Balasz and others:

For the benefit of the logging community, I am sharing a few ideas from the upcoming CEE taxonomy docs (all these are pre-DRAFTS):

"The CEE Event Taxonomy defines a collection of "tags" that can be used to categorize events. Its goal is to provide a common vocabulary, through sets of tags, to help classify and relate records that pertain to similar types of events. Using Taxonomy tags, event producers can provide obvious and consistent event categorization identifiers. For example, users and event consumers can leverage these categories to improve event correlation or easily locate certain classes of events."

"The CEE Taxonomy defines a tag set as a way to categorize events. Each tag set consists of one or more tags. Similar to an event field, each tag entry has an identifying long and short name. These tag sets allow each event to be associated with multiple tags representing multiple categories. This gives the event consumers the flexibility to identify similar events based upon their needs."

"Common tag sets include event action, status, and object, and might include other categorizations such as attack type, device type, or other categorizations that are required by the event consumer."

"A tag relation describes the association that a tag has with another tag. Individual tag relations are defined in a Relation element, with the type attribute specifying the relation type (e.g., subclass) and the element's text references the Tag to which the current Tag is related. Relations are grouped together within a single Relations element."
Examples:

<Tag>
  <Name>AccountObject</Name>
  <ShortName>acct</ShortName>
  <TagSet>object</TagSet>
  <Description>A user account</Description>
</Tag>

<Tag>
  <Name>LogonAction</Name>
  <ShortName>logon</ShortName>
  <AltName>login</AltName>
  <TagSet>ActionTagSet</TagSet>
  <Description>
    An entity (typically a user, application, or system) gains access to a
    system or application by properly authenticating to a user account and
    starting a session, usually using a password or other credential
  </Description>
  <Relations>
    <Relation type="opposite">LogoffAction</Relation>
  </Relations>
</Tag>

Further:

"The CEE Dictionary defines a collection of event fields, field sets, and field value types. A field is used to describe one characteristic or property of an event (e.g., start time, account name). Each field definition may be associated with a value type, which defines the format for valid values for that field. For example, a "filename" field has values of a "string" type. Field sets, like tag sets, simply allow related fields to be grouped."

Let me know if you'd like to see anything else...

Best,

--
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Consulting: http://www.securitywarriorconsulting.com
Twitter: @anton_chuvakin
Google Voice: +1-510-771-7106
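As an added illustration (not part of the original post or of the CEE drafts), the following Python shows how an event consumer could load Tag definitions like the ones above, check that every Relation points at a defined tag, and select events by long, short or alternate name. It assumes a <Tags> wrapper element and a simple list-of-dicts event representation, neither of which the draft text specifies.

```python
import xml.etree.ElementTree as ET

# Constructed sample of CEE-style tag definitions. The <Tags> root is an
# assumption; the draft only shows individual <Tag> entries.
TAG_XML = """<Tags>
  <Tag><Name>AccountObject</Name><ShortName>acct</ShortName>
       <TagSet>object</TagSet><Description>A user account</Description></Tag>
  <Tag><Name>LogonAction</Name><ShortName>logon</ShortName><AltName>login</AltName>
       <TagSet>ActionTagSet</TagSet><Description>Entity gains access</Description>
       <Relations><Relation type="opposite">LogoffAction</Relation></Relations></Tag>
  <Tag><Name>LogoffAction</Name><ShortName>logoff</ShortName>
       <TagSet>ActionTagSet</TagSet><Description>Entity ends a session</Description>
       <Relations><Relation type="opposite">LogonAction</Relation></Relations></Tag>
</Tags>"""

# Constructed sample events; each carries the tags its producer attached.
EVENTS = [
    {"id": 1, "tags": ["login", "acct"]},
    {"id": 2, "tags": ["logoff", "acct"]},
    {"id": 3, "tags": ["LogonAction"]},
]


def load_tags(xml_text):
    """Parse <Tag> definitions into {long name: details}; reject incomplete entries."""
    tags = {}
    for el in ET.fromstring(xml_text).iter("Tag"):
        name, short, tagset = (el.findtext(k) for k in ("Name", "ShortName", "TagSet"))
        if not (name and short and tagset):
            raise ValueError("Tag missing Name, ShortName or TagSet")
        relations = [(r.get("type"), r.text.strip())
                     for r in el.iterfind("Relations/Relation")]
        tags[name] = {"short": short, "alt": el.findtext("AltName"),
                      "tagset": tagset, "relations": relations}
    return tags


def dangling_relations(tags):
    """(tag, target) pairs whose Relation text names no defined tag."""
    return sorted((n, t) for n, d in tags.items()
                  for _, t in d["relations"] if t not in tags)


def events_matching(events, tags, wanted):
    """Events carrying `wanted`, whether given as long, short or alternate name."""
    names = {wanted}
    for n, d in tags.items():
        if wanted in (n, d["short"], d["alt"]):
            names |= {n, d["short"], d["alt"]} - {None}
    return [e for e in events if names & set(e["tags"])]
```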