Defining Log, Event, and Alert (Round 2)

Defining Log, Event, and Alert (Round 2)

heinbockel
Thank you for all of the great feedback and discussion.

After compiling all of the suggestions from both this list
and the LogAnalysis list, we have gone through and revised
the definitions.

One thing of note is that we have added the concept of
"event log" and "event record". This serves two purposes:
1) it acknowledges that logs are used for more than just
recording events, and 2) it allows us to explicitly define
that CEE is concerned with standardizing *event records*.


Without further ado:


1. Event

* An observable occurrence in a computer system. The
classification of events may be dependent on the observer
and domain.


2. Event Record

* A persistent representation of the details of an
individual event.
--CEE standardizes the Event Record syntax and makes
recommendations as to which events and corresponding
details should be recorded.--


3. Event Log

* A collection of time-stamped event records.


4. Log

* A collection of event records and other informational
data pertaining to a particular domain.

A log may be electronic (e.g. stored in memory, disk,
software, database, text file, etc), physical (e.g. on
paper), or even verbal (e.g., "Between 10:00 and 10:01 we
received a series of several thousand SYN packets that we
acknowledged, but full TCP connections were not completed.
At 10:02, our server resources exceeded the maximum
tolerable level and crashed.").



5. Log Record

* A single entry in a log. Entries may take the form of an
Event Record, status or attribute report, debug data, or
similar environmental information.



6. Alert (n):

* A warning or notification to a user or system, usually
indicating that some action should be taken in response to
one or more events.


7. Alert (v):

* The act of generating, transporting, or displaying a
warning or notification.


8. Log (v):

* The act of recording or storing one or more events.




William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615




Re: Defining Log, Event, and Alert (Round 2)

Raffael Marty-3
Good morning,

Below are some things that I am unclear about:

> 1. Event
>
> * An observable occurrence in a computer system. The
> classification of events may be dependent on the observer
> and domain.

Why in a computer system? Are we sure there are no other systems that  
we want to include?

> 2. Event Record
>
> * A persistent representation of the details of an
> individual event.
> --CEE standardizes the Event Record syntax and makes
> recommendations as to which events and corresponding
> details should be recorded.--
>
> 3. Event Log
>
> * A collection of time-stamped event records.
>
> 4. Log
>
> * A collection of event records and other informational
> data pertaining to a particular domain.

Log and Event Log? Why do we need both terms with slightly different  
definitions? Can we merge them into the same definition? Otherwise,  
there should be a definition on "informational data". What's that?

> A log may be electronic (e.g. stored in memory, disk,
> software, database, text file, etc), physical (e.g. on
> paper), or even verbal (e.g., "Between 10:00 and 10:01 we
> received a series of several thousand SYN packets that we
> acknowledged, but full TCP connections were not completed.
> At 10:02, our server resources exceeded the maximum
> tolerable level and crashed.").
>
> 5. Log Record
>
> * A single entry in a log. Entries may take the form of an
> Event Record, status or attribute report, debug data, or
> similar environmental information.

And if we don't merge log and event log, we need an "event record" also.

> 6. Alert (n):
>
> * A warning or notification to a user or system, usually
> indicating that some action should be taken in response to
> one or more events.

The word "action" seems important here? How exactly does this relate  
to events? Is an alert an event? Is it persisted? Or does an alert  
generate a log record? Sometimes?

> 7. Alert (v):
>
> * The act of generating, transporting, or displaying a
> warning or notification.

Do we need to define warning and notification? What's the difference?

> 8. Log (v):
>
> * The act of recording or storing one or more events.

Here, "log" refers to events? Isn't it to "generate an event record"?

Thx

   -raffy

Re: Defining Log, Event, and Alert (Round 2)

Eric Fitzgerald
Raffy Marty said:

>> 1. Event
>>
>> * An observable occurrence in a computer system. The classification of
>> events may be dependent on the observer and domain.

> Why in a computer system? Are we sure there are no other systems that
> we want to include?

I agree.  "IT system" is more generic and implies inclusion of event-generating hardware devices like routers, but I am not stuck on this point.

I do not think that the second sentence thematically fits into this definition- it just is hanging out there and does not help enhance understanding of the definition; I think it goes elsewhere in our documentation but not here.

>> 2. Event Record
>>
>> * A persistent representation of the details of an individual event.
>> --CEE standardizes the Event Record syntax and makes recommendations as
>> to which events and corresponding details should be recorded.--

I'm not sure why the CEE plug is in this particular location, again it does not belong in the definition but rather elsewhere in the documentation.

>> 3. Event Log
>>
>> * A collection of time-stamped event records.
>>
>> 4. Log
>>
>> * A collection of event records and other informational data
>> pertaining to a particular domain.
>
> Log and Event Log? Why do we need both terms with slightly
> different definitions? Can we merge them into the same
> definition? Otherwise, there should be a definition on
> "informational data". What's that?

I concur, I think that the definition for "Log" should be:
"see 'Event Log'".

I think that we should drop the term and definition for "Log Record".  If we keep the term then it should be defined as "see 'Event Record'".  The definition has problems; as Raffy has pointed out it uses unclear and undefined terms, and in addition I do not agree that a log record can be verbal for our purposes- such representations are not consumable by IT systems and therefore are probably beyond the scope of our charter.

By changing the definition of "Event Log" to use the word "store" then we implicitly include everything that is referenced in the definition of "Log", but we could include a non-exhaustive list of samples if this is going to be a sticking point, e.g.:

Event Log: a persistent store of ordered or time-stamped event records, such as, but not limited to, a sequential-access text file, a relational database, or a printout.

I agree with Raffy that we should stay away from alerts and such, these are activities that management systems might take, perhaps upon encountering particular event records.

>> 8. Log (v):
>>
>> * The act of recording or storing one or more events.

> Here, "log" refers to events? Isn't it to "generate an event record"?

I think that "or more" does not belong in the definition, and that it is "event records", not "events" that are stored.  Otherwise I like both Bill's and Raffy's definition.

Eric


-----Original Message-----
From: Raffael Marty [mailto:[hidden email]]
Sent: Thursday, July 31, 2008 10:08 AM
To: [hidden email]
Subject: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert (Round 2)

Re: Defining Log, Event, and Alert (Round 2)

Sanford Whitehouse
Sorry for coming back to this so late.

An event is not limited to an IT system.  It can be anything.  An
accounting app stating an entry has been posted.  An oil pipeline
stating that a valve has been opened.  A user login.  A disk failure.
If the nature of the standard is only to address systems, devices, and
under-the-hood application activities, okay.  The context has to be
stated and adhered to.  Otherwise, the term needs to be qualified.  A
general term that fits closer to "something happened" would be the
basis for the qualified terms.  The perspective I hold to is the drive
behind this effort is business (compliance).  It's an umbrella that
covers systems/devices/apps and more.

A log is a collection of information considered noteworthy by the
product vendor creating the log.  Most are time stamped.  Should the
ones that aren't time stamped be considered?

The log can contain anything.  It is generally event related, but can be
information, such as the summary reports put out by some IDSes.
Limiting it to events is an unnatural constraint.  Like "event", if
there is context that supports the proposed definition, it should be
stated.  Otherwise, the term should reflect its qualifications.

Sanford


-----Original Message-----
From: Eric Fitzgerald [mailto:[hidden email]]
Sent: Thursday, July 31, 2008 10:57 AM
To: [hidden email]
Subject: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert (Round
2)


Re: Defining Log, Event, and Alert (Round 2)

heinbockel
In reply to this post by Raffael Marty-3
Responses inline.


William Heinbockel
The MITRE Corporation


>-----Original Message-----
>From: Raffael Marty [mailto:[hidden email]]
>Sent: Thursday, 31 July 2008 13:08
>To: Heinbockel, Bill
>Cc: cee-discussion-list CEE-Related Discussion
>Subject: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert
>(Round 2)
>
>Good morning,
>
>Below are some things that I am unclear about:
>
>> 1. Event
>>
>> * An observable occurrence in a computer system. The
>> classification of events may be dependent on the observer
>> and domain.
>
>Why in a computer system? Are we sure there are no other systems
>that
>we want to include?
>
I agree that "computer system" might be too confined.
However, "An observable occurrence" is too broad.
Eric suggested "An observable occurrence in an IT system" which, I
think, imposes even more limitation than "computer system". In the CEE
whitepaper, we used "electronic system"... is that a better term?


>> 2. Event Record
>>
>> * A persistent representation of the details of an
>> individual event.
>> --CEE standardizes the Event Record syntax and makes
>> recommendations as to which events and corresponding
>> details should be recorded.--
>>
>> 3. Event Log
>>
>> * A collection of time-stamped event records.
>>
>> 4. Log
>>
>> * A collection of event records and other informational
>> data pertaining to a particular domain.
>
>Log and Event Log? Why do we need both terms with slightly
>different
>definitions? Can we merge them into the same definition?
>Otherwise,
>there should be a definition on "informational data". What's that?
>
Many people (Dave, Tina, etc.) pointed out that logs hold
more than just "event records". In order to make this
separation clear, we defined "event log" as a subset of a
"log". Another possibility would be to just distinguish
between "log records" (log entries) and "event records".

Why do we need the different definitions for "log" and "event log"?
1. Not all log records are event records -- we may argue that all log
records _should be_ event records, but in practice, this is not true
2. CEE only standardizes event records


>> A log may be electronic (e.g. stored in memory, disk,
>> software, database, text file, etc), physical (e.g. on
>> paper), or even verbal (e.g., "Between 10:00 and 10:01 we
>> received a series of several thousand SYN packets that we
>> acknowledged, but full TCP connections were not completed.
>> At 10:02, our server resources exceeded the maximum
>> tolerable level and crashed.").
>>
>> 5. Log Record
>>
>> * A single entry in a log. Entries may take the form of an
>> Event Record, status or attribute report, debug data, or
>> similar environmental information.
>
>And if we don't merge log and event log, we need an "event record"
>also.
>
>> 6. Alert (n):
>>
>> * A warning or notification to a user or system, usually
>> indicating that some action should be taken in response to
>> one or more events.
>
>The word "action" seems important here? How exactly does this
>relate
>to events? Is an alert an event? Is it persisted? Or does an alert
>generate a log record? Sometimes?
>
>> 7. Alert (v):
>>
>> * The act of generating, transporting, or displaying a
>> warning or notification.
>
>Do we need to define warning and notification? What's the
>difference?
>
The need to define alert is because some people use
it synonymously with "log", "audit trail", etc.
As Eric pointed out, alerts are notifications to
the user (in terms of alert message boxes in Windows).

So, an "alert" is not an event. An alert might be
produced in response to an event, the displaying of
an alert is an event, but "alert" is not synonymous
with "event".

It is just included here to distinguish the point
that alerts are separate from events. Thus it could
easily be removed.


>> 8. Log (v):
>>
>> * The act of recording or storing one or more events.
>
>Here, "log" refers to events? Isn't it to "generate an event
>record"?

You're right.
However, I think that "to log" = "to generate a log record"
It is possible to log non-event data, right?

On second thought, are the definition of these verbs even
necessary?
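Bill's distinctions above (an event log is the time-stamped event-record subset of a log, "to log" means to generate a log record, and an alert is produced in response to events rather than being one) as an added Python example that is not part of the thread or of CEE. The record names, the half-open-SYN detection rule and its threshold are constructed here to mirror the verbal log from the first post.

```python
"""Toy model of the thread's terminology: log records vs event records,
an event log as the filtered view of a log, and alerts derived from events.
Added example; the sample records below are constructed, not real logs."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class LogRecord:
    """Definition 5: a single entry in a log. Only some entries are events."""
    kind: str                     # constructed: "event", "status" or "debug"
    name: str                     # constructed identifier, e.g. tcp.syn.half_open
    text: str
    ts: Optional[datetime] = None  # event records carry a timestamp

    def is_event_record(self) -> bool:
        """Definition 2: a time-stamped representation of one event."""
        return self.kind == "event" and self.ts is not None


@dataclass
class Log:
    """Definition 4: event records plus other informational data."""
    domain: str
    records: List[LogRecord] = field(default_factory=list)

    def log(self, record: LogRecord) -> LogRecord:
        """Definition 8 read as "generate a log record": non-event data
        (status reports, debug output) can be logged too."""
        self.records.append(record)
        return record

    def event_log(self) -> List[LogRecord]:
        """Definition 3: the time-stamped event records only, in time order."""
        events = [r for r in self.records if r.is_event_record()]
        return sorted(events, key=lambda r: r.ts)


@dataclass
class Alert:
    """Definition 6: a notification that action should be taken in response
    to one or more events. It refers to events but is not itself one."""
    message: str
    in_response_to: List[LogRecord]


def build_sample_log() -> Log:
    """Constructed records echoing the SYN-flood story in the first post."""
    t0 = datetime(2008, 7, 31, 10, 0, 0)
    log = Log(domain="edge-server")
    for offset in (0, 10, 20, 40, 55):  # several half-open SYNs in one minute
        log.log(LogRecord("event", "tcp.syn.half_open",
                          "SYN acked, handshake never completed",
                          ts=t0 + timedelta(seconds=offset)))
    # Non-event entries: an IDS-style summary report and a debug line.
    log.log(LogRecord("status", "ids.summary", "5 flows seen, 0 blocked",
                      ts=t0 + timedelta(seconds=90)))
    log.log(LogRecord("debug", "pool.stats", "conn_table=98% full"))
    log.log(LogRecord("event", "server.crash", "resources exceeded maximum",
                      ts=t0 + timedelta(minutes=2)))
    return log


def syn_flood_alerts(log: Log, window: timedelta = timedelta(minutes=1),
                     threshold: int = 3) -> List[Alert]:
    """Detection over the event log: one alert per burst of at least
    `threshold` half-open SYN events whose timestamps fit inside `window`."""
    syns = [r for r in log.event_log() if r.name == "tcp.syn.half_open"]
    alerts, i = [], 0
    while i < len(syns):
        j = i
        while j + 1 < len(syns) and syns[j + 1].ts - syns[i].ts <= window:
            j += 1
        burst = syns[i:j + 1]
        if len(burst) >= threshold:
            alerts.append(Alert(
                message=f"{len(burst)} half-open SYNs within {window} "
                        f"starting {burst[0].ts:%H:%M:%S}",
                in_response_to=burst))
            i = j + 1           # burst consumed; look for the next one
        else:
            i += 1
    return alerts


def raise_alert(log: Log, alert: Alert, at: datetime) -> LogRecord:
    """Definition 7: generating/displaying the alert. Displaying it is itself
    an observable occurrence, so it lands in the log as a new event record."""
    return log.log(LogRecord("event", "alert.displayed", alert.message, ts=at))


if __name__ == "__main__":
    sample = build_sample_log()
    print(f"{len(sample.records)} log records, "
          f"{len(sample.event_log())} of them event records")
    for a in syn_flood_alerts(sample):
        print("ALERT:", a.message)
        raise_alert(sample, a, datetime(2008, 7, 31, 10, 1, 0))
    print(f"{len(sample.event_log())} event records after displaying the alert")
```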


Fwd: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert (Round 2)

David Corlette
>>> 1. Event
>>> * An observable occurrence in a computer system. The classification of events may be dependent on the observer
>>> and domain.
>>
>>Why in a computer system? Are we sure there are no other systems that we want to include?
>>
> I agree that "computer system" might be too confined.
> However, "An observable occurrence" is too broad.
> Eric suggested "An observable occurrence in an IT system" which, I
> think, imposes even more limitation than "computer system". In the CEE
> whitepaper, we used "electronic system"... is that a better term?

Yes, better.  I think we can exclude any system that would not be able to produce a structured electronic record, so for example a mechanical cash register is not in scope.  So although I guess the definition for "event" is broader in the real world, within the scope of CEE we can explicitly say it applies to electronic systems.

>>Log and Event Log? Why do we need both terms with slightly
>>different
>>definitions? Can we merge them into the same definition?
>>Otherwise,
>>there should be a definition on "informational data". What's that?
>>
> Many people (Dave, Tina, etc.) pointed out that logs hold more than just "event records". In order to make this separation clear, we
> defined "event log" as a subset of a "log". Another possibility would be to just distinguish between "log records" (log entries) and "event records".

I think the problem is the word "log".  Get rid of it.  "Event Stream" is a lot clearer.

> Why do we need the different definitions for "log" and "event log"?

> 2. CEE only standardizes event records

Bill, this is an important point.  I think we need to make it clearer which terms we are defining *for use by the standard* and which terms we are defining *to exclude them from the standard*.  See Alert below as well.

>>And if we don't merge log and event log, we need an "event record"
>>also.
>>
>>> 6. Alert (n):
>>>
>>> * A warning or notification to a user or system, usually
>>> indicating that some action should be taken in response to
>>> one or more events.

>>> 8. Log (v):
>>>
>>> * The act of recording or storing one or more events.
>>
>>Here, "log" refers to events? Isn't it to "generate an event
>>record"?
>
> Your right.
> However, I think that "to log" = "to generate a log record"
> It is possible to log non-event data, right?
>
> On second thought, are the definition of these verbs even
> necessary?

See my previous post on this topic.  Get rid of the word "log" and the problem disappears, or at least allows you to use a more precise term.

Re: Fwd: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert (Round 2)

heinbockel

>-----Original Message-----
>From: David Corlette [mailto:[hidden email]]
>Sent: Thursday, 31 July 2008 14:38
>To: cee-discussion-list CEE-Related Discussion
>Subject: [CEE-DISCUSSION-LIST] Fwd: Re: [CEE-DISCUSSION-LIST]
>Defining Log, Event, and Alert (Round 2)
>
>>>Log and Event Log? Why do we need both terms with slightly
>>>different
>>>definitions? Can we merge them into the same definition?
>>>Otherwise,
>>>there should be a definition on "informational data". What's
>that?
>>>
>> Many people (Dave, Tina, etc.) pointed out that logs hold more
>than just "event records". In order to make this separation clear,
>we
>> defined "event log" as a subset of a "log". Another possibility
>would be to just distinguish between "log records" (log entries)
>and "event records".
>
>I think the problem is the word "log".  Get rid of it.  "Event
>Stream" is a lot clearer.
>
>> Why do we need the different definitions for "log" and "event
>log"?
>
>> 2. CEE only standardizes event records
>
>Bill, this is an important point.  I think we need to make it
>clearer which terms we are defining *for use by the standard* and
>which terms we are defining *to exclude them from the standard*.
>See Alert below as well.
>
Well, the purpose of the standard is two-fold:
1. To better enable/organize the log community
2. Develop an event log standard

My primary purpose for these definitions is to
"standardize" our terminology. I could easily remove the
bit about CEE and the document applies to the entire log
community.

This is why definitions for "log" and "alert" were
included -- because they are actively used by the log
community. While reading through yours (Dave's) and
others' responses, I realized that the main issue (as you
allude to) is that I was calling CEE a "log" standard.

In order to better define the scope of CEE, I defined
"event log". While I don't have any problems with renaming
it to "event stream", I would anticipate the question of
how is an "event stream" different from a "log"?

I named it "event log" because everyone is familiar with
the term "log", "event log" naturally implies that "event
log" is a specific type of "log", and I am hesitant to add
more synonyms to a community already navigating log, audit,
audit log, and audit trail.

Though, initially I had named "event log" as "event
expression" to get away from the conceptual notions of log
(as you point out) and to make the obvious tie to CEE...



So, I think that all of these definitions should not be
*for* the standard. They should be for the logging
community (loganalysis, etc.) and are necessary for the
scoping and development of CEE.


Re: Defining Log, Event, and Alert (Round 2)

Eric Fitzgerald
In reply to this post by Sanford Whitehouse
Sanford Whitehouse wrote:
> An event is not limited to an IT system.  It can be anything.  A
> accounting app stating an entry has been posted.  An oil pipeline

Is an accounting app not part of an IT system?  Is a SCADA sensor not part of an IT system?  It was my intention to capture all such cases.

I am not stuck on the term "IT system", I'd welcome a better term if you have one, but don't clutter the definition and don't make it overbroad so that it includes people writing things down on paper, etc.

Eric

Re: Defining Log, Event, and Alert (Round 2)

Eric Fitzgerald
In reply to this post by heinbockel
Agreed on all points, esp. the substitution of the word "electronic system".

I am not sure that there are logs that contain non-event data (either the things that they contain are event records or the containers are not logs, IMO) but I am not religious about that.

Eric


> -----Original Message-----
> From: Heinbockel, Bill [mailto:[hidden email]]
> Sent: Thursday, July 31, 2008 11:18 AM
> To: [hidden email]
> Subject: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert
> (Round 2)

Re: Fwd: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert (Round 2)

Eric Fitzgerald
In reply to this post by David Corlette
David Corlette wrote:
> I think the problem is the word "log".  Get rid of it.  "Event Stream"
> is a lot clearer.

Agreed, wrt the unqualified term "Log".

I do think that "Event Log" is unambiguous (being a specific kind of log that only contains event records and therefore free from the concerns that David and Tina raised).

Note that we need a term for persisted event streams, so I think that "Event Log" fills a gap there.

Eric

Re: Fwd: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert (Round 2)

David Corlette
In reply to this post by heinbockel
> This is why definitions for "log" and "alert" were included -- because they are actively used by the log community.

Excellent points, and agreed.  I'm not suggesting removing any definitions, but perhaps indicating which ones we will use within CEE (anticipated, anyway) will help clarify things.


> While reading through yours (Dave's) and  others' responses, I realized that the main issue (as you allude to) is that I was calling CEE a "log" standard.

And here I thought it was a Common *Event* standard ;-)


> In order to better define the scope of CEE, I defined "event log". While I don't have any problems with renaming it to "event stream", I would anticipate
> the question of how is an "event stream" different from a "log"?

Very different, in my mind.  I wouldn't consider events being sent as UDP packet data a "log", but I would consider that an event stream.  To me the word "log" implies persistence, but then again it's also a verb and has nine other meanings, which is why I prefer to avoid it.


> I named it "event log" because everyone is familiar with
> the term "log",

Familiar, yes.  Agree on what it means, no.


> So, I think that all of these definitions should not be
> *for* the standard. They should be for the logging
> community (loganalysis, etc.) and are necessary for the
> scoping and development of CEE.

Agreed, with caveat about identifying which ones we think we'll use for CEE.

Re: Defining Log, Event, and Alert (Round 2)

Sanford Whitehouse
In reply to this post by Eric Fitzgerald
In my mind "IT system" creates an image of events reported by systems
that involve the systems themselves or what the systems do to support
the apps running on them.  

If the definition is to include anything from creating a file system to
what an accounting app logs as a transaction, the "IT system"
qualification isn't necessary.  It applies to the standard as a whole,
not the definition of event.  Then, the definition should focus on the
distinctions between an event and the set of non-events that are
recorded.

Sanford

-----Original Message-----
From: Eric Fitzgerald [mailto:[hidden email]]
Sent: Thursday, July 31, 2008 1:11 PM
To: Sanford Whitehouse; [hidden email]
Subject: RE: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert (Round
2)

Sanford Whitehouse wrote:
> An event is not limited to an IT system.  It can be anything.  A
> accounting app stating an entry has been posted.  An oil pipeline

Is an accounting app not part of an IT system?  Is a SCADA sensor not
part of an IT system?  It was my intention to capture all such cases.

I am not stuck on the term "IT system", I'd welcome a better term if you
have one, but don't clutter the definition and don't make it overbroad
so that it includes people writing things down on paper, etc.

Eric

Re: Defining Log, Event, and Alert (Round 2)

Eric Fitzgerald
Hey Sanford,

We want to constrain the definition to events that can be generated and interchanged by electronic data processing equipment, because that is what aligns with the CEE charter.

I think that on a different branch of the thread we have settled on the term "electronic system".

If you disagree, please reply to that thread with proposed alternative text.

Thanks!
Eric

> -----Original Message-----
> From: Sanford Whitehouse [mailto:[hidden email]]
> Sent: Thursday, July 31, 2008 4:18 PM
> To: Eric Fitzgerald; [hidden email]
> Subject: RE: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert
> (Round 2)
>
> In my mind "IT system" creates an image of events reported by systems
> that involve the systems themselves or what the systems do to support
> the apps running on them.
>
> If the definition is to include anything from creating a file system to
> what an accounting app logs as a transaction, the "IT system"
> qualification isn't necessary.  It applies to the standard as a whole,
> not the definition of event.  Then, the definition should focus on the
> distinctions between an event and the set of non-events that are
> recorded.
>
> Sanford
>
> -----Original Message-----
> From: Eric Fitzgerald [mailto:[hidden email]]
> Sent: Thursday, July 31, 2008 1:11 PM
> To: Sanford Whitehouse; [hidden email]
> Subject: RE: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert
> (Round
> 2)
>
> Sanford Whitehouse wrote:
> > An event is not limited to an IT system.  It can be anything.  A
> > accounting app stating an entry has been posted.  An oil pipeline
>
> Is an accounting app not part of an IT system?  Is a SCADA sensor not
> part of an IT system?  It was my intention to capture all such cases.
>
> I am not stuck on the term "IT system", I'd welcome a better term if
> you
> have one, but don't clutter the definition and don't make it overbroad
> so that it includes people writing things down on paper, etc.
>
> Eric
>
>

Re: Defining Log, Event, and Alert (Round 2)

Rainer Gerhards
In reply to this post by heinbockel
Hi, I am new to this list and joined it after the def question was
raised on the log analysis list.

real comment inline...

On Thu, 2008-07-31 at 14:18 -0400, Heinbockel, Bill wrote:
> Many people (Dave, Tina, etc.) pointed out that logs hold
> more than just "event records". In order to make this
> separation clear, we defined "event log" as a subset of a
> "log". Another possibility would be to just distinguish
> between "log records" (log entries) and "event records".

I think this was settled on the loganalysis list. I still can not think
of any object contained in a "log" that is not an event record. I find
the distinction between the two counter-productive, because it
essentially excludes a lot of potentially-useful information from logs.
Do you have a sample (or definition) of an object that is NOT an event
but usually included inside a log?

Rainer
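As an added illustration of the distinction the round-2 definitions draw between a "log record" and an "event record" (this is example code, not anything posted by a list participant or part of CEE), the Python below parses a constructed syslog-style log and separates event records from the other kinds of log record named in definition 5: status or attribute reports, debug data, and records that only refer to other records. The sample lines, the syslog line format and the classification rules are all assumptions of the example, one possible reading of the definitions rather than a position the list took.

```python
"""Split a log into event records and other kinds of log record.

Added example, not from the CEE list: it applies the round-2 definitions
(log record vs. event record vs. event log) to constructed syslog-style
lines. The classification rules are one possible reading of those
definitions, not anything the list agreed on.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (not real data): two sshd events plus four
# entries that are log records but arguably not event records.
SAMPLE_LOG = """\
Jul 31 14:18:01 host1 sshd[2231]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Jul 31 14:20:00 host1 -- MARK --
Jul 31 14:21:07 host1 sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Jul 31 14:21:09 host1 last message repeated 3 times
Jul 31 14:25:00 host1 collectd[910]: load=0.42 mem_free=812MB
Jul 31 14:26:13 host1 app[3301]: DEBUG cache warmup: 1042 keys loaded
"""

# Assumed classic BSD syslog layout: "Mon DD HH:MM:SS host tag[pid]: message".
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$")
TAG_RE = re.compile(r"^(?P<src>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
KV_RE = re.compile(r"(?:\w+=\S+\s*)+")
REPEAT_RE = re.compile(r"last message repeated \d+ times")


@dataclass
class LogRecord:
    """A single entry in a log (definition 5), tagged with its kind."""
    timestamp: str
    host: str
    source: Optional[str]   # process/tag; None for lines syslogd itself emits
    pid: Optional[int]
    message: str
    kind: str               # "event", "status", "debug", "meta", "unparsed"


def classify(source: Optional[str], message: str) -> str:
    """Decide which kind of log record a parsed line is.

    - "-- MARK --": syslogd liveness marker, a status report
    - "last message repeated N times": a record about other records
    - messages starting with "DEBUG": debug data
    - a payload that is only key=value pairs: an attribute report
    - everything else: an event record, i.e. an observable occurrence
    """
    if source is None and message.strip() == "-- MARK --":
        return "status"
    if source is None and REPEAT_RE.fullmatch(message.strip()):
        return "meta"
    if message.startswith("DEBUG"):
        return "debug"
    if KV_RE.fullmatch(message):
        return "status"
    return "event"


def parse_line(line: str) -> LogRecord:
    """Parse one line; lines outside the assumed layout are kept as 'unparsed'."""
    m = SYSLOG_RE.match(line)
    if not m:
        return LogRecord("", "", None, None, line, "unparsed")
    tag = TAG_RE.match(m["rest"])
    if tag:
        source = tag["src"]
        pid = int(tag["pid"]) if tag["pid"] else None
        message = tag["msg"]
    else:
        source, pid, message = None, None, m["rest"]
    return LogRecord(m["ts"], m["host"], source, pid, message, classify(source, message))


def parse_log(text: str) -> List[LogRecord]:
    """The whole log (definition 4): every non-empty line becomes a log record."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def event_log(records: List[LogRecord]) -> List[LogRecord]:
    """The event log (definition 3): only the event records, in original order."""
    return [r for r in records if r.kind == "event"]


def kind_counts(records: List[LogRecord]) -> Counter:
    """How many records of each kind the log holds."""
    return Counter(r.kind for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r.kind:8} {r.source or '-':10} {r.message}")
    print(dict(kind_counts(recs)))
```

Run on the sample, two of the six log records come out as event records; the MARK line and the metrics sample are status reports, the "repeated" line describes other records rather than a new occurrence, and the DEBUG line is debug data. Whether a "repeated N times" line should itself count as an event is exactly the kind of boundary question the definitions leave to the observer.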

Re: Defining Log, Event, and Alert (Round 2)

Reynolds, Gail K
In reply to this post by Sanford Whitehouse
I learned of CEE at Catalyst Conference and recently joined the list.

As someone who attempts to architect security for an insurance company,
I'd like to emphasize my requirement that this standard pertain to
business applications (purchased and developed internally) as well as
core infrastructure and network.  

Gail



-----Original Message-----
From: Sanford Whitehouse [mailto:[hidden email]]
Sent: Thursday, July 31, 2008 7:18 PM
To: [hidden email]
Subject: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert (Round
2)

In my mind "IT system" creates an image of events reported by systems
that involve the systems themselves or what the systems do to support
the apps running on them.  

If the definition is to include anything from creating a file system to
what an accounting app logs as a transaction, the "IT system"
qualification isn't necessary.  It applies to the standard as a whole,
not the definition of event.  Then, the definition should focus on the
distinctions between an event and the set of non-events that are
recorded.

Sanford

-----Original Message-----
From: Eric Fitzgerald [mailto:[hidden email]]
Sent: Thursday, July 31, 2008 1:11 PM
To: Sanford Whitehouse; [hidden email]
Subject: RE: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert (Round
2)

Sanford Whitehouse wrote:
> An event is not limited to an IT system.  It can be anything.  A
> accounting app stating an entry has been posted.  An oil pipeline

Is an accounting app not part of an IT system?  Is a SCADA sensor not
part of an IT system?  It was my intention to capture all such cases.

I am not stuck on the term "IT system", I'd welcome a better term if you
have one, but don't clutter the definition and don't make it overbroad
so that it includes people writing things down on paper, etc.

Eric
This e-mail may contain confidential or privileged information. If
you think you have received this e-mail in error, please advise the
sender by reply e-mail and then delete this e-mail immediately.
Thank you. Aetna

Re: Defining Log, Event, and Alert (Round 2)

Anton Chuvakin
In reply to this post by Eric Fitzgerald
> We want to constrain the definition to events that can be generated and interchanged by electronic data processing equipment, because that is what aligns with the CEE charter.

I think "electronic system" vs "IT system" is splitting hairs. We
should not go all the way to paper file cabinets and logging while
making firewood. Either is fine; most electronics now deal with
information, so to me they are MORE OR LESS the same...

BTW, "log" should stay. Remember, "event" is what HAPPENED, "log" is
what is RECORDED. Maybe one can trade "log" -> "event record"  but
this will be creating terminology where one exists: event record =
log.

--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
 http://www.chuvakin.org
 http://chuvakin.blogspot.com
 http://www.info-secure.org

Re: Defining Log, Event, and Alert (Round 2)

Rainer Gerhards
> -----Original Message-----
> From: Anton Chuvakin [mailto:[hidden email]]
> Sent: Friday, August 01, 2008 6:56 PM
> To: [hidden email]
> Subject: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert
> (Round 2)
>


[snip]

> BTW, "log" should stay. Remember, "event" is what HAPPENED, "log" is
> what is RECORDED. Maybe one can trade "log" -> "event record"  but
> this will be creating terminology where one exists: event record =
> log.

I have always viewed a "log" as a *set* of event records. So an event
record is the physical representation of a single event whereas a log
(file) contains zero or more event records...

As of your definition an event record contains zero or more events. I
think this is not usual terminology.

Rainer

Re: Defining Log, Event, and Alert (Round 2)

Sanford Whitehouse
This is the definition of event from the dictionary.  It feels good.
It's the definition used at my company.

Event
1. Something that happens or is regarded as happening; an
occurrence, especially one of some importance.
2. The outcome, issue, or result of anything.


A log is a record of information, including events, determined to be
worth recording.  Recognizing that information other than events may
exist in a log is an aspect of the challenge.

Sanford

Re: Defining Log, Event, and Alert (Round 2)

Eric Fitzgerald
In reply to this post by Reynolds, Gail K
Thanks Gail!

I will make sure to bring up your feedback in any discussions that we have.  (As a side note I also strongly agree).

Best regards,
Eric


> -----Original Message-----
> From: Reynolds, Gail K [mailto:[hidden email]]
> Sent: Friday, August 01, 2008 6:05 AM
> To: [hidden email]
> Subject: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert
> (Round 2)
>
> I learned of CEE at Catalyst Conference and recently joined the list.
>
> As someone who attempts to architect security for an insurance company,
> I'd like to emphasize my requirement that this standard pertain to
> business applications (purchased and developed internally) as well as
> core infrastructure and network.
>
> Gail
>
>
>
> -----Original Message-----
> From: Sanford Whitehouse [mailto:[hidden email]]
> Sent: Thursday, July 31, 2008 7:18 PM
> To: [hidden email]
> Subject: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert
> (Round
> 2)
>
> In my mind "IT system" creates an image of events reported by systems
> that involve the systems themselves or what the systems do to support
> the apps running on them.
>
> If the definition is to include anything from creating a file system to
> what an accounting app logs as a transaction, the "IT system"
> qualification isn't necessary.  It applies to the standard as a whole,
> not the definition of event.  Then, the definition should focus on the
> distinctions between an event and the set of non-events that are
> recorded.
>
> Sanford
>
> -----Original Message-----
> From: Eric Fitzgerald [mailto:[hidden email]]
> Sent: Thursday, July 31, 2008 1:11 PM
> To: Sanford Whitehouse; [hidden email]
> Subject: RE: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert
> (Round
> 2)
>
> Sanford Whitehouse wrote:
> > An event is not limited to an IT system.  It can be anything.  A
> > accounting app stating an entry has been posted.  An oil pipeline
>
> Is an accounting app not part of an IT system?  Is a SCADA sensor not
> part of an IT system?  It was my intention to capture all such cases.
>
> I am not stuck on the term "IT system", I'd welcome a better term if
> you
> have one, but don't clutter the definition and don't make it overbroad
> so that it includes people writing things down on paper, etc.
>
> Eric

Re: Defining Log, Event, and Alert (Round 2)

Onwubiko, Cyril
In reply to this post by Sanford Whitehouse
One approach to define a concept for a standard is to visualise the concept as a "pyramid" with a very broad base and a "sharp" or pointed top. So, we could start off from the bottom, which is very broad and then gradually narrow the definition down to a very simple, concise and achievable definition. This, in my opinion is a realistic way to approach this task of coming up with a firm definition of an event, whether it's an event from an "electronic system" or from an "IT system". The definition should still be relevant to most use cases.
 
I think given the volume of emails on this, it is time for us to start pruning the contributions down to a definition that is concise, achievable and "meets the need of CEE".
 
 
PS: can we look at an event from a "cause and effect" standpoint? For example:
1. An event is generated because a traffic was allowed or denied.
2. An event is generated because a debugger showed an error or ran complete without an error.
3. One broad way I would approach the definition of an event is to look at an event as being gener which is what the email trails have been showcasing. Hence, another
 
Regards,
Cyril
 
Dr. Cyril Onwubiko
 
Intelligence and Security Assurance Chair
E-Security Group
Faculty of Computing, Information Systems and Mathematics (CISM)
Kingston University
London, UK


From: Sanford Whitehouse [mailto:[hidden email]]
Sent: Fri 01/08/2008 18:29
To: [hidden email]
Subject: Re: [CEE-DISCUSSION-LIST] Defining Log, Event, and Alert (Round 2)

This is the definition of event from the dictionary.  It feels good.
It's the definition used at my company.

Event
1. Something that happens or is regarded as happening; an
occurrence, especially one of some importance.
2. The outcome, issue, or result of anything.


A log is a record of information, including events, determined to be
worth recording.  Recognizing that information other than events may
exist in a log is an aspect of the challenge.

Sanford

This email has been scanned for all viruses by the MessageLabs Email
Security System.
