
SNARE Logging Levels and CS-MARS

If you install SNARE on a Windows 2003 Server to push events to CS-MARS, what is the default logging level of SNARE? Someone told me that the default level of SNARE is lower than the log level that we currently have set on our Windows 2003 Server. I was under the impression that SNARE converts the string format of the event log record to text format and simply pushes the events to CS-MARS regardless of logging levels on Windows. What would happen if you did not select "Allow SNARE to automatically set audit configuration" and "Allow SNARE to automatically set file audit configuration"? Would CS-MARS still get events from Windows devices?


Re: SNARE Logging Levels and CS-MARS

Snare converts the binary Windows event log messages into syslog messages. I don't think the logging level (I assume you are referring to the syslog priority) is relevant to MARS. MARS sets the severity based on how it maps the event, and it doesn't consider the syslog priority AFAICT. So, you can set it to whatever you want. By default, it appears to be NOTICE.

The "Allow SNARE to automatically set file audit configuration" has nothing to do with this really. The Windows audit policy settings determine what events get logged, even to the local security event log. If an event isn't in the Windows event log, it can't be sent by Snare. The audit policy settings in a domain (i.e. on a member server) are almost always done via Group Policy and Snare shouldn't be required to automatically set the configuration. That's more for standalone Windows servers.

See this link for a discussion on Windows audit policy (it's for 2000, but still relevant):