box.win_snare
The logs generated by the Snare Windows Agent are assigned the tag box.win_snare. See below the configuration options needed to forward your events to the Devo platform properly.
Tag structure
The full tag structure follows the format box.win_snare. Then, the following tables will be defined in your domain and events will be automatically sent to the proper table:
- box.win_snare.application
- box.win_snare.security
- box.win_snare.setup
- box.win_snare.system
- box.win_snare.powershell
- box.win_snare.other
For more information on how tags work, see the article about Devo tags.
Configure the Devo Relay rules
The only required setting for this rule is the port and the destination tag. The Sent without syslog tag and Stop processing options must be checked as well.
Configuring the Snare Windows Agent to send logs to the relay
Enter the Snare WebUI and click the Destination Configuration side menu option. Under the Network Destinations section, enter a new destination entry:
Domain/IP: add your relay’s IP or hostname. Be sure that you have access to it.
Port: set a port from 13003 to 13050. Take into account that it will have to be the same port as in the created relay rule.
Protocol: it is advised to set it to TCP in order to prevent event loss.
TLS Authentication Key: not needed.
Format: set it to SYSLOG (RFC3164).
Delimiter Character: set it to Tab. This setting is mandatory for Snare to be able to send the events to Devo.
After defining the new entry, scroll down the page and click the Update Destinations button. Once the page is reloaded, click the Apply Configuration & Restart Service button on the side menu. Here you can see an example configuration:
After a couple of seconds, the service will be working again and sending the events to the relay.