...

Note

This example shows the events in Snare format. The first four fields are the event header and may be formatted differently in other event formats.

1. Formats

In the following examples, EventType is always TelemetryLog because this page covers only Telemetry Events. The following formats are possible for telemetry events:

SNARE

<Hostname>    <EventType>TelemetryLog    <SeverityLevel>   <TimeCreated>   <MetricType> <InstanceName> <EventName>  <Value>  EventChecksum=<EventChecksum>

SNARE V2

<Hostname>    <EventType>TelemetryLog    <SeverityLevel>    {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>"},"System":{"TimeCreated":{"SystemTime":"<SystemTime>","LocalTime":"<LocalTime>","EventChecksum": "<EventChecksum>"}}}} 

...

<<S>><TimeCreated (MMM DD HH:MM:SS)> <Hostname> <EventType>TelemetryLog <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>

...

<<S>><TimeCreated (MMM DD HH:MM:SS)> <Hostname> <EventType>TelemetryLog[<SeverityLevel>]:<TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>

...

<<S>><SyslogVersion> <Time Created (YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - <EventType>TelemetryLog - <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>

...

<TimeCreated (MMM DD HH:MM:SS)> <Hostname> CEF:<CEFVersion>|<CompanyName>|<ProductName>|<ProductVersion>|<EventType>TelemetryLog|<EventName>|<CEFSeverity>|value=<Value> dvchost=<Hostname> msg=<YYYY-MM-DD>|<hh:mm:ss>|<MetricType>|<InstanceName>|<EventName>|<Value>

...

<TimeCreated (MMM DD HH:MM:SS)> <Hostname> LEEF:<LEEFVersion>|<CompanyName>|<ProductName>|<ProductVersion>|<EventType>TelemetryLog|URL=<EventType>TelemetryLog sev=<LEEFSeverity> resource=<Hostname> value=<Value> msg=<TimeCreated> <MetricType> <InstanceName> <EventName> <Value>

...

<<S>><SyslogVersion> <Time Created (YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - <EventType>TelemetryLog - <SeverityLevel> {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>","EventChecksum": "<EventChecksum>"}}}
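
The layouts above carry the same seven telemetry fields in four different encodings (tab-delimited Snare, Snare V2 JSON, CEF with the fields packed into msg= separated by pipes, and LEEF with them packed into msg= separated by spaces), so a collector normally wants to normalise them into one record before alerting or correlating. The parser below is an added example, not code from the page or from the product: it assumes the Snare-style lines are tab-delimited (the page renders the separators as runs of spaces), that the syslog-wrapped variants have already had their syslog header stripped, and it uses constructed sample lines with made-up hostnames, values and checksum. Severity is kept as the format-specific string (SeverityLevel, CEFSeverity and LEEFSeverity are different scales) and EventChecksum, which the page does not define, is preserved opaquely and only where the layout actually carries it.

```python
"""Normalise TelemetryLog events from the Snare, Snare V2, CEF and LEEF
layouts into one record. Added example; not the product's own code."""
import json
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class TelemetryEvent:
    hostname: str
    severity: str        # format-specific scale, not normalised
    time_created: str
    metric_type: str
    instance_name: str
    event_name: str
    value: str
    checksum: Optional[str]  # only the Snare and JSON layouts carry EventChecksum


def _parse_snare(line: str) -> TelemetryEvent:
    # <Hostname> TelemetryLog <Sev> <TimeCreated> <MetricType> <InstanceName>
    # <EventName> <Value> EventChecksum=<EventChecksum>   (assumed tab-delimited)
    host, etype, sev, when, metric, inst, name, val, tail = line.split("\t")[:9]
    if etype != "TelemetryLog":
        raise ValueError(f"not a TelemetryLog event: {etype!r}")
    checksum = tail.split("=", 1)[1] if tail.startswith("EventChecksum=") else None
    return TelemetryEvent(host, sev, when, metric, inst, name, val, checksum)


def _parse_snare_v2(fields: list) -> TelemetryEvent:
    host, etype, sev, payload = fields
    if etype != "TelemetryLog":
        raise ValueError(f"not a TelemetryLog event: {etype!r}")
    ev = json.loads(payload)["Event"]
    data = ev["Data"]
    tc = ev.get("System", {}).get("TimeCreated", {})
    # The page puts EventChecksum under System.TimeCreated in Snare V2 and
    # under Data in the JSON-over-syslog layout; accept either location.
    checksum = data.get("EventChecksum") or tc.get("EventChecksum")
    return TelemetryEvent(host, sev, tc.get("SystemTime", ""), data["MetricType"],
                          data["InstanceName"], data["EventName"], data["Value"], checksum)


def _extensions(text: str) -> dict:
    # key=value pairs separated by whitespace; a value may contain spaces
    # (LEEF msg=) or pipes (CEF msg=) but never a 'word=' token of its own.
    return dict(p.split("=", 1) for p in re.split(r"\s+(?=\w+=)", text.strip()))


def _parse_cef(line: str) -> TelemetryEvent:
    parts = line[line.index("CEF:"):].split("|", 7)  # 7 header fields, then extension
    if parts[4] != "TelemetryLog":
        raise ValueError(f"not a TelemetryLog event: {parts[4]!r}")
    ext = _extensions(parts[7])
    # msg=<YYYY-MM-DD>|<hh:mm:ss>|<MetricType>|<InstanceName>|<EventName>|<Value>
    date, clock, metric, inst, name, val = ext["msg"].split("|")
    return TelemetryEvent(ext.get("dvchost", ""), parts[6], f"{date} {clock}",
                          metric, inst, name, ext.get("value", val), None)


def _parse_leef(line: str) -> TelemetryEvent:
    parts = line[line.index("LEEF:"):].split("|", 5)  # 5 header fields, then attributes
    if parts[4] != "TelemetryLog":
        raise ValueError(f"not a TelemetryLog event: {parts[4]!r}")
    ext = _extensions(parts[5])
    # msg=<TimeCreated> <MetricType> <InstanceName> <EventName> <Value>; the
    # last four tokens are the fields, whatever shape TimeCreated takes.
    when, metric, inst, name, val = ext["msg"].rsplit(None, 4)
    return TelemetryEvent(ext.get("resource", ""), ext.get("sev", ""), when,
                          metric, inst, name, ext.get("value", val), None)


def parse_event(line: str) -> TelemetryEvent:
    """Detect the layout of one line and return the normalised record."""
    line = line.rstrip("\r\n")
    if "LEEF:" in line:
        return _parse_leef(line)
    if "CEF:" in line:
        return _parse_cef(line)
    fields = line.split("\t", 3)
    if len(fields) == 4 and fields[3].lstrip().startswith("{"):
        return _parse_snare_v2(fields)
    return _parse_snare(line)


# Constructed sample lines: one event rendered in each of the four layouts.
SAMPLES = {
    "snare": "host01\tTelemetryLog\t1\t2024-05-01 12:00:00\tCounter\tScanner"
             "\tFilesScanned\t1234\tEventChecksum=9f2a",
    "snare_v2": "host01\tTelemetryLog\t1\t" + json.dumps({"Event": {
        "Data": {"MetricType": "Counter", "InstanceName": "Scanner",
                 "EventName": "FilesScanned", "Value": "1234"},
        "System": {"TimeCreated": {"SystemTime": "2024-05-01T12:00:00Z",
                                   "LocalTime": "2024-05-01 12:00:00",
                                   "EventChecksum": "9f2a"}}}}),
    "cef": "May 01 12:00:00 host01 CEF:0|Vendor|Product|1.0|TelemetryLog|FilesScanned|3|"
           "value=1234 dvchost=host01 msg=2024-05-01|12:00:00|Counter|Scanner|FilesScanned|1234",
    "leef": "May 01 12:00:00 host01 LEEF:1.0|Vendor|Product|1.0|TelemetryLog|URL=TelemetryLog "
            "sev=3 resource=host01 value=1234 msg=2024-05-01 12:00:00 Counter Scanner FilesScanned 1234",
}


def parse_samples() -> dict:
    return {fmt: parse_event(line) for fmt, line in SAMPLES.items()}


if __name__ == "__main__":
    for fmt, ev in parse_samples().items():
        print(f"{fmt:9} {ev}")
```

The dispatcher keys on the CEF:/LEEF: prefix and on whether the fourth tab-delimited field is JSON, which is enough to tell the four layouts apart on this page; for the syslog-framed variants, strip the `<PRI>`, timestamp and hostname header first and feed the remainder to the same function. Because the extension splitter relies on values never containing a `word=` token, a collector handling untrusted InstanceName or EventName values should validate the field count it gets back rather than trust the split blindly.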

...