Table of Contents
Advertisement
- time – Event start time
It may appear that having the time field is redundant, as the time is already in the syslog message; this is
false for 2 reasons:
1.
RFC 3164 (3) Syslog timestamps do not contain the year, and only have second resolution, whereas
the CEE timestamps have microsecond resolution with full year. RFC 5424 (4) Syslog messages do
include the year and support for microsecond resolution
2.
Syslog timestamps reflect the time that the event was sent to syslog, not necessarily the time that
the event occurred. Depending on the situation, these times may be different
8.3 Event Encoding & Transport
CEE defines two different methods for encoding events for transport and storage, XML and JSON. CEE
also explicitly defines how CEE messages are to be transported over syslog (5). The following
requirements are stated:
Syslog Header – The standard Syslog header MUST be used.
Syslog Body – The CEE Event MUST be represented using the CLS (CEE common Log Syntax)
JSON Encoding.
CEE Event Flag – The beginning of the encoded CEE Event MUST be identified by the CEE Event
Flag. Within Syslog, the CEE Event Flag is @cee:
Character Encoding – If the syslog implementation is only 7-bit, all characters not in the ASCII
character set MUST be escaped.
8.3.1
Examples
A valid CEE JSON Event Record embedded within an RFC5424 Syslog transport:
<165>1 2011-12-20T12:38:06Z 10.10.0.1 process - example-event-1
@cee:{"pname":"auth","host":"system.example.com","time":"2011-12-20T12:38:05.123456-
05:00"}
A valid CEE JSON Event Record used with a "legacy" Syslog transport:
<0>Dec 20 12:42:20 syslog-relay process[35]: @cee:
{"crit":123,"id":"abc","appname":"application","pname":"auth","pid":123,"host":"system.exam
ple.com","pri":10,"time":"2011-12-20T12:38:05.123456-
05:00","action":"login","domain":"app","object":"account","service":"web","status":"success"}
The following example shows a series of events that may be generated by a host requesting an IP for its
eth0 interface from a DHCP server (Syslog header left off for brevity, and formatted for clarity):
DHCP Request sent to the server:
@cee: {
"host":"stout",
"pname":" my_appname ",
"time":"2012-08-22T11:20:10.559227-04:00",
"action":"request",
"domain":"net",
"object":"interface",
"service":"dhcp_client",
"status":"ongoing",
"event":"dhcp_client",
"interface_name":"eth0",
"profile":�http://gemds.com/cee_profile/1.0beta1.xsd
}
412
MDS Orbit MCR/ECR Technical Manual
MDS 05-6632A01, Rev. F
Advertisement
Table of Contents
Troubleshooting
