Interested in an agent capable of processing the Windows Forwarded Events log and format the logs so they appear to come from the original host?  Look no further!

The Snare Enterprise Agent for Windows for WEC is a new agent with the same features and functions as the Snare Enterprise Agent for Windows but also will allow event logs collected by the Windows operating system on Microsoft WEC configured systems, only to be forwarded to a remote audit event collection facility or SIEM, such as Snare Central.  It is only licensed to run on server versions of the Microsoft Windows platforms.

The Snare WEC agent has a modified objective that includes an additional checkbox to collect from the Windows ‘Forwarded Events’ custom event log, which is used to collect logs using the Microsoft event log subscription process and uses WinRM to poll the remote hosts to collect the event logs.

Further Information

  • A short video on Snare WEC agent and Windows Event Forwarding.

Available from version 5.0.2, for further information contact your Snare Sales representative for an evaluation license.

Released in September 2016, the version 5 agents are rearchitectured to handle all your logging needs. The new features and enhancements in the version 5.0.0 agents for Snare Enterprise Agent for Windows, Snare Enterprise Epilog for Windows and Snare Enterprise Agent for MSSQL are detailed below. Note: ‘Legacy’ agents references pre version 5.0 agents.

  • New Encrypted Remote Configuration Management
    • Support for TLS for remote configuration management, through the Snare Server Agent Management Console (AMC), to provide a central point of management of agent configuration across all Snare Enterprise Agents.
  • New Agent Statistics and Active Monitoring
    • Support for broadcasting Agent statistics and status monitoring information, so it can be reported through the SAM and from within the agent web user interface.  The SAM will be enhanced to display and report on the agent statistics.
    • Includes graphical representation
    • EPS statistics details on latest events screen.
  • Different log format and protocol per destination
    • The ability to specify multiple event destinations, each with their own specific format, protocol and delimiter, and simulcast events to all destinations as soon as they are received by the Agent.
    • Available formats: Snare, Syslog(RFC3164 , ALT format which is 5242 compatible and RFC5424), CEF and LEEF.
  • Agent Heart Beat Notifications
    • The Agent Heart Beat notification system, which sends custom log messages regarding the status and health of the Snare Enterprise Agent to the event collector.
    • It can send periodic health messages, as a way of keeping track of online and offline agents, as well as messages triggered by specific events occurring within the Enterprise Agent. Along with the improved heartbeats are additional log levels to provide more information on the agent operation, configuration and performance activity.
    • On setting heartbeats a heartbeat is sent immediately.
    • If enabled, the agent sends a heartbeat to configured server(s) after specified minutes. Agent internally records all debug messages, and all debug messages are sent once per heartbeat cycle and the number of times (xx times) is added in the end of each message; showing how many times this debug message was generated since the heartbeat was sent previously. Error and critical messages are exceptions as they are sent as soon as they are generated.  Repetitive error and critical messages are blocked for 10 minutes, and these messages are sent to the event collector.
  • New Snare Agent Manager (SAM) Support
    • To facilitate functionality provided through the new SAM, support in the Enterprise Agents will provide centralised management for all agent licensing.
  • New Snare Agent Licensing Support
    • Support for the new Snare Agent Licensing system, which is managed through the SAM.
  • Event Throttling and Notifications
    • The ability to throttle event transmission speeds, and send notification messages based on event throughput.
    • This is useful for busy networks and systems, to prevent excessive bandwidth from being used in some situations. Each configured destination will dynamically load balance its Events Per Second (EPS) rate and cache when one destination is slow or not available.
  • Implement HTTPS UI Access
    • All agents implement the option to use HTTPS for the Web UI. The agents use a self signed generated certificate for the initial install but this certificate can be replaced to use an existing one from the certificate store by the customer if required.
  • Certificate Validation Support
