Configuring the Snare Agent with ArcSight
SUMMARY
Apr 01, 2016
The Snare Agent may be configured to send events to an ArcSight destination. This article includes Snare configuration information, and updates to ArcSight configuration to avoid any performance issues, as per recommendations from customer feedback:
Configuring Snare
On the Snare Agent Network Configuration screen the following options must be checked:
Enable SYSLOG Header?
Use alternate header?
It is also recommended to select Use Coordinated Universal Time (UTC)? and to install the dedicated SmartConnectors on a server that runs in UTC. ArcSight users report that the ArcSight timezone settings should not be used to set a timezone, as they are poorly implemented; set the TZ environment variable when launching the SmartConnector JVM instead.
For example, under Linux, edit /opt/arcsight/yoursmartname/current/bin/agent.wrapper.sh and change the "command=" line to:
command="cd $WRAPPER_DIR; TZ=UTC LD_LIBRARY_PATH=$LD_LIBRARY_PATH $WRAPPER_CMD $WRAPPER_CONF $WRAPPER_ARGS"
ArcSight SmartConnector Configuration
It is highly recommended to dedicate SmartConnectors to Snare audit parsing.
With some filters applied at the SmartConnector level, one dedicated SmartConnector can handle about 1200 EPS at most before it starts caching; stay below 800 EPS for continuous use.
If you dedicate SmartConnectors to Snare, you can also load balance across them.
The following will only work with a SmartConnector dedicated to Snare. These settings differ from a stock "agent.properties"; replace the following entries:
agents[0].forwardmode=true
agents[0].port=<port that Snare sends its audit on>
agents[0].protocol=Raw TCP
agents[0].usecustomsubagentlist=true
agents[0].customsubagentlist=snare_syslog|generic_syslog
In this way the default Snare parser is always invoked first. If the event is a Snare status message, the Snare parser will not recognize it and the second parser, generic syslog, is invoked instead.
Status messages won't get parsed into discrete fields, but you can still access their content in the CEF "message" field.
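The fallback behaviour of the snare_syslog|generic_syslog chain, shown as an added Python example that is not part of the original article or of ArcSight: a Snare Windows event is parsed into fields, while a status message is not recognized by the Snare parser and falls through to generic syslog with its text kept in "message". The sample lines are constructed, and the tab-delimited field order assumed for the Snare payload is an assumption to check against your agent version.

```python
import re
from typing import Optional

# Constructed sample lines (not captured from a real agent). The first mimics a
# Snare for Windows event with the syslog header enabled; the second is the
# kind of agent status message that the Snare parser does not recognize.
SAMPLE_EVENT = ("<13>Apr  1 10:15:42 WKS01 MSWinEventLog\t1\tSecurity\t4821\t"
                "Fri Apr 01 10:15:42 2016\t4624\tMicrosoft-Windows-Security-Auditing\t"
                "DOMAIN\\alice\tN/A\tSuccess Audit\tWKS01\tLogon\t"
                "An account was successfully logged on.\t0")
SAMPLE_STATUS = "<13>Apr  1 10:16:00 WKS01 Snare: Agent started, objectives loaded"

# RFC 3164 style header: <PRI>Mmm dd hh:mm:ss host payload
SYSLOG_HDR = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

# Field order assumed for the tab-delimited Snare for Windows payload that
# follows the MSWinEventLog tag (assumption of this example, not ArcSight's parser).
SNARE_FIELDS = ["criticality", "event_log", "snare_counter", "event_time",
                "event_id", "source_name", "user", "sid_type", "event_type",
                "computer", "category", "message", "checksum"]

def parse_generic_syslog(line: str) -> dict:
    """Fallback parser: splits the syslog header, keeps the payload in 'message'."""
    m = SYSLOG_HDR.match(line)
    if not m:
        return {"message": line}
    pri, ts, host, payload = m.groups()
    return {"facility": int(pri) // 8, "severity": int(pri) % 8,
            "timestamp": ts, "host": host, "message": payload}

def parse_snare(line: str) -> Optional[dict]:
    """Snare parser: returns None when the payload is not a MSWinEventLog record."""
    base = parse_generic_syslog(line)
    tag, _, rest = base["message"].partition("\t")
    if tag != "MSWinEventLog":
        return None                      # e.g. a Snare status message
    fields = rest.split("\t")
    if len(fields) < len(SNARE_FIELDS):
        return None                      # truncated record, let generic syslog keep it
    base.update(zip(SNARE_FIELDS, fields))
    base["event_id"] = int(base["event_id"])
    return base

def parse_chain(line: str) -> dict:
    """Mirrors customsubagentlist=snare_syslog|generic_syslog: Snare first, then generic."""
    return parse_snare(line) or parse_generic_syslog(line)
```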