Destination Configuration

This page enables you to configure network and file destinations. The ability to configure general settings will apply to all destinations of any type. Besides, it enables configuring additional data to be included in each event log generated by the agent.

Destination_5.90.png

 

Network Destinations

Multiple destinations per protocol may be configured to send the events to your SIEM by setting the following parameters:

  • Domain / IP. Enter the domain name or IP address of the destination server you are sending the event logs to.

  • Port. Snare Server users should only send events to port 6161 in native UDP or TCP, or 6163 for TLS. To send data via Syslog port 514 is recommended unless the destination is configured differently to receive on a non standard UDP port. To send data to a destination using mTLS use the port as the destination is configured (i.e., usually port 443 is used to send events to Devo). To configure rsyslog to use TLS/SSL encrypted messages refer to http://www.rsyslog.com/doc/rsyslog_tls.html .

  • Protocol. Select the protocol you would like the agent to use when sending events:

    • UDP by the protocol nature may result in messages being lost and not captured by the syslog destination server.

    • TCP will provide reliable message delivery. 

    • TLS will encrypt a TCP connection to the destination server, protecting messages from eavesdropping while in transit.  For TLS the TCP feature TCP_NODELAY is enabled, and prevents TCP buffering by the Operating System, thereby reducing the lag when the agent is sending events via TCP.

    • TLS_AUTH is an extension of TLS format. A TLS_AUTH connection can only be established between agent and a destination if both have the same TLS Authentication Key (see below)

    • mTLS (mutual TLS) will encrypt a TCP connection to the destination server, ensuring that both the client and server authenticate each other, and protecting messages from eavesdropping while in transit. For mTLS, the TCP feature TCP_NODELAY is enabled, preventing TCP buffering by the Operating System, thereby reducing lag when the agent is sending events via TCP.

  • mTLS Certificate. The mTLS Certificate (client certificate) is a key part of the mutual TLS process, as it allows the client to prove its identity to the server during the TLS handshake. Unlike regular TLS, where only the server presents a certificate, in mTLS, the client must also present its own certificate, which the server verifies before establishing a secure, encrypted connection. This ensures that both parties are mutually authenticated and trusted. Note: The field is used only when mTLS protocol is selected. The certificate and its chain of trust is expected to be installed on the machine as a prerequisite of using it in the Agent. To install certificates refer to Appendix K .

  • TLS Auth Key. This is the authentication used by TLS_AUTH protocol. Both agent and destination should configure exactly the same TLS Authentication key for successful TLS_AUTH connection.

  • Format. Select suitable format for the event log records forwarded to this destination:

Format

Description

Destination Applications

Format

Description

Destination Applications

SNARE

Proprietary Snare format, comprised of Snare header and tab-delimited tokens

  • Snare Central

SNARE V2
* available since v5.5.0

A more detailed Snare format, comprised of Snare header and event details in JSON format.

  • Snare Central v8.4.0 or newer

SYSLOG (RFC3164)

SYSLOG (RFC3164) header and tab-delimited tokens message

  • IBM QRadar

  • Dell Secureworks

  • Other 3rd party SIEM systems

  • Snare Central (usually for forwarding to other SIEMs)

SYSLOG Alt (RFC5424 Compatible)

Same as SYSLOG (RFC3164) format, with an addition of event priority in square brackets at the end of the header.

  • ArcSight

  • Other 3rd party SIEM systems

  • Snare Central (usually for forwarding to other SIEMs)

SYSLOG (RFC5424)

SYSLOG (RFC5424) header and tab-delimited tokens message

  • 3rd party SIEMs that require latest Syslog standard format

  • Snare Central (usually for forwarding to other SIEMs)

CEF

ArcSight Common Event Format (CEF)

  • ArcSight

  • Snare Central (usually for forwarding to other SIEMs)

LEEF

IBM Log Event Extended Format (LEEF)

  • IBM Qradar

  • Snare Central (usually for forwarding to other SIEMs)

SYSLOG JSON
* available since v5.5.0

SYSLOG (RFC5424) header and event details in JSON format

DEVO

* available since v5.9.0

SYSLOG (RFC5424) header with a special tag and tab-delimited tokens message.

  • Devo ELB

DEVO JSON
* available since v5.9.0

SYSLOG (RFC5424) header with a special tag and event details in JSON format.

  • Devo ELB

  • Delimiter Character. Allows each destination to have an individual delimiter, including, tab, comma, vertical bar and space.  By default the delimiter is a tab character. This is saved to the registry.  To define a custom delimiter, select Custom from the drop down and enter in the character in the input field.

Network Destinations must be created one at time. To add another row to enable the creation of additional Network Destinations simply click the Update Destinations button to confirm the addition of the new Network Destination. Upon the creation of the new Network Destination a new empty row will be made available.

Network Destinations can be removed by clearing the Domain / IP field and clicking Update Destinations.

File Destinations

Multiple File Destinations can be setup utilizing various formats can be setup to help you log information locally or on a drive that is network shared.

  • Path & Filename. Set the path and the filename to log events to a file.  Snare will rotate these files daily, however when the log reaches 2GB within one day, the file will automatically be rotated. The maximum size may be set in Maximum File Size. Please note there may be a high amount of disk space being taken up by the log files over time, and may also pose a security risk as access to the file(s) will need to be managed.

  • Format.  Event log records may be written to the file formatted in any of the formats described in the Network Destination section above.

  • Delimiter Character. Allows each destination to have an individual delimiter, including, tab, comma, vertical bar and space.  By default the delimiter is a tab character. This is saved to the registry.  To define a custom delimiter, select Custom from the drop down and enter in the character in the input field.

  • Maximum File Size.  The maximum generated size of an output file receiving events.  The output file is rotated daily normally, but with this setting the file will be rotated upon reaching the maximum, within that day.  Default size is 256MB.

