Re: [logs] How to define Log, Event, and Alert?


Re: [logs] How to define Log, Event, and Alert?

Tina Bird
 
> Same thing. Event is not necessarily "a state change."  It is a
> broader thing, basically,   "something that happened" (even though a
> state is the same - e.g. backup is proceeding, attack was seen, etc)

> >> Event:
> >>        A discrete, distinct, and discernible state change in an
> >> environment.
> >
> > In some aspects, state changes such as processes dying or starting
> > are surely events, but I also think that some logs which don't indicate
> > a state change such as login failures, port scanning, intrusion
> > detection logs, and so on are noteworthy and worth alerting on.

[Now's the time to ask the question -- how much overlap *is* there between
the CEE discussion list and this list?]...pardon the cross-posting, I've
been meaning to respond to this since yesterday...

The whole point of this discussion is to clarify terms, so I guess this is
one place where nit-picking is actually encouraged ;-)

The word "event" carries the connotation of something happening. "Something"
may be a state change; in the discussions of nomenclature in which I've
participated "something" has been used primarily to describe authentication,
application functions and errors, alarms generated by IDS, etc.

In the situation in which I've discussed possible candidates for "action" in
a message template (you know who you are ;-)), I've strongly advocated
"report" as an action. "Report" complicates things, because most actions can
be assigned a success or failure token, but knowing that the "report" action
was successful doesn't help you much -- you don't want to know the report
*worked*, you want to know what the report *reported*.

Consider the large number of UNIXen running cron jobs to verify disk
utilization, available memory etc. and dumping the results into syslog. And
then consider the impressive amounts of frustration generated in all those
sysadmins who get the message "cron job ran" or "cron job failed" and then
realized they had to go back and actually capture the output somehow....

If we stick with the word "event," I argue that it needs to be defined in
such a way that it includes reporting activities, and also allows for a
result other than success or failure. For instance, the result may store the
numeric result of the report, if applicable, or the name of a file in which
the report is stored. If we structure the definition to include only state
changes, we disregard the often critical contextual information that gives
the event significance.

The more I think about it, though, the more I wonder if we can't just skip
over the definition of event -- at least temporarily (like writers do when
they leave the introduction or first chapter of the book for last) -- and
work on the components of the entry/record first. That might make it easier
to clarify what "event" means in the context of data collection, after we've
got a reasonable amount of use cases and data samples to play with.

cheers -- tbird
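As an added illustration (not code from the thread, from CEE, or from any list member), here is a small Python model of a log entry along the lines argued for above: a timed record whose action may be "report", with a result that is a number or a file name rather than a bare success/failure token, plus a check that flags jobs which logged "ran" but never logged what they reported. The syslog lines, field names and message patterns are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Union
@dataclass
class Event:
    time: datetime                         # a log entry is a TIMED record
    host: str
    source: str                            # program that wrote the entry
    action: str                            # "run", "report", "login", ...
    status: Optional[str] = None           # success/failure, when it applies
    result: Union[int, str, None] = None   # what a report reported: number or file name
    target: Optional[str] = None           # job, filesystem or user concerned
# Constructed sample syslog lines (not captured from any real system).
SAMPLE = """\
Jul 24 10:55:01 web1 cron[4711]: job disk_check ran
Jul 24 10:55:02 web1 disk_check: /var usage 87%
Jul 24 10:55:03 web1 mem_check: report written to /var/log/memcheck-20080724.txt
Jul 24 10:56:01 web1 cron[4712]: job swap_check ran
Jul 24 10:56:04 web1 sshd[512]: login failure for user bob
"""
HEADER = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                    r"(?P<src>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Message pattern -> (action, status, result, target). Only "run" and "login"
# get a success/failure token; a "report" carries its payload in result.
RULES = [
    (re.compile(r"^job (\S+) (ran|failed)$"),
     lambda m: ("run", "success" if m[2] == "ran" else "failure", None, m[1])),
    (re.compile(r"^(\S+) usage (\d+)%$"), lambda m: ("report", None, int(m[2]), m[1])),
    (re.compile(r"^report written to (\S+)$"), lambda m: ("report", None, m[1], None)),
    (re.compile(r"^login (success|failure) for user (\S+)$"),
     lambda m: ("login", m[1], None, m[2])),
]

def parse_line(line: str, year: int = 2008) -> Event:
    h = HEADER.match(line)
    if not h:
        raise ValueError(f"unparseable line: {line!r}")
    when = datetime.strptime(f"{year} {h['ts']}", "%Y %b %d %H:%M:%S")
    for rx, build in RULES:
        m = rx.match(h["msg"])
        if m:
            return Event(when, h["host"], h["src"], *build(m))
    return Event(when, h["host"], h["src"], "unknown", result=h["msg"])

def parse_log(text: str) -> List[Event]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def unreported_jobs(events: List[Event]) -> List[str]:
    # jobs that logged "ran" but never logged what they reported
    reported = {e.source for e in events if e.action == "report"}
    return [e.target for e in events
            if e.action == "run" and e.status == "success" and e.target not in reported]
```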

Re: [logs] How to define Log, Event, and Alert?

David Corlette
I've suggested to the loganalysis list that the discussion be moved to the collaboration site, so late entrants can see prior discussion.  I would discourage e-mail commentary since AFAIK there's no archive for back referencing.

Or is there, Bill?

> [Now's the time to ask the question -- how much overlap *is* there between
> the CEE discussion list and this list?]...pardon the cross-posting, I've
> been meaning to respond to this since yesterday...

Re: How to define Log, Event, and Alert?

heinbockel
In reply to this post by Tina Bird

>-----Original Message-----
>From: Tina Bird [mailto:[hidden email]]
>Sent: Wednesday, 23 July 2008 16:57
>To: cee-discussion-list CEE-Related Discussion
>Subject: Re: [CEE-DISCUSSION-LIST] [logs] How to define Log,
>Event, and Alert?
>
>
>[Now's the time to ask the question -- how much overlap *is* there
>between
>the CEE discussion list and this list?]...pardon the cross-
>posting, I've
>been meaning to respond to this since yesterday...
>
While I'm still going through and compiling all of the responses
to the definitions, I will address this question now.

* The loganalysis is for general log-related discussion.

* The CEE Discussion list is for CEE-related log discussion.


My thoughts are that the few things that have any sort of
implication to the more general log arena (such as these
definitions) are applicable to the entire log community.
-- The only other topic that I can think of cross-posting
is the various source of log policies, regulatory compliance,
and legal log requirements. --

I hope that everybody on the loganalysis list that is interested
in log standards will join us on the CEE Discussion list.



William Heinbockel
The MITRE Corporation


Re: How to define Log, Event, and Alert?

David Corlette
Hi Bill,

Can you respond to my earlier question: is there an archive of the CEE list that folks can look at, so they can see prior discussion before commenting?




Re: How to define Log, Event, and Alert?

Raffael Marty-3
David,

Archives are available at: http://www.nabble.com/CEE-Log-Event-Standard-f30667.html

   -raffy

--
   Raffael Marty
   Chief Security Strategist                           @ Splunk>
   Security Visualization: http://secviz.org       raffy.ch/blog




Re: How to define Log, Event, and Alert?

Tina Bird
 
> Archives are available at:
> http://www.nabble.com/CEE-Log-Event-Standard-f30667.html

I'm working on severe revampage of the Log Analysis web site, which is now
two years or so without updates :-( My first two priorities are to modify
the home page to include a link to CEE itself, as well as to a page I'll
create with pointers to all the various relevant pages; hopefully this will
drive traffic to the "main" discussion.

Next on the list is a summary of the other standards related to logging (for
which the basis was supplied in a Log Analysis list posting, I believe); and
a page reviewing laws, regulations etc. related to IT data collection.

I'll drop a line here letting folks know when it's in place.

t.

Re: [logs] How to define Log, Event, and Alert?

Anton Chuvakin
In reply to this post by Tina Bird
Good point. So:

Event = something that happened on a system.
Log = a TIMED record of the above occurrence.


On Thu, Jul 24, 2008 at 7:23 PM, Bill Scherr IV <[hidden email]> wrote:

> So...
>
> I gather a temporal mention to be appropriate beyond the definition of the Log.  Also, most systems break off their logs by
> size, not time.  Although there is a definite time to each log, they are not consistent, even with the same log gatherer.  Right or
> wrong, that is how I find them.  Suggestions below (if I may be so bold):
>
> Circa 11:26, 23 Jul 2008, a note, claiming source Heinbockel, Bill <[hidden email]>, was sent to me:
>
> From:                   "Heinbockel, Bill" <[hidden email]>
> To:                     <[hidden email]>
> Subject:                [logs] How to define Log, Event, and Alert?
>
>>
>>
>> Here is our initial shot at defining these terms:
>>
>>
>> Event:
>>       A discrete, distinct, and discernible state change in an
>> environment.
>
> A discrete, distinct, and discernible state change in an environment at a recorded (or given) time.
>>
>> Alert (n):
>>       A warning or notification generated in response to an event.
>>
>> Alert (v):
>>       The act of generating, transporting, or displaying a warning or
>> notification in response to an event.
>>
>> Log Entry:
>>       The record of an event in a log. Event log, event record, log
>> message, log record, and audit record are all synonyms that have been
>> used to refer to log entries.
>
> The record of an event in a log, in sequence, usually with a timestamp.  <thesaurus reference to follow>
>>
>> Log (n):
>>       The record comprising one or more log entries accumulated over
>> a given period. This may be electronic (e.g. stored in memory, disk,
>> software, database, text file, etc), physical (e.g. on paper), or even
>> verbal (e.g., "Between 10:00 and 10:01 we received a series of several
>> thousand SYN packets that we acknowledged, but full TCP connections
>> were not completed. At 10:02, our server resources exceeded the
>> maximum tolerable level and crashed.").
>>
>> Log (v):
>>       The act of recording or storing one or more events.
>>
>>
>>
>> What do you think?
>> Can these definitions be changed/improved in any way?
>> Are there any examples, synonyms, or clarifications that should be
>> added?
>>
>
> Event:  The same state change may occur repeatedly.
> Log Entry:  No entry happens without context.
>
>
>
>
> Bill Scherr IV, GSEC, GCIA
> Principal Security Engineer
> EWA Information and Infrastructure Technologies
> [hidden email]
> [hidden email]
> 703-478-7608
> _______________________________________________
> LogAnalysis mailing list
> [hidden email]
> http://www.loganalysis.org/mailman/listinfo/loganalysis
>



--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
 http://www.chuvakin.org
 http://chuvakin.blogspot.com
 http://www.info-secure.org

Discussion List Mail Archives

heinbockel
In reply to this post by David Corlette
Dave,

Yes, there is a public mailing list archive that is linked
off of the website. The more direct link is:
http://www.nabble.com/CEE-Log-Event-Standard-f30667.html


William Heinbockel
The MITRE Corporation

