General Configuration

General configuration parameters to consider are as follows:

  • Perform a scan of ALL audit policies, and display the maximum criticality? Enabling this setting will cause the agent to scan through each defined audit policy, and save the highest criticality value encountered. The event will be sent with this criticality value. Turning off this option will send the event as soon as ONE match is detected, which may reduce the CPU usage of the Snare agent, but the criticality value may not be the highest possible value. Users of the Snare Server SIEM can safely choose to not enable this option, as the Snare Server does not use the Windows criticality value.
  • Allow SNARE to automatically set audit configuration? For effective auditing it is recommended that this parameter be enabled. It affects event log retention and the auditing of categories:

Event Log Retention. One risk in event auditing is that the Windows event logs may fill up. If that happens, no further events can be read and the auditing function effectively stops. If the Allow SNARE to automatically set audit configuration checkbox is set, Snare will configure all the event logs to overwrite entries as required, which prevents the event log subsystem from stopping. To prevent the agent from modifying the retention settings, use the LeaveRetention registry value defined in Appendix B - Snare Windows registry configuration description.

Auditing of Categories. If the Allow SNARE to automatically set audit configuration checkbox is set, the agent will also select the event log parameters required to satisfy the audit policies that have been configured. This removes the need to manually ensure that the correct audit event categories have been selected for the event IDs you want to filter on, and it is also the most efficient setting in terms of system performance.

IF YOU DO NOT SELECT THIS OPTION AND/OR THE WINDOWS ACTIVE DOMAIN GROUP POLICIES OVERWRITE THE AUDIT SETTINGS, THEN YOU WILL NEED TO MANUALLY ENSURE THAT THE WINDOWS AUDIT SETTINGS MATCH YOUR DESIRED AUDIT POLICY CONFIGURATION.

Use advanced auditing (Licence required): The agent requires a specific licence to use this feature. When this feature is selected the agent can use the advanced audit policy configuration in Group Policy (introduced in Windows Server 2008 R2 and Windows 7), which allows administrators to configure the newer, more granular audit settings. A set of default audit policies is also included with the agent to capture important and recommended events. Users can add as many audit policies as their requirements demand on top of the default policies, or remove default policies they do not need. Details of the default policies and the captured events can be found in Appendix C. If Use advanced auditing is selected, Windows advanced auditing will be used rather than basic auditing. Advanced audit policies can be configured via the Snare Agent > Audit Policy Configuration page. Note that either basic or advanced auditing (but not both at the same time) can be applied to a Windows system.

Including for 'Any event(s)' audit policies. This option, when selected, will enable the auditing for all the events (i.e. System Audit, Logon Audit, ObjectAccess Audit, PrivilegeUse Audit, DetailedTracking Audit, PolicyChange Audit, AccountManagement Audit, DirectoryServiceAccess Audit and AccountLogon Audit). Enable this option *only* when you know what you are doing.

  • Allow Snare to automatically set auditing of file/folder and registry for FAM/RAM policies? Enables file system and registry auditing to be controlled by the Snare audit policy settings. For Windows to collect file and registry access records, not only must the correct audit category be selected, but the correct object auditing parameters (the SACLs on the objects) must also be set. Setting this field will automatically set these parameters, based on the audit policies which have been configured. It is highly recommended that this checkbox be selected. See the FAM / RAM audit policies on the "Audit Policy Configuration" documentation page.
  • Allow SNARE to automatically set max event log cache size. Select this option to let the agent set the Windows event log cache size (the maximum log size shown in Event Viewer).
  • Event Log Cache Size. Modify the default Windows event log size, allowing you to easily configure the desired cache size. Combined with TCP or TLS, this option allows the agent to buffer messages if there is a network failure or the destination server is otherwise unavailable. Ensure the Allow SNARE to automatically set max event log cache size checkbox is set, otherwise this cache size setting is not applied.
  • Enable active USB auditing? Select this option if a series of plug and play and drive events are required to be captured and managed by an audit policy. A new audit policy is required to capture USB events, as the events will NOT be captured by default. When creating a new audit policy, select the High Level Event of USB Event, which automatically presets the other fields for this audit policy. Please note that after setting the option Enable active USB auditing? the Snare service must be fully restarted. With USB auditing enabled the agent reports on the USB devices connected or disconnected, any user details, the device types, and the serial number of the device where it is present.

    USB auditing is supported on Windows Server 2008 / Windows 7 or newer. It is not supported on Windows XP or Windows Server 2003.
  • IIS Log Flushing? By default, Internet Information Services (IIS) Manager takes 60 seconds to write log messages, so it will take at least 60 seconds for the agent to receive the IIS log messages. Enabling this setting will configure IIS Manager to flush log messages immediately. Setting this option may cause serious performance issues, since it results in IIS Manager writing every log message to disk immediately.
  • Import settings from Snare Epilog Agent? The Snare agent can import Logs and Filters settings from a Snare Epilog agent installed on the same machine. Select this option to import Logs and Filters settings from the Snare Epilog Agent. Note that the relevant settings from the Snare Epilog agent can be imported only ONCE during the lifetime of the agent.

If this option is selected while no Epilog settings are detected on the machine, the agent will perform the import after the Snare Epilog agent is installed.

This option becomes disabled once the import has been completed.

  • Truncate List. Some events generated by Windows can be triggered often and contain verbose information which may not be of much interest to the audit subsystem. To reduce the load on the target servers, these events may be truncated. The event is not discarded from an audit point of view; only the amount of unnecessary message detail sent across the network is reduced. This feature can save substantial server resources, including storage and cost where licences are charged per megabyte.
    For example, typing the following text into the text box will truncate the event from the first character of the match:






would cause an event like the one below:

Windows update Hotfix for Windows (KB2664825) requires a computer restart to complete the installation. (Command line: ""C:\windows\SysNative\wusa.exe" "C:\ProgramData\Package Cache\9F35FB1FD995814D2F4FDEB95A5D8B40F8F499A6\packages\localdbMsu\Windows6.1-KB2664825-v3-x64.msu" /quiet /norestart")

to become:

Windows update Hotfix for Windows (KB2664825) requires a computer restart<truncated 222 bytes>

The number of bytes truncated from the event is appended to the event in angle brackets, shown above as <truncated 222 bytes>. The byte count lets an analyst recognise that the record was shortened by the agent rather than by the source, and how much detail was dropped.

To save the changes to the above settings and to ensure the audit daemon has received the new configuration, perform the following:

  1. Click on Change Configuration to save any changes to the registry.
  2. Click on the Apply Configuration & Restart Service menu item.