Gartner Blog Network


CEE Log Standard Guide for the Community

by Anton Chuvakin  |  October 1, 2011  |  2 Comments

As esteemed readers of my “old”, personal blog know, I am a bit of a log fanatic. And my log fanaticism raises to a fevered pitch in the area of LOG and EVENT STANDARDS.  Along this line, I  was working with CEE team (from the time before it was called that; we figured “CEX” was not a good name for a log standard effort…) on developing a set of log standards that can actually be adopted in real life (adoption or lack thereof was an issue that doomed all previous attempts at log standardization).

For those who have never heard of MITRE CEE standard effort, the website provides a one-line explanation: “CEE™ standardizes the way computer events are described, logged, and exchanged. By using CEE’s common language and syntax, enterprise-wide log management, correlation, aggregation, auditing, and incident handling can be performed more efficiently and produce better results than was possible prior to CEE.” The work has been going on for a few years, but recently the team released a set of key draft documents, a major milestone.

With this post, I am providing a quick roadmap to this key step in log standardization (all quotes are from MITRE CEE site, documents and communication; URLs are shown for easier printing):

  • CEE Architecturehttp://cee.mitre.org/docs/CEE_Architecture_Overview-v0.6.pdf  – “This updated document provides a  high-level overview of CEE along with details on the overall architecture  and introduces each of the CEE components including the data dictionary,  event taxonomies, syntax encodings, and profiles. ” Also see the CEE language page; there is also a short and easy overview for beginners.
  • CEE Common Log Syntaxhttp://cee.mitre.org/repository/downloads/CEE_Common_Log_Syntax-v0.6.html  – “The CLS Specification describes the abstract format for CEE Event Records,  which is designed for maximum interoperability with existing event and interchange standards, and provides CLS Encodings that enable compatibility with other encoding standards. Each CLS Encoding defines a mapping from the CLS abstracted format to an encoding syntax, such as XML or JSON. ” This is the main part of how CEE logs are composed.
  • CEE CLS Encoding: JSONhttp://cee.mitre.org/repository/downloads/CEE_Common_Log_Syntax-JSON-v0.6.html – “The CLS Encoding: JSON Specification defines a CEE CLS encoding that is compatible with the RFC4627 JavaScript Object Notation (JSON) format, specifying how to  encode a CEE event record using JSON as well as how to extract the CEE event record data from a JSON encoded event record. ” JSON is here since it is OBVIOUS that NOT everybody can, should or  will ever log in XML. Think of JSON as simple structured plain text that is easy to read by humans and machines as well.
  • CEE CLS Encoding: XMLhttp://cee.mitre.org/repository/downloads/CEE_Common_Log_Syntax-XML-v0.6.html – “the CLS Encoding: XML Specification defines a CEE CLS encoding that is compatible with the W3C Extensible Markup Language (XML) 1.0 format, specifying how to encode a CEE event record using XML as well as how to extract the CEE event record data from an XML encoded event record. “
  • CEE Profileshttp://cee.mitre.org/docs/CEE_Profile_Specification-v0.6.pdf  – “ This community-developed  specification combines two important components of the CEE Architecture, the  CEE Dictionary and Event Taxonomy (CDET) and the CEE Event Log Recommendations (CELR), into the single, machine-interpretable specification document. "CEE Profiles" are how the community identifies the event data, event type tags, and event fields to record in logs for common log events; the event details that should be logged when a device completes a function  or activity; and the specific events and fields that are produced by a particular product. ” Profiles are optional; they just make life easier for both log producers and consumers.
  • CEE Repositoryhttp://cee.mitre.org/repository/  – “A CEE Repository section that gathers all community-developed CEE Profiles,  CEE Specifications, CEE Schemas, and related documents in XML format into a  single location has been added to the CEE Web site.”
  • CEE Discussion list sign-uphttp://cee.mitre.org/discussiongroup.html – this is where YOU can get involved! If you make logs OR consume logs, this is the place to be. If you have ANY feedback on the standard, go there and share.

By the way, a quick one page guide for application/platform developers on how to log “the CEE way” is coming soon as well.

Let’s kill log chaos together!

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research

Category: cee  logging  standards  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on CEE Log Standard Guide for the Community


  1. […] Excerpt from: CEE Log Standard Guide for the Community […]

  2. Terrence says:

    Thanks for using the time and effort to write something so interesting.

    My blog:
    Rachat de credit rachatdecredit.net



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.