Syslog Working Group                              Glenn Mansfield Keeni
INTERNET-DRAFT                                     Cyber Solutions Inc.
Expires: August 15, 2005                                        B. Pape
                                                     Enterasys Networks
                                                      February 16, 2005

                  Syslog Management Information Base

Status of this Memo

   By submitting this Internet-Draft, we certify that any applicable
   patent or other IPR claims of which we are aware have been
   disclosed, or will be disclosed, and any of which we become aware
   will be disclosed, in accordance with RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other
   documents at any time. It is inappropriate to use Internet-Drafts
   as reference material or to cite them other than as "work in
   progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This document is a product of the syslog Working Group. Comments
   should be addressed to the authors or the mailing list at
   syslog-sec@employees.org

   This Internet-Draft will expire on August 15, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005). All Rights Reserved.

Abstract

   This memo provides a MIB module that can be used to monitor and
   manage syslog processes. It defines objects that allow the
   collection of information related to syslog processes; it also
   defines objects that can be used to monitor and/or control syslog
   processes.

Table of Contents

   1.  The Internet-Standard Management Framework
   2.  Overview
   3.  The MIB Design
   4.  The Syslog MIB
   5.  Security Considerations
   6.  IANA Considerations
   7.  References
   8.  Acknowledgments
   9.  Authors Address
   10. Full Copyright Statement
   Appendix: History of Changes

1. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7
   of RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store,
   termed the Management Information Base or MIB. MIB objects are
   generally accessed through the Simple Network Management Protocol
   (SNMP). Objects in the MIB are defined using the mechanisms defined
   in the Structure of Management Information (SMI). This memo
   specifies a MIB module that is compliant with the SMIv2, which is
   described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579]
   and STD 58, RFC 2580 [RFC2580].

2. Overview

2.1 The syslog process model

   Operating systems, processes and applications generate messages
   indicating their own status or the occurrence of events. These
   messages are useful for managing and/or debugging the network and
   its services. The BSD Syslog protocol is a widely adopted protocol
   that is used for transmission and processing of the messages.
   Essentially, a syslog process receives messages (from the kernel,
   processes, applications or other syslog processes) and processes
   those. The processing involves logging to a local file, displaying
   on console, user terminal, and/or relaying to syslog processes on
   other machines. The processing is determined by the "facility" that
   originated the message and the "severity" assigned to the message
   by the facility.

   This document defines a generic MIB that may be used to monitor and
   control one or more syslog processes running on a system.
   The syslogMIB will be used in conjunction with other MIBs - in
   particular the Host Resources MIB and the script MIB. The generic
   process related matters e.g. process control, status, resource
   usage etc. will be serviced by the corresponding entries in the
   Host Resources MIB. The configuration of the syslog process is not
   directly supported. The configuration process can be serviced by an
   implementation of a script MIB in which the configuration file is
   treated as the script which is interpreted by the syslog process.

                                    /
                         +------+  /
                         | SP-1 |------> SP-R1
                        /+------+  \
       Facility-1-->|  /
                 -->| /  +------+  /
       Facility-N-->|+---| SP-2 |------> SP-R2
                 -->| \  +------+  \
     SyslogHost-N-->|  \
                        \+------+  /
                         | SP-N |------> SP-RN
                         +------+  \
                                    \

       Facility:   Facility originating the message (locally)
       SyslogHost: Remote SyslogHost relaying a message
       SP:         Syslog Process

                     Fig.1 Syslog Process Model

   The syslog process modelled by the MIB is shown in Fig.1. One or
   more syslog processes running on a system receive syslog messages
   from the local facilities and from other syslog processes on other
   hosts. The syslog process receives the message and processes it
   depending on the processing mandated for the facility and severity
   of the message in its local message-process configuration table.

2.2 Terminology.

   The terminology used in this document is consistent with the
   definitions used in The BSD Syslog Protocol specification
   [RFC3164].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
   and "OPTIONAL" in this document are to be interpreted as described
   in BCP 14, RFC 2119 [RFC2119].

3. The MIB Design.

   The purpose of the SyslogMIB is to allow monitoring and control of
   the syslog process(es) on a system.
   This requires MOs representing

   o  Statistics on messages received, processed locally, relayed,
   o  Syslog system wide parameters that are available to all syslog
      processes.
   o  Syslog run time parameters for each syslog process e.g.
      -  maximum message size,
      -  sockets and/or type of transport, port numbers on which the
         process will listen for messages, etc.
      -  etc.

   The SYSLOG-MIB uses the textual conventions defined in the
   INET-ADDRESS-MIB [RFC3291bis].

   The MIB comprises four groups

   o  The syslogSystem group handles the system wide parameters that
      apply to all the syslog processes served by the SNMP agent.
   o  The syslog process group consisting of the
      -  syslogStatsTable which deals with statistical information
         about the syslog processes.
      -  syslogParamsTable for monitoring and controlling syslog
         processes. It contains MOs representing the run-time
         parameters of the syslog processes.
   o  The conformance group that defines the compliance statements.

4. The Syslog MIB

   SYSLOG-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, Counter32,
       Integer32, mib-2
           FROM SNMPv2-SMI
       RowStatus, TEXTUAL-CONVENTION, TimeStamp, TruthValue,
       StorageType
           FROM SNMPv2-TC
       InetAddressType, InetAddress, InetAddressPrefixLength
           FROM INET-ADDRESS-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB;

   syslogMIB MODULE-IDENTITY
       LAST-UPDATED "200502160000Z"  -- Wed February 16 00:00 GMT 2005
       ORGANIZATION "IETF Syslog Working Group"
       CONTACT-INFO
           "        Glenn Mansfield Keeni
            Postal: Cyber Solutions Inc.
                    6-6-3, Minami Yoshinari
                    Aoba-ku, Sendai, Japan 989-3204.
               Tel: +81-22-303-4012
               Fax: +81-22-303-4015
            E-mail: glenn@cysols.com

            Support Group E-mail: mip6@ietf.org
           "
       DESCRIPTION
           "The MIB module pertaining to the reception and
            processing of Syslog compatible messages.

            Copyright (C) The Internet Society 2005.
            This version of this MIB module is part of RFC XXXX;
            see the RFC itself for full legal notices.
           "
   -- RFC Ed.: replace XXXX with actual RFC number & remove this note

       REVISION "200502160000Z"  -- Wed February 16 00:00 GMT 2005
       DESCRIPTION
           "Initial version, published as RFC XXXX."
   -- RFC Ed.: replace XXXX with actual RFC number & remove this note

       ::= { mib-2 YYY }  -- Will be assigned by IANA

   -- IANA Reg.: Please assign a value for "YYY" under the 'mib-2'
   -- subtree and record the assignment in the SMI Numbers registry.

   -- RFC Ed.: When the above assignment has been made, please
   --     remove the above note
   --     replace "YYY" here with the assigned value and
   --     remove this note.

   -- -------------------------------------------------------------
   -- Textual Conventions
   -- -------------------------------------------------------------

   SyslogFacility ::= TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "This textual convention enumerates the facilities
            that originate syslog messages.
            The value noMap(99) indicates that the appropriate
            facility will be provided by the application on the
            managed entity. If this option is not available on
            a particular entity, attempts to set the facility
            to this value will fail with an error-status of
            wrongValue.
           "
       REFERENCE
           "The BSD syslog Protocol (RFC 3164) sec. 4.1.1
            (Table 1).
           "
       SYNTAX  INTEGER
               {
                 kernel   (0),  -- kernel messages
                 user     (1),  -- user-level messages
                 mail     (2),  -- mail system
                 daemon   (3),  -- system daemons
                 auth     (4),  -- authorization messages
                 syslog   (5),  -- messages generated by syslogd
                 lpr      (6),  -- line printer subsystem
                 news     (7),  -- network news subsystem
                 uucp     (8),  -- UUCP subsystem
                 cron     (9),  -- clock daemon
                 authPriv (10), -- authorization messages
                                -- (private)
                 ftp      (11), -- ftp daemon
                 ntp      (12), -- NTP subsystem
                 security (13), -- security subsystems
                                -- (firewalling, etc.)
                 console  (14), -- /dev/console output
                 local0   (16),
                 local1   (17),
                 local2   (18),
                 local3   (19),
                 local4   (20),
                 local5   (21),
                 local6   (22),
                 local7   (23),
                 noMap    (99)
               }

   SyslogSeverity ::= TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "This textual convention enumerates the severity
            levels of syslog messages.
            The syslog protocol uses the values 0 (emergency),
            to 7 (debug)."
       REFERENCE
           "The BSD syslog Protocol (RFC 3164) sec. 4.1.1
            (Table 2)
           "
       SYNTAX  INTEGER
               {
                 emergency (0),  -- system is unusable
                 alert     (1),  -- action must be taken
                                 -- immediately
                 critical  (2),  -- critical conditions
                 error     (3),  -- error conditions
                 warning   (4),  -- warning conditions
                 notice    (5),  -- normal but significant
                                 -- condition
                 info      (6),  -- informational
                 debug     (7),  -- debug-level messages
                 other     (99)  -- none of the above
               }

   SyslogSeverityCompOP ::= TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "The operator that will be applied to the severity
            before the selection for an action takes place.
           "
       SYNTAX  INTEGER
               {
                 none                  (1),
                 greaterThanOrEqual    (2),
                 lessThanOrEqual       (3),
                 greaterThan           (4),
                 lessThan              (5),
                 notGreaterThanOrEqual (6),
                 notLessThanOrEqual    (7),
                 notGreaterThan        (8),
                 notLessThan           (9),
                 equal                 (10),
                 notEqual              (11)
               }

   SyslogTransport ::= TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "The Transport that will be used to send and/or
            receive messages.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       SYNTAX  INTEGER
               {
                 any (1),
                 udp (2),
                 tcp (3)
               }

   SyslogService ::= TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "The service name or port number that will be used
            to send and/or receive messages. The special name
            ''any'' is reserved. It denotes all ports and is
            applicable only in the context of message reception.
            In case the service name is given, and it is not
            ''any'', the service name must resolve to a port
            number on the local host.
           "
       SYNTAX  OCTET STRING (SIZE (0..255))

   -- -------------------------------------------------------------
   -- syslogMIB - the main groups
   -- -------------------------------------------------------------

   syslogSystem  OBJECT IDENTIFIER ::= { syslogMIB 1 }

   syslogProc    OBJECT IDENTIFIER ::= { syslogMIB 2 }

   -- -------------------------------------------------------------
   -- syslogSystem
   -- -------------------------------------------------------------

   -- The system wide parameters

   syslogDefaultTransport OBJECT-TYPE
       SYNTAX      SyslogTransport
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default transport that a syslog process will use
            to send syslog messages.
            The value of this object SHOULD remain unchanged
            across reboots of the managed entity.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       DEFVAL      { udp }
       ::= { syslogSystem 1 }

   syslogDefaultService OBJECT-TYPE
       SYNTAX      SyslogService
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default service name or port number that a syslog
            process will use to send syslog messages.
            The value of this object SHOULD remain unchanged
            across reboots of the managed entity.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       DEFVAL      { "514" }
       ::= { syslogSystem 2 }

   syslogDefaultFacility OBJECT-TYPE
       SYNTAX      SyslogFacility
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default syslog facility that will be added to
            syslog messages when the message needs to be relayed
            and does not have priority specified.
            The value of this object SHOULD remain unchanged
            across reboots of the managed entity.
           "
       ::= { syslogSystem 3 }

   syslogDefaultSeverity OBJECT-TYPE
       SYNTAX      SyslogSeverity
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default syslog severity that will be added to
            syslog messages when the message needs to be relayed
            and does not have priority specified.
            The value of this object SHOULD remain unchanged
            across reboots of the managed entity.
           "
       ::= { syslogSystem 4 }

   syslogMaxMessageSize OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The maximum size of the syslog messages in bytes.
            The value of this object SHOULD remain unchanged
            across reboots of the managed entity.
           "
       DEFVAL      { 1024 }
       ::= { syslogSystem 5 }

   -- -------------------------------------------------------------
   -- syslogProc
   -- -------------------------------------------------------------

   syslogProcTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogProcEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing information about the syslog
            processes serviced by an SNMP agent.
           "
       ::= { syslogProc 1 }

   syslogProcEntry OBJECT-TYPE
       SYNTAX      SyslogProcEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The information pertaining to a syslog process.
           "
       INDEX       { syslogProcIndex }
       ::= { syslogProcTable 1 }

   SyslogProcEntry ::= SEQUENCE {
       syslogProcIndex
           Unsigned32,
       syslogProcMsgsReceived
           Counter32,
       syslogProcMsgsRelayed
           Counter32,
       syslogProcMsgsDropped
           Counter32,
       syslogProcMsgsIllFormed
           Counter32,
       syslogProcMsgsIgnored
           Counter32,
       syslogProcMsgsRejected
           Counter32,
       syslogProcLastMsgRecdTime
           TimeStamp,
       syslogProcLastMsgDeliveredTime
           TimeStamp,
       syslogProcStartTime
           TimeStamp,
       syslogProcLastError
           SnmpAdminString,
       syslogProcLastErrorTime
           TimeStamp,
       syslogProcReference
           Integer32
   }
   -- option for allowed peers needs to be added

   syslogProcIndex OBJECT-TYPE
       SYNTAX      Unsigned32 (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The Index that uniquely identifies the syslog
            process in the syslogProcess table.
           "
       ::= { syslogProcEntry 1 }

   syslogProcMsgsReceived OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages received by the syslog
            process. This includes messages that were ignored.
           "
       ::= { syslogProcEntry 2 }

   syslogProcMsgsRelayed OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages relayed by the syslog process
            to other syslog processes.
           "
       ::= { syslogProcEntry 3 }

   syslogProcMsgsDropped OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that could not be relayed
            (could not be queued for transmitting)."
       ::= { syslogProcEntry 4 }

   syslogProcMsgsIllFormed OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that were rejected by the
            syslog process because these were not well-formed.
           "
       ::= { syslogProcEntry 5 }

   syslogProcMsgsIgnored OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that were not processed by the
            syslog process because the message did not meet the
            message selection criteria for the syslog process.
            For example, in the case of BSD syslog messages,
            either the program name or the priority level of
            the message or both did not match any selection
            specified for this process in the syslog process'
            configuration file.
           "
       ::= { syslogProcEntry 6 }

   syslogProcMsgsRejected OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that were rejected by the
            syslog process because the message was from a
            host/service that did not match any selection
            specified for this process and was not on the
            allowed host/services list.
           "
       ::= { syslogProcEntry 7 }

   syslogProcLastMsgRecdTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when the last message was received
            by the syslog process locally or from a remote
            syslog process.
           "
       ::= { syslogProcEntry 8 }

   syslogProcLastMsgDeliveredTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when the last message was delivered
            by the syslog process.
           "
       ::= { syslogProcEntry 9 }

   syslogProcStartTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when this process was started.
           "
       ::= { syslogProcEntry 10 }

   syslogProcLastError OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A description of the last error that was encountered
            by this process.
           "
       ::= { syslogProcEntry 11 }

   syslogProcLastErrorTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when the last error was encountered.
           "
       ::= { syslogProcEntry 12 }

   syslogProcReference OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "If the Host resource MIB is serviced on the host then
            this entry will have the value of the hrSWRunIndex
            of the corresponding entry in the hrSWRunTable.
            Otherwise this object will be inaccessible.
           "
       ::= { syslogProcEntry 13 }

   syslogParamsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogParamsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing information about the parameters
            that control the syslog processes.
           "
       ::= { syslogProc 2 }

   syslogParamsEntry OBJECT-TYPE
       SYNTAX      SyslogParamsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The parameters pertaining to a syslog process."
       INDEX       { syslogProcIndex }
       ::= { syslogParamsTable 1 }

   SyslogParamsEntry ::= SEQUENCE {
       syslogParamsProcDescr
           SnmpAdminString,
       syslogParamsBindAddrType
           InetAddressType,
       syslogParamsBindAddr
           InetAddress,
       syslogParamsSendToAllAddresses
           TruthValue,
       syslogParamsCompression
           INTEGER,
       syslogParamsConfFileName
           SnmpAdminString,
       syslogParamsFacilityTranslation
           TruthValue,
       syslogParamsPIDFileName
           SnmpAdminString,
       syslogParamsDNSLookup
           INTEGER,
       syslogParamsSeverityCompOP
           SyslogSeverityCompOP,
       syslogParamsSecuritySpecs
           INTEGER,
       syslogParamsProcessStatus
           INTEGER,
       syslogParamsStorageType
           StorageType,
       syslogParamsRowStatus
           RowStatus
   }

   syslogParamsProcDescr OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A user definable description of the syslog process.
           "
       ::= { syslogParamsEntry 1 }

   syslogParamsBindAddrType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of Internet address which follows
            in syslogParamsBindAddr.
           "
       ::= { syslogParamsEntry 2 }

   syslogParamsBindAddr OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The specific IP address or hostname the syslog
            process will bind to. If a hostname is specified,
            the IPv4 or IPv6 address corresponding to the
            hostname will be used.
           "
       ::= { syslogParamsEntry 3 }

   syslogParamsSendToAllAddresses OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "If the destination host, for a message to be
            forwarded, has more than one A or AAAA record,
            send the message to all the addresses (true) else
            send to only one of the addresses.
           "
       DEFVAL      { false }
       ::= { syslogParamsEntry 4 }

   syslogParamsCompression OBJECT-TYPE
       SYNTAX      INTEGER
                   {
                     off       (1),
                     offIfPipe (2),
                     on        (3)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "If 'off', disable the compression of repeated
            instances of the same line into a single line of
            the form ``last message repeated N times''.
            If 'offIfPipe' disable the compression when the
            output is a pipe to another program.
            Otherwise the compression is enabled.
            The value of this object SHOULD remain unchanged
            across reboots of the managed entity.
           "
       DEFVAL      { on }
       ::= { syslogParamsEntry 5 }

   syslogParamsConfFileName OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The full path name of the configuration file where
            the syslog process's message selection and
            corresponding action rules will be read from.
            The syslog process reads its configuration
            information from this file.
            If the system does not support the specification of
            a configuration file this field will not be
            accessible.
           "
       DEFVAL      { "/etc/syslog.conf" }
       ::= { syslogParamsEntry 6 }

   syslogParamsFacilityTranslation OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "If false(2), disable the translation of messages
            received with facility ``kern'' to facility
            ``user''. Usually the ``kern'' facility is reserved
            for messages read directly from /dev/klog.
            The value of this object SHOULD remain unchanged
            across reboots of the managed entity.
           "
       DEFVAL      { true }
       ::= { syslogParamsEntry 7 }

   syslogParamsPIDFileName OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The full path name of the file where the syslog
            process ID will be recorded.
            In case the system does not support the feature of
            recording syslog's process ID - this object will
            not be accessible.
           "
       DEFVAL      { "/etc/syslog.pid" }
       ::= { syslogParamsEntry 8 }

   syslogParamsDNSLookup OBJECT-TYPE
       SYNTAX      INTEGER
                   {
                     useLocalCache      (1),
                     doNotUseLocalCache (2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "If doNotUseLocalCache is on, fresh DNS lookups will
            be carried out every time a hostname is encountered.
            Else, DNS lookups will be carried out only once for
            each hostname.
            The value of this object SHOULD remain unchanged
            across reboots of the managed entity.
           "
       DEFVAL      { useLocalCache }
       ::= { syslogParamsEntry 9 }

   syslogParamsSeverityCompOP OBJECT-TYPE
       SYNTAX      SyslogSeverityCompOP
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The default value of the operator that should be
            applied to the syslogCtlSelectionSeverity before
            the selection takes place.
           "
       DEFVAL      { greaterThanOrEqual }
       ::= { syslogParamsEntry 10 }

   syslogParamsSecuritySpecs OBJECT-TYPE
       SYNTAX      INTEGER
                   {
                     none                     (1),
                     doNotRecvFromRemoteHosts (2),
                     doNotOpenNetworkSockets  (3)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "If doNotRecvFromRemoteHosts is selected then the
            corresponding syslog process will not receive
            messages from remote hosts.
            If doNotOpenNetworkSockets is selected then the
            syslog process will not receive from or forward to
            remote hosts.
           "
       DEFVAL      { none }
       ::= { syslogParamsEntry 11 }

   syslogParamsProcessStatus OBJECT-TYPE
       SYNTAX      INTEGER
                   {
                     unknown   (1),
                     started   (2),
                     suspended (3),
                     stopped   (4)
                   }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The status of the process.
           "
       DEFVAL      { unknown }
       ::= { syslogParamsEntry 12 }

   syslogParamsStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object defines whether the parameters defined in
            this row are kept in volatile storage and lost upon
            reboot or are backed up by non-volatile (permanent)
            storage.
            Conceptual rows having the value 'permanent' need not
            allow write-access to any columnar objects in the row.
           "
       ::= { syslogParamsEntry 13 }

   syslogParamsRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object is used to create, modify and delete rows
            in the syslogParamsTable.
            Objects in a row can be modified only when the value
            of this object in the corresponding conceptual row is
            not ''active''.
            Thus to modify one or more of the objects in this
            conceptual row,
              a. change the row status to ''notInService'',
              b. change the values of the row
              c. change the row status to ''active''
            The syslogParamsRowStatus may be changed to
            ''active'' iff all the MOs in the conceptual row
            have been assigned valid values.
           "
       ::= { syslogParamsEntry 14 }

   syslogAllowedHostsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogAllowedHostsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing information about the Hosts from
            which messages will be accepted.
           "
       ::= { syslogProc 3 }

   syslogAllowedHostsEntry OBJECT-TYPE
       SYNTAX      SyslogAllowedHostsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The host information."
       INDEX       { syslogProcIndex }
       ::= { syslogAllowedHostsTable 1 }

   SyslogAllowedHostsEntry ::= SEQUENCE {
       syslogAllowedHostsAddressType
           InetAddressType,
       syslogAllowedHostsAddress
           InetAddress,
       syslogAllowedHostsMaskLen
           InetAddressPrefixLength,
       syslogAllowedHostsTransport
           SyslogTransport,
       syslogAllowedHostsPort
           SyslogService,
       syslogAllowedHostsStorageType
           StorageType,
       syslogAllowedHostsRowStatus
           RowStatus
   }

   syslogAllowedHostsAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of Internet address which follows
            in syslogAllowedHostsAddress.
           "
       ::= { syslogAllowedHostsEntry 1 }

   syslogAllowedHostsAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The IP address or hostname specification of the host
            from which the syslog process will accept messages.
           "
       ::= { syslogAllowedHostsEntry 2 }

   syslogAllowedHostsMaskLen OBJECT-TYPE
       SYNTAX      InetAddressPrefixLength
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "If the syslogAllowedHostsAddressType is ipv4(1),
            ipv6(2) this object represents the number of bits
            that will be taken into account when the address of
            the originating host is being compared with
            syslogAllowedHostsAddress. The default value of
            this MO will be the length of the corresponding
            syslogAllowedHostsAddress.
            If the syslogAllowedHostsAddressType is not ipv4(1)
            or ipv6(2) this object is not used.
            A value of 0 indicates that the prefix is not used
            or is not applicable.
           "
       DEFVAL      { 0 }
       ::= { syslogAllowedHostsEntry 3 }

   syslogAllowedHostsTransport OBJECT-TYPE
       SYNTAX      SyslogTransport
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Transport specification that will be used to
            decide whether the message will be accepted from a
            host or not.
           "
       DEFVAL      { udp }
       ::= { syslogAllowedHostsEntry 4 }

   syslogAllowedHostsPort OBJECT-TYPE
       SYNTAX      SyslogService
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The port specification that will be used to decide
            whether the message will be accepted from a host
            or not.
           "
       DEFVAL      { "any" }
       ::= { syslogAllowedHostsEntry 5 }

   syslogAllowedHostsStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object defines whether the parameters defined in
            this row are kept in volatile storage and lost upon
            reboot or are backed up by non-volatile (permanent)
            storage.
            Conceptual rows having the value 'permanent' need not
            allow write-access to any columnar objects in the row.
           "
       ::= { syslogAllowedHostsEntry 6 }

   syslogAllowedHostsRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object is used to create and delete rows in the
            syslogAllowedHostsTable.
            All the columns in this conceptual row MUST have
            valid values before this column can be assigned the
            value ''active''.
           "
       ::= { syslogAllowedHostsEntry 7 }

   -- -------------------------------------------------------------
   -- Conformance Information
   -- -------------------------------------------------------------

   syslogConformance OBJECT IDENTIFIER ::= { syslogMIB 4 }

   syslogGroups      OBJECT IDENTIFIER ::= { syslogConformance 1 }

   syslogCompliances OBJECT IDENTIFIER ::= { syslogConformance 2 }

   -- -------------------------------------------------------------
   -- units of conformance
   -- -------------------------------------------------------------

   syslogSystemGroup OBJECT-GROUP
       OBJECTS {
                 syslogDefaultTransport,
                 syslogDefaultService,
                 syslogDefaultFacility,
                 syslogDefaultSeverity,
                 syslogMaxMessageSize
               }
       STATUS  current
       DESCRIPTION
           "A collection of objects providing system-wide
            parameters for syslog processes.
           "
       ::= { syslogGroups 1}

   syslogStatsGroup OBJECT-GROUP
       OBJECTS {
                 -- syslogProcIndex,
                 syslogProcMsgsReceived,
                 syslogProcMsgsRelayed,
                 syslogProcMsgsDropped,
                 syslogProcMsgsIllFormed,
                 syslogProcMsgsIgnored,
                 syslogProcMsgsRejected,
                 syslogProcLastMsgRecdTime,
                 syslogProcLastMsgDeliveredTime,
                 syslogProcStartTime,
                 syslogProcLastError,
                 syslogProcLastErrorTime,
                 syslogProcReference
               }
       STATUS  current
       DESCRIPTION
           "A collection of objects providing message related
            statistics."
       ::= { syslogGroups 2}

   syslogParamsGroup OBJECT-GROUP
       OBJECTS {
                 syslogParamsProcDescr,
                 syslogParamsBindAddrType,
                 syslogParamsBindAddr,
                 syslogParamsSendToAllAddresses,
                 syslogParamsCompression,
                 syslogParamsConfFileName,
                 syslogParamsFacilityTranslation,
                 syslogParamsPIDFileName,
                 syslogParamsDNSLookup,
                 syslogParamsSeverityCompOP,
                 syslogParamsSecuritySpecs,
                 syslogParamsProcessStatus,
                 syslogParamsStorageType,
                 syslogParamsRowStatus,
                 syslogAllowedHostsAddressType,
                 syslogAllowedHostsAddress,
                 syslogAllowedHostsMaskLen,
                 syslogAllowedHostsTransport,
                 syslogAllowedHostsPort,
                 syslogAllowedHostsStorageType,
                 syslogAllowedHostsRowStatus
               }
       STATUS  current
       DESCRIPTION
           "A collection of objects representing the run time
            parameters for the syslog processes.
           "
       ::= { syslogGroups 3}

   -- -------------------------------------------------------------
   -- compliance statements
   -- -------------------------------------------------------------

   syslogCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
           "The compliance statement for SNMP entities which
            implement the SYSLOG-MIB.
           "
       MODULE  -- this module
           MANDATORY-GROUPS { syslogStatsGroup }

           GROUP   syslogSystemGroup
           DESCRIPTION
               "The syslogSystemGroup group is mandatory only for
                agents which support monitoring and control of the
                syslog system wide parameters. If only monitoring
                is supported then the corresponding objects MUST
                have access read-only.
               "
           GROUP   syslogParamsGroup
           DESCRIPTION
               "The syslogParamsGroup group is mandatory only for
                agents which support monitoring and/or control of
                syslog processes. If only monitoring is supported
                then the corresponding objects MUST have access
                read-only.
               "
       ::= { syslogCompliances 1 }

   END

4. Security Considerations

   Syslog plays a very important role in the computer and network
   security of an organization.
SyslogMIB defines several managed objects that may be used to monitor, configure and control syslog processes. As such, improper manipulation of the objects represented by this MIB may lead to an attack on an important component of the computer and network security infrastructure. The objects in syslogParamsTable and syslogAllowedHostsTable may be misconfigured to cause syslog messages to be diverted or lost. A misconfiguration may also result in a DoS attack on a user or service.

There are a number of management objects defined in this MIB module with a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations. These are the tables and objects and their sensitivity/vulnerability:

   o  syslogParamsTable: the objects in this table describe the configuration of the syslog processes.

   o  syslogAllowedHostsTable: the objects in this table describe the hosts from which syslog messages will be accepted. Improper configuration may lead to loss of messages from an important source or a flood of messages from a potentially rogue source.

Some of the readable objects in this MIB module (i.e., objects with a MAX-ACCESS other than not-accessible) may be considered sensitive or vulnerable in some network environments. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. These are the tables and objects and their sensitivity/vulnerability:

   o  syslogProcTable: objects in this table carry sensitive information. The counters may reveal information about the deployment and effectiveness of the relevant security systems. The counters may be analyzed to tell whether the security systems are able to detect an event or not.

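The following is an added example, not part of the draft, of one way an operator could audit the rows of syslogAllowedHostsTable for the two failure modes named above: loss of messages from an important source and acceptance of messages from far more senders than intended. It assumes that syslogAllowedHostsAddress and syslogAllowedHostsMaskLen together select a prefix of permitted senders and that the rows have already been retrieved; the function name, the prefix-length thresholds and the sample rows are hypothetical.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not taken from the draft.
# Each row is (syslogAllowedHostsAddress, syslogAllowedHostsMaskLen).
SAMPLE_ROWS = [
    ("192.0.2.0", 24),
    ("198.51.100.7", 32),
    ("0.0.0.0", 0),          # mask length 0 matches every IPv4 sender
    ("2001:db8:1::", 48),
    ("198.51.100.0", 40),    # impossible IPv4 mask length
]
REQUIRED_SOURCES = ["192.0.2.10", "203.0.113.5", "2001:db8:ffff::1"]


def audit_allowed_hosts(rows, required_sources, min_len=None):
    """Report rows that invite a flood and required senders that would be lost.

    Assumption: address and mask length together select a prefix of
    permitted senders. min_len is a hypothetical local policy giving the
    shortest prefix still considered specific, per IP version.
    """
    min_len = min_len or {4: 16, 6: 48}
    report = {"invalid": [], "too_broad": [], "only_via_broad": [], "uncovered": []}
    nets = []
    for addr, mask_len in rows:
        try:
            net = ipaddress.ip_network(f"{addr}/{mask_len}", strict=False)
        except ValueError:
            report["invalid"].append((addr, mask_len))
            continue
        broad = net.prefixlen < min_len[net.version]
        if broad:
            report["too_broad"].append(str(net))
        nets.append((net, broad))
    for src in required_sources:
        ip = ipaddress.ip_address(src)
        hits = [broad for net, broad in nets
                if net.version == ip.version and ip in net]
        if not hits:
            report["uncovered"].append(src)        # messages would be dropped
        elif all(hits):
            report["only_via_broad"].append(src)   # accepted only by a catch-all row
    return report


if __name__ == "__main__":
    for finding, items in audit_allowed_hosts(SAMPLE_ROWS, REQUIRED_SOURCES).items():
        print(f"{finding}: {items}")
```

A source listed under only_via_broad would stop being accepted as soon as the catch-all row is tightened, so it needs a specific row of its own first.
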
SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPSec), there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.

It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.

5. IANA Considerations

IANA should assign a base arc in the 'mib-2' (standards track) OID tree for the 'syslogMIB' MODULE-IDENTITY defined in the Syslog-MIB.

6. References

6.1 Normative References

[RFC2119] Bradner, S., Key words for use in RFCs to Indicate Requirement Levels, BCP 14, RFC 2119, March 1997.

[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, Structure of Management Information Version 2 (SMIv2), STD 58, RFC 2578, April 1999.

[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, Textual Conventions for SMIv2, STD 58, RFC 2579, April 1999.

[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J., Rose, M. and S. Waldbusser, Conformance Statements for SMIv2, STD 58, RFC 2580, April 1999.

[RFC3775] Johnson, D., Perkins, C. and J. Arkko, Mobility Support in IPv6, RFC 3775, June 2004.

[RFC2011bis] Routhier, S., Management Information Base for the Internet Protocol (IP), work in progress (currently ).

[RFC3291bis] Daniele, M., Haberman, B., Routhier, S. and J. Schoenwaelder, Textual Conventions for Internet Network Addresses, work in progress (currently ).

6.2 Informative References

[RFC3410] Case, J., Mundy, R., Partain, D. and B. Stewart, Introduction and Applicability Statements for Internet-Standard Management Framework, RFC 3410, December 2002.

[RFC3164] Lonvick, C., The BSD Syslog Protocol, RFC 3164, August 2001.

7. Acknowledgments

The authors would like to thank David Harrington, Mark Ellison, Mike MacFaden, Dave T Perkins and members of the WIDE-netman group for their comments and suggestions.

8. Authors Address

Glenn Mansfield Keeni
Cyber Solutions Inc.
6-6-3 Minami Yoshinari
Aoba-ku, Sendai 989-3204
Japan

Phone: +81-22-303-4012
EMail: glenn@cysols.com

Bruno Pape
Enterasys Networks, Inc.
35 Industrial Way
Rochester, NH 03867
USA

Email: bpape@enterasys.com
Tel: +1 603 337 0446

9. Full Copyright Statement

Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgment

Funding for the RFC Editor function is currently provided by the Internet Society.

APPENDIX

This section documents the development of the draft. It will be deleted when the draft becomes an RFC.

Revision History:

    REVISION "200502160000Z" -- Wed February 16 00:00 GMT 2005
    DESCRIPTION
        "Major editorial change
         - synched with latest mib boiler-plate requirement
         - synched with latest I-D requirements
         - references fixed
         Editorial nits fixed.
        "

    REVISION "200406160000Z" -- Mon Feb 16 00:00 GMT 2004
    DESCRIPTION
        "Major change.
         The configuration parts have been removed.
         Updated the description clauses.
         Editorial nits fixed.
" REVISION "200306250000Z" -- Wed June 25 00:00 GMT 2003 DESCRIPTION "Changed the type of syslogProcLastError SnmpAdminString, from Integer32. DEFVAL { 0 ] is added to syslogAllowedHostsMaskLen MO name changed from syslogCtlSelectionHostname to syslogCtlSelectionHostName Updated the description clauses. Fixed nits pointed out in Bert's mails of 20030319 and revised the document wrt the guidelines in draft-ietf-ops-mib-review-guidelines-01.txt Editorial nits fixed. " REVISION "200303030000Z" -- Mon March 03 00:00 GMT 2003 Expires: August 15, 2005 [Page 36] Internet Draft February 16, 2005 DESCRIPTION "Fixing of nits in descriptions, addition of references, addition of the following MOs syslogProcMsgsIllFormed Counter32, syslogProcStartTime TimeStamp, syslogProcLastError Integer32, syslogProcLastErrorTime TimeStamp, syslogParamsStorageType StorageType, syslogCtlFwdActionSrcAddrType InetAddressType, syslogCtlFwdActionSrcAddr InetAddress, added enumeration ''suspended(2)'' to syslogParamsProcessStatus. " REVISION "200212252343Z" -- Wed December 25 23:43 GMT 2002 DESCRIPTION "Radical revision of the MIB structure and design." REVISION "200206061841Z" -- Thu Jun 6 18:41 GMT 2002 DESCRIPTION "The initial version of this MIB module." Expires: August 15, 2005 [Page 37]