Snare Central can process a reasonably wide range of source data types. The Snare Central data acquisition software is generally tuned for particular versions of operating system or device logs, so if you encounter problems importing particular types of data, please contact your Snare Central support team, and be prepared to supply (sanitised if required) log samples.

Snort Sensor

Organisations that use the Snort network intrusion detection system can send data to Snare Central via the syslog protocol. Snare will be able to collect, interpret, and report on the events. The following information provides an overview of the steps required to configure the Snort sensor to send eventlog data back to Snare Central. Note that there is no configuration required on Snare Central.

What you need

The IP address or DNS name of Snare Central

How to..

On the host that is acting as a Snort collection sensor:

In the file /etc/syslog.conf, add the following two lines:

# Send all SYSLOG events to Snare Central
*.*@12.23.34.45

Please substitute the IP address, or the DNS name, of Snare Central for the string "12.23.34.45"
Modify the file /etc/snort/snort.conf to include the following line:

output alert_syslog: LOG_AUTH LOG_ALERT

An existing (or possibly, multiple) 'output' line may already exist in the file - that is acceptable. Snort will be able to send output to both targets.
Restart your snort network intrusion detection system and syslog daemon. Depending on your distribution this may be one of:
- /etc/init.d/snortd; /etc/init.d/syslog restart
- service snortd restart; service syslog restart

Troubleshooting Snort

Checking for Snort Sensor errors:

Look in /var/log/messages for errors.
Run manually:
- /usr/sbin/snort -D -i "ppp0" -c /etc/snort/snort.conf
..then look in /var/log/messages for errors

Collecting ACF2 Data

Snare Central is able to collect ACF2 processed reports, via FTP transfer. The processed reports need to be transferred to a particular directory on Snare Central, which will then be uploaded by Snare Central processes, on a daily basis.

The ACF2 processed reports are based on specific utilities, provided with the ACF2. The utilities produce formatted reports on the following activity on a mainframe, which can then be collected by Snare Central, and used for reporting:

ACFRPTLL Logonid Modification Log
ACFRPTRL Dataset Rule Modification Log
ACFRPTEL Infostorate Modification Log
ACFRPTDS Dataset Violation/Logging
ACFRPTRV Resource Violation/Logging
ACFRPTPW Invalid Password Authority Log

The end of this chapter contains a listing of an example JCL which could be used to run, extract and send the ACF2 processed reports to Snare Central. This sample job has been set up for the Logonid Modification Log report, but could easily be configured for all the reports listed above. Each step in the sample job below performs the following steps. Note that a fixed transfer library name is used because a reference to this library is stored in an FTP parm library which cannot be changed with each run. Some of the programs used in this job are defined below.

Deletes previous day's FTP transfer library.
Runs ACF2 report, placing output in a GDG (7 generations kept).
Allocate new FTP transfer library and copy report from GDG created in previous step.
FTP the transfer library to Snare Central. The 'snarexfer' FTP user must be used. This user defaults to the "/data/SnareCollect" directory on Snare Central. The ACF2 processed reports must be placed in the "ACF2Log" sub-directory. So the full path becomes: "/data/SnareCollect/ACF2Log". Member level security is used to protect the FTP lid password.

The IEBGENER program used in the sample job is an IBM-supplied utility program designed to generate copies of data sets when disk storage or tape is involved. The IKJEFT01 program is the TSO/E program, and is used to perform a TSO function within a batch job.

CSCSNR01

********************************** Top of Data **********************************
//CSCSNR01 JOB (P,SCF81),ACT.SECURITY,CLASS=C,MSGCLASS=J
/*JOBPARM SYSAFF=PROD
//-----------------------------------------------------------------
//*
//* JOB TO PRODUCE ACF2 LIDMOD REPORT FOR XFER TO SNARE SERVER
//*
//*---------- DELETE TEMP XFER LIB ---------------------------------
//*
//STEP1 EXEC PGM=IKJEFT01,REGION=8192K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTERM DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN DD *
DELETE 'CSC.SNARE01.LIDMODS.XFER'
//*
//*---------- ACF2 LID DB MODIFICATION LOG REPORT ------------------
//*
//STEP2 EXEC PGM=ACFRPTLL
//SYSPRINT DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),
//
DISP=(,CATLG),
//
VOL=SER=BTCH52,
//
UNIT=SYSDA,
//
SPACE=(TRK,(60,5),RLSE),
//
DCB=(GDGMODEL,RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSUDUMP DD SYSOUT=*
//REC01 DD DSN=CTF.SMFJR,DISP=SHR
//SYSIN DD *
MASK(********)
DETAIL
NOUPDATE
SYSID(****)
//*
//*---------- COPY REPORT FROM GDG TO XFER LIB ---------------------
//*
//COPY
EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1
DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),
DISP=SHR
//SYSUT2
DD DSN=CSC.SNARE01.LIDMODS.XFER,
//
DISP=(NEW,CATLG,DELETE),
//
VOL=SER=BTCH52,
//
UNIT=SYSDA,
//
SPACE=(TRK,(60,5),RLSE),
//
DCB=*.SYSUT1
//*
DCB=(RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSIN
DD DUMMY
//*
//*---------- FTP XFER FILE TO SNARE SERVER ------------------------
//*
//STEP4 EXEC FTP,
//
SERVER='CSCSNARE',
//
FTPUSER='SNAREXFER',
//
FTPCMDS='CSCSNR01',
//
ENV='PROD',
//
SOUT='*'
//*
//*---------- Notify Security Monitoring Team if job fails ---------
//*
//*JOBFAIL IF ((RC > 4) | (ABEND)) THEN
//*
//SENDMEMO EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1 DD *
HELO NCC
MAIL FROM:<PSC0SCHD@AGENCY.COM>
RCPT TO:<ITSECMON@AGENCY.COM>
DATA
TO:ITSECMON<ITSECMON@AGENCY.COM>
SUBJECT:SNARE REPORT FTP JOB FAILURE: JOB CSCSNR01
PLEASE CHECK SDSF OUTPUT FOR THIS JOB ASAP AND DETERMINE WHY.
>> THIS E-MAIL IS GENERATED BY A BATCH JOB RUNNING ON THE
>> AGENCY'S MAINFRAME ENVIRONMENT.
.
QUIT
/*
//SYSUT2 DD SYSOUT=(B,SMTP)
//SYSIN DD DUMMY
//*
//JOBFAIL ENDIF
//*===================================================================

RACF Violation Logs

RACF resource violation logs can be batch-imported to Snare Central. In particular, ACCESS, DELRES, and JOBINIT logs are supported directly, .

RACF files should be in ASCII format, and transferred to the directory /data/SnareCollect/RACFLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Log format

RACF logs are fixed-column logs. Snare Central assumes the following format:

EVENT TYPE: Characters 1-8
EVENT QUALIFIER: Characters 10-17 (Eg; SUCCESS, INVPSWD, RACINITD)
TIME: Characters 19-26
DATE: Characters 28-37
SYSTEM: Characters 39-42 (SYSTEM ID)
USER ID: Characters 59-66
GROUP ID: Characters 68-75
TERMINAL (HOSTNAME): Characters 171-178
JOB NAME: Characters 180-187
USER NAME: Characters 556-575
ATTRIBUTES: (True/False)
- VIOLATION: 44-47
- BYPASS: 107-110
- SPECIAL USER: 602-605
- PRIV: 646-649

Tandem Logs

Tandom systems supply logs with the following fields:

P-TIMEREP
PS-SYSNAME
PS-GUSER
PS-GUSER
PS-TERM
P-OPERATIO
P-OUTCOME
PO-OWNUSER
PO-OBJTYPE
PO-OWNUSER
PC-GUSER
PC-TERM

Logs should be transferred to the directory /data/SnareCollect/TandemLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Sidewinder Firewall Logs

Sidewinder firewall logs can be exported to CSV, and transferred to Snare Central for processing.

Snare Central, will utilise the following fields:

date
hostname
user_name
reason
srcip
srcport
dstip
dstport
type
event
protocol
auth_method

Logs should be transferred to the directory /data/SnareCollect/SidewinderLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Content Keeper Logs

Content keeper logs can be transferred to the directory /data/SnareCollect/CKeeperLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Snare expects logs to be comma delimited, and be composed of fields in the following order:

Date/Time
Ignored field
Source IP Address
User Name
Bytes
Status Code
Content
URL
Policy
Category

Checkpoint Firewall1 Logs

Checkpoint Firewall 1 firewalls can export log data to a CSV file. Snare is capable of coping with a range of formats, as long as the header line, specifying the log format, is included as the first line in each exported file.

A sample header line is:

num,date,time,orig,type,action,alert,i/f_name,i/f_dir,proto,src,dst,service,s_port,len,rule,icmp-type,icmp-code,reason:,rpc_prog,IKE Log:,product,additionals:,sys_msgs

Snare will try and pull out the following information from the log data, and incorporate it into the Snare log archive:

Date
Time
Action
Interface
Source IP Address
Source Port
Destination IP Address
Destination Port
Protocol
Rule
All other information will be included within a general 'Data' field.

Checkpoint Firewall logs can be transferred to the directory /data/SnareCollect/Firewall1Log via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Gauntlet Firewall Logs

Gauntlet Firewall logs can be transferred to the directory /data/SnareCollect/GauntletFirewallLog/ via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Content is assumed to be in ASCII format, and values are space separated.

OS400 Logs

OS400 logs can be transferred to the directory /data/SnareCollect/OS400Log via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Snare is capable of coping with a range of log formats, as long as the header line, specifying the log format, is included as the first line in each exported file.

Snare understands the following fields:

Journal Code (JournalCode)
Journal Entry Code (JournalEntryCode)
Journal Entry Date (Date)
Journal Entry Time (Time)
System name (System)
Job Name (JobName)
User Name (JobUser)
Job Number (JobNumber)
Program Accessing Object (Program)
Object Failure Object Name (OFName)
Object Failure Library Name (OFLibrary)
Object Failure Object Type (OFType)
Failed Login User (Strings)
Failed Login Job (Strings)
System Value name (Strings)
Changed Value (Strings)

Squid Proxy Logs

Squid proxy logs (in the default squid log format) can be transferred to the directory /data/SnareCollect/SquidProxyLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Apache Logs

Apache web server logs (in the default apache 'combined' format) can be transferred to the directory /data/SnareCollect/ApacheLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Internet Information Server (IIS) Logs

IIS web server logs can be transferred to the directory /data/SnareCollect/IISWebLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

IIS logs should retain the header information, that includes the 'Fields' definition line.

Snare Central requires the following fields to be included:

date
time
s-ip
cs-method
cs-uri-stem
cs-uri-query
s-port
cs-username
c-ip
cs(User-Agent)
sc-status
sc-substatus
sc-win32-status

Windows Event Logs (Exported from Snare Agents)

Snare for Windows agents are capable of exporting log data to a file on disk, rather than pushing the events back to a central server.

In situations where systems are air-gapped, or have sporadic internet connectivity, directly transferring the archived log data to Snare Central via FTP is possible.

Logs should be in standard Snare Agent tab-delimited text format, and can be transferred to the directory /data/SnareCollect/MSWinEventLog via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

Windows Event Logs (EVTX files)

Note: Only available in Snare Central version 7.1 or newer

EVTX files can be exported from windows machines, and transferred to a subdirectory within /data/SnareCollect/MSWinEVTX via FTP using the user 'snarexfer'. Logs will be processed daily, at around midnight.

There are several limitations of the EVTX format that need to be considered:

String order may not match the order found in normal Snare agent logs.
- Some existing Snare Central objectives may require strings to be in a particular order, to pull out information of particular interest, from the 'Strings' section of events, such as as user name.
String names may not match those found in normal Snare agent logs.
- The string "SubjectUserSid" in the EVTX file, is actually translated to "Subject: Security ID:" in many events.
- The string "SubjectUserName" in the EVTX file may be "User Name" in some circumstances, or "Account Name" in others. There is no obvious consistency , and there does not seem to be a generally available lookup-table to hint at what translations are appropriate.
- Snare Central will attempt to convert the 'CamelCase' string headers to space-included versions, which are more likely to match those displayed by the Windows event viewer (and therefore transmitted by Snare), however, case may be incorrect in some circumstances:
  - SubjectUserId may be translated as "Subject User Id", whereas the Windows event view will display it as "Subject User ID".
  - There are a few 'special cases' defined in the EVTX converter, that may fix the more obvious examples.
The contents of the 'Data' field is not currently supported for conversion.
Content that is usually interpreted at display-time in the Windows event viewer, or at transmission time in the Snare agents, will not be interpreted.
- At event display-time, the Windows event viewer interrogates the registry, and sometimes native or third party DLL's, to try and resolve event template components to human readable text. The Snare for Windows agent does the same, when it converts the events to text-format prior to transmission.
- These DLL's/registry entries are not guaranteed to be installed on all windows machines - for example, Internet Information Server template conversion DLL's will not be installed on a server that is not running IIS.
- As such, information that is available to a Snare Agent on the source system, is NOT available to Snare Central when it attempts to convert the binary EVTX log data to text format.
- Human-readable event descriptions that are often included within the strings section, will not be available.
Date/Time values within the EVTX files are in UTC format, and the EVTX files do not contain UTC offset information for the source server.
In general, the conversion tool may require assistance in determining the source of the source EVTX file (eg: Security, Application, System, etc).
- The two points above, can be addressed with the assistance of file path hints.
- Logs should be included in one of the following file paths, depending on the log type/source:
  - /data/SnareCollect/MSWinEVTX/Security
  - /data/SnareCollect/MSWinEVTX/Application
  - /data/SnareCollect/MSWinEVTX/System
- Under these directories, if time zone conversion is required (highly recommended), a directory should be created with the textual representation of the time-zone (but with the forward-slash character switched out for a COLON)
  - For example:
    - /data/SnareCollect/MSWinEVTX/Security/America:New_York
    - /data/SnareCollect/MSWinEVTX/Security/Australia:Adelaide

Example

A Sample log line, as received by Snare Central from a Snare Agent, and after conversion from an EVTX file. Key differences are highlighted.

Snare Agent	EVTX Converter
2015-02-05	2015-02-05
14:23:27	14:23:27
WIN08R264DC2	WIN08R264DC2
WinSecurity	WinSecurity
47	47
4719	4719
Microsoft-Windows-Security-Auditing	Microsoft-Windows-Security-Auditing
TEST\WIN08R264DC2$	TEST\WIN08R264DC2$
N/A	N/A
Success Audit	Success Audit
System audit policy was changed.
Subject: Security ID: S-1-5-18	Subject User Sid: S-1-5-18
Account Name: WIN08R264DC2$	Subject Account Name: WIN08R264DC2$
Account Domain: TEST	Subject Account Domain: TEST
Logon ID: 0x3e7	Logon Id: 0x3e7
Audit Policy Change: Category: System	Category Id: %%8272
Subcategory: Security State Change	Subcategory Id: %%12288
Subcategory GUID: {0CCE9210-69AE-11D9-BED3-505054503030}	Subcategory Guid: {0CCE9210-69AE-11D9-BED3-505054503030}
Changes: Success removed, Failure removed	Audit Policy Changes: %%8448, %%8450

Caveats

It should be noted however, that the EVTX import tool, will 'cheat' in some circumstances, and performs some transformations on events that are considered high priority by Snare Central customers, in order to make them appear very similar to the events generated by Snare Agents. These transformations may include:

Reordering fields
Relabelling some strings (eg: SubjectUserSid becomes "Subject: Security ID")
Inserting human readable event descriptions.

