The Snare Central collection subsystem is a robust group of services that are capable of retrieving data from a variety of different sources, and a range of protocols.
The following services listen on Snare Central network interfaces, and receive audit and event log data.
Snare Agent Logs: Port 6161, TCP & UDP
This is the default reception port for all Snare Agent log data.
Log data that is sent to this port, is generally assumed to be formatted in a certain way, in particular:
- Tab delimited data
- The following fields in order:
- System name
- Log Type (eg: SolarisBSM)
By requiring this format, the Snare Central collection system on port 6161 can significantly reduce the amount of scanning that needs to be performed on each and every input line; leading to a commensurate increase in event collection per second (EPS) rates.
Syslog: Port 514, TCP & UDP
Snare Central operates a syslog receiver on both TCP and UDP protocols. Many devices use syslog to distribute log data to a central collection point. Network devices such as routers and firewalls often choose this log distribution method.
It is rare that data arriving via syslog provides consistent information that identifies the log source. Usually, Snare will have to scan each incoming event, line-by-line, and pattern match against a series of potential log format templates in order to match a particular event to a log format such as PIX or perhaps Unix SUDO log data. As such, the speed of collection through syslog, is approximately 20% lower than that of the primary collection port.
TLS Syslog: Port 6514, TLS
A dedicated port for receiving syslog events over TLS protocol.
SNMPTrap: Port 162, UDP
SNMP traps are used for logging in a number of older network-related appliances. Snare Central can receive snmptrap data, and make it available for analysis from within the Snare Central interface.
TLS Server: Port 6163
Snare Agents are capable of sending data over a TLS encrypted connection. The Snare Central TLS Server port can receive such data, and integrate the data into the normal Snare Central collection framework.
TLS_AUTH Server: Port 6164
Several newer Snare agents are capable of sending data over a TLS_AUTH encrypted connection. This TLS_AUTH is an extension of TLS protocol where an agent is authenticated before any log data is received from it. For authentication purposes, a same TLS Authentication Key must be configured in Snare Central and Snare agents. A default TLS Authentication Key is set to during installation and it is strongly recommended to update it. A valid TLS Authentication Key must be between 8-4096 characters and allowed characters include A-Za-z0-9~!@$%^*\()_+=`-
Performance
The EPS collection rates of Snare Central is significantly dependent on the underlying hardware. In particular, single-core CPU speed is a reliable indicator of the system's ability to collect data.
On a reasonably modern, workstation-quality system (i7 or equivalent), the TCP server can sustainably collect approximately 16,000 events per second. The UDP collection server can collect events in burst mode, of upwards of 80,000 events per second, without losing data due to CPU limitations, as long as the average EPS rates over the course of an hour, remains at or below the 16,000 EPS threshold.
Higher performance server-quality CPUs, will receive a boost in EPS figures commensurate with their single-core processing capabilities. Snare Central uses multiple cores where available, to segregate the collection of different log sources (eg: TCP collection is on one core, and UDP is on another), so actual collection rates may be significantly higher for organisations that funnel data to Snare Central using several different protocols (eg: TCP for servers that have high reliability requirements, UDP for workstations where guaranteed delivery of audit data is less of a concern, syslog for network devices).