Data Backup
Autoremove Data
This objective helps manage the large volume of data that Snare Central handles. It allows the Snare administrator to set up scheduled deletion tasks based on data age, log type, log name or agent. Standards such as PCI DSS require minimum retention periods for logs, and the Autoremove Data capability purges Snare data automatically once a defined period of time has elapsed. This also helps keep disk space under control. The feature is flexible enough to support different ageing criteria for different types of data or different sources of the data (agents), which matters because of the diverse events that Snare Central manages.
When configuring this objective the administrator can list, create, delete, modify and schedule autoremove tasks. For each autoremove task the administrator must define the type of data to be deleted, a matching criterion (a regex condition) applied to the data (such as a name or address), the age of the data to be deleted, and a schedule that tells the server when the task is to be executed. Snare Central supports up to 100 autoremove tasks. This objective supports the following types of autoremove task:
- Agent: files associated with this Agent (or group of agents) matched by the Condition and Value fields.
- Date: files associated with this Date matched by the Condition and Value fields.
- LogType: files associated with this LogType (or Snare Table name) matched by the Condition and Value fields.
- All: all files that meet the age criterion.
An age criterion to match against must be specified using the Older than and units fields.
A Test button is provided to test the matching and age criteria against the actual Snare data; it shows a list of the files that would be affected by the task.
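As an added illustration (not Snare's own code), the following Python model shows how an autoremove task's Type, Condition/Value and age fields select files, with a dry run that plays the role of the Test button. The file records, the unit names, the "equals"/"matches" condition names and the one-year retention floor are all assumptions, not Snare's real layout.

```python
import re
from datetime import date, timedelta

# Constructed sample inventory standing in for the Snare data store (not Snare's real layout).
FILES = [
    {"path": "/data/2023-01-10/WindowsEvent/srv-dc01", "date": "2023-01-10",
     "logtype": "WindowsEvent", "agent": "srv-dc01"},
    {"path": "/data/2023-06-01/Syslog/fw-edge01", "date": "2023-06-01",
     "logtype": "Syslog", "agent": "fw-edge01"},
    {"path": "/data/2024-03-15/WindowsEvent/ws-hr07", "date": "2024-03-15",
     "logtype": "WindowsEvent", "agent": "ws-hr07"},
]

# Assumed unit names for the "units" field, approximated in days.
UNITS = {"days": 1, "weeks": 7, "months": 30, "years": 365}
# Assumed site policy floor: never schedule a purge of data younger than this (PCI DSS keeps a year).
MIN_RETENTION_DAYS = 365


def window_days(task):
    """Age threshold of a task in days, from its Older than and units fields."""
    return task["older_than"] * UNITS[task["units"]]


def violates_retention_floor(task):
    """True when the task would purge data younger than the site's minimum retention."""
    return window_days(task) < MIN_RETENTION_DAYS


def matches(task, f):
    """Apply the task Type and its Condition/Value pair to one file record."""
    kind = task["type"]
    if kind == "All":
        return True
    field = {"Agent": f["agent"], "LogType": f["logtype"], "Date": f["date"]}[kind]
    if task["condition"] == "equals":
        return field == task["value"]
    return re.search(task["value"], field) is not None  # "matches": regex condition


def select_for_removal(task, files, today_iso):
    """Dry run of one autoremove task: the paths the Test button would list, sorted."""
    if violates_retention_floor(task):
        raise ValueError("task purges data inside the retention floor; refusing to run")
    cutoff = date.fromisoformat(today_iso) - timedelta(days=window_days(task))
    return sorted(f["path"] for f in files
                  if date.fromisoformat(f["date"]) < cutoff and matches(task, f))
```

Run the dry run against a copy of the inventory before scheduling a task; a 12-month task expressed as 360 days trips the floor here, which is the kind of off-by-a-few-days gap a retention audit catches.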
Data Backup
Snare can back up data to optical or removable USB media. Select a device type to continue to the data archival process.
Optical Media - Interactive
Selecting either the CD or DVD option will present a choice to generate either:
- A CD or DVD, written in the local Snare CD/DVD burner, or
- An ISO image of an appropriate size, filled with event log data from your Snare data archive, which can be downloaded to your local workstation and burned to optical media.
A dialog will appear that asks you which months/days to transfer. Months can be expanded to include or exclude individual days' worth of data. Months or days can be added to the archive by clicking on the arrow button to the right of the date, and removed by clicking on the red cross associated with the date.
A 'fuel gauge' indicator is available to the right of the dialog, and provides an indication of the current fill state of the CD or DVD.
After clicking the 'Next' button, a new dialog will appear, showing the status of the transfer.
Once the process has completed, the dialog will offer you the opportunity to display or remove the files that have been transferred to CD/DVD.
If you have chosen to generate an ISO image, the image file will be available for download from the front objective output page. You can also choose to remove the CD or DVD from the dialog that pops up when you select the download link, or request an MD5 checksum of the image, to provide a level of assurance that your download matches the image generated by the Snare Server.
Optical Media - Scheduled
When run as a scheduled task, the objective checks the configuration settings for your preferred optical media type (CD or DVD). On regeneration, the objective creates a CD- or DVD-sized ISO image, which is then available for you to download and burn to a local CD/DVD drive.
Automated ISO generation is only of practical benefit when combined with automated data removal; otherwise, the CD/DVD image generated during each scheduled run will contain practically the same data as the previous scheduled run. The configuration settings dialog allows you to choose to archive:
- Data from 'last month' only.
- Data that is more than 30, 60, 90 or 365 days old.
USB Media
Choosing the 'USB Drive/Key' button will allow you to synchronise all, or a portion, of your current event log data with a USB device.
Data already present on the device is compared against the current contents of your data archive, and only new or changed data is copied across to the target device. Data that already exists on the target device but has been removed from the Snare Server data store is not touched.
When a USB key or hard drive is plugged into the Snare Server, the configuration settings dialog will list the device as a selectable option.
Choosing a USB device as a target device, and setting the objective to regenerate nightly with all data other than the current day, provides an automated external backup solution for event log data. Once you have either filled the external drive or wish to swap to other media, any data that has been copied to external storage can be removed manually, and the USB media synchronisation re-established for the new device.
Remove Data
The Remove Data objective provides the ability to remove data by date, log type or agent.
Selecting a date (or range of dates) will update the Log Type Selection column to display a list of the log types that are available for the chosen date(s). Choosing a log type will update the list of agents that are available for the chosen log types and dates.
Once you are satisfied with your selection, clicking the 'Remove the selected data' button will start the process of removing the actual underlying files and regenerating the metadata associated with those particular dates, log types and agents.
It may take up to 15 minutes for the changes made by the file removal process to be reflected in the list of dates, log types and agents displayed by this objective, or by other objectives that rely on the Snare Server metadata subsystem.