There have been several other attempts at developing event and log interoperability standards. For one reason or another, these efforts have not been successful in achieving industry support: some were too academic and others too narrowly focused.
Common Intrusion Detection Framework (CIDF) — Sponsored by DARPA and defined the Common Intrusion Specification Language (CISL). CISL was proposed in 1999 and used English-like sentence expressions and syntax trees in order to represent intrusion events. CIDF was later merged with IDMEF.
Intrusion Detection Message Exchange Format (IDMEF) — IDMEF was designed to enable the communication of intrusion events observed by IDS devices, and consists of two entities: a syntax expressed in XML and the transport protocol (IDXP). First proposed in 2002 and last updated in 2004, IDMEF is supported by a very limited number of intrusion detection products. It also suffers from a narrow focus on intrusion events, which makes it unsuitable for audit logging and system troubleshooting logs.
Common Base Event (CBE) — Led by IBM, CBE is a standard that defines an XML event syntax. CBE is described as a "common language to detect, log and resolve system problems" and is supported by several Tivoli products with the goal of achieving autonomic computing. After the public release of the specification and partnering with Cisco in 2003, CBE is still actively being maintained but has yet to have any noticeable industry impact, even across IBM’s own product lines.
Security Device Event Exchange (SDEE) — Developed by ICSA Labs and the Intrusion Detection Systems Consortium (IDSC), the SDEE XML syntax is built on the SOAP transport and appears to be supported only by Cisco. Since its introduction in 2003, little has been done to update and support this effort.
Distributed Audit Service (XDAS) — XDAS is a prior Open Group effort that has been reinvigorated with the help of Novell and has been renamed OpenXDAS. The XDAS specification is quite large and looks to solve the log exchange problem by defining logging APIs. While the use of a common programming library with a listing of log events is a step in the right direction, there will never be a "one size fits all" programmatic solution — the standard should drive the software libraries, not vice versa. Beyond Novell's support, it is unlikely that XDAS will see its API in any major codebase.
Common Event Format (CEF) — Developed by ArcSight, Inc., CEF is the newest foray into event syntax standards (September 2006). A CEF message consists of delimited plain text strings with optional sets of key-value pairs. It is relatively simple to generate and parse, and is transport independent. CEF is the preferred communication method of ArcSight products, such as the Enterprise Security Manager (ESM), and is supported by several other products.
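The "simple to generate and parse" claim above hides the usual pitfall of delimited key-value formats: delimiters that appear inside values must be escaped, and a naive split breaks on them. The following Python parser is an added example, not CEE or ArcSight code; it assumes the seven-field pipe-delimited header order and the backslash escaping rules from ArcSight's published CEF specification (not given on this page), and the sample line is constructed.

```python
import re

# Header field order from ArcSight's published CEF spec (assumed here, not on the page).
CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")
# An extension key is a token followed by an unescaped '='; '\=' in a value never matches.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}

def _split_header(text):
    """Split on unescaped '|' (CEF escapes '|' and backslash with a backslash)."""
    fields, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            cur.append(text[i + 1])  # escaped pipe/backslash: keep the literal
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            if len(fields) == len(CEF_HEADER_FIELDS):
                return fields, text[i + 1:]  # everything after is the extension
        else:
            cur.append(ch)
        i += 1
    raise ValueError("CEF header needs 7 pipe-delimited fields")

def _parse_extension(ext):
    """Split 'key=value key=value'; values may contain spaces, so cut at the next key."""
    pairs, keys = {}, list(_KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        pairs[m.group(1)] = re.sub(r"\\([\\=nr])", lambda x: _ESCAPES[x.group(1)], ext[m.end():end])
    return pairs

def parse_cef(line):
    """Parse one CEF message; a syslog prefix before 'CEF:' is skipped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    header, ext = _split_header(line[start + 4:])
    event = dict(zip(CEF_HEADER_FIELDS, header))
    event["extension"] = _parse_extension(ext)
    return event

# Constructed sample (not from a real device); note the escaped '|' and '='.
SAMPLE_LINE = ("CEF:0|Example Vendor|Edge Gateway|2.1|LOGIN_FAIL|Login failed \\| lockout|6|"
               "src=192.0.2.10 suser=alice msg=bad password count\\=3 rt=1205913970000")
```

A SIEM ingest path that splits on bare `|` or `=` would truncate the event name and the `msg` field in this sample, which is exactly the kind of silent data loss that hides from detection rules.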
WebTrends Enhanced Log file Format (WELF) — Similar to CEF in that it is not bound to any specific transport and represents log data using plaintext, key-value pairs, WELF consists of four required and twenty optional syntax fields limited to expressing firewall, VPN, and other simple network-based events.
Incident Object Description Exchange Format (IODEF) — Commonly and incorrectly categorized as an event standard, IODEF was developed by the IETF to improve computer incident response communications and is often associated with IDMEF. Since CEE and IODEF are focused on different areas, they should be viewed as complements and not replacements for one another. IODEF is focused on the human-to-human communication of incident response, not on how the incident was discovered or the formatting of related log files. While CEE messages should be included in IODEF reports, IODEF is considered to be outside the scope of CEE.
NOTE: Several of these efforts are included on the Current Collection page on the Making Security Measurable Web site.
Page Last Updated: March 19, 2008