Core issue

In this issue, CS-MARS fails to get logs from Microsoft Windows 2003 server as the default port for SNARE client is 6161, but it needs to be port 514 in order to communicate with CS-MARS.

Resolution

In order to resolve this issue, verify that syslog port for SNARE client is 514.

Complete these steps in order to enable SNARE client on the Windows host:

1. Choose All Programs > InterSect Alliance > Snare for Windows in order to run the SNARE - Remote Event Logging for Windows user interface.
   
   
2. Choose Setup > Network Configuration. The Network Configuration page appears.
   
   
3. Specify values for these fields:
   
      
   • Override detected DNS Name with Specify the IP address or DNS name of the local host in the field.
     
     
   • Destination Snare Server address Specify the IP address or the DNS name of the MARS Appliance.
     
     
      
4. Verify that these options are selected:
   
   

• Allow SNARE to automatically set audit configuration.
  
  
• Allow SNARE to automatically set file audit configuration.
  
  
• Enable SYSLOG Header.
  
  
  Note: Verify the syslog port is 514.
  
  

• Click Apply the Latest Audit Configuration on the Network Configuration page.
  
  
• Choose File > Close in order to close SNARE - Remote Event Logging for Windows user interface.
  
  The SNARE agent is stopped and restarted in order to pick up the configuration changes.

Refer to the Microsoft Windows Host section of Configuring Generic, Solaris, Linux, and Windows Application Hosts for more information on the Push and Pull method.