Events Logging Markup Language
Download as PPT, PDF0 likes314 views
The document summarizes the FIST Conference on log management standards that was held in September in Madrid 2007. It discusses what types of events are typically logged, existing and emerging log management standards, and proposes a new XML-based standard called the Events Logging Markup Language (ELML) to unify log formats and enable better log correlation. Sample log entries are provided to demonstrate how logs could be converted to the proposed ELML format.
![Example - ProFTPd
Connection closed:
May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net
(192.168.20.10[192.168.20.10]): FTP session closed.
Login sucessful:
May 21 20:22:28 slacker proftpd[25556] proftpd.lab.ossec.net
(192.168.20.10[192.168.20.10]): USER dcid-test: Login
successful.
Login failed:
May 21 20:22:44 slacker proftpd[25557] proftpd.lab.ossec.net
(192.168.20.10[192.168.20.10]): USER dcid-test (Login failed):
Incorrect password.
Invalid user login attempt:
May 21 20:21:21 slacker proftpd[25530] proftpd.lab.ossec.net
(192.168.20.10[192.168.20.10]): no such user 'dcid-inv'
May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net
(190.48.150.156[190.48.150.156]): USER abad: no such user
found from 190.48.150.156 [190.48.150.156] to
proftpd.lab.ossec.net:21
17](https://image.slidesharecdn.com/eventslogginmarkuplanguage-130215135251-phpapp02/85/Events-Logging-Markup-Language-17-320.jpg)
![Example - ProFTPd
Connection closed (native):
May 21 20:22:14 slacker proftpd[25530]
proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): FTP
session closed.
Connection closed (ELMLized):
<sourceID>proftpd.lab.ossec.net</sourceID>
<addressID>192.168.20.10</addressID>
<loggerID>slacker proftpd[25530]</loggerID>
<Result>success</Result>
<ResultText>FTP session closed. </ResultText>
<dateTime>21/5/2007 20:22:14</dateTime>
18](https://image.slidesharecdn.com/eventslogginmarkuplanguage-130215135251-phpapp02/85/Events-Logging-Markup-Language-18-320.jpg)
![Example - ProFTPd
Invalid user login attempt (native):
May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net
(190.48.150.156[190.48.150.156]): USER abad: no such user
found from 190.48.150.156 [190.48.150.156] to
proftpd.lab.ossec.net:21
Invalid user login attempt (ELMLized):
<sourceID>proftpd.lab.ossec.net</sourceID>
<addressID>190.48.150.156</addressID>
<credentialID>abad</credentialID>
<loggerID> proftpd.lab.ossec.net:21:slacker
proftpd[31806]</loggerID>
<RequestType>login</RequestType>
<Result>failure</Result>
<ResultText>no such user found</ResultText>
<dateTime>21/5/2007 20:21:21</dateTime>
19](https://image.slidesharecdn.com/eventslogginmarkuplanguage-130215135251-phpapp02/85/Events-Logging-Markup-Language-19-320.jpg)
Events Logging Markup Language
- 1. FIST Conference September/Madrid 2007 @ Sponsored by: Events Logging Markup Language Vicente Aceituno Canal
- 2. Index Log Management Standards Information System Model XML Markup Vocabulary 2
- 3. What gets logged A Record contains a series of events. Startup, restart, abnormal termination. Physical and Logical thresholds being exceeded. Access attempts to resources. Network connections. Privilege and access rights changes. Configuration changes. 3
- 4. Log Management Logs are generated everywhere. Logs have very different formats. There are hundreds of logs APIs. There are many logs transports. Logs are a trail and a measure. Log collection, correlation, aggregation. 4
- 5. Standards CEE (MITRE initiative in the making) CEF (ArcSight) Extended Log File Format (W3C) ELML – Events Logging Markup Language (ISM3 Consortium) WebTrends Enhanced Log file Format. WSDM Event Format (OASIS) XDAS – Distributed Audit Service (The Open Group) RFC3164 – syslog (IETF) 5
- 6. Information System Model (UNIX) Processes Files 6
- 7. Information System Model (ELML) Interfaces Repositories Services Channels Messages Sessions 7
- 8. Information System Model (ELML) Interface Web-based interface System call Monitor, keyboard and mouse Connector Keyboard Printer Scanner Data acquisition board DB9 RJ-45 8
- 9. Information System Model (ELML) Repository Payroll Database Database Replica File system Directory File Hard drive Cluster CD DVD RAM Registers 9
- 10. Information System Model (ELML) Service Bank Account SOAP API Interface Ethernet Port Application System process Threads Running instruction 10
