How to send old Windows event logs
By default when you install the Snare for Windows agent it will only send logs from the current point in time. If you need to resend old event logs that are in the Windows event logs then the agent settings can be adjusted to reset status details back to 1 to force the agent to reprocess all events that are currently stored in the windows event logs. The process to do this is as follows:
From an admin CMD prompt run “net stop snare”
Edit the values in HKLM\Software\Intersect Alliance\AuditService\Status of the relevant windows event log, typically the Application/System and Security event logs, but custom event logs can also be reset if required using the same method.
Reset the Recordid to 1 as per the images
repeat for each of the event logs that you want to resend the logs from
once complete then start the snare agent again from the admin CMD prompt “net start snare”
The agent will then start to reprocess all the old events.
NOTE: The agent will process the events as fast as it can and send based on the eps settings in the destination configuration if it can. This may affect licensing for some SIEM systems with overages on the EPS licensing. Also any events that have already rolled off the windows event logs are lost forever and the agent cant send what it cant see in the event logs.