[syslog-ng] [patterndb] classification

Anton Chuvakin anton at chuvakin.org
Fri Sep 10 07:48:37 CEST 2010


Balasz and others:

For the benefit of the logging community, I am sharing a few ideas
from the upcoming CEE taxonomy docs (all these are pre-DRAFTS):

"The CEE Event Taxonomy defines a collection of "tags" that can be
used to categorize events. Its goal is to provide a common vocabulary,
through sets of tags, to help classify and relate records that pertain
to similar types of events. Using Taxonomy tags, event producers can
provide obvious and consistent event categorization identifiers. For
example, users and event consumers can leverage these categories to
improve event correlation or easily locate certain classes of events."

"The CEE Taxonomy defines a tag set as way to categorize events. Each
tag set consists of one or more tags. Similar to an event field, each
tag entry has an identifying long and short name. These tag sets allow
each event to be associated with multiple tags representing multiple
categories. This gives the event consumers the flexibility to identify
similar events based upon their needs. "

"Common tag sets include event action, status, and object, and might
include other categorizations such as attack type, device type, or
other categorizations that are required by the event consumer. "

"A tag relation describes the association that a tag has with another tag.
Individual tag relations are defined in a Relation element, with the
type attribute specifying the relation type (e.g., subclass) and the
element's text references the Tag to which the current Tag is related.
Relations are grouped together within a single Relations element."

Examples:

<Tag>
    <Name>AccountObject</Name>
    <ShortName>acct</ShortName>
    <TagSet>object</TagSet>
    <Description>A user account</Description>
</Tag>

<Tag>
    <Name>LogonAction</Name>
    <ShortName>logon</ShortName>
    <AltName>login</AltName>
    <TagSet>ActionTagSet</TagSet>
    <Description>
        An entity (typically a user, application, or system) gains access to a
        system or application by properly authenticating to a user account and
        starting a session, usually using a password or other credential
    </Description>
    <Relations>
        <Relation type="opposite">LogoffAction</Relation>
    </Relations>
</Tag>

Further

"The CEE Dictionary defines a collection of event fields, field sets,
and field value types. A field is used to describe one characteristic
or property of an event (e.g., start time, account name). Each field
definition may be associated with a value type, which defines the
format for valid values for that field. For example, a "filename"
field has values of a "string" type.  Field sets, like tag sets,
simply allow related fields to be grouped."

Let me know if you'd like to see anything else...

Best,
-- 
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Consulting: http://www.securitywarriorconsulting.com
Twitter: @anton_chuvakin
Google Voice: +1-510-771-7106
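As an added example, not part of this post or of the CEE drafts it quotes: a small Python loader for Tag elements in the form shown above. It resolves long, short and alternate names to one canonical tag, flags Relation targets that no Tag defines (which a consumer should reject rather than silently drop), and groups an event's tags by tag set so one event carries several categories. The LogoffAction tag in the embedded sample is a hypothetical addition so the "opposite" relation can be resolved.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two Tag elements quoted in the post, plus a
# hypothetical LogoffAction tag so the "opposite" relation can be resolved.
SAMPLE_TAGS_XML = """<Tags>
  <Tag><Name>AccountObject</Name><ShortName>acct</ShortName>
    <TagSet>object</TagSet><Description>A user account</Description></Tag>
  <Tag><Name>LogonAction</Name><ShortName>logon</ShortName><AltName>login</AltName>
    <TagSet>ActionTagSet</TagSet>
    <Relations><Relation type="opposite">LogoffAction</Relation></Relations></Tag>
  <Tag><Name>LogoffAction</Name><ShortName>logoff</ShortName>
    <TagSet>ActionTagSet</TagSet>
    <Relations><Relation type="opposite">LogonAction</Relation></Relations></Tag>
</Tags>"""

def load_tags(xml_text):
    """Parse every Tag element into {long name: {short, set, alt, relations}}."""
    tags = {}
    for el in ET.fromstring(xml_text).iter("Tag"):
        rel = {}
        for r in el.findall("Relations/Relation"):
            rel.setdefault(r.get("type"), []).append(r.text.strip())
        tags[el.findtext("Name").strip()] = {
            "short": el.findtext("ShortName").strip(),
            "set": el.findtext("TagSet").strip(),
            "alt": [a.text.strip() for a in el.findall("AltName")],
            "relations": rel,  # relation type -> list of target long names
        }
    return tags

def resolve(tags, label):
    """Map a long, short or alternate name to the canonical long name."""
    for name, t in tags.items():
        if label == name or label == t["short"] or label in t["alt"]:
            return name
    raise KeyError("unknown tag: %s" % label)

def dangling_relations(tags):
    """Relation targets that no Tag defines; a consumer should reject these."""
    return sorted({target for t in tags.values()
                   for targets in t["relations"].values()
                   for target in targets if target not in tags})

def classify(tags, labels):
    """Group an event's tags by tag set, so one event carries several categories."""
    out = {}
    for label in labels:
        name = resolve(tags, label)
        out.setdefault(tags[name]["set"], []).append(name)
    return out
```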
