<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">Thanks, I just wanted to see your
      reasoning behind your decision. <br>
      <br>
Does anyone know of any patternDB parsing that was intended to
      conform to the Splunk CIM that I could take a look at? I'm just
      trying to shorten the learning curve.<br>
      <br>
      Evan.<br>
      <br>
      On 06/12/2016 02:44 AM, Scheidler, Balázs wrote:<br>
    </div>
    <blockquote
cite="mid:CANWQT2NaZp-PBMW9NK2WBOrzrjwX4g4FQR-pqh-8TAVMR=ZQyA@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <p dir="ltr">Well, CEE is pretty much dead, and I didn't see too
        much activity wrt lumberjack either.</p>
      <p dir="ltr">I would rather see consolidation instead of further
        fragmentation in this area.</p>
      <p dir="ltr">Cheers<br>
        Bazsi </p>
<div class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
        <div bgcolor="#FFFFFF" text="#000000">
          <div>You are the last person I thought would point me toward
            the splunk CIM. Given the support that Balabit has put
            behind CEE and then lumberjack and even the experimental
            patternDB schema (<a moz-do-not-send="true"
href="https://github.com/balabit/syslog-ng-patterndb/blob/master/SCHEMAS.txt"
              target="_blank">https://github.com/balabit/syslog-ng-patterndb/blob/master/SCHEMAS.txt</a>)
            I was sure you would steer me toward lumberjack.<br>
            <br>
At first glance the splunk CIM appears to be structured
            around and partially dependent on some of the data flows of
            the splunk product. I'll continue to review it but at this
            point I am still open to alternate suggestions.<br>
            <br>
            Evan.<br>
            <br>
            On 06/11/2016 11:45 AM, Scheidler, Balázs wrote:<br>
          </div>
          <blockquote type="cite">
<p dir="ltr">There's a common information model at splunk or
              the field dictionary of CEF, of arcsight fame.</p>
            <p dir="ltr">I would probably use the splunk one, except if
              you plan to use arcsight at the end.</p>
            <div class="gmail_quote">On Jun 11, 2016 18:32, "Evan
              Rempel" &lt;<a moz-do-not-send="true"
                href="mailto:erempel@uvic.ca" target="_blank">erempel@uvic.ca</a>&gt;
              wrote:<br type="attribution">
              <blockquote class="gmail_quote" style="margin:0 0 0
                .8ex;border-left:1px #ccc solid;padding-left:1ex">There
                was a project by Mitre (<a moz-do-not-send="true"
                  href="https://www.mitre.org/" rel="noreferrer"
                  target="_blank">https://www.mitre.org/</a>) called the
                Common<br>
                Event Expression (<a moz-do-not-send="true"
                  href="https://cee.mitre.org/" rel="noreferrer"
                  target="_blank">https://cee.mitre.org/</a>) that was
                going to be the<br>
                official standard for metadata names for events, but
                that project has<br>
                been stopped.<br>
                <br>
                Other than the two references that the CEE project has
                for logging<br>
                standardization efforts, does anyone know of any major
                efforts by any<br>
                group to define a standard for metadata naming?<br>
                <br>
                Evan.</blockquote>
            </div>
          </blockquote>
          <br>
        </div>
        <br>
______________________________________________________________________________<br>
        Member info: <a moz-do-not-send="true"
          href="https://lists.balabit.hu/mailman/listinfo/syslog-ng"
          rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
        Documentation: <a moz-do-not-send="true"
          href="http://www.balabit.com/support/documentation/?product=syslog-ng"
          rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
        FAQ: <a moz-do-not-send="true"
          href="http://www.balabit.com/wiki/syslog-ng-faq"
          rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
        <br>
        <br>
      </div>
    </blockquote>
    <pre class="moz-signature" cols="500">-- 
Evan Rempel                                      <a class="moz-txt-link-abbreviated" href="mailto:erempel@uvic.ca">erempel@uvic.ca</a>
Senior Systems Administrator                        250.721.7691
Data Centre Services, University Systems, University of Victoria 
</pre>
  </body>
</html>