Latest Release
Snare Agent v5.10 & Snare Agent Manager v2.2.0
Snare Agent — Endpoint Log Collection
Snare Agent is a lightweight, tamper-resistant endpoint log collector that captures security event data directly at the OS level — with full chain-of-custody from source to SIEM. Supporting 200+ operating systems and device types, it normalises log data into a consistent English-language standard across every region, reducing SIEM complexity and analyst effort simultaneously.
Unlike agentless alternatives that rely on network-level visibility or API polling, Snare Agent captures logs at the kernel and application layer at the point of generation — ensuring no events are dropped, no normalisation gaps, and no reliance on network-level monitoring.
✓✓| ✓ ✓
Current Agent release
Current SAM release
OS & device types supported
Typical SIEM ingest reduction
HOW SNARE AGENT WORKS
Hooks directly into the OS event subsystem, Windows Event Log, Linux auditd, macOS Unified Logging, capturing events at the point of generation before any application-layer processing can modify or suppress them.
Windows audit data is translated to English regardless of endpoint OS language, enabling consistent detection rules globally. Configurable filter rules are then applied locally — by event type, user, process, severity, keyword, or regex — reducing downstream volumes 40–60%.
Events are written to an encrypted local buffer before forwarding. TLS 1.2/1.3 protects all in-flight data. If connectivity is lost, the local buffer retains events until the connection recovers — no log gaps during network outages or SIEM maintenance windows.
TLS 1.2/1.3 | local buffer
Policy-to-destination routing sends the right data to the right platform using port-based parsing — purpose-built for Securonix and Devo, supporting Splunk and others. Simultaneously delivers to up to 8 destinations, each independently configured.
TECHNICAL SPECIFICATIONS
| Windows | Server 2008 R2 through 2025; Windows 10/11; Windows Core and Server Core editions |
| Linux | RHEL 6+, Ubuntu 16.04+, Debian 9+, SUSE 12+, CentOS, Rocky Linux, AlmaLinux, Oracle Linux |
| macOS [v5.10] | macOS 10.14 Mojave through macOS 15 Sequoia |
| Unix | Solaris 10/11, AIX 6.1+, HP-UX 11i v2/v3 |
| Cloud | AWS EC2, Azure VMs, GCP Compute Engine — all supported OS types |
| Network devices | Syslog-capable network devices and appliances via Snare Syslog Agent |
| Total coverage | 200+ OS and device type combinations supported |
| Windows | Security, System, Application, PowerShell, DNS, DHCP, IIS, RDP, WMI, custom event logs. Log Translation → English v5.10 |
| Linux | auditd, syslog, journald, auth.log, /var/log/*, PAM, custom files |
| macOS | Unified Logging System, asl, system.log, security events. box.audit.macos.event for Devo v5.10 |
| FIM | File create/modify/delete/rename + SHA-256 hash. Satisfies PCI-DSS Req 11.5 |
| Process events | PID, PPID, command line, user context, parent-child process chain |
| Linux telemetry | CPU, Disk, Memory, Network metrics — operational context for threat hunting and MTTR v5.10 |
| Encryption | TLS 1.2 and TLS 1.3 for all in-transit log data |
| Authentication | Certificate-based mutual TLS (mTLS) supported for destination authentication |
| Protocols | Syslog RFC 3164/5424, TCP, TLS, UDP, Snare native protocol |
| Local buffering | Configurable encrypted local disk buffer — events retained during network outages, delivered in sequence on recovery |
| Tamper protection | Signed configuration files, tamper-resistant agent process, sequence-numbered log streams |
| Chain of custody | Source hostname, timestamp, event sequence ID, and integrity metadata preserved in every forwarded record |
| System footprint | Under 50 MB RAM, under 1% CPU under typical production load |
| Deployment methods | MSI (Windows), RPM/DEB (Linux), PKG (macOS) — unattended/scripted deployment supported |
| Simultaneous destinations | Up to 8 concurrent delivery destinations per agent instance, each independently configured |
| Policy-to-destination [v5.10] | Route log data to specific platforms via port-based parsing — Securonix, Devo, Splunk, and others |
| Filter capabilities | Per-event-type include/exclude, user/group membership, process name/path, keyword, regex |
| Output formats | Snare native, Syslog (RFC 3164/5424), JSON, CEF, LEEF, custom format templates |
KEY CAPABILITIES
Translates Windows audit event data to English while endpoints continue operating in their local language. Enables global enterprises and MSSPs to maintain a single set of detection rules, SIEM dashboards, and threat hunting queries across every region — without any endpoint configuration changes.
