Network Working Group                              Glenn Mansfield Keeni
INTERNET-DRAFT                                      Cyber Solutions Inc.
Expires: July 2, 2003                                            B. Pape
                                                      Enterasys Networks
                                                         January 3, 2003

                               Syslog MIB

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on July 2, 2003.

Copyright Notice

   Copyright (C) The Internet Society (2003).  All Rights Reserved.

Abstract

   This memo provides a MIB module that can be used to monitor and
   manage syslog processes.  In addition, it defines objects that allow
   the collection of statistics related to the generation of syslog
   messages.  Finally, it provides a means for controlling the messages
   that individual applications on a device will generate.

Table of Contents

   1.  The SNMP Management Framework
   2.  Background
   3.  The MIB Design
   4.  The Syslog MIB
   5.  Intellectual Property Notice
   6.  Acknowledgments
   7.  Security Considerations
   8.  References
   9.  Full Copyright Statement
   10. Authors' Address

1.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a
   MIB module that is compliant with the SMIv2, which is described in
   STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58,
   RFC 2580 [RFC2580].

   This document defines a portion of the Management Information Base
   (MIB) for use with management protocols in the Internet community.
   In particular, this document describes managed objects used for
   configuring and monitoring syslog processes that handle syslog
   messages.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, RFC 2119
   [RFC2119].

2.  Background

   Operating systems, processes and applications generate messages
   indicating their own status or the occurrence of events.  These
   messages are useful for managing and/or debugging the network and
   its services.  The BSD Syslog protocol is a widely adopted protocol
   that is used for transmission and processing of the messages.

   Essentially, a syslog process receives messages (from the kernel,
   processes, applications or other syslog processes) and processes
   them.  The processing involves logging to a local file, displaying
   on the console or a user terminal, and/or relaying to syslog
   processes on other machines.
   The processing is determined by the "facility" that originated the
   message and the "severity" assigned to the message by the facility.

   This document defines a generic MIB that may be used to monitor and
   control one or more syslog processes running on a system.

                                    /
                          +------+ /
                          | SP-1 |------> SP-R1
                         /+------+ \
       Facility-1-->|   /
                 -->|  /  +------+ /
       Facility-N-->|+---| SP-2 |------> SP-R2
                 -->|  \  +------+ \
     SyslogHost-N-->|   \
                         \+------+ /
                          | SP-N |------> SP-RN
                          +------+ \
                                    \

      Facility:   Facility originating the message (locally)
      SyslogHost: Remote SyslogHost relaying a message
      SP:         Syslog Process

                      Fig.1 Syslog Process Model

   The syslog process modelled by the MIB is shown in Fig.1.  One or
   more syslog processes running on a system receive syslog messages
   from the local facilities and from other syslog processes on other
   hosts.  The syslog process receives the message and processes it
   depending on the processing mandated for the facility and severity
   of the message in its local message-process configuration table.

3.  The MIB Design

   The purpose of the SyslogMIB is to allow the monitoring and control
   of the syslog process(es) on a system.  This requires MOs
   representing

   o  Statistics on messages received, processed locally, and relayed.
   o  Syslog system wide parameters that are available to all syslog
      processes.
   o  Syslog run time parameters for each syslog process, e.g.
      -  maximum message size,
      -  sockets and/or type of transport, port numbers on which the
         process will listen for messages, etc.
      -  etc.
   o  Rules for selecting messages and applying the corresponding
      specified actions for each syslog process

   The MIB comprises four groups:

   o  The syslogSystem group handles the system wide parameters
      that apply to all the syslog processes served by the SNMP agent.
   o  The syslog process group consisting of the
      -  syslogStatsTable which deals with statistical information
         about the syslog processes.
      -  syslogParamsTable for monitoring and controlling syslog
         processes.  It contains MOs representing the run-time
         parameters of the syslog processes.
   o  The syslog control group which handles the definition of the
      rules for message selection and the action(s) that will be
      carried out on the selected message.  The tables in this group
      represent the rules that would generally be present in the
      syslog.conf file of a traditional syslogd process.
      The control group consists of
      -  a syslogCtlSelectionTable which defines the message selection
         rule.
      -  several action tables viz.
         +  syslogCtlLogActionTable defining the logging actions
         +  syslogCtlUserActionTable defining the users on whose
            console the message will need to be displayed.
         +  syslogCtlFwdActionTable defining destinations to which a
            message will be forwarded
   o  The conformance group that defines the compliance statements.

4.  The Syslog MIB

   SYSLOG-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, Counter32,
       Integer32, mib-2
           FROM SNMPv2-SMI
       RowStatus, TEXTUAL-CONVENTION, TimeStamp, TruthValue,
       StorageType
           FROM SNMPv2-TC
       InetAddressType, InetAddress
           FROM INET-ADDRESS-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP
           FROM SNMPv2-CONF
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB;

   syslogMIB MODULE-IDENTITY
       LAST-UPDATED "200212252343Z"  -- Wed December 25 23:43 GMT 2002
       ORGANIZATION "IETF Syslog Working Group"
       CONTACT-INFO
           "        Glenn Mansfield Keeni
            Postal: Cyber Solutions Inc.
                    6-6-3, Minami Yoshinari
                    Aoba-ku, Sendai, Japan 989-3204.
               Tel: +81-22-303-4012
               Fax: +81-22-303-4015
            E-mail: glenn@cysols.com
           "
       DESCRIPTION
           "The MIB module pertaining to the reception and
            processing of Syslog compatible messages."
       REVISION "200303030000Z"  -- Mon March 03 00:00 GMT 2003
       DESCRIPTION
           "Fixing of nits in descriptions, addition of references,
            addition of the following MOs
               syslogProcMsgsIllFormed          Counter32,
               syslogProcStartTime              TimeStamp,
               syslogProcLastError              Integer32,
               syslogProcLastErrorTime          TimeStamp,
               syslogParamsStorageType          StorageType,
               syslogCtlFwdActionSrcAddrType    InetAddressType,
               syslogCtlFwdActionSrcAddr        InetAddress,
            added enumeration ''suspended(2)'' to
            syslogParamsProcessStatus.
           "
       REVISION "200212252343Z"  -- Wed December 25 23:43 GMT 2002
       DESCRIPTION
           "Radical revision of the MIB structure and design."
       REVISION "200206061841Z"  -- Thu Jun 6 18:41 GMT 2002
       DESCRIPTION
           "The initial version of this MIB module."
       ::= { mib-2 999999 }  -- Will be assigned by IANA

   -- -------------------------------------------------------------
   -- Textual Conventions
   -- -------------------------------------------------------------

   SyslogFacility ::= TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "This textual convention enumerates the facilities
            that originate syslog messages.
            The value noMap(24) indicates that the appropriate
            facility will be provided by the individual applications
            on the managed entity.
            If this option is not available on a particular entity,
            an attempt to set the facility to this value will fail
            with an error-status of wrongValue."
       REFERENCE
           "The BSD syslog Protocol (RFC 3164) sec. 4.1.1 (Table 1).
           "
       SYNTAX  INTEGER
            {
              kernel   (0), -- kernel messages
              user     (1), -- user-level messages
              mail     (2), -- mail system
              daemon   (3), -- system daemons
              auth     (4), -- authorization messages
              syslog   (5), -- messages generated by syslogd
              lpr      (6), -- line printer subsystem
              news     (7), -- network news subsystem
              uucp     (8), -- UUCP subsystem
              cron     (9), -- clock daemon
              authPriv (10),-- authorization messages
                            -- (private)
              ftp      (11),-- ftp daemon
              ntp      (12),-- NTP subsystem
              security (13),-- security subsystems
                            -- (firewalling, etc.)
              console  (14),-- /dev/console output
              local0   (16),
              local1   (17),
              local2   (18),
              local3   (19),
              local4   (20),
              local5   (21),
              local6   (22),
              local7   (23),
              noMap    (99)
            }

   SyslogSeverity ::= TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "This textual convention enumerates the severity levels
            of syslog messages.
            The syslog protocol uses the values 0 (emergency),
            to 7 (debug)."
       REFERENCE
           "The BSD syslog Protocol (RFC 3164) sec. 4.1.1 (Table 2)
           "
       SYNTAX  INTEGER
            {
              emergency (0), -- system is unusable
              alert     (1), -- action must be taken
                             -- immediately
              critical  (2), -- critical conditions
              error     (3), -- error conditions
              warning   (4), -- warning conditions
              notice    (5), -- normal but significant
                             -- condition
              info      (6), -- informational
              debug     (7), -- debug-level messages
              other     (99) -- None of the above
            }

   SyslogSeverityCompOP ::= TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "The operator that will be applied to the severity
            before the selection for an action takes place.
           "
       SYNTAX  INTEGER
            {
              none                  (1),
              greaterThanOrEqual    (2),
              lessThanOrEqual       (3),
              greaterThan           (4),
              lessThan              (5),
              notGreaterThanOrEqual (6),
              notLessThanOrEqual    (7),
              notGreaterThan        (8),
              notLessThan           (9),
              equal                 (10),
              notEqual              (11)
            }

   SyslogTransport ::= TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "The Transport that will be used to send and/or receive
            messages.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       SYNTAX  INTEGER
            {
              any (1),
              udp (2),
              tcp (3)
            }

   SyslogService ::= TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "The service name or port number that will be used to
            send and/or receive messages. The special name ''any''
            is reserved. It denotes all ports and is applicable only
            in the context of message reception. In case the service
            name is given, and it is not ''any'', the service name
            must resolve to a port number on the local host.
           "
       SYNTAX  OCTET STRING (SIZE (0..255))

   -- -------------------------------------------------------------
   -- syslogMIB - the main groups
   -- -------------------------------------------------------------

   syslogSystem   OBJECT IDENTIFIER ::= { syslogMIB 1 }
   syslogProc     OBJECT IDENTIFIER ::= { syslogMIB 2 }
   syslogControl  OBJECT IDENTIFIER ::= { syslogMIB 3 }

   -- -------------------------------------------------------------
   -- syslogSystem
   -- -------------------------------------------------------------
   -- The system wide parameters

   syslogDefaultTransport OBJECT-TYPE
       SYNTAX      SyslogTransport
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default transport that a syslog process will use
            to send syslog messages.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       DEFVAL      { udp }
       ::= { syslogSystem 1 }

   syslogDefaultService OBJECT-TYPE
       SYNTAX      SyslogService
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default service name or port number that a syslog
            process will use to send syslog messages.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       DEFVAL      { "514" }
       ::= { syslogSystem 2 }

   syslogDefaultFacility OBJECT-TYPE
       SYNTAX      SyslogFacility
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default syslog facility that will be added to
            syslog messages when the message needs to be relayed
            and does not have priority specified.
           "
       ::= { syslogSystem 3 }

   syslogDefaultSeverity OBJECT-TYPE
       SYNTAX      SyslogSeverity
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default syslog severity that will be added to
            syslog messages when the message needs to be relayed
            and does not have priority specified.
           "
       ::= { syslogSystem 4 }

   syslogMaxMessageSize OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The maximum size of the syslog messages in bytes.
           "
       DEFVAL      { 1024 }
       ::= { syslogSystem 5 }

   -- -------------------------------------------------------------
   -- syslogProc
   -- -------------------------------------------------------------

   syslogProcTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogProcEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing information about the syslog
            processes serviced by an SNMP agent.
           "
       ::= { syslogProc 1 }

   syslogProcEntry OBJECT-TYPE
       SYNTAX      SyslogProcEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The information pertaining to a syslog process.
           "
       INDEX       { syslogProcIndex }
       ::= { syslogProcTable 1 }

   SyslogProcEntry ::=
       SEQUENCE {
           syslogProcIndex                 Integer32,
           syslogProcMsgsReceived          Counter32,
           syslogProcMsgsRelayed           Counter32,
           syslogProcMsgsDropped           Counter32,
           syslogProcMsgsIllFormed         Counter32,
           syslogProcMsgsIgnored           Counter32,
           syslogProcMsgsRejected          Counter32,
           syslogProcLastMsgRecdTime       TimeStamp,
           syslogProcLastMsgDeliveredTime  TimeStamp,
           syslogProcStartTime             TimeStamp,
           syslogProcLastError             Integer32,
           syslogProcLastErrorTime         TimeStamp
       }

   -- option for allowed peers needs to be added

   syslogProcIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The Index that uniquely identifies the syslog process
            in the syslogProcess table.
           "
       ::= { syslogProcEntry 1 }

   syslogProcMsgsReceived OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages received by the syslog process.
            This includes messages that were ignored.
           "
       ::= { syslogProcEntry 2 }

   syslogProcMsgsRelayed OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages relayed by the syslog process
            to other syslog processes.
           "
       ::= { syslogProcEntry 3 }

   syslogProcMsgsDropped OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that could not be relayed
            (could not be queued for transmitting)."
       ::= { syslogProcEntry 4 }

   syslogProcMsgsIllFormed OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that were rejected by the
            syslog process because these were badly formed.
           "
       ::= { syslogProcEntry 5 }

   syslogProcMsgsIgnored OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that were not processed by the
            syslog process because the message did not meet the
            specification of 'allowed specifications' (either the
            program name or the priority level of the message or
            both did not match any selection specified for this
            process in the syslogCtlSelectionTable).
           "
       ::= { syslogProcEntry 6 }

   syslogProcMsgsRejected OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that were rejected by the
            syslog process because the message was from a
            host/service that did not match any selection specified
            for this process in the syslogCtlSelectionTable and was
            not on the allowed host/services list.
           "
       ::= { syslogProcEntry 7 }

   syslogProcLastMsgRecdTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when the last message was received
            by the syslog process locally or from a remote syslog
            process.
           "
       ::= { syslogProcEntry 8 }

   syslogProcLastMsgDeliveredTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when the last message was delivered
            by the syslog process.
           "
       ::= { syslogProcEntry 9 }

   syslogProcStartTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when this process was started.
           "
       ::= { syslogProcEntry 10 }

   syslogProcLastError OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The last error that was encountered by this process.
           "
       ::= { syslogProcEntry 11 }

   syslogProcLastErrorTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when the last error was encountered.
           "
       ::= { syslogProcEntry 12 }

   syslogParamsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogParamsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing information about the parameters
            that control the syslog processes.
           "
       ::= { syslogProc 2 }

   syslogParamsEntry OBJECT-TYPE
       SYNTAX      SyslogParamsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The parameters pertaining to a syslog process."
       INDEX       { syslogProcIndex }
       ::= { syslogParamsTable 1 }

   SyslogParamsEntry ::=
       SEQUENCE {
           syslogParamsProcDescr            SnmpAdminString,
           syslogParamsBindAddrType         InetAddressType,
           syslogParamsBindAddr             InetAddress,
           syslogParamsSendToAllAddresses   TruthValue,
           syslogParamsCompression          INTEGER,
           syslogParamsConfFileName         SnmpAdminString,
           syslogParamsFacilityTranslation  INTEGER,
           syslogParamsPIDFileName          SnmpAdminString,
           syslogParamsDNSLookup            INTEGER,
           syslogParamsSeverityCompOP       SyslogSeverityCompOP,
           syslogParamsSecuritySpecs        INTEGER,
           syslogParamsProcessStatus        INTEGER,
           syslogParamsStorageType          StorageType,
           syslogParamsRowStatus            RowStatus
       }

   syslogParamsProcDescr OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A user definable description of the syslog process.
           "
       ::= { syslogParamsEntry 1 }

   syslogParamsBindAddrType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of Internet address which follows
            in syslogParamsBindAddr.
           "
       ::= { syslogParamsEntry 2 }

   syslogParamsBindAddr OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The specific IP address or hostname the syslog process
            will bind to. If a hostname is specified, the IPv4 or
            IPv6 address which corresponds to it will be used.
           "
       ::= { syslogParamsEntry 3 }

   syslogParamsSendToAllAddresses OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "If the destination host, for a message to be forwarded,
            has more than one A or AAAA record, the process sends
            the message to all the addresses (true); otherwise it
            sends to only one of the addresses.
           "
       DEFVAL      { false }
       ::= { syslogParamsEntry 4 }

   syslogParamsCompression OBJECT-TYPE
       SYNTAX      INTEGER
                   {
                     off       (1),
                     offIfPipe (2),
                     on        (3)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "If 'off', disable the compression of repeated
            instances of the same line into a single line of the
            form ``last message repeated N times''.
            If 'offIfPipe', disable the compression when the
            output is a pipe to another program.
            Otherwise the compression is enabled.
           "
       DEFVAL      { on }
       ::= { syslogParamsEntry 5 }

   syslogParamsConfFileName OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The fullpath name of the configuration file where the
            syslog process's message selection and corresponding
            action rules will be read from.
            Data is loaded from this file into the
            syslogCtlSelectionTable and the syslogCtlLogActionTable.
            If the objects loaded from the file specified by this
            object have an access level of read-create, this file
            MUST be writable so that modifications to the
            corresponding objects, if any, will be effected in this
            file.
            If the system does not support the specification of a
            configuration file this field will not be accessible.
           "
       DEFVAL      { "/etc/syslog.conf" }
       ::= { syslogParamsEntry 6 }

   syslogParamsFacilityTranslation OBJECT-TYPE
       SYNTAX      INTEGER
                   {
                     off (1),
                     on  (2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "If off, disable the translation of messages received
            with facility ``kern'' to facility ``user''.
            Usually the ``kern'' facility is reserved for messages
            read directly from /dev/klog.
           "
       DEFVAL      { on }
       ::= { syslogParamsEntry 7 }

   syslogParamsPIDFileName OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The fullpath name of the file where the syslog process
            ID will be recorded.
            In case the system does not support the feature of
            recording syslog's process ID, this object will not be
            accessible.
           "
       DEFVAL      { "/etc/syslog.pid" }
       ::= { syslogParamsEntry 8 }

   syslogParamsDNSLookup OBJECT-TYPE
       SYNTAX      INTEGER
                   {
                     useLocalCache      (1),
                     doNotUseLocalCache (2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "If doNotUseLocalCache is on, fresh DNS lookups will be
            carried out every time a hostname is encountered.
            Else, DNS lookups will be carried out only once for
            each hostname.
           "
       DEFVAL      { useLocalCache }
       ::= { syslogParamsEntry 9 }

   syslogParamsSeverityCompOP OBJECT-TYPE
       SYNTAX      SyslogSeverityCompOP
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The default value of the operator that should apply to
            the syslogCtlSelectionSeverity before the selection
            takes place.
           "
       DEFVAL      { greaterThanOrEqual }
       ::= { syslogParamsEntry 10 }

   syslogParamsSecuritySpecs OBJECT-TYPE
       SYNTAX      INTEGER
                   {
                     none                     (0),
                     doNotRecvFromRemoteHosts (1),
                     doNotOpenNetworkSockets  (2)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "If doNotRecvFromRemoteHosts is selected then the
            corresponding syslog process will receive messages
            from remote hosts.
            If doNotOpenNetworkSockets is selected then the syslog
            process will not receive from or forward to remote
            hosts.
           "
       DEFVAL      { none }
       ::= { syslogParamsEntry 11 }

   syslogParamsProcessStatus OBJECT-TYPE
       SYNTAX      INTEGER
                   {
                     unknown   (0),
                     started   (1),
                     suspended (2),
                     stopped   (3)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The status of the process. The status of the process
            can be controlled by setting this object to the
            appropriate value.
            ''started'' indicates that the process should be
            started if it is not already running.
            ''suspended'' indicates that the process should be
            suspended if it is running.
            ''stopped'' indicates that the process should be
            stopped if it is running.
            The following are the allowed state changes
               started   -> suspended
               started   -> stopped
               suspended -> started
               suspended -> stopped
            Attempts to carry out any other state changes will
            result in an error.
            The status can be set to ''started'' only when the
            rowStatus of the corresponding conceptual row is
            ''valid''.
           "
       DEFVAL      { unknown }
       ::= { syslogParamsEntry 12 }

   syslogParamsStorageType OBJECT-TYPE
       SYNTAX      StorageType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object defines whether the parameters defined in
            this row are kept in volatile storage and lost upon
            reboot or are backed up by non-volatile (permanent)
            storage.
           "
       ::= { syslogParamsEntry 13 }

   syslogParamsRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object is used to create, modify and delete rows
            in the syslogParamsTable.
            Objects in a row can be modified only when the value of
            this object in the corresponding conceptual row is not
            ''active''.
            Thus, to modify one or more of the objects in this
            conceptual row,
              a. change the row status to ''invalid'', causing its
                 deletion
              b. create a new conceptual row with the desired
                 values.
           "
       ::= { syslogParamsEntry 14 }

   syslogAllowedHostsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogAllowedHostsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing information about the Hosts from
            which messages will be accepted (rejected).
           "
       ::= { syslogProc 3 }

   syslogAllowedHostsEntry OBJECT-TYPE
       SYNTAX      SyslogAllowedHostsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The host information."
       INDEX       { syslogProcIndex }
       ::= { syslogAllowedHostsTable 1 }

   SyslogAllowedHostsEntry ::=
       SEQUENCE {
           syslogAllowedHostsAddressType  InetAddressType,
           syslogAllowedHostsAddress      InetAddress,
           syslogAllowedHostsMaskLen      Integer32,
           syslogAllowedHostsTransport    SyslogTransport,
           syslogAllowedHostsPort         SyslogService,
           syslogAllowedHostsRowStatus    RowStatus
       }

   syslogAllowedHostsAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of Internet address which follows
            in syslogAllowedHostsAddress.
           "
       ::= { syslogAllowedHostsEntry 1 }

   syslogAllowedHostsAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The IP address or hostname specification of the host
            from which the syslog process will accept messages.
           "
       ::= { syslogAllowedHostsEntry 2 }

   syslogAllowedHostsMaskLen OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "If the syslogAllowedHostsAddressType is ipv4(1) or
            ipv6(2), this object represents the number of bits that
            will be taken into account when the address of the
            originating host is being compared with
            syslogAllowedHostsAddress.
            The default value of this MO will be the length of the
            corresponding syslogAllowedHostsAddress.
            If the syslogAllowedHostsAddressType is not ipv4(1) or
            ipv6(2) this object is not used.
           "
       ::= { syslogAllowedHostsEntry 3 }

   syslogAllowedHostsTransport OBJECT-TYPE
       SYNTAX      SyslogTransport
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Transport specification that will be used to decide
            whether the message will be accepted from a host or
            not.
           "
       DEFVAL      { udp }
       ::= { syslogAllowedHostsEntry 4 }

   syslogAllowedHostsPort OBJECT-TYPE
       SYNTAX      SyslogService
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Port specification that will be used to decide
            whether the message will be accepted from a host or
            not.
           "
       DEFVAL      { "any" }
       ::= { syslogAllowedHostsEntry 5 }

   syslogAllowedHostsRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object is used to create and delete rows in the
            syslogAllowedHostsTable.
           "
       ::= { syslogAllowedHostsEntry 6 }

   -- -------------------------------------------------------------
   -- syslogControl
   -- -------------------------------------------------------------
   -- This group defines the rules for message selection and the
   -- action that will be carried out on the selected messages.
   -- The tables in this group represent the rules that would
   -- generally be present in the syslog.conf

   -- syslogCtlSelectionTable:
   -- This table defines the message selection rules for an action
   -- Each row maps a part of the "selector" field in the syslogd.conf
   -- that is traditionally input to the syslogd process

   syslogCtlSelectionTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogCtlSelectionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table which defines the rules for selection of syslog
            messages for some specified actions.
           "
       ::= { syslogControl 1 }

   syslogCtlSelectionEntry OBJECT-TYPE
       SYNTAX      SyslogCtlSelectionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Defines the information to generate syslog messages to
            an aggregating agent or collector.
            Entries within this table with an access level of
            read-create MUST be considered non-volatile and MUST be
            maintained across entity resets."
       INDEX       { syslogProcIndex, syslogCtlActionIndex,
                     syslogCtlSelectionIndex }
       ::= { syslogCtlSelectionTable 1 }

   SyslogCtlSelectionEntry ::=
       SEQUENCE {
           syslogCtlActionIndex              Integer32,
           syslogCtlSelectionIndex           Integer32,
           syslogCtlSelectionDescr           SnmpAdminString,
           syslogCtlSelectionHostNameIncl    INTEGER,
           syslogCtlSelectionHostname        SnmpAdminString,
           syslogCtlSelectionProgNameIncl    INTEGER,
           syslogCtlSelectionProgName        SnmpAdminString,
           syslogCtlSelectionPriorityIncl    INTEGER,
           syslogCtlSelectionFacility        SyslogFacility,
           syslogCtlSelectionSeverity        SyslogSeverity,
           syslogCtlSelectionSeverityCompOP  SyslogSeverityCompOP,
           syslogCtlSelectionRowStatus       RowStatus
       }

   syslogCtlActionIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An index that uniquely identifies an action group in
            the Table.
           "
       ::= { syslogCtlSelectionEntry 1 }

   syslogCtlSelectionIndex OBJECT-TYPE
       SYNTAX      Integer32 (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An index that uniquely identifies the row within the
            set of rows belonging to the same action group.
           "
       ::= { syslogCtlSelectionEntry 2 }

   syslogCtlSelectionDescr OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A description of the Selection
           "
       ::= { syslogCtlSelectionEntry 3 }

   syslogCtlSelectionHostNameIncl OBJECT-TYPE
       SYNTAX      INTEGER
                   {
                     included (1),
                     excluded (2)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates whether the corresponding instance of
            syslogCtlSelectionHostname defines a hostname which is
            included or excluded from the selection for the action.
           "
       DEFVAL      { included }
       ::= { syslogCtlSelectionEntry 4 }

   syslogCtlSelectionHostname OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The hostname represented by the row.
            An asterisk indicates all hosts.
           "
       DEFVAL      { "*" }
       ::= { syslogCtlSelectionEntry 5 }

   syslogCtlSelectionProgNameIncl OBJECT-TYPE
       SYNTAX      INTEGER
                   {
                     included (1),
                     excluded (2)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates whether the corresponding instance of
            syslogCtlSelectionProgName defines a program name which
            is included or excluded from the selection for the
            action.
           "
       DEFVAL      { included }
       ::= { syslogCtlSelectionEntry 6 }

   syslogCtlSelectionProgName OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The program name represented by the row.
            An asterisk indicates all hosts.
           "
       DEFVAL      { "*" }
       ::= { syslogCtlSelectionEntry 7 }

   syslogCtlSelectionPriorityIncl OBJECT-TYPE
       SYNTAX      INTEGER
                   {
                     included (1),
                     excluded (2)
                   }
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Indicates whether the corresponding instances of
            syslogCtlSelectionFacility and
            syslogCtlSelectionSeverity define a priority which is
            included or excluded from the selection for the action.
           "
       DEFVAL      { included }
       ::= { syslogCtlSelectionEntry 8 }

   syslogCtlSelectionFacility OBJECT-TYPE
       SYNTAX      SyslogFacility
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The facility represented by the row.
           "
       ::= { syslogCtlSelectionEntry 9 }

   syslogCtlSelectionSeverityCompOP OBJECT-TYPE
       SYNTAX      SyslogSeverityCompOP
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Represents the operator that should apply to the
            syslogCtlSelectionSeverity MO before the selection
            takes place.
           "
       DEFVAL      { greaterThanOrEqual }
       ::= { syslogCtlSelectionEntry 10 }

   syslogCtlSelectionSeverity OBJECT-TYPE
       SYNTAX      SyslogSeverity
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The severity represented by the row.
           "
       ::= { syslogCtlSelectionEntry 11 }

   syslogCtlSelectionRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object is used to create and delete rows in the
            syslogCtlSelectionTable.
           "
       ::= { syslogCtlSelectionEntry 12 }

   -- -------------------------------------------------------------
   -- syslogCtlActionTable
   -- -------------------------------------------------------------
   -- This table defines the Logging action for a selection from
   -- syslogCtlSelectionTable (group of rows having the same
   -- syslogCtlActionIndex).

   syslogCtlLogActionTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogCtlLogActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing Syslog LogAction Entries."
       ::= { syslogControl 2 }

   syslogCtlLogActionEntry OBJECT-TYPE
       SYNTAX      SyslogCtlLogActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "Defines the information to generate syslog messages to
            an aggregating agent or collector.
            Entries within this table with an access level of
            read-create MUST be considered non-volatile and MUST be
            maintained across entity resets."
       INDEX       { syslogProcIndex, syslogCtlActionIndex }
       ::= { syslogCtlLogActionTable 1 }

   SyslogCtlLogActionEntry ::=
       SEQUENCE {
           syslogCtlLogActionFileName   SnmpAdminString,
           syslogCtlLogActionRowStatus  RowStatus
       }

   syslogCtlLogActionFileName OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The fullpath name of the file in which the message will
            be logged. This file should exist before the syslog
            process attempts to append messages to it.
           "
       ::= { syslogCtlLogActionEntry 1 }

   syslogCtlLogActionRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object is used to create and delete rows in the
            syslogCtlLogActionTable."
       ::= { syslogCtlLogActionEntry 2 }

   -- -------------------------------------------------------------
   -- syslogUserActionTable
   -- -------------------------------------------------------------
   -- This table defines the user notification action for a selection
   -- from syslogCtlSelectionTable (group of rows having the same
   -- syslogCtlActionIndex).

   syslogCtlUserActionTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogCtlUserActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing list of users to whom a notification
            will be sent (by displaying the message on the users'
            console, if the user is logged in).
           "
       ::= { syslogControl 3 }

   syslogCtlUserActionEntry OBJECT-TYPE
       SYNTAX      SyslogCtlUserActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A user to whom the message should be notified.
           "
       INDEX       { syslogProcIndex, syslogCtlActionIndex,
                     syslogCtlUserActionIndex }
       ::= { syslogCtlUserActionTable 1 }

   SyslogCtlUserActionEntry ::=
       SEQUENCE {
           syslogCtlUserActionIndex      Unsigned32,
           syslogCtlUserActionUserID     SnmpAdminString,
           syslogCtlUserActionRowStatus  RowStatus
       }

   syslogCtlUserActionIndex OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An index to uniquely identify the userID among the
            group of userIDs.
           "
       ::= { syslogCtlUserActionEntry 1 }

   syslogCtlUserActionUserID OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The userid of the user to whom the message will be
            displayed on the console, if the user is logged in.
            Note: the userid ''*'' denotes all users.
" ::= { syslogCtlUserActionEntry 2 } Expires: July 2, 2003 [Page 31] Internet Draft January 3, 2003 syslogCtlUserActionRowStatus OBJECT-TYPE SYNTAX RowStatus MAX-ACCESS read-create STATUS current DESCRIPTION "This object is used to create and delete rows in the syslogCtlUserActionTable. " ::= { syslogCtlUserActionEntry 3 } -- ------------------------------------------------------------- -- syslogCtlFwdAction Table -- ------------------------------------------------------------- -- Each row in this table defines a destination to which the -- message will be forwarded syslogCtlFwdActionTable OBJECT-TYPE SYNTAX SEQUENCE OF SyslogCtlFwdActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "A table containing Syslog collector information." ::= { syslogControl 4 } syslogCtlFwdActionEntry OBJECT-TYPE SYNTAX SyslogCtlFwdActionEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION "Defines the information pertaining to a syslog collector to which a syslog messages will be relayed. Entries within this table with an access level of read- create MUST be considered non-volatile and MUST be maintained across entity resets." INDEX { syslogProcIndex, syslogCtlActionIndex, syslogCtlFwdActionIndex } ::= { syslogCtlFwdActionTable 1 } Expires: July 2, 2003 [Page 32] Internet Draft January 3, 2003 SyslogCtlFwdActionEntry ::= SEQUENCE { syslogCtlFwdActionIndex Unsigned32, syslogCtlFwdActionDescr SnmpAdminString, syslogCtlFwdActionSrcAddrType InetAddressType, syslogCtlFwdActionSrcAddr InetAddress, syslogCtlFwdActionDstAddrType InetAddressType, syslogCtlFwdActionDstAddr InetAddress, syslogCtlFwdActionTransport SyslogTransport, syslogCtlFwdActionPort SyslogService, syslogCtlFwdActionFacility SyslogFacility, syslogCtlFwdActionSeverity SyslogSeverity, syslogCtlFwdActionRowStatus RowStatus } syslogCtlFwdActionIndex OBJECT-TYPE SYNTAX Unsigned32 MAX-ACCESS not-accessible STATUS current DESCRIPTION "A unique identifier for this syslogForwardAction entry." 
       ::= { syslogCtlFwdActionEntry 1 }

   syslogCtlFwdActionDescr OBJECT-TYPE
       SYNTAX      SnmpAdminString (SIZE(1..64))
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "Administratively assigned textual description of this
            syslogForwardAction."
       ::= { syslogCtlFwdActionEntry 2 }

   syslogCtlFwdActionSrcAddrType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of Internet address which follows in
            syslogCtlFwdActionSrcAddr."
       ::= { syslogCtlFwdActionEntry 3 }

   syslogCtlFwdActionSrcAddr OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Internet address that will be used as the source
            address in the message to the collector.
            The type of the address is specified in the preceding
            syslogCtlFwdActionSrcAddrType object.
            The use of DNS domain names is discouraged, and agent
            support for them is optional. Deciding when, and how
            often, to resolve them is an issue. Not resolving them
            often enough could lead to loss of synchronization with
            the associated entry in the DNS server, and resolving
            them too often might lead to significant overhead
            during critical network events."
       ::= { syslogCtlFwdActionEntry 4 }

   syslogCtlFwdActionDstAddrType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of Internet address which follows in
            syslogCtlFwdActionDstAddr."
       ::= { syslogCtlFwdActionEntry 5 }

   syslogCtlFwdActionDstAddr OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Internet address for the Syslog message collector.
            The type of the address is specified in the preceding
            syslogCtlFwdActionDstAddrType object.
            The use of DNS domain names is discouraged, and agent
            support for them is optional. Deciding when, and how
            often, to resolve them is an issue.
            Not resolving them often enough could lead to loss of
            synchronization with the associated entry in the DNS
            server, and resolving them too often might lead to
            significant overhead during critical network events."
       ::= { syslogCtlFwdActionEntry 6 }

   syslogCtlFwdActionTransport OBJECT-TYPE
       SYNTAX      SyslogTransport
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Transport that will be used to forward the
            message."
       DEFVAL { udp }
       ::= { syslogCtlFwdActionEntry 7 }

   syslogCtlFwdActionPort OBJECT-TYPE
       SYNTAX      SyslogService
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The port number on the destination to which the syslog
            message will be forwarded over the transport specified
            by syslogCtlFwdActionTransport."
       DEFVAL { "514" }
       ::= { syslogCtlFwdActionEntry 8 }

   syslogCtlFwdActionFacility OBJECT-TYPE
       SYNTAX      SyslogFacility
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The syslog facility code that will be added to messages
            forwarded to this collector if a priority level is not
            defined in the received message."
       ::= { syslogCtlFwdActionEntry 9 }

   syslogCtlFwdActionSeverity OBJECT-TYPE
       SYNTAX      SyslogSeverity
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The syslog severity code that will be added to messages
            forwarded to this collector if a priority level is not
            defined in the received message."
       ::= { syslogCtlFwdActionEntry 10 }

   syslogCtlFwdActionRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object is used to create and delete rows in the
            syslogCtlFwdActionTable."
       ::= { syslogCtlFwdActionEntry 11 }

   -- -------------------------------------------------------------
   -- syslogPipeActionTable
   -- -------------------------------------------------------------
   -- This table defines the 'pipe' action for a selection
   -- from syslogCtlSelectionTable (group of rows having the same
   -- syslogCtlActionIndex).
   -- The selected message is piped to the command given in
   -- the corresponding syslogCtlPipeActionCmd

   syslogCtlPipeActionTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogCtlPipeActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing commands to which selected messages
            will be piped."
       ::= { syslogControl 5 }

   syslogCtlPipeActionEntry OBJECT-TYPE
       SYNTAX      SyslogCtlPipeActionEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A user to whom the message should be notified."
       INDEX { syslogProcIndex, syslogCtlActionIndex }
       ::= { syslogCtlPipeActionTable 1 }

   SyslogCtlPipeActionEntry ::= SEQUENCE {
       syslogCtlPipeActionCmd        SnmpAdminString,
       syslogCtlPipeActionRowStatus  RowStatus
   }

   syslogCtlPipeActionCmd OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The command to which the selected message will be
            piped."
       ::= { syslogCtlPipeActionEntry 1 }

   syslogCtlPipeActionRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object is used to create and delete rows in the
            syslogCtlPipeActionTable."
       ::= { syslogCtlPipeActionEntry 2 }

   -- -------------------------------------------------------------
   -- Conformance Information
   -- -------------------------------------------------------------

   syslogConformance OBJECT IDENTIFIER ::= { syslogMIB 4 }

   syslogGroups      OBJECT IDENTIFIER ::= { syslogConformance 1 }

   syslogCompliances OBJECT IDENTIFIER ::= { syslogConformance 2 }

   -- -------------------------------------------------------------
   -- units of conformance
   -- -------------------------------------------------------------

   syslogSystemGroup OBJECT-GROUP
       OBJECTS {
           syslogDefaultTransport,
           syslogDefaultService,
           syslogDefaultFacility,
           syslogDefaultSeverity,
           syslogMaxMessageSize
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing system-wide
            parameters for syslog processes."
       ::= { syslogGroups 1 }

   syslogStatsGroup OBJECT-GROUP
       OBJECTS {
           -- syslogProcIndex,
           syslogProcMsgsReceived,
           syslogProcMsgsRelayed,
           syslogProcMsgsDropped,
           syslogProcMsgsIllFormed,
           syslogProcMsgsIgnored,
           syslogProcMsgsRejected,
           syslogProcLastMsgRecdTime,
           syslogProcLastMsgDeliveredTime,
           syslogProcStartTime,
           syslogProcLastError,
           syslogProcLastErrorTime
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects providing message related
            statistics."
       ::= { syslogGroups 2 }

   syslogParamsGroup OBJECT-GROUP
       OBJECTS {
           syslogParamsProcDescr,
           syslogParamsBindAddrType,
           syslogParamsBindAddr,
           syslogParamsSendToAllAddresses,
           syslogParamsCompression,
           syslogParamsConfFileName,
           syslogParamsFacilityTranslation,
           syslogParamsPIDFileName,
           syslogParamsDNSLookup,
           syslogParamsSeverityCompOP,
           syslogParamsSecuritySpecs,
           syslogParamsProcessStatus,
           syslogParamsStorageType,
           syslogParamsRowStatus,
           syslogAllowedHostsAddressType,
           syslogAllowedHostsAddress,
           syslogAllowedHostsMaskLen,
           syslogAllowedHostsTransport,
           syslogAllowedHostsPort,
           syslogAllowedHostsRowStatus
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects representing the run time
            parameters for the syslog processes."
       ::= { syslogGroups 3 }

   syslogControlGroup OBJECT-GROUP
       OBJECTS {
           syslogCtlSelectionDescr,
           syslogCtlSelectionHostNameIncl,
           syslogCtlSelectionHostname,
           syslogCtlSelectionProgNameIncl,
           syslogCtlSelectionProgName,
           syslogCtlSelectionPriorityIncl,
           syslogCtlSelectionFacility,
           syslogCtlSelectionSeverity,
           syslogCtlSelectionSeverityCompOP,
           syslogCtlSelectionRowStatus,
           syslogCtlLogActionFileName,
           syslogCtlLogActionRowStatus,
           syslogCtlUserActionUserID,
           syslogCtlUserActionRowStatus,
           syslogCtlFwdActionDescr,
           syslogCtlFwdActionSrcAddrType,
           syslogCtlFwdActionSrcAddr,
           syslogCtlFwdActionDstAddrType,
           syslogCtlFwdActionDstAddr,
           syslogCtlFwdActionTransport,
           syslogCtlFwdActionPort,
           syslogCtlFwdActionFacility,
           syslogCtlFwdActionSeverity,
           syslogCtlFwdActionRowStatus,
           syslogCtlPipeActionCmd,
           syslogCtlPipeActionRowStatus
       }
       STATUS      current
       DESCRIPTION
           "A collection of objects that represent the rules that
            describe how a message will be selected, and the
            action(s) that will be carried out on the selected
            message."
       ::= { syslogGroups 4 }

   -- -------------------------------------------------------------
   -- compliance statements
   -- -------------------------------------------------------------

   syslogCompliance MODULE-COMPLIANCE
       STATUS      current
       DESCRIPTION
           "The compliance statement for an agent implementing the
            syslog MIB."
       MODULE  -- this module
       MANDATORY-GROUPS { syslogStatsGroup }

       GROUP syslogSystemGroup
       DESCRIPTION
           "The syslogSystemGroup group is mandatory only for
            agents which support monitoring and control of the
            syslog system wide parameters. If only monitoring is
            supported then the corresponding objects must have
            access read-only."

       GROUP syslogParamsGroup
       DESCRIPTION
           "The syslogParamsGroup group is mandatory only for
            agents which support monitoring and/or control of
            syslog processes. If only monitoring is supported then
            the corresponding objects must have access read-only."

       GROUP syslogControlGroup
       DESCRIPTION
           "The syslogControlGroup group is mandatory only for
            agents which support monitoring and/or control of the
            rules that describe how a message will be selected, and
            the action(s) that will be carried out on the selected
            message. If only monitoring is supported then the
            corresponding objects must have access read-only."
       ::= { syslogCompliances 1 }

   END

5. Intellectual Property Notice

   The IETF takes no position regarding the validity or scope of any
   intellectual property or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; neither does it represent that it
   has made any effort to identify any such rights. Information on the
   IETF's procedures with respect to rights in standards-track and
   standards-related documentation can be found in BCP-11.
   Copies of claims of rights made available for publication and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementors or users of this
   specification can be obtained from the IETF Secretariat.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights which may cover technology that may be required to practice
   this standard. Please address the information to the IETF Executive
   Director.

6. Acknowledgments

   The authors would like to thank David Harrington, Mark Ellison,
   Mike MacFaden, Dave T Perkins and members of the WIDE-netman group
   for their comments and suggestions.

7. Security Considerations

   Syslog plays a very important role in the computer and network
   security of an organization. SyslogMIB defines several managed
   objects that may be used to monitor, configure and control syslog
   processes. As such, improper manipulation of the objects
   represented by this MIB may lead to an attack on an important
   component of the computer and network security infrastructure.

   The objects in syslogParamsTable, syslogAllowedHostsTable,
   syslogCtlSelectionTable, syslogCtlLogActionTable,
   syslogCtlUserActionTable, syslogCtlFwdActionTable and
   syslogCtlPipeActionTable may be misconfigured to cause syslog
   messages to be diverted or lost, or to result in a DoS attack on a
   user or service.

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create. Such
   objects may be considered sensitive or vulnerable in some network
   environments. The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.
   These are the tables and objects and their
   sensitivity/vulnerability:

   o  syslogParamsTable: the objects in this table describe the
      configuration of the syslog processes. The
      syslogParamsProcessStatus may be used to start, stop or suspend
      the syslog process itself.

   o  syslogAllowedHostsTable: the objects in this table describe the
      hosts from which syslog messages will be accepted. Improper
      configuration may lead to loss of messages from an important
      source or a flood of messages from a potentially rogue source.

   o  syslogCtlSelectionTable: the objects in this table describe
      selection rules for messages. Improper configuration may lead to
      loss of relevant messages or the collection of useless,
      potentially ill-intentioned, messages.

   o  syslogCtlLogActionTable: the objects in this table describe the
      actions that will be carried out on a received syslog message.
      Misconfiguration may lead to loss of important messages or
      misdirection of messages.

   o  syslogCtlUserActionTable: objects in this table describe the
      users that will be notified. It may be misconfigured to prevent
      a user from receiving an important message or to spam a user's
      console.

   o  syslogCtlFwdActionTable: objects in this table describe the
      forwarding action that will be carried out on messages. It may
      be misconfigured to prevent important messages from reaching
      their destinations or to direct a DoS attack on a specific
      destination. It may also be misconfigured to send syslog
      messages to an improper destination - resulting in a breach of
      user's privacy.

   o  syslogCtlPipeActionTable: objects in this table describe the
      commands that will be invoked to process a log message. This may
      be misconfigured to cause arbitrary programs to be invoked on
      the syslog receiver.

   Some of the readable objects in this MIB module (i.e., objects with
   a MAX-ACCESS other than not-accessible) may be considered sensitive
   or vulnerable in some network environments.
   It is thus important to control even GET and/or NOTIFY access to
   these objects and possibly to even encrypt the values of these
   objects when sending them over the network via SNMP. These are the
   tables and objects and their sensitivity/vulnerability:

   o  syslogProcTable: objects in this table carry sensitive
      information. The counters may reveal information about the
      deployment and effectiveness of the relevant security systems.
      The counters may be analyzed to tell whether the security
      systems are able to detect an event or not.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPSec),
   there is still no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the
   objects in this MIB module.

   It is RECOMMENDED that implementers consider the security features
   as provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security. It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access
   to the objects only to those principals (users) that have
   legitimate rights to indeed GET or SET (change/create/delete) them.

8. References:

[Normative References]

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S.
              Waldbusser, "Textual Conventions for SMIv2", STD 58,
              RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

[Informative References]

   [ODC-Dft]  Schoenwaelder, J., "SNMP Payload Compression", Work In
              Progress,
              http://www.ietf.org/internet-drafts/internet-draft
              draft-irtf-nmrg-snmp-compression-01.txt, April 2001.

   [RFC2571]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing SNMP Management Frameworks",
              RFC 2571, April 1999.

   [RFC1155]  Rose, M., and K. McCloghrie, "Structure and
              Identification of Management Information for
              TCP/IP-based Internets", STD 16, RFC 1155, May 1990.

   [RFC1212]  Rose, M., and K. McCloghrie, "Concise MIB Definitions",
              STD 16, RFC 1212, March 1991.

   [RFC1215]  Rose, M., "A Convention for Defining Traps for use with
              the SNMP", RFC 1215, March 1991.

   [RFC1157]  Case, J., Fedor, M., Schoffstall, M., and J. Davin,
              "Simple Network Management Protocol", STD 15, RFC 1157,
              May 1990.

   [RFC1901]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
              "Introduction to Community-based SNMPv2", RFC 1901,
              January 1996.

   [RFC1906]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
              "Transport Mappings for Version 2 of the Simple Network
              Management Protocol (SNMPv2)", RFC 1906, January 1996.

   [RFC2572]  Case, J., Harrington D., Presuhn R., and B. Wijnen,
              "Message Processing and Dispatching for the Simple
              Network Management Protocol (SNMP)", RFC 2572,
              April 1999.

   [RFC2574]  Blumenthal, U., and B. Wijnen, "User-based Security
              Model (USM) for version 3 of the Simple Network
              Management Protocol (SNMPv3)", RFC 2574, April 1999.

   [RFC1905]  Case, J., McCloghrie, K., Rose, M., and S. Waldbusser,
              "Protocol Operations for Version 2 of the Simple Network
              Management Protocol (SNMPv2)", RFC 1905, January 1996.

   [RFC2573]  Levi, D., Meyer, P., and B.
              Stewart, "SNMPv3 Applications", RFC 2573, April 1999.

   [RFC2575]  Wijnen, B., Presuhn, R., and K. McCloghrie, "View-based
              Access Control Model (VACM) for the Simple Network
              Management Protocol (SNMP)", RFC 2575, April 1999.

   [RFC2570]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction to Version 3 of the Internet-standard
              Network Management Framework", RFC 2570, April 1999.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for the
              Internet-Standard Management Framework", RFC 3410,
              December 2002.

   [RFC3164]  Lonvick, C., "The BSD Syslog Protocol", RFC 3164,
              August 2001.

9. Full Copyright Statement

   Copyright (C) The Internet Society (2003). All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain
   it or assist in its implementation may be prepared, copied,
   published and distributed, in whole or in part, without restriction
   of any kind, provided that the above copyright notice and this
   paragraph are included on all such copies and derivative works.
   However, this document itself may not be modified in any way, such
   as by removing the copyright notice or references to the Internet
   Society or other Internet organizations, except as needed for the
   purpose of developing Internet standards in which case the
   procedures for copyrights defined in the Internet Standards process
   must be followed, or as required to translate it into languages
   other than English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.
   This document and the information contained herein is provided on
   an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

10. Authors Address

   Glenn Mansfield Keeni
   Cyber Solutions Inc.
   6-6-3 Minami Yoshinari
   Aoba-ku, Sendai 989-3204
   Japan

   Phone: +81-22-303-4012
   EMail: glenn@cysols.com

   Bruno Pape
   Enterasys Networks, Inc.
   35 Industrial Way
   Rochester, NH 03867
   USA

   Email: bpape@enterasys.com
   Tel: +1 603 337 0446
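
The misconfigurations that Section 7 lists for the control tables can be checked mechanically once the rows have been read from an agent. The following Python is an added example, not part of the draft: it audits a constructed snapshot of rows against a local policy, reading a Hostname of "*" with HostNameIncl set to excluded as a row that selects no host. The policy values, the snapshot layout and the rendering of InetAddress values as text are assumptions of the example.

```python
"""Audit Syslog MIB control-table rows against a local policy (added example)."""
import ipaddress
import posixpath

# Policy values are assumptions made for this example, not taken from the draft.
POLICY = {
    "log_dir": "/var/log",
    "collectors": {"192.0.2.10", "2001:db8::10"},
    "pipe_cmds": {"/usr/local/sbin/log-archiver"},
}

# Constructed sample rows: (object, index, value). The index is
# (syslogProcIndex, syslogCtlActionIndex[, per-table row index]).
SNAPSHOT = [
    ("syslogCtlSelectionHostname", (1, 1, 1), "*"),
    ("syslogCtlSelectionHostNameIncl", (1, 1, 1), 1),
    ("syslogCtlLogActionFileName", (1, 1), "/var/log/messages"),
    ("syslogCtlSelectionHostname", (1, 2, 1), "*"),
    ("syslogCtlSelectionHostNameIncl", (1, 2, 1), 2),
    ("syslogCtlLogActionFileName", (1, 2), "/var/log/../tmp/auth.log"),
    ("syslogCtlFwdActionDstAddr", (1, 3, 1), "192.0.2.10"),
    ("syslogCtlFwdActionDstAddr", (1, 3, 2), "198.51.100.77"),
    ("syslogCtlFwdActionDstAddr", (1, 3, 3), "collector.example.net"),
    ("syslogCtlUserActionUserID", (1, 4, 1), "*"),
    ("syslogCtlPipeActionCmd", (1, 5), "/tmp/handler.sh"),
    ("syslogCtlPipeActionCmd", (1, 6), "/usr/local/sbin/log-archiver"),
]

INCLUDED, EXCLUDED = 1, 2  # enumeration values given in the MIB text


def path_inside(path, root):
    """True if the normalized absolute path stays inside root."""
    norm = posixpath.normpath(path)
    root = root.rstrip("/")
    return posixpath.isabs(path) and (norm == root or norm.startswith(root + "/"))


def parse_ip(text):
    """Return an address object, or None when text is not a literal address."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def audit(snapshot, policy):
    """Return a sorted list of (index, object, finding) tuples."""
    rows = {(name, idx): val for name, idx, val in snapshot}
    approved = {ipaddress.ip_address(c) for c in policy["collectors"]}
    findings = []
    for (name, idx), val in rows.items():
        if name == "syslogCtlLogActionFileName":
            # Normalizing first catches "../" escapes from the log directory.
            if not path_inside(val, policy["log_dir"]):
                findings.append((idx, name, "log file outside approved directory"))
        elif name == "syslogCtlFwdActionDstAddr":
            addr = parse_ip(val)
            if addr is None:
                # The MIB text discourages DNS names for this object.
                findings.append((idx, name, "destination is not a literal address"))
            elif addr not in approved:
                findings.append((idx, name, "destination is not an approved collector"))
        elif name == "syslogCtlUserActionUserID":
            if val == "*":
                findings.append((idx, name, "notification goes to all users"))
        elif name == "syslogCtlPipeActionCmd":
            if val not in policy["pipe_cmds"]:
                findings.append((idx, name, "pipe command is not approved"))
        elif name == "syslogCtlSelectionHostname":
            # DEFVAL of syslogCtlSelectionHostNameIncl is included.
            incl = rows.get(("syslogCtlSelectionHostNameIncl", idx), INCLUDED)
            if val == "*" and incl == EXCLUDED:
                findings.append((idx, name, "row excludes every host"))
    return sorted(findings)


if __name__ == "__main__":
    for idx, name, finding in audit(SNAPSHOT, POLICY):
        print(".".join(map(str, idx)), name, finding, sep="  ")
```

Running the audit after every change to the control tables, and comparing the result with the previous run, gives an operator a record of when a log, forward, user or pipe action drifted from policy.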