Events Logging Markup Language v1.0


Events Logging Markup Language

Authored by: Vicente Aceituno
e-mail: vaceituno@inovement.es

COPYRIGHT NOTICE: Version 1.0: 2007. This Language is copyrighted by Inovement Europe.
Table of Contents

1 Introduction
  1.1 ISM3's components of Information Systems
  Request types generated by information systems and users
2 Glossary
3 Notation
4 Requirements
  4.3 Xml version
  4.4 Namespace
  4.5 Root
5 XML Schema (Download from www.inovement.eselmlv1.0.xsd)
1 Introduction

Logs are essential for troubleshooting systems, for tracing the responsibility of users, and for other business purposes, like charging clients depending on the use they make of information systems. Unfortunately, there are nearly as many event log formats as there are log-generating programs. This can make log management more difficult in a number of ways: it becomes harder to investigate, correlate, aggregate and, generally speaking, manage a variety of logs from different systems.

The Events Logging Markup Language helps developers mark the most common fields used in event logs using a common syntax.

When the internal state of an information system component changes, when a component requests an action from another component, or when a component responds to a request from another component, an event happens. This makes it necessary to use a generic model of the components of information systems, the states they can have, and the requests and answers they can mutually perform. For this purpose ELML uses and expands the Information System Model from the Information Security Management Maturity Model.

1.1 ISM3's components of Information Systems

Information Systems are complex and have various tangible and intangible components. The components can be classed at the chosen level of abstraction according to structural and transactional features.

Structural Features: the various assets from which an information system may be built:

- Repositories: Any temporary or permanent storage of information, including RAM, databases, file systems and any kind of portable media;
- Interfaces: Any input/output device, such as screens, printers and fax;
- Channels: Physical or logical pathways for the flow of messages, including buses, LAN networks, etc. A Network is a dynamic set of channels;
- Borders define the limits of the system.

Physical devices can host one or many logical components. Structural objects exist in every logical and physical level.

The table below contains examples of each type of structural asset:

Repository       | Interface                   | Channel
Payroll Database | Web-based interface         | HTTPS
Database Replica | System call                 | TCP
File system      | Monitor, keyboard and mouse | Frame relay PVC
Hard drive       | Connector                   | Cable
Transactional Features: the various assets from which an information system produces actual results:

- Services. Any value provider in an information system, including services provided by BIOS, operating systems and applications. A service can collaborate with other services or lower-level services to complete a task that provides value, like accessing information from a repository;
- Messages. Any meaningful information exchanged between two services, or between a user and an interface;
- Sessions. A temporary relationship of trust between services. The establishment of this relationship can require the exchange of credentials.

Transactional assets are dynamic, such as running processes and moving messages. Static assets such as mail or program files stored in a repository are considered neither a message nor a service. Transactional objects exist in every logical and physical level.

Service            | Message
Bank Account       | Transfer from another account
SOAP API Interface | SOAP Call
Port               | TCP Packet
Ethernet Port      | Ethernet Packet

Request types generated by information systems and users

Requests fall into one of the following classes.

Component  | Initiate | Finalize   | Freeze    | Unfreeze | Query State | Change State | Request Rights | Cancel Rights
Credential | create   | delete     | block     | unblock  | read        | write        | grant          | cancel
Session    | login    | logout     | suspend   | resume   | read        | write        | grant          | cancel
Message    | send     | listen     | retain    | forward  | read        | write        | grant          | cancel
Repository | create   | delete     | block     | unblock  | read        | write        | grant          | cancel
Interface  | connect  | disconnect | interrupt | continue | read        | write        | grant          | cancel
Channel    | open     | close      | hold      | release  | read        | write        | grant          | cancel
Service    | start    | stop       | pause     | resume   | read        | write        | grant          | cancel

- Note: The request "listen" can be understood as "receive" or "detect" as well, but for simplicity only the word "listen" is used.
- Note: If the repository is RAM, "block" and "unblock" are equivalent to "allocate" and "free".

2 Glossary

- All terms in the ISM3 glossary apply.
- Dublin Core terms, terminology and style are used when possible.
3 Notation

This specification contains a schema conforming to W3C XML Schema and normative text to describe the syntax and semantics of XML-encoded requirement statements.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this specification are to be interpreted as described in IETF RFC 2119 [RFC2119]; they MUST only be used where it is actually required for interoperation. These keywords are thus capitalized when used to unambiguously specify requirements that affect the interoperability and security of implementations. When these words are not capitalized, they are meant in their natural-language sense.

Conventional XML namespace prefixes are used throughout the listings in this specification to stand for their respective namespaces as follows, whether or not a namespace declaration is present in the example.
4 Requirements

4.3 Xml version

```xml
<?xml version="1.0" encoding="utf-8"?>
```

4.4 Namespace

```xml
<xsd:schema xmlns:auto1="http://www.ism3.com" blockDefault="" finalDefault=""
            targetNamespace="http://www.ism3.com" version="1.0"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema">
```

4.5 Root

A Record contains a series of events. Every event can have an eventID. If the event is not logged by the agent of the event, the logger can be identified using a loggerID and a loggerIDDirectory. The agent of the event can reside at different locations, identified using an addressID. The credential used by the source to perform a request can be identified using a credentialID and a credentialsDirectory. The source (agent) of the event can be identified using a sourceID and a sourceDirectory. The resource (subject) of the event is identified using a resourceID and a resourceDirectory.

The request (access attempt) performed has a RequestType (login, logout, suspend, resume, send, receive, retain, forward, create, delete, block, unblock, read, write, connect, disconnect, interrupt, continue, open, close, hold, release, start, stop, pause, resume, disconnect, enable, disable, open, close) and a Result (success, failure, error, source error); the reason for the Result is stated in the ResultText. In the context of a threshold event, "success" or "failure" means that a measured value passes or fails the comparison criteria with the threshold.

The payload contains the information necessary to perform the request. DateTime is the date and time when the request is performed. signature is the digital signature of the event using the credentialID. hash is the digest of the event; it is recommended that the hash of the previous event in the Record is used to calculate it.
5 XML Schema (Download from www.inovement.eselmlv1.0.xsd)

```xml
<?xml version="1.0" encoding="utf-8"?>
<xsd:schema xmlns:ism3="http://xml.ism3.com/xsd/" blockDefault="" finalDefault=""
            targetNamespace="http://xml.ism3.com/xsd/" version="1.0"
            xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:complexType name="Record">
    <xsd:sequence>
      <xsd:element minOccurs="0" name="eventID" type="xsd:unsignedInt" />
      <xsd:element minOccurs="0" name="loggerID">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:anySimpleType">
              <xsd:attribute name="loggerIDDirectory" type="xsd:anyURI" />
            </xsd:extension>
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element minOccurs="0" name="credentialID">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:anySimpleType">
              <xsd:attribute name="credentialsDirectory" type="xsd:anyURI" />
            </xsd:extension>
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element minOccurs="0" name="sourceID">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:anySimpleType">
              <xsd:attribute name="sourceDirectory" type="xsd:anyURI" use="required" />
            </xsd:extension>
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element name="resourceID">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:anySimpleType">
              <xsd:attribute name="resourceDirectory" type="xsd:anyURI" use="required" />
            </xsd:extension>
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element name="access">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:string">
              <xsd:attribute name="RequestType" use="required">
                <xsd:simpleType>
                  <xsd:restriction base="xsd:string">
                    <xsd:enumeration value="login" />
                    <xsd:enumeration value="logout" />
                    <xsd:enumeration value="suspend" />
                    <xsd:enumeration value="resume" />
                    <xsd:enumeration value="send" />
                    <xsd:enumeration value="receive" />
                    <xsd:enumeration value="retain" />
                    <xsd:enumeration value="forward" />
                    <xsd:enumeration value="create" />
                    <xsd:enumeration value="delete" />
                    <xsd:enumeration value="block" />
                    <xsd:enumeration value="unblock" />
                    <xsd:enumeration value="read" />
                    <xsd:enumeration value="write" />
                    <xsd:enumeration value="connect" />
                    <xsd:enumeration value="disconnect" />
                    <xsd:enumeration value="interrupt" />
                    <xsd:enumeration value="continue" />
                    <xsd:enumeration value="open" />
                    <xsd:enumeration value="close" />
                    <xsd:enumeration value="hold" />
                    <xsd:enumeration value="release" />
                    <xsd:enumeration value="start" />
                    <xsd:enumeration value="stop" />
                    <xsd:enumeration value="pause" />
                    <xsd:enumeration value="resume" />
                    <xsd:enumeration value="disconnect" />
                    <xsd:enumeration value="enable" />
                    <xsd:enumeration value="disable" />
                    <xsd:enumeration value="open" />
                    <xsd:enumeration value="close" />
                  </xsd:restriction>
                </xsd:simpleType>
              </xsd:attribute>
              <xsd:attribute name="Result">
                <xsd:simpleType>
                  <xsd:restriction base="xsd:string">
                    <xsd:enumeration value="success" />
                    <xsd:enumeration value="failure" />
                    <xsd:enumeration value="error" />
                    <xsd:enumeration value="source error" />
                  </xsd:restriction>
                </xsd:simpleType>
              </xsd:attribute>
              <xsd:attribute name="ResultText" type="xsd:string" />
            </xsd:extension>
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element minOccurs="0" name="payload">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:anySimpleType" />
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element minOccurs="0" name="dateTime">
        <xsd:complexType>
          <xsd:simpleContent>
            <xsd:extension base="xsd:dateTime" />
          </xsd:simpleContent>
        </xsd:complexType>
      </xsd:element>
      <xsd:element minOccurs="0" name="signature" type="xsd:base64Binary" />
      <xsd:element minOccurs="0" name="hash" type="xsd:base64Binary" />
    </xsd:sequence>
  </xsd:complexType>
  <xsd:element name="Log" type="ism3:Record" />
</xsd:schema>
```
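As an added example (not code from the specification or from Inovement), the following builds ism3:Log events laid out as the schema's Record type and chains each event's hash to the previous event's hash, as section 4.5 recommends, so that a later edit or removal of an event is detectable. The canonical byte form, the choice of SHA-256, the directory URIs and the sample events are all assumptions constructed for the example; one Log element per event is likewise this example's reading of the schema.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
NS = "http://xml.ism3.com/xsd/"  # targetNamespace of the ELML schema
q = lambda name: f"{{{NS}}}{name}"  # Clark-notation tag name in that namespace
# Elements covered by the hash, in schema order (signature and hash themselves are excluded)
HASHED = ("eventID", "loggerID", "credentialID", "sourceID", "resourceID", "access", "payload", "dateTime")

def canonical(log):
    # Assumed canonical form: tab-joined element text, with the access attributes appended
    parts = []
    for name in HASHED:
        el = log.find(q(name))
        parts.append((el.text or "") if el is not None else "")
        if name == "access" and el is not None:
            parts += [el.get("RequestType", ""), el.get("Result", "")]
    return "\t".join(parts).encode("utf-8")

def chained_hash(log, prev_hash_b64):
    # SHA-256 over previous hash + canonical event (assumed algorithm), base64 for xsd:base64Binary
    digest = hashlib.sha256(prev_hash_b64.encode() + canonical(log)).digest()
    return base64.b64encode(digest).decode()

def make_log(event_id, source, resource, request, result, when, prev_hash_b64):
    # One <ism3:Log> element per event, laid out as the schema's Record type
    log = ET.Element(q("Log"))
    ET.SubElement(log, q("eventID")).text = str(event_id)
    ET.SubElement(log, q("sourceID"), sourceDirectory="ldap://dir.example/users").text = source
    ET.SubElement(log, q("resourceID"), resourceDirectory="urn:example:hosts").text = resource
    ET.SubElement(log, q("access"), RequestType=request, Result=result)
    ET.SubElement(log, q("dateTime")).text = when
    ET.SubElement(log, q("hash")).text = chained_hash(log, prev_hash_b64)
    return log

def verify_chain(logs):
    # Index of the first event whose stored hash does not match the recomputed chain, else -1
    prev = ""
    for i, log in enumerate(logs):
        if log.findtext(q("hash"), "") != chained_hash(log, prev):
            return i
        prev = log.findtext(q("hash"), "")
    return -1

def sample_chain():
    # Constructed sample (not from the specification): three hash-chained events of one session
    logs, prev = [], ""
    for i, req in enumerate(("login", "read", "logout"), 1):
        logs.append(make_log(i, "alice", "db01", req, "success", f"2007-01-01T09:0{i}:00Z", prev))
        prev = logs[-1].findtext(q("hash"))
    return logs
```

Serialise each element with `ET.tostring(log)` to see the resulting Log document; a verifier that stores the last hash out of band can then check new events as they arrive.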
