LogAnalysis
[logs] How to define Log, Event, and Alert? Jul 23 2008 03:26PM
Heinbockel, Bill (heinbockel mitre org) (3 replies)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 09:43PM
Jon Stearley (jrstear sandia gov)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 05:47PM
Ron Gula (rgula tenablesecurity com) (1 replies)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 08:21PM
Anton Chuvakin (anton chuvakin org) (3 replies)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 09:22PM
David Corlette (DCorlette novell com)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 09:12PM
Andrew Hay (andrewsmhay gmail com) (2 replies)
Re: [logs] How to define Log, Event, and Alert? Jul 24 2008 12:59PM
Ron Gula (rgula tenablesecurity com) (1 replies)
Re: [logs] How to define Log, Event, and Alert? Jul 24 2008 04:17PM
Andrew Hay (andrewsmhay gmail com)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 09:33PM
Anton Chuvakin (anton chuvakin org)
RE: [logs] How to define Log, Event, and Alert? Jul 23 2008 08:56PM
Tina Bird (tbird precision-guesswork com) (2 replies)
[logs] RE: How to define Log, Event, and Alert? Jul 24 2008 02:55PM
Heinbockel, Bill (heinbockel mitre org)
RE: [logs] How to define Log, Event, and Alert? Jul 24 2008 09:36AM
Rainer Gerhards (rgerhards hq adiscon com)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 03:45PM
Bill Scherr IV (bschnzl cotse net) (2 replies)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 05:37PM
Michael Kinsley (michael kinsley sensage com)
Hello All,

I would go one-step further in defining "Event".

Event: Anything with a timestamp

When syslog-ng, for example, sends a message reporting its current state
(i.e. messages received, logged, dropped ), there is no actual change in
state per se, but I would still consider that message to be an event. Also,
lets say you were streaming sar data over syslog - that too would represent
event data.

For me, an event is a snapshot of a system state, not necessarily a
transition from one state to another. Often state transitions are the
logical trigger for emitting an event, but not always.

Thoughts?

-Michael
michael.kinsley (at) sensage (dot) com [email concealed]

On 7/23/08 8:45 AM, "Bill Scherr IV" <bschnzl (at) cotse (dot) net [email concealed]> wrote:

> Would a temporal (time stamp) aspect be appropriate to the definitions?
>
> Circa 11:26, 23 Jul 2008, a note, claiming source Heinbockel, Bill
> <heinbockel (at) mitre (dot) org [email concealed]>, was
> sent to me:
>
> Date sent: Wed, 23 Jul 2008 11:26:59 -0400
> From: "Heinbockel, Bill" <heinbockel (at) mitre (dot) org [email concealed]>
> To: <loganalysis (at) loganalysis (dot) org [email concealed]>
> Subject: [logs] How to define Log, Event, and Alert?
>
>> In support of the CEE effort to develop a log standard, we
>> are trying to accurately define the concepts of "log",
>> "event", and "alert". When we speak of these conceptually,
>> a majority of us have common understanding of what we mean.
>> However, this is not the case when presenting these terms
>> to management and other people outside of the log space.
>>
>>
>> Here is our initial shot at defining these terms:
>>
>>
>> Event:
>> A discrete, distinct, and discernible state change in an
>> environment.
>>
>> Alert (n):
>> A warning or notification generated in response to an event.
>>
>> Alert (v):
>> The act of generating, transport, or displaying a warning or
>> notification in response to an event.
>>
>> Log Entry:
>> The record of an event in a log. Event log, event record, log
>> message, log record, and audit record are all synonyms that have been
>> used to refer to log entries.
>>
>> Log (n):
>> The record comprising one or more log entries accumulated over
>> a given period. This may be electronic (e.g. stored in memory, disk,
>> software, database, text file, etc), physical (e.g. on paper), or even
>> verbal (e.g., "Between 10:00 and 10:01 we received a series of several
>> thousand SYN packets that we acknowledged, but full TCP connections
>> were not completed. At 10:02, our server resources exceeded the
>> maximum tolerable level and crashed.").
>>
>> Log (v):
>> The act of recording or storing one or more events.
>>
>>
>>
>> What do you think?
>> Can these definitions be changed/improved in anyway?
>> Is there any examples, synonyms, or clarifications that should be
>> added?
>>
>>
>> Thanks,
>>
>> William Heinbockel
>> Infosec Engineer, Sr.
>> The MITRE Corporation
>> 202 Burlington Rd. MS S145
>> Bedford, MA 01730
>> heinbockel (at) mitre (dot) org [email concealed]
>> 781-271-2615
>>
>>
>
>
> Bill Scherr IV, GSEC, GCIA
> Principal Security Engineer
> EWA Information and Infrastructure Technologies
> bscherr (at) iit-tek (dot) com [email concealed]
> bscherr (at) ewa (dot) com [email concealed]
> 703-478-7608
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis (at) loganalysis (dot) org [email concealed]
> http://www.loganalysis.org/mailman/listinfo/loganalysis
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis

[ reply ]
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 04:40PM
Chris Lonvick (clonvick cisco com)


 

Privacy Statement
Copyright 2010, SecurityFocus