Time Zones

The following Time Zones are supported:

Africa:Abidjan	Africa:Accra	Africa:Addis_Ababa	Africa:Algiers	Africa:Asmara
Africa:Asmera	Africa:Bamako	Africa:Bangui	Africa:Banjul	Africa:Bissau
Africa:Blantyre	Africa:Brazzaville	Africa:Bujumbura	Africa:Cairo	Africa:Casablanca
Africa:Ceuta	Africa:Conakry	Africa:Dakar	Africa:Dar_es_Salaam	Africa:Djibouti
Africa:Douala	Africa:El_Aaiun	Africa:Freetown	Africa:Gaborone	Africa:Harare
Africa:Johannesburg	Africa:Juba	Africa:Kampala	Africa:Khartoum	Africa:Kigali
Africa:Kinshasa	Africa:Lagos	Africa:Libreville	Africa:Lome	Africa:Luanda
Africa:Lubumbashi	Africa:Lusaka	Africa:Malabo	Africa:Maputo	Africa:Maseru
Africa:Mbabane	Africa:Mogadishu	Africa:Monrovia	Africa:Nairobi	Africa:Ndjamena
Africa:Niamey	Africa:Nouakchott	Africa:Ouagadougou	Africa:Porto-Novo	Africa:Sao_Tome
Africa:Timbuktu	Africa:Tripoli	Africa:Tunis	Africa:Windhoek
America:Adak	America:Anchorage	America:Anguilla	America:Antigua	America:Araguaina
America:Argentina:Buenos_Aires	America:Argentina:Catamarca	America:Argentina:ComodRivadavia	America:Argentina:Cordoba	America:Argentina:Jujuy
America:Argentina:La_Rioja	America:Argentina:Mendoza	America:Argentina:Rio_Gallegos	America:Argentina:Salta	America:Argentina:San_Juan
America:Argentina:San_Luis	America:Argentina:Tucuman	America:Argentina:Ushuaia	America:Aruba	America:Asuncion
America:Atikokan	America:Atka	America:Bahia	America:Bahia_Banderas	America:Barbados
America:Belem	America:Belize	America:Blanc-Sablon	America:Boa_Vista	America:Bogota
America:Boise	America:Buenos_Aires	America:Cambridge_Bay	America:Campo_Grande	America:Cancun
America:Caracas	America:Catamarca	America:Cayenne	America:Cayman	America:Chicago
America:Chihuahua	America:Coral_Harbour	America:Cordoba	America:Costa_Rica	America:Creston
America:Cuiaba	America:Curacao	America:Danmarkshavn	America:Dawson	America:Dawson_Creek
America:Denver	America:Detroit	America:Dominica	America:Edmonton	America:Eirunepe
America:El_Salvador	America:Ensenada	America:Fort_Wayne	America:Fortaleza	America:Glace_Bay
America:Godthab	America:Goose_Bay	America:Grand_Turk	America:Grenada	America:Guadeloupe
America:Guatemala	America:Guayaquil	America:Guyana	America:Halifax	America:Havana
America:Hermosillo	America:Indiana:Indianapolis	America:Indiana:Knox	America:Indiana:Marengo	America:Indiana:Petersburg
America:Indiana:Tell_City	America:Indiana:Vevay	America:Indiana:Vincennes	America:Indiana:Winamac	America:Indianapolis
America:Inuvik	America:Iqaluit	America:Jamaica	America:Jujuy	America:Juneau
America:Kentucky:Louisville	America:Kentucky:Monticello	America:Knox_IN	America:Kralendijk	America:La_Paz
America:Lima	America:Los_Angeles	America:Louisville	America:Lower_Princes	America:Maceio
America:Managua	America:Manaus	America:Marigot	America:Martinique	America:Matamoros
