April 23, 2007

Common Event Expression (CEE)

Category: Log Analysis — Raffael Marty @ 4:31 pm

I have some more details on the CEE effort, which is captured in this CEE Brochure. The most interesting part is probably page two where the benefits are outlined. This effort will continue by tackling one of the four standard areas after the other. I have a feeling that we will tackle the taxonomy part first. I can already see it, this is going to be HARD!

April 19, 2007

Standard Logging Format – Common Event Expression (CEE)

Category: Log Analysis — Raffael Marty @ 8:08 pm

As Anton mentioned, there is a new event logging standard in the works. What Anton did not mention are the four areas that you need to talk about when you talk about a logging standard. Well, here they are:

  1. Common Event Syntax, like CEF
  2. Common Event Taxonomy. This is where you attach “meaning” or “semantics” to an event. There are a few proprietary ones, nothing standardized though.
  3. Common Event Transport
  4. Common Event Representation, defining what a device should log. An operating system should log user logins for example.

And don’t mix these things. The transport has nothing to do with the syntax! I don’t want to implement a SOAP environment to transport some events. Unfortunately a few companies and even standards have made that mistake! I don’t want to mention anyone here…
Stay tuned for http://cee.mitre.org to go live and learn more about all of this.
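As an added illustration (not code from the original post, and not anything published by the CEE project), the following Python keeps the four areas apart in code: a parser for the CEF syntax named in item 1, a small taxonomy table for item 2 that attaches a category to an event, and a processing function that accepts any iterable of lines, so the transport (file, socket, message queue) stays out of the syntax layer. The CEF header field order and the `\|`, `\\` and `\=` escaping rules are those of ArcSight's CEF; the vendor and product names, signature IDs, taxonomy categories and sample log lines are constructed for this example and are not from any real device or from CEE.

```python
import io
import re
from typing import Dict, Iterable, List, Tuple

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# Extension is "key=value key2=value ..."; a value runs until the next " key=" or end of
# line and may contain "\=" and "\\" escapes. Keys never contain whitespace, "=" or "\".
_EXT_PAIR = re.compile(
    r"(?P<key>[^\s=\\]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[^\s=\\]+=|$)")


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields (honouring \\| and \\\\ escapes)
    and return them together with the raw, still-escaped extension string."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped char: keep it literally
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 pipe-separated fields")
    return fields, line[i:]


def _unescape_ext(value: str) -> str:
    """Undo the extension-value escapes \\= and \\\\."""
    return re.sub(r"\\([=\\])", r"\1", value)


def parse_cef(line: str) -> Dict[str, object]:
    """Syntax layer only: turn one CEF line into a dict. Knows nothing about meaning."""
    line = line.rstrip("\r\n")
    fields, extension = _split_header(line)
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF line: missing 'CEF:' prefix")
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, fields))
    event["version"] = fields[0][len("CEF:"):]
    sev = fields[6]
    event["severity"] = int(sev) if sev.isdigit() else sev   # CEF allows 0-10 or a word
    event["extension"] = {m.group("key"): _unescape_ext(m.group("val"))
                          for m in _EXT_PAIR.finditer(extension)}
    return event


# Taxonomy layer: (vendor, product, signature id) -> category. Constructed for this
# example; the category names are illustrative and are not CEE's taxonomy.
Taxonomy = Dict[Tuple[str, str, str], str]
EXAMPLE_TAXONOMY: Taxonomy = {
    ("ExampleVendor", "ExampleFW", "100"): "network.connection.denied",
    ("ExampleVendor", "ExampleOS", "4625"): "authentication.failure",
    ("ExampleVendor", "ExampleOS", "4624"): "authentication.success",
}


def classify(event: Dict[str, object], taxonomy: Taxonomy) -> str:
    """Attach meaning to an already-parsed event; unknown sources stay 'unclassified'."""
    key = (str(event["device_vendor"]), str(event["device_product"]), str(event["signature_id"]))
    return taxonomy.get(key, "unclassified")


def process(lines: Iterable[str], taxonomy: Taxonomy) -> List[Dict[str, object]]:
    """Transport-agnostic entry point: any iterable of text lines will do, whether it
    comes from a file, a socket reader, a queue consumer or a plain list."""
    events = []
    for raw in lines:
        if not raw.strip():
            continue
        event = parse_cef(raw)
        event["category"] = classify(event, taxonomy)
        events.append(event)
    return events


# Constructed sample lines (not real device output); the third escapes a pipe in the vendor.
SAMPLE_LINES = [
    r"CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|src=10.0.0.5 dst=192.0.2.10 dpt=22 act=blocked",
    r"CEF:0|ExampleVendor|ExampleOS|2.1|4625|Login failed|7|suser=alice msg=Bad password for host\=web01 shost=web01",
    r"CEF:0|Example\|Vendor|ExampleOS|2.1|4624|Login ok|3|suser=bob",
]

if __name__ == "__main__":
    # Same parser, different "transport": a StringIO stands in for a file or socket.
    for ev in process(io.StringIO("\n".join(SAMPLE_LINES)), EXAMPLE_TAXONOMY):
        print(ev["category"], "|", ev["name"], "|", ev["extension"])
```

The point of the split is that `parse_cef` can be dropped in front of any transport unchanged, and the taxonomy table can be extended without touching the parser; the third sample line shows why the syntax layer must handle escaping before the taxonomy layer ever sees the vendor string.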