...
<Hostname> TelemetryLog <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>
SNARE V2
<Hostname> TelemetryLog <SeverityLevel> {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>"},"System":{"TimeCreated":{"SystemTime":"<SystemTime>","LocalTime":"<LocalTime>","EventChecksum": "<EventChecksum>"}}}}
SYSLOG (RFC3164)
<<SyslogPriority>><TimeCreated (MMM DD HH:MM:SS)> <Hostname> TelemetryLog <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>
SYSLOG Alt (RFC5424 Compatible)
<<SyslogPriority>><TimeCreated (MMM DD HH:MM:SS)> <Hostname> TelemetryLog[<SeverityLevel>]:<TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>
SYSLOG (RFC5424)
<<SyslogPriority>><SyslogVersion> <Time Created (YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - TelemetryLog - <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>
CEF
<TimeCreated (MMM DD HH:MM:SS)> <Hostname> CEF:<CEFVersion>|<CompanyName>|<ProductName>|<ProductVersion>|TelemetryLog|<EventName>|<CEFSeverity>|value=<Value> dvchost=<Hostname> msg=<YYYY-MM-DD>|<hh:mm:ss>|<MetricType>|<InstanceName>|<EventName>|<Value>
...
<<SyslogPriority>><SyslogVersion> <Time Created (YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - TelemetryLog - <SeverityLevel> {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>","EventChecksum": "<EventChecksum>"}}}
2. Telemetry Event Fields
...
Field | Type | Description |
---|---|---|
Hostname | String | The host name of the originating computer. |
EventType | String | TelemetryLog - the type of event generated. |
SeverityLevel | Integer | The severity level (Criticality) of the generated event. |
TimeCreated | Datetime | The time at which the telemetry event was created (YYYY-MM-DDThh:mm:ss). |
MetricType | String | The hardware component that is the source of the event; events from the CPU, Disk, Memory or Network can be collected and are labelled CPU, DSK, MEM or NET respectively. |
InstanceName (May change to ObjectName) | String | The name of the hardware interface the event is sourced from. For example, if events from the Disk (DSK) are collected, there may be multiple storage interfaces present, such as HarddiskVolume1, HarddiskVolume2, etc. |
EventName | String | The name of the metric of the hardware interface. Given a hardware interface named by its InstanceName, the EventName denotes the metric of that interface that is collected, e.g. EventName '% Free Space' from InstanceName 'HarddiskVolume1'. |
Value | Float | The value of the metric. |
EventChecksum (Optional) | String | The calculated digest (checksum) value; this is additional optional data that may be set in the Event Options settings of the Agent. |
EventSourceId (Optional) | Integer | The unique ID of the event. Like the EventChecksum, this is optional data and is enabled in the same way. |
Please refer to The Web User Interface (UI) → Log Sources → Telemetry page in this User Guide for instructions on how to configure periodic Telemetry scans in the Snare Agent.
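As an added example (not part of the Snare documentation or the Agent's own code), the following Python parser reads the SNARE V1 text layout and the two JSON-bearing layouts shown above (SNARE V2 and the RFC5424 variant carrying a JSON payload) into the fields of the table. The sample lines are constructed; hostname, product name and values are made up, and it assumes that in the V1 layout InstanceName and Value contain no spaces and that the JSON object is the last thing on the line.

```python
import json
import re

# Constructed sample lines in three of the layouts above (all values are made up)
SNARE_V1 = ("WKS01 TelemetryLog 1 2024-01-15T10:00:00 DSK HarddiskVolume1 "
            "% Free Space 42.5 EventChecksum=abc123")
SNARE_V2 = ('WKS01 TelemetryLog 1 {"Event":{"Data":{"MetricType":"DSK","InstanceName":"HarddiskVolume1",'
            '"EventName":"% Free Space","Value":"42.5"},"System":{"TimeCreated":{"SystemTime":'
            '"2024-01-15T10:00:00","LocalTime":"2024-01-15T21:00:00","EventChecksum":"abc123"}}}}')
RFC5424_JSON = ('<14>1 2024-01-15T10:00:00.000000+00:00 WKS01 SnareAgent - TelemetryLog - 1 '
                '{"Event":{"Data":{"MetricType":"CPU","InstanceName":"_Total",'
                '"EventName":"% Processor Time","Value":"87.0","EventChecksum":"def456"}}}')

# SNARE V1 text layout: EventName may itself contain spaces ("% Free Space"), so it is matched
# non-greedily; InstanceName and Value are assumed (not stated on the page) to contain none.
V1_RE = re.compile(
    r"^(?P<Hostname>\S+) TelemetryLog (?P<SeverityLevel>\d+) (?P<TimeCreated>\S+) "
    r"(?P<MetricType>CPU|DSK|MEM|NET) (?P<InstanceName>\S+) (?P<EventName>.+?) "
    r"(?P<Value>\S+)(?: EventChecksum=(?P<EventChecksum>\S+))?$"
)

def parse_telemetry(line):
    """Fields of one SNARE V1 / V2 / RFC5424+JSON telemetry line as a dict, else None."""
    line = line.rstrip("\r\n")
    brace = line.find("{")
    if brace < 0:                      # no JSON payload: try the V1 text layout
        m = V1_RE.match(line)
        if not m:
            return None
        rec = m.groupdict()
    else:                              # JSON payload: header tokens precede the '{'
        header = line[:brace].split()
        if "TelemetryLog" not in header or len(header) < 3:
            return None
        syslog = header[0].startswith("<")  # RFC5424 header: <PRI>VERSION TIMESTAMP HOSTNAME ...
        rec = {"Hostname": header[2] if syslog else header[0], "SeverityLevel": header[-1]}
        try:
            event = json.loads(line[brace:])["Event"]
            rec.update(event.get("Data", {}))
            tc = event.get("System", {}).get("TimeCreated", {})
        except (ValueError, KeyError, TypeError, AttributeError):
            return None
        # V2 carries the time and checksum under System.TimeCreated; the RFC5424 JSON variant
        # keeps the checksum in Data, so fall back to the syslog header timestamp for the time.
        rec.setdefault("TimeCreated", tc.get("SystemTime") or (header[1] if syslog else None))
        rec.setdefault("EventChecksum", tc.get("EventChecksum"))
    try:
        rec["SeverityLevel"] = int(rec["SeverityLevel"])   # Integer per the field table
        rec["Value"] = float(rec["Value"])                 # Float per the field table
    except (ValueError, TypeError, KeyError):
        return None
    rec["EventType"] = "TelemetryLog"
    return rec
```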
...