Defining Logs, Events, and Alerts

Before we begin talking about log standards, specifications, and so
forth, we need to settle on terminology.

Even in the talking of logs, events, and alerts, people seem to have
different understandings.

As a first cut at trying to agree on a common vocabulary, let's start
with the basics. Below is MITRE's attempt at trying to define the
terms of event, alert, and log:


Event:
        A discrete, distinct, and discernible state change in an
environment.

Alert (n):
        A warning or notification generated in response to an event.

Alert (v):
        The act of generating, transport, or displaying a warning or
notification in response to an event.

Log Entry:
        The record of an event in a log. Event log, event record, log
message, log record, and audit record are all synonyms that have been
used to refer to log entries.

Log (n):
        The record comprising one or more log entries accumulated over
a given period. This may be electronic (e.g. stored in memory, disk,
software, database, text file, etc), physical (e.g. on paper), or even
verbal (e.g., "Between 10:00 and 10:01 we received a series of several
thousand SYN packets that we acknowledged, but full TCP connections
were not completed. At 10:02, our server resources exceeded the
maximum tolerable level and crashed.").

Log (v):
        The act of recording or storing one or more events.




Can these definitions be changed/improved in anyway?
Is there any examples, synonyms, or clarifications that should be
added?


William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel@...
781-271-2615

Hello all,

First off, thanks Bill for initiating this discussion.

Second, the definitions provided I think are good, but I've added some of my thoughts (flagged with '+') for analysis:

Event:
A discrete, distinct, and discernible state change in an environment.
+ Also important is what's *not* included, e.g. reporting on the current state of a variable, whether an interface is enabled, etc etc - since these are not changes, they are not covered under the definition of an event.  I would also argue that a debug message is also not an event - the event in that case is that the program experienced an issue; the debug information (stack trace etc) is merely meta-information about why that might have happened.  Whether or not we want to encompass the expression of these non-events in our "language" is something we need to discuss.


Alert (n):
A warning or notification generated in response to an event.
+ I'd like to be careful to distinguish between a "log entry" (see below) and an "alert".  The way this is written they are basically synonyms - I think we need some language to indicate that an alert is typically anomalous behavior, and intended to cause some sort of reaction, whereas a log entry can be more passive.
+ Also, I'm not clear on whether any sense of "alert" is part of this standard or not.  My thought is that we are worried about the log entries, and someone else can determine if they should cause an alert or not.


Alert (v):
The act of generating, transport, or displaying a warning ornotification in response to an event.


Log Entry:
The record of an event in a log. Event log, event record, log message, log record, and audit record are all synonyms that have been
used to refer to log entries.


Log (n):
The record comprising one or more log entries accumulated over a given period. This may be electronic (e.g. stored in memory, disk,
software, database, text file, etc), physical (e.g. on paper), or even verbal (e.g., "Between 10:00 and 10:01 we received a series of several
thousand SYN packets that we acknowledged, but full TCP connections were not completed. At 10:02, our server resources exceeded the
maximum tolerable level and crashed.").
+ My inclination is to not use this term in our vocabulary.  A "log" implies some sort of static structure that has a beginning and an end - typically the log events we are dealing with are more of a stream.  The fact that we might store the stream of log events in a chunked format called a "log" is merely an artifact of implementation, I think.   Bill makes an attempt to include all types of storage in his definition, but I think many people would not naturally call a stream of events passing by on a console display or over the network a "log".  
+ To wit, I would recommend that we use the terms "event record" and "event stream" instead of "log entry" and "log".  What do other people think?


Log (v):
The act of recording or storing one or more events.
+ I have the feeling we need to distinguish between the *generation* of event records, which I've often called "audit", and the *recording* of events onto persistent storage, which I often call "logging".  Where I'm coming from here is the idea that you might naturally ask:
+ "Which types of events would you like to audit on this platform?"
+ "Where would you like to log those events?"
+ Whether this distinction makes sense or not I'm not sure...

I absolutely disagree with your definition of "event", Bill- there are state
change events as well as activity recording events.

Your other definitions are ok but I have my own.

My definitions:

An event (for our purposes) is an observable occurrence in an IT
environment.

An event record is a data structure that contains information about an
event.

An event log is a store that persists event records, commonly (but not
limited to) a sequential access file.

A log (n) is a colloquial term for an event log.

To log (v) is a colloquial term for generation of an event record in an
event log.

An alert (n)  is a method of interrupting a user such as a sysadmin.
Typically this is only done under explicit conditions, such as an occurrence
of a specific event record in a specific event log.

To alert (v) is to instantiate an alert.

