Network Working Group                                    J. Schoenwaelder
Internet-Draft                                   Jacobs University Bremen
Intended status: Standards Track                                 A. Clemm
Expires: February 14, 2010                                    A. Karmakar
                                                            Cisco Systems
                                                          August 13, 2009

    Definitions of Managed Objects for Mapping SYSLOG Messages to Simple
              Network Management Protocol (SNMP) Notifications
                    draft-ietf-opsawg-syslog-msg-mib-06.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.
   This Internet-Draft will expire on February 14, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines a mapping of SYSLOG messages to Simple
   Network Management Protocol (SNMP) notifications.

Table of Contents

   1.  Introduction
   2.  The Internet-Standard Management Framework
   3.  Conventions
   4.  Overview
   5.  Relationship to Other MIB Modules
   6.  Relationship to the SNMP Notification to SYSLOG Mapping
   7.  Definitions
   8.  Usage Example
   9.  IANA Considerations
   10. Security Considerations
   11. Acknowledgments
   12. References
       12.1.  Normative References
       12.2.  Informative References
   Authors' Addresses

1.  Introduction

   SNMP [RFC3410] [RFC3411] and SYSLOG [RFC5424] are two widely used
   protocols to communicate event notifications.  Although co-existence
   of several management protocols in one operational environment is
   possible, certain environments require that all event notifications
   are collected by a single system daemon such as a SYSLOG collector or
   an SNMP notification receiver via a single management protocol.  In
   such environments, it is necessary to translate event notifications
   between management protocols.

   This document defines an SNMP MIB module to represent SYSLOG messages
   and to send SYSLOG messages as SNMP notifications to SNMP
   notification receivers.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

4.  Overview

   SYSLOG messages are translated to SNMP by a SYSLOG-to-SNMP
   translator.  Such a translator acts as a SYSLOG collector [RFC5424]
   and implements a MIB module according to the SNMP architecture
   [RFC3411].  The translator might be tightly coupled to an SNMP agent
   or it might interface with an SNMP agent via a subagent protocol.

   After initialization, the SYSLOG-to-SNMP translator listens for
   SYSLOG messages.  On receiving a message, the translator parses it
   to extract the information described in the MIB module.  A
   conceptual table is populated with the information extracted from
   the SYSLOG message and finally a notification may be generated.

   The MIB module is organized into a group of scalars and two tables.
   The syslogMsgControl group contains two scalars controlling the
   maximum size of SYSLOG messages recorded in the tables and whether
   SNMP notifications are generated for SYSLOG messages.

   --syslogMsgObjects(1)
     |
     +--syslogMsgControl(1)
        |
        +-- Unsigned32 syslogMsgTableMaxSize(1)
        +-- TruthValue syslogMsgEnableNotifications(2)

   The syslogMsgTable contains one entry for each recorded SYSLOG
   message.  The basic fields of SYSLOG messages as well as message
   properties are represented in different columns of the conceptual
   table.

   --syslogMsgObjects(1)
     |
     +--syslogMsgTable(2)
        |
        +--syslogMsgEntry(1) [syslogMsgIndex]
           |
           +-- Unsigned32 syslogMsgIndex(1)
           +-- SyslogFacility syslogMsgFacility(2)
           +-- SyslogSeverity syslogMsgSeverity(3)
           +-- Unsigned32 syslogMsgVersion(4)
           +-- SyslogTimeStamp syslogMsgTimeStamp(5)
           +-- DisplayString syslogMsgHostName(6)
           +-- DisplayString syslogMsgAppName(7)
           +-- DisplayString syslogMsgProcID(8)
           +-- DisplayString syslogMsgMsgID(9)
           +-- Unsigned32 syslogMsgSDParams(10)
           +-- OctetString syslogMsgMsg(11)

   The syslogMsgSDTable contains one entry for each structured data
   element parameter contained in a SYSLOG message.  Since structured
   data elements are optional, the relationship between the
   syslogMsgTable and the syslogMsgSDTable ranges from one-to-zero to
   one-to-many.
   --syslogMsgObjects(1)
     |
     +--syslogMsgSDTable(3)
        |
        +--syslogMsgSDEntry(1) [syslogMsgIndex,
           |                    syslogMsgSDParamIndex,
           |                    syslogMsgSDID,
           |                    syslogMsgSDParamName]
           |
           +-- Unsigned32 syslogMsgSDParamIndex(1)
           +-- DisplayString syslogMsgSDID(2)
           +-- DisplayString syslogMsgSDParamName(3)
           +-- SyslogParamValueString syslogMsgSDParamValue(4)

5.  Relationship to Other MIB Modules

   The NOTIFICATION-LOG-MIB [RFC3014] provides a generic mechanism for
   logging SNMP notifications in order to deal with lost SNMP
   notifications, e.g., due to transient communication problems.
   Applications can poll the notification log to verify that they have
   not missed important SNMP notifications.

   The MIB module defined in this memo provides a mechanism for logging
   SYSLOG notifications.  This additional SYSLOG notification log is
   provided because (a) SYSLOG messages might not lead to SNMP
   notifications (this is configurable) and (b) SNMP notifications might
   not carry all information associated with a SYSLOG notification.

   The MIB module IMPORTS objects from SNMPv2-SMI [RFC2578], SNMPv2-TC
   [RFC2579], SNMPv2-CONF [RFC2580], SNMP-FRAMEWORK-MIB [RFC3411], and
   SYSLOG-TC-MIB [RFC5427].

6.  Relationship to the SNMP Notification to SYSLOG Mapping

   A companion document defines a mapping of SNMP notifications to
   SYSLOG messages [I-D.ietf-opsawg-syslog-snmp].  This section
   discusses the possibilities of using both specifications in
   combination.

   A SYSLOG collector implementing the SYSLOG-MSG-MIB module and the
   mapping of SNMP notifications to SYSLOG messages may be configured to
   translate received SYSLOG messages containing SNMP notifications back
   into the original SNMP notification.  In this case, the relevant
   tables of the SYSLOG-MSG-MIB will not be populated for SYSLOG
   messages carrying SNMP notifications.  This configuration allows
   operators to build a forwarding chain where SNMP notifications are
   "tunneled" through SYSLOG messages.  Due to size restrictions of the
   SYSLOG transports and the more verbose textual encoding used by
   SYSLOG, there is a possibility that SNMP notification content gets
   truncated while tunneled through SYSLOG and thus the resulting SNMP
   notification may be incomplete.

   An SNMP management application supporting the SYSLOG-MSG-MIB and the
   mapping of SNMP notifications to SYSLOG messages may process
   information from the SYSLOG-MSG-MIB in order to emit a SYSLOG message
   representing the SYSLOG message recorded in the SYSLOG-MSG-MIB
   module.  This configuration allows operators to build a forwarding
   chain where SYSLOG messages are "tunneled" through SNMP messages.  A
   notification receiver can determine whether a syslogMsgNotification
   contained all structured data element parameters of a SYSLOG message.
   In case parameters are missing, a forwarding application MUST
   retrieve the missing parameters from the SYSLOG-MSG-MIB.  Regular
   polling of the SYSLOG-MSG-MIB can be used to take care of any lost
   SNMP notifications.

7.  Definitions

   SYSLOG-MSG-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Unsigned32, mib-2
           FROM SNMPv2-SMI
       TEXTUAL-CONVENTION, DisplayString, TruthValue
           FROM SNMPv2-TC
       OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE
           FROM SNMPv2-CONF
       SyslogFacility, SyslogSeverity
           FROM SYSLOG-TC-MIB;

   syslogMsgMib MODULE-IDENTITY
       LAST-UPDATED "200908130800Z"
       ORGANIZATION "IETF OPSAWG Working Group"
       CONTACT-INFO
           "Juergen Schoenwaelder

            Jacobs University Bremen
            Campus Ring 1
            28757 Bremen
            Germany

            Alexander Clemm

            Cisco Systems
            170 West Tasman Drive
            San Jose, CA 95134-1706
            USA

            Anirban Karmakar

            Cisco Systems
            170 West Tasman Drive
            San Jose, CA 95134-1706
            USA"
       DESCRIPTION
           "This MIB module represents SYSLOG messages as SNMP objects.

            Copyright (c) 2009 IETF Trust and the persons identified as
            the document authors.  All rights reserved.

            Redistribution and use in source and binary forms, with or
            without modification, are permitted provided that the
            following conditions are met:

            - Redistributions of source code must retain the above
              copyright notice, this list of conditions and the
              following disclaimer.

            - Redistributions in binary form must reproduce the above
              copyright notice, this list of conditions and the
              following disclaimer in the documentation and/or other
              materials provided with the distribution.

            - Neither the name of Internet Society, IETF or IETF
              Trust, nor the names of specific contributors, may be
              used to endorse or promote products derived from this
              software without specific prior written permission.
            THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
            CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED
            WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
            WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
            PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
            OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
            INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
            (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
            GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
            BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
            LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
            (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
            OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
            POSSIBILITY OF SUCH DAMAGE.

            This version of this MIB module is part of RFC XXXX; see
            the RFC itself for full legal notices."
       REVISION "200908130800Z"
       DESCRIPTION
           "Initial version issued as part of RFC XXXX."
       -- RFC Ed.: replace XXXX with actual RFC number & remove this note
       ::= { mib-2 XXX }
       -- RFC Ed.: replace XXX with IANA-assigned number & remove this note

   -- textual convention definitions

   SyslogTimeStamp ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "2d-1d-1d,1d:1d:1d.3d,1a1d:1d"
       STATUS       current
       DESCRIPTION
           "A date-time specification.  This type is similar to the
            DateAndTime type defined in the SNMPv2-TC except that
            the subsecond granulation is microseconds instead of
            deciseconds and that a zero-length string can be used
            to indicate a missing value.
            field  octets  contents                  range
            -----  ------  --------                  -----
              1      1-2   year*                     0..65536
              2       3    month                     1..12
              3       4    day                       1..31
              4       5    hour                      0..23
              5       6    minutes                   0..59
              6       7    seconds                   0..60
                           (use 60 for leap-second)
              7     8-10   microseconds              0..999999
              8      11    direction from UTC        '+' / '-'
              9      12    hours from UTC*           0..13
             10      13    minutes from UTC          0..59

            * Notes:
            - the value of year is in network-byte order
            - the value of microseconds is in network-byte order
            - daylight saving time in New Zealand is +13

            For example, Tuesday May 26, 1992 at 1:30:15 PM EDT would be
            displayed as:

                1992-5-26,13:30:15.0,-4:0

            Note that if only local time is known, then timezone
            information (octets 11-13) is not present."
       SYNTAX       OCTET STRING (SIZE (0 | 10 | 13))

   SyslogParamValueString ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "65535t"
       STATUS       current
       DESCRIPTION
           "The value of a SYSLOG SD-PARAM is represented using the
            ISO/IEC IS 10646-1 character set, encoded as an octet string
            using the UTF-8 transformation format described in RFC3629.

            Since additional code points are added by amendments to the
            10646 standard from time to time, implementations must be
            prepared to encounter any code point from 0x00000000 to
            0x7fffffff.  Byte sequences that do not correspond to the
            valid UTF-8 encoding of a code point or are outside this
            range are prohibited.  Similarly, overlong UTF-8 sequences
            are prohibited.

            UTF-8 may require multiple bytes to represent a single
            character / code point; thus the length of this object in
            octets may be different from the number of characters
            encoded.  Similarly, size constraints refer to the number of
            encoded octets, not the number of characters represented by
            an encoding."
       REFERENCE
           "RFC3629: UTF-8, a transformation format of ISO 10646"
       SYNTAX       OCTET STRING

   -- object definitions

   syslogMsgNotifications OBJECT IDENTIFIER ::= { syslogMsgMib 0 }
   syslogMsgObjects       OBJECT IDENTIFIER ::= { syslogMsgMib 1 }
   syslogMsgConformance   OBJECT IDENTIFIER ::= { syslogMsgMib 2 }

   syslogMsgControl       OBJECT IDENTIFIER ::= { syslogMsgObjects 1 }

   syslogMsgTableMaxSize OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The maximum number of syslog messages that may be held in
            syslogMsgTable.  A particular setting does not guarantee that
            there is sufficient memory available for the maximum number
            of table entries indicated by this object.  A value of 0 means
            no fixed limit.

            If an application reduces the limit while there are syslog
            messages in the syslogMsgTable, the syslog messages that are
            in the syslogMsgTable for the longest time MUST be discarded
            to bring the table down to the new limit.

            The value of this object should be kept in nonvolatile
            memory."
       DEFVAL { 0 }
       ::= { syslogMsgControl 1 }

   syslogMsgEnableNotifications OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Indicates whether syslogMsgNotification notifications are
            generated.

            The value of this object should be kept in nonvolatile
            memory."
       DEFVAL { false }
       ::= { syslogMsgControl 2 }

   syslogMsgTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogMsgEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing recent syslog messages.  The size of the
            table is controlled by the syslogMsgTableMaxSize object."
       ::= { syslogMsgObjects 2 }

   syslogMsgEntry OBJECT-TYPE
       SYNTAX      SyslogMsgEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry of the syslogMsgTable."
       INDEX { syslogMsgIndex }
       ::= { syslogMsgTable 1 }

   SyslogMsgEntry ::= SEQUENCE {
       syslogMsgIndex         Unsigned32,
       syslogMsgFacility      SyslogFacility,
       syslogMsgSeverity      SyslogSeverity,
       syslogMsgVersion       Unsigned32,
       syslogMsgTimeStamp     SyslogTimeStamp,
       syslogMsgHostName      DisplayString,
       syslogMsgAppName       DisplayString,
       syslogMsgProcID        DisplayString,
       syslogMsgMsgID         DisplayString,
       syslogMsgSDParams      Unsigned32,
       syslogMsgMsg           OCTET STRING
   }

   syslogMsgIndex OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A monotonically increasing number used to identify entries in
            the syslogMsgTable.  When syslogMsgIndex reaches the maximum
            value (4294967295) the value wraps back to 1.

            Applications periodically polling the syslogMsgTable for new
            entries should take into account that a complete rollover of
            syslogMsgIndex will happen if more than 4294967294 messages
            are received during a poll interval."
       ::= { syslogMsgEntry 1 }

   syslogMsgFacility OBJECT-TYPE
       SYNTAX      SyslogFacility
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The facility of the syslog message."
       REFERENCE
           "RFC5424: The Syslog Protocol (section 6.2.1)
            RFC5427: Textual Conventions for Syslog Management"
       ::= { syslogMsgEntry 2 }

   syslogMsgSeverity OBJECT-TYPE
       SYNTAX      SyslogSeverity
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The severity of the syslog message."
       REFERENCE
           "RFC5424: The Syslog Protocol (section 6.2.1)
            RFC5427: Textual Conventions for Syslog Management"
       ::= { syslogMsgEntry 3 }

   syslogMsgVersion OBJECT-TYPE
       SYNTAX      Unsigned32 (0..999)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The version of the syslog message.  A value of 0 indicates
            that the version is unknown."
       REFERENCE
           "RFC5424: The Syslog Protocol (section 6.2.2)"
       ::= { syslogMsgEntry 4 }

   syslogMsgTimeStamp OBJECT-TYPE
       SYNTAX      SyslogTimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The timestamp of the syslog message.  A zero length
            string is returned if the timestamp is unknown."
       REFERENCE
           "RFC5424: The Syslog Protocol (section 6.2.3)"
       ::= { syslogMsgEntry 5 }

   syslogMsgHostName OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (0..255))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The hostname and the (optional) domain name of the syslog
            message.  A zero-length string indicates an unknown hostname.
            The SYSLOG protocol specification constrains this string to
            printable US-ASCII code points."
       REFERENCE
           "RFC5424: The Syslog Protocol (section 6.2.4)"
       ::= { syslogMsgEntry 6 }

   syslogMsgAppName OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (0..48))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The app-name of the syslog message.  A zero-length string
            indicates an unknown app-name.  The SYSLOG protocol
            specification constrains this string to printable US-ASCII
            code points."
       REFERENCE
           "RFC5424: The Syslog Protocol (section 6.2.5)"
       ::= { syslogMsgEntry 7 }

   syslogMsgProcID OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (0..128))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The procid of the syslog message.  A zero-length string
            indicates an unknown procid.  The SYSLOG protocol specification
            constrains this string to printable US-ASCII code points."
       REFERENCE
           "RFC5424: The Syslog Protocol (section 6.2.6)"
       ::= { syslogMsgEntry 8 }

   syslogMsgMsgID OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (0..32))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The msgid of the syslog message.  A zero-length string
            indicates an unknown msgid.  The SYSLOG protocol specification
            constrains this string to printable US-ASCII code points."
       REFERENCE
           "RFC5424: The Syslog Protocol (section 6.2.7)"
       ::= { syslogMsgEntry 9 }

   syslogMsgSDParams OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The total number of structured data element parameters
            carried in the syslog message.  This number effectively
            indicates the number of entries in the syslogMsgSDTable.
            It can be used, for example, by a notification receiver
            to determine whether a notification carried all
            structured data element parameters of a syslog message."
       ::= { syslogMsgEntry 10 }

   syslogMsgMsg OBJECT-TYPE
       SYNTAX      OCTET STRING
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The message part of the syslog message.  The syntax does not
            impose a size restriction.  Implementations of this MIB module
            may truncate the message part of the syslog message such that
            it fits into the size constraints imposed by the implementation
            environment.  Such truncations can also happen elsewhere in the
            syslog forwarding chain.

            If the first octets contain the value 'EFBBBF'h, then the rest
            of the message is a UTF-8 string.  Since syslog messages may be
            truncated at arbitrary octet boundaries during forwarding, the
            message may contain invalid UTF-8 encodings at the end."
       REFERENCE
           "RFC5424: The Syslog Protocol (sections 6.1 and 6.4)"
       ::= { syslogMsgEntry 11 }

   syslogMsgSDTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogMsgSDEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing structured data elements of syslog
            messages."
       ::= { syslogMsgObjects 3 }

   syslogMsgSDEntry OBJECT-TYPE
       SYNTAX      SyslogMsgSDEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry of the syslogMsgSDTable."
       INDEX { syslogMsgIndex, syslogMsgSDParamIndex,
               syslogMsgSDID, syslogMsgSDParamName }
       ::= { syslogMsgSDTable 1 }

   SyslogMsgSDEntry ::= SEQUENCE {
       syslogMsgSDParamIndex  Unsigned32,
       syslogMsgSDID          DisplayString,
       syslogMsgSDParamName   DisplayString,
       syslogMsgSDParamValue  SyslogParamValueString
   }

   syslogMsgSDParamIndex OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object indexes the structured data element parameters
            contained in a SYSLOG message.  The first structured data
            element parameter has the index value 1 and subsequent
            parameters are indexed by incrementing the index of the
            previous parameter.  The index increases across structured
            data element boundaries so that the value reflects the
            position of a structured data element parameter in a
            SYSLOG message."
       REFERENCE
           "RFC5424: The Syslog Protocol (section 6.3.3)"
       ::= { syslogMsgSDEntry 1 }

   syslogMsgSDID OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The name (SD-ID) of a structured data element.  The SYSLOG
            protocol specification constrains this string to printable
            US-ASCII code points."
       REFERENCE
           "RFC5424: The Syslog Protocol (section 6.3.2)"
       ::= { syslogMsgSDEntry 2 }

   syslogMsgSDParamName OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The name of a parameter of the structured data element.  The
            SYSLOG protocol specification constrains this string to
            printable US-ASCII code points."
       REFERENCE
           "RFC5424: The Syslog Protocol (section 6.3.3)"
       ::= { syslogMsgSDEntry 3 }

   syslogMsgSDParamValue OBJECT-TYPE
       SYNTAX      SyslogParamValueString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of the parameter of a syslog message identified by
            the index of this table.  The value is stored in the unescaped
            format."
       REFERENCE
           "RFC5424: The Syslog Protocol (section 6.3.3)"
       ::= { syslogMsgSDEntry 4 }

   -- notification definitions

   syslogMsgNotification NOTIFICATION-TYPE
       OBJECTS { syslogMsgFacility, syslogMsgSeverity,
                 syslogMsgVersion, syslogMsgTimeStamp,
                 syslogMsgHostName, syslogMsgAppName,
                 syslogMsgProcID, syslogMsgMsgID,
                 syslogMsgSDParams, syslogMsgMsg }
       STATUS  current
       DESCRIPTION
           "The syslogMsgNotification is generated when a new syslog
            message is received and the value of
            syslogMsgEnableNotifications is true.

            Implementations may add syslogMsgSDParamValue objects as long
            as the resulting notification fits into the size constraints
            imposed by the implementation environment and the notification
            message size constraints imposed by maxMessageSize [RFC3412]
            and SNMP transport mappings."
       ::= { syslogMsgNotifications 1 }

   -- conformance statements

   syslogMsgGroups      OBJECT IDENTIFIER ::= { syslogMsgConformance 1 }
   syslogMsgCompliances OBJECT IDENTIFIER ::= { syslogMsgConformance 2 }

   syslogMsgFullCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for implementations of the
            SYSLOG-MSG-MIB."
       MODULE -- this module
       MANDATORY-GROUPS {
           syslogMsgGroup,
           syslogMsgSDGroup,
           syslogMsgControlGroup,
           syslogMsgNotificationGroup
       }
       ::= { syslogMsgCompliances 1 }

   syslogMsgReadOnlyCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for implementations of the
            SYSLOG-MSG-MIB that do not support read-write access."
       MODULE -- this module
       MANDATORY-GROUPS {
           syslogMsgGroup,
           syslogMsgSDGroup,
           syslogMsgControlGroup,
           syslogMsgNotificationGroup
       }
       OBJECT syslogMsgTableMaxSize
       MIN-ACCESS read-only
       DESCRIPTION
           "Write access is not required."
       OBJECT syslogMsgEnableNotifications
       MIN-ACCESS read-only
       DESCRIPTION
           "Write access is not required."
       ::= { syslogMsgCompliances 2 }

   syslogMsgNotificationCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for implementations of the
            SYSLOG-MSG-MIB that only generate notifications and do not
            provide a table to allow read access to syslog message
            details."
       MODULE -- this module
       MANDATORY-GROUPS {
           syslogMsgGroup,
           syslogMsgSDGroup,
           syslogMsgNotificationGroup
       }
       OBJECT syslogMsgFacility
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgSeverity
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgVersion
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgTimeStamp
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgHostName
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgAppName
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgProcID
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgMsgID
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgSDParams
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgMsg
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgSDParamValue
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       ::= { syslogMsgCompliances 3 }

   syslogMsgNotificationGroup NOTIFICATION-GROUP
       NOTIFICATIONS {
           syslogMsgNotification
       }
       STATUS      current
       DESCRIPTION
           "The notifications emitted by this MIB module."
       ::= { syslogMsgGroups 1 }

   syslogMsgGroup OBJECT-GROUP
       OBJECTS {
           -- syslogMsgIndex,
           syslogMsgFacility,
           syslogMsgSeverity,
           syslogMsgVersion,
           syslogMsgTimeStamp,
           syslogMsgHostName,
           syslogMsgAppName,
           syslogMsgProcID,
           syslogMsgMsgID,
           syslogMsgSDParams,
           syslogMsgMsg
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects representing a syslog message
            excluding structured data elements."
       ::= { syslogMsgGroups 2 }

   syslogMsgSDGroup OBJECT-GROUP
       OBJECTS {
           -- syslogMsgSDParamIndex,
           -- syslogMsgSDID,
           -- syslogMsgSDParamName,
           syslogMsgSDParamValue
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects representing the structured data
            elements of a syslog message."
       ::= { syslogMsgGroups 3 }

   syslogMsgControlGroup OBJECT-GROUP
       OBJECTS {
           syslogMsgTableMaxSize,
           syslogMsgEnableNotifications
       }
       STATUS      current
       DESCRIPTION
           "A collection of control objects to control the size of the
            syslogMsgTable and to enable / disable notifications."
       ::= { syslogMsgGroups 4 }

   END

8.  Usage Example

   The following example shows a valid syslog message including
   structured data.  The otherwise-unprintable Unicode BOM is
   represented as "BOM" in the example.

     <165>1 2003-10-11T22:14:15.003Z mymachine.example.com
     evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application"
     eventID="1011"] BOMAn application event log entry...
   This syslog message leads to the following entries in the
   syslogMsgTable and the syslogMsgSDTable (note that string indexes are
   written as strings for readability reasons):

      syslogMsgIndex.1 = 1
      syslogMsgFacility.1 = 20
      syslogMsgSeverity.1 = 5
      syslogMsgVersion.1 = 1
      syslogMsgTimeStamp.1 = 2003-10-11,22:14:15.003,+0:0
      syslogMsgHostName.1 = "mymachine.example.com"
      syslogMsgAppName.1 = "evntslog"
      syslogMsgProcID.1 = "-"
      syslogMsgMsgID.1 = "ID47"
      syslogMsgMsg.1 = "BOMAn application event log entry..."
      syslogMsgSDParamValue.1.1."exampleSDID@32473"."iut"
           = "3"
      syslogMsgSDParamValue.1.2."exampleSDID@32473"."eventSource"
           = "Application"
      syslogMsgSDParamValue.1.3."exampleSDID@32473"."eventID"
           = "1011"

9.  IANA Considerations

   The IANA is requested to assign a value for "XXX" under the 'mib-2'
   subtree and to record the assignment in the SMI Numbers registry.
   When the assignment has been made, the RFC Editor is asked to replace
   "XXX" (here and in the MIB module) with the assigned value.

10.  Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

   o  syslogMsgTableMaxSize: This object controls how many entries are
      kept in the syslogMsgTable.  Unauthorized modifications may either
      cause increased memory consumption (by setting this object to a
      large value) or turn off the capability to retrieve notifications
      using GET class operations (by setting this object to zero).  This
      might be used to hide traces of an attack.
   o  syslogMsgEnableNotifications: This object enables notifications.
      Unauthorized modifications to disable notification generation can
      be used to hide an attack by preventing management applications
      that use SNMP from receiving real-time notifications about events
      carried in syslog messages.  Unauthorized modifications to enable
      notification generation may be used as part of a denial of service
      attack against a network management system if, for example, the
      SYSLOG-to-SNMP translator accepts unauthorized syslog messages.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

   o  syslogMsgTableMaxSize, syslogMsgEnableNotifications: These objects
      provide information on whether SYSLOG messages are forwarded as
      SNMP notifications and how many messages will be maintained in the
      syslogMsgTable.  This information might be exploited by an
      attacker in order to plan actions with the goal of hiding attack
      activities.

   o  syslogMsgFacility, syslogMsgSeverity, syslogMsgVersion,
      syslogMsgTimeStamp, syslogMsgHostName, syslogMsgAppName,
      syslogMsgProcID, syslogMsgMsgID, syslogMsgSDParams, syslogMsgMsg,
      syslogMsgSDParamValue: These objects carry the content of syslog
      messages and the syslog message oriented security considerations of
      [RFC5424] apply.  In particular, an attacker who gains access to
      SYSLOG messages via SNMP may use the knowledge gained from SYSLOG
      messages to compromise a machine or do other damage.
      It is therefore desirable to configure SNMP access control rules
      enforcing a consistent security policy for SYSLOG messages.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

   Using the security features of the SNMPv3 framework secures the
   transport of SYSLOG data via SNMP only.  It is therefore RECOMMENDED
   that deployments use SYSLOG security mechanisms in order to prevent
   attackers from adding malicious SYSLOG data to the MIB tables.

11.  Acknowledgments

   The editors wish to thank the following individuals for providing
   helpful comments on various versions of this document: Martin
   Bjorklund, Washam Fan, Rainer Gerhards, Wes Hardaker, David
   Harrington, Tom Petch, Juergen Quittek, Dan Romascanu, and Bert
   Wijnen.

12.  References

12.1.  Normative References

   [I-D.ietf-opsawg-syslog-snmp]
              Marinov, V. and J.
              Schoenwaelder, "Mapping Simple Network
              Management Protocol (SNMP) Notifications to SYSLOG
              Messages", Internet Draft (work in progress), March 2009.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Structure of Management Information Version 2 (SMIv2)",
              STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Textual Conventions for SMIv2", STD 58, RFC 2579,
              April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3412]  Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple Network
              Management Protocol (SNMP)", STD 62, RFC 3412,
              December 2002.

   [RFC3629]  Yergeau, F., "UTF-8, a transformation format of ISO
              10646", STD 63, RFC 3629, November 2003.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009.

   [RFC5427]  Keeni, G., "Textual Conventions for Syslog Management",
              RFC 5427, March 2009.

12.2.  Informative References

   [RFC3014]  Kavasseri, R., Ed., "Notification Log MIB", RFC 3014,
              November 2002.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.
Authors' Addresses

   Juergen Schoenwaelder
   Jacobs University Bremen
   Campus Ring 1
   28725 Bremen
   Germany

   Email: j.schoenwaelder@jacobs-university.de


   Alexander Clemm
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   Email: alex@cisco.com


   Anirban Karmakar
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   Email: akarmaka@cisco.com
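   The following is an added worked example and is not part of the
   draft or of any implementation the draft describes.  It carries the
   mapping of Section 8 through in code: an RFC 5424 message is split
   into the HEADER, STRUCTURED-DATA and MSG parts, PRI is decomposed into
   syslogMsgFacility (PRI / 8) and syslogMsgSeverity (PRI mod 8), and the
   SD-PARAMs are numbered the way the syslogMsgSDParamValue instances in
   Section 8 are.  It also models the syslogMsgTableMaxSize behaviour
   discussed in Section 10: the table is a FIFO, and a size of zero
   keeps nothing, so messages keep arriving but can no longer be read
   back with GET.  Only the object names come from the draft; the class
   name, the helper names, the row layout, the treatment of
   syslogMsgSDParams as a count of SD-PARAMs and the omission of index
   wrap-around are this example's own assumptions, and the second sample
   message is constructed for the example.

```python
"""Added example, not part of the draft: map an RFC 5424 syslog message onto
the syslogMsgTable / syslogMsgSDTable rows of Section 8 and bound the table
by syslogMsgTableMaxSize (Section 10). Object names are the draft's; the
class, helper names and the row layout are this example's own."""
import re
from collections import OrderedDict
from datetime import datetime

# HEADER = "<PRI>" VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) ")
# SD-ELEMENT = "[" SD-ID *(SP SD-PARAM) "]"; PARAM-VALUE may carry the escapes
# \" \] \\ of RFC 5424 Section 6.3.3, so a backslash always takes the next char.
_SD_NAME = r'[^\s=\]"]{1,32}'
_SD_VALUE = r'"(?:[^"\\]|\\.)*"'
_SD_ELEMENT_RE = re.compile(r"\[(?P<sdid>" + _SD_NAME + r")(?P<params>(?: "
                            + _SD_NAME + "=" + _SD_VALUE + r")*)\]")
_SD_PARAM_RE = re.compile(r" (?P<name>" + _SD_NAME + r')="(?P<value>(?:[^"\\]|\\.)*)"')
_UNESCAPE_RE = re.compile(r'\\(["\]\\])')


def display_timestamp(ts):
    """Render TIMESTAMP as Section 8 shows syslogMsgTimeStamp (y-m-d,h:m:s.ms,+h:m);
    NILVALUE "-" is kept.  Fractions need 3 or 6 digits on Python < 3.11."""
    if ts == "-":
        return "-"
    dt = datetime.fromisoformat(ts[:-1] + "+00:00" if ts.endswith("Z") else ts)
    if dt.utcoffset() is None:
        raise ValueError("TIMESTAMP must carry a time zone")
    off = int(dt.utcoffset().total_seconds()) // 60
    sign, off = ("+", off) if off >= 0 else ("-", -off)
    return (f"{dt.year}-{dt.month}-{dt.day},{dt.hour}:{dt.minute}:{dt.second}"
            f".{dt.microsecond // 1000:03d},{sign}{off // 60}:{off % 60}")


def parse_syslog_message(raw):
    """Return the syslogMsgTable row for `raw`; key "sd" holds the
    syslogMsgSDTable rows as (paramIndex, sdid, name, value) tuples."""
    m = _HEADER_RE.match(raw)
    if not m or int(m.group("pri")) > 191:
        raise ValueError("not an RFC 5424 message")
    pri, rest, sd = int(m.group("pri")), raw[m.end():], []
    if rest.startswith("-"):                 # STRUCTURED-DATA = NILVALUE
        rest = rest[1:]
    else:                                    # one or more SD-ELEMENTs
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            e = _SD_ELEMENT_RE.match(rest, pos)
            if not e:
                raise ValueError("malformed SD-ELEMENT")
            for p in _SD_PARAM_RE.finditer(e.group("params")):
                sd.append((len(sd) + 1, e.group("sdid"), p.group("name"),
                           _UNESCAPE_RE.sub(r"\1", p.group("value"))))
            pos = e.end()
        if pos == 0:
            raise ValueError("missing STRUCTURED-DATA")
        rest = rest[pos:]
    if rest and not rest.startswith(" "):    # MSG, if present, follows one SP
        raise ValueError("junk after STRUCTURED-DATA")
    return {"syslogMsgFacility": pri // 8, "syslogMsgSeverity": pri % 8,
            "syslogMsgVersion": int(m.group("version")),
            "syslogMsgTimeStamp": display_timestamp(m.group("timestamp")),
            "syslogMsgHostName": m.group("hostname"),
            "syslogMsgAppName": m.group("appname"),
            "syslogMsgProcID": m.group("procid"), "syslogMsgMsgID": m.group("msgid"),
            "syslogMsgSDParams": len(sd),    # assumed here: number of SD-PARAMs
            "syslogMsgMsg": rest[1:], "sd": sd}   # a leading BOM stays in MSG


class SyslogMsgTable:
    """syslogMsgTable as a FIFO of at most syslogMsgTableMaxSize rows.  Size 0
    keeps nothing: messages still arrive but cannot be read back with GET,
    the trace-hiding case of Section 10.  Index wrap-around is omitted."""

    def __init__(self, max_size=100):
        self.max_size, self.next_index, self.rows = max_size, 1, OrderedDict()

    def set_max_size(self, n):               # a SET on syslogMsgTableMaxSize
        if n < 0:
            raise ValueError("syslogMsgTableMaxSize must be >= 0")
        self.max_size = n
        self._trim()

    def add(self, raw):
        row = parse_syslog_message(raw)
        row["syslogMsgIndex"] = idx = self.next_index
        self.next_index += 1
        self.rows[idx] = row
        self._trim()
        return idx

    def _trim(self):
        while len(self.rows) > self.max_size:
            self.rows.popitem(last=False)    # evict the oldest entry


# The Section 8 message with a real BOM (U+FEFF) where the draft writes "BOM",
# plus a constructed message exercising escapes, two SD-ELEMENTs and NILVALUEs.
EXAMPLE = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
           '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
           '\ufeffAn application event log entry...')
ESCAPED = r'<34>1 - host app 1234 - [a@1 k="x\"y\]"][b@1 q="1"] hello'
```

   Feeding EXAMPLE to SyslogMsgTable.add yields facility 20, severity 5
   and the three SD-PARAM rows listed in Section 8; the index of each
   (paramIndex, sdid, name) tuple is the middle component of the
   syslogMsgSDParamValue instance identifier shown there.  The parser
   rejects a message whose SD-ELEMENT is malformed or that carries bytes
   between the STRUCTURED-DATA and the MSG separator rather than
   guessing, which matters when, as Section 10 notes, the translator may
   be fed syslog messages from an unauthenticated source.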