FIST Conference September/Madrid 2007 @



                          Sponsored by:



             Events Logging Markup
             Language
                   Vicente Aceituno Canal
Index

Log Management
Standards
Information System Model
XML Markup
Vocabulary




                           2
What gets logged

 A Record contains a series of
events.
   Startup, restart, abnormal termination.
   Physical and Logical thresholds being
  exceeded.
   Access attempts to resources.
   Network connections.
   Privilege and access rights changes.
   Configuration changes.

                               3
Log Management

 Logs are generated everywhere.
 Logs have very different formats.
 There are hundreds of log APIs.
 There are many log transports.
 Logs are a trail and a measure.
 Log collection, correlation,
aggregation.


                           4
Standards

 CEE (MITRE initiative in the making)
 CEF (ArcSight)
 Extended Log File Format (W3C)
 ELML – Events Logging Markup
Language (ISM3 Consortium)
 WebTrends Enhanced Log file Format.
 WSDM Event Format (OASIS)
 XDAS – Distributed Audit Service (The Open Group)
 RFC3164 – syslog (IETF)

                             5
Information System Model (UNIX)

  Processes




  Files




                       6
Information System Model (ELML)

  Interfaces
  Repositories
  Services
  Channels
  Messages
  Sessions



                       7
Information System Model (ELML)

  Interface
   Web-based interface
   System call
   Monitor, keyboard and mouse
   Connector
   Keyboard
   Printer
   Scanner
   Data acquisition board
   DB9
   RJ-45


                                 8
Information System Model (ELML)

  Repository
   Payroll Database
   Database Replica
   File system
   Directory
   File
   Hard drive
   Cluster
   CD
   DVD
   RAM
   Registers


                       9
Information System Model (ELML)

  Service
   Bank Account
   SOAP API Interface
   Ethernet Port
   Application
   System process
   Threads
   Running instruction


                         10
Information System Model (ELML)

  Channel
   Phone call
   HTTPS
   TCP connection
   SFTP connection
   Frame relay PVC
   Optic fiber
   Ethernet cable
   IDE cable

                       11
Information System Model (ELML)

  Message
   Transfer from another account
   Mail
   SOAP Call
   TCP packet
   IP Packet
   Ethernet Packet
   802.11g Packet


                             12
Information System Model (ELML)

  Session
    Work session between user and
   application
    Session between processes
    TCP Transmission session
    Frame transmission session
    su (nested session)
    Software agent session
    WAP2 session
    etc…

                             13
XML Markup

 Every event can have an eventID.
 If the event is not logged by the agent of the event, the logger can be identified using a loggerID.
 The agent of the event can be identified using a sourceID.
 The agent of the event can stay in different locations, identified using an addressID.
 The credential used by the source to perform a request can be identified using a credentialID.
 The resource (subject) of the event is identified using a resourceID.


                                     14
XML Markup

 The request (access attempt) performed has a RequestType and a Result. The reason for the Result is stated in the ResultText.
 The payload contains the information necessary to perform the request.
 dateTime is the date and time when the request is performed.
 signature is the digital signature of the event using the credentialID.
 hash is the digital summary of the event. It is recommended that the hash of the previous event in the Record is used to calculate it.
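As an added worked example (not code from the slides or from the ISM3 Consortium), the following Python builds the chained hash recommended above for a Record of ELML events and verifies it, so that a modified or removed earlier event breaks every later hash. The canonical serialization, SHA-256, the GENESIS value used as "previous hash" for the first event and the <event> wrapper element are assumptions of this example; the element names are those of slides 14 and 15.

```python
"""Hash-chained ELML Record (added example; not ELML's own code).

Assumed: canonical field order, SHA-256, a GENESIS previous-hash value for the
first event, and an <event> wrapper element around the ELML fields.
"""
import hashlib
import xml.etree.ElementTree as ET

GENESIS = "0" * 64  # assumed previous-hash value for the first event in a Record

# Element order from slides 14 and 15; a fixed order keeps the hash deterministic.
ORDER = ["eventID", "loggerID", "sourceID", "addressID", "credentialID",
         "resourceID", "RequestType", "Result", "ResultText", "payload", "dateTime"]


def canonical(fields):
    """Deterministic serialization: known elements, slide order, one per line."""
    return "\n".join(f"{k}={fields[k]}" for k in ORDER if k in fields)


def event_hash(fields, prev_hash):
    """Chain rule: SHA-256(prev_hash || newline || canonical(fields))."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(b"\n")
    h.update(canonical(fields).encode())
    return h.hexdigest()


def build_record(events):
    """Return a copy of each event with its chained 'hash' element added."""
    record, prev = [], GENESIS
    for fields in events:
        entry = dict(fields)
        entry["hash"] = event_hash(fields, prev)
        prev = entry["hash"]
        record.append(entry)
    return record


def verify_record(record):
    """Return the index of the first event whose hash does not verify, or None."""
    prev = GENESIS
    for i, entry in enumerate(record):
        fields = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("hash") != event_hash(fields, prev):
            return i
        prev = entry["hash"]
    return None


def to_elml(entry):
    """Render one event as ELML-style elements inside an assumed <event> wrapper."""
    root = ET.Element("event")
    for k, v in entry.items():
        ET.SubElement(root, k).text = v
    return ET.tostring(root, encoding="unicode")


# Constructed sample: the two ELMLized ProFTPd events shown on slides 18 and 19.
SAMPLE_EVENTS = [
    {"sourceID": "proftpd.lab.ossec.net", "addressID": "192.168.20.10",
     "loggerID": "slacker proftpd[25530]", "Result": "success",
     "ResultText": "FTP session closed.", "dateTime": "21/5/2007 20:22:14"},
    {"sourceID": "proftpd.lab.ossec.net", "addressID": "190.48.150.156",
     "credentialID": "abad",
     "loggerID": "proftpd.lab.ossec.net:21:slacker proftpd[31806]",
     "RequestType": "login", "Result": "failure",
     "ResultText": "no such user found", "dateTime": "21/5/2007 20:21:21"},
]

if __name__ == "__main__":
    record = build_record(SAMPLE_EVENTS)
    for entry in record:
        print(to_elml(entry))
    print("first broken event:", verify_record(record))   # None: chain intact
    record[0]["Result"] = "failure"                        # alter an earlier event
    print("first broken event:", verify_record(record))   # 0: detected
```

Because each hash covers the previous one, an attacker who edits an old event and recomputes only its own hash still breaks the next event's hash; the verifier reports the first mismatch so the point of tampering can be located.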


                                      15
XML Vocabulary

Component    Initiate   Finalize     Freeze      Unfreeze   Query State   Change State

Credential   create     delete       block       unblock    read          write
Session      login      logout       suspend     resume     read          write
Message      send       listen       retain      forward    read          write
Repository   create     delete       block       unblock    read          write
Interface    connect    disconnect   interrupt   continue   read          write
Channel      open       close        hold        release    read          write
Service      start      stop         pause       resume     read          write

                                                            16
Example - ProFTPd
Connection closed:
   May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net
   (192.168.20.10[192.168.20.10]): FTP session closed.
Login successful:
   May 21 20:22:28 slacker proftpd[25556] proftpd.lab.ossec.net
   (192.168.20.10[192.168.20.10]): USER dcid-test: Login
   successful.
Login failed:
   May 21 20:22:44 slacker proftpd[25557] proftpd.lab.ossec.net
   (192.168.20.10[192.168.20.10]): USER dcid-test (Login failed):
   Incorrect password.
Invalid user login attempt:
   May 21 20:21:21 slacker proftpd[25530] proftpd.lab.ossec.net
   (192.168.20.10[192.168.20.10]): no such user 'dcid-inv'
   May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net
   (190.48.150.156[190.48.150.156]): USER abad: no such user
   found from 190.48.150.156 [190.48.150.156] to
   proftpd.lab.ossec.net:21


                                               17
Example - ProFTPd

Connection closed (native):
 May 21 20:22:14 slacker proftpd[25530]
 proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): FTP
 session closed.


Connection closed (ELMLized):
 <sourceID>proftpd.lab.ossec.net</sourceID>
 <addressID>192.168.20.10</addressID>
 <loggerID>slacker proftpd[25530]</loggerID>
 <Result>success</Result>
 <ResultText>FTP session closed. </ResultText>
 <dateTime>21/5/2007 20:22:14</dateTime>




                                           18
Example - ProFTPd

Invalid user login attempt (native):
 May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net
 (190.48.150.156[190.48.150.156]): USER abad: no such user
 found from 190.48.150.156 [190.48.150.156] to
 proftpd.lab.ossec.net:21

Invalid user login attempt (ELMLized):
 <sourceID>proftpd.lab.ossec.net</sourceID>
 <addressID>190.48.150.156</addressID>
 <credentialID>abad</credentialID>
 <loggerID>proftpd.lab.ossec.net:21:slacker proftpd[31806]</loggerID>
 <RequestType>login</RequestType>
 <Result>failure</Result>
 <ResultText>no such user found</ResultText>
 <dateTime>21/5/2007 20:21:21</dateTime>
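The conversion shown on slides 17 to 19, as an added example (not the slides' or ISM3's own code): a Python normalizer that parses the native ProFTPd lines into ELML fields, choosing RequestType and Result from the vocabulary of slide 16. Assumed: the year 2007 (syslog lines carry none), one loggerID form (host plus process, as on slide 18), and the mapping of "FTP session closed" to logout (Session/Finalize), which the slide's ELMLized version leaves without a RequestType.

```python
"""ProFTPd syslog lines -> ELML fields (added example, not from the slides).

Assumed: the year (absent from syslog lines), loggerID as host plus process,
and the RequestType/Result values taken from the slide-16 vocabulary.
"""
import re
from xml.sax.saxutils import escape

# Syslog prefix shared by the ProFTPd lines on slide 17.
PREFIX = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) proftpd\[(?P<pid>\d+)\] (?P<source>\S+) "
    r"\((?P<addr>[^\[\]]+)\[[^\]]*\]\): (?P<msg>.*)$")

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Message patterns, tried in order; each yields (RequestType, Result, ResultText).
# A ResultText of None means "use the reason captured by the pattern".
MESSAGES = [
    (re.compile(r"^USER (?P<user>\S+): Login successful\.$"),
     ("login", "success", "Login successful.")),
    (re.compile(r"^USER (?P<user>\S+) \(Login failed\): (?P<why>.+)$"),
     ("login", "failure", None)),
    (re.compile(r"^USER (?P<user>\S+): no such user found from .*$"),
     ("login", "failure", "no such user found")),
    (re.compile(r"^no such user '(?P<user>[^']*)'$"),
     ("login", "failure", "no such user")),
    # Session/Finalize in the vocabulary; slide 18 omits RequestType for this event.
    (re.compile(r"^FTP session closed\.$"),
     ("logout", "success", "FTP session closed.")),
]

ELEMENT_ORDER = ["sourceID", "addressID", "credentialID", "loggerID",
                 "RequestType", "Result", "ResultText", "dateTime"]


def parse_proftpd(line, year=2007):
    """Return ELML fields for one native line, or None if it is not a ProFTPd line."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    fields = {
        "sourceID": m["source"],
        "addressID": m["addr"],
        "loggerID": f"{m['host']} proftpd[{m['pid']}]",
        "dateTime": f"{int(m['day'])}/{MONTHS[m['mon']]}/{year} {m['time']}",
    }
    for pattern, (rtype, result, text) in MESSAGES:
        mm = pattern.match(m["msg"])
        if mm:
            fields["RequestType"] = rtype
            fields["Result"] = result
            fields["ResultText"] = text if text is not None else mm["why"]
            if "user" in mm.groupdict():
                fields["credentialID"] = mm["user"]
            return fields
    # Unrecognised message: keep its text so no event is silently dropped.
    fields["ResultText"] = m["msg"]
    return fields


def to_elml(fields):
    """Serialize the fields as ELML elements, one per line, in slide order."""
    return "\n".join(f"<{k}>{escape(fields[k])}</{k}>"
                     for k in ELEMENT_ORDER if k in fields)


# Constructed sample: the native lines from slide 17, one per event.
SAMPLE_LINES = [
    "May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): FTP session closed.",
    "May 21 20:22:28 slacker proftpd[25556] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): USER dcid-test: Login successful.",
    "May 21 20:22:44 slacker proftpd[25557] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): USER dcid-test (Login failed): Incorrect password.",
    "May 21 20:21:21 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): no such user 'dcid-inv'",
    "May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net (190.48.150.156[190.48.150.156]): USER abad: no such user found from 190.48.150.156 [190.48.150.156] to proftpd.lab.ossec.net:21",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(to_elml(parse_proftpd(line)), end="\n\n")
```

Once every source is normalized this way, correlation no longer depends on each product's message text: a failed login from a given addressID looks the same whether it came from ProFTPd or from any other service, and the credentialID of a non-existent user is preserved for review rather than buried in free text.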



                                             19
What is ELML good for?

 Don’t design log syntax ever again.
 Use a common format, RequestType and Result vocabulary.
 Make it easier for everyone to correlate
and integrate logs.
 Download ELML from www.ism3.com




                              20
Creative Commons
                                          Attribution-ShareAlike 2.0
You are free:
•to copy, distribute, display, and perform this work
•to make commercial use of this work
Under the following conditions:


                Attribution. You must give the original author credit.



                Share Alike. If you alter, transform, or build upon this
                work, you may distribute the resulting work only under
                a license identical to this one.

For any reuse or distribution, you must make clear to others the license terms of this
work.

Any of these conditions can be waived if you get permission from the author.

Your fair use and other rights are in no way affected by the above.

This work is licensed under the Creative Commons Attribution-ShareAlike License. To
view a copy of this license, visit http://creativecommons.org/licenses/by-sa/2.0/ or send a
letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

                                                                     21
@

           with the sponsorship of:




    THANKS

www.fistconference.org

Editor's Notes

  • #9 (Interface): Channel endpoint
  • #10 (Repository): Holds data permanently or temporarily
  • #11 (Service): Processes data
  • #12 (Channel): Delivers messages between interfaces
  • #13 (Message): Moves information from one service to another
  • #14 (Session): Temporary trust relationship