Specifications   Search
CEE™ Common Event Expression: A Unified Event Language for Interoperability
CEE Website is in "Archive" status — read the announcement

About CEE



CEE Language

Current Release

Previous Releases

CEE Community

CEE Board

Discussion Archive

News & Events


Search the Site

About CEE




Additional Information

Terms of Use

CEE Terminology — Archive

The CEE effort uses the following terms as defined below.

Aggregation — The identification and combination of two or more similar log entries. Aggregation is used to identify and remove duplicate log entries or to merge the details from log entries regarding the same event instance.

Correlation — The association of two or more log entries of unique events. Correlation can be used to group events into a series, often by time sequence or causality.

Correlation Engine — Any automated piece of software capable of correlating logs (events and incidents) from multiple sources.

Events — Observable situations or modifications within an environment that occurs over a time interval. An event may be a state change or reporting of an activity by a single component within a system, or may be an interaction between multiple systems. Events may occur at differing levels of abstraction and at multiple places along the log management path. As such, an event can describe an original (base) event, aggregated event, or correlated event.

Event Field — Describes one characteristic of an event. Examples of an event field include date, time, source IP, user identification, and host identification.

Event Record — A collection of event fields that, together, describe a single event. Terms synonymous to event record include "audit record" and "log entry".

Event Consumers — Log management devices and analysis engines that process, store, or otherwise use logs.

Event Producers — Information systems that observe an event. This observation may be made autonomously ("an application reporting a login failure"), by an involved party in an interaction ("I received a message from another system"), or by an observational third-party ("I observed system A sending a message to system B") such as a network sniffer or IDS.

Incident — A computer intrusion or other occurrence, usually reported by a network operations security center (NOSC), computer emergency/incident response team (CERT/CIRT), or similar. Incidents include point-of-contact, impacts, assessment, or mitigation information in addition to the standard event details. Unlike log entries, which are recorded by a machine, incident details are typically recorded by humans.

Log — A collection of event records. Terms such as data log, activity log, audit log, audit trail, log file, and event log are often used to mean the same thing as log.

Log Entry — A single record involving details from one or more events and incidents. A log entry is sometimes referred to as an event log, event record, alert, alarm, log message, log record, or audit record. For the sake of CEE, "log entry" is synonymous with "log."

Taxonomy — A representation of all individual components and their relationships within a finite group. The most common taxonomy is the hierarchical tree used to classify organisms, with the links representing common biological features. Within operating systems, an example would be the organization of the directories within a filesystem according to parent-child (i.e., directory-subdirectory) relationships.


Page Last Updated: May 27, 2010