Snare Enterprise Agent for Windows

For Version 5 agents

From your Snare Enterprise Agent, navigate to the Destination Configuration page and update the following settings:

  • Under Network Destinations set:

    To send logs to QRadar via Snare Central:

    • Domain/IP to your Snare Central destination

    • Port to 6161

    • Protocol to UDP or TCP (recommended)

    • Format to SNARE

    To send logs directly to QRadar:

    • Domain/IP to your QRadar destination

    • Port to 514

    • Protocol to UDP or TCP (recommended)

    • Format to SYSLOG (RFC3164) or other. LEEF may be used, though the Port will then also need updating.

  • Under General Destination Options set:

    • Select the Host IP As Source checkbox. On saving the page, the Override Hostname field will be populated.

  • Select Update Destinations to save your page settings.

...

  • Click the Apply Configuration & Restart Service menu item to update the registry.

...

For Version 4 agents (legacy)

From your Snare Enterprise Agent, navigate to the Network Configuration page and update the following settings:

...

Select the Use Host IP Address Override for source address checkbox. On saving the page, the Override detected DNS Name with field will be populated.

...

Set Destination Port to 514

...

Select UDP or TCP (recommended) protocol

...

...

Set SYSLOG Header Format to Syslog.

Select Change Configuration to save your settings, then select Apply the Latest Audit Configuration to update the registry.

Snare Central Server

The Snare Central Server Collector / Reflector is a very flexible tool for filtering and editing event log data. It is capable of filtering events on a per-destination basis. It can convert data from one format to another, and it can even modify the event information on the fly to suit your target SIEM server or syslog destination.

Navigate to System : Administrative Tools : Configure Collector/Reflector and select Configure Settings > Destinations. Update the following:

  • Enter the destination FQDN or IP address

  • Type in 514 for Port

  • Select TCP for Protocol; unlike UDP, TCP delivery is acknowledged, so events are not silently dropped under load or packet loss

  • Select Destination Format QRadar

  • Apply filtering or data tagging in the additional fields as needed

...

When sending logs to Snare Central to be reflected to QRadar, it is best to send them from the agent to Snare Central in SNARE format and then have Snare Central use the QRadar destination format as above. The agent should also use the host IP as a source override: every reflected event reaches QRadar from the reflector's address, so the host field in the syslog header is what lets QRadar attribute the event to the originating Windows host rather than to Snare Central.
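The following is an added example, not Snare or IBM code, that shows what the settings above produce on the wire: it builds an RFC 3164 syslog line whose header host is the agent's IP (the effect of the Host IP As Source override), sends it over UDP or TCP the way the agent would, and parses the header back to confirm which host field a collector such as QRadar will see. The loopback collector stands in for QRadar or Snare Central; the hostname, IP address, timestamp and event text are constructed, and the `MSWinEventLog` tag is used only as an illustrative syslog tag.

```python
"""Added example (not Snare or IBM code): RFC 3164 syslog round trip over
UDP/TCP with the source host set to the agent IP, as the page recommends.
All hosts, IPs and event text below are constructed for illustration."""
import datetime
import re
import socket
import threading

SYSLOG_PORT = 514  # direct-to-QRadar port used on the page (not used by the loopback test)


def build_rfc3164(hostname, tag, message, facility=1, severity=5, ts=None):
    """Return one RFC 3164 line: '<PRI>Mmm dd hh:mm:ss HOST TAG: message'.
    PRI = facility*8 + severity; facility 1 (user) + severity 5 (notice) = <13>.
    The day is space-padded, as RFC 3164 requires."""
    ts = ts or datetime.datetime.now()
    stamp = f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {message}"


HEADER_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S
)


def parse_rfc3164(line):
    """Split an RFC 3164 line into PRI components, timestamp, host and body.
    The 'host' field is what a SIEM uses to attribute the event to its source."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m.group(1))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2),
        "host": m.group(3),
        "body": m.group(4),
    }


def send_syslog(line, host, port, proto="tcp"):
    """Deliver one syslog line. UDP is one datagram per event; TCP is a byte
    stream with no datagram boundary, so each event is framed with a newline."""
    data = line.encode()
    if proto.lower() == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    else:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data + b"\n")


def loopback_roundtrip(line, proto="tcp"):
    """Start a throwaway collector on 127.0.0.1 (an ephemeral port), send the
    line to it with send_syslog and return the text that arrived."""
    received = []
    if proto.lower() == "udp":
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(5)

        def recv():
            received.append(srv.recv(65535).decode())
    else:
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        srv.settimeout(5)

        def recv():
            conn, _ = srv.accept()
            with conn:
                buf = b""
                while not buf.endswith(b"\n"):  # read until the newline frame ends
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
            received.append(buf.decode())

    port = srv.getsockname()[1]
    t = threading.Thread(target=recv)
    t.start()
    try:
        send_syslog(line, "127.0.0.1", port, proto)
        t.join(5)
    finally:
        srv.close()
    return received[0] if received else None


if __name__ == "__main__":
    # Constructed event: with the override set, the header host is the agent IP,
    # so a reflected event is still attributed to the Windows host, not the reflector.
    event = build_rfc3164("10.0.0.5", "MSWinEventLog", "Security 4624 An account was successfully logged on")
    for proto in ("udp", "tcp"):
        print(proto, parse_rfc3164(loopback_roundtrip(event, proto)))
```

Running the script sends the same event over both transports and prints the parsed header each time; the `host` field reads `10.0.0.5` in both cases, which is the value QRadar would key its log source on. Pointing `send_syslog` at a real collector on `SYSLOG_PORT` with TCP is a quick way to confirm the path is open before restarting the agent service.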