Appendix A - Event output format

The Epilog service collects data from the identified log files, appends some header tokens and passes it unaltered to the identified network destination. A 'token' is simply a piece of data, such as 'date' or 'log type'. Each token is separated by a delimiter. A delimiter may be TAB or any string other than TAB. Groups of delimiter-separated header tokens, together with the log file data, make up an event, which may look something like this, assuming the Epilog service is configured with SNARE as its log format.

<hostname><delimiter><event log type><delimiter><criticality><delimiter><log data>

Example:

VMsql12.snare.ia ApacheLog 0 [16/Jun/2008:10:10:00 +1000] "GET / HTTP/1.1" 200 44 

If additional optional fields are configured, they are appended to the end of the event log message as <delimiter><FieldName>=<FieldValue>
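The following parser is an added example, not code from the Epilog documentation or the Snare project; it splits an event laid out as described in this appendix into its header tokens, log data and optional trailing fields. It assumes the delimiter is TAB (the field names `Site` and `Env` in the sample are constructed, not fields Epilog defines).

```python
"""Parse Epilog events in SNARE log format (added example, not Snare's own code).

Layout from Appendix A:
    <hostname><delim><event log type><delim><criticality><delim><log data>
optionally followed by <delim><FieldName>=<FieldValue> pairs.
Assumption: the delimiter is TAB and the three header tokens never contain it.
"""
import re
from dataclasses import dataclass, field

DELIM = "\t"
# An optional trailing field is Name=Value; the name is a plain identifier.
_FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

@dataclass
class EpilogEvent:
    hostname: str
    log_type: str
    criticality: int
    log_data: str
    fields: dict = field(default_factory=dict)

def parse_event(line: str, delim: str = DELIM) -> EpilogEvent:
    """Split one event into its header tokens, log data and optional fields."""
    parts = line.rstrip("\r\n").split(delim, 3)
    if len(parts) < 4:
        raise ValueError(f"expected 4 header parts, got {len(parts)}: {line!r}")
    hostname, log_type, crit, rest = parts
    if not crit.isdigit():
        raise ValueError(f"criticality is not an integer: {crit!r}")
    # Peel Name=Value fields off the end; whatever remains is the raw log data.
    # Caveat: log data that itself ends in <delim>word=value would be misread
    # as a field, so treat this split as best-effort for free-form sources.
    chunks = rest.split(delim)
    pairs = []
    while len(chunks) > 1 and _FIELD_RE.match(chunks[-1]):
        name, value = chunks.pop().split("=", 1)
        pairs.append((name, value))
    return EpilogEvent(hostname, log_type, int(crit), delim.join(chunks), dict(reversed(pairs)))

# Constructed sample: the Apache event from this appendix plus two optional fields.
SAMPLE = ("VMsql12.snare.ia\tApacheLog\t0\t"
          '[16/Jun/2008:10:10:00 +1000] "GET / HTTP/1.1" 200 44'
          "\tSite=web01\tEnv=prod")

if __name__ == "__main__":
    print(parse_event(SAMPLE))
```

Because the log data is passed through unaltered, a collector should validate the criticality and log type rather than trust the free-form tail, and should expect the optional-field split to be ambiguous for sources whose lines can end in `word=value`.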