Wednesday, April 18, 2007

Finally, Common Event Expression (CEE) is Out!!!

After long months of undercover work, CEE is ready to be presented to the world. Keep in mind, you read it here first!

Below is an excerpt from a brochure, to be published at MITRE's site any day now. I do think that the world is ready for another battle for the establishment of a logging standard, after a long string of miserable failures.

"Common Event Expression (CEE™): A standard log language for event interoperability in electronic systems.

CEE standardizes the way computer events are described, logged, and exchanged. By utilizing a common language and syntax, CEE takes the guesswork out of even the most menial of event- or log-related tasks. Tasks including log correlation and aggregation, enterprise-wide log management, auditing, and incident handling which once required expensive, specialized analysts or equipment can now be performed more efficiently and produce better results.

Why CEE?

If multiple systems observe the same occurrence, it should be expected that their description of that event is identical. When combined with relevant event details (time, source, destination), a computer should be able to immediately determine whether two or more logs, data logs, audit logs, alerts, alarms, or audit trails refer to the same event. In order to make this happen, there needs to be a scalable, well-defined way to express events."

I will post more stuff as well as the link to the brochure, when it is available. Next: four areas of log standardization, recommended by CEE. Stand by!

5 comments:

PaulM said...

So can we assume that 3 of the 4 areas of log standardization recommended by CEE will be format, transport, and content? :-)

Don't get me wrong, I like the utopia that a single logging standard represents. And I know the more boutique vendors that use standard logging formats (because dynamic, self-labeling logs are still a format) the easier your life becomes. But - and this remains to be seen until MITRE publishes the paper - how do you incent small and/or niche vendors to support a log standard that they weren't at the table to design? After all, security appliance installs drive SIM sales*, not the other way around.

PaulM

* Because security appliance UI's suck.

Anton Chuvakin said...

>format, transport, and content?

+ logging recommendation: what needs to be logged (#4)

>until MITRE publishes the paper
This Friday seems likely ...

>And I know the more boutique vendors
>that use standard logging formats
Nah, we are talking MUCH bigger players than boutique vendors ... just wait.

PaulM said...

I didn't want to dump a small novel in your comments, so my further response is here:

http://pmelson.blogspot.com/2007/04/who-to-sell-log-standards-to.html

Anonymous said...

I read this already on ArcSight's website, although they call it CEF. Is that something different then? Doesn't seem like anyone can agree on this Common Event thingy... :)

Anton Chuvakin said...

I would take it as an offense, in fact :-)

CEF is just an ArcSight thingy.

CEE is an emerging standard by MITRE.

They have nothing to do with each other.

Dr Anton Chuvakin