Firmware: ALL
Tip: If you plan to collect Windows Event Logs from a Snare Server, Tripwire recommends that you install Agent software on the server and use the Advanced Windows Collector for this purpose. In this case, you will configure the server by completing the steps in Configuring a Microsoft Windows System (rather than the steps below).
To configure a Snare Server to send log messages to TLC:
1. To download and install the appropriate version of Snare Agent for Windows, go to:
   To install the Snare Agent on Windows Vista, 2008, or Windows 7, download Version 1.1.5.
   For older versions of Windows, download Version 3.1.8.
2. To open Snare for Windows, select:
   Start Menu > All Programs > InterSect Alliance > Snare for Windows
3. On the left side of the Snare for Windows user interface, select Network Configuration.
4. In the Network Configuration page:
   a. Enter the IP address of your TLC Manager in the Destination Snare Server address field.
   b. In the Destination Port field, enter 514.
   c. Select the check box under Enable SYSLOG.
   d. Click Change Configuration.
5. On the left side of the Snare for Windows user interface, select Apply the Latest Audit Configuration and click Reload Settings.
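A way to confirm that events leave the agent after step 5, as an added example (not Tripwire or Snare code): run it on a test machine whose address is temporarily entered as the destination in step 4. It assumes the agent sends UDP datagrams and that each record carries the tab-delimited MSWinEventLog marker; the function names and the sample line are constructed for illustration.

```python
import re
import socket

# RFC 3164 priority prefix: "<PRI>" where PRI = facility * 8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>")
# Assumed marker in each Snare for Windows record (not stated on this page).
SNARE_MARKER = b"MSWinEventLog"


def check_datagram(data: bytes) -> dict:
    """Report whether a datagram has a syslog header and looks like a Snare event."""
    result = {"syslog_header": False, "facility": None, "severity": None,
              "snare_event": False, "fields": 0}
    m = PRI_RE.match(data)
    if m:
        pri = int(m.group(1))
        if pri <= 191:  # highest valid value: facility 23, severity 7
            result.update(syslog_header=True, facility=pri >> 3, severity=pri & 7)
    idx = data.find(SNARE_MARKER)
    if idx != -1:
        result["snare_event"] = True
        # Count the tab-delimited fields from the marker onward.
        result["fields"] = len(data[idx:].rstrip(b"\r\n").split(b"\t"))
    return result


def listen(bind_addr="0.0.0.0", port=514, count=5, timeout=30.0):
    """Receive up to `count` datagrams and return (sender_ip, verdict) pairs."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind((bind_addr, port))
        try:
            while len(seen) < count:
                data, (ip, _) = s.recvfrom(65535)
                seen.append((ip, check_datagram(data)))
        except socket.timeout:
            pass  # nothing more arrived; return what was collected
    return seen


# Constructed sample datagram (not captured from a real agent).
SAMPLE = (b"<13>Jan 01 12:00:00 WINHOST01 MSWinEventLog\t1\tSecurity\t42\t"
          b"Mon Jan 01 12:00:00 2024\t4624\tExample-Source\tN/A\n")

if __name__ == "__main__":
    for ip, verdict in listen():
        print(ip, verdict)
```

Binding to port 514 normally requires administrator or root privileges. An empty result after the timeout means no datagram reached the test machine, which points at the destination address, the port, or a firewall between the agent and the listener.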
Next: If you are performing initial configuration of your TLC environment, see Configuring your TLC Environment. Otherwise, see Adding an Asset for a new Log Source.
Tip: When you download Tripwire-defined Normalization Rules from the Tripwire Web site, be sure to import the following rule groups:
Snare Windows Windows Windows 2008 - Vista
Then, when you add the rules in the Normalization Rules tab of the properties dialog for the Log Source's Asset (see Table 48), you should position the following rules at the top of the list:
17000
17001