FIST Conference September/Madrid 2007

Sponsored by:

Events Logging Markup Language
Vicente Aceituno Canal

Index

• Log Management
• Standards
• Information System Model
• XML Markup
• Vocabulary

What gets logged

• A Record contains a series of events:
  • Startup, restart, abnormal termination.
  • Physical and logical thresholds being exceeded.
  • Access attempts to resources.
  • Network connections.
  • Privilege and access rights changes.
  • Configuration changes.

Log Management

• Logs are generated everywhere.
• Logs have very different formats.
• There are hundreds of log APIs.
• There are many log transports.
• Logs are a trail and a measure.
• Log collection, correlation, aggregation.

Standards

• CEE (MITRE initiative in the making)
• CEF (ArcSight)
• Extended Log File Format (W3C)
• ELML – Events Logging Markup Language (ISM3 Consortium)
• WebTrends Enhanced Log file Format
• WSDM Event Format (OASIS)
• XDAS – Distributed Audit Service (The Open Group)
• RFC3164 – syslog (IETF)

Information System Model (UNIX)

• Processes
• Files

Information System Model (ELML)

• Interfaces
• Repositories
• Services
• Channels
• Messages
• Sessions

Information System Model (ELML)

• Interface
  • Web-based interface
  • System call
  • Monitor, keyboard and mouse
  • Connector
  • Keyboard
  • Printer
  • Scanner
  • Data acquisition board
  • DB9
  • RJ-45

Information System Model (ELML)

• Repository
  • Payroll Database
  • Database Replica
  • File system
  • Directory
  • File
  • Hard drive
  • Cluster
  • CD
  • DVD
  • RAM
  • Registers

Information System Model (ELML)

• Service
  • Bank Account
  • SOAP API Interface
  • Ethernet Port
  • Application
  • System process
  • Threads
  • Running instruction

Information System Model (ELML)

• Channel
  • Phone call
  • HTTPS
  • TCP connection
  • SFTP connection
  • Frame relay PVC
  • Optic fiber
  • Ethernet cable
  • IDE cable

Information System Model (ELML)

• Message
  • Transfer from another account
  • Mail
  • SOAP Call
  • TCP packet
  • IP Packet
  • Ethernet Packet
  • 802.11g Packet

Information System Model (ELML)

• Session
  • Work session between user and application
  • Session between processes
  • TCP Transmission session
  • Frame transmission session
  • su (nested session)
  • Software agent session
  • WAP2 session
  • etc…

XML Markup

• Every event can have an eventID.
• If the event is not logged by the agent of the event, the logger can be identified using a loggerID.
• The agent of the event can be identified using a sourceID.
• The agent of the event may be at different locations, identified using an addressID.
• The credential used by the source to perform a request can be identified using a credentialID.
• The resource (subject) of the event is identified using a resourceID.

XML Markup

• The request (access attempt) performed has a RequestType and a Result. The reason for the Result is stated in the ResultText.
• The payload contains the information necessary to perform the request.
• dateTime is the date and time when the request is performed.
• signature is the digital signature of the event, made with the credentialID.
• hash is the digest of the event. It is recommended that the hash of the previous event in the Record is used to calculate it.

XML Vocabulary

Component    Initiate   Finalize     Freeze      Unfreeze   Query State   Change State
Credential   create     delete       block       unblock    read          write
Session      login      logout       suspend     resume     read          write
Message      send       listen       retain      forward    read          write
Repository   create     delete       block       unblock    read          write
Interface    connect    disconnect   interrupt   continue   read          write
Channel      open       close        hold        release    read          write
Service      start      stop         pause       resume     read          write

Example - ProFTPd

Connection closed:
   May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): FTP session closed.
Login successful:
   May 21 20:22:28 slacker proftpd[25556] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): USER dcid-test: Login successful.
Login failed:
   May 21 20:22:44 slacker proftpd[25557] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): USER dcid-test (Login failed): Incorrect password.
Invalid user login attempt:
   May 21 20:21:21 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): no such user 'dcid-inv'
   May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net (190.48.150.156[190.48.150.156]): USER abad: no such user found from 190.48.150.156 [190.48.150.156] to proftpd.lab.ossec.net:21

Example - ProFTPd

Connection closed (native):
 May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): FTP session closed.

Connection closed (ELMLized):
 <sourceID>proftpd.lab.ossec.net</sourceID>
 <addressID>192.168.20.10</addressID>
 <loggerID>slacker proftpd[25530]</loggerID>
 <Result>success</Result>
 <ResultText>FTP session closed. </ResultText>
 <dateTime>21/5/2007 20:22:14</dateTime>

Example - ProFTPd

Invalid user login attempt (native):
 May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net (190.48.150.156[190.48.150.156]): USER abad: no such user found from 190.48.150.156 [190.48.150.156] to proftpd.lab.ossec.net:21

Invalid user login attempt (ELMLized):
 <sourceID>proftpd.lab.ossec.net</sourceID>
 <addressID>190.48.150.156</addressID>
 <credentialID>abad</credentialID>
 <loggerID>proftpd.lab.ossec.net:21:slacker proftpd[31806]</loggerID>
 <RequestType>login</RequestType>
 <Result>failure</Result>
 <ResultText>no such user found</ResultText>
 <dateTime>21/5/2007 20:21:21</dateTime>

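Putting the XML Markup fields, the XML Vocabulary table and the ProFTPd examples together, as an added example that is not code from the original slides or from the ISM3 ELML release: the native ProFTPd lines are mapped onto the ELML elements shown above, RequestType and Result are taken from the Session row of the vocabulary, and each event's hash is chained to the previous one as the XML Markup slide recommends, so that a later edit, deletion or insertion in the Record can be located. The SHA-256 canonical form, the all-zero hash before the first event, the single "host process" form of loggerID, the logout RequestType for the closed session and the year 2007 are assumptions.

```python
"""Added example (not the slides' or ISM3's code): map the ProFTPd lines
from the slides onto ELML fields and chain each event's hash to the previous
one. Assumptions: SHA-256 over sorted key=value lines, an all-zero hash
before the first event, and year 2007 (syslog lines carry no year)."""
import hashlib
import re
from xml.etree import ElementTree as ET

# Constructed sample input: the four ProFTPd lines quoted on the slides.
PROFTPD_LINES = [
    "May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net "
    "(192.168.20.10[192.168.20.10]): FTP session closed.",
    "May 21 20:22:28 slacker proftpd[25556] proftpd.lab.ossec.net "
    "(192.168.20.10[192.168.20.10]): USER dcid-test: Login successful.",
    "May 21 20:22:44 slacker proftpd[25557] proftpd.lab.ossec.net "
    "(192.168.20.10[192.168.20.10]): USER dcid-test (Login failed): "
    "Incorrect password.",
    "May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net "
    "(190.48.150.156[190.48.150.156]): USER abad: no such user found "
    "from 190.48.150.156 [190.48.150.156] to proftpd.lab.ossec.net:21",
]

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# syslog timestamp, logger host + process, ELML source host, client address
PREFIX = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>proftpd\[\d+\]) (?P<source>\S+) "
    r"\((?P<addr>[^\[]+)\[[^\]]*\]\): (?P<msg>.*)$")
# (pattern, Result, fixed ResultText or None to take the logged reason)
LOGIN_RULES = (
    (re.compile(r"^USER (?P<user>\S+): Login successful\.$"),
     "success", "Login successful."),
    (re.compile(r"^USER (?P<user>\S+) \(Login failed\): (?P<why>.+)$"),
     "failure", None),
    (re.compile(r"^USER (?P<user>\S+): no such user found"),
     "failure", "no such user found"),
)
GENESIS = "0" * 64  # assumed "previous hash" for the first event of a Record


def to_elml(line, year=2007):
    """Map one native ProFTPd line onto ELML fields (hash added later)."""
    m = PREFIX.match(line)
    if not m:
        raise ValueError("not a ProFTPd syslog line: %r" % line)
    ev = {"sourceID": m["source"], "addressID": m["addr"],
          "loggerID": "%s %s" % (m["host"], m["proc"]),
          "dateTime": "%d/%d/%d %s" % (int(m["day"]), MONTHS[m["mon"]],
                                       year, m["time"])}
    msg = m["msg"]
    if msg == "FTP session closed.":
        # Session / Finalize in the vocabulary table
        ev.update(RequestType="logout", Result="success", ResultText=msg)
        return ev
    for pattern, result, text in LOGIN_RULES:
        u = pattern.match(msg)
        if u:  # Session / Initiate; the reason for the Result in ResultText
            ev.update(credentialID=u["user"], RequestType="login",
                      Result=result, ResultText=text or u["why"])
            return ev
    ev.update(Result="unknown", ResultText=msg)  # unmapped line: keep text
    return ev


def event_hash(ev, prev_hash):
    """SHA-256 over the sorted fields plus the previous event's hash."""
    canon = "\n".join("%s=%s" % kv for kv in sorted(ev.items())
                      if kv[0] != "hash")
    return hashlib.sha256((canon + "\nprev=" + prev_hash).encode()).hexdigest()


def build_record(lines):
    """Convert native lines into a Record whose hashes chain in order."""
    record, prev = [], GENESIS
    for line in lines:
        ev = to_elml(line)
        ev["hash"] = prev = event_hash(ev, prev)
        record.append(ev)
    return record


def verify_record(record):
    """Index of the first event whose chain link fails, or None if intact."""
    prev = GENESIS
    for i, ev in enumerate(record):
        if ev.get("hash") != event_hash(ev, prev):
            return i
        prev = ev["hash"]
    return None


def to_xml(ev):
    """Serialise one event as ELML-style elements, in slide order."""
    root = ET.Element("event")
    for tag in ("sourceID", "addressID", "credentialID", "loggerID",
                "RequestType", "Result", "ResultText", "dateTime", "hash"):
        if tag in ev:
            ET.SubElement(root, tag).text = ev[tag]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for event in build_record(PROFTPD_LINES):
        print(to_xml(event))
```

A Record whose first broken link is at index i has been altered at or before event i; verify_record cannot tell which of edit, deletion or insertion happened, only where the chain stops agreeing.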
What is ELML good for?

• Don’t design log syntax ever again.
• Use a common format and a common RequestType and Result vocabulary.
• Make it easier for everyone to correlate and integrate logs.
• Download ELML from www.ism3.com

Creative Commons Attribution-ShareAlike 2.0

You are free:
• to copy, distribute, display, and perform this work
• to make commercial use of this work

Under the following conditions:
• Attribution. You must give the original author credit.
• Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one.

For any reuse or distribution, you must make clear to others the license terms of this work.

Any of these conditions can be waived if you get permission from the author.

Your fair use and other rights are in no way affected by the above.

This work is licensed under the Creative Commons Attribution-ShareAlike License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/2.0/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA.

with the sponsorship of:

THANKS

www.fistconference.org

Editor's Notes

  1. Channel endpoint
  2. Holds data permanently or temporarily
  3. Processes data
  4. Delivers messages between interfaces
  5. Moves information from one service to another
  6. Temporary trust relationship