Mon. Jun 27th, 2022

This document describes how to install and configure the Chronicle forwarder on Microsoft Windows.

Customize Configuration Files

Based on the information you provided to the deployment specialist, Google Cloud
gives you an executable and a configuration file for the Chronicle
forwarder. Ideally, the executable should run on the host it
was created for. Each executable contains a specific configuration for a
forwarder instance on your network. If you need to change the configuration,
contact Chronicle Support.


The following are general recommendations. For recommendations specific to your
system, contact Chronicle Support.

  • Windows Server version: The Chronicle forwarder is supported on the
    following versions of Microsoft Windows Server:

  • 2008 R2
  • 2012 R2
  • 2016
  • RAM: 1.5 GB for each collected data type. For example, endpoint detection and response
    (EDR), DNS, and DHCP are three separate data types. You would need 4.5 GB of RAM to collect
    all three.

  • CPU: 2 CPUs are sufficient to handle less than 10,000 events per second (EPS) (total for
    all data types). If you plan to forward more than 10,000 EPS, provision 4 to 6 CPUs.

  • Disk: 100 MB of disk space is sufficient, regardless of how much data the Chronicle forwarder
    handles. The Chronicle forwarder does not buffer to disk.

    Verify the Firewall Configuration

    If you have firewalls or authenticated proxies between the forwarder host and
    the Internet, they need rules that allow access to the following Google Cloud hosts:

    Connection type   Destination host   Destination port
    TCP                                  443
    TCP                                  443

    You can test the network connection to Google Cloud by doing the following:

    1. Run Windows PowerShell as an administrator (Windows -> right-click Windows PowerShell and select Run as administrator).

    2. Type the following command. TcpTestSucceeded should return True.

      C:\> test-netconnection <host> -port <port>

      Example:

      C:\> test-netconnection <host> -port 443
      ComputerName     :
      RemoteAddress    :
      RemotePort       : 443
      InterfaceAlias   : Ethernet
      SourceAddress    : 10.168.0.2
      TcpTestSucceeded : True

    1. Run Command Prompt as an administrator (Windows -> right-click Command Prompt and select Run as administrator).
    2. To test network connectivity, run the forwarder with the -test option.

      C:\> .\chronicle_forwarder.exe -test
      Network connectivity check succeeded!
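    The two manual checks above (Test-NetConnection per host, then the forwarder's own -test run) can be scripted so that a blocked host, a DNS failure and an authenticated proxy are reported separately. The following is an added example written for this page, not code from the Chronicle documentation or the forwarder itself. It assumes you pass the Google Cloud ingestion host names from your firewall rule list in -Hosts (they are not reproduced on this page), that the forwarder binary is in the current directory, and that chronicle_forwarder.exe -test returns a non-zero exit status on failure, which the page does not state.

```powershell
# Added example: pre-install egress check for a Chronicle forwarder host.
# Assumptions: -Hosts comes from your firewall rule list; -test exit status
# is assumed non-zero on failure (not documented on this page).
param(
    [string[]]$Hosts = @(),                      # fill from the firewall table
    [int]$Port = 443,
    [string]$Forwarder = ".\chronicle_forwarder.exe"
)

$failed = @()
foreach ($h in $Hosts) {
    # Resolve first so a DNS problem is reported separately from a blocked port.
    try {
        $addrs = (Resolve-DnsName -Name $h -Type A -ErrorAction Stop).IPAddress
    } catch {
        Write-Warning "DNS resolution failed for $h : $($_.Exception.Message)"
        $failed += $h
        continue
    }
    # Same check as the manual step; -InformationLevel Quiet returns a single boolean.
    $ok = Test-NetConnection -ComputerName $h -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue
    if ($ok) {
        Write-Host ("OK      {0} -> {1}:{2}" -f $h, ($addrs -join ','), $Port)
    } else {
        Write-Warning ("BLOCKED {0}:{1} (resolved to {2}); check firewall/proxy rules" -f $h, $Port, ($addrs -join ','))
        $failed += $h
    }
}

# Show the effective WinHTTP proxy: an authenticated proxy here is the usual
# reason a host resolves correctly but the TCP 443 connection is refused.
netsh winhttp show proxy

if ($failed.Count -gt 0) {
    Write-Error ("Egress check failed for: {0}" -f ($failed -join ', '))
    exit 1
}

# Only when every host passes, run the forwarder's own connectivity test.
& $Forwarder -test
if ($LASTEXITCODE -ne 0) {
    Write-Error "chronicle_forwarder.exe -test failed (exit code $LASTEXITCODE)"
    exit $LASTEXITCODE
}
```

    Run it from an elevated PowerShell in the forwarder working directory, for example .\Test-ForwarderEgress.ps1 -Hosts host1,host2. A host that resolves but fails the TCP test while netsh shows a proxy almost always means the proxy requires authentication that the forwarder service account cannot provide.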

    Install the Forwarder on Windows

    On Windows, the forwarder executable should typically be installed as a service.

    1. Copy the chronicle_forwarder.exe file and the configuration file to a working directory.

    2. Run Command Prompt as an administrator (Windows -> right-click Command Prompt and select Run as administrator).

    3. To install the forwarder service, navigate to the working directory created in step 1 and enter the following command:

      C:\> .\chronicle_forwarder.exe -install -config configFileProvidedToYou
      The service is installed in C:\Windows\system32\ChronicleForwarder.
    4. To start the service, enter the following command:

      C:\> sc start Chronicle_Forwarder

    Verify the Forwarder Is Working

    The forwarder should have an outbound TCP connection open on port 443, and your data should appear in the Chronicle UI in the Logs section.

    You can verify that the forwarder is running using one of the following methods:

  • Task Manager: Navigate to the Processes tab. Chronicle_Forwarder should be listed under Background processes.

  • Resource Monitor: In the Network tab, under Network Activity (whenever the chronicle_forwarder.exe process connects to Google Cloud), the chronicle_forwarder.exe process should show TCP Connections and appear under Listening Ports.

  • Chronicle forwarder log files: Navigate to C:\Windows\Temp. This is where the Chronicle forwarder log files are stored. All of the forwarder log files share the same name prefix. Open the most recent log file in a text editor. It contains various information, including when the Chronicle forwarder was started and when it started sending data to Google Cloud.
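    The three checks above (service in Task Manager, TCP connections in Resource Monitor, and the newest log file) can be collected by one script that is also usable from a scheduler. This is an added example written for this page, not code from the Chronicle documentation or the forwarder. It assumes the service name Chronicle_Forwarder, the process name chronicle_forwarder and the log directory C:\Windows\Temp as given on this page; the log file name prefix in $logPrefix is an assumption, because the page does not state it.

```powershell
# Added example: post-install health check for the Chronicle forwarder.
# Assumption: $logPrefix is a guess; the page does not give the log file prefix.
$serviceName = 'Chronicle_Forwarder'
$logDir      = 'C:\Windows\Temp'
$logPrefix   = 'chronicle'
$result      = [ordered]@{}

# 1. Service state (what Task Manager shows under Background processes).
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
$result.ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

# 2. Process and its TCP connections (what Resource Monitor's Network tab shows).
$proc = Get-Process -Name 'chronicle_forwarder' -ErrorAction SilentlyContinue | Select-Object -First 1
$result.ProcessId = if ($proc) { $proc.Id } else { $null }
if ($proc) {
    $conns = Get-NetTCPConnection -OwningProcess $proc.Id -ErrorAction SilentlyContinue
    # Outbound connection(s) to Google Cloud on 443, plus any syslog listener ports.
    $result.EstablishedTo443 = @($conns | Where-Object { $_.RemotePort -eq 443 -and $_.State -eq 'Established' }).Count
    $result.ListeningPorts   = @($conns | Where-Object { $_.State -eq 'Listen' } |
                                 Select-Object -ExpandProperty LocalPort -Unique)
} else {
    $result.EstablishedTo443 = 0
    $result.ListeningPorts   = @()
}

# 3. Newest forwarder log: shows when it started and when it began sending data.
$log = Get-ChildItem -Path $logDir -Filter "$logPrefix*" -File -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if ($log) {
    $result.LatestLog    = $log.FullName
    $result.LogLastWrite = $log.LastWriteTime
    # Tail the log so a stalled forwarder (old LastWriteTime, no send lines) is obvious.
    Get-Content -Path $log.FullName -Tail 20
}

[pscustomobject]$result | Format-List

# Non-zero exit when a check fails, so the script can be run from Task Scheduler.
$healthy = ($result.ServiceStatus -eq 'Running') -and $proc -and ($result.EstablishedTo443 -gt 0)
if (-not $healthy) { Write-Warning 'Forwarder is not healthy'; exit 1 }
```

    Because the page notes the process connects to Google Cloud only when it has data to send, EstablishedTo443 can legitimately read 0 on an idle host; treat that as a warning and rely on the service state and the log timestamp before escalating.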

    Remove the Forwarder

    1. Open a Command Prompt in administrator mode.

    2. Stop the Chronicle forwarder service:

      C:\> sc stop Chronicle_Forwarder
      SERVICE_NAME: Chronicle_Forwarder
              WIN32_EXIT_CODE    : 0  (0x0)
              SERVICE_EXIT_CODE  : 0  (0x0)
              CHECKPOINT         : 0x0
              WAIT_HINT          : 0x0
    3. Navigate to C:\Windows\system32\ChronicleForwarder and remove the Chronicle forwarder service:

      C:\> .\chronicle_forwarder.exe -remove

    Update the Forwarder

    To update the forwarder using the existing configuration file, do the following:

    1. Open a Command Prompt in administrator mode.

    2. Copy the configuration file from C:\Windows\system32\ChronicleForwarder to a working directory.

    3. Stop the Chronicle forwarder service:

      C:\> sc stop Chronicle_Forwarder

    4. Remove the existing application and the Chronicle forwarder service:

      C:\> .\chronicle_forwarder.exe -remove

    5. Delete all files in the C:\Windows\system32\ChronicleForwarder directory.

    6. Copy the new chronicle_forwarder.exe application and the existing configuration file to the working directory.

    7. From the working directory, run the following command:

      C:\> .\chronicle_forwarder.exe -install -config configFileProvidedToYou

    8. Start the service:

      C:\> sc start Chronicle_Forwarder
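    The eight update steps above are easy to get wrong by hand (deleting the install directory before the configuration file was copied out is the usual mistake). The following is an added example written for this page, not a script from the Chronicle documentation or the forwarder package. It uses the -install, -config and -remove options and the paths and service name shown on this page; the -ConfigName parameter and the fallback of picking the only non-.exe file in the install directory are this example's own assumptions, and the backup copy is an addition the page does not call for.

```powershell
# Added example: automates the forwarder update procedure on Windows.
# Assumptions: $NewExe is the new binary you received; if -ConfigName is not
# given, the only non-.exe file in the install directory is taken to be the
# configuration file (hypothetical, verify for your host).
param(
    [Parameter(Mandatory)][string]$NewExe,
    [string]$ConfigName,
    [string]$WorkDir = "$env:TEMP\chronicle_update"
)
$serviceName = 'Chronicle_Forwarder'
$installDir  = 'C:\Windows\system32\ChronicleForwarder'

# Step 1: refuse to run unelevated; stopping the service and writing under
# system32 both require administrator rights.
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) PowerShell.'
}
if (-not (Test-Path $NewExe)) { throw "New forwarder binary not found: $NewExe" }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Step 2: copy the existing configuration file out before anything is deleted.
$cfg = if ($ConfigName) { Get-Item (Join-Path $installDir $ConfigName) }
       else { Get-ChildItem $installDir -File | Where-Object Extension -ne '.exe' | Select-Object -First 1 }
if (-not $cfg) { throw "No configuration file found in $installDir" }
Copy-Item $cfg.FullName -Destination $WorkDir -Force
# Dated backup so a bad update can be rolled back (not part of the page's steps).
Copy-Item $cfg.FullName -Destination ('{0}.bak-{1:yyyyMMddHHmmss}' -f (Join-Path $WorkDir $cfg.Name), (Get-Date)) -Force

# Step 3: stop the service and wait until it has actually stopped.
Stop-Service -Name $serviceName -ErrorAction Stop
(Get-Service $serviceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))

# Step 4: remove the service with the old binary; step 5: clear the directory.
Push-Location $installDir
& .\chronicle_forwarder.exe -remove
Pop-Location
Remove-Item -Path (Join-Path $installDir '*') -Recurse -Force

# Step 6: stage the new binary next to the saved configuration file.
Copy-Item $NewExe -Destination (Join-Path $WorkDir 'chronicle_forwarder.exe') -Force

# Step 7: install from the working directory; step 8: start and confirm.
Push-Location $WorkDir
& .\chronicle_forwarder.exe -install -config $cfg.Name
Pop-Location
Start-Service -Name $serviceName
(Get-Service $serviceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
Get-Service $serviceName
```

    Usage: .\Update-Forwarder.ps1 -NewExe C:\staging\chronicle_forwarder.exe -ConfigName configFileProvidedToYou. WaitForStatus throws if the service does not reach the expected state within 30 seconds, which stops the script before it deletes or installs anything on top of a half-stopped service.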

    Collect Splunk Data

    Contact Chronicle Support to update the Chronicle forwarder configuration file and forward your Splunk data to Google Cloud.

    Collect Syslog Data

    The Chronicle forwarder can function as a syslog server, which means you can configure any appliance or server that supports sending syslog data over a TCP or UDP connection to forward its data to the Chronicle forwarder. You control exactly what data the appliance or server sends to the Chronicle forwarder, which can then forward the data to Google Cloud.

    The Chronicle forwarder configuration file specifies which ports to monitor for each type of forwarded data (for example, port 10514). By default, the Chronicle forwarder accepts both TCP and UDP connections. Contact Chronicle Support to extend the Chronicle forwarder configuration file to support syslog data.
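    Before pointing production appliances at the forwarder, it is worth sending one known test message over each transport and confirming it shows up. The following is an added example written for this page, not code from the Chronicle documentation or the forwarder. It assumes the forwarder listens on port 10514 (the page's example port) on the given host, and the message content is constructed for the test.

```powershell
# Added example: send a constructed RFC 3164-style syslog line to the
# forwarder over UDP and over TCP. Assumptions: host and port are yours to
# set; 10514 is only the example port used on this page.
param(
    [string]$ForwarderHost = '127.0.0.1',
    [int]$Port = 10514
)

function New-SyslogLine {
    param([string]$AppName, [string]$Msg, [int]$Facility = 1, [int]$Severity = 6)
    # PRI = facility * 8 + severity; facility 1 = user, severity 6 = informational.
    $pri = $Facility * 8 + $Severity
    $ts  = (Get-Date).ToString('MMM dd HH:mm:ss')
    return ('<{0}>{1} {2} {3}: {4}' -f $pri, $ts, $env:COMPUTERNAME, $AppName, $Msg)
}

$line  = New-SyslogLine -AppName 'chronicle-test' -Msg 'constructed test event from forwarder host'
$bytes = [Text.Encoding]::UTF8.GetBytes($line + "`n")

# UDP is fire-and-forget: a "successful" send only proves the datagram left this host.
$udp = New-Object System.Net.Sockets.UdpClient
try {
    $sent = $udp.Send($bytes, $bytes.Length, $ForwarderHost, $Port)
    Write-Host "UDP: sent $sent bytes to ${ForwarderHost}:$Port"
} finally { $udp.Close() }

# TCP: the connect itself proves the listener is up; the trailing newline ends the record.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($ForwarderHost, $Port)
    $stream = $tcp.GetStream()
    $stream.Write($bytes, 0, $bytes.Length)
    $stream.Flush()
    Write-Host "TCP: connected and sent $($bytes.Length) bytes to ${ForwarderHost}:$Port"
} catch {
    Write-Warning "TCP connect to ${ForwarderHost}:$Port failed: $($_.Exception.Message)"
} finally { $tcp.Close() }

Write-Host "Sent line: $line"
```

    Search for the chronicle-test app name in the Chronicle UI Logs section afterwards. If the TCP connect fails while UDP reports success, the listener is not up on that port (UDP cannot tell you that), so check the port in the forwarder configuration file and the host firewall before anything else.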

    Enable Compression

    Log compression reduces network bandwidth consumption when transferring logs to Chronicle.
    However, compression can increase CPU usage. The trade-off between CPU usage and
    bandwidth depends on many factors, including the type of log data and how compressible that
    data is, the availability of CPU cycles on the host where the forwarder is running, and the need to reduce
    network bandwidth consumption.

    For example, text-based logs compress well and can provide substantial bandwidth savings
    with low CPU cost. However, encrypted raw packet payloads compress poorly and incur
    higher CPU usage.

    Because most log types ingested by the forwarder compress efficiently, log
    compression is enabled by default to reduce bandwidth consumption. However, if the increase in CPU
    usage outweighs the benefit of the bandwidth savings, you can disable compression by setting the compression field in the Chronicle forwarder configuration file to false, as shown in the following example:

      compression: false
      collector_id: 10479925-878c-11e7-9421-10604b7abba1
      customer_id: abcd4bb9-878b-11e7-8455-12345b7cb5c1
      secret_key: |
          "type": "service_account",

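    The text-versus-encrypted claim above can be checked on your own sample before you decide to set compression: false. The following is an added example written for this page, not code from the Chronicle documentation or the forwarder, and it uses gzip through .NET as a stand-in for whatever the forwarder uses internally (the page does not name the algorithm). Both inputs are constructed here: structured syslog-style lines, and random bytes of the same length standing in for encrypted packet payloads.

```powershell
# Added example: compare gzip ratios for text logs versus random
# (encrypted-like) data. Assumption: gzip is used as a proxy for the
# forwarder's compression, which this page does not specify.
function Get-GzipRatio {
    param([byte[]]$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($out, [System.IO.Compression.CompressionMode]::Compress)
    $gz.Write($Data, 0, $Data.Length)
    $gz.Close()                       # writes the gzip trailer; must close before reading Length
    $ratio = $out.Length / $Data.Length
    $out.Dispose()
    return [math]::Round($ratio, 3)   # compressed size / original size (smaller is better)
}

# Constructed sample 1: 2,000 syslog-style lines with repeating structure.
$lines = 1..2000 | ForEach-Object {
    '<134>Jun 27 12:{0:00}:{1:00} host{2} sshd[{3}]: Accepted publickey for user{4} from 10.0.{5}.{6} port {7}' -f
        ($_ % 60), (($_ * 7) % 60), ($_ % 10), (1000 + $_), ($_ % 50), ($_ % 256), (($_ * 3) % 256), (40000 + $_)
}
$text = [Text.Encoding]::UTF8.GetBytes(($lines -join "`n"))

# Constructed sample 2: the same number of cryptographically random bytes,
# which is what an encrypted payload looks like to a compressor.
$random = New-Object byte[] ($text.Length)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($random)

$textRatio = Get-GzipRatio -Data $text
$randRatio = Get-GzipRatio -Data $random
'{0,-24} {1,8} bytes -> compressed/original = {2}' -f 'text logs',             $text.Length,   $textRatio
'{0,-24} {1,8} bytes -> compressed/original = {2}' -f 'random (encrypted-like)', $random.Length, $randRatio

# A ratio near 1.0 means CPU is spent for no bandwidth saving: that is the
# case where setting compression: false makes sense.
```

    To test a real sample, replace $text with Get-Content -Raw -Encoding Byte of an exported log file (or [IO.File]::ReadAllBytes) and compare the ratio against the CPU headroom you measured on the forwarder host.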
    Enable TLS for Syslog Configurations

    You can enable Transport Layer Security (TLS) for the syslog connection to the Chronicle
    forwarder. In the Chronicle forwarder configuration file, specify
    the location of your own certificate and certificate key, as shown below:

    certificate "/opt/chronicle/external/certs/edb3ae966a7bbe1f.pem"
    certificate_key "/opt/chronicle/external/certs/forwarder.key"

    Based on the example above, the Chronicle forwarder configuration would
    be modified as follows: