CEE Reference Impl.

6 messages
CEE Reference Impl.

Nick Duan

Could anyone point to any existing CEE reference implementation?  Nothing mentioned on the CEE web site.  Any open source impls?

Thanks!

Nick


Re: CEE Reference Impl.

Keith Robertson
On 08/29/2012 10:35 PM, Nick Duan wrote:

> Could anyone point to any existing CEE reference implementation?  Nothing mentioned on the CEE web site.  Any open source impls?
>
> Thanks!
>
> Nick

Lumberjack [1], but this is still a work in progress.  Looks like the CEE schemas have changed as per the recent voting process.  I need to look at them again and understand what has changed so that the logging packages would be compliant.

Question to CEE community:
Are the schemas in [2] settled or *nearly* settled?

[1] https://fedorahosted.org/lumberjack/
[2] http://cee.mitre.org/language/1.0-beta1/

Re: CEE Reference Impl.

Balazs Scheidler
In reply to this post by Nick Duan
In project lumberjack:

https://github.com/algernon/libumberlog

On Wed, 2012-08-29 at 22:35 -0400, Nick Duan wrote:

> Could anyone point to any existing CEE reference implementation?
> Nothing mentioned on the CEE web site.  Any open source impls?
>
> Thanks!
>
> Nick

--
Bazsi

Re: CEE Reference Impl.

Rainer Gerhards
> In project lumberjack:
>
> https://github.com/algernon/libumberlog
>
> On Wed, 2012-08-29 at 22:35 -0400, Nick Duan wrote:
> > Could anyone point to any existing CEE reference implementation?
> > Nothing mentioned on the CEE web site.  Any open source impls?

There are no reference implementations, because CEE is not yet stable enough. However, there are various implementations of the CEE-over-Syslog method, which basically is JSON inside syslog messages. Rsyslog currently supports this, and syslog-ng does also (Bazsi, pls correct me if I am wrong - I guess you didn't mention it because it is not a "reference"). On the Windows side, Adiscon EventReporter and MonitorWare Agent support the method.

Project lumberjack tries to bring all this together in a practical way. Note that there is libee, which somewhat aimed at providing a reference. However, CEE has changed so much since I wrote it (~2 years ago), that it is almost obsolete and definitely nothing to base current CEE-related work on.

While the syntax is currently fixed, we (CEE) currently do not have a standardized field list, and this makes it hard to be CEE-compliant. HOWEVER, once that list is available, I guess all existing implementations mentioned above will just need to rename some fields to implement base CEE functionality.

HTH
Rainer

Re: CEE Reference Impl.

Balazs Scheidler
On Thu, 2012-08-30 at 16:02 +0000, Rainer Gerhards wrote:

> > In project lumberjack:
> >
> > https://github.com/algernon/libumberlog
> >
> > On Wed, 2012-08-29 at 22:35 -0400, Nick Duan wrote:
> > > Could anyone point to any existing CEE reference implementation?
> > > Nothing mentioned on the CEE web site.  Any open source impls?
>
> There are no reference implementations, because CEE is not yet stable enough. However,
>  there are various implementations of the CEE-over-Syslog method, which basically is
> JSON inside syslog messages. Rsyslog currently supports this, and syslog-ng does also
> (Bazsi, pls correct me if I am wrong - I guess you didn't mention it because it is
> not a "reference"). On the Windows side, Adiscon EventReporter and MonitorWare Agent
> support the method.

I focused on closely CEE-related stuff, that's why I mentioned
libumberlog only.

syslog-ng (partially in 3.3, fully in 3.4) can both parse and generate
CEE style JSON payloads:

http://bazsi.blogs.balabit.com/2012/05/cee-prototype-and-a-show-case-for-the-new-3-4-features/

>
> Project lumberjack tries to bring all this together in a practical way. Note that
> there is libee, which somewhat aimed at providing a reference. However, CEE has
> changed so much since I wrote it (~2 years ago), that it is almost obsolete and
> definitely nothing to base current CEE-related work on.
>
> While the syntax is currently fixed, we (CEE) currently do not have a standardized
> field list, and this makes it hard to be CEE-compliant. HOWEVER, once that list is
> available, I guess all existing implementations mentioned above will just need to
> rename some fields to implement base CEE functionality.

--
Bazsi
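Rainer describes CEE-over-Syslog above as "JSON inside syslog messages" and expects existing implementations to only need field renames once the dictionary settles, and Bazsi mentions that syslog-ng can both parse and generate such payloads. The following is an added example illustrating those three operations; it is not code from this thread nor from rsyslog, syslog-ng, libee or libumberlog. It assumes the Lumberjack convention of a literal `@cee:` cookie in front of the JSON object (the thread itself does not spell that out) and a BSD-style (RFC 3164) syslog header; the sample log lines are constructed.

```python
"""CEE-over-syslog helpers: parse the JSON payload, generate a line, rename fields.

Added example, not code from the thread or from rsyslog/syslog-ng/lumberjack.
Assumes the Lumberjack "@cee:" cookie convention and an RFC 3164 style header.
"""
import json
import re

CEE_COOKIE = "@cee:"
MAX_PAYLOAD = 8 * 1024  # refuse absurdly large payloads before handing them to json

# Constructed RFC 3164 style header: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_cee_syslog(line):
    """Split a syslog line into header fields plus the CEE JSON object, if any.

    Returns None when the header does not parse. Otherwise returns a dict with
    pri, facility, severity, timestamp, host, tag, pid, msg and 'cee', which is
    the decoded JSON object or None when the message carries no valid payload
    (no cookie, truncated JSON, over-long payload, or JSON that is not an object).
    """
    m = _SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    pri = int(rec["pri"])
    rec["pri"] = pri
    rec["facility"], rec["severity"] = divmod(pri, 8)  # PRI = facility*8 + severity
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    rec["cee"] = None
    msg = rec["msg"]
    if not msg.startswith(CEE_COOKIE):
        return rec  # plain free-text syslog message
    payload = msg[len(CEE_COOKIE):].strip()
    if len(payload) > MAX_PAYLOAD:
        return rec
    try:
        obj = json.loads(payload)
    except ValueError:
        return rec  # truncated or malformed JSON: keep the raw msg, no cee dict
    if isinstance(obj, dict):
        rec["cee"] = obj
    return rec


def format_cee_syslog(facility, severity, timestamp, host, tag, fields, pid=None):
    """Build a CEE-over-syslog line from a dict of event fields."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility/severity out of range")
    header = "<%d>%s %s %s" % (facility * 8 + severity, timestamp, host, tag)
    if pid is not None:
        header += "[%d]" % pid
    # Compact separators keep the line short; json.dumps escapes non-ASCII by
    # default so the payload survives 7-bit transports unchanged.
    payload = json.dumps(fields, separators=(",", ":"), sort_keys=True)
    return "%s: %s %s" % (header, CEE_COOKIE, payload)


def rename_fields(event, mapping):
    """Return a copy of event with keys renamed per mapping (old name -> new name).

    This is the "just rename some fields" step; a collision between a renamed
    key and an existing one is refused rather than silently overwritten.
    """
    out = {}
    for key, value in event.items():
        new_key = mapping.get(key, key)
        if new_key in out:
            raise ValueError("field collision on %r" % new_key)
        out[new_key] = value
    return out


# Constructed sample lines: one valid CEE payload, one plain message,
# one truncated payload, one JSON value that is not an object.
SAMPLE_LINES = [
    '<38>Aug 30 16:02:11 host1 sshd[4242]: @cee: {"action":"login","user":"alice","src_ip":"192.0.2.10","result":"success"}',
    '<38>Aug 30 16:02:12 host1 sshd[4243]: Accepted publickey for bob from 192.0.2.11 port 51000',
    '<38>Aug 30 16:02:13 host1 app: @cee: {"action":"login", "user":',
    '<38>Aug 30 16:02:14 host1 app: @cee: [1,2,3]',
]


def summarize(lines):
    """Parse each line and report (tag, has_cee) so callers can see what was structured."""
    return [(r["tag"], r["cee"] is not None) for r in map(parse_cee_syslog, lines) if r]


if __name__ == "__main__":
    for tag, structured in summarize(SAMPLE_LINES):
        print(tag, "cee" if structured else "plain")
```

Note that a receiver keeps the raw `msg` when the payload fails to decode, so a truncated or malformed event is still retained as free text rather than dropped; `format_cee_syslog` and `parse_cee_syslog` round-trip, and `rename_fields` is the only piece that needs to change once a standardized field list exists.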

Re: CEE Reference Impl.

Rainer Gerhards
> I focused on closely CEE related stuff, that's why I mentioned libumberlog
> only.
>
> syslog-ng (partially in 3.3, fully in 3.4) can both parse and generate CEE style
> JSON payloads:
>
> http://bazsi.blogs.balabit.com/2012/05/cee-prototype-and-a-show-case-for-the-new-3-4-features/

I may be totally off the track, but IMHO the CEE style JSON payload *currently* is the major achievement, and what's usable from the effort. I also think that moving to different dictionary terms is definitely a lot of work, but not from the implementation side (NOT mentioning normalization rules, like you have in patterndb).

Do I overlook something?

Rainer