If you are not on the log analysis mailing list, you are missing a good discussion regarding the efforts to create a new logging standard, CEE (Common Event Expression). MITRE is in charge of the process, but it is probably sponsored by Log Logic (1), since they were the first ones to report about it.

Before I go any further, I would like to say that I am very interested in this initiative and that I already contacted MITRE to be a part of the CEE working group. Unfortunately, I am not very optimistic that it is going to be widely adopted (hope I am wrong).

First of all, it will require significant changes to all major applications and if the protocols are not very well designed, no one is going to use it.

Secondly, the protocol must be simple enough to be fast and non-blocking (like syslog), but still reliable, with support for encryption, etc.

Thirdly, I am always worried by protocols designed by security people. Most of them have no software engineering experience, and if CEE looks anything like IDMEF or SDEE it will go nowhere.

Anyway, despite my lack of optimism, I will still contribute to it, and if it gets past the design phase, I will volunteer to write free libraries (LGPL or BSD licensed) to support it.

If you want more information, check out the following blog entries (by Anton Chuvakin and Raffy):

Finally, Common Event Expression (CEE) is Out!!!
CEE brochure
Standard Logging Format – Common Event Expression (CEE)

[1] Edit to add (Apr 28 2007): Looks like I spoke too soon (actually without any base) that Log Logic is sponsoring CEE. Thanks Raffy for pointing it out in the comments.

  1. Anonymous says:

    I am sorry to tell you, but CEE looks like a BIG waste of time. Have you heard of CEF, WELF, ASL, IDMEF, etc, etc, etc? It is like trying to force an editor standard (EVERYONE MUST USE VI)!

  2. Raffy says:

    Just to set the record straight LogLogic is not sponsoring the CEE effort, nor is ArcSight or any other SIM/ESM vendor. The effort is sponsored in part by some government entities.
    I wonder how “Anonymous” can say CEE is a waste of time without even knowing exactly what CEE is. And yes, I am intimately familiar with CEF (I wrote that) and the other standards. I hear your frustration and believe me, I am too. Give CEE a chance and see where it is going. If you don’t like the direction at any point in time, voice your opinion in a constructive way!

  3. dcid says:

    Hi Raffy,

    Thanks for the feedback. It was just a guess on my part (see “probably” in the entry) since the first place I saw about CEE was on Log Logic’s and Anton’s blog.

    As far as I am concerned, I will support the CEE efforts, and hopefully we will get somewhere.


    Daniel B. Cid
    dcid ( at ) ossec.net

  4. Jason says:

    Why do these standards need to focus on a protocol? First and foremost should be what is logged, and consistent fields, transports can then come after.

    I see a place for a tool to take all the existing log formats and convert/normalize them to CEE, which is something I’d be into working on (I’m a developer first, security 2nd).
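    A sketch of the converter Jason describes, added here as an example; it is not code from the original post, from Jason, or from the CEE project. It takes constructed syslog (BSD-style) and CEF lines (CEF is the ArcSight format Raffy mentions below) and maps them onto one common field set. The common field names and the severity mapping are my own assumptions, not CEE's schema; the point is that consistent fields can be produced from existing formats before any transport question is settled.

```python
import re

# Constructed sample lines in two existing formats (not real events).
SAMPLE_LINES = [
    "<38>Apr 28 10:15:02 webfront sshd[2231]: Failed password for root from 203.0.113.7 port 51112 ssh2",
    "CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232",
]

# BSD syslog: optional <PRI>, timestamp, host, tag[pid]: message
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# CEF extension: key=value pairs; a value runs until the next " key=" token.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def common_event(**overrides):
    """Assumed common field set; every source format fills the same keys."""
    event = {
        "source_format": None,
        "time": None,
        "host": None,
        "vendor": None,
        "product": None,
        "pid": None,
        "severity": None,      # assumed common scale 0..10, 10 most severe
        "event_name": None,
        "message": None,
        "fields": {},          # format-specific key/value extras
    }
    event.update(overrides)
    return event


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    severity = None
    if m.group("pri") is not None:
        # syslog severity is 0 (emerg) .. 7 (debug); invert onto the 0..10 scale
        sev = int(m.group("pri")) & 7
        severity = (7 - sev) * 10 // 7
    return common_event(
        source_format="syslog",
        time=m.group("ts"),
        host=m.group("host"),
        product=m.group("tag"),
        pid=int(m.group("pid")) if m.group("pid") else None,
        severity=severity,
        message=m.group("msg"),
    )


def split_cef_header(line):
    """Split the seven pipe-delimited CEF header fields, honouring '\\|' escapes."""
    parts, cur, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if c == "|":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    return parts, line[i:]


def parse_cef(line):
    parts, extension = split_cef_header(line)
    if len(parts) != 7 or not parts[0].startswith("CEF:"):
        return None
    # CEF severity is already 0..10 (numeric); non-numeric values are left unset
    severity = int(parts[6]) if parts[6].isdigit() else None
    return common_event(
        source_format="cef",
        vendor=parts[1],
        product=parts[2],
        severity=severity,
        event_name=parts[5],
        message=extension,
        fields={k: v for k, v in CEF_EXT_RE.findall(extension)},
    )


def to_common_event(line):
    """Detect the source format and normalize; None when nothing matches."""
    if line.startswith("CEF:"):
        return parse_cef(line)
    return parse_syslog(line)


def normalize_lines(lines):
    return [ev for ev in (to_common_event(l) for l in lines) if ev is not None]


if __name__ == "__main__":
    for ev in normalize_lines(SAMPLE_LINES):
        print(ev)
```

    Unrecognised lines are dropped rather than guessed at, so a downstream consumer can trust that every record it sees carries the same keys; in practice you would count those drops as a parse-failure metric.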

  5. “Why do these standards need to focus on a protocol? First and foremost should be what is logged, and consistent fields, transports can then come after.”

    EXACTLY! See CEE :-)

