Sample data sent to syslog
3/12/14 1:11:31.339 PM Data Fence[2287]: <?xml version="1.0" standalone="yes"?><MatchedFilter><RuleDescription>Packet (bpf) watcher</RuleDescription><WarningValue>1.000000</WarningValue><ProcessId>2739</ProcessId><SessionId>437</SessionId><Seconds>1394655091</Seconds><MicroSeconds>330</MicroSeconds><EventId>80</EventId><ProgramName>/usr/sbin/tcpdump</ProgramName><ProgramArguments>tcpdump</ProgramArguments><Ancestors><Ancestor><ProgramName>/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal</ProgramName><SessionId>428</SessionId></Ancestor><Ancestor><ProgramName>/usr/bin/login</ProgramName><SessionId>430</SessionId></Ancestor><Ancestor><ProgramName>/bin/bash</ProgramName><SessionId>431</SessionId></Ancestor><Ancestor><ProgramName>/usr/bin/sudo</ProgramName><SessionId>436</SessionId></Ancestor></Ancestors><Details><Detail ElementName="PathSet">/dev/bpf0</Detail><Detail ElementName="AuditRecord">Header: Token = 20,  Bytes = 137,  Version = 11,  Event = 80  AUE_OPEN_RW  open(2) - read,write,  Modifier=0,  Seconds=1394655091,  uSeconds=330
Argument: Token = 45,  Number = 2,  Value = 2,  Length = 6,  Text = flags
Path: Token = 35,  length = 10,  Text = /dev/bpf0
Path: Token = 35,  length = 10,  Text = /dev/bpf0
Attr32: Token = 62,  Mode = U:rw- G:--- O:--- specCharacter,  File Mode = 8576,  UID = 0,  GID = 0,  Filesystem = 1179211688,  Inode = 580,  Device = 385875968,
Subject: Token = 36,  Audit ID = 501,  EUID = 0,  EGID = 0,  RUID = 0,  RGID = 0,  PID = 2739,  Session = 100026,  Device = 50331650,  Machine = 0.0.0.0
Return: Token = 39,  Error = 0,  Value = 3
Trailer: Token = 19,  Magic = 45317,  Bytes = 137
</Detail></Details></MatchedFilter>
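A parser for this record, added here as an example and not part of Data Fence or the original page: it splits the syslog prefix from the embedded MatchedFilter XML, walks the Ancestors chain, and pulls the Audit ID and EUID out of the praudit-style AuditRecord detail, because the audit ID (501 here) is what still identifies the logged-in user once sudo has set the EUID to 0. The sample is the page's record with the AuditRecord cut down to three lines.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the page's Data Fence record, with the BSM AuditRecord
# detail cut down to its Header, Subject and Return lines.
SAMPLE_SYSLOG = (
    '3/12/14 1:11:31.339 PM Data Fence[2287]: <?xml version="1.0" standalone="yes"?>'
    "<MatchedFilter><RuleDescription>Packet (bpf) watcher</RuleDescription>"
    "<WarningValue>1.000000</WarningValue><ProcessId>2739</ProcessId><SessionId>437</SessionId>"
    "<Seconds>1394655091</Seconds><MicroSeconds>330</MicroSeconds><EventId>80</EventId>"
    "<ProgramName>/usr/sbin/tcpdump</ProgramName><ProgramArguments>tcpdump</ProgramArguments>"
    "<Ancestors><Ancestor><ProgramName>/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
    "</ProgramName><SessionId>428</SessionId></Ancestor><Ancestor><ProgramName>/usr/bin/login"
    "</ProgramName><SessionId>430</SessionId></Ancestor><Ancestor><ProgramName>/bin/bash"
    "</ProgramName><SessionId>431</SessionId></Ancestor><Ancestor><ProgramName>/usr/bin/sudo"
    "</ProgramName><SessionId>436</SessionId></Ancestor></Ancestors><Details>"
    '<Detail ElementName="PathSet">/dev/bpf0</Detail><Detail ElementName="AuditRecord">'
    "Header: Token = 20,  Bytes = 137,  Version = 11,  Event = 80  AUE_OPEN_RW  open(2) - read,write,"
    "  Modifier=0,  Seconds=1394655091,  uSeconds=330\nSubject: Token = 36,  Audit ID = 501,  EUID = 0,"
    "  EGID = 0,  RUID = 0,  RGID = 0,  PID = 2739,  Session = 100026,  Device = 50331650,  Machine = 0.0.0.0\n"
    "Return: Token = 39,  Error = 0,  Value = 3\n</Detail></Details></MatchedFilter>"
)

def parse_data_fence_alert(line):
    """Split the syslog prefix from the embedded MatchedFilter XML (None if not a Data Fence alert)."""
    prefix, sep, rest = line.partition("Data Fence[")
    if not sep or "<MatchedFilter>" not in rest:
        return None
    root = ET.fromstring(rest[rest.index("<"):])  # skip the "2287]: " pid and colon
    alert = {
        "syslog_time": prefix.strip(),
        "rule": root.findtext("RuleDescription"),
        "pid": int(root.findtext("ProcessId")),
        "program": root.findtext("ProgramName"),
        # oldest first: Terminal -> login -> bash -> sudo, then tcpdump itself
        "ancestry": [a.findtext("ProgramName") for a in root.iter("Ancestor")],
        "details": {d.get("ElementName"): (d.text or "").strip() for d in root.iter("Detail")},
    }
    # AuditRecord is praudit-style BSM text; the Subject token's Audit ID is the
    # logged-in user and survives sudo, whereas EUID/RUID have become 0.
    m = re.search(r"Subject:.*?Audit ID = (\d+),\s+EUID = (\d+)", alert["details"].get("AuditRecord", ""))
    alert["audit_uid"], alert["euid"] = (int(m.group(1)), int(m.group(2))) if m else (None, None)
    return alert

def summarize(alert):
    """One-line triage string: which user did what, as whom, to which path."""
    via = " via sudo" if "/usr/bin/sudo" in alert["ancestry"] else ""
    return "uid %s ran %s as euid %s%s and opened %s (%s)" % (
        alert["audit_uid"], alert["program"], alert["euid"], via,
        alert["details"].get("PathSet"), alert["rule"])
```

Feeding the sample through `summarize(parse_data_fence_alert(SAMPLE_SYSLOG))` gives a line that names uid 501, /usr/sbin/tcpdump, euid 0, the sudo hop and /dev/bpf0, which is the part of the record worth forwarding from syslog to a SIEM.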

Here is what the alert looks like in Data Fence: