>Frank,
>
>>talking about the contents or details of the event, but some kind of name or
>>number that answers the most basic question, which is "what happened?", or
>>if you prefer "what event or type of event is this?".
>
>Isn't this what a CVE CAN number is all about?

A CVE number would work for log entries concerning vulnerabilities, but doesn't cover other cases. However, there's nothing to say that a similar definition mechanism couldn't be used for other things.

To take a concrete example, think about a login event. That could be generated by an OS login, a network authentication service, a business application, many other things. But in each case it is some kind of login event, only the details differ. So, should that be treated as event #200? Event #200, subtype #3 (UNIX)? Is it 12 different types of event? Or what? Can everyone make up their own IDs, or does it need some kind of co-ordination and registration?

It's also clear that trying to standardise on even that one type of event is a fairly large piece of work that takes you far from home - including such issues as how to represent a user ID in various systems. Should that be a string? A number (e.g. a UNIX UID)? An NT SID? Kerberos principal name? All of the above? Should a user ID be a part of all events, a standard header item? What about things like delegation, impersonation and effective user ids? If a session is created, should the ID of THAT be logged with related events, or should the analyzer have to infer it? What if there is no session? And so on...

Cheers,
Frank

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
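One way to make the design question above concrete, as an added example that is not part of this thread or of any LogAnalysis project code: a small Python normaliser that maps constructed log lines from three different sources (an sshd-style line, a Windows-style logon line, a Kerberos KDC-style line) onto one shared event schema. It uses a hypothetical catalogue number 200 for "a login happened" with a per-source subtype, tags each user ID with its native representation (UNIX name, NT SID, Kerberos principal) instead of forcing one format, and carries a session handle only when the source actually logged one. The event and subtype numbers, field names, regexes and sample lines are all assumptions made for this illustration, not real system output or any standard.

```python
"""Normalising login events from heterogeneous sources into one schema.

Added example, not code from the original thread. The catalogue number 200
and the subtype numbers are arbitrary values chosen for this illustration;
the log lines below are constructed samples in the style of common logs,
not real system output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOGIN_EVENT = 200      # hypothetical catalogue id answering "what happened?": a login

# Hypothetical subtypes: which kind of system produced the login event.
SUBTYPE_UNIX = 1
SUBTYPE_WINDOWS = 2
SUBTYPE_KERBEROS = 3


@dataclass
class UserId:
    """A user identity tagged with its native representation, so an analyser
    never has to guess whether a value is a name, a SID or a principal."""
    kind: str                    # "unix_name", "nt_sid" or "krb_principal"
    value: str
    realm: Optional[str] = None  # NT domain or Kerberos realm when the source gives one


@dataclass
class Event:
    event_id: int                  # shared catalogue id (LOGIN_EVENT here)
    subtype: int                   # source-specific refinement of the id
    outcome: str                   # "success" or "failure"
    user: UserId
    session: Optional[str] = None  # session handle only if the source logged one
    source: str = ""               # which log the event came from
    raw: str = ""                  # original line, kept for forensics


# Regexes for the three constructed line formats (assumptions, not real formats).
_UNIX_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")
_WIN_RE = re.compile(r"Logon (success|failure) user=([^\\\s]+)\\(\S+) sid=(\S+)(?: session=(\S+))?")
_KRB_RE = re.compile(r"AS_REQ for (\S+)@([^:\s]+): (ISSUE|FAIL)")


def parse_login(line: str) -> Optional[Event]:
    """Map one raw line onto the shared schema; None if it is not a login event."""
    m = _UNIX_RE.search(line)
    if m:
        verdict, name, _host = m.groups()
        return Event(LOGIN_EVENT, SUBTYPE_UNIX,
                     "success" if verdict == "Accepted" else "failure",
                     UserId("unix_name", name), source="sshd", raw=line)
    m = _WIN_RE.search(line)
    if m:
        verdict, domain, _name, sid, session = m.groups()
        # The SID is the stable identity on Windows; the domain is kept as the realm.
        return Event(LOGIN_EVENT, SUBTYPE_WINDOWS, verdict,
                     UserId("nt_sid", sid, realm=domain),
                     session=session, source="winlogon", raw=line)
    m = _KRB_RE.search(line)
    if m:
        principal, realm, verdict = m.groups()
        return Event(LOGIN_EVENT, SUBTYPE_KERBEROS,
                     "success" if verdict == "ISSUE" else "failure",
                     UserId("krb_principal", principal, realm=realm),
                     source="krb5kdc", raw=line)
    return None


def normalize(lines: List[str]) -> List[Event]:
    """Keep only the lines that map onto the login event type."""
    return [e for e in (parse_login(l) for l in lines) if e is not None]


def count_by_outcome(events: List[Event]) -> Dict[Tuple[int, str], int]:
    """Answer 'what happened, how often?' across sources by catalogue id only."""
    counts: Dict[Tuple[int, str], int] = {}
    for e in events:
        key = (e.event_id, e.outcome)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample lines (not real logs); the last one is not a login at all.
SAMPLE_LINES = [
    "Jan  3 10:01:02 host1 sshd[4242]: Accepted password for alice from 10.0.0.5 port 52211 ssh2",
    "Jan  3 10:01:09 host1 sshd[4250]: Failed password for invalid user admin from 10.0.0.9 port 40000 ssh2",
    "2002-12-18T10:02:00 dc1 Logon success user=CORP\\bob sid=S-1-5-21-1111-2222-3333-1001 session=0x3e7",
    "2002-12-18T10:02:05 kdc1 krb5kdc: AS_REQ for carol@EXAMPLE.COM: ISSUE",
    "Jan  3 10:03:00 host1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    evs = normalize(SAMPLE_LINES)
    for ev in evs:
        print(ev.event_id, ev.subtype, ev.outcome, ev.user, ev.session)
    print(count_by_outcome(evs))
```

The point of the `UserId.kind` tag and the optional `session` field is that the schema records what each source can actually say rather than inventing a session or a numeric UID where the source had none; an analyser that needs cross-source correlation can still query on `event_id` alone and drill into `subtype` and `user.kind` only when the details matter.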
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 18:34:44 PST