Latest Events

Events collected by the agent that meet the filtering requirements of the audit configuration are displayed in the Latest Events window.  This display is NOT read from the event log file; it is a temporary view served over a shared memory connection between the web UI and the Snare service.  The list will be empty if the agent has not yet found any matching events, or if a network problem has caused the agent to temporarily suspend event processing.

A key feature of the Snare service is that events are not stored locally on the host: they are sent out over the network to one or more remote hosts, and only a summary version of each event is displayed in the window.

Events may be Audit events, Log Audit events or File Integrity events.  Audit events are displayed by default.  To review file integrity monitoring events, select the File Integrity button; this restricts the display to FIM events only, provided FIM has been configured and enabled via the File Integrity Monitoring menu item.  Similarly, select the Log Audit button to show the latest Log Auditing events, if configured via the Log Configuration menu item.

No events will be generated unless there is a valid destination configured to which to send them.

Below is an example of the latest FIM events:


Below is an example of the latest Log Auditing events:

Other useful information about the Latest Events window:

  • the list is restricted to 20 entries and cannot be cleared, except by restarting the Snare service
  • new events are displayed with an alarm bell icon next to them
  • events are highlighted in the criticality level colour nominated in your audit policies
  • the window will automatically refresh every 15 seconds for event logs or when the Latest Events menu item is selected
  • displays the status of the current network connection(s) to the log server
  • displays the date and time of the last HeartBeat sent, if applicable

About Destinations

Additionally, this page shows the hostname/IP, protocol, status and event rate for each destination.  The status is the current state of the connection and may be one of:

    • INITIAL - The remote log location is about to begin setup
    • RESOLVING - DNS resolution for a hostname is occurring
    • RESOLVE_DELAY - DNS resolution failed, a retry will occur in X seconds
    • CONNECTING - Snare is trying to connect to the destination
    • CONNECT_FAILED - The connection to the destination failed
    • CONNECT_DELAY - Connecting to the remote end failed, it will be retried again in X seconds
    • CONNECTED - Snare has an active connection to the destination
    • SENDING - Snare is currently sending logs to the destination
    • DISCONNECTED - The destination has disconnected the Snare agent. A re-connection will occur automatically.
    • HANDSHAKE - An SSL/TLS handshake is in progress
    • HANDSHAKE_FAILED - The SSL/TLS handshake failed
    • OPENING - Opening a file destination is in progress
    • WRITING - Writing is occurring to a file
    • WRITE_FAILED - A write to file failed
    • CLOSED - A file has been closed
    • AVAILABLE - Instant feedback indicating if Snare can use the destination to send logs. A value of 1 indicates that logs can be sent. A value of 0 indicates logs can't be sent.
    • ReadyToSend - Instant feedback indicating if the destination is setup in a state where logs can be sent. If Snare is already sending to the destination, ReadyToSend will be 0.
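Because no events are generated unless a destination can accept them, a defender monitoring a fleet of agents wants to know quickly when every destination has dropped out of a deliverable state. The following is an added example, not part of the Snare product or this page: it takes the status names listed above and the AVAILABLE / ReadyToSend flags, classifies each destination, and reports the delivery gap. The record layout (a `Destination` dataclass), the hostnames and the file path in the sample data are constructed assumptions; the agent's own UI does not expose these rows in this form.

```python
"""Evaluate Snare destination status rows for log-delivery health.

Added example, not Snare code. The status names are those shown in the
destination display; the row layout and sample data below are assumed.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Status names from the destination display, grouped by what they mean
# for delivery right now.
HEALTHY = {"CONNECTED", "SENDING", "WRITING"}
TRANSIENT = {"INITIAL", "RESOLVING", "RESOLVE_DELAY", "CONNECTING",
             "CONNECT_DELAY", "HANDSHAKE", "OPENING", "DISCONNECTED", "CLOSED"}
FAILED = {"CONNECT_FAILED", "HANDSHAKE_FAILED", "WRITE_FAILED"}


@dataclass(frozen=True)
class Destination:
    """One row of the destination display (layout assumed for this example)."""
    host: str           # hostname/IP, or a file path for file destinations
    protocol: str
    status: str
    available: int      # AVAILABLE: 1 = logs can be sent now, 0 = they cannot
    ready_to_send: int  # ReadyToSend: 1 = set up and idle, 0 otherwise


def classify(status: str) -> str:
    """Map a status name to healthy / transient / failed."""
    if status in HEALTHY:
        return "healthy"
    if status in TRANSIENT:
        return "transient"
    if status in FAILED:
        return "failed"
    raise ValueError(f"unknown destination status: {status!r}")


def evaluate(destinations: Iterable[Destination]) -> dict:
    """Return how many destinations can take logs now, plus findings to act on."""
    findings: List[str] = []
    deliverable = 0
    for d in destinations:
        kind = classify(d.status)
        label = f"{d.host} ({d.protocol})"
        if d.available == 1:
            deliverable += 1
        if kind == "failed":
            findings.append(f"{label}: {d.status}, logs are not being delivered")
        elif kind == "transient" and d.available == 0:
            findings.append(f"{label}: {d.status}, retry or setup in progress")
        # ReadyToSend is defined as 0 while Snare is already sending.
        if d.status == "SENDING" and d.ready_to_send != 0:
            findings.append(f"{label}: ReadyToSend={d.ready_to_send} while SENDING is inconsistent")
    if deliverable == 0:
        # Per the page: no events are generated without a valid destination,
        # so this is a logging gap, not just a networking hiccup.
        findings.insert(0, "no destination can accept logs: the agent has nowhere to send events")
    return {"deliverable": deliverable, "findings": findings}


def sample_destinations() -> List[Destination]:
    """Constructed snapshot: two healthy targets, one TLS failure, one DNS retry."""
    return [
        Destination("siem.example.internal", "TLS", "CONNECTED", 1, 1),
        Destination("backup-collector.example.internal", "TLS", "HANDSHAKE_FAILED", 0, 0),
        Destination("/var/log/snare/archive.log", "FILE", "WRITING", 1, 0),
        Destination("relay.example.internal", "UDP", "RESOLVE_DELAY", 0, 0),
    ]


if __name__ == "__main__":
    result = evaluate(sample_destinations())
    print(f"destinations able to accept logs: {result['deliverable']}")
    for line in result["findings"]:
        print(" -", line)
```

The classification only reflects the snapshot the UI shows; since the window refreshes every 15 seconds, a destination that stays in a transient state across several refreshes should be treated like a failure when you build an alert on top of this.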