    • The agents have a new option to provide public key certificate validation of the destination syslog or SIEM (Security Information and Event Management) server.  Customers will be able to install their own public/private keys on the client systems to use as part of the certificate validation of the destination SIEM.
  • Disk cache support for v5 agents
    • Added disk cache support whenever the Snare agent performs a normal shutdown down, as it will write all unsent events that are still in memory to a disk file and on next start up it will read those messages and will add them to send queue. The path of disk cache can be specified on Destination Configuration page.
  • New look and feel for the Web User Interface
    • Incorporating the new Snare logo
    • Gone are the reds and yellows from the agent, replaced with greys
    • Product consistency across Snare agents and the new SAM
    • Audit Service Status page includes extra system information
    • Latest Events page changes include:
      • displays details, status and the events per second of events sent to your destination(s)
      • an alarm bell notation signifies when new events are displayed
      • events are colour coded based on the criticality level set on your objective (Windows Agent only)
    • Network Configuration page now referred to as Destination Configuration and changes include:
      • ability to set multiple server destinations per protocol (UDP,TCP,TLS) per format (Snare,Syslog,Syslog Alt,CEF,LEEF)
      • new setting for Event Cache Size which is event number based or Event Cache Memory Size, Disk Cache Path
    • New General Configuration page with general settings from Network Configuration page in legacy moved here.
    • Remote Control Configuration page in legacy updated to Access Configuration page.  Includes Web Server Protocol and configuration for SAM
    • Each objective on the Objectives Configuration page reflects the criticality level given to the objective. The Latest Events page will highlight the event in the selected colour assigned to your objective so it’s easier to identify the important events.(Windows Agent only)
    • Improved interface for Log Configuration as it displays a separate text file of the files watched in the directory (Epilog only)
    • In Log Configuration, there is only one text field available to specify input for fixed line or multi-line (previously two input fields). This input text box will be treated as per selection.(Epilog only)
    • Added new log type for Microsoft DNS Server logs (Epilog only)
    • Added new log type for Microsoft Exchange 2013 logs (Epilog only)
    • New Event Lookup page (MSSQL Agent only)
    • New Enumerate Databases page (MSSQL Agent only)
    • Heartbeat & Agent Log page updated to set a number of agent logging options, heartbeat frequency (including custom format) and ability to export the heartbeats file.
    • New Audit Service Statistics page displays the statistics for each destination server including any file output logs defined in Destination Configuration including a daily bytes graph which is a graphical representation of the bytes transmitted from 5 minute intervals and up to 30 days.
    • New Security Certificates page allows the generation of self signed certificates or selection of the certificate you would like to use to secure the events you are sending to the destination SIEM.
    • New sub menu for Users and Members page to link to local users, domain users and group users.
    • New License page displaying the KeyIDs for the host, the license token from the Snare Agent Manager and the ability to add stand alone licenses to your version 5 agent.
    • The old Apply Latest Audit Configuration button has been replaced with a dynamic button that will show if settings have not yet been applied and have a tick icon, this will now be called Appy Configuration & Restart Service.  If the agent is does not have any outstanding changes this will just display Restart Service with a recycle icon.
  • Registry changes
    • Removed from v5
      • [CONFIG] EnableRegdump,OutputFilePath,SyslogDynamicCritic,SyslogDest,FileExport
      • [NETWORK] Destination,DestPort,EncryptMsg,Syslog,SyslogAlt,SyslogDest,SocketType
      • [REMOTE] EnableCookies,WebPortChange
    • New in v5
      • [CONFIG]  FileSize,HeartbeatOutputPath
      • [NETWORK] Destination1Delimiter,Destination1Format,Destination1Host, Destination1Port,Destination1Sockettype,FileOutput1Delimiter,FileOutput1FileName,SyslogFacility,SyslogPriority,CacheSize,CacheSizeEventLog
      • [REMOTE]  WebHttps
      • [SAM]
      • [CERTIFICATE]
      • [LICENSE]
      • [STATE]
      • [STATUS]
    • Changes in v5
      • [NETWORK] CacheSizeM has changes to be used for the in memory cache settings and not the Eventlog size. Refer above to the new CacheSizeEventLog setting for the equivalent v4 agent usage.
  • Group Policy Changes
