
Re: CEE Field List

by Eric Fitzgerald


-----Original Message-----
From: David Corlette [mailto:DCorlette@...]
Sent: Thursday, March 06, 2008 2:35 PM
To: CEE-DISCUSSION-LIST@...
Subject: Re: [CEE-DISCUSSION-LIST] CEE Field List

> So, we've been struggling with this very same issue for years,
> because in our product what we do is try to map vendor's event
> data into our standard event structure. I will point out that
> the tags and semantic meaning that vendors choose for their
> data seems to be essentially random. ;-)

Agreed, but this happens because in the absence of a standard taxonomy, every vendor is forced to start from scratch and create a new taxonomy out of thin air.  Perhaps if we agreed on a standard taxonomy with a fairly rich set of "default" tags we could start to change this...

> The latest work we've done in this area is based on some of the
> concepts within XDAS.  For example, we are now treating an "event"
> as an interaction between three things: an initiator, an
> originator, and a target. The initiator is the "thing(s)" that
> caused the event to occur, the originator is the "thing(s)" that
> detected the event and reported it, and the target is the "thing(s)"
> affected by the event.

> What this leads to is four fundamental classes of data within an
> event structure, e.g. the initiator, originator, target, and action.

I strongly concur with the idea of a [subject (initiator), action, object (target), source (originator)] tuple for each event record, although I prefer different nomenclature.

I also hope that whatever we end up with, adequately captures the "Who what where when how" idea that Tina Bird suggested; ultimately log data is intended for human beings even if logs themselves are not, and too often the events are not rich enough, even with correlation, to answer these simple human questions.

We started the taxonomy discussion several times, failed to reach agreement, and dropped the issue.  Fundamentally today's discussion is about the root taxonomy and I think that we can't have a useful discussion about more complex issues without accidentally re-raising this issue over and over until it's agreed on.

I propose that we try to settle the core issue once and for all.  I am willing to propose a process to achieve that if anyone thinks it would be helpful.

Eric

Eric Fitzgerald
Microsoft Corporation
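The mapping problem the thread describes, vendor log lines in arbitrary formats being folded into one [initiator, action, target, originator] structure, is shown below as an added example that is not part of either message and is not code from any CEE or XDAS project. The two log formats, the field names, the standard action verbs, and the assumption that syslog-style lines are in UTC are all illustrative choices made here, not anything the thread specifies.

```python
"""Added example: normalise two constructed vendor log lines into one
[initiator, action, target, originator] event structure and answer the
"who / what / where / when / how" questions from the same fields.
Log formats, field names and action verbs are assumptions for illustration."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Event:
    initiator: dict            # who caused the event (subject)
    action: str                # what was done, as a standard verb
    target: dict               # what was affected (object)
    originator: dict           # which component detected and reported it (source)
    when: str                  # ISO 8601 timestamp, normalised to UTC
    how: dict = field(default_factory=dict)   # mechanism: protocol, auth method, ...
    outcome: Optional[str] = None             # "success" or "failure"

    def human_summary(self) -> str:
        """Answer the human questions directly from the tuple."""
        who = self.initiator.get("user") or self.initiator.get("ip", "?")
        what = self.target.get("host") or self.target.get("ip", "?")
        where = self.originator.get("host", "?")
        how = ", ".join(f"{k}={v}" for k, v in sorted(self.how.items())) or "unspecified"
        return (f"{who} attempted '{self.action}' on {what} at {self.when} "
                f"({self.outcome}); mechanism: {how}; reported by {where}")


# Vendor format 1 (constructed): OpenSSH-style syslog line, no year or zone in the line.
SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_sshd(line: str, year: int = 2008) -> Optional[Event]:
    m = SSHD_RE.match(line)
    if not m:
        return None
    # Syslog omits the year and zone; the caller supplies the year and UTC is assumed.
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return Event(
        initiator={"user": m["user"], "ip": m["ip"], "port": int(m["port"])},
        action="authenticate",
        target={"host": m["host"], "service": "ssh"},
        originator={"host": m["host"], "product": "sshd"},
        when=ts.isoformat(),
        how={"method": m["method"]},
        outcome="success" if m["result"] == "Accepted" else "failure",
    )


def parse_kv_firewall(line: str) -> Optional[Event]:
    """Vendor format 2 (constructed): ts= dev= act=allow|deny src= dst= [dport=] [proto=]."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if not {"ts", "dev", "act", "src", "dst"}.issubset(fields):
        return None
    ts = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    target = {"ip": fields["dst"]}
    if "dport" in fields:
        target["port"] = int(fields["dport"])
    return Event(
        initiator={"ip": fields["src"]},
        action="connect",                       # vendor verb folded into a standard one
        target=target,
        originator={"host": fields["dev"], "product": "firewall"},
        when=ts.isoformat(),
        how={"proto": fields["proto"]} if "proto" in fields else {},
        outcome="success" if fields["act"] == "allow" else "failure",
    )


PARSERS = (parse_sshd, parse_kv_firewall)


def normalize(line: str) -> Optional[Event]:
    """Try each vendor parser in turn; None means the format is not (yet) mapped."""
    for parser in PARSERS:
        event = parser(line)
        if event is not None:
            return event
    return None


# Constructed sample lines, not taken from any real system.
SAMPLE_LINES = [
    "Mar  6 14:35:01 host1 sshd[1234]: Accepted password for alice from 10.0.0.5 port 5222 ssh2",
    "ts=2008-03-06T14:40:00Z dev=fw1 act=deny src=10.0.0.9 dst=10.0.0.20 dport=445 proto=tcp",
    "this line is in a format nobody has mapped yet",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = normalize(line)
        print(ev.human_summary() if ev else f"UNMAPPED: {line}")
```

The point of the separate `originator` field is visible in the second line: the firewall that reported the connection is neither the initiator nor the target, so collapsing "source" into either of them loses the answer to "where was this seen". Unmapped lines are returned as `None` rather than guessed at, so a gap in the taxonomy surfaces as a gap instead of as a silently mis-tagged event.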
