Collecting Logs and Events from Windows Machines

The Windows Agent plus Sysmon is for all Windows Servers*, Workstations and Laptops. For some servers (DHCP, IIS, etc.) utilize NXLog in addition to the Windows Agent and Sysmon.

* Some servers, such as a primary domain controller in a large network, generate a large volume of Windows Events. Check with DefenseStorm Engineering to find out if the Windows Agent can be installed.

Supported versions include Windows Vista SP2 and higher, Windows 7 SP1 and higher, Windows 8 (all versions, but 8.1 or higher recommended), Windows 10 (all versions), and Windows Server 2008 and higher.

Upgrading NXLog/PWT to Windows Agent

  1. Uninstall NXLog
  2. Uninstall Praesidio Windows Tool
  3. Install Windows Agent. 

If you would like assistance with this procedure, please contact support@defensestorm.com.


Windows Agent

The Windows Agent is a program installed on Windows laptops to collect and forward local Windows event activity to the DefenseStorm GRID. Event data is still captured while a device is offline, so that all activity is logged and tracked.

The Windows Agent automatically checks for updates within 2-4 hours of the service starting, and then every 24 hours. If an update is found it is installed automatically. Not all agents update at the exact same time.

Features

  • Windows based installer file that supports both full GUI and command line installations
  • Full documentation for installer usage with options
  • Two-factor authentication
  • Login via username/password
  • Login via token/secret/orgId
  • Local event log collection
  • Windows event logging
  • Full offline logging. All available data is sent upon reconnection to the network.
  • Application auto updates itself from the DefenseStorm cloud
    • The system checks for automatic updates within 2-4 hours of the service starting, and every 24 hours after that. If the Agent is restarted, the timeline restarts as well. 
  • Auto updates can be turned off upon installation.
  • Send data via DVM or direct to the Cloud.
    • Fallback to the available method

Requirements & Limitations

  • .NET 4.5.2 must be installed
  • User needs administrative permissions
  • Internet connection for authentication during installation
  • Offline Logging:
    • Local file logging requires edits to the configuration file, and then a service restart to take effect

Pre-install Procedures

Before following the command-line or GUI installation, you must download the msi from DefenseStorm and obtain your Key, Secret, and Org ID from the GRID UI. If you are using the fallback method, or entering proxy settings, you must also obtain your DVM IP address.

Obtaining your Key, Secret, Org ID

The key, secret, and org id are required for all installation types. Follow the steps below:

  1. Log into the GRID UI > Settings > Input Tokens > Get Agent Tokens (top right of the window).
  2. Keep this information on-hand for the install procedures.

Downloading the msi 

The msi is required for all installation types.

  1. Download the msi to your local machine so it can be found for installation. 
  2. Obtain DWA installer files > click link for DefenseStorm Windows Agent 
  3. Make note of the path to the msi location on your local machine. This will be used in the install process.
    For example, /Users/joetester/Downloads/DefenseStorm

Obtaining your DVM IP address

This is only required for fallback installation and entering proxy settings. 

  1. Login to the GRID
  2. Events > search pvm_stats > filter by hostname

Command-line Installation

Utilizing the command-line installation method allows for silent installation across your network. There are three different methods for sending data to the DefenseStorm GRID. 

  • Direct to Cloud (default)
    Data comes from your network directly to the DefenseStorm Cloud
  • Through DVM
    Data flows from your network to the DVM, then to the Cloud
  • Fallback from DVM to Cloud
    Data flows from your network, to the DVM, then to the Cloud unless the DVM is unavailable. In that instance, the data goes directly to the Cloud until the DVM becomes available. 


NOTE: To verify that the Windows Agent was installed correctly, view Windows events in the GRID UI. 

Direct to Cloud (default)

Enter the following command with your specified network information to send your data direct through the Cloud:

msiexec /package <path to DefenseStorm.msi> APIKEY=<key> APISECRET=<secret> ORGID=<organization id> /quiet

Through DVM

Enter the following command with your specified network information to send your data through the DefenseStorm Virtual Machine:

msiexec /package <path to DefenseStorm.msi> APIKEY=<key> APISECRET=<secret> ORGID=<organization id> SENDEVENTS=dvm DVMHOST=<your DVM IP address> /quiet

Fallback from DVM to Cloud

Enter the following command with your specified network information to send your data through the DVM unless the DVM is down. If the DVM goes down, it sends data directly to the Cloud until the DVM becomes available. 

msiexec /package <path to DefenseStorm.msi> APIKEY=<key> APISECRET=<secret> ORGID=<organization id> SENDEVENTS=both DVMHOST=<your DVM IP address> /quiet

Proxy Settings

If you are using a proxy on your network, you can manually enter the proxy settings via the command line interface. 

msiexec /i DefenseStorm.msi /l*v mylog.txt /quiet APIKEY=XX APISECRET=YY ORGID=ZZ PROXY=http://10.10.10.10:3128


Comprehensive list of the command line switches

  • UPDATES {bool, default True. Toggles automatic application updates}
  • WINDOWSUSER {string, default LocalSystem. Specifies the user account to run the agent under. This is not recommended.}
  • WINDOWSPASSWORD {string, default NULL. Specifies the password of the user account the agent runs under. This is not recommended.}
  • APIUSER {string, default NULL. DefenseStorm Username for API access- must have accompanying APIPASSWORD.}
  • APIPASSWORD {string, default NULL. DefenseStorm Password for API access- must have accompanying APIUSER.}
  • APIKEY {string, default NULL. DefenseStorm Key for API access- must have accompanying APISECRET and ORGID.}
  • APISECRET {string, default NULL. DefenseStorm Secret for API access- must have accompanying APIKEY and ORGID.}
  • ORGID {string, default NULL. DefenseStorm org id for API access- must have accompanying APISECRET and APIKEY.}
  • SENDEVENTS {string, default NULL. Selects where events are sent: DS, DVM, or BOTH.}
    • BOTH allows for fallback from the DVM to the cloud, DS means your data is sent to the cloud only, DVM means your data is sent to the DVM only.
    • If choosing DVM or BOTH, you must also enter DVMHOST on the command line. BOTH sends to the DVM first, then to the cloud as fallback.
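The three command lines above differ only in the SENDEVENTS/DVMHOST properties, so a fleet deployment is easiest to keep consistent behind one script. The PowerShell below is an added example, not DefenseStorm's own tooling: it builds the same property list the documented commands use (APIKEY, APISECRET, ORGID, SENDEVENTS, DVMHOST, PROXY and UPDATES, all taken from this page), runs msiexec, and checks the result. It assumes the standard Windows Installer exit codes (0 success, 3010 success with reboot pending) and that the agent registers a Windows service whose display name contains "DefenseStorm"; adjust that if the installer names it differently. Note that a /l*v verbose log records every public property value passed on the command line, APISECRET included, so the script removes the log once the install has succeeded.

```powershell
# Added example (not DefenseStorm's installer tooling). Wraps the documented
# msiexec command lines so the same install runs identically on every host.
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    [Parameter(Mandatory)] [string] $ApiKey,
    [Parameter(Mandatory)] [string] $ApiSecret,
    [Parameter(Mandatory)] [string] $OrgId,
    [ValidateSet('DS', 'DVM', 'BOTH')] [string] $SendEvents = 'DS',  # DS = direct to cloud (default)
    [string] $DvmHost,
    [string] $Proxy,
    [bool]   $Updates = $true,
    [string] $LogPath = (Join-Path $env:TEMP 'DefenseStorm-install.log')
)

if (-not (Test-Path -LiteralPath $MsiPath)) { throw "MSI not found: $MsiPath" }
# The page states DVMHOST is required whenever events go through the DVM.
if ($SendEvents -ne 'DS' -and -not $DvmHost) { throw 'DVMHOST is required for SENDEVENTS=DVM or BOTH' }

# Public MSI properties, exactly as the documented command lines pass them.
$props = @(
    "APIKEY=$ApiKey",
    "APISECRET=$ApiSecret",
    "ORGID=$OrgId",
    "UPDATES=$Updates"          # a [bool] renders as True/False
)
if ($SendEvents -ne 'DS') {
    $props += "SENDEVENTS=$($SendEvents.ToLower())"   # dvm / both, as on the page
    $props += "DVMHOST=$DvmHost"
}
if ($Proxy) { $props += "PROXY=$Proxy" }

$msiArgs = @('/package', "`"$MsiPath`"", '/quiet', '/norestart', '/l*v', "`"$LogPath`"") + $props
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

switch ($proc.ExitCode) {
    0       { Write-Host 'Install succeeded' }
    3010    { Write-Warning 'Install succeeded; a reboot is required' }
    default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
}

# The verbose log contains the property values above, including APISECRET.
# Keep it only while troubleshooting a failed install (the throw above leaves it in place).
Remove-Item -LiteralPath $LogPath -Force -ErrorAction SilentlyContinue

# Assumed service naming (not stated on the page); adjust to what the installer registers.
$svc = Get-Service | Where-Object { $_.DisplayName -like '*DefenseStorm*' } | Select-Object -First 1
if (-not $svc) { throw 'No DefenseStorm service registered after install' }
if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name }
Write-Host "Service '$($svc.DisplayName)' is $((Get-Service -Name $svc.Name).Status)"
```

Run it as an administrator, for example `.\Install-DsAgent.ps1 -MsiPath C:\Deploy\DefenseStorm.msi -ApiKey XX -ApiSecret YY -OrgId ZZ -SendEvents BOTH -DvmHost 10.1.50.100`. The GRID UI check described under NOTE above remains the final confirmation that events are arriving; a running service only shows the install completed.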


GUI Installation

Follow the instructions here to install the Windows Agent manually through the GUI.

  1. Click here to Obtain DWA installer files.
  2. Download msi > double-click to run. 
  3. Select Next on the following window to begin installation.
  4. Terms and Conditions. Select the checkbox to agree, then click Next.
      
  5. Installation folder. Select Next to keep the default folder location.

  6. Sending data. Choose to either send data 'Directly to DefenseStorm', 'Through the DVM', or 'Through the DVM if available, directly otherwise'. If you choose to send data through the DVM only, or through the DVM if available, directly otherwise, you must input your DVM IP Address.
  7. Input Token/Key/OrgID from the GRID UI. 
    Installation Window View
  8. After the information is placed in the installer window, select Next.
  9. Select Auto-Updates, click Next.
  10. Complete install. Select Yes on the following pop-up.

  11. The installation completes.
  12. Verify that the Windows Agent is installed correctly by viewing Windows events in the GRID.

Advanced Configuration - Additional log sources

You have the ability to add additional events through either Windows Event Log or from an arbitrary text file.

Windows Event Logs

The Windows Agent is configured by default to read from default log sources we deem most important.  However, you may choose to expand beyond the sources we configure by modifying the ClientLogSources.json file. 

Windows Audit File View


Any of these log sources can be added by editing the ClientLogSources.json file within the C:\Program Files\DefenseStorm\Data folder. There are 5 fields for each log source entry:

{
  "comment": "Comment 1",
  "log_name": "Application",
  "source": "DefenseStorm",
  "level": [ "error", "warning" ],
  "event_id": [ 7022, 7023 ]
}

  • "comment" can have any text
  • "log_name" is the same name that appears in the `Log` column. Mandatory field.
  • "source" is the `Source` column
    • Omitting it means all sources
  • "level" is the `Level` column, whose valid values are: Critical, Error, Warning, Information, LogAlways, Verbose.
    • Omitting it means all levels
  • "event_id" is an array of numbers from the `Event ID` column
    • Omitting it means all events
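A mistyped log name or level in ClientLogSources.json silently collects nothing, so it is worth checking each entry against the machine before restarting the agent. The PowerShell below is an added example, not part of the agent or its documentation: it validates every entry against the five fields described above (log_name mandatory and present on the host, level limited to the listed names, event_id numeric) and then previews, with Get-WinEvent, the most recent events the entry would match, treating an omitted field as "all" just as the agent does. It assumes the file's top level is a JSON array of such entries (the page shows only one entry) and uses the documented default path; the numeric level values are the standard Windows event log levels.

```powershell
# Added example (not the agent's own code). Validates ClientLogSources.json entries
# and shows what each one would match on this machine.
$path = 'C:\Program Files\DefenseStorm\Data\ClientLogSources.json'   # documented default
$validLevels = @('Critical', 'Error', 'Warning', 'Information', 'LogAlways', 'Verbose')
# Numeric level values used by the Windows event log (Get-WinEvent's Level filter).
$levelNumber = @{ LogAlways = 0; Critical = 1; Error = 2; Warning = 3; Information = 4; Verbose = 5 }

# Assumption: the file is a JSON array of entries; a single object is handled too.
$entries = Get-Content -LiteralPath $path -Raw | ConvertFrom-Json
if ($entries -isnot [array]) { $entries = @($entries) }

foreach ($e in $entries) {
    $label = if ($e.comment) { $e.comment } else { '<no comment>' }

    # log_name is the only mandatory field; it must also be a log that exists here.
    if (-not $e.log_name) { Write-Warning "[$label] missing mandatory log_name"; continue }
    if (-not (Get-WinEvent -ListLog $e.log_name -ErrorAction SilentlyContinue)) {
        Write-Warning "[$label] log '$($e.log_name)' does not exist on this machine"; continue
    }

    # level must use the documented names; -contains is case-insensitive, which
    # matches the lowercase values in the page's sample entry.
    $badLevels = @($e.level | Where-Object { $_ -and ($validLevels -notcontains $_) })
    if ($badLevels) { Write-Warning "[$label] unknown level(s): $($badLevels -join ', ')"; continue }

    # event_id must be an array of numbers.
    $badIds = @($e.event_id | Where-Object { $_ -isnot [int] -and $_ -isnot [long] })
    if ($badIds) { Write-Warning "[$label] non-numeric event_id: $($badIds -join ', ')"; continue }

    # Translate the entry into a Get-WinEvent filter: an omitted field means "all".
    $filter = @{ LogName = $e.log_name }
    if ($e.source)   { $filter.ProviderName = $e.source }
    if ($e.level)    { $filter.Level = @($e.level | ForEach-Object { $levelNumber[$_] }) }
    if ($e.event_id) { $filter.Id = @($e.event_id) }

    $hits = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue)
    Write-Host ("[{0}] {1}: {2} recent matching event(s)" -f $label, $e.log_name, $hits.Count)
    $hits | Select-Object TimeCreated, Id, LevelDisplayName, ProviderName | Format-Table -AutoSize
}
```

An entry that validates but returns zero recent events is not necessarily wrong (the source may simply be quiet), but an entry that fails validation will never produce data, and the warning names the field to fix before the service is restarted.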


Arbitrary Text Files and DNS files

The second method to ingest logs is from an arbitrary text file. The file "Config.json" is where you can set which files you want the Windows Agent to monitor.

There are two lists: one for DNS files, which have a special format, and "Generic" for all other file types. The DNS files must be in the default "Debug Log" format of Windows DNS. The "Generic" files can be in any format as long as they are composed of lines.

{
  "AutoUpdate": true,
  "MonitoredFiles": {
    "Generic": [ "C:/logs/file1.txt", "C:/logs/file2.txt" ],
    "DnsDebugLog": [ "C:/logs/dns/file3.txt", "C:/logs/dns/file4.txt" ]
  }
}


Sysmon

Sysmon does not require an installation package, so the executable can be pushed out over a network and easily scripted using the command in this procedure. Sysmon can be placed anywhere on the disk; the locations listed below are TRAC TEAM recommendations.

To install Sysmon, perform the following steps:

  1. Download and unzip Sysmon from Microsoft
  2. Copy the unzipped file to windows\system32
  3. Download the custom sysmon config file here: github
  4. Copy the unzipped .xml file to windows\system32
  5. As admin, run the following command:
    sysmon.exe -accepteula -i sysmonconfig-export.xml
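Because Sysmon is pushed around as a bare executable plus an XML file, the two things most worth scripting are checking that the files you push are the ones you downloaded and confirming afterwards that the driver is actually logging. The PowerShell below is an added example, not Microsoft's or DefenseStorm's own script: it performs steps 2 through 5 above from a staging location, installs Sysmon (or only updates the configuration with sysmon.exe -c if it is already present), and checks the service and the Microsoft-Windows-Sysmon/Operational log. The staging share and the two SHA-256 values are placeholders you must replace with the hashes of the files you actually downloaded; the service is named Sysmon for sysmon.exe and Sysmon64 for the 64-bit binary.

```powershell
# Added example (not Microsoft's or DefenseStorm's tooling). Deploys the staged
# Sysmon binary and config to System32, installs, and verifies logging is live.
param(
    [string] $StageDir           = '\\fileserver\deploy\sysmon',           # assumed staging share
    [string] $ExpectedExeHash    = '<sha256 of sysmon.exe>',                # placeholder
    [string] $ExpectedConfigHash = '<sha256 of sysmonconfig-export.xml>'   # placeholder
)
$dest   = Join-Path $env:SystemRoot 'System32'     # location recommended on the page
$exe    = Join-Path $StageDir 'sysmon.exe'
$config = Join-Path $StageDir 'sysmonconfig-export.xml'

# Verify the staged files match what was downloaded before anything runs as SYSTEM.
foreach ($pair in @(@($exe, $ExpectedExeHash), @($config, $ExpectedConfigHash))) {
    $actual = (Get-FileHash -LiteralPath $pair[0] -Algorithm SHA256).Hash
    if ($actual -ne $pair[1]) { throw "Hash mismatch for $($pair[0]): got $actual" }
}

Copy-Item -LiteralPath $exe, $config -Destination $dest -Force

$sysmon = Join-Path $dest 'sysmon.exe'
$cfg    = Join-Path $dest 'sysmonconfig-export.xml'
if (Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue) {
    # Already installed: push the (possibly updated) configuration only.
    & $sysmon -c $cfg
} else {
    # Step 5 on the page, run as admin.
    & $sysmon -accepteula -i $cfg
}
if ($LASTEXITCODE -ne 0) { throw "sysmon.exe exited with $LASTEXITCODE" }

# Health checks: service running and the operational log present.
$svc = Get-Service -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue | Select-Object -First 1
if (-not $svc -or $svc.Status -ne 'Running') { throw "Sysmon service is not running" }
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction Stop
Write-Host ("Sysmon running; operational log holds {0} record(s)" -f $log.RecordCount)

# Dump the active configuration so it can be diffed against the file that was pushed.
& $sysmon -c | Select-Object -First 20
```

Keeping the expected hashes in the script (or in your deployment system) means a tampered or stale copy on the staging share fails before it is ever executed, and `sysmon.exe -c` with no file argument prints the configuration the driver is actually enforcing, which is the value to compare against the XML in source control.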


NXLog

For Windows Servers utilizing DHCP, IIS, or additional log files, NXLog assists the Windows Agent in gathering applicable and usable data. The instructions below explain how to download and install NXLog on the DVM.

  1. Download NXLog (here)
  2. Install NXLog
  3. Download the NXLog Config File (DefenseStorm NXLog Conf.zip)
  4. Unzip and place files into NXLog conf directory (typically, c:\Program Files (x86)\NXLog\conf)
  5. Edit nxlog.conf
    1. Change the 'define DVM  10.1.50.100' to your DVM IP
    2. If NXLog was installed somewhere other than the default, modify the following line, 'define ROOT C:\Program Files (x86)\nxlog'
    3. Under the Include Files section, uncomment the applicable conf file(s):
      #include %ROOT%\conf\nxlog-dhcp.conf
      #include %ROOT%\conf\nxlog-iis.conf
    4. Save
  6. Restart NXLog service
  7. Verify no errors in NXLog log file (typically, c:\Program Files (x86)\NXLog\log)
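Steps 5 through 7 above are a small edit-restart-check loop that is easy to get subtly wrong by hand (a still-commented include, or an error in the log that nobody reads). The PowerShell below is an added example, not NXLog's or DefenseStorm's own tooling: it backs up nxlog.conf, sets the DVM and ROOT defines, uncomments only the include lines you name, restarts the service, and fails if the NXLog log reports errors afterwards. It assumes the Windows service is named nxlog (the NXLog Community Edition default) and that the log file is nxlog.log under the log directory the page gives; both are parameters you can change.

```powershell
# Added example (not NXLog's or DefenseStorm's tooling). Automates steps 5-7 of the
# NXLog procedure above and refuses to declare success if the log shows errors.
param(
    [Parameter(Mandatory)] [string] $DvmIp,
    [string]   $NxlogRoot      = 'C:\Program Files (x86)\nxlog',   # default install path from the page
    [string[]] $EnableIncludes = @('nxlog-dhcp.conf'),             # add 'nxlog-iis.conf' for IIS hosts
    [string]   $ServiceName    = 'nxlog',                          # assumed service name
    [string]   $LogFile        = (Join-Path $NxlogRoot 'log\nxlog.log')   # assumed log file name
)
$conf   = Join-Path $NxlogRoot 'conf\nxlog.conf'
$backup = "$conf.bak"
Copy-Item -LiteralPath $conf -Destination $backup -Force

$text = Get-Content -LiteralPath $conf -Raw

# Step 5.1: point the DVM define at the real DVM address.
if ($text -notmatch '(?m)^define\s+DVM\s+\S+') { throw "No 'define DVM' line found in $conf" }
$text = $text -replace '(?m)^define\s+DVM\s+\S+', "define DVM  $DvmIp"

# Step 5.2: keep ROOT consistent with where NXLog actually lives.
$text = $text -replace '(?m)^define\s+ROOT\s+[^\r\n]*', "define ROOT $NxlogRoot"

# Step 5.3: uncomment only the include lines for the log sources in use.
foreach ($inc in $EnableIncludes) {
    $pattern = '(?m)^#\s*(include\s+%ROOT%\\conf\\' + [regex]::Escape($inc) + ')[ \t]*$'
    if ($text -notmatch $pattern) { Write-Warning "No commented include for $inc found in $conf" }
    $text = $text -replace $pattern, '$1'
}
Set-Content -LiteralPath $conf -Value $text -NoNewline   # step 5.4: save

# Step 6: restart the service and give it a moment to parse the new config.
Restart-Service -Name $ServiceName -ErrorAction Stop
Start-Sleep -Seconds 5

# Step 7: fail loudly if the NXLog log shows errors after the restart.
$errors = @(Get-Content -LiteralPath $LogFile -Tail 50 | Where-Object { $_ -match 'ERROR' })
if ($errors.Count -gt 0) {
    Write-Warning "NXLog reported errors; the original config is kept at $backup"
    $errors | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "NXLog restarted cleanly, forwarding to DVM $DvmIp"
```

Only the last 50 log lines are inspected so that errors from an earlier, already-fixed restart do not mask a clean one; if the script exits 1, restore the .bak copy and compare it against the rewritten file before trying again.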