The Snare dispatcher agent receives data from the native Linux audit subsystem. The native audit daemon reports data in such a way that:
...
Snare for Linux uses an internal cache to amalgamate all lines relating to an individual event, into "one line per event" format, once appropriate filtering/event selection has taken place. An event will look like this once processed by Snare:
127.0.0.1 LinuxKAudit 0 event,fchmod,2018-05-15 00:00:01 sequence,1219936 uid,4294967295,unknown euid,0,root gid,0,root egid,0,root process,,/usr/lib/systemd/systemd-logind return,0,yes name,null exe,/usr/lib/systemd/systemd-logind success,yes return,0 syscall,91,fchmod uid,unknown euid,root gid,root egid,root arch, name,null a0,17 a1,1a4 a2,fbad2484 a3,24 items,1 ppid,1 pid,742 uid,0 suid,0 fsuid,0 sgid,0 fsgid,0 tty,none ses,4294967295 comm,systemd-logind key,obj-3-1 item,0 inode,17098379 dev,00:13 mode,0100600 ouid,0 ogid,0 rdev,00:00 objtype,NORMAL proctitle,/usr/lib/systemd/systemd-logind snareseq,33945
Snare for Linux presents the information in a series of token/data groups. Three different field separators are used in order to facilitate follow-on processing - TABS (by default) separate 'tokens', COMMAS separate data within each token. A 'token' is a group of related data, comprising a 'header', and a series of comma separated fields which make up data that relates to the header. Depending on the log format selected to be sent to the destination SIEM, different delimiters may be selected to separate the 'tokens'.
Info |
---|
If additional optional fields are configured, they are appended at the end of event log message as <delimiter><FieldName>=<FieldValue> |