Log Types: TelemetryLog

Overview

A TelemetryLog event carries information (telemetry) collected from a system, device, or application in order to monitor its performance, health, or behavior.

Snare Enterprise Agents for Windows and Linux can periodically collect CPU, Memory, Disk, and Network telemetry from the system on which the Agent is installed and forward it as TelemetryLog events.

Collection

The Snare Enterprise Agent for Windows or Linux must be installed on the device(s) being monitored. It should be configured with the appropriate Telemetry policies and set to forward events to a Snare Central instance using either the SNARE or SNARE v2 format. For detailed configuration instructions, please refer to the corresponding Snare Agent User Guide.

Below is an example of Telemetry events sent in SNARE format:

Sample Events

2025-05-19 09:03:01 2025-05-19T09:03:01 SYSTEM-NAME TelemetryLog CLEAR CPU Total % Privileged Time 21.46
2025-05-19 09:03:01 2025-05-19T09:03:01 SYSTEM-NAME TelemetryLog CLEAR NET Bluetooth Device [Personal Area Network] Bytes Received/sec 0.00
2025-05-19 09:03:01 2025-05-19T09:03:01 SYSTEM-NAME TelemetryLog CLEAR DSK C: - % Free Space 65.92
2025-05-19 09:03:01 2025-05-19T09:03:01 SYSTEM-NAME TelemetryLog CLEAR MEM - Committed Bytes 13847310336

Field                     Description

DATE                      Event date, in the format YYYY-MM-DD
TIME                      Event time, in the format HH:MM:SS
SYSTEM                    The host name of the originating computer.
TABLE                     TelemetryLog
DATETIME                  Event date and time, in the format YYYY-MM-DD:HH:MM:SS
CRITICALITY               The severity level (Criticality) of the generated event: CLEAR = 0, INFORMATION = 1, WARNING = 2, PRIORITY = 3, CRITICAL = 4
METRICTYPE                The hardware component that is the source of the event. Events from the CPU, Disk, Memory, or Network can be collected and are labelled CPU, DSK, MEM or NET, respectively.
INSTANCENAME              The name of the hardware interface from which the event is sourced. For example, if events from the Disk (DSK) are collected, there may be multiple storage interfaces present, such as HarddiskVolume1, HarddiskVolume2, etc.
MOUNTPOINT (Optional)     The directory in a Linux file system where an additional file system is attached. This field is exclusive to the Linux TelemetryLog DSK metric type.
EVENTNAME                 The name of the metric of the hardware interface. Given a hardware interface named by its InstanceName, the EventName denotes the metric of that interface that is collected, e.g. EventName '% Free Space' from InstanceName 'HarddiskVolume1'.
VALUE                     The value of the metric.
EVENTCHECKSUM (Optional)  The calculated SHA3-512 hash of the event, excluding the EventChecksum field itself. This is additional optional data that may be enabled in the Event Options settings of the Agent.
EVENTSOURCEID (Optional)  A configurable ID/string for identifying the agent/host. Like the EventChecksum, this is optional data and is enabled in the same way.
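As an added example (not Snare's own code), a small Python parser for the field layout documented above, with a defender-side rule that flags disks reporting low free space. It assumes the fields are tab-delimited with DATE and TIME sharing the first field, that MOUNTPOINT appears only on DSK events (with "-" as a placeholder on Windows), and it does not parse the optional trailing EVENTCHECKSUM/EVENTSOURCEID fields; the sample lines are constructed.

```python
# Criticality names and their numeric levels, as documented for the CRITICALITY field.
CRITICALITY = {"CLEAR": 0, "INFORMATION": 1, "WARNING": 2, "PRIORITY": 3, "CRITICAL": 4}


def parse_event(line: str) -> dict:
    """Parse one tab-delimited TelemetryLog line into a dict keyed by the documented field names."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 9:
        raise ValueError("truncated TelemetryLog event")
    date, time = fields[0].split(" ", 1)  # assumption: DATE and TIME share the first field
    if fields[3] != "TelemetryLog":
        raise ValueError(f"not a TelemetryLog event: {fields[3]!r}")
    if fields[4] not in CRITICALITY:
        raise ValueError(f"unknown criticality: {fields[4]!r}")
    metric_type = fields[5]
    # Assumption: MOUNTPOINT is present only for DSK events (the field table says it is DSK-only),
    # with "-" emitted as a placeholder on Windows, so the EVENTNAME/VALUE positions shift by one.
    has_mount = metric_type == "DSK"
    if has_mount and len(fields) < 10:
        raise ValueError("DSK event is missing the MOUNTPOINT field")
    event_name = fields[8] if has_mount else fields[7]
    value = float(fields[9] if has_mount else fields[8])
    return {
        "DATE": date, "TIME": time, "DATETIME": fields[1], "SYSTEM": fields[2],
        "CRITICALITY": CRITICALITY[fields[4]], "METRICTYPE": metric_type,
        "INSTANCENAME": fields[6], "MOUNTPOINT": fields[7] if has_mount else None,
        "EVENTNAME": event_name, "VALUE": value,
    }


def low_free_space(lines, threshold_pct: float = 10.0) -> list:
    """Return (SYSTEM, INSTANCENAME, MOUNTPOINT, VALUE) for DSK '% Free Space' events below the threshold."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev["METRICTYPE"] == "DSK" and ev["EVENTNAME"] == "% Free Space" and ev["VALUE"] < threshold_pct:
            hits.append((ev["SYSTEM"], ev["INSTANCENAME"], ev["MOUNTPOINT"], ev["VALUE"]))
    return hits


# Constructed sample lines (tab-delimited); the Linux host and its values are illustrative, not real captures.
SAMPLE = [
    "2025-05-19 09:03:01\t2025-05-19T09:03:01\tSYSTEM-NAME\tTelemetryLog\tCLEAR\tCPU\tTotal\t% Privileged Time\t21.46",
    "2025-05-19 09:03:01\t2025-05-19T09:03:01\tSYSTEM-NAME\tTelemetryLog\tCLEAR\tDSK\tC:\t-\t% Free Space\t65.92",
    "2025-05-19 09:03:01\t2025-05-19T09:03:01\tLINUX-HOST\tTelemetryLog\tWARNING\tDSK\tsda1\t/var/log\t% Free Space\t4.50",
    "2025-05-19 09:03:01\t2025-05-19T09:03:01\tSYSTEM-NAME\tTelemetryLog\tCLEAR\tMEM\t-\tCommitted Bytes\t13847310336",
]
```

A disk that is filling up (here the constructed /var/log volume) is worth alerting on because a full log partition silently stops local audit collection.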