This page displays the latest events sent to a network destination. The list will be empty if the agent has not yet found any matching events, or if a network problem prevented the events from being sent to any of the configured network destinations.
Filter buttons allow the user to view different types of events:
- macOS Audit events - displays events generated by the macOS audit subsystem, as configured in the Audit Policy Configuration page.
- Log Audit events - displays events collected from log files, as configured in the Log Configuration and Log Filter Configuration pages.
- File Integrity events - displays file-related events generated by the Snare FIM module, as configured in the File Integrity Monitoring page.
No events will be generated unless a valid destination to send them to has been configured.
(Screenshot: example of the latest FIM events)
(Screenshot: example of the latest Log Audit events)
Other useful information about the Latest Events window:
- the list is restricted to 20 entries and cannot be cleared, except by restarting the Snare service
- new events are displayed with an alarm bell icon next to them
- events are highlighted in the criticality level colour nominated in your audit policies
- the window automatically refreshes every 30 seconds for event logs, or whenever the Latest Events menu item is selected
- it displays the status of the current network connection(s) to the log server
- it displays the date and time of the last HeartBeat sent, if applicable
About Destinations
This page also shows each destination's host/IP name, protocol, status and event rate. The status is the current state of the connection and may be one of:
- INITIAL - The remote log location is about to begin setup
- RESOLVING - DNS resolution for a hostname is occurring
- RESOLVE_DELAY - DNS resolution failed; a retry will occur in X seconds
- CONNECTING - Snare is trying to connect to the destination
- CONNECT_FAILED - The connection to the destination failed
- CONNECT_DELAY - Connecting to the remote end failed; it will be retried in X seconds
- CONNECTED - Snare has an active connection to the destination
- SENDING - Snare is currently sending logs to the destination
- DISCONNECTED - The destination has disconnected the Snare agent. A reconnection will occur automatically.
- HANDSHAKE - An SSL/TLS handshake is in progress
- HANDSHAKE_FAILED - The SSL/TLS handshake failed
- OPENING - Opening a file destination is in progress
- WRITING - Writing to a file is in progress
- WRITE_FAILED - A write to the file failed
- CLOSED - A file has been closed
- AVAILABLE - Instant feedback indicating whether Snare can use the destination to send logs. A value of 1 indicates that logs can be sent; a value of 0 indicates that logs cannot be sent.
- ReadyToSend - Instant feedback indicating whether the destination is set up in a state where logs can be sent. If Snare is already sending to the destination, ReadyToSend will be 0.
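The status values above matter to a defender because a destination stuck in a failed state means audit events are not reaching the collector, and the Latest Events list going quiet is the only visible symptom. The following is an added example, not Snare's own code: it groups the documented status names into healthy, in-progress and failed sets and assesses a set of destination rows for forwarding gaps, cross-checking the AVAILABLE and ReadyToSend flags against the semantics stated on this page. The `Destination` record layout, the protocol labels and the sample rows are constructed for the example; Snare does not expose such a function, and the unit of the displayed rate is assumed.

```python
from dataclasses import dataclass
from typing import List

# Status names exactly as documented on this page, grouped by what each
# means for whether events are currently reaching the destination.
HEALTHY = {"CONNECTED", "SENDING", "WRITING"}
IN_PROGRESS = {"INITIAL", "RESOLVING", "CONNECTING", "HANDSHAKE", "OPENING", "CLOSED"}
FAILED = {"RESOLVE_DELAY", "CONNECT_FAILED", "CONNECT_DELAY", "DISCONNECTED",
          "HANDSHAKE_FAILED", "WRITE_FAILED"}


@dataclass
class Destination:
    """One row of the destination table: host/IP name, protocol, status, rate,
    plus the AVAILABLE and ReadyToSend indicators. This field layout is an
    assumption made for the example, not a Snare data structure."""
    host: str
    protocol: str
    status: str
    rate: float          # displayed event rate (unit assumed; 0 means nothing flowing)
    available: int       # AVAILABLE: 1 = logs can be sent, 0 = they cannot
    ready_to_send: int   # ReadyToSend: 0 once Snare is already sending


def classify(status: str) -> str:
    """Map a documented status name to 'healthy', 'in_progress', 'failed' or 'unknown'."""
    if status in HEALTHY:
        return "healthy"
    if status in IN_PROGRESS:
        return "in_progress"
    if status in FAILED:
        return "failed"
    return "unknown"


def assess(destinations: List[Destination]) -> List[str]:
    """Return human-readable findings about event-forwarding health.

    The page states that the Latest Events list stays empty when events could
    not be sent to any configured destination, so the first question is whether
    at least one destination is healthy; the remaining checks are per row.
    """
    findings = []
    if not destinations:
        return ["CRITICAL: no destinations configured; no events will be generated"]

    healthy = [d for d in destinations if classify(d.status) == "healthy"]
    if not healthy:
        findings.append("CRITICAL: no destination can receive events; "
                        "audit data is not being forwarded")

    for d in destinations:
        label = f"{d.host} ({d.protocol})"
        kind = classify(d.status)
        if kind == "failed":
            findings.append(f"WARN: {label} is {d.status}; retry is automatic, "
                            "but check DNS, firewall and TLS configuration")
        elif kind == "unknown":
            findings.append(f"WARN: {label} reports undocumented status {d.status!r}")
        elif kind == "healthy" and d.rate == 0:
            findings.append(f"INFO: {label} is {d.status} but no events are flowing; "
                            "confirm the audit policy and filters match events")
        # Cross-check the two indicator flags against their documented meaning.
        if d.available == 1 and kind == "failed":
            findings.append(f"WARN: {label} shows AVAILABLE=1 while {d.status}")
        if d.status == "SENDING" and d.ready_to_send != 0:
            findings.append(f"WARN: {label} is SENDING but ReadyToSend is not 0")
    return findings


# Constructed sample rows (not output captured from a Snare agent).
SAMPLE = [
    Destination("siem.example.internal", "TCP", "SENDING", 12.5, 1, 0),
    Destination("backup-collector.example.internal", "TCP", "CONNECT_DELAY", 0.0, 0, 0),
    Destination("/var/log/snare/audit.out", "FILE", "WRITE_FAILED", 0.0, 1, 1),
]

if __name__ == "__main__":
    for line in assess(SAMPLE):
        print(line)
```

Run against the sample rows, the check reports the two failed destinations and the inconsistent AVAILABLE flag on the file destination, while staying silent about the primary collector that is actively sending. Feeding it the rows from the destination table on a schedule (for example, alongside the 30-second refresh the window itself uses) turns a quiet Latest Events list into an explicit alert rather than something noticed after the fact.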