[siem-users] Testing
Raffael Marty
raffy at loggly.com
Tue Dec 21 21:07:29 UTC 2010
That's interesting that you bring up CEF. I am assuming you mean ArcSight's CEF. I was one of the authors of that ;)
CEF only addresses the syntax of an event and is tailored towards ArcSight's event schema. We took what I learned from CEF and folded it into CEE. CEE supports a more generic dictionary and not just one encoding format (syslog). In essence, the syntax part of CEE is very, very similar. CEE also covers a taxonomy and recommendations, as well as a transport.
Hope this helps.
Raffael
--
Raffael Marty, Founder and President @ Loggly
@zrlram about.me/raffy
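Since the thread contrasts CEF's pipe-and-key=value syntax with CEE's dictionary model, here is a small CEF parser, added as an example and not taken from the thread, from ArcSight or from the CEE project. The sample record, vendor and field values are constructed; the header layout and backslash escaping follow the public CEF format.

```python
import re

# Constructed sample record (not from the thread). ArcSight CEF layout:
# CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# Pipes inside header fields and '=' inside extension values are escaped with a backslash.
SAMPLE_CEF = (
    r"CEF:0|Acme|Firewall|1.2|100|Blocked\|denied connection|7|"
    r"src=10.0.0.5 dst=10.0.0.9 spt=51234 dpt=443 "
    r"msg=policy\=deny\|external cs1Label=rule cs1=outbound\\deny"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
KEY_RE = re.compile(r"(?:^|\s)([\w.\-]+)=")  # an unescaped key= token

def split_header(line):
    r"""Return (header dict, extension text); \| and \\ are header escapes."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, cur, i = [], [], len("CEF:")
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []; i += 1; continue
        cur.append(ch); i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    return dict(zip(HEADER_FIELDS, fields)), line[i:]

def unescape(value):
    r"""Undo CEF extension escapes: \= \| \\ plus \n and \r."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def parse_extension(ext):
    """Keys contain no spaces; a value runs until the next unescaped key= token."""
    out, keys = {}, list(KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end].strip())
    return out

def parse_cef(line):
    """Parse one CEF line into a header dict plus an extension dict."""
    header, ext = split_header(line)
    return {**header, "extension": parse_extension(ext)}
```

`parse_cef(SAMPLE_CEF)` yields a plain dictionary, which is the representation the thread contrasts with CEF's single fixed syntax.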
On Dec 21, 2010, at 1:03 PM, <John.Kula at tdameritrade.com> wrote:
> I haven't had time to look into this much; how does it compare to something like CEF? I'm sure, like all new standards, it's "more robust", "faster", "more flexible"... CEF is in a lot of places, so the question is: is there a compelling reason to support CEE over CEF, or CEE & CEF?
>
> From: discussion-bounces at siemusers.org [mailto:discussion-bounces at siemusers.org] On Behalf Of Lance James
> Sent: Tuesday, December 21, 2010 4:00 PM
> To: Raffael Marty
> Cc: discussion at siemusers.org
> Subject: Re: [siem-users] Testing
>
> Thanks Raffael,
>
> This is very enlightening. I'll start checking out what I can about it.
>
> On Tue, Dec 21, 2010 at 3:56 PM, Raffael Marty <raffy at loggly.com> wrote:
> Well, that's a good question. What's a standard? Is it a standard if someone calls it that, or is it a standard if everyone implements it? I think it's the latter. Do I think it will get broad adoption? Not sure. I think it is a proposed standard that makes a lot of sense; it's simple to implement and it will help developers (producers) and consumers of the logs a lot, in terms of generating meaningful and complete log records, and also in terms of well-consumable log records that make correlation easier.
>
> Especially the logging recommendations are going to be a great help for all types of devices, to make sure they log at the right places (log the right events) and log enough information for each of those events.
>
> Sorry for the long-winded answer, but adoption is going to be a huge effort and we need everyone's help to get it out there. We have RedHat and Microsoft on the board. Hope that will help!
>
> Raffael
>
>
> On Dec 21, 2010, at 12:50 PM, Lance James wrote:
>
> > Do you guys feel that it will become a standard syntax/format?
> >
> > On Tue, Dec 21, 2010 at 3:41 PM, Raffael Marty <raffy at loggly.com> wrote:
> > I am on the board of CEE. We have released some overview documents at this point. We are currently working on releasing a draft for the syntax and then one for the taxonomy part of the proposed standard. We have the syntax proposal almost done. I am assuming we will release that early next year.
> >
> > Nobody is using CEE in production yet, except for rsyslog, which has a reference implementation to format logs in CEE, but it's preliminary and might still change once CEE comes out with a first actual version.
> >
> > If there are developers that are interested, we are happy to share what we have and collect input.
> >
> > Thanks
> >
> > Raffael
> >
> >
> > On Dec 21, 2010, at 12:32 PM, Lance James wrote:
> >
> > > Hi guys,
> > >
> > > Anyone familiar with Mitre's proposed CEE yet, or its status? Is this being used today for any log correlation?
> > >
> > > On Tue, Nov 2, 2010 at 11:19 AM, Jason Arrington <jarrington at novell.com> wrote:
> > > I thought I'd send a test message through the mailing list to make sure the registration worked OK.
> > >
> > > _______________________________________________
> > > Discussion mailing list
> > > Discussion at siemusers.org
> > > http://siemusers.org/mailman/listinfo/discussion_siemusers.org
> > >
> > >
> > >
> > >
> > > --
> > > Lance James
> > > Secure Science Corporation
> > > Office: 760-262-4141
> > > lancej at securescience.net
> > > PGP Fingerprint: 90E8 BECC 4F3A 0F1A 7F8B 6960 51F6 1704 F92B 6CED
>