Snare is an integration partner with Securonix and fully supports sending various types of log data to Securonix using their pre-configured parsers. This guide outlines the steps to configure the Snare agent, along with links to the Securonix documentation on how to finalise the configuration within Securonix itself.
Follow the steps outlined here to install the Snare agent: Agent Installation - Snare Windows Agent v5 Documentation - Confluence
Once the agent is installed, log in to the web UI (https://localhost:6161) and select “Destination configuration”.
Under the “Network Destinations” section, enter the domain/IP address and port of the Snare Reflector, and ensure “Format” is set to “Snare” and “Delimiter Character” is set to “Tab”.
...
the Securonix platform.
The following guides detail the required steps to configure and send log data to Securonix for supported log types:
The following table also highlights some of the high-level configurations of the Snare Reflector for sending log data into Securonix:

Datasource | Format in Reflector | Filter regex (include) | Filter comments | Notes
---|---|---|---|---
Apache Web Server | Syslog RFC 3164 | `\tApacheLog\t` | Set “Log Type” in log file policy as “Apache”. |
Microsoft ADFS | Raw | `AD FS/Admin` | |
Microsoft Defender | Raw | `Microsoft-Windows-Windows Defender/Operational` | |
Microsoft DHCP | Syslog RFC 3164 | `\tDHCPLog\t` | Replace MSSQLSERVER with instance name | Set “Log Type” in log file policy as “DHCP”.
Microsoft DNS Server | Syslog RFC 3164 | `\tMSDNSServer\t` | Set “Log Type” in log file policy as “DNS”. |
Microsoft Exchange Parser | Syslog RFC 3164 | `\tExchangeLog\t` | “Custom” Log type specified in policy. Set as "ExchangeLog". |
Microsoft IIS Server | Syslog RFC 3164 | `\tIISWebLog\t` | Set “Log Type” in log file policy as “IIS”. |
Microsoft Windows PowerShell | Syslog RFC 3164 | `Microsoft-Windows-PowerShell/Operational` | |
Microsoft Windows Snare Application | Raw | | One destination and policy required for Security, Application and System |
Microsoft Windows Snare Security | Raw | | See above |
Microsoft Windows Snare System | Raw | | See above |
Microsoft Windows Sysmon | Raw | `Microsoft-Windows-Sysmon/Operational` | |
Microsoft Windows Sysmon | Syslog | `Microsoft-Windows-Sysmon/Operational` | |
RADIUS_NPS | Syslog RFC 3164 | `RadiusLog` | “Custom” Log type specified in policy. Set as "RadiusLog". |
Windows MSSQL Via Syslog SNARE | Raw | `MSSQL\$MICROSOFT##WID\|MSSQLSERVER` | Replace MSSQLSERVER with instance name |
Windows MSSQL Via Syslog SNARE | Syslog RFC 3164 | `MSSQL\$MICROSOFT##WID\|MSSQLSERVER` | Replace MSSQLSERVER with instance name |

Note: Securonix has various parsers for log data generated and sent from Snare; details on these can be found at the links below.
- Microsoft Windows Security Logs
- Microsoft Corporation Windows Snare Syslog System
- Microsoft Corporation Windows Snare Syslog Application
- Microsoft Windows MSSQL Via syslog SNARE
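To check the include filters from the table above against sample events before committing them to the Reflector, here is an added Python example (not code from Snare or Securonix). It applies the page's own regexes to constructed tab-delimited records, which is why the Tab delimiter chosen in the agent destination matters, and shows the effect of the "Replace MSSQLSERVER with instance name" note; the record layout and the literal-substitution reading of that note are assumptions.

```python
import re

# Include-filter regexes exactly as listed in the Reflector table on this page.
# Raw strings keep the backslashes, so "\t" is interpreted by the regex engine
# (as it is in the Reflector UI), not by Python.
INCLUDE_FILTERS = {
    "Apache Web Server": r"\tApacheLog\t",
    "Microsoft DHCP": r"\tDHCPLog\t",
    "Microsoft DNS Server": r"\tMSDNSServer\t",
    "Microsoft Exchange Parser": r"\tExchangeLog\t",
    "Microsoft IIS Server": r"\tIISWebLog\t",
    "Microsoft Windows PowerShell": r"Microsoft-Windows-PowerShell/Operational",
    "Microsoft Windows Sysmon": r"Microsoft-Windows-Sysmon/Operational",
    "RADIUS_NPS": r"RadiusLog",
    "Windows MSSQL Via Syslog SNARE": r"MSSQL\$MICROSOFT##WID|MSSQLSERVER",
}
COMPILED = {name: re.compile(pattern) for name, pattern in INCLUDE_FILTERS.items()}


def route(record: str) -> list[str]:
    """Return every datasource whose include filter matches one Snare record."""
    return [name for name, rx in COMPILED.items() if rx.search(record)]


def matches(pattern: str, record: str) -> bool:
    """True if a single include-filter regex matches the record."""
    return re.search(pattern, record) is not None


def mssql_include_filter(instance_name: str) -> str:
    """Apply the table's note 'Replace MSSQLSERVER with instance name' (assumed
    to mean a literal substitution of that token), escaping the instance name."""
    return INCLUDE_FILTERS["Windows MSSQL Via Syslog SNARE"].replace(
        "MSSQLSERVER", re.escape(instance_name))


# Constructed sample records with a simplified Snare tab-delimited layout:
# <host> TAB <log type token> TAB <payload...>. Not captured from a real agent.
SAMPLES = {
    "apache": "web01\tApacheLog\t10.0.0.5 - - \"GET / HTTP/1.1\" 200",
    "dhcp": "dhcp01\tDHCPLog\t10,Assign,10.0.0.77,host77",
    "sysmon": "dc01\tMSWinEventLog\t1\tMicrosoft-Windows-Sysmon/Operational\t1\tProcess Create",
    "mssql": "sql01\tMSWinEventLog\t1\tApplication\t17061\tMSSQLSERVER\tLogin succeeded",
    # Named instance: the default filter will NOT match until the note is applied.
    "mssql_named": "sql02\tMSWinEventLog\t1\tApplication\t17061\tMSSQL$PRODDB\tLogin succeeded",
    # Log type token is not exactly ApacheLog, so the tab-anchored filter must not match.
    "not_apache": "web02\tApacheLogArchive\tbackup rotated",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(f"{label:>12}: {route(record) or ['<no destination>']}")
    print("named-instance filter:", mssql_include_filter("MSSQL$PRODDB"))
```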