...
- Domain / IP. Enter the domain name or IP address of the destination server you are sending the event logs to.
- Port. Snare Server users should only send events to port 6161 in native UDP or TCP, or 6163 for TLS. To send data via Syslog, port 514 is recommended unless the destination is configured to receive on a non-standard UDP port. To send data to a destination using mTLS, use the port the destination is configured for (for example, port 443 is usually used to send events to Devo). To configure rsyslog to use TLS/SSL encrypted messages refer to http://www.rsyslog.com/doc/rsyslog_tls.html.
- Protocol. Select the protocol you would like the agent to use when sending events:
  - UDP, by the nature of the protocol, may result in messages being lost and not captured by the syslog destination server.
  - TCP will provide reliable message delivery.
  - TLS will encrypt a TCP connection to the destination server, protecting messages from eavesdropping while in transit. For TLS, the TCP feature TCP_NODELAY is enabled, which prevents TCP buffering by the Operating System, thereby reducing the lag when the agent is sending events via TCP.
  - TLS_AUTH is an extension of the TLS format. A TLS_AUTH connection can only be established between the agent and a destination if both have the same TLS Authentication Key (see TLS Auth Key below).
  - mTLS (mutual TLS) will encrypt a TCP connection to the destination server, ensuring that both the client and the server authenticate each other, and protecting messages from eavesdropping while in transit. For mTLS, the TCP feature TCP_NODELAY is enabled, preventing TCP buffering by the Operating System, thereby reducing lag when the agent is sending events via TCP.
- mTLS Certificate. The mTLS Certificate (client certificate) is a key part of the mutual TLS process, as it allows the client to prove its identity to the server during the TLS handshake. Unlike regular TLS, where only the server presents a certificate, in mTLS the client must also present its own certificate, which the server verifies before establishing a secure, encrypted connection. This ensures that both parties are mutually authenticated and trusted. Note: this field is used only when the mTLS protocol is selected. The certificate and its chain of trust are expected to be installed on the machine as a prerequisite to using it in the Agent. To install certificates refer to Appendix .
- TLS Auth Key. This is the authentication key used by the TLS_AUTH protocol. Both the agent and the destination should be configured with exactly the same TLS Authentication key for a successful TLS_AUTH connection.
- Format. Select the suitable format for the event log records forwarded to this destination:

| Format | Description | Destination Applications |
|---|---|---|
| SNARE | Proprietary Snare format, comprised of a Snare header and tab-delimited tokens | Snare Central |
| SNARE V2 (available since v5.5.0) | A more detailed Snare format, comprised of a Snare header and event details in JSON format | Snare Central v8.4.0 or newer |
| SYSLOG (RFC3164) | SYSLOG (RFC3164) header and tab-delimited tokens message | IBM QRadar; Dell Secureworks; other 3rd party SIEM systems; Snare Central (usually for forwarding to other SIEMs) |
| SYSLOG Alt (RFC5424 Compatible) | Same as the SYSLOG (RFC3164) format, with the addition of the event priority in square brackets at the end of the header | ArcSight; other 3rd party SIEM systems; Snare Central (usually for forwarding to other SIEMs) |
| SYSLOG (RFC5424) | SYSLOG (RFC5424) header and tab-delimited tokens message | 3rd party SIEMs that require the latest Syslog standard format; Snare Central (usually for forwarding to other SIEMs) |
| CEF | ArcSight Common Event Format (CEF) | ArcSight; Snare Central (usually for forwarding to other SIEMs) |
| LEEF | IBM Log Event Extended Format (LEEF) | IBM QRadar; Snare Central (usually for forwarding to other SIEMs) |
| SYSLOG JSON (available since v5.5.0) | SYSLOG (RFC5424) header and event details in JSON format | Splunk (see Snare Agents and Splunk on how to set up the Splunk recogniser); other 3rd party SIEM systems |
| DEVO (available since v5.9.0) | Devo SYSLOG (RFC5424) header carrying a special tag that the Devo ELB uses to identify the data, followed by a tab-delimited tokens message | Devo ELB |
| DEVO JSON (available since v5.9.0) | SYSLOG (RFC5424) header with the special DEVO tag and event details in JSON format | Devo ELB |
- Delimiter Character. Allows each destination to have an individual delimiter, including tab, comma, vertical bar and space. By default the delimiter is a tab character. This setting is saved to the registry. To define a custom delimiter, select Custom from the drop-down and enter the character in the input field.
...