America:Mazatlan	America:Mendoza	America:Menominee	America:Merida	America:Metlakatla
America:Mexico_City	America:Miquelon	America:Moncton	America:Monterrey	America:Montevideo
America:Montreal	America:Montserrat	America:Nassau	America:New_York	America:Nipigon
America:Nome	America:Noronha	America:North_Dakota:Beulah	America:North_Dakota:Center	America:North_Dakota:New_Salem
America:Ojinaga	America:Panama	America:Pangnirtung	America:Paramaribo	America:Phoenix
America:Port-au-Prince	America:Port_of_Spain	America:Porto_Acre	America:Porto_Velho	America:Puerto_Rico
America:Rainy_River	America:Rankin_Inlet	America:Recife	America:Regina	America:Resolute
America:Rio_Branco	America:Rosario	America:Santa_Isabel	America:Santarem	America:Santiago
America:Santo_Domingo	America:Sao_Paulo	America:Scoresbysund	America:Shiprock	America:Sitka
America:St_Barthelemy	America:St_Johns	America:St_Kitts	America:St_Lucia	America:St_Thomas
America:St_Vincent	America:Swift_Current	America:Tegucigalpa	America:Thule	America:Thunder_Bay
America:Tijuana	America:Toronto	America:Tortola	America:Vancouver	America:Virgin
America:Whitehorse	America:Winnipeg	America:Yakutat	America:Yellowknife
Antarctica:Casey	Antarctica:Davis	Antarctica:DumontDUrville	Antarctica:Macquarie	Antarctica:Mawson
Antarctica:McMurdo	Antarctica:Palmer	Antarctica:Rothera	Antarctica:South_Pole	Antarctica:Syowa
Antarctica:Troll	Antarctica:Vostok
Arctic:Longyearbyen
Asia:Aden	Asia:Almaty	Asia:Amman	Asia:Anadyr	Asia:Aqtau
Asia:Aqtobe	Asia:Ashgabat	Asia:Ashkhabad	Asia:Baghdad	Asia:Bahrain
Asia:Baku	Asia:Bangkok	Asia:Beirut	Asia:Bishkek	Asia:Brunei
Asia:Calcutta	Asia:Chita	Asia:Choibalsan	Asia:Chongqing	Asia:Chungking
Asia:Colombo	Asia:Dacca	Asia:Damascus	Asia:Dhaka	Asia:Dili
Asia:Dubai	Asia:Dushanbe	Asia:Gaza	Asia:Harbin	Asia:Hebron
Asia:Ho_Chi_Minh	Asia:Hong_Kong	Asia:Hovd	Asia:Irkutsk	Asia:Istanbul
Asia:Jakarta	Asia:Jayapura	Asia:Jerusalem	Asia:Kabul	Asia:Kamchatka
Asia:Karachi	Asia:Kashgar	Asia:Kathmandu	Asia:Katmandu	Asia:Khandyga
Asia:Kolkata	Asia:Krasnoyarsk	Asia:Kuala_Lumpur	Asia:Kuching	Asia:Kuwait
Asia:Macao	Asia:Macau	Asia:Magadan	Asia:Makassar	Asia:Manila
Asia:Muscat	Asia:Nicosia	Asia:Novokuznetsk	Asia:Novosibirsk	Asia:Omsk
Asia:Oral	Asia:Phnom_Penh	Asia:Pontianak	Asia:Pyongyang	Asia:Qatar
Asia:Qyzylorda	Asia:Rangoon	Asia:Riyadh	Asia:Saigon	Asia:Sakhalin
Asia:Samarkand	Asia:Seoul	Asia:Shanghai	Asia:Singapore	Asia:Srednekolymsk
Asia:Taipei	Asia:Tashkent	Asia:Tbilisi	Asia:Tehran	Asia:Tel_Aviv
Asia:Thimbu	Asia:Thimphu	Asia:Tokyo	Asia:Ujung_Pandang	Asia:Ulaanbaatar
Asia:Ulan_Bator	Asia:Urumqi	Asia:Ust-Nera	Asia:Vientiane	Asia:Vladivostok
Asia:Yakutsk	Asia:Yekaterinburg	Asia:Yerevan
Atlantic:Azores	Atlantic:Bermuda	Atlantic:Canary	Atlantic:Cape_Verde	Atlantic:Faeroe
Atlantic:Faroe	Atlantic:Jan_Mayen	Atlantic:Madeira	Atlantic:Reykjavik	Atlantic:South_Georgia
Atlantic:St_Helena	Atlantic:Stanley
