Push Method: Configure Generic Microsoft Windows Hosts; Install The Snare Agent On The Microsoft Windows Host - Cisco CS-MARS-20-K9 - Security MARS 20 User Manual


Chapter 10
Configuring Generic, Solaris, Linux, and Windows Application Hosts
Microsoft Windows Hosts
User Guide for Cisco Security MARS Local Controller, 78-17020-01, page 10-5

The pull method not only requires system resources for correlating, but also for contacting and pulling the event data from each host. It also operates in a single process, completing the pull from one device before moving to the next. As a result, the pull method may take much longer to cycle through all of the reporting devices as the number of devices grows.

The push method is more efficient in terms of resource utilization on the MARS Appliance and in terms of how quickly the MARS Appliance can be made aware of event data, but it requires that you install and configure the Snare Agent for Windows on the Microsoft Windows host. The Snare Agent pushes event data from the servers to MARS in near real time: when an audit event occurs, the agent sends a syslog message to MARS that details the event. It is also more efficient and timely in that each Snare Agent is able to act independently rather than being bound by a single process as with the pull method.

The following sections describe these two methods:
- Push Method: Configure Generic Microsoft Windows Hosts, page 10-5
- Pull Method: Configure the Microsoft Windows Host, page 10-6

Push Method: Configure Generic Microsoft Windows Hosts

MARS can treat hosts running Microsoft Windows as reporting devices, monitoring the event log data generated by the host. The host needs to run InterSect Alliance SNARE Agent for Windows, which captures event log data and sends it to MARS. The push method requires four steps:
1. Install the SNARE agent on the Microsoft Windows host. For more information, see Install the SNARE Agent on the Microsoft Windows Host, page 10-5.
2. Configure the SNARE agent to forward event data to the MARS Appliance. For more information, see Enable SNARE on the Microsoft Windows Host, page 10-6.
3. Ensure that UDP 514 traffic can pass between the hosts and the MARS Appliance.
4. Identify that host in MARS so that it can correctly parse and correlate the event data. For more information, see Configure the MARS to Pull or Receive Windows Host Logs, page 10-9.

Install the SNARE Agent on the Microsoft Windows Host

To install the SNARE agent, follow these steps:
Step 1  Log in to the target host using a username with proper administrative privileges.
        The username must have the permission to publish audit data as well as to install new programs.
Step 2  Download the SNARE Agent for Windows from the following URL that corresponds to the operating system type installed on the target host:
        http://www.intersectalliance.com/projects/SnareWindows/index.html#Download
Step 3  Double-click the SnareSetup<version>.exe file to start the install program.
Step 4  Click Next.
Step 5  Select the target install folder and click Next.
Step 6  Select Normal Installation in the Components list and click Next.
Step 7  Select the target Start menu location and click Next.
Step 8  Verify the selection options and click Install.
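
The third step of the push method is to ensure that UDP 514 traffic can pass between the hosts and the MARS Appliance. The Python code below is an added example, not part of the Cisco manual: it sends a marked syslog-style datagram from the Windows host and waits for it on a listener. It assumes the listener runs on a test machine on the same network path as the MARS Appliance (a hypothetical setup), and the function names are illustrative.

```python
import socket

SYSLOG_PORT = 514  # UDP port named in step 3 of the push method


def build_probe(hostname, text, facility=1, severity=5):
    """Build a minimal syslog-style datagram: <PRI>HOSTNAME TAG: text.
    Only the PRI prefix is included; no timestamp field is added."""
    pri = facility * 8 + severity  # facility 1 (user), severity 5 (notice) -> 13
    return f"<{pri}>{hostname} path-test: {text}".encode("ascii", "replace")


def send_probe(dest_ip, payload, port=SYSLOG_PORT):
    """Send one datagram and return the byte count handed to the OS.
    A successful send does not prove delivery: UDP has no acknowledgement,
    so the receiving side has to be checked separately."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (dest_ip, port))


def open_receiver(bind_ip="0.0.0.0", port=SYSLOG_PORT, timeout=5.0):
    """Bind a UDP listener on the test machine (assumed setup).
    Binding to port 514 normally needs administrator/root rights."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.bind((bind_ip, port))
    return s


def wait_for_probe(sock, marker):
    """Return (sender_ip, message) for the first datagram containing marker.
    Returns None if no datagram arrives within the socket timeout, which
    suggests a host firewall or network ACL is dropping the traffic."""
    try:
        while True:
            data, (src_ip, _) = sock.recvfrom(4096)
            msg = data.decode("ascii", "replace")
            if marker in msg:
                return src_ip, msg
    except socket.timeout:
        return None
```

Start the listener first, then call send_probe from the Windows host with a marker string unique to that test, so that unrelated syslog traffic is not mistaken for the probe.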


This manual is also suitable for:

Mars 20, Mars 50, Mars 100, Mars 200
