For those of you who haven't noticed, the newest version of Syslog was
promoted to RFC status back in March.
http://www.ietf.org/rfc/rfc5424.txt
While it looks similar to the Syslog we all know and love, there are
some important changes.
1. Structured Data
Syslog now allows for name-value pairs to be included as part of the
log, making it easier on log parsers.
2. Registered Data Identifiers
Part of the structured data is the data identifiers. It allows
organizations to use their own value names beyond those registered
with the IANA (thus far only about 10 are identified). Hopefully this
will be better than the SNMP OID mess.
3. Better Timestamps
Syslog now supports millisecond precision and UTC offsets.
What does this mean for CEE?
Syslog is simply another log transport mechanism for CEE to leverage.
This newest version provides a better basis from which CEE can
concentrate on the actual name-value pairs, possibly helping to extend
the data identifiers.
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email] 781-271-2615
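A minimal parser for the RFC 5424 format the post describes, covering the three changes it lists (the VERSION field, timestamps with fractional seconds and UTC offsets, and STRUCTURED-DATA elements with name="value" parameters and their `\"`, `\\` and `\]` escapes). This is an added example, not code from the post, MITRE or CEE. The sample lines are constructed, modelled on the RFC's own examples; `example@32473` is a hypothetical SD-ID using the documentation enterprise number, and `timeQuality` is one of the IANA-registered SD-IDs.

```python
"""Minimal RFC 5424 syslog parser (added example; sample input constructed)."""
import re
from datetime import datetime

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then STRUCTURED-DATA [MSG]
_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) '
    r'(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) '
)
# RFC 3339 timestamp: date T time, optional 1-6 digit fraction, 'Z' or +hh:mm offset
_TS = re.compile(
    r'^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,6}))?(Z|[+-]\d{2}:\d{2})$'
)

def parse_timestamp(ts):
    """Return a timezone-aware datetime, or None for the NILVALUE '-'."""
    if ts == "-":
        return None
    m = _TS.match(ts)
    if not m:
        raise ValueError(f"bad TIMESTAMP: {ts!r}")
    base, frac, tz = m.groups()
    frac = (frac or "").ljust(6, "0")          # pad fraction to microseconds
    tz = "+00:00" if tz == "Z" else tz          # fromisoformat wants +hh:mm
    return datetime.fromisoformat(f"{base}.{frac}{tz}")

def parse_structured_data(text):
    """Parse STRUCTURED-DATA at the start of text; return ({sd_id: {name: value}}, rest)."""
    if text.startswith("-"):
        return {}, text[1:]
    elements = {}
    i = 0
    while i < len(text) and text[i] == "[":
        j = i + 1
        while text[j] not in " ]":              # SD-ID runs to SP or ']'
            j += 1
        sd_id = text[i + 1:j]
        params = {}
        i = j
        while text[i] == " ":                   # each SD-PARAM: SP name="value"
            i += 1
            eq = text.index("=", i)
            name = text[i:eq]
            if text[eq + 1] != '"':
                raise ValueError("PARAM-VALUE must be double-quoted")
            k = eq + 2
            value = []
            while text[k] != '"':
                if text[k] == "\\" and text[k + 1] in '"\\]':
                    k += 1                      # escaped char: keep it literally
                value.append(text[k])
                k += 1
            params[name] = "".join(value)
            i = k + 1
        if text[i] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        elements[sd_id] = params
        i += 1
    return elements, text[i:]

def parse_syslog(line):
    """Split one RFC 5424 line into its fields; raise ValueError if it is not one."""
    m = _HEADER.match(line)
    if not m or m["version"] != "1":
        raise ValueError("not an RFC 5424 version 1 message")
    pri = int(m["pri"])
    sd, rest = parse_structured_data(line[m.end():])
    msg = rest[1:] if rest.startswith(" ") else rest
    if msg.startswith("\ufeff"):                # optional BOM marks a UTF-8 MSG
        msg = msg[1:]
    return {
        "facility": pri // 8, "severity": pri % 8, "version": int(m["version"]),
        "timestamp": parse_timestamp(m["ts"]), "hostname": m["host"],
        "app_name": m["app"], "procid": m["procid"], "msgid": m["msgid"],
        "structured_data": sd, "msg": msg,
    }

def is_rfc5424(line):
    """True if the line parses as RFC 5424 (old BSD-style lines have no VERSION field)."""
    try:
        parse_syslog(line)
        return True
    except (ValueError, IndexError):
        return False

# Constructed sample lines, modelled on the RFC's examples.
SAMPLE_LINES = [
    '<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 -',
    '<165>1 2023-06-01T12:00:00.123+02:00 host01 sshd 1234 LOGIN '
    '[example@32473 user="alice" note="quote \\" and bracket \\] ok"]'
    '[timeQuality tzKnown="1" isSynced="1"] Accepted publickey',
    '<34>Oct 11 22:14:15 mymachine su: old BSD-style line, no VERSION field',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_syslog(line) if is_rfc5424(line) else "not RFC 5424")
```

The scanner walks the structured-data bytes one at a time rather than splitting on `]`, because a `\]` inside a PARAM-VALUE would otherwise terminate the element early; the old-format third sample shows why the VERSION field matters to a parser that has to accept both.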