CEE™ Common Event Expression: A Unified Event Language for Interoperability
CEE Website is in "Archive" status — read the announcement


About CEE — Archive


Common Event Expression (CEE™) improves the audit process and the ability of users to effectively interpret and analyze event log and audit data. This is accomplished by defining an extensible unified event structure, which users and developers can leverage to describe, encode, and exchange their CEE Event Records.


Event management relies on event logs. In today’s organizations, this process involves the interpretation of many different types of events, expressed using different terminologies, and represented in a multitude of formats. The goal of CEE is to unify the event categorization, terminologies, and representation formats, while also allowing organizations to tailor event reporting to meet particular needs.

By using CEE’s common language and syntax, enterprise-wide log management, correlation, aggregation, auditing, and incident handling can be performed more efficiently and produce better results than was possible prior to CEE. Additionally, CEE allows an organization to demonstrate compliance with audit requirements (e.g., HIPAA, FISMA, SOX); detect information access policy violations; improve awareness of enterprise asset status and availability (e.g., IT, SCADA); and improve awareness of attempted intrusions and other threats.

CEE Benefits

CEE provides benefits to a broad range of users and groups, including event consumers and event producers.

End User Groups (Event Consumers)

Vendors/Developers (Event Producers)

CEE Event Lifecycle
CEE standardizes the three main pieces of the Event Lifecycle:
Requirements, Events, and Records


CEE Architecture

The CEE architecture focuses on the three pieces of the Event Lifecycle: Requirements, which are addressed in the CEE Profile; Events, which are represented as records using the CEE Log Syntax (CLS); and Records, which are shared via a CEE Log Transport (CLT).


CEE Profile

The CEE Profile defines the structure of a CEE Event. This event structure includes a user-customizable CEE Event Profile definition, a Field Dictionary with definitions of commonly used fields, and an Event Taxonomy, which is a controlled vocabulary of event tags to enable a consistent identification and classification of event types.

The CEE Profile consists of three reusable components:


CEE Log Syntax (CLS)

The CEE Common Log Syntax directs how CEE Events are represented. Each CEE Event can be represented using one or more syntactical encodings. These encodings are well-defined syntaxes that CEE event producers can write and CEE event consumers will process.


CEE Log Transport (CLT)

The CEE Log Transport provides the technical support necessary for a secure and reliable event logging infrastructure. It provides support for international string encodings, secure logging services, standardized event interfaces, and verifiable record logs.

CEE Architecture



CEE is industry-endorsed through the CEE Board, which includes members from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions.


Page Last Updated: May 15, 2013