Microsoft Windows.

Customize the configuration files

Based on the information you submitted prior to deployment, Google Cloud provides you with an executable file and an optional configuration file for the Chronicle forwarder. The executable file should only be run on the host it was configured for. Each executable file includes configuration specific to the Chronicle forwarder instance on your network. If you need to alter the configuration, contact Chronicle Support.

System requirements

The following are general recommendations. For recommendations specific to your system, contact Chronicle Support.

• Windows Server version: The Chronicle forwarder is supported on the following versions of Microsoft Windows Server:

  • 2008 R2

  • 2012 R2

  • 2016

• RAM: 1.5 GB for each collected data type. For example, endpoint detection and response (EDR), DNS, and DHCP are all separate data types. You need 4.5 GB of RAM to collect data for all three.

• CPU: 2 CPUs are sufficient to handle less than 10,000 events per second (EPS) (total for all data types). If you expect to forward more than 10,000 EPS, 4 to 6 CPUs are necessary.

• Disk: 100 MB of disk space is sufficient, regardless of how much data the Chronicle forwarder handles. The Chronicle forwarder does not buffer to disk by default. You can buffer the disk by adding write_to_disk_buffer_enabled and write_to_disk_dir_path parameters in the config file.

  For example:

  - <collector>:
       common:
           ...
           write_to_disk_buffer_enabled: true
           write_to_disk_dir_path: <var>your_path</var>
           ...
  

Google IP address ranges

You might need the IP address range to open when setting up a Chronicle forwarder configuration, such as when setting up the configuration for your firewall. It's not possible for Google to provide a specific list of IP addresses. However, you can obtain Google IP address ranges.

Verify the firewall configuration

If you have firewalls or authenticated proxies in between the Chronicle forwarder container and the internet, they require rules to allow access to the following Google Cloud hosts:

Connection Type	Destination	Port
TCP	malachiteingestion-pa.googleapis.com	443
TCP	asia-northeast1-malachiteingestion-pa.googleapis.com	443
TCP	asia-south1-malachiteingestion-pa.googleapis.com	443
TCP	asia-southeast1-malachiteingestion-pa.googleapis.com	443
TCP	australia-southeast1-malachiteingestion-pa.googleapis.com	443
TCP	europe-malachiteingestion-pa.googleapis.com	443
TCP	europe-west2-malachiteingestion-pa.googleapis.com	443
TCP	europe-west3-malachiteingestion-pa.googleapis.com	443
TCP	europe-west6-malachiteingestion-pa.googleapis.com	443
TCP	me-central2-malachiteingestion-pa.googleapis.com	443
TCP	me-west1-malachiteingestion-pa.googleapis.com	443
TCP	northamerica-northeast2-malachiteingestion-pa.googleapis.com	443
TCP	accounts.google.com	443
TCP	gcr.io	443
TCP	oauth2.googleapis.com	443
TCP	storage.googleapis.com	443

You can check network connectivity to Google Cloud using the following steps:

1. Start Windows PowerShell with Administrator privileges (Click Start, type PowerShell, right-click Windows PowerShell, and click Run as administrator).

2. Run the following command. TcpTestSucceeded should return true.

   C:\> test-netconnection <host> -port <port>

   For example:

   C:\> test-netconnection malachiteingestion-pa.googleapis.com -port 443
   ComputerName     : malchiteingestion-pa.googleapis.com
   RemoteAddress    : 198.51.100.202
   RemotePort       : 443
   InterfaceAlias   : Ethernet
   SourceAddress    : 10.168.0.2
   TcpTestSucceeded : True
   

You can also use the Chronicle forwarder to check network connectivity:

1. Start Command Prompt with administrator privileges (Click Start, type Command Prompt, right-click Command Prompt, and click Run as Administrator).

2. To verify network connectivity, run the Chronicle forwarder with the -test option.

   C:\> .\chronicle_forwarder.exe -test
   Verify network connection succeeded!
   

Install the Chronicle forwarder on Windows

On Windows, the Chronicle forwarder executable needs to be installed as a service.

1. Copy the chronicle_forwarder.exe file and the configuration file to a working directory.

2. Start Command Prompt with administrator privileges (Click Start, type Command Prompt, right-click Command Prompt, and click Run as Administrator).

