...
Replicate Filters: If you have custom filters in NXLog (e.g., specific regex patterns for parsing logs), you will need to replicate these with Snare Agents.
File (im_file): filters are applied within “Log Files Filters”, found under “Log sources” in the left-hand navigation menu. Regex filters can be applied as either include or exclude policies to filter data.
File Activity Monitoring (im_filemon): filters are applied within the policy itself. Filters can be applied by event type, inclusion scope, utilised permissions, general regex match and user match.
Registry Activity Monitoring (im_regmon): filters are applied within the policy itself. Filters can be applied by event type, inclusion scope, utilised permissions, general regex match and user match.
Windows Event Logs (im_mseventlog & im_msvistalog): filters are applied within the policy itself, alongside the event log channels the policy collects.
Windows Performance Counters (im_winperfcount): filters are applied within the policy itself. The collection frequency and the counters to collect are configured here.
Define Processing Rules: Snare provides predefined rules for log enrichment, formatting and transformation; more complex parsing may require manual scripting or working with Snare's support team.
c. Log Forwarding
NXLog: You may be forwarding logs to external destinations such as a SIEM or syslog server using the output directive.
Snare: Similarly, Snare allows you to forward logs to multiple destinations in various formats.
...
Define Output Destinations: Configure destinations under the “Destination Configuration” section of the agent GUI, specifying the address, port, protocol type (TCP, UDP, TLS, TLS_Auth & MTLS) and an output format. The delimiter used by a format can also be adjusted on a per-destination basis. For this migration, set the destination IP to the IP of the Snare Reflector, the port to 6161, the protocol to TCP and the format to “Snare”. Note that plain TCP carries events unencrypted; use TLS or MTLS on this hop unless the agent-to-reflector path is on a trusted network segment.
Test Output Delivery: Run tests to ensure that logs are forwarded correctly to your SIEM, syslog server or any other destination.
Configure Snare Reflector: Create new destinations within the reflector for the specific log types being collected.
Log type | Format in Reflector | Filter regex (include) | Filter comments | Notes |
---|---|---|---|---|
Apache Web Server | Syslog RFC 3164 | ApacheLog | | Set “Log Type” in the log file policy to “Apache”. |
Microsoft ADFS | Raw | AD FS/Admin | | |
Microsoft Defender | Raw | Microsoft-Windows-Windows Defender/Operational | | |
Microsoft DHCP | Syslog RFC 3164 | MSSQL\$MICROSOFT##WID\|MSSQLSERVER | Replace MSSQLSERVER with the instance name. | Set “Log Type” in the log file policy to “DHCP”. |
Microsoft DNS Server | Syslog RFC 3164 | MSDNSServer | | Set “Log Type” in the log file policy to “DNS”. |
Microsoft Exchange Parser | Syslog RFC 3164 | ExchangeLog | | “Custom” log type specified in the policy; set it to "ExchangeLog". |
Microsoft IIS Server | Syslog RFC 3164 | IISWebLog | | Set “Log Type” in the log file policy to “IIS”. |
Microsoft Windows PowerShell | Syslog RFC 3164 | Microsoft-Windows-PowerShell/Operational | | |
Microsoft Windows Snare Application | Raw | MSWinEventLog | | One destination and one policy are required for Security, Application and System. |
Microsoft Windows Snare Security | Raw | MSWinEventLog | | See above. |
Microsoft Windows Snare System | Raw | MSWinEventLog | | See above. |
Microsoft Windows Sysmon | Raw | Microsoft-Windows-Sysmon/Operational | | |
Microsoft Windows Sysmon | Syslog | Microsoft-Windows-Sysmon/Operational | | |
RADIUS_NPS | Syslog RFC 3164 | RadiusLog | | “Custom” log type specified in the policy; set it to "RadiusLog". |
Windows MSSQL Via Syslog SNARE | Raw | MSSQL\$MICROSOFT##WID\|MSSQLSERVER | Replace MSSQLSERVER with the instance name. | |
Windows MSSQL Via Syslog SNARE | Syslog RFC 3164 | MSSQL\$MICROSOFT##WID\|MSSQLSERVER | Replace MSSQLSERVER with the instance name. | |
Note: A port for ingestion of each type will need to be created in Securonix first.
Test Output Delivery: Log into Securonix and check that logs are being received under the specified “Activities” using Spotter. Ensure the necessary ports are open for communication between the reflector and Securonix.
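The reflector table above uses substring-style include regexes, and every Windows event in Snare format carries the MSWinEventLog header in its second field, so the pattern for the generic Windows Security/Application/System destination also matches Sysmon, PowerShell and other channel events that have their own destinations. The following Python script is an added example, not code from this page or from Snare: it applies the table's include patterns to constructed sample events, reports which samples would reach more than one destination, shows a narrowed include pattern for the generic Windows destination that anchors on the Snare log-name field, and includes a helper that sends one test line to the reflector on TCP 6161 for the delivery test. The host names, event contents and the tab-delimited Snare field layout are assumptions; whether the reflector delivers an event to every matching destination or only to the first depends on your reflector configuration, which the script does not model.

```python
import re
import socket

# Include regexes from the reflector destination table above, one per destination.
# The three Windows Snare destinations share one pattern, so they are collapsed here.
DESTINATIONS = {
    "Windows Snare (Security/Application/System)": r"MSWinEventLog",
    "Microsoft Windows Sysmon": r"Microsoft-Windows-Sysmon/Operational",
    "Microsoft Windows PowerShell": r"Microsoft-Windows-PowerShell/Operational",
    "Microsoft Defender": r"Microsoft-Windows-Windows Defender/Operational",
    "Microsoft ADFS": r"AD FS/Admin",
    "Microsoft IIS Server": r"IISWebLog",
    "Apache Web Server": r"ApacheLog",
    "Microsoft DNS Server": r"MSDNSServer",
    "Microsoft Exchange Parser": r"ExchangeLog",
    "RADIUS_NPS": r"RadiusLog",
    "Windows MSSQL": r"MSSQL\$MICROSOFT##WID|MSSQLSERVER",
}

# Narrowed pattern for the generic Windows destination (an added suggestion, not a
# pattern from the page): anchor on the Snare log-name field, which is assumed to be
# field 4 of the tab-delimited Snare format, so events from other channels that also
# carry the MSWinEventLog header no longer match this destination.
NARROWED = dict(DESTINATIONS)
NARROWED["Windows Snare (Security/Application/System)"] = (
    r"\tMSWinEventLog\t\d+\t(Security|Application|System)\t"
)

# Constructed sample events with hypothetical hosts and values. Assumed Snare layout:
# host, MSWinEventLog, criticality, log name, counter, time, event ID, source, user.
SAMPLES = {
    "security": "WIN-DC01\tMSWinEventLog\t1\tSecurity\t42\tMon Jan 01 10:00:00 2024\t4624\tMicrosoft-Windows-Security-Auditing\tSYSTEM",
    "sysmon": "WIN-SRV01\tMSWinEventLog\t1\tMicrosoft-Windows-Sysmon/Operational\t43\tMon Jan 01 10:00:01 2024\t1\tMicrosoft-Windows-Sysmon\tSYSTEM",
    "powershell": "WIN-SRV01\tMSWinEventLog\t1\tMicrosoft-Windows-PowerShell/Operational\t44\tMon Jan 01 10:00:02 2024\t4104\tMicrosoft-Windows-PowerShell\tjdoe",
    "mssql": "WIN-SQL01\tMSWinEventLog\t1\tApplication\t45\tMon Jan 01 10:00:03 2024\t18456\tMSSQLSERVER\tsa",
    "iis": "WIN-WEB01\tIISWebLog\t2024-01-01 10:00:04 10.0.0.5 GET /index.html - 80 - 10.0.0.9 Mozilla/5.0 200",
}


def route(line, destinations=DESTINATIONS):
    """Return the names of every destination whose include regex matches the line."""
    return [name for name, pattern in destinations.items() if re.search(pattern, line)]


def overlaps(samples, destinations=DESTINATIONS):
    """Return {sample_name: matches} for samples that would reach more than one destination."""
    result = {}
    for name, line in samples.items():
        matches = route(line, destinations)
        if len(matches) > 1:
            result[name] = matches
    return result


def send_test_event(line, host="127.0.0.1", port=6161, timeout=5.0):
    """Send one Snare-format line to a reflector over TCP (port 6161 as in the steps above).

    Returns the number of bytes sent; raises OSError if the port is closed or unreachable,
    which is the quickest way to confirm the agent-to-reflector port is actually open.
    """
    payload = (line + "\n").encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    for name, matches in overlaps(SAMPLES).items():
        print(f"{name}: matches {matches} with the table's patterns")
    for name, matches in overlaps(SAMPLES, NARROWED).items():
        print(f"{name}: still matches {matches} with the narrowed Windows pattern")
```

With the table's patterns, the Sysmon, PowerShell and MSSQL samples each match two destinations; with the narrowed Windows pattern only the MSSQL sample does, which is expected because SQL Server errors are Application-log events that the page routes to a dedicated destination as well. To exercise `send_test_event` against a real reflector, call it with the reflector's IP and then look for the event under the matching Activity in Spotter.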
...
...
4. Configuring Management
...
Verify that all logs are being collected correctly from the configured sources.
Check timestamps, log formatting, and data integrity to ensure nothing is missing or malformed.
b. Test Log
...
Ensure that logs are being processed in the same way (filtered, parsed, enriched) as they were in NXLog.
Cross-check with previously stored log data to confirm that no useful information is being lost during migration.
...
Forwarding
Test that logs are being forwarded to the correct destinations (SIEM, syslog servers, etc.).
Check for proper delivery of logs, and monitor for any delivery failures or delays.
...
c. Check agents available in SAM
Review the “all agents” section in SAM to confirm that agents are connected, online and have a license issued.
...