LogAnalysis
[logs] Defining Events, Logs, and Alerts (Round 2) Jul 31 2008 01:31PM
Heinbockel, Bill (heinbockel mitre org) (3 replies)
Re: [logs] Defining Events, Logs, and Alerts (Round 2) Jul 31 2008 10:24PM
Greg Vickers (g vickers qut edu au)
Re: [logs] Defining Events, Logs, and Alerts (Round 2) Jul 31 2008 06:10PM
David Corlette (DCorlette novell com)
Apologies for the cross-post, but this discussion is going on simultaneously on both lists, with some members replying to different lists than the one the original post went to!

My take on this is as follows:

- The term "event" is problematic; I think I would agree with Raffy that saying "events" occur in computing systems is artificial. I would also clarify the language a bit to say:

1. Event
* An observable occurrence in a system. This implies that some action or activity has taken place, but what types of actions and activities are relevant, and their classification, may be dependent on the observer and domain.

- For the most part I am happy with the definition of "event record", although Eric did make an interesting call to distinguish between the internal, machine-oriented record and an external, displayable representation. I think however that I lean toward letting the implementation handle that and not embedding it in our definitions.

2. Event Record
* A persistent representation of the details of an individual event.

- I really don't like the term "log" because of its quite problematic and confusing overlapping meanings. Same for "Event Log", "Log Record". I would instead suggest:

3. Event Stream
* A set of time-stamped event records.

4. Data Stream
* A set of time-stamped event records as well as records containing other types of data.

5. Log
* A colloquial term used to indicate a static collection of event records and other informational data. Not used in this standard, but typically an event stream is ultimately stored in some sort of log depending on the implementation.

- Similarly "alert" doesn't really seem to be anything that we care about in this standard - if an implementation chooses to generate alerts based on event records in the stream, so be it, but it has nothing to do with the standard per se.

6. Alert (n):
* A colloquial term used to indicate a warning or notification to a user or system, usually indicating that some action should be taken in response to one or more events. Not used in this standard.

7. Alert (v):
* The act of generating, transporting, or displaying a warning or notification. Not used in this standard.

- "Log" rears its ugly head again. As Raffy points out, this term fails to differentiate between generating vs. storing. So I would replace this with:

8. Audit (v)
* The act of observing an event and generating an event record with details about the event.

9. Store (v)
* The act of committing an event record that is part of a data stream to some form of implementation-dependent storage. Colloquially the term "log" is often used for this activity but is deprecated.

>>> "Heinbockel, Bill" <heinbockel (at) mitre (dot) org> 07/31/08 9:31 AM >>>
Thank you for all of the great feedback and discussion.

After compiling all of the suggestions, we have gone through and revised our definitions.

The main points of feedback were that (1) logs have a temporal quality that is important, and (2) that there are different connotations regarding the term "log" -- some think of logs as only containing records of events, while others point out that there are other things (e.g., "reports", debug info) that also appear in today's log files.

To help clarify this, we define both "log" and "event log". An "event log" contains only "event records", and is a subset of a "log".

Without further ado:

1. Event

* An observable occurrence in a computer system. The classification of events may be dependent on the observer and domain.

2. Event Record

* A persistent representation of the details of an individual event.

3. Event Log

* A collection of time-stamped event records.

4. Log

* A collection of event records and other informational data pertaining to a particular domain.

A log may be electronic (e.g. stored in memory, disk, software, database, text file, etc), physical (e.g. on paper), or even verbal (e.g., "Between 10:00 and 10:01 we received a series of several thousand SYN packets that we acknowledged, but full TCP connections were not completed. At 10:02, our server resources exceeded the maximum tolerable level and crashed.").

5. Log Record

* A single entry in a log. Entries may take the form of an Event Record, status or attribute report, debug data, or similar environmental information.

6. Alert (n):

* A warning or notification to a user or system, usually indicating that some action should be taken in response to one or more events.

7. Alert (v):

* The act of generating, transporting, or displaying a warning or notification.

8. Log (v):

* The act of recording or storing one or more events.

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel (at) mitre (dot) org
781-271-2615

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
http://www.loganalysis.org/mailman/listinfo/loganalysis

Re: [logs] Defining Events, Logs, and Alerts (Round 2) Jul 31 2008 04:58PM
Anton Chuvakin (anton chuvakin org)
Copyright 2010, SecurityFocus