Configure Collector/Reflector

Owned by Andrew Madge
Last updated: Aug 14, 2024 by Svetlana Sheptiy
9 min read

Navigating to Systems | Administrative Tools | Configure Collector/Reflector opens the Reflector Web UI in a new browser tab, and provides access to configure reflector settings, and view collection and reflection status. 

The Snare Reflector in Snare Central is capable of 'reflecting' events that arrive at the server, to another Snare Central server, or to a third party SIEM server or collector. The reflector supports a range of target server formats, including, but not limited to, "Snare", "Syslog RFC 3164", "Syslog RFC 5424", "Syslog RFC 5424 - no structuredData",  "JSON", "Elastic Batch", "QRadar", and "Envision". TLS encryption is available, if the destination server supports it.

On first access to this page, a Welcome screen is displayed.

The reflector is pre-configured with several default internal destinations and a license.

  • Select Let's start the setup wizard option to review the settings, and add additional destinations. Settings can be updated at a later stage as well. 
  • Select Take me to the Dashboard option to review current event collection and reflection statistics. 

Reflector Dashboard

The reflector Dashboard displays event collection statistics and destination status. The data updates every few seconds.

Event Collection Statistics

The following dashboard items are available:

  • Destinations - The number of Destinations to which the Snare Reflector is sending events. 

    Snare Central has several pre-configured internal destinations:

    • 127.0.0.1:6170:TCP - reflects events internally

    • 127.0.0.1:6171: UDP - disabled by default. Enabled automatically if any real-time outputs are enabled in your Snare Central objectives.

    • 127.0.0.1:9201:HTTP - disabled by default. Enabled automatically if local delivery to Snare Advanced Threat Intelligence (SATI) is enabled in Snare Central

The administrator can add additional destinations via Settings | Destinations.

  • Recent Events / Sec - This is the smoothed average number of events received by Snare Reflector per second.
  • Total Events / 24 Hrs - This is the total number of events received in the past rolling 24 hour window.
  • Total Bytes / 24 Hrs This is the total number of bytes received while Snare Reflector has been running. 
  • Disk Cache % Full - This indicates the number of events stored as a percentage of the total disk cache capacity.  
  • Events On Disk - This indicates the number of events currently stored in the disk cache. Note that the disk cache is only enabled for non-local , priority destinations.

Per-Destination Queue Statistics

Each Destination displays a chart of its activity over a 24 hour period.



  • Recent EPS Sent - indicates the smoothed average number of events sent to this destination per second.
  • Recent Bytes/Sec indicates the smoothed average number of bytes sent to the destination per second.
  • Rolling 24H Bytes Sent - indicates the number of bytes sent in the past rolling 24 hour window.
  • Disk Queue % Full indicates how full each disk queue file is as a percentage.

Chart

Each destination's chart displays the number of events per second (Y-axis) sent over time (X-axis). Note that the time is displayed in local machine time.  If required, UTC may be enabled and configurable via Settings | General | UTC Charts.

Reflector Configuration Settings

General

The following options may be configured:

  • Web Management Port  - The port the Snare Reflector web UI operates on. It is recommended that this value stay at the default value when the reflector is operating as part of a Snare Central installation.
  • Web UI HTTPS Certificate - This certificate will be used for HTTPS Snare Reflector Web UI interactions.
  • TLS Listener Certificate - This certificate will be used for TLS client interactions.
  • Generate a new self-signed certificate - Newly generated self signed certificates will be appended to the list of available certificates.
  • Network Destination certificate verification - Choose the desired level of certificate verification.  This can be one of Accept Any or Strict Checking. Accept Any is ideal for self-signed certificates. Strict Checking verifies the entire certificate chain.
  • UTC Charts - Turn this on to display UTC (Coordinated Universal Time) time on destination charts instead of local machine time.  By default the times are displayed in local time.
  • TLS Authentication Key - Define the authentication key for TLS_AUTH listener. The same key should be used by the Snare Agent that wants to send logs using TLS_AUTH.
    TL    S_AUTH is Snare proprietary protocol that supports TLS connection with authentication between source and destination. 
  • Setup Wizard - The setup wizard will walk you through the initial steps required to get Snare Reflector up and running.   Selecting Restart Wizard will cause the Wizard to restart. 

To save and set the changes to the above settings, and to ensure the Reflector service has received the new configuration, perform the following:

  1. Click on Update to save any changes.

  2. Click on the Restart Snare Reflector button at the top of the screen.

 

License

This page details the licensing information for the Snare Reflector and includes:

  • The Key IDs for your local host, where Snare Central is installed

  • The active licenses registered to your organisation

Destinations

This page provides the ability to configure external network destinations. The Snare reflector will forward events to these defined destinations.

Each destination can use a different format and protocol. Each destination can have filters in the form of regular expressions, to reduce the volume of events forwarded to the destination. It is also possible to apply search and replace filters on the events being sent to a destination. 


Note: the first three destinations in the configuration interface are reserved for use by Snare Central internally, and cannot be modified.


For user-defined destinations, the following destination parameters can be configured:

  • Hostname - An IP address or hostname to which the Snare Reflector should direct log data.
  • Port - The target port on the destination server to send log data.  Enter port 6161 if sending data to a Snare Server, unless sending encrypted data.  Enter port 514 to send data to a syslog server, unless the syslog server on the destination listens on a non standard TCP/UDP port.
  • Protocol - Select one of the following options: 
    • UDP
    • TCP
    • TLS - TCP with TLS encryption
      Please ensure the destination system supports the TLS protocol. 
    • TLS_AUTHTCP with TLS encryption and authentication.
      TLS_AUTH is a Snare proprietary protocol that overlays the TLS connection with authentication between source and destination. The same TLS authentication key needs to be configured on this page and in the Snare destination (a standalone Snare Reflector or another Snare Central). 

