April 19, 2007

Standard Logging Format – Common Event Expression (CEE)

Filed under: Log Analysis — Raffael Marty @ 8:08 pm

As Anton mentioned, there is a new event logging standard in the works. What Anton did not mention are the four areas that any logging standard has to address. Well, here they are:

  1. Common Event Syntax, like CEF: how an event is laid out when it is written to the wire or to disk.
  2. Common Event Taxonomy. This is where you attach “meaning” or “semantics” to an event. There are a few proprietary ones, but nothing standardized.
  3. Common Event Transport: how an event gets from the producer to the collector.
  4. Common Event Representation, defining what a device should log; an operating system should log user logins, for example.

And don’t mix these up. The transport has nothing to do with the syntax! I don’t want to have to stand up a SOAP environment just to move some events around. Unfortunately, a few companies and even a few standards have made that mistake; I won’t name anyone here…
Stay tuned for http://cee.mitre.org to go live to learn more about all of this.
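To make the syntax/transport separation concrete, here is a small added example (mine, not code from the original post or from ArcSight): a reader and writer for the CEF syntax, fed the same constructed event once wrapped in a syslog line and once as a bare line from a file. The parser looks only at the `CEF:` payload, so the framing in front of it (syslog PRI, timestamp, host, or nothing) is irrelevant. The vendor name, ports and message text in the sample are made up for illustration.

```python
"""Minimal CEF (Common Event Format) reader/writer showing that the
syntax layer can be handled independently of the transport layer."""
import re
from dataclasses import dataclass, field

# CEF escaping rules: '|' and '\' are escaped in the header, '=' and '\'
# in the extension, with \n and \r standing for line breaks in values.
_HEADER_UNESCAPE = {"\\": "\\", "|": "|"}
_EXT_UNESCAPE = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}
# An extension key is a run of word characters at the start of the
# extension or after whitespace, followed by an unescaped '='.
_EXT_KEY = re.compile(r"(?<![^\s])([A-Za-z0-9_]+)=")


@dataclass
class CefEvent:
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)


def _unescape(text: str, table: dict) -> str:
    # Single pass, so an escaped backslash followed by '=' stays literal.
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(0)), text)


def _split_header(body: str):
    """Split the seven pipe-delimited header fields, honouring '\\|'."""
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):  # keep the escape pair intact for now
            buf.append(body[i:i + 2]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("CEF header needs seven '|'-separated fields")
    return [_unescape(f, _HEADER_UNESCAPE) for f in fields], body[i:]


def parse_extension(ext: str) -> dict:
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces."""
    keys = list(_EXT_KEY.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip(), _EXT_UNESCAPE)
    return out


def parse_cef(line: str) -> CefEvent:
    """Parse a CEF message wherever it sits in the line. Whatever precedes
    'CEF:' is transport framing and is ignored: that is the syntax/transport
    separation in practice."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = _split_header(line[start:])
    return CefEvent(fields[0][4:], *fields[1:7], parse_extension(ext))


def format_cef(ev: CefEvent) -> str:
    """Serialize back to CEF, escaping backslashes first so nothing is doubled."""
    def hdr(v): return v.replace("\\", "\\\\").replace("|", "\\|")
    def val(v): return (v.replace("\\", "\\\\").replace("=", "\\=")
                        .replace("\n", "\\n").replace("\r", "\\r"))
    header = "|".join(["CEF:" + ev.version, hdr(ev.device_vendor), hdr(ev.device_product),
                       hdr(ev.device_version), hdr(ev.signature_id), hdr(ev.name),
                       hdr(ev.severity)])
    return header + "|" + " ".join(f"{k}={val(v)}" for k, v in ev.extension.items())


# Constructed sample (not from the post): one CEF payload carried over two
# transports, an RFC 3164-style syslog line and a bare line from a file.
CEF_PAYLOAD = ("CEF:0|Vendor\\|Inc|Firewall|1.0|100|Connection denied|5|"
               "src=10.0.0.5 dst=192.168.1.10 spt=40001 dpt=22 "
               "msg=blocked ssh\\=attempt act=deny")
SAMPLE_SYSLOG = "<134>Apr 19 20:08:00 fw01 " + CEF_PAYLOAD
SAMPLE_FILE = CEF_PAYLOAD


def same_event_over_both_transports() -> bool:
    return parse_cef(SAMPLE_SYSLOG) == parse_cef(SAMPLE_FILE)


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_SYSLOG)
    print(ev.device_vendor, "/", ev.name, "/", ev.extension["msg"])
    print("same event:", same_event_over_both_transports(),
          "round-trips:", format_cef(ev) == CEF_PAYLOAD)
```

The two things worth noticing are that the header and extension use different escape characters (`\|` versus `\=`), so a single generic "split on delimiter" pass is not enough, and that the syslog prefix never enters the parser at all; swapping syslog for a file, a queue, or anything else changes nothing in the syntax layer.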

5 Comments »

  1. Hello,

    Item 2 above is entirely not true; there is an existing standard called XDAS which defines event taxonomy as well as formats (item 1). This is an open standard developed by the OpenGroup.

    http://www.opengroup.org/security/das/xdas_int.htm

    It also includes an API definition for auditing that can use a variety of transport methods; item 3 above is not necessary as the format should be independent of delivery method.

    Comment by David Corlette — May 16, 2007 @ 9:55 am

  2. In this post, you state there are 20 vendors or so working with CEF. Is there a list posted somewhere of who they are?

    http://www.loganalysis.org/pipermail/loganalysis/2007-April/000089.html

    Comment by DC — June 29, 2007 @ 9:01 am

  3. [...] for example is something that should not depend on the syntax and vice versa. I keep having to make that point. The ArcSight CEF standard is not bound to any transport. Use anything. If you don’t have [...]

    Pingback by Raffy’s Computer Security Blog » CEE - CEF - Event Interoperability Standards — July 18, 2007 @ 5:44 pm

  4. On http://cee.mitre.org there is only an Apache test page! Where can I get CEE?

    Comment by sectrix — November 27, 2007 @ 9:54 am

  5. It is really close now! Hang on tight. The site is ready, but is going through approval processes. It’s very very close!

    Comment by Raffael Marty — November 27, 2007 @ 10:08 am
