We have been busy working on the Common Event Syntax. As part of the
syntax, we came up with a list of field names that should be used in
log messages. A common name for fields helps cross-correlate log
records between different products and log files. The list of field
names is independent of the exact syntax that is used to write the log
messages or the transport/format. Whether the data is written in an
XML file, a flat text file, a CSV file, or using a binary encoding, a
common set of field names helps cross-correlate these log messages.
A sample message that uses these field names could look as follows:
    Feb 22 08:57:21 ram sudo[11033]: src_ip=10.2.2.1 dest_host=ram name=what an event dvc_location=home
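As an added illustration of why shared field names matter downstream, here is a small parser that reads a syslog line like the sample above and turns its key=value body into a dict that a correlation tool could work with. This is example code written for this post, not code from the Common Event Syntax work or from its author. It assumes a classic BSD syslog header (timestamp, host, program[pid]:), assumes that a value runs until the next whitespace-separated token of the form key=, so that values such as name=what an event may contain spaces, and uses only the four field names that appear in the sample (src_ip, dest_host, name, dvc_location) with assumed types, since the full field list and its data types are not reproduced here.

```python
"""Parse a syslog line whose message body carries key=value fields.

Added example, not code from the Common Event Syntax work or the post's
author. The header layout, the "value runs until the next key=" rule and
the FIELD_TYPES table are assumptions; the post does not fix the syntax.
"""
import ipaddress
import re

# Constructed sample, modelled on the line quoted in the post.
SAMPLE = ("Feb 22 08:57:21 ram sudo[11033]: src_ip=10.2.2.1 dest_host=ram "
          "name=what an event dvc_location=home")

# Assumed BSD syslog header: timestamp, host, program[pid]: body
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<body>.*)$"
)

# A token starts a new field only if it is an identifier followed by '='.
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

# Assumed type rules for the four fields in the sample (the post's full
# list and its data types are not given here).
FIELD_TYPES = {
    "src_ip": "ip",
    "dest_host": "string",
    "name": "string",
    "dvc_location": "string",
}


def parse_kv_body(body):
    """Split 'k=v k2=multi word value k3=v' into a dict.

    A value extends until the next whitespace-separated token that matches
    KEY_RE, so values may contain spaces (name=what an event). Free text
    before the first key is kept under the pseudo-key '_freetext'.
    """
    fields = {}
    key, parts = "_freetext", []
    for token in body.split():
        if KEY_RE.match(token):
            if key != "_freetext" or parts:
                fields[key] = " ".join(parts)
            key, _, first = token.partition("=")
            parts = [first] if first else []
        else:
            parts.append(token)
    if key != "_freetext" or parts:
        fields[key] = " ".join(parts)
    return fields


def parse_event(line):
    """Return the header fields plus the parsed key=value fields, or None
    when the line does not look like a syslog record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["pid"] = int(event["pid"]) if event["pid"] else None
    event["fields"] = parse_kv_body(event.pop("body"))
    return event


def validate(fields):
    """Check parsed fields against FIELD_TYPES; return a list of problems
    (unknown field names, malformed IP addresses, empty values)."""
    problems = []
    for name, value in fields.items():
        if name == "_freetext":
            continue
        kind = FIELD_TYPES.get(name)
        if kind is None:
            problems.append(f"unknown field: {name}")
        elif kind == "ip":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{name}: not an IP address: {value!r}")
        elif not value:
            problems.append(f"{name}: empty value")
    return problems


if __name__ == "__main__":
    ev = parse_event(SAMPLE)
    print(ev)
    print(validate(ev["fields"]) or "ok")
```

The point of the validate() step is the one the post raises with its data-type question: once producers agree on names and types, a consumer can reject or flag a record whose src_ip is not actually an address instead of silently correlating on garbage. A vendor-specific name such as source_address would show up here as "unknown field", which is exactly the mismatch a common vocabulary is meant to remove.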
Here are some specific questions we would like to pose to the
community:
- is the list more or less complete?
- are the descriptions meaningful? Where do we need to tighten them up?
- do the data types make sense?
- how should we handle lists of values? For example, an event might
talk about multiple ports.
- any other comments?
--
Raffael Marty
Chief Security Strategist @ Splunk
Security Visualization:
http://secviz.org raffy.ch/blog