How to configure Snare Agents for QRadar
SUMMARY
The configuration settings are outlined below for sending events to IBM's QRadar in:
Snare Enterprise Agent for Windows
Snare Central Server Reflector
Snare Enterprise Agent for Windows
From your Snare Enterprise Agent, navigate to the Destination Configuration page and update the following settings:
Under Network Destinations set:
To send logs to QRadar via Snare Central:
Domain/IP to your Snare Central destination
Port to 6161
Protocol to UDP or TCP (recommended)
Format to SNARE
To send logs directly to QRadar:
Domain/IP to your QRadar destination
Port to 514
Protocol to UDP or TCP (recommended)
Format to SYSLOG (RFC3164) or other. LEEF may be used, though the Port will then require updating.
Under Hostname Options set:
Select the Host IP As Source checkbox. On saving the page, the Override Hostname field will be populated.
Select Update Destinations to save your page settings
Click Apply Configuration & Restart Service menu item to update the registry.
Snare Central Server
The Snare Central Server Collector / Reflector is a very flexible tool for filtering and editing event log data. It is capable of filtering events on a per-destination basis. It can convert data from one format to another, and it can even modify the event information on the fly to suit your target SIEM server or syslog destination.
Navigate to System : Administrative Tools : Configure Collector/Reflector and select Settings > Destinations. Update the following:
Enter the destination FQDN or IP address
Type in 514 for Port
Select TCP for Protocol to ensure no events are lost
Select Destination Format QRadar
Apply filtering or data tagging in the additional fields as needed
When sending logs to Snare Central to be reflected on to QRadar, send them from the Agent in Snare format to Snare Central and then use the QRadar destination format as above. The Agent should also use the host IP as the source override, as this makes it easier for QRadar to parse the logs coming from the reflector.
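As an added example (not Snare's or IBM's code), the snippet below shows what the direct-to-QRadar settings above produce on the wire: an RFC 3164 line whose HOSTNAME field carries the host IP (the Host IP As Source override) sent over TCP to port 514, plus a check that flags lines where the override was not applied. The tag "Snare", the IP addresses and the event text are constructed values, not taken from the article.

```python
"""Build and sanity-check RFC 3164 syslog lines of the kind a Snare agent sends
directly to QRadar (TCP/514) with Host IP As Source enabled."""
import ipaddress
import re
import socket
from datetime import datetime

QRADAR_SYSLOG_PORT = 514  # direct-to-QRadar port from the article

# RFC 3164 header layout: <PRI>TIMESTAMP HOSTNAME TAG: MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)


def build_rfc3164(source_ip, tag, msg, facility=1, severity=6, when=None):
    """Format one event. `source_ip` is what the Host IP As Source override
    places in the HOSTNAME field; defaults are facility 1 (user), severity 6 (info)."""
    ipaddress.ip_address(source_ip)  # fail early if the override value is not an IP
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # RFC 3164 day is space-padded
    pri = facility * 8 + severity
    return f"<{pri}>{ts} {source_ip} {tag}: {msg}"


def check_for_qradar(line):
    """Return a list of problems found in a captured line; an empty list means OK."""
    m = _RFC3164.match(line)
    if not m:
        return ["not an RFC 3164 header (<PRI>TIMESTAMP HOSTNAME TAG: MSG)"]
    problems = []
    if int(m["pri"]) > 191:
        problems.append("PRI out of range (facility*8 + severity must be <= 191)")
    try:
        ipaddress.ip_address(m["host"])
    except ValueError:
        problems.append(f"HOSTNAME {m['host']!r} is not an IP: Host IP As Source not applied")
    return problems


def send_tcp(line, host, port=QRADAR_SYSLOG_PORT, timeout=5):
    """Deliver one newline-terminated line over TCP (the article recommends TCP
    over UDP so that events are not silently lost)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(line.encode("utf-8") + b"\n")


if __name__ == "__main__":
    sample = build_rfc3164("192.0.2.10", "Snare", "constructed test event")  # constructed
    print(sample, check_for_qradar(sample))
    # send_tcp(sample, "qradar.example.invalid")  # placeholder destination
```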