DRAFT- REMOVE/UPDATE
This page enables you to configure network and file destinations. The ability to configure general settings will apply to all destinations of any type. Besides, it enables configuring additional data to be included in each event log generated by the agent.
...
Network Destinations
Multiple destinations per protocol may be configured to send the events to your SIEM by setting the following parameters:
...
Domain / IP. Enter the domain name or IP address of the destination server you are sending the event logs to.
...
Port. Snare Server users should only send events to port 6161 in native UDP or TCP, or 6163 for TLS. To send data via Syslog port 514 is recommended unless the destination is configured differently to receive on a non standard UDP port. To configure rsyslog to use TLS/SSL encrypted messages refer to http://www.rsyslog.com/doc/rsyslog_tls.html .
...
Protocol. Select the protocol you would like the agent to use when sending events:
UDP by the protocol nature may result in messages being lost and not captured by the syslog destination server.
TCP will provide reliable message delivery.
TLS will encrypt a TCP connection to the destination server, protecting messages from eavesdropping while in transit. For TLS the TCP feature TCP_NODELAY is enabled, and prevents TCP buffering by the Operating System, thereby reducing the lag when the agent is sending events via TCP.
TLS_AUTH is an extension of TLS format. A TLS_AUTH connection can only be established between agent and a destination if both have the same TLS Authentication Key (see next)
...
TLS Auth Key. This is the authentication used by TLS_AUTH protocol. Both agent and destination should configure exactly the same TLS Authentication key for successful TLS_AUTH connection.
...
Format
...
Description
...
Destination Applications
...
SNARE
...
Proprietary Snare format, comprised of Snare header and tab-delimited tokens
...
Snare Central
...
SNARE V2
* available since v5.5.0
...
A more detailed Snare format, comprised of Snare header and event details in JSON format.
...
Snare Central v8.4.0 or newer
...
SYSLOG (RFC3164)
...
SYSLOG (RFC3164) header and tab-delimited tokens message
...
IBM QRadar
Dell Secureworks
Other 3rd party SIEM systems
Snare Central (usually for forwarding to other SIEMs)
...
SYSLOG Alt (RFC5424 Compatible)
...
Same as SYSLOG (RFC3164) format, with an addition of event priority in square brackets at the end of the header.
...
ArcSight
Other 3rd party SIEM systems
Snare Central (usually for forwarding to other SIEMs)
...
SYSLOG (RFC5424)
...
SYSLOG (RFC5424) header and tab-delimited tokens message
...
3rd party SIEMs that require latest Syslog standard format
Snare Central (usually for forwarding to other SIEMs)
...
CEF
...
ArcSight Common Event Format (CEF)
...
ArcSight
Snare Central (usually for forwarding to other SIEMs)
...
LEEF
...
IBM Log Event Extended Format (LEEF)
...
IBM Qradar
Snare Central (usually for forwarding to other SIEMs)
...
SYSLOG JSON
* available since v5.5.0
...
SYSLOG (RFC5424) header and event details in JSON format
...
Splunk (See Snare Agents and Splunk on how to setup Splunk recogniser)
Other 3rd party SIEM systems
...
| Tip |
|---|
Network Destinations must be created one at time. To add another row to enable the creation of additional Network Destinations simply click the Update Destinations button to confirm the addition of the new Network Destination. Upon the creation of the new Network Destination a new empty row will be made available. Network Destinations can be removed by clearing the Domain / IP field and clicking Update Destinations. |
File Destinations
Multiple File Destinations can be setup utilizing various formats can be setup to help you log information locally or on a drive that is network shared.
...
Format. Event log records may be written to the file formatted in any of the formats described in the Network Destination section above.
...
Maximum File Size. The maximum generated size of an output file receiving events. The output file is rotated daily normally, but with this setting the file will be rotated upon reaching the maximum, within that day. Default size is 256MB.
| Tip |
|---|
File Destinations must be created one at time. To add another row to enable the creation of additional File Destinations simply click the Update Destinations button to confirm the addition of the new File Destination. Upon the creation of the new File Destination a new empty row will be made available. File Destinations can be removed by clearing the Path & Filename field and clicking Update Destinations. |
| Note |
|---|
The purpose of the file destination is to store the copy of each event that is successfully sent to at least one network destination. If there is no network destination or all network destinations are down then no event will be written to the file destination. If there is a need to store the events locally only in a file destination then a dummy UDP network destination must be added. |
Hostname Options
The settings apply to the settings to modify the hostname associated with the processed event log.
