
Re: CEE Field List

by Andrew Hay-2


The only other one I can think of would be a field for OSVDB entries but
I haven't even finished convincing myself that's a good idea yet :)

Other than that, the list looks great! The one thing I thought would be
left out was start/end-time but I noticed it was in there (which will
make some of the vendors, for example Juniper, happy). Good work!

Andrew Hay
Integration Services Program Manager
Q1 Labs Inc - The Nexus of Security and Networking
Office: (506)462-9117 x124
Fax: (506)459-7016
andrew.hay@... | www.q1labs.com

-----Original Message-----
From: Raffael Marty [mailto:rmarty@...]
Sent: Thursday, March 06, 2008 3:12 PM
To: CEE-DISCUSSION-LIST@...
Subject: [CEE-DISCUSSION-LIST] CEE Field List


We have been busy working on the Common Event Syntax. As part of the
syntax, we came up with a list of field names that should be used in
log messages. A common name for fields helps cross-correlate log
records between different products and log files. The list of field
names is independent of the exact syntax that is used to write the log
messages or the transport/format. Whether the data is written in an
XML file, a flat text file, a CSV file, or using a binary encoding, a
common set of field names helps cross-correlate these log messages.

A sample message that uses these field names could look as follows:

Feb 22 08:57:21 ram sudo[11033]: src_ip=10.2.2.1 dest_host=ram name=what an event dvc_location=home

Here are some specific questions we would like to pose to the
community:

- is the list more or less complete?
- are the descriptions meaningful? where do we need to tighten them up?
- do the data types make sense?
- how should we handle lists of values? For example, an event might  
talk about multiple ports.
- any other comments?
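The sample message above is a syslog header followed by space-separated key=value pairs, and the value of name= contains spaces. The parser below, an added example that is not part of the list post or of any CEE deliverable, shows one way to read that syntax: a value runs from its "=" up to the next whitespace-preceded key=, and a key that repeats (dest_port=22 dest_port=80) collects into a list as one candidate answer to the lists-of-values question. The header regex, the repeated-key convention, the SPOOFED and MULTI_PORT lines and the program names in them are assumptions constructed for the example. The SPOOFED line also shows the caveat a practitioner wants: the syntax as shown has no quoting or escaping, so a value that itself contains " dvc_location=..." is indistinguishable from a real field, and a producer writing untrusted strings into a value needs a quoting rule before the field names can be relied on for correlation.

```python
import re
from typing import Dict, List, Union

Fields = Dict[str, Union[str, List[str]]]

# Header of the sample message: "Feb 22 08:57:21 ram sudo[11033]: <body>"
# (assumed syslog-style layout; the post does not define the header).
_HEADER_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<body>.*)$"
)

# A field begins wherever a token of the form name= follows whitespace
# (or starts the body). Names are limited to the identifier characters
# used in the sample: letters, digits, underscore.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")


def parse_body(body: str) -> Fields:
    """Split the key=value part of a message into a field dict.

    A value runs from its '=' up to the next whitespace-preceded key=, so
    values may contain spaces (name=what an event). A key that repeats
    collects its values into a list; that is an assumption of this example,
    one candidate answer to the list-of-values question, not a CEE rule.
    """
    fields: Fields = {}
    matches = list(_KEY_RE.finditer(body))
    for i, km in enumerate(matches):
        key = km.group(1)
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        value = body[km.end():end].strip()
        if key in fields:
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    return fields


def parse_event(line: str) -> Fields:
    """Parse a full syslog-style line: header fields plus the key=value body."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syslog-style line: %r" % line)
    event: Fields = {
        "time": m.group("time"),
        "host": m.group("host"),
        "prog": m.group("prog"),
    }
    if m.group("pid"):
        event["pid"] = m.group("pid")
    event.update(parse_body(m.group("body")))
    return event


# The sample message from the list post, on one line.
SAMPLE = ("Feb 22 08:57:21 ram sudo[11033]: "
          "src_ip=10.2.2.1 dest_host=ram name=what an event dvc_location=home")

# Constructed line (not from the post): a value that itself contains
# " dvc_location=". With no quoting or escaping in the syntax, the parser
# cannot tell the injected dvc_location apart from the real one.
SPOOFED = ("Feb 22 08:57:22 ram sudo[11034]: "
           "src_ip=10.2.2.1 name=login from dvc_location=dc1 dvc_location=home")

# Constructed line (not from the post): several ports as a repeated key.
MULTI_PORT = ("Feb 22 08:57:23 ram scan[11035]: "
              "src_ip=10.2.2.1 dest_port=22 dest_port=80")


if __name__ == "__main__":
    for line in (SAMPLE, SPOOFED, MULTI_PORT):
        print(parse_event(line))
```

Running the block prints the three parsed dicts; for SPOOFED, dvc_location comes back as ["dc1", "home"], which is the ambiguity the producer side has to close with quoting or escaping if values can carry attacker-controlled text.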
