<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"></head><body><div>There is something to be said for making it easy to use syslog-ng with the major players and right now that is splunk. I would hasten to add keeping json actively used and the native elasticsearch destination current also makes it easy to position syslog-ng as a standard collection and distribution layer. </div><div><br></div><div>Within 2 to 3 years something will leapfrog splunk and if syslog-ng is ready, it will make that transition much easier.</div><div><br></div><div>Jim</div><div><br></div><div><br></div><div id="composer_signature"><div style="font-size:85%;color:#575757" dir="auto">Sent from my Verizon, Samsung Galaxy smartphone</div></div><div><br></div><div style="font-size:100%;color:#000000"><!-- originalMessage --><div>-------- Original message --------</div><div>From: "Scheidler, Balázs" <balazs.scheidler@balabit.com> </div><div>Date: 6/12/16 5:44 AM (GMT-05:00) </div><div>To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> </div><div>Subject: Re: [syslog-ng] Is there a standard for naming tag/value pairs when        parsing </div><div><br></div></div><p dir="ltr">Well, CEE is pretty much dead, and I didn't see too much activity wrt lumberjack either.</p>
<p dir="ltr">I would rather see consolidation instead of further fragmentation in this area.</p>
<p dir="ltr">Cheers<br>
Bazsi </p>
<div class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>You are the last person I thought would
point me toward the splunk CIM. Given the support that Balabit has
put behind CEE and then lumberjack and even the experimental
patternDB schema
(<a href="https://github.com/balabit/syslog-ng-patterndb/blob/master/SCHEMAS.txt" target="_blank">https://github.com/balabit/syslog-ng-patterndb/blob/master/SCHEMAS.txt</a>)
I was sure you would steer me toward lumberjack.<br>
<br>
At first glance the splunk CIM appears to be structured around and
partially dependent on some of the data flows of the splunk
product. I'll continue to review it but at this point I am still
open to alternate suggestions.<br>
<br>
Evan.<br>
<br>
On 06/11/2016 11:45 AM, Scheidler, Balázs wrote:<br>
</div>
<blockquote type="cite">
<p dir="ltr">There's the common information model at splunk or the
field dictionary of CEF, of arcsight fame.</p>
<p dir="ltr">I would probably use the splunk one, except if you
plan to use arcsight at the end.</p>
<div class="gmail_quote">On Jun 11, 2016 18:32, "Evan Rempel" <<a href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">There was a
project by Mitre (<a href="https://www.mitre.org/" rel="noreferrer" target="_blank">https://www.mitre.org/</a>) called the
Common<br>
Event Expression (<a href="https://cee.mitre.org/" rel="noreferrer" target="_blank">https://cee.mitre.org/</a>) that was going
to be the<br>
official standard for metadata names for events, but that
project has<br>
been stopped.<br>
<br>
Other than the two references that the CEE project has for
logging<br>
standardization efforts, does anyone know of any major efforts
by any<br>
group to define a standard for metadata naming?<br>
<br>
Evan.</blockquote>
</div>
</blockquote>
<br>
</div>
<br>______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
<br></div>
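<p>The thread discusses which field dictionary (Splunk CIM, CEF, CEE/lumberjack) to adopt for the tag/value pairs a parser produces, and Jim's point that the collection layer should emit JSON that the chosen destination understands. The example below is added here and is not from any poster or from the syslog-ng project: it parses two constructed sshd lines into product-specific field names, then renames them through a swappable naming table before emitting JSON. The two tables (CIM_LIKE, CEF_LIKE) are assumptions loosely modelled on the schemas named in the thread, not copies of either, and the outcome vocabulary is likewise assumed. The design point is that the extractor never changes; only the naming table does, which is what lets one collection layer feed whichever consumer is current.</p>

```python
import json
import re

# Constructed sample lines for this example; they are not from the thread.
SAMPLE_LINES = [
    "<38>Jun 11 18:32:01 gw01 sshd[2231]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51514 ssh2",
    "<38>Jun 11 18:32:05 gw01 sshd[2231]: Accepted publickey for evan "
    "from 198.51.100.23 port 40022 ssh2",
]

# Minimal BSD-syslog (RFC 3164 style) header parser; names are product-specific.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# sshd authentication outcome lines.
SSHD_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>\S+) port (?P<src_port>\d+)"
)

# Naming tables: raw field -> common-schema field. Assumed, loosely modelled on
# the Splunk CIM and the CEF dictionary named in the thread; not copies of either.
CIM_LIKE = {"host": "dest", "src_ip": "src", "src_port": "src_port",
            "user": "user", "prog": "app", "result": "action"}
CEF_LIKE = {"host": "dst", "src_ip": "src", "src_port": "spt",
            "user": "suser", "prog": "deviceProcessName", "result": "act"}

# Assumed value vocabulary for the outcome field.
OUTCOME = {"Failed": "failure", "Accepted": "success"}


def extract(line):
    """Parse one line into raw key/value pairs with product-specific names."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = {k: v for k, v in m.groupdict().items() if v is not None}
    if fields["prog"] == "sshd":
        s = SSHD_RE.match(fields["msg"])
        if s:
            fields.update(s.groupdict())
            del fields["msg"]      # fully decomposed, drop the free text
    return fields


def normalize(line, naming):
    """Rename raw fields into the chosen schema; unmapped ones go under 'extra.'."""
    raw = extract(line)
    if raw is None:
        return None
    out = {}
    for key, value in raw.items():
        if key == "result":
            value = OUTCOME.get(value, value)
        target = naming.get(key)
        out[target if target else "extra." + key] = value
    out["severity"] = int(raw["pri"]) & 7   # syslog severity is the low 3 bits of PRI
    return out


def to_json(line, naming):
    """One JSON document per event, the shape a JSON/Elasticsearch destination takes."""
    return json.dumps(normalize(line, naming), sort_keys=True)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(to_json(line, CIM_LIKE))
        print(to_json(line, CEF_LIKE))
```

<p>Fields the naming table does not know are kept rather than dropped, under an <code>extra.</code> prefix, so a schema gap shows up in the output instead of silently losing data; the unmatched line returns <code>None</code> so a caller can count parse failures separately.</p>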
</body></html>