Override Hostname. Can be used to override the name that is given to the host when Windows is first installed. Unless a different name is required to be sent in the processed event log record, leave this field blank and the SnareCore service will use the default system's hostname set during installation. This includes the Dynamic DNS Names feature that automatically re-queries the DNS server for any IP Address changes every ten minutes.
Host IP As Source. Enabling this setting will use the IP address for the selected Network Adapter from the list. The source IP will replace the hostname in the log message.
General Destination Options
The settings apply to all network and file destinations.
Event Cache Size. Modify the in memory cache to be based on the number of events that the in memory cache will use up to the maximum of 65536 events. As the number of events are entered the memory setting Event Cache Size Per Destination will be automatically recalculated. This setting can be used in conjunction with the Event Log Cache Size in the General Configuration page. This setting does not need to be very large as the principle cache is the Windows event log. Combined with TCP or TLS, this option will allow the agent to cache messages if there is a network failure or the destination server is otherwise unavailable.
Event Cache Size Per Destination. As an alternate to specifying the number of events the in memory, the cache can be configured to use a maximum amount of memory per destination. Using this setting will automatically recalculate the number of events that can fit in this memory cache. This setting can be used in conjunction with the Event Log Cache Size in the General Configuration page. This setting does not need to be very large as the principle cache is the Windows event log. Combined with TCP or TLS this option will allow the agent to cache messages if there is a network failure or the destination server is otherwise unavailable.
Disk Cache. This is the path where the agent will temporarily save all unsent events if the agent needs to restart. The agent will read and send the events when it is restarted. The temporary files will be written to the Snare installation directory C:\Program Files\Snare\.
UTC Timestamp. Enables UTC (Coordinated Universal Time) timestamp format for events instead of local machine time zone format.
EPS Rate Limit. This is a hard limit on the number of events sent by the agent per second to any destination server. This EPS rate limit applies only to sending the events and not capturing the events. The EPS rate limit is to help reduce the load on slow network links or to reduce the impact on the destination SIEM servers during unexpected high event rates. For example, if the EPS rate limit is set to 50 then Snare will only send a maximum 50 log messages in a second to any destination server.
EPS Rate Limit Notification. If this option is selected then a message will be sent to the server when agent reaches the EPS rate limit. The message also include the EPS rate limit value.
EPS Notification Rate Limit. This is the time (in minutes), during that if agent reaches the EPS limit multiple times then only one EPS rate limit message will be sent to the server. This setting only works if EPS Rate Limit Notification is checked. For example, if EPS notification rate limit is set to 10 minutes then only one EPS notification message will be sent to destination server(s) regardless of how many times Snare reaches the EPS rate limit.
| Note |
|---|
The EPS rate limit settings are to help reduce the load on slow network links or to reduce the impact on the destination SIEM servers during unexpected high event rates. |
SYSLOG Facility. Specifies the subsystem that produced the message. The list displays default facility levels that is compatible with Unix.
Event Options
These settings allow you to configure additional data to be included in each event log generated by the agent.
Append Checksum to Events. This feature allows you to add the checksum at the end of every event log generated by the agent.
...
NONE: When the selected Event Source ID type is NONE, the input field is disabled and no additional data will be added to the event logs generated by the agent.
Free Text: When this option is selected, the desired ID can be specified in the input field. A valid ID can be at most 128 character long and can only contain the following characters : a-zA-Z0-9,:&_~!@%/-.*?+()^$
Registry Path: When this option is selected, the path to the Windows Registry containing the ID can be specified in the input field. The Registry path must be of the form: [ROOT_KEY]\[PATH_TO_VALUE], where ROOT_KEY is one of HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG. The ID at the specified Registry is interpreted as a string and is truncated to 128 characters if longer. Valid characters are: a-zA-Z0-9,:&_~!@%/-.*?+()^$. The ID is evaluated when the configuration is updated which is then displayed beneath the input field.
