[logs] How to define Log, Event, and Alert?

Bill Scherr IV bschnzl at cotse.net
Thu Jul 24 19:23:14 PDT 2008


So...

I gather a temporal mention to be appropriate beyond the definition of the Log.  Also, most systems break off their logs by 
size, not time.  Although there is a definite time to each log, they are not consistent, even with the same log gatherer.  Right or 
wrong, that is how I find them.  Suggestions below (if I may be so bold):

Circa 11:26, 23 Jul 2008, a note, claiming source Heinbockel, Bill <heinbockel at mitre.org>, was sent to me:

From:           	"Heinbockel, Bill" <heinbockel at mitre.org>
To:             	<loganalysis at loganalysis.org>
Subject:        	[logs] How to define Log, Event, and Alert?

> 
> 
> Here is our initial shot at defining these terms:
> 
> 
> Event:
> 	A discrete, distinct, and discernible state change in an
> environment.

A discrete, distinct, and discernible state change in an environment at a recorded (or given) time.
> 
> Alert (n):
> 	A warning or notification generated in response to an event.
> 
> Alert (v):
> 	The act of generating, transporting, or displaying a warning or
> notification in response to an event.
> 
> Log Entry:
> 	The record of an event in a log. Event log, event record, log
> message, log record, and audit record are all synonyms that have been
> used to refer to log entries. 

The record of an event in a log, in sequence, usually with a timestamp.  <thesaurus reference to follow>
> 
> Log (n): 
> 	The record comprising one or more log entries accumulated over
> a given period. This may be electronic (e.g. stored in memory, disk,
> software, database, text file, etc), physical (e.g. on paper), or even
> verbal (e.g., "Between 10:00 and 10:01 we received a series of several
> thousand SYN packets that we acknowledged, but full TCP connections
> were not completed. At 10:02, our server resources exceeded the
> maximum tolerable level and crashed.").
> 
> Log (v):
> 	The act of recording or storing one or more events.
> 
> 
> 
> What do you think?
> Can these definitions be changed/improved in any way?
> Are there any examples, synonyms, or clarifications that should be
> added?
> 

Event:  The same state change may occur repeatedly.
Log Entry:  No entry happens without context.




Bill Scherr IV, GSEC, GCIA
Principal Security Engineer
EWA Information and Infrastructure Technologies
bscherr at iit-tek.com
bscherr at ewa.com
703-478-7608
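Added example, not code from this thread or from either author: a small Python model of the four terms as the reply above distinguishes them. It assumes, beyond what the thread states, that an Event carries the time it was recorded, that a LogEntry is an Event plus its sequence number in a Log (its context), that the Log is rotated by entry count (standing in for rotation by size, so that one time window may span several files), and that an Alert is generated when a rule matches the events logged so far. Event names, the line layout and the sample data (a burst of half-open TCP connections followed by a crash, mirroring the verbal log in the quoted definition of Log (n)) are all constructed for the illustration.

```python
"""Added example, not code from the LogAnalysis thread or either author: a small
model of Event, LogEntry, Log and Alert as the reply above distinguishes them.
Assumed here, not stated in the thread: an Event carries the time it was recorded;
a LogEntry is an Event plus its sequence number in a Log (its context); the Log
rotates by entry count (standing in for rotation by size); an Alert is generated
when a rule matches the events logged so far. Names and sample data are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Iterator

T0 = datetime(2008, 7, 23, 10, 0, 0)   # constructed start time for the sample


@dataclass(frozen=True)
class Event:
    """A discrete, distinct state change, with the time at which it was recorded."""
    time: datetime
    kind: str            # hypothetical event names, e.g. "tcp.syn_received"
    detail: str = ""


@dataclass(frozen=True)
class LogEntry:
    """The record of an Event in a Log: the event plus its position in sequence."""
    seq: int
    event: Event


@dataclass
class Log:
    """Entries accumulated in sequence; a new file is started on size, not time."""
    max_entries: int
    files: list[list[LogEntry]] = field(default_factory=lambda: [[]])

    def log(self, event: Event) -> LogEntry:
        """'Log' as a verb: record one event as the next entry, rotating on size."""
        entry = LogEntry(sum(len(f) for f in self.files) + 1, event)
        if len(self.files[-1]) >= self.max_entries:
            self.files.append([])        # rotation keyed on size, not on time
        self.files[-1].append(entry)
        return entry

    def entries(self) -> Iterator[LogEntry]:
        return (e for f in self.files for e in f)

    def files_covering(self, start: datetime, end: datetime) -> list[int]:
        """Indices of the rotated files holding at least one entry in [start, end]."""
        return [i for i, f in enumerate(self.files)
                if any(start <= e.event.time <= end for e in f)]


@dataclass(frozen=True)
class Alert:
    """A warning generated in response to an event: here, the entry that crossed the threshold."""
    time: datetime
    message: str
    triggered_by: LogEntry


def alert_on_repeats(log: Log, kind: str, threshold: int, window: timedelta) -> list[Alert]:
    """One Alert the first time `threshold` events of `kind` fall inside `window`."""
    # The same state change recurring is the point: one half-open connection is
    # not worth an alert, thousands within a minute are.
    recent: list[datetime] = []
    for entry in log.entries():
        if entry.event.kind != kind:
            continue
        recent.append(entry.event.time)
        recent = [t for t in recent if entry.event.time - t <= window]
        if len(recent) >= threshold:
            return [Alert(entry.event.time, f"{len(recent)} x {kind} within {window}", entry)]
    return []


def sample_log() -> Log:
    """Constructed input: 12 SYNs five seconds apart, then a crash, rotating every 5 entries."""
    log = Log(max_entries=5)
    for i in range(12):
        log.log(Event(T0 + timedelta(seconds=5 * i), "tcp.syn_received", f"src=10.0.0.{i % 3}"))
    log.log(Event(T0 + timedelta(minutes=2), "service.crash", "resources exhausted"))
    return log


def demo() -> dict:
    """Run the model over the sample and return the facts it is meant to show."""
    log = sample_log()
    alerts = alert_on_repeats(log, "tcp.syn_received", 10, timedelta(minutes=1))
    return {
        "entries_per_file": [len(f) for f in log.files],        # size-based split
        "files_for_first_30s": log.files_covering(T0, T0 + timedelta(seconds=30)),
        "alert_seq": [a.triggered_by.seq for a in alerts],
        "alert_time": [a.time.isoformat() for a in alerts],
    }


if __name__ == "__main__":
    for entry in sample_log().entries():
        print(f"{entry.event.time.isoformat()} seq={entry.seq} {entry.event.kind} {entry.event.detail}")
    print(demo())
```

Running it shows the two points the reply makes: the thirteen entries land in three files of 5, 5 and 3 because rotation is keyed on size, so the first thirty seconds of activity are already spread over two files; and a single SYN produces no alert, while the tenth repeat of the same state change inside one minute does, with the alert pointing back at the entry (and its sequence number) that triggered it.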

