[Syslog] Facilities - normative or informative label
Hi Folks,
This is adding to the note that David sent out about syslog-tc-mib-02 and
a discussion we've had about the Facilities. David and I have reviewed
the mailing list discussion and have concluded that the labels are
normative, but irrelevant.
For interoperability and backwards compatibility reasons, the values and
labels are normative, so the mapping from a label configured by operators
in syslog.conf or equivalent consistently maps to the same Facility number
regardless of implementation, but the label itself is often semantically
meaningless, because there are not enough numbers to cover all possible
facilities, and the enumeration (label and value) that is used by an
actual facility is, and has historically been, implementation-dependent.
For example, the foobar application might log messages as having come from
local7, even though there is no "local" process on the device, and the
operator can configure syslog.conf to have local7.critical messages be
relayed, even though there might be multiple facilities using Facility
local7. This is typical current practice, and originators, relays and
collectors know how to handle this situation. For improved accuracy, the
foobar application can also include an APPNAME SDE in the message
identifying itself as the "foobar" application."
Also, I believe it is the intent of the WG that _all_ processes have the
ability to use the syslog transport to send their messages to a device
that might care. My concern is that we'll never have enough Facilities to
distinctly identify all possible processes that might want to send
messages. I think that we had a discussion a long time ago about trying
to associate a number with each process, with enough expansion to cover
the future. It didn't work out then and it won't work now.
Another way to say what I'm thinking is that some policy may be
enacted at my company to say that my foo.log or my virusscan.log (as
examples) be forwarded from my machine to some central repository.
Neither of these things is going to be able to use a defined Facility but
they could both use local7 simultaneously. Some process at the receiver
would have to separate them based upon APPNAME.
_______________________________________________
Syslog mailing list
Syslog at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog
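The receiver-side separation described in the message above, as an added example that is not part of the original post: several applications share Facility local7 and a collector splits them by application name. It assumes the RFC 5424 header layout, where APP-NAME is a header field; the sample lines, host name and the `parse` / `split_by_app` helpers are constructed for illustration.

```python
import re
from collections import defaultdict

# Facility number for the label named in the message (RFC 5424, section 6.2.1).
LOCAL7 = 23
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID rest
HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)


def parse(line):
    """Return a dict of header fields, or None if the line is not RFC 5424."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI is facility 23, severity 7
        return None
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    app = m.group(4)
    return {
        "facility": facility,
        "severity": SEVERITIES[severity],
        "host": m.group(3),
        "app": None if app == "-" else app,  # "-" is the NILVALUE
        "rest": m.group(7),  # structured data and free-form message
    }


def split_by_app(lines, facility=LOCAL7):
    """Group the messages of one shared facility by APP-NAME."""
    buckets = defaultdict(list)
    for line in lines:
        msg = parse(line)
        if msg is None or msg["facility"] != facility:
            continue
        buckets[msg["app"] or "(no APP-NAME)"].append(msg)
    return dict(buckets)


# Constructed sample input: two applications sharing local7, one sender
# without an APP-NAME, and one message from a different facility (daemon).
SAMPLE = [
    "<186>1 2006-11-01T10:00:00Z host1 foo 411 - - disk quota exceeded",
    "<190>1 2006-11-01T10:00:01Z host1 virusscan 902 - - scan finished",
    "<189>1 2006-11-01T10:00:02Z host1 - - - - unnamed sender",
    "<30>1 2006-11-01T10:00:03Z host1 cron 77 - - job started",
]
```

Messages that arrive on the shared facility without an APP-NAME land in their own bucket, which is where a collector would have to fall back on host or content to tell senders apart.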