Current Meeting Report
Slides
Jabber Logs


2.6.11 Security Issues in Network Event Logging (syslog)


In addition to this official charter maintained by the IETF Secretariat, there is additional information about this working group on the Web at:

       http://www.employees.org/~lonvick/index.shtml -- Additional SYSLOG Page
NOTE: This charter is a snapshot of the 55th IETF Meeting in Altanta, Georgia USA. It may now be out-of-date.

Last Modifield: 04/04/2002

Chair(s):
Chris Lonvick <clonvick@cisco.com>
Security Area Director(s):
Jeffrey Schiller <jis@mit.edu>
Steve Bellovin <smb@research.att.com>
Security Area Advisor:
Steve Bellovin <smb@research.att.com>
Mailing Lists:
General Discussion: syslog-sec@employees.org
To Subscribe: majordomo@employees.org
In Body: subscribe syslog-sec your_email_address
Archive: http://www.mail-archive.com/syslog-sec@employees.org/
Description of Working Group:
Syslog is a de-facto standard for logging system events. However, the protocol component of this event logging system has not been formally documented. While the protocol has been very useful and scalable, it has some known but undocumented security problems. For instance, the messages are unauthenticated and there is no mechanism to provide verified delivery and message integrity.

The goal of this working group is to document and address the security and integrity problems of the existing Syslog mechanism. In order to accomplish this task we will document the existing protocol. The working group will also explore and develop a standard to address the security problems.

Beyond documenting the Syslog protocol and its problems, the working group will work on ways to secure the Syslog protocol. At a minimum this group will address providing authenticity, integrity and confidentiality of Syslog messages as they traverse the network. The belief being that we can provide mechanisms that can be utilized in existing programs with few modifications to the protocol while providing significant security enhancements.

Goals and Milestones:
Done  Post as an Internet Draft the observed behavior of the Syslog protocol for consideration as an Informational Document.
Done  Submit Syslog protocol document to IESG for consideration as an INFORMATIONAL RFC.
Done  Post as an Internet Draft the specification for an authenticated Syslog for consideration as a Standards Track RFC.
AUG 00  Submit Syslog Authentication Protocol to IESG for consideration as a PROPOSED STANDARD.
Done  Post an Internet Draft describing enhancements to the Syslog authentication protocol to add verification of delivery and other security services.
Done  Submit Syslog Authentication Protocol Enhancement to IESG for consideration as a PROPOSED STANDARD.
DEC 00  Revise drafts as necessary to advance these Internet-Drafts to Standards Track RFCs.
Internet-Drafts:
  • - draft-ietf-syslog-sign-07.txt
  • - draft-ietf-syslog-device-mib-01.txt
  • Request For Comments:
    RFCStatusTitle
    RFC3164 I The BSD Syslog Protocol
    RFC3195 PS Reliable Delivery for Syslog

    Current Meeting Report

    MagnusSecurity Issues in Network Event Logging WG (syslog)
    
    Tuesday, November 19 at 1415-1515
    =================================
    
    CHAIR: Chris Lonvick <clonvick@cisco.com>
    
    Agenda Bashing
        
        No changes.
        
        Marshall Rose to take minutes.
        
        
    Review of Charter and Status Update
        
        Reminder: the goal is *not* about defining/changing the content of 
    syslog messages.
    
        RFCs so far:
        
        RFC 3164 - "The BSD syslog Protocol"
        
        RFC 3195 - "Reliable Delivery for syslog"
        
    
    Review of draft-ietf-syslog-sign-07.txt (kelsey)
        
        Basic idea: insert extra messages into a log stream along with a 
    sliding window.
        
        Document status: finalizing for RFC submission
        
        Two changes: renaming one of the "PRI" fields to "Signature Pri" to 
    avoid confusion; and, transport agnosticism
        
        
    Plea for New Author of 
    draft-ietf-syslog-device-mib-01.txt
        
        two folks are interested in helping out on the syslog mib.
        
        
    Wrap Up                                      
    
        we know of two implementations of syslog-reliable.
    
    

    Slides

    Agenda