Appendix B - Epilog Windows Registry Configuration Description

The purpose of this section is to discuss the makeup of the configuration items in the registry. The Epilog configuration registry key is located at HKEY_LOCAL_MACHINE\SOFTWARE\Intersect Alliance\Epilog, and this location may not be changed. If the configuration key does not exist, the Epilog service will create it during installation, but will not actively audit events until a correctly formatted at least one log monitor is present.

Epilog can be configured in several different ways, namely:

Via the remote control interface (Recommended).
By manually editing the registry (NOT Recommended).
Note manual editing of the registry location is possible, but care should be taken to ensure that it conforms to the required Snare format. Failure to specify a correct configuration will not 'crash' the Epilog service, but may result in selected events not being able to be read, and the system not working as specified.

Any use of the web based Remote Control Interface to modify selected configurations, will result in manual configuration changes being overwritten.

The format of the audit configuration registry subkeys is discussed below.

`[Config]`	`This subkey stores the delimiter and clientname values.`
`AgentLog`	`This value is of type REG_DWORD and sets the level of tracing sent by the agent. Values include [0-5] where Fatal (0), Error (1), Warning (2), Info (3), Debug (8), Trace (9).`
`CachePath`	This is the disk cache path where the agent will temporarily save all unsent events if the agent needs to restart. Agent will read and send the events on next start.
`Checksum`	`This value is of type REG_DWORD, and determines whether Epilog includes an MD5 Checksum of the contents of each audit record, with the record in question. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set. Note that the checking application will need to strip the final delimiter, plus the MD5 Checksum, from the record before evaluating the record against the checksum.`
`Clientname`	`This is the Hostname of the client and is of type REG_SZ. If no value has been set, "hostname" command output will be displayed. Must be no more than 100 chars, otherwise will truncate.`
`Delimiter`	`This is of type REG_SZ and stores the field delimiting character, ONLY if syslog header has been selected. If more than one char, only first char will be used. If none set, then TAB will be used. This is a HIDDEN field, and only available to those users that wish to set a different delimiter when using the SYSLOG header. This selection option will not be found in the Remote Control Interface.`
`EventSourceId`	`This is of type REG_SZ and stores the Windows Registry path from where to read the Event Source Id text/value. If the value in EventSourceIdType is 2 (Registry Path), then the text/value in the registry, specified by the path, is included in each event.`
`EventSourceIdText`	`This is of type REG_SZ and directly stores the Event Source Id text/value. If the value in EventSourceIdType is 1 (Free Text), then this text/value is included in each event.`
`EventSourceIdType`	`This is of type REG_DWORD and stores the option related to specifying Event Source Id: 0(NONE), 1(Free Text), 2(Registry Path).`
`FileSize`	`This is the maximum generated size of an output file receiving events. The file is rotated upon reaching this maximum.`
`HeartBeat`	This values is the frequency with which a heartbeat is sent, set in minutes.
`HeartBeatFileExport`	This value determines whether heartbeats are logged to a file. Set this value to 0 for no, or 1 for Yes.
`HeartBeatOutputPath`	This is the path where the heartbeat messages are exported to, if selected.
HostGUID	`This value is of type REG_SZ`. Set to the GUID of the specific network card.
HostIP	`This value is of type REG_SZ. Set to the IP address of the specific network card.`
`IISLogFlush`	`This value is of type REG_DWORD. Enabling this setting will allow IIS to immediately flush all log messages, allowing Epilog to get them.`
TLS13Minimum	This value is of type REG_DWORD. When disabled (0), Snare Agent supports TLS 1.2 and TLS 1.3 for web connections. When enabled (1), TLS 1.2 is explicitly disabled; browsers connecting to the agent website must support at least TLS 1.3 for ssl connections.
`Separator`	Legacy agent setting required to upgrade agents (if it was set to be the identifier to separate events). Defunct for v5 as now set in Destination Configuration.
UpgradePath	`This value is of type REG_SZ. The automatically generated path in which temporary upgrade files are stored.`
`UseHostIP`	If set it resolves the machines IP address from the first wired adapter. It will not resolve wireless IP's at present. Set this value to 0 for no, or 1 for Yes.
`UseUTC`	`This value is of type REG_DWORD and determines whether Snare should use UTC timestamps instead of the local system time when sending events. Set this value to 0 for no, or 1 for Yes. Will default to FALSE (0) if not set.`

`[Filter]`	`This subkey stores all the filtering policies.`
`Filter#` `(where # is a serial number)`	`This section describes the format of the log filters. Filters are of type REG_SZ, of no greater than 1060 chars.` Example: Filter1: criticality=1,6,6,6,3,3,0,0,0,0match=""regex=0state=1uuid=e6a813b4-3a9b-41b4-b873-e7df57fbb2b1 `Criticality- Format for this string is [0-4],[0-7],[0-7],[0-7],[0-10],[1-10],0,0,0,0.` First integer is between 0 and 4 that indicates the severity of the event. Critical = 4, Priority = 3, Warning = 2, Information = 1, Clear = 0. Next 3 values are Syslog for each RFC3164, RFC3164 Alt and RFC5424. Syslog values RFC3164 Alt and RFC5424 are copied from Syslog and not used separately. Values 0-7 denote Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug. CEF is 0 - 10, 0 is least severe and 10 is most severe. LEEF is 1 - 10, 1 is least severe and 10 is most severe. Last 4 values 0,0,0,0 are reserved and not in use. eg. criticality=2,5,5,5,7,9,0,0,0,0 `match (General Match) - The General match term is the filter expression, and is defined to be any value which includes DOS wildcard characters. Max length is 512. It can also include regular expressions if 'regex' box is checked. Use = to include matching events, != to exclude matching events.` `eg match=""` `Regex: =0 (Include general string term to match); =1 (Include regex string term to match)` `eg. regex=0`

