103. Snare
The Snare Agent is a popular log collection tool for the Windows Event Log. The Snare format is supported by many tools and SIEM vendors. It uses tab-delimited records and can use Syslog as the transport. NXLog can be configured to collect or forward logs in the Snare format.
The Snare format can be used with or without the Syslog header.

Snare format (without Syslog header):
HOSTNAME⇥MSWinEventLog⇥Criticality⇥EventLogSource⇥SnareCounter⇥SubmitTime⇥EventID⇥SourceName⇥UserName⇥SIDType⇥EventLogType⇥ComputerName⇥CategoryString⇥DataString⇥ExpandedString⇥OptionalMD5Checksum

Snare over Syslog:
<PRI>TIMESTAMP HOSTNAME MSWinEventLog⇥Criticality⇥EventLogSource⇥SnareCounter⇥SubmitTime⇥EventID⇥SourceName⇥UserName⇥SIDType⇥EventLogType⇥ComputerName⇥CategoryString⇥DataString⇥ExpandedString⇥OptionalMD5Checksum
103.1. Collecting Snare logs
NXLog can parse Snare logs with the parse_csv() procedure provided by the xm_csv extension module.
With the following configuration, NXLog will accept Snare format logs via UDP, parse them, convert them to JSON, and write the result to a file. This configuration supports both "Snare over Syslog" and the regular Snare format.
<Extension snare>
    Module      xm_csv
    Fields      $MSWINEventLog, $Criticality, $EventLogSource, $SnareCounter, \
                $SubmitTime, $EventID, $SourceName, $UserName, $SIDType, \
                $EventLogType, $ComputerName, $CategoryString, $DataString, \
                $ExpandedString, $MD5Checksum
    FieldTypes  string, integer, string, integer, datetime, integer, string, \
                string, string, string, string, string, string, string, string
    Delimiter   \t
</Extension>

<Extension json>
    Module      xm_json
</Extension>

<Extension syslog>
    Module      xm_syslog
</Extension>

<Input in>
    Module      im_udp
    Host        0.0.0.0
    Port        6161
    <Exec>
        # Parse the Syslog header if one is present; in the plain Snare form the
        # hostname is instead the first tab-delimited column of the record.
        parse_syslog_bsd();
        if $Message =~ /^((\w+)\t)?(MSWinEventLog.+)$/
        {
            if $2 != ''
            {
                $Hostname = $2;
                $Message = $3;
            }
            snare->parse_csv($Message);
            $Message = $ExpandedString;
        }
    </Exec>
</Input>

<Output out>
    Module      om_file
    File        '/var/log/json'
    Exec        to_json();
</Output>

<Route r>
    Path        in => out
</Route>
Input sample:
<13>Nov 21 11:40:27 myserver MSWinEventLog⇥0⇥Security⇥32⇥Mon Nov 21 11:40:27 2016⇥592⇥Security⇥Andy⇥User⇥Success Audit⇥MAIN⇥DetailedTracking⇥Process ended⇥Ended process ID: 2455
Output sample:
{
  "EventReceivedTime": "2016-11-21 11:40:28",
  "SourceModuleName": "in",
  "SourceModuleType": "im_file",
  "SyslogFacilityValue": 1,
  "SyslogFacility": "USER",
  "SyslogSeverityValue": 5,
  "SyslogSeverity": "NOTICE",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Hostname": "myserver",
  "EventTime": "2016-11-21 11:40:27",
  "Message": "Ended process ID: 2455",
  "MSWINEventLog": "MSWinEventLog",
  "Criticality": 0,
  "EventLogSource": "Security",
  "SnareCounter": 32,
  "SubmitTime": "2016-11-21 11:40:27",
  "EventID": 592,
  "SourceName": "Security",
  "UserName": "Andy",
  "SIDType": "User",
  "EventLogType": "SuccessAudit",
  "ComputerName": "MAIN",
  "CategoryString": "DetailedTracking",
  "DataString": "Process ended",
  "ExpandedString": "Ended process ID: 2455"
}
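As an added illustration of the parsing step described above (example code, not part of the original page or of NXLog), the following Python parser accepts both the plain and the Syslog-wrapped Snare record, splits on the tab delimiter, types the integer and SubmitTime columns the way the FieldTypes directive does, and tolerates the optional MD5 checksum column. The function name parse_snare and the sample input are assumptions made here; the sample is the record shown above.

```python
import re
from datetime import datetime

# Snare columns after the hostname, in the order of the format description above.
SNARE_FIELDS = [
    "MSWinEventLog", "Criticality", "EventLogSource", "SnareCounter",
    "SubmitTime", "EventID", "SourceName", "UserName", "SIDType",
    "EventLogType", "ComputerName", "CategoryString", "DataString",
    "ExpandedString", "OptionalMD5Checksum",
]
INT_FIELDS = {"Criticality", "SnareCounter", "EventID"}
# BSD syslog header of the "Snare over Syslog" form: <PRI>Mmm dd HH:MM:SS HOSTNAME
SYSLOG_RE = re.compile(r"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$", re.S)


def parse_snare(line):
    """Return the fields of one Snare record, with or without the syslog header."""
    rec, line = {}, line.rstrip("\r\n")
    m = SYSLOG_RE.match(line)
    if m:
        rec["SyslogFacilityValue"], rec["SyslogSeverityValue"] = divmod(int(m.group(1)), 8)
        rec["Hostname"], body = m.group(2), m.group(3)
    else:
        # Plain Snare: the first tab-delimited column is the hostname. Splitting on the
        # tab rather than matching \w+ also accepts dotted or hyphenated hostnames.
        rec["Hostname"], sep, body = line.partition("\t")
        if not sep:
            raise ValueError("not a Snare record: no tab delimiter")
    cols = body.split("\t")
    # The MD5 checksum column is optional, so 14 or 15 columns are both valid.
    if cols[0] != "MSWinEventLog" or len(cols) not in (14, 15):
        raise ValueError("not a Snare record: %d columns" % len(cols))
    for name, value in zip(SNARE_FIELDS, cols):
        if name in INT_FIELDS:
            value = int(value)
        elif name == "SubmitTime":
            value = datetime.strptime(value, "%a %b %d %H:%M:%S %Y")
        rec[name] = value
    rec["Message"] = rec["ExpandedString"]  # as the configuration above does
    return rec


# Constructed input: the page's sample record, in both forms.
SAMPLE_SYSLOG = ("<13>Nov 21 11:40:27 myserver MSWinEventLog\t0\tSecurity\t32\t"
                 "Mon Nov 21 11:40:27 2016\t592\tSecurity\tAndy\tUser\tSuccess Audit\t"
                 "MAIN\tDetailedTracking\tProcess ended\tEnded process ID: 2455")
SAMPLE_PLAIN = "myserver\t" + SAMPLE_SYSLOG.split(" ", 4)[4]
```

Records that are neither form (no tab delimiter, or a column count other than 14 or 15) raise ValueError rather than producing a partially filled event.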
103.2. Generating Snare logs
NXLog can also generate Snare logs in place of the original Snare agent with the to_syslog_snare() procedure provided by the xm_syslog extension module.
With this configuration, NXLog will read the Windows Event Log, convert it to Snare format, and send it via UDP. NXLog's own internal log messages are also included (via the im_internal module). Tabs and newline sequences in the message are replaced with spaces, since either would break the tab-delimited record.
<Extension syslog>
    Module      xm_syslog
</Extension>

<Input internal>
    Module      im_internal
</Input>

<Input eventlog>
    Module      im_msvistalog
    # Replace tabs and any newline sequence (\R) with a space so the message
    # cannot break the tab-delimited Snare record.
    Exec        $Message =~ s/(\t|\R)/ /g;
</Input>

<Output out>
    Module      om_udp
    Host        192.168.1.1
    Port        514
    Exec        to_syslog_snare();
</Output>

<Route r>
    Path        internal, eventlog => out
</Route>
Output sample:
<13>Nov 21 11:40:27 myserver MSWinEventLog⇥0⇥Security⇥32⇥Mon Nov 21 11:40:27 2016⇥592⇥Security⇥N/A⇥N/A⇥Success Audit⇥MAIN⇥DetailedTracking⇥Process ended⇥Ended process ID: 2455
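As an added illustration of the generating side (example code, not part of the original page or of NXLog), the following Python builds one Snare-over-Syslog line from an event, applying the same tab and newline sanitization as the Exec line above and filling absent string fields with N/A as the sample output shows. The function names to_syslog_snare and sanitize, the default facility and severity, and the sample event are assumptions made here.

```python
import re
from datetime import datetime

# Snare columns after the hostname, in the order of the format description above;
# the optional MD5 checksum is left out, as in the sample output.
SNARE_FIELDS = [
    "MSWinEventLog", "Criticality", "EventLogSource", "SnareCounter",
    "SubmitTime", "EventID", "SourceName", "UserName", "SIDType",
    "EventLogType", "ComputerName", "CategoryString", "DataString", "ExpandedString",
]


def sanitize(value):
    """Replace tabs and newline sequences with a space, like the Exec line above."""
    return re.sub(r"\t|\r\n|\r|\n", " ", str(value))


def to_syslog_snare(event, hostname, event_time, facility=1, severity=5):
    """Build one Snare-over-Syslog line from a dict of event fields.

    Fields the event lacks become "N/A", which is what the sample output
    shows for UserName and SIDType.
    """
    fields = {name: event.get(name, "N/A") for name in SNARE_FIELDS}
    fields["MSWinEventLog"] = "MSWinEventLog"
    fields["SubmitTime"] = event_time.strftime("%a %b %d %H:%M:%S %Y")
    record = "\t".join(sanitize(fields[name]) for name in SNARE_FIELDS)
    # BSD syslog header: PRI is facility * 8 + severity, and the day is space-padded.
    header = "<%d>%s %2d %s %s" % (facility * 8 + severity, event_time.strftime("%b"),
                                   event_time.day, event_time.strftime("%H:%M:%S"), hostname)
    return header + " " + record


# Constructed input: the event behind the page's sample output line.
SAMPLE_TIME = datetime(2016, 11, 21, 11, 40, 27)
SAMPLE_EVENT = {
    "Criticality": 0, "EventLogSource": "Security", "SnareCounter": 32,
    "EventID": 592, "SourceName": "Security", "EventLogType": "Success Audit",
    "ComputerName": "MAIN", "CategoryString": "DetailedTracking",
    "DataString": "Process ended", "ExpandedString": "Ended process ID: 2455",
}
```

Calling to_syslog_snare(SAMPLE_EVENT, "myserver", SAMPLE_TIME) reproduces the sample output line, with real tab characters in place of the ⇥ markers.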