Events collected by the agent that meet the filtering requirements as per the audit configuration, will be displayed in the Latest Events window. This display is NOT a display from the event log file, but rather a temporary display from a shared memory connection between the Snare Remote Control Interface and the SnareCore service. This list will be empty if the agent has not yet found any matching events or if there has been a network problem and the agent has temporarily suspended event processing.
A key feature of the SnareCore service is that events are not stored locally on the host (except for events stored natively in the Windows event log), but rather sent out over the network to one or more remote hosts, and a summary version of the events is displayed on the window.
Other useful information of the Latest Events Window is as follows:
- restricted to a list of 20 entries and cannot be cleared, except by restarting the agent
- new events will be displayed in green
- the window will automatically refresh every 30 seconds or when the Latest Events option is selected
- the status of the current network connection(s) to the log server is also displayed on this screen
- displays the date and time of the last HeartBeat sent
- the Source column is composed of the bold part which is the Channel name eg DNS Server, followed by the Source Name eg Microsoft-Windows-DNS-Server-Service