Overview

This blog shows how to deploy an additional plug-in/service in stand-alone mode without installing the Patch Installer on each server.

The current issue with the WinCollect install is that the baseline install only includes the Windows Event Log and File Forwarder services. Therefore, if a customer wants to collect DHCP logs in a stand-alone deployment, they need to install the WinCollect Agent, then install the Patch Installer, and then either use the Configuration Console or edit the Agent-Config.xml directly. In this blog I will discuss how to take the Patch Installer out of the equation and how to make changes using templates so you won't need to edit the Agent-Config.xml on each server.

NOTE: We plan to address the separate-installs issue in a future release of WinCollect, most likely WC 10.0 (version number TBD).

Templates

For background on how templates work, see the following blog: Template Overview

Use Case 

A customer wants to deploy WinCollect in stand-alone mode and collect Windows Events along with DHCP server logs. They want to keep the configuration generic so they don't have to change it for each server they install on.

Install Agent

Sample command-line install that collects the Security, Application and System event logs:

c:\wincollect-7.2.9-72.x64.exe /s /v"/qn STATUSSERVER=172.18.X.X LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS=""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create&Component1.LogSourceName=EventLogLocal&Component1.LogSourceIdentifier=%COMPUTERNAME%&Component1.Dest.Name=QRadar&Component1.EventLogPollProtocol=MSEVEN6&Component1.Dest.Hostname=172.18.X.X&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP&Component1.Log.Security=true&Component1.Log.System=true&Component1.Log.Application=true&Component1.Log.ForwardedEvents=false&Component1.Log.DNS+Server=false&Component1.Log.File+Replication+Service=false&Component1.Log.Directory+Service=false&Component1.RemoteMachinePollInterval=10000&Component1.MinLogsToProcessPerPass=1250&Component1.MaxLogsToProcessPerPass=1825&Component1.EventRateTuningProfile=High+Event+Rate+Server&Component1.TimestampFormat=Milliseconds"""

Required Customer Modifications
STATUSSERVER=172.18.X.X
This is where the Agent status messages are sent (omit it if you don't want status messages).
Component1.Dest.Hostname=172.18.X.X
This is the IP/hostname of the QRadar Console/EC that the syslog events are sent to. In this example the destination uses TCP over port 514 (Component1.Dest.Port=514&Component1.Dest.Protocol=TCP). Plain syslog over TCP 514 is not encrypted, so the path between the agent and the EC should be a trusted network segment.

Create Template with Payload Router and DHCP Service

NOTE: To get the required service .dll's and to create the template, you need to install the WinCollect Configuration Console via the Patch Installer. I recommend installing it on your laptop or on a test machine so that you can copy the correct .dll's and see the Agent-Config.xml format. NOTE: The Configuration Console requires .NET 3.5.

Create DHCP log source in Configuration Console

Save and deploy the log source. Open the Agent-Config.xml and locate the DHCP service:

<Service classification="Service" type="DeviceType" module="DeviceMicrosoftDHCP" name="DeviceMicrosoftDHCP" version="7.2.8.91">
    <InstanceData>
      <Instance enabled="true" name="LocalDHCP">
        <Environment>
          <Parameter value="Test" name="DeviceAddress" />
          <Parameter value="C:\Windows\System32\dhcp" name="RootDirectory" />
          <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy" />
          <Parameter value="5000" name="ThrottleTimeout" />
          <Parameter value="Test" name="RemoteMachine" />
          <Parameter value="true" name="Local.System" />
          <Parameter value="0" name="Login.Handle" />
        </Environment>
      </Instance>
    </InstanceData>
    <Environment />
  </Service>

NOTE: Since we want the configuration to be generic, I replaced the "Test" values for DeviceAddress and RemoteMachine with %computername% in the template. The Configuration Console won't accept %computername% as a valid hostname, which is why this edit is made in the XML rather than in the console.

We also need to tell the Agent where to send the events for this log source. This is done by binding the log source name to the destination name in the PayloadRouter service: each AddRoute parameter has the form {LogSourceName}{DestinationName}. In this example we can see routes for both the event log and DHCP collection:


<Service classification="Service" type="Service" version="7.2.8.91" module="Routing" name="PayloadRouter">
    <Environment>
      <Parameter name="RouterThreads" value="3" />
      <Parameter name="QueueLowWaterMark" value="9975000" />
      <Parameter name="QueueHighWaterMark" value="10000000" />
      <Parameter name="StatisticsSweepPeriod" value="30" />
      <!-- Sample route config
			<Parameter name="AddRoute" value="{WindowsConfigName}{YourECNameGoesHere::TCP}"/>
			End Sample Route Config -->
      <Parameter value="{EventLogLocal}{QRadar}" name="AddRoute" />
      <Parameter value="{LocalDHCP}{QRadar}" name="AddRoute" />
    </Environment>
  </Service>

NOTE: In the Agent install command, Component1.LogSourceName=EventLogLocal is the name of the log source and Component1.Dest.Name=QRadar is the name of the destination. The AddRoute values must use exactly these names, or the events for that log source are not delivered.

We need to combine both services into a template file, which in this instance we will name service_PayloadRouterDHCP.xml.

Example:

<Service classification="Service" type="Service" version="7.2.8.91" module="Routing" name="PayloadRouter">
		<Environment>
			<Parameter name="RouterThreads" value="3" />
			<Parameter name="QueueLowWaterMark" value="9975000" />
			<Parameter name="QueueHighWaterMark" value="10000000" />
			<Parameter name="StatisticsSweepPeriod" value="30" />
			<Parameter value="{LocalDHCP}{QRadar}" name="AddRoute" />
			<Parameter value="{EventLogLocal}{QRadar}" name="AddRoute" />
		</Environment>
	</Service>
	<Service classification="Service" type="DeviceType" module="DeviceMicrosoftDHCP" name="DeviceMicrosoftDHCP" version="7.2.8.91">
		<InstanceData>
			<Instance enabled="true" name="LocalDHCP">
				<Environment>
					<Parameter value="%computername%" name="DeviceAddress"/>
					<Parameter value="C:\Windows\System32\dhcp" name="RootDirectory"/>
					<Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
					<Parameter value="5000" name="ThrottleTimeout"/>
					<Parameter value="%computername%" name="RemoteMachine"/>
					<Parameter value="true" name="Local.System"/>
					<Parameter value="0" name="Login.Handle"/>
				</Environment>
			</Instance>
		</InstanceData>
		<Environment/>
	</Service>

Finally, to give the Agent the DHCP code, gather DeviceMicrosoftDHCP.dll from the C:\Program Files\IBM\WinCollect\bin folder on the machine where you installed the Patch Installer.

Deploy Agent with DHCP Service


Now that you have both the .dll and the template file, you can push them out to any agent where WinCollect 7.2.8 is installed in stand-alone mode. Take the .dll from the Patch Installer of the same release as the target agents.

Copy the DHCP dll (DeviceMicrosoftDHCP.dll) to the \WinCollect\bin folder
Copy the service_PayloadRouterDHCP.xml to the \WinCollect\patch folder

The WinCollect Agent checks the patch folder every 3 to 5 seconds; when it sees the template file it merges the contents into the Agent-Config.xml and then restarts WinCollect. You will then see an additional patch_checkpoint folder and a new Agent-Config in the \WinCollect\config folder. Note that anything dropped into \WinCollect\bin or \WinCollect\patch is loaded and applied by the agent service, so restrict write access on those folders to administrators and only deploy .dll's taken from the IBM installer.

The agent will now start to collect DHCP logs. In the WinCollect log you should see the following:


10-30 09:12:40.680 INFO  Device.Service.WindowsDHCPDevice : Initializing Microsoft DHCP Device Service...
10-30 09:12:40.680 INFO  Device.Service.WindowsDHCPDevice : Microsoft DHCP Device Service: Overriding thread pool type with type AdaptiveThreadPool.
10-30 09:12:40.695 INFO  Device.Service.WindowsDHCPDevice : Started device instance LocalDHCP with credential handle 0
10-30 09:12:40.695 INFO  Device.Service.WindowsDHCPDevice : Microsoft DHCP Device Service initialized.
10-30 09:12:40.695 INFO  System.ComponentFactory : Service DeviceMicrosoftDHCP v7.2.8 initialized

and then it starts monitoring the DHCP log files:

10-30 09:12:40.711 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Adding a file to monitor: C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log
10-30 09:12:40.711 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Opened file C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log.
10-30 09:12:40.711 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Adding a file to monitor: C:\Windows\System32\dhcp\dhcpv6srvlog-tue.log
10-30 09:12:40.711 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Opened file C:\Windows\System32\dhcp\dhcpv6srvlog-tue.log.
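The start-up lines above are the evidence that the template and .dll were picked up. The following added example (my code, not part of the original post or of WinCollect) parses those lines and reports whether the DeviceMicrosoftDHCP service initialized, whether the named instance started, and which DHCP log files were opened. The log layout (MM-DD HH:MM:SS.mmm LEVEL logger : message) is taken from the lines shown above; the sample log is constructed from them, and the instance name defaults to LocalDHCP as in the template.

```python
"""Check a WinCollect log for the DHCP plug-in start-up sequence.

Added example, not IBM code. Assumes the log line layout shown in the post:
MM-DD HH:MM:SS.mmm LEVEL  logger : message
"""
import re

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s*:\s*(?P<msg>.*)$"
)

# Constructed sample: the start-up lines from the post, verbatim.
SAMPLE_LOG = r"""
10-30 09:12:40.680 INFO  Device.Service.WindowsDHCPDevice : Initializing Microsoft DHCP Device Service...
10-30 09:12:40.680 INFO  Device.Service.WindowsDHCPDevice : Microsoft DHCP Device Service: Overriding thread pool type with type AdaptiveThreadPool.
10-30 09:12:40.695 INFO  Device.Service.WindowsDHCPDevice : Started device instance LocalDHCP with credential handle 0
10-30 09:12:40.695 INFO  Device.Service.WindowsDHCPDevice : Microsoft DHCP Device Service initialized.
10-30 09:12:40.695 INFO  System.ComponentFactory : Service DeviceMicrosoftDHCP v7.2.8 initialized
10-30 09:12:40.711 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Adding a file to monitor: C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log
10-30 09:12:40.711 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Opened file C:\Windows\System32\dhcp\DhcpSrvLog-Tue.log.
10-30 09:12:40.711 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Adding a file to monitor: C:\Windows\System32\dhcp\dhcpv6srvlog-tue.log
10-30 09:12:40.711 INFO  Device.WindowsDHCP.WindowsDHCPDeviceReader.DHCPSV : Opened file C:\Windows\System32\dhcp\dhcpv6srvlog-tue.log.
"""


def check_dhcp_startup(log_text: str, instance: str = "LocalDHCP") -> dict:
    """Return what the log proves about the DHCP plug-in: service init,
    instance start, files opened, and any WARN/ERROR messages seen."""
    result = {"service_initialized": False, "instance_started": False,
              "files": [], "problems": []}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # continuation lines / noise that is not a log record
        level, logger, msg = m.group("level"), m.group("logger"), m.group("msg")
        if level in ("WARN", "ERROR"):
            result["problems"].append(msg)
        elif (logger == "System.ComponentFactory"
              and msg.startswith("Service DeviceMicrosoftDHCP")
              and msg.endswith("initialized")):
            result["service_initialized"] = True
        elif (logger == "Device.Service.WindowsDHCPDevice"
              and msg.startswith(f"Started device instance {instance} ")):
            result["instance_started"] = True
        elif logger.startswith("Device.WindowsDHCP.") and msg.startswith("Opened file "):
            # the reader logs the path with a trailing full stop; strip it
            result["files"].append(msg[len("Opened file "):].rstrip("."))
    result["ok"] = (result["service_initialized"] and result["instance_started"]
                    and bool(result["files"]) and not result["problems"])
    return result


if __name__ == "__main__":
    print(check_dhcp_startup(SAMPLE_LOG))
```

Run it against the real WinCollect log after the agent restarts; a result with ok False and an empty files list usually means the .dll was not found in \WinCollect\bin or the instance name in the template does not match.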

Use Case #2

The customer wants to deploy DHCP and DNS Debug local log sources and also install the Patch Installer so that the other plug-in .dll's are available if needed in the future.

  • Install the Agent in stand-alone mode as described above
  • Install the Patch Installer without the Configuration Console (this installs all of the required .dll's without installing the console):

c:\wincollect-standalone-patch-installer-7.2.9-72.exe /s /v"/qn ADDLOCAL=WinCollect_StandAlone_Patch"

  • Create a template file with the following content (I named it service_PayloadRouterDHCP_DNS.xml). The AddRoute source names must match the Instance names and the Component1.LogSourceName from the install command (EventLogLocal here):
<Service classification="Service" type="Service" version="7.2.9" module="Routing" name="PayloadRouter">
    <Environment>
        <Parameter name="RouterThreads" value="3" />
        <Parameter name="QueueLowWaterMark" value="9975000" />
        <Parameter name="QueueHighWaterMark" value="10000000" />
        <Parameter name="StatisticsSweepPeriod" value="30" />
        <Parameter name="AddRoute" value="{EventLogLocal}{QRadar}" />
        <Parameter name="AddRoute" value="{DNS Debug Local}{QRadar}" />
        <Parameter name="AddRoute" value="{LocalDHCP}{QRadar}" />
    </Environment>
</Service>
<Service version="7.2.9" classification="Service" type="DeviceType" module="DeviceMicrosoftDNS" name="DeviceMicrosoftDNS">
    <Environment/>
    <InstanceData>
        <Instance enabled="true" name="DNS Debug Local">
            <Environment>
                <Parameter value="%computername%" name="DeviceAddress"/>
                <Parameter value="%computername%" name="RemoteMachine"/>
                <Parameter value="LazyUnicodeLogFile" name="FileReaderPolicy"/>
                <Parameter value="5000" name="ThrottleTimeout"/>
                <Parameter value=".*.log" name="FilenamePattern"/>
                <Parameter value="true" name="Local.System"/>
                <Parameter value="C:\dnsdebug" name="RootDirectory"/>
                <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
                <Parameter value="0" name="Login.Handle"/>
            </Environment>
        </Instance>
    </InstanceData>
</Service>
<Service version="7.2.9" classification="Service" type="DeviceType" module="DeviceMicrosoftDHCP" name="DeviceMicrosoftDHCP">
    <InstanceData>
        <Instance enabled="true" name="LocalDHCP">
            <Environment>
                <Parameter value="%computername%" name="DeviceAddress"/>
                <Parameter value="C:\Windows\System32\dhcp" name="RootDirectory"/>
                <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
                <Parameter value="5000" name="ThrottleTimeout"/>
                <Parameter value="%computername%" name="RemoteMachine"/>
                <Parameter value="true" name="Local.System"/>
                <Parameter value="0" name="Login.Handle"/>
            </Environment>
        </Instance>
    </InstanceData>
    <Environment/>
</Service>


  • Copy service_PayloadRouterDHCP_DNS.xml to the \WinCollect\patch folder; the Agent will pick it up and apply the change.
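Both templates on this page depend on three names lining up: the Instance name of each device service, the source name in the PayloadRouter AddRoute, and the Component1.LogSourceName / Component1.Dest.Name created by the install command. A typo in any of them is silent until you notice events are missing. The following added example (my code, not part of the original post or of WinCollect) validates a template against the install command before it goes into the patch folder. The install command and template are constructed, trimmed versions of the ones above; the template deliberately routes {EventLog} where the install created EventLogLocal so the check has something to find. The rules it applies (route names must match instance or install log source names, every enabled instance needs a route, DeviceAddress/RemoteMachine should be %computername% for a generic template, enabled must be "true") are the ones stated on this page.

```python
"""Validate a stand-alone WinCollect template against the install command.

Added example, not IBM code. Assumes templates are XML fragments made of
top-level <Service> elements, as on this page.
"""
import re
import xml.etree.ElementTree as ET

ROUTE_RE = re.compile(r"\{([^{}]*)\}\{([^{}]*)\}")   # {LogSourceName}{Destination}
PLACEHOLDER = "%computername%"                        # generic hostname used in the templates

# Constructed install command, trimmed to the parameters this check needs.
INSTALL_CMD = (
    r'c:\wincollect-7.2.9-72.x64.exe /s /v"/qn STATUSSERVER=172.18.X.X '
    r'LOG_SOURCE_AUTO_CREATION_ENABLED=True LOG_SOURCE_AUTO_CREATION_PARAMETERS='
    r'""Component1.AgentDevice=DeviceWindowsLog&Component1.Action=create'
    r'&Component1.LogSourceName=EventLogLocal&Component1.LogSourceIdentifier=%COMPUTERNAME%'
    r'&Component1.Dest.Name=QRadar&Component1.Dest.Hostname=172.18.X.X'
    r'&Component1.Dest.Port=514&Component1.Dest.Protocol=TCP"""'
)

# Constructed template, trimmed; the first route uses {EventLog} on purpose.
PAGE_TEMPLATE = r"""
<Service classification="Service" type="Service" version="7.2.9" module="Routing" name="PayloadRouter">
    <Environment>
        <Parameter name="AddRoute" value="{EventLog}{QRadar}" />
        <Parameter name="AddRoute" value="{DNS Debug Local}{QRadar}" />
        <Parameter name="AddRoute" value="{LocalDHCP}{QRadar}" />
    </Environment>
</Service>
<Service version="7.2.9" classification="Service" type="DeviceType" module="DeviceMicrosoftDNS" name="DeviceMicrosoftDNS">
    <Environment/>
    <InstanceData>
        <Instance enabled="true" name="DNS Debug Local">
            <Environment>
                <Parameter value="%computername%" name="DeviceAddress"/>
                <Parameter value="%computername%" name="RemoteMachine"/>
                <Parameter value="C:\dnsdebug" name="RootDirectory"/>
            </Environment>
        </Instance>
    </InstanceData>
</Service>
<Service version="7.2.9" classification="Service" type="DeviceType" module="DeviceMicrosoftDHCP" name="DeviceMicrosoftDHCP">
    <InstanceData>
        <Instance enabled="true" name="LocalDHCP">
            <Environment>
                <Parameter value="%computername%" name="DeviceAddress"/>
                <Parameter value="%computername%" name="RemoteMachine"/>
                <Parameter value="C:\Windows\System32\dhcp" name="RootDirectory"/>
            </Environment>
        </Instance>
    </InstanceData>
    <Environment/>
</Service>
"""


def parse_install_params(cmd: str) -> dict:
    """Extract the Component1.* pairs from LOG_SOURCE_AUTO_CREATION_PARAMETERS."""
    m = re.search(r'LOG_SOURCE_AUTO_CREATION_PARAMETERS=""(.*?)""', cmd)
    if not m:
        return {}
    return dict(kv.split("=", 1) for kv in m.group(1).split("&") if "=" in kv)


def load_template(xml_text: str) -> ET.Element:
    """Template files have several top-level <Service> elements; wrap them to parse."""
    return ET.fromstring("<Root>" + xml_text + "</Root>")


def validate_template(xml_text: str, install_cmd: str) -> list:
    """Return a list of problems; an empty list means the template is consistent."""
    params = parse_install_params(install_cmd)
    install_source = params.get("Component1.LogSourceName")
    install_dest = params.get("Component1.Dest.Name")
    root = load_template(xml_text)
    problems = []

    # 1. Device instances: must be enabled and generic (no host-specific names).
    instances = {}
    for svc in root.findall("Service[@type='DeviceType']"):
        for inst in svc.findall("InstanceData/Instance"):
            name = inst.get("name")
            instances[name] = inst.get("enabled") == "true"
            if not instances[name]:
                problems.append(f"instance '{name}' is enabled=\"false\" and will not collect")
            for p in inst.findall("Environment/Parameter"):
                if p.get("name") in ("DeviceAddress", "RemoteMachine") \
                        and p.get("value", "").lower() != PLACEHOLDER:
                    problems.append(f"instance '{name}': {p.get('name')}='{p.get('value')}' "
                                    f"is host-specific, expected {PLACEHOLDER}")

    # 2. Routes: source must be a known log source, destination the one the install created.
    router = root.find("Service[@name='PayloadRouter']")
    if router is None:
        problems.append("no PayloadRouter service in template")
        return problems
    routed = set()
    for p in router.findall("Environment/Parameter[@name='AddRoute']"):
        m = ROUTE_RE.fullmatch(p.get("value", ""))
        if not m:
            problems.append(f"malformed AddRoute '{p.get('value')}'")
            continue
        src, dest = m.group(1), m.group(2).split("::")[0]   # tolerate {Dest::TCP} form
        routed.add(src)
        if src not in instances and src != install_source:
            problems.append(f"route source '{src}' matches no Instance name "
                            f"or the install LogSourceName '{install_source}'")
        if install_dest and dest != install_dest:
            problems.append(f"route '{src}' targets '{dest}' but install created '{install_dest}'")

    # 3. An enabled instance without a route has nowhere to send its events.
    for name, enabled in instances.items():
        if enabled and name not in routed:
            problems.append(f"instance '{name}' has no AddRoute, so nothing delivers its events")
    return problems


if __name__ == "__main__":
    for line in validate_template(PAGE_TEMPLATE, INSTALL_CMD) or ["template OK"]:
        print(line)
```

Point it at the real template file and the install command line you actually used; fix every reported line before copying the template into \WinCollect\patch, since the agent restarts as soon as it sees the file.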

Required Device Dll’s

The following .dll's are required for each of the plug-ins to work (copy them to \WinCollect\bin on the target agent):

DHCP – DeviceMicrosoftDHCP.dll
DNS Debug – DeviceMicrosoftDNS.dll
Exchange – DeviceMicrosoftExchange.dll
File Forwarder – DeviceFileForwarder.dll
IIS – DeviceMicrosoftIIS.dll
IAS/NPS – DeviceMicrosoftIAS.dll
ISA – DeviceMicrosoftISA.dll
SQL Server – DeviceMicrosoftSQL.dll

Sample XML for the templates can be gathered by adding the different devices in the WinCollect Configuration Console and copying the resulting Service block out of the Agent-Config.xml.

For Example

IIS

<Service version="7.2.8.91" classification="Service" type="DeviceType" module="DeviceMicrosoftIIS" name="DeviceMicrosoftIIS">
    <InstanceData>
      <Instance enabled="false" name="LocalIIS">
        <Environment>
          <Parameter value="%computername%" name="DeviceAddress" />
          <Parameter value="C:\inetpub\logs\LogFiles" name="RootDirectory" />
          <Parameter value="5000" name="ThrottleTimeout" />
          <Parameter value="true" name="Protocol.FTP" />
          <Parameter value="false" name="Protocol.NNTP" />
          <Parameter value="true" name="Protocol.SMTP" />
          <Parameter value="true" name="Protocol.W3C" />
          <Parameter value="%computername%" name="RemoteMachine" />
          <Parameter value="true" name="Local.System" />
          <Parameter value="0" name="Login.Handle" />
        </Environment>
      </Instance>
    </InstanceData>
    <Environment />
  </Service>

Don't forget to add the route in the PayloadRouter. Also note that the IIS instance above was exported with enabled="false"; set it to "true" before deploying or nothing will be collected.

<Service classification="Service" type="Service" version="7.2.8.91" module="Routing" name="PayloadRouter">
		<Environment>
			<Parameter name="RouterThreads" value="3" />
			<Parameter name="QueueLowWaterMark" value="9975000" />
			<Parameter name="QueueHighWaterMark" value="10000000" />
			<Parameter name="StatisticsSweepPeriod" value="30" />
			<Parameter value="{LocalIIS}{QRadar}" name="AddRoute" />
			<Parameter value="{EventLogLocal}{QRadar}" name="AddRoute" />
		</Environment>
	</Service>

File Forwarder example with two "log sources" (two instances of the same service):

<Service version="7.2.8.91" classification="Service" type="DeviceType" module="DeviceFileForwarder" name="DeviceFileForwarder">
        <Environment/>
        <InstanceData>
            <Instance enabled="true" name="FileForwarder Continuous - Local">
                <Environment>
                    <Parameter value="%computername%" name="DeviceAddress"/>
                    <Parameter value="%computername%" name="RemoteMachine"/>
                    <Parameter value="LazyUnicodeLogFile" name="FileReaderPolicy"/>
                    <Parameter value=".*.txt" name="FilenamePattern"/>
                    <Parameter value="Continuous Monitoring" name="MonitoringAlgorithm"/>
                    <Parameter value="true" name="Local.System"/>
                    <Parameter value="5000" name="ThrottleTimeout"/>
                    <Parameter value="true" name="ContinuousMonitor"/>
                    <Parameter value="c:\LogFiles\Continuous" name="RootDirectory"/>
                    <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
                    <Parameter value="false" name="OnlyMonitorFilesCreatedToday"/>
                    <Parameter value="ANSI" name="FileReaderEncoding"/>
                    <Parameter value="0" name="Login.Handle"/>
                </Environment>
            </Instance>
            <Instance enabled="true" name="FileForwarder File Drop - Local">
                <Environment>
                    <Parameter value="%computername%" name="DeviceAddress"/>
                    <Parameter value="%computername%" name="RemoteMachine"/>
                    <Parameter value="true" name="OnlyMonitorFilesCreatedToday"/>
                    <Parameter value="LazyUnicodeLogFile" name="FileReaderPolicy"/>
                    <Parameter value=".*.txt" name="FilenamePattern"/>
                    <Parameter value="File Drop" name="MonitoringAlgorithm"/>
                    <Parameter value="true" name="Local.System"/>
                    <Parameter value="5000" name="ThrottleTimeout"/>
                    <Parameter value="false" name="ContinuousMonitor"/>
                    <Parameter value="FileMonitorNoFSRedirect" name="FileMonitorPolicy"/>
                    <Parameter value="ANSI" name="FileReaderEncoding"/>
                    <Parameter value="c:\LogFiles\FileDrop" name="RootDirectory"/>
                    <Parameter value="0" name="Login.Handle"/>
                </Environment>
            </Instance>
        </InstanceData>
    </Service>
