Prior to the integration of an in-kernel audit subsystem for the GNU/Linux operating system, the Snare for Linux agent included a linux loadable kernel module, which monitored key system calls, and pushed the resulting event data to userspace.

More modern versions of the Snare for Linux agents now integrate into the updated audit logging capability, and the older snare kernel module has been deprecated. A module still exists in Snare Central to process these historic logs however.

Sample Events

firewall.private.com LinuxAudit objective,priority,Thu Nov 14 10:28:16 2002,The file /var/log/audit/audit.log has been opened (read only) by the user root event,open(O_RDONLY),Thu Nov 14 10:28:16 2002 user,root(0),ben(0),jorge(0),steve(0) process,22776,1234,tail path,/var/log/audit/audit.log return,3,1 sequence,1030
firewall.private.com LinuxAudit objective,priority,Thu Nov 14 10:28:16 2002,The file /var/log/audit/audit.log has been opened (read only) by the user root event,open(O_RDONLY),Thu Nov 14 10:28:16 2002 user,root(0),ben(0),jorge(0),steve(0) process,22776,1234,tail path,/var/log/audit/audit.log arguments,-f return,3,1 sequence,1030 my extra strings
firewall.private.com LinuxAudit objective,priority,Thu Nov 14 10:28:16 2002,The file /var/log/audit/audit.log has been opened (read only) by the user root event,open(O_RDONLY),Thu Nov 14 10:28:16 2002 user,root(0),ben(0),jorge(0),steve(0) process,22776,1234,tail my extra strings path,/var/log/audit/audit.log arguments,-f return,3,1 sequence,1030 target,root(3)