...

  • Domain / IP. Enter the domain name or IP address of the destination server you are sending the event logs to.

  • Port. Snare Server users should only send events to port 6161 for native UDP or TCP, or port 6163 for TLS. To send data via Syslog, port 514 is recommended unless the destination is configured to receive on a non-standard UDP port. To configure rsyslog to accept TLS/SSL encrypted messages, refer to http://www.rsyslog.com/doc/rsyslog_tls.html .

  • Protocol. Select the protocol you would like the agent to use when sending events:

    • UDP, by the nature of the protocol, may result in messages being lost and never captured by the syslog destination server.

    • TCP provides reliable message delivery.

    • TLS encrypts the TCP connection to the destination server, protecting messages from eavesdropping while in transit. For TLS the TCP feature TCP_NODELAY is enabled; this prevents TCP buffering by the operating system and so reduces the lag when the agent sends events via TCP.

    • TLS_AUTH is an extension of the TLS format. A TLS_AUTH connection can only be established between the agent and a destination if both have the same TLS Authentication Key (see next).

  • TLS Auth Key. This is the authentication key used by the TLS_AUTH protocol. Both the agent and the destination must be configured with exactly the same TLS Authentication Key for a TLS_AUTH connection to succeed.

  • Format. Select a suitable format for the event log records forwarded to this destination:

| Format | Description | Destination Applications |
|---|---|---|
| SNARE | Proprietary Snare format, comprised of a Snare header and tab-delimited tokens | Snare Central |
| SNARE V2 (available since v5.5.0) | A more detailed Snare format, comprised of a Snare header and event details in JSON format | Snare Central v8.4.0 or newer |
| SYSLOG (RFC3164) | SYSLOG (RFC3164) header and tab-delimited tokens message | IBM QRadar; Dell Secureworks; other 3rd party SIEM systems; Snare Central (usually for forwarding to other SIEMs) |
| SYSLOG Alt (RFC5424 Compatible) | Same as the SYSLOG (RFC3164) format, with the event priority added in square brackets at the end of the header | ArcSight; other 3rd party SIEM systems; Snare Central (usually for forwarding to other SIEMs) |
| SYSLOG (RFC5424) | SYSLOG (RFC5424) header and tab-delimited tokens message | 3rd party SIEMs that require the latest Syslog standard format; Snare Central (usually for forwarding to other SIEMs) |
| CEF | ArcSight Common Event Format (CEF) | ArcSight; Snare Central (usually for forwarding to other SIEMs) |
| LEEF | IBM Log Event Extended Format (LEEF) | IBM QRadar; Snare Central (usually for forwarding to other SIEMs) |
| SYSLOG JSON (available since v5.5.0) | SYSLOG (RFC5424) header and event details in JSON format | |

  • Delimiter Character. Allows each destination to have its own delimiter: tab, comma, vertical bar or space. By default the delimiter is a tab character. This setting is saved to the registry. To define a custom delimiter, select Custom from the drop-down and enter the character in the input field.
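To make the format and delimiter choices above concrete, the following is an added example (not part of the Snare documentation or the agent's own code) of how a receiver parses the forwarded lines: it recognises an RFC3164 or RFC5424 syslog header, decodes the PRI into facility and severity, takes a JSON body (the SNARE V2 / SYSLOG JSON layouts) as a dict, and otherwise splits the body on the configured delimiter character. The sample lines, host names and token values are constructed; the token names do not reproduce the agent's real field layout, and the placement of the SYSLOG Alt bracketed priority directly after the hostname is an assumption for illustration. It also shows why the delimiter matters: a space delimiter splits any field that itself contains spaces.

```python
import json
import re
from typing import Any, Dict, List, Union

# Delimiter choices offered by the "Delimiter Character" setting; anything
# else passed to parse_line is treated as a single custom character.
DELIMITERS = {"tab": "\t", "comma": ",", "vertical bar": "|", "space": " "}

# RFC3164-style header: <PRI>Mmm dd hh:mm:ss hostname MESSAGE
# The optional "[n]" group models the SYSLOG Alt variant's bracketed event
# priority at the end of the header (assumed placement; illustrative only).
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:\[(?P<evprio>\d+)\] )?"
    r"(?P<msg>.*)$",
    re.S,
)

# RFC5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.S,
)


def parse_payload(msg: str, delim: str) -> Union[List[str], Dict[str, Any]]:
    """JSON bodies (SNARE V2 / SYSLOG JSON) become a dict; anything else is
    split on the configured delimiter character, as a SIEM parser would."""
    if not msg:
        return []
    if msg.lstrip().startswith("{"):
        try:
            return json.loads(msg)
        except json.JSONDecodeError:
            pass  # not valid JSON after all: fall through to delimited text
    return msg.split(delim)


def parse_line(line: str, delimiter: str = "tab") -> Dict[str, Any]:
    """Parse one forwarded event line into header fields plus payload."""
    delim = DELIMITERS.get(delimiter, delimiter)
    if len(delim) != 1:
        raise ValueError("delimiter must be a single character")
    line = line.rstrip("\r\n")
    rfc, m = "5424", RFC5424_RE.match(line)
    if m is None:
        rfc, m = "3164", RFC3164_RE.match(line)
    if m is None:
        raise ValueError("unrecognised syslog header: %r" % line[:40])
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    record = {
        "rfc": rfc,
        "facility": facility,
        "severity": severity,
        "host": m.group("host"),
        "event_priority": None,
        "payload": parse_payload(m.group("msg") or "", delim),
    }
    if rfc == "3164" and m.group("evprio") is not None:
        record["event_priority"] = int(m.group("evprio"))
    return record


def delimiter_collides(line: str, configured: str, candidate: str) -> bool:
    """True when the candidate delimiter character occurs inside a field of
    the correctly split payload, so switching to it would break that field."""
    delim = DELIMITERS.get(candidate, candidate)
    payload = parse_line(line, configured)["payload"]
    return isinstance(payload, list) and any(delim in tok for tok in payload)


# Constructed sample lines. Token names and values are illustrative and do
# not claim to reproduce the agent's real field layout.
SAMPLE_3164 = "<13>Mar  4 09:15:22 winhost01 Security\t4624\tAn account was logged on\tjdoe"
SAMPLE_3164_ALT = "<13>Mar  4 09:15:22 winhost01 [2] Security\t4624\tAn account was logged on\tjdoe"
SAMPLE_3164_PIPE = "<13>Mar  4 09:15:22 winhost01 Security|4624|jdoe"
SAMPLE_5424_TOKENS = (
    '<14>1 2024-03-04T09:15:22Z winhost01 eventlog 1234 ID47 '
    '[exampleSDID@32473 iut="3"] Security\t4624\tjdoe'
)
SAMPLE_5424_JSON = (
    '<14>1 2024-03-04T09:15:22Z winhost01 eventlog - - - '
    '{"EventID": 4624, "User": "jdoe"}'
)

if __name__ == "__main__":
    for sample in (SAMPLE_3164, SAMPLE_3164_ALT, SAMPLE_5424_TOKENS, SAMPLE_5424_JSON):
        print(parse_line(sample))
    print(parse_line(SAMPLE_3164_PIPE, delimiter="vertical bar"))
    # A space delimiter would split the "An account was logged on" field apart.
    print("space delimiter collides:", delimiter_collides(SAMPLE_3164, "tab", "space"))
```

The receiver's delimiter must match the one configured on this destination: parsing the pipe-separated sample with the default tab delimiter yields a single token, and `delimiter_collides` is the check to run over a sample of real events before choosing space or comma, since either character routinely appears inside event text fields.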

...

Tip

File Destinations must be created one at a time. To add another row for a further File Destination, click the Update Destinations button to confirm the addition of the new File Destination. Once the new File Destination has been created, a new empty row is made available.

File Destinations can be removed by clearing the Path & Filename field and clicking Update Destinations.

Note

The purpose of the file destination is to store a copy of each event that is successfully sent to at least one network destination. If there is no network destination, or all network destinations are down, no event will be written to the file destination. If events need to be stored locally in a file destination only, a dummy UDP network destination must be added.

Hostname Options

These settings modify the hostname associated with the processed event log.

...

To save the changes to the above settings, and to ensure the audit daemon has received the new configuration, perform the following:

  1. Click on Update Destinations to save any changes to the registry.

  2. Click on the Apply Configuration & Restart Service menu item.