Log Types: LinuxAudit2
Overview
Similar to LinuxAudit but in SNAREv2 format.
Collection
Snare Agent for Linux configured to send events in SNAREv2 format.
Sample Events
example.com LinuxKAudit 3 {"Event":{"System":{"event":{"syscall":"fchownat","datetime":"1753664832"},"sequence":"13528406","uid":{"uid":"4294967295","name":"unknown"},"euid":{"euid":"0","name":"root"},"gid":{"gid":"0","name":"root"},"egid":{"egid":"0","name":"root"},"process":"\/data\/Snare\/SnareService","return":{"code":"0","status":"yes"},"name":"\/data\/SnareArchive\/2025-07-28\/10.10.10.10","arch":"unknown","TimeCreated":{"SystemTime":"2025-07-28T01:07:12.630130Z","LocalTime":"2025-07-28T10:37:12.630130+09:30"}},"Data":{"a0":"ffffffffffffff9c","a1":"c001281110","a2":"21","a3":"21","items":"1","ppid":"1","pid":"3407","uid":"0","suid":"0","fsuid":"0","sgid":"0","fsgid":"0","tty":"none","ses":"4294967295","comm":"SnareService","key":"obj-3-2","cwd":"\/","item":"0","inode":"9953702","dev":"fd:09","mode":"040750","ouid":"0","ogid":"0","rdev":"00:00","nametype":"NORMAL","cap_fp":"0000000000000000","cap_fi":"0000000000000000","cap_fe":"0","cap_fver":"0","proctitle":"\/data\/Snare\/SnareService"}}}
example.com LinuxKAudit 1 {"Event":{"System":{"event":{"syscall":"kill","datetime":"1753664833"},"sequence":"13528447","uid":{"uid":"0","name":"root"},"euid":{"euid":"0","name":"root"},"gid":{"gid":"0","name":"root"},"egid":{"egid":"0","name":"root"},"process":"\/root\/.vscode-server\/bin\/019f4d1419fbc8219a181fab7892ebccf7ee29a2\/node","return":{"code":"0","status":"yes"},"name":"","arch":"unknown","TimeCreated":{"SystemTime":"2025-07-28T01:07:13.627331Z","LocalTime":"2025-07-28T10:37:13.627331+09:30"}},"Data":{"a0":"1377","a1":"0","a2":"0","a3":"8","items":"0","ppid":"4983","pid":"5327","uid":"0","suid":"0","fsuid":"0","sgid":"0","fsgid":"0","tty":"none","ses":"1","comm":"node","key":"obj-1-1","opid":"4983","oauid":"0","ouid":"0","oses":"1","ocomm":"node","proctitle":"2F726F6F742F2E7673636F64652D7365727665722F62696E2F303139663464313431396662633832313961313831666162373839326562636366376565323961322F6E6F6465002D2D646E732D726573756C742D6F726465723D697076346669727374002F726F6F742F2E7673636F64652D7365727665722F62696E2F303139"}}}
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | LinuxAudit2 |
| DATETIME | Event date and time, in RFC3339 Nano format |
| EVENTID | Name of the event |
| UID | User ID of the user that started the process |
| UIDNAME | Name of the user referred to in UID |
| EUID | User ID of the user the process is running on behalf of, for example the user that the login user “sudoed” to. Also known as the Effective User ID |
| EUIDNAME | Name of the user referred to in EUID |
| GID | Group ID of the user referred to in UID |
| GIDNAME | Name of the group referred to in GID |
| EGID | Group ID of the user referred to in EUID, also known as the Effective Group ID |
| EGIDNAME | Name of the group referred to in EGID |
| PROCESS | Name of the process that emitted the event |
| RETURNCODE | Return code of the event |
| RETURNSTATUS | Whether the event succeeded or not |
| SEQUENCE | Unique ID associated with the event |
| SNAREDATAMAP | Contains any other field in the event that does not map to an existing Snare field. Format is key=value, with carriage returns (\r) as the delimiter. |
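A parser for this log type, added here as an example and not part of the Snare product or its documentation: it splits the line prefix (system, source, criticality), walks the JSON payload into the fields listed above, decodes a hex-encoded proctitle, and assembles SNAREDATAMAP from the keys that have no dedicated field. The sample line is constructed, and deriving DATE and TIME from SystemTime (UTC) is an assumption of this example.

```python
import json
from datetime import datetime

# Constructed sample line (host, source, criticality, JSON), shaped like the events above.
# proctitle is hex, as auditd emits it when the value holds NUL-separated argv entries.
SAMPLE = ('example.com LinuxKAudit 1 {"Event":{"System":{"event":{"syscall":"kill","datetime":'
          '"1753664833"},"sequence":"13528447","uid":{"uid":"0","name":"root"},"euid":{"euid":'
          '"0","name":"root"},"gid":{"gid":"0","name":"root"},"egid":{"egid":"0","name":"root"},'
          '"process":"\\/usr\\/bin\\/node","return":{"code":"0","status":"yes"},"name":"",'
          '"arch":"unknown","TimeCreated":{"SystemTime":"2025-07-28T01:07:13.627331Z",'
          '"LocalTime":"2025-07-28T10:37:13.627331+09:30"}},"Data":{"a0":"1377","pid":"5327",'
          '"ppid":"4983","comm":"node","key":"obj-1-1","proctitle":"6E6F6465002D2D76657273696F6E"}}}')

# LinuxAudit2 field -> path inside Event.System; the remaining fields are set in the parser
SYSTEM_FIELDS = {
    "EVENTID": ("event", "syscall"), "DATETIME": ("TimeCreated", "SystemTime"),
    "UID": ("uid", "uid"), "UIDNAME": ("uid", "name"), "EUID": ("euid", "euid"),
    "EUIDNAME": ("euid", "name"), "GID": ("gid", "gid"), "GIDNAME": ("gid", "name"),
    "EGID": ("egid", "egid"), "EGIDNAME": ("egid", "name"), "PROCESS": ("process",),
    "RETURNCODE": ("return", "code"), "RETURNSTATUS": ("return", "status"), "SEQUENCE": ("sequence",),
}

def decode_proctitle(value):
    # auditd hex-encodes proctitle when it contains NUL-separated argv; restore it as a command line
    if len(value) % 2 or not all(c in "0123456789abcdefABCDEF" for c in value):
        return value
    return bytes.fromhex(value).rstrip(b"\0").replace(b"\0", b" ").decode("utf-8", "replace")

def parse_linux_audit2(line):
    system, _source, _criticality, payload = line.split(" ", 3)
    ev = json.loads(payload)["Event"]
    sysblk, data = ev["System"], dict(ev.get("Data", {}))
    rec = {"SYSTEM": system, "TABLE": "LinuxAudit2"}
    for field, path in SYSTEM_FIELDS.items():
        node = sysblk
        for key in path:
            node = node[key]
        rec[field] = node
    # DATE/TIME taken from SystemTime (UTC) here; that choice is an assumption of this example
    ts = datetime.fromisoformat(rec["DATETIME"].replace("Z", "+00:00"))
    rec["DATE"], rec["TIME"] = ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S")
    # Everything without a dedicated field lands in SNAREDATAMAP as key=value joined by \r
    if "proctitle" in data:
        data["proctitle"] = decode_proctitle(data["proctitle"])
    extra = {"name": sysblk.get("name", ""), "arch": sysblk.get("arch", ""),
             "datetime": sysblk["event"].get("datetime", ""),
             "LocalTime": sysblk["TimeCreated"].get("LocalTime", ""), **data}
    rec["SNAREDATAMAP"] = "\r".join(f"{k}={v}" for k, v in extra.items())
    return rec
```

Running `parse_linux_audit2(SAMPLE)` returns one flat record per line, which is the shape a SIEM ingest or a detection rule over EVENTID, EUID and PROCESS would consume.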