What are people saying about SNARE?

“One of the things I really like about the SNARE agent is the “Objectives Configuration”.  The flexibility of the settings is extremely powerful.  The out of the box settings are pretty good.”  syslog.org

“Kiwi Syslog Server is unable to natively read the Windows event logs. If you are wanting to collect information from the Windows event logs, you will need to use a third-party application. For this purpose, we recommend Snare Agent for Windows”  kiwisyslog.com

“I think the SNARE agent is pretty slick.  I particularly like that there are prepackaged distributions for mass silent installs, and I really like how configurable the “Objectives” are.  I should note that the Windows SNARE agent is just one of a whole suite of agents built around what Intersect Alliance calls the SNARE Server.”  syslog.org

IBM Global Solutions Directory:  The Snare series of applications work together to provide a centralized collection, analysis, reporting and archival facility for audit and event log information, from a variety of operating systems, network security appliances and applications, including AIX, Lotus Notes, Linux, Solaris, Windows, Irix, Pix and Checkpoint. IBM


“SNARE (System iNtrusion Analysis and Reporting Environment) is a series of log collection agents that facilitate centralized analysis of audit log data.  Agents are available for Linux, Windows, Solaris, IIS, Lotus Notes, Irix, AIX, ISA/IIS + more.”  Sourceforge

This week’s daily count of SNARE Open Source Agent Downloads can be found here.

“For central windows logging that should work with almost any commercial or open source central log collection tool, I recommend using SNARE as your agent for getting the logs from your windows systems to whatever central log system you have.”  DFIR Journal

“As you know, UDP is not a protocol that we can trust for delivering information. UDP does not provide guarantee of delivery which can cause data to go missing. When considering connection problems or missing data, the TCP connection is much more desirable. Also, if you need to encrypt the data connection, you should use TCP. So we strongly recommend you to communicate with the ArcSight Syslog SmartConnector in TCP protocol. But the free version of SNARE for Windows only support UDP protocol, so we will do this demonstration with UDP. If you want to have TCP support for SNARE, you need to buy SNARE (Enterprise Agents).”  EricRomangBlog

“There are lots of devices, including some operating in Windows-based systems, that can’t natively push their logs to a central location, so many log management systems require agents on these devices for log collection. Some agent-based technologies work well, such as the SNARE agent that works on Windows servers and imposes minimal load.” SANS – ArcSight Logger Review

Configure Windows for Syslog Using Snare (Instructional Video)
“There are a lot of things that Microsoft does right, however one that they have not yet seem to master is an effective centralized logging solution. In this video we are going to cover centralized log management using the standard syslog protocol, and in the open source syslog format SNARE. SNARE is a piece of open source software by a company called Intersect Alliance. Intersect Alliance has an open source client for Microsoft Windows platforms, and an open source server to allow the central collection of Windows event logs in your environment. There installation process is very simple and can be accomplished in about 2 to 3 min. per host.” winsrvtuts

“SNARE for Windows is a Windows NT, Windows 2000, Windows XP, and Windows 2003, Windows 2012 compatible service that interacts with the underlying Windows Eventlog subsystem to facilitate remote, real-time transfer of event log information. If you want to capture Windows events, like those in your Event logs, currently the SNARE EventLog Agent is the easiest way to do this.” splunk>docs