Latest Event Page – Connection Status


SUMMARY

  • Jan 13, 2017

On the Latest Events page of the Snare agent, each destination configured for logging is displayed along with its status, for example:

Destination 10.1.2.3:6161(UDP)

Status  Connected

The status shows what Snare is currently doing with the connection. You will see many different states, including:

  • INITIAL - The remote log location is about to begin setup

  • RESOLVING - DNS resolution for a hostname is occurring

  • RESOLVE_DELAY(x) - DNS resolution failed; a retry will occur in X seconds

  • CONNECTING - Snare is trying to connect to the destination

  • CONNECT_FAILED - The connection to the destination failed

  • CONNECT_DELAY(x) - Connecting to the remote end failed; it will be retried in X seconds

  • CONNECTED - Snare has an active connection to the destination

  • SENDING - Snare is currently sending logs to the destination

  • DISCONNECTED - The destination has disconnected the Snare agent; a reconnection will occur automatically

  • HANDSHAKE - An SSL/TLS handshake is in progress

  • HANDSHAKE_FAILED - The SSL/TLS handshake failed

  • OPENING - Opening a file destination is in progress

  • WRITING - Writing is occurring to a file

  • WRITE_FAILED - A write to file failed

  • CLOSED - A file has been closed

It is common to see the agent cycle between CONNECTED and SENDING.

Why Offline?

The agent will drop its connection to the SIEM if there is nothing to send after 5-10 minutes, or the SIEM may drop the connection from the agent. Once there is data to send again, the agent will resend to the destination system, provided the destination allows a connection.
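
For monitoring, the useful distinction between the state list and the "Why Offline?" behaviour is a destination that is merely idle versus one that keeps failing. The following is an added example, not Snare code: it assumes an operator has recorded (destination, status) pairs from the Latest Events page in time order, and the state grouping, the threshold of three failures, the verdict names and the sample data are all assumptions of the example.

```python
import re

# Grouping of the states listed above (grouping and threshold are this example's assumptions).
FAILING = {"RESOLVE_DELAY", "CONNECT_FAILED", "CONNECT_DELAY",
           "HANDSHAKE_FAILED", "WRITE_FAILED"}
HEALTHY = {"CONNECTED", "SENDING", "WRITING"}
IDLE = {"DISCONNECTED", "CLOSED"}
STATE_RE = re.compile(r"([A-Z_]+)(?:\((\d+)\))?")

def parse_state(text):
    """'CONNECT_DELAY(30)' -> ('CONNECT_DELAY', 30); 'Connected' -> ('CONNECTED', None)."""
    m = STATE_RE.fullmatch(text.strip().upper())
    if not m:
        raise ValueError(f"unrecognised state: {text!r}")
    return m.group(1), int(m.group(2)) if m.group(2) else None

def triage(observations, fail_threshold=3):
    """observations: (destination, status_text) pairs in time order -> {destination: verdict}."""
    history = {}
    for dest, text in observations:
        history.setdefault(dest, []).append(parse_state(text)[0])
    verdicts = {}
    for dest, states in history.items():
        # Count only failures seen since the last state that showed a working destination.
        last_ok = max((i for i, s in enumerate(states) if s in HEALTHY), default=-1)
        failures = sum(s in FAILING for s in states[last_ok + 1:])
        if failures >= fail_threshold:
            verdicts[dest] = "failing"   # repeated failures with no working state in between
        elif states[-1] in HEALTHY:
            verdicts[dest] = "ok"
        elif states[-1] in IDLE and failures == 0:
            verdicts[dest] = "idle"      # expected after a quiet period
        else:
            verdicts[dest] = "pending"   # setup or a retry is in progress
    return verdicts

# Constructed sample observations (not captured from a real agent); hostnames are placeholders.
SAMPLE = [
    ("10.1.2.3:6161(UDP)", "Connected"), ("siem.example.test:6514", "CONNECTING"),
    ("10.1.2.3:6161(UDP)", "SENDING"), ("siem.example.test:6514", "HANDSHAKE"),
    ("siem.example.test:6514", "HANDSHAKE_FAILED"), ("logs.example.test:514", "RESOLVING"),
    ("siem.example.test:6514", "CONNECT_DELAY(30)"), ("logs.example.test:514", "RESOLVE_DELAY(10)"),
    ("10.1.2.3:6161(UDP)", "CONNECTED"), ("siem.example.test:6514", "CONNECTING"),
    ("logs.example.test:514", "RESOLVING"), ("siem.example.test:6514", "HANDSHAKE"),
    ("logs.example.test:514", "CONNECTING"), ("siem.example.test:6514", "HANDSHAKE_FAILED"),
    ("logs.example.test:514", "CONNECTED"), ("10.1.2.3:6161(UDP)", "DISCONNECTED"),
    ("logs.example.test:514", "SENDING"),
]

if __name__ == "__main__":
    for dest, verdict in triage(SAMPLE).items():
        print(f"{dest}: {verdict}")
```

A destination reported as "failing" is the case worth alerting on, since events generated on that host are not reaching the SIEM.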