3. To install the service, navigate to the working directory you created in step 1 and run the following command:

   C:\> .\chronicle_forwarder.exe -install -config FILE_NAME
   

   Replace FILE_NAME with the name of the configuration file provided to you.

   The service is installed to C:\Windows\system32\ChronicleForwarder.

4. To start the service, run the following command:

   C:\> sc.exe start chronicle_forwarder
   

Verify the Chronicle forwarder is running

The Chronicle forwarder should have a network connection open on port 443 and your data should be displayed in the Chronicle web interface within minutes.

You can verify that the Chronicle forwarder is running using any of the following methods:

• Task Manager: Navigate to the Processes tab > Background processes > chronicle_forwarder.

• Resources Monitor: On the Network tab, the chronicle_forwarder.exe application should be listed under Network Activity (whenever the chronicle_forwarder.exe application connects to Google Cloud), under TCP Connections, and under Listening Ports.

View forwarder logs

Chronicle forwarder log files are stored in the C:\Windows\Temp folder. The log files begin with chronicle_forwarder.exe.win-forwarder. The log files provide a variety of information, including when the forwarder was started and when it began sending data to Google Cloud.

Uninstall the Chronicle forwarder

To uninstall the Chronicle forwarder service, complete the following steps:

1. Open Command Prompt in administrator mode.

2. Stop the Chronicle forwarder service:

   SERVICE_NAME: chronicle_forwarder
   TYPE               : 10  WIN32_OWN_PROCESS
   STATE              : 4  RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
   WIN32_EXIT_CODE    : 0  (0x0)
   SERVICE_EXIT_CODE  : 0  (0x0)
   CHECKPOINT         : 0x0
   WAIT_HINT          : 0x0
   

3. Navigate to the C:\Windows\system32\ChronicleForwarder directory and uninstall the Chronicle forwarder service: C:\> .\chronicle_forwarder.exe -uninstall

Upgrade the Chronicle forwarder

To upgrade the Chronicle forwarder while continuing to use your current configuration file, complete the following steps:

1. Open Command Prompt in administrator mode.

2. Copy your configuration file from the C:\Windows\system32\ChronicleForwarder directory to another directory.

3. Stop the Chronicle forwarder:

   C:\> sc.exe stop chronicle_forwarder
   

4. Uninstall the Chronicle forwarder service and application:

   C:\> .\chronicle_forwarder.exe --uninstall
   

5. Delete all files in the C:\windows\system32\ChronicleForwarder directory.

6. Copy the new chronicle_forwarder.exe application and the original configuration file to a working directory.

7. From the working directory, run the following command:

   C:\> .\chronicle_forwarder.exe -install -config configFileProvidedToYou
   

8. Start the service:

   C:\ sc.exe start chronicle_forwarder
   

Collect Splunk data

Contact Chronicle Support to update your Chronicle forwarder configuration file to forward your Splunk data to Google Cloud.

Collect syslog data

The Chronicle forwarder can operate as a syslog server, meaning you can configure any appliance or server that supports sending syslog data over a TCP or UDP connection to forward their data to the Chronicle forwarder. You can control exactly what data the appliance or server sends to the Chronicle forwarder which can then forward the data to Google Cloud.

The Chronicle forwarder configuration file specifies which ports to monitor for each type of forwarded data (for example, port 10514). By default, the Chronicle forwarder accepts both TCP and UDP connections. Contact Chronicle Support to update your Chronicle forwarder configuration file to support syslog.

Toggle data compression

Log compression reduces network bandwidth consumption when transferring logs to Chronicle. However, compression might cause an increase in CPU usage. The tradeoff between CPU usage and bandwidth depends on many factors, including the type of log data, the compressibility of that data, the availability of CPU cycles on the host running the forwarder, and the need for reducing network bandwidth consumption.

For example, text based logs compress well and can provide substantial bandwidth savings with low CPU usage. However, encrypted payloads of raw packets do not compress well and incur higher CPU usage.

Since most of the log types ingested by the forwarder are efficiently compressible, log compression is enabled by default to reduce bandwidth consumption. However, if the increased CPU usage outweighs the benefit of the bandwidth savings, you can disable compression by setting the compression field to false in the Chronicle forwarder configuration file as shown in the following example:

  compression: false
  url: malachiteingestion-pa.googleapis.com:443
  identity:
  identity:
  collector_id: 10479925-878c-11e7-9421-10604b7abba1
  customer_id: abcd4bb9-878b-11e7-8455-12345b7cb5c1
  secret_key: |
  {
    "type": "service_account",
  ...

