The Snare dispatcher agent receives data from the native Linux audit subsystem. The native audit daemon reports data in such a way that:

...

Snare for Linux uses an internal cache to amalgamate all lines relating to an individual event into "one line per event" format, once appropriate filtering/event selection has taken place. An event will look like this once processed by Snare:

127.0.0.1       LinuxKAudit     0       event,fchmod,2018-05-15 00:00:01        sequence,1219936        uid,4294967295,unknown  euid,0,root     gid,0,root      egid,0,root     process,,/usr/lib/systemd/systemd-logind        return,0,yes    name,null        exe,/usr/lib/systemd/systemd-logind  success,yes  return,0  syscall,91,fchmod uid,unknown  euid,root  gid,root  egid,root  arch,  name,null a0,17 a1,1a4 a2,fbad2484 a3,24 items,1 ppid,1 pid,742 uid,0 suid,0 fsuid,0 sgid,0 fsgid,0 tty,none ses,4294967295 comm,systemd-logind key,obj-3-1 item,0 inode,17098379 dev,00:13 mode,0100600 ouid,0 ogid,0 rdev,00:00 objtype,NORMAL proctitle,/usr/lib/systemd/systemd-logind   snareseq,33945

Snare for Linux presents the information in a series of token/data groups. Two levels of field separator are used in order to facilitate follow-on processing: TABS (by default) separate 'tokens', and COMMAS separate the data within each token. A 'token' is a group of related data, comprising a 'header' followed by a series of comma-separated fields that hold the data relating to that header. Note that the same header (for example uid) can appear more than once in a single event, so a consumer should keep tokens in order rather than collapse them into a simple header-to-value map. Depending on the log format selected for the destination SIEM, a different delimiter may be selected to separate the 'tokens'.

Info

If additional optional fields are configured, they are appended at the end of the event log message as <delimiter><FieldName>=<FieldValue>, using the same token delimiter that is in effect for the selected log format.
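A parser for the event format described above, added here as an example; it is not Snare's own code. It assumes the default TAB token delimiter (overridable for formats that use another delimiter), treats the first three tab-separated fields as the reporting host, the source name and a criticality value (the page does not name those three fields, so that labelling is an assumption), keeps repeated headers such as uid in order instead of collapsing them, and separates trailing FieldName=FieldValue optional fields from the comma-structured tokens. The sample event is constructed from the page's example, with a hypothetical Hostname optional field appended.

```python
"""Parse Snare for Linux 'one line per event' records.

Added example, not Snare's own code. Assumptions: TAB separates tokens
unless told otherwise; the leading three fields are host, source and
criticality (names assumed, the page does not label them); optional
fields arrive last as FieldName=FieldValue with no comma-separated header.
"""
from typing import Dict, List, Optional, Tuple

Token = Tuple[str, List[str]]  # (header, comma-separated data fields)

# Constructed sample based on the page's example event, with explicit TABs
# between tokens and a hypothetical optional field 'Hostname' appended.
SAMPLE_EVENT = "\t".join([
    "127.0.0.1", "LinuxKAudit", "0",
    "event,fchmod,2018-05-15 00:00:01",
    "sequence,1219936",
    "uid,4294967295,unknown",
    "euid,0,root",
    "gid,0,root",
    "egid,0,root",
    "process,,/usr/lib/systemd/systemd-logind",
    "return,0,yes",
    "name,null",
    "exe,/usr/lib/systemd/systemd-logind",
    "syscall,91,fchmod",
    "pid,742",
    "ppid,1",
    "comm,systemd-logind",
    "key,obj-3-1",
    "snareseq,33945",
    "Hostname=auditbox01",  # hypothetical optional field
])


def parse_snare_event(line: str, delimiter: str = "\t") -> Dict[str, object]:
    """Split one event line into header fields, ordered tokens and optional fields."""
    parts = line.rstrip("\r\n").split(delimiter)
    if len(parts) < 4:
        raise ValueError("not a Snare event line: fewer than four fields")
    host, source, criticality = parts[0], parts[1], parts[2]
    tokens: List[Token] = []
    extras: Dict[str, str] = {}
    for part in parts[3:]:
        if not part:
            continue
        # Optional fields look like Name=Value and have no comma before the '='.
        # A token such as 'exe,/path/with=equals' still has a comma in that
        # prefix, so it is not mistaken for an optional field.
        name, sep, value = part.partition("=")
        if sep and "," not in name:
            extras[name] = value
            continue
        header, has_comma, rest = part.partition(",")
        # 'process,,/usr/...' yields an empty first field; keep it, the
        # positions are meaningful.
        fields = rest.split(",") if has_comma else []
        tokens.append((header, fields))
    return {
        "host": host,
        "source": source,
        "criticality": criticality,
        "tokens": tokens,
        "extras": extras,
    }


def tokens_for(event: Dict[str, object], header: str) -> List[List[str]]:
    """All field lists for a header, in event order (headers may repeat)."""
    return [fields for h, fields in event["tokens"] if h == header]


def field(event: Dict[str, object], header: str, index: int) -> Optional[str]:
    """Index-th field of the first token carrying 'header', or None if absent."""
    for fields in tokens_for(event, header):
        return fields[index] if index < len(fields) else None
    return None


def summarize(event: Dict[str, object]) -> str:
    """One-line human summary useful when eyeballing filtered output."""
    return "{} {} by euid {} pid {} exe {}".format(
        event["host"],
        field(event, "syscall", 1),
        field(event, "euid", 1),
        field(event, "pid", 0),
        field(event, "exe", 0),
    )


if __name__ == "__main__":
    ev = parse_snare_event(SAMPLE_EVENT)
    print(summarize(ev))
    print("optional fields:", ev["extras"])
```

Because headers repeat, tokens_for returns every occurrence in order; field reads only the first, which is the right one for the leading uid/euid/gid/egid tokens that carry both numeric id and name. Passing delimiter="|" (or whatever the chosen log format uses) applies the same logic to non-TAB outputs.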