#1 Put in Timer to fix NotifyChangeEventLog sync problems

closed
Leigh Purdie
None
5
2012-10-09
2003-07-29
Leigh Purdie
No

Snare for Windows uses the 'NotifyChangeEventLog'
system call to monitor changes to the Windows event logs.

Unfortunately, this system call is not guaranteed to
send a signal to the host program on every event - if
several events come through in close proximity, there
is a chance that Snare will not be notified, and
therefore the event will not be sent to the remote
server until a new event triggers the
NotifyChangeEventLog call.

It may be worth adding in a timer that polls each log
every (say) few minutes, to try and pick up these
temporarily-ignored events.

Discussion

  • Logged In: NO

    Perhaps the following algorithm may be helpful.

    while forever {
        wait for change notify OR x second timeout
        while unprocessed events exist {
            copy to syslog
            if not processing due to timeout {
                set timer for x seconds
            }
        }
    }

    This way, the timer is only running for x seconds after
    an actual event has taken place. This should minimize the
    overhead.

    You could also set the timer to 1 second interval, and only
    set the timer for the 30 times after a real event. This would
    mean that the event list is checked every second for 30
    seconds following an actual event.

    set TimerCount 0
    while forever {
        wait for change notify OR 1 second timeout
        while unprocessed events exist {
            copy to syslog
        }
        if processing due to timeout {
            increment TimerCount by 1
            if TimerCount < 30 {
                set timer for 1 second
            } else {
                set TimerCount 0
            }
        } else {
            set TimerCount 0
            set timer for 1 second
        }
    }
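
The loop the comment sketches, as an added runnable simulation that is not Snare's code and not the Win32 API: SimulatedEventLog, Watcher and demo are hypothetical names, the in-memory log stands in for a Windows event log and its NotifyChangeEventLog signal, and notify=False models a record whose notification never reaches the watcher. While no poll is armed the watcher blocks indefinitely; a real notification arms a fixed number of short timeouts, and each timeout counts one down whether or not it found records, so the window really does cover the interval after the last real event and costs nothing while the log is idle.

```python
"""Bounded-poll fallback for a change notification that can be missed.

Added simulation, not Snare's source and not the Win32 API: an in-memory
log stands in for a Windows event log and its NotifyChangeEventLog signal.
"""
import threading
import time


class SimulatedEventLog:
    """Constructed stand-in for one event log. append() normally raises the
    change notification; notify=False models the case from the ticket, a
    record written without the watcher being signalled."""

    def __init__(self):
        self.records = []
        self.changed = threading.Event()
        self.lock = threading.Lock()

    def append(self, record, notify=True):
        with self.lock:
            self.records.append(record)
        if notify:
            self.changed.set()

    def read_from(self, index):
        with self.lock:
            return self.records[index:]


class Watcher:
    """Wait for notify OR timeout, drain unread records, then decide whether
    the next wait may block forever. A real notification arms poll_count
    short timeouts; each timeout consumes one even when it finds nothing,
    so polling ends poll_count * poll_interval seconds after the last real
    event."""

    def __init__(self, log, forward, poll_interval=1.0, poll_count=30):
        self.log = log
        self.forward = forward            # stand-in for "copy to syslog"
        self.poll_interval = poll_interval
        self.poll_count = poll_count      # 0 disables the timer entirely
        self.cursor = 0                   # index of the next unread record
        self.polls_left = 0               # timeouts still armed

    def next_timeout(self):
        """Seconds to wait, or None to block until the next notification."""
        return self.poll_interval if self.polls_left > 0 else None

    def step(self, signalled):
        """One iteration after the wait returned; returns records forwarded."""
        new = self.log.read_from(self.cursor)
        self.cursor += len(new)
        for record in new:
            self.forward(record)
        if signalled:
            self.polls_left = self.poll_count   # (re)start the polling window
        elif self.polls_left > 0:
            self.polls_left -= 1
        return new

    def run(self, stop):
        """Blocking loop for a background thread."""
        while True:
            signalled = self.log.changed.wait(self.next_timeout())
            if stop.is_set():
                return
            if signalled:
                # A record appended between wait() and clear() is not lost:
                # step() reads everything past the cursor, and if its
                # notification was swallowed the armed polls still find it.
                self.log.changed.clear()
            self.step(signalled)


def demo(poll_count=20, poll_interval=0.05):
    """Feed one notified record and one whose notification is dropped;
    returns what reached the syslog stand-in (constructed sample records)."""
    log = SimulatedEventLog()
    forwarded = []
    watcher = Watcher(log, forwarded.append, poll_interval, poll_count)
    stop = threading.Event()
    thread = threading.Thread(target=watcher.run, args=(stop,), daemon=True)
    thread.start()
    log.append("4624 logon")                       # notification delivered
    time.sleep(4 * poll_interval)
    log.append("4625 failed logon", notify=False)  # notification lost
    time.sleep(8 * poll_interval)                  # inside the polling window
    stop.set()
    log.changed.set()                              # wake the thread so it exits
    thread.join(2.0)
    return forwarded


if __name__ == "__main__":
    print("with timer:   ", demo())
    print("without timer:", demo(poll_count=0))
```

With the timer disabled the dropped record sits in the log until the next real notification arrives, which is exactly the delay the ticket describes; with it armed, the record is swept up on the next short timeout.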

     
  • Leigh Purdie
    2003-10-13

    Logged In: YES
    user_id=369701

    Fixed in Snare 2.2