General configuration parameters to consider are as follows:

...

Including for 'Any event(s)' audit policies. This option, when selected, enables auditing for all events (i.e. System Audit, Logon Audit, ObjectAccess Audit, PrivilegeUse Audit, DetailedTracking Audit, PolicyChange Audit, AccountManagement Audit, DirectoryServiceAccess Audit and AccountLogon Audit). Enable this option *only* when you know what you are doing.

  • Allow Snare to automatically set auditing of file/folder and registry for FAM/RAM policies? Enables the file system and registry auditing to be controlled by the Snare audit policy settings. For Windows to collect file and registry access records, the correct audit category must be selected and the correct object auditing parameters must also be set. Setting this field will automatically set these parameters, based on the audit policies which have been configured. It is highly recommended that this checkbox be selected. See the FAM / RAM audit policies on the "Audit Policy Configuration" documentation page.
  • Allow SNARE to automatically set max event log cache size. Select this option to let the agent set the Windows event log cache size (as per Event Viewer).
  • Event Log Cache Size. Modify the default Windows event log size, allowing you to easily configure the desired cache size. Combined with TCP or TLS, this option will allow the agent to cache messages if there is a network failure or the destination server is otherwise unavailable. Ensure the Allow SNARE to automatically set max event log cache size checkbox is set to use this disk cache memory setting.
  • Enable active USB auditing? Select this option if a series of plug and play and drive events are required to be captured and managed by an audit policy. A new audit policy is required to capture USB events, as the events will NOT be captured by default. When creating a new audit policy, select the High Level Event of USB Event, which automatically presets the other fields for this audit policy. Please note that after setting the option Enable active USB auditing? the Snare service must be fully restarted. When USB auditing is enabled, the agent will report on the USB devices connected or disconnected, any user details, device types, and the serial number of the device where it is present.

    Info
    USB auditing is supported on Windows Server 2008 / Windows 7 or newer. It is not supported on Windows XP or Windows Server 2003.


  • IIS Log Flushing? By default, Internet Information Services (IIS) manager takes 60 seconds to write log messages, so it will take at least 60 seconds for the agent to receive the IIS log messages. Enabling this setting will configure IIS Manager to immediately flush log messages. Setting this option may cause serious performance issues, since it can result in the IIS Manager writing each log message to disk immediately.
  • Import settings from Snare Epilog Agent? The Snare agent can import Logs and Filters settings from a Snare Epilog agent installed on the same machine. Select this option to import Logs and Filters settings from the Snare Epilog Agent. Note that the relevant settings from the Snare Epilog agent can be imported only ONCE during the lifetime of the agent.
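
The FAM/RAM item above notes that Windows only records file and registry access when both the audit category and the object auditing parameters are set. The following PowerShell check is an added example, not part of the Snare documentation or agent, that reports both halves for a given object. The two paths are constructed placeholders, and the subcategory names assume an English-language Windows install.

```powershell
# Added example: verify both halves of Windows object-access auditing.
# The paths below are constructed placeholders; replace them with the
# objects your FAM/RAM audit policies are meant to cover.
$targets = @(
    @{ Subcategory = 'File System'; Path = 'C:\ExampleAuditedFolder' },
    @{ Subcategory = 'Registry';    Path = 'HKLM:\SOFTWARE\ExampleAuditedKey' }
)

function Get-AuditSubcategorySetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # /r makes auditpol emit CSV; blank lines are dropped before parsing.
    $rows = auditpol /get /subcategory:"$Subcategory" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    ($rows | Select-Object -First 1).'Inclusion Setting'
}

function Get-ObjectAuditRules {
    param([Parameter(Mandatory)][string]$Path)
    # Reading the SACL needs an elevated session (SeSecurityPrivilege).
    $acl = Get-Acl -Path $Path -Audit
    # Include explicit and inherited audit entries.
    $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

foreach ($t in $targets) {
    $setting    = Get-AuditSubcategorySetting -Subcategory $t.Subcategory
    $categoryOn = $setting -and $setting -ne 'No Auditing'

    $rules = @()
    if (Test-Path -Path $t.Path) {
        $rules = @(Get-ObjectAuditRules -Path $t.Path)
    }

    [pscustomobject]@{
        Path            = $t.Path
        Subcategory     = $t.Subcategory
        CategorySetting = $setting
        SaclRuleCount   = $rules.Count
        # Access events are generated only when the category is enabled
        # AND the object carries at least one audit (SACL) entry.
        WillLogAccess   = [bool]($categoryOn -and $rules.Count -gt 0)
    }
}
```

A row with `WillLogAccess` set to `False` shows which half is missing: `CategorySetting` of `No Auditing` means the audit category is off, while a `SaclRuleCount` of 0 means the object has no auditing entries.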

...