    • Each .adm and .admx/.adml GPO file is now versioned. When loaded in GPO editor, the version number will be appended in the GPO name and any GPO settings pushed using a specific version of .adm and .admx/.adml will be saved in registry under its version key.  For example. if some GPO settings are pushed using v5.0.0.0 of .adm template then the settings will be written into following path of registry \HKLM\Software\Policies\<AgentName>\5.0.0.0\<KeyName>. This feature supports pushing multiple versions of the GPO settings across the network. Each agent supports specific version(s) of .adm and .admx/.adml and will not use the GPO settings pushed by the unsupported version of .adm and .admx/.adml. Refer to the documentation Windows ADM Templates and Group Policy for supported versions of the .adm and .admx/.adml by each agent. If agent finds multiple supported versions of the GPO settings in the registry then it will load the GPO settings of latest version.
  • Changes to agent operation
    • The agent no longer saves the settings to the registry when the change configuration button is selected. The registry changes are only saved in memory.  The changes will only be written out to the registry once the Apply Configuration button is selected. This allows the user to just restart the agent service if a mistake was made during a change of settings and it will reload what was saved to the registry.   The agent will still reread its current registry settings every 10 minutes and apply any changes as the current legacy agents do.
  • Other
    • One click to apply configuration. After saving your individual settings per page, just click Apply Audit Configuration & Restart Service button to apply the new configuration to the agent.
    • Implemented PCRE Regular Expression filtering for Event Objectives for all agents.
    • Support of encrypted objectives in cluster mode (MSSQL Agent)
    • Dynamic DNS Checking.
    • Improved error checking
    • Improved session handling
    • Enhanced debug log options
    • Improved registry settings structure and format. The agent can repair invalid registry settings to use correct defaults.
    • Improved multi threading and UI speed improvements so the agent can operate faster on large highly loaded systems.
    • Various security improvements and hardening including: Address Space Layout Randomization (ASLR), Stack buffer overrun detection and Heap Corruption detection
    • Agents will generate a log file during install and uninstall, however if /log parameter is provided then log file will be created on given path. If log parameter is not provided then, during installation the log file will be created in the current folder from where setup is run (the name of the log will be <AgentName>.snare.log). During uninstall, the log file will be created in the %temp% directory of the user currently logged in or running setup (the name of the log file will be un<AgentName>.snare.log).
    • Previously, the user associated with the SnareMSSQL service must be member of local administrator group. This restriction is removed from this version of SnareMSSQL and now any non-admin user can also run the SnareMSSQL service. Though, installer of SnareMSSQL must be run by an administrator and the non-admin user must be mentioned during installer. Administrators should also explicitly assign some rights to non-admin users before running SnareMSSQL installer. These explicit rights includes, non-admin user should be added as ‘dbadmin’ into MSSQL Server and should also be given full rights on cluster (if any).
    • SnareMSSQL agent has a new command line switch ‘-e’ that can be used to delete temporarily .cache files. These cache files are generated when SnareMSSQL service is stopped and there are some unsent events.

Further Information

Ready for v5?
VIDEO:Configuring v5 Agents and SAM
KeyIDs are required to generate full licenses.

Snare has released an IBM App Exchange update for the IBM QRadar software. The Snare Log Analysis QRadar application is designed to provide an overview dashboardof auditing log activity that the Snare for Windows Agents are sending to the QRadar System.

A new application v1.1.0 and user guide have been released on the IBM App exchange portal.   The update includes many new features covering:

  • USB activity
  • Administration events
  • Logon success and failures
  • Process command execution information.
  • Threat Analysis
  • Filtering enhancements

In addition, events can be correlated together and matched against known fingerprints to detect possible threats on the network including an example of detecting the Rubber Ducky events from using this USB device. The main dashboard and other screens have also had a makeover to provide an enhanced user experience. Filtering has also had a makeover with enhanced date ranges to find logs for particular users or systems.