Snare Central can process a reasonably wide range of source data types. The Snare Central data acquisition software is generally tuned for particular versions of operating system or device logs, so if you encounter problems importing particular types of data, please contact your Snare Central support team, and be prepared to supply (sanitised if required) log samples.
Snort Sensor
Organisations that use the Snort network intrusion detection system can send data to Snare Central via the syslog protocol. Snare will be able to collect, interpret, and report on the events. The following information provides an overview of the steps required to configure the Snort sensor to send eventlog data back to Snare Central. Note that there is no configuration required on Snare Central.
What you need
How to..
On the host that is acting as a Snort collection sensor:
- In the file /etc/syslog.conf, add the following two lines:
# Send all SYSLOG events to Snare Central
*.*@12.23.34.45
- Please substitute the IP address, or the DNS name, of Snare Central for the string "12.23.34.45"
- Modify the file /etc/snort/snort.conf to include the following line:
output alert_syslog: LOG_AUTH LOG_ALERT
- An existing (or possibly, multiple) 'output' line may already exist in the file - that is acceptable. Snort will be able to send output to both targets.
- Restart your snort network intrusion detection system and syslog daemon. Depending on your distribution this may be one of:
/etc/init.d/snortd; /etc/init.d/syslog restart
service snortd restart; service syslog restart
Troubleshooting Snort
Checking for Snort Sensor errors:
- Look in
/var/log/messages
for errors. - Run manually:
/usr/sbin/snort -D -i "ppp0" -c /etc/snort/snort.conf
- ..then look in
/var/log/messages
for errors
Collecting ACF2 Data
Snare Central is able to collect ACF2 processed reports, via FTP transfer. The processed reports need to be transferred to a particular directory on Snare Central, which will then be uploaded by Snare Central processes, on a daily basis.
The ACF2 processed reports are based on specific utilities, provided with the ACF2. The utilities produce formatted reports on the following activity on a mainframe, which can then be collected by Snare Central, and used for reporting:
- ACFRPTLL Logonid Modification Log
- ACFRPTRL Dataset Rule Modification Log
- ACFRPTEL Infostorate Modification Log
- ACFRPTDS Dataset Violation/Logging
- ACFRPTRV Resource Violation/Logging
- ACFRPTPW Invalid Password Authority Log
The end of this chapter contains a listing of an example JCL which could be used to run, extract and send the ACF2 processed reports to Snare Central. This sample job has been set up for the Logonid Modification Log report, but could easily be configured for all the reports listed above. Each step in the sample job below performs the following steps. Note that a fixed transfer library name is used because a reference to this library is stored in an FTP parm library which cannot be changed with each run. Some of the programs used in this job are defined below.
- Deletes previous day's FTP transfer library.
- Runs ACF2 report, placing output in a GDG (7 generations kept).
- Allocate new FTP transfer library and copy report from GDG created in previous step.
- FTP the transfer library to Snare Central. The 'snarexfer' FTP user must be used. This user defaults to the "
/data/SnareCollect
" directory on Snare Central. The ACF2 processed reports must be placed in the "ACF2Log" sub-directory. So the full path becomes: "/data/SnareCollect/ACF2Log
". Member level security is used to protect the FTP lid password.
The IEBGENER program used in the sample job is an IBM-supplied utility program designed to generate copies of data sets when disk storage or tape is involved. The IKJEFT01 program is the TSO/E program, and is used to perform a TSO function within a batch job.
