Appendix B - Epilog Windows registry configuration description
The purpose of this section is to describe the configuration items held in the registry. The Epilog configuration registry key is located at HKEY_LOCAL_MACHINE\SOFTWARE\Intersect Alliance\Epilog, and this location may not be changed. If the configuration key does not exist, the Epilog service will create it during installation, but it will not actively audit events until at least one correctly formatted log monitor is present.
Epilog can be configured in several different ways, namely:
- Via the remote control interface (Recommended).
- By manually editing the registry (NOT Recommended).

Note that manual editing of the registry location is possible, but care should be taken to ensure that the result conforms to the required Snare format. An incorrect configuration will not 'crash' the Epilog service, but it may result in selected events not being read and the system not working as specified. Any use of the web-based Remote Control Interface to modify the selected configuration will overwrite manual configuration changes.
The format of the audit configuration registry subkeys is discussed below.
| Registry value | Description |
|---|---|
| AgentLog | This value is of type |
| CachePath | This is the disk cache path where the agent temporarily saves all unsent events if it needs to restart. The agent reads and sends the events on the next start. |
| FileSize | This is the maximum size of an output file receiving events. The file is rotated upon reaching this maximum. |
| HeartBeat | This value is the frequency with which a heartbeat is sent, set in minutes. |
| HeartBeatFileExport | This value determines whether heartbeats are logged to a file. Set this value to 0 for No, or 1 for Yes. |
| HeartBeatOutputPath | This is the path the heartbeat messages are exported to, if selected. |
| HostGUID | |
| HostIP | |
| IISLogFlush | This value is of type REG_DWORD. Enabling this setting causes IIS to flush all log messages immediately, so that Epilog can read them. |
| Separator | Legacy agent setting required to upgrade agents (if it was set as the identifier used to separate events). Defunct for v5, as this is now set in the Destination Configuration. |
| UpgradePath | |
| UseHostIP | If set, the agent resolves the machine's IP address from the first wired adapter. It does not resolve wireless IP addresses at present. Set this value to 0 for No, or 1 for Yes. |
| [Network] | This subkey stores the general network configurations. |
| CheckTime | Number of seconds after which the agent internally reloads its settings and drops and re-establishes its network connection. The minimum is 300 seconds (5 minutes). |
| Destination1Format | This value is of type REG_DWORD and is the format the events are sent to the server as, such as Snare (0), |
| Destination1Host | |
| Destination1SocketType | This value is of type REG_DWORD, and determines the protocol used (0 for UDP, 1 for TCP, 2 for TLS/SSL). This feature only appears in supported agents. |
| FileOutput1Delimiter | This value ranges from 1 to 255. It includes the path of the files where the events will be stored per format (e.g. Snare, SYSLOG). |
| FileOutput1FileName | The path and location of the file the events are sent to. Multiple files may be set. |
| FileOutput1Format | The format to write to the log: Snare, SYSLOG, SYSLOG Alt, CEF or LEEF. |
| NotifyMsgLimit | This value is of type REG_DWORD with value 0 or 1, and determines whether the EPS notification is sent to the server (1 to send, 0 not to send) whenever the agent reaches the EPS RateLimit. This feature only appears in supported agents. |
| NotifyMsgLimitFrequency | This value is of type REG_DWORD, and determines the frequency of the events-per-second notification. The value is treated as minutes, and only one EPS notification message is sent to the server regardless of how many times the agent reaches the EPS limit during those minutes. This feature only appears in supported agents. |
| RateLimit | This value is of type REG_DWORD, and determines the upper limit for events per second (EPS) that the agent will send to the server. This feature only appears in supported agents. |
| SyslogDynamicCritic | This value is of type REG_DWORD, and represents the DYNAMIC entry for the SYSLOG priority, for SYSLOG format. |
| SyslogFacility | This value represents the SYSLOG facility for SYSLOG format. |
| SyslogPriority | This value represents the SYSLOG priority for SYSLOG format. |
| AllowBasicAuth | Only available via the registry. Set to 0 by default. Enable if the agent should support basic HTTP authentication in the web UI. |
| WebHttps | Set to 0 or 1 to allow HTTPS (secure session). Setting this to TRUE (1) requires the relevant certificate setup. |
| | This subsection stores the log monitors. |
| Log# (where # is a serial number) | |
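The following PowerShell script is an added example and is not part of the Snare/Epilog documentation or the product. It reads the registry key named above and reports the settings a defender would want to review: a missing log monitor (the agent does not audit without one), basic HTTP authentication or non-HTTPS sessions on the web UI, an event destination that is not using TLS, a CheckTime below the documented minimum, and a RateLimit set without the EPS notification. The key path is the one fixed by this appendix and the value names and meanings come from the table. The page does not say which subkey holds the Destination1*, Web* and Log# items, so the script walks the root key and every subkey and matches on the value name alone; that, and the assumption that monitors appear as subkeys literally named Log1, Log2, ..., are the script's assumptions.

```powershell
# Added example (not Snare/Epilog product code): review the Epilog registry
# configuration for settings worth a second look. Path from Appendix B;
# value meanings from the configuration table. Assumption: items may live in
# any subkey, so the root key and all subkeys are searched by value name.

$EpilogRoot = 'HKLM:\SOFTWARE\Intersect Alliance\Epilog'

function Get-EpilogValues {
    param([string]$Root = $EpilogRoot)
    # Hashtable of 'Subkey\ValueName' -> value for the root key and all subkeys.
    $values = @{}
    if (-not (Test-Path -LiteralPath $Root)) { return $values }
    $rootKey = Get-Item -LiteralPath $Root
    $keys = @($rootKey) + @(Get-ChildItem -LiteralPath $Root -Recurse)
    foreach ($key in $keys) {
        $rel = $key.Name.Substring($rootKey.Name.Length).TrimStart('\')
        foreach ($name in $key.GetValueNames()) {
            if ($name -eq '') { continue }            # skip the (Default) value
            $values[("$rel\$name").TrimStart('\')] = $key.GetValue($name)
        }
    }
    return $values
}

function Find-EpilogValue {
    param([hashtable]$Values, [string]$Name)
    # First value with this name wherever it lives, e.g. 'Network\CheckTime'.
    foreach ($k in $Values.Keys) {
        if ($k -eq $Name -or $k -like "*\$Name") { return $Values[$k] }
    }
    return $null
}

function Test-EpilogConfig {
    param([string]$Root = $EpilogRoot)
    $findings = New-Object System.Collections.Generic.List[string]
    $v = Get-EpilogValues -Root $Root
    if ($v.Count -eq 0) {
        $findings.Add("$Root is missing or empty: the agent has no configuration.")
        return $findings
    }

    # Epilog does not audit until at least one log monitor exists. The page
    # names the entries Log# (serial number); assumed to be subkeys Log1, Log2, ...
    $monitors = @(Get-ChildItem -LiteralPath $Root -Recurse |
                  Where-Object { $_.PSChildName -match '^Log\d+$' })
    if ($monitors.Count -eq 0) {
        $findings.Add('No Log# monitor subkey found: Epilog will not actively audit events.')
    }

    # Web UI: basic authentication and plain-HTTP sessions expose credentials in transit.
    if ((Find-EpilogValue $v 'AllowBasicAuth') -eq 1) {
        $findings.Add('AllowBasicAuth=1: web UI accepts HTTP basic authentication.')
    }
    $https = Find-EpilogValue $v 'WebHttps'
    if ($https -ne 1) {
        $shown = if ($null -eq $https) { 'absent' } else { $https }
        $findings.Add("WebHttps=${shown}: remote control interface is not using HTTPS.")
    }

    # Event transport: 0 = UDP, 1 = TCP, 2 = TLS/SSL (supported agents only).
    # Only TLS protects events on the wire.
    $sock = Find-EpilogValue $v 'Destination1SocketType'
    if ($null -ne $sock -and $sock -ne 2) {
        $proto = switch ([int]$sock) { 0 { 'UDP' } 1 { 'TCP' } default { 'unknown' } }
        $findings.Add("Destination1SocketType=${sock} (${proto}): events are sent without TLS.")
    }

    # The documented minimum for CheckTime is 300 seconds.
    $check = Find-EpilogValue $v 'CheckTime'
    if ($null -ne $check -and [int]$check -lt 300) {
        $findings.Add("CheckTime=${check}: below the 300 second minimum.")
    }

    # With an EPS ceiling set, NotifyMsgLimit=1 is what tells the server the
    # agent reached it; otherwise rate-limited periods go unreported.
    $rate = Find-EpilogValue $v 'RateLimit'
    if ($null -ne $rate -and (Find-EpilogValue $v 'NotifyMsgLimit') -ne 1) {
        $findings.Add("RateLimit=${rate} but NotifyMsgLimit is not 1: EPS limit hits are not reported.")
    }

    return $findings
}

$result = @(Test-EpilogConfig)
if ($result.Count -eq 0) { 'No findings.' } else { $result | ForEach-Object { "FINDING: $_" } }
```

Run it on the monitored host from a PowerShell session; reading HKLM needs no elevation on a default system, and the script never writes to the registry. Because the table marks RateLimit, NotifyMsgLimit and Destination1SocketType as present only in supported agents, the script treats their absence as "not applicable" rather than as a finding, and flags only values that are present and set to the weaker option.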