Logs Recieved

If the logs recieved in the SIEM solution appear incorrect or unreadable, chances are the log format snare is sending is incorrect.

Log into the Snare Agent, and go to the “Destination Configuration” Menu

Check the destination format is correct, if the format is either Snare or SnareV2 this is most likely the issue as they’re only to be used with Snare Central.

Below is a list of the formats we support:

SNARE	Proprietary Snare format, comprised of Snare header and tab-delimited tokens	Snare Central
SNARE V2 available since v5.5.0	A more detailed Snare format, comprised of Snare header and event details in JSON format.	Snare Central v8.4.0 or newer
SYSLOG (RFC3164)	SYSLOG (RFC3164) header and tab-delimited tokens message	IBM QRadar Dell Secureworks Other 3rd party SIEM systems Snare Central (usually for forwarding to other SIEMs)
SYSLOG Alt (RFC5424 Compatible)	Same as SYSLOG (RFC3164) format, with an addition of event priority in square brackets at the end of the header.	ArcSight Other 3rd party SIEM systems Snare Central (usually for forwarding to other SIEMs)
SYSLOG (RFC5424)	SYSLOG (RFC5424) header and tab-delimited tokens message	3rd party SIEMs that require latest Syslog standard format Snare Central (usually for forwarding to other SIEMs)
CEF	ArcSight Common Event Format (CEF)	ArcSight Snare Central (usually for forwarding to other SIEMs)
LEEF	IBM Log Event Extended Format (LEEF)	IBM Qradar Snare Central (usually for forwarding to other SIEMs)
SYSLOG JSON available since v5.5.0	SYSLOG (RFC5424) header and event details in JSON format	Splunk (See Snare Agents and Splunk on how to setup Splunk recogniser) Other 3rd party SIEM systems