********************************** Top of Data ********************************** //CSCSNR01 JOB (P,SCF81),ACT.SECURITY,CLASS=C,MSGCLASS=J /*JOBPARM SYSAFF=PROD //----------------------------------------------------------------- //* //* JOB TO PRODUCE ACF2 LIDMOD REPORT FOR XFER TO SNARE SERVER //* //*---------- DELETE TEMP XFER LIB --------------------------------- //* //STEP1 EXEC PGM=IKJEFT01,REGION=8192K //SYSPRINT DD SYSOUT=* //SYSTSPRT DD SYSOUT=* //SYSTERM DD SYSOUT=* //SYSUDUMP DD SYSOUT=* //SYSTSIN DD * DELETE 'CSC.SNARE01.LIDMODS.XFER' //* //*---------- ACF2 LID DB MODIFICATION LOG REPORT ------------------ //* //STEP2 EXEC PGM=ACFRPTLL //SYSPRINT DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1), // DISP=(,CATLG), // VOL=SER=BTCH52, // UNIT=SYSDA, // SPACE=(TRK,(60,5),RLSE), // DCB=(GDGMODEL,RECFM=FB,LRECL=142,BLKSIZE=27974) //SYSUDUMP DD SYSOUT=* //REC01 DD DSN=CTF.SMFJR,DISP=SHR //SYSIN DD * MASK(********) DETAIL NOUPDATE SYSID(****) //* //*---------- COPY REPORT FROM GDG TO XFER LIB --------------------- //* //COPY EXEC PGM=IEBGENER //SYSPRINT DD SYSOUT=* //SYSUT1 DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1), DISP=SHR //SYSUT2 DD DSN=CSC.SNARE01.LIDMODS.XFER, // DISP=(NEW,CATLG,DELETE), // VOL=SER=BTCH52, // UNIT=SYSDA, // SPACE=(TRK,(60,5),RLSE), // DCB=*.SYSUT1 //* DCB=(RECFM=FB,LRECL=142,BLKSIZE=27974) //SYSIN DD DUMMY //* //*---------- FTP XFER FILE TO SNARE SERVER ------------------------ //* //STEP4 EXEC FTP, // SERVER='CSCSNARE', // FTPUSER='SNAREXFER', // FTPCMDS='CSCSNR01', // ENV='PROD', // SOUT='*' //* //*---------- Notify Security Monitoring Team if job fails --------- //* //*JOBFAIL IF ((RC > 4) | (ABEND)) THEN //* //SENDMEMO EXEC PGM=IEBGENER //SYSPRINT DD SYSOUT=* //SYSUT1 DD * HELO NCC MAIL FROM:<PSC0SCHD@AGENCY.COM> RCPT TO:<ITSECMON@AGENCY.COM> DATA TO:ITSECMON<ITSECMON@AGENCY.COM> SUBJECT:SNARE REPORT FTP JOB FAILURE: JOB CSCSNR01 PLEASE CHECK SDSF OUTPUT FOR THIS JOB ASAP AND DETERMINE WHY. >> THIS E-MAIL IS GENERATED BY A BATCH JOB RUNNING ON THE >> AGENCY'S MAINFRAME ENVIRONMENT. . QUIT /* //SYSUT2 DD SYSOUT=(B,SMTP) //SYSIN DD DUMMY //* //JOBFAIL ENDIF //*===================================================================
RACF Violation Logs
RACF resource violation logs can be batch-imported to Snare Central. In particular, ACCESS, DELRES, and JOBINIT logs are supported directly, .
RACF files should be in ASCII format, and transferred to the directory /data/SnareCollect/RACFLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
Log format
RACF logs are fixed-column logs. Snare Central assumes the following format:
- EVENT TYPE: Characters 1-8
- EVENT QUALIFIER: Characters 10-17 (Eg; SUCCESS, INVPSWD, RACINITD)
- TIME: Characters 19-26
- DATE: Characters 28-37
- SYSTEM: Characters 39-42 (SYSTEM ID)
- USER ID: Characters 59-66
- GROUP ID: Characters 68-75
- TERMINAL (HOSTNAME): Characters 171-178
- JOB NAME: Characters 180-187
- USER NAME: Characters 556-575
- ATTRIBUTES: (True/False)
- VIOLATION: 44-47
- BYPASS: 107-110
- SPECIAL USER: 602-605
- PRIV: 646-649
Tandem Logs
Tandom systems supply logs with the following fields:
- P-TIMEREP
- PS-SYSNAME
- PS-GUSER
- PS-GUSER
- PS-TERM
- P-OPERATIO
- P-OUTCOME
- PO-OWNUSER
- PO-OBJTYPE
- PO-OWNUSER
- PC-GUSER
- PC-TERM
Logs should be transferred to the directory /data/SnareCollect/TandemLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
Sidewinder Firewall Logs
Sidewinder firewall logs can be exported to CSV, and transferred to Snare Central for processing.
