Example of the Telemetry events generated by a Snare Enterprise Agent for Windows:
Info: This example shows the events in Snare format. The first four fields are the event header and may be formatted differently in other event formats.
1. Formats
In the following examples, EventType is always TelemetryLog since this page refers only to Telemetry Events.
SNARE
<Hostname> <EventType> <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>
SNARE V2
<Hostname> <EventType> <SeverityLevel> {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>"},"System":{"TimeCreated":{"SystemTime":"<SystemTime>","LocalTime":"<LocalTime>","EventChecksum": "<EventChecksum>"}}}}
SYSLOG (RFC3164)
<<SyslogPriority>><TimeCreated (MMM DD HH:MM:SS)> <Hostname> <EventType> <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>
SYSLOG Alt (RFC5424 Compatible)
<<SyslogPriority>><TimeCreated (MMM DD HH:MM:SS)> <Hostname> <EventType>[<SeverityLevel>]:<TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>
SYSLOG (RFC5424)
<<SyslogPriority>><SyslogVersion> <Time Created (YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - <EventType> - <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>
CEF
<TimeCreated (MMM DD HH:MM:SS)> <Hostname> CEF:0|<CompanyName>|<ProductName>|<ProductVersion>|<EventType>|<EventName>|<CEFSeverity>|value=<Value> dvchost=<Hostname> msg=<YYYY-MM-DD>|<hh:mm:ss>|<MetricType>|<InstanceName>|<EventName>|<Value>
LEEF
<TimeCreated (MMM DD HH:MM:SS)> <Hostname> LEEF:1.0|<CompanyName>|<ProductName>|<ProductVersion>|<EventType>|URL=<EventType> sev=<LEEFSeverity> resource=<Hostname> value=<Value> msg=<TimeCreated> <MetricType> <InstanceName> <EventName> <Value>
SYSLOG JSON
<<SyslogPriority>><SyslogVersion> <Time Created (YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - <EventType> - <SeverityLevel> {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>","EventChecksum": "<EventChecksum>"}}}
2. Fields
Below is a table describing the contents of a Telemetry Event generated by Snare Agent.
Field | Type | Description |
---|---|---|
Hostname | String | The host name of the originating computer. |
EventType | String | TelemetryLog - the type of event generated. |
SeverityLevel | Integer | The severity level (criticality) of the generated event. |
TimeCreated | Datetime | The time at which the telemetry event was created (YYYY-MM-DDThh:mm:ss). |
MetricType | String | One of CPU, DSK, MEM or NET. |
InstanceName (May change to ObjectName) | String | The name of the hardware interface from which the event is sourced. |
EventName | String | The name of the metric of the hardware interface. |
Value | Float | The value of the metric. |
EventChecksum | String | The calculated digest (checksum) value. |
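The two templates above that a collector most often has to handle are the classic SNARE layout and the SNARE V2 JSON layout. The following parser is an added example written for this page; it is not code from the Snare agent or from Snare Solutions. It assumes that the classic layout is tab-delimited on the wire (the template shows single spaces for readability) and falls back to whitespace splitting when no tab is present, which only works when InstanceName and EventName contain no spaces. The sample lines and the checksum values in them are constructed, and the field checks in `validate()` are drawn from the table above (EventType must be TelemetryLog, MetricType must be one of CPU, DSK, MEM, NET). The checksum algorithm is not described on this page, so the digest is carried through as an opaque string and not recomputed.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Allowed MetricType values, taken from the Fields table on this page.
METRIC_TYPES = {"CPU", "DSK", "MEM", "NET"}
CHECKSUM_PREFIX = "EventChecksum="


@dataclass
class TelemetryEvent:
    """One telemetry event, normalised across the SNARE and SNARE V2 layouts."""
    hostname: str
    event_type: str
    severity: int
    time_created: str
    metric_type: str
    instance_name: str
    event_name: str
    value: float
    checksum: str  # opaque digest string; algorithm not specified on this page


def parse_snare(line: str) -> Optional[TelemetryEvent]:
    """Parse the classic SNARE layout:
    <Hostname> <EventType> <SeverityLevel> <TimeCreated> <MetricType>
    <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>
    Assumption: tab-delimited on the wire; whitespace fallback otherwise.
    Returns None for any line that does not have exactly nine fields or
    whose numeric fields do not parse, so a collector can count/quarantine it."""
    sep = "\t" if "\t" in line else None
    parts = line.rstrip("\r\n").split(sep)
    if len(parts) != 9:
        return None
    hostname, event_type, sev, ts, metric, instance, name, value, chk = parts
    if not chk.startswith(CHECKSUM_PREFIX):
        return None
    try:
        return TelemetryEvent(hostname, event_type, int(sev), ts, metric,
                              instance, name, float(value),
                              chk[len(CHECKSUM_PREFIX):])
    except ValueError:
        return None


def parse_snare_v2(line: str) -> Optional[TelemetryEvent]:
    """Parse the SNARE V2 layout: three whitespace-separated header fields
    followed by a JSON document. maxsplit=3 keeps the JSON payload intact
    even when InstanceName or EventName contain spaces.
    Note that the page's template places EventChecksum inside
    Event.System.TimeCreated, so it is read from there."""
    parts = line.rstrip("\r\n").split(None, 3)
    if len(parts) != 4:
        return None
    hostname, event_type, sev, payload = parts
    try:
        doc = json.loads(payload)
        data = doc["Event"]["Data"]
        tc = doc["Event"]["System"]["TimeCreated"]
        return TelemetryEvent(hostname, event_type, int(sev), tc["SystemTime"],
                              data["MetricType"], data["InstanceName"],
                              data["EventName"], float(data["Value"]),
                              tc.get("EventChecksum", ""))
    except (ValueError, KeyError, TypeError):
        return None


def validate(ev: TelemetryEvent) -> List[str]:
    """Field-level checks from the Fields table; returns a list of problems
    (empty list means the event is well-formed)."""
    problems = []
    if ev.event_type != "TelemetryLog":
        problems.append(f"unexpected EventType: {ev.event_type}")
    if ev.metric_type not in METRIC_TYPES:
        problems.append(f"unknown MetricType: {ev.metric_type}")
    return problems


# Constructed sample lines (hostname, timestamps and checksums are made up).
SAMPLE_SNARE = ("WIN-SRV01\tTelemetryLog\t1\t2024-01-15T10:30:00\tCPU\t_Total"
                "\t% Processor Time\t87.5\tEventChecksum=0000000000000000")
SAMPLE_SNARE_V2 = (
    'WIN-SRV01 TelemetryLog 1 {"Event":{"Data":{"MetricType":"NET",'
    '"InstanceName":"Intel(R) Ethernet Connection","EventName":"Bytes Total/sec",'
    '"Value":"12345.6"},"System":{"TimeCreated":{"SystemTime":"2024-01-15T10:30:00",'
    '"LocalTime":"2024-01-15T21:30:00","EventChecksum":"0000000000000000"}}}}')
TRUNCATED_LINE = "WIN-SRV01 TelemetryLog 1 2024-01-15T10:30:00 CPU"

if __name__ == "__main__":
    for raw, parser in ((SAMPLE_SNARE, parse_snare),
                        (SAMPLE_SNARE_V2, parse_snare_v2),
                        (TRUNCATED_LINE, parse_snare)):
        ev = parser(raw)
        print("unparseable" if ev is None else (ev, validate(ev)))
```

Returning `None` rather than raising keeps a malformed or truncated line from stopping a collector pipeline; counting those `None` results per host is a cheap way to notice an agent whose output format has changed or a feed that is being tampered with.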
...