Appendix A - Windows Event Output Format

The SnareCore service reads data from the Windows operating system via the Event Logs. It converts the binary audit data into text format, and separates information out into a series of TAB delimited tokens. The token delimiter may be specified as something other than TAB. A 'token' is simply data, such as 'date' or 'user'. Groups of tab separated tokens make up an audit event, which may look something like this, depending on whether the SnareCore service has SYSLOG header functionality active.

<hostname> <event log type> <criticality> <logname> <snare event counter> <date time> <event id> <sourcename> <username> <sidtype> <event log type> <computername> <strings...>

Example:

propc12    MSWinEventLog    4    System    2174    Fri Nov 27 09:58:51 2015    7036    Service Control Manager    N/A    N/A    Information    propc12    None        The Application Experience service entered the stopped state.    0

The format of the event log record is as follows:

Example:

Test_Host MSWinEventLog 2 Security 3027 Fri May 24 20:30:43 2010 593 Security Administrator User Success Audit LE5678WSP Detailed Tracking A process has exited: Process ID: 656 User Name: Administrator Domain: LE5678WSP Logon ID: (0x0,0x6C52)

  1. Hostname (the assigned hostname of the machine or the override value entered using the Snare front).
  2. Event Log Type. Fixed value of 'MSWinEventLog'.
  3. Criticality. This is determined by the Alert level given to the audit policy by the user and is a number between 0 and 4, as detailed in the registry settings in Appendix B.
  4. LogName. This is the Windows Event Log from which the event record was derived. In the above example, the event record was derived from the 'security' event log.
  5. Snare Event Counter. Based on the internal Snare event counter. Rotates at 'MAXDWORD'.
  6. DateTime. This is the date/time stamp of the event record.
  7. EventID. This is the Windows Event ID.
  8. SourceName. This is the Source of the Windows Event Log from which the event record was derived. In the above example, the source is 'Security Administrator'.
  9. UserName. This is the Windows user name.
  10. SIDType. This is the type of SID used. In the above example, it is a 'User' SID, but it may also be a 'computer' or other type of SID.
  11. EventLogType. This can be any one of 'Success Audit', 'Failure Audit', 'Error', 'Information', or 'Warning'.
  12. ComputerName. This is the Windows computer name.
  13. CategoryString. This is the category of audit event, as detailed by the Windows event logging system.
  14. DataString. This contains the data strings.
  15. ExpandedString. This contains the expanded data strings.
  16. EventSourceId (optional). Additional data to be included in each event, as specified in the Event Options settings of the Agent.
  17. MD5 Checksum (optional). An MD5 checksum of the event can optionally be included with each event sent over the network by the Snare for Windows agent. Note that the application that evaluates each record will need to strip the final delimiter, plus the checksum, prior to evaluating the event. See Appendix B - Snare Windows Registry Configuration Description for setting the checksum.
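The following parser is an added example (not code from the Snare agent or its documentation) showing how a collector splits a record into the seventeen fields above, strips the optional EventSourceId and MD5 checksum tokens before evaluating the event, and validates the fixed values. It assumes the trailing "0" in the first example record is field 16, that the message text may itself contain the delimiter (so surplus tokens are folded into ExpandedString), and that the checksum value shown is a placeholder rather than one computed by the agent.

```python
from datetime import datetime

# Positional field names (1-15), in the order the SnareCore service emits them.
FIELDS = [
    "hostname", "event_log_type", "criticality", "log_name",
    "snare_event_counter", "date_time", "event_id", "source_name",
    "user_name", "sid_type", "event_type", "computer_name",
    "category_string", "data_string", "expanded_string",
]
VALID_EVENT_TYPES = {"Success Audit", "Failure Audit", "Error", "Information", "Warning"}


def parse_snare_event(record, delimiter="\t", has_event_source_id=False, has_checksum=False):
    """Split one record into named fields, stripping the optional trailing tokens first.

    Assumption: any delimiter inside the message text is folded back into
    expanded_string, since the Windows message is the last positional field.
    """
    tokens = record.rstrip("\r\n").split(delimiter)
    checksum = event_source_id = None
    if has_checksum:                 # final delimiter + MD5 must go before evaluation
        checksum = tokens.pop()
    if has_event_source_id:          # field 16 sits just before the checksum
        event_source_id = tokens.pop()
    if len(tokens) < len(FIELDS):
        raise ValueError("expected %d tokens, got %d" % (len(FIELDS), len(tokens)))
    head = tokens[:len(FIELDS) - 1]
    event = dict(zip(FIELDS, head + [delimiter.join(tokens[len(FIELDS) - 1:])]))
    if event["event_log_type"] != "MSWinEventLog":
        raise ValueError("not a Snare Windows record: %r" % event["event_log_type"])
    event["criticality"] = int(event["criticality"])
    if not 0 <= event["criticality"] <= 4:
        raise ValueError("criticality outside 0-4: %d" % event["criticality"])
    if event["event_type"] not in VALID_EVENT_TYPES:
        raise ValueError("unknown event log type: %r" % event["event_type"])
    event["snare_event_counter"] = int(event["snare_event_counter"])
    event["event_id"] = int(event["event_id"])
    event["date_time"] = datetime.strptime(event["date_time"], "%a %b %d %H:%M:%S %Y")
    event["event_source_id"] = event_source_id
    event["md5_checksum"] = checksum
    return event


# Constructed sample modelled on the appendix example; the trailing "0" is taken to be
# field 16 and the MD5 value is a placeholder, not one computed by the Snare agent.
SAMPLE = "\t".join([
    "propc12", "MSWinEventLog", "4", "System", "2174", "Fri Nov 27 09:58:51 2015",
    "7036", "Service Control Manager", "N/A", "N/A", "Information", "propc12",
    "None", "", "The Application Experience service entered the stopped state.",
    "0", "d41d8cd98f00b204e9800998ecf8427e",
])
```

Call `parse_snare_event(SAMPLE, has_event_source_id=True, has_checksum=True)` to get the named fields; pass the same flags that match the agent's Event Options and checksum settings, since the parser cannot infer them from the record alone.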