The steps below recommend initial settings for Snare Agents. As dedicated tables exist for all of the agents mentioned below, the standard syslog systems must not be used (this ensures the correct handling of data by Snare Central). The use of the Snare remote control feature via the web user interface (UI) is recommended (the user-friendly interface will maintain the appropriate syntax and formatting), and instructions to enable this service are detailed where applicable.
...
During installation, if the machine is not part of a Windows domain, allow Snare to take control of the audit subsystem. If the machine is part of a Windows domain, Local and Group Policies will need to be edited manually to provide the required level of auditing.
Through the remote control web UI, click Network Configuration.
...
Once access is granted, please configure the enterprise remote access password through the "Remote Control Configuration" page on the agent web interface.
Linux
The latest Linux Agent no longer requires kernel modifications to activate and gather audit information, making installation and upgrade management much easier. The Linux Agent is packaged with a comprehensive set of objectives for NISPOM, SOX and PCI compliance. Once installed, make the following changes via the Snare Remote Control Interface or the configuration file:
...
- Specify the log files that Epilog should monitor.
- Set the destination server to the Snare Central IP address or hostname.
- Do not use the syslog option when sending logs to Snare Central; this ensures that all events are processed correctly by Snare Central.
- Send events to TCP or UDP port 6161.
- UDP is recommended for faster and more efficient use of host and network resources.
- Generally, events will be stored in the Snare Central GenericLog table.
Tru64
...