- 11. Information System Model (ELML) Channel Phone call HTTPS TCP connection SFTP connection Frame relay PVC Optic fiber Ethernet cable IDE cable 11
- 12. Information System Model (ELML) Message Transfer from another account Mail SOAP Call TCP packet IP Packet Ethernet Packet 802.11g Packet 12
- 13. Information System Model (ELML) Session Work session between user and application Session between processes TCP Transmission session Frame transmission session su (nested session) Software agent session WAP2 session etc… 13
- 14. XML Markup Every event can have an eventID. If the event is not logged by the agent of the event, the logger can be identified using a loggerID. The agent of the event can be identified using a sourceID. The agent of the event can stay in different locations, identified using a addressID. The credential used by the source to perform a request can be identified using a credentialID. The resource (subject) of the event is identified using a resourceID. 14
- 15. XML Markup The request (access attempt) performed has a RequestType and a Result. The reason for the Result is stated in the ResultText. The payload contains the information necessary to perform the request. dateTime is the date and time when the request is performed. signature is the digital signature of the event using the credentialID. hash is the digital summary of the event. It is recommended that the hash of the previous event in the Record is used to calculate it. 15
- 16. XML Vocabulary Component Initiate Finalize Freeze Unfreeze Query Change State State Credential create delete block unblock read write Session login logout suspend resume read write Message send listen retain forward read write Repository create delete block unblock read write Interface connect disconnect interrupt continue read write Channel open close hold release read write Service start stop pause resume read write 16
- 17. Example - ProFTPd Connection closed: May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): FTP session closed. Login sucessful: May 21 20:22:28 slacker proftpd[25556] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): USER dcid-test: Login successful. Login failed: May 21 20:22:44 slacker proftpd[25557] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): USER dcid-test (Login failed): Incorrect password. Invalid user login attempt: May 21 20:21:21 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): no such user 'dcid-inv' May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net (190.48.150.156[190.48.150.156]): USER abad: no such user found from 190.48.150.156 [190.48.150.156] to proftpd.lab.ossec.net:21 17
- 18. Example - ProFTPd Connection closed (native): May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): FTP session closed. Connection closed (ELMLized): <sourceID>proftpd.lab.ossec.net</sourceID> <addressID>192.168.20.10</addressID> <loggerID>slacker proftpd[25530]</loggerID> <Result>success</Result> <ResultText>FTP session closed. </ResultText> <dateTime>21/5/2007 20:22:14</dateTime> 18
- 19. Example - ProFTPd Invalid user login attempt (native): May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net (190.48.150.156[190.48.150.156]): USER abad: no such user found from 190.48.150.156 [190.48.150.156] to proftpd.lab.ossec.net:21 Invalid user login attempt (ELMLized): <sourceID>proftpd.lab.ossec.net</sourceID> <addressID>190.48.150.156</addressID> <credentialID>abad</credentialID> <loggerID> proftpd.lab.ossec.net:21:slacker proftpd[31806]</loggerID> <RequestType>login</RequestType> <Result>failure</Result> <ResultText>no such user found</ResultText> <dateTime>21/5/2007 20:21:21</dateTime> 19
- 20. What is ELML good for? Don’t design log syntax ever again. Use a common format, requesttype and result vocabulary. Make it easier for everyone to correlate and integrate logs. Download ELML from www.ism3.com 20
- 21. Creative Commons Attribution-ShareAlike 2.0 You are free: •to copy, distribute, display, and perform this work •to make commercial use of this work Under the following conditions: Attribution. You must give the original author credit. Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above. This work is licensed under the Creative Commons Attribution-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. 21
- 22. @ with the sponsorship of: THANKS www.fistconference.org