Fwd: RE: [CEE-DISCUSSION-LIST] [logs] Defining Events, Logs, and Alerts (Round 2)
Jul 31 2008 08:34PM
David Corlette (DCorlette novell com)

> I don't like "data stream" as it doesn't have any connotation with logs, in
> my mind.

Exactly, as I was trying to differentiate between a persisted stream of events (could maybe be called an "event log") and an object that contains events as well as "other things" that people have been alluding to, like debug records. I'd be fine just leaving it off and saying that's out of scope for our event standard.

>> 8. Audit (v)
>> * The act of observing an event and generating an event record with
>> details about the event.
> "Audit" is a very overloaded word and I would prefer to avoid it. The
> common use as a term of art is something along the lines of "to compare an IT
> system's configuration against a baseline". A distant second in terms of
> usage is "a security-relevant event record" or "to generate a security-relevant
> event record".

>> 9. Store (v)
>> * The act of committing an event record that is part of a data stream
>> to some form of implementation-dependent storage. Colloquially the term
>> "log" is often used for this activity but is deprecated.
> "Store" is also a noun meaning a persistent data repository. We haven't
> agreed that "Log" is deprecated.

Yes, but that's my suggestion.

> Note also that to "raise" an event is distinct from storing an event.
> "Raising" an event does not imply persisting it.

I think I was using "audit" in the same sense as you use the word "raise". I'd be happy to use "raise" instead, as that is indeed clearer. And the whole point was to differentiate that from the activity of storing an event record.

LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org

Copyright 2010, SecurityFocus