Appendix B - macOS Audit Event Output Format

The Snare Agent reads the operating system's audit log data from the auditpipe of the native macOS audit subsystem.

The Snare Agent presents the information as a series of token/data groups. Two different field separators are used to facilitate follow-on processing: TABS (by default) separate 'tokens', and COMMAS separate the data within each token. A 'token' is a group of related data comprising a 'key' followed by a series of comma-separated fields that hold the data relating to that key. Depending on the log format selected for the destination SIEM, a different delimiter may be selected to separate the 'tokens'.

The native audit log data is generated in such a way that:

  • The order and number of the tokens in each event is not constant
  • You can have multiple, identical tokens for an event (e.g. two path tokens)

Note

Snare will sort all the tokens between header and trailer tokens in alphabetical order, preserving the original order of the tokens that appear more than once (such as "path,").


An event will look like this once processed by Snare (the token separators are shown here as whitespace; in the actual output they are the configured delimiter, TAB by default):

my-machine.snare.ia       AppleBSM       header,251,11,chmod(2),0,Thu Jul 4 23:35:59 2019, + 317 msec       argument,2,0x1a4,new file mode       attribute,100644,_locationd,_locationd,16777220,2246024,0       identity,1,com.apple.locationd,complete,,complete,0xbdd58d6b11549b106f8ea0d195a97df40d7114ba       path,/var/db/locationd/clients.plist       path,/private/var/db/locationd/clients.plist       return,success,0       subject,-1,_locationd,_locationd,_locationd,_locationd,80,100000,0,0.0.0.0       trailer,251       snareseq,11075


If additional optional fields are configured, they are appended at the end of the event log message as <delimiter><FieldName>=<FieldValue>.
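The following parser is an added example, not part of this appendix or of the Snare product, that applies the rules above to the sample event: it splits the line on the token delimiter (TAB by default), splits each token into its key and comma-separated fields, keeps repeated tokens (the two "path" tokens) in wire order, and treats everything after the "snareseq" token as appended <FieldName>=<FieldValue> pairs. The sample line is constructed from the event shown above with an added "Criticality=1" optional field that is hypothetical. Two caveats a consumer of this format needs are built in: the header's timestamp contains a comma, so a plain comma split severs the " + 317 msec" part and it has to be rejoined, and the "identity" token contains an empty field that must be preserved. It also shows the Note's sorting rule as a stable sort between "header" and "trailer", which is why two "path" tokens never swap places.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the layout shown in this appendix. Tokens are joined
# with the default TAB delimiter; the final "Criticality=1" group is a
# hypothetical optional field of the <FieldName>=<FieldValue> form.
SAMPLE_EVENT = "\t".join([
    "my-machine.snare.ia",
    "AppleBSM",
    "header,251,11,chmod(2),0,Thu Jul 4 23:35:59 2019, + 317 msec",
    "argument,2,0x1a4,new file mode",
    "attribute,100644,_locationd,_locationd,16777220,2246024,0",
    "identity,1,com.apple.locationd,complete,,complete,"
    "0xbdd58d6b11549b106f8ea0d195a97df40d7114ba",
    "path,/var/db/locationd/clients.plist",
    "path,/private/var/db/locationd/clients.plist",
    "return,success,0",
    "subject,-1,_locationd,_locationd,_locationd,_locationd,80,100000,0,0.0.0.0",
    "trailer,251",
    "snareseq,11075",
    "Criticality=1",  # hypothetical optional field, not from the page
])

Token = Tuple[str, List[str]]  # (key, comma-separated fields)


@dataclass
class SnareEvent:
    host: str
    source: str
    tokens: List[Token]      # wire order; the same key may occur more than once
    extra: Dict[str, str]    # optional FieldName=FieldValue pairs after snareseq

    def get(self, key: str) -> List[List[str]]:
        """All field lists carried by tokens with this key, in wire order."""
        return [fields for k, fields in self.tokens if k == key]


def parse_event(line: str, delimiter: str = "\t") -> SnareEvent:
    """Split one Snare macOS audit line into host, source, tokens and extras."""
    groups = line.rstrip("\r\n").split(delimiter)
    if len(groups) < 3:
        raise ValueError("expected host, source and at least one token")
    host, source = groups[0], groups[1]
    tokens: List[Token] = []
    extra: Dict[str, str] = {}
    past_snareseq = False
    for group in groups[2:]:
        if past_snareseq:
            # Assumption: every group after snareseq is an appended optional field.
            name, _, value = group.partition("=")
            extra[name] = value
            continue
        key, _, rest = group.partition(",")
        # str.split keeps empty fields, e.g. the blank 4th field of "identity".
        fields = rest.split(",") if rest else []
        tokens.append((key, fields))
        if key == "snareseq":
            past_snareseq = True
    return SnareEvent(host, source, tokens, extra)


def header_info(event: SnareEvent) -> Tuple[str, str]:
    """Return (event name, timestamp) from the header token.

    The timestamp itself contains a comma (", + 317 msec"), so the comma split
    leaves it in two fields; rejoin everything from the 5th field onwards.
    """
    fields = event.get("header")[0]
    return fields[2], ",".join(fields[4:])


def canonical_order(tokens: List[Token]) -> List[Token]:
    """Apply the ordering rule from the Note: sort tokens between header and
    trailer alphabetically by key. Python's sort is stable, so tokens sharing a
    key (e.g. two "path" tokens) keep their original relative order."""
    keys = [k for k, _ in tokens]
    start = keys.index("header") + 1
    end = keys.index("trailer")
    middle = sorted(tokens[start:end], key=lambda t: t[0])
    return tokens[:start] + middle + tokens[end:]


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(ev.host, ev.source, header_info(ev))
    for key, fields in ev.tokens:
        print(f"  {key}: {fields}")
    print("optional:", ev.extra)
```

Because the agent already emits the sorted order, `canonical_order` is mainly useful when comparing events that were reassembled from another source, or when writing detection logic that wants a fixed token position regardless of what the audit subsystem produced.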