Snare

RiverMuse Core Edition 3.4.3 & 3.4.4

Snare forwards messages from the Windows event log to Syslog; therefore, you require a Snare agent to be running on a Windows machine.

If you do not have a Snare agent on your windows macine, you can download one of two snare agents, dependent on your Windows operating system, from the RiverMuse desktop. RiverMuse provides instructions in the desktop documentation, under Process Manager, on how to download either a snare agent for Windows Vista, or Windows XP. You can check that the Snare agent is installed by viewing your local Services.

After installing the snare agent you must go to the snare web interface and configure the Snare server address, the destination port address and enable the syslog header.

Locating the snare web interface

1. On your local machine go to start.
2. Select All Programs, InterSect Alliance.
3. Click on Snare for Windows.

Configuring the snare web interface

1. Select the Network Configuration option from the left hand side menu.
2. In the Destination Snare Server address field, enter the address of your syslog server that is running rsyslog-lite with the Snare instance enabled.
3. In the Destination Port field, enter the port address. By default, the Snare agent listens on port 20015 for Snare messages.
4. Tick the Enable SYSLOG Header check box.
5. Click on the Change Configuration button.

To be able to configure a Snare agent from wherever you want on the network through the web interface on IP address computer port 6161, do the following:

1. Select the SNARE Remote Control Configuration option from the left hand side menu.
2. Uncheck the Restrict remote control of SNARE agent to certain hosts check box.
3. Click on the Change Configuration button.

RiverMuse recommends that to ensure you log all changes, you should restart Service on Windows.

Check that rsyslog-lite, snare.conf is enabled to talk to the snare agent. Refer to the rsyslog-lite section for detailed instructions.