LogAnalysis
[logs] Defining Events, Logs, and Alerts (Round 2) Jul 31 2008 01:31PM
Heinbockel, Bill (heinbockel mitre org) (3 replies)
Thank you for all of the great feedback and discussion.

After compiling all of the suggestions, we have gone
through and revised our definitions.

The main points of feedback were that (1) logs have
a temporal quality that is important, and (2) that
there are different connotations regarding the term
"log" -- some think of logs as only containing
records of events, while others point out that there
are other things (e.g., "reports", debug info) that
also appear in today's log files.

To help clarify this, we define both "log" and
"event log". An "event log" contains only "event
records", and is a subset of a "log".

Without further ado:

1. Event

* An observable occurrence in a computer system. The
classification of events may be dependent on the observer
and domain.

2. Event Record

* A persistent representation of the details of an
individual event.

3. Event Log

* A collection of time-stamped event records.

4. Log

* A collection of event records and other informational
data pertaining to a particular domain.

A log may be electronic (e.g., stored in memory, disk,
software, database, text file, etc.), physical (e.g., on
paper), or even verbal (e.g., "Between 10:00 and 10:01 we
received a series of several thousand SYN packets that we
acknowledged, but full TCP connections were not completed.
At 10:02, our server resources exceeded the maximum
tolerable level and crashed.").

5. Log Record

* A single entry in a log. Entries may take the form of an
Event Record, status or attribute report, debug data, or
similar environmental information.

6. Alert (n)

* A warning or notification to a user or system, usually
indicating that some action should be taken in response to
one or more events.

7. Alert (v)

* The act of generating, transporting, or displaying a
warning or notification.

8. Log (v)

* The act of recording or storing one or more events.

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel (at) mitre (dot) org
781-271-2615
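The eight definitions above describe a small data model: a log is a collection of log records of several kinds, the event log is the time-stamped subset of event records, and an alert is produced in response to one or more events. As an added illustration (not part of the original post or of MITRE's work), the following Python models those definitions and runs them over a constructed log that mirrors the verbal SYN-flood example in definition 4. Record kinds (EVENT, STATUS, DEBUG), the line format, the 1000-SYNs-per-60-seconds threshold and all sample values are assumptions chosen for the example.

```python
"""Model of the LogAnalysis definitions (event, event record, event log,
log, log record, alert) applied to a constructed sample log.
Added example; the line format and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LogRecord:
    """Definition 5: a single entry in a log. Status reports and debug data
    may have no timestamp, which is why the field is optional."""
    timestamp: Optional[datetime]
    kind: str          # assumed kinds: "EVENT", "STATUS", "DEBUG"
    text: str


@dataclass(frozen=True)
class EventRecord:
    """Definition 2: persistent representation of one event's details."""
    timestamp: datetime
    name: str
    attrs: Dict[str, str]


@dataclass(frozen=True)
class Alert:
    """Definition 6: a notification that action should be taken,
    produced in response to one or more events."""
    timestamp: datetime
    message: str
    event_count: int


TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> LogRecord:
    """Assumed line format: '<timestamp> <KIND> <text>' or, for entries
    written without a timestamp, '<KIND> <text>'."""
    parts = line.split(" ", 2)
    try:
        ts = datetime.strptime(parts[0], TS_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        kind, _, text = line.partition(" ")
        return LogRecord(None, kind.upper(), text)
    kind = parts[1] if len(parts) > 1 else ""
    text = parts[2] if len(parts) > 2 else ""
    return LogRecord(ts, kind.upper(), text)


def parse_log(text: str) -> List[LogRecord]:
    """Definition 4: the log is every record, event or otherwise, in file order."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def event_log(log: List[LogRecord]) -> List[EventRecord]:
    """Definition 3: only the time-stamped EVENT records, ordered by time."""
    events = []
    for rec in log:
        if rec.kind != "EVENT" or rec.timestamp is None:
            continue
        name, _, rest = rec.text.partition(" ")
        attrs = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append(EventRecord(rec.timestamp, name, attrs))
    return sorted(events, key=lambda e: e.timestamp)


def detect_syn_flood(events: List[EventRecord], threshold: int = 1000,
                     window: timedelta = timedelta(seconds=60)) -> List[Alert]:
    """Definition 7 (alert, v): generate one Alert when at least `threshold`
    syn_received events fall inside a sliding `window`. The alert is raised
    once per flood, not once per packet, and re-arms when the rate drops."""
    syns = [e for e in events if e.name == "syn_received"]
    alerts: List[Alert] = []
    start, armed = 0, True
    for end, e in enumerate(syns):
        while e.timestamp - syns[start].timestamp > window:
            start += 1
        count = end - start + 1
        if count >= threshold and armed:
            alerts.append(Alert(e.timestamp,
                                f"possible SYN flood: {count} SYNs within {window}",
                                count))
            armed = False
        elif count < threshold:
            armed = True
    return alerts


def build_sample_log() -> str:
    """Constructed sample: 3000 SYNs between 10:00:00 and 10:00:59, a status
    report, an untimestamped debug entry, and the crash at 10:02."""
    t0 = datetime(2008, 7, 31, 10, 0, 0, tzinfo=timezone.utc)
    lines = [f"{t0 + timedelta(milliseconds=20 * i):{TS_FMT}} EVENT "
             f"syn_received src=198.51.100.{i % 200}" for i in range(3000)]
    lines.append(f"{t0 + timedelta(seconds=90):{TS_FMT}} STATUS half_open=4096 mem_used=97%")
    lines.append("DEBUG tcp backlog dump: [...]")
    lines.append(f"{t0 + timedelta(seconds=120):{TS_FMT}} EVENT server_crash reason=resource_exhaustion")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    log = parse_log(build_sample_log())
    events = event_log(log)
    print(f"{len(log)} log records, {len(events)} event records")
    for alert in detect_syn_flood(events):
        print(alert.timestamp.strftime(TS_FMT), alert.message)
```

The distinction the post draws shows up directly in the numbers: the log holds 3003 records, but the event log holds 3001, because the status report and the debug entry are log records without being event records. The alert is derived from the event log alone, which is the usual reason detection logic is written against events rather than against the raw log.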
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
http://www.loganalysis.org/mailman/listinfo/loganalysis
Re: [logs] Defining Events, Logs, and Alerts (Round 2) Jul 31 2008 10:24PM
Greg Vickers (g vickers qut edu au)
Re: [logs] Defining Events, Logs, and Alerts (Round 2) Jul 31 2008 06:10PM
David Corlette (DCorlette novell com)
Re: [logs] Defining Events, Logs, and Alerts (Round 2) Jul 31 2008 04:58PM
Anton Chuvakin (anton chuvakin org)
Copyright 2010, SecurityFocus