In support of the CEE effort to develop a log standard, we
are trying to accurately define the concepts of "log",
"event", and "alert". When we speak of these conceptually,
a majority of us have common understanding of what we mean.
However, this is not the case when presenting these terms
to management and other people outside of the log space.

Here is our initial shot at defining these terms:

Event:
A discrete, distinct, and discernible state change in an
environment.

Alert (n):
A warning or notification generated in response to an event.

Alert (v):
The act of generating, transport, or displaying a warning or
notification in response to an event.

Log Entry:
The record of an event in a log. Event log, event record, log
message, log record, and audit record are all synonyms that have been
used to refer to log entries.

Log (n):
The record comprising one or more log entries accumulated over
a given period. This may be electronic (e.g. stored in memory, disk,
software, database, text file, etc), physical (e.g. on paper), or even
verbal (e.g., "Between 10:00 and 10:01 we received a series of several
thousand SYN packets that we acknowledged, but full TCP connections
were not completed. At 10:02, our server resources exceeded the
maximum tolerable level and crashed.").

Log (v):
The act of recording or storing one or more events.

What do you think?
Can these definitions be changed/improved in anyway?
Is there any examples, synonyms, or clarifications that should be
added?

Thanks,

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel (at) mitre (dot) org [email concealed]
781-271-2615

0? *?H?÷

 ?0?

10 +0? *?H?÷


 ?
Å0?d0?L 


0
 *?H?÷


0Z10U
 mitre.org10UCertificate Authority1$0"UMITRE Corporation Root CA-10
060601040000Z
180601040000Z0Z10U
 mitre.org10UCertificate Authority1$0"UMITRE Corporation Root CA-10?
"0
 *?H?÷



?
0?

?

¯kZ?=??&þo2Ð??ÝNí
n}yCW
©W*/HsdùÅõ¢Ì?{%*?'?ì-L÷6ÉÔV:K`EsW?âã^Ù?<S?ÂnS÷ÃYsÜD(?ÎÞò«}Jâ+
w
åJ­%ÿ¢ë¤,
Rè#Kê???§Ç¡ØÜYN_6QÃUÏJ( C
jG?-?,pl³øg3$§?²?2ØØ
i!ó?.ÖQÕD+BnZÅî¬Ï³/ã±k¯Å\_é?îƪ÷?D:)`r,tþv?îB_3?aí@Aù-NüèGù?ÐàÈÖ?
<
ö­u9RÀ:-½Èhþ_%

£5030U

ÿ0

ÿ
0UÇpQØMþä
Ôh?Å=???þt/0

 *?H?÷


?

ùõ_
Xâ?\}l$|?î\Ò?ºq?J?zºHñ ?¢äµ?^´kCZ4jHíÈ×Ø·¹Ük(vÖ¥î?ÅSZ®m"]¿Z;?aÆ_½?7ø«MÔT°B'6&í?Ô?Fö`º;ÅG?ÝÊÄùtwêHÆáÆ©xÒX?Èñ¤Ý Â??? <µ#×-ó:
ìñ\Á3ÿ?ç­B¨?g?ôÑòË??3öi§Ç¦"õ5Û¡vqvâ?+GË6??C=AÁ6­äQNãŁ+q~S­+;ÇÒÆgí×?wöÊT-?Á?³æØ!퍪0?q0?Y 
¡0
 *?H?÷


0]10U
 mitre.org10UCertificate Authority1'0%UMITRE Corporation Primary CA-10
080109170045Z
090702170045Z0a10U
 mitre.org10
Upeople10
?&??ò,d


heinbockel10UHeinbockel William J.0?0
 *?H?÷



0?®ö_±d§6-?Ûí#PÖ &¡>ïæºÒ£:SBãQ?ÙüFÓ܍EJ^//=???Ër¥QµÞ,Éc¿æÁ9|.@kÈ2ÇT_Ïo~áñ?
ÝH+?Ë??r4Ó\?EÞ7Æ·?ƤvZ#?}
̳l¾õ?8±eW?K?Õ?

