Client Configuration – SGBox Next Generation SIEM & SOAR (https://www.sgbox.eu), feed generated Fri, 22 Nov 2024 16:15:05 +0000

Syslog configuration on Zyxel Firewalls https://www.sgbox.eu/en/knowledge-base/configure-zyxel-firewalls/ Wed, 24 Jul 2024 13:56:31 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=26712

Syslog configuration on Zyxel Firewalls

Configure Zyxel Firewalls

Configure Zyxel device to forward syslog data to SGBox

  1. Log into the Zyxel Web Interface.
  2. Navigate to Configuration > Log & Report > Log Settings.
  3. Choose a Remote Server.
  4. Click Active.
  5. Choose Log Format as VRPT/Syslog.
  6. Enter the IP address of the SGBox in the Server Address field.
  7. Select Local 7 in the Log Facility field.
  8. Select the Categories you want to be logged (normal = default logs, debug = very detailed logs, disable = no logs).
Troubleshooting

Default syslog server port is 514.

Syslog configuration on MikroTik Firewalls https://www.sgbox.eu/en/knowledge-base/configure-mikrotik-firewalls/ Wed, 24 Jul 2024 13:25:34 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=26698

Syslog configuration on MikroTik Firewalls

Configure MikroTik Firewalls
  1. Connect to the MikroTik device UI.
  2. Navigate to the System > Logging page.
  3. Enter the IP address of SGBox in the Remote Address field.
  4. Enter 514 in the Remote Port field.
  5. Select BSD Syslog.
  6. Select local0 in Syslog Facility.
  7. Select Info in Syslog Severity.
NOTE: You must select BSD Syslog to get the syslog with timestamp value.
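The settings in the Zyxel and MikroTik sections above (facility Local 7 or local0, severity Info, BSD Syslog format, UDP port 514) produce RFC 3164 messages like the ones this added example builds and parses; it is not SGBox or vendor code, and the hostname, tag and message text are constructed. It also shows what is lost when the BSD format is not selected: the message arrives without its own timestamp and hostname.

```python
import re
import socket
from datetime import datetime

# Facility and severity codes from RFC 3164, section 4.1.1.
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    **{f"local{i}": 16 + i for i in range(8)},   # local0 .. local7
}
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# <PRI>Mmm dd hh:mm:ss HOSTNAME MSG   (the day of month is space padded)
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def priority(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; e.g. local0/info = 134, local7/info = 190."""
    return FACILITIES[facility.lower()] * 8 + SEVERITIES[severity.lower()]


def build_bsd_syslog(facility, severity, hostname, tag, message, when):
    """Return one RFC 3164 line: '<PRI>Mmm dd hh:mm:ss host tag: message'."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # e.g. 'Jul  1 08:05:09'
    return f"<{priority(facility, severity)}>{stamp} {hostname} {tag}: {message}"


def parse_bsd_syslog(line: str) -> dict:
    """Split the header and decode PRI back into facility/severity names.

    Raises ValueError for a bare '<PRI>message' with no timestamp or hostname,
    which is what a device emits when the BSD format is not selected: the
    collector then has to stamp the event with its own arrival time.
    """
    m = BSD_RE.match(line)
    if not m:
        raise ValueError("not a BSD-syslog line with timestamp and hostname")
    pri = int(m["pri"])
    return {
        "facility": FACILITY_NAMES.get(pri >> 3, f"facility{pri >> 3}"),
        "severity": SEVERITY_NAMES[pri & 7],
        "timestamp": m["ts"],
        "hostname": m["host"],
        "message": m["msg"],
    }


def send_udp(line: str, collector: str, port: int = 514) -> int:
    """Send one line to the SGBox collector over UDP (514 is the default port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (collector, port))


def sample_mikrotik_line() -> str:
    """Constructed sample: a MikroTik set to local0 / Info / BSD Syslog as above."""
    return build_bsd_syslog("local0", "info", "mikrotik-fw", "firewall",
                            "forward: in:ether1 out:ether2, drop",
                            datetime(2024, 7, 24, 13, 25, 34))


if __name__ == "__main__":
    line = sample_mikrotik_line()
    print(line)                    # <134>Jul 24 13:25:34 mikrotik-fw firewall: ...
    print(parse_bsd_syslog(line))
    # send_udp(line, "SGBox-IP")   # uncomment with the real collector address
```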
Syslog Wildix https://www.sgbox.eu/en/knowledge-base/syslog-wildix/ Mon, 17 Jun 2024 14:55:42 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=25447

Wildix


For more information visit the link: https://wildix.atlassian.net/wiki/spaces/DOC/pages/30286171/How+to+collect+syslog+from+Wildix+devices

Libra ESVA Syslog configuration https://www.sgbox.eu/en/knowledge-base/libra-esva-syslog-configuration/ Thu, 13 Jun 2024 12:36:37 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=25161

Libra ESVA Syslog configuration

 

Libraesva ESG can export all logs to a remote Syslog Server. To configure it, simply select Enable Remote Syslog and specify your Syslog Server IP Address. You can also improve security by using a TLS certificate.

NOTE: Libraesva ESG uses the standard port UDP 514.

For more information see this link: https://docs.libraesva.com/document/system/appliance/networking/#Syslog

Centralizing Windows Logs ( Forwarded Events ) https://www.sgbox.eu/en/knowledge-base/centralizing-windows-logs/ Wed, 05 Jun 2024 15:44:04 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=24816

Centralizing Windows Logs (Forwarded Events)

You can use the tools in this article to centralize your Windows event logs from multiple servers and desktops. By properly administering your logs, you can track the health of your systems, keep your log files secure, and filter contents to find specific information. It is possible for a Windows server to forward its events to a collector server. In this scenario, the collector server becomes a central repository for Windows logs from other servers (called event sources) in the network. The stream of events from a source to a collector is called a subscription. This procedure demonstrates how to set it up. These steps work on Windows Server 2008 R2, Windows Server 2012, and Windows Server 2019. We are using two Active Directory Domain–joined Windows Server 2012 systems. The domain name is mytestdomain.com and both machines are registered with the domain.


Enable the Windows Remote Management Service

Windows Remote Management (WinRM) is a protocol for exchanging information across systems in your infrastructure. You must enable it on each of your source computers to exchange log files.

  • Remotely log into the source computer (MYTESTSQL) as a local or domain administrator.
  • Enable Windows Remote Management Service from a Command Prompt:
winrm quickconfig

If it is already running, a message similar to this example is displayed.




Configure the Windows Event Collector Service

You must enable the Windows Event Collector Service on your collector server to allow it to receive logs from your sources.

  • Remotely log into the collector computer (MYTESTSERVER) as a local or domain administrator.
  • Configure the Windows Event Collector Service from a Command Prompt:
wecutil qc

If prompted, as in the example, press y.




Configure the Event Log Readers Group

By default, certain logs are restricted to administrators. This may cause problems when receiving logs from other systems. To avoid this, you can grant access to the collector computer by adding it to the Event Log Readers group.

  • Go back to the source computer (MYTESTSQL).
  • Open Server Manager.
  • Open Computer Management.
  • Expand the Local Users and Groups node in the Navigation pane and select Groups.
  • Double-click Event Log Readers.
  • Click Add to open the Select Users, Computers, Service Accounts, or Groups dialog.
  • Click Object Types.
  • Check Computers and click OK.
  • Enter MYTESTSERVER as the object name and click Check Names. If the computer account is found, it is confirmed with an underline.
  • Click OK twice to close the dialog boxes.



Configure Windows Firewall

If the source computer is running Windows Firewall, ensure it allows Remote Event Log Management and Remote Event Monitor traffic.




Create a Subscription

Subscriptions define the relationship between a collector and a source. You can configure a collector to receive events from any number of sources (a source-initiated subscription), or specify a limited set of sources (a collector-initiated subscription). In this example, we create a collector-initiated subscription since we know which computer logs we want to receive.

  • Start the Event Viewer application on the collector server MYTESTSERVER.
  • Select Subscriptions from the Navigation pane.
  • Click Create Subscription in the Actions pane.
  • On the Subscription Properties, enter the following as shown in the example:
    Subscription name: MYTESTSQL_EVENTS
    Description: Events from remote source server MYTESTSQL
    Destination log: Forwarded Events
    Select Collector initiated and click Select Computers to open the Computers dialog.
  • Click Add Domain Computers.
  • Enter MYTESTSQL as the object name and click Check Names. If the computer is found, it is confirmed with an underline.
  • Click OK.
  • Click OK to return to the Subscription Properties.
  • Click Select Events to open the Query Filter and enter the following to set the remote server to forward all application events from the last 24 hours:
    Logged: Last 24 hours
    Check all Event levels
    Select By log
    Event logs: Select Application from the drop-down list
  • Click OK to return to the Subscription Properties.
  • Click Advanced to open the Advanced Subscription Settings and enter the following:
    Select Machine Account
    Select Minimize Latency
    Protocol: HTTP
    Port: 5985
  • Click OK to return to the Subscription Properties.
  • Click OK to close.

The Subscription node in the collector computer event viewer now shows the new subscription.


Verify Events on Collector Computer

Select Forwarded Events from the Navigation pane on the collector computer.


The Computer column in the Details pane indicates the events are from the remote computer MYTESTSQL.MYTESTDOMAIN.COM. You can enable or disable the collector subscription by right-clicking on the subscription and choosing Disable. The status of the subscription is then shown as disabled in the main window. An active collector subscription does not mean it is succeeding. To see if the collector can connect to the source, right-click on the subscription and select Runtime Status. In this example, the collector can’t connect to the source. By default, it retries every five minutes.



If all is OK, Subscription Runtime Status shows a green tick with an active status.




Create a Custom View (Optional)

Once the events are forwarded, you can create custom views to see the consolidated events. For example, you might create a custom view for error events. This example creates a custom view for SQL Server–related messages. A collector computer may host thousands of records from dozens of servers. Using a custom view enables you to create order from an overload of information. 

Syslog configuration on SonicWall https://www.sgbox.eu/en/knowledge-base/syslog-configuration-on-sonicwall/ Fri, 24 May 2024 09:19:09 +0000 https://www.sgbox.eu/?post_type=epkb_post_type_1&p=23107

Syslog configuration on SonicWall

This article explains how to configure SonicWall to send logs to SGBox using the syslog protocol.

Requirements

  • Must have GMS server or On-Prem Analytics server installed and configured.
  • Have an Address Object Created on the Firewall for SonicWall Analytics system.

From the SGBox WebUI download the Fortigate Firewall Package: SCM > Application > Packages

SGBox Agent https://www.sgbox.eu/en/knowledge-base/sgbox-agent/ Thu, 22 Jun 2023 14:31:33 +0000 https://www.sgbox.it/sgbox/EN/?post_type=epkb_post_type_1&p=8838

Installation and Configuration

Requirements

To run the Agent correctly, the following software is required:

  • .NET Framework 4.0
  • Internet Explorer dll framework
  • Outgoing open port 443

Antivirus Consideration

We have received reports that some antivirus products can interfere with the normal operation of the Agent (many of the reported cases involve Sophos). Please be sure to add an exception for the Agent in:

  • Sophos

Preliminary Information

  • Agent Buffer: if SGBox is offline, the agent acts as a buffer and stores the logs until the connection with the appliance is restored. The buffer capacity depends on the free disk space remaining.
  • Port used: the port used to communicate is 443.
  • Communication type: the SGBox Agent communicates through the Internet Explorer DCOM API.

Download

To install the agent you must download it from the dedicated download section on the SGBox Portal.

Note: to download SGAgent, you must log in or sign up on our portal and go to the Download SGBox Software section.

Installation Configuration

Extract the downloaded archive and run the setup.

Click on “Next/Avanti” to continue with the installation.

Browse to the folder where you want to install the agent.

Edit the “Server ip” field with the IP or FQDN of your SGBox.

You will be asked to confirm the data entered; click “Next/Avanti” to proceed with the installation.

Click on “Yes” to start the installation.

Click on “Close/Chiudi” to finish the installation.

If the installation completed correctly, a new service named “SGBoxTask Service” will have been created.

Log Retrieval Configurations

Capture Logs from Standard Windows Event View

This section explains how to create a new configuration and command. A new command can be added to an existing configuration in the same way.

Log in to the SGBox web interface. Go to LM > Configuration > Agents.

Click on CLICK HERE TO CREATE NEW CONFIGURATION if you want to create a new configuration, or click on an existing configuration if you want to edit it.

Enter or modify a name for the configuration and select GetEventLog to retrieve new information from the Event Viewer.

Enter the details of your command:

  • Name: a descriptive name for your command.
  • Description: a brief description of your command (not mandatory).
  • Frequency: how often this information will be sent to SGBox.
  • Log Name: the event log (registry) name. If it is not present, see the next section.
  • Select or specify the Event ID. Select All events, or enter -1, to tell the agent to send all events from the specified log.

You can add more commands to your configuration.

Drag & Drop your configuration to the target host and Save Changes.

Capture Logs from Operational (Application) Windows Event View

This section explains how to create a new configuration and command from a custom event log (called a registry on this page). We’ll take the Terminal Service log as an example. Here are the details of the logs we want to retrieve:

See the previous section to specify a new command from a basic log:
https://www.sgbox.it/sgbox/EN/knowledge-base/create-a-new-command/

First of all we need to find the exact name of the log: Right click > Properties.

A new command can be added to an existing configuration in the same way.

Log in to the SGBox web interface. Go to LM > Configuration > Agents.

Click on CLICK HERE TO CREATE NEW CONFIGURATION if you want to create a new configuration, or click on an existing configuration if you want to edit it.

Enter or modify a name for the configuration and select GetEventLog to retrieve new information from the Event Viewer.

Enter the details of your command:

  • Name: a descriptive name for your command.
  • Description: a brief description of your command (not mandatory).
  • Frequency: how often this information will be sent to SGBox.
  • Log Name: select ADD NEW.
  • New Log Name: the log name found earlier.
  • Select or specify the Event ID. Select All events, or enter -1, to tell the agent to send all events from the specified log.

You can add more commands to your configuration.

Drag & Drop your configuration to the target host and Save Changes.

Capture Logs from File/Folders (TailFolder method)

This section explains how to create a new configuration and the related command in order to retrieve logs from a specific folder.

Requirements

  • SGBox 5.0.2 or SGBox 4.2.7 is required.
  • At least SGAgent 3.2.7433.19116 is required.

Log in to the SGBox web interface. Go to LM > Configuration > Agents.

Click on CLICK HERE TO CREATE NEW CONFIGURATION if you want to create a new configuration, or click on an existing configuration if you want to edit it.
Enter a name and select TailFolder as the command.

A new window appears. Enter the details of your command:

  • Name: a descriptive name for your command.
  • Description: a brief description of your command (not mandatory).
  • Frequency: how often this information will be sent to SGBox.
  • Directory Path: the directory where the logs are located.
  • File Name: the log file name; a star (wildcard) expression can also be used.
  • List Subdirectories: use this flag if you also want to look for logs located in the subdirectories.
  • Timestamp Pattern: a regex to find the correct timestamp in the logs.
  • Timestamp Format: the format of the log timestamp.
  • Timezone: you can specify whether the Timestamp is in local time or UTC.

ATTENTION: if the folder you are trying to monitor is inside C:/Windows/System32/ you need to use C:/Windows/sysnative/ instead (the agent is a 32-bit process, so Windows redirects its accesses to System32 to SysWOW64; the sysnative alias bypasses that redirection).

Your command has been created. If you want, you can add more commands to your configuration.
Click on Save Changes to save your configuration.

Drag & Drop your configuration to the target host and Save Changes.

When everything is configured you can see your logs in the historical search.

Configure File Integrity Monitoring

File Integrity Monitoring is a new feature introduced with the latest SGAgent version and is used to monitor files and shared folders. Using this feature you can monitor when a specific file is read, modified or deleted.

Attention: File Integrity Monitoring is not File Auditing; you are not able to see the user that performed the action.

Requirements

  • SGBox 5.1.3 or higher.
  • SGAgent 3.4 or higher.

The FIM package can be installed from SCM > Applications > Packages: Click to install to download and install the package, then click on Run and select the hosts you want to monitor.

Go to LM > Configurations > Agents.

In our example we create a specific configuration for this feature, but you can also create a new command in an existing configuration and modify it.
Click on “New Configuration” to create a new configuration and select CheckFolder.

A new window will appear to enter the command’s details:

    • Name: a descriptive name for your command.
    • Description: a short description of your command (not mandatory).
    • Frequency: how often this information will be sent to SGBox (60 sec suggested).
    • Directory Path: where the files or folders are located.
    • File Name: name of the file (you can also use the star expression).
    • Check Subdirectories: use this flag if you want to look at files located in subdirectories as well.
    • File Integrity: select the monitor mode* you want to use.
    • Exclude files: you can specify some files to exclude from monitoring (not mandatory, regex supported).

Monitor Mode

  • Monitor Only: check the integrity while the PC and agent are running.
  • Monitor and store integrity: store the integrity in an internal DB. Even if some operations on files are performed while the OS or Agent is not running, the agent can identify them. Storing large directories can seriously impact performance.

Click OK to save the command.
Click “Save Changes” to save your configuration.

Drag and drop your configuration to the target host and click again on “Save Changes”.

When everything is set up you can see your logs in the historical search or in the “File Integrity Monitoring” dashboards.

FIM is very useful where you store critical configurations or backups. Monitoring all of the C: drive is not recommended. Here are some interesting folders to monitor:

  • C:\inetpub\wwwroot
  • C:\Windows\Boot
  • C:\Windows\System32\drivers\etc
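To make the "Monitor and store integrity" mode concrete, here is an added, stand-alone baseline-and-compare check that maps the CheckFolder fields above (Directory Path, File Name star expression, Check Subdirectories, Exclude files regex) onto plain Python. It is not SGAgent's implementation; the JSON file standing in for the agent's internal DB and the sample tree in demo() are constructed.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(directory, file_name="*", check_subdirectories=False, exclude=None):
    """Return {relative path: [sha256, size, mtime]} for the files the command
    would cover: Directory Path, File Name (star expression), the Check
    Subdirectories flag and the optional Exclude files regex."""
    root = Path(directory)
    excl = re.compile(exclude) if exclude else None
    paths = root.rglob(file_name) if check_subdirectories else root.glob(file_name)
    state = {}
    for p in sorted(paths):
        rel = p.relative_to(root).as_posix()
        if not p.is_file() or (excl and excl.search(rel)):
            continue
        st = p.stat()
        state[rel] = [_sha256(p), st.st_size, int(st.st_mtime)]
    return state


def load_baseline(db_path):
    p = Path(db_path)
    return json.loads(p.read_text()) if p.exists() else {}


def compare(baseline, current):
    """Classify differences as a FIM event would: added, deleted, modified.
    Comparing hashes (not mtimes) also catches edits that preserve timestamps."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(f for f in set(current) & set(baseline)
                      if current[f][0] != baseline[f][0])
    return {"added": added, "deleted": deleted, "modified": modified}


def check_folder(directory, db_path, **scan_kwargs):
    """One run of the command in 'Monitor and store integrity' mode: diff the
    folder against the stored DB, then persist the new state. Because the
    state survives restarts, changes made while the agent was stopped still
    show up on the next run; the cost is DB size and hashing time on large trees."""
    baseline = load_baseline(db_path)
    current = scan(directory, **scan_kwargs)
    events = compare(baseline, current)
    Path(db_path).write_text(json.dumps(current, indent=1))
    return events


def demo():
    """Constructed sample: a fake drivers\\etc tree changed between two runs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        root.mkdir()
        db = Path(tmp) / "fim-db.json"          # kept outside the monitored tree
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "services").write_text("http 80/tcp\n")
        (root / "hosts.bak").write_text("old copy\n")   # excluded by the regex
        first = check_folder(root, db, file_name="*", exclude=r"\.bak$")
        # Agent "stopped" here: hosts edited, services removed, protocol added.
        (root / "hosts").write_text("127.0.0.1 localhost\n192.0.2.10 update.example\n")
        (root / "services").unlink()
        (root / "protocol").write_text("ip 0 IP\n")
        second = check_folder(root, db, file_name="*", exclude=r"\.bak$")
    return first, second


if __name__ == "__main__":
    first_run, second_run = demo()
    print(first_run)    # no baseline yet, so every covered file is "added"
    print(second_run)   # {'added': ['protocol'], 'deleted': ['services'], 'modified': ['hosts']}
```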

Strict TLS connection with a Personal Certificate

Starting from version 3.7, it is possible to configure the SGAgent to check the SGBox/Collector certificate before sending information.

Requirements:

  • SGAgent version 3.7
  • SGBox must have a valid certificate. See the relevant section.

After installation, go to the installation directory. The default path is C:\Program Files (x86)\SGBox Agent. Open the file SGBoxTask.exe.config as Administrator with a text editor like Notepad.

Add the following entry after the connection strings:

<add key="IgnoreCertificate" value="False" />

Save the configuration and restart the SGBoxTask service.

Check the file SGBoxTaskLog.txt to verify that everything is OK.
Here is an example of an error:

220330 14.51.05 0000008 *** Error The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. System
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at SGBoxTask.Utils.Internet.GenerateCommandRequest(String uri, String ApplicationId, String login, String password)

Here is an example when it works:

220330 14.54.20 0000004 Starting ServiceSGBoxTask
220330 14.54.20 0000006 Starting Main
220330 14.54.20 0000006 Params 0A002700000D https://sgbox192.sgbox.it/sgbox/LM/dataxchange/cmd.php https://sgbox192.sgbox.it/sgbox/LM/dataxchange/send.php
220330 14.54.20 0000006 SleepTime 10 msec
220330 14.54.20 0000006 RandomStartTimer 2 sec RandomMinStartTimer 1
220330 14.54.20 0000006 Enable TLS 1, 1.1, 1.2
220330 14.54.20 0000006 Starting StartSendPacket
220330 14.54.20 0000006 Starting StartGetCommand

Uninstall

Prerequisites

Before uninstalling the Agent, make sure that (for all users connected to the server):

  • All mmc.exe instances are closed
  • All services panels (services.msc) are closed
  • The Task Manager (and Process Explorer) is temporarily closed
  • All Event Viewer instances are closed

To uninstall the Agent, go to “Add/Remove Programs”, select “SGBox Agent” and select “Uninstall”.

Reinstall Note: in case of an agent reinstall, it is recommended to fully restart the machine before proceeding with the new install.

Manual Full Remove

To fully remove the Agent if anything goes wrong, check and remove these items:

  • Service: stop and remove the service. From PowerShell:
    get-service SGBoxTask | stop-service
    then, from a cmd window:
    sc delete SGBoxTask
  • Registry: find and delete this Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SGBoxTask
  • Folders: fully remove this folder: C:\Program Files (x86)\SGBox Agent

Update Agent

To update the Agent you must completely uninstall the old version (we also recommend rebooting the machine if possible), then install the new version with the specific installer.

Silent/Unattended Mode

Install

In order to distribute SGAgent in silent mode you have to type the following command:

SetupSGBox.msi /q ServerIP="192.168.xxx.xxx"

Uninstall

In order to uninstall SGAgent in silent mode you have to type the following command:

msiexec /q /x {C09891C0-0E34-4873-A869-F9DC136E67C2}

Troubleshooting

The Agent is composed of:

  • A service named SGBoxTask, which must be set to automatic start and be running
  • Default installation folder: C:\Program Files (x86)\SGBox Agent – main files and folders
  • SGBoxTask.exe: the main executable file and service
  • SGBoxTaskLog.txt: the main log file of the agent itself
  • SGBoxAgent.exe.config: configuration file for the agent
  • C:\programdata\SGBoxTask\Packet: the folder where packets ready to be sent (or cached) are stored

How to analyze Agent log

The main log file is SGBoxTaskLog.txt. If you have any sort of problem related to the agent, you can send this file to support so they can check the stream.

Some useful rows to check for correct communication are:

  • Row with the command GetCommand: the agent is checking the command to execute coming from LM -> Configuration -> Agents
  • Detected OLD Request xxx: SGAgent has identified a cached command that is no longer used and has marked it as inactive. It is informational
  • Read Json …: the Json command received from SGBox
  • Sending File …: a final packet has been sent to SGBox
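As an added triage helper (not an SGBox tool), the following script parses SGBoxTaskLog.txt lines in the layout shown in the Strict TLS section (YYMMDD HH.MM.SS NNNNNNN message, which is an assumption drawn from those excerpts), flags the certificate trust error, reports which of the milestones listed above were reached, and notes when the "Enable TLS" line still includes TLS 1.0/1.1. The two embedded logs are the page's excerpts; the last three lines of WORKING_LOG are constructed.

```python
import re
from datetime import datetime

# Assumed record layout, taken from the excerpts above: YYMMDD HH.MM.SS NNNNNNN message
LINE_RE = re.compile(
    r"^(?P<date>\d{6}) (?P<time>\d{2}\.\d{2}\.\d{2}) (?P<seq>\d{7}) (?P<msg>.*)$"
)
# Messages this page names as meaningful, in the order a healthy start shows them.
MILESTONES = ["Starting ServiceSGBoxTask", "Enable TLS", "Starting StartGetCommand",
              "GetCommand", "Read Json", "Sending File"]
TLS_TRUST_ERROR = "Could not establish trust relationship for the SSL/TLS secure channel"

# Page excerpt: the agent refuses to talk because the SGBox certificate is not trusted.
FAILING_LOG = """\
220330 14.51.05 0000008 *** Error The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. System
   at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
   at System.Net.HttpWebRequest.GetRequestStream()
   at SGBoxTask.Utils.Internet.GenerateCommandRequest(String uri, String ApplicationId, String login, String password)
""".splitlines()

# Page excerpt for a healthy start; the last three lines are constructed samples.
WORKING_LOG = """\
220330 14.54.20 0000004 Starting ServiceSGBoxTask
220330 14.54.20 0000006 Starting Main
220330 14.54.20 0000006 Params 0A002700000D https://sgbox192.sgbox.it/sgbox/LM/dataxchange/cmd.php https://sgbox192.sgbox.it/sgbox/LM/dataxchange/send.php
220330 14.54.20 0000006 SleepTime 10 msec
220330 14.54.20 0000006 RandomStartTimer 2 sec RandomMinStartTimer 1
220330 14.54.20 0000006 Enable TLS 1, 1.1, 1.2
220330 14.54.20 0000006 Starting StartSendPacket
220330 14.54.20 0000006 Starting StartGetCommand
220330 14.54.31 0000006 GetCommand
220330 14.54.31 0000006 Read Json {"command": "GetEventLog"}
220330 14.55.02 0000006 Sending File packet-0001.json
""".splitlines()


def parse_line(line):
    """Return a dict for a log record, or None for stack-trace continuation lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["date"] + m["time"], "%y%m%d%H.%M.%S")
    msg = m["msg"]
    return {"ts": ts, "seq": m["seq"], "msg": msg, "error": msg.startswith("*** Error")}


def diagnose(lines):
    """Summarise a log: milestones reached, error count, TLS state and a verdict."""
    entries = [e for e in map(parse_line, lines) if e]
    errors = [e for e in entries if e["error"]]
    reached = {m: any(e["msg"].startswith(m) for e in entries) for m in MILESTONES}
    tls_error = any(TLS_TRUST_ERROR in e["msg"] for e in errors)
    tls_line = next((e["msg"] for e in entries if e["msg"].startswith("Enable TLS")), "")
    legacy_tls = any(v in tls_line for v in ("1,", "1.1"))   # TLS 1.0 / 1.1 still enabled
    if tls_error:
        verdict = ("certificate not trusted: install a valid SGBox certificate or review "
                   "IgnoreCertificate in SGBoxTask.exe.config, then restart SGBoxTask")
    elif reached["Sending File"]:
        verdict = "healthy: commands received and packets sent"
    elif reached["Starting StartGetCommand"]:
        verdict = "started but nothing exchanged yet: check firewall, antivirus and network path"
    else:
        verdict = "service did not complete startup"
    return {"entries": len(entries), "errors": len(errors), "tls_error": tls_error,
            "legacy_tls": legacy_tls, "reached": reached, "verdict": verdict}


if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, diagnose(log)["verdict"])
```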

Check Service

To check that the service is running, you can execute this command from a CMD:

sc query SGBoxTask

If the status equals Running, the service is running correctly; otherwise it must be started, or the whole configuration must be checked.

Reconfigure IP on change appliance IP

Attention: this procedure is valid only for an IP change, not when you are migrating to a new appliance instance or a new major version.

To change the IP the agent queries, go to the configuration file SGBoxTask.exe.config in the default folder and change these rows:

  • <add key="SGCommandUrl" value="https://<ip_to_change>/sgbox/LM/dataxchange/cmd.php" />
  • <add key="SGResponseUrl" value="https://<ip_to_change>/sgbox/LM/dataxchange/send.php" />

SGBoxTask.exe.config Definition

  • <CommandDelay>: time interval in seconds between requests for a new command configuration from SGBox
  • <MaxLogFileSize>: max size of the log file SGBoxTaskLog.txt
  • <LogLevel>: SGAgent log verbosity level for SGBoxTaskLog.txt
  • <SGCommandUrl>: complete URL queried for the command list from SGBox
  • <SGResponseUrl>: complete URL where the log is sent to SGBox
  • <PageSize>: max size in bytes of the file sent to SGBox each time
  • <SleepTime>: milliseconds of delay before sending the file to SGBox
  • <MaxPacketFolderSize>: max size of the whole log waiting to be sent (or cached)
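The two edits this page asks for in SGBoxTask.exe.config (repointing SGCommandUrl/SGResponseUrl to a new appliance IP, and adding IgnoreCertificate=False for strict TLS) can be scripted so the rest of the file is left untouched. This is an added example, not a tool shipped with SGAgent; it assumes the file is a standard .NET App.config whose keys live under <appSettings> as <add key="..." value="..."/> elements, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlsplit, urlunsplit

URL_KEYS = ("SGCommandUrl", "SGResponseUrl")

# Constructed sample in the layout the page shows for these keys.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <connectionStrings />
  <appSettings>
    <add key="CommandDelay" value="60" />
    <add key="SGCommandUrl" value="https://192.168.1.10/sgbox/LM/dataxchange/cmd.php" />
    <add key="SGResponseUrl" value="https://192.168.1.10/sgbox/LM/dataxchange/send.php" />
  </appSettings>
</configuration>
"""


def _settings(root):
    app = root.find("appSettings")
    if app is None:
        raise ValueError("no <appSettings> section in config")
    return app


def get_setting(root, key):
    for add in _settings(root).findall("add"):
        if add.get("key") == key:
            return add.get("value")
    return None


def set_setting(root, key, value):
    """Update an existing <add key=.../>, or append one (as for IgnoreCertificate)."""
    app = _settings(root)
    for add in app.findall("add"):
        if add.get("key") == key:
            add.set("value", value)
            return
    ET.SubElement(app, "add", key=key, value=value)


def repoint(root, new_host):
    """Swap only the host of SGCommandUrl/SGResponseUrl; scheme and path stay."""
    for key in URL_KEYS:
        old = get_setting(root, key)
        if old is None:
            raise ValueError(f"{key} missing from appSettings")
        parts = urlsplit(old)
        if parts.scheme != "https":
            raise ValueError(f"{key} must use https, found: {old}")
        set_setting(root, key, urlunsplit(parts._replace(netloc=new_host)))


def harden(xml_text, new_host=None):
    """Return the config text with strict TLS on and, optionally, a new appliance host."""
    root = ET.fromstring(xml_text)
    if new_host:
        repoint(root, new_host)
    set_setting(root, "IgnoreCertificate", "False")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def audit(xml_text):
    """Read back the three settings an operator checks after editing."""
    root = ET.fromstring(xml_text)
    return {k: get_setting(root, k) for k in URL_KEYS + ("IgnoreCertificate",)}


def rewrite_file(path, new_host=None):
    """In-place edit with a .bak copy; run as Administrator, then restart SGBoxTask."""
    p = Path(path)
    Path(str(p) + ".bak").write_bytes(p.read_bytes())
    p.write_text(harden(p.read_text(encoding="utf-8"), new_host), encoding="utf-8")


if __name__ == "__main__":
    print(audit(harden(SAMPLE_CONFIG, "sgbox.example.internal")))
```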

Network Connectivity Checklist

If the agent is unable to communicate with the Appliance/Collector, please check the following to be sure that communication over the network is correct:

  • Check that the machine firewall does not block the requests
  • Check that the installed Antivirus does not block the requests
  • Check that no network device between the machine and the main gateway blocks or drops requests
  • Check that no GPO configuration collides with the agent requests
  • Check that the machine is enabled for communication with at least SSL 1.3

Network Requirements https://www.sgbox.eu/en/knowledge-base/network-requirements/ Tue, 30 May 2023 15:16:23 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=8649

On-Premise

The SGBox appliance must be able to communicate via HTTPS with the following address:

SGBox – Piattaforma Next Generation SIEM & SOAR

The connection is required to access updates (available in the applications section of the SCM module). The appliance/collector operating system also uses HTTP/HTTPS protocols to access Ubuntu repositories (*.ubuntu.com).

The appliance syslog server is configured to receive logs via UDP (port 514). SSH (port 22/tcp) traffic must be allowed to access the command-line interface (CLI) (both manifold and appliance).
The virtual collector (if used) and the SGBox agent for Windows (SGAgent) communicate with the appliance via HTTPS (TLS). OpenVAS (installed on the manifold and used by the SGBox NVS module) uses the Greenbone Community Feed (GCF) to keep network vulnerability tests (NVTs) up to date. The frequency of updates is daily and the synchronization activity is based on rsync. The collector must be able to access the following address via rsync protocol (port 873/tcp):

From                      To                             Port                                Mode
Client (User)             Main Appliance – WebUI         443/tcp                             HTTPS
Client (User)             Main Appliance – CLI           22/tcp                              SSH
Client (User)             Collector – CLI                22/tcp                              SSH
SGAgent                   Main appliance / collector     443/tcp                             HTTPS
Data source               Collector / Appliance          514/udp                             Syslog
Data source               Collector / Appliance          514/tcp                             Syslog
Main Appliance/Collector  apps.sgbox.it                  80/tcp, 443/tcp                     HTTP/S
Main Appliance/Collector  *.ubuntu.com                   80/tcp, 443/tcp                     HTTP/S
Collector                 feed.community.greenbone.net   873/tcp                             rsync
Main Appliance            Non-syslog data sources        e.g. 1433/tcp, 1521/tcp, 443/tcp    DB, other
Main Appliance            Active Directory (LDAP)        389/tcp, 636/tcp                    LDAP/LDAPS
Client (User)             Collector (OpenVAS)            4000/tcp                            OpenVAS console HTTPS
Appliance                 Appliance                      4000/tcp                            HTTPS


On-Cloud

The main difference from on-premise is that only the collector must communicate with our cloud on port 443/tcp (HTTPS).

Syslog configuration on OpenSuse https://www.sgbox.eu/en/knowledge-base/syslog-configuration-on-opensuse/ Wed, 15 Mar 2023 14:56:15 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=8504

In a Linux environment it is not necessary to install a specific agent to send logs to SGBox. The syslog protocol is used.

If needed, bring up the interface and configure the IP address and default gateway (example addresses):

ifup eth0
ip a add 192.168.1.200/24 dev eth0
ip route add default via 192.168.1.254

If not already present, install the rsyslog package.

zypper refresh
zypper update
zypper install vim
zypper install rsyslog
systemctl start rsyslog
systemctl enable rsyslog

Edit the rsyslog.conf file:

vi /etc/rsyslog.conf

Add the following line after $IncludeConfig /etc/rsyslog.d/*.conf in order to forward all logs. Either the IP address or the hostname of SGBox can be used (a single @ sends over UDP, port 514 by default; @@ would use TCP):

*.* @SGBox-IP

Restart the rsyslog daemon to load the new configuration and start sending logs:

systemctl restart rsyslog

Logs, by default, are stored in /var/log/messages.

Input Logs Methods https://www.sgbox.eu/en/knowledge-base/input-logs-methods/ Mon, 13 Mar 2023 10:46:00 +0000 http://10.253.1.91/?post_type=epkb_post_type_1&p=8401
Below are the principal methods to send data to the Appliance or Collector.

Supported         System                                                                      Method                          Link
✔                 Windows (.NET 4.0+)                                                         Windows Agent                   Windows Agent Guide
✔ (Recommended)   Any system that supports the syslog protocol RFC5424 / RFC3164 via UDP/TCP   Syslog / rsyslog                Syslog configuration example
✔                 Any Unix system with rsyslog installed                                      rsyslog read files              rsyslog Read Custom Files
✔                 Application Databases (no Collector compatibility)                          read table on DB                MySQL, Oracle DB, MSSQL
✔ (Legacy)        Any system that sends files through sFTP (no Collector compatibility)       passive sFTP Import Directory   Directory Import – SGBox