Fwd: RE: [CEE-DISCUSSION-LIST] [logs] Defining Events, Logs, and Alerts (Round 2) Jul 31 2008 08:34PM
David Corlette (DCorlette novell com) (1 replies)
RE: [CEE-DISCUSSION-LIST] Fwd: RE: [CEE-DISCUSSION-LIST] [logs] Defining Events, Logs, and Alerts (Round 2) Aug 01 2008 06:44AM
Rainer Gerhards (rgerhards hq adiscon com) (1 replies)
> -----Original Message-----
> From: David Corlette [mailto:DCorlette (at) NOVELL (dot) COM [email concealed]]
> Sent: Thursday, July 31, 2008 10:35 PM
> To: CEE-DISCUSSION-LIST (at) LISTS.MITRE (dot) ORG [email concealed]
> Defining Events, Logs, and Alerts(Round 2)
> > I don't like "data stream" as it doesn't have any connotation with
> > logs, in my mind.
> Exactly, as I was trying to differentiate between a persisted stream
> events (could maybe be called an "event log") and an object that
> contains events as well as "other things" that people have been
> alluding to, like debug records. I'd be fine just leaving it off and
> saying that's out of scope for our event standard.

IMHO this brings up the question of how to qualify an object as either an
"event" or an "other thing". "Debug logs" contain "debug events" (in my
POV), so why not classify them as such?

If you look at syslog, this distinction becomes quite problematic. If we
say a debug record is not an event, how do we handle syslog logs that
contain records that are explicitly flagged as being debug records (by
virtue of their assigned priority)? Does that mean that a syslog log is
a superset of an event log, one that contains both events and "other
things"? If so, must we first build the event subset before we can
process a syslog log as a log? I can't think this is desired behavior.
So I conclude it is counter-productive to try to exclude debug-like
information from the definition of an event.
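The syslog point above, that a record is "debug" only by virtue of its assigned priority, can be made concrete with a small PRI decoder. This is an added example, not code from the thread; the sample log lines are constructed, and the record layout assumed is the `<PRI>` header of RFC 3164/5424, where severity 7 means debug. It shows that separating "events" from "debug records" requires parsing every record first, which is the extra step Rainer objects to.

```python
import re

# RFC 3164/5424 severity codes (PRI = facility * 8 + severity); 7 is "debug".
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
DEBUG = 7

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def decode_pri(line):
    """Return (facility, severity, remainder) for a raw syslog line.
    Raises ValueError when the line carries no valid PRI header, so the
    caller must decide how to treat records that cannot be classified."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no PRI header: %r" % line)
    pri = int(m.group(1))
    if pri > 191:  # highest legal value: local7 (23) * 8 + debug (7)
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8, m.group(2)

def partition_log(lines):
    """Split a syslog log into 'events' (severity < debug), 'debug' records,
    and 'unparsable' lines. Every line has to be decoded before any of the
    three buckets is known, i.e. the event subset is built by a full pass."""
    buckets = {"events": [], "debug": [], "unparsable": []}
    for line in lines:
        try:
            _facility, severity, _rest = decode_pri(line)
        except ValueError:
            buckets["unparsable"].append(line)
            continue
        buckets["debug" if severity == DEBUG else "events"].append(line)
    return buckets

# Constructed sample log: two ordinary events, two debug records, one line with no PRI.
SAMPLE_LOG = [
    "<34>Oct 11 22:14:15 host su: 'su root' failed for someuser on /dev/pts/8",  # auth.crit
    "<13>Oct 11 22:14:16 host myapp: user login ok",                              # user.notice
    "<15>Oct 11 22:14:17 host myapp: entering handler with state=3",             # user.debug
    "<191>Oct 11 22:14:18 host kernel: probe trace",                             # local7.debug
    "Oct 11 22:14:19 host relay: line without a PRI header",
]

if __name__ == "__main__":
    for name, records in partition_log(SAMPLE_LOG).items():
        print("%-10s %d record(s)" % (name, len(records)))
```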


LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]

Copyright 2010, SecurityFocus