Snare Central, will utilise the following fields:
- date
- hostname
- user_name
- reason
- srcip
- srcport
- dstip
- dstport
- type
- event
- protocol
- auth_method
Logs should be transferred to the directory /data/SnareCollect/SidewinderLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
Content Keeper Logs
Content keeper logs can be transferred to the directory /data/SnareCollect/CKeeperLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
Snare expects logs to be comma delimited, and be composed of fields in the following order:
- Date/Time
- Ignored field
- Source IP Address
- User Name
- Bytes
- Status Code
- Content
- URL
- Policy
- Category
Checkpoint Firewall1 Logs
Checkpoint Firewall 1 firewalls can export log data to a CSV file. Snare is capable of coping with a range of formats, as long as the header line, specifying the log format, is included as the first line in each exported file.
A sample header line is:
- num,date,time,orig,type,action,alert,i/f_name,i/f_dir,proto,src,dst,service,s_port,len,rule,icmp-type,icmp-code,reason:,rpc_prog,IKE Log:,product,additionals:,sys_msgs
Snare will try and pull out the following information from the log data, and incorporate it into the Snare log archive:
- Date
- Time
- Action
- Interface
- Source IP Address
- Source Port
- Destination IP Address
- Destination Port
- Protocol
- Rule
- All other information will be included within a general 'Data' field.
Checkpoint Firewall logs can be transferred to the directory /data/SnareCollect/Firewall1Log via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
Gauntlet Firewall Logs
Gauntlet Firewall logs can be transferred to the directory /data/SnareCollect/GauntletFirewallLog/ via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
Content is assumed to be in ASCII format, and values are space separated.
OS400 Logs
OS400 logs can be transferred to the directory /data/SnareCollect/OS400Log via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
Snare is capable of coping with a range of log formats, as long as the header line, specifying the log format, is included as the first line in each exported file.
Snare understands the following fields:
- Journal Code (JournalCode)
- Journal Entry Code (JournalEntryCode)
- Journal Entry Date (Date)
- Journal Entry Time (Time)
- System name (System)
- Job Name (JobName)
- User Name (JobUser)
- Job Number (JobNumber)
- Program Accessing Object (Program)
- Object Failure Object Name (OFName)
- Object Failure Library Name (OFLibrary)
- Object Failure Object Type (OFType)
- Failed Login User (Strings)
- Failed Login Job (Strings)
- System Value name (Strings)
- Changed Value (Strings)
Squid Proxy Logs
Squid proxy logs (in the default squid log format) can be transferred to the directory /data/SnareCollect/SquidProxyLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
Apache Logs
Apache web server logs (in the default apache 'combined' format) can be transferred to the directory /data/SnareCollect/ApacheLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
Internet Information Server (IIS) Logs
IIS web server logs can be transferred to the directory /data/SnareCollect/IISWebLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
IIS logs should retain the header information, that includes the 'Fields' definition line.
Snare Central requires the following fields to be included:
- date
- time
- s-ip
- cs-method
- cs-uri-stem
- cs-uri-query
- s-port
- cs-username
- c-ip
- cs(User-Agent)
- sc-status
- sc-substatus
- sc-win32-status
Windows Event Logs (Exported from Snare Agents)
Snare for Windows agents are capable of exporting log data to a file on disk, rather than pushing the events back to a central server.
In situations where systems are air-gapped, or have sporadic internet connectivity, directly transferring the archived log data to Snare Central via FTP is possible.
Logs should be in standard Snare Agent tab-delimited text format, and can be transferred to the directory /data/SnareCollect/MSWinEventLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
Windows Event Logs (EVTX files)
Note: Only available in Snare Central version 7.1 or newer
EVTX files can be exported from windows machines, and transferred to a subdirectory within /data/SnareCollect/MSWinEVTX via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.
There are several limitations of the EVTX format that need to be considered:
- String order may not match the order found in normal Snare agent logs.
- Some existing Snare Central objectives may require strings to be in a particular order, to pull out information of particular interest, from the 'Strings' section of events, such as as user name.
- String names may not match those found in normal Snare agent logs.