Eric

-----Original Message-----
From: Heinbockel, Bill [mailto:heinbockel@...]
Sent: Tuesday, July 22, 2008 1:03 PM
To: CEE-DISCUSSION-LIST@...
Subject: [CEE-DISCUSSION-LIST] Defining Logs, Events, and Alerts

Before we begin talking about log standards, specifications, and so
forth, we need to settle on terminology.

Even in the talking of logs, events, and alerts, people seem to have
different understandings.

As a first cut at trying to agree on a common vocabulary, let's start
with the basics. Below is MITRE's attempt at trying to define the
terms of event, alert, and log:


Event:
        A discrete, distinct, and discernible state change in an
environment.

Alert (n):
        A warning or notification generated in response to an event.

Alert (v):
        The act of generating, transport, or displaying a warning or
notification in response to an event.

Log Entry:
        The record of an event in a log. Event log, event record, log
message, log record, and audit record are all synonyms that have been
used to refer to log entries.

Log (n):
        The record comprising one or more log entries accumulated over
a given period. This may be electronic (e.g. stored in memory, disk,
software, database, text file, etc), physical (e.g. on paper), or even
verbal (e.g., "Between 10:00 and 10:01 we received a series of several
thousand SYN packets that we acknowledged, but full TCP connections
were not completed. At 10:02, our server resources exceeded the
maximum tolerable level and crashed.").

Log (v):
        The act of recording or storing one or more events.




Can these definitions be changed/improved in anyway?
Is there any examples, synonyms, or clarifications that should be
added?


William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel@...
781-271-2615

 
> My definitions:
>
> An event (for our purposes) is an observable occurrence in an IT
> environment.

I would prefer to extend this definition even further, as I just described
-- for our purposes, "event" should incorporate observable *properties* of
the system (or at least, reporting on observable properties) as well as
occurrences...

t.

Event can be constrained to something that happened.  Another term can
be found for informational messages or non-IT type messages?  The term
is loaded with something-happened uses.

Something to consider.  What is the difference between an action, an
event, and an activity?  (Yeah, I have my terms but want to see if it's
necessary to make these kinds of distinctions.

Sanford

-----Original Message-----
From: Tina Bird [mailto:tbird@...]
Sent: Wednesday, July 23, 2008 2:22 PM
To: CEE-DISCUSSION-LIST@...
Subject: Re: [CEE-DISCUSSION-LIST] Defining Logs, Events, and Alerts


 
> My definitions:
>
> An event (for our purposes) is an observable occurrence in an IT
> environment.

I would prefer to extend this definition even further, as I just
described
-- for our purposes, "event" should incorporate observable *properties*
of the system (or at least, reporting on observable properties) as well
as occurrences...

t.

Hi Sanford,

I think you are on the same track I am.  I have posted your comments and all others (including those sent to the loganalysis list) to the discussion area on the collaboration site:

Visit http://12.193.84.139:8080/ through the shared account (username: "visitor" and password "standards"), follow the links to "team sharing" and "standards" and you'll see the link to "wiki" and other links on the left.


If anyone on this list would like their own account on the collaboration site, please let me know.

>>> On Wed, Jul 23, 2008 at  5:26 PM, in message
<117A6478DABB1D4E9509EA7F413AE78907D5258C@...>, Sanford
Whitehouse <swhitehouse@...> wrote:

I've seen Splunk's "registry as events" feature and it's really cool.

I'm not sure, though, that system properties are event-like.

A change in a property is most definitely an event.


-----Original Message-----
From: Tina Bird [mailto:tbird@...]
Sent: Wednesday, July 23, 2008 2:22 PM
To: CEE-DISCUSSION-LIST@...
Subject: Re: [CEE-DISCUSSION-LIST] Defining Logs, Events, and Alerts


> My definitions:
>
> An event (for our purposes) is an observable occurrence in an IT
> environment.

I would prefer to extend this definition even further, as I just described
-- for our purposes, "event" should incorporate observable *properties* of
the system (or at least, reporting on observable properties) as well as
occurrences...

t.

 
> I've seen Splunk's "registry as events" feature and it's really cool.
>
> I'm not sure, though, that system properties are event-like.
>
> A change in a property is most definitely an event.

This is precisely my point. As a sys admin, there are many times when
writing a script to report on disk utilization (or whatever) and then
sending the results to syslog for archiving and alerts is a perfectly
reasonable thing to do. Being perfectly reasonable, I think the standard
should include some provision for data collection in the case where the data
is not created by an action, an event or a state change.

I'm totally cool with the definition of a new category ("report" leaps to
mind) of log data that would exist in parallel with "event" to incorporate
data collection not triggered by a state change.

And yes, Splunk's ability to collect data from places other than syslog or
the Event Log is very cool, but I really was thinking of all those scripts I
cobbled together in the Dark Ages to help me monitor my production
systems...and don't get me started on AIX ;-)