Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Snare Central can process a reasonably wide range of source data types. The Snare Central data acquisition software is generally tuned for particular versions of operating system or device logs, so if you encounter problems importing particular types of data, please contact your Snare Central support team, and be prepared to supply (sanitised if required) log samples.

Snort Sensor

Organisations that use the Snort network intrusion detection system can send data to Snare Central via the syslog protocol. Snare will be able to collect, interpret, and report on the events. The following information provides an overview of the steps required to configure the Snort sensor to send eventlog data back to Snare Central. Note that there is no configuration required on Snare Central.

What you need

The IP address or DNS name of Snare Central

How to..

On the host that is acting as a Snort collection sensor:

  • In the file /etc/syslog.conf, add the following two lines:

# Send all SYSLOG events to Snare Central
*.*@12.23.34.45

  • Please substitute the IP address, or the DNS name, of Snare Central for the string "12.23.34.45"
  • Modify the file /etc/snort/snort.conf to include the following line:

output alert_syslog: LOG_AUTH LOG_ALERT

  • An existing (or possibly, multiple) 'output' line may already exist in the file - that is acceptable. Snort will be able to send output to both targets.
  • Restart your snort network intrusion detection system and syslog daemon. Depending on your distribution this may be one of:
    • /etc/init.d/snortd; /etc/init.d/syslog restart
    • service snortd restart; service syslog restart

Troubleshooting Snort

Checking for Snort Sensor errors:

  • Look in /var/log/messages for errors.
  • Run manually:
    • /usr/sbin/snort -D -i "ppp0" -c /etc/snort/snort.conf
  • ..then look in /var/log/messages for errors

Collecting ACF2 Data

Snare Central is able to collect ACF2 processed reports, via FTP transfer. The processed reports need to be transferred to a particular directory on Snare Central, which will then be uploaded by Snare Central processes, on a daily basis.

The ACF2 processed reports are based on specific utilities, provided with the ACF2. The utilities produce formatted reports on the following activity on a mainframe, which can then be collected by Snare Central, and used for reporting:

  • ACFRPTLL Logonid Modification Log
  • ACFRPTRL Dataset Rule Modification Log
  • ACFRPTEL Infostorate Modification Log
  • ACFRPTDS Dataset Violation/Logging
  • ACFRPTRV Resource Violation/Logging
  • ACFRPTPW Invalid Password Authority Log

The end of this chapter contains a listing of an example JCL which could be used to run, extract and send the ACF2 processed reports to Snare Central. This sample job has been set up for the Logonid Modification Log report, but could easily be configured for all the reports listed above. Each step in the sample job below performs the following steps. Note that a fixed transfer library name is used because a reference to this library is stored in an FTP parm library which cannot be changed with each run. Some of the programs used in this job are defined below.

  • Deletes previous day's FTP transfer library.
  • Runs ACF2 report, placing output in a GDG (7 generations kept).
  • Allocate new FTP transfer library and copy report from GDG created in previous step.
  • FTP the transfer library to Snare Central. The 'snarexfer' FTP user must be used. This user defaults to the "/data/SnareCollect" directory on Snare Central. The ACF2 processed reports must be placed in the "ACF2Log" sub-directory. So the full path becomes: "/data/SnareCollect/ACF2Log". Member level security is used to protect the FTP lid password.

The IEBGENER program used in the sample job is an IBM-supplied utility program designed to generate copies of data sets when disk storage or tape is involved. The IKJEFT01 program is the TSO/E program, and is used to perform a TSO function within a batch job.


