
Monitor Microsoft Windows Defender Antivirus with Graylog Part 2

Part 2 of the guide for deploying Graylog to monitor Microsoft Windows Defender Antivirus on Windows endpoints.

This is part 2 of a multi-part guide for setting up Graylog to monitor Windows Defender on your endpoints. In this part, I'll outline the steps to deploy the Graylog Sidecar to your endpoints and configure a Graylog input to start processing the logs coming from them. This part assumes you've got a working Graylog server in your environment; if not, take a look at Part 1.

Graylog Sidecar Deployment

Graylog Sidecar is the agent installed on the endpoints that collects the logs generated by the host and sends them to the Graylog server. These agents need an API token to communicate with the server. To generate an API token:

Open a browser on your machine, and navigate to http://<IP address or hostname of your Graylog server>:9000

Log in with your admin credentials, and navigate to System -> Users and Teams


In the Sidecar System User (built-in) row, click Edit.

On the Edit user - Sidecar System user (built-in) page, click Edit Tokens.

In the Create And Edit Tokens section, enter a name for the token, e.g. WindowsSidecar, and click Create Token.

Once the token has been generated, make sure to copy it somewhere safe - you'll need it later on, and it can't be recovered as far as I know. Click Done.

Deploy Graylog Sidecar to Endpoints

Now that you have an API token for the Graylog Sidecar, you can deploy the sidecar to your endpoints. There are many methods to install the sidecar in your environment; in this guide I'm going to wrap the Sidecar installer in an MSI file and deploy it with Group Policy.

Download the latest Graylog Sidecar Windows installer from Graylog GitHub here: https://github.com/Graylog2/collector-sidecar/releases/download/1.2.0/graylog_sidecar_installer_1.2.0-1.exe

Move the Graylog sidecar installer graylog_sidecar_installer_1.2.0-1.exe into a new, empty folder.

Before you begin creating an MSI installer for the Graylog Sidecar, you'll need to create a small PostInstall.bat script to include in the MSI.

In a text editor (Notepad is fine) create a file called PostInstall.bat and add the following two lines of code:

"c:\Program Files\Graylog\sidecar\graylog-sidecar.exe" -service install

"c:\Program Files\Graylog\sidecar\graylog-sidecar.exe" -service start


Save PostInstall.bat in the same folder as the Graylog installer. We'll use this batch file to install the sidecar service and start it when it's first installed.

Download the MSIWrapper installer MSI_Wrapper_10_0_51_0.msi from here: https://www.exemsi.com/downloads/msi_wrapper/MSI_Wrapper_10_0_51_0.msi

Install MSI_Wrapper_10_0_51_0.msi using the default options, and run MSI Wrapper.

On the Welcome to the EXE to MSI converter wizard screen, click Next.

On the Executable screen, click the browse button ... and select the graylog_sidecar_installer_1.2.0-1.exe file. Tick the box to include all the files in the setup folder and subfolders. This will ensure the PostInstall.bat script is included in the .msi file. The MSI output file name will be filled in automatically. Change the MSI platform architecture to x64. Click Next.

On the Visibility in Apps & features screen, leave the default settings and click Next.

On the Security and User Context screen, change the Security context to Windows Installer and Always elevate. Set the MSI Installation context to Per Machine. Click Next.


On the Application Ids screen, enter GraylogSidecar as the Application Id, and click the Create New button next to Upgrade Code. Click Next.

On the Properties screen, change the Manufacturer field from Executable to Manual and enter Graylog. Click Next.

On the More Properties screen, leave the fields blank (or fill them out to your liking) and click Next.


On the Parameters screen, enter the following Install arguments:

/S -APITOKEN=<your API token> -SERVERURL=http://<hostname of graylog server>:9000/api

Set the Uninstall arguments as:

/S

Click Next.

On the Actions screen, enter PostInstall.bat into the After Install command line field. Click Next.

On the Summary screen, click Build. Dismiss any prompts that might appear. The folder containing the Graylog installer and PostInstall script will now also contain an .msi installer customised for your environment.

Test the Graylog customised MSI installer

At this point I'd recommend testing the msi by manually installing it on one of your endpoints.

Copy graylog_sidecar_installer_1.2.0-1.msi to one of your endpoints, and double click it to begin the installation process.

Accept the User Account Control prompt (if shown); otherwise the installer will run without any prompts. Once the installer has finished, open services.msc by pressing Win + R, typing services.msc into the Open field and clicking OK.

Check that the Graylog Sidecar service is present and is running.

Once you've confirmed that the service is running, log back into your Graylog web interface and navigate to System/Sidecars -> Sidecars. You should now see one sidecar listed:

Great! You've now got a working .msi installer you can use. Add this to the Software installation section of a Group Policy object assigned to your endpoints (or create a new GPO). On the next reboot, the endpoint will install the Graylog Sidecar automatically and register itself with the Graylog server.

Assign Winlogbeat Configuration

By default, sidecars do not automatically start sending logs to the Graylog server; you need to modify and assign a Configuration to them from the Graylog web interface.

On the Sidecar overview page, click Configuration. In the Configurations section, click Create Configuration.

Enter a name for your configuration, such as WinlogBeat Configuration.

Change the Collector field to winlogbeat on Windows and press Cancel when prompted to use the default template.

Enter the code below into the Configuration field:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

# Ship events to the Beats input on the Graylog server (port 5044)
output.logstash:
  hosts: ["<hostname of your graylog server>:5044"]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
# Event Log channels to collect; the last one carries the Windows Defender events
winlogbeat:
  event_logs:
    - name: Application
    - name: System
    - name: Security
    - name: Microsoft-Windows-Windows Defender/Operational

Make sure to change the hosts entry in the configuration to the hostname of your Graylog server and click Create.

This configuration sets up the sidecar running on the endpoints to send the Application, System, Security and Windows Defender logs to Graylog for processing. Now that you've got a configuration for winlogbeat, it's time to assign it to your endpoints.

Navigate to System -> Sidecars. Click Administration.

This table lists all the endpoints that have reported in to Graylog at least once, and all the collectors available on those endpoints.

In the table heading, click Collector -> winlogbeat on Windows. This will filter the list of collectors shown in the list to just the winlogbeat collectors on the endpoints.

Click the Select All box at the top left of the table to select all your endpoints. Click Configure -> WinlogBeat Configuration.

Click Confirm on the prompt that appears. This applies the configuration to all the selected endpoints: those currently running receive it now, and the rest receive it the next time they report in to Graylog.

Note: You'll periodically need to revisit this step as more endpoints report in to Graylog - I don't know of a way to automatically apply a configuration to an endpoint when it first registers. There is currently an open issue on the Graylog GitHub around this problem (https://github.com/Graylog2/graylog2-server/issues/5062#issuecomment-1232617137). If I hear of a development around this, I'll update this guide.
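To find out which endpoints still need the Administration step above without clicking through the table, the following script (an added example, not part of this guide or of Graylog) queries the Graylog REST API and reports sidecars that have no assignment for the winlogbeat configuration. It assumes the API paths /sidecars/all, /sidecar/collectors and /sidecar/configurations (check them in your server's API browser), an admin account, and the configuration name used above; the hostname is a placeholder.

```powershell
# Added example, not part of the original guide: report sidecars that still lack the
# winlogbeat configuration assignment. Assumed REST paths: /sidecars/all,
# /sidecar/collectors, /sidecar/configurations (verify in the Graylog API browser).
param(
    [string]$GraylogHost = 'graylog.example.internal',          # placeholder, replace
    [string]$ConfigurationName = 'WinlogBeat Configuration',    # name used in the guide
    [pscredential]$Credential = (Get-Credential -Message 'Graylog admin user')
)

# The guide uses plain http://, so Basic auth sends the password unencrypted on the
# wire; switch to https:// if your server has TLS configured.
$base = "http://${GraylogHost}:9000/api"
$pair = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
$headers = @{
    'Authorization'  = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    'X-Requested-By' = 'sidecar-audit'   # Graylog rejects API calls without this header
    'Accept'         = 'application/json'
}

function Get-GraylogApi([string]$Path) {
    Invoke-RestMethod -Uri ($base + $Path) -Headers $headers -Method Get
}

# Resolve the collector and configuration ids that an assignment refers to
$collector = (Get-GraylogApi '/sidecar/collectors').collectors |
    Where-Object { $_.name -eq 'winlogbeat' -and $_.node_operating_system -eq 'windows' }
$config = (Get-GraylogApi '/sidecar/configurations').configurations |
    Where-Object { $_.name -eq $ConfigurationName }
if (-not $collector -or -not $config) { throw 'winlogbeat collector or configuration not found' }

$unassigned = foreach ($s in (Get-GraylogApi '/sidecars/all').sidecars) {
    # Only Windows hosts can run this collector
    if ($s.node_details.operating_system -notmatch 'Windows') { continue }
    $hit = $s.assignments | Where-Object {
        $_.collector_id -eq $collector.id -and $_.configuration_id -eq $config.id
    }
    if (-not $hit) {
        [pscustomobject]@{ Node = $s.node_name; NodeId = $s.node_id; Active = $s.active; LastSeen = $s.last_seen }
    }
}

$unassigned | Format-Table -AutoSize
```

Run it after new endpoints have registered; every host it lists is one to select in System -> Sidecars -> Administration and assign the configuration to.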

Ingest Windows Event logs in Graylog

Now that the Sidecars on your endpoints are set up to send their logs to Graylog, the last step in being able to process the logs is to add a Beats Input to Graylog. Navigate to System -> Inputs. Click the Select Input field and choose Beats.

Click Launch new input.

In the popup prompt that appears, give your Beats input a title such as Beats, scroll to the bottom and click Save. Note: With these settings, logs are sent from the endpoints to Graylog unencrypted. Setting up TLS encryption for the log transport is beyond the scope of this guide, but if there is enough interest, I'll follow up with a guide on this.

Now that the beats input is configured, you should start to see messages come into the server. Click Streams -> All Messages. In the top right corner of the window, click Not updating -> 1 Second. You should now see messages coming in from your endpoints in real time.
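If an endpoint does not show up in the message stream, the following script (an added example, not from this guide or from Graylog) checks one endpoint end-to-end: the service from the MSI test section, the sidecar's server URL, the winlogbeat process, the Defender event channel from the configuration, and reachability of the two server ports. It assumes the default install path used in the guide, the service display name shown in services.msc, and that it runs from an elevated PowerShell prompt; the hostname is a placeholder.

```powershell
# Added example, not part of the original guide: verify a Graylog Sidecar endpoint.
# Assumptions: default install path from the guide, service display name as shown
# in services.msc, ports 9000 (API) and 5044 (Beats input) as used in the guide.
param(
    [string]$GraylogHost = 'graylog.example.internal'   # placeholder, replace with your server
)

$sidecarDir = 'C:\Program Files\Graylog\sidecar'
$sidecarYml = Join-Path $sidecarDir 'sidecar.yml'
$results = [ordered]@{}

# 1. The service that PostInstall.bat registered must exist and be running
$svc = Get-Service -DisplayName 'Graylog Sidecar*' -ErrorAction SilentlyContinue
$results['SidecarServiceRunning'] = ($null -ne $svc) -and ($svc.Status -eq 'Running')

# 2. sidecar.yml should carry the server URL passed via -SERVERURL in the MSI arguments
$results['ConfigPointsAtServer'] = (Test-Path $sidecarYml) -and
    ((Get-Content $sidecarYml -Raw) -match [regex]::Escape("http://${GraylogHost}:9000/api"))

# 3. winlogbeat only runs once a configuration has been assigned in System -> Sidecars
$results['WinlogbeatRunning'] = $null -ne (Get-Process -Name 'winlogbeat' -ErrorAction SilentlyContinue)

# 4. The Defender channel listed in the winlogbeat configuration must exist and be enabled
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Windows Defender/Operational' -ErrorAction SilentlyContinue
$results['DefenderChannelEnabled'] = ($null -ne $log) -and $log.IsEnabled

# 5. Registration uses the API port, log shipping uses the Beats input port
foreach ($port in 9000, 5044) {
    $tcp = Test-NetConnection -ComputerName $GraylogHost -Port $port -WarningAction SilentlyContinue
    $results["Port${port}Reachable"] = $tcp.TcpTestSucceeded
}

# 6. Caveat: sidecar.yml stores the API token in clear text, and Program Files grants
#    BUILTIN\Users read access by default, so flag it if standard users can read the file
if (Test-Path $sidecarYml) {
    $readable = (Get-Acl $sidecarYml).Access | Where-Object {
        $_.IdentityReference -like '*\Users' -and $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Read'
    }
    $results['TokenReadableByStandardUsers'] = [bool]$readable
}

[pscustomobject]$results | Format-List
```

A False in any of the first five rows points at the step of this guide to revisit; a True in the last row means the API token can be read by any local user and the file's ACL should be tightened.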

Awesome, now that you've got logs coming into Graylog, we can start to drill down into these logs and find the Windows Defender events that we need to be notified of! In the next part we'll create a dashboard to monitor for detected malware and set up a system to send email notifications of detected malware.

References

https://docs.graylog.org/docs/sidecar

https://www.exemsi.com/

https://github.com/Graylog2/collector-sidecar/releases

https://www.graylog.org/products/open-source

https://docs.Graylog.org/docs/ubuntu

https://community.Graylog.org/t/custom-notification-variables/15667/6

https://archivedocs.graylog.org/en/3.2/pages/alerts.html

https://docs.graylog.org/v1/docs/notifications

https://github.com/Graylog2/graylog2-server/issues/5062