Given William's question below I got to thinking that this is a chicken and egg type question. Nobody wants to invest the energy into profiling all of their events until they are confident that the event description is stable, and without a clear winner in the event expression space, nobody dedicates time to making it stable.
For years there have been projects that have attempted to standardize logging and they have all failed. Partly due to the specifics of the projects, but mostly because it took so long to stabilize the event expressions that a new expression group started and it took momentum away from it.
CEE is in an unprecedented place in that the tools to actually implement the event expressions have just recently become available (The structured log RFC, the lumberjack project, syslog-ng, ELSA, OSSEC etc.)
All of these have stated that they want to move forward using the CEE, but if the CEE is not stable in time, these projects will not wait. They will pick or invent a new standard, and since these projects, which are already involved in a very significant amount of the Internet's logs (linux) they will have mass adoption and will win the race regardless of merit.
Like Michael Starks wrote: "Let's fix this".
In my opinion, we only have short weeks before the next Linux releases come out with some aspect of Lumberjack on them. As for my own in house project, I have even less time.
I am not sure how much freedom I have in proposing changes to a 1.0alpha document, but I will write up what I think is a reasonable change to the taxonomy.
> [hidden email] wrote: > > > Raffael Marty, > > How many device and or software companies are now considering or have > processes in place to implement CEE? or do you think CEE is still > needs a significant amount of work? Any interest from ArcSight, or > EnVision in implementing.