Snare for Windows is a service designed to interact with the underlying Windows Eventlog subsystem to facilitate remote, real-time transfer of event log information.
Snare is a program that facilitates the central collection and processing of Event Log information. All three primary event logs(Application, System and Security) are monitored, and the secondary logs (DNS, Active Directory, and File Replication) are monitored if available. Event information is converted to tab delimited text format, then delivered over UDP to a remote server.
Snare is currently configured to deliver audit information to a SYSLOG server
running on a remote (or local) machine. A configuration utility allows you to set the appropriate syslog target and priority, as well as the target DNS or IP address of the server that should receive the event information.
It should be noted that many syslog servers are not designed to cope with the sorts of volume of data that multiple snare agents can potentially generate.
The Snare service will automatically start after you have completed the initial
configuration process. It is recommended that you configure each of your event logs to 'overwrite as required', as opposed to 'overwrite > 7 days', which is the default on Windows 2000 machines.
We also recommend that you configure appropriate access controls on the Snare registry entries using regedt32.exe - perhaps restricting the permission to read or modify the keys and values to Local or Domain Administrators only.
Snare stores it's registry settings in: HKEY_LOCAL_MACHINESOFTWAREInterSect AllianceAuditService.
Please remember that event monitoring is a complex area in most modern operating systems, and is not often very granular. Turning on significant event monitoring for a system can often produce unpredictable results, and could seriously detract from the resources available to the rest of your system or network.
We recommend that you have a good understanding of exactly what event information is going to be used for, proir to enabling event monitoring on your servers.
What's New in This Release: [ read full changelog ]
· Fixed bug in silent deployment of remote access password