// Business impact
– One detection ruleset for all regions
– Consistent SOC dashboards worldwide
– No SIEM parser changes per language
– Ideal for MSSPs & dispersed enterprises
Collects CPU, disk, memory, and network performance metrics from Linux endpoints alongside security events — in the same collection pipeline. Provides operational context that strengthens threat hunting, speeds root-cause analysis, and improves mean time to resolve (MTTR) by correlating security and infrastructure signals.
// Telemetry collected
– CPU utilisation metrics
– Disk I/O and capacity
– Memory usage patterns
– Network traffic statistics
Routes log data to specific third-party platforms using port-based parsing rules. Purpose-built for Securonix and Devo, with support for Splunk and any standards-based destination. Ensures data arrives in the correct format, triggers the right detections, and avoids misparse errors in downstream platforms.
// Supported routing targets
– Securonix (port-based parsing)
– Devo (incl. table-level routing)
– Splunk HEC
– Any standards-based SIEM
Logs are captured at OS level before any userspace process can modify or suppress them. Local disk buffering with signed configuration and sequence-numbered streams ensures forensic integrity from capture through delivery — critical for legal admissibility and compliance audit evidence.
// Integrity mechanisms
– Kernel-level event hooks
– Signed configuration files
– Sequence-numbered log streams
– Source metadata per record
Built-in FIM engine monitors specified file system paths for create, modify, delete, and rename events with SHA-256 hash verification in real time. Centrally managed via SAM with remote policy updates — no site visits or manual agent changes required. Satisfies PCI-DSS Req 11.5 and ISO 27001 A.12.4.3.
// FIM capabilities
– Recursive directory monitoring
– Include/exclude path rules
– SHA-256 hash per event
– Remote policy management via SAM
A single agent simultaneously delivers to up to 8 destinations, each with independent filter rules, format transformation, and protocol configuration. Security events to a SIEM, FIM events to a compliance archive, telemetry to an observability platform — all from one agent with no duplicate collection infrastructure.
// Destination support
– Splunk HEC (HTTP/HTTPS)
– Securonix, Devo (port routing)
– Microsoft Sentinel (HTTPS)
– IBM QRadar, Snare Central
– Kafka, S3, Syslog (any)
Runs natively on AWS EC2, Azure VMs, and GCP Compute Engine across all supported OS types. Supports auto-scaling groups, AMI/VM image packaging, and cloud-init deployment. Same agent, same management, same policy — regardless of whether endpoints are on-premises, cloud, or hybrid.
// Cloud capabilities
– Auto-scaling group support
– AMI / VM image packaging
– UserData / cloud-init deploy
– Centralised management via SAM
Event filtering is applied locally at the agent — not in a downstream aggregator. Only events matching forwarding policy leave the endpoint, reducing network bandwidth, SIEM ingest volume, and storage costs before data reaches any ingestion-priced system. Saves 40–60% of SIEM ingest in typical enterprise deployments.
// Filter rule types
– Windows Event ID include/exclude
– User and group membership
– Process name/path matching
– Keyword and regex patterns
Centralised management console included with Snare Agent. SAM v2.2.0 adds LDAP authentication for enterprise directory integration, default configuration templates eliminating the master-agent pattern, bulk tagging for multi-tenant estates, agent import/export for air-gapped networks, and the ability to unmanage agents for break-glass scenarios.
