Appendix A - Event Output Format
The SnareMSSQL service reads audit data from Microsoft SQL Server on the Windows host via the SQL Server trace logs. It converts the binary trace data into text and separates the information into a series of TAB-delimited tokens; the token delimiter may also be configured as any string other than TAB. A 'token' is simply one item of data, such as the date or the user name. A group of delimited tokens makes up one audit event. When the SnareMSSQL service is configured with SNARE as its log format, an event has the following layout:
<hostname><delimiter><event log type><delimiter><criticality><delimiter><date time><delimiter><version><delimiter><event class><delimiter><event subclass><delimiter><SPID><delimiter><instance name><delimiter><username><delimiter><text>
Example:
VMsql12.snare.ia MSSQLLog 0 2016-02-16 09:00:32.947 11.00.2100 17 0 51 MSSQLSERVER/master SNARE\administrator TextData,-- network protocol: TCP/IP  set quoted_identifier on  set arithabort off  set numeric_roundabort off  set ansi_warnings on  set ansi_padding on  set ansi_nulls on  set concat_null_yields_null on  set cursor_close_on_commit off  set implicit_transactions off  set language us_english  set dateformat mdy  set datefirst 7  set transaction isolation level read committed  Success,0  SessionLoginName,SNARE\Administrator NTUserName,Administrator HostName,TESTVMWIN08R2SQ ApplicationName,Microsoft SQL Server Management Studio
If additional optional fields are configured, each one is appended to the end of the event log message as <delimiter><FieldName>=<FieldValue>, after the event text.
The format of the event log record is as follows:
Token | Value |
---|---|
Hostname | VMsql12.snare.ia |
Event Log Type | MSSQLLog |
Criticality | 0 |
Date and Time | 2016-02-16 09:00:32.947 |
Version | 11.00.2100 |
Event Class | 17 |
Event Sub Class | 0 |
SPID | 51 |
Instance/Database Name | MSSQLSERVER/master |
UserName | SNARE\administrator |
Event Text | TextData,-- network protocol: TCP/IP  set quoted_identifier on  set arithabort off  set numeric_roundabort off  set ansi_warnings on  set ansi_padding on  set ansi_nulls on  set concat_null_yields_null on  set cursor_close_on_commit off  set implicit_transactions off  set language us_english  set dateformat mdy  set datefirst 7  set transaction isolation level read committed   Success,0 SessionLoginName,SNARE\Administrator NTUserName,Administrator HostName,TESTVMWIN08R2SQ ApplicationName,Microsoft SQL Server Management Studio |
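The following parser is an added example, not part of Snare or its documentation. It reads a SNARE-format record as laid out above, splits off the ten fixed header tokens, rejoins whatever follows as the event text (T-SQL in the TextData subfield can itself contain tabs, so the text must not be split blindly), and peels trailing optional <FieldName>=<FieldValue> fields only when the field name is one the reader has configured. The sample records, the optional field name `SourceIP` and the record with an embedded tab are constructed for illustration and are not real captures.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Added example, not Snare code. Parses the SNARE log format for SnareMSSQL:
# ten fixed header tokens, then free-form event text, then optional Name=Value
# fields, all separated by a configurable delimiter (TAB by default).

TOKEN_NAMES = (
    "hostname", "event_log_type", "criticality", "date_time", "version",
    "event_class", "event_subclass", "spid", "instance_name", "username",
)
FIXED_TOKENS = len(TOKEN_NAMES) + 1   # the ten header tokens plus the event text


@dataclass
class SnareMssqlEvent:
    hostname: str
    event_log_type: str
    criticality: int
    date_time: datetime
    version: str
    event_class: int
    event_subclass: int
    spid: int
    instance_name: str
    username: str
    text: str
    extra: dict = field(default_factory=dict)   # optional <FieldName>=<FieldValue> fields


def parse_event(line, delimiter="\t", known_extra=frozenset()):
    """Split one SNARE-format record into a SnareMssqlEvent.

    Only the first ten delimiters are structural. The event text may contain
    the delimiter (T-SQL with embedded tabs), so everything after the header
    is rejoined. A trailing token of the form Name=Value is an optional field
    only when Name is in known_extra; otherwise SQL such as "WHERE admin=1"
    following a tab would be mistaken for one.
    """
    tokens = line.rstrip("\r\n").split(delimiter)
    if len(tokens) < FIXED_TOKENS:
        raise ValueError(f"expected at least {FIXED_TOKENS} tokens, got {len(tokens)}")

    extra = {}
    while len(tokens) > FIXED_TOKENS:
        name, sep, value = tokens[-1].partition("=")
        if not sep or name not in known_extra:
            break
        tokens.pop()
        extra[name] = value
    extra = dict(reversed(list(extra.items())))   # restore on-the-wire order

    head = dict(zip(TOKEN_NAMES, tokens[:len(TOKEN_NAMES)]))
    text = delimiter.join(tokens[len(TOKEN_NAMES):])
    return SnareMssqlEvent(
        hostname=head["hostname"],
        event_log_type=head["event_log_type"],
        criticality=int(head["criticality"]),
        # Timestamp as in the page's example: 2016-02-16 09:00:32.947 (%f takes 1-6 digits)
        date_time=datetime.strptime(head["date_time"], "%Y-%m-%d %H:%M:%S.%f"),
        version=head["version"],
        event_class=int(head["event_class"]),
        event_subclass=int(head["event_subclass"]),
        spid=int(head["spid"]),
        instance_name=head["instance_name"],
        username=head["username"],
        text=text,
        extra=extra,
    )


# Constructed sample modelled on the page's example record, with one hypothetical
# optional field (SourceIP) appended the way the page describes.
SAMPLE_EVENT = "\t".join([
    "VMsql12.snare.ia", "MSSQLLog", "0", "2016-02-16 09:00:32.947", "11.00.2100",
    "17", "0", "51", "MSSQLSERVER/master", "SNARE\\administrator",
    "TextData,-- network protocol: TCP/IP  set quoted_identifier on  Success,0  "
    "SessionLoginName,SNARE\\Administrator NTUserName,Administrator "
    "HostName,TESTVMWIN08R2SQ ApplicationName,Microsoft SQL Server Management Studio",
    "SourceIP=10.0.0.5",
])

# Constructed: T-SQL containing a literal tab and ending in "admin=1", to show
# that the text is kept whole and not misread as an optional field.
SAMPLE_WITH_TAB = "\t".join([
    "VMsql12.snare.ia", "MSSQLLog", "0", "2016-02-16 09:01:00.000", "11.00.2100",
    "12", "0", "52", "MSSQLSERVER/master", "SNARE\\administrator",
    "TextData,SELECT *\tFROM users WHERE admin=1",
])


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT, known_extra={"SourceIP"})
    print(ev.hostname, ev.date_time.isoformat(), ev.event_class, ev.spid, ev.extra)
    print(parse_event(SAMPLE_WITH_TAB, known_extra={"SourceIP"}).text)
```

If the agent is configured with a non-TAB delimiter, pass that string as `delimiter`; the same header split applies. Keep `known_extra` to exactly the optional fields you enabled on the agent, since a permissive match would let attacker-controlled SQL text masquerade as a trusted field such as a source address.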