Snare Enterprise Agent for macOS configures the macOS audit sub-system to generate events of interest and extracts events that match additional filtering criteria from the operating system, as configured in audit policies. The format of macOS audit events is discussed in Appendix B - macOS Audit Event Output Format. Snare Agent is also capable of collecting events from any text-based log files, as well as generating File Integrity Monitoring (FIM) events.
...