CSCSNR01
********************************** Top of Data **********************************
//CSCSNR01 JOB (P,SCF81),ACT.SECURITY,CLASS=C,MSGCLASS=J
/*JOBPARM SYSAFF=PROD
//-----------------------------------------------------------------
//*
//* JOB TO PRODUCE ACF2 LIDMOD REPORT FOR XFER TO SNARE SERVER
//*
//*---------- DELETE TEMP XFER LIB ---------------------------------
//*
//STEP1 EXEC PGM=IKJEFT01,REGION=8192K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTERM DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN DD *
DELETE 'CSC.SNARE01.LIDMODS.XFER'
//*
//*---------- ACF2 LID DB MODIFICATION LOG REPORT ------------------
//*
//STEP2 EXEC PGM=ACFRPTLL
//SYSPRINT DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),
//
DISP=(,CATLG),
//
VOL=SER=BTCH52,
//
UNIT=SYSDA,
//
SPACE=(TRK,(60,5),RLSE),
//
DCB=(GDGMODEL,RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSUDUMP DD SYSOUT=*
//REC01 DD DSN=CTF.SMFJR,DISP=SHR
//SYSIN DD *
MASK(********)
DETAIL
NOUPDATE
SYSID(****)
//*
//*---------- COPY REPORT FROM GDG TO XFER LIB ---------------------
//*
//COPY
EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1
DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),
DISP=SHR
//SYSUT2
DD DSN=CSC.SNARE01.LIDMODS.XFER,
//
DISP=(NEW,CATLG,DELETE),
//
VOL=SER=BTCH52,
//
UNIT=SYSDA,
//
SPACE=(TRK,(60,5),RLSE),
//
DCB=*.SYSUT1
//*
DCB=(RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSIN
DD DUMMY
//*
//*---------- FTP XFER FILE TO SNARE SERVER ------------------------
//*
//STEP4 EXEC FTP,
//
SERVER='CSCSNARE',
//
FTPUSER='SNAREXFER',
//
FTPCMDS='CSCSNR01',
//
ENV='PROD',
//
SOUT='*'
//*
//*---------- Notify Security Monitoring Team if job fails ---------
//*
//*JOBFAIL IF ((RC > 4) | (ABEND)) THEN
//*
//SENDMEMO EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1 DD *
HELO NCC
MAIL FROM:<PSC0SCHD@AGENCY.COM>
RCPT TO:<ITSECMON@AGENCY.COM>
DATA
TO:ITSECMON<ITSECMON@AGENCY.COM>
SUBJECT:SNARE REPORT FTP JOB FAILURE: JOB CSCSNR01
PLEASE CHECK SDSF OUTPUT FOR THIS JOB ASAP AND DETERMINE WHY.
>> THIS E-MAIL IS GENERATED BY A BATCH JOB RUNNING ON THE
>> AGENCY'S MAINFRAME ENVIRONMENT.
.
QUIT
/*
//SYSUT2 DD SYSOUT=(B,SMTP)
//SYSIN DD DUMMY
//*
//JOBFAIL ENDIF
//*===================================================================

RACF Violation Logs

RACF resource violation logs can be batch-imported to Snare Central. In particular, ACCESS, DELRES, and JOBINIT logs are supported directly, .

RACF files should be in ASCII format, and transferred to the directory /data/SnareCollect/RACFLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Log format

RACF logs are fixed-column logs. Snare Central assumes the following format:

  • EVENT TYPE: Characters 1-8
  • EVENT QUALIFIER: Characters 10-17 (Eg; SUCCESS, INVPSWD, RACINITD)
  • TIME: Characters 19-26
  • DATE: Characters 28-37
  • SYSTEM: Characters 39-42 (SYSTEM ID)
  • USER ID: Characters 59-66
  • GROUP ID: Characters 68-75
  • TERMINAL (HOSTNAME): Characters 171-178
  • JOB NAME: Characters 180-187
  • USER NAME: Characters 556-575
  • ATTRIBUTES: (True/False)
    • VIOLATION: 44-47
    • BYPASS: 107-110
    • SPECIAL USER: 602-605
    • PRIV: 646-649 

Tandem Logs

Tandom systems supply logs with the following fields:

  • P-TIMEREP
  • PS-SYSNAME
  • PS-GUSER
  • PS-GUSER
  • PS-TERM
  • P-OPERATIO
  • P-OUTCOME
  • PO-OWNUSER
  • PO-OBJTYPE
  • PO-OWNUSER
  • PC-GUSER
  • PC-TERM

Logs should be transferred to the directory /data/SnareCollect/TandemLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Sidewinder Firewall Logs

Sidewinder firewall logs can be exported to CSV, and transferred to Snare Central for processing.

