
Collecting with CQ Windows Agent

Installing CyberQuest Agent

Download the CyberQuest Agent here. Before running the installer, check its digital signature (file Properties → Digital Signatures) and confirm the publisher: the agent runs as a Windows service and, as shown below, holds credentials for the collection server and for remote machines.

To install the CyberQuest Agent, complete the following steps:

  1. Install vcredist_x64_2010.exe
  2. Install vcredist_x64_2012.exe
  3. Install vc_redist_x64_2019.exe
  4. Install Microsoft .NET Framework 4.7.2
  5. Configure the CyberQuest Agent — which logs to collect, from which machines, and where to send them — by editing the following two files (default location: C:\Program Files (x86)\CyberQuest LogAgent):

     - Agent.exe.config — connection and credentials for the CyberQuest server (see below)

     - Collections.xml — computers and event logs to collect (see below)

Agent.exe.config

<?xml version="1.0" encoding="utf-8"?>
<!-- Agent.exe.config: local (log4net) logging and CyberQuest server connection settings for the agent.
     This file contains message-queue credentials (mqUserName / mqPassword); restrict its NTFS permissions
     to SYSTEM, Administrators and the account the CyberQuest Agent service runs as. -->
<configuration>
  <configSections>
    <section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net"/>
  </configSections>
  <log4net>
    <appender name="ConsoleAppender" type="log4net.Appender.ConsoleAppender">
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date [%thread] %-5level %logger [%ndc] - %message%newline"/>
      </layout>
    </appender>
    <!-- Local agent log file, rolled at 1000KB with up to 10 backups. The path is relative
         (presumably to the agent's installation directory); check logs\agent.log when the agent does not connect. -->
    <appender name="RollingFile" type="log4net.Appender.RollingFileAppender">
      <file value="logs\\agent.log"/>
      <appendToFile value="true"/>
      <maximumFileSize value="1000KB"/>
      <maxSizeRollBackups value="10"/>
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date - %level  - %thread  - %logger - %message%newline"/>
      </layout>
    </appender>
    <root>
      <!-- DEBUG is verbose; consider INFO for production. NOTE(review): whether DEBUG output includes
           connection details or collected event content is not shown here, so review the logs\ folder
           before granting anyone but administrators read access to it. -->
      <level value="DEBUG"/>
      <appender-ref ref="RollingFile"/>
      <appender-ref ref="ConsoleAppender"/>
    </root>
  </log4net>
  <appSettings>
    <!-- server / serverPort: CyberQuest server for the UDP path; mqHost / mqPort: message-queue (TCP) path.
         Only the two address values normally need editing (see the text below this listing). -->
    <add key="connectorType" value="SIEM" />
    <add key="server" value="XXX.XXX.XXX.XXX" />  <!-- CyberQuest server IP address for UDP collection -->
    <add key="serverPort" value="8090" />
    <add key="serverProtocol" value="mq" />
    <add key="eventSyncQueueSize" value="10000" />
    <!-- Sample value copied from the documentation. NOTE(review): presumably each installed agent needs its own
         unique UUID so that events are attributed to the right host; generate a fresh one per installation and
         confirm this with the vendor. -->
    <add key="AgentUUID" value="430401f3-fa20-4fc4-95fe-beb31cfaf978" />
    <add key="compressData" value="true" />
    <!-- Payload-level encryption flag. Whether the AMQP connection itself uses TLS is not shown here:
         5672 is the conventional plaintext AMQP port (5671 is the TLS port), so confirm transport
         protection for the mq link if events cross an untrusted network. -->
    <add key="encryptData" value="true" />
    <!-- Message-queue credentials. The password is stored in encoded form; because the agent must
         presumably recover the plaintext to authenticate, treat this as reversible obfuscation, not a hash.
         These sample values are published in this documentation; use per-deployment credentials. -->
    <add key="mqUserName" value="cq" />
    <add key="mqPassword" value="VRW7Zl7RreWg9Q==" />
    <add key="mqHost" value="XXX.XXX.XXX.XXX" />  <!-- CyberQuest server IP address for TCP collection -->
    <add key="mqVhost" value="/" />
    <add key="mqPort" value="5672" />
    <add key="mqExchangeName" value="eventsExchange" />
    <add key="mqQueueName" value="events" />
    <add key="mqRouting" value="agents" />
    <add key="throttleCollection" value="10000" />
  </appSettings>
  <startup>
    <!-- Targets .NET Framework 4.5 APIs; the 4.7.2 runtime listed in the install steps is compatible with this. -->
    <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5"/>
  </startup>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-2.6.10.0" newVersion="2.6.10.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Threading.Tasks" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-2.6.10.0" newVersion="2.6.10.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-2.2.29.0" newVersion="2.2.29.0"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>

In the <appSettings> section, set the following two keys to the address of the CyberQuest server (per the comments in the file, `server` is used for the UDP path and `mqHost` for the TCP message-queue path; keep the values quoted):

<add key="server" value="XXX.XXX.XXX.XXX" />
XXX.XXX.XXX.XXX <!-- CyberQuest server IP address -->

<add key="mqHost" value="XXX.XXX.XXX.XXX" />
XXX.XXX.XXX.XXX <!-- CyberQuest server IP address -->

The sample `mqUserName` / `mqPassword` values in the file are published in this documentation. If your CyberQuest server was provisioned with deployment-specific message-queue credentials, set them here as well (the password is stored encoded; presumably the same `Agent.exe -encodepassword` utility described under Templates below is used — confirm with the vendor). Because Agent.exe.config holds these credentials, restrict its NTFS permissions to SYSTEM, Administrators and the agent service account.

Collections.xml

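<?xml version="1.0" encoding="utf-8" ?>
<!-- Collections.xml: one <CollectComputer> element per machine to collect from, each holding one <log>
     element per event log (or other collection method). The <CollectComputer> elements are siblings under
     <settings>; they must not be nested inside one another, and each one must be closed, or the file is not
     well-formed XML. Remote entries reference a templateFile (an XML file under Templates\, named without
     the .xml extension) that stores the credentials used to reach that machine. -->
<configuration>
    <settings>
        <CollectComputer computer="Localhost">  <!-- Collected computer FQDN or IP address; Localhost = the machine running the agent -->
            <log name="Security">  <!-- Event Full Name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="Application">  <!-- Event Full Name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="System">  <!-- Event Full Name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="InTrust for AD">  <!-- Event Full Name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="NextgenSoftware File Access Audit">  <!-- Event Full Name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="activedirectoryinformation">  <!-- Event Full Name -->
                <add name="collectionMethod" value="activedirectoryinformation" />
                <add name="logType" value="activedirectoryinformation" />
                <add name="templateFile" value="activedirectoryinformation" />
            </log>

            <log name="Microsoft-Windows-PrintService/Operational">  <!-- Event Full Name -->
                <add name="collectionMethod" value="wmilight" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="wmiInstalledSoftware">  <!-- Event Full Name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="wmigeneral" />
                <add name="templateFile" value="wmiInstalledSoftware" />
            </log>

            <log name="Azure">
                <add name="collectionMethod" value="monitorcsvfile" />
                <add name="logType" value="monitorcsvfile" />
                <add name="templateFile" value="azureBotnet" />
            </log>

            <!-- NOTE(review): the method name suggests the agent listens for inbound HTTP/JSON here; the listening
                 port and any authentication are not documented on this page, so firewall it to the sending host. -->
            <log name="FireEye">
                <add name="collectionMethod" value="httpjsonserver" />
                <add name="logType" value="httpjsonserver" />
                <add name="templateFile" value="httpJson" />
            </log>

            <log name="ExchangeTrackingLog">
                <add name="collectionMethod" value="monitorcsvfile" />
                <add name="logType" value="monitorcsvfile" />
                <add name="templateFile" value="exchangeTrackingLog1" />
            </log>

            <log name="IISLog1">
                <add name="collectionMethod" value="monitorcustomfilescript" />
                <add name="logType" value="monitorcustomfilescript" />
                <add name="templateFile" value="iisLogs" />
            </log>

            <log name="BotnetCCIP">
                <add name="collectionMethod" value="monitorcsvfile" />
                <add name="logType" value="monitorcsvfile" />
                <add name="templateFile" value="BotNet_CCIP" />
            </log>

            <log name="Botnet-Drone-Hadoop">
                <add name="collectionMethod" value="monitorcsvfile" />
                <add name="logType" value="monitorcsvfile" />
                <add name="templateFile" value="Botnet-Drone-Hadoop" />
            </log>

            <log name="SandBox-URL">
                <add name="collectionMethod" value="monitorcsvfile" />
                <add name="logType" value="monitorcsvfile" />
                <add name="templateFile" value="SandBox-URL" />
            </log>
        </CollectComputer>

        <!-- Exchange 2016 EXCH2016.nextgen.local -->
        <CollectComputer computer="XXX.XXX.XXX.XXX">  <!-- Collected computer FQDN or IP address -->

            <log name="Security">
                <add name="collectionMethod" value="wmilight" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomainNEXTGEN" />
            </log>

            <log name="MSExchange Management">
                <add name="collectionMethod" value="wmilight" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomainNEXTGEN" />
            </log>

            <log name="Application">
                <add name="collectionMethod" value="wmilight" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomainNEXTGEN" />
            </log>
        </CollectComputer>

        <!-- MSSQL 2014 SQL2014 -->
        <CollectComputer computer="XXX.XXX.XXX.XXX">  <!-- Collected computer FQDN or IP address -->

            <log name="Security">
                <add name="collectionMethod" value="wmilight" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomainNEXT" />
            </log>

            <log name="Application">
                <add name="collectionMethod" value="wmilight" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomainNEXT" />
            </log>

            <log name="NextgenSoftware File Access Audit">
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomainNEXT" />
            </log>

            <log name="System">
                <add name="collectionMethod" value="wmilight" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomainNEXT" />
            </log>

            <log name="Setup">
                <add name="collectionMethod" value="wmilight" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomainNEXT" />
            </log>
        </CollectComputer>

    </settings>
</configuration>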

After any configuration changes restart the CyberQuest Agent service:

  • Press Start->Run, type services.msc and click OK

    Alt text

  • Select CyberQuest Agent service from the list and click on Stop Service button

Alt text

  • After the operation ends successfully click on Start Service button

    Alt text

  • After the restart completes, the agent starts sending data to the collection server. If nothing arrives, check logs\agent.log under the installation folder for connection or authentication errors.

Configuring the CyberQuest Agent data collection

The CyberQuest Agent can collect Windows Logs from the machine where it was installed or from any computer on the network.

Configure CyberQuest Agent for collecting local logs

For local collection of any of the Windows event logs, edit the „collections.xml” file, keeping the opening and closing tag structure required of XML files. Each <log name=""> element adds a WMI query for the named event log on the machine given by the enclosing <CollectComputer computer=""> element. The „computer” attribute can be either an FQDN or an IP address of the desired machine, provided it is in the same Active Directory domain as the machine where the CyberQuest Agent is installed. For each additional machine, add another <CollectComputer computer=""> element with at least one <log name=""> child to „collections.xml”.

<CollectComputer computer="Localhost" >  <!-- "Localhost" collects from the machine running the agent; no templateFile (credentials) entry is used for local collection -->

            <log name="Security">  <!-- NOTE(review): reading the Security log needs elevated rights on Windows; presumably the agent service account provides them, confirm with the vendor -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="Application">
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="System">
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>

            <log name="Setup">
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
            </log>
        </CollectComputer>

Configure CyberQuest Agent for collecting remote computers logs

For remote collection of any of the Windows event logs, edit the „collections.xml” file, keeping the opening and closing tag structure required of XML files. Each <log name=""> element adds a WMI query for the named event log on the machine given by the enclosing <CollectComputer computer=""> element. The „computer” attribute can be either an FQDN or an IP address of the desired machine on the local network. For each additional machine, add another <CollectComputer computer=""> element with at least one <log name=""> child to „collections.xml”.

For remote collection, each <log name=""> element inside a <CollectComputer computer=""> element needs an additional <add name="templateFile" value="default" /> entry naming the template file (see step 2) that holds the credentials used to reach that machine. The same template file can be used for multiple computers provided the credentials are the same for all of them. Use a dedicated collection account rather than a shared local administrator, and grant it only the rights needed to read the selected logs remotely (for the Security log this is typically membership in the Event Log Readers group plus remote WMI/DCOM access; confirm the minimum set with the vendor). Every machine listed against one template shares that account, so its compromise exposes all of them.

1. Edit Collections.xml

Navigate to location C:\Program Files (x86)\CyberQuest LogAgent (default installation folder).

<configuration>
    <settings>
        <!-- Remote collection example: every <log> carries a templateFile entry naming an XML file under
             Templates\ (without the .xml extension) that holds the account used to query this machine. -->
        <CollectComputer computer="XXX.XXX.XXX.XXX">  <!-- Remote computer IP address or FQDN -->

            <log name="Security">  <!-- Event Full Name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomain" /> <!--Template file name -->
            </log>

            <log name="Application">  <!-- Event Full Name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomain" /> <!--Template file name -->
            </log>

            <log name="System">  <!-- Event Full Name -->
                <add name="collectionMethod" value="wmi" />
                <add name="logType" value="WindowsStandard" />
                <add name="templateFile" value="wmiEventsWithDomain" /> <!--Template file name -->
            </log>

        </CollectComputer>

    </settings>
</configuration>

2. Edit the template wmiEventsWithDomain.xml, or create a new XML file (for default installations located in C:\Program Files (x86)\CyberQuest LogAgent\Templates). Template files store the collection account's password in a reversibly encoded form, so restrict the Templates folder's NTFS permissions to SYSTEM, Administrators and the agent service account.

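<!-- Template file referenced from Collections.xml via templateFile (name without .xml). Holds the account the
     agent uses to query the remote computer; keep this file's NTFS ACL restricted. -->
<configuration>
  <settings>
    <!-- Account used to read the remote computer's logs. A local account is shown here; a domain account is not
         subject to the LocalAccountTokenFilterPolicy filter described below, so it avoids that registry change. -->
    <add name="USERNAME"  value="user" />  <!-- Local User name -->
    <!-- Output of "Agent.exe -encodepassword". The agent must presumably decode it to authenticate, so this is
         reversible obfuscation, not a hash. -->
    <add name="PASSWORD"  value="VB6wZQ==" />  <!-- Local User's encoded Password -->
    <add name="QUERY_INTERVAL"  value="20" />  <!-- Polling interval; units are not documented on this page -->
  </settings>
</configuration>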

To encode the collection account's password for the template file (the agent has to decode it to authenticate, so this is obfuscation rather than encryption with a secret you control; file permissions remain the real protection), follow the steps below:

  • Open command prompt window

  • Navigate to the installation directory (for default installations C:\Program Files (x86)\CyberQuest LogAgent) using cd "C:\Program Files (x86)\CyberQuest LogAgent"

    Alt text

    Alt text

  • Execute the following command: Agent.exe -encodepassword [Local User's password] (the switch is written with an ordinary hyphen). The plaintext password is passed on the command line, so it can be captured by process-creation auditing (e.g. Security event 4688 with command-line logging, Sysmon event 1) or EDR telemetry; run it from an interactive console rather than a script, and if you use PowerShell clear the PSReadLine history file afterwards. Alt text

  • Copy the output from the “Hashed password:” field into the template's PASSWORD value. Despite the label, the value is a reversible encoding (the agent must recover the password to log on to the remote machine), so treat the template file as a credential store.

3. On the remote computer, modify or create the following registry value: LocalAccountTokenFilterPolicy. Security note: setting it to 1 disables UAC remote restrictions for all local accounts on that machine, so any local administrator account can then obtain a full administrative token over the network (remote WMI, administrative shares) — a well-known enabler of lateral movement and pass-the-hash. The setting affects only local accounts; collecting with a domain account does not require it. If you must set it, apply it only on the collected machines, make sure local administrator passwords are unique per host (e.g. with LAPS), and record the change.

  • Press Start->Run, type regedit and press ENTER

    Alt text

  • Locate and click on the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

  • If the LocalAccountTokenFilterPolicy registry entry does not exist, follow below steps:

    a) On the Edit menu, point to New, and click DWORD Value.

    b) Type LocalAccountTokenFilterPolicy, and press ENTER

  • Right-click LocalAccountTokenFilterPolicy, and click Modify.

  • In the Value data box, type 1, and click OK

  • Exit Registry Editor.

    Alt text

4. On the remote computer open Services.msc and verify that “Windows Management Instrumentation” and “Remote Registry” are set to Startup type: Automatic and Service status: Running. If not, set Startup type: Automatic and start the service. Both services are reachable over the network once running; restrict the inbound ports they use (WMI: TCP 135 plus the RPC dynamic range; Remote Registry: SMB, TCP 445) at the host firewall to the address of the CyberQuest Agent machine.

Alt text

5. Verify network access between the CyberQuest Agent and the remote Windows machine (TCP 135 and the RPC dynamic port range for WMI, TCP 445 for Remote Registry), allowing only the agent host rather than the whole network.

After any configuration changes restart the CyberQuest Agent service:

  • Press Start->Run, type services.msc and click OK

    Alt text

  • Select CyberQuest Agent service from the list and click Stop Service

Alt text

  • After the operation ends successfully click on Start Service button

    Alt text

  • After the restart completes, the agent starts sending data to the collection server. If nothing arrives, check logs\agent.log under the installation folder for connection or authentication errors.