Destination Configuration

This page is used to configure network and file destinations. The general destination settings apply to all destinations of any type.

Network Destinations

Multiple destinations per protocol may be configured to send events to your SIEM by setting the following parameters:

  • Domain/IP: Enter the domain name or IP address of the destination server you are sending the event logs to.
  • Port: Snare Server users should only send events to port 6161 in native UDP or TCP, or 6163 for TLS. To send data via Syslog, port 514 is recommended unless the destination is configured to receive on a non-standard UDP port. To configure rsyslog to use TLS/SSL encrypted messages refer to http://www.rsyslog.com/doc/rsyslog_tls.html.
  • Protocol: Select the protocol you would like the agent to use when sending events:
    • UDP, by the nature of the protocol, may result in messages being lost in transit and never captured by the syslog destination server.
    • TCP will provide reliable message delivery.
    • TLS will encrypt the TCP connection to the destination server, protecting messages from eavesdropping while in transit. For TLS the TCP option TCP_NODELAY is enabled, which prevents the operating system from buffering TCP writes and thereby reduces the lag when the agent is sending events.
  • Format: Event log records may be formatted so as to be accepted by:
    • a Snare Server
    • SYSLOG (RFC3164) for many SIEMs including Dell Secureworks
    • SYSLOG Alt (RFC5424 Compatible) for ArcSight and some other SIEM systems
    • SYSLOG (RFC5424) for any SIEM requiring this format
    • CEF for ArcSight
    • LEEF for IBM QRADAR

  • Delimiter Character: Allows each destination to have an individual delimiter, including tab, comma, vertical bar and space. By default the delimiter is a tab character. This is saved to the registry. To define a custom delimiter, select Custom from the drop down and enter the character in the input field.

Network Destinations must be created one at a time. To add another row for an additional Network Destination, click the Update Destinations button to confirm the addition of the new Network Destination. Once the new Network Destination has been created, a new empty row will be made available.

Network Destinations can be removed by clearing the Domain / IP field and clicking Update Destinations.

File Destinations

Multiple File Destinations, each using its own format, can be set up to log information locally or on a network-shared drive.
  • Path & Filename: Set the path and the filename to log events to a file. Snare will rotate these files daily; however, when the log reaches 2GB within one day, the file will automatically be rotated. The maximum size may be set in Maximum File Size. Please note that the log files may take up a large amount of disk space over time, and may also pose a security risk, as access to the file(s) will need to be managed.
  • Format: Event log records may be written to the file formatted for the Snare Server, SYSLOG, SYSLOG Alt, CEF and LEEF.
  • Delimiter Character: Allows each destination to have an individual delimiter, including tab, comma, vertical bar and space. By default the delimiter is a tab character. This is saved to the registry. To define a custom delimiter, select Custom from the drop down and enter the character in the input field.
  • Maximum File Size: The maximum size of an output file receiving events. The output file is normally rotated daily, but with this setting the file will also be rotated upon reaching the maximum size within that day. The default size is 256MB.

File Destinations must be created one at a time. To add another row for an additional File Destination, click the Update Destinations button to confirm the addition of the new File Destination. Once the new File Destination has been created, a new empty row will be made available.

File Destinations can be removed by clearing the Domain / IP field and clicking Update Destinations.

Hostname Options

These settings modify the hostname associated with the processed event log.

  • Override Hostname. Can be used to override the name that was given to the host when Windows was first installed. Unless a different name is required in the processed event log record, leave this field blank and the Epilog service will use the system's default hostname set during installation. This includes the Dynamic DNS Names feature, which automatically re-queries the DNS server for any IP address changes every ten minutes.
  • Host IP As Source. Enabling this setting will use the IP address of the Network Adapter selected from the list. The source IP will replace the hostname in the log message.

General Destination Options

These settings apply to all network and file destinations.

  • Event Cache Size. Sizes the in-memory cache by the number of events it will hold, up to a maximum of 65536 events. As the number of events is entered, the memory setting Event Cache Size Per Destination is automatically recalculated. This setting can be used in conjunction with the Event Log Cache Size in the General Configuration page. This setting does not need to be very large, as the principal cache is the Windows event log. Combined with TCP or TLS, this option will allow the agent to cache messages if there is a network failure or the destination server is otherwise unavailable.
  • Event Cache Size Per Destination. As an alternative to specifying the number of events held in memory, the cache can be configured to use a maximum amount of memory per destination. Using this setting will automatically recalculate the number of events that can fit in this memory cache. This setting can be used in conjunction with the Event Log Cache Size in the General Configuration page. This setting does not need to be very large, as the principal cache is the Windows event log. Combined with TCP or TLS, this option will allow the agent to cache messages if there is a network failure or the destination server is otherwise unavailable.
  • Disk Cache. This is the path where the agent will temporarily save all unsent events if the agent needs to restart. The agent will read and send the events when it is restarted.  The temporary files will be written to the Epilog installation directory C:\Program Files\Epilog\.
  • UTC Timestamp. Enables UTC (Coordinated Universal Time) timestamp format for events instead of local machine time zone format.
  • EPS Rate Limit. This is a hard limit on the number of events sent by the agent per second to any destination server. The EPS rate limit applies only to sending events, NOT to capturing them. The EPS rate limit helps to reduce the load on slow network links or to reduce the impact on the destination SIEM servers during unexpectedly high event rates. For example, if the EPS rate limit is set to 50, then Snare for Epilog will send a maximum of fifty log messages per second to any destination server.
  • EPS Rate Limit Notification. If this option is selected, a message will be sent to the server when the agent reaches the EPS rate limit. The message also includes the EPS rate limit value.
  • EPS Notification Rate Limit. This is the time window (in minutes) during which, if the agent reaches the EPS limit multiple times, only one EPS rate limit message will be sent to the server. This setting only works if Notify on EPS Rate Limit is checked. For example, if the EPS notification rate limit is set to 10 minutes, then only one EPS notification message will be sent to the destination server(s) within those 10 minutes, regardless of how many times Snare for Epilog reaches the EPS rate limit.

    The EPS rate limit settings are to help to reduce the load on slow network links or to reduce the impact on the destination SIEM servers during unexpected high event rates.
  • SYSLOG Facility. Specifies the subsystem that produced the message. The list displays the default facility levels that are compatible with Unix.
  • SYSLOG Priority. If one of the SYSLOG formats is used, the agent can be configured to use a static or a dynamic priority value. If 'Dynamic' is selected as the SYSLOG priority value, the priority sent to the remote SYSLOG server will mirror the Snare 'criticality' value of the matched objective.
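
The EPS Rate Limit, EPS Rate Limit Notification and EPS Notification Rate Limit settings above interact in a way that is easiest to see in a simulation. The following Python is an added example, not Snare's own code: it applies the page's 50 EPS / 10 minute example to a constructed burst profile, where events above the per-second cap stay cached rather than being dropped.

```python
# Added illustration (not Snare's own code) of the EPS Rate Limit and
# EPS Notification Rate Limit behaviour: at most eps_limit events leave per
# second, the surplus waits in the cache, and a "limit reached" message is
# sent at most once per notify_rate_min minutes.

def simulate_eps(arrivals, eps_limit, duration_s, notify=True, notify_rate_min=10):
    """Second-by-second simulation.

    arrivals: constructed burst profile, {second: number of events captured}.
    Returns (events sent per second, seconds at which a notification went out,
             events still cached at the end).
    """
    pending = 0
    sent_per_second = []
    notified_at = []
    last_notify_s = None
    for t in range(duration_s):
        pending += arrivals.get(t, 0)          # capture is never rate limited
        batch = min(pending, eps_limit)        # hard cap on what is sent
        pending -= batch
        sent_per_second.append(batch)
        limit_hit = batch == eps_limit and pending > 0
        if limit_hit and notify:
            # One notification per EPS Notification Rate Limit window, no
            # matter how many seconds inside that window hit the limit.
            if last_notify_s is None or t - last_notify_s >= notify_rate_min * 60:
                notified_at.append(t)
                last_notify_s = t
    return sent_per_second, notified_at, pending


if __name__ == "__main__":
    # Constructed profile: a 130-event burst at t=0 and a 60-event burst at
    # t=700s, against the page's example of 50 EPS and a 10 minute window.
    sent, notes, left = simulate_eps({0: 130, 700: 60}, eps_limit=50, duration_s=720)
    print("sent in first three seconds:", sent[:3])   # [50, 50, 30]
    print("notifications at seconds:", notes)          # [0, 700]
    print("events still cached:", left)                # 0
```

The second burst at t=700s triggers a fresh notification only because it falls outside the 10 minute window that opened at t=0; the limit hit at t=1s is silently absorbed.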

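As an added example (not Snare's own code), the following Python shows how the SYSLOG Facility, SYSLOG Priority (static or Dynamic) and UTC Timestamp settings above determine the header that precedes each event in the SYSLOG (RFC3164) and SYSLOG (RFC5424) formats. The criticality-to-severity table, the host name and the tag are assumptions, not values taken from the agent.

```python
# Added illustration (not Snare's own code): how SYSLOG Facility, SYSLOG
# Priority and UTC Timestamp shape the syslog header sent to the destination.
from datetime import datetime, timedelta, timezone

# Standard syslog facility and severity codes (RFC 5424 section 6.2.1).
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
            "local0": 16, "local1": 17, "local4": 20, "local7": 23}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
# ASSUMED mapping from a Snare objective criticality (0..4) to a syslog
# severity; the page only says a Dynamic priority mirrors the criticality.
DYNAMIC_SEVERITY = {0: SEVERITY["info"], 1: SEVERITY["notice"],
                    2: SEVERITY["warning"], 3: SEVERITY["err"],
                    4: SEVERITY["crit"]}


def pri(facility, priority, criticality=None):
    """PRI = facility * 8 + severity; severity is static or from criticality."""
    if priority == "dynamic":
        severity = DYNAMIC_SEVERITY[criticality]
    else:
        severity = SEVERITY[priority]
    return FACILITY[facility] * 8 + severity


def header_rfc3164(facility, priority, host, tag, when, utc=False, criticality=None):
    """<PRI>Mmm dd hh:mm:ss HOST TAG:  (RFC3164 carries no year and no zone)."""
    ts = when.astimezone(timezone.utc) if utc else when
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{pri(facility, priority, criticality)}>{stamp} {host} {tag}:"


def header_rfc5424(facility, priority, host, app, when, utc=False, criticality=None):
    """<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD  (zone is explicit here)."""
    ts = when.astimezone(timezone.utc) if utc else when
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ") if utc else ts.isoformat(timespec="seconds")
    return f"<{pri(facility, priority, criticality)}>1 {stamp} {host} {app} - - -"


if __name__ == "__main__":
    # Constructed event time: 08:09:10 on an agent host running at UTC+10.
    when = datetime(2024, 3, 5, 8, 9, 10, tzinfo=timezone(timedelta(hours=10)))
    print(header_rfc3164("local4", "warning", "WEBSRV01", "MSWinEventLog", when))
    print(header_rfc3164("local4", "warning", "WEBSRV01", "MSWinEventLog", when, utc=True))
    print(header_rfc5424("local4", "dynamic", "WEBSRV01", "Snare", when, utc=True, criticality=4))
```

Note that with UTC Timestamp off, the RFC3164 header gives the receiver no way to tell which zone the time is in, which matters when correlating agents in different regions.
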
To save and set the changes to the above settings, and to ensure the registry has received the new configuration perform the following:

  1. Click on Update Destinations to save any changes to the registry.
  2. Click on the Apply Configuration & Restart Service menu item.

Alternatively, the service may also be restarted via the Windows services control panel.