Why does CEE separate the data from the syntax? Doesn't this introduce further complexity? How does CEE differ from current log standards?
CEE believes that the biggest hurdle to the adoption of current log standardization efforts, such as IDMEF and XDAS, is that they integrate the log data into their XML syntaxes. In doing so, they force all adopters to use XML. While many believe that XML is the best way to express log data, CEE takes the position that this limitation is unnecessary and prevents the log community from using such standards as a base for their log architectures. Additionally, system and network administrators may not want the overhead of such logs consuming bandwidth. By treating each of these components separately, CEE maximizes flexibility while making the standard easier to adopt. It is easier to manage discussion, encourage community feedback, and come to a consensus on the event taxonomy, data dictionary elements, and transport syntax as individual topics than to present the community with a 100+ page document to review and implement.
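The separation described above can be seen by carrying one event record through several interchangeable syntaxes. The following is an added example, not CEE's own code: the field names, the sample event, and the three encodings (XML, compact JSON, and a key="value" line format) are constructed assumptions, not entries from the CEE dictionary or its defined syntaxes.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample event; field names are illustrative assumptions,
# not entries from the CEE data dictionary.
EVENT = {"time": "2010-01-15T08:30:00Z", "host": "web01.example.com",
         "action": "login", "status": "failure",
         "user": "alice", "src_ip": "192.0.2.10"}

def to_xml(event):
    root = ET.Element("event")
    for name, value in event.items():
        ET.SubElement(root, name).text = value
    return ET.tostring(root, encoding="unicode")

def from_xml(text):
    # ElementTree does not limit entity expansion; parse trusted input only.
    return {child.tag: child.text or "" for child in ET.fromstring(text)}

def to_json(event):
    return json.dumps(event, separators=(",", ":"))

def to_kv(event):
    # name="value" pairs; backslash and double quote are backslash-escaped.
    return " ".join('{}="{}"'.format(n, re.sub(r'([\\"])', r"\\\1", v))
                    for n, v in event.items())

def from_kv(text):
    pairs = re.findall(r'(\w+)="((?:[^"\\]|\\.)*)"', text, re.S)
    return {n: re.sub(r"\\(.)", r"\1", v, flags=re.S) for n, v in pairs}

CODECS = {"xml": (to_xml, from_xml), "json": (to_json, json.loads), "kv": (to_kv, from_kv)}

def encoded_sizes(event):
    """Encode with every syntax, verify the data survives, return byte sizes."""
    sizes = {}
    for name, (encode, decode) in CODECS.items():
        wire = encode(event)
        if decode(wire) != event:
            raise ValueError(f"{name} codec altered the event data")
        sizes[name] = len(wire.encode("utf-8"))
    return sizes

if __name__ == "__main__":
    for name, size in encoded_sizes(EVENT).items():
        print(f"{name:5} {size:4} bytes")
```

The event dictionary is identical after each round trip, so a collector can choose the syntax that fits its bandwidth and tooling without changing what the fields mean.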