This page enables you to configure network and file destinations. The general settings apply to all destinations of any type.
It also allows additional data to be included in each event log generated by the agent.
Network Destinations
Multiple destinations per protocol may be configured to send events to your SIEM by setting the following parameters:
- Domain / IP. Enter the domain name or IP address of the destination server you are sending the event logs to.
- Port. Snare Server users should only send events to port 6161 for native UDP or TCP, or 6163 for TLS. To send data via Syslog, port 514 is recommended unless the destination is configured to receive on a non-standard UDP port. To configure rsyslog to use TLS/SSL encrypted messages, refer to http://www.rsyslog.com/doc/rsyslog_tls.html .
- Protocol. Select the protocol you would like the agent to use when sending events:
- UDP, by the nature of the protocol, may result in messages being lost and not captured by the syslog destination server.
- TCP will provide reliable message delivery.
- TLS will encrypt a TCP connection to the destination server, protecting messages from eavesdropping while in transit. For TLS the TCP option TCP_NODELAY is enabled, which prevents TCP buffering by the operating system and thereby reduces the lag when the agent is sending events via TCP.
- TLS_AUTH is an extension of TLS. A TLS_AUTH connection can only be established between the agent and a destination if both have the same TLS Authentication Key (see next).
- TLS Auth Key. This is the authentication key used by the TLS_AUTH protocol. Both the agent and the destination must be configured with exactly the same TLS Authentication Key for a TLS_AUTH connection to succeed.
- Format. Select the format for the event log records forwarded to this destination:

| Format | Description | Destination Applications |
| --- | --- | --- |
| SNARE | Proprietary Snare format, comprised of a Snare header and tab-delimited tokens | Snare Central |
| SNARE V2 (available since v5.5.0) | A more detailed Snare format, comprised of a Snare header and event details in JSON format | Snare Central v8.4.0 or newer |
| SYSLOG (RFC3164) | SYSLOG (RFC3164) header and tab-delimited tokens message | IBM QRadar; Dell Secureworks; other 3rd party SIEM systems; Snare Central (usually for forwarding to other SIEMs) |
| SYSLOG Alt (RFC5424 Compatible) | Same as the SYSLOG (RFC3164) format, with the addition of the event priority in square brackets at the end of the header | ArcSight; other 3rd party SIEM systems; Snare Central (usually for forwarding to other SIEMs) |
| SYSLOG (RFC5424) | SYSLOG (RFC5424) header and tab-delimited tokens message | 3rd party SIEMs that require the latest Syslog standard format; Snare Central (usually for forwarding to other SIEMs) |
| CEF | ArcSight Common Event Format (CEF) | ArcSight; Snare Central (usually for forwarding to other SIEMs) |
| LEEF | IBM Log Event Extended Format (LEEF) | IBM QRadar; Snare Central (usually for forwarding to other SIEMs) |
| SYSLOG JSON (available since v5.5.0) | SYSLOG (RFC5424) header and event details in JSON format | Splunk (see Snare Agents and Splunk on how to set up the Splunk recogniser); other 3rd party SIEM systems |
- Delimiter Character. Allows each destination to have an individual delimiter: tab, comma, vertical bar or space. By default the delimiter is a tab character. This is saved to the registry. To define a custom delimiter, select Custom from the drop-down and enter the character in the input field.
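The following is an added example, not Snare agent code, showing what the Format and Delimiter Character settings change on the wire for the syslog-based rows of the table, and how a receiver parses the result back. The agent's own header and token layout are not described on this page, so the event fields, the hostname `WS01`, the RFC 5424 APP-NAME `winlog`, the placement of the bracketed priority in the SYSLOG Alt header, and the single-space separator before `EventSourceId=` (the Event Source ID setting described further down this page) are all assumptions made here.

```python
"""Render a constructed event as SYSLOG (RFC3164), SYSLOG Alt, SYSLOG (RFC5424) and
SYSLOG JSON, then parse the RFC 5424 variants back the way a receiver would.
Added example; the agent's real header and token layout are not shown on the page."""
import json
import re
from datetime import datetime, timezone

# Constructed sample event and timestamp (not a real agent record).
SAMPLE_EVENT = {"log": "Security", "event_id": 4624, "user": "jdoe",
                "message": "An account was successfully logged on"}
SAMPLE_TIME = datetime(2024, 3, 5, 14, 7, 9, tzinfo=timezone.utc)
HOSTNAME = "WS01"      # what the agent sends unless Override Hostname is set (constructed)
APP_NAME = "winlog"    # RFC 5424 APP-NAME; constructed, not the agent's value

# Delimiter Character choices listed on the page; "Custom" accepts any single character.
DELIMITERS = {"tab": "\t", "comma": ",", "vertical bar": "|", "space": " "}


def pri(facility, severity):
    """PRI = facility * 8 + severity, as defined by RFC 3164 and RFC 5424."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def tokens(event, delimiter):
    """Join the event fields with the configured delimiter.  A field that already
    contains the delimiter would shift every later column at the receiver, so it is
    refused here (assumption: the page does not say how the agent treats this case)."""
    fields = [event["log"], str(event["event_id"]), event["user"], event["message"]]
    if any(delimiter in f for f in fields):
        raise ValueError("a field contains the delimiter character")
    return delimiter.join(fields)


def _tail(source_id):
    # Event Source ID is appended to the end of the message (separator assumed: one space).
    return f" EventSourceId={source_id}" if source_id is not None else ""


def format_rfc3164(event, when, facility=13, severity=6, delimiter="\t", alt=False, source_id=None):
    """SYSLOG (RFC3164) header + tokens.  alt=True is the 'SYSLOG Alt' row: the priority
    in square brackets at the end of the header (assumption: the PRI value goes there)."""
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # RFC 3164 'Mmm dd hh:mm:ss', day space-padded
    header = f"<{pri(facility, severity)}>{ts} {HOSTNAME}"
    if alt:
        header += f" [{pri(facility, severity)}]"
    return f"{header} {tokens(event, delimiter)}{_tail(source_id)}"


def format_rfc5424(event, when, facility=13, severity=6, delimiter="\t", as_json=False, source_id=None):
    """SYSLOG (RFC5424) header + tokens, or the 'SYSLOG JSON' row when as_json=True.
    The timestamp is emitted in UTC, matching the UTC Timestamp setting."""
    ts = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    header = f"<{pri(facility, severity)}>1 {ts} {HOSTNAME} {APP_NAME} - - -"   # PROCID MSGID SD all nil
    body = json.dumps(event, separators=(",", ":")) if as_json else tokens(event, delimiter)
    return f"{header} {body}{_tail(source_id)}"


# HEADER = PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD, then MSG.
# Only nil ('-') structured data is handled, which is all this example emits.
_RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)
_SOURCE_ID = re.compile(r" EventSourceId=(\S+)$")


def parse_rfc5424(line, delimiter="\t"):
    """Receiver-side parse: split the header, recover facility/severity from PRI,
    strip a trailing EventSourceId, then split the body on the configured delimiter
    (or decode the JSON body)."""
    m = _RFC5424.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line")
    prival = int(m.group(1))
    if prival > 191:                       # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    body, source_id = m.group(8), None
    sid = _SOURCE_ID.search(body)
    if sid:
        source_id, body = sid.group(1), body[: sid.start()]
    payload = json.loads(body) if body.startswith("{") else body.split(delimiter)
    return {"facility": prival // 8, "severity": prival % 8, "timestamp": m.group(2),
            "hostname": m.group(3), "payload": payload, "source_id": source_id}


if __name__ == "__main__":
    for d in ("tab", "vertical bar"):
        print(repr(format_rfc5424(SAMPLE_EVENT, SAMPLE_TIME, delimiter=DELIMITERS[d], source_id="site-a")))
    print(repr(format_rfc3164(SAMPLE_EVENT, SAMPLE_TIME, alt=True)))
```

Running the block with the "space" delimiter raises, because the constructed message text contains spaces; that is the case a practitioner should check before choosing a non-default Delimiter Character, since the receiving SIEM has no way to tell a delimiter from the same character inside a field.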
...
The following settings modify the hostname associated with the processed event log.
- Override Hostname. Can be used to override the name that was given to the host when Windows was first installed. Unless a different name is required in the processed event log record, leave this field blank and the SnareCore service will use the system's default hostname set during installation. This includes the Dynamic DNS Names feature, which automatically re-queries the DNS server for any IP address changes every ten minutes.
- Host IP As Source. Enabling this setting will use the IP address for the selected Network Adapter from the list. The source IP will replace the hostname in the log message.
...
The settings apply to all network and file destinations.
- Event Cache Size. Sets the in-memory cache in terms of the number of events it will hold, up to a maximum of 65536 events. As the number of events is entered, the memory setting Event Cache Size Per Destination is automatically recalculated. This setting can be used in conjunction with the Event Log Cache Size in the General Configuration page. This setting does not need to be very large, as the principal cache is the Windows event log. Combined with TCP or TLS, this option allows the agent to cache messages if there is a network failure or the destination server is otherwise unavailable.
- Event Cache Size Per Destination. As an alternative to specifying the number of events held in memory, the cache can be configured to use a maximum amount of memory per destination. Using this setting automatically recalculates the number of events that can fit in this memory cache. This setting can be used in conjunction with the Event Log Cache Size in the General Configuration page. This setting does not need to be very large, as the principal cache is the Windows event log. Combined with TCP or TLS, this option allows the agent to cache messages if there is a network failure or the destination server is otherwise unavailable.
- Disk Cache. This is the path where the agent will temporarily save all unsent events if the agent needs to restart. The agent will read and send the events when it is restarted. The temporary files will be written to the Snare installation directory C:\Program Files\Snare\.
- UTC Timestamp. Enables UTC (Coordinated Universal Time) timestamp format for events instead of local machine time zone format.
- EPS Rate Limit. This is a hard limit on the number of events sent by the agent per second to any destination server. This EPS rate limit applies only to sending the events and not capturing the events. The EPS rate limit is to help reduce the load on slow network links or to reduce the impact on the destination SIEM servers during unexpected high event rates. For example, if the EPS rate limit is set to 50 then Snare will only send a maximum 50 log messages in a second to any destination server.
- EPS Rate Limit Notification. If this option is selected, a message will be sent to the server when the agent reaches the EPS rate limit. The message also includes the EPS rate limit value.
- EPS Notification Rate Limit. This is the time window (in minutes) during which, if the agent reaches the EPS limit multiple times, only one EPS rate limit message will be sent to the server. This setting only works if EPS Rate Limit Notification is checked. For example, if the EPS notification rate limit is set to 10 minutes, then only one EPS notification message will be sent to the destination server(s) regardless of how many times Snare reaches the EPS rate limit within those 10 minutes.
Note: The EPS rate limit settings are to help reduce the load on slow network links or to reduce the impact on the destination SIEM servers during unexpected high event rates.
- SYSLOG Facility. Specifies the subsystem that produced the message. The list displays default facility levels that are compatible with Unix.
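The EPS Rate Limit, EPS Rate Limit Notification and EPS Notification Rate Limit settings above describe a behaviour rather than a number, so here is an added model of it, not the agent's code: a hard per-second cap on events sent to a destination, one notification when the cap is hit, and at most one notification per notification window. Two points the page leaves open are assumptions made here and marked in the code: events over the cap are queued for later seconds rather than dropped (consistent with the event cache), and the notification fires on the first event that would exceed the cap. The clock is injected so the behaviour can be checked without waiting.

```python
"""Model of the agent's EPS rate limit and rate-limited notification (added example,
not Snare code).  Excess events are queued, not dropped (assumption)."""
import time
from collections import deque


class EpsLimiter:
    def __init__(self, eps_limit, notify=True, notify_window_minutes=10, clock=None):
        self.eps_limit = eps_limit                  # EPS Rate Limit
        self.notify = notify                        # EPS Rate Limit Notification
        self.notify_window = notify_window_minutes * 60   # EPS Notification Rate Limit
        self.clock = clock or time.monotonic
        self.sent_times = deque()     # timestamps of sends within the last second
        self.deferred = deque()       # events held back until the cap frees up
        self.notifications = []       # messages that would go to the destination
        self.last_notified = None

    def _prune(self, now):
        # Forget sends older than one second; what remains is this second's usage.
        while self.sent_times and now - self.sent_times[0] >= 1.0:
            self.sent_times.popleft()

    def try_send(self, event):
        """Return True if the event may go out now, False if it was queued."""
        now = self.clock()
        self._prune(now)
        if len(self.sent_times) < self.eps_limit:
            self.sent_times.append(now)
            return True
        self.deferred.append(event)   # assumption: over-limit events wait, not drop
        self._maybe_notify(now)
        return False

    def _maybe_notify(self, now):
        # One notification per window; the message carries the limit value, as the page states.
        if not self.notify:
            return
        if self.last_notified is None or now - self.last_notified >= self.notify_window:
            self.notifications.append(f"EPS rate limit of {self.eps_limit} events/sec reached")
            self.last_notified = now

    def drain(self):
        """Send as many deferred events as the current second's budget allows."""
        sent = []
        while self.deferred:
            now = self.clock()
            self._prune(now)
            if len(self.sent_times) >= self.eps_limit:
                break
            self.sent_times.append(now)
            sent.append(self.deferred.popleft())
        return sent


class FakeClock:
    """Deterministic stand-in for time.monotonic()."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def simulate(eps_limit=50, burst=120, notify_window_minutes=10):
    """Replay the page's worked example (limit 50, window 10 minutes) against a burst."""
    clock = FakeClock()
    lim = EpsLimiter(eps_limit, notify_window_minutes=notify_window_minutes, clock=clock)
    first = sum(lim.try_send(f"event-{i}") for i in range(burst))   # all arrive in second 0
    clock.advance(1.0)
    second = len(lim.drain())            # budget refills, queued events flow
    clock.advance(1.0)
    third = len(lim.drain())
    clock.advance(5 * 60)                # 5 minutes later: inside the notification window
    for i in range(eps_limit + 1):
        lim.try_send(f"late-{i}")        # hits the cap again, no second notification
    clock.advance(6 * 60)                # now 11 minutes after the first notification
    for i in range(eps_limit + 1):
        lim.try_send(f"later-{i}")       # hits the cap again, window elapsed, notify
    return {"first": first, "second": second, "third": third,
            "notifications": len(lim.notifications), "queued": len(lim.deferred)}


if __name__ == "__main__":
    print(simulate())
```

The simulation shows why the notification window matters on the receiving side: a SIEM that alerts on the rate-limit message sees one alert per window, not one per throttled event, so a sustained throttle shows up as a repeating message every ten minutes rather than a flood.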
...
If Event Source ID is configured, the ID is displayed on the home screen (Audit Service Status) of the Agent UI and every event log from the agent in SNARE format or one of the SYSLOG formats will have EventSourceId=<value> appended at the end of the message.
To save and set the changes to the above settings, and to ensure the audit daemon has received the new configuration perform the following:
...