// SAM v2.2.0 capabilities
– LDAP authentication
– Default config templates
– Bulk tagging across estates
– Remote FIM/RIM/network/Linux policy
– Agent import/export (air-gap safe)
– Unmanage agents for local control
SNARE AGENT MANAGER (SAM V2.2.0)
Snare Agent Manager (SAM) is the management and orchestration layer for all Snare Agent deployments. Included with Snare Agent at no additional cost. SAM v2.2.0 extends central management with enterprise directory integration, template-driven policy management, and capabilities designed for MSSPs managing large, complex, or multi-tenant estates.
| Health dashboard | Real-time connectivity and health status across the full agent estate |
| Event volume metrics | Events-per-second and bytes-per-second per agent and destination group |
| Offline alerting | Configurable alerts on agent offline, error states, or event volume anomalies |
| Licence management | Centralised licence tracking and validation across all managed agents |
| LDAP authentication [SAM v2.2.0] | Delegate SAM logins to enterprise LDAP — apply existing directory policies to SAM access, track actions by user and group |
| RBAC | Role-based access control for operator and administrator permission levels across the full agent estate |
| Audit trail | All SAM actions logged — who made which change, when, on which agents |
| Default config templates [SAM v2.2.0] | Build and manage policies entirely within SAM without a master-agent dependency — stand up new groups faster, reduce configuration drift |
| Expanded remote policy [SAM v2.2.0] | Centrally manage network destinations, FIM, RIM, and Linux audit policies from SAM — no site visits or manual agent changes |
| Bulk tagging [SAM v2.2.0] | Tag, group, and action across large estates simultaneously — built for MSSP multi-tenant management |
| Agent import/export [SAM v2.2.0] | Move configurations securely across isolated or air-gapped networks via the SAM UI — simplifies OT and defence network management |
| Unmanage agents [SAM v2.2.0] | Move agents to the Unmanaged group to revert to local policy control for break-glass or special-case scenarios |
| Network scan discovery | Scan-based discovery identifies and onboards unmanaged endpoints without console access |
| Remote upgrade | Push agent upgrades to endpoints from SAM — no manual intervention or site visits required |
| Licence management | Centralised licence tracking and validation across all managed agents |
| Health monitoring | Agent connectivity status, event volumes, and error conditions surfaced per-agent and per-group |
| Offline alerting | Configurable alerts on agent offline, error states, or event volume anomalies |
USE CASES
MSSP / GLOBAL ENTERPRISE
An MSSP managing enterprise clients across Europe, Asia, and the Americas was maintaining separate SIEM detection rulesets per region because Windows audit data arrived in local languages. Different event descriptions meant different parser logic, divergent alert thresholds, and inconsistent reporting. Log Translation normalised all Windows audit data to English at the agent — enabling one ruleset, one dashboard standard, and consistent SOC collaboration across time zones.
OUTCOME
Regional SIEM rulesets consolidated to a single standard. Dashboard consistency achieved across all customer environments. SOC collaboration measurably improved across time zones.
CISO / ENTERPRISE
A large financial institution was significantly overspending on SIEM ingestion for Windows Security event logs dominated by high-volume, low-value noise. Deploying Snare Agent with precision event-ID filtering removed 65% of log volume before SIEM ingest while retaining all security-relevant events (Event IDs 4624, 4625, 4648, 4688, and equivalents). The filtering was applied at the endpoint with zero changes to SIEM configuration.
OUTCOME
40% reduction in annual SIEM ingest cost. Zero reduction in detection coverage. PCI-DSS audit passed with Snare FIM evidence for Requirement 11.5.
SECOPS ENGINEERING / DEVO CUSTOMER
A security team running Devo as their primary SIEM was experiencing parser delays and table mismatches from inconsistently tagged Snare Agent data. Policy-to-destination routing mapped log data directly to the correct Devo tables using custom tags — including macOS audit logs routing to box.audit.macos.event — without any code changes. Parser rollout that previously required engineering sprints was completed in hours.
OUTCOME
Parser deployment time reduced from sprints to hours. Devo table ingestion accuracy improved to 100%. Engineering time freed for higher-value security work.
GOVERNMENT / DEFENCE
A government agency required log evidence that could withstand legal scrutiny during a compromise investigation. Snare Agent’s tamper-resistant OS-level capture, local disk buffering, and chain-of-custody metadata provided a complete, unbroken record from the affected endpoints — even after hosts were taken offline for forensic imaging. SAM’s import/export capability had previously been used to manage agent policy across the air-gapped network without direct connectivity.
OUTCOME
Full forensic log chain admitted as evidence. Breach timeline reconstructed to the second. No log gaps despite host quarantine and offline forensic imaging.
