LogAnalysis
[logs] How to define Log, Event, and Alert? Jul 23 2008 03:26PM Heinbockel, Bill (heinbockel mitre org) (3 replies)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 09:43PM Jon Stearley (jrstear sandia gov)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 05:47PM Ron Gula (rgula tenablesecurity com) (1 replies)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 08:21PM Anton Chuvakin (anton chuvakin org) (3 replies)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 09:22PM David Corlette (DCorlette novell com)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 09:12PM Andrew Hay (andrewsmhay gmail com) (2 replies)
Re: [logs] How to define Log, Event, and Alert? Jul 24 2008 12:59PM Ron Gula (rgula tenablesecurity com) (1 replies)
Re: [logs] How to define Log, Event, and Alert? Jul 24 2008 04:17PM Andrew Hay (andrewsmhay gmail com)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 09:33PM Anton Chuvakin (anton chuvakin org)
RE: [logs] How to define Log, Event, and Alert? Jul 23 2008 08:56PM Tina Bird (tbird precision-guesswork com) (2 replies)
[logs] RE: How to define Log, Event, and Alert? Jul 24 2008 02:55PM Heinbockel, Bill (heinbockel mitre org)
RE: [logs] How to define Log, Event, and Alert? Jul 24 2008 09:36AM Rainer Gerhards (rgerhards hq adiscon com)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 03:45PM Bill Scherr IV (bschnzl cotse net) (2 replies)
Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 04:40PM Chris Lonvick (clonvick cisco com)
I would go one step further in defining "Event".
Event: Anything with a timestamp
When syslog-ng, for example, sends a message reporting its current state
(i.e., messages received, logged, dropped), there is no actual change in
state per se, but I would still consider that message to be an event. Also,
let's say you were streaming sar data over syslog - that too would represent
event data.
For me, an event is a snapshot of a system state, not necessarily a
transition from one state to another. Often state transitions are the
logical trigger for emitting an event, but not always.
Thoughts?
-Michael
michael.kinsley (at) sensage (dot) com [email concealed]
On 7/23/08 8:45 AM, "Bill Scherr IV" <bschnzl (at) cotse (dot) net [email concealed]> wrote:
> Would a temporal (time stamp) aspect be appropriate to the definitions?
>
> Circa 11:26, 23 Jul 2008, a note, claiming source Heinbockel, Bill
> <heinbockel (at) mitre (dot) org [email concealed]>, was
> sent to me:
>
> Date sent: Wed, 23 Jul 2008 11:26:59 -0400
> From: "Heinbockel, Bill" <heinbockel (at) mitre (dot) org [email concealed]>
> To: <loganalysis (at) loganalysis (dot) org [email concealed]>
> Subject: [logs] How to define Log, Event, and Alert?
>
>> In support of the CEE effort to develop a log standard, we
>> are trying to accurately define the concepts of "log",
>> "event", and "alert". When we speak of these conceptually,
>> a majority of us have common understanding of what we mean.
>> However, this is not the case when presenting these terms
>> to management and other people outside of the log space.
>>
>>
>> Here is our initial shot at defining these terms:
>>
>>
>> Event:
>> A discrete, distinct, and discernible state change in an
>> environment.
>>
>> Alert (n):
>> A warning or notification generated in response to an event.
>>
>> Alert (v):
>> The act of generating, transporting, or displaying a warning or
>> notification in response to an event.
>>
>> Log Entry:
>> The record of an event in a log. Event log, event record, log
>> message, log record, and audit record are all synonyms that have been
>> used to refer to log entries.
>>
>> Log (n):
>> The record comprising one or more log entries accumulated over
>> a given period. This may be electronic (e.g. stored in memory, disk,
>> software, database, text file, etc), physical (e.g. on paper), or even
>> verbal (e.g., "Between 10:00 and 10:01 we received a series of several
>> thousand SYN packets that we acknowledged, but full TCP connections
>> were not completed. At 10:02, our server resources exceeded the
>> maximum tolerable level and crashed.").
>>
>> Log (v):
>> The act of recording or storing one or more events.
>>
>>
>>
>> What do you think?
>> Can these definitions be changed/improved in any way?
>> Are there any examples, synonyms, or clarifications that should be
>> added?
>>
>>
>> Thanks,
>>
>> William Heinbockel
>> Infosec Engineer, Sr.
>> The MITRE Corporation
>> 202 Burlington Rd. MS S145
>> Bedford, MA 01730
>> heinbockel (at) mitre (dot) org [email concealed]
>> 781-271-2615
>>
>>
>
>
> Bill Scherr IV, GSEC, GCIA
> Principal Security Engineer
> EWA Information and Infrastructure Technologies
> bscherr (at) iit-tek (dot) com [email concealed]
> bscherr (at) ewa (dot) com [email concealed]
> 703-478-7608
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
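Added example, not code from the thread, from CEE, or from any poster: the terms under discussion (event, log entry, log as noun and verb, alert as noun and verb) modelled as small data structures over a few constructed syslog lines. The input includes a syslog-ng STATS line, the kind of timestamped snapshot Michael describes, and a run of SYN notices standing in for the "several thousand SYN packets" in Bill Heinbockel's verbal-log example. The BSD-style line layout, the syn-flood threshold and window, the host name and the addresses are all assumptions for illustration.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed input (documentation-range addresses, not a real host): three SYN
# notices inside one minute, a syslog-ng STATS line, then one more SYN later.
SAMPLE_LOG = """\
Jul 23 10:00:01 fw1 kernel: SYN from 198.51.100.7:40001 to 203.0.113.5:80
Jul 23 10:00:02 fw1 kernel: SYN from 198.51.100.7:40002 to 203.0.113.5:80
Jul 23 10:00:03 fw1 kernel: SYN from 198.51.100.7:40003 to 203.0.113.5:80
Jul 23 10:00:30 fw1 syslog-ng[123]: STATS: dropped=0 processed=3 received=3
Jul 23 10:01:10 fw1 kernel: SYN from 198.51.100.7:40004 to 203.0.113.5:80
"""

# Assumed BSD-style syslog layout: timestamp host program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

@dataclass(frozen=True)
class Event:
    """Something observed at a point in time.  kind is "state_change" (a SYN
    arrived) or "snapshot" (a STATS report of current state); both carry a timestamp."""
    time: datetime
    host: str
    source: str
    kind: str
    message: str

@dataclass(frozen=True)
class LogEntry:
    """The record of an event in a log: the raw line plus the parsed event."""
    raw: str
    event: Event

@dataclass(frozen=True)
class Alert:
    """A warning generated in response to the event that tripped a rule."""
    time: datetime
    rule: str
    triggered_by: Event
    detail: str

def parse_event(raw: str, year: int = 2008) -> Event:
    """One syslog line -> Event.  The year is supplied because syslog timestamps lack it."""
    m = SYSLOG_RE.match(raw.rstrip("\n"))
    if not m:
        raise ValueError(f"not a syslog line: {raw!r}")
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    kind = "snapshot" if m["msg"].startswith("STATS:") else "state_change"
    return Event(ts, m["host"], m["prog"], kind, m["msg"])

@dataclass
class Log:
    """Log (n): entries accumulated over a period; log() is the verb."""
    entries: list[LogEntry] = field(default_factory=list)

    def log(self, raw: str, year: int = 2008) -> LogEntry:
        entry = LogEntry(raw.rstrip("\n"), parse_event(raw, year))
        self.entries.append(entry)
        return entry

    def period(self) -> tuple[datetime, datetime] | None:
        times = [e.event.time for e in self.entries]
        return (min(times), max(times)) if times else None

def syn_flood_rule(log: Log, threshold: int = 3,
                   window: timedelta = timedelta(minutes=1)) -> list[Alert]:
    """Alert (v): warn when `threshold` SYNs from one source fall inside `window`.
    Snapshot events are skipped; the alert fires once, on the event that crosses the line."""
    alerts: list[Alert] = []
    recent: dict[str, list[datetime]] = {}
    for entry in log.entries:
        ev = entry.event
        if ev.kind != "state_change" or not ev.message.startswith("SYN from "):
            continue
        src = ev.message.split()[2].split(":")[0]          # "ip:port" -> ip
        times = [t for t in recent.get(src, []) if ev.time - t < window]
        times.append(ev.time)
        recent[src] = times
        if len(times) == threshold:
            alerts.append(Alert(ev.time, "syn-flood", ev,
                                f"{threshold} SYNs from {src} within {window}"))
    return alerts

def analyze(text: str = SAMPLE_LOG) -> tuple[Log, list[Alert]]:
    """Accumulate the lines into a Log (the noun), then run the alert rule over it."""
    log = Log()
    for raw in text.splitlines():
        if raw.strip():
            log.log(raw)
    return log, syn_flood_rule(log)

if __name__ == "__main__":
    log, alerts = analyze()
    for e in log.entries:
        print(f"{e.event.time:%H:%M:%S} [{e.event.kind}] {e.event.source}: {e.event.message}")
    for a in alerts:
        print(f"ALERT {a.time:%H:%M:%S} {a.rule}: {a.detail}")
```

Run as-is it lists five events (four state changes and one snapshot) and a single syn-flood alert at 10:00:03, the event that brought the count to three inside the window. The STATS line is an event and a log entry in this model but never an alert trigger, which is the distinction the thread is circling.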