I am using the Snare Windows agent for Windows integration but getting 3 logs of the same event from the same source that have the same information.
Because of this I am getting 3 entries at the same time in the report. How can we correct it? huan zhou, Adam Rasnick
The timestamp is the same?
Yes, everything is the same; even the size is the same.
The session ID is different; the event was sent multiple times?
So, now what's the solution? Do I have to re-install that Snare agent or is there any other option?
Because of this, in the report I am getting three entries of the same time.
For all the events? Or only the event?
You can do a data reset.
Would it be on the event source or the SA decoder?
Is it possible to delete duplicate events and metadata from the SA side, or what setting should be on Snare so it sends each event one time?
To thicken the plot... Snare will send "bulk" messages and repetitions of the same message under certain conditions. For example, if Snare or Event Viewer were to "bounce", it's possible Snare will go back to its last known good read point in Event Viewer and start sending messages, even though it may have sent them prior to bouncing. Windows logging issue as opposed to a problem with Snare. I've had this bite me in the past in another MSSP life.
Not sure if this has anything to do with your message conundrum, but wanted to throw it out there.