CEE™ Common Event Expression: A Standard Log Language for Event Interoperability in Electronic Systems
CEE Terminology

The CEE effort uses the following terms as defined below.

Aggregation — The identification and combination of two or more similar log entries. Aggregation is used to identify and remove duplicate log entries or to merge the details from log entries regarding the same event instance.

Correlation — The association of two or more log entries of unique events. Correlation can be used to group events into a series, often by time sequence or causality.
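The distinction between the two definitions above is easier to see on data. The following Python is an added example, not part of the CEE page: two hypothetical producers (an application and a network IDS) report the same login failure, `aggregate()` merges those entries about one event instance, and `correlate()` then links the distinct events into a time-ordered series per host. The log entries, field names and the 30-second window are all constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log entries (not from the CEE page). The first two
# describe the SAME event instance seen by two producers; the rest are distinct.
ENTRIES = [
    {"time": "2008-03-19T10:00:00", "host": "srvA", "action": "login_fail", "user": "bob", "producer": "app"},
    {"time": "2008-03-19T10:00:00", "host": "srvA", "action": "login_fail", "src": "10.0.0.7", "producer": "ids"},
    {"time": "2008-03-19T10:00:05", "host": "srvA", "action": "login_fail", "user": "bob", "src": "10.0.0.7", "producer": "app"},
    {"time": "2008-03-19T10:00:09", "host": "srvA", "action": "login_ok", "user": "bob", "src": "10.0.0.7", "producer": "app"},
    {"time": "2008-03-19T11:30:00", "host": "srvB", "action": "login_fail", "user": "eve", "src": "10.0.0.9", "producer": "app"},
]

def aggregate(entries):
    """Aggregation: entries about the same event instance (same time, host and
    action) are merged into one record whose details are the union of both."""
    merged = {}
    for e in entries:
        key = (e["time"], e["host"], e["action"])
        rec = merged.setdefault(key, {"producers": []})
        for k, v in e.items():
            if k == "producer":
                rec["producers"].append(v)      # remember every producer that saw it
            else:
                rec.setdefault(k, v)            # keep the first value, add missing fields
    return list(merged.values())

def correlate(events, window=timedelta(seconds=30)):
    """Correlation: distinct events on the same host are associated into a
    time-ordered series when each follows the previous within `window`."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host[ev["host"]].append(ev)
    series = []
    for evs in by_host.values():
        current = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            gap = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            if gap <= window:
                current.append(cur)             # causally/temporally linked: extend the series
            else:
                series.append(current)          # gap too large: start a new series
                current = [cur]
        series.append(current)
    return series

if __name__ == "__main__":
    for s in correlate(aggregate(ENTRIES)):
        print([(e["time"][11:], e["action"], e["producers"]) for e in s])
```

Running it shows one series of three events on srvA (two failures, then a success, the first failure carrying both producers) and a separate single-event series on srvB.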

Correlation Engine — Any automated piece of software capable of correlating logs (events and incidents) from multiple sources.

Events — Observable situations or modifications within an environment that occur over a time interval. An event may be a state change or the reporting of an activity by a single component within a system, or it may be an interaction between multiple systems. Events may occur at differing levels of abstraction and at multiple places along the log management path. As such, an event can describe an original (base) event, an aggregated event, or a correlated event.

Event Consumers — Log management devices and analysis engines that process, store, or otherwise use logs.

Event Producers — Information systems that observe an event. This observation may be made autonomously ("an application reporting a login failure"), by an involved party in an interaction ("I received a message from another system"), or by an observational third-party ("I observed system A sending a message to system B") such as a network sniffer or IDS.

Incident — A computer intrusion or other occurrence, usually reported by a network operations security center (NOSC), computer emergency/incident response team (CERT/CIRT), or similar. Incidents include point-of-contact, impacts, assessment, or mitigation information in addition to the standard event details. Unlike log entries, which are recorded by a machine, incident details are typically recorded by humans.

Log — The collection of one or more log entries typically written to a local log file or sent across the network to a server via Syslog, SNMP, or a custom protocol. A log may also be referred to as an audit log or audit trail.

Log Entry — A single record involving details from one or more events and incidents. A log entry is sometimes referred to as an event log, event record, alert, alarm, log message, log record, or audit record. For the sake of CEE, "log entry" is synonymous with "log."

Taxonomy — A representation of all individual components and their relationships within a finite group. The most common taxonomy is the hierarchical tree used to classify organisms, with the links representing common biological features. Within operating systems, an example would be the organization of the directories within a filesystem according to parent-child (i.e., directory-subdirectory) relationships.


Page Last Updated: March 19, 2008