Accenture MDR Quick Start Guide for Windows®

This quick start guide helps Accenture MxDR customers configure Windows® servers to send logs to the Log Collection Platform (LCP).

The document includes the following topics:

Supported Versions

A list of supported versions is available in the Accenture MxDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found on the Accenture Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source         | Destination | Port                   | Description
---------------|-------------|------------------------|-------------
Windows server | LCP         | 514 (UDP) or 601 (TCP) | Default port

Configuring Windows Server

You can configure Windows to send syslog messages to the LCP using the following agents:

Configuring the Snare agent 5.6.0 for log forwarding

  1. Access the Snare control interface using one of the following methods:

     1. Enter the following URL in a web browser on the local machine:
        http://localhost:6161/

     2. Navigate to the Snare installation directory and open the file openweb.bat.

  2. In the left pane menu, click Destination Configuration and go to Network Destinations. Set the following:

     Domain/IP - Type the IP address of the LCP.
     Port - Type the port number used for Syslog communication. Use 6514 for TLS, 601 for TCP and 514 for UDP.
     Protocol - Select TLS (MxDR preferred method), TCP or UDP.
     Format - Select SYSLOG (RFC3164).
     Delimiter Character - Select TAB.

  3. Check Enable Use Host IP Address as source address.

  4. Set SYSLOG Facility to Local4.

  5. Click Update Destinations to save the configuration.

  6. When using the TLS protocol for log forwarding, click Security Certificate and keep the Network Destination Certificate Verification setting at Accept Any.

Note: The ability to send events to multiple hosts, or to use the TLS or TCP protocol, is provided with the Enterprise version of the Snare agent. Please refer to the vendor documentation for more information.

To ensure all types of events are configured for Snare

  1. On the Snare web interface, go to Audit Policy Configuration in the left pane.

  2. Click Add Audit Policy.

  3. In the Identify the event logs section, check all the options.

  4. Select the Exclude option for Event ID Match Type.

  5. In the Event ID Search Term box, enter 5156 to filter out the agent's self-generated connection logs.

  6. Click Change Configuration.

     Refer to the snapshots below for the complete configuration.

  7. From the left pane menu, click Apply Configuration & Restart Service.

Configure Lasso to send Syslog messages

  1. On the Lasso host computer, navigate to the Lasso installation directory.

  2. Edit the Lasso.ini configuration file to use the following format:

     LogAppliance,IP_Address,Port_Number,udp

     • LogAppliance is a reserved keyword and must be the first parameter.

     • IP_Address is the IP address of the LCP. You must specify the IP address.

     • Port_Number is the port number used for Syslog communication. The default Syslog port is 514. You can also configure a different port.

     • You must specify UDP as the protocol.

     For example, if the LCP's IP address is 192.0.2.1 and the Syslog port is 514, the corresponding line in the Lasso.ini file is:

     LogAppliance,192.0.2.1,514,udp

  3. Save and close the Lasso.ini configuration file.

  4. Restart the Lasso service.

Configure Balabit Syslog agent

  1. Click Start > All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.

  2. In the syslog-ng Agent configuration window, in the left pane, select Destinations.

  3. In the right pane, right-click Destination Global Settings and select Add New Server.

  4. In the Server Property window, click the Server tab.

  5. In the Server Name or Address (IPv4) field, enter the IP address or name of the machine on which the LCP is installed.

  6. In the Server Port field, enter the port number used for Syslog communication.

  7. Click the Messages tab.

  8. Select Snare Protocol from the Protocol drop-down list.

  9. Click OK.

  10. Restart the syslog-ng Agent service.

Configure NXLog Agent

NXLog is a Snare-like agent for forwarding Windows event logs. To get Snare-format logs from the NXLog agent, do the following:

  1. Locate the file nxlog.conf. With a standard installation, the NXLog configuration file nxlog.conf is in either C:\Program Files\nxlog\conf or C:\Program Files (x86)\nxlog\conf, but this folder can also be set to any custom path during installation.

  2. Using a text editor, open nxlog.conf.

  3. Configure NXLog. The most common use case for NXLog on Windows is to collect logs from the Event Log subsystem and forward them over the network. Here is a simple configuration which reads the Event Log and forwards it over UDP in the Snare agent format:

## This is a sample configuration file created by Accenture MxDR
## See the nxlog reference manual about the configuration options.
## It should be installed locally and is also available
## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

## For a standard installation, the nxlog configuration files are located
## under either C:\Program Files\nxlog or C:\Program Files (x86)\nxlog,
## but this path can also be set to any custom one during installation.

## Set ROOT to the folder where nxlog was installed,
## otherwise it will not start.

## Two ROOT config blocks are provided below.
## Use either of them by commenting out the other.
## You can also define any custom ROOT configuration and remove these blocks.

## ROOT is used in directive paths (single backslashes); ROOT_STRING is for
## use inside Exec string literals, where each backslash must be escaped.
define ROOT C:\Program Files\nxlog
define ROOT_STRING C:\\Program Files\\nxlog

#define ROOT C:\Program Files (x86)\nxlog
#define ROOT_STRING C:\\Program Files (x86)\\nxlog

define CERTDIR %ROOT%\cert
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

# Windows Event Log
<Input eventlog>
    # Use im_msvistalog for Windows Vista/2008/2012 and later
    Module im_msvistalog

    # Use im_mseventlog instead for Windows XP/2000/2003
    #Module im_mseventlog

    <QueryXML>
        <QueryList>
            <Query Id='1'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*</Select>
                <Select Path='System'>*</Select>
                <!-- Uncomment the next line to send Microsoft Active Directory Domain Services logs -->
                <!-- <Select Path='Directory Service'>*</Select> -->
            </Query>
        </QueryList>
    </QueryXML>

    # For older nxlog versions:
    # MxDR recommends dropping self-loop logs (event 5156 generated by the
    # agent's own syslog connections). Uncomment the following line to enable this.
    #Exec if ($EventID == 5156 AND $DestinationPort == 514) drop();

    # For nxlog v3.0.2284 and onwards:
    # MxDR recommends dropping self-loop logs. Uncomment the following line to enable this.
    #Exec if ($EventID == 5156) AND ($DestPort == '514') drop();

    # To send logs in English when the Windows OS language is not English.
    # This feature is available only in the NXLog Enterprise Edition.
    #Language en-US
</Input>

<Output out>
    Module om_udp
    # Replace LCP_IP with the IP address of the LCP
    Host LCP_IP
    Port 514
    Exec to_syslog_snare();
</Output>

<Route 1>
    Path eventlog => out
</Route>

  4. Start NXLog using one of the following methods:

     • Start the Service Manager, select 'nxlog' in the list, and then start the service.

     • Double-click nxlog.exe.
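Both the Snare audit-policy exclusion above (Event ID 5156) and the nxlog drop() rule exist for the same reason: the agent's own syslog connections to the LCP generate Windows Filtering Platform "connection permitted" events, which would otherwise be forwarded in a loop. The following Python script is an added example, not part of this guide or of any vendor's software. It parses RFC3164 syslog lines carrying the tab-delimited Snare MSWinEventLog payload (the format selected in the Snare steps and produced by nxlog's to_syslog_snare()), checks that the facility is local4 as configured above, and flags any 5156 events whose destination port is one of the LCP syslog ports, which indicates the exclusion or drop rule is not in effect on that host. The field order in SNARE_FIELDS, the hostnames and the sample lines are constructed assumptions, not captured data; the script goes beyond the UDP/514 case in the nxlog rule by also treating 601 and 6514 as syslog ports.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Syslog facility code for local4 (PRI = facility * 8 + severity),
# the facility selected in the Snare destination settings.
LOCAL4 = 20

# Tab-delimited field names of the Snare "MSWinEventLog" payload, in the order
# ASSUMED here (a common Snare / nxlog to_syslog_snare() layout); any trailing
# fields land in "extra".
SNARE_FIELDS = [
    "signature", "criticality", "log_name", "counter", "event_time",
    "event_id", "source_name", "user_name", "sid_type", "event_log_type",
    "computer_name", "category", "message",
]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
DEST_PORT_RE = re.compile(r"Destination Port:\s*(\d+)")
# LCP listener ports per Table 1-1 / Table 1-2: UDP 514, TCP 601, TLS 6514.
SYSLOG_PORTS = (514, 601, 6514)


@dataclass
class SnareEvent:
    facility: int
    severity: int
    fields: Dict[str, str]
    extra: List[str] = field(default_factory=list)


def parse_snare_line(line: str) -> Optional[SnareEvent]:
    """Parse one RFC3164 syslog line carrying a Snare MSWinEventLog payload.
    Returns None if the PRI is missing/invalid or there is no signature."""
    m = PRI_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1
        return None
    body = m.group(2)
    # Everything before the signature is the RFC3164 timestamp and hostname.
    idx = body.find("MSWinEventLog")
    if idx < 0:
        return None
    parts = body[idx:].split("\t")
    return SnareEvent(facility=pri // 8, severity=pri % 8,
                      fields=dict(zip(SNARE_FIELDS, parts)),
                      extra=parts[len(SNARE_FIELDS):])


def is_self_loop(ev: SnareEvent, syslog_ports=SYSLOG_PORTS) -> bool:
    """True for a WFP 'connection permitted' event (5156) whose destination
    port is a syslog port: the agent logging its own forwarding traffic."""
    if ev.fields.get("event_id") != "5156":
        return False
    m = DEST_PORT_RE.search(ev.fields.get("message", ""))
    return m is not None and int(m.group(1)) in syslog_ports


def audit(lines) -> Dict[str, int]:
    """Summarise received lines: parsed, unparsed, wrong facility (not local4),
    and self-loop events that should have been excluded at the agent."""
    result = {"parsed": 0, "unparsed": 0, "wrong_facility": 0, "self_loop": 0}
    for line in lines:
        ev = parse_snare_line(line)
        if ev is None:
            result["unparsed"] += 1
            continue
        result["parsed"] += 1
        if ev.facility != LOCAL4:
            result["wrong_facility"] += 1
        if is_self_loop(ev):
            result["self_loop"] += 1
    return result


def _snare(pri: int, *fields: str) -> str:
    """Build a constructed sample line (not captured data)."""
    return f"<{pri}>Jan 12 10:00:01 WIN-SRV01 " + "\t".join(("MSWinEventLog",) + fields)


# Constructed sample input: PRI 164 = local4 (20*8) + warning (4); PRI 14 = user.info.
SAMPLE_LINES = [
    _snare(164, "1", "Security", "1001", "Tue Jan 12 10:00:01 2021", "4624",
           "Microsoft-Windows-Security-Auditing", "N/A", "N/A", "Success Audit",
           "WIN-SRV01", "Logon", "An account was successfully logged on."),
    _snare(164, "1", "Security", "1002", "Tue Jan 12 10:00:02 2021", "5156",
           "Microsoft-Windows-Security-Auditing", "N/A", "N/A", "Success Audit",
           "WIN-SRV01", "Filtering Platform Connection",
           "The Windows Filtering Platform has permitted a connection. "
           "Destination Address: 192.0.2.1 Destination Port: 514 Protocol: 17"),
    _snare(14, "1", "Security", "1003", "Tue Jan 12 10:00:03 2021", "4625",
           "Microsoft-Windows-Security-Auditing", "N/A", "N/A", "Failure Audit",
           "WIN-SRV01", "Logon", "An account failed to log on."),
    "<34>Jan 12 10:00:04 lcp01 sshd[1234]: Accepted publickey for ops",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LINES))
```

Run against a capture of what the LCP actually receives (one syslog message per line); a non-zero self_loop count means the 5156 exclusion is missing on the sending host, and a non-zero wrong_facility count means an agent was not set to Local4.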

Outcome:

  • Supported log collection mechanism: Syslog

  • Preferred log collection mechanism: Syslog

  • Event flow logical diagram: Snare Agent → Remote Syslog Server

LCP Configuration Parameters

Table 1-2: Windows event collector (Syslog - 3241) sensor properties to be configured by MxDR.

Property    | Default Value                       | Description
------------|-------------------------------------|-------------
Protocol    | UDP                                 | The default protocol for syslog. The collector can also accept logs over TCP. Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To weigh TCP reliability against UDP speed/simplicity, contact the Accenture MxDR onboarding team.
IP Address  | Windows server interface IP address | Logging device IP address given in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs from multiple interfaces, contact the Accenture MxDR onboarding team.
Signatures  | MSWinEventLog, SnareServerLog       | MxDR recommended signatures processed by the Snare for Windows event collector.
Port Number | 514                                 | The default port number for syslog. For TCP, the default port is 601. Syslog over TLS uses TCP/6514. Note: The LCP can be configured to listen on a non-standard port; advise the Accenture MxDR onboarding team if this is a requirement.

Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.