- The string "SubjectUserSid" in the EVTX file, is actually translated to "Subject: Security ID:" in many events.
- The string "SubjectUserName" in the EVTX file may be "User Name" in some circumstances, or "Account Name" in others. There is no obvious consistency , and there does not seem to be a generally available lookup-table to hint at what translations are appropriate.
- Snare Central will attempt to convert the 'CamelCase' string headers to space-included versions, which are more likely to match those displayed by the Windows event viewer (and therefore transmitted by Snare), however, case may be incorrect in some circumstances:
- SubjectUserId may be translated as "Subject User Id", whereas the Windows event view will display it as "Subject User ID".
- There are a few 'special cases' defined in the EVTX converter, that may fix the more obvious examples.
- The contents of the 'Data' field is not currently supported for conversion.
- Content that is usually interpreted at display-time in the Windows event viewer, or at transmission time in the Snare agents, will not be interpreted.
- At event display-time, the Windows event viewer interrogates the registry, and sometimes native or third party DLL's, to try and resolve event template components to human readable text. The Snare for Windows agent does the same, when it converts the events to text-format prior to transmission.
- These DLL's/registry entries are not guaranteed to be installed on all windows machines - for example, Internet Information Server template conversion DLL's will not be installed on a server that is not running IIS.
- As such, information that is available to a Snare Agent on the source system, is NOT available to Snare Central when it attempts to convert the binary EVTX log data to text format.
- Human-readable event descriptions that are often included within the strings section, will not be available.
- Date/Time values within the EVTX files are in UTC format, and the EVTX files do not contain UTC offset information for the source server.
- In general, the conversion tool may require assistance in determining the source of the source EVTX file (eg: Security, Application, System, etc).
- The two points above, can be addressed with the assistance of file path hints.
- Logs should be included in one of the following file paths, depending on the log type/source:
- /data/SnareCollect/MSWinEVTX/Security
- /data/SnareCollect/MSWinEVTX/Application
- /data/SnareCollect/MSWinEVTX/System
- Under these directories, if time zone conversion is required (highly recommended), a directory should be created with the textual representation of the time-zone (but with the forward-slash character switched out for a COLON)
- For example:
- /data/SnareCollect/MSWinEVTX/Security/America:New_York
- /data/SnareCollect/MSWinEVTX/Security/Australia:Adelaide
- For example:
Example
A Sample log line, as received by Snare Central from a Snare Agent, and after conversion from an EVTX file. Key differences are highlighted.
Snare Agent | EVTX Converter |
---|---|
2015-02-05 | 2015-02-05 |
14:23:27 | 14:23:27 |
WIN08R264DC2 | WIN08R264DC2 |
WinSecurity | WinSecurity |
47 | 47 |
4719 | 4719 |
Microsoft-Windows-Security-Auditing | Microsoft-Windows-Security-Auditing |
TEST\WIN08R264DC2$ | TEST\WIN08R264DC2$ |
N/A | N/A |
Success Audit | Success Audit |
System audit policy was changed. | |
Subject: Security ID: S-1-5-18 | Subject User Sid: S-1-5-18 |
Account Name: WIN08R264DC2$ | Subject Account Name: WIN08R264DC2$ |
Account Domain: TEST | Subject Account Domain: TEST |
Logon ID: 0x3e7 | Logon Id: 0x3e7 |
Audit Policy Change: Category: System | Category Id: %%8272 |
Subcategory: Security State Change | Subcategory Id: %%12288 |
Subcategory GUID: {0CCE9210-69AE-11D9-BED3-505054503030} | Subcategory Guid: {0CCE9210-69AE-11D9-BED3-505054503030} |
Changes: Success removed, Failure removed | Audit Policy Changes: %%8448, %%8450 |
Caveats
It should be noted however, that the EVTX import tool, will 'cheat' in some circumstances, and performs some transformations on events that are considered high priority by Snare Central customers, in order to make them appear very similar to the events generated by Snare Agents. These transformations may include:
- Reordering fields
- Relabelling some strings (eg: SubjectUserSid becomes "Subject: Security ID")
- Inserting human readable event descriptions.