  • Destination Format - Formats include: 
    • Snare Server 7.1+ - Logs will be sent using a Snare Central internal format
    • Syslog RFC 5424 - Logs will be sent using the latest generation of the syslog protocol, with fields parsed from the source log included within the RFC5424 structuredData element.
    • Syslog RFC 3164 - Logs will be sent using the older generation of the syslog protocol. Note that some information (such as the 'year' in which the log was generated) will be lost, when using this format
    • QRadar - Syslog RFC 3164 format, but the Reflector will attempt to remove the first tab-delimited field supplied with the incoming event, as long as it does not include internal spaces, in order to work around a QRadar processing issue
    • RSA Envision - Syslog RFC 3164 format, but the Reflector will prefix a header to the syslog message, which includes the originating IP address, and the date/time in seconds-since-epoch format that the event arrived at the server
    • RAW - no conversion - no format conversion will be performed
    • Generic JSON - both header and event content information is represented in a single-line JSON format
    • Elasticsearch bulk delivery - Snare internal format for SATI. Events will be batched up and delivered in groups via a HTTP POST upload to elastic. Logs can also be sent to multiple external Elasticsearch installs and Amazon Opensearch (fork of Elasticsearch) installs with different ports, addresses and filtering. 
    • Syslog 5424 JSON - Syslog RFC 5424 header, with JSON payload. In the event that a Snare V2 format log is received, it will be forwarded in the original format, with any extra enhancements inserted as key/value pairs into the Event/Data/SnareDataMap key.
    • Syslog RFC 5424 - no structuredData - Logs will be sent using the latest generation of the syslog protocol, but will explicitly avoid injecting field data into the structuredData component of RFC5424, if the source event does not already include structuredData.

    • CEF - the event will be converted to CEF format, where each event field, will be either implemented as a vendor CEF field in the CEF Extension area, or will be mapped to baseline CEF fields. As at the date of this document, the logs from Snare for Windows agents will include the advanced CEF field mapping.

      Example

      In general, CEF format will generate data of the following format:
      Jan 11 12:25:39 hostname CEF:Version|Device Vendor|Device Product|Device Event Class ID|Name|Severity|[Extension]
      eg:
      Jan 11 12:25:39 snareserver CEF:0|Snare|SnareReflector|3.2|WinSecurity:4830|2|dvc=snare,SnareReflectorTable=WinSecurity,SnareReflectorUser=Fred
    • CEF Syslog RFC3164 - CEF format as discussed above, with a Syslog RFC3164 header
    • Snare Legacy Realtime Delivery - Snare internal legacy format
    • Snare v8 Data Exchange Snare internal format and also for use from Snare Central to Snare Central forwarding. NOTE: this can only be used to other 8.4.0+ destinations
  • Regular Expression Filter - forward only events that match the specified filters to the destination. See the Regular Expression Filters page in this guide for more information.
  • Search and Replace Filter - allows to modify events on the fly, between reception and retransmission. See the Search and Replace Filters page in this guide for more information.

Add destinations

To add multiple destinations click Add Destination and enter the information for this destination.  Select Update to save the settings.  If another destination is required select Add Destination.

Disable destinations

To disable a destination select Disabled for that destination and select Update to save the settings.  A restart of the reflector is required. The disabled destination will not be displayed on the dashboard.

Activate destinations

To reactivate a disabled destination select Active for that destination and select Update to save the settings.  A restart of the reflector is required. The destination will be displayed on the dashboard.

Priority destinations

A destination can be marked as a priority-delivery queue by selecting the Priority: On button.

Priority destinations will be allocated both a memory and disk cache to provide a reasonable level of assurance that events will not be lost if the target destination is offline for a short period of time. Non-priority destinations will be allocated a memory cache.

If any priority destination event queue becomes full, the Snare Reflector will introduce flow control to slow down or stop the rate of event delivery from clients, to ensure events are not discarded when high EPS conditions are occurring. This applies to any destination SIEM systems that may struggle to keep up with the rate of events sent from the Reflector.

It is highly recommended to use TCP, TLS or TLS_AUTH protocol on priority destinations as these protocols guarantee that events will delivered. UDP doesn't offer such guarantees due to its nature.


Remove destinations

To delete a destination select Remove for that destination and select Update to save the settings.  A restart of the reflector is required.

Listeners

This page displays the ports and protocols on which the Snare Reflector is listening for incoming events.

All Listeners are currently locked by the Snare Central collection server. 

About

Basic information about the Snare Reflector is displayed here including version information, build id, and the length of time Snare Reflector is online. 3rd party packages that the Snare Reflector requires are listed with their licensing information.

The server and client times are important to ensure there is not any time drift of more than ten seconds, as it may prevent logging into the Reflector.

Fixing time drift

If you do experience time drift please check:

  • the date time on the server where the reflector is installed
  • the date time on the client where you are accessing the browser.

Update the times as necessary then restart the browser and try again.

Help

The help page provides information relating to configuring the Destinations and creating regular expression filters.
More detailed information can be found in this User Guide.