Menu
▾
▴
#31 Collecting back to the beginning of the event log?
When Snare is installed for the first time on a system, does it start collecting logs from that installation date/time going forward, or does it go back and grab every possible event log off of the system back to the beginning of the event log? If it just goes from the installation date/time going forward, but you needed it to go back to the beginning of every log and gather logs, is there a value to change the Intersect Alliance Status registry key to tell it to start from the beginning of the Application/System/Security event logs? I have a few servers that need an install of Snare and need for collecting to go all of the way back to the very beginning of the event logs. Thanks.
Yes; Snare assumes that you want to start collecting from the installation point. However, when Snare shuts down, it will attempt to bookmark it's location in the eventlog. This means that the next time Snare starts up, it will continue auditing from the last sent message (rather than only sending events that occurred while it was active & running).
Although there is no command-line, or registry flag to tell snare to 'go right from the start', there may be an unsupported 'cheat' available.. I haven't tried this myself, but looking at the microsoft event bookmarking functionality, it might be viable.
The format of the XML in the registry, I'm not certain of; it's been a while (read: years) since I've played with that section of code; and unfortunately, Dave (who wrote that code), is travelling today.
I'd be interested to know how you go! If this works, please write up a bit of a summary for us, on how you implemented it.
I went to the registry and under HKLM\Software\InterSect Alliance\AuditService\Status and saw entries for LOG_TYPE_APPLICATION and others. The DWORD entries are stored as Hexadecimal or Decimal values, but I did not see XML. I don't mess with decimal/hexidecimal values a lot, so I searched online for a decimal to date converter and vice versa to test out your suggestion. I tried several out, but each time when I input the decimal or Hexadecimal value, I always ended up with a date that was incorrect. I tried http://www.epochconverter.com/epoch/unix-hex-timestamp.php as part of testing ans was unaware if the hexidecimal/decimal was being stored in GMT or local timezone, but the converted date, I always received was some date in January 1970. I think there is a step missing that I need, so I can view the current value of the timestamp in the HKLM\Software\InterSect Alliance\AuditService\Status branch and correctly execute the cheat. Do you have any information on the conversion or the best converter to use? Thank you again for the help, and I look forward to trying this cheat out once I get the hexidecimal/decimal conversion problem worked through. Thanks again.
The DWORD stored in the status registry entries is not a date/time but a reference to the eventlog number for the particular log. You can find this by looking in windows event viewer. Find an event, click the 'details' tab then under the system options find EventRecordID.
ie:
EventRecordID 18814
That's the number you need in the registry, anything after that should be replayed when snare is started.
Thanks Benjamin. So if the newest EventRecordID is 10001 and the oldest EventRecordID is 2001 for the application event log, the DWORD value that was stored would have to be set to 2000 or 2001 for it to start collecting from the 2001 event forward? To push that to more than one machine easily to perform the same task, could I just enter a zero (0) for the EventRecordID, so it would for the next available EventRecordID after 0 it found, which would be EventRecordID 2001? If Snare was missing a significant amount of time, how does quickly does it catch up? Does it become more resource intensive to catch up, so would be back to eventually collecting events in near real-time or does it catch up gradually? Thanks again.