Time Zones
The following Time Zones are supported:
Africa:Abidjan | Africa:Accra | Africa:Addis_Ababa | Africa:Algiers | Africa:Asmara |
Africa:Asmera | Africa:Bamako | Africa:Bangui | Africa:Banjul | Africa:Bissau |
Africa:Blantyre | Africa:Brazzaville | Africa:Bujumbura | Africa:Cairo | Africa:Casablanca |
Africa:Ceuta | Africa:Conakry | Africa:Dakar | Africa:Dar_es_Salaam | Africa:Djibouti |
Africa:Douala | Africa:El_Aaiun | Africa:Freetown | Africa:Gaborone | Africa:Harare |
Africa:Johannesburg | Africa:Juba | Africa:Kampala | Africa:Khartoum | Africa:Kigali |
Africa:Kinshasa | Africa:Lagos | Africa:Libreville | Africa:Lome | Africa:Luanda |
Africa:Lubumbashi | Africa:Lusaka | Africa:Malabo | Africa:Maputo | Africa:Maseru |
Africa:Mbabane | Africa:Mogadishu | Africa:Monrovia | Africa:Nairobi | Africa:Ndjamena |
Africa:Niamey | Africa:Nouakchott | Africa:Ouagadougou | Africa:Porto-Novo | Africa:Sao_Tome |
Africa:Timbuktu | Africa:Tripoli | Africa:Tunis | Africa:Windhoek | |
America:Adak | America:Anchorage | America:Anguilla | America:Antigua | America:Araguaina |
America:Argentina:Buenos_Aires | America:Argentina:Catamarca | America:Argentina:ComodRivadavia | America:Argentina:Cordoba | America:Argentina:Jujuy |
America:Argentina:La_Rioja | America:Argentina:Mendoza | America:Argentina:Rio_Gallegos | America:Argentina:Salta | America:Argentina:San_Juan |
America:Argentina:San_Luis | America:Argentina:Tucuman | America:Argentina:Ushuaia | America:Aruba | America:Asuncion |
America:Atikokan | America:Atka | America:Bahia | America:Bahia_Banderas | America:Barbados |
America:Belem | America:Belize | America:Blanc-Sablon | America:Boa_Vista | America:Bogota |
America:Boise | America:Buenos_Aires | America:Cambridge_Bay | America:Campo_Grande | America:Cancun |
America:Caracas | America:Catamarca | America:Cayenne | America:Cayman | America:Chicago |
America:Chihuahua | America:Coral_Harbour | America:Cordoba | America:Costa_Rica | America:Creston |
America:Cuiaba | America:Curacao | America:Danmarkshavn | America:Dawson | America:Dawson_Creek |
America:Denver | America:Detroit | America:Dominica | America:Edmonton | America:Eirunepe |
America:El_Salvador | America:Ensenada | America:Fort_Wayne | America:Fortaleza | America:Glace_Bay |
America:Godthab | America:Goose_Bay | America:Grand_Turk | America:Grenada | America:Guadeloupe |
America:Guatemala | America:Guayaquil | America:Guyana | America:Halifax | America:Havana |
America:Hermosillo | America:Indiana:Indianapolis | America:Indiana:Knox | America:Indiana:Marengo | America:Indiana:Petersburg |
America:Indiana:Tell_City | America:Indiana:Vevay | America:Indiana:Vincennes | America:Indiana:Winamac | America:Indianapolis |
America:Inuvik | America:Iqaluit | America:Jamaica | America:Jujuy | America:Juneau |
America:Kentucky:Louisville | America:Kentucky:Monticello | America:Knox_IN | America:Kralendijk | America:La_Paz |
America:Lima | America:Los_Angeles | America:Louisville | America:Lower_Princes | America:Maceio |
America:Managua | America:Manaus | America:Marigot | America:Martinique | America:Matamoros |
