Sending logs to DEVO

The latest update to the Snare agent allows users to send logs directly into DEVO without the need for a relay. This is made possible by the mTLS protocol and the new DEVO formatting.

In this guide we will show you how to configure the mTLS destination, both within DEVO and in the agent.

  1. Log in to your DEVO instance and navigate to “Administration > Relays and ELBs” in the left-hand menu.

  2. Then select the “Event load balancers (ELBs)” option at the top.

  3. You will now see your available load balancers. Click the three-dot icon on the far right of your Default Syslog ELB and choose “Download certificate”.

  4. This takes you to the X.509 certificates page. Click “Create certificate”.

  5. Once your certificate is generated, click the option to download the PKCS12 certificate bundle (this file contains the certificate and its private key).
    Make sure to note the password shown on screen, as you will need it to import the certificate.

  6. Log in to the host running the Snare agent.

  7. Once logged in, either press the Windows key + R to open the Run window or type Run into the Windows search box.

  8. Once the Run box is open, type “mmc” and press Enter.

  9. Once the MMC console opens, click “File”, then “Add/Remove Snap-in”, and add the Certificates snap-in.

  10. Select the option for “Local Computer”, then press “Next” and “Finish”.

  11. Now that you have the Certificates console open, expand the Personal folder and then click on the Certificates folder.

  12. You should see the Snare Agent certificate. Right-click in the area below it and choose “All Tasks”, then “Import”.

  13. Click Next; you will then be asked to browse for the certificate. If you haven’t done so already, copy the PKCS12 file downloaded earlier onto the host. In this guide it has been placed on the desktop.

  14. Browse to where you placed the certificate. As this is a PKCS12 file, you will need to change the file type filter to “All Files”. Select the file and press Open.

  15. Click Next and you will be prompted for a password. Enter the password you noted earlier. Alternatively, you can re-download the certificate from DEVO and it will show the password again.

  16. Tick “Mark this key as exportable”. If this is not ticked, the certificate will not show in the agent.

  17. Lastly, click Next once more and either choose where you want the certificate to be stored or let Windows handle this. Then click Finish; you can now close this window.

  18. Open the Snare agent and navigate to the destination configuration menu.

  19. The details for the destination and port can be found back on the DEVO portal under “Administration” > “Relays and ELBs”, then by clicking the “Event load balancers” option at the top.

    Under Domain / IP enter the address shown, e.g. us.elb.relay.logtrust.net, and then enter the port, e.g. 443.

  20. Under Protocol select the mTLS option; the mTLS certificate box will now become available.

  21. Click the drop-down; you will now see the certificate that we added. Select this certificate.

  22. Finally, select the DEVO format.

  23. Once happy with the setup, scroll to the bottom and click “Update destinations”.

  24. Once that is saved, restart the agent for the change to take effect.

  25. Once the agent has restarted, you can confirm the destination is working by opening the Latest Events menu and viewing the active destination.
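
As an added example, not part of the Snare or DEVO documentation, the PowerShell below performs the certificate import of steps 6 to 17 without the MMC console and adds two checks worth running before restarting the agent: that the imported certificate carries its private key (the condition behind step 16, since a certificate without an exportable key does not appear in the agent's mTLS drop-down), and that the host can reach the ELB on the configured port. The bundle path and the password prompt are assumptions; the ELB address and port are the example values from step 19. It must be run from an elevated PowerShell session because it writes to the Local Computer certificate store, and it uses the Import-PfxCertificate cmdlet from the PKI module shipped with Windows.

```powershell
# Added example (not Snare or DEVO code): import the DEVO PKCS12 bundle into the
# Local Computer > Personal store with an exportable private key, verify the
# import, and check that the ELB endpoint is reachable. Run as Administrator.

# Assumed location of the bundle downloaded from DEVO in step 5.
$PfxPath = "$env:USERPROFILE\Desktop\devo-snare-agent.p12"

# ELB address and port as shown on the DEVO "Event load balancers" page (step 19).
$ElbHost = 'us.elb.relay.logtrust.net'
$ElbPort = 443

# Prompt for the password shown when the certificate was generated, rather than
# keeping it in the script.
$PfxPassword = Read-Host -Prompt 'PKCS12 bundle password' -AsSecureString

# -Exportable is the equivalent of ticking "Mark this key as exportable" in the
# wizard; without it the certificate will not be offered by the agent.
$cert = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -Password $PfxPassword `
    -Exportable

# Confirm the certificate is present in the store with its private key attached.
$installed = Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

if (-not $installed -or -not $installed.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) is missing from the store or has no private key."
}
'Imported {0} (thumbprint {1}, expires {2})' -f $installed.Subject, $installed.Thumbprint, $installed.NotAfter

# Check plain TCP reachability of the ELB before restarting the agent. A failure
# here points at firewall or proxy rules rather than at the certificate.
$probe = Test-NetConnection -ComputerName $ElbHost -Port $ElbPort -WarningAction SilentlyContinue
if (-not $probe.TcpTestSucceeded) {
    throw "TCP connection to ${ElbHost}:${ElbPort} failed."
}
"TCP connection to ${ElbHost}:${ElbPort} succeeded; restart the Snare agent to apply the destination."
```

After the script completes, the certificate appears in the agent's mTLS certificate drop-down exactly as it would after the manual import, and the remaining steps (20 to 25) are unchanged.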

     

The above guide outlines the steps to deploy the certificate and configure a single host and agent. To deploy this to a group or wider selection of systems, create a GPO:

Distribute certificates to Windows devices by using Group Policy | Microsoft Learn