[logs] Defining Events, Logs, and Alerts (Round 2)
Heinbockel, Bill
heinbockel at mitre.org
Thu Jul 31 06:31:17 PDT 2008
Thank you for all of the great feedback and discussion.
After compiling all of the suggestions, we have gone
through and revised our definitions.
The main points of feedback were that (1) logs have
a temporal quality that is important, and (2) that
there are different connotations regarding the term
"log" -- some think of logs as only containing
records of events, while others point out that there
are other things (e.g., "reports", debug info) that
also appear in today's log files.
To help clarify this, we define both "log" and
"event log". An "event log" contains only "event
records", and is a subset of a "log".
Without further ado:
1. Event
* An observable occurrence in a computer system. The
classification of events may be dependent on the observer
and domain.
2. Event Record
* A persistent representation of the details of an
individual event.
3. Event Log
* A collection of time-stamped event records.
4. Log
* A collection of event records and other informational
data pertaining to a particular domain.
A log may be electronic (e.g., stored in memory, disk,
software, database, text file, etc.), physical (e.g., on
paper), or even verbal (e.g., "Between 10:00 and 10:01 we
received a series of several thousand SYN packets that we
acknowledged, but full TCP connections were not completed.
At 10:02, our server resources exceeded the maximum
tolerable level and crashed.").
5. Log Record
* A single entry in a log. Entries may take the form of an
Event Record, status or attribute report, debug data, or
similar environmental information.
6. Alert (n)
* A warning or notification to a user or system, usually
indicating that some action should be taken in response to
one or more events.
7. Alert (v)
* The act of generating, transporting, or displaying a
warning or notification.
8. Log (v)
* The act of recording or storing one or more events.
William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615