Log Types: MSWinEventLog2
Overview
This is similar to MSWinEventLog, except that the agent is sending the events to Snare Central in SNAREv2 format.
Collection
Collection is similar to MSWinEventLog, except that the destination format set in the agent is SNAREv2.
Sample Events
```text
testcomputer MSWinEventLog 1 {"Event":{"xmlns":"http:\/\/schemas.microsoft.com\/win\/2004\/08\/events\/event","System":{"Provider":{"Name":"Microsoft-Windows-GroupPolicy","Guid":"{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}"},"EventID":"5116","Version":"0","Level":"4","Task":"0","Opcode":"0","Keywords":"0x4000000000000000","TimeCreated":{"SystemTime":"2025-06-15T14:36:19.7974869Z","LocalTime":"2025-06-16T00:06:19.797486+09:30"},"EventRecordID":"1686622","Execution":{"ProcessID":"18532","ThreadID":"8836"},"Channel":"Microsoft-Windows-GroupPolicy\/Operational","Computer":"testcomputer","Security":{"UserID":"S-1-5-18"}},"Data":{"GpsvcInitTimeElapsedInMilliseconds":"16","EventLogCounter":"5902"}}}
```
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| DATETIME | Event time, in RFC3339 Nano format |
| SYSTEM | The source system |
| TABLE | MSWinEventLog2 |
| CRITICALITY | Criticality of the event |
| SOURCE | Log source [1] |
| EVENTID | Windows EventID |
| LEVEL | Severity Level |
| TASK | Task [2] |
| OPCODE | OpCode [2] |
| EVENTRECORDID | Windows Event Counter |
| EVENTSOURCEID | Additional data injected by Snare Agent [3] |
| SECURITYID | Security ID of the user that generated the event |
| STATUS | Status returned by the event |
| USER | The User that generated the event |
| TARGETUSER | The target User of the event (for example, in events related to process creation, this refers to the user that created the process) |
| PROCESS | Process that generated the event |
| SNAREDATAMAP | Contains any other field in the event that does not map to an existing Snare field. Format is key=value, with carriage returns (\r) as the delimiter. |
Notes
[1] In contrast with MSWinEventLog, where events from different log sources are sorted into 4 different tables in Snare Central, MSWinEventLog2 events are always stored in a single table and use the SOURCE field to differentiate log sources.
[2] Task and opcode are typically used to identify the location in the application from where the event was logged.
[3] Optional field; its value and presence depend on the Snare Agent configuration.
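The following parser, added here as a worked example and not part of Snare's own code, shows how the sample event above maps onto the fields in the table: it splits the SNAREv2 header from the JSON payload, pulls the System fields into their named Snare columns, derives DATE/TIME from the RFC3339 SystemTime, and folds the remaining Data entries into SNAREDATAMAP as carriage-return-delimited key=value pairs. The header layout (host, log type, criticality, JSON) and the treatment of every Data entry as "unmapped" are assumptions made for this example; the exact field-mapping rules inside Snare Central are not described on this page.

```python
import json
import re
from typing import Any

# Constructed sample: the event from this page, kept as a raw string so the
# JSON "\/" escapes survive until json.loads() decodes them to "/".
SAMPLE_EVENT = (
    r'testcomputer MSWinEventLog 1 '
    r'{"Event":{"xmlns":"http:\/\/schemas.microsoft.com\/win\/2004\/08\/events\/event",'
    r'"System":{"Provider":{"Name":"Microsoft-Windows-GroupPolicy",'
    r'"Guid":"{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}"},"EventID":"5116","Version":"0",'
    r'"Level":"4","Task":"0","Opcode":"0","Keywords":"0x4000000000000000",'
    r'"TimeCreated":{"SystemTime":"2025-06-15T14:36:19.7974869Z",'
    r'"LocalTime":"2025-06-16T00:06:19.797486+09:30"},"EventRecordID":"1686622",'
    r'"Execution":{"ProcessID":"18532","ThreadID":"8836"},'
    r'"Channel":"Microsoft-Windows-GroupPolicy\/Operational","Computer":"testcomputer",'
    r'"Security":{"UserID":"S-1-5-18"}},'
    r'"Data":{"GpsvcInitTimeElapsedInMilliseconds":"16","EventLogCounter":"5902"}}}'
)

# Assumed header layout: "<host> <log type> <criticality> <json>", whitespace-separated.
HEADER_RE = re.compile(r'^(\S+)\s+(MSWinEventLog)\s+(\d+)\s+(\{.*\})\s*$', re.DOTALL)

# RFC3339 timestamp with optional fractional seconds and a Z or +hh:mm offset.
RFC3339_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})$'
)


def parse_snarev2(line: str) -> dict[str, Any]:
    """Map one SNAREv2 MSWinEventLog line onto the MSWinEventLog2 field names."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a SNAREv2 MSWinEventLog line")
    host, _log_type, criticality, payload = m.groups()

    event = json.loads(payload)["Event"]
    system = event.get("System", {})
    # Assumption for this example: Data is a flat key/value object, as in the sample.
    data = event.get("Data", {})

    # DATETIME is kept verbatim (RFC3339 Nano); DATE and TIME are sliced from it
    # rather than parsed, so the 7-digit fraction is not a portability concern.
    datetime_ = system.get("TimeCreated", {}).get("SystemTime", "")
    tm = RFC3339_RE.match(datetime_)
    if not tm:
        raise ValueError(f"unexpected SystemTime format: {datetime_!r}")
    date, time = tm.groups()

    # Fields with no named Snare column go to SNAREDATAMAP as key=value pairs
    # delimited by carriage returns, as the field table describes.
    datamap = "\r".join(f"{k}={v}" for k, v in data.items())

    return {
        "DATE": date,
        "TIME": time,
        "DATETIME": datetime_,
        "SYSTEM": system.get("Computer", host),
        "TABLE": "MSWinEventLog2",
        "CRITICALITY": int(criticality),
        # SOURCE is the channel: the single MSWinEventLog2 table is split by this field.
        "SOURCE": system.get("Channel"),
        "EVENTID": int(system["EventID"]),
        "LEVEL": int(system.get("Level", 0)),
        "TASK": int(system.get("Task", 0)),
        "OPCODE": int(system.get("Opcode", 0)),
        "EVENTRECORDID": int(system["EventRecordID"]),
        "SECURITYID": system.get("Security", {}).get("UserID"),
        "SNAREDATAMAP": datamap,
    }


if __name__ == "__main__":
    for key, value in parse_snarev2(SAMPLE_EVENT).items():
        print(f"{key:14} {value!r}")
```

USER, TARGETUSER, PROCESS and STATUS are not populated here because the sample event carries no Data entries for them; a production mapper would promote the relevant Data keys out of SNAREDATAMAP into those columns before storing the row.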
External Links
Windows Event Log - Win32 apps, Accessed 16/06/2025 11:17 UTC+9:30