Skip to content

Instantly share code, notes, and snippets.

@jordansissel jordansissel/

Created Mar 6, 2012
What would you like to do?
So, I read over most of CEE, and it is a failure.


MITRE has this thing called "CEE" - Common Event Expression.

CEE is a failure because, while claiming to be a standards effort, it maximizes incompatibility between implementations by doing the following:

  • poorly describes multiple serialization formats, requires none of them. This ensures maximum incompatibility in event serialization
  • defines requirements for log transport protocols, but does not describe an actual protocol. This ensures maximum protocol incompatibility
  • naming style inconsistencies This ensures confusion

In general, the goal of CEE sounds like, but is actually not, creating a standard for common event expression. Instead, CEE is aimed at ensuring consulting dollars through obfuscation, complexity, and inconsistency.


No consistency in naming. Some names are abbreviations like 'crit', some are prefixed abbreviations ("p_" prefix), some are full english words like 'action'.

If the goal was to be inconsistent, CEE has succeeded.

  • Mysterious 'p_' prefix. Base fields are abbreviated names like "crit", "id", "pri", yet others are called "p_app", "p_proc", and "p_proc_id". The mysterious 'p_'

  • Some fields are abbreviated, like "crit" and "pri", but others are full english words, like "action" and "domain"

  • there's "id" which marks the "event type" by identifier, but "uuid" which marks the event instance identifier. You are confusing. I'm still not sure what the purpose of 'uuid' is.


  • Serializations: JSON, RFC3164, RFC5424, and XML serializations
  • 4 conformance levels.

Pick one serialization and one transport ("conformance") requirements list. Describe those two. Drop all the others.

If I pick JSON, and you pick XML, we can both be CEE-conforming and have zero interoperability between our tools. Nice!

Serialization underspecified

JSON for event serialization is fine, but no message framing is defined. Newline terminated? Length prefixed? You don't know :(


  • "Reserved Characters" - I don't think you have read the JSON spec. Most (all?) of the 'escaping' detailed in CEE JSON is already specified in JSON:

Specific comments on the 'json' format inline as comments, this example was copied verbatim from the CEE :

    # Forget this "Event" crap, just move everything up a level.
    "Event": {
        "p_proc": "proc1",
        "p_sys": "",
        "time": "2012-01-18T05:55:12.4321-05:00",
        "Type": {
            # Action is like, edge-trigger information.
            # Status is like, line-trigger information.
            # You don't usually have both edge and line triggers in the
            # same event. Confusing.
            "action": "login",
            "status": "ongoing",

            # Custom tag values also MUST start with a colon? It's silly to make
            # the common case (custom tags) the longer form.
            # Also, tags is a plural word, but the value is a string. What?
            "tags": ":hipaa"
        "Profile": {
            # This is a *huge* bloat, seriously. Stop making JSON into XML, guys.
            "CustomProfile": {
                "schema": "",
                "new_field": "a string value",
                "new_val": 1234,
                "product_host": ""

If you include the schema (CEE calls it a Profile) in every message, you're just funding companies who's business model relies on you paying them per-byte of log input.

Prior art here for sharing schema can be observed in the Apache Avro project.

CLT Protocol

Just define the protocol, all these requirements and conformance levels make things more confusing and harder to write tooling for.

If you don't define the protocol, there's no incentive for vendors to use prior art and are just as likely to invent their own protocols.

Combining this incentive-to-invent with the whole of CEE that underspecifies just about every feature, this guarantees incompatibilities in implementations.


This comment has been minimized.

Copy link

dinomite commented Mar 6, 2012

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.