Snare Central, will utilise the following fields:

  • date
  • hostname
  • user_name
  • reason
  • srcip
  • srcport
  • dstip
  • dstport
  • type
  • event
  • protocol
  • auth_method

Logs should be transferred to the directory /data/SnareCollect/SidewinderLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Content Keeper Logs

Content keeper logs can be transferred to the directory /data/SnareCollect/CKeeperLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Snare expects logs to be comma delimited, and be composed of fields in the following order:

  • Date/Time
  • Ignored field
  • Source IP Address
  • User Name
  • Bytes
  • Status Code
  • Content
  • URL
  • Policy
  • Category

Checkpoint Firewall1 Logs

Checkpoint Firewall 1 firewalls can export log data to a CSV file. Snare is capable of coping with a range of formats, as long as the header line, specifying the log format, is included as the first line in each exported file.

A sample header line is:

  • num,date,time,orig,type,action,alert,i/f_name,i/f_dir,proto,src,dst,service,s_port,len,rule,icmp-type,icmp-code,reason:,rpc_prog,IKE Log:,product,additionals:,sys_msgs

Snare will try and pull out the following information from the log data, and incorporate it into the Snare log archive:

  • Date
  • Time
  • Action
  • Interface
  • Source IP Address
  • Source Port
  • Destination IP Address
  • Destination Port
  • Protocol
  • Rule
  • All other information will be included within a general 'Data' field.

Checkpoint Firewall logs can be transferred to the directory /data/SnareCollect/Firewall1Log via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Gauntlet Firewall Logs

Gauntlet Firewall logs can be transferred to the directory /data/SnareCollect/GauntletFirewallLog/ via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Content is assumed to be in ASCII format, and values are space separated.

OS400 Logs

OS400 logs can be transferred to the directory /data/SnareCollect/OS400Log via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Snare is capable of coping with a range of log formats, as long as the header line, specifying the log format, is included as the first line in each exported file.

Snare understands the following fields:

  • Journal Code (JournalCode)
  • Journal Entry Code (JournalEntryCode)
  • Journal Entry Date (Date)
  • Journal Entry Time (Time)
  • System name (System)
  • Job Name (JobName)
  • User Name (JobUser)
  • Job Number (JobNumber)
  • Program Accessing Object (Program)
  • Object Failure Object Name (OFName)
  • Object Failure Library Name (OFLibrary)
  • Object Failure Object Type (OFType)
  • Failed Login User (Strings)
  • Failed Login Job (Strings)
  • System Value name (Strings)
  • Changed Value (Strings)

Squid Proxy Logs

Squid proxy logs (in the default squid log format) can be transferred to the directory /data/SnareCollect/SquidProxyLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Apache Logs

Apache web server logs (in the default apache 'combined' format) can be transferred to the directory /data/SnareCollect/ApacheLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Internet Information Server (IIS) Logs

IIS web server logs can be transferred to the directory /data/SnareCollect/IISWebLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

IIS logs should retain the header information, that includes the 'Fields' definition line.

Snare Central requires the following fields to be included:

  • date
  • time
  • s-ip
  • cs-method
  • cs-uri-stem
  • cs-uri-query
  • s-port
  • cs-username
  • c-ip
  • cs(User-Agent)
  • sc-status
  • sc-substatus
  • sc-win32-status

Windows Event Logs (Exported from Snare Agents)

Snare for Windows agents are capable of exporting log data to a file on disk, rather than pushing the events back to a central server.

In situations where systems are air-gapped, or have sporadic internet connectivity, directly transferring the archived log data to Snare Central via FTP is possible.

