About this Guide

This guide describes how to install the Snare Enterprise Agent for Windows for WEC. The WEC version of the Snare for Windows agent allows event logs collected by the Windows operating system, on Microsoft WEC versions only (32-bit and 64-bit versions where applicable, including 2008 (R2), 2012 (R2) and 2016), to be forwarded to a remote audit event collection facility or SIEM.

The WEC version of the Snare for Windows agent allows a security administrator to fully remote control the application through a standard web browser if so desired, using the same mechanics (e.g. https://localhost:6169), and to manage it from Snare Central's Agent Management Console (AMC). This version of the Snare agent has the same features and functions as the Snare Enterprise Agent for Windows; however, it is only licensed to run on server versions of the Microsoft Windows platforms. The Snare WEC agent has a modified audit policy that includes an additional checkbox to collect from the Windows 'Forwarded Events' custom event log. This log is used to collect logs through the Microsoft event log subscription process, which uses WinRM to poll the remote hosts for their event logs. See Appendix A.

For details on how to set up Microsoft event log forwarding and subscriptions, please refer to "Setting up a Source Initiated Subscription" and "Setting Up Security Event Log Subscriptions with Windows Server 2003/2008".

If you require Snare to directly collect event logs from any Windows Server, for example Server 2003, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2 or Server 2016, then you need to install the Snare Enterprise Agent for Windows on those systems.

Please refer to the user guide Snare Enterprise Agent for Windows User Guide v5 for the functionality of the Snare Enterprise Agent for Windows.

Other guides that may be useful to read include:

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)