Specifications

Guide to Snare for Linux
Appendix A - Configuration File Description
The purpose of this section is to describe the parameter settings of the configuration file. The Snare configuration file is located at /etc/audit/snare.conf, and this location cannot be changed. If the configuration file does not exist, the audit daemon will not actively audit events until a correctly formatted configuration file is present.
Snare can be configured in two ways, namely:
a. Via the embedded web server (recommended for novice users), or
b. By manually editing the configuration file (recommended for advanced users).
The format of the audit configuration file is described below. Any line beginning with “#” is treated as a comment line and ignored. Any number of tabs or spaces may be used as whitespace. Major tokens such as [Config] must be enclosed in square brackets.
[Config]
    This section specifies settings relating to the operation of the Snare agent.
clientname=override
    The hostname of the client. If no hostname is set, the value of “hostname --fqdn” will be used.
set_audit=[1|0]
    Determines whether Snare should set the auditing configuration for the local machine.
syslog_facility=facility
    The SYSLOG facility used when sending to a SYSLOG server.
syslog_priority=priority
    The SYSLOG priority used when sending to a SYSLOG server.
cache_size=(0 - 100000)
    The size of the event cache, i.e. the number of events that Snare should keep if it cannot reach at least one of the destination hosts. The value must be between 0 and 100000. This feature is only available in Enterprise Agents.
use_utc=1
    Enable UTC (Universal Coordinated Time) timestamps. This feature is only available in Enterprise Agents.
version=4
    Reserved for future use: the Snare version, for informational purposes.
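As an added illustration (this is not code from the Snare guide or from the Snare agent itself), the following Python script parses a constructed sample of the file format described above and checks the [Config] keys against the constraints this appendix states: comment lines start with “#”, whitespace is free, section tokens sit in square brackets, set_audit is 1 or 0, and cache_size lies between 0 and 100000. The key names and constraints are taken from the text above; the sample values (local0, info, 5000), the hypothetical hostname passed to effective_clientname, and the warning for keys not described in this appendix are assumptions made for the example.

```python
import re

# Constructed sample configuration: not a file shipped with Snare, just the
# [Config] section built from the parameters described in Appendix A.
SAMPLE_SNARE_CONF = """\
# Snare agent configuration (constructed sample)
[Config]
clientname=override
set_audit=1
syslog_facility=local0
syslog_priority=info
    cache_size = 5000
use_utc=1
version=4
"""

# Parameters this appendix describes; anything else is reported as unknown.
KNOWN_CONFIG_KEYS = {
    "clientname", "set_audit", "syslog_facility", "syslog_priority",
    "cache_size", "use_utc", "version",
}

SECTION_RE = re.compile(r"^\[(\w+)\]$")


def parse_snare_conf(text):
    """Parse Snare's section / key=value format into {section: {key: value}}.

    Leading and trailing tabs or spaces are ignored, lines beginning with '#'
    are comments, and a major token such as [Config] starts a new section.
    """
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: key=value before any [Section] token")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        sections[current][key.strip()] = value.strip()
    return sections


def validate_config(sections):
    """Return a list of problems with the [Config] section (empty means OK).

    Only the rules stated in the appendix are enforced; keys the appendix does
    not describe are flagged so that typos in key names are noticed.
    """
    cfg = sections.get("Config")
    if cfg is None:
        return ["missing [Config] section"]
    problems = []
    if "set_audit" in cfg and cfg["set_audit"] not in ("0", "1"):
        problems.append("set_audit must be 1 or 0")
    if "cache_size" in cfg:
        try:
            size = int(cfg["cache_size"])
        except ValueError:
            size = -1
        if not 0 <= size <= 100000:
            problems.append("cache_size must be between 0 and 100000")
    for key in sorted(cfg):
        if key not in KNOWN_CONFIG_KEYS:
            problems.append(f"{key}: not a parameter described in Appendix A")
    return problems


def effective_clientname(cfg, fqdn):
    """Apply the clientname rule: use the configured value, else the FQDN.

    `fqdn` stands in for the output of `hostname --fqdn` so the example runs
    offline without touching the real host.
    """
    name = cfg.get("clientname", "").strip()
    return name if name else fqdn


if __name__ == "__main__":
    parsed = parse_snare_conf(SAMPLE_SNARE_CONF)
    print("parsed:", parsed["Config"])
    print("problems:", validate_config(parsed) or "none")
    # Hypothetical FQDN used only to show the fallback rule.
    print("client name:", effective_clientname({}, "agent01.example.invalid"))
```

Running the script prints the parsed [Config] keys, an empty problem list for the sample, and the fallback client name; feeding it a file with set_audit=2 or cache_size=999999 produces one problem line per violated rule.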
© InterSect Alliance, September 2014 Page 26 of 30 Version 4.1