What happens to the logs when communication is lost between the Snare for Windows Agent and the server?


SUMMARY

Aug 18, 2015

When the Snare for Windows Agent is in TCP mode and is unable to connect to the server, it maintains a bookmark of the last sent Windows log event and waits. The Agent does not cache events separately; it waits until the server is ready before it continues reading the log and sending events.

This means Snare itself takes up no extra space for log events. Instead, the space is used by the Windows event log, with the cache size increased as required for long periods where the Agent cannot talk to the server.
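
One way to check whether the current Windows event log size covers a planned outage window, given that the Agent relies on the event log rather than its own cache. This is an added example, not part of the original article or of Snare. The log name (`Security`) and the 72-hour target are assumptions to replace with your own values, and the estimate is an average taken from the events currently in the log.

```powershell
# Added example: estimate how many hours of events the log can hold at its
# configured maximum size, using the event rate seen in the log right now.
# Run from an elevated prompt; reading the Security log requires it.
$LogName           = 'Security'   # assumption: the log the Agent forwards
$TargetOutageHours = 72           # assumption: longest outage to ride out

$log    = Get-WinEvent -ListLog $LogName
$newest = Get-WinEvent -LogName $LogName -MaxEvents 1
$oldest = Get-WinEvent -LogName $LogName -MaxEvents 1 -Oldest

# Time span covered by the events currently in the log.
$spanHours = ($newest.TimeCreated - $oldest.TimeCreated).TotalHours
if (-not $log.RecordCount -or $log.RecordCount -lt 2 -or $spanHours -le 0) {
    throw "Not enough events in '$LogName' to estimate an event rate."
}

# Average on-disk cost per event and average event rate.
$bytesPerEvent = $log.FileSize / $log.RecordCount
$eventsPerHour = $log.RecordCount / $spanHours
$bytesPerHour  = $bytesPerEvent * $eventsPerHour

$capacityHours = $log.MaximumSizeInBytes / $bytesPerHour
$requiredBytes = [long][math]::Ceiling($bytesPerHour * $TargetOutageHours)

[pscustomobject]@{
    LogName           = $log.LogName
    # Circular overwrites the oldest events when the log is full.
    LogMode           = $log.LogMode
    MaxSizeMB         = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    EventsPerHour     = [math]::Round($eventsPerHour, 0)
    BytesPerEvent     = [math]::Round($bytesPerEvent, 0)
    EstCapacityHours  = [math]::Round($capacityHours, 1)
    TargetOutageHours = $TargetOutageHours
    RequiredSizeMB    = [math]::Round($requiredBytes / 1MB, 1)
    SizeIsSufficient  = $capacityHours -ge $TargetOutageHours
}

# If SizeIsSufficient is False, raise the maximum log size, for example:
#   wevtutil sl Security /ms:<size in bytes>
```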