Collecting with CQ Windows Agent


Installing CyberQuest Log Gathering Agent

Download CyberQuest Agent from the following link: http://nextgensoftware.solutions/upload/Windows%20Agent/WindowsAgents_2.0.5.25.msi

In order to install CyberQuest Log Gathering Agent, the following steps need to be executed:

1) Install Microsoft .NET Framework 4.5

2) On the machine from which the logs will be gathered, double-click the installer package WindowsAgents_2.0.5.25.msi and click „Next” to continue the installation process.

3) Accept the license agreement by clicking the „I Agree” option after reading and agreeing to the licensing terms.

4) Choose the installation path and select „Install” in order to start the agent installation process.

5) In order to complete the installation process, select „Next” and „Finish” options.

6) Configure CyberQuest Log Gathering Agent. To choose the type of logs, the machines from which logs will be collected and where the collected logs are sent, the following files need to be edited:

  • Agent.exe.config (default location: C:\Program Files (x86)\CyberQuest LogAgent)
  • Collections.xml (default location: C:\Program Files (x86)\CyberQuest LogAgent)

Agent.exe.config

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <configSections>
    <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net"/>
  </configSections>
  <log4net>
    <appender name="ConsoleAppender" type="log4net.Appender.ConsoleAppender">
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date [%thread] %-5level %logger [%ndc] - %message%newline"/>
      </layout>
    </appender>
    <appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
      <file value="logs\\agent.log"/>
      <appendToFile value="true"/>
      <maximumFileSize value="1000KB"/>
      <maxSizeRollBackups value="10"/>
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date - %level  - %thread  - %logger - %message%newline"/>
      </layout>
    </appender>
    <root>
      <level value="DEBUG"/>
      <appender-ref ref="RollingFile"/>
      <appender-ref ref="ConsoleAppender"/>
    </root>
  </log4net>
  <appSettings>
    <add key="connectorType" value="SIEM" />
    <add key="server" value="XXX.XXX.XXX.XXX" />      <!-- CyberQuest server IP address (UDP collection) -->
    <add key="serverPort" value="8090" />
    <add key="serverProtocol" value="mq" />
    <add key="eventSyncQueueSize" value="10000" />
    <add key="AgentUUID" value="430401f3-fa20-4fc4-95fe-beb31cfaf978" />
    <add key="compressData" value="true" />
    <add key="encryptData" value="true" />
    <add key="mqUserName" value="cq" />
    <add key="mqPassword" value="VRW7Zl7RreWg9Q==" />
    <add key="mqHost" value="XXX.XXX.XXX.XXX" />      <!-- CyberQuest server IP address (TCP collection) -->
    <add key="mqVhost" value="/" />
    <add key="mqPort" value="5672" />
    <add key="mqExchangeName" value="eventsExchange" />
    <add key="mqQueueName" value="events" />
    <add key="mqRouting" value="agents" />
    <add key="throttleCollection" value="10000" />
  </appSettings>
  <startup>
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/>
  </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-2.6.10.0" newVersion="2.6.10.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Threading.Tasks" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-2.6.10.0" newVersion="2.6.10.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-2.2.29.0" newVersion="2.2.29.0"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>

In the <appSettings> section, edit the following tags:

<add key="server" value="XXX.XXX.XXX.XXX" />   
XXX.XXX.XXX.XXX <- CyberQuest server IP address

<add key="mqHost" value="XXX.XXX.XXX.XXX" />
XXX.XXX.XXX.XXX <- CyberQuest server IP address

Collections.xml

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <settings>
        <CollectComputer computer="Localhost">        <!-- LogAgent FQDN or IP address -->

            <log name="Security">                     <!-- Event log full name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="Application">                  <!-- Event log full name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="System">                       <!-- Event log full name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

        </CollectComputer>
    </settings>
</configuration>

After any configuration changes, restart the CyberQuest Log Gathering Agent service:

  • Press Start->Run, type “services.msc” and click OK.
  • Select the service “CyberQuest Log Gathering Agent” from the list and press the “Stop Service” button.
  • After the operation ends successfully, press the “Start Service” button.

After the restart is completed the agent will start sending data to the collection server.

Configuring the CyberQuest Log Gathering Agent data collection

The CyberQuest Log Gathering Agent can collect Windows logs from the machine where it was installed or from any computer on the network.

Configure CyberQuest Log Gathering Agent for collecting local logs.

For local collection of any of the Windows logs, edit „collections.xml” while keeping the open/close tag structure required by XML files intact. Each <log name=""> element adds a WMI query for the named log on the machine given by the enclosing <CollectComputer computer=""> element. The „computer” attribute can hold either the FQDN or the IP address of the desired machine, provided it is in the same Active Directory as the machine where CyberQuest Log Gathering Agent is installed. For each additional machine, another <CollectComputer computer=""> element with at least one <log name=""> child needs to be added to „collections.xml”.

<CollectComputer computer="Localhost" >

            <log name="Security">
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="Application">
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="System">
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="Setup">
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>
        </CollectComputer>

Configure CyberQuest Log Gathering Agent for collecting remote computers logs.

For remote collection of any of the Windows logs, edit „collections.xml” while keeping the open/close tag structure required by XML files intact. Each <log name=""> element adds a WMI query for the named log on the machine given by the enclosing <CollectComputer computer=""> element. The „computer” attribute can hold either the FQDN or the IP address of the desired machine on the local network. For each additional machine, another <CollectComputer computer=""> element with at least one <log name=""> child needs to be added to „collections.xml”.

For remote machines, each <log name=""> element inside a <CollectComputer computer=""> element needs one more tag, <add name="templateFile" value="default" />, naming the template file that holds the collection credentials. The same template file can be used for multiple computers provided the credentials are the same for all of the collected machines.
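As an added example (not code from the CyberQuest documentation or product), the following Windows PowerShell 5.1 script checks a Collections.xml against the rules just described before the service is restarted: every <CollectComputer> names a computer, every <log> carries collectionMethod and logType, every remote computer's <log> has a templateFile, and each referenced template exists and holds USERNAME, PASSWORD and QUERY_INTERVAL. It assumes the default install folder and that templateFile "X" maps to Templates\X.xml; the <- annotations in this page's listings are not part of the real files, which must be well-formed XML.

```powershell
# Added example, not part of the CyberQuest product: validate Collections.xml and its templates.
# Assumes the default install folder and that templateFile "X" maps to Templates\X.xml.
param([string]$AgentDir = 'C:\Program Files (x86)\CyberQuest LogAgent')

function Get-AddValue($Element, [string]$Name) {
    # The files use <add name="X" value="Y" /> children as their key/value convention.
    if (-not $Element) { return $null }
    $node = $Element.SelectSingleNode("add[@name='$Name']")
    if ($node) { $node.GetAttribute('value') } else { $null }
}

# [xml] throws on malformed input, e.g. an unclosed <settings> or a stray "<-" annotation.
[xml]$collections = Get-Content -Raw -Path (Join-Path $AgentDir 'Collections.xml')
$problems = New-Object System.Collections.Generic.List[string]

foreach ($computer in $collections.SelectNodes('/configuration/settings/CollectComputer')) {
    $target = $computer.GetAttribute('computer')
    if ([string]::IsNullOrWhiteSpace($target)) { $problems.Add('CollectComputer without a computer attribute'); continue }
    # Anything that is not this host is collected over the network and needs credentials.
    $isRemote = $target -notin @('Localhost', '127.0.0.1', $env:COMPUTERNAME)
    $logs = $computer.SelectNodes('log')
    if ($logs.Count -eq 0) { $problems.Add("$target has no <log> element") }
    foreach ($log in $logs) {
        $name = $log.GetAttribute('name')
        foreach ($k in 'collectionMethod', 'logType') {
            if (-not (Get-AddValue $log $k)) { $problems.Add("$target/$name lacks $k") }
        }
        $template = Get-AddValue $log 'templateFile'
        if ($isRemote -and -not $template) { $problems.Add("$target/$name is remote but has no templateFile"); continue }
        if (-not $template) { continue }
        $path = Join-Path $AgentDir "Templates\$template.xml"
        if (-not (Test-Path -LiteralPath $path)) { $problems.Add("$target/$name references missing template $path"); continue }
        [xml]$tpl = Get-Content -Raw -LiteralPath $path
        $settings = $tpl.SelectSingleNode('/configuration/settings')
        foreach ($k in 'USERNAME', 'PASSWORD', 'QUERY_INTERVAL') {
            if (-not (Get-AddValue $settings $k)) { $problems.Add("template $template lacks $k") }
        }
    }
}

if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Collections.xml and referenced templates are consistent'
```

The agent's own parser may accept values this script does not know about; treat its warnings as pointers to re-check, not as the agent's verdict.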

  1. Edit Collections.xml

Navigate to the location C:\Program Files (x86)\CyberQuest LogAgent (default installation folder).

<configuration>
    <settings>

        <CollectComputer computer="XXX.XXX.XXX.XXX">  <!-- Remote computer IP address or FQDN -->

            <log name="Security">                     <!-- Event log full name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomain" />  <!-- Template file name -->
            </log>

            <log name="Application">                  <!-- Event log full name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomain" />  <!-- Template file name -->
            </log>

            <log name="System">                       <!-- Event log full name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomain" />  <!-- Template file name -->
            </log>

        </CollectComputer>

    </settings>
</configuration>

  2. Edit the template wmiEventsWithDomain.xml, or create a new XML file (for default installations located in C:\Program Files (x86)\CyberQuest LogAgent\Templates).


<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <settings>
    <add name="USERNAME"  value="user" />      <!-- Local user name -->
    <add name="PASSWORD"  value="VB6wZQ==" />  <!-- Local user's encoded password -->
    <add name="QUERY_INTERVAL"  value="20" />
  </settings>
</configuration>

To encrypt the local user password, follow the steps below:

  • Open a command prompt window.
  • Navigate to the installation directory (for default installations located in C:\Program Files (x86)\CyberQuest LogAgent) using cd C:\Program Files (x86)\CyberQuest
  • Execute the following command: Agent.exe -encodepassword [Local User’s password]
  • Copy the output of the “Hashed password:” field into the PASSWORD value of the template.

  3. Modify or create the following registry value: LocalAccountTokenFilterPolicy

  • Click Start, click Run, type “regedit”, and then press ENTER.
  • Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • If the LocalAccountTokenFilterPolicy registry entry does not exist, create it:
      a) On the Edit menu, point to New, and then click DWORD Value.
      b) Type LocalAccountTokenFilterPolicy, and then press ENTER.
  • Right-click LocalAccountTokenFilterPolicy, and then click Modify.
  • In the Value data box, type 1, and then click OK.
  • Exit Registry Editor.
  • On the remote computer, open services.msc and verify that “Windows Management Instrumentation” and “Remote Registry” have Startup type: Automatic and Service status: Running. If not, set Startup type to Automatic and start the service.

  4. Verify network access between the CyberQuest Log Gathering Agent and the remote Windows machine.
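As an added example (not from the CyberQuest documentation or product), this Windows PowerShell 5.1 script turns steps 3 and 4 into checks run from the agent host against one remote computer: TCP 135 reachability for DCOM/WMI, the LocalAccountTokenFilterPolicy value read through Remote Registry, and a WMI call with the template account's credential that verifies the two required services and confirms each configured log name exists on that host. $RemoteComputer and $LogNames are the script's own parameters, and the credential is prompted rather than read from the template, because the encoded PASSWORD value is usable only by the agent.

```powershell
# Added example, not part of the CyberQuest product: preflight one remote computer for WMI collection.
# Run from the agent host in Windows PowerShell 5.1 as a user allowed to read the remote registry.
param(
    [Parameter(Mandatory)][string]$RemoteComputer,
    [string[]]$LogNames = @('Security', 'Application', 'System')
)

# The local account from the template's USERNAME entry; prompted here, never stored in this script.
$cred = Get-Credential -Message "Local account on $RemoteComputer used by the agent template"

# 1) DCOM/WMI starts on the RPC endpoint mapper, TCP 135; a block here fails every WMI query.
$rpc = Test-NetConnection -ComputerName $RemoteComputer -Port 135 -WarningAction SilentlyContinue
if (-not $rpc.TcpTestSucceeded) { Write-Warning "TCP 135 to $RemoteComputer is not reachable" }

# 2) LocalAccountTokenFilterPolicy = 1 is what lets a local account keep its full token over the
#    network; without it the remote WMI query is denied. Read via the Remote Registry service
#    using the caller's own identity (OpenRemoteBaseKey does not take a credential).
try {
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $RemoteComputer)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
    $pol  = if ($key) { $key.GetValue('LocalAccountTokenFilterPolicy') } else { $null }
    if ($pol -ne 1) { Write-Warning "LocalAccountTokenFilterPolicy on $RemoteComputer is '$pol', expected 1" }
} catch { Write-Warning "Remote registry read on $RemoteComputer failed: $($_.Exception.Message)" }

# 3) The same path the agent takes: DCOM/WMI with the template credential. The first query also
#    verifies the two required services; the second confirms each configured log exists on the host.
$wmi = @{ ComputerName = $RemoteComputer; Credential = $cred; ErrorAction = 'Stop' }
try {
    $filter = "Name='Winmgmt' OR Name='RemoteRegistry'"
    foreach ($svc in Get-WmiObject @wmi -Class Win32_Service -Filter $filter) {
        if ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
            Write-Warning "$($svc.Name) on $RemoteComputer is $($svc.State), start mode $($svc.StartMode)"
        }
    }
    $present = Get-WmiObject @wmi -Class Win32_NTEventlogFile | ForEach-Object { $_.LogfileName }
    foreach ($name in $LogNames) {
        if ($present -contains $name) { Write-Output "OK: '$name' log visible on $RemoteComputer via WMI" }
        else { Write-Warning "'$name' log not found on $RemoteComputer" }
    }
} catch { Write-Warning "WMI access as $($cred.UserName) failed: $($_.Exception.Message)" }
```

Setting LocalAccountTokenFilterPolicy to 1 disables UAC remote token filtering for local administrator accounts on that host, so apply it only to the machines the agent actually collects from and use a dedicated account in the template.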

After any configuration changes, restart the CyberQuest Log Gathering Agent service:

  • Press Start->Run, type “services.msc” and click OK.
  • Select the service “CyberQuest Log Gathering Agent” from the list and press the “Stop Service” button.
  • After the operation ends successfully, press the “Start Service” button.

After the restart is completed the agent will start sending data to the collection server.