If the value in the specified Registry contains invalid character(s), then the value is sanitised by replacing the invalid character(s) with underscore(s). The sanitised value is displayed beneath the input field and is used as the Event Source ID messages.
...
| Info |
|---|
This functionality is available from version 5.9.0 |
Description
Telemetry Monitoring is a subsystem of the agent that periodically collects CPU, storage/disk, memory, and network metrics of the system on which the agent is running. The primary purpose of Telemetry Monitoring is to enable an administrator to monitor system metrics of interest appropriate actions can be taken depending on the values of the metrics.
Telemetry configurations can be created, viewed, modified and deleted from each Telemetry component page. There are 4 telemetry configuration pages for each component of the system - CPU, Disk, Memory, Network. Figure 1 shows the location of the telemetry configuration settings in the navigation tree.
In this document, the Telemetry CPU page will be described, but the other pages behave similarly.
...
Creating and Editing a Telemetry Monitor Configuration
...
When ‘Add' or 'Modify’ are selected as shown in Figure 2, the configuration editor form will be displayed as seen in Figure 3. Then the user can select the desired fields that control the telemetry data to be collected. The following procedure describes the available configuration settings and how to configure them:
Schedule Configuration: This selects the frequency at which telemetry metrics are collected from the system. A user can use the drop-down selector at the top of the form in Figure 3 to configure the collection frequency. The available options are Minutely, Hourly, Midnight, or Custom. If custom is selected, the user will be prompted with an additional textbox where a cron format time must be provided. An example may be as follows:
In this example,
*/15 * * * *was selected which schedules collection to be performed when the system time is a multiple of 15 minutes (00:00, 00:15, 00:30, …). Other examples may be:0 */6 * * *defines a schedule that runs when the time is a multiple of 6 hours (00:00, 06:00, 12:00, 18:00)0 0 1 * *defines a schedule that runs every month at midnight (1st Jan 00:00, 1st Feb 00:00, …)Metric Configuration: Users are provided checkbox options that select the metrics to be collected. For the example shown in Figure 3, there are 4 available CPU metrics that can be configured. If multiple are selected, then multiple events will be generated; there will be an event generated for each metric selected. Additionally, CPU, Disk, and Network have an associated 'InstanceName' which refers to the interface name of the component. Note that there may be multiple instances for a given telemetry type. For example, there may be a single policy for Disks as in Figure 4 below.
This results in the collection of events from each of the instances of Disk - one for storage interface on the system as is seen in the following screenshot:
The available metrics for each telemetry type are as follows:CPU:
% Idle Time
% Privileged Time
% Processor Time
% User Time
Disk:
% Free Space
Free Megabytes
Disk Write Bytes/sec
Disk Read Bytes/sec
Memory:
Available MBytes
Committed Bytes
% Committed Bytes In Use
Network:
Bytes Received/sec
Bytes Sent/sec
% Bytes Total/sec
Packets Outbound Errors
% Packets Received Errors
Severity Configuration: A severity level may be assigned to designate events based on the level of importance for quick identification for each destination format type ie., Snare, Syslog, CEF, LEEF using the drop down lists.
Snare - Critical, Priority, Warning, Information, Clear
Syslog - Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
CEF - 0 - 10, 0 is least severe and 10 is most severe
LEEF - 1 - 10, 1 is least severe and 10 is most severe
Saving and Applying Telemetry Monitor Configuration
To save and set the changes to the above settings, and to ensure the
...
registry has received the new configuration perform the following:
Click on Update Destinations Change Configuration to save any changes to the registry and to return to the Telemetry Configuration main page. It will summarise the details of the log files to monitor.
Click on the Apply Configuration & Restart Service menu item.
To review the file integrity monitoring events, click on the Latest Events menu item and select the CPU Telemetry button. This will filter the display of latest events to only CPU Telemetry events. Note that no events will be generated unless there is a valid destination configured to which to send them.
The following screenshots show an example of a Telemetry CPU Configuration and the resultant events generated.
...
For additional information about the format of Telemetry events, refer to Appendix I - Telemetry Event Format.