As Anton mentioned, there is a new event logging standard in the works. What Anton did not mention are the four areas you have to cover whenever you talk about a logging standard. Here they are:
1. Common Event Syntax, like CEF: how the fields of an event are laid out on the wire, so that any consumer can parse any producer's events.
2. Common Event Taxonomy: this is where you attach "meaning" (semantics) to an event, for example that signature 4624 on one product and "login succeeded" on another are the same kind of event. There are a few proprietary taxonomies, nothing standardized though.
3. Common Event Transport: how an event gets from the device to the collector (syslog, for example). The transport only moves bytes; it should know nothing about what is inside them.
4. Common Event Representation: what a device should log in the first place, and which fields those events must carry. An operating system should log user logins, for example, including who logged in and from where.
And don't mix these things. The transport has nothing to do with the syntax! I don't want to implement a SOAP environment just to transport some events. Unfortunately a few companies and even standards have made that mistake; I don't want to name anyone here. Stay tuned for http://cee.mitre.org to go live and learn more about all of this.
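To make the separation concrete, here is an added example (my own illustration, not code from the post or from ArcSight) that handles each of the four areas in its own function: the syslog header is stripped as transport framing, the CEF header and key=value extension are parsed as syntax, a taxonomy table maps a device-specific signature to a vendor-neutral category, and a representation table says which fields an event of that category must carry. The sample log lines, the taxonomy entries and the required-field rules are all constructed for this example and are not a standardized list.

```python
"""Four layers of a logging standard, kept separate: transport -> syntax -> taxonomy -> representation."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a CEF:0 event wrapped in an RFC 3164-style syslog header (PRI, timestamp, host).
# Extension escaping follows CEF: '\=' for a literal '=', '\\' for a literal backslash.
SAMPLE_LINE = (
    "<134>Oct 11 22:14:15 fw01 CEF:0|Security|threatmanager|1.0|100|"
    "worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232 "
    "msg=blocked C:\\\\temp\\\\x.exe note\\=quarantined suser=jdoe"
)
# Constructed sample of an OS login event that is missing the source address.
SAMPLE_LOGIN = "CEF:0|Microsoft|Windows|6.1|4624|An account was successfully logged on|3|suser=jdoe"

# Hypothetical taxonomy (assumption for this example): (vendor, product, signature id) -> category.
TAXONOMY: Dict[Tuple[str, str, str], str] = {
    ("Security", "threatmanager", "100"): "malware/blocked",
    ("Microsoft", "Windows", "4624"): "authentication/login-success",
}
# Hypothetical representation rules (assumption): fields an event of a category must carry.
REQUIRED_FIELDS: Dict[str, set] = {
    "authentication/login-success": {"suser", "src"},
    "malware/blocked": {"src", "dst"},
}


def strip_transport(line: str) -> str:
    """Transport layer: drop the syslog framing and return the CEF payload untouched."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    return line[idx:]


def split_header(payload: str) -> Tuple[List[str], str]:
    """Syntax layer: split the seven pipe-delimited header fields from the extension.
    A pipe inside a header value is escaped as '\\|', a backslash as '\\\\'."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(payload) and len(fields) < 7:
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):  # escaped character: keep the next char literally
            buf.append(payload[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, payload[i:]


_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.-]+)=")  # an unescaped key= at start or after a space


def parse_extension(ext: str) -> Dict[str, str]:
    """Syntax layer: parse 'key=value key=value' where values may contain spaces and escapes."""
    matches = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        # Unescape: '\=' -> '=', '\\' -> '\', '\n' / '\r' -> newline / carriage return.
        out[m.group(1)] = re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def parse_cef(line: str) -> Dict:
    """Transport + syntax only: returns structured fields, attaches no meaning."""
    header, ext = split_header(strip_transport(line))
    if not header[0].startswith("CEF:"):
        raise ValueError("bad CEF prefix")
    return {
        "version": header[0][len("CEF:"):], "vendor": header[1], "product": header[2],
        "device_version": header[3], "signature_id": header[4], "name": header[5],
        "severity": header[6], "ext": parse_extension(ext),
    }


def classify(event: Dict) -> str:
    """Taxonomy layer: map the device-specific signature to a vendor-neutral category."""
    return TAXONOMY.get((event["vendor"], event["product"], event["signature_id"]), "unclassified")


def missing_fields(event: Dict) -> List[str]:
    """Representation layer: which required fields for the event's category are absent."""
    return sorted(REQUIRED_FIELDS.get(classify(event), set()) - set(event["ext"]))


if __name__ == "__main__":
    for line in (SAMPLE_LINE, SAMPLE_LOGIN):
        ev = parse_cef(line)
        print(classify(ev), ev["ext"], "missing:", missing_fields(ev))
```

Each layer can be swapped without touching the others: replace `strip_transport` with a reader for a different transport and the parser, taxonomy and representation checks stay the same, which is exactly the property you lose when a standard ties its syntax to a particular transport.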
Postings on this site don't necessarily represent ArcSight's positions, strategies or opinions. Raffael Marty manages the solutions team at ArcSight, the global leader in Enterprise Security Management. Raffy's information security expertise includes log management, intrusion detection, insider threat, regulatory compliance and security data visualization. He will be writing a series of guest posts for Security Blog.
For more on Raffael's work, Read his blog here.