
Example of the Telemetry events generated by a Snare Enterprise Agent for Windows:

Note: The examples below show the events in Snare format. The first four fields (Hostname, EventType, SeverityLevel, TimeCreated) are the event header and may be formatted differently in the other event formats.

1. Formats

In the following examples, EventType is always TelemetryLog since this page refers only to Telemetry Events.

SNARE

<Hostname>    <EventType>    <SeverityLevel>   <TimeCreated>   <MetricType> <InstanceName> <EventName>  <Value>  EventChecksum=<EventChecksum>

SNARE V2

<Hostname>    <EventType>    <SeverityLevel>    {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>"},"System":{"TimeCreated":{"SystemTime":"<SystemTime>","LocalTime":"<LocalTime>","EventChecksum": "<EventChecksum>"}}}} 

SYSLOG (RFC3164)

<<S>><TimeCreated (MMM DD HH:MM:SS)> <Hostname> <EventType> <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>

SYSLOG Alt (RFC5424 Compatible)

<<S>><TimeCreated (MMM DD HH:MM:SS)> <Hostname> <EventType>[<SeverityLevel>]:<TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>

SYSLOG (RFC5424)

<<S>><SyslogVersion> <TimeCreated (YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - <EventType> - <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>

CEF

<TimeCreated (MMM DD HH:MM:SS)> <Hostname> CEF:0|<CompanyName>|<ProductName>|<ProductVersion>|<EventType>|<EventName>|<CEFSeverity>|value=<Value> dvchost=<Hostname> msg=<YYYY-MM-DD>|<hh:mm:ss>|<MetricType>|<InstanceName>|<EventName>|<Value>

LEEF

<TimeCreated (MMM DD HH:MM:SS)> <Hostname> LEEF:1.0|<CompanyName>|<ProductName>|<ProductVersion>|<EventType>|URL=<EventType> sev=<LEEFSeverity> resource=<Hostname> value=<Value> msg=<TimeCreated> <MetricType> <InstanceName> <EventName> <Value>

SYSLOG JSON

<<S>><SyslogVersion> <TimeCreated (YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - <EventType> - <SeverityLevel> {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>","EventChecksum": "<EventChecksum>"}}}

2. Fields

Below is a table describing the contents of a Telemetry Event generated by the Snare Agent.

Field          Type      Description
Hostname       String    The host name of the originating computer.
EventType      String    TelemetryLog - the type of event generated.
SeverityLevel  Integer   The severity level (criticality) of the generated event.
TimeCreated    Datetime  The time at which the telemetry event was generated (YYYY-MM-DDThh:mm:ss).
MetricType     String    CPU|DSK|MEM|NET - the class of metric reported.
InstanceName   String    The name of the hardware interface the event is sourced from. (May change to ObjectName.)
EventName      String    The name of the metric of the hardware interface.
Value          Float     The value of the metric.
EventChecksum  String    The calculated digest (checksum) value.
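The SNARE, SNARE V2 and SYSLOG (RFC3164) layouts from section 1 parsed into one typed record and checked against the field types in the table above. This is an added example, not code from Snare or its documentation. It assumes the Snare fields are tab-separated (as in the agent's standard event format); the sample lines, hostnames, instance names, timestamps and checksum strings are constructed for illustration.

```python
"""Parse Snare Enterprise Agent telemetry events (SNARE, SNARE V2 and
RFC3164-wrapped SNARE) and validate them against the field table.
Added example, not Snare's own code; tab separation is assumed."""
import json
import re
from dataclasses import dataclass
from typing import Optional

METRIC_TYPES = {"CPU", "DSK", "MEM", "NET"}   # MetricType values from the table
EVENT_TYPE = "TelemetryLog"                   # the only EventType on this page
CHECKSUM_PREFIX = "EventChecksum="

# RFC3164 header: <PRI>MMM DD HH:MM:SS hostname, then the Snare fields.
RFC3164_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})[ \t]"
    r"(?P<host>\S+)[ \t](?P<body>.*)$"
)


@dataclass
class TelemetryEvent:
    hostname: str
    event_type: str
    severity: int                         # SeverityLevel (Integer)
    time_created: str                     # TimeCreated (YYYY-MM-DDThh:mm:ss)
    metric_type: str                      # CPU|DSK|MEM|NET
    instance_name: str
    event_name: str
    value: float                          # Value (Float)
    checksum: str                         # EventChecksum digest, as transmitted
    syslog_facility: Optional[int] = None  # only set for syslog-wrapped events


def _build(host, etype, sev, ts, mtype, inst, ename, value, csum, facility=None):
    """Apply the field-table types and reject events that do not match them."""
    if etype != EVENT_TYPE:
        raise ValueError(f"unexpected EventType {etype!r}")
    if mtype not in METRIC_TYPES:
        raise ValueError(f"unknown MetricType {mtype!r}")
    if not csum:
        raise ValueError("missing EventChecksum")
    return TelemetryEvent(host, etype, int(sev), ts, mtype, inst, ename,
                          float(value), csum, facility)


def parse_snare(line, facility=None):
    """SNARE: nine tab-separated fields, the last being EventChecksum=<digest>."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}")
    host, etype, sev, ts, mtype, inst, ename, value, csum = fields
    if not csum.startswith(CHECKSUM_PREFIX):
        raise ValueError("last field is not EventChecksum=<digest>")
    return _build(host, etype, sev, ts, mtype, inst, ename, value,
                  csum[len(CHECKSUM_PREFIX):], facility)


def parse_snare_v2(line):
    """SNARE V2: three tab-separated header fields followed by a JSON object."""
    host, etype, sev, payload = line.rstrip("\r\n").split("\t", 3)
    event = json.loads(payload)["Event"]
    data = event["Data"]
    created = event["System"]["TimeCreated"]
    # The page places EventChecksum under System.TimeCreated in SNARE V2 but
    # under Data in SYSLOG JSON, so accept it from either location.
    csum = created.get("EventChecksum") or data.get("EventChecksum") or ""
    return _build(host, etype, sev, created["SystemTime"], data["MetricType"],
                  data["InstanceName"], data["EventName"], data["Value"], csum)


def parse_syslog_rfc3164(line):
    """SYSLOG (RFC3164): strip <PRI> and the syslog header, take Hostname from
    the header, and parse the remaining fields as SNARE."""
    m = RFC3164_HDR.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC3164-wrapped Snare line")
    pri = int(m.group("pri"))            # PRI = facility * 8 + severity
    body = m.group("host") + "\t" + m.group("body")
    return parse_snare(body, facility=pri >> 3)


def parse_any(line):
    """Dispatch on line shape: syslog PRI prefix, JSON payload, or plain SNARE."""
    if line.startswith("<"):
        return parse_syslog_rfc3164(line)
    if "\t{" in line:
        return parse_snare_v2(line)
    return parse_snare(line)


def is_valid(line):
    """True when the line parses and satisfies the field-table constraints."""
    try:
        parse_any(line)
        return True
    except (ValueError, KeyError):
        return False


# Constructed sample lines (not captured from a real agent); all values assumed.
SAMPLE_SNARE = ("WIN-HOST01\tTelemetryLog\t1\t2024-01-15T10:30:00\tCPU\t_Total\t"
                "ProcessorTime\t12.5\tEventChecksum=0123456789abcdef")
SAMPLE_V2 = ('WIN-HOST01\tTelemetryLog\t1\t{"Event":{"Data":{"MetricType":"MEM",'
             '"InstanceName":"Memory","EventName":"AvailableMBytes","Value":"2048"},'
             '"System":{"TimeCreated":{"SystemTime":"2024-01-15T10:30:00",'
             '"LocalTime":"2024-01-15T21:30:00","EventChecksum":"fedcba9876543210"}}}}')
SAMPLE_SYSLOG = ("<14>Jan 15 10:30:00 WIN-HOST01\tTelemetryLog\t1\t2024-01-15T10:30:00\t"
                 "NET\tEthernet0\tBytesTotalPerSec\t1048576.0\tEventChecksum=0011223344556677")

if __name__ == "__main__":
    for sample in (SAMPLE_SNARE, SAMPLE_V2, SAMPLE_SYSLOG):
        print(parse_any(sample))
```

The parser carries EventChecksum through unchanged but does not verify it: the page does not state the digest algorithm or which fields it covers, so verification has to follow the agent's own documentation. Until it is verified, treat the checksum as a transport integrity hint rather than proof that the event came from the agent.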

...