Appendix A - Audit Policy

Snare Windows WEC Agent installed on a Windows Event Collector (WEC) server can be configured to collect events forwarded from other Windows servers.

To configure this capability, navigate to the Snare WEC agent's web UI > Log Sources > Audit Policies ("Audit Policy Configuration" in versions earlier than v5.9.0).
Under Identify log sources to capture events from, tick the Windows Forwarded Events checkbox. This checkbox is only available in the Snare WEC agent.
It must be ticked for the agent to read the Windows Forwarded Events custom event log. That log is populated by the Microsoft event log subscription process, which uses WinRM to poll the remote hosts and collect their event logs.

Basic Auditing:

Advanced Auditing:

Note

When it sends the syslog message, the agent sets the source host details to the original hostname, so the destination server can tell that the logs originally came from another host and not from the forwarding (WEC) host.
The host IP override settings on the Destination Configuration page apply only to the host the Snare WEC agent is running on; the agent currently does not perform any IP translation of the host details for forwarded events.
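Before relying on the agent to relay forwarded events, it is worth confirming on the WEC server itself that the Windows Forwarded Events log is enabled, that the subscriptions are active, and which original hosts the events are arriving from. The PowerShell below is an added example, not part of the Snare documentation or product; it assumes it is run with administrative rights on a collector where at least one event log subscription has already been created, and it uses only the built-in Get-WinEvent cmdlet and the wecutil tool.

```powershell
# Added example (not Snare's code): sanity-check the Windows Forwarded Events
# log on a WEC server before pointing the Snare WEC agent at it.
# Assumes: run as an administrator on the collector, with subscriptions already configured.

# 1. Confirm the ForwardedEvents log exists, is enabled, and holds records.
$log = Get-WinEvent -ListLog ForwardedEvents -ErrorAction Stop
"{0}: enabled={1} records={2}" -f $log.LogName, $log.IsEnabled, $log.RecordCount

# 2. List each subscription and its runtime status (source hosts, last heartbeat, errors).
wecutil es | ForEach-Object {
    "--- subscription: $_"
    wecutil gr $_
}

# 3. Count the events received in the last 24 hours, grouped by originating host.
#    MachineName is the source host that generated the event, not the collector;
#    this is the hostname the agent carries through into the syslog host field.
Get-WinEvent -FilterHashtable @{
        LogName   = 'ForwardedEvents'
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue |
    Group-Object MachineName |
    Sort-Object Count -Descending |
    Select-Object @{ Name = 'SourceHost'; Expression = { $_.Name } }, Count
```

If step 3 returns nothing while step 2 shows the subscription as active, the subscription has not yet delivered events (or the source hosts have no matching events), and the agent's Windows Forwarded Events checkbox will have nothing to send; fix the subscription or WinRM connectivity first.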
