# Snoopy Logger

## About
Snoopy is a small library that logs all program executions on your Linux/BSD system.
## Product Details
Vendor URL: Snoopy Logger
Product Type: execution logger
Product Tier: Tier II
Integration Method: Syslog
## Parser Details
Log Format: Syslog
Expected Normalization Rate: 100%
Data Label: SNOOPY_LOGGER
UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| all custom filters | metadata.event_type |
| | metadata.vendor_name |
| | metadata.product_name |
| | src.file.full_path |
| | target.process.pid |
| | target.process.parent_pid |
| | target.process.file.full_path |
| | target.process.command_line |
| | observer.hostname |
| | observer.ip |
## Product Event Types

| Event | UDM Event Classification |
|---|---|
| All | GENERIC_EVENT |
## Log Sample

```
<134>Oct 5 14:16:35 hostname1 snoopy[32220]: [uid:111 name:(none) sid:32221 pid:32222 ppid:32223 tty:(none) cwd:/var/lib/program1 filename:/usr/bin/ps]: ps -p 760 -o rss=
```
## Sample Parsing

```
metadata.event_timestamp.seconds = 1664979395
metadata.event_timestamp.nanos = 0
metadata.event_type = "GENERIC_EVENT"
metadata.vendor_name = "Snoopy"
metadata.product_name = "Logger"
src.file.full_path = "/var/lib/program1"
target.process.pid = "32222"
target.process.parent_pid = "32223"
target.process.file.full_path = "/usr/bin/ps"
target.process.command_line = "ps -p 760 -o rss="
observer.hostname = "hostname1"
```
## Parser Alerting
No parser-based alerting exists
## Rules
Coming Soon