[syslog-ng] Is there a standard for naming tag/value pairs when parsing

Scheidler, Balázs balazs.scheidler at balabit.com
Sun Jun 12 11:44:45 CEST 2016


Well, CEE is pretty much dead, and I didn't see too much activity wrt
lumberjack either.

I would rather see consolidation instead of further fragmentation in this
area.

Cheers
Bazsi
You are the last person I thought would point me toward the splunk CIM.
Given the support that Balabit has put behind CEE and then lumberjack and
even the experimental patternDB schema (
https://github.com/balabit/syslog-ng-patterndb/blob/master/SCHEMAS.txt) I
was sure you would steer me toward lumberjack.

At first glance the splunk CIM appears to be structured around and
partially dependent on some of the data flows of the splunk product. I'll
continue to review it, but at this point I am still open to alternate
suggestions.

Evan.

On 06/11/2016 11:45 AM, Scheidler, Balázs wrote:

There's a common information model at Splunk, or the field dictionary of CEF,
of ArcSight fame.

I would probably use the Splunk one, except if you plan to use ArcSight at
the end.
On Jun 11, 2016 18:32, "Evan Rempel" <erempel at uvic.ca> wrote:

> There was a project by Mitre (https://www.mitre.org/) called the Common
> Event Expression (https://cee.mitre.org/) that was going to be the
> official standard for metadata names for events, but that project has
> been stopped.
>
> Other than the two references that the CEE project has for logging
> standardization efforts, does anyone know of any major efforts by any
> group to define a standard for metadata naming?
>
> Evan.
