Appendix A - Windows Event Output Format
The Snare Agent reads audit log data from the Windows operating system. Before sending an audit event to a destination, the Agent converts the audit data into the destination format, such as SNARE, SNARE v2, SYSLOG (RFC 3164), etc. Please see the Destination Configuration page in this User Guide for the full list of supported formats.
Below is a description of the event content in the SNARE and SNARE v2 formats:
SNARE Format
In SNARE format, a TAB delimiter separates the event data values.
The format of the event log record is as follows:
Windows audit event structure - SNARE format
<hostname> <event log type> <criticality> <logname> <snare event counter> <date time> <event id> <sourcename> <username> <sidtype> <event log type> <computername> <strings...> <event log counter> <optional fields>
Windows audit event example - SNARE format
test-hostname MSWinEventLog 0 Security 472890 Thu Mar 06 17:44:29 2025 4690 Microsoft-Windows-Security-Auditing TESTGROUP\TEST-ACCOUNTNAME$ N/A Success Audit test-hostname Sensitive Privilege Use An attempt was made to duplicate a handle to an object. Subject: Security ID: S-1-5-13 Account Name: TEST-ACCOUNTNAME$ Account Domain: TESTGROUP Logon ID: 0x3F7 Source Handle Information: Source Handle ID: 0x2ec Source Process ID: 0x16f8 New Handle Information: Target Handle ID: 0x1a0b4 Target Process ID: 0x4 78714
Windows audit event example with optional fields - SNARE format
test-hostname MSWinEventLog 0 Security 472890 Thu Mar 06 17:44:29 2025 4690 Microsoft-Windows-Security-Auditing TESTGROUP\TEST-ACCOUNTNAME$ N/A Success Audit test-hostname Sensitive Privilege Use An attempt was made to duplicate a handle to an object. Subject: Security ID: S-1-5-13 Account Name: TEST-ACCOUNTNAME$ Account Domain: TESTGROUP Logon ID: 0x3F7 Source Handle Information: Source Handle ID: 0x2ec Source Process ID: 0x16f8 New Handle Information: Target Handle ID: 0x1a0b4 Target Process ID: 0x4 78714 EventSourceId=AU_123 EventChecksum=de62d5bef24d0678eebd65d2463bf43af21ba862cd17a77dc0f88bde2ea32e2d7bfdbffbc6c0b731cc967d6107ed6d5122441c2b333b0cdbd29062368d123abc
The fields of the event record are as follows:
Hostname. The assigned hostname of the machine or the override value configured in Snare Agent.
Event Log Type. Fixed value of 'MSWinEventLog'.
Criticality. This is a numeric value, determined by the Alert level configured in the audit policy in Snare Agent, as detailed in the configuration settings in Appendix B.
LogName. This is the Windows Event Log from which the event record was derived. In the above example, the event record was derived from the 'Security' event log.
Snare Event Counter. Based on the internal Snare event counter. Rotates at 'MAXDWORD'.
DateTime. This is the date time stamp of the event record.
EventID. This is the Windows Event ID.
SourceName. This is the Source of the Windows Event Log from which the event record was derived. In the above example, the source is 'Microsoft-Windows-Security-Auditing'.
UserName. This is the Windows user name.
SIDType. This is the type of SID used. In the above example it is 'N/A', but for some events it may be 'user', 'computer' or another type of SID.
EventLogType. This can be any of 'Success Audit', 'Failure Audit', 'Error', 'Information' or 'Warning'.
ComputerName. This is the Windows computer name.
CategoryString. This is the category of the audit event, as detailed by the Windows event logging system. In the above example it is 'Sensitive Privilege Use'.
DataString. This contains the event data. This field is generally blank except for a few particular events.
ExpandedString. This contains the expanded event details.
EventLogCounter. This is a counter of the events collected by Snare Agent from a particular Windows event log source (Security, System, Application, etc.). This counter resets to 0 for all log sources after a Snare service restart.
EventSourceId (optional). Additional data to be included in each event, as specified in the Event Options settings of the Agent.
EventChecksum (optional). A SHA3-512 checksum of the event can optionally be included with each event sent over the network by the Snare for Windows agent. Note that the application that evaluates each record will need to strip the final delimiter, plus the checksum, prior to evaluating the event. See the Destination Configuration page to enable the checksum.
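The following parser is added here as an example and is not the agent's own code. It names the TAB-delimited fields in the order listed above, keeps the optional name=value fields, and strips and optionally verifies the trailing EventChecksum; the dictionary keys, the constructed sample record and the assumption about which bytes the SHA3-512 covers are this example's own.

```python
import hashlib
# SNARE field order from this appendix. The page calls both position 2 (fixed
# 'MSWinEventLog') and position 11 ('Success Audit'...) Event Log Type; the
# second is keyed EventLogType2 here to keep the dict keys distinct.
SNARE_FIELDS = [
    "Hostname", "EventLogType", "Criticality", "LogName", "SnareEventCounter",
    "DateTime", "EventID", "SourceName", "UserName", "SIDType", "EventLogType2",
    "ComputerName", "CategoryString", "DataString", "ExpandedString",
    "EventLogCounter",
]
def split_checksum(record):
    """Return (record without the EventChecksum field, hex digest or None)."""
    body, _, last = record.rpartition("\t")
    if last.startswith("EventChecksum="):
        return body, last[len("EventChecksum="):].lower()
    return record, None

def checksum_valid(record):
    """True/False when a checksum is present, None when it is not. Assumption
    (not stated on the page): SHA3-512 covers the text before the final TAB."""
    body, digest = split_checksum(record)
    if digest is None:
        return None
    return hashlib.sha3_512(body.encode("utf-8")).hexdigest() == digest
def parse_snare(record):
    """Name the TAB-delimited fields; optional name=value fields follow EventLogCounter."""
    body, digest = split_checksum(record)
    parts = body.split("\t")
    if len(parts) < len(SNARE_FIELDS) or parts[1] != "MSWinEventLog":
        raise ValueError("not a SNARE format Windows event record")
    event = dict(zip(SNARE_FIELDS, parts))
    for extra in parts[len(SNARE_FIELDS):]:
        name, _, value = extra.partition("=")
        event[name] = value
    if digest is not None:
        event["EventChecksum"] = digest
    return event

# Constructed sample modelled on the page's event 4690 example, with real TABs;
# the checksum is computed here under the assumption noted above.
SAMPLE_BODY = "\t".join([
    "test-hostname", "MSWinEventLog", "0", "Security", "472890",
    "Thu Mar 06 17:44:29 2025", "4690", "Microsoft-Windows-Security-Auditing",
    "TESTGROUP\\TEST-ACCOUNTNAME$", "N/A", "Success Audit", "test-hostname",
    "Sensitive Privilege Use", "",  # DataString is blank for this event
    "An attempt was made to duplicate a handle to an object. Subject: "
    "Security ID: S-1-5-13 Account Name: TEST-ACCOUNTNAME$ Logon ID: 0x3F7",
    "78714", "EventSourceId=AU_123",
])
SAMPLE_RECORD = SAMPLE_BODY + "\tEventChecksum=" + hashlib.sha3_512(SAMPLE_BODY.encode("utf-8")).hexdigest()
```

A mismatch from checksum_valid is the signal to quarantine the record rather than to drop it silently, since a corrupted or altered audit event is itself worth investigating.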
SNARE v2 Format
The SNARE v2 format consists of a Snare header followed by single-line JSON content. Because this format reads the XML representation of the Windows event log, it contains more detailed event information and a more accurate timestamp, with time zone and millisecond precision. Depending on the event ID, SNARE v2 includes up to 12 additional fields of information from the Windows event log over the original SNARE format. Some of the additional fields include TimeCreated, which carries millisecond timing of the event, EventRecordID, a Windows event sequence number, and process and thread information. The SNARE v2 log format also automatically truncates all the documentation text out of the events, so overall the events are smaller than in the original SNARE format, for which there is a truncation feature in the agent general configuration screen.
Windows audit event structure - SNARE V2 format
<hostname> <event log type> <criticality> {"Event":{...,"System":{..., "TimeCreated":{...},...},"Data":{...}}
Windows audit event example - SNARE V2 format
test-hostname MSWinEventLog 0 {"Event":{"xmlns":"http:\/\/schemas.microsoft.com\/win\/2004\/08\/events\/event","System":{"Provider":{"Name":"Microsoft-Windows-Security-Auditing","Guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}"},"EventID":"4689","Version":"0","Level":"0","Task":"13313","Opcode":"0","Keywords":"0x8020000000000000","TimeCreated":{"SystemTime":"2025-03-06T07:58:30.0637408Z","LocalTime":"2025-03-06T18:28:30.063740+10:30"},"EventRecordID":"164469288","Execution":{"ProcessID":"4","ThreadID":"245164"},"Channel":"Security","Computer":"test-hostname"},"Data":{"SubjectUserSid":"S-1-5-13","SubjectUserName":"TEST-ACCOUNTNAME$","SubjectDomainName":"TESTGROUP","SubjectLogonId":"0x3e7","Status":"0x0","ProcessId":"0x3d7e4","ProcessName":"C:\\Windows\\System32\\taskhostw.exe","EventLogCounter":"174745","EventSourceId":"AU_123"}}}
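As an added example, not Snare's code, the parser below separates the SNARE v2 header from the JSON payload and flattens the System fields described above into one dictionary. The sample record is a constructed, abbreviated copy of the page's example with real TABs in the header, and the parser assumes the header never contains a '{' character.

```python
import json

def parse_snare_v2(record):
    """Split the Snare header from the single-line JSON and flatten the parts
    most often used in detection rules. Assumption: the header (hostname,
    'MSWinEventLog', criticality) never contains a '{' character."""
    start = record.index("{")
    hostname, log_type, criticality = record[:start].split("\t")[:3]
    if log_type != "MSWinEventLog":
        raise ValueError("not a SNARE v2 Windows event record")
    event = json.loads(record[start:])["Event"]
    system = event["System"]
    return {
        "Hostname": hostname,
        "Criticality": int(criticality),
        "Provider": system["Provider"]["Name"],
        "EventID": int(system["EventID"]),
        "EventRecordID": int(system["EventRecordID"]),
        "SystemTime": system["TimeCreated"]["SystemTime"],  # UTC, sub-ms precision
        "LocalTime": system["TimeCreated"]["LocalTime"],
        "ProcessID": int(system["Execution"]["ProcessID"]),
        "Channel": system["Channel"],
        "Computer": system["Computer"],
        "Data": event.get("Data", {}),  # per-event fields, incl. EventLogCounter
    }

# Constructed sample: an abbreviated copy of the page's event 4689 example, with
# real TABs in the header. Raw strings keep the JSON escapes (\/ and \\) intact.
SAMPLE_V2 = "\t".join([
    "test-hostname", "MSWinEventLog", "0",
    r'{"Event":{"xmlns":"http:\/\/schemas.microsoft.com\/win\/2004\/08\/events\/event",'
    r'"System":{"Provider":{"Name":"Microsoft-Windows-Security-Auditing"},'
    r'"EventID":"4689","Version":"0","Level":"0","Task":"13313","Opcode":"0",'
    r'"TimeCreated":{"SystemTime":"2025-03-06T07:58:30.0637408Z",'
    r'"LocalTime":"2025-03-06T18:28:30.063740+10:30"},"EventRecordID":"164469288",'
    r'"Execution":{"ProcessID":"4","ThreadID":"245164"},"Channel":"Security",'
    r'"Computer":"test-hostname"},"Data":{"SubjectUserSid":"S-1-5-13",'
    r'"SubjectUserName":"TEST-ACCOUNTNAME$","SubjectDomainName":"TESTGROUP",'
    r'"ProcessId":"0x3d7e4","ProcessName":"C:\\Windows\\System32\\taskhostw.exe",'
    r'"EventLogCounter":"174745","EventSourceId":"AU_123"}}}',
])
```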