Supporting Objectives - Status v8.0.0

The Status category contains objectives used to monitor the status and performance of Snare Central. This includes information on user access to Snare Central, current scripts and processes that are running or queued to run, summaries of the data in the data store and general health check information.



The key sub-categories are:

  • Collection Status - Agent Information
  • General Statistics
  • Monitor Live Data
  • Retrieve Integrity Check of the Data Store
  • Snare Health Checker
  • System Status
  • Total Events Plotted per 15 Minutes

Collection Status - Agent Information

This objective displays an overview of the systems that have recently reported to Snare Central. The number of days of historical data to query is configurable. Regenerate the objective to review current information. The output is available as a CSV and PDF attachment.

General Statistics

This objective provides a number of graphical displays, summarising the data currently held in the Snare Central data store.

Tabs include:

  • A stacked horizontal bar graph of events per month.
  • A vertical bar graph of total events for the current year.
  • A vertical bar graph of events per second, per day, for the last 12 weeks.
  • A collective clickable graph that displays total number of events, compressed storage size, and average compressed bytes per event for each log type, and each agent within the log type.
  • A pattern map of events per system over the last 12 weeks.
  • A horizontal graph of total events per system, sorted by system.


Monitor Live Data

This objective provides a way to preview the events that are being received by Snare Central live. It is designed for debugging and event collection health checking, rather than for auditing the exact events received by the server.


The box on the left lists all of the Log Types for the incoming Events, and the number of bytes received for each Log Type. Clicking on a specific Log Type filters the other displays to make it easier to drill down and see specific events coming into the server.

The box on the right lists all of the Servers or hosts that are sending events to Snare Central. Like the Log Types list, it shows the number of bytes received. Clicking on a Log Type will filter the Servers listed in this box to only those that have sent events of that specific type.



The bottom box shows the last 10 events received, to provide a preview of the events coming in for the selected Log Type and Server.

This objective consumes system resources while active. It may have a small negative effect on event collection rates if left open for long periods of time.

Retrieve Integrity Check of the Data Store

This objective scans the current data store, and generates a SHA3 checksum for each file found. The results can be downloaded from the objective, and compared against previous runs, in order to verify that data has not been tampered with since the last run.  The Snare Health Checker will also display alerts if any files have been tampered with.


Sample output from the integrity check process

15af6d8bbcbd12aea0c8acfdc0c7b7a871660371546337807d4787bee3b27386
/data/SnareArchive/2017-06-16/10.1.2.201/GenericLog-18-1-32182.148304939.log.gz

b7ff7ef384ad4323348b611d515a06701201c6c21ff64057e6e49362b405283e
/data/SnareArchive/2017-06-16/10.1.2.201/GenericLog-18-2-32541.79817009.log.gz

f59da0a32a4f4ef6eafa9abc4f495762aa74a350a7fa8df1bb180ce4db381485
/data/SnareArchive/2017-06-16/127.0.0.1/SnareServerLog-14-1-17405.756345034.log.gz

5e2605d29a419d6b1be0030bdb43831f977aa4d779cef0685c295d477f73ab56
/data/SnareArchive/2017-06-16/127.0.0.1/SnareServerLog-16-0-24282.826951027.log.gz

ba0befa07c5168d02687447c2c88e642e49e5217b95d8c1be26f404dcbe1711e
/data/SnareArchive/2017-06-16/127.0.0.1/SnareServerLog-15-0-19800.594000101.log.gz

97b59b5e294c294328cc1e2dd597f718d41a51eedae02864a3f033aa5518eed1
/data/SnareArchive/2017-06-16/127.0.0.1/SnareServerLog-14-2-18608.278234959.log.gz

If you have recently upgraded or installed Snare Central, the first data checksums will be generated at approximately midnight.
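
The comparison against a previous run can be scripted. The following Python is an added example, not part of the Snare documentation or product code; it assumes the downloaded results use the layout of the sample output above (a 64-character hex digest line followed by the file path line), and the function names, digests and file names are constructed for illustration.

```python
import re

# 64 hex characters, matching the digests in the sample output above.
DIGEST_RE = re.compile(r"[0-9a-f]{64}")

def parse_report(text):
    """Parse 'digest line, then path line' records into {path: digest}."""
    records, pending = {}, None
    # Blank lines between records are ignored.
    for line in filter(None, map(str.strip, text.splitlines())):
        if DIGEST_RE.fullmatch(line.lower()):
            if pending is not None:
                raise ValueError("two digests in a row, path missing")
            pending = line.lower()
        elif pending is None:
            raise ValueError(f"path without a digest: {line!r}")
        else:
            records[line] = pending
            pending = None
    if pending is not None:
        raise ValueError("report ends with a digest and no path")
    return records

def compare_runs(previous, current):
    """Classify paths by comparing an earlier run with the latest one."""
    shared = previous.keys() & current.keys()
    return {
        "changed": sorted(p for p in shared if previous[p] != current[p]),
        "missing": sorted(p for p in previous if p not in current),
        "added": sorted(p for p in current if p not in previous),
    }

# Constructed sample reports (placeholder digests and file names).
BASE = "/data/SnareArchive/2024-01-01/192.0.2.10/"
PREVIOUS = f"""
{'a' * 64}
{BASE}ExampleLog-1.log.gz
{'b' * 64}
{BASE}ExampleLog-2.log.gz
"""
CURRENT = f"""
{'c' * 64}
{BASE}ExampleLog-1.log.gz
{'d' * 64}
{BASE}ExampleLog-3.log.gz
"""

if __name__ == "__main__":
    print(compare_runs(parse_report(PREVIOUS), parse_report(CURRENT)))
```

Entries under "changed" or "missing" are the ones to investigate; "added" entries correspond to files created since the earlier run.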

Snare Health Checker

This objective provides a 'health check' for Snare Central by querying the status of key functions of Snare Central, including, but not limited to:

  • licensing,
  • whether the key services are still functioning,
  • reporting agents,
  • integrity checks,
  • the amount of disk space available, and
  • status of the Reflector/Collector disk cache.

Functions are configurable via the "Configure" tab, including:

  • emailing reports when there is an exception (any issue) in the Snare Health Checker
  • disk space thresholds
  • agent event volumes and reporting
  • discarding event reporting

It is recommended that any (red) problem indications are reported and resolved immediately.

Warning messages (in orange) should be investigated when time permits.

Unlike most other Snare Central objectives, it is not necessary to 'regenerate' this objective. The results are calculated 'on the fly' every time it is loaded.

System Status

This objective provides the details of the Snare Central status. It includes hardware description, operating system distribution, uptime and information and graphs on CPU, network, memory, swap and mounted file system usage.

Total Events Plotted per 15 Minutes

This objective displays the total number of events received for every host over a 35 day period. The coloured rectangles indicate the number of events received during the 15 minute period relative to the scale shown at the bottom of the graph. Further details on the number of events received can be ascertained by placing the mouse cursor over the coloured rectangles.

Furthermore, the raw logs for this 15 minute period can be viewed by 'clicking' the rectangle. Note that for the current month, the details will obviously be for the period since the report was generated. Collection details for a specific host can be viewed by selecting the list of hosts shown at the bottom of the graph.
