Re: [logs] How to define Log, Event, and Alert? Jul 23 2008 09:22PM
David Corlette (DCorlette novell com)
Hello all,

There are threads on this very topic on a couple of different lists at the moment; recent discussion is even covering the exact same ground.

Rather than re-invent the wheel, I would suggest that any and all interested parties join the CEE + XDAS standards effort as soon as possible.

In fact there are three ongoing things to get involved in:

- The CEE plans to expand its scope of activities under a Mitre-facilitated self-governing editorial board. The plan for now is that collaboration with XDAS participants and other contributors will take place under this framework.
CALL TO ACTION: Sign up to join the CEE discussion list (http://cee.mitre.org/discussiongroup.html) to keep abreast of standardization and collaboration activities as they evolve under this framework.

- The collaboration environment, including a wiki, set up during the preparation for the CES, is being opened for access to all SIG attendees or interested parties. The same collaboration environment may be used to support CEE. Initially, this offer is for read-only access, but those who are interested in contributing can arrange an individual account. CALL TO ACTION: check out the wiki (which has documents on event standard terminology and use cases) at http://12.193.84.139:8080/ through the shared account (username: "visitor" and password "standards"), follow the links to "team sharing" and "standards" and you'll see the link to "wiki" and other links on the left.

- Going to Blackhat / Defcon? A face to face CEE Meet Up is planned. Current plans are to meet on Friday, 8 August 2008 at 12 noon outside the DefCon registration area at the Riviera Hotel & Casino. The group will organize there and then find a place to talk.

I will compile the responses on both the CEE and loganalysis lists into a discussion thread on the wiki, so folks can go back and review prior comments. One problem with e-mail is that you don't see old messages if you join late ;-)

If folks want to get their own personal accounts on the collaboration site please let me know and I will add you.

----------------
David Corlette
GRC Solution Architect
DCorlette (at) novell (dot) com [email concealed]
703.663.5517

Novell, Inc.
Secure Your Enterprise with Sentinel from Novell
http://www.novell.com/products/sentinel/

>>> On Wed, Jul 23, 2008 at 4:21 PM, in message
<b2591e2e0807231321o238c0a01ka65cf053264ca231 (at) mail.gmail (dot) com [email concealed]>, "Anton Chuvakin"
<anton (at) chuvakin (dot) org [email concealed]> wrote:
>> I'm good with the definitions, except for the concept of an "event":
>
> Same thing. Event is not necessarily "a state change." It is a
> broader thing, basically, "something that happened" (even though a
> state is the same - e.g. backup is proceeding, attack was seen, etc)
>
>
>>
>>> Event:
>>> A discrete, distinct, and discernible state change in an
>>> environment.
>>
>> In some aspects, state changes such as processes dying or starting
>> are surely events, but I also think that some logs which don't indicate
>> a state change such as login failures, port scanning, intrusion
>> detection logs, and so on are noteworthy and worth alerting on.
>>
>> Ron

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
