[logs] How to define Log, Event, and Alert?
Heinbockel, Bill
heinbockel at mitre.org
Wed Jul 23 08:26:59 PDT 2008
In support of the CEE effort to develop a log standard, we
are trying to accurately define the concepts of "log",
"event", and "alert". When we speak of these conceptually,
a majority of us have common understanding of what we mean.
However, this is not the case when presenting these terms
to management and other people outside of the log space.
Here is our initial shot at defining these terms:
Event:
A discrete, distinct, and discernible state change in an
environment.
Alert (n):
A warning or notification generated in response to an event.
Alert (v):
The act of generating, transporting, or displaying a warning or
notification in response to an event.
Log Entry:
The record of an event in a log. Event log, event record, log
message, log record, and audit record are all synonyms that have been
used to refer to log entries.
Log (n):
The record comprising one or more log entries accumulated over
a given period. This may be electronic (e.g. stored in memory, disk,
software, database, text file, etc), physical (e.g. on paper), or even
verbal (e.g., "Between 10:00 and 10:01 we received a series of several
thousand SYN packets that we acknowledged, but full TCP connections
were not completed. At 10:02, our server resources exceeded the
maximum tolerable level and crashed.").
Log (v):
The act of recording or storing one or more events.
What do you think?
Can these definitions be changed/improved in any way?
Are there any examples, synonyms, or clarifications that should be
added?
Thanks,
William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
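The definitions above, applied to the post's own SYN-flood narrative as an added example (not part of the original message or of the CEE proposal): constructed sample lines are recorded as events in a log, and an alert is generated only when the number of half-open connections in a window exceeds a threshold, which is an assumed value chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime

@dataclass(frozen=True)
class Event:
    """Event: a discrete state change, here one TCP handshake step seen by a server."""
    time: datetime
    conn: str   # client addr:port identifying one connection attempt
    state: str  # "SYN_RECEIVED" (half-open) or "ESTABLISHED" (handshake completed)

@dataclass(frozen=True)
class Alert:
    """Alert (n): a warning generated in response to an event."""
    message: str

@dataclass
class Log:
    """Log (n): entries accumulated over a period; each stored Event is one log entry."""
    entries: list[Event] = field(default_factory=list)
    def log(self, event: Event) -> None:  # Log (v): record an event
        self.entries.append(event)

# Constructed sample lines (documentation-range addresses, not real hosts).
SAMPLE_LINES = """\
2008-07-23T10:00:00 198.51.100.7:40001 SYN_RECEIVED
2008-07-23T10:00:01 198.51.100.7:40002 SYN_RECEIVED
2008-07-23T10:00:02 203.0.113.9:51000 SYN_RECEIVED
2008-07-23T10:00:03 203.0.113.9:51000 ESTABLISHED
2008-07-23T10:00:04 198.51.100.7:40003 SYN_RECEIVED
2008-07-23T10:02:00 198.51.100.7:40004 SYN_RECEIVED
"""

def build_log(text: str = SAMPLE_LINES) -> Log:
    """Parse lines of the form '<ISO time> <addr:port> <state>' and log each event."""
    log = Log()
    for line in text.splitlines():
        ts, conn, state = line.split()
        log.log(Event(datetime.fromisoformat(ts), conn, state))
    return log

def half_open_count(log: Log, start: datetime, end: datetime) -> int:
    """Connections that reached SYN_RECEIVED in [start, end) but never ESTABLISHED."""
    evs = [e for e in log.entries if start <= e.time < end]
    done = {e.conn for e in evs if e.state == "ESTABLISHED"}
    return len({e.conn for e in evs if e.state == "SYN_RECEIVED"} - done)

def check_half_open(log: Log, start: datetime, end: datetime, threshold: int) -> Alert | None:
    """Alert (v): generate a warning only when half-open connections exceed the (assumed) threshold."""
    n = half_open_count(log, start, end)
    return Alert(f"{n} half-open TCP connections between {start:%H:%M} and {end:%H:%M}") if n > threshold else None
```

The same six log entries yield an alert for the 10:00 window but none for the 10:02 window, which is the distinction the definitions draw between a recorded event and a warning raised in response to it.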