|
The main initiative in this area is Common Event Expression (CEE), which is meant to be a standard log language for reporting events across different systems. The rationale for a common logging language is common sense. With a common way to report events, malicious activity can not only be tracked across different systems and platforms, it can also be tracked universally in a common repository for security investigators.
Before CEE, log reporting was platform specific, making it difficult, if not impossible, to correlate similar events across systems. CEE, which was spearheaded by MITRE in 2007 through an industry working group, is a common taxonomy, syntax and language for reporting log events. MITRE is an organization that works with the U.S. government on technology issues, including IT security.
The benefits of consistent event and log reporting are enormous. It defines an event unambiguously according to an agreed upon standard, no matter the platform where it occurred, and tightens compliance by providing a standard definition for events for auditors and regulators. It can also cut costs of log management by reducing redundancy in logging from multiple systems.
The status of CEE is that MITRE has an active working group with a mailing list for those interested in participating. For more information about the working group, including how to subscribe to the mailing list, check the MITRE website.
Another good guide on security log management is Special Publication 800-92 from the National Institute of Standards and Technology (NIST).
More information:
|