Australia:ACT	Australia:Adelaide	Australia:Brisbane	Australia:Broken_Hill	Australia:Canberra
Australia:Currie	Australia:Darwin	Australia:Eucla	Australia:Hobart	Australia:LHI
Australia:Lindeman	Australia:Lord_Howe	Australia:Melbourne	Australia:North	Australia:NSW
Australia:Perth	Australia:Queensland	Australia:South	Australia:Sydney	Australia:Tasmania
Australia:Victoria	Australia:West	Australia:Yancowinna
Europe:Amsterdam	Europe:Andorra	Europe:Athens	Europe:Belfast	Europe:Belgrade
Europe:Berlin	Europe:Bratislava	Europe:Brussels	Europe:Bucharest	Europe:Budapest
Europe:Busingen	Europe:Chisinau	Europe:Copenhagen	Europe:Dublin	Europe:Gibraltar
Europe:Guernsey	Europe:Helsinki	Europe:Isle_of_Man	Europe:Istanbul	Europe:Jersey
Europe:Kaliningrad	Europe:Kiev	Europe:Lisbon	Europe:Ljubljana	Europe:London
Europe:Luxembourg	Europe:Madrid	Europe:Malta	Europe:Mariehamn	Europe:Minsk
Europe:Monaco	Europe:Moscow	Europe:Nicosia	Europe:Oslo	Europe:Paris
Europe:Podgorica	Europe:Prague	Europe:Riga	Europe:Rome	Europe:Samara
Europe:San_Marino	Europe:Sarajevo	Europe:Simferopol	Europe:Skopje	Europe:Sofia
Europe:Stockholm	Europe:Tallinn	Europe:Tirane	Europe:Tiraspol	Europe:Uzhgorod
Europe:Vaduz	Europe:Vatican	Europe:Vienna	Europe:Vilnius	Europe:Volgograd
Europe:Warsaw	Europe:Zagreb	Europe:Zaporozhye	Europe:Zurich
Indian:Antananarivo	Indian:Chagos	Indian:Christmas	Indian:Cocos	Indian:Comoro
Indian:Kerguelen	Indian:Mahe	Indian:Maldives	Indian:Mauritius	Indian:Mayotte
Indian:Reunion
Pacific:Apia	Pacific:Auckland	Pacific:Bougainville	Pacific:Chatham	Pacific:Chuuk
Pacific:Easter	Pacific:Efate	Pacific:Enderbury	Pacific:Fakaofo	Pacific:Fiji
Pacific:Funafuti	Pacific:Galapagos	Pacific:Gambier	Pacific:Guadalcanal	Pacific:Guam
Pacific:Honolulu	Pacific:Johnston	Pacific:Kiritimati	Pacific:Kosrae	Pacific:Kwajalein
Pacific:Majuro	Pacific:Marquesas	Pacific:Midway	Pacific:Nauru	Pacific:Niue
Pacific:Norfolk	Pacific:Noumea	Pacific:Pago_Pago	Pacific:Palau	Pacific:Pitcairn
Pacific:Pohnpei	Pacific:Ponape	Pacific:Port_Moresby	Pacific:Rarotonga	Pacific:Saipan
Pacific:Samoa	Pacific:Tahiti	Pacific:Tarawa	Pacific:Tongatapu	Pacific:Truk
Pacific:Wake	Pacific:Wallis	Pacific:Yap

Lotus Notes / Domino

Snare Central is able to connect to a Domino server to retrieve eventlog data from log.nsf. It can also retrieve user and group information, plus access controls. However, some of the default settings in Lotus Domino can cause problems with the Snare Agent; please modify the server as follows: From the Domino Administrator page, click the Configuration tab, expand the Web section and click Internet Sites.

Choose the log.nsf and click Edit Document.
Click the Domino Web Engine tab. Under "Conversion/Display" complete these fields:
1. Default lines per view page: 250 (default 30)
2. Maximum lines per view page: 0 (default 1000).

Browser not supported