The Snare Central collection subsystem is a robust group of services that are capable of retrieving data from a variety of different sources, and a range of protocols.
| Info |
|---|
|
The following services listen on Snare Central network interfaces, and receive audit and event log data.
...
It is rare that data arriving via syslog provides consistent information that identifies the log source. Usually, Snare will have to scan each incoming event, line-by-line, and pattern match against a series of potential log format templates in order to match a particular event to a log format such as PIX or perhaps Unix SUDO log data. As such, the speed of collection through syslog, is approximately 20% lower than that of the primary collection port.
TLS Syslog: Port 6514, TLS
A dedicated port for receiving syslog events over TLS protocol.
SNMPTrap: Port 162, UDP
SNMP traps are used for logging in a number of older network-related appliances. Snare Central can receive snmptrap data, and make it available for analysis from within the Snare Central interface.
| Tip |
|---|
| MIB (management information base) files are not supported by Snare Central. SNMPTrap messages that rely on MIB files for decoding content, will still be processed - but may be presented with the original numeric content included, rather than the translated/enhanced text-based content. FTOKENs, as described in the documentation above, can be implemented to provide translations for often-monitored events. |
TLS Server: Port 6163
Several newer Snare agents Agents are capable of sending data over a TLS encrypted connection. The Snare Central TLS Server port can receive such data, and integrate the data into the normal Snare Central collection framework.
...