/
Destinations

Destinations

Owned by Andrew Madge
Last updated: Sept 16, 2020

Adding, removing, activating, disabling and prioritising destinations may be performed here.  Also includes the configuration of the search and replace functionality of the filters via regular expressions. 

The following parameters are required to be configured:

  • Hostname - An IP address or hostname to which the Snare Reflector should direct log data.
  • Port - The target port on the destination server to send log data.  Enter port 6161 if sending data to a Snare Server, unless sending encrypted data.  Enter port 514 to send data to a syslog server, unless the syslog server on the destination listens on a non standard TCP/UDP port.
  • Protocol - Select from TCP, UDP, TCP with TLS encryption or TCP with TLS encryption and authentication (TLS_AUTH). NOTE: the destination system has to support TLS protocol to use TLS. The Snare Server does using port 6163 however not all SIEM/syslog systems may have TLS enabled by default, please check the vendors guide for more information. TLS_AUTH is Snare proprietory protocol that supports the TLS connection with authentication. A same TLS authentication key needs to be configured on this page and in the Snare agents that want to send logs using TLS_AUTH. 
  • Destination Format - Formats include: 
Snare Server 7.1+Logs will be sent using a Snare Server internal format
Snare Server HistoricalCompatible with Snare Servers prior to version 7.1.
Syslog RFC 5424
Logs will be sent using the latest generation of the syslog protocol.
Syslog RFC 3164
Logs will be sent using the older generation of the syslog protocol. Note that some information (such as the 'year' in which the log was generated) will be lost, when using this format.
QRadar
Syslog RFC 3164 format, but the Reflector will attempt to remove the first tab-delimited field supplied with the incoming event, as long as it does not include internal spaces, in order to work around a QRadar processing issue.
RSA Envision Syslog RFC 3164 format, but the Reflector will prefix a header to the syslog message, which includes the originating IP address, and the date/time in seconds-since-epoch format that the event arrived at the server.
RAWNo conversion will be performed.


Add destinations

To add multiple destinations click Add Destination and enter the information for this destination.  Select Update to save the settings.  If another destination is required select Add Destination.

Disable destinations

To disable a destination select Disabled for that destination and select Update to save the settings.  A restart of the reflector is required. The disabled destination will not be displayed on the dashboard.

Activate destinations

To reactivate a disabled destination select Active for that destination and select Update to save the settings.  A restart of the reflector is required. The destination will be displayed on the dashboard.

Priority destinations

A destination can be marked as a priority-delivery queue by selecting the Priority: On button.

If any priority destination event queue becomes full, or if all queues are full regardless of priority, then Snare Reflector will introduce flow control to slow down the rate of event delivery to ensure events are not discarded when high EPS conditions are occurring and the cache becomes full. This applies to any destination SIEM systems that may struggle to keep up with the sending of events from the Reflector.


Remove destinations

To delete a destination select Remove for that destination and select Update to save the settings.  A restart of the reflector is required.


Related content