Release Notes for Snare Windows Agent v5.5.1
Snare Windows Agent v5.5.1 was released on 28th September 2021.
Security Updates
- OpenSSL upgraded to version 1.1.1l
Bug Fixes
- Resolved an issue in bookmarking mechanism where Windows events could get skipped and not sent to the destination when the cache is full
- Fixed the issue where Snare Agent was showing 'cache is full' warning even when network destination is not down and not very slow. Due to this issue, the overall EPS of the Snare starts dropping and in some cases EPS becomes 0.
Snare Agent might still show this message for very slow network destination or when there is network congestion. - Removed misleading logging of Error 15033 and 15100. Snare Agent will log an appropriate warning message when event metadata is not provided by a provider/publisher, or when event metadata cannot be read due to unavailability of MultiLanguage User Interface (MUI) from the provider.
- Heartbeat events sent in Syslog JSON format now have criticality (severity) in the syslog header.
- Windows events related to Oracle application sent in Snare v2 or Syslog JSON format now include correct EventID field.
- Windows events related to scheduled tasks (4698, 4699, etc) that contain nested XML are now correctly parsed into Snare v2 and Syslog JSON formats.
- Syslog 5424 headers of events sent in Syslog (RFC 5424) and Syslog JSON formats no longer contain erroneous tab character in MSGID field
- Fixed inconsistent Auth Keys' length validation, allowing TLS Auth Key and SAM Auth Key length to be within [8, 4096] range
- Removed erroneous error message when the destination is configured with a combination of Snare v2 format and TLS_AUTH protocol.
- When Windows Agent settings are loaded, if there is at least one destination using Snare v2 or Syslog JSON formats then Windows XML event reading is automatically enabled
- Updated Knowledge Base link that was broken
- Updated description of log sources selector on Add/Edit Audit Policy screen to make it more accurate
- Windows Agent now properly removes carriage return and line feed characters from inside event data for better interoperability with Snare Central
- Fixed the issue where upon changing the destination format to Syslog JSON or Snare v2, events that were already in the cache were sent with empty JSON content
- Fixed the issue where cache loading for audit log events was causing the loading of incomplete events
User Guide
For an up-to-date version refer to the online version here.