Example of the Telemetry events generated by a Snare Enterprise Agent for Windows:
Note
This example shows the events in Snare format. The first four fields are the event header and may be formatted differently in other event formats.
1. Formats
The following formats are possible formats for telemetry events:
SNARE
<Hostname> TelemetryLog <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>
SNARE V2
<Hostname> TelemetryLog <SeverityLevel> {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>"},"System":{"TimeCreated":{"SystemTime":"<SystemTime>","LocalTime":"<LocalTime>","EventChecksum": "<EventChecksum>"}}}} SYSLOG (RFC3164)
<<SyslogPriority>><TimeCreated (MMM DD HH:MM:SS)> <Hostname> TelemetryLog <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>SYSLOG Alt (RFC5424 Compatible)
<<SyslogPriority>><TimeCreated (MMM DD HH:MM:SS)> <Hostname> TelemetryLog[<SeverityLevel>]:<TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>SYSLOG (RFC5424)
<<SyslogPriority>><SyslogVersion> <Time Created (YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - TelemetryLog - <SeverityLevel> <TimeCreated> <MetricType> <InstanceName> <EventName> <Value> EventChecksum=<EventChecksum>CEF
<TimeCreated (MMM DD HH:MM:SS)> <Hostname> CEF:<CEFVersion>|<CompanyName>|<ProductName>|<ProductVersion>|TelemetryLog|<EventName>|<CEFSeverity>|value=<Value> dvchost=<Hostname> msg=<YYYY-MM-DD>|<hh:mm:ss>|<MetricType>|<InstanceName>|<EventName>|<Value>LEEF
<TimeCreated (MMM DD HH:MM:SS)> <Hostname> LEEF:<LEEFVersion>|<CompanyName>|<ProductName>|<ProductVersion>|TelemetryLog|URL=TelemetryLog sev=<LEEFSeverity> resource=<Hostname> value=<Value> msg=<TimeCreated> <MetricType> <InstanceName> <EventName> <Value>SYSLOG JSON
<<SyslogPriority>><SyslogVersion> <Time Created (YYYY-MM-DDThh:mm:ss.ssssss±hh:mm)> <Hostname> <ProductName> - TelemetryLog - <SeverityLevel> {"Event":{"Data":{"MetricType":"<MetricType>","InstanceName":"<InstanceName>","EventName":"<EventName>","Value":"<Value>","EventChecksum": "<EventChecksum>"}}}2. Fields
Below is a table describing the contents of a Telemetry Event generated by Snare Agent.
| Field | Type | Description |
|---|---|---|
| Hostname | String | The host name of the originating computer. |
| EventType | String | TelemetryLog - the type of event generated. |
SeverityLevel | Integer | The severity level (Criticality) of the generated event. |
| TimeCreated | Datetime | The time at which the telemetry event was . (YYYY-MM-DDT hh:mm:ss) |
| MetricType | String | CPU|DSK|MEM|NET |
InstanceName (May change to ObjectName) | String | The name of the hardware interface the event is sourced. |
| EventName | String | The name of the metric of the hardware interface. |
| Value | Float | The value of the metric. |
| EventChecksum | String | The calculated digest (checksum) value. |
Please refer to The Web User Interface (UI) → Log Sources → Telemetry page in this User Guide for instructions on how to configure periodic Telemetry scans in the Snare Agent.