CEE Website is in "Archive" status — read the announcement
CEE Common Log Syntax (CLS) is how CEE Events are represented. Each CEE Event can be represented using one or more CLS Encodings. These CLS Encodings are well-defined syntaxes that CEE event producers write and CEE consumers process.
In general, each event record describes how an event is categorized and carries a collection of relevant event data. As described in the CEE Overview Architecture Specification, each of these pieces of data is represented by an instance of an event field. A field instance is a combination of a field name, such as those defined in the CDET Dictionary, and one or more values.
In addition to defining the general CEE event language, the CLS component defines a number of different encodings for a CEE Event. Since each encoding is based on the same event structure, translating between different CLS Encodings is efficient and straightforward. Based on CEE Community inputs, CLS will minimally support Extensible Markup Language (XML) and JavaScript Object Notation (JSON). Consideration will be given to providing compatibility with other syntaxes, such as Structured Text compatible with the RFC 5425 TLS Syslog protocol, binary, or the W3C Extended Log Format (ELF) syntax.
CEE Events should use the event field names and associated value types defined by the CDET Dictionary and categorize events via the event category tags of the CDET Taxonomy.
MITRE and the CEE Community have created a machine-interpretable CEE Common Log Syntax Specification document. The Common Log Syntax (CLS) Specification describes the abstract format for CEE Event Records, which is designed for maximum interoperability with existing event and interchange standards, and provides CLS Encodings that enable compatibility with other encoding standards. Each CLS Encoding defines a mapping from the CLS abstract format to an encoding syntax, such as XML or JSON. The CLS Encoding: JSON section of the CLS Specification defines a CEE CLS encoding that is compatible with the RFC 4627 JavaScript Object Notation (JSON) format, specifying how to encode a CEE event record using JSON as well as how to extract the CEE event record data from a JSON-encoded event record. Finally, the CLS Encoding: XML section of the CLS Specification defines a CEE CLS encoding that is compatible with the W3C Extensible Markup Language (XML) 1.0 format, specifying how to encode a CEE event record using XML as well as how to extract the CEE event record data from an XML-encoded event record.
The most current version of the CEE Common Log Syntax (CLS) Specification and CLS Encodings is available on the CLS Specification, Version 1.0α page.
Previous versions of this specification, when available, are archived in the CEE Archive.
We encourage event producers, event consumers, and IT and security operations end users to participate in the development of the CEE Common Log Syntax Specification and CLS Encodings on the CEE Email Discussion List.
Page Last Updated: May 15, 2013