Enable TLS for syslog configurations

You can enable Transport Layer Security (TLS) for the syslog connection to the Chronicle forwarder. In the Chronicle forwarder configuration file, specify the location of your certificate and certificate key as shown in the following example:

certificate	C:/opt/chronicle/external/certs/edb3ae966a7bbe1f.pem
certificate_key	C:/opt/chronicle/external/certs/forwarder.key

Based on the example shown, the Chronicle forwarder configuration would be modified as follows:

  collectors:
- syslog:
    common:
      enabled: true
      data_type: WINDOWS_DNS
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
  tcp_address: 0.0.0.0:10515
  connection_timeout_sec: 60
  certificate: "C:/opt/chronicle/external/certs/edb3ae966a7bbe1f.pem"
  certificate_key: "C:/opt/chronicle/external/certs/forwarder.key"

You can create a certs directory under the configuration directory and store the certificate files there.

Collect packet data

The Chronicle forwarder can capture packets directly from a network interface using Npcap on Windows systems.

Packets are captured and sent to Google Cloud instead of log entries. Capture is done from a local interface only.

Contact Chronicle Support to update your Chronicle forwarder configuration file to support packet capture.

To run a Packet Capture (PCAP) forwarder, you need the following:

• Install Npcap on the Microsoft Windows host.

• Grant the Chronicle forwarder root or administrator privileges to monitor the network interface.

• No command-line options are needed.

• On the Npcap installation, enable WinPcap compatibility mode.

To configure a PCAP forwarder, Google Cloud needs the GUID for the interface used to capture packets. Run getmac.exe on the machine where you plan to install the Chronicle forwarder (either the server or the machine listening on the span port) and send the output to Chronicle.

Alternatively, you could modify the configuration file. Locate the PCAP section and replace the GUID value shown next to interface with GUID displayed from running getmac.exe.

For example, here is an original PCAP section:

 common:
       enabled: true
 data_type: PCAP_DNS
       batch_n_seconds: 10
   batch_n_bytes: 1048576
     interface: \Device\NPF_{1A7E7C8B-DD7B-4E13-9637-0437AB1A12FE}
   bpf: udp port 53

Here is the output from running getmac.exe:

C:\>getmac.exe
  Physical Address    Transport Name
  ===========================================================================
  A4-73-9F-ED-E1-82   \Device\Tcpip_{2E0E9440-ABFF-4E5B-B43C-E188FCAD1234}

And finally, here is the revised PCAP section with the new GUID:

- pcap:
       common:
     enabled: true
         data_type: PCAP_DNS
     batch_n_seconds: 10
         batch_n_bytes: 1048576
       interface: \Device\NPF_{2E0E9440-ABFF-4E5B-B43C-E188FCAD9734}
     bpf: udp port 53

Collect WebProxy data

The Chronicle forwarder can capture WebProxy data directly from a network interface using Npcap and send it to Google Cloud.

To enable WebProxy data capture for your system, contact Chronicle Support.

Before you run a WebProxy forwarder, do the following:

1. Install Npcap on the Microsoft Windows host. Enable WinPcap compatibility mode during the installation.

2. Grant root or administrator privileges to the Chronicle forwarder to monitor the network interface.

3. To configure a WebProxy forwarder, Google Cloud needs the GUID for the interface used to capture the WebProxy packets.

   Run getmac.exe on the machine where you want to install the Chronicle forwarder and send the output to Chronicle. Alternatively, you can modify the configuration file. Locate the WebProxy section and replace the GUID shown next to the interface with the GUID displayed after running getmac.exe.

   Modify the Chronicle forwarder configuration (FORWARDER_NAME.conf) file as follows:

     - webproxy:
       common:
           enabled : true
           data_type: <Your LogType>
           batch_n_seconds: 10
           batch_n_bytes: 1048576
         interface: \Device\NPF_{2E0E9440-ABFF-4E5B-B43C-E188FCAD9734}
         bpf: tcp and dst port 80