{"id":401,"date":"2010-09-04T11:24:57","date_gmt":"2010-09-04T19:24:57","guid":{"rendered":"http:\/\/raffy.ch\/blog\/?p=401"},"modified":"2010-09-04T11:24:57","modified_gmt":"2010-09-04T19:24:57","slug":"logging-formats-and-standards","status":"publish","type":"post","link":"https:\/\/raffy.ch\/blog\/2010\/09\/04\/logging-formats-and-standards\/","title":{"rendered":"Logging Formats and Standards"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/raffy.ch\/blog\/wp-content\/uploads\/2010\/09\/IMG_0612.jpg\" alt=\"cee working group\" title=\"cee working group\" width=\"160\" height=\"120\" style=\"float:right\" \/> I have discussed the topic of logging standards <a href=\"http:\/\/raffy.ch\/blog\/2007\/04\/19\/standard-logging-format-common-event-exchange-cee\/\">multiple times<\/a> on this blog. Some recent developments in the logging space urged me to give an update and provide my opinion:<\/p>\n<p>Yet another vendor just released a &#8220;standard&#8221; log format (note the quotes around standard). It&#8217;s called UCF, the Universal Collection Framework\u2122 (UCF). This is how the vendor describes it:<\/p>\n<blockquote><p>UCF is the first WAN-aware, store-and-forward, encrypted, compressed IT data transport. It allows customers to gather IT data, increase resilience, reduce network chatter and encrypt from almost any device, anywhere, quickly and easily. UCF leverages a new transport and store protocol that LogLogic intends to open source in the near future. <\/p><\/blockquote>\n<p>Sounds a whole lot like syslog. (<a href=\"http:\/\/www.balabit.com\/network-security\/syslog-ng\">syslog-ng<\/a> and <a href=\"http:\/\/www.rsyslog.com\">rsyslog<\/a> seem to support exactly this!) Okay, let&#8217;s just look at this description: WAN aware? What the heck is that supposed to mean? You mean it won&#8217;t work well on a LAN? Does that mean it knows the Internets? That&#8217;s just a strange description to start with. 
Oh, and it&#8217;s the first property mentioned! The rest of the description sounds like a transport protocol. Interesting. Why not stick with syslog, which is well known, has proven to work, and already has integration libraries built? I never understood why vendors implemented their own transport protocols. They are hard (very hard) to implement and even harder for producers and consumers to adapt to. Oh well.<\/p>\n<p>When people talk about UCF, they keep bringing up ArcSight&#8217;s CEF. Well, I am greatly responsible for that specification. But guess what? It&#8217;s not a transport protocol! It&#8217;s a syntax definition. It tells a log producer how to format their log file. Not how to transport it. Because there is always syslog, which a lot of machines have installed already and which is easy to use. (And in newer versions you get encryption, caching, etc.)<\/p>\n<p>Now, my last point about standards. Why do vendors keep trying to come up with standards by themselves? It just doesn&#8217;t make any sense. Who is going to adopt them? At ArcSight, about 4 years ago, we came up with CEF because <a href=\"http:\/\/cee.mitre.org\">CEE<\/a> didn&#8217;t move fast enough and we wanted something that our partners could easily use. An analyst wrote that ArcSight is planning to take CEF to the IETF. I hope they are not going to do that. I don&#8217;t have any control over that anymore, but that would be stupid. We would rather push CEE through the IETF. If you have a chance, compare the CEE syntax proposal with CEF. Notice something? Yes. It&#8217;s very similar. Again, I might have had something to do with that. Anyways. Vendors should not define logging standards!<\/p>\n<p>On a good note: CEE is moving forward and just released the <a href=\"http:\/\/cee.mitre.org\/docs\/CEE_Architecture_Overview_May_2010.pdf\">architecture overview<\/a> for public commentary. 
Check them out!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have discussed the topic of logging standards multiple times on this blog. Some recent developments in the logging space urged me to give an update and provide my opinion: Yet another vendor just released a &#8220;standard&#8221; log format (note the quotes around standard). It&#8217;s called UCF, the Universal Collection Framework\u2122 (UCF). This is how [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-401","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/401","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/comments?post=401"}],"version-history":[{"count":8,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/401\/revisions"}],"predecessor-version":[{"id":410,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/posts\/401\/revisions\/410"}],"wp:attachment":[{"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/media?parent=401"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/categories?post=401"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/raffy.ch\/blog\/wp-json\/wp\/v2\/tags?post=401"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}