...

Warning

The purpose of the file destination is to store a copy of each event that is successfully sent to at least one network destination. If there is no network destination and at least one file destination, Snare will keep writing new events to the file destination but will not show these events in the Latest Events page. If there is more than one network destination and one file destination, Snare will write an event to the file destination only after it has successfully sent that event to at least one of the network destinations. If none of the network destinations is available, Snare will add events to a memory cache and will write those events to the file destination as well. Once the memory cache reaches its capacity, no additional events will be written to the file destination. If there is a need to store the events locally only in a file destination, a dummy UDP network destination must be added.


Hostname Options

These settings modify the hostname associated with the processed event log.

...

  • Event Cache Size. Sets the in-memory cache as a number of events, up to a maximum of 65536 events. As the number of events is entered, the memory setting Event Cache Size Per Destination is automatically recalculated. This setting can be used in conjunction with the Event Log Cache Size in the General Configuration page. This setting does not need to be very large, as the principal cache is the Windows event log. Combined with TCP or TLS, this option allows the agent to cache messages if there is a network failure or the destination server is otherwise unavailable.
  • Event Cache Size Per Destination. As an alternative to specifying the number of events held in memory, the cache can be configured to use a maximum amount of memory per destination. Using this setting automatically recalculates the number of events that can fit in this memory cache. This setting can be used in conjunction with the Event Log Cache Size in the General Configuration page. This setting does not need to be very large, as the principal cache is the Windows event log. Combined with TCP or TLS, this option allows the agent to cache messages if there is a network failure or the destination server is otherwise unavailable.
  • Disk Cache. This is the path where the agent will temporarily save all unsent events if the agent needs to restart. The agent will read and send the events when it is restarted.  The temporary files will be written to the Snare installation directory C:\Program Files\Snare\.
  • UTC Timestamp. Enables UTC (Coordinated Universal Time) timestamp format for events instead of local machine time zone format.
  • EPS Rate Limit. This is a hard limit on the number of events sent by the agent per second to any destination server. This EPS rate limit applies only to sending the events and not capturing the events. The EPS rate limit is to help reduce the load on slow network links or to reduce the impact on the destination SIEM servers during unexpected high event rates. For example, if the EPS rate limit is set to 50 then Snare will only send a maximum 50 log messages in a second to any destination server.


  • EPS Rate Limit Notification. If this option is selected, a message is sent to the server when the agent reaches the EPS rate limit. The message also includes the EPS rate limit value.
  • EPS Notification Rate Limit. This is the window (in minutes) within which, if the agent reaches the EPS limit multiple times, only one EPS rate limit message is sent to the server. This setting only works if EPS Rate Limit Notification is checked. For example, if the EPS notification rate limit is set to 10 minutes, only one EPS notification message is sent to the destination server(s) in that window regardless of how many times Snare reaches the EPS rate limit.

    Note
    The EPS rate limit settings are to help reduce the load on slow network links or to reduce the impact on the destination SIEM servers during unexpected high event rates.


  • SYSLOG Facility. Specifies the subsystem that produced the message. The list displays the default facility levels, which are compatible with Unix.
  • SYSLOG TAG Terminator. Allows you to choose whether to use TAB or a custom delimiter as the terminator of the TAG part of the SYSLOG (RFC3164) event. TAB is used by default.
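As an added illustration that is not part of the Snare documentation, the following Python models how the EPS Rate Limit, EPS Rate Limit Notification and EPS Notification Rate Limit settings described above interact: events above the per-second limit are delayed to a later second rather than dropped (the limit applies to sending, not capturing), and at most one notification is raised per notification window. The function names, the notification text and the sample arrival times are constructed for this example and are not the agent's own code.

```python
from typing import List, Optional, Tuple

def schedule_sends(arrivals: List[float], eps_limit: int, notify: bool = True,
                   notify_window_min: int = 10) -> Tuple[List[int], List[Tuple[float, str]]]:
    """Model of the EPS rate limiter.

    arrivals:   sorted capture timestamps in seconds (constructed input).
    eps_limit:  'EPS Rate Limit' - hard cap on events sent per whole second.
    notify:     'EPS Rate Limit Notification' checkbox.
    notify_window_min: 'EPS Notification Rate Limit' in minutes.
    Returns (send_second for each event, list of (timestamp, message)).
    Events are never discarded: each is sent in the earliest second that still
    has capacity and is not earlier than the previous event's send second (FIFO).
    """
    sent_in_second = {}            # second -> events already sent in it
    send_times: List[int] = []
    notifications: List[Tuple[float, str]] = []
    last_notify: Optional[float] = None
    last_sec = 0
    for ts in arrivals:
        sec = max(int(ts), last_sec)
        while sent_in_second.get(sec, 0) >= eps_limit:
            sec += 1                # this second is full; defer to the next one
        sent_in_second[sec] = sent_in_second.get(sec, 0) + 1
        send_times.append(sec)
        last_sec = sec
        # The limit is "reached" when a second fills up; notify at most once per window.
        if sent_in_second[sec] == eps_limit and notify:
            if last_notify is None or ts - last_notify >= notify_window_min * 60:
                notifications.append((ts, f"EPS rate limit of {eps_limit} reached"))
                last_notify = ts
    return send_times, notifications

def max_delay_seconds(arrivals: List[float], send_times: List[int]) -> int:
    """Largest backlog, in whole seconds, that the rate limit introduced."""
    return max(s - int(a) for a, s in zip(arrivals, send_times))

if __name__ == "__main__":
    # Constructed burst: 120 events within one second, then 60 more ~11.5 minutes later.
    burst = [i / 120 for i in range(120)] + [700 + i / 60 for i in range(60)]
    sends, notes = schedule_sends(burst, eps_limit=50)
    print("max delay:", max_delay_seconds(burst, sends), "s; notifications:", notes)
```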

Event Options

These settings allow you to configure additional data to be included in each event log generated by the agent.

...