Overview
This blog is going to show you how to deploy an additional “plug-in/service” in stand-alone mode without the need to install the patch installer on each server.
Templates
For some background on how templates work, see the following blog: Template Overview
Use Case
Customer would like to collect Windows DHCP Server logs using WinCollect in stand-alone mode. They would also like to keep all the configuration generic so they don’t have to change it for each server they install.
Pre-requisites
WinCollect 7.2.9 P1 (Build 96)
Install Agent
Sample command-line install that will collect the Security, Application and System event logs:
c:\wincollect-7.2.9-96.x64.exe /s /v"/qn STATUSSERVER=172.18.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=EventLogLocal&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=172.18.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.ForwardedEvents=false&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=10000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1825&Component1.EventRateTuningProfile=High+Event+Rate+Server&Component1.TimestampFormat=Milliseconds"""
Required Customer Modifications
STATUSSERVER=172.18.X.X
This is where the Agent status messages are sent (you don’t need this if you don’t want the status messages).
Component1.Dest.Hostname=172.18.X.X
This is the IP/hostname of the QRadar Console/EC where you want to send the syslog events. In this example the destination uses TCP over port 514 (Component1.Dest.Port=514&Component1.Dest.Protocol=TCP).
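The install line above as a worked example in Python, added here and not part of this post or of the WinCollect installer: it builds the LOG_SOURCE_AUTO_CREATION_PARAMETERS string from a dictionary in the encoding the command uses (spaces become +, pairs are joined by &, and %COMPUTERNAME% is left literal so cmd.exe expands it at install time), wraps it in the nested /v"..." quoting, and decodes an existing string back into a dictionary so you can review a command line before running it. The installer path and the 172.18.X.X addresses are the placeholders from the command above, not real values.

```python
"""Build and decode the WinCollect stand-alone install line.

Added example (not IBM's installer code).  It follows the format of the
command shown on this page; the installer path and addresses are
placeholders copied from that command.
"""
from urllib.parse import parse_qsl, urlencode

INSTALLER = r"c:\wincollect-7.2.9-96.x64.exe"   # placeholder path from the post
STATUS_SERVER = "172.18.X.X"                     # placeholder QRadar address

# Constructed subset of the Component1.* parameters from the post.  Keys and
# values are written with plain spaces; the encoder turns them into '+'.
SAMPLE_PARAMS = {
    "Component1.AgentDevice": "DeviceWindowsLog",
    "Component1.Action": "create",
    "Component1.LogSourceName": "EventLogLocal",
    "Component1.LogSourceIdentifier": "%COMPUTERNAME%",
    "Component1.Dest.Name": "QRadar",
    "Component1.Dest.Hostname": "172.18.X.X",    # placeholder Console/EC address
    "Component1.Dest.Port": "514",
    "Component1.Dest.Protocol": "TCP",
    "Component1.Log.Security": "true",
    "Component1.Log.DNS Server": "false",
    "Component1.EventRateTuningProfile": "High Event Rate Server",
}


def build_auto_creation_params(params):
    """Encode the parameters as one key=value&key=value string.
    urlencode uses quote_plus, so spaces become '+'.  '%' is declared safe so
    %COMPUTERNAME% stays literal instead of becoming %25COMPUTERNAME%25."""
    return urlencode(params, safe="%")


def build_install_command(installer, status_server, params):
    """Assemble the /s /v"/qn ..." line with the doubled quotes that the
    nested parameter string needs inside the /v argument."""
    encoded = build_auto_creation_params(params)
    return (
        f'{installer} /s /v"/qn STATUSSERVER={status_server} '
        f'LOG_SOURCE_AUTO_CREATION_ENABLED=True '
        f'LOG_SOURCE_AUTO_CREATION_PARAMETERS=""{encoded}"""'
    )


def decode_auto_creation_params(encoded):
    """Reverse of build_auto_creation_params: '+' back to space, pairs split on '&'.
    Useful for reviewing a command line somebody else wrote."""
    return dict(parse_qsl(encoded, keep_blank_values=True))


if __name__ == "__main__":
    print(build_install_command(INSTALLER, STATUS_SERVER, SAMPLE_PARAMS))
```

Add the remaining Component1.Log.* and tuning keys from the full command above to the dictionary to reproduce it exactly; the names in the dictionary are the ones the post uses, not invented ones.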
Create Template with Payload Router and DHCP Service
NOTE: To get examples of what to use for the template, you will need to install the WinCollect Configuration Console via the patch installer. I recommend installing it on your laptop or on a test machine. NOTE: The Configuration Console requires .NET 3.5.
Create DHCP log source in Configuration Console
Save and deploy the log source. Open the Agent-Config.xml and locate the DHCP service:
<Service classification="Service" type="DeviceType" module="DeviceMicrosoftDHCP" name="DeviceMicrosoftDHCP" version="7.2.8.91">
  <InstanceData>
    <Instance enabled="true" name="LocalDHCP">
      <Environment>
        <Parameter value="Test" name="DeviceAddress" />
        <Parameter value="C:\Windows\System32\dhcp" name="RootDirectory" />
        <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy" />
        <Parameter value="5000" name="ThrottleTimeout" />
        <Parameter value="Test" name="RemoteMachine" />
        <Parameter value="true" name="Local.System" />
        <Parameter value="0" name="Login.Handle" />
      </Environment>
    </Instance>
  </InstanceData>
  <Environment />
</Service>
NOTE: Since we want to make the configuration generic, I replaced the “Test” value for DeviceAddress and RemoteMachine with %computername%. The Configuration Console won’t accept %computername% as a valid hostname, so this change has to be made in the template file by hand.
We also need to tell the Agent where to send the events for this log source. To do that we bind the log source name to the destination name in the PayloadRouter service. In this example we can see routes for both the event log and DHCP collection:
<Service classification="Service" type="Service" version="7.2.8.91" module="Routing" name="PayloadRouter">
  <Environment>
    <Parameter name="RouterThreads" value="3" />
    <Parameter name="QueueLowWaterMark" value="9975000" />
    <Parameter name="QueueHighWaterMark" value="10000000" />
    <Parameter name="StatisticsSweepPeriod" value="30" />
    <!-- Sample route config
         <Parameter name="AddRoute" value="{WindowsConfigName}{YourECNameGoesHere::TCP}"/>
         End Sample Route Config -->
    <Parameter value="{EventLogLocal}{QRadar}" name="AddRoute" />
    <Parameter value="{LocalDHCP}{QRadar}" name="AddRoute" />
  </Environment>
</Service>
NOTE: In the Agent install command, Component1.LogSourceName=EventLogLocal is the name of the log source and Component1.Dest.Name=QRadar is the name of the destination.
We need to combine both services into a template file, which in this instance we will name service_PayloadRouterDHCP.xml.
Example:
<Service classification="Service" type="Service" version="7.2.8.91" module="Routing" name="PayloadRouter">
  <Environment>
    <Parameter name="RouterThreads" value="3" />
    <Parameter name="QueueLowWaterMark" value="9975000" />
    <Parameter name="QueueHighWaterMark" value="10000000" />
    <Parameter name="StatisticsSweepPeriod" value="30" />
    <Parameter value="{LocalDHCP}{QRadar}" name="AddRoute" />
    <Parameter value="{EventLogLocal}{QRadar}" name="AddRoute" />
  </Environment>
</Service>
<Service classification="Service" type="DeviceType" module="DeviceMicrosoftDHCP" name="DeviceMicrosoftDHCP" version="7.2.8.91">
  <InstanceData>
    <Instance enabled="true" name="LocalDHCP">
      <Environment>
        <Parameter value="%computername%" name="DeviceAddress"/>
        <Parameter value="C:\Windows\System32\dhcp" name="RootDirectory"/>
        <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
        <Parameter value="5000" name="ThrottleTimeout"/>
        <Parameter value="%computername%" name="RemoteMachine"/>
        <Parameter value="true" name="Local.System"/>
        <Parameter value="0" name="Login.Handle"/>
      </Environment>
    </Instance>
  </InstanceData>
  <Environment/>
</Service>
Deploy Agent with DHCP Service
Now that you have the template file, you can push it out to any agent where WinCollect 7.2.9-96 is installed in stand-alone mode.
Copy service_PayloadRouterDHCP.xml to the \WinCollect\patch folder.
The WinCollect Agent checks the patch folder every 3-5 s, sees the template file, adds its contents to the Agent-Config.xml and then restarts WinCollect. You will now see an additional patch_checkpoint folder and a new Agent-Config in the \WinCollect\config folder.
The agent will now start to collect DHCP logs. If you look in the WinCollect log you should see the following:
10-30 09:12:40.680 INFO Device.Service.WindowsDHCPDevice : Initializing Microsoft DHCP Device Service...
10-30 09:12:40.680 INFO Device.Service.WindowsDHCPDevice : Microsoft DHCP Device Service: Overriding thread pool type with type AdaptiveThreadPool.
10-30 09:12:40.695 INFO Device.Service.WindowsDHCPDevice : Started device instance LocalDHCP with credential handle 0
10-30 09:12:40.695 INFO Device.Service.WindowsDHCPDevice : Microsoft DHCP Device Service initialized.
10-30 09:12:40.695 INFO System.ComponentFactory : Service DeviceMicrosoftDHCP v7.2.9 initialized
And then it starts to monitor the files:
10-30 09:12:40.711 INFO Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Adding a file to monitor: C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log
10-30 09:12:40.711 INFO Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Opened file C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log.
10-30 09:12:40.711 INFO Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Adding a file to monitor: C:\Windows\System32\dhcp\dhcpv6srvlog-tue.log
10-30 09:12:40.711 INFO Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Opened file C:\Windows\System32\dhcp\dhcpv6srvlog-tue.log.
Use Case #2
Customer would like to deploy DHCP and DNS Debug local log sources.
- Install Agent in stand-alone mode as mentioned above
- Create a template file with the following content (I named it service_PayloadRouterDHCP_DNS.xml)
- Copy service_PayloadRouterDHCP_DNS.xml to the patch folder and the Agent will pick up and apply the change.
<Service classification="Service" type="Service" version="7.2.9" module="Routing" name="PayloadRouter">
  <Environment>
    <Parameter name="RouterThreads" value="3" />
    <Parameter name="QueueLowWaterMark" value="9975000" />
    <Parameter name="QueueHighWaterMark" value="10000000" />
    <Parameter name="StatisticsSweepPeriod" value="30" />
    <Parameter name="AddRoute" value="{EventLog}{QRadar}" />
    <Parameter name="AddRoute" value="{DNS Debug Local}{QRadar}" />
    <Parameter name="AddRoute" value="{LocalDHCP}{QRadar}" />
  </Environment>
</Service>
<Service version="7.2.9" classification="Service" type="DeviceType" module="DeviceMicrosoftDNS" name="DeviceMicrosoftDNS">
  <Environment/>
  <InstanceData>
    <Instance enabled="true" name="DNS Debug Local">
      <Environment>
        <Parameter value="%computername%" name="DeviceAddress"/>
        <Parameter value="%computername%" name="RemoteMachine"/>
        <Parameter value="LazyUnicodeLogFile" name="FileReaderPolicy"/>
        <Parameter value="5000" name="ThrottleTimeout"/>
        <Parameter value=".*.log" name="FilenamePattern"/>
        <Parameter value="true" name="Local.System"/>
        <Parameter value="C:\dnsdebug" name="RootDirectory"/>
        <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
        <Parameter value="0" name="Login.Handle"/>
      </Environment>
    </Instance>
  </InstanceData>
</Service>
<Service version="7.2.9" classification="Service" type="DeviceType" module="DeviceMicrosoftDHCP" name="DeviceMicrosoftDHCP">
  <InstanceData>
    <Instance enabled="true" name="LocalDHCP">
      <Environment>
        <Parameter value="%computername%" name="DeviceAddress"/>
        <Parameter value="C:\Windows\System32\dhcp" name="RootDirectory"/>
        <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
        <Parameter value="5000" name="ThrottleTimeout"/>
        <Parameter value="%computername%" name="RemoteMachine"/>
        <Parameter value="true" name="Local.System"/>
        <Parameter value="0" name="Login.Handle"/>
      </Environment>
    </Instance>
  </InstanceData>
  <Environment/>
</Service>
Sample Templates
Sample XML to use for the templates can be gathered by adding different devices in the WinCollect Configuration Console.
For example:
IIS
<Service version="7.2.9-96" classification="Service" type="DeviceType" module="DeviceMicrosoftIIS" name="DeviceMicrosoftIIS">
  <InstanceData>
    <Instance enabled="false" name="LocalIIS">
      <Environment>
        <Parameter value="%computername%" name="DeviceAddress" />
        <Parameter value="C:\inetpub\logs\LogFiles" name="RootDirectory" />
        <Parameter value="5000" name="ThrottleTimeout" />
        <Parameter value="true" name="Protocol.FTP" />
        <Parameter value="false" name="Protocol.NNTP" />
        <Parameter value="true" name="Protocol.SMTP" />
        <Parameter value="true" name="Protocol.W3C" />
        <Parameter value="%computername%" name="RemoteMachine" />
        <Parameter value="true" name="Local.System" />
        <Parameter value="0" name="Login.Handle" />
      </Environment>
    </Instance>
  </InstanceData>
  <Environment />
</Service>
Don’t forget to add the route into the payload router:
<Service classification="Service" type="Service" version="7.2.8.91" module="Routing" name="PayloadRouter">
  <Environment>
    <Parameter name="RouterThreads" value="3" />
    <Parameter name="QueueLowWaterMark" value="9975000" />
    <Parameter name="QueueHighWaterMark" value="10000000" />
    <Parameter name="StatisticsSweepPeriod" value="30" />
    <Parameter value="{LocalIIS}{QRadar}" name="AddRoute" />
    <Parameter value="{EventLogLocal}{QRadar}" name="AddRoute" />
  </Environment>
</Service>
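The check behind that reminder, and behind the log-source/destination binding described for the DHCP template earlier, as an added example in Python that is not part of this post or of WinCollect: it parses a template fragment the way it sits in the patch folder (several top-level Service elements, so it is wrapped in a synthetic root), and reports enabled instances that have no AddRoute, routes whose source or destination does not exist, and hard-coded hostnames where a generic template should carry %computername%. The sample fragment is constructed for the demo and modelled on the snippets above; the destination names and external log source names you pass in come from your own install command (Component1.Dest.Name and Component1.LogSourceName).

```python
"""Consistency check for a WinCollect stand-alone template fragment.

Added example, not IBM's or this post's code.  Element and attribute
names are the ones used in the templates on this page; the sample
fragment at the bottom is constructed for the demo.
"""
import re
import xml.etree.ElementTree as ET

# An AddRoute value has the shape {SourceName}{DestinationName}.
ROUTE_RE = re.compile(r"^\{([^{}]*)\}\{([^{}]*)\}$")


def parse_template(fragment):
    """A template holds several top-level <Service> elements; wrap them in a
    synthetic root so ElementTree accepts the fragment."""
    return ET.fromstring("<Template>" + fragment + "</Template>")


def device_instances(root):
    """Map instance name -> {module, enabled, params} for every DeviceType service."""
    found = {}
    for svc in root.iter("Service"):
        if svc.get("type") != "DeviceType":
            continue
        for inst in svc.iter("Instance"):
            found[inst.get("name")] = {
                "module": svc.get("module"),
                "enabled": inst.get("enabled", "true").lower() == "true",
                "params": {p.get("name"): p.get("value") for p in inst.iter("Parameter")},
            }
    return found


def router_routes(root):
    """Return (source, destination) pairs from the PayloadRouter's AddRoute parameters.
    ElementTree drops XML comments, so a commented-out sample route is not counted."""
    routes = []
    for svc in root.iter("Service"):
        if svc.get("name") != "PayloadRouter":
            continue
        for p in svc.iter("Parameter"):
            if p.get("name") == "AddRoute":
                m = ROUTE_RE.match(p.get("value", ""))
                routes.append(m.groups() if m else (p.get("value", ""), None))
    return routes


def check_template(fragment, destinations, external_sources=()):
    """Return a list of findings; an empty list means the template is consistent.
    destinations: names from the install line (Component1.Dest.Name).
    external_sources: log sources created outside the template, e.g. the
    event log source named by Component1.LogSourceName."""
    root = parse_template(fragment)
    instances = device_instances(root)
    findings, routed = [], set()
    for src, dst in router_routes(root):
        if dst is None:
            findings.append(f"malformed AddRoute value {src!r}; expected {{Source}}{{Destination}}")
            continue
        routed.add(src)
        if src not in instances and src not in external_sources:
            findings.append(f"route {src!r} -> {dst!r} names an unknown log source")
        if dst not in destinations:
            findings.append(f"route {src!r} -> {dst!r} names an unknown destination")
    for name, info in instances.items():
        if info["enabled"] and name not in routed:
            findings.append(f"instance {name!r} ({info['module']}) has no AddRoute in PayloadRouter")
        for key in ("DeviceAddress", "RemoteMachine"):
            val = info["params"].get(key, "")
            if val.lower() != "%computername%":
                findings.append(f"instance {name!r} does not use %computername% for {key} (found {val!r})")
    return findings


# Constructed sample: IIS routed correctly, one FileForwarder instance never
# added to the router, one routed to a destination that does not exist, and
# one with a hard-coded hostname left over from the Configuration Console.
SAMPLE_TEMPLATE = r"""
<Service classification="Service" type="Service" version="7.2.9" module="Routing" name="PayloadRouter">
  <Environment>
    <Parameter name="RouterThreads" value="3" />
    <!-- Sample route config <Parameter name="AddRoute" value="{Sample}{QRadar}"/> -->
    <Parameter name="AddRoute" value="{LocalIIS}{QRadar}" />
    <Parameter name="AddRoute" value="{EventLogLocal}{QRadar}" />
    <Parameter name="AddRoute" value="{FileForwarder File Drop - Local}{Backup}" />
  </Environment>
</Service>
<Service version="7.2.9" classification="Service" type="DeviceType" module="DeviceMicrosoftIIS" name="DeviceMicrosoftIIS">
  <InstanceData>
    <Instance enabled="true" name="LocalIIS">
      <Environment>
        <Parameter value="%computername%" name="DeviceAddress" />
        <Parameter value="%computername%" name="RemoteMachine" />
        <Parameter value="C:\inetpub\logs\LogFiles" name="RootDirectory" />
      </Environment>
    </Instance>
  </InstanceData>
</Service>
<Service version="7.2.9" classification="Service" type="DeviceType" module="DeviceFileForwarder" name="DeviceFileForwarder">
  <InstanceData>
    <Instance enabled="true" name="FileForwarder Continuous - Local">
      <Environment>
        <Parameter value="%computername%" name="DeviceAddress"/>
        <Parameter value="%computername%" name="RemoteMachine"/>
      </Environment>
    </Instance>
    <Instance enabled="true" name="FileForwarder File Drop - Local">
      <Environment>
        <Parameter value="Test" name="DeviceAddress"/>
        <Parameter value="%computername%" name="RemoteMachine"/>
      </Environment>
    </Instance>
  </InstanceData>
</Service>
"""

if __name__ == "__main__":
    for line in check_template(SAMPLE_TEMPLATE, {"QRadar"}, {"EventLogLocal"}):
        print("FINDING:", line)
```

Run it against your own service_*.xml before copying the file to the patch folder; pass the Component1.Dest.Name value as the destination and Component1.LogSourceName as an external source so the event log route is not reported as unknown. Instances with enabled="false", like the IIS sample above, are not required to have a route.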
File Forwarder example with 2 “log sources”:
<Service version="7.2.9-96" classification="Service" type="DeviceType" module="DeviceFileForwarder" name="DeviceFileForwarder">
  <Environment/>
  <InstanceData>
    <Instance enabled="true" name="FileForwarder Continuous - Local">
      <Environment>
        <Parameter value="%computername%" name="DeviceAddress"/>
        <Parameter value="%computername%" name="RemoteMachine"/>
        <Parameter value="LazyUnicodeLogFile" name="FileReaderPolicy"/>
        <Parameter value=".*.txt" name="FilenamePattern"/>
        <Parameter value="Continuous Monitoring" name="MonitoringAlgorithm"/>
        <Parameter value="true" name="Local.System"/>
        <Parameter value="5000" name="ThrottleTimeout"/>
        <Parameter value="true" name="ContinuousMonitor"/>
        <Parameter value="c:\LogFiles\Continuous" name="RootDirectory"/>
        <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
        <Parameter value="false" name="OnlyMonitorFilesCreatedToday"/>
        <Parameter value="ANSI" name="FileReaderEncoding"/>
        <Parameter value="0" name="Login.Handle"/>
      </Environment>
    </Instance>
    <Instance enabled="true" name="FileForwarder File Drop - Local">
      <Environment>
        <Parameter value="%computername%" name="DeviceAddress"/>
        <Parameter value="%computername%" name="RemoteMachine"/>
        <Parameter value="true" name="OnlyMonitorFilesCreatedToday"/>
        <Parameter value="LazyUnicodeLogFile" name="FileReaderPolicy"/>
        <Parameter value=".*.txt" name="FilenamePattern"/>
        <Parameter value="File Drop" name="MonitoringAlgorithm"/>
        <Parameter value="true" name="Local.System"/>
        <Parameter value="5000" name="ThrottleTimeout"/>
        <Parameter value="false" name="ContinuousMonitor"/>
        <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
        <Parameter value="ANSI" name="FileReaderEncoding"/>
        <Parameter value="c:\LogFiles\FileDrop" name="RootDirectory"/>
        <Parameter value="0" name="Login.Handle"/>
      </Environment>
    </Instance>
  </InstanceData>
</Service>