CEE for flow 'events'?

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
Report Content as Inappropriate

CEE for flow 'events'?

Mark Poepping
Speaking of "useful and usable":

Could any/all event producers on this list please provide a set of examples (or at least one) for the events they plan to produce (using CEE)?  Aside from all of the syntax and governance discussion, I'm still trying to figure out how this will work.  There are 'syntax' examples in the CEE materials on the website, but I couldn't find any useful semantic guidance for even just a few of the fields for the simplest log examples and how folks might expect to do the lightest of analytics.

Back in 2008 there was a discussion of Use Cases, and there seems to have been a "use case working group" list, but I can find only 3 posts in the archives..  I also couldn't find any documented use cases on the web site.  The "use case" words in section 4 ("CEE Capabilities") of the 1.0-beta1 CEE Overview are not use cases at all, but rather posited requirements with no elucidation for how any situation would leverage the claimed capability (in achieving "useful and usable" analysis).

Just to be clear, one simple scenario might be:

There is a 'site' with one soho router that can export sflow records and 4 hosts but no common login infrastructure (consider no NAT and no vpn).  The router WAN address is, the router LAN address is There is one windows7 box at, one Mac client at, one Fedora server running Apache at (using htaccess), and one Android phone at when it's in the office - it gets a roaming addresses when it's away from the office.  There are 2 users (Mutt and Jeff, Jeff has admin privileges) who use all of the stationary hosts, and Jeff has the phone.  Jeff coordinates login credentials by hand (account name and password sync).  On Saturday, October 6, 2012, Mutt is in the office.  At 1pm Mutt logs into the win7 box, and at 1:05 he logs into the Mac.  At 1:10, he uses the mac to pick up a few files from the web server (based on htaccess).  At 1:15, Mutt calls Jeff with a question - Jeff is at home but at 1:20pm, uses his phone (from address to ssh to the Fedora box to check on the web server.  He finds all in order and logs off at 1:25.  Mutt logs off from win7 at 1:30 and the Mac at 1:35.

Consider that Jeff is interested to coordinate information about authentications: who is logged in, when, how long, and where from.  If all five devices supported CEE, what set of log records should I expect to see (in the CEE ideal world), what fields would they have and what would values look like?

Even in this scenario then, *if* you had an EventID, what would it be, how would it help (or if you need a more complex use case to demonstrate the value, I'd love to hear it)..

> -----Original Message-----
> From: Anton Chuvakin [mailto:[hidden email]]
> Sent: Monday, October 08, 2012 7:14 PM
> To: [hidden email]
> Subject: Re: [CEE-DISCUSSION-LIST] Unique Event ID (RecordId)
> > The thread is getting long and unreadable so I will comment here.
> > Mandating anything is the wrong approach. It just would not work.
> > People would reject things that are "mandated"
> Thank you so much for saying this!
> I am so happy I didn't comment on this whole "mandatory craziness"
> since I was just getting angrier and angrier.
> People, what planet are you from? RIGHT is DEAD (well, not dead, but
> academic).  "The least wrong WHILE useful AND usable in the real world" is
> what we want and can ever get.
> Think for a  second, please. Lack of adoption killed all previous log standard
> efforts for the last 20+ years.  Mandatory beyond the basic = useless (due to
> lack of adoption).
> --
> Dr. Anton Chuvakin
> Site: http://www.chuvakin.org
> Twitter: @anton_chuvakin
> Work: http://www.linkedin.com/in/chuvakin