The Linux/macOS Agent can monitor any text-based log file. The initial log configuration parameters to consider are the location of the log files to be monitored and the type of log file being monitored. From this page:
- Add to create a new log monitor
- Modify to update an existing log monitor
- Delete to remove a log monitor
Editing a Log Configuration
The following parameters for the log inputs may be set:
- Select the Log Type. The log type of a file will tell the Snare server or other SIEM how to handle the incoming data stream and in which table the processed information should be stored. The available log types are:
| Log type | Description |
| --- | --- |
| GenericLog | Generic log format (default) |
| ApacheLog | Apache web logs |
| ExchMTLog | Exchange message tracking logs pre 2007 |
| Exch2008MTLog | Exchange message tracking logs 2007 |
| Exch2013MTLog | Exchange message tracking logs 2010/2013 |
| IISWebLog | Microsoft IIS web server logs |
| ISAFWSLog | Microsoft ISA firewall logs |
| ISAWebLog | Microsoft ISA web logs |
| MSProxySvr | Microsoft proxy server logs |
| MSDNSServer | Microsoft DNS server logs |
| SMTPSvcLog | Microsoft SMTP logs |
| SquidProxyLog | Squid proxy logs |
| VMSLog | VMS Security Logs |
| NCRATMLog | NCR ATM Journal Logs |
| Custom Event Log | User configurable log type. When this is selected, the desired format can be entered in the text field. |
- Multi-Line Format. How you would like the agent to send events to the Snare Server or other SIEM.
...
- All matching files - Users may create a single log monitor for all matching files within a directory.
- Last matching file - Users may monitor the last matching file within a directory, ordered alphabetically.
- First matching file - Users may monitor the first matching file within a directory, ordered alphabetically.
- Fixed number of first matching files - Users may monitor a set number of the first matching files within a directory.
- Fixed number of last matching files - Users may monitor a set number of the last matching files within a directory.
- Number of files (1-65535) - This option is available only when Fixed number of first matching files or Fixed number of last matching files is selected. It sets how many of the first/last matching files within the directory will be monitored.
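As an added example (not code from the Snare documentation or agent), the following Python script models the file-selection modes listed above so an administrator can preview which files a monitor would watch before applying the configuration. It assumes the file pattern is a shell-style glob and that "alphabetically" means plain code-point ordering; the page specifies neither.

```python
import fnmatch
import os
from typing import List, Union

# Selection modes as described on the agent's Log Configuration page.
ALL, FIRST, LAST, FIRST_N, LAST_N = "all", "first", "last", "first_n", "last_n"


def select_matching(names: List[str], pattern: str, mode: str, count: int = 1) -> List[str]:
    """Return the files a log monitor would watch.

    Candidates are the entries matching `pattern` (assumed: glob syntax),
    ordered alphabetically (assumed: code-point order), then narrowed by mode.
    `count` mirrors the UI's 'Number of files (1-65535)' setting.
    """
    if not 1 <= count <= 65535:
        raise ValueError("Number of files must be between 1 and 65535")
    matched = sorted(n for n in names if fnmatch.fnmatchcase(n, pattern))
    if mode == ALL:
        return matched
    if mode == FIRST:
        return matched[:1]
    if mode == LAST:
        return matched[-1:]
    if mode == FIRST_N:
        return matched[:count]
    if mode == LAST_N:
        return matched[-count:]
    raise ValueError(f"unknown selection mode {mode!r}")


def preview_monitor(directory: str, pattern: str, mode: str, count: int = 1) -> Union[List[str], str]:
    """Resolve a monitor against a real directory.

    Returns the list of files that would be watched, or the string
    "No matches" (as the Matching File(s) column shows) when the directory
    is missing or nothing matches, so the path/pattern can be fixed first.
    """
    if not os.path.isdir(directory):
        return "No matches"
    files = [n for n in os.listdir(directory) if os.path.isfile(os.path.join(directory, n))]
    return select_matching(files, pattern, mode, count) or "No matches"


if __name__ == "__main__":
    # Constructed sample listing, not read from disk.
    sample = ["syslog", "syslog.1", "syslog.2", "auth.log", "README"]
    print(select_matching(sample, "syslog*", LAST_N, 2))  # prints ['syslog.1', 'syslog.2']
```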
...
To save and apply the above settings, and to ensure the registry configuration file has been updated with the new configuration, perform the following:
- Click Change Configuration to save any changes to the registry configuration file and return to the Log Configuration main page, which summarises the log files to be monitored. If the Log File or Directory does not exist, or no files in that directory match the pattern, the Matching File(s) column is displayed in red as below and shows "No matches". In that case, check your paths and log file formats.
- Click on the Apply Configuration & Restart Service menu item.
...