{"id":290,"date":"2007-04-27T03:47:00","date_gmt":"2007-04-27T03:47:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=290"},"modified":"2020-07-03T03:48:50","modified_gmt":"2020-07-03T03:48:50","slug":"cee-logging-standard","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2007\/04\/cee-logging-standard\/","title":{"rendered":"CEE \u2013 Logging standard"},"content":{"rendered":"\n

If you are not at the log analysis<\/a> mailing list, you are missing a good discussion<\/a> regarding the efforts to create a new logging standard, CEE (Common Event Expression). MITRE<\/a> is in charge of the process, but it is probably sponsored by Log logic (1)<\/em>, since they were the first ones to report<\/a> about it.<\/p>\n\n\n\n

Before I go any further, I would like to say that I am very interested in this initiative and that I already contacted MITRE to be a part of the CEE working group. Unfortunately, I am not very optimistic that it is going to be widely adopted (hope I am wrong).<\/p>\n\n\n\n

First of all, it will require significant changes to all major applications and if the protocols are not very well designed, no one is going to use it.<\/p>\n\n\n\n

Secondly, the protocol must be simple enough to be fast and non-blocking (like syslog), but still reliable, with support for encryption, etc.<\/p>\n\n\n\n

Thirdly, I am always worried by protocols<\/em> designed by security people. Most of them have no software engineering experience and if CEE looks anything like IDMEF or SDEE it will go no where.<\/p>\n\n\n\n

Anyway, besides my lack of optmism, I will still contribute to it and if it get past the design phase, I will volunteer to write free libraries (LGPL or BSD licensed) to support it.<\/p>\n\n\n\n

If you want more information, check out the following blog entries (by Anton Chuvakin and Raffy\u2019s:<\/p>\n\n\n\n

Finally, Common Event Expression (CEE) is Out!!!<\/a>
CEE brochure<\/a>
Standard Logging Format \u2013 Common Event Expression (CEE)<\/a><\/p>\n\n\n\n

[1]<\/em> Edit to add (Apr 28 2007):<\/strong> Looks like I spoke too soon (actually without any base) that Log Logic is sponsoring CEE. Thanks Raffy<\/a> for pointing it out in the comments.<\/p>\n","protected":false},"excerpt":{"rendered":"

If you are not at the log analysis mailing list, you are missing a good discussion regarding the efforts to create a new logging standard, CEE (Common Event Expression). MITRE is in charge of the process, but it is probably sponsored by Log logic (1), since they were the first ones to report about it. Before I go any further, I would like to […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/290"}],"collection":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/comments?post=290"}],"version-history":[{"count":1,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/290\/revisions"}],"predecessor-version":[{"id":291,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/posts\/290\/revisions\/291"}],"wp:attachment":[{"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/media?parent=290"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/categories?post=290"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/defragged.org\/ossec\/wp-json\/wp\/v2\/tags?post=290"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}