Configuring a Snare Windows Server

Firmware: ALL

Collector: Network Collector

Tip 

If you plan to collect Windows Event Logs from a Snare Server, Tripwire recommends that you install Tripwire Axon Agent for TLC software on the server and use the Advanced Windows Collector for this purpose. In this case, you will configure the server by completing the steps in Configuring a Microsoft Windows System (rather than the steps below).

To configure a Snare Server to send log messages to TLC:

1. To download and install the appropriate version of Snare Agent for Windows, go to:

https://www.intersectalliance.com/our-product/snare-agent/
operating-system-agents/snare-agent-for-windows/

To install the Snare Agent on Windows Vista, 2008, or Windows 7, download Version 1.1.5.

For older versions of Windows, download Version 3.1.8.

2. To open Snare for Windows, select: 

Start Menu > All Programs > InterSect Alliance > Snare for Windows

3. On the left side of the Snare for Windows user interface, select Network Configuration.
4. In the Network Configuration page: 
a. Enter the IP address of your TLC Manager in the Destination Snare Server address field.
b. In the Destination Port field, enter 514.
c. Select the check box under Enable SYSLOG.
d. Click Change Configuration.
5. On the left side of the Snare for Windows user interface, select Apply the Latest Audit Configuration and click Reload Settings.

Next

If you are performing initial configuration of your TLC environment, see Configuring your TLC Environment.

Otherwise, see Adding a Monitored Asset for a new Log Source.

Tip 

When you download Tripwire-defined Normalization Rules from the Tripwire Web site, be sure to import the following rule groups:

Snare Windows

Windows XP-2003

Windows Vista-2016

Windows 10

Then, when you add the rules in the Normalization Rules tab of the properties dialog for the Log Source's Monitored Asset (see Table 48), you should position the following rules at the top of the list:

17000

17001