Specifications

118 MDS Orbit MCR-4G Technical Manual MDS 05-6628A01, Rev. A
APPENDIX D – Common Event Expression (CEE)
Events will be categorized using a taxonomy based on the Common Event Expression (CEE) event
profile (1). These events will be encoded using JavaScript Object Notation (JSON), and placed into the
standard message body of a syslog message.
From the CEE website:
Common Event Expression (CEE™) improves the audit process and the ability of users to effectively
interpret and analyze event log and audit data. This is accomplished by defining an extensible unified
event structure, which users and developers can leverage to describe, encode, and exchange their CEE
Event Records. (2)
CEE defines the structure of event messages via an XML schema referred to as the CEE Core Profile.
The Core Profile consists of 3 reusable components: (2)
· Event Taxonomy — provides a listing of Event Tags that can be used to classify and identify
events. The taxonomy supports common event categorization methods and identification of
records that pertain to similar types of events.
· Field Dictionary — a listing of event record fields and field value types used to represent
common event data. Selected fields and value types become associated with properties of a
specific event instance.
· CEE Event Schema — defines the structure of an event record, including the minimum set of
required fields. Event Extensions provide a mechanism for capturing additional data about an
event.
One of the key features of the CEE Core Profile is that an organization can extend it, adding
taxonomy categories and fields that describe vendor-specific events.
Event Taxonomy
The CEE Core Profile defines the following taxonomy categories:
· Action — The primary type of action that was undertaken as part of the event. The status or
result of the action should be detailed in the status field.
· Domain — The environment or domain of the event. Typical event domains include network
(net), operating system (os), and application (app).
· Object — The type of object that is targeted or otherwise affected by the event.
· Service — The service the event involves. The service field value provides context to the event
action or more precision to the event domain.
· Status — The end result or status of the event action identified by the action field.
· Subject — The type of object that initiated or started the event action identified by the action
field.
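
How a log consumer might pull these taxonomy tags out of a JSON event carried in a syslog message body, as an added example that is not from the manual. The lower-case key names, the sample lines and their values are constructed assumptions, since this section names the categories but does not show the exact key spelling or message framing.

```python
import json

# Taxonomy categories listed above, as lower-case JSON keys (assumed spelling).
TAXONOMY_FIELDS = ("action", "domain", "object", "service", "status", "subject")

# Constructed sample syslog lines; values are illustrative, not device output.
SAMPLES = [
    '<86>Jan  1 00:00:10 unit1 auth: {"action":"login","domain":"os","object":"session","service":"ssh","status":"failure","subject":"user","user":"admin"}',
    '<86>Jan  1 00:00:12 unit1 auth: {"action":"login","domain":"os","status":"success"} trailing text',
    '<30>Jan  1 00:00:15 unit1 daemon: plain text, no structured payload',
]

def extract_event(line):
    """Return the JSON object carried in the message body, or None."""
    start = line.find("{")
    if start == -1:
        return None
    try:
        # raw_decode stops at the end of the first JSON value, so text
        # following the object does not break parsing.
        event, _ = json.JSONDecoder().raw_decode(line[start:])
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None

def classify(line):
    """Split an event into taxonomy tags, extension fields and missing tags."""
    event = extract_event(line)
    if event is None:
        return None
    return {
        "tags": {k: event[k] for k in TAXONOMY_FIELDS if k in event},
        "extra": {k: v for k, v in event.items() if k not in TAXONOMY_FIELDS},
        "missing": [k for k in TAXONOMY_FIELDS if k not in event],
    }

def failed_actions(lines):
    """Return (action, service) for every event whose status tag is 'failure'."""
    hits = []
    for line in lines:
        result = classify(line)
        if result and result["tags"].get("status") == "failure":
            hits.append((result["tags"].get("action"), result["tags"].get("service")))
    return hits

if __name__ == "__main__":
    print(failed_actions(SAMPLES))
```

Reporting the missing tags separately lets a collector flag events that cannot be fully categorized instead of silently dropping them.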