Logs should be in standard Snare Agent tab-delimited text format, and can be transferred to the directory /data/SnareCollect/MSWinEventLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Windows Event Logs (EVTX files)

Note: Only available in Snare Central version 7.1 or newer

EVTX files can be exported from windows machines, and transferred to a subdirectory within /data/SnareCollect/MSWinEVTX via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

There are several limitations of the EVTX format that need to be considered:

  • String order may not match the order found in normal Snare agent logs.
    • Some existing Snare Central objectives may require strings to be in a particular order, to pull out information of particular interest, from the 'Strings' section of events, such as as user name.
  • String names may not match those found in normal Snare agent logs.
    • The string "SubjectUserSid" in the EVTX file, is actually translated to "Subject: Security ID:" in many events.
    • The string "SubjectUserName" in the EVTX file may be "User Name" in some circumstances, or "Account Name" in others. There is no obvious consistency , and there does not seem to be a generally available lookup-table to hint at what translations are appropriate.
    • Snare Central will attempt to convert the 'CamelCase' string headers to space-included versions, which are more likely to match those displayed by the Windows event viewer (and therefore transmitted by Snare), however, case may be incorrect in some circumstances:
      • SubjectUserId may be translated as "Subject User Id", whereas the Windows event view will display it as "Subject User ID".
      • There are a few 'special cases' defined in the EVTX converter, that may fix the more obvious examples.
  • The contents of the 'Data' field is not currently supported for conversion.
  • Content that is usually interpreted at display-time in the Windows event viewer, or at transmission time in the Snare agents, will not be interpreted.
    • At event display-time, the Windows event viewer interrogates the registry, and sometimes native or third party DLL's, to try and resolve event template components to human readable text. The Snare for Windows agent does the same, when it converts the events to text-format prior to transmission.
    • These DLL's/registry entries are not guaranteed to be installed on all windows machines - for example, Internet Information Server template conversion DLL's will not be installed on a server that is not running IIS.
    • As such, information that is available to a Snare Agent on the source system, is NOT available to Snare Central when it attempts to convert the binary EVTX log data to text format.
    • Human-readable event descriptions that are often included within the strings section, will not be available.
  • Date/Time values within the EVTX files are in UTC format, and the EVTX files do not contain UTC offset information for the source server.
  • In general, the conversion tool may require assistance in determining the source of the source EVTX file (eg: Security, Application, System, etc).
    • The two points above, can be addressed with the assistance of file path hints.
    • Logs should be included in one of the following file paths, depending on the log type/source:
      • /data/SnareCollect/MSWinEVTX/Security
      • /data/SnareCollect/MSWinEVTX/Application
      • /data/SnareCollect/MSWinEVTX/System
    • Under these directories, if time zone conversion is required (highly recommended), a directory should be created with the textual representation of the time-zone (but with the forward-slash character switched out for a COLON)
      • For example:
        • /data/SnareCollect/MSWinEVTX/Security/America:New_York
        • /data/SnareCollect/MSWinEVTX/Security/Australia:Adelaide


Example

A Sample log line, as received by Snare Central from a Snare Agent, and after conversion from an EVTX file. Key differences are highlighted.

Snare AgentEVTX Converter
2015-02-052015-02-05
14:23:2714:23:27
WIN08R264DC2WIN08R264DC2
WinSecurityWinSecurity

47

47

47194719
Microsoft-Windows-Security-AuditingMicrosoft-Windows-Security-Auditing
TEST\WIN08R264DC2$TEST\WIN08R264DC2$
N/AN/A
Success AuditSuccess Audit
System audit policy was changed.
Subject:   Security ID:  S-1-5-18Subject User Sid:  S-1-5-18
Account Name:  WIN08R264DC2$Subject Account Name:  WIN08R264DC2$
Account Domain:  TESTSubject Account Domain:  TEST
Logon ID:  0x3e7Logon Id:  0x3e7

Audit Policy Change:    Category:  System

Category Id: %%8272

Subcategory:  Security State ChangeSubcategory Id: %%12288
Subcategory GUID: {0CCE9210-69AE-11D9-BED3-505054503030}Subcategory Guid: {0CCE9210-69AE-11D9-BED3-505054503030}
Changes:  Success removed, Failure removedAudit Policy Changes: %%8448, %%8450

Caveats

It should be noted however, that the EVTX import tool, will 'cheat' in some circumstances, and performs some transformations on events that are considered high priority by Snare Central customers, in order to make them appear very similar to the events generated by Snare Agents. These transformations may include:

  • Reordering fields
  • Relabelling some strings (eg: SubjectUserSid becomes "Subject:    Security ID")
  • Inserting human readable event descriptions.