America:Mazatlan | America:Mendoza | America:Menominee | America:Merida | America:Metlakatla |
America:Mexico_City | America:Miquelon | America:Moncton | America:Monterrey | America:Montevideo |
America:Montreal | America:Montserrat | America:Nassau | America:New_York | America:Nipigon |
America:Nome | America:Noronha | America:North_Dakota:Beulah | America:North_Dakota:Center | America:North_Dakota:New_Salem |
America:Ojinaga | America:Panama | America:Pangnirtung | America:Paramaribo | America:Phoenix |
America:Port-au-Prince | America:Port_of_Spain | America:Porto_Acre | America:Porto_Velho | America:Puerto_Rico |
America:Rainy_River | America:Rankin_Inlet | America:Recife | America:Regina | America:Resolute |
America:Rio_Branco | America:Rosario | America:Santa_Isabel | America:Santarem | America:Santiago |
America:Santo_Domingo | America:Sao_Paulo | America:Scoresbysund | America:Shiprock | America:Sitka |
America:St_Barthelemy | America:St_Johns | America:St_Kitts | America:St_Lucia | America:St_Thomas |
America:St_Vincent | America:Swift_Current | America:Tegucigalpa | America:Thule | America:Thunder_Bay |
America:Tijuana | America:Toronto | America:Tortola | America:Vancouver | America:Virgin |
America:Whitehorse | America:Winnipeg | America:Yakutat | America:Yellowknife | |
Antarctica:Casey | Antarctica:Davis | Antarctica:DumontDUrville | Antarctica:Macquarie | Antarctica:Mawson |
Antarctica:McMurdo | Antarctica:Palmer | Antarctica:Rothera | Antarctica:South_Pole | Antarctica:Syowa |
Antarctica:Troll | Antarctica:Vostok | |||
Arctic:Longyearbyen | ||||
Asia:Aden | Asia:Almaty | Asia:Amman | Asia:Anadyr | Asia:Aqtau |
Asia:Aqtobe | Asia:Ashgabat | Asia:Ashkhabad | Asia:Baghdad | Asia:Bahrain |
Asia:Baku | Asia:Bangkok | Asia:Beirut | Asia:Bishkek | Asia:Brunei |
Asia:Calcutta | Asia:Chita | Asia:Choibalsan | Asia:Chongqing | Asia:Chungking |
Asia:Colombo | Asia:Dacca | Asia:Damascus | Asia:Dhaka | Asia:Dili |
Asia:Dubai | Asia:Dushanbe | Asia:Gaza | Asia:Harbin | Asia:Hebron |
Asia:Ho_Chi_Minh | Asia:Hong_Kong | Asia:Hovd | Asia:Irkutsk | Asia:Istanbul |
Asia:Jakarta | Asia:Jayapura | Asia:Jerusalem | Asia:Kabul | Asia:Kamchatka |
Asia:Karachi | Asia:Kashgar | Asia:Kathmandu | Asia:Katmandu | Asia:Khandyga |
Asia:Kolkata | Asia:Krasnoyarsk | Asia:Kuala_Lumpur | Asia:Kuching | Asia:Kuwait |
Asia:Macao | Asia:Macau | Asia:Magadan | Asia:Makassar | Asia:Manila |
Asia:Muscat | Asia:Nicosia | Asia:Novokuznetsk | Asia:Novosibirsk | Asia:Omsk |
Asia:Oral | Asia:Phnom_Penh | Asia:Pontianak | Asia:Pyongyang | Asia:Qatar |
Asia:Qyzylorda | Asia:Rangoon | Asia:Riyadh | Asia:Saigon | Asia:Sakhalin |
Asia:Samarkand | Asia:Seoul | Asia:Shanghai | Asia:Singapore | Asia:Srednekolymsk |
Asia:Taipei | Asia:Tashkent | Asia:Tbilisi | Asia:Tehran | Asia:Tel_Aviv |
Asia:Thimbu | Asia:Thimphu | Asia:Tokyo | Asia:Ujung_Pandang | Asia:Ulaanbaatar |
Asia:Ulan_Bator | Asia:Urumqi | Asia:Ust-Nera | Asia:Vientiane | Asia:Vladivostok |
Asia:Yakutsk | Asia:Yekaterinburg | Asia:Yerevan | ||
Atlantic:Azores | Atlantic:Bermuda | Atlantic:Canary | Atlantic:Cape_Verde | Atlantic:Faeroe |
Atlantic:Faroe | Atlantic:Jan_Mayen | Atlantic:Madeira | Atlantic:Reykjavik | Atlantic:South_Georgia |
