Event Output Format
LogLogic® Universal Collector collects Windows Event logs and forwards them in Snare over syslog format.
Snare over Syslog format
<PRI>CurrentDate<SPACE>HostName<SPACE>MSWinEventLog<TAB>Criticality<TAB>EventLogSource<TAB>SnareCounter<TAB>SubmitTime<TAB>EventID<TAB>SourceName<TAB>UserName<TAB>SIDType<TAB>EventLogType<TAB>ComputerName<TAB>CategoryString<TAB>DataString<TAB>ExpandedString<TAB>MD5 checksum (optional)
The following table describes the differences between data elements passed in a typical Snare format vs Snare over Syslog format:
Field | Snare format | Snare over Syslog format | Description
---|---|---|---
PRI | NA | PRI | The syslog priority value: the numeric facility/severity combination (facility * 8 + severity, enclosed in angle brackets) configured for the objective in the Snare configuration.
CurrentDate | NA | Date and Time | The syslog timestamp.
Hostname | Hostname | Hostname | The assigned hostname of the machine, or the override value entered in the Snare front end. In the Snare over Syslog format, the host name is the syslog IP address.
Event Log Type | MSWinEventLog | MSWinEventLog | Literal value 'MSWinEventLog'.
Criticality | Criticality | Criticality | Determined by the Alert level the user assigns to the objective; a number between 0 and 4. LogLogic® Universal Collector uses the fixed value 0.
EventLogSource | EventLogSource | EventLogSource | The Windows event log from which the event record was derived. In the example above, the record was derived from the 'Security' event log.
Snare Event Counter | SnareCounter | SnareCounter | A sequential counter incremented for each event sent. When UDP transport is used, gaps in the sequence let the receiver estimate the percentage of events actually delivered. SnareCounter is similar to GlobalCounter. Default value: 0.
DateTime | SubmitTime | SubmitTime | The date and time stamp of the event record. LogLogic® Universal Collector uses UTC.
EventID | EventID | EventID | The Windows Event ID.
SourceName | SourceName | SourceName | The Windows event source (the provider that wrote the record) as recorded in the event log. In the example above it is 'Security', the same as the log name.
UserName | UserName | UserName | The Windows user name.
SIDType | SIDType | SIDType | The type of SID used.
EventLogType | EventLogType | EventLogType | One of 'Success Audit', 'Failure Audit', 'Error', 'Information', or 'Warning'.
ComputerName | ComputerName | ComputerName | The Windows computer name.
CategoryString | Category | Category | The category of the audit event, as reported by the Windows event logging system.
DataString | Data | Data | The data strings of the event.
ExpandedString | Expanded | EventRecordID | The expanded data strings. In LogLogic® Universal Collector, this field contains the event record ID.
MD5 Checksum | MD5Checksum | Optional | An MD5 checksum of the event can optionally be included with each event sent over the network by the Snare for Windows Agent. The application that evaluates each record must strip the final delimiter plus the checksum before evaluating the event.
Snare format
HostName<TAB>MSWinEventLog<TAB>Criticality<TAB>EventLogSource<TAB>SnareCounter<TAB>SubmitTime<TAB>EventID<TAB>SourceName<TAB>UserName<TAB>SIDType<TAB>EventLogType<TAB>ComputerName<TAB>CategoryString<TAB>DataString<TAB>ExpandedString<TAB>MD5 checksum (optional)
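A parser for both layouts (the Snare over Syslog format and the plain Snare format above), added here as an example; it is not code from LogLogic or the Snare project. It assumes an RFC 3164-style syslog timestamp ('Mon dd hh:mm:ss') in the syslog header, treats SubmitTime as an opaque string, and strips the optional trailing MD5 checksum together with its delimiter before the fields are evaluated, as the table requires. The sample records are constructed.

```python
"""Parser for Windows events in Snare format and in Snare over Syslog format.

Added example; not code from LogLogic or the Snare project. The sample
records are constructed, and the syslog timestamp layout (RFC 3164
"Mon dd hh:mm:ss") is an assumption.
"""
import re
from typing import Dict, Optional

# TAB-separated fields that follow the literal MSWinEventLog token, in order.
SNARE_FIELDS = (
    "Criticality", "EventLogSource", "SnareCounter", "SubmitTime", "EventID",
    "SourceName", "UserName", "SIDType", "EventLogType", "ComputerName",
    "CategoryString", "DataString", "ExpandedString",
)
EVENT_LOG_TYPES = {"Success Audit", "Failure Audit", "Error", "Information", "Warning"}

# Snare over Syslog: <PRI>, timestamp and host name are space-separated;
# everything from MSWinEventLog onward is TAB-separated.
_SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"MSWinEventLog\t(?P<body>.*)$", re.DOTALL)
# Plain Snare: the record starts directly with Hostname<TAB>MSWinEventLog<TAB>.
_PLAIN_HEADER = re.compile(r"^(?P<host>[^\t]+)\tMSWinEventLog\t(?P<body>.*)$", re.DOTALL)
_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")


def parse_snare(line: str) -> Dict[str, object]:
    """Return the decoded fields of one Snare or Snare over Syslog record."""
    line = line.rstrip("\r\n")
    rec: Dict[str, object] = {}
    if line.startswith("<"):
        m = _SYSLOG_HEADER.match(line)
        if not m:
            raise ValueError("malformed Snare over Syslog header")
        pri = int(m.group("pri"))
        if pri > 191:  # facility 0-23, severity 0-7 => PRI = facility*8 + severity
            raise ValueError(f"PRI out of range: {pri}")
        rec.update(Format="Snare over Syslog", Facility=pri // 8,
                   Severity=pri % 8, CurrentDate=m.group("ts"))
    else:
        m = _PLAIN_HEADER.match(line)
        if not m:
            raise ValueError("malformed Snare record")
        rec.update(Format="Snare", Facility=None, Severity=None, CurrentDate=None)
    rec["Hostname"] = m.group("host")

    fields = m.group("body").split("\t")
    # Optional MD5: strip the final delimiter plus checksum before evaluating
    # the event. Recognised by field count and a 32-hex-digit final token.
    md5: Optional[str] = None
    if len(fields) == len(SNARE_FIELDS) + 1 and _MD5.match(fields[-1]):
        md5 = fields.pop().lower()
    if len(fields) != len(SNARE_FIELDS):
        raise ValueError(f"expected {len(SNARE_FIELDS)} fields, got {len(fields)}")
    rec.update(zip(SNARE_FIELDS, fields))
    rec["MD5Checksum"] = md5

    # Type and range checks on the fields the format constrains.
    for name in ("Criticality", "SnareCounter", "EventID"):
        rec[name] = int(rec[name])
    if not 0 <= rec["Criticality"] <= 4:
        raise ValueError(f"Criticality out of range: {rec['Criticality']}")
    if rec["EventLogType"] not in EVENT_LOG_TYPES:
        raise ValueError(f"unexpected EventLogType: {rec['EventLogType']!r}")
    return rec


# Constructed sample records (not captured from a real system).
SAMPLE_SYSLOG = (
    "<13>Jun  3 14:22:07 10.0.0.5 MSWinEventLog\t0\tSecurity\t17\t"
    "Tue Jun 03 14:22:05 2014\t4625\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tFailure Audit\tDC01\tLogon\t"
    "An account failed to log on.  Failure Reason: Unknown user name or bad password.\t"
    "98231"
)
SAMPLE_SYSLOG_MD5 = SAMPLE_SYSLOG + "\t0123456789abcdef0123456789abcdef"  # placeholder hash
SAMPLE_PLAIN = (
    "dc01.example.com\tMSWinEventLog\t1\tSecurity\t18\tTue Jun 03 14:22:06 2014\t4624\t"
    "Microsoft-Windows-Security-Auditing\tAdministrator\tUser\tSuccess Audit\tDC01\tLogon\t"
    "An account was successfully logged on.\t98232"
)

if __name__ == "__main__":
    for sample in (SAMPLE_SYSLOG, SAMPLE_SYSLOG_MD5, SAMPLE_PLAIN):
        r = parse_snare(sample)
        print(r["Format"], r["Hostname"], r["EventID"], r["EventLogType"], r["MD5Checksum"])
```

The parser rejects records with the wrong field count rather than guessing, which is the safer behaviour when a DataString might contain an unescaped TAB; a collector that silently realigned fields would mis-attribute EventID or UserName.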