Time Zones

The following Time Zones are supported:

Africa:Abidjan

Africa:AccraAfrica:Addis_AbabaAfrica:AlgiersAfrica:Asmara
Africa:AsmeraAfrica:BamakoAfrica:BanguiAfrica:BanjulAfrica:Bissau
Africa:BlantyreAfrica:BrazzavilleAfrica:BujumburaAfrica:CairoAfrica:Casablanca
Africa:CeutaAfrica:ConakryAfrica:DakarAfrica:Dar_es_SalaamAfrica:Djibouti
Africa:DoualaAfrica:El_AaiunAfrica:FreetownAfrica:GaboroneAfrica:Harare
Africa:JohannesburgAfrica:JubaAfrica:KampalaAfrica:KhartoumAfrica:Kigali
Africa:KinshasaAfrica:LagosAfrica:LibrevilleAfrica:LomeAfrica:Luanda
Africa:LubumbashiAfrica:LusakaAfrica:MalaboAfrica:MaputoAfrica:Maseru
Africa:MbabaneAfrica:MogadishuAfrica:MonroviaAfrica:NairobiAfrica:Ndjamena
Africa:NiameyAfrica:NouakchottAfrica:OuagadougouAfrica:Porto-NovoAfrica:Sao_Tome
Africa:TimbuktuAfrica:TripoliAfrica:TunisAfrica:Windhoek
America:AdakAmerica:AnchorageAmerica:AnguillaAmerica:AntiguaAmerica:Araguaina
America:Argentina:Buenos_AiresAmerica:Argentina:CatamarcaAmerica:Argentina:ComodRivadaviaAmerica:Argentina:CordobaAmerica:Argentina:Jujuy
America:Argentina:La_RiojaAmerica:Argentina:MendozaAmerica:Argentina:Rio_GallegosAmerica:Argentina:SaltaAmerica:Argentina:San_Juan
America:Argentina:San_LuisAmerica:Argentina:TucumanAmerica:Argentina:UshuaiaAmerica:ArubaAmerica:Asuncion
America:AtikokanAmerica:AtkaAmerica:BahiaAmerica:Bahia_BanderasAmerica:Barbados
America:BelemAmerica:BelizeAmerica:Blanc-SablonAmerica:Boa_VistaAmerica:Bogota
America:BoiseAmerica:Buenos_AiresAmerica:Cambridge_BayAmerica:Campo_GrandeAmerica:Cancun
America:CaracasAmerica:CatamarcaAmerica:CayenneAmerica:CaymanAmerica:Chicago
America:ChihuahuaAmerica:Coral_HarbourAmerica:CordobaAmerica:Costa_RicaAmerica:Creston
America:CuiabaAmerica:CuracaoAmerica:DanmarkshavnAmerica:DawsonAmerica:Dawson_Creek
America:DenverAmerica:DetroitAmerica:DominicaAmerica:EdmontonAmerica:Eirunepe
America:El_SalvadorAmerica:EnsenadaAmerica:Fort_WayneAmerica:FortalezaAmerica:Glace_Bay
America:GodthabAmerica:Goose_BayAmerica:Grand_TurkAmerica:GrenadaAmerica:Guadeloupe
America:GuatemalaAmerica:GuayaquilAmerica:GuyanaAmerica:HalifaxAmerica:Havana
America:HermosilloAmerica:Indiana:IndianapolisAmerica:Indiana:KnoxAmerica:Indiana:MarengoAmerica:Indiana:Petersburg
America:Indiana:Tell_CityAmerica:Indiana:VevayAmerica:Indiana:VincennesAmerica:Indiana:WinamacAmerica:Indianapolis
America:InuvikAmerica:IqaluitAmerica:JamaicaAmerica:JujuyAmerica:Juneau
America:Kentucky:LouisvilleAmerica:Kentucky:MonticelloAmerica:Knox_INAmerica:KralendijkAmerica:La_Paz
America:LimaAmerica:Los_AngelesAmerica:LouisvilleAmerica:Lower_PrincesAmerica:Maceio
America:ManaguaAmerica:ManausAmerica:MarigotAmerica:MartiniqueAmerica:Matamoros
America:MazatlanAmerica:MendozaAmerica:MenomineeAmerica:MeridaAmerica:Metlakatla
America:Mexico_CityAmerica:MiquelonAmerica:MonctonAmerica:MonterreyAmerica:Montevideo
America:MontrealAmerica:MontserratAmerica:NassauAmerica:New_YorkAmerica:Nipigon
America:NomeAmerica:NoronhaAmerica:North_Dakota:BeulahAmerica:North_Dakota:CenterAmerica:North_Dakota:New_Salem
America:OjinagaAmerica:PanamaAmerica:PangnirtungAmerica:ParamariboAmerica:Phoenix
America:Port-au-PrinceAmerica:Port_of_SpainAmerica:Porto_AcreAmerica:Porto_VelhoAmerica:Puerto_Rico
America:Rainy_RiverAmerica:Rankin_InletAmerica:RecifeAmerica:ReginaAmerica:Resolute
America:Rio_BrancoAmerica:RosarioAmerica:Santa_IsabelAmerica:SantaremAmerica:Santiago
America:Santo_DomingoAmerica:Sao_PauloAmerica:ScoresbysundAmerica:ShiprockAmerica:Sitka
America:St_BarthelemyAmerica:St_JohnsAmerica:St_KittsAmerica:St_LuciaAmerica:St_Thomas
America:St_VincentAmerica:Swift_CurrentAmerica:TegucigalpaAmerica:ThuleAmerica:Thunder_Bay
America:TijuanaAmerica:TorontoAmerica:TortolaAmerica:VancouverAmerica:Virgin
America:WhitehorseAmerica:WinnipegAmerica:YakutatAmerica:Yellowknife
Antarctica:CaseyAntarctica:DavisAntarctica:DumontDUrvilleAntarctica:MacquarieAntarctica:Mawson
Antarctica:McMurdoAntarctica:PalmerAntarctica:RotheraAntarctica:South_PoleAntarctica:Syowa
Antarctica:TrollAntarctica:Vostok


