LogBlog


The Case for a Vendor-Neutral Open Log Standard

Using standards for defining the log output from common types of devices and applications is a good way to improve interoperability, eliminate vendor lock-in and generally improve business as a whole. That is, if the standards are created through an open, collaborative effort.

Over the past few months we have discussed this very challenge here at LogLogic with our customers, our partners and external parties such as the SANS Institute, NIST, Gartner, Mitre and others with the aim of thoroughly vetting what an Open Log Standard and Initiative would look like. It is a conversation many have been leading.

Mary-Ann Davidson, CISO of Oracle, has been promoting an audit log standard for years. Other efforts include NIST's spring initiative to launch the Common Logging Interchange Format. SANS deserves credit for picking up the ball where NIST left off: they brought together a wide range of users and "loggies" to debate standards at the recent log management summit. Amrit Williams of Gartner has also published on the topic, for example his May 2006 Gartner publication #G00139205 on log output standards.

With so much interest, there are inevitable proprietary vendor announcements that are - like most things with the vendor label - closed in nature. Initiatives such as these typically fail for a simple reason: they depend on a company rather than the community to succeed. The last thing coders, technology inventors or enterprises need is a vendor-specific common event format. What is in fact created is an "uncommon event format". These "uncommon event formats" only add another layer of complexity to an already complex problem by driving the customer to adopt a vendor-centric, rather than neutral, solution. Take IBM's uncommon "Common Base Event", also intended for logging, tracing, management and business events. At least IBM claims theirs is an implementation of the OASIS "WSDM Event Format".

There is a bigger and more important point, though, that is missing from conversations about log standards: any conversation about standards for log output should start with a discussion of the use cases for log data, that is, the best practices for using the information contained in logs for operational excellence, IT control and compliance. That is a customer discussion about best practices and use cases, not a vendor discussion. A standard should be defined top-down with the customer in mind, perhaps by using frameworks such as ISO 17799, COBIT and ITIL as a starting point from which to deduce logging requirements, rather than bottom-up, taking a random vendor's architecture for security event reduction (note: not an architecture envisioned for operational excellence, IT control or compliance in the first place) as an unnatural starting point.

At LogLogic, we envision a broad initiative to create an Open Log Community, with participation in defining key standards, best practices and techniques that benefit all stakeholders. Tackling the log standard conundrum from the perspective of the broader community will benefit our common key constituent -- our customers.


Posted August 22, 2006 in LogMatters | Permalink
