[siem-users] CEE/CEF Was: Testing

Joe Magee jmagee at thevigilant.com
Tue Dec 21 21:40:27 UTC 2010


I'm a big fan of CEF. Originally founded by ArcSight, it has become
widely used by a number of vendors (Imperva, Guardium and I believe
NetWitness...)

 

Comparative details between CEE and other formats are found here: 

http://cee.mitre.org/comparison.html

 

CEF looks and feels a lot like FIX for those FiServs peeps out there... 

 

Joe Magee

CTO and Co-Founder

Cell +1-617-921-8671

Office +1-201-324-1800 x202

 

  

securing and enabling dynamic business

www.thevigilant.com (check out our new website!)
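Since the thread compares CEE against CEF without showing what a CEF record looks like, here is an added example (written for this page, not code from ArcSight, the list members or any of the vendors named above). It parses CEF records into the seven header fields plus the key=value extension, honouring the escaping rules the format defines: in the header a literal pipe is written `\|` and a literal backslash `\\`, in the extension a literal `=` is written `\=`. The sample records are constructed for the example, as are the field names used for the parsed header; the point is that a naive `split("|")` silently shifts fields when a vendor or event name contains a pipe, which is exactly the kind of defect that breaks the correlation the thread is concerned with.

```python
import re
from typing import Dict, List

# Constructed sample records (not taken from the thread). The second record
# exercises the escaping rules: '\|' and '\\' in the header, '\=' in the extension.
SAMPLE_CEF = [
    r"CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
    r"CEF:0|Vendor\|Inc|WAF\\Edge|2.3|sqli|SQL injection: a\|b|7|src=192.0.2.7 request=/login?u\=admin msg=blocked act=deny",
]

# Names chosen here for the seven header positions (the CEF spec numbers them, it does not name dict keys).
HEADER_FIELDS = ["version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity"]


def split_header(record: str) -> List[str]:
    """Return the seven header fields plus the raw extension text.

    The header is delimited by unescaped '|'; a literal pipe is written '\\|'
    and a literal backslash '\\\\'. Splitting on every '|' (str.split) would
    silently shift the fields whenever a vendor or event name contains one.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(record) and len(parts) < 7:
        ch = record[i]
        if ch == "\\" and i + 1 < len(record) and record[i + 1] in "|\\":
            buf.append(record[i + 1])   # escaped pipe or backslash: keep the literal char
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))  # unescaped pipe: field boundary
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(parts) < 7:
        raise ValueError("CEF header has fewer than seven '|'-delimited fields")
    parts.append(record[i:])            # everything after the 7th pipe is the extension
    return parts


# An extension key starts at the beginning of the extension or after whitespace and
# is followed by an unescaped '='. Values may contain spaces, so a value runs up to
# the start of the next key.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def _unescape_extension_value(value: str) -> str:
    """Resolve '\\=', '\\\\', '\\n' and '\\r', the escapes CEF allows in extension values."""
    return re.sub(r"\\([=\\nr])", lambda m: _EXT_ESCAPES[m.group(1)], value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'key=value key=value ...' into a dict, unescaping each value."""
    matches = list(_KEY_RE.finditer(ext))
    fields: Dict[str, str] = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape_extension_value(ext[m.end():end].strip())
    return fields


def parse_cef(record: str) -> Dict[str, object]:
    """Parse one CEF record into the seven header fields plus an 'extension' dict."""
    parts = split_header(record)
    if not parts[0].startswith("CEF:"):
        raise ValueError("record does not start with 'CEF:'")
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:7]))
    event["version"] = parts[0][len("CEF:"):]
    severity = parts[6]
    if not (severity.isdigit() and 0 <= int(severity) <= 10):
        # CEF severity is an integer 0..10; reject anything else before it reaches correlation rules
        raise ValueError(f"severity must be an integer 0-10, got {severity!r}")
    event["extension"] = parse_extension(parts[7])
    return event


if __name__ == "__main__":
    for line in SAMPLE_CEF:
        print(parse_cef(line))
```

Run it and the second record yields `device_vendor == "Vendor|Inc"` and `request == "/login?u=admin"`, whereas `SAMPLE_CEF[1].split("|")[1]` gives `Vendor\` and everything after it lands one field to the right. The same shape of check (escape-aware split, then a strict type check on the few fields with a defined domain) is what to look for in any CEF consumer you evaluate.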

 

From: discussion-bounces at siemusers.org
[mailto:discussion-bounces at siemusers.org] On Behalf Of
John.Kula at tdameritrade.com
Sent: Tuesday, December 21, 2010 4:03 PM
To: lancej at securescience.net; raffy at loggly.com
Cc: discussion at siemusers.org
Subject: Re: [siem-users] Testing

 

I haven't had time to look into this much; how does it compare to
something like CEF? I'm sure, like all new standards, it's "more robust",
"faster", "more flexible"....   CEF is in a lot of places, so the question
is.... Is there a compelling reason to support CEE over CEF, or CEE &
CEF?

 

From: discussion-bounces at siemusers.org
[mailto:discussion-bounces at siemusers.org] On Behalf Of Lance James
Sent: Tuesday, December 21, 2010 4:00 PM
To: Raffael Marty
Cc: discussion at siemusers.org
Subject: Re: [siem-users] Testing

 

Thanks Raffael, 

 

This is very enlightening. I'll start checking out what I can about it.

On Tue, Dec 21, 2010 at 3:56 PM, Raffael Marty <raffy at loggly.com> wrote:

Well, that's a good question. What's a standard? Is it a standard if
someone calls it that, or is it a standard if everyone implements it? I
think it's the latter. Do I think it will get broad adoption? Not sure.
I think it is a proposed standard that makes a lot of sense, it's simple
to implement and it will help developers (producers) and consumers of
the logs a lot, in terms of generating meaningful and complete log
records and also in terms of well-consumable log records that make
correlation easier.

Especially the logging recommendations are going to be a great help for
all types of devices to make sure they log at the right places (log
the right events) and log enough information for each of those events.

Sorry for the long-winded answer, but adoption is going to be a huge
effort and we need everyone's help to get it out there. We have RedHat
and Microsoft on the board. Hope that will help!


 Raffael

--
Raffael Marty                        Founder and President @ Loggly
@zrlram                                              about.me/raffy

On Dec 21, 2010, at 12:50 PM, Lance James wrote:

> Do you guys feel that it will become a standard syntax/format?
>
> On Tue, Dec 21, 2010 at 3:41 PM, Raffael Marty <raffy at loggly.com>
wrote:
> I am on the board of CEE. We have released some overview documents at
this point. We are currently working on releasing a draft for the syntax
and then one for the taxonomy part of the proposed standard. We have the
syntax proposal almost done. I am assuming we will release that early
next year.
>
> Nobody is using CEE in production yet, except for rsyslog, which has a
reference implementation to format logs in CEE, but it's preliminary and
might still change once CEE comes out with a first actual version.
>
> If there are developers that are interested, we are happy to share
what we have and collect input.
>
> Thanks
>
>  Raffael
>
> --
> Raffael Marty                        Founder and President @ Loggly
> @zrlram                                              about.me/raffy
>
> On Dec 21, 2010, at 12:32 PM, Lance James wrote:
>
> > Hi guys,
> >
> > Anyone familiar with Mitre's proposed CEE yet, or its status? Is
this being used today for any log correlation?
> >
> > On Tue, Nov 2, 2010 at 11:19 AM, Jason Arrington <
jarrington at novell.com> wrote:
> > I thought I'd send a test message through the mailing list to make
sure the registration worked OK.
> >
> > _______________________________________________
> > Discussion mailing list
> > Discussion at siemusers.org
> > http://siemusers.org/mailman/listinfo/discussion_siemusers.org
> >
> >
> >
> >
> > --
> > Lance James
> > Secure Science Corporation
> > Office: 760-262-4141
> > lancej at securescience.net
> > PGP Fingerprint: 90E8 BECC 4F3A 0F1A 7F8B 6960 51F6 1704 F92B 6CED
>
>
>
>
>
> --
> Lance James
> Secure Science Corporation
> Office: 760-262-4141
> lancej at securescience.net
> PGP Fingerprint: 90E8 BECC 4F3A 0F1A 7F8B 6960 51F6 1704 F92B 6CED






-- 
Lance James
Secure Science Corporation
Office: 760-262-4141
lancej at securescience.net
PGP Fingerprint: 90E8 BECC 4F3A 0F1A 7F8B 6960 51F6 1704 F92B 6CED
