Events collected by the agent that meet the filtering requirements as per the audit configuration, will be displayed in the Latest Events window. This display is NOT a display from the event log file, but rather a temporary display from a shared memory connection between the web UI and the the Snare service. This list will be empty if the agent has not yet found any matching events or if there has been a network problem and the agent has temporarily suspended event processing.
A key feature of Snare service is that events are not stored locally on the host, but rather sent out over the network to one or more remote hosts, and a summary version of the events is displayed on the window.
...