CEE™ Common Event Expression: A Standard Log Language for Event Interoperability in Electronic Systems
About CEE

Introduction

Common Event Expression (CEE™) standardizes the way computer events are described, logged, and exchanged. By using a common language and syntax, CEE takes the guesswork out of even the most menial event- or log-related tasks. Tasks such as log correlation and aggregation, enterprise-wide log management, auditing, and incident handling, which once required expensive, specialized analysts or equipment, can now be performed more efficiently and produce better results.

Why CEE

If multiple systems observe the same occurrence, it should be expected that their description of that event is identical. When combined with relevant event details (time, source, destination), a computer should be able to immediately determine whether two or more logs, data logs, audit logs, alerts, alarms, or audit trails refer to the same event. In order to make this happen, there needs to be a scalable, well-defined way to express events.

Problem

Currently, vendors and products employ varying logging practices such as using inconsistent formats and terminology when describing events. This presents a significant burden to analysts and products in normalizing the vast quantities of heterogeneous log records in order to allow for aggregation, correlation, and further processing. With the potential for varying interpretations among event log consumers, the network and security awareness levels will fluctuate. NIST Publication 800-92: Guide to Computer Security Log Management describes this as a major problem stemming from "inconsistent log formats," noting that "there is no consensus in the security community as to the standard terms to be used to describe the composition of log entries and files."

Solution

CEE addresses the problem of event representation and communication. Previous attempts in this area have failed to gain adoption since they only target a portion of the larger problem by providing log format guidelines and ignoring the content. As a solution, the CEE initiative suggests the following to facilitate log transmission and interpretation:

Benefits of CEE

Easier Regulatory Compliance Efforts — CEE simplifies the task of establishing and maintaining compliance with various regulatory standards that incorporate audit or security guidelines, including PCI DSS, SOX, HIPAA, FISMA, ISO27001, ITIL, COBIT, GLBA, and others.

Improved Monitoring and Awareness — A log standard allows companies to more easily monitor their product lines and identify problems. Just think: one standard could be used to handle everything from recordings of financial transactions to workflow monitoring to operational troubleshooting, improving overall awareness, and allowing inefficiencies to be quickly identified and corrected.

Improved Security Awareness — CEE represents a large component of the "Monitor and Evaluate" portion of the COBIT structure and supports many of the management procedures present in the ITIL framework. Additionally, many organizations feed their logs to security analysis engines, such as SIMs, for data mining and correlation purposes.

De facto Standard for Inter-Organization Communication — With every device supporting the same event log standard, there is instant interoperability potential for devices deployed across multi-national enterprises and governments.

Improved Code Reuse — Developers and vendors can use a single log library to support all CEE-compliant logs. The community can develop and support a single library API instead of re-architecting the log framework for each new device version; the current usage of log message dictionaries would no longer be required.

Vendor and Device Agnostic — Established log management infrastructures rely on the logs generated by several chosen devices, essentially locking the customer into the use of those products. The purchasing of replacements or upgrades requires a costly testing and process overhaul to even maintain an equivalent level of awareness. CEE frees customers from product dependency, enabling new devices to be quickly integrated into the current environment.

Reduced IT and Security Operations Costs — With a standard set of information, operations centers will not require auditors and operators to be trained in interpreting messages in product-specific languages. Fewer operators can be leveraged to manage more systems.

Log Message Internationalization — Standard expressions result in unambiguous interpretation. Instead of vendors needing to individually produce and maintain libraries of international log messages, CEE allows for a single application to more easily translate any CEE-compatible log record.

CEE Will Especially Benefit:

Event Producers (Vendors & Products) will be able to decrease the cost associated with logging and reuse log libraries. Vendors could move away from encouraging developers to pick log messages on a closest-fit basis from a limited, product-specific message index. Furthermore, the generation of these log messages could be based on a single API call. Product interoperability will also increase with other products that speak the same event expressions, resulting in satisfied customers.

Event Consumers (Vendors & Products) will not have to worry about handling a different event syntax and description for each new version of each product, since these discrepancies should be non-existent in products supporting this standard. There would no longer be a need to employ an event mapping team to manually interpret and handle the different events produced by different devices. Additionally, consumers can produce better, more accurate analysis because of the availability of detailed, meaningful information.

End Users (IT and Security Operations) will be able to decrease unnecessary log management overhead, and easily manage and replace unrelated systems. The log messages are more informative and understandable, permitting enhanced log analysis capabilities while ensuring that the various log compliance needs are met.

Community

CEE is industry-endorsed through the CEE Working Group, which includes members from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions.

We encourage members of the information security community to participate in the CEE effort by joining the CEE Email Discussion List and offering feedback on the preliminary drafts of the CEE Event Taxonomy, CEE Syntax, CEE Transport, and CEE Log Recommendations documents, and/or by joining the CEE Working Group.

Contact Us

Please send any feedback about CEE to cee@mitre.org.

Page Last Updated: April 3, 2008