Running Snare in the Cloud

Snare Central is available to run in the cloud on Amazon AWS, Microsoft Azure and Oracle Cloud. We have specific images available for customers that want to run Snare Central on these cloud platforms. The default image is sized at 400 GB of disk; the customer can allocate additional disk and use the disk manager to increase their logging space to as many terabytes as they need.

After deploying the system you will need to load your license from SLDM; contact sales if you don't have this. Once you can log in to the system, run the configuration wizard to set up any local settings. It is recommended to patch the system to the latest patch from SLDM. The patch process for each image is the same as for an on-premises install: the customer downloads the patch updates from SLDM and applies the patch to the system after taking the relevant system backups (i.e. snapshots).

Each cloud provider offers its own server sizing or system shape options, with a wide range of disk options from slower SAS to very fast SSD. We recommend that you size the system according to your expected system usage. In general, running the system in the cloud makes it easy to move to a larger or smaller system capacity if needed and activate the change with a reboot. The key factors at all times are:

  • Do I have enough CPUs to meet the load?

  • Is the disk IOPS able to keep up with the load of streaming data from all of the Snare Agents and syslog devices?

  • Do I have enough disk capacity to store all of the log data for the required timeframe and meet my regulatory or policy requirements?

  • Is the network sized to cover the traffic flow?

  • Do I have access to the relevant network segments, and are the firewall rules in place to receive the logs from the relevant security zones?

Once all of this is understood then we can look at some sizing options on the relevant cloud platforms.

Snare Central contains the following components:

  • Central log collection and storage

  • Reporting and data searching

  • Snare Reflector

  • Snare Agent Manager & Configuration (SAM or SAMC)

  • Agent Management Console (AMC) - being deprecated, as the agent management policy functions have moved to the SAMC.

Storage needs

  • The storage needs are largely driven by the EPS rates of the systems, the log types and the data retention needs. The more of each, the more storage is needed. In most cases Snare Central will get a 90%+ reduction in raw log storage, e.g. 1.13 TB of raw log data may only consume 87 GB of actual disk. This is due to the high compression rates Snare Central achieves with its log storage.

  • Other factors depend on the following:

    • The amount of reflector cache needed when reflecting logs to other SIEM or logging systems, and how long a network or system outage needs to be factored in. Customers have configured anything from a few GB to 2 TB of cache. The caveat here is to also ensure that there is enough system and network capacity to catch up on these cached logs, and that the destination can cope with the catch-up EPS rate and the normal EPS rate at the same time.

      • 110 GB per day of raw logs may reduce to around 4.5 GB

    • The amount of reporting and local dashboard usage. Both of these may require additional index space. Snare Central uses an opportunistic index method, so it only indexes what it needs and what is queried regularly. This conserves normal index space, but having enough extra disk for this allows the system to build up indexes based on need and usage patterns. This may mean another 1-2 TB or more of disk is allocated for index caching. As a rule, 1-5% of actual SnareArchive space usage may be required for indexes. If an index has not been used and new indexes are needed, the older index data will be rolled off the system, so the index space is self-managed.
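The storage, index and reflector-cache factors above combine into a single capacity estimate. The following calculator is an added example, not Prophecy International's own tooling; it turns the figures quoted on this page (90%+ compression, 1.13 TB to 87 GB, 110 GB/day to 4.5 GB, indexes at 1-5% of SnareArchive, the 400 GB default image) into a repeatable estimate and also shows the catch-up EPS check for the reflector cache. The average raw event size, the assumption that the reflector cache holds raw (uncompressed) events, and the choice to treat 1 TB as 1024 GB are assumptions, not figures from this page.

```python
"""Rough storage and reflector-cache sizing for a Snare Central deployment.

Added example (not Prophecy International's own code). Ratios are derived
from the worked figures on the page; avg_event_bytes and the raw-cache
assumption are inputs the reader must supply from their own environment.
"""
from dataclasses import dataclass

GB = 1024 ** 3
SECONDS_PER_DAY = 86_400
DEFAULT_IMAGE_GB = 400  # default cloud image size quoted on the page

# Compressed/raw ratios from the two examples on the page:
# 87 GB / 1.13 TB (1 TB taken as 1024 GB, an assumption) and 4.5 GB / 110 GB.
COMPRESSION_RATIO_CONSERVATIVE = 87 / (1.13 * 1024)   # ~0.075
COMPRESSION_RATIO_TYPICAL = 4.5 / 110                  # ~0.041


def raw_gb_per_day(eps: float, avg_event_bytes: int) -> float:
    """Raw (uncompressed) log volume per day in GB.

    avg_event_bytes is an assumption; measure it from a sample of your own logs.
    """
    return eps * avg_event_bytes * SECONDS_PER_DAY / GB


def index_gb(archive: float, fraction: float = 0.05) -> float:
    """Index cache at the page's rule of thumb of 1-5% of SnareArchive usage.

    The default of 5% is the worst case of that range.
    """
    return archive * fraction


def reflector_cache_gb(eps: float, avg_event_bytes: int, outage_hours: float) -> float:
    """Cache needed to hold events for a downstream SIEM or network outage.

    Assumes the cache stores events at raw size (an assumption, not a page figure).
    """
    return eps * avg_event_bytes * outage_hours * 3600 / GB


def catchup_eps(eps: float, outage_hours: float, catchup_hours: float) -> float:
    """EPS the destination must absorb while the backlog replays alongside live traffic.

    This is the 'catch-up EPS plus normal EPS at the same time' check from the page.
    """
    return eps + eps * outage_hours / catchup_hours


@dataclass
class SizingEstimate:
    raw_per_day_gb: float
    archive_gb: float
    index_gb: float
    reflector_cache_gb: float
    catchup_eps: float
    total_gb: float
    additional_disk_gb: float  # disk to add beyond the 400 GB default image


def estimate(eps: float, avg_event_bytes: int, retention_days: int,
             outage_hours: float, catchup_hours: float,
             ratio: float = COMPRESSION_RATIO_CONSERVATIVE,
             index_fraction: float = 0.05) -> SizingEstimate:
    """Combine archive, index and reflector cache into one disk figure."""
    raw = raw_gb_per_day(eps, avg_event_bytes)
    archive = raw * retention_days * ratio
    idx = index_gb(archive, index_fraction)
    cache = reflector_cache_gb(eps, avg_event_bytes, outage_hours)
    total = archive + idx + cache
    return SizingEstimate(
        raw_per_day_gb=raw,
        archive_gb=archive,
        index_gb=idx,
        reflector_cache_gb=cache,
        catchup_eps=catchup_eps(eps, outage_hours, catchup_hours),
        total_gb=total,
        additional_disk_gb=max(0.0, total - DEFAULT_IMAGE_GB),
    )


if __name__ == "__main__":
    # Constructed scenario: 2,000 EPS, 500-byte events, 1 year retention,
    # plan for a 24 h SIEM outage replayed over 8 h.
    est = estimate(eps=2000, avg_event_bytes=500, retention_days=365,
                   outage_hours=24, catchup_hours=8)
    for name, value in est.__dict__.items():
        print(f"{name:>20}: {value:,.1f}")
```

The catch-up figure is the one most often missed: a 24 hour backlog replayed over 8 hours quadruples the EPS the downstream SIEM must accept during that window, so the destination's licence and ingest limits need checking against `catchup_eps`, not just the steady-state rate.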

Some baseline suggested sizes that customers can use; system sizings are a guide only, as actual system performance can vary:

Amazon AWS

  • T2.large, 2 CPU and 8 GB memory, for very small installs or AMC-only usage

  • T2.xlarge, 4 CPU and 16 GB memory, for small logging installs (< 100 agents)

  • For more intensive loads the M5 class of systems might be used, along with SSD-based fast disk storage, as IOPS become more important.

  • M5.2xlarge, 8 CPU and 32 GB of memory

  • M5.4xlarge, 16 CPU and 64 GB of memory

  • And larger sizes - Snare Central will use the capacity the system is configured with

Microsoft Azure

  • Besides smaller systems, larger systems such as the D4 and D8 series can be used, for example:

  • D4s_v3, 4 CPU and 16 GB of memory, for small systems doing around 2,000-4,000 EPS

  • D8s_v3, 8 CPU and 32 GB of memory with twice the IOPS of the D4, for larger systems doing 8,000-10,000 EPS

  • D8as_v4, 8 CPU and 32 GB of memory and up to 16 disks, for larger workloads.

  • Other variations and larger sizes can also be used.

Oracle Cloud

  • The VM.Standard.E4.Flex shapes offer a good range and are highly selectable in sizing.

  • 2 CPU and 16 GB of memory for very small logging needs or SAM/AMC-only installs

  • 4 CPU and 24 GB of memory for larger environments doing 2,000-4,000 EPS, with bursting to higher loads in the 5,000-6,000 range.

  • 8 CPU and 48 GB of memory for larger environments in the 9,000-10,000 EPS range.

  • 16 CPU and 128 GB of memory for larger environments doing around 20,000 EPS

  • 32 CPU and 256 GB of memory for systems up to 65,000 EPS

  • Besides the standard system shapes, Oracle also offers the very flexible E3.Flex options, which allow customers to configure their systems on a CPU-by-CPU and per-GB-of-memory basis.

Other variations and larger sizes can also be used depending on the SAM usage, reporting, event searching and dashboard needs, as these may require increased sizing over the above. More memory often improves performance, as data is cached in memory.

Windows Snare Agent Manager

The Windows Snare Agent Manager (SAM) can also run in the cloud on a compatible Windows server. The size and specifications are the same as for an internal Windows server. Refer to the installation guide for more information.

Snare Agents

Snare Agents can all run on systems in the cloud where the customer has control of the operating system, as in IaaS installations. The same principles apply as for an internal system, and the agents operate in the same way.

Firewall rules

Running Snare Central in the cloud is much the same as running it on premises, and you may need to adjust your firewall rules to allow network traffic between network segments. See this link for more details: https://prophecyinternational.atlassian.net/wiki/spaces/Snare/pages/852623528

If you need to run your Snare Central system in the cloud or migrate your logging workload to the cloud and require consulting or professional services, please contact our friendly sales team via email so they can assist you. If you have an active maintenance contract you can also contact support for advice.