Configure Collector/Reflector

Per-Destination Queue Statistics

Each Destination displays a chart of its activity over a 24 hour period.

• Web Management Port  - The port the Snare Reflector web UI operates on. It is recommended that this value stay at the default value when the reflector is operating as part of a Snare Central installation.
  
• Web UI HTTPS Certificate - This certificate will be used for HTTPS Snare Reflector Web UI interactions.
• TLS Listener Certificate - This certificate will be used for TLS client interactions.
• Generate a new self-signed certificate - Newly generated self signed certificates will be appended to the list of available certificates.
  
• Network Destination certificate verification - Choose the desired level of certificate verification.  This can be one of Accept Any or Strict Checking. Accept Any is ideal for self-signed certificates. Strict Checking verifies the entire certificate chain.
  
• UTC Charts - Turn this on to display UTC (Coordinated Universal Time) time on destination charts instead of local machine time.  By default the times are displayed in local time.
  
• TLS Authentication Key - Define the authentication key for TLS_AUTH listener. The same key should be used by the Snare Agent that wants to send logs using TLS_AUTH.
  TLS_AUTH is Snare proprietary protocol that supports TLS connection with authentication between source and destination. 
• Setup Wizard - The setup wizard will walk you through the initial steps required to get Snare Reflector up and running.   Selecting Restart Wizard will cause the Wizard to restart. 

• Hostname - An IP address or hostname to which the Snare Reflector should direct log data.
• Port - The target port on the destination server to send log data.  Enter port 6161 if sending data to a Snare Server, unless sending encrypted data.  Enter port 514 to send data to a syslog server, unless the syslog server on the destination listens on a non standard TCP/UDP port.
• Protocol - Select one of the following options: 
  • UDP
  • TCP
  • TLS - TCP with TLS encryption
    Please ensure the destination system supports the TLS protocol. 
  • TLS_AUTH - TCP with TLS encryption and authentication.
    TLS_AUTH is a Snare proprietary protocol that overlays the TLS connection with authentication between source and destination. The same TLS authentication key needs to be configured on this page and in the Snare destination (a standalone Snare Reflector or another Snare Central). 
    
    
• Destination Format - Formats include: 
  • Snare Server 7.1+ - Logs will be sent using a Snare Central internal format
  • Syslog RFC 5424 - Logs will be sent using the latest generation of the syslog protocol, with fields parsed from the source log included within the RFC5424 structuredData element.
  • Syslog RFC 3164 - Logs will be sent using the older generation of the syslog protocol. Note that some information (such as the 'year' in which the log was generated) will be lost, when using this format
  • QRadar - Syslog RFC 3164 format, but the Reflector will attempt to remove the first tab-delimited field supplied with the incoming event, as long as it does not include internal spaces, in order to work around a QRadar processing issue
  • RSA Envision - Syslog RFC 3164 format, but the Reflector will prefix a header to the syslog message, which includes the originating IP address, and the date/time in seconds-since-epoch format that the event arrived at the server
  • RAW - no conversion - no format conversion will be performed
  • Generic JSON - both header and event content information is represented in a single-line JSON format
  • Elasticsearch bulk delivery - Snare internal format for SATI. Events will be batched up and delivered in groups via a HTTP POST upload to elastic. Logs can also be sent to multiple external Elasticsearch installs and Amazon Opensearch (fork of Elasticsearch) installs with different ports, addresses and filtering. 
    
  • Syslog 5424 JSON - Syslog RFC 5424 header, with JSON payload. In the event that a Snare V2 format log is received, it will be forwarded in the original format, with any extra enhancements inserted as key/value pairs into the Event/Data/SnareDataMap key.
  • Syslog RFC 5424 - no structuredData - Logs will be sent using the latest generation of the syslog protocol, but will explicitly avoid injecting field data into the structuredData component of RFC5424, if the source event does not already include structuredData.

  • CEF - the event will be converted to CEF format, where each event field, will be either implemented as a vendor CEF field in the CEF Extension area, or will be mapped to baseline CEF fields. As at the date of this document, the logs from Snare for Windows agents will include the advanced CEF field mapping.

    Example

    In general, CEF format will generate data of the following format:
    Jan 11 12:25:39 hostname CEF:Version|Device Vendor|Device Product|Device Event Class ID|Name|Severity|[Extension]
    eg:
    Jan 11 12:25:39 snareserver CEF:0|Snare|SnareReflector|3.2|WinSecurity:4830|2|dvc=snare,SnareReflectorTable=WinSecurity,SnareReflectorUser=Fred
  • CEF Syslog RFC3164 - CEF format as discussed above, with a Syslog RFC3164 header
  • Snare Legacy Realtime Delivery - Snare internal legacy format
  • Snare v8 Data Exchange -  Snare internal format and also for use from Snare Central to Snare Central forwarding. NOTE: this can only be used to other 8.4.0+ destinations
• Regular Expression Filter - forward only events that match the specified filters to the destination. See the Regular Expression Filters page in this guide for more information.
• Search and Replace Filter - allows to modify events on the fly, between reception and retransmission. See the Search and Replace Filters page in this guide for more information.

Basic information about the Snare Reflector is displayed here including version information, build id, and the length of time Snare Reflector is online. 3rd party packages that the Snare Reflector requires are listed with their licensing information.