Arctic:Longyearbyen



Asia:AdenAsia:AlmatyAsia:AmmanAsia:AnadyrAsia:Aqtau
Asia:AqtobeAsia:AshgabatAsia:AshkhabadAsia:BaghdadAsia:Bahrain
Asia:BakuAsia:BangkokAsia:BeirutAsia:BishkekAsia:Brunei
Asia:CalcuttaAsia:ChitaAsia:ChoibalsanAsia:ChongqingAsia:Chungking
Asia:ColomboAsia:DaccaAsia:DamascusAsia:DhakaAsia:Dili
Asia:DubaiAsia:DushanbeAsia:GazaAsia:HarbinAsia:Hebron
Asia:Ho_Chi_MinhAsia:Hong_KongAsia:HovdAsia:IrkutskAsia:Istanbul
Asia:JakartaAsia:JayapuraAsia:JerusalemAsia:KabulAsia:Kamchatka
Asia:KarachiAsia:KashgarAsia:KathmanduAsia:KatmanduAsia:Khandyga
Asia:KolkataAsia:KrasnoyarskAsia:Kuala_LumpurAsia:KuchingAsia:Kuwait
Asia:MacaoAsia:MacauAsia:MagadanAsia:MakassarAsia:Manila
Asia:MuscatAsia:NicosiaAsia:NovokuznetskAsia:NovosibirskAsia:Omsk
Asia:OralAsia:Phnom_PenhAsia:PontianakAsia:PyongyangAsia:Qatar
Asia:QyzylordaAsia:RangoonAsia:RiyadhAsia:SaigonAsia:Sakhalin
Asia:SamarkandAsia:SeoulAsia:ShanghaiAsia:SingaporeAsia:Srednekolymsk
Asia:TaipeiAsia:TashkentAsia:TbilisiAsia:TehranAsia:Tel_Aviv
Asia:ThimbuAsia:ThimphuAsia:TokyoAsia:Ujung_PandangAsia:Ulaanbaatar
Asia:Ulan_BatorAsia:UrumqiAsia:Ust-NeraAsia:VientianeAsia:Vladivostok
Asia:YakutskAsia:YekaterinburgAsia:Yerevan

