Appendix B - Event Output Format

The Snare agent receives data from the native Linux audit subsystem.  The native audit daemon reports data in such a way that:

  • It is 'programmatically' difficult to determine how many 'lines' make up an audit event. Some lines can be repeated, with slightly different values.
  • You can have multiple, identical tokens for an event (e.g. two "path=" tokens)
  • Event lines may be interleaved (i.e. you might get two lines from event # 1000, then one line from event # 1001, then another line from event # 1000).
  • Some filename characters are translated into their HEX equivalents, which makes matching filenames difficult.

Snare for Linux uses an internal cache to amalgamate all lines relating to an individual event into a "one line per event" format, once appropriate filtering/event selection has taken place. An event will look like this once processed by Snare:

127.0.0.1       LinuxKAudit     0       event,fchmod,2018-05-15 00:00:01        sequence,1219936        uid,4294967295,unknown  euid,0,root     gid,0,root      egid,0,root     process,,/usr/lib/systemd/systemd-logind        return,0,yes    name,null        exe,/usr/lib/systemd/systemd-logind  success,yes  return,0  syscall,91,fchmod uid,unknown  euid,root  gid,root  egid,root  arch,  name,null a0,17 a1,1a4 a2,fbad2484 a3,24 items,1 ppid,1 pid,742 uid,0 suid,0 fsuid,0 sgid,0 fsgid,0 tty,none ses,4294967295 comm,systemd-logind key,obj-3-1 item,0 inode,17098379 dev,00:13 mode,0100600 ouid,0 ogid,0 rdev,00:00 objtype,NORMAL proctitle,/usr/lib/systemd/systemd-logind   snareseq,33945

Snare for Linux presents the information in a series of token/data groups. Three different field separators are used to facilitate follow-on processing: TABS (by default) separate 'tokens', and COMMAS separate the data within each token. A 'token' is a group of related data, comprising a 'header' and a series of comma-separated fields that make up the data relating to that header. Depending on the log format selected to be sent to the destination SIEM, a different delimiter may be selected to separate the 'tokens'.

If additional optional fields are configured, they are appended at the end of the event log message as <delimiter><FieldName>=<FieldValue>.
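As an added example (not Snare's own code), the following Python parser splits a processed record into its tab-separated tokens and comma-separated data, keeps repeated tokens (e.g. two "name," or "return," tokens) in order rather than overwriting them, and separates any trailing FieldName=FieldValue optional fields. The sample record, the names given to the three leading columns (source, sourcetype, criticality) and the RiskScore optional field are constructed assumptions, not values from the page.

```python
"""Parse a Snare for Linux 'one line per event' record into its token groups."""
from collections import defaultdict

# Constructed sample modelled on the record above: three leading columns, then
# TAB-separated tokens, each a header followed by comma-separated data, and one
# hypothetical optional field appended as <delimiter>Name=Value.
SAMPLE = (
    "127.0.0.1\tLinuxKAudit\t0\t"
    "event,fchmod,2018-05-15 00:00:01\tsequence,1219936\t"
    "uid,4294967295,unknown\teuid,0,root\treturn,0,yes\t"
    "syscall,91,fchmod\treturn,0\tname,null\titem,0\t"
    "name,/etc/passwd\tsnareseq,33945\tRiskScore=7"
)


def parse_snare_event(line, token_sep="\t"):
    """Return {source, sourcetype, criticality, tokens, optional} for one record.

    tokens maps a token header to a list of data lists, one per occurrence,
    so duplicated tokens are preserved instead of silently overwritten.
    """
    header_keys = ("source", "sourcetype", "criticality")  # assumed names
    parts = line.rstrip("\r\n").split(token_sep)
    if len(parts) < 4:
        raise ValueError("record has no token section")
    event = dict(zip(header_keys, parts[:3]))
    tokens = defaultdict(list)
    optional = {}
    for tok in parts[3:]:
        if not tok:
            continue
        # Optional fields are Name=Value; a token header never contains '=',
        # so an '=' before the first comma marks an appended optional field.
        head = tok.split("=", 1)[0]
        if "=" in tok and "," not in head:
            name, value = tok.split("=", 1)
            optional[name] = value
            continue
        name, _, data = tok.partition(",")
        tokens[name].append(data.split(",") if data else [])
    event["tokens"] = dict(tokens)
    event["optional"] = optional
    return event


if __name__ == "__main__":
    parsed = parse_snare_event(SAMPLE)
    for header, occurrences in parsed["tokens"].items():
        print(header, occurrences)
```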