Latest Events

Events collected by the agent that meet the filtering requirements of the audit configuration are displayed in the Latest Events window. This display is NOT read from the event log file; it is a temporary view served over a shared memory connection between the web UI and the SnareCore service. The list will be empty if the agent has not yet found any matching events, or if a network problem has caused the agent to temporarily suspend event processing.

A key feature of the SnareCore service is that events are not stored locally on the host (except for events stored natively in the Windows event log). Instead they are sent over the network to one or more remote hosts, and only a summary version of each event is displayed in the window.

Events may be Audit Events, Log Audit Events, File Integrity Events or Registry Integrity Events. By default the audit events are displayed. To review the file integrity monitoring events, select the File Integrity button; this restricts the display to FIM events only, provided FIM is enabled via the File Integrity Monitoring menu item. Similarly, you can display the Log Audit and Registry Integrity events by selecting the Log Audit and Registry Integrity buttons respectively.

At the top of the page each destination is displayed along with its status and its current throughput in bytes per second and events per second (EPS).

Note

No events will be generated unless there is a valid destination configured to which to send them.


Beneath this are buttons that switch the list between the Event Logs, Log Audit, File Integrity, and Registry Integrity output.

An example of the latest Event Logs is shown below:


An example of the latest Log Audit events is shown below:


An example of the latest File Integrity events is shown below:


An example of the latest Registry Integrity events is shown below:


Please note:

  • each list is restricted to 20 entries and cannot be cleared, except by restarting the SnareCore service
  • new events are displayed with an alarm bell icon next to them
  • events are highlighted in the criticality level colour nominated in your audit policies
  • the window refreshes automatically every 15 seconds for event logs, or whenever the Latest Events menu item is selected
  • the window displays the status of the current network connection(s) to the log server
  • the window displays the date and time of the last HeartBeat sent, if applicable
  • for audit events, the Source column consists of the Channel name in bold (e.g. DNS Server), followed by the Source Name (e.g. Microsoft-Windows-DNS-Server-Service)