General configuration parameters to consider are as follows:
- Path to write trace files. The path where MS SQL Server will write the trace files on behalf of SnareMSSQL. The MS SQL Server service account or accounts must have write access to this folder for the trace files, and subsequently SnareMSSQL, to operate correctly.
For Microsoft Server 2012 installs and some Server 2008R2 installs, the group policy controls on the c:\Program Files\SnareMSSQL location may cause problems with writing the trace files due to disk permissions inherited from the c:\Program Files location. To address this, change the setting to another disk path that is writable by the agent, for example C:\SnareTrace. On some high-activity systems this location may add to disk utilization. If this is excessive, move the location to an appropriate RAID location.
Keep in mind that SQL Server does not accept folders created on the desktop. It cannot create trace files there, and an error will be returned in your Audit Policies Configuration page.
- Maximum Trace File Size (2-100MB). As the trace files are written to disk, this value, in megabytes, will define the maximum size of any single trace file. Once a trace file reaches the maximum size specified, that trace file will be closed and a new file opened.
- Maximum Trace File Count. This defines how many files can exist at any given time. As new trace files are required, the oldest trace files are deleted to ensure the total number of files does not exceed the Trace File Count.
- Total Trace Size: Based on the Trace File Size and Count fields, this value will automatically update to show the storage space required per audit policy. Snare configures each audit policy to use a specific amount of disk space as specified by this setting. These files are cycled, discarding the oldest once a new file needs to be created. It is up to the administrator to ensure that the necessary disk space is available for each configured audit policy.
- AD Group Lookup Frequency (2-100 minutes): Audit Policies allow the use of Active Directory group identifiers in the Audit Policies Configuration | User Search Term. This setting defines the frequency, in minutes, that the agent will recheck the members of any groups identified.
- Use plain text audit policy data: By default all MSSQL audit policies are stored in encrypted form. If this option is selected, audit policies are stored as plain text in the registry settings, all existing (encrypted) audit policies will be deleted, and all new audit policies will be stored as plain text. This option is not recommended because it is less secure. However, plain text audit policies can be copied and pasted into administrative audit policies and GPO.
- Memory Check Frequency (2-100 minutes): The interval, in minutes, at which the memory usage of the MSSQL agent is checked against the Memory Usage Limit. To disable this check, enter zero (0).
- Memory Usage Limit: This is the maximum memory the MSSQL agent can utilize during any stage of execution. If the memory usage of the MSSQL agent passes this threshold, the agent will exit the next time it checks memory usage as per the Memory Check Frequency setting. Use the service recovery options (Services, right-click on SnareMSSQL | Properties | Recovery tab) to automatically restart the agent if required. This option ensures that the agent does not use unrestricted memory.
To save the changes to the above settings and ensure the registry has received the new configuration, perform the following:
- Click on Change Configuration to save any changes.
- Click on the Apply Configuration & Restart Service menu item.
Alternatively, the service may also be restarted by rebooting the system or by selecting restart service from within Windows. While the SnareMSSQL service is restarting, no events will be collected.
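
A pre-flight check for the trace path and Total Trace Size settings described above, added here as an example and not part of the Snare product or its documentation. It assumes the default SQL Server instance service name (MSSQLSERVER); the size, count and policy numbers are constructed values.

```powershell
# Added example, not vendor code. Assumed or constructed values are marked.
$TracePath     = 'C:\SnareTrace'  # example path from the text above
$SqlService    = 'MSSQLSERVER'    # assumed: default SQL Server instance service name
$MaxFileSizeMB = 10               # constructed; allowed range is 2-100
$MaxFileCount  = 5                # constructed
$PolicyCount   = 3                # constructed: number of configured audit policies

if (-not (Test-Path -LiteralPath $TracePath -PathType Container)) {
    throw "Trace folder $TracePath does not exist"
}

# Locations the text warns about: inherited Program Files permissions, Desktop folders.
if ($TracePath -match '\\Program Files' -or $TracePath -match '\\Desktop(\\|$)') {
    Write-Warning "$TracePath is under Program Files or a Desktop folder"
}

# Account the SQL Server service runs as, normalised to the form used in ACLs.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$SqlService'"
if (-not $svc) { throw "Service $SqlService not found" }
$account = $svc.StartName
if ($account -eq 'LocalSystem') { $account = 'NT AUTHORITY\SYSTEM' }
$account = $account -replace '^\.\\', "$env:COMPUTERNAME\"

# Allow rules that name the account directly and include write access.
# Access granted only through group membership is not resolved here.
$write  = [System.Security.AccessControl.FileSystemRights]::Write
$grants = (Get-Acl -LiteralPath $TracePath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -ieq $account -and
    ($_.FileSystemRights -band $write) -eq $write
}
if (-not $grants) { Write-Warning "No direct write grant for $account on $TracePath" }

# Total Trace Size is per audit policy, so multiply by the number of policies.
$requiredMB = $MaxFileSizeMB * $MaxFileCount * $PolicyCount
$driveName  = (Split-Path -Path $TracePath -Qualifier).TrimEnd(':')
$freeMB     = [math]::Floor((Get-PSDrive -Name $driveName).Free / 1MB)
if ($freeMB -lt $requiredMB) {
    Write-Warning "Need $requiredMB MB for trace files, only $freeMB MB free"
}

[pscustomobject]@{
    TracePath = $TracePath; ServiceAccount = $account
    DirectWriteGrant = [bool]$grants; RequiredMB = $requiredMB; FreeMB = $freeMB
}
```

Run it on the SQL Server host before pointing the agent at a new trace path; a missing direct grant is only a prompt to review group-based permissions, not proof that writes will fail.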