File Destinations must be created one at time. To add another row to enable the creation of additional File Destinations simply click the Update Destinations button to confirm the addition of the new File Destination. Upon the creation of the new File Destination a new empty row will be made available.

File Destinations can be removed by clearing the Path & Filename field and clicking Update Destinations.

The purpose of the file destination is to store the copy of each event that is successfully sent to at least one network destination. If there is no network destination and at least one file destination, Snare will keep writing new events to the file destination but will not show these events in Latest Events page. If there are more than one network destinations and one file destination, Snare will write an event to the file destination if it can first successfully send event to at least one of the network destinations. If none of the network destinations is available, Snare will add events to a memory cache and will write those events to the file destination as well. Once the memory cache reaches its capacity, no additional events will be written to the file destination.

Hostname Options

The settings apply to the settings to modify the hostname associated with the processed event log. 

  • Override Hostname. Can be used to override the name that is given to the host when Windows is first installed. Unless a different name is required to be sent in the processed event log record, leave this field blank and the SnareCore service will use the default system's hostname set during installation. This includes the Dynamic DNS Names feature that automatically re-queries the DNS server for any IP Address changes every ten minutes.

  • Host IP As Source. Enabling this setting will use the IP address for the selected Network Adapter from the list.  The source IP will replace the hostname in the log message.

General Destination Options

The settings apply to all network and file destinations.

  • Event Cache Size. Modify the in memory cache to be based on the number of events that the in memory cache will use up to the maximum of 65536 events.  As the number of events are entered the memory setting Event Cache Size Per Destination will be automatically recalculated. This setting can be used in conjunction with the Event Log Cache Size in the General Configuration page.  This setting does not need to be very large as the principle cache is the Windows event log. Combined with TCP or TLS,  this option will allow the agent to cache messages if there is a network failure or the destination server is otherwise unavailable.

  • Event Cache Size Per Destination. As an alternate to specifying the number of events the in memory, the cache can be configured to use a maximum amount of memory per destination. Using this setting will automatically recalculate the number of events that can fit in this memory cache.  This setting can be used in conjunction with the Event Log Cache Size in the General Configuration page.  This setting does not need to be very large as the principle cache is the Windows event log.  Combined with TCP or TLS  this option will allow the agent to cache messages if there is a network failure or the destination server is otherwise unavailable.

  • Disk Cache. This is the path where the agent will temporarily save all unsent events if the agent needs to restart. The agent will read and send the events when it is restarted.  The temporary files will be written to the Snare installation directory C:\Program Files\Snare\.

  • UTC Timestamp. Enables UTC (Coordinated Universal Time) timestamp format for events instead of local machine time zone format.

  • EPS Rate Limit. This is a hard limit on the number of events sent by the agent per second to any destination server. This EPS rate limit applies only to sending the events and not capturing the events. The EPS rate limit is to help reduce the load on slow network links or to reduce the impact on the destination SIEM servers during unexpected high event rates. For example, if the EPS rate limit is set to 50 then Snare will only send a maximum 50 log messages in a second to any destination server.

     

  • EPS Rate Limit Notification. If this option is selected then a message will be sent to the server when agent reaches the EPS rate limit. The message also include the EPS rate limit value.

  • EPS Notification Rate Limit. This is the time (in minutes), during that if agent reaches the EPS limit multiple times then only one EPS rate limit message will be sent to the server.  This setting only works if EPS Rate Limit Notification is checked. For example, if EPS notification rate limit is set to 10 minutes then only one EPS notification message will be sent to destination server(s) regardless of how many times Snare reaches the EPS rate limit.

  • SYSLOG Facility. Specifies the subsystem that produced the message. The list displays default facility levels that is compatible with Unix.

  • SYSLOG TAG Terminator. Allows to choose whether to use TAB or a custom delimiter as a terminator of TAG part of the SYSLOG (RFC3164) event. TAB will be used by default.

Event Options

These settings allow you to configure additional data to be included in each event log generated by the agent.

  • Append Checksum to Events. This feature allows you to add the checksum at the end of every event log generated by the agent.

  • Event Source ID. This feature allows you to add an ID/string to every event log generated by the agent.

    There are three options to choose from the drop down menu - NONE, Free Text, and Registry Path.


    • NONE: When the selected Event Source ID type is NONE, the input field is disabled and no additional data will be added to the event logs generated by the agent.


    • Free Text: When this option is selected, the desired ID can be specified in the input field. A valid ID can be at most 128 character long and can only contain the following characters :  a-zA-Z0-9,:&_~!@%/-.*?+()^$


    • Registry Path: When this option is selected, the path to the Windows Registry containing the ID can be specified in the input field. The Registry path must be of the form:  [ROOT_KEY]\[PATH_TO_VALUE], where ROOT_KEY is one of HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS, HKEY_CURRENT_CONFIG.  The ID at the specified Registry is interpreted as a string and is truncated to 128 characters if longer. Valid characters are: a-zA-Z0-9,:&_~!@%/-.*?+()^$. The ID is evaluated when the configuration is updated which is then displayed beneath the input field.

      If the value in the specified Registry contains invalid character(s), then the value is sanitised by replacing the invalid character(s) with underscore(s). The sanitised value is displayed beneath the input field and is used as the Event Source ID messages.

If Event Source ID is configured, the ID is displayed on the home screen (Audit Service Status) of the Agent UI and every event log from the agent in SNARE format or one of the SYSLOG formats will have EventSourceId=<value> appended at the end of the message.

 

To save and set the changes to the above settings, and to ensure the audit daemon has received the new configuration perform the following:

  1. Click on Update Destinations to save any changes to the registry.

  2. Click on the Apply Configuration & Restart Service menu item.