Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
663
Views
5
Helpful
4
Replies

Problem with SNARE

paultribe
Level 1
Level 1

‎04-02-2009 02:55 PM

I have followed th installation guide on configuring SNARE to push events to CS-MARS and am not receiving any events. There is some slight ambiguity in the instructions on configuring the SNARE agent which I am not not sure about:

1) Where it says check Syslog is using port 514, I presumed this is the "destination port" field.

2) On the SANRE client what should SYSLOG facility and SYSLOG Priority be set as.

3) How can I tell what is causing the event logging not to work, I check the MARS audit logs and there is nothing there.

Labels:
0 Helpful
4 Replies 4

sbilgi
Level 5
Level 5

‎04-08-2009 02:58 PM

The Local Controller can now act as a relay; it processes the incoming syslog messages locally before it forwards them to the designated collector. The destination port number is 514 for incoming and relayed syslog messages. MARS adheres to RFC 3164: The BSD syslog Protocol while relaying the syslog messages with the following exceptions:

•MARS can only forward to a single collector IP address

•Because MARS supports exactly one collector, you cannot specify that events originating from one device address be forwarded to one collector while those originating from a different device address are forwarded to a different collector. All events are forwarded to the same collector.

•Forwarded syslog can be up to 1024 bytes in length. Logs longer than 1024 bytes are truncated.

0 Helpful

randytoni
Level 1
Level 1

‎04-22-2009 01:22 PM

this may be silly, but a sanity check is to look for those specific events showing up from an "unknown reporting device" - I only mention this as I've tripped myself up (a couple times) troubleshooting this kind of thing - assuming I had the device properly set up on MARS, but fubar'd something in the process. Only verified the traffic after digging thru these unknown events (looking for keywords such as the sending client IP or hostname) - then I chased down the real issue (the device setup / config on MARS).

Not sure if this is of any value, but just passing it on fwiw - good luck....

paultribe
Level 1
Level 1
In response to randytoni

‎04-23-2009 01:04 AM

Thanks for the posts. have actually resolved this. It has always been working, its just that no rules were firing. When I searched for events I found many.

0 Helpful

randytoni
Level 1
Level 1
In response to paultribe

‎04-23-2009 05:37 AM

glad to hear it's working

0 Helpful
Customers Also Viewed These Support Documents