`[Network]`	`This subkey stores the general network configurations.`
`CacheSize`	`This value is of type REG_DWORD, and determines the desired count of events in the memory cache. If this is set then CacheSizeM cannot be altered.`
`CacheSizeM`	`This value is of type REG_DWORD, and determines the size of the in memory cache. The value must be between 1 and 1024.If this is set then CacheSize cannot be altered.`
`CheckTime`	`Number of seconds the agent will internally reload its settings, drop and reestablish network connection. Minimum set time is 300 seconds (5 minutes), maximum is 3600 seconds (1 hour).`
`Destination1Delimiter`	`This sub key is of type REG_SZ and is a comma separated list of destinations, which should be a maximum of 100 characters each. It details the IP address or hostname which the event records will be sent (NB: multiple hosts only available in supported agent). See Appendix - Delimiters.`
`Destination1Format`	`This value is of type REG_DWORD and is the format in which the events are sent to the destination: Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3), LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7).`
`Destination1Host`	`This value is of type REG_SZ and is the IP or hostname of the destination server/SIEM.`
`Destination1Port`	`This value is of type REG_DWORD, and determines the Destination Port number. This value must be in 1-65535 range. Will default to 514 if a SYSLOG header has been specified.`
`Destination1SocketType`	`This value is of type REG_DWORD, and determines the protocol used (0 for UDP, 1 for TCP, 2 for TLS/SSL, 3 for TLS_AUTH). This feature only appears in supported agents.`
`Destination1TLSAuthKey`	`This value is of type REG_SZ and is used when Destination1SocketType is 3 i.e. TLS_AUTH.`
`FileOutput1Delimiter`	`This value ranges from 1 to 255. It includes the path of the files where the events will be stored per format (e.g. Snare, SYSLOG)`
`FileOutput1FileName`	`The path and location of the file the events are sent to. Multiple files may be set.`
`FileOutput1Format`	The format to write to the log file. Available formats are: `Snare (0), SYSLOG RFC3164 (1), SYSLOG Alt (2), CEF (3), LEEF (4), SYSLOG RFC5424 (5), SNARE V2 (6), SYSLOG JSON (7).`
`NotifyMsgLimit`	`This value is of type REG_DWORD having value 0 or 1, and determines whether to send or not the EPS notification to server (1 means send and 0 means not to send) whenever agent reaches EPS RateLimit. This feature only appears in supported agents.`
`NotifyMsgLimitFrequency`	`This value is of type REG_DWORD, and determines the frequency of events per second notification. The value is treated in minutes and only one EPS notification message is sent to server regardless of how many times agent reaches EPS limit during these minutes. This feature only appears in supported agents.`
`RateLimit`	`This value is of type REG_DWORD, and determines the upper limit for events per second (EPS) that the agent will send to server. This feature only appears in supported agents.`
`SyslogFacility`	`This value represents the SYSLOG facility for SYSLOG format`

`[Remote]`	`This subkey stores all the remote control parameters.`
`AccessKey`	`This value is of type REG_DWORD and is used to determine whether a password is required to access the remote control functions. It is set to either 0 or 1, with 0 signifying no password is required.`
`AccessKeySet`	`This is of type REG_SZ, and stores the actual password to be used, in encrypted format.`
`Allow`	`"Allow" is of type REG_DWORD, and set to either 0 or 1 to allow remote control If not set or out of bounds, will default to 0/NO (ie; not able to be remote controlled).`
AllowBasicAuth	Only available via the registry. Set to 0 by default. Enable if agent should support basic http authentication in the web UI.
LockTime	`This value is of type REG_DWORD and is used to determine the lock duration in minutes after maximum failed login attempts.`
MaxFailAttempt	`This value is of type REG_DWORD and is used to determine the maximum number of failed login attempts that will be accepted before the agent will be locked for a duration (Duration is defined in LockTime).`
`Restrict`	`This value is of type REG_DWORD, and set to either 0 or 1 to signal whether the remote users should be restricted via IP address or not. 0 = no restrictions.`
`RestrictIP`	`This is of type REG_SZ and is the IP address set from above.`
`WebPort`	`This value is the web server port, if it has been set to something other than port 6162. It is of type REG_DWORD. If not set or out of bounds, it will default to port 6162.`

`[SAM]`	Stores the Snare Agent Manager settings
SAM1AuthKey	Key used by the agent to communicate with the Snare Agent Manager.
SAM1IP	The IP/hostname of where SAM is installed, that will communicate with the agent.
SAM1Port	The port number the agent uses to communicate with SAM, port 6262.

`[State]`
`SAMCToken`	`Token provided by SAM to the agent.`
AgentLocked	`This value is of type REG_DWORD and is set to either 0 or 1 to indicate whether the agent is locked or not due to reaching maximum failed login attempts.`
AgentLockEndTime	`This is of type REG_SZ and is used to store the time when the agent will be back to normal after it has been locked due to reaching maximum failed login attempts.`
LoginAttempts	`This value is of type REG_DWORD and is used to determine the number of consecutive failed login attempts.`

`[Log]`	This subsection stores the log monitors
`Log# (where # is a serial number)`	`This section describes the format of the log monitors. Log monitors are of type REG_SZ, of no greater than 512 chars, and is composed of the following string:` `Logtype \| LogPath` `LogType is optional and is used to inform the Snare server how to process the data stream.` `The LogPath is the fully qualified path to the log file that needs to be monitored or the fully qualified path to the directory containing date stamped log files of the form "YYMMDD" (in this case a trailing backslash ('\') is required). Spaces are valid, except at the start of the term.`