As esteemed readers of my “old”, personal blog know, I am a bit of a log fanatic. And my log fanaticism rises to a fever pitch in the area of LOG and EVENT STANDARDS. Along this line, I was working with the CEE team (from the time before it was called that; we figured “CEX” was not a good name for a log standard effort…) on developing a set of log standards that can actually be adopted in real life (adoption, or lack thereof, was the issue that doomed all previous attempts at log standardization).
For those who have never heard of MITRE CEE standard effort, the website provides a one-line explanation: “CEE™ standardizes the way computer events are described, logged, and exchanged. By using CEE’s common language and syntax, enterprise-wide log management, correlation, aggregation, auditing, and incident handling can be performed more efficiently and produce better results than was possible prior to CEE.” The work has been going on for a few years, but recently the team released a set of key draft documents, a major milestone.
With this post, I am providing a quick roadmap to this key step in log standardization (all quotes are from MITRE CEE site, documents and communication; URLs are shown for easier printing):
- CEE Architecture – http://cee.mitre.org/docs/CEE_Architecture_Overview-v0.6.pdf – “This updated document provides a high-level overview of CEE along with details on the overall architecture and introduces each of the CEE components including the data dictionary, event taxonomies, syntax encodings, and profiles.” Also see the CEE language page; there is also a short and easy overview for beginners.
- CEE Common Log Syntax – http://cee.mitre.org/repository/downloads/CEE_Common_Log_Syntax-v0.6.html – “The CLS Specification describes the abstract format for CEE Event Records, which is designed for maximum interoperability with existing event and interchange standards, and provides CLS Encodings that enable compatibility with other encoding standards. Each CLS Encoding defines a mapping from the CLS abstracted format to an encoding syntax, such as XML or JSON.” This is the main part of how CEE logs are composed.
- CEE CLS Encoding: XML – http://cee.mitre.org/repository/downloads/CEE_Common_Log_Syntax-XML-v0.6.html – “the CLS Encoding: XML Specification defines a CEE CLS encoding that is compatible with the W3C Extensible Markup Language (XML) 1.0 format, specifying how to encode a CEE event record using XML as well as how to extract the CEE event record data from an XML encoded event record.”
- CEE Profiles – http://cee.mitre.org/docs/CEE_Profile_Specification-v0.6.pdf – “This community-developed specification combines two important components of the CEE Architecture, the CEE Dictionary and Event Taxonomy (CDET) and the CEE Event Log Recommendations (CELR), into the single, machine-interpretable specification document. "CEE Profiles" are how the community identifies the event data, event type tags, and event fields to record in logs for common log events; the event details that should be logged when a device completes a function or activity; and the specific events and fields that are produced by a particular product.” Profiles are optional; they just make life easier for both log producers and consumers.
- CEE Repository – http://cee.mitre.org/repository/ – “A CEE Repository section that gathers all community-developed CEE Profiles, CEE Specifications, CEE Schemas, and related documents in XML format into a single location has been added to the CEE Web site.”
- CEE Discussion list sign-up – http://cee.mitre.org/discussiongroup.html – this is where YOU can get involved! If you make logs OR consume logs, this is the place to be. If you have ANY feedback on the standard, go there and share.
By the way, a quick one page guide for application/platform developers on how to log “the CEE way” is coming soon as well.
Let’s kill log chaos together!