£º0·0U

ÿà0U?4é þ³(ȱ°c??_
Ú/*L0U#0??´Hb3BÁ-QHÂ?»
±­0DU=0;09 7 5?3http://www.mitre.org/tech/mii/pki/ca1_mitre_org.crl
0U0heinbockel (at) mitre (dot) org0 [email concealed]
 *?H?÷


?

o|éâô©¬m?ÁÏ?>_?Ú
/?«»9i1v?E/²g(Áá
j?%I.7¤³Z ¦?ô?¦, <ÖQD÷g-*ycî =2?:?-ðc?GàÊÇ}þ6aýùÕR?ó}~oRý?Î8ä±þ"Qkó9?ÓЁò@
?³¹¨
Ü`ë
s0?>R}Hw=(?CÅ§$X?/Á.£1ÕbÌxå:Ä Ý»\&?G¥?½R?Í?_<|?å¤GrÈWàÒ°Ôn?³J
s?jÅS ¢ÄàÔÕA¨Ö_+¶î??Ú²ò
ÐRÙ?í_ms±e©?Ýí·ÇkÔÌ?|´0?ä0?Ì 

0
 *?H?÷


0Z10U
 mitre.org10UCertificate Authority1$0"UMITRE Corporation Root CA-10
060603171322Z
120603171322Z0]10U
 mitre.org10UCertificate Authority1'0%UMITRE Corporation Primary CA-10?
"0
 *?H?÷



?
0?

?

Èð{V]?¨·K¼CgnFÎÞeCç?Wå(ñO1q?ú*?¤??³©ßlSì?J¼©%É¿PEv$?7s´«Áúê{Ы µE?¾µ;HíùÔZ%°Óö ѵõ ­ ?ѳâq/?ä#xL?P.?¤SsÖev2ÔjÛɯ;+X¾íiëFÃ*~ ¢;õâUXy|³y?¬¼ºbÒB&â]Ñ_À«JF?¤æ?:ì?ëì)GÓɳµN3-?O<íì09:zø
ÙlL¦¹e&HÕí?ðÈ?Û¤tØ? Ïïtݐÿ¦é¿?JåGe¯Rðj?

£±0®0U

ÿ0


ÿ
0U

ÿ
?0U?´Hb3BÁ-QHÂ?»
±­0U#0?ÇpQØMþä
Ôh?Å=???þt/0HUA0?0= ; 9?7http://www.mitre.or
g/tech/mii/pki/rootca1_mitre_org.crl0
 *?H?÷


?

Mnnë®)ìÝ"=»^_Ú?7_?$)j?éÃr{»ºÐ²´WØÕgÑ6kç41??¢7\ÁNk_68°À?úÁPhï
¨È9Ï??eå|a«F???¨ÿüX3ó?çY3?:ÔÚ{¡ð§r$o§ÖAÿë¾ö-ºÚØ"$òk¼*^hOÚâ ÍÑ><j<Ù?²S¯4ºH?÷!zRa¹Èï»F@q2^??2+´'?E?Ø.¶®xè?ìO?Ì?}?
LéaÜÅeí§pÈ­Z?ü6k×?% ?ªM MxrjD?YéX»K?~T?~@*3?·µH?Î;)ÙÑ\L?gaìÚ 1?½0?¹


0c0]10U
 mitre.org10UCertificate Authority1'0%UMITRE Corporation Primary CA-1¡0 + ?
°0 *?H?÷

1 *?H?÷


0 *?H?÷

1
080723152659Z0# *?H?÷

1?ù©?t"??Q?¸«.²w$6²0g *?H?÷

1Z0X0
*?H?÷
0*?H?÷
?0
*?H?÷

@0+0
*?H?÷

(0+0
*?H?÷
0r +

?71e0c0]10U
 mitre.org10UCertificate Authority1'0%UMITRE Corporation Primary CA-1¡0t*?H?÷

1e c0]10U
 mitre.org10UCertificate Authority1'0%UMITRE Corporation Primary CA-1¡0
 *?H?÷



?[¹?ÁÜ=ÑØzYG ¢?ØûÚ¡êÿ?Æ"6/?©/W)¾??Ä<(²L½Gþ¨úç?9+Ú?"{ Áu?Od?î?#í0<ñh?ëêÝTr'å3»Ç87ÿ²÷°}?hë®Y£+ýÞßØ?ìU±o?gËbþ?'??²ÞA___________________________________________
____
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

[ reply ]