April 19, 2007

Standard Logging Format – Common Event Expression (CEE)

Filed under: Log Analysis — Raffael Marty @ 8:08 pm

As Anton mentioned, there is a new event logging standard in the works. What Anton did not mention is the four areas that you need to talk about when you talk about a logging standard. Well, here they are:

  1. Common Event Syntax, like CEF
  2. Common Event Taxonomy. This is where you attach “meaning” or “semantics” to an event. There are a few proprietary ones, nothing standardized though.
  3. Common Event Transport
  4. Common Event Representation, defining what a device should log. An operating system should log user logins for example.

And don’t mix these things. The transport has nothing to do with the syntax! I don’t want to implement a SOAP environment to transport some events. Unfortunately a few companies and even standards have made that mistake! I don’t want to mention anyone here…
Stay tuned for http://cee.mitre.org to go live and learn more about all of this.


  1. Hello,

    Item 2 above is entirely not true; there is an existing standard called XDAS which defines event taxonomy as well as formats (item 1). This is an open standard developed by the OpenGroup.


    It also includes an API definition for auditing that can use a variety of transport methods; item 3 above is not necessary as the format should be independent of delivery method.

    Comment by David Corlette — May 16, 2007 @ 9:55 am

  2. In this post, you state there are 20 vendors or so working with CEF. Are they posted somewhere on who they are?


    Comment by DC — June 29, 2007 @ 9:01 am

  3. […] for example is something that should not depend on the syntax and vice versa. I keep haing to make that point. The ArcSight CEF standard is not bound to any transport. Use anything. If you don’t have […]

    Pingback by Raffy’s Computer Security Blog » CEE - CEF - Event Interoperability Standards — July 18, 2007 @ 5:44 pm

  4. On http://cee.mitre.org is only apache test page! Where I can get CEE?

    Comment by sectrix — November 27, 2007 @ 9:54 am

  5. It is really close now! Hang on tight. The site is ready, but is going through approval processes. It’s very very close!

    Comment by Raffael Marty — November 27, 2007 @ 10:08 am

RSS feed for comments on this post. | TrackBack URI

Leave a comment

XHTML ( You can use these tags): <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> .