The Snare Central collection subsystem is a robust group of services that are capable of retrieving data from a variety of different sources, and a range of protocols.
Info |
---|
The following services listen on Snare Central network interfaces, and receive audit and event log data.
Snare Agent Logs: Port 6161, TCP & UDP
This is the default reception port for all Snare Agent log data.
Log data that is sent to this port, is generally assumed to be formatted in a certain way, in particular:
...
Tip |
---|
Although Snare Central operates a syslog collection capability, log data from Snare and Epilog agents should always be sent to this port. Sending the data to the Syslog port, will result in significant EPS rate drops, and may also result in logs that are not filed correctly in Snare's data store; leading to Windows event log data that are filed in the "Generic Log" group, and therefore cannot be used with Windows-related report templates. |
Syslog: Port 514, TCP & UDP
Snare Central operates a syslog receiver on both TCP and UDP protocols. Many devices use syslog to distribute log data to a central collection point. Network devices such as routers and firewalls often choose this log distribution method.
It is rare that data arriving via syslog provides consistent information that identifies the log source. Usually, Snare will have to scan each incoming event, line-by-line, and pattern match against a series of potential log format templates in order to match a particular event to a log format such as PIX or perhaps Unix SUDO log data. As such, the speed of collection through syslog, is approximately 20% lower than that of the primary collection port.
TLS Syslog: Port 6514, TLS
A dedicated port for receiving syslog events over TLS protocol.
SNMPTrap: Port 162, UDP
SNMP traps are used for logging in a number of older network-related appliances. Snare Central can receive snmptrap data, and make it available for analysis from within the Snare Central interface.
Tip |
---|
MIB (management information base) files are not supported by Snare Central. SNMPTrap messages that rely on MIB files for decoding content, will still be processed - but may be presented with the original numeric content included, rather than the translated/enhanced text-based content. FTOKENs, as described in the documentation above, can be implemented to provide translations for often-monitored events. |
TLS Server: Port 6163
Several newer Snare agents Agents are capable of sending data over a TLS encrypted connection. The Snare Central TLS Server port can receive such data, and integrate the data into the normal Snare Central collection framework.
TLS_AUTH Server: Port 6164
Several newer Snare agents are capable of sending data over a TLS_AUTH encrypted connection. This TLS_AUTH is an extension of TLS protocol where an agent is authenticated before any log data is received from it. For authentication purposes, a same TLS Authentication Key must be configured in Snare Central and Snare agents. A default TLS Authentication Key is set to during installation and it is strongly recommended to update it. A valid TLS Authentication Key must be between 8-4096 characters and allowed characters include A-Za-z0-9~!@$%^*\()_+=`-
Performance
The EPS collection rates of Snare Central is significantly dependent on the underlying hardware. In particular, single-core CPU speed is a reliable indicator of the system's ability to collect data.
...