[syslog-ng] [patterndb] classification

Balazs Scheidler bazsi at balabit.hu
Mon Sep 20 17:41:16 CEST 2010


Hi Anton,

Thanks for letting us know. The things you posted about CEE so far
definitely influence me while trying to work on patterndb (both as the
collect-the-patterns project and as code within syslog-ng itself).

So, I wanted to thank you for taking the time to post this.


On Thu, 2010-09-09 at 22:48 -0700, Anton Chuvakin wrote:
> Balazs and others:
> 
> For the benefit of the logging community, I am sharing a few ideas
> from the upcoming CEE taxonomy docs (all these are pre-DRAFTS):
> 
> "The CEE Event Taxonomy defines a collection of "tags" that can be
> used to categorize events. Its goal is to provide a common vocabulary,
> through sets of tags, to help classify and relate records that pertain
> to similar types of events. Using Taxonomy tags, event producers can
> provide obvious and consistent event categorization identifiers. For
> example, users and event consumers can leverage these categories to
> improve event correlation or easily locate certain classes of events."
> 
> "The CEE Taxonomy defines a tag set as way to categorize events. Each
> tag set consists of one or more tags. Similar to an event field, each
> tag entry has an identifying long and short name. These tag sets allow
> each event to be associated with multiple tags representing multiple
> categories. This gives the event consumers the flexibility to identify
> similar events based upon their needs."
> 
> "Common tag sets include event action, status, and object, and might
> include other categorizations such as attack type, device type, or
> other categorizations that are required by the event consumer."
> 
> "A tag relation describes the association that a tag has with another tag.
> Individual tag relations are defined in a Relation element, with the
> type attribute specifying the relation type (e.g., subclass) and the
> element's text references the Tag to which the current Tag is related.
> Relations are grouped together within a single Relations element."
> 
> Examples:
> 
> <Tag>
>     <Name>AccountObject</Name>
>     <ShortName>acct</ShortName>
>     <TagSet>object</TagSet>
>     <Description>A user account</Description>
> </Tag>
> 
> 
>     <Tag>
>         <Name>LogonAction</Name>
>         <ShortName>logon</ShortName>
>         <AltName>login</AltName>
>         <TagSet>ActionTagSet</TagSet>
>         <Description>
> An entity (typically a user, application, or system) gains access to a
> system or application by properly authenticating to a user account and
> starting a session, usually using a password or other credential
>         </Description>
>         <Relations>
>             <Relation type="opposite">LogoffAction</Relation>
>         </Relations>
>     </Tag>
> 
> Further
> 
> "The CEE Dictionary defines a collection of event fields, field sets,
> and field value types. A field is used to describe one characteristic
> or property of an event (e.g., start time, account name). Each field
> definition may be associated with a value type, which defines the
> format for valid values for that field. For example, a "filename"
> field has values of a "string" type.  Field sets, like tag sets,
> simply allow related fields to be grouped."
> 
> Let me know if you'd like to see anything else...
> 
> Best,

-- 
Bazsi
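As an added example (not code from the CEE drafts or from syslog-ng/patterndb), a small Python parser for the Tag shape quoted above: it indexes tags by long, short and alternate name, groups them by TagSet, and flags relations whose target Tag is never declared. The `<Tags>` root element is an assumption; the quoted excerpt does not name a container.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two Tag examples quoted in the mail, wrapped in a
# <Tags> root (assumed container name; the quoted draft does not name one).
CEE_TAGS_XML = """<Tags>
  <Tag><Name>AccountObject</Name><ShortName>acct</ShortName>
       <TagSet>object</TagSet><Description>A user account</Description></Tag>
  <Tag><Name>LogonAction</Name><ShortName>logon</ShortName><AltName>login</AltName>
       <TagSet>ActionTagSet</TagSet>
       <Description>An entity gains access to a system</Description>
       <Relations><Relation type="opposite">LogoffAction</Relation></Relations></Tag>
</Tags>"""

def parse_tags(xml_text):
    """Return {long name: tag dict}. Each tag keeps its short/alt names, its
    TagSet, and its relations as (type, target long name) pairs."""
    tags = {}
    for el in ET.fromstring(xml_text).iter("Tag"):
        name = el.findtext("Name").strip()
        tags[name] = {
            "short": el.findtext("ShortName", "").strip(),
            "alt": [a.text.strip() for a in el.findall("AltName")],
            "set": el.findtext("TagSet", "").strip(),
            "relations": [(r.get("type"), r.text.strip())
                          for r in el.iter("Relation")],
        }
    return tags

def resolve(tags, ident):
    """Map a long, short or alternate name (as it may appear in an event's
    tag list) back to the canonical long name; None if the tag is unknown."""
    for name, t in tags.items():
        if ident == name or ident == t["short"] or ident in t["alt"]:
            return name
    return None

def by_tag_set(tags):
    """Group tags by TagSet, the grouping the draft uses (action, object...)."""
    groups = {}
    for name, t in tags.items():
        groups.setdefault(t["set"], []).append(name)
    return groups

def dangling_relations(tags):
    """Relations pointing at a Tag that is not defined. A consumer following
    'opposite' to pair logon/logoff events finds nothing here, because the
    sample never declares LogoffAction."""
    return [(name, rtype, target) for name, t in tags.items()
            for rtype, target in t["relations"] if target not in tags]
```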
