...

  • Event Cache Size. Sizes the in-memory cache by number of events, up to a maximum of 65536 events. As an event count is entered, the memory-based setting Event Cache Size Per Destination is recalculated automatically. This setting can be used in conjunction with the Event Log Cache Size setting on the General Configuration page. It does not need to be very large, as the principal cache is the Windows event log. Combined with TCP or TLS transport, this option allows the agent to cache messages when there is a network failure or the destination server is otherwise unavailable.
  • Event Cache Size Per Destination. As an alternative to specifying the number of events held in memory, the cache can be configured to use a maximum amount of memory per destination. Entering a memory size recalculates automatically the number of events that fit in the cache. This setting can be used in conjunction with the Event Log Cache Size setting on the General Configuration page. It does not need to be very large, as the principal cache is the Windows event log. Combined with TCP or TLS transport, this option allows the agent to cache messages when there is a network failure or the destination server is otherwise unavailable.
  • Disk Cache. This is the path where the agent temporarily saves all unsent events when it needs to restart; on restart, the agent reads the saved events and sends them. The temporary files are written to the Snare installation directory, C:\Program Files\Snare\.
  • UTC Timestamp. Uses UTC (Coordinated Universal Time) for event timestamps instead of the local machine's time zone.
  • EPS Rate Limit. A hard limit on the number of events per second the agent sends to any destination server. The limit applies only to sending events, not to capturing them, so events above the limit are held in the cache rather than lost. It is intended to reduce the load on slow network links or the impact on destination SIEM servers during unexpected spikes in event rate. For example, if the EPS rate limit is set to 50, Snare sends at most 50 log messages per second to any destination server.


  • EPS Rate Limit Notification. If this option is selected, a message is sent to the server when the agent reaches the EPS rate limit. The message also includes the EPS rate limit value.
  • EPS Notification Rate Limit. The period (in minutes) within which only one EPS rate limit message is sent to the server, however many times the agent reaches the EPS limit during that period. This setting only takes effect if EPS Rate Limit Notification is checked. For example, if the EPS notification rate limit is set to 10 minutes, only one EPS notification message is sent to the destination server(s) in any 10-minute period, regardless of how many times Snare reaches the EPS rate limit.

    Note
    The EPS rate limit settings are to help reduce the load on slow network links or to reduce the impact on the destination SIEM servers during unexpected high event rates.


  • SYSLOG Facility. Specifies the subsystem that produced the message. The list displays the default facility levels, which are compatible with Unix syslog.
  • SYSLOG TAG Terminator. Selects whether a TAB or a custom delimiter terminates the TAG part of a syslog (RFC 3164) event. TAB is used by default.
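The following is an added example, not Snare agent code, that models the sending behaviour described for EPS Rate Limit, EPS Rate Limit Notification and EPS Notification Rate Limit above: capture is never limited, events above the per-second limit wait in the in-memory cache, and one notification carrying the limit value is emitted per notification period. Class and method names, the fixed one-second window, and the choice to record notifications separately from ordinary events are this example's own assumptions; the agent's exact internal algorithm is not documented on this page.

```python
"""Fixed-window EPS limiter with throttled limit notifications (added example)."""
from collections import deque


class EpsLimitedSender:
    """Send at most `eps_limit` events per wall-clock second to one destination.

    Events that exceed the limit stay queued (the in-memory cache) and are
    drained in later seconds. When the limit is reached, one notification is
    recorded, then further notifications are suppressed for `notify_minutes`.
    """

    def __init__(self, eps_limit, notify=True, notify_minutes=10):
        if eps_limit <= 0:
            raise ValueError("eps_limit must be positive")
        self.eps_limit = eps_limit
        self.notify = notify
        self.notify_window = notify_minutes * 60  # seconds
        self.queue = deque()          # unsent events, oldest first (the cache)
        self.sent = []                # events that reached the destination, in order
        self.notifications = []       # (timestamp, message) pairs (assumed shape)
        self._window_start = None     # integer second of the current window
        self._window_count = 0        # events sent in the current window
        self._last_notify = None      # timestamp of the last notification

    def enqueue(self, event):
        """Capture is not rate limited: every event enters the cache."""
        self.queue.append(event)

    def pump(self, now):
        """Send as many queued events as the second containing `now` still allows.

        `now` is a float timestamp in seconds; passing it in keeps the limiter
        deterministic. Returns the number of events sent by this call.
        """
        second = int(now)
        if second != self._window_start:
            self._window_start, self._window_count = second, 0
        sent = 0
        while self.queue and self._window_count < self.eps_limit:
            self.sent.append(self.queue.popleft())
            self._window_count += 1
            sent += 1
        # Limit reached only if something is still waiting after the window filled.
        if self.queue and self._window_count >= self.eps_limit:
            self._on_limit_reached(now)
        return sent

    def _on_limit_reached(self, now):
        if not self.notify:
            return
        if self._last_notify is not None and now - self._last_notify < self.notify_window:
            return  # suppressed: at most one notification per notify window
        self._last_notify = now
        self.notifications.append((now, f"EPS rate limit of {self.eps_limit} reached"))


def simulate(eps_limit=50, burst=120, notify_minutes=10):
    """Constructed scenario: `burst` events captured at t=1000, pumped once per second.

    Returns the sender and the per-second send counts.
    """
    sender = EpsLimitedSender(eps_limit, notify_minutes=notify_minutes)
    for i in range(burst):
        sender.enqueue(f"event-{i}")
    per_second = []
    t = 1000.0
    while sender.queue:
        per_second.append(sender.pump(t))
        t += 1.0
    return sender, per_second


if __name__ == "__main__":
    s, counts = simulate()
    print("sent per second:", counts)            # [50, 50, 20]
    print("notifications:", s.notifications)     # one, at t=1000.0
```

With a limit of 50 and a burst of 120 events, the burst drains over three seconds (50, 50, 20) while every event is preserved in order, and only one notification is raised even though the limit is reached in two consecutive seconds, because both fall inside the 10-minute notification window.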

Event Options

These settings allow you to configure additional data to be included in each event the agent generates.

...