This page enables you to configure network and file destinations. General settings apply to all destinations of any type.
It also allows you to configure additional data to be included in each event log record generated by the agent.
Network Destinations
Multiple destinations per protocol may be configured to send the events to your SIEM by setting the following parameters:
- Domain / IP. Enter the domain name or IP address of the destination server you are sending the event logs to.
- Port. Snare Server users should only send events to port 6161 in native UDP or TCP, or 6163 for TLS. To send data via Syslog, port 514 is recommended unless the destination is configured to receive on a non-standard UDP port. To configure rsyslog to accept TLS/SSL-encrypted messages, refer to http://www.rsyslog.com/doc/rsyslog_tls.html .
- Protocol. Select the protocol you would like the agent to use when sending events:
- UDP, by the nature of the protocol, may result in messages being lost and never captured by the syslog destination server.
- TCP will provide reliable message delivery.
- TLS will encrypt a TCP connection to the destination server, protecting messages from eavesdropping while in transit. For TLS, the TCP_NODELAY socket option is enabled, which prevents TCP buffering by the operating system and thereby reduces the lag when the agent sends events via TCP.
- TLS_AUTH is an extension of TLS. A TLS_AUTH connection can only be established between the agent and a destination if both have the same TLS Authentication Key (see next).
- TLS Auth Key. This is the authentication key used by the TLS_AUTH protocol. Both the agent and the destination must be configured with exactly the same TLS Authentication Key for a TLS_AUTH connection to succeed.
- Format. Select a suitable format for the event log records forwarded to this destination:

| Format | Description | Destination Applications |
|---|---|---|
| SNARE | Proprietary Snare format, comprised of a Snare header and tab-delimited tokens | Snare Central |
| SNARE V2 * | A more detailed Snare format, comprised of a Snare header and event details in JSON format | Snare Central v8.4.0 or newer |
| SYSLOG (RFC3164) | SYSLOG (RFC3164) header and tab-delimited tokens message | IBM QRadar; Dell Secureworks; other 3rd party SIEM systems; Snare Central (usually for forwarding to other SIEMs) |
| SYSLOG Alt (RFC5424 Compatible) | Same as the SYSLOG (RFC3164) format, with the addition of the event priority in square brackets at the end of the header | ArcSight; other 3rd party SIEM systems; Snare Central (usually for forwarding to other SIEMs) |
| SYSLOG (RFC5424) | SYSLOG (RFC5424) header and tab-delimited tokens message | 3rd party SIEMs that require the latest Syslog standard format; Snare Central (usually for forwarding to other SIEMs) |
| CEF | ArcSight Common Event Format (CEF) | ArcSight; Snare Central (usually for forwarding to other SIEMs) |
| LEEF | IBM Log Event Extended Format (LEEF) | IBM QRadar; Snare Central (usually for forwarding to other SIEMs) |
| SYSLOG JSON * | SYSLOG (RFC5424) header and event details in JSON format | Splunk (see Snare Agents and Splunk on how to set up the Splunk recogniser); other 3rd party SIEM systems |

\* available since v5.5.0
- Delimiter Character. Allows each destination to have an individual delimiter: tab, comma, vertical bar or space. By default the delimiter is a tab character. This setting is saved to the registry. To define a custom delimiter, select Custom from the drop-down and enter the character in the input field.
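The SYSLOG (RFC3164) and SYSLOG Alt formats above, together with the per-destination Delimiter Character, determine how a receiving SIEM has to split a record. The following parser is an added example written for this page, not code from the Snare agent: it decodes the RFC3164 PRI into facility and severity, picks up the SYSLOG Alt event priority in square brackets, and splits the message on whatever delimiter the destination was configured with. The exact placement of the bracketed priority after the hostname, and the sample records and their token values, are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC3164 header as emitted for the SYSLOG / SYSLOG Alt formats:
# "<PRI>Mmm dd hh:mm:ss HOSTNAME" followed by the delimited token message.
# SYSLOG Alt appends the event priority in square brackets at the end of the
# header; placing it directly after the hostname is an assumption here.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>[^\s\[]+)"
    r"(?:\s*\[(?P<prio>\d+)\])?"
)

@dataclass
class SnareSyslogRecord:
    facility: int
    severity: int
    timestamp: str
    host: str
    event_priority: Optional[int]   # only present for SYSLOG Alt records
    tokens: List[str]

def parse_record(line: str, delimiter: str = "\t") -> SnareSyslogRecord:
    """Split a SYSLOG (RFC3164) or SYSLOG Alt record into header fields and tokens.

    `delimiter` must match the Delimiter Character configured for the destination
    (tab by default; comma, vertical bar, space or a custom character otherwise).
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC3164-style record: %r" % line[:40])
    pri = int(m.group("pri"))
    if pri > 191:                       # RFC3164 PRI is facility*8 + severity, max 191
        raise ValueError("PRI out of range: %d" % pri)
    body = line[m.end():]
    if body.startswith(delimiter):      # header and first token are delimiter-separated
        body = body[len(delimiter):]
    tokens = body.split(delimiter) if body else []
    return SnareSyslogRecord(
        facility=pri >> 3, severity=pri & 7, timestamp=m.group("ts"),
        host=m.group("host"),
        event_priority=int(m.group("prio")) if m.group("prio") else None,
        tokens=tokens,
    )

# Constructed sample records (not captured from an agent); the page does not define
# the meaning of individual tokens, so they are treated as opaque delimited fields.
SAMPLE_RFC3164 = "<13>Jan  5 10:04:17 WIN-HOST01\tEventLog\t1\tSecurity\t4624\tLogon succeeded"
SAMPLE_ALT = "<13>Jan  5 10:04:17 WIN-HOST01 [2]|EventLog|1|Security|4624|Logon succeeded"
```

Feeding a record through `parse_record` with the wrong delimiter yields a single oversized token, which is a quick way to spot a mismatch between the agent's Delimiter Character and the SIEM's parser.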
...