
Custom event logs (only available for Snare Enterprise Agents) are logs captured beyond the Windows Logs events, that is, those within Applications and Services Logs. To capture a custom log, create or modify an Audit Policy, select the Custom Event Log check box under Identify the event log sources to capture events from, and then enter the exact name of the log in the Source Search Term.


To find the exact name of the log, start the Event Viewer, browse to the event log you wish to capture, and open its Properties dialog. For example, for Group Policy logs, the name to enter in the Audit Policy for Source Search Term can be found on the Event Viewer's Details tab (Friendly View) for that event as displayed below:
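
As an alternative to reading the name from Event Viewer, the following added example (not part of the Snare documentation) lists matching log names from PowerShell so the exact string can be copied into Source Search Term. It assumes the name shown in Event Viewer is the log's channel name; the `GroupPolicy` default term is a constructed sample.

```powershell
# Added example: list event log channels whose name matches a term, so the exact
# name can be copied into the Audit Policy's Source Search Term.
# Assumption: the name Snare expects is the channel name reported by Windows.
param(
    [string]$Term = 'GroupPolicy'   # constructed sample term; replace with your own
)

# Get-WinEvent -ListLog enumerates both Windows Logs and Applications and Services Logs.
$logs = Get-WinEvent -ListLog "*$Term*" -ErrorAction SilentlyContinue

if (-not $logs) {
    Write-Warning "No event log name contains '$Term'."
    return
}

$report = foreach ($log in $logs) {
    # Read the newest event to confirm the Channel value recorded in the event
    # itself. Empty, disabled or unreadable logs yield no event and stay blank.
    $channel = $null
    if ($log.RecordCount -gt 0) {
        $evt = Get-WinEvent -LogName $log.LogName -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($evt) {
            $channel = ([xml]$evt.ToXml()).Event.System.Channel
        }
    }
    [pscustomobject]@{
        LogName     = $log.LogName      # candidate value for Source Search Term
        Enabled     = $log.IsEnabled    # a disabled log produces no events to capture
        RecordCount = $log.RecordCount
        Channel     = $channel
    }
}

$report | Sort-Object LogName | Format-Table -AutoSize
```

A log that shows `Enabled` as `False` or a `RecordCount` of 0 will not produce events for the agent to capture until it is enabled and written to.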


Once the configuration is saved, and as the expected events are logged, the latest events will then display these logs, for example: