How to configure your Windows log collector for Defense.com SIEM

This article goes over the installation of a Windows collector which will be used to ship logs to the Defense.com SIEM.

Written by Alan Butcher
Updated over a week ago

Introduction

What is a collector?

A collector is a device deployed within your environment that receives logs from internal nodes and forwards them securely to the Defense.com SIEM platform. The main software used by the collector is Logstash, a Java tool built by the developers of Elasticsearch. Logstash can collect logs from a variety of inputs, manipulate them (for example, by adding or removing fields) and then send them on to another location.

Installation

  1. Download and extract your install pack to a location of your choice on your collector.

  2. Navigate to Windows/collector within your extracted install pack and run the following command:

    ./collector-install.ps1

    Note: if script execution is disabled on your system, set the execution policy to allow the script to run for the current PowerShell process:

    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process

  3. Logstash and the Service Manager (NSSM) will be downloaded and unpacked to C:\Program Files\

    This can take several minutes to complete.

  4. Once complete, Logstash will be configured and the service will start.


Now that the Logstash service is installed and running, the following rules must be added to the Windows Defender Firewall. They allow Logstash to communicate with our SIEM platform and your internal devices to communicate with Logstash on your collector.

Allowing outbound traffic from Logstash through the Windows Defender Firewall

To ship logs from Logstash to the SIEM platform we need to allow outbound TCP traffic on ports 31090 to 31100. This is done by following the steps below:

  1. Open the Windows Defender Firewall settings. You can do this by typing Windows Defender Firewall in the Windows search bar and selecting Windows Defender Firewall with Advanced Security from the search results.

  2. Click on "Outbound Rules" in the left pane of the Windows Defender Firewall with Advanced Security window.

  3. Click on New Rule in the right pane of the window to create a new outbound rule.

  4. In the New Outbound Rule Wizard window that appears, select Port as the rule type and click on Next.

  5. In the Protocol and Ports window, select TCP as the protocol and select the "Specific local ports" option. Then, enter 31090-31100 as the port range and click on Next.

  6. In the Action window, select Allow the connection and click on Next.

  7. In the Profile window, select the profiles for which you want to allow the outbound traffic on the specified ports. You can select all the profiles if you want the rule to apply to all networks. Then, click on Next.

  8. In the Name window, enter a name for the rule, such as Defense.com SIEM collector 31090-31100 and add a description (optional). Then, click on Finish to create the rule.

That's it! The outbound TCP traffic on ports 31090-31100 is now allowed in Windows Defender Firewall. You can verify the rule by going back to the Outbound Rules section and checking if the rule you just created is listed.


Allowing TCP inbound traffic from beats agents to the collector through the Windows Defender Firewall

  1. Open the Windows Defender Firewall settings. You can do this by typing Windows Defender Firewall in the Windows search bar and selecting Windows Defender Firewall with Advanced Security from the search results.

  2. Click on Inbound Rules in the left pane of the Windows Defender Firewall with Advanced Security window.

  3. Click on New Rule in the right pane of the window to create a new inbound rule.

  4. In the New Inbound Rule Wizard window that appears, select Port as the rule type and click on Next.

  5. In the Protocol and Ports window, select TCP as the protocol and select Specific local ports option. Then, enter 5044 as the port number and click on Next.

  6. In the Action window, select Allow the connection and click on Next.

  7. In the Profile window, select the profiles for which you want to allow the inbound traffic on the specified port. You can select all the profiles if you want the rule to apply to all networks. Then, click on Next.

  8. In the Name window, enter a name for the rule, such as "Defense.com SIEM collector Inbound TCP 5044" and add a description (optional). Then, click on Finish to create the rule.

That's it! The inbound TCP traffic on port 5044 is now allowed in Windows Defender Firewall. You can verify the rule by going back to the "Inbound Rules" section and checking if the rule you just created is listed.


Allowing inbound UDP traffic from syslog to the collector through the Windows Defender Firewall

  1. Open the Windows Defender Firewall settings. You can do this by typing Windows Defender Firewall in the Windows search bar and selecting Windows Defender Firewall with Advanced Security from the search results.

  2. Click on Inbound Rules in the left pane of the Windows Defender Firewall with Advanced Security window.

  3. Click on New Rule in the right pane of the window to create a new inbound rule.

  4. In the New Inbound Rule Wizard window that appears, select Port as the rule type and click on Next.

  5. In the Protocol and Ports window, select UDP as the protocol and select Specific local ports option. Then, enter 5514 as the port number and click on Next.

  6. In the Action window, select Allow the connection and click on Next.

  7. In the Profile window, select the profiles for which you want to allow the inbound traffic on the specified port. You can select all the profiles if you want the rule to apply to all networks. Then, click on Next.

  8. In the Name window, enter a name for the rule, such as "Defense.com SIEM collector Inbound UDP 5514" and add a description (optional). Then, click on Finish to create the rule.

That's it! The inbound UDP traffic on port 5514 is now allowed in Windows Defender Firewall. You can verify the rule by going back to the "Inbound Rules" section and checking if the rule you just created is listed.
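The three wizard walkthroughs above (outbound TCP 31090-31100, inbound TCP 5044, inbound UDP 5514) can also be created and verified from an elevated PowerShell session. The following is an added example, not part of this article or the Defense.com install pack; it assumes the rule names used in the walkthroughs, and it applies the 31090-31100 range as remote (destination) ports on the outbound rule because the SIEM platform is the remote end of that connection.

```powershell
# Added example (not from the Defense.com article): creates the three firewall rules
# described in the wizard steps with New-NetFirewallRule, then lists them for verification.
# Run from an elevated PowerShell session on the collector.
# Assumption: for the outbound rule, the SIEM platform is the remote end, so the
# 31090-31100 range is applied as remote (destination) ports here.

$rules = @(
    @{ DisplayName = 'Defense.com SIEM collector 31090-31100'
       Direction   = 'Outbound'; Protocol = 'TCP'; RemotePort = '31090-31100' },
    @{ DisplayName = 'Defense.com SIEM collector Inbound TCP 5044'
       Direction   = 'Inbound';  Protocol = 'TCP'; LocalPort  = '5044' },
    @{ DisplayName = 'Defense.com SIEM collector Inbound UDP 5514'
       Direction   = 'Inbound';  Protocol = 'UDP'; LocalPort  = '5514' }
)

foreach ($r in $rules) {
    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $($r.DisplayName)"
        continue
    }
    # -Profile Any mirrors "select all the profiles" in the wizard; narrow it if the
    # collector only ever sits on the Domain profile. If the SIEM platform addresses
    # are known, add -RemoteAddress to the outbound rule to scope it further.
    New-NetFirewallRule @r -Action Allow -Profile Any -Enabled True | Out-Null
    Write-Host "Created rule: $($r.DisplayName)"
}

# Verification: show direction, protocol and ports of every collector rule,
# the same check as reviewing the Inbound/Outbound Rules lists in the GUI.
Get-NetFirewallRule -DisplayName 'Defense.com SIEM collector*' |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Direction  = $_.Direction
            Enabled    = $_.Enabled
            Protocol   = $pf.Protocol
            LocalPort  = $pf.LocalPort
            RemotePort = $pf.RemotePort
        }
    } | Format-Table -AutoSize
```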
