The steps below recommend initial settings for Snare Agents. As dedicated tables exist for all of the agents mentioned below, the standard syslog systems must not be used (this will ensure the correct handling of data by the Snare Central). The use of the Snare via the web user interface (UI) is recommended (the user friendly interface will maintain the appropriate syntax and formatting) and instructions to enable this service will be detailed where applicable.
...
For all UNIX-based agents, the following section should be included in the configuration file to enable remote control capabilities. The user friendly interface will maintain the appropriate syntax and formatting of the Snare configuration files, while also allowing the Snare Central to contact its agents to check their individual configuration settings.
...
- Specify the log files that Epilog should monitor.
- Set the destination server to the Snare Central IP address or hostname.
- Syslog option must not be used when sending logs to a Snare Central so that all events are processed correctly by the Snare Central.
- Send event to TCP or UDP port 6161.
- UDP is recommended for faster and more efficient use of host and network resources.
- Generally, events will be stored in the Snare Central GenericLog table.
...