Events Logging Markup Language
  • 1. Events Logging Markup Language v1.00
ISM3 Consortium - CREATIVE COMMONS ATTRIB-NODERIVS-NONCOMMERCIAL LICENSE 2007, SOME RIGHTS RESERVED.
  • 2. EVENTS LOGGING MARKUP LANGUAGE V1.0
CONTACT INFORMATION
Calle Olímpico Francisco Fernández Ochoa, 9
28923 Alcorcón (Madrid) Spain
Mail: consortium@ism3.com
Phone: +34 620 527 478
LEGAL DISCLAIMER
This is an informational document, and it doesn't represent legal or professional advice from the ISM3 Consortium, the authors or reviewers of this document. This document is offered as is without any warranty of completeness, accuracy or timeliness. The ISM3 Consortium, the authors and reviewers of this document disclaim any implied warranty or liability.
LICENSE AND COPYRIGHT
This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/3.0/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
Any copyrighted material mentioned in this document is property of their respective owners.
  • 3. Table of Contents
1 Introduction (page 4)
  1.1 ISM3's components of Information Systems (page 4)
  1.2 Request types generated by information systems and users (page 5)
2 Glossary (page 5)
3 Notation (page 6)
4 Requirements (page 7)
  4.3 Xml version (page 7)
  4.4 Namespace (page 7)
  4.5 Root (page 7)
5 XML Schema (page 8)
  • 4. 1 Introduction
Logs are essential to troubleshoot systems, for tracing the responsibility of users, and for other business purposes, like charging clients depending on the use they make of information systems.
Unfortunately, there are nearly as many event log formats as log generating software. This can make log management more difficult in a number of ways. It becomes more difficult to investigate, correlate, aggregate and, generally speaking, manage a variety of logs from different systems.
The Events Logging Markup Language helps developers to mark the most common fields used in event logs using a common syntax and a common vocabulary.
When the internal state of an information system component changes, when a component requests an action from another component or when a component responds to a request from another component, an event happens. This makes it necessary to use a generic model of the components of information systems, the states they can have, and the requests and answers they can mutually perform. For this purpose ELML uses the Information System Model from the Information Security Management Maturity Model.
1.1 ISM3's components of Information Systems
Information Systems are complex and have various tangible and intangible components. The components can be classed at the chosen level of abstraction according to structural and transactional features.
Structural Features: the various assets from which an information system may be built:
  • Repositories: Any temporary or permanent storage of information, including RAM, databases, file systems and any kind of portable media;
  • Interfaces: Any input/output device, such as screens, printers and fax;
  • Channels: Physical or logical pathways for the flow of messages, including buses, LAN networks, etc. A Network is a dynamic set of channels;
  • Borders define the limits of the system.
Physical devices can host one or many logical components. Structural objects exist in every logical and physical level. The table below contains examples of each type of structural asset:
Repository       | Interface                   | Channel
Payroll Database | Web-based interface         | HTTPS
Database Replica | System call                 | TCP
File system      | Monitor, keyboard and mouse | Frame relay PVC
Hard drive       | Connector                   | Cable
  • 5. Transactional Features: the various assets from which an information system produces actual results:
  • Services. Any value provider in an information system, including services provided by BIOS, operating systems and applications. A service can collaborate with other services or lower level services to complete a task that provides value, like accessing information from a repository;
  • Sessions. A temporary relationship of trust between services. The establishment of this relationship can require the exchange of Credentials.
  • Messages. Any meaningful information exchanged between two services or a user and an interface. Requests are special messages used by services to change the state of information system components. Requests fall into one of the categories listed in section 1.2.
Transactional assets are dynamic, such as running processes and moving messages. Static assets such as mail or program files stored in a repository are not considered either a message or a service. Transactional objects exist in every logical and physical level.
Service            | Message                       | Session
Bank Account       | Transfer from another account | Work session between user and application
SOAP API Interface | SOAP Call                     | Session between processes
Port               | TCP Packet                    | TCP Transmission session
Ethernet Port      | Ethernet Packet               | Frame transmission session
1.2 Request types generated by information systems and users
Requests fall into one of the following classes.
Component  | Initiate | Finalize   | Freeze    | Unfreeze | Query State | Change State
Session    | login    | logout     | suspend   | resume   | read        | write
Message    | send     | listen     | retain    | forward  | read        | write
Repository | create   | delete     | block     | unblock  | read        | write
Interface  | connect  | disconnect | interrupt | continue | read        | write
Channel    | open     | close      | hold      | release  | read        | write
Service    | start    | stop       | pause     | go       | read        | write
  ● Note: The request "listen" can be understood as well as "receive" or "detect", but for simplicity, only the word "listen" is used.
  ● Note: If the repository is RAM, "block" and "unblock" are equivalent to "allocate" and "free".
  • 6. 2 Examples
The following are examples of real log entries expressed in their native notation and in ELML notation:
Connection closed (native):
May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): FTP session closed.
Connection closed (ELMLized):
<sourceID>proftpd.lab.ossec.net</sourceID>
<sourceID>192.168.20.10</sourceID>
<addressID>192.168.20.10</addressID>
<loggerID>slacker proftpd[25530]</loggerID>
<Result>success</Result>
<ResultText>FTP session closed.</ResultText>
<dateTime>21/5/2007 20:22:14</dateTime>
Invalid user login attempt (native):
May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net (190.48.150.156[190.48.150.156]): USER abad: no such user found from 190.48.150.156 [190.48.150.156] to proftpd.lab.ossec.net:21
Invalid user login attempt (ELMLized):
<sourceID>190.48.150.156</sourceID>
<addressID>190.48.150.156</addressID>
<credentialID>abad</credentialID>
<loggerID>slacker proftpd[31806] proftpd.lab.ossec.net</loggerID>
<resourceID>21</resourceID>
<RequestType>login</RequestType>
<Result>failure</Result>
<ResultText>no such user found</ResultText>
<dateTime>21/5/2007 20:21:21</dateTime>
Fields shown in a distinct typeface are implicit in the original log entries, not explicitly expressed.
3 Terminology and Notation
All terms in the ISM3 glossary apply.
Dublin Core terms, terminology and style are used when possible.
This specification contains a schema conforming to W3C XML Schema and normative text to describe the syntax and semantics of XML-encoded requirement statements.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119 [RFC2119]; they MUST only be used where it is actually required for interoperation. These keywords are thus capitalized when used to unambiguously specify requirements that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.
Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example.
  • 7. 4 Requirements
4.3 Xml version
<?xml version="1.0" encoding="utf-8"?>
4.4 Namespace
<xsd:schema xmlns:auto1="http://www.ism3.com" blockDefault="" finalDefault="" targetNamespace="http://www.ism3.com" version="1.0" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
4.5 Root
A Record contains a series of events.
Every event can have an eventID.
If the event is not logged by the agent of the event, the logger can be identified using a loggerID and a loggerIDDirectory.
The agent of the event can be in different locations, identified using an addressID.
The credential used by the agent to perform a request can be identified using a credentialID and a credentialsDirectory.
The agent of the event can be identified using a sourceID and a sourceDirectory.
The resource (subject) of the event is identified using a resourceID and a resourceDirectory.
The request (access attempt) performed has a RequestType (create, delete, block, unblock, login, logout, suspend, resume, send, listen, retain, forward, create, delete, block, unblock, connect, disconnect, interrupt, continue, open, close, hold, release, start, stop, pause, restart) and a Result (success, failure, error, source error); the reason for the Result is stated in the ResultText. In the context of a threshold event, "success" or "failure" means that a measured value passes or fails the comparison criteria with the threshold.
The payload contains the information necessary to perform the request.
dateTime is the date and time when the request is performed.
signature is the digital signature of the event using the credentialID.
hash is the digest of the event. It is recommended that the hash of the previous event in the Record is used to calculate it.
  • 8. 5 XML Schema
<?xml version="1.0" encoding="utf-16"?>
<xsd:schema xmlns:ism3="http://xml.ism3.com/xsd/" blockDefault="" finalDefault=""
            targetNamespace="http://xml.ism3.com/xsd/" version="1.0"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:complexType name="Record">
    <xsd:sequence>
      <xsd:element minOccurs="0" name="loggerID">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:anySimpleType">
              <xsd:attribute name="loggerIDDirectory" type="xsd:anyURI" />
              <xsd:attribute name="eventID" type="xsd:unsignedInt" />
            </xsd:extension>
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element minOccurs="0" name="credentialID">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:anySimpleType">
              <xsd:attribute name="credentialsDirectory" type="xsd:anyURI" />
            </xsd:extension>
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element minOccurs="0" name="sourceID">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:anySimpleType">
              <xsd:attribute name="sourceDirectory" type="xsd:anyURI" use="required" />
              <xsd:attribute name="addressID" type="xsd:anyURI" />
            </xsd:extension>
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element minOccurs="0" name="resourceID">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:anySimpleType">
              <xsd:attribute name="resourceDirectory" type="xsd:anyURI" use="required" />
            </xsd:extension>
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element minOccurs="0" name="access">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:string">
              <xsd:attribute name="RequestType" use="required">
                <xsd:simpleType>
                  <xsd:restriction base="xsd:string">
                    <xsd:enumeration value="login" />
                    <xsd:enumeration value="logout" />
                    <xsd:enumeration value="suspend" />
                    <xsd:enumeration value="resume" />
                    <xsd:enumeration value="send" />
                    <xsd:enumeration value="receive" />
                    <xsd:enumeration value="retain" />
                    <xsd:enumeration value="forward" />
                    <xsd:enumeration value="create" />
                    <xsd:enumeration value="delete" />
  • 9.
                    <xsd:enumeration value="block" />
                    <xsd:enumeration value="unblock" />
                    <xsd:enumeration value="read" />
                    <xsd:enumeration value="write" />
                    <xsd:enumeration value="connect" />
                    <xsd:enumeration value="disconnect" />
                    <xsd:enumeration value="interrupt" />
                    <xsd:enumeration value="continue" />
                    <xsd:enumeration value="open" />
                    <xsd:enumeration value="close" />
                    <xsd:enumeration value="hold" />
                    <xsd:enumeration value="release" />
                    <xsd:enumeration value="start" />
                    <xsd:enumeration value="stop" />
                    <xsd:enumeration value="pause" />
                    <xsd:enumeration value="go" />
                    <xsd:enumeration value="disconnect" />
                    <xsd:enumeration value="enable" />
                    <xsd:enumeration value="disable" />
                    <xsd:enumeration value="open" />
                    <xsd:enumeration value="close" />
                  </xsd:restriction>
                </xsd:simpleType>
              </xsd:attribute>
              <xsd:attribute name="Result">
                <xsd:simpleType>
                  <xsd:restriction base="xsd:string">
                    <xsd:enumeration value="success" />
                    <xsd:enumeration value="failure" />
                    <xsd:enumeration value="error" />
                    <xsd:enumeration value="source error" />
                  </xsd:restriction>
                </xsd:simpleType>
              </xsd:attribute>
              <xsd:attribute name="ResultText" type="xsd:string" />
            </xsd:extension>
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element minOccurs="0" name="payload">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:anySimpleType" />
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element name="dateTime">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:dateTime" />
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element minOccurs="0" name="signature" type="xsd:base64Binary" />
      <xsd:element minOccurs="0" name="hash" type="xsd:base64Binary" />
    </xsd:sequence>
  </xsd:complexType>
  <xsd:element name="Log" type="ism3:Record" />
</xsd:schema>
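As an added example (not part of the ISM3 specification), the Python below maps the two proftpd lines quoted in section 2 onto the section 5 schema (one Log element per event, fields in schema order) and chains each event's hash to the previous one as section 4.5 recommends, so a verifier can tell when an event was altered, dropped or reordered. My assumptions: the syslog year (2007, matching the spec's dateTime values), mapping "FTP session closed" to RequestType logout via the section 1.2 table, SHA-256 as the hash, and placeholder URIs for the sourceDirectory and resourceDirectory attributes the schema requires.

```python
import base64, datetime, hashlib, re, xml.etree.ElementTree as ET
NS = "http://xml.ism3.com/xsd/"           # targetNamespace of the ELML schema (section 5)
T = lambda name: f"{{{NS}}}{name}"      # Clark-notation tag in that namespace
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+ proftpd\[\d+\]) (\S+) \(([^\[]+)\[[^\]]+\]\): (.*)$")
USER_RE = re.compile(r"^USER (\S+): (no such user found) from .* to \S+:(\d+)$")
NATIVE = [  # the two proftpd lines quoted in section 2 of the spec
    "May 21 20:22:14 slacker proftpd[25530] proftpd.lab.ossec.net (192.168.20.10[192.168.20.10]): FTP session closed.",
    "May 21 20:21:21 slacker proftpd[31806] proftpd.lab.ossec.net (190.48.150.156[190.48.150.156]): USER abad: no such user found from 190.48.150.156 [190.48.150.156] to proftpd.lab.ossec.net:21",
]

def parse_native(line, year=2007):   # syslog omits the year; 2007 is assumed from the spec's examples
    if not (m := LINE_RE.match(line)):
        raise ValueError("unrecognised line: " + line)
    ts, logger, source, addr, msg = m.groups()
    ev = {"logger": logger, "source": source, "addr": addr,
          "when": datetime.datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").isoformat()}
    if u := USER_RE.match(msg):     # failed login: credential and port are explicit in the message
        ev.update(credential=u[1], resource=u[3], request="login", result="failure", text=u[2])
    elif msg.startswith("FTP session closed"):   # session finalize = "logout" in the 1.2 table (my mapping)
        ev.update(request="logout", result="success", text=msg)
    else:                           # refuse rather than emit an event with a guessed RequestType
        raise ValueError("no ELML mapping for: " + msg)
    return ev

def _digest(log, prev):
    # Chain hash (section 4.5): previous event's digest plus every field of this event except <hash>.
    fields = [f"{c.tag}|{c.text or ''}|{sorted(c.attrib.items())}".encode() for c in log if c.tag != T("hash")]
    return hashlib.sha256(b"\n".join([prev] + fields)).digest()

def to_elml(ev, prev=b""):   # one <Log> element in schema element order -> (serialized bytes, digest)
    log = ET.Element(T("Log"))
    ET.SubElement(log, T("loggerID")).text = ev["logger"]
    if "credential" in ev:
        ET.SubElement(log, T("credentialID")).text = ev["credential"]
    ET.SubElement(log, T("sourceID"), sourceDirectory="urn:example:dns", addressID=ev["addr"]).text = ev["source"]
    if "resource" in ev:   # the *Directory URIs are placeholders; the schema only requires them to be present
        ET.SubElement(log, T("resourceID"), resourceDirectory="urn:example:tcp-ports").text = ev["resource"]
    ET.SubElement(log, T("access"), RequestType=ev["request"], Result=ev["result"], ResultText=ev["text"])
    ET.SubElement(log, T("dateTime")).text = ev["when"]
    digest = _digest(log, prev)
    ET.SubElement(log, T("hash")).text = base64.b64encode(digest).decode()
    return ET.tostring(log), digest

def verify_chain(xml_events):
    # Recompute the chain; an altered, dropped or reordered event breaks its own and every later hash.
    prev = b""
    for log in map(ET.fromstring, xml_events):
        if base64.b64decode(log.findtext(T("hash"))) != (prev := _digest(log, prev)):
            return False
    return True
```

Note that the hash chain only detects tampering after the fact; a signature (the schema's signature element) is still needed to tie the chain to a key.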