Atlantic:AzoresAtlantic:BermudaAtlantic:CanaryAtlantic:Cape_VerdeAtlantic:Faeroe
Atlantic:FaroeAtlantic:Jan_MayenAtlantic:MadeiraAtlantic:ReykjavikAtlantic:South_Georgia
Atlantic:St_HelenaAtlantic:Stanley


Australia:ACTAustralia:AdelaideAustralia:BrisbaneAustralia:Broken_HillAustralia:Canberra
Australia:CurrieAustralia:DarwinAustralia:EuclaAustralia:HobartAustralia:LHI
Australia:LindemanAustralia:Lord_HoweAustralia:MelbourneAustralia:NorthAustralia:NSW
Australia:PerthAustralia:QueenslandAustralia:SouthAustralia:SydneyAustralia:Tasmania
Australia:VictoriaAustralia:WestAustralia:Yancowinna

Europe:AmsterdamEurope:AndorraEurope:AthensEurope:BelfastEurope:Belgrade
Europe:BerlinEurope:BratislavaEurope:BrusselsEurope:BucharestEurope:Budapest
Europe:BusingenEurope:ChisinauEurope:CopenhagenEurope:DublinEurope:Gibraltar
Europe:GuernseyEurope:HelsinkiEurope:Isle_of_ManEurope:IstanbulEurope:Jersey
Europe:KaliningradEurope:KievEurope:LisbonEurope:LjubljanaEurope:London
Europe:LuxembourgEurope:MadridEurope:MaltaEurope:MariehamnEurope:Minsk
Europe:MonacoEurope:MoscowEurope:NicosiaEurope:OsloEurope:Paris
Europe:PodgoricaEurope:PragueEurope:RigaEurope:RomeEurope:Samara
Europe:San_MarinoEurope:SarajevoEurope:SimferopolEurope:SkopjeEurope:Sofia
Europe:StockholmEurope:TallinnEurope:TiraneEurope:TiraspolEurope:Uzhgorod
Europe:VaduzEurope:VaticanEurope:ViennaEurope:VilniusEurope:Volgograd
Europe:WarsawEurope:ZagrebEurope:ZaporozhyeEurope:Zurich
Indian:AntananarivoIndian:ChagosIndian:ChristmasIndian:CocosIndian:Comoro
Indian:KerguelenIndian:MaheIndian:MaldivesIndian:MauritiusIndian:Mayotte
Indian:Reunion



Pacific:ApiaPacific:AucklandPacific:BougainvillePacific:ChathamPacific:Chuuk
Pacific:EasterPacific:EfatePacific:EnderburyPacific:FakaofoPacific:Fiji
Pacific:FunafutiPacific:GalapagosPacific:GambierPacific:GuadalcanalPacific:Guam
Pacific:HonoluluPacific:JohnstonPacific:KiritimatiPacific:KosraePacific:Kwajalein
Pacific:MajuroPacific:MarquesasPacific:MidwayPacific:NauruPacific:Niue
Pacific:NorfolkPacific:NoumeaPacific:Pago_PagoPacific:PalauPacific:Pitcairn
Pacific:PohnpeiPacific:PonapePacific:Port_MoresbyPacific:RarotongaPacific:Saipan
Pacific:SamoaPacific:TahitiPacific:TarawaPacific:TongatapuPacific:Truk
Pacific:WakePacific:WallisPacific:Yap

Lotus Notes / Domino

Snare Central is able to connect to a Domino server to retrieve eventlog data from log.nsf. It can also retrieve user and group information, plus access controls. However, some of the default settings in Lotus Domino can cause problems with the Snare Agent; please modify the server as follows: From the Domino Administrator page, click the Configuration tab, expand the Web section and click Internet Sites.

  1. Choose the log.nsf and click Edit Document.
  2. Click the Domino Web Engine tab. Under "Conversion/Display" complete these fields:
    1. Default lines per view page: 250 (default 30)
    2. Maximum lines per view page: 0 (default 1000).
  • No labels