If you install SNARE on a Windows 2003 Server to push events to CS-MARS, what is the default logging level of SNARE? Someone told me that the default level of SNARE is lower than the log level that we currently have set on our Windows 2003 Server. I was under the impression that SNARE converts the string format of the event log record to text format and simply pushes the events to CS-MARS regardless of logging levels on Windows. What would happen if you did not select "Allow SNARE to automatically set audit configuration" and "Allow SNARE to automatically set file audit configuration"? Would CS-MARS still get events from Windows devices?
Snare converts the binary Windows event log messages into syslog messages. I don't think the logging level (I assume you are referring to the syslog priority) is relevant to MARS. MARS sets the severity based on how it maps the event, and it doesn't consider the syslog priority AFAICT. So, you can set it to whatever you want. By default, it appears to be NOTICE.
The "Allow SNARE to automatically set file audit configuration" has nothing to do with this really. The Windows audit policy settings determine what events get logged, even to the local security event log. If an event isn't in the Windows event log, it can't be sent by Snare. The audit policy settings in a domain (i.e. on a member server) are almost always done via Group Policy and Snare shouldn't be required to automatically set the configuration. That's more for standalone Windows servers.
See this link for a discussion on Windows audit policy (it's for 2000, but still relevant):