A Snare WEC Agent installed on a Windows Event Collector (WEC) server can be configured to collect events forwarded from other Windows servers.

To configure this capability, open the Snare WEC agent's web UI and go to Log Sources > Audit Policies ("Audit Policy Configuration" in versions earlier than v5.9.0).
Under the parameter "Identify log sources to capture events from", tick the "Windows Forwarded Events" checkbox. This checkbox is only available in the Snare WEC agent.
The checkbox must be ticked to collect events from the Windows Forwarded Events custom event log. That log is populated by the Microsoft event log subscription process, which uses WinRM to poll the remote hosts and collect their event logs.

Basic Auditing: [screenshot of the Audit Policies page]

Advanced Auditing: [screenshot of the Audit Policies page]

Note:
The agent will adjust the source host details to the original hostname when it sends the syslog, so the destination server will recognise that the logs originated on another host and not on the WEC server that forwarded them. The host IP override settings in the Destination Configuration page apply only to the host the Snare WEC agent is running on; the agent currently does not do any IP translation of the host details for forwarded events.
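A quick way to confirm that the Forwarded Events log is actually being fed, and that each event still carries its original source host, is to query the log and the subscription status on the WEC server. This is an added verification script, not part of the Snare documentation or agent; it assumes an elevated PowerShell session on the WEC server and that the subscriptions were created with the standard Windows Event Collector service (wecutil). Reading the original host from the MachineName field is an assumption about the event record, not a statement of how the agent implements the hostname rewrite.

```powershell
# Added verification script (not Snare's own code). Assumes an elevated
# PowerShell session on the WEC server where the subscriptions are defined.

# 1. Confirm the Forwarded Events log exists, is enabled and holds records.
$log = Get-WinEvent -ListLog ForwardedEvents
"ForwardedEvents enabled={0} records={1}" -f $log.IsEnabled, $log.RecordCount

# 2. Show the runtime status of every WEC subscription: which source hosts
#    are active and when each last delivered or sent a heartbeat.
foreach ($sub in (wecutil es)) {
    "--- subscription: $sub"
    wecutil gr $sub
}

# 3. Break down recent forwarded events by the computer that generated them.
#    Each forwarding server should appear under its own name, not the WEC
#    server's; an empty result or only the WEC server's name means the
#    subscription is not delivering and the Snare checkbox has nothing to read.
#    (Assumption: MachineName is the field that carries the original host.)
Get-WinEvent -LogName ForwardedEvents -MaxEvents 500 -ErrorAction SilentlyContinue |
    Group-Object MachineName |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceHost'; e = { $_.Name } }, Count
```

If step 3 returns nothing while step 1 shows a non-zero record count, the events are older than the last 500 read; raise MaxEvents or filter by TimeCreated instead.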