COMPLIANCE COVERAGE
Framework |
Relevant Requirements |
Snare Agent Capability |
PCI-DSS v4.0 |
Req 10.2–10.7 (audit log collection), Req 11.5 (FIM) | Captures all required Windows and Linux event types. FIM engine with SHA-256 hash verification, managed remotely via SAM, satisfies Req 11.5. Tamper-evident storage supports QSA audit evidence. |
HIPAA |
§164.312(b) Audit controls — record and examine access to PHI systems | Technical control layer for HIPAA audit logging. Captures all user access events, authentication events, and system activity. LDAP access control in SAM supports identity governance requirements. |
ISO 27001 |
A.12.4.1 (event logging), A.12.4.2 (log protection), A.12.4.3 (admin logs) | Tamper-resistant OS-level capture (A.12.4.1), encrypted local buffer and transport (A.12.4.2), comprehensive admin/operator logging (A.12.4.3). Remote FIM/RIM policy via SAM. |
NIST CSF |
DE.CM-1, DE.CM-3, DE.CM-7 (monitoring controls) | Provides endpoint and infrastructure telemetry for all Detection-category controls. Linux telemetry adds operational context for anomaly investigation and MTTR improvement. |
SOX |
IT General Controls — access, change management, IT operations logging | Audit trail for access events, privilege use, and configuration changes on financial systems. LDAP access control in SAM supports identity governance for SOX ITGC. |
NERC CIP |
CIP-007-6 R4 (security event monitoring), CIP-010-4 (configuration change management) | FIM and security event logging address both requirements. SAM import/export enables air-gap-safe policy management for operational technology network environments. |
FREQUENTLY ASKED QUESTIONS
Q: What is the current version of Snare Agent and Snare Agent Manager?
The current release is Snare Agent v5.10 and Snare Agent Manager v2.2.0. v5.10 introduces Windows log translation to English, Linux telemetry collection (CPU, disk, memory, network), policy-to-destination routing for Securonix and Devo, and macOS 15 Sequoia support. SAM v2.2.0 adds LDAP authentication, default configuration templates eliminating the master-agent pattern, bulk tagging, expanded remote policy management, agent import/export for air-gapped networks, and the ability to unmanage agents. For full release notes visit snaresolutions.com/products/snare-agents-v5-10/
Q: What is Log Translation and why does it matter for global deployments?
Log Translation normalises Windows audit event data to English regardless of the OS display language on the endpoint. This is critical for global enterprises and MSSPs with endpoints running in multiple languages — a single SIEM detection ruleset, dashboard, and threat hunting query works consistently across all regions without per-region parser maintenance or SIEM configuration changes. Endpoints continue running in their local language; translation happens at the agent before forwarding.
Q: What does Linux telemetry collect and is there a performance impact?
Snare Agent v5.10 collects CPU utilisation, disk I/O, memory usage, and network traffic metrics from Linux endpoints alongside security event data in the same pipeline. This operational context allows analysts to correlate security events with infrastructure conditions, improving root-cause analysis and mean time to resolve. Telemetry collection is lightweight and configurable — scope and frequency can be tuned per policy and environment requirements.
Q: What are default configuration templates in SAM and what problem do they solve?
Previously, SAM required a live master agent as the configuration reference for a group. Default templates replace this pattern by allowing policies to be built and managed entirely within SAM. New configuration groups can be stood up immediately without a running agent, configuration drift is reduced, and onboarding new customers or environments is significantly faster. Templates are managed via SAM and pushed to agents remotely.
Q: How does LDAP authentication work in Snare Agent Manager?
SAM v2.2.0 can delegate authentication to an enterprise LDAP directory. Operators authenticate using their directory credentials, and group membership maps to SAM permission levels. This centralises access management, applies consistent identity governance across the security tool stack, and provides a full audit trail of SAM actions attributed to directory users — simplifying compliance evidence for access management controls.
Q: How does agent import/export work for air-gapped or isolated networks?
SAM v2.2.0 provides a UI-based import/export for agent configurations. Policies can be exported from one environment and imported into an air-gapped or isolated network without requiring direct connectivity. This enables policy management for OT environments, defence networks, and any deployment where network segmentation prevents direct SAM access to managed agents. It also simplifies disaster recovery preparation by exporting configurations for backup.