...
| Log type | Format in Reflector | Filter regex (include) | Filter comments | Notes |
|---|---|---|---|---|
| Apache Web Server | Syslog RFC 3164 (QRadar); ApacheLog | `\tApacheLog\t` | Set "Log Type" in log file policy as "Apache". | |
| Microsoft ADFS | Raw; Syslog RFC 3164 (QRadar) | `AD FS/Admin` | | |
| Microsoft Defender | Raw; Syslog RFC 3164 (QRadar) | `Microsoft-Windows-Windows Defender\/Operational` | | |
| Microsoft DHCP | Syslog RFC 3164 (QRadar) | `\tDHCPLog\t\d+\s\d+,\d{2}\/\d{02}\/\d{02},\d{2}:\d{02}:\d{02},` | Set "Log Type" in log file policy as "DHCP". | |
| Microsoft DNS Server | Syslog RFC 3164 (QRadar); MSDNSServer | `\tMSDNSServer\t\|Microsoft-Windows-DNSServer\/Audit` | Set "Log Type" in log file policy as "DNS". | |
| Microsoft Exchange Parser | Syslog RFC 3164 (QRadar); ExchangeLog | `\tExchangeLog\t` | "Custom" Log type specified in policy. Set as "ExchangeLog". | |
| Microsoft IIS Server | Syslog RFC 3164 (QRadar); IISWebLog | `\tIISWebLog\t` | Set "Log Type" in log file policy as "IIS". | |
| Microsoft Windows Powershell | Syslog RFC 3164 (QRadar) | `Microsoft-Windows-PowerShell\/Operational.*4104` | | |
| Microsoft Windows Snare Application | Raw; MSWinEventLog; Syslog RFC 3164 (QRadar) | `\t(Application\|Security\|System)\t\tMSWinEventLog\t` | One destination and policy required for Security, Application and System. | |
| Microsoft Windows Snare Security | Raw; MSWinEventLog; Syslog RFC 3164 (QRadar) | `\t(Application\|Security\|System)\t` | See above. | |
| Microsoft Windows Snare System | Raw; MSWinEventLog; Syslog RFC 3164 (QRadar) | `\t(Application\|Security\|System)\t` | See above. | |
| Microsoft Windows Sysmon | Raw; Syslog RFC 3164 (QRadar) | `Microsoft-Windows-Sysmon/Operational` | | |
| RADIUS_NPS | Syslog RFC 3164 (QRadar); RadiusLog | `\tRadiusLog\t` | "Custom" Log type specified in policy. Set as "RadiusLog". | |
| Windows MSSQL Via Syslog SNARE | Raw; Syslog RFC 3164 (QRadar); Syslog RFC 3164; CEF | `MSSQL\$MICROSOFT##WID\|MSSQLSERVER` | Replace MSSQLSERVER with the instance name. | |
Note: An ingestion port for each log type must be created in Securonix before the corresponding Reflector destination can deliver to it.
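To sanity-check the include filters before committing them to a Reflector destination, here is an added Python example (not part of the original page or of Snare's own tooling) that evaluates the table's regexes against constructed sample lines. It also shows why the tab-anchored patterns such as `\tApacheLog\t` do not match a stray substring, and why the MSSQL filter must carry the real instance name; the sample lines and the `PRODSQL01` instance name are assumptions.

```python
import re

# Include filters taken from the table above. Snare Reflector evaluates them
# as ordinary regular expressions, so Python's re module behaves the same way.
INCLUDE_FILTERS = {
    "Apache Web Server": r"\tApacheLog\t",
    "Microsoft DHCP": r"\tDHCPLog\t\d+\s\d+,\d{2}\/\d{02}\/\d{02},\d{2}:\d{02}:\d{02},",
    "Microsoft DNS Server": r"\tMSDNSServer\t|Microsoft-Windows-DNSServer\/Audit",
    "Microsoft Windows Powershell": r"Microsoft-Windows-PowerShell\/Operational.*4104",
    "Microsoft Windows Sysmon": r"Microsoft-Windows-Sysmon/Operational",
    "Microsoft Windows Snare Security": r"\t(Application|Security|System)\t",
}


def mssql_filter(instance_name="MSSQLSERVER"):
    """Build the MSSQL include filter, substituting the SQL Server instance
    name as the table's 'Filter comments' column instructs."""
    return r"MSSQL\$MICROSOFT##WID|" + re.escape(instance_name)


def matches_mssql(line, instance_name="MSSQLSERVER"):
    """True if the line would pass the MSSQL include filter for that instance."""
    return re.search(mssql_filter(instance_name), line) is not None


def classify(line, filters=INCLUDE_FILTERS):
    """Return the log types whose include regex matches one Reflector line,
    i.e. the destinations the line would be forwarded to."""
    return [name for name, pattern in filters.items() if re.search(pattern, line)]


# Constructed sample lines (not real captures); tab separators written as \t.
SAMPLES = {
    "apache": "web01\tApacheLog\t10.0.0.5 - - [14/May/2024:13:02:55 +0000] \"GET / HTTP/1.1\" 200",
    "apache_no_tabs": "web01 ApacheLogArchive rotated",  # no tab anchors: must not match
    "dhcp": "dhcp01\tDHCPLog\t10 00,05/14/24,13:02:55,Assign,10.0.0.20,host.example.com,",
    "dns_audit": "dns01\tMicrosoft-Windows-DNSServer/Audit\t513\tZone updated",
    "ps_4104": "ws01\tMicrosoft-Windows-PowerShell/Operational\t4104\tCreating Scriptblock text",
    "ps_4103": "ws01\tMicrosoft-Windows-PowerShell/Operational\t4103\tModule logging",
    "sysmon": "ws01\tMicrosoft-Windows-Sysmon/Operational\t1\tProcess Create",
    "snare_sec": "dc01\tMSWinEventLog\t1\tSecurity\t4624\tAn account was successfully logged on",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:15s} -> {classify(line) or ['(dropped)']}")
    print("mssql named instance ->", matches_mssql("sql01\tMSSQL$PRODSQL01\t18456\tLogin failed", "PRODSQL01"))
```

Lines that match no include filter are dropped by that destination, so a test set like this catches a filter that is too narrow (the 4103 PowerShell event) before production traffic does.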
...
Deploy Snare to Production: If everything is functioning as expected, use the MSI Builder to extract the configuration from the configured Snare agent and generate an .msi file that contains both the configuration and the installation media. Follow the steps here: Creating the MSI package - Snare MSI Documentation v3 - Confluence. Then deploy the Snare agent to your production environment.
Decommission NXLog: Once Snare is confirmed to be working as expected, safely decommission your old NXLog setup.
Monitoring: Continue to monitor the Snare agents via the Snare Agent Manager (SAM) to ensure stability and performance.
...