Snare Agents
This section assumes that you have Snare Agents installed and are using the agents as part of your logging environment. It provides tools to perform the following tasks:
- Gather user and group information to support other Snare Server objectives.
- Query User and Group information gathered from your Snare Agents.
- Audit and manage the configuration of Snare Agents within your environment.
Query Active Directory Extract
This is a simple objective that scans the user and group details retrieved from various Snare Agents as part of the "Retrieve Data" objectives within "Snare Agents".
Utilise the search functions to scan for particular users or groups of interest. The search function provides a very basic query builder. Results are returned in tabular form.
Retrieve System Data Using Agents
AIX Users and Groups
Retrieve users and groups by connecting to all, or specific, Snare for AIX Agents that have sent data to the Snare Server, and requesting a dump of the user and group data.
User and group information will be used by AIX objectives to convert numeric user and group ID information into user/group names, and to implement user/group snapshot objectives.
In order to run this objective successfully, you should have at least one 'Snare for AIX' agent installed on a server that has full YP visibility, with 'remote control' activated, and a password set that matches either the 'override' password explicitly configured for this objective, or the password set under the 'Configuration Wizard'. In addition, the system in question should be reachable by the Snare Server from a network perspective (eg: firewalls between the Snare Server and the YP master should allow TCP connections from the Snare Server to the remote system on TCP port 6161).
Cognos Users and Groups
Retrieve users and groups by connecting to a Cognos-specific LDAP server that has been configured to allow the Snare Server IP address to download Cognos user and group information.
User and group information will be used by Cognos objectives to convert numeric user and group ID information into user/group names, and to implement user/group snapshot objectives.
Irix Users and Groups
Retrieve users and groups by connecting to all, or specific, Snare for Irix Agents that have sent data to the Snare Server, and requesting a dump of the user and group data.
User and group information will be used by Irix objectives to convert numeric user and group ID information into user/group names, and to implement user/group snapshot objectives.
LDAP Users and Groups
Retrieve users and groups by connecting to a generic LDAP server that has been configured to allow the Snare Server IP address to scan for user and group information.
Linux Users and Groups
Retrieve users and groups by connecting to all, or specific, Snare for Linux Agents that have sent data to the Snare Server, and requesting a dump of the user and group data.
User and group information will be used by Linux objectives to convert numeric user and group ID information into user/group names, and to implement user/group snapshot objectives.
OS400 Users and Groups
Search for files generated with the AS/400 DSPUSRPRF tool that have been transferred to the /data/SnareCollect/OS400Users directory on the Snare Server, and retrieve user account information and related user flags from those files.
Retrieve Notes Data for Yesterday
Lotus Notes Event Logs: Since no agent currently exists for Lotus Notes, this objective attempts to connect to a target Domino server, and download the log.nsf (MiscEvents, MailRoutingEvents, ReplicationEvents and NNTPEvents), catalog.nsf, and names.nsf databases, and insert the resulting data into appropriate data stores on the Snare Server.
User and group information, plus Notes access controls, are also downloaded. Depending on your log volume and data retention settings within Lotus Notes, you may need to modify some settings within Domino in order for Domino to return appropriate results to the Snare Server. The Domino web server configuration page has a section named "Conversion/Display". To change it:
- From the Domino Administrator, click the Configuration tab, expand the Web section and click Internet Sites.
- Choose the Web Site document you want to edit and click Edit Document.
- Click the Domino Web Engine tab. Under "Conversion/Display", the default settings are:
  Default lines per view page: 30
  Maximum lines per view page: 1000
  These values should be configured as follows:
  Default lines per view page: 250
  Maximum lines per view page: 0
User and group information will be used by user/group snapshot objectives.
Solaris Users and Groups
Retrieve users and groups by connecting to all, or specific, Snare for Solaris Agents that have sent data to the Snare Server, and requesting a dump of the user and group data.
User and group information will be used by Solaris objectives to convert numeric user and group ID information into user/group names, and to implement user/group snapshot objectives.
In order to run this objective successfully, you should have at least one 'Snare for Solaris' agent installed on a server that has full NIS visibility, with 'remote control' activated.
Windows Users and Groups
Retrieve users and groups by connecting to all, or specific, Snare for Windows Agents that have sent data to the Snare Server, and requesting a dump of the user and group data.
User and group information will be used by Windows objectives to convert SID information into user names, and to implement user/group snapshot objectives.
In order to run this objective successfully, you should have at least one 'Snare for Windows' agent installed on a Domain Controller or Member Server, with 'remote control' activated.
Remote Management
A complete guide to using the Agent Management Console can be found in the "Snare Server v7 Agent Management Console" user guide.
The Remote Management section under Snare Agents provides the ability to audit and manage the configuration of the Snare Agents within your environment.
By default it contains a single 'Manage Agents' objective, but this objective can be cloned, renamed, and deleted to support as many different combinations of agent configurations as required. Right-click on the objective and choose from the options in the menu.
Configuring Agent Management
To set up an Agent Management objective, open one of the Remote Management objectives (the default is Manage Agents) and go to the Configuration section (click 'Configure' in the top icons menu).
Snare Agent Type
Specify the type of the Snare Agents to be managed through this objective. Different agent versions have been grouped based on Operating System and major version changes to prevent incompatible configurations from being compared and saved. Remember, you can easily Clone the objective for each type of Snare Agent you use.
The objective will attempt to contact any Agents that match the required Operating System based off the log tables they have reported events for in the last 3 months. It restricts these results based off the reported version number from the Agent itself.
For example, the "Snare Agent for Linux (1.x.x - 2.1.x)" type will not match a "Snare Agent for Windows" or even a "Snare Agent for Linux v2.2.0" Agent. However, it will match a "Snare Agent for Linux v2.1.0" or a "Snare Agent for Linux v1.8.2" Agent.
Hostname Filter
To narrow down the Agents being managed through the objective, a hostname filter can be specified that restricts the managed Agents to those matching the filter. By default the filter supports * as a wildcard, but this can be changed to support Regular Expressions if the option is enabled.
The objective will not attempt to contact any Agent which is excluded due to the hostname filter.
For example, a filter of '*.intersectalliance.com' will manage 'agent001.intersectalliance.com', but not 'agent002.dni.gov.au'.
Version String filter
To further restrict the managed agents, a version string can be specified using the same matching rules as the Hostname Filter (i.e. * wildcard, or regular expressions). This filter is based off the reported version from the agent, which it can only obtain by attempting to contact the agent during each regeneration.
For example, a regular expression filter of "4\.0\.[01]\.\d" will match any version between 4.0.0.0 and 4.0.1.9.
Non-reporting Agents
Snare Agents that do not report to the Snare Server can be specified within the Non-reporting Agents box. This will add them into the list of hosts to query and be managed if online.
Non-reporting Agents bypass the Hostname Filter selection, however they will still be checked by the Snare Agent Type and Version String Filters.
Non-reporting Agents can be listed with each agent on a new line, with the IP address and hostname separated with a comma.
For example, a block of non-reporting agents would look like this:
10.0.0.100,CUSTOM-0-100.SNARE.IA
10.0.0.101,CUSTOM-0-101.SNARE.IA
10.0.0.102,CUSTOM-0-102.SNARE.IA
10.0.0.103,CUSTOM-0-103.SNARE.IA
Alternatively, an IP address range can be specified by clicking the 'Add IP address range' button. Simply specify the IP range in the format: 10.1.1.1-10.1.1.5, and the domain to append to the IP to form the hostname.
Adding an IP address range inserts all of the specified IP addresses into the Non-reporting Agents field, so it is easy to remove specific IP addresses from the middle of the range as required.
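The filter and non-reporting rules above, sketched in Python as an added example (not Snare Server code): the hostname filter gates only reporting agents, listed non-reporting agents bypass it, and the version filter is applied to the version a contacted agent reports. Whole-string, case-insensitive matching, the IP.domain hostname form for expanded ranges, and the 192.0.2.x addresses are assumptions; the sample data is constructed.

```python
import ipaddress
import re

def matches(pattern, value, use_regex=False):
    """Whole-string, case-insensitive match: '*' wildcard, or a regex if enabled."""
    if not use_regex:
        pattern = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None

def parse_non_reporting(block):
    """Parse 'IP,hostname' lines; a bad IP or a missing comma raises ValueError."""
    agents = []
    for line in filter(str.strip, block.splitlines()):
        ip, host = (field.strip() for field in line.split(",", 1))
        agents.append({"ip": str(ipaddress.ip_address(ip)), "host": host,
                       "non_reporting": True})
    return agents

def expand_range(ip_range, domain):
    """Expand '10.1.1.1-10.1.1.5' to 'IP,hostname' lines (hostname form assumed)."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in ip_range.split("-"))
    if last < first:
        raise ValueError("range end is lower than range start")
    ips = (ipaddress.IPv4Address(n) for n in range(int(first), int(last) + 1))
    return "\n".join(f"{ip},{ip}.{domain}" for ip in ips)

def hosts_to_contact(reporting, non_reporting, host_filter, use_regex=False):
    """Reporting agents must pass the hostname filter; non-reporting ones bypass it."""
    kept = [a for a in reporting if matches(host_filter, a["host"], use_regex)]
    return kept + non_reporting

def passes_version(reported_version, version_filter, use_regex=False):
    """The version is only known once the agent has answered a query."""
    return matches(version_filter, reported_version, use_regex)

# Constructed sample data, reusing the hostnames from the text above.
REPORTING = [{"ip": "192.0.2.10", "host": "agent001.intersectalliance.com"},
             {"ip": "192.0.2.11", "host": "agent002.dni.gov.au"}]
NON_REPORTING = parse_non_reporting("10.0.0.100,CUSTOM-0-100.SNARE.IA\n"
                                    "10.0.0.101,CUSTOM-0-101.SNARE.IA\n")

if __name__ == "__main__":
    for agent in hosts_to_contact(REPORTING, NON_REPORTING, "*.intersectalliance.com"):
        print(agent["ip"], agent["host"])
```

The page does not say whether the product anchors regular expressions; with an unanchored search the pattern 4\.0\.[01]\.\d would also accept strings such as 14.0.0.1 or 4.0.1.95, so writing the filter with explicit ^ and $ removes the ambiguity.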
Alternate Passwords
The objective, by default, uses the Agent password specified in the Configuration Wizard when it attempts to communicate with each Agent. If that password fails, it will attempt each of the Alternate Passwords until it finds one that works. This allows you to support legacy configurations, periodically change the Snare Agent password, or use different passwords for different groups of Agents, without stopping the objective from communicating with the agents.
Protocol to use
Legacy agents (pre-v5) may only use HTTP (the default option). Version 5 agents, such as Snare Enterprise Agent for Windows, Snare Enterprise Agent for MSSQL and Snare Enterprise Epilog for Windows, may be configured to use HTTPS. To configure the version 5 agents:
- Navigate to Access Configuration
- Set the Web Server Protocol to HTTPS
- Set Require a password for remote control?
- Set a password in the Password to allow remote control of SNARE field
Each report may be configured per agent type/version per protocol.
Alternate listening port
Likewise, the objective uses the Agent listening port specified in the Configuration Wizard when it attempts to communicate with each agent. If that port fails, it will attempt to use the alternate port specified here. The purpose of this field is the same as the alternate password fields - legacy and change support.
Management Mode
Only highlight differences between Master config and Agent config
The objective will only highlight the differences between the Master config and each Agent configuration. These differences will need to be manually resolved.
Push Master config to all managed Agents on schedule
The objective will attempt to update each non-matching Agent with the configuration template from the Master. This method requires no manual intervention to sync up managed.
Comparison Options
Ignore Agent version mismatch in configuration differences report.
By default the Agent Version is not saved in the configuration lists so it doesn't report as a mismatch during normal operation of the objective. Disabling this option will compare version numbers, which can be useful when upgrading the fleet to track down any Agents that have been missed in the upgrade.
Ignore offline/uncontactable agents.
Normally any Agents that are uncontactable are highlighted on the report, and trigger an email notification (if enabled). While this is useful when scanning a known number of Agents to ensure availability, it can cause needless notifications when scanning a whole network for a small number of Agents within the network. Enabling this option will ignore offline Agents by removing the highlight and disabling the email notifications.
Understanding the Objective
The objective needs to be configured and regenerated at least once before any of its functions are available.
Snare Agents
The first content tab provides a summary overview of the status of each Agent (both managed and ignored), grouped by status. The hostname of each agent is listed, along with IP address, Agent Type and version.
Non-reporting agents will be postfixed by a *.
Agents matching the Master configuration
These Agents are online and completely match the Master Configuration, with no differences.
Agents with configuration different to the Master Configuration
These Agents are online but their configuration is different to the Master Configuration.
Agents that cannot be contacted
Agents that match the Operating System (from the Agent Type filter) and the Hostname filter, but cannot be contacted. Some of these Agents may have the wrong version, but since the version is only identified once the Agent is contacted, it cannot be determined while they are offline.
Agents ignored by version string filter
Online Agents excluded from management due to the version string filter.
Agents ignored by hostname filter
Agents excluded from management due to the hostname filter.
Agents ignored by type filter
Agents excluded from management due to the Agent type filter.
Master Config
The Master Config tab provides a way to view the existing Master Configuration, refresh it with imported config from an Agent, or clear it completely.
The Refresh Master Config box allows the Master Configuration to be imported from either a custom Agent, specified by an IP address or hostname, or from an existing agent specified in the dropdown.
Refreshing the Master Configuration will not re-analyse the current Agent configurations, and as such the differences list may not be accurate until the objective is next regenerated.
The current Master Configuration will be listed for reference. Depending on the Agent type, it may be possible to manually edit some of the configuration fields without needing to make the changes on the Master Agent and re-import. If any fields have been manually edited, the hostname will be listed as 'manual update'.
Finally, the Master configuration can be cleared from the objective if it is no longer required/accurate.
Config Differences
The Agent Config Differences tab lists each online Agent that doesn't match the Master configuration exactly, with a list of the parameters that do not match for review. Only the Agent parameters which do not match the Master parameters are listed, and all others will be an exact match.
The first column is the configuration parameter name, the second is the value set on the Agent, and the third is the Master configuration value. Fields which are missing from either side will be marked with 'Not Configured'.
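The three-column comparison and the two Comparison Options, as an added Python example that is not Snare Server code. The parameter names, the "Version" key and the 192.0.2.x addresses are constructed for illustration; a config of None stands for an agent that could not be contacted.

```python
NOT_CONFIGURED = "Not Configured"

def config_differences(agent_cfg, master_cfg, ignore_version=True,
                       version_key="Version"):
    """Return (parameter, agent value, master value) rows that do not match."""
    rows = []
    for name in sorted(set(agent_cfg) | set(master_cfg)):
        if ignore_version and name == version_key:
            continue  # default behaviour: version is left out of the comparison
        agent_val = agent_cfg.get(name, NOT_CONFIGURED)
        master_val = master_cfg.get(name, NOT_CONFIGURED)
        if agent_val != master_val:
            rows.append((name, agent_val, master_val))
    return rows

def build_report(agents, master_cfg, ignore_version=True, ignore_offline=False):
    """Group agents by status; offline agents are highlighted unless ignored."""
    report = {"matching": [], "different": {}, "uncontactable": [],
              "highlighted": []}
    for host, cfg in agents.items():
        if cfg is None:
            report["uncontactable"].append(host)
            if not ignore_offline:
                report["highlighted"].append(host)
            continue
        rows = config_differences(cfg, master_cfg, ignore_version)
        if rows:
            report["different"][host] = rows
        else:
            report["matching"].append(host)
    return report

# Constructed sample configurations; the parameter names are hypothetical.
MASTER = {"log_destination": "192.0.2.50:514",
          "remote_allow_ip": "192.0.2.50", "Version": "4.0.1.2"}
AGENTS = {
    "agent001.intersectalliance.com": dict(MASTER),
    "CUSTOM-0-100.SNARE.IA": {"log_destination": "192.0.2.99:514",
                              "Version": "4.0.0.7"},
    "CUSTOM-0-101.SNARE.IA": None,
}

if __name__ == "__main__":
    for host, rows in build_report(AGENTS, MASTER)["different"].items():
        for name, agent_val, master_val in rows:
            print(f"{host}: {name}: agent={agent_val} master={master_val}")
```

In this sample the drifted agent sends its logs to a different destination and has no remote-control address restriction configured, which is the kind of mismatch worth reviewing before enabling a scheduled push.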
Refresh Specific Agents
When there are a large number of Agents managed in a single objective, it takes time to Regenerate everything. This makes debugging a small subset of Agents a problem if you have to wait for 30+ minutes after each change. To get around this, the Refresh Specific Agents tab provides the ability to specify which Agents you wish to regenerate on-demand.
Simply select the Agents to be regenerated by ticking the Checkboxes and clicking 'Refresh Selected Agents'. The objective will regenerate, and only retrieve data from the selected Agents. It will use the previously retrieved config values to work out the differences reports for each Agent that wasn't refreshed.
Agent Processing Errors
Any errors encountered while regenerating the objective will be listed on this tab. All of the Agents listed under "Agents that cannot be contacted" will be listed on this page with the reason why they could not be contacted. Likewise, when Config Push is enabled, Agents with a configuration that does not match will have a reason listed here too.
Example errors:
- Unable to find a listening port to connect to 10.0.0.199 on, agent could be offline. (Tried: 6161, 6163)
- Unable to find a password to authenticate to 10.0.4.20:6163 on.
- Reported Agent Version at 10.0.4.30:6161 doesn't match expected type 'Windows'.
Snare Agent Management Console
As part of installing or upgrading to version 7.2, the Snare Agent Manager (SAM) is included. This will help to manage your agents and licensing of the agents.
Selecting the menu item will launch SAM in another tab. The Snare Agent Manager is used for license allocation and management of the v5+ Snare Agents through a web application interface that can be used from any modern web browser (the minimum versions are IE9+ and current versions of Chrome, Safari and Firefox; refer to the installation guide for more details). SAM is designed to provide centralized management of all your Snare agent licensing. It contains a dashboard that shows the status of the licensing system, its usage, and any operational issues with agents and their licenses.
Please refer to the User Guide for Snare Agent Manager for further information.