Atlantic:St_Helena | Atlantic:Stanley | |||
Australia:ACT | Australia:Adelaide | Australia:Brisbane | Australia:Broken_Hill | Australia:Canberra |
Australia:Currie | Australia:Darwin | Australia:Eucla | Australia:Hobart | Australia:LHI |
Australia:Lindeman | Australia:Lord_Howe | Australia:Melbourne | Australia:North | Australia:NSW |
Australia:Perth | Australia:Queensland | Australia:South | Australia:Sydney | Australia:Tasmania |
Australia:Victoria | Australia:West | Australia:Yancowinna | ||
Europe:Amsterdam | Europe:Andorra | Europe:Athens | Europe:Belfast | Europe:Belgrade |
Europe:Berlin | Europe:Bratislava | Europe:Brussels | Europe:Bucharest | Europe:Budapest |
Europe:Busingen | Europe:Chisinau | Europe:Copenhagen | Europe:Dublin | Europe:Gibraltar |
Europe:Guernsey | Europe:Helsinki | Europe:Isle_of_Man | Europe:Istanbul | Europe:Jersey |
Europe:Kaliningrad | Europe:Kiev | Europe:Lisbon | Europe:Ljubljana | Europe:London |
Europe:Luxembourg | Europe:Madrid | Europe:Malta | Europe:Mariehamn | Europe:Minsk |
Europe:Monaco | Europe:Moscow | Europe:Nicosia | Europe:Oslo | Europe:Paris |
Europe:Podgorica | Europe:Prague | Europe:Riga | Europe:Rome | Europe:Samara |
Europe:San_Marino | Europe:Sarajevo | Europe:Simferopol | Europe:Skopje | Europe:Sofia |
Europe:Stockholm | Europe:Tallinn | Europe:Tirane | Europe:Tiraspol | Europe:Uzhgorod |
Europe:Vaduz | Europe:Vatican | Europe:Vienna | Europe:Vilnius | Europe:Volgograd |
Europe:Warsaw | Europe:Zagreb | Europe:Zaporozhye | Europe:Zurich | |
Indian:Antananarivo | Indian:Chagos | Indian:Christmas | Indian:Cocos | Indian:Comoro |
Indian:Kerguelen | Indian:Mahe | Indian:Maldives | Indian:Mauritius | Indian:Mayotte |
Indian:Reunion | ||||
Pacific:Apia | Pacific:Auckland | Pacific:Bougainville | Pacific:Chatham | Pacific:Chuuk |
Pacific:Easter | Pacific:Efate | Pacific:Enderbury | Pacific:Fakaofo | Pacific:Fiji |
Pacific:Funafuti | Pacific:Galapagos | Pacific:Gambier | Pacific:Guadalcanal | Pacific:Guam |
Pacific:Honolulu | Pacific:Johnston | Pacific:Kiritimati | Pacific:Kosrae | Pacific:Kwajalein |
Pacific:Majuro | Pacific:Marquesas | Pacific:Midway | Pacific:Nauru | Pacific:Niue |
Pacific:Norfolk | Pacific:Noumea | Pacific:Pago_Pago | Pacific:Palau | Pacific:Pitcairn |
Pacific:Pohnpei | Pacific:Ponape | Pacific:Port_Moresby | Pacific:Rarotonga | Pacific:Saipan |
Pacific:Samoa | Pacific:Tahiti | Pacific:Tarawa | Pacific:Tongatapu | Pacific:Truk |
Pacific:Wake | Pacific:Wallis | Pacific:Yap |
Lotus Notes / Domino
Snare Central is able to connect to a Domino server to retrieve eventlog data from log.nsf. It can also retrieve user and group information, plus access controls. However, some of the default settings in Lotus Domino can cause problems with the Snare Agent; please modify the server as follows: From the Domino Administrator page, click the Configuration tab, expand the Web section and click Internet Sites.
- Choose the log.nsf and click Edit Document.
- Click the Domino Web Engine tab. Under "Conversion/Display" complete these fields:
- Default lines per view page: 250 (default 30)
- Maximum lines per view page: 0 (default 1000).