Status Menu


The Status menu allows you to monitor the status and performance of Snare Central.
This includes general system information, events statistics, summaries of the data in the data store and general health check information.

The key sub-categories are:

Collection Status - Agent Information

This objective displays an overview of the systems that have recently reported to Snare Central. The number of days of historical data to query is configurable. Be sure to Regenerate the objective to review current information. The output is available as a CSV and PDF attachment.

General Statistics

This objective provides a number of graphical displays, summarising the data currently held in the Snare Central data store.

Tabs include:

  • A stacked horizontal bar graph of events per month.
  • A vertical bar graph of total events for the current year.
  • A vertical bar graph of events per second, per day, for the last 12 weeks.
  • A collective clickable graph that displays the total number of events, compressed storage size, and average compressed bytes per event for each log type, and for each agent within the log type.
  • A pattern map of events per system over the last 12 weeks.
  • A horizontal graph of total events per system, sorted by system.


Monitor Live Data

This objective provides a way to preview the events that are being received by Snare Central live. It is designed for debugging and event collection health checking, rather than for auditing the exact events received by the server.


The box on the left lists all of the Log Types for the incoming Events, and the number of bytes received for each Log Type. Clicking on a specific Log Type filters the other displays to make it easier to drill down and see specific events coming into the server.

The box on the right lists all of the Servers or hosts that are sending events to Snare Central. Like the Log Types list, it shows the number of bytes received. Clicking on a Log Type will filter the Servers listed in this box to only those that have sent events of that specific type.


The bottom box shows the last 10 events received, to provide a preview of the events coming in for the selected Log Type and Server.

This objective consumes system resources while active. It may have a small negative effect on event collection rates if left open for long periods of time.

Snare Health Checker

This objective provides a 'health check' for Snare Central by querying the status of its key functions, including, but not limited to:

  • licensing,
  • whether the key services are still functioning,
  • reporting agents,
  • integrity checks,
  • the amount of disk space available, and
  • the status of the Reflector/Collector disk cache.

Functions are configurable via the "Configure" tab and include:

  • emailing reports when there is an exception (any issue) in the Snare Health Checker
  • disk space thresholds
  • agent event volumes and reporting
  • discarded event reporting

It is recommended that any (red) problem indications are reported and resolved immediately.

Warning messages (in orange) should be investigated when time permits.

Unlike most other Snare Central objectives, it is not necessary to 'regenerate' this objective. The results are calculated 'on the fly' every time it is loaded.

Snare Central License section in Health Checker

This section shows information about the license loaded on your server, specifically:
- whether you are using a trial license or a full license;
- when your license is going to expire;
- a warning if your license is going to expire within 30 days.

Clicking the "Show Details" link will display technical information of your license.
Clicking the "License Page" button will direct you to the "License Update" page which allows you to upload a different license.

You can also see here how many systems Snare Central has received logs from, and the list of log types received, over the last 30 days.

NOTE

Please note that the system count includes all systems. Separate counting of syslog devices is not yet supported.

Agent Event Volumes and Agent Reporting in the Health Checker

The Health Checker can detect agents and log types that have stopped reporting during the last N days, and it can also identify agents whose Events Per Second (EPS) rate has deviated significantly from the average over the last N days.

Enabling and Configuring Checks

To enable these checks, the administrator must go to the Configuration section of the Health Checker. Here, they can specify the number of days to use for detection (the default is 7 days, and the maximum is 30 days).

Non-Reporting Agents

For non-reporting agents, you can use INCLUDE or EXCLUDE regular-expression filters for agent names and log types. These filters help narrow down the agent list shown in the "Agent Reporting" section.

Agent Event Volumes

The "Agent Event Volumes" section lists agents that have deviated significantly from the average EPS in the last N days (i.e., two or more standard deviations from the average). For example, if an agent's EPS for log type A more than doubles from one day to the next, it will appear in this list as Agent - LogType A.

NOTE

Please note that these agent-related detections will not work for the current day. A change in an agent's EPS behaviour, or an agent that has stopped reporting, can only be detected the next day, because the current day's figures are incomplete and subject to random event surges.
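As an added illustration, and not Snare Central's own code, the following Python runs both checks described in the "Non-Reporting Agents" and "Agent Event Volumes" sections over constructed daily counts: agents with no events in the last N completed days (with INCLUDE/EXCLUDE regex filters on the agent name), and Agent - LogType pairs whose EPS yesterday sits two or more standard deviations from the window's mean. The data layout, the build_series helper, and the choice to take the mean and standard deviation over the N completed days including yesterday are assumptions; today is excluded from every check, which is why the surge on app02 goes unreported until tomorrow.

```python
import re
import statistics
from datetime import date, timedelta

SECONDS_PER_DAY = 86400
TODAY = date(2024, 5, 10)  # constructed "current day"; the checks never inspect it

def build_series(counts, end=TODAY):
    """Constructed helper: lay a list of daily event counts onto calendar days ending at `end`."""
    start = end - timedelta(days=len(counts) - 1)
    return {start + timedelta(days=i): c for i, c in enumerate(counts)}

# Constructed sample keyed by (agent, log type); the last value of each list is today's partial count.
DAILY_COUNTS = {
    ("web01", "MSWinEventLog"): build_series([86400, 90720, 82080, 88000, 85000, 87000, 181000, 90000]),
    ("db01", "MSWinEventLog"): build_series([4320, 4400, 4250, 4380, 4300, 4350, 4330, 4400]),
    ("app02", "Syslog"): build_series([1700] * 9 + [40000]),   # surge happens today only
    ("fw01", "Syslog"): build_series([8640, 8640] + [0] * 8),  # stopped reporting 8 days ago
    ("test-lab03", "Syslog"): build_series([500] + [0] * 10),  # silent lab box, filtered out below
}

def completed_window(n_days, today=TODAY):
    """The N completed days ending yesterday, oldest first; today is deliberately excluded."""
    return [today - timedelta(days=d) for d in range(n_days, 0, -1)]

def non_reporting_agents(counts, n_days, include=None, exclude=None, today=TODAY):
    """'Agent - LogType' names with no events in the window, after INCLUDE/EXCLUDE regex filters on the agent name."""
    window = completed_window(n_days, today)
    inc, exc = (re.compile(p) if p else None for p in (include, exclude))
    silent = []
    for (agent, logtype), series in sorted(counts.items()):
        if (inc and not inc.search(agent)) or (exc and exc.search(agent)):
            continue
        if all(series.get(day, 0) == 0 for day in window):
            silent.append(f"{agent} - {logtype}")
    return silent

def eps_deviations(counts, n_days, sigma=2.0, today=TODAY):
    """(name, z) for 'Agent - LogType' pairs whose EPS yesterday is >= sigma std devs from the window's mean EPS."""
    window = completed_window(n_days, today)
    flagged = []
    for (agent, logtype), series in sorted(counts.items()):
        eps = [series.get(day, 0) / SECONDS_PER_DAY for day in window]
        mean, stdev = statistics.mean(eps), statistics.pstdev(eps)
        if stdev == 0:
            continue  # flat history (including an all-zero one): no baseline to deviate from
        z = abs(eps[-1] - mean) / stdev
        if z >= sigma:
            flagged.append((f"{agent} - {logtype}", round(z, 2)))
    return flagged
```

With the 7-day default and the exclude pattern ^test-, non_reporting_agents returns fw01 - Syslog and eps_deviations returns web01 - MSWinEventLog at roughly 2.4 standard deviations; app02 is absent from both until today has completed.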


Visuals of Agent Event Volumes and Agent Reporting

The "Agent Event Volumes" and "Agent Reporting" sections in the Health Checker look like this:

Limitations

Due to the nature of the metadata required to detect changes in agent-log type behaviour, Snare can only detect changes that occurred yesterday, not today. This is because Snare Central compares EPS behaviour on a daily basis.

Acknowledging Alerts

Both the "Agent Event Volumes" and "Agent Reporting" sections allow you to acknowledge daily alerts per Agent-LogType. Select the agents to acknowledge and click the "Acknowledge Selected Agents" button.

Receiving Alerts

To receive alerts, schedule a periodic Health Checker report and configure it to send attachments via email in the Schedule section. Follow these steps:

  1. Select Status | Snare Health Checker.
  2. Select Configure.
  3. There are two extra options to check, plus a period to set:
     • Include Agent Event Volumes
     • Include Agent Reporting
     • Set the Non Reporting Period

Check these options and save the configuration.

After the objective is updated you will see an extra boxed area at the bottom of the Health Checker screen displaying the agents that have stopped reporting.

You may also set this Health Checker to run on a schedule if you like, and get the report emailed to you on a regular basis.


System Status

This objective provides the details of the Snare Central status. It includes the hardware description, operating system distribution, uptime, and information and graphs on CPU, network, memory, swap and mounted file system usage.