SNARE Logging Levels and CS-MARS

niall-wilkins · ‎05-31-2008

If you install SNARE on a Windows 2003 Server to push events to CS-MARS, what is the default logging level of SNARE. Somone told me that the default level of SNARE is lower then the log level that we currently have set on our Windows 2003 Server. I was under the impression that SNARE converts the string format of the event log record to text format and simply pushed the events to CS-MARS regardless of logging levels on Windows. What would happen if you did no select Allow SNARE to automatically set audit configuration and Allow SNARE to automatically set file audit configuration?. would CS-MARS still get events from windows devices?

mhellman · ‎06-03-2008

Snare converts the binary Windows event log messages into syslog messages. I don't think the logging level (I assume you are referring to the syslog priority) is relevant to MARS. MARS sets the severity based on how it maps the event, and it doesn't consider the syslog priority AFAICT. So, you can set it to whatever you want. By default, it appears to be NOTICE.

The "Allow SNARE to automatically set file audit configuration" has nothing to do with this really. The Windows audit policy settings determine what events get logged, even to the local security event log. If an event isn't in the windows event log, it can't be sent by Snare. The audit policy settings in a domain (i.e. on a member server) are almost always done via Group Policy and Snare shouldn't be required to automatically set the configuration. That's more for standalone Windows servers.

See this link for a discussion on Windows audit policy (it's for 2000, but still relevant):

http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/localpol/w2kadm11.mspx