| < draft-ietf-netmod-syslog-model-26.txt | draft-ietf-netmod-syslog-model-27.txt > | |||
|---|---|---|---|---|
| NETMOD WG C. Wildes, Ed. | NETMOD WG J. Clarke, Ed. | |||
| Internet-Draft Cisco Systems Inc. | Internet-Draft Cisco | |||
| Intended status: Standards Track K. Koushik, Ed. | Intended status: Standards Track M. Jethanandani, Ed. | |||
| Expires: September 14, 2018 Verizon Wireless | Expires: 7 October 2022 Kloud Services | |||
| March 15, 2018 | C. Wildes, Ed. | |||
| Cisco Systems Inc. | ||||
| K. Koushik, Ed. | ||||
| Verizon Wireless | ||||
| 5 April 2022 | ||||
| A YANG Data Model for Syslog Configuration | A YANG Data Model for Syslog Configuration | |||
| draft-ietf-netmod-syslog-model-26 | draft-ietf-netmod-syslog-model-27 | |||
| Abstract | Abstract | |||
| This document defines a YANG data model for the configuration of a | This document defines a YANG data model for the configuration of a | |||
| syslog process. It is intended that this model be used by vendors who | syslog process. It is intended that this model be used by vendors who | |||
| implement syslog in their systems. | implement syslog in their systems. | |||
| Status of this Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 14, 2018. | This Internet-Draft will expire on 7 October 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (http://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Simplified BSD License text | extracted from this document must include Revised BSD License text as | |||
| as described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Revised BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 | 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.3. NMDA Compliance . . . . . . . . . . . . . . . . . . . . . 3 | 3. NMDA Compliance . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 1.4. Editorial Note (To be removed by RFC Editor) . . . . . . . 3 | 4. Editorial Note (To be removed by RFC Editor) . . . . . . . . 4 | |||
| 2. Design of the Syslog Model . . . . . . . . . . . . . . . . . . 3 | 5. Design of the Syslog Model . . . . . . . . . . . . . . . . . 4 | |||
| 2.1. Syslog Module . . . . . . . . . . . . . . . . . . . . . . 5 | 5.1. Syslog Module . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 3. Syslog YANG Module . . . . . . . . . . . . . . . . . . . . . . 7 | 6. Syslog YANG Module . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 3.1. The ietf-syslog Module . . . . . . . . . . . . . . . . . . 8 | 6.1. The ietf-syslog Module . . . . . . . . . . . . . . . . . 14 | |||
| 4. Usage Examples . . . . . . . . . . . . . . . . . . . . . . . . 25 | 7. Usage Examples . . . . . . . . . . . . . . . . . . . . . . . 32 | |||
| 5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 25 | 7.1. Syslog Configuration for Severity Critical . . . . . . . 32 | |||
| 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 | 7.2. Remote Syslog Configuration . . . . . . . . . . . . . . . 33 | |||
| 6.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 26 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 34 | |||
| 6.2. The YANG Module Names Registry . . . . . . . . . . . . . . 26 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 26 | 9.1. The IETF XML Registry . . . . . . . . . . . . . . . . . . 34 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 27 | 9.2. The YANG Module Names Registry . . . . . . . . . . . . . 35 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . . 27 | 10. Security Considerations . . . . . . . . . . . . . . . . . . . 35 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . . 29 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 36 | |||
| Appendix A. Implementer Guidelines . . . . . . . . . . . . . . . . 29 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 36 | |||
| Appendix A.1. Extending Facilities . . . . . . . . . . . . . . 29 | 11.2. Informative References . . . . . . . . . . . . . . . . . 37 | |||
| Appendix A.2. Syslog Terminal Output . . . . . . . . . . . . . 30 | Appendix A. Implementer Guidelines . . . . . . . . . . . . . . . 38 | |||
| Appendix A.3. Syslog File Naming Convention . . . . . . . . . . 30 | A.1. Extending Facilities . . . . . . . . . . . . . . . . . . 38 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 31 | A.2. Syslog Terminal Output . . . . . . . . . . . . . . . . . 39 | |||
| A.3. Syslog File Naming Convention . . . . . . . . . . . . . . 40 | ||||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40 | ||||
| 1. Introduction | 1. Introduction | |||
| This document defines a YANG [RFC7950] configuration data model that | This document defines a YANG [RFC7950] configuration data model that | |||
| may be used to configure the syslog feature running on a system. | may be used to configure the syslog feature running on a system. | |||
| YANG models can be used with network management protocols such as | YANG models can be used with network management protocols such as | |||
| NETCONF [RFC6241] to install, manipulate, and delete the | NETCONF [RFC6241] to install, manipulate, and delete the | |||
| configuration of network devices. | configuration of network devices. | |||
| The data model makes use of the YANG "feature" construct which allows | The data model makes use of the YANG "feature" construct which allows | |||
| skipping to change at page 2, line 51 ¶ | skipping to change at page 3, line 20 ¶ | |||
| them. The processing may involve logging to a local file, and/or | them. The processing may involve logging to a local file, and/or | |||
| displaying on console, and/or relaying to syslog processes on other | displaying on console, and/or relaying to syslog processes on other | |||
| machines. The processing is determined by the "facility" that | machines. The processing is determined by the "facility" that | |||
| originated the message and the "severity" assigned to the message by | originated the message and the "severity" assigned to the message by | |||
| the facility. | the facility. | |||
| The syslog protocol and its terms are defined in [RFC5424] and are | The syslog protocol and its terms are defined in [RFC5424] and are | |||
| used in this document. | used in this document. | |||
| The YANG model in this document conforms to the Network Management | The YANG model in this document conforms to the Network Management | |||
| Datastore Architecture defined in [draft-ietf-netmod-revised- | Datastore Architecture defined in [RFC8342]. | |||
| datastores]. | ||||
| 1.1. Requirements Language | 1.1. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 1.2. Terminology | 2. Terminology | |||
| The term "originator" is defined in [RFC5424]: an "originator" | The term "originator" is defined in [RFC5424]: an "originator" | |||
| generates syslog content to be carried in a message. | generates syslog content to be carried in a message. | |||
| The term "relay" is defined in [RFC5424]: a "relay" forwards | The term "relay" is defined in [RFC5424]: a "relay" forwards | |||
| messages, accepting messages from originators or other relays and | messages, accepting messages from originators or other relays and | |||
| sending them to collectors or other relays. | sending them to collectors or other relays. | |||
| The term "collector" is defined in [RFC5424]: a "collector" gathers | The term "collector" is defined in [RFC5424]: a "collector" gathers | |||
| syslog content for further analysis. | syslog content for further analysis. | |||
| The term "action" refers to the processing that takes place for each | The term "action" refers to the processing that takes place for each | |||
| syslog message received. | syslog message received. | |||
| 1.3. NMDA Compliance | 3. NMDA Compliance | |||
| The YANG model in this document conforms to the Network Management | The YANG model in this document conforms to the Network Management | |||
| Datastore Architecture defined in I-D.ietf-netmod-revised-datastores | Datastore Architecture defined in [RFC8342]. | |||
| [I-D.ietf-netmod-revised-datastores]. | ||||
| 1.4. Editorial Note (To be removed by RFC Editor) | 4. Editorial Note (To be removed by RFC Editor) | |||
| This document contains many placeholder values that need to be | This document contains many placeholder values that need to be | |||
| replaced with finalized values at the time of publication. This note | replaced with finalized values at the time of publication. This note | |||
| summarizes all of the substitutions that are needed. No other RFC | summarizes all of the substitutions that are needed. No other RFC | |||
| Editor instructions are specified elsewhere in this document. | Editor instructions are specified elsewhere in this document. | |||
| Artwork in this document contains shorthand references to drafts in | Artwork in this document contains shorthand references to drafts in | |||
| progress. Please apply the following replacements: | progress. Please apply the following replacements: | |||
| o "I-D.ietf-netconf-keystore" --> the assigned RFC value for draft- | * I-D.ietf-netconf-crypto-types --> the assigned RFC value for | |||
| ietf-netconf-keystore | draft-ietf-netconf-crypto-types | |||
| o "I-D.ietf-netconf-tls-client-server" --> the assigned RFC value | ||||
| for draft-ietf-netconf-tls-client-server | ||||
| o "zzzz" --> the assigned RFC value for this draft | * I-D.ietf-netconf-tls-client-server --> the assigned RFC value for | |||
| draft-ietf-netconf-tls-client-server | ||||
| o I-D.ietf-netmod-revised-datastores --> the assigned RFC value for | * zzzz --> the assigned RFC value for this draft | |||
| draft-ietf-netmod-revised-datastores | ||||
| 2. Design of the Syslog Model | 5. Design of the Syslog Model | |||
| The syslog model was designed by comparing the syslog features | The syslog model was designed by comparing the syslog features | |||
| implemented by various vendors in their different implementations. | implemented by various vendors in their different implementations. | |||
| This document addresses the common leafs between implementations and | This document addresses the common leafs between implementations and | |||
| creates a common model, which can be augmented with proprietary | creates a common model, which can be augmented with proprietary | |||
| features, if necessary. This model is designed to be very simple for | features, if necessary. This model is designed to be very simple for | |||
| maximum flexibility. | maximum flexibility. | |||
| Some optional features are defined in this document to specify | Some optional features are defined in this document to specify | |||
| skipping to change at page 4, line 44 ¶ | skipping to change at page 5, line 31 ¶ | |||
| | | | | |||
| +-------------+--------------+ | +-------------+--------------+ | |||
| | | | | | | | | |||
| v v v | v v v | |||
| Collectors | Collectors | |||
| +----------+ +----------+ +----------------+ | +----------+ +----------+ +----------------+ | |||
| | | | Log | |Remote Relay(s)/| | | | | Log | |Remote Relay(s)/| | |||
| | Console | | File(s) | |Collector(s) | | | Console | | File(s) | |Collector(s) | | |||
| +----------+ +----------+ +----------------+ | +----------+ +----------+ +----------------+ | |||
| Figure 1. Syslog Processing Flow | Figure 1. Syslog Processing Flow | |||
| Collectors are configured using the leaves in the syslog model | Collectors are configured using the leaves in the syslog model | |||
| "actions" container which correspond to each message collector: | "actions" container which correspond to each message collector: | |||
| console | console | |||
| log file(s) | log file(s) | |||
| remote relay(s)/collector(s) | remote relay(s)/collector(s) | |||
| Within each action, a selector is used to filter syslog messages. A | Within each action, a selector is used to filter syslog messages. A | |||
| selector consists of a list of one or more filters specified by | selector consists of a list of one or more filters specified by | |||
| facility-severity pairs, and, if supported via the select-match | facility-severity pairs, and, if supported via the select-match | |||
| feature, an optional regular expression pattern match that is | feature, an optional regular expression pattern match that is | |||
| performed on the [RFC5424] field. | performed on the [RFC5424] field. | |||
| A syslog message is processed if: | A syslog message is processed if: | |||
| There is an element of facility-list (F, S) where | There is an element of facility-list (F, S) where | |||
| the message facility matches F | the message facility matches F | |||
| and the message severity matches S | and the message severity matches S | |||
| and/or the message text matches the regex pattern (if it | and/or the message text matches the regex pattern (if it | |||
| is present) | is present) | |||
| The facility is one of a specific syslog-facility, or all facilities. | The facility is one of a specific syslog-facility, or all facilities. | |||
| The severity is one of type syslog-severity, all severities, or none. | The severity is one of type syslog-severity, all severities, or none. | |||
| None is a special case that can be used to disable a filter. When | None is a special case that can be used to disable a filter. When | |||
| filtering severity, the default comparison is that messages of the | filtering severity, the default comparison is that messages of the | |||
| specified severity and higher are selected to be logged. This is | specified severity and higher are selected to be logged. This is | |||
| shown in the model as "default equals-or-higher". This behavior can | shown in the model as "default equals-or-higher". This behavior can | |||
| be altered if the select-adv-compare feature is enabled to specify a | be altered if the select-adv-compare feature is enabled to specify a | |||
| compare operation and an action. Compare operations are: "equals" to | compare operation and an action. Compare operations are: "equals" to | |||
| select messages with this single severity, or "equals-or-higher" to | select messages with this single severity, or "equals-or-higher" to | |||
| select messages of the specified severity and higher. Actions are | select messages of the specified severity and higher. Actions are | |||
| used to log the message or block the message from being logged. | used to log the message or block the message from being logged. | |||
| Many vendors extend the list of facilities available for logging in | Many vendors extend the list of facilities available for logging in | |||
| their implementation. An example is included in Extending Facilities | their implementation. An example is included in Extending Facilities | |||
| (Appendix A.1). | (Appendix A.1). | |||
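The selection rules described above (facility-severity pairs, the default equals-or-higher comparison, the select-adv-compare equals/block variant and the optional select-match regex) together with the "actions" branch of the module tree in the next section, as an added example that is not part of the draft or of any vendor's implementation. It parses a hand-constructed XML instance of ietf-syslog (the namespace urn:ietf:params:xml:ns:yang:ietf-syslog is the one the draft registers in its IANA section; the instance follows the tree diagram but is not schema-validated), decodes the PRI of RFC 5424 messages, and reports which action would log each message. Two points the text leaves open are settled by assumption and marked in the code: a pattern-match regex is ANDed with the facility filter, and a matching "block" entry overrides a matching "log" entry.

```python
# Added example (not from the draft or any vendor): the selection rules of
# "Design of the Syslog Model" applied to RFC 5424 messages, driven by a
# hand-written instance of the tree diagram's "actions" branch. Assumed here:
# the regex is ANDed with the facility filter, a matching "block" entry wins
# over a "log" entry, and the XML namespace is the one the draft registers.
import re
import xml.etree.ElementTree as ET

NS = "{urn:ietf:params:xml:ns:yang:ietf-syslog}"
# Numeric codes from RFC 5424 Section 6.2.1; names follow the model's identities.
FACILITIES = {n: i for i, n in enumerate(
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp "
    "audit console cron2 local0 local1 local2 local3 local4 local5 local6 "
    "local7".split())}
SEVERITIES = {n: i for i, n in enumerate(
    "emergency alert critical error warning notice info debug".split())}
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>\d+ \S+ \S+ \S+ \S+ \S+ "
                       r"(?:-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")


def parse_message(line):
    """Return (facility, severity, msg) for an RFC 5424 line; PRI = 8*fac+sev."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line)
    pri = int(m.group("pri"))
    return pri // 8, pri % 8, m.group("msg") or ""


def _selector(node):
    """facility-filter/facility-list entries plus pattern-match under node."""
    entries = []
    for fl in node.iter(NS + "facility-list"):
        adv = fl.find(NS + "advanced-compare")
        get = adv.findtext if adv is not None else (lambda tag, default: default)
        entries.append({
            "facility": fl.findtext(NS + "facility").split(":")[-1],  # drop prefix
            "severity": fl.findtext(NS + "severity").split(":")[-1],
            "compare": get(NS + "compare", "equals-or-higher"),  # model defaults
            "action": get(NS + "action", "log"),
        })
    pat = node.findtext(NS + "pattern-match")
    return {"entries": entries, "pattern": re.compile(pat) if pat else None}


def load_actions(xml_text):
    """Map 'console', 'file <name>' and 'remote <name>' to their selectors."""
    actions = {}
    for node in ET.fromstring(xml_text).find(NS + "actions"):
        kind = node.tag[len(NS):]
        if kind in ("file", "remote"):        # log-file* / destination* lists
            for item in node:
                actions[kind + " " + item.findtext(NS + "name")] = _selector(item)
        else:
            actions[kind] = _selector(node)
    return actions


def _matches(entry, facility, severity):
    if entry["severity"] == "none":           # "none" disables the entry
        return False
    if entry["facility"] != "all" and FACILITIES[entry["facility"]] != facility:
        return False
    if entry["severity"] == "all":
        return True
    wanted = SEVERITIES[entry["severity"]]
    if entry["compare"] == "equals":
        return severity == wanted
    return severity <= wanted                 # equals-or-higher: lower code = worse


def selected(selector, line):
    """True if the action would process this message."""
    facility, severity, msg = parse_message(line)
    if selector["pattern"] is not None and not selector["pattern"].search(msg):
        return False                          # assumption: regex ANDed with filter
    hits = [e for e in selector["entries"] if _matches(e, facility, severity)]
    if any(e["action"] == "block" for e in hits):
        return False                          # assumption: block beats log
    return any(e["action"] == "log" for e in hits)


def route(xml_text, lines):
    """For each configured action, the messages it would log, in input order."""
    return {name: [l for l in lines if selected(sel, l)]
            for name, sel in load_actions(xml_text).items()}


# Constructed instance (not schema-validated): console shows error-or-worse
# lines about denied access; the auth file keeps all auth except debug chatter.
CONFIG = """<syslog xmlns="urn:ietf:params:xml:ns:yang:ietf-syslog"><actions>
 <console><facility-filter>
  <facility-list><facility>all</facility><severity>error</severity></facility-list>
 </facility-filter><pattern-match>Failed|denied</pattern-match></console>
 <file><log-file><name>file:///var/log/auth.log</name><facility-filter>
  <facility-list><facility>auth</facility><severity>all</severity></facility-list>
  <facility-list><facility>auth</facility><severity>debug</severity>
   <advanced-compare><compare>equals</compare><action>block</action></advanced-compare>
  </facility-list>
 </facility-filter></log-file></file>
</actions></syslog>"""

# Constructed RFC 5424 lines: PRI 34 = auth.critical, 38 = auth.info,
# 39 = auth.debug, 3 = kern.error, 11 = user.error (with structured data).
SAMPLE = [
    "<34>1 2022-04-05T10:00:00Z gw1 sshd 1201 - - Failed password for root from 198.51.100.7",
    "<38>1 2022-04-05T10:00:01Z gw1 sshd 1201 - - Accepted publickey for ops",
    "<39>1 2022-04-05T10:00:02Z gw1 sshd 1201 - - debug1: channel 0: free",
    "<3>1 2022-04-05T10:00:03Z gw1 kernel - - - ext4 error on sda1",
    '<11>1 2022-04-05T10:00:04Z gw1 app 77 ID47 [ex@32473 iut="3"] access denied',
]
```

Running route(CONFIG, SAMPLE) sends the two "Failed"/"denied" error-or-worse lines to the console and the auth critical and info lines to the file; the auth debug line is dropped by the block entry, and the kernel error reaches neither action because it fails the console regex and the file filter is restricted to the auth facility. Vendor facilities added as described in Appendix A.1 are handled by extending FACILITIES with their identity names and codes.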
| 2.1. Syslog Module | 5.1. Syslog Module | |||
| A simplified graphical representation of the data model is used in | A simplified graphical representation of the data model is used in | |||
| this document. Please see [I-D.ietf-netmod-yang-tree-diagrams] for | this document. Please see [RFC8340] for tree diagram notation. | |||
| tree diagram notation. | ||||
| module: ietf-syslog | module: ietf-syslog | |||
| +--rw syslog! | +--rw syslog! | |||
| +--rw actions | +--rw actions | |||
| +--rw console! {console-action}? | +--rw console! {console-action}? | |||
| | +--rw facility-filter | | +--rw facility-filter | |||
| | | +--rw facility-list* [facility severity] | | | +--rw facility-list* [facility severity] | |||
| | | +--rw facility union | | | +--rw facility union | |||
| | | +--rw severity union | | | +--rw severity union | |||
| | | +--rw advanced-compare {select-adv-compare}? | | | +--rw advanced-compare {select-adv-compare}? | |||
| | | +--rw compare? enumeration | | | +--rw compare? enumeration | |||
| | | +--rw action? enumeration | | | +--rw action? enumeration | |||
| | +--rw pattern-match? string {select-match}? | | +--rw pattern-match? string {select-match}? | |||
| +--rw file {file-action}? | +--rw file {file-action}? | |||
| | +--rw log-file* [name] | | +--rw log-file* [name] | |||
| | +--rw name inet:uri | | +--rw name inet:uri | |||
| | +--rw facility-filter | | +--rw facility-filter | |||
| | | +--rw facility-list* [facility severity] | | | +--rw facility-list* [facility severity] | |||
| | | +--rw facility union | | | +--rw facility union | |||
| | | +--rw severity union | | | +--rw severity union | |||
| | | +--rw advanced-compare {select-adv-compare}? | | | +--rw advanced-compare {select-adv-compare}? | |||
| | | +--rw compare? enumeration | | | +--rw compare? enumeration | |||
| | | +--rw action? enumeration | | | +--rw action? enumeration | |||
| | +--rw pattern-match? string {select-match}? | | +--rw pattern-match? string {select-match}? | |||
| | +--rw structured-data? boolean {structured-data}? | | +--rw structured-data? boolean {structured-data}? | |||
| | +--rw file-rotation | | +--rw file-rotation | |||
| | +--rw number-of-files? uint32 {file-limit-size}? | | +--rw number-of-files? uint32 {file-limit-size}? | |||
| | +--rw max-file-size? uint32 {file-limit-size}? | | +--rw max-file-size? uint32 {file-limit-size}? | |||
| | +--rw rollover? uint32 | | +--rw rollover? uint32 | |||
| | | {file-limit-duration}? | | | {file-limit-duration}? | |||
| | +--rw retention? uint32 | | +--rw retention? uint32 | |||
| | {file-limit-duration}? | | {file-limit-duration}? | |||
| +--rw remote {remote-action}? | +--rw remote {remote-action}? | |||
| +--rw destination* [name] | +--rw destination* [name] | |||
| +--rw name string | +--rw name string | |||
| +--rw (transport) | +--rw (transport) | |||
| | +--:(udp) | | +--:(udp) | |||
| | | +--rw udp | | | +--rw udp | |||
| | | +--rw address? inet:host | | | +--rw address? inet:host | |||
| | | +--rw port? inet:port-number | | | +--rw port? inet:port-number | |||
| | +--:(tls) | | +--:(tls) | |||
| | +--rw tls | | +--rw tls | |||
| | +--rw address? inet:host | | +--rw address? inet:host | |||
| | +--rw port? inet:port-number | | +--rw port? | |||
| | +--rw client-auth | | | inet:port-number | |||
| | | +--rw (auth-type)? | | +--rw client-identity! | |||
| | | +--:(certificate) | | | +--rw (auth-type) | |||
| | | +--rw certificate? leafref | | | +--:(certificate) | |||
| | +--rw server-auth | | | | {client-ident-x509-cert}? | |||
| | | +--rw pinned-ca-certs? leafref | | | | +--rw certificate | |||
| | | +--rw pinned-server-certs? leafref | | | | +--rw (local-or-keystore) | |||
| | +--rw hello-params | | | | +--:(local) | |||
| | {tls-client-hello-params-config}? | | | | | {local-definitions-suppo | |||
| | +--rw tls-versions | rted,asymmetric-keys}? | |||
| | | +--rw tls-version* identityref | | | | | +--rw local-definition | |||
| | +--rw cipher-suites | | | | | +--rw public-key-format | |||
| | +--rw cipher-suite* identityref | | | | | | identityref | |||
| +--rw facility-filter | | | | | +--rw public-key | |||
| | +--rw facility-list* [facility severity] | | | | | | binary | |||
| | +--rw facility union | | | | | +--rw private-key-format? | |||
| | +--rw severity union | | | | | | identityref | |||
| | +--rw advanced-compare {select-adv-compare}? | | | | | +--rw (private-key-type) | |||
| | +--rw compare? enumeration | | | | | | +--:(cleartext-private-k | |||
| | +--rw action? enumeration | ey) | |||
| +--rw pattern-match? string {select-match}? | | | | | | | +--rw cleartext-priva | |||
| +--rw structured-data? boolean {structured-data}? | te-key? | |||
| +--rw facility-override? identityref | | | | | | | binary | |||
| +--rw source-interface? if:interface-ref | | | | | | +--:(hidden-private-key) | |||
| | {remote-source-interface}? | | | | | | | {hidden-keys}? | |||
| +--rw signing! {signed-messages}? | | | | | | | +--rw hidden-private- | |||
| +--rw cert-signers | key? | |||
| +--rw cert-signer* [name] | | | | | | | empty | |||
| | +--rw name string | | | | | | +--:(encrypted-private-k | |||
| | +--rw cert | ey) | |||
| | | +--rw algorithm? | | | | | | {private-key-en | |||
| | | | identityref | cryption}? | |||
| | | +--rw private-key? | | | | | | +--rw encrypted-priva | |||
| | | | union | te-key | |||
| | | +--rw public-key? | | | | | | +--rw encrypted-by | |||
| | | | binary | | | | | | +--rw encrypted-va | |||
| | | +---x generate-private-key | lue-format | |||
| | | | +---w input | | | | | | | identityre | |||
| | | | +---w algorithm? | f | |||
| | | | identityref | | | | | | +--rw encrypted-va | |||
| | | +--rw certificates | lue | |||
| | | | +--rw certificate* [name] | | | | | | binary | |||
| | | | +--rw name string | | | | | +--rw cert-data? | |||
| | | | +--rw value? binary | | | | | | end-entity-cert-cms | |||
| | | +---x generate-certificate-signing-request | | | | | +---n certificate-expiratio | |||
| | | +---w input | n | |||
| | | | +---w subject binary | | | | | | {certificate-expira | |||
| | | | +---w attributes? binary | tion-notification}? | |||
| | | +--ro output | | | | | | +-- expiration-date | |||
| | | +--ro certificate-signing-request | | | | | | yang:date-and-ti | |||
| | | binary | me | |||
| | +--rw hash-algorithm? enumeration | | | | | +---x generate-certificate- | |||
| +--rw cert-initial-repeat? uint32 | signing-request | |||
| +--rw cert-resend-delay? uint32 | | | | | {certificate-signin | |||
| +--rw cert-resend-count? uint32 | g-request-generation}? | |||
| +--rw sig-max-delay? uint32 | | | | | +---w input | |||
| +--rw sig-number-resends? uint32 | | | | | | +---w csr-info | |||
| +--rw sig-resend-delay? uint32 | | | | | | ct:csr-info | |||
| +--rw sig-resend-count? uint32 | | | | | +--ro output | |||
| | | | | +--ro certificate-sig | ||||
| ning-request | ||||
| | | | | ct:csr | ||||
| | | | +--:(keystore) | ||||
| | | | {central-keystore-suppor | ||||
| ted,asymmetric-keys}? | ||||
| | | | +--rw keystore-reference | ||||
| | | | +--rw asymmetric-key? | ||||
| | | | | ks:asymmetric-key-r | ||||
| ef | ||||
| | | | | {central-keystore-s | ||||
| upported,asymmetric-keys}? | ||||
| | | | +--rw certificate? lea | ||||
| fref | ||||
| | | +--:(raw-public-key) | ||||
| | | | {client-ident-raw-public-key}? | ||||
| | | | +--rw raw-private-key | ||||
| | | | +--rw (local-or-keystore) | ||||
| | | | +--:(local) | ||||
| | | | | {local-definitions-suppo | ||||
| rted,asymmetric-keys}? | ||||
| | | | | +--rw local-definition | ||||
| | | | | +--rw public-key-format | ||||
| | | | | | identityref | ||||
| | | | | +--rw public-key | ||||
| | | | | | binary | ||||
| | | | | +--rw private-key-format? | ||||
| | | | | | identityref | ||||
| | | | | +--rw (private-key-type) | ||||
| | | | | +--:(cleartext-private-k | ||||
| ey) | ||||
| | | | | | +--rw cleartext-priva | ||||
| te-key? | ||||
| | | | | | binary | ||||
| | | | | +--:(hidden-private-key) | ||||
| | | | | | {hidden-keys}? | ||||
| | | | | | +--rw hidden-private- | ||||
| key? | ||||
| | | | | | empty | ||||
| | | | | +--:(encrypted-private-k | ||||
| ey) | ||||
| | | | | {private-key-en | ||||
| cryption}? | ||||
| | | | | +--rw encrypted-priva | ||||
| te-key | ||||
| | | | | +--rw encrypted-by | ||||
| | | | | +--rw encrypted-va | ||||
| lue-format | ||||
| | | | | | identityre | ||||
| f | ||||
| | | | | +--rw encrypted-va | ||||
| lue | ||||
| | | | | binary | ||||
| | | | +--:(keystore) | ||||
| | | | {central-keystore-suppor | ||||
| ted,asymmetric-keys}? | ||||
| | | | +--rw keystore-reference? | ||||
| | | | ks:asymmetric-key-ref | ||||
| | | +--:(tls12-psk) | ||||
| | | | {client-ident-tls12-psk}? | ||||
| | | | +--rw tls12-psk | ||||
| | | | +--rw (local-or-keystore) | ||||
| | | | | +--:(local) | ||||
| | | | | | {local-definitions-suppo | ||||
| rted,symmetric-keys}? | ||||
| | | | | | +--rw local-definition | ||||
| | | | | | +--rw key-format? | ||||
| | | | | | | identityref | ||||
| | | | | | +--rw (key-type) | ||||
| | | | | | +--:(cleartext-key) | ||||
| | | | | | | +--rw cleartext-key? | ||||
| | | | | | | binary | ||||
| | | | | | +--:(hidden-key) | ||||
| | | | | | | {hidden-keys}? | ||||
| | | | | | | +--rw hidden-key? | ||||
| | | | | | | empty | ||||
| | | | | | +--:(encrypted-key) | ||||
| | | | | | {symmetric-key- | ||||
| encryption}? | ||||
| | | | | | +--rw encrypted-key | ||||
| | | | | | +--rw encrypted-by | ||||
| | | | | | +--rw encrypted-va | ||||
| lue-format | ||||
| | | | | | | identityre | ||||
| f | ||||
| | | | | | +--rw encrypted-va | ||||
| lue | ||||
| | | | | | binary | ||||
| | | | | +--:(keystore) | ||||
| | | | | {central-keystore-suppor | ||||
| ted,symmetric-keys}? | ||||
| | | | | +--rw keystore-reference? | ||||
| | | | | ks:symmetric-key-ref | ||||
| | | | +--rw id? | ||||
| | | | string | ||||
| | | +--:(tls13-epsk) | ||||
| | | {client-ident-tls13-epsk}? | ||||
| | | +--rw tls13-epsk | ||||
| | | +--rw (local-or-keystore) | ||||
| | | | +--:(local) | ||||
| | | | | {local-definitions-suppo | ||||
| rted,symmetric-keys}? | ||||
| | | | | +--rw local-definition | ||||
| | | | | +--rw key-format? | ||||
| | | | | | identityref | ||||
| | | | | +--rw (key-type) | ||||
| | | | | +--:(cleartext-key) | ||||
| | | | | | +--rw cleartext-key? | ||||
| | | | | | binary | ||||
| | | | | +--:(hidden-key) | ||||
| | | | | | {hidden-keys}? | ||||
| | | | | | +--rw hidden-key? | ||||
| | | | | | empty | ||||
| | | | | +--:(encrypted-key) | ||||
| | | | | {symmetric-key- | ||||
| encryption}? | ||||
| | | | | +--rw encrypted-key | ||||
| | | | | +--rw encrypted-by | ||||
| | | | | +--rw encrypted-va | ||||
| lue-format | ||||
| | | | | | identityre | ||||
| f | ||||
| | | | | +--rw encrypted-va | ||||
| lue | ||||
| | | | | binary | ||||
| | | | +--:(keystore) | ||||
| | | | {central-keystore-suppor | ||||
| ted,symmetric-keys}? | ||||
| | | | +--rw keystore-reference? | ||||
| | | | ks:symmetric-key-ref | ||||
| | | +--rw external-identity | ||||
| | | | string | ||||
| | | +--rw hash | ||||
| | | | tlscmn:epsk-supported-hash | ||||
| | | +--rw context? | ||||
| | | | string | ||||
| | | +--rw target-protocol? | ||||
| | | | uint16 | ||||
| | | +--rw target-kdf? | ||||
| | | uint16 | ||||
| | +--rw server-authentication | ||||
| | | +--rw ca-certs! {server-auth-x509-cert}? | ||||
| | | | +--rw (local-or-truststore) | ||||
| | | | +--:(local) | ||||
| | | | | {local-definitions-supported}? | ||||
| | | | | +--rw local-definition | ||||
| | | | | +--rw certificate* [name] | ||||
| | | | | +--rw name | ||||
| | | | | | string | ||||
| | | | | +--rw cert-data | ||||
| | | | | | trust-anchor-cert-cms | ||||
| | | | | +---n certificate-expiration | ||||
| | | | | {certificate-expiratio | ||||
| n-notification}? | ||||
| | | | | +-- expiration-date | ||||
| | | | | yang:date-and-time | ||||
| | | | +--:(truststore) | ||||
| | | | {central-truststore-supported, | ||||
| Figure 2. ietf-syslog Module Tree | certificates}? | |||
| | | | +--rw truststore-reference? | ||||
| | | | ts:certificate-bag-ref | ||||
| | | +--rw ee-certs! {server-auth-x509-cert}? | ||||
| | | | +--rw (local-or-truststore) | ||||
| | | | +--:(local) | ||||
| | | | | {local-definitions-supported}? | ||||
| | | | | +--rw local-definition | ||||
| | | | | +--rw certificate* [name] | ||||
| | | | | +--rw name | ||||
| | | | | | string | ||||
| | | | | +--rw cert-data | ||||
| | | | | | trust-anchor-cert-cms | ||||
| | | | | +---n certificate-expiration | ||||
| | | | | {certificate-expiratio | ||||
| n-notification}? | ||||
| | | | | +-- expiration-date | ||||
| | | | | yang:date-and-time | ||||
| | | | +--:(truststore) | ||||
| | | | {central-truststore-supported, | ||||
| certificates}? | ||||
| | | | +--rw truststore-reference? | ||||
| | | | ts:certificate-bag-ref | ||||
| | | +--rw raw-public-keys! | ||||
| | | | {server-auth-raw-public-key}? | ||||
| | | | +--rw (local-or-truststore) | ||||
| | | | +--:(local) | ||||
| | | | | {local-definitions-supported}? | ||||
| | | | | +--rw local-definition | ||||
| | | | | +--rw public-key* [name] | ||||
| | | | | +--rw name | ||||
| | | | | | string | ||||
| | | | | +--rw public-key-format | ||||
| | | | | | identityref | ||||
| | | | | +--rw public-key | ||||
| | | | | binary | ||||
| | | | +--:(truststore) | ||||
| | | | {central-truststore-supported, | ||||
| public-keys}? | ||||
| | | | +--rw truststore-reference? | ||||
| | | | ts:public-key-bag-ref | ||||
| | | +--rw tls12-psks? empty | ||||
| | | | {server-auth-tls12-psk}? | ||||
| | | +--rw tls13-epsks? empty | ||||
| | | {server-auth-tls13-epsk}? | ||||
| | +--rw hello-params {tlscmn:hello-params}? | ||||
| | | +--rw tls-versions | ||||
| | | | +--rw tls-version* identityref | ||||
| | | +--rw cipher-suites | ||||
| | | +--rw cipher-suite* identityref | ||||
| | +--rw keepalives {tls-client-keepalives}? | ||||
| | +--rw peer-allowed-to-send? empty | ||||
| | +--rw test-peer-aliveness! | ||||
| | +--rw max-wait? uint16 | ||||
| | +--rw max-attempts? uint8 | ||||
| +--rw facility-filter | ||||
| | +--rw facility-list* [facility severity] | ||||
| | +--rw facility union | ||||
| | +--rw severity union | ||||
| | +--rw advanced-compare {select-adv-compare}? | ||||
| | +--rw compare? enumeration | ||||
| | +--rw action? enumeration | ||||
| +--rw pattern-match? string {select-match}? | ||||
| +--rw structured-data? boolean {structured-data}? | ||||
| +--rw facility-override? identityref | ||||
| +--rw source-interface? if:interface-ref | ||||
| | {remote-source-interface}? | ||||
| +--rw signing! {signed-messages}? | ||||
| +--rw cert-signers | ||||
| +--rw cert-signer* [name] | ||||
| | +--rw name string | ||||
| | +--rw cert | ||||
| | | +--rw public-key-format | ||||
| | | | identityref | ||||
| | | +--rw public-key | ||||
| | | | binary | ||||
| | | +--rw private-key-format? | ||||
| | | | identityref | ||||
| | | +--rw (private-key-type) | ||||
| | | | +--:(cleartext-private-key) | ||||
| | | | | +--rw cleartext-private-key? | ||||
| | | | | binary | ||||
| | | | +--:(hidden-private-key) {hidden-keys}? | ||||
| | | | | +--rw hidden-private-key? | ||||
| | | | | empty | ||||
| | | | +--:(encrypted-private-key) | ||||
| | | | {private-key-encryption}? | ||||
| | | | +--rw encrypted-private-key | ||||
| | | | +--rw encrypted-by | ||||
| | | | +--rw encrypted-value-format | ||||
| | | | | identityref | ||||
| | | | +--rw encrypted-value | ||||
| | | | binary | ||||
| | | +--rw certificates | ||||
| | | | +--rw certificate* [name] | ||||
| | | | +--rw name | ||||
| | | | | string | ||||
| | | | +--rw cert-data | ||||
| | | | | end-entity-cert-cms | ||||
| | | | +---n certificate-expiration | ||||
| | | | {certificate-expiration-notific | ||||
| ation}? | ||||
| | | | +-- expiration-date | ||||
| | | | yang:date-and-time | ||||
| | | +---x generate-certificate-signing-request | ||||
| | | {certificate-signing-request-generati | ||||
| on}? | ||||
| | | +---w input | ||||
| | | | +---w csr-info ct:csr-info | ||||
| | | +--ro output | ||||
| | | +--ro certificate-signing-request | ||||
| | | ct:csr | ||||
| | +--rw hash-algorithm? enumeration | ||||
| +--rw cert-initial-repeat? uint32 | ||||
| +--rw cert-resend-delay? uint32 | ||||
| +--rw cert-resend-count? uint32 | ||||
| +--rw sig-max-delay? uint32 | ||||
| +--rw sig-number-resends? uint32 | ||||
| +--rw sig-resend-delay? uint32 | ||||
| +--rw sig-resend-count? uint32 | ||||
| 3. Syslog YANG Module | Figure 1: Tree Diagram for Syslog Model | |||
| 3.1. The ietf-syslog Module | ||||
| This module imports typedefs from [RFC6991], | 6. Syslog YANG Module | |||
| [I-D.ietf-netmod-rfc7223bis], groupings from | ||||
| [I-D.ietf-netconf-keystore], and | 6.1. The ietf-syslog Module | |||
| This module imports typedefs from [RFC6991], [RFC8343], groupings | ||||
| from [I-D.ietf-netconf-crypto-types], and | ||||
| [I-D.ietf-netconf-tls-client-server], and it references [RFC5424], | [I-D.ietf-netconf-tls-client-server], and it references [RFC5424], | |||
| [RFC5425], [RFC5426], [RFC5848], [RFC8089], [RFC8174], and | [RFC5425], [RFC5426], and [RFC5848], [RFC8089], [RFC8174], and | |||
| [Std-1003.1-2008]. | [Std-1003.1-2008]. | |||
| <CODE BEGINS> file "ietf-syslog@2018-03-15.yang" | <CODE BEGINS> file "ietf-syslog@2022-04-05.yang" | |||
| module ietf-syslog { | module ietf-syslog { | |||
| yang-version 1.1; | yang-version 1.1; | |||
| namespace "urn:ietf:params:xml:ns:yang:ietf-syslog"; | namespace "urn:ietf:params:xml:ns:yang:ietf-syslog"; | |||
| prefix syslog; | prefix syslog; | |||
| import ietf-inet-types { | import ietf-inet-types { | |||
| prefix inet; | prefix inet; | |||
| reference | reference | |||
| "RFC 6991: Common YANG Data Types"; | "RFC 6991: Common YANG Data Types"; | |||
| } | } | |||
| import ietf-interfaces { | import ietf-interfaces { | |||
| prefix if; | prefix if; | |||
| reference | reference | |||
| "I-D.ietf-netmod-rfc7223bis: A YANG Data Model | "RFC 8343: A YANG Data Model for Interface Management"; | |||
| for Interface Management"; | ||||
| } | } | |||
| import ietf-tls-client { | import ietf-tls-client { | |||
| prefix tlsc; | prefix tlsc; | |||
| reference | reference | |||
| "I-D.ietf-netconf-tls-client-server: | "I-D.ietf-netconf-tls-client-server: | |||
| YANG Groupings for TLS Clients and TLS Servers"; | YANG Groupings for TLS Clients and TLS Servers"; | |||
| } | } | |||
| import ietf-crypto-types { | ||||
| import ietf-keystore { | prefix ct; | |||
| prefix ks; | ||||
| reference | reference | |||
| "I-D.ietf-netconf-keystore: YANG Data Model for a | "I-D.ietf-netconf-crypto-types: YANG Data Types for | |||
| Keystore Mechanism"; | Cryptography"; | |||
| } | } | |||
| organization | organization | |||
| "IETF NETMOD (Network Modeling) Working Group"; | "IETF NETMOD (Network Modeling) Working Group"; | |||
| contact | contact | |||
| "WG Web: <http://tools.ietf.org/wg/netmod/> | "WG Web: <https://datatracker.ietf.org/wg/netmod/> | |||
| WG List: <mailto:netmod@ietf.org> | WG List: <mailto:netmod@ietf.org> | |||
| Editor: Mahesh Jethanandani | ||||
| <mailto:mjethanandani@gmail.com> | ||||
| Editor: Joe Clarke | ||||
| <mailto:jclarke@cisco.com> | ||||
| Editor: Kiran Agrahara Sreenivasa | Editor: Kiran Agrahara Sreenivasa | |||
| <mailto:kirankoushik.agraharasreenivasa@ | <mailto:kirankoushik.agraharasreenivasa@ | |||
| verizonwireless.com> | verizonwireless.com> | |||
| Editor: Clyde Wildes | Editor: Clyde Wildes | |||
| <mailto:cwildes@cisco.com>"; | <mailto:cwildes@cisco.com>"; | |||
| description | description | |||
| "This module contains a collection of YANG definitions | "This module contains a collection of YANG definitions | |||
| for syslog configuration. | for syslog configuration. | |||
| Copyright (c) 2018 IETF Trust and the persons identified as | Copyright (c) 2022 IETF Trust and the persons identified as | |||
| authors of the code. All rights reserved. | authors of the code. All rights reserved. | |||
| Redistribution and use in source and binary forms, with or | Redistribution and use in source and binary forms, with or | |||
| without modification, is permitted pursuant to, and subject to | without modification, is permitted pursuant to, and subject to | |||
| the license terms contained in, the Simplified BSD License set | the license terms contained in, the Revised BSD License set | |||
| forth in Section 4.c of the IETF Trust's Legal Provisions | forth in Section 4.c of the IETF Trust's Legal Provisions | |||
| Relating to IETF Documents | Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info). | (https://trustee.ietf.org/license-info). | |||
| The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL | This version of this YANG module is part of RFC zzzz | |||
| NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and | (https://www.rfc-editor.org/info/rfczzzz); see the RFC itself | |||
| 'OPTIONAL' in the module text are to be interpreted as | for full legal notices. | |||
| described in RFC 2119 (http://tools.ietf.org/html/rfc2119). | ||||
| This version of this YANG module is part of RFC zzzz | The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL | |||
| (http://tools.ietf.org/html/rfczzzz); see the RFC itself for | NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', | |||
| full legal notices."; | 'MAY', and 'OPTIONAL' in this document are to be interpreted as | |||
| described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, | ||||
| they appear in all capitals, as shown here."; | ||||
| revision 2018-03-15 { | revision 2022-04-05 { | |||
| description | description | |||
| "Initial Revision"; | "Initial Revision"; | |||
| reference | reference | |||
| "RFC zzzz: Syslog YANG Model"; | "RFC zzzz: Syslog YANG Model"; | |||
| } | } | |||
| feature console-action { | feature console-action { | |||
| description | description | |||
| "This feature indicates that the local console action is | "This feature indicates that the local console action is | |||
| supported."; | supported."; | |||
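Review bot: the `cert` container under `cert-signers` (see the `(private-key-type)` choice in the tree above) now allows a `cleartext-private-key` of type binary to be carried as configuration; the Security Considerations should list this node as sensitive for both read and write, and the description could point operators to the `hidden-private-key` or `encrypted-private-key` cases where the platform supports those features. Separately, in Section 6.1 the conjunction is misplaced in "[RFC5425], [RFC5426], and [RFC5848], [RFC8089], [RFC8174], and [Std-1003.1-2008]"; drop the first "and".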
| skipping to change at page 11, line 40 ¶ | skipping to change at page 17, line 40 ¶ | |||
| feature signed-messages { | feature signed-messages { | |||
| description | description | |||
| "This feature represents the ability to configure signed | "This feature represents the ability to configure signed | |||
| syslog messages."; | syslog messages."; | |||
| reference | reference | |||
| "RFC 5848: Signed Syslog Messages"; | "RFC 5848: Signed Syslog Messages"; | |||
| } | } | |||
| typedef syslog-severity { | typedef syslog-severity { | |||
| type enumeration { | type enumeration { | |||
| enum "emergency" { | enum emergency { | |||
| value 0; | value 0; | |||
| description | description | |||
| "The severity level 'Emergency' indicating that the | "The severity level 'Emergency' indicating that the | |||
| system is unusable."; | system is unusable."; | |||
| } | } | |||
| enum "alert" { | enum alert { | |||
| value 1; | value 1; | |||
| description | description | |||
| "The severity level 'Alert' indicating that an action | "The severity level 'Alert' indicating that an action | |||
| must be taken immediately."; | must be taken immediately."; | |||
| } | } | |||
| enum "critical" { | enum critical { | |||
| value 2; | value 2; | |||
| description | description | |||
| "The severity level 'Critical' indicating a critical | "The severity level 'Critical' indicating a critical | |||
| condition."; | condition."; | |||
| } | } | |||
| enum "error" { | enum error { | |||
| value 3; | value 3; | |||
| description | description | |||
| "The severity level 'Error' indicating an error | "The severity level 'Error' indicating an error | |||
| condition."; | condition."; | |||
| } | } | |||
| enum "warning" { | enum warning { | |||
| value 4; | value 4; | |||
| description | description | |||
| "The severity level 'Warning' indicating a warning | "The severity level 'Warning' indicating a warning | |||
| condition."; | condition."; | |||
| } | } | |||
| enum "notice" { | enum notice { | |||
| value 5; | value 5; | |||
| description | description | |||
| "The severity level 'Notice' indicating a normal but | "The severity level 'Notice' indicating a normal but | |||
| significant condition."; | significant condition."; | |||
| } | } | |||
| enum "info" { | enum info { | |||
| value 6; | value 6; | |||
| description | description | |||
| "The severity level 'Info' indicating an informational | "The severity level 'Info' indicating an informational | |||
| message."; | message."; | |||
| } | } | |||
| enum "debug" { | enum debug { | |||
| value 7; | value 7; | |||
| description | description | |||
| "The severity level 'Debug' indicating a debug-level | "The severity level 'Debug' indicating a debug-level | |||
| message."; | message."; | |||
| } | } | |||
| } | } | |||
| description | description | |||
| "The definitions for Syslog message severity. | "The definitions for Syslog message severity. | |||
| Note that a lower value is a higher severity. Comparisons of | Note that a lower value is a higher severity. Comparisons of | |||
| equal-or-higher severity mean equal or lower numeric value"; | equal-or-higher severity mean equal or lower numeric value"; | |||
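Review bot: the `syslog-severity` description ends without a period after "equal or lower numeric value"; the sentence should be terminated like the others in the module.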
| skipping to change at page 13, line 26 ¶ | skipping to change at page 19, line 39 ¶ | |||
| reference | reference | |||
| "RFC 5424: The Syslog Protocol"; | "RFC 5424: The Syslog Protocol"; | |||
| } | } | |||
| identity daemon { | identity daemon { | |||
| base syslog-facility; | base syslog-facility; | |||
| description | description | |||
| "The facility for the system daemons (3)."; | "The facility for the system daemons (3)."; | |||
| reference | reference | |||
| "RFC 5424: The Syslog Protocol"; | "RFC 5424: The Syslog Protocol"; | |||
| } | } | |||
| identity auth { | identity auth { | |||
| base syslog-facility; | base syslog-facility; | |||
| description | description | |||
| "The facility for security/authorization messages (4)."; | "The facility for security/authorization messages (4)."; | |||
| reference | reference | |||
| "RFC 5424: The Syslog Protocol"; | "RFC 5424: The Syslog Protocol"; | |||
| } | } | |||
| identity syslog { | identity syslog { | |||
| skipping to change at page 17, line 4 ¶ | skipping to change at page 23, line 40 ¶ | |||
| "This enum describes the case where no severities | "This enum describes the case where no severities | |||
| are selected."; | are selected."; | |||
| } | } | |||
| enum all { | enum all { | |||
| value -2147483648; | value -2147483648; | |||
| description | description | |||
| "This enum describes the case where all severities | "This enum describes the case where all severities | |||
| are selected."; | are selected."; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| mandatory true; | mandatory true; | |||
| description | description | |||
| "This leaf specifies the syslog message severity."; | "This leaf specifies the syslog message severity."; | |||
| } | } | |||
| container advanced-compare { | container advanced-compare { | |||
| when '../severity != "all" and | when "../severity != \"all\" and | |||
| ../severity != "none"' { | ../severity != \"none\"" { | |||
| description | description | |||
| "The advanced compare container is not applicable for | "The advanced compare container is not applicable for | |||
| severity 'all' or severity 'none'"; | severity 'all' or severity 'none'"; | |||
| } | } | |||
| if-feature select-adv-compare; | if-feature "select-adv-compare"; | |||
| leaf compare { | leaf compare { | |||
| type enumeration { | type enumeration { | |||
| enum equals { | enum equals { | |||
| description | description | |||
| "This enum specifies that the severity comparison | "This enum specifies that the severity comparison | |||
| operation will be equals."; | operation will be equals."; | |||
| } | } | |||
| enum equals-or-higher { | enum equals-or-higher { | |||
| description | description | |||
| "This enum specifies that the severity comparison | "This enum specifies that the severity comparison | |||
| operation will be equals or higher."; | operation will be equals or higher."; | |||
| } | } | |||
| } | } | |||
| default equals-or-higher; | default "equals-or-higher"; | |||
| description | description | |||
| "The compare can be used to specify the comparison | "The compare can be used to specify the comparison | |||
| operator that should be used to compare the syslog message | operator that should be used to compare the syslog message | |||
| severity with the specified severity."; | severity with the specified severity."; | |||
| } | } | |||
| leaf action { | leaf action { | |||
| type enumeration { | type enumeration { | |||
| enum log { | enum log { | |||
| description | description | |||
| "This enum specifies that if the compare operation is | "This enum specifies that if the compare operation is | |||
| true the message will be logged."; | true the message will be logged."; | |||
| } | } | |||
| enum block { | enum block { | |||
| description | description | |||
| "This enum specifies that if the compare operation is | "This enum specifies that if the compare operation is | |||
| true the message will not be logged."; | true the message will not be logged."; | |||
| } | } | |||
| } | } | |||
| default log; | default "log"; | |||
| description | description | |||
| "The action can be used to specify if the message should | "The action can be used to specify if the message should | |||
| be logged or blocked based on the outcome of the compare | be logged or blocked based on the outcome of the compare | |||
| operation."; | operation."; | |||
| } | } | |||
| description | description | |||
| "This container describes additional severity compare | "This container describes additional severity compare | |||
| operations that can be used in place of the default | operations that can be used in place of the default | |||
| severity comparison. The compare leaf specifies the type of | severity comparison. The compare leaf specifies the type of | |||
| the compare that is done and the action leaf specifies the | the compare that is done and the action leaf specifies the | |||
| skipping to change at page 18, line 51 ¶ | skipping to change at page 25, line 46 ¶ | |||
| } | } | |||
| } | } | |||
| } | } | |||
| description | description | |||
| "The leaf uniquely identifies a syslog facility."; | "The leaf uniquely identifies a syslog facility."; | |||
| } | } | |||
| uses severity-filter; | uses severity-filter; | |||
| } | } | |||
| } | } | |||
| leaf pattern-match { | leaf pattern-match { | |||
| if-feature select-match; | if-feature "select-match"; | |||
| type string; | type string; | |||
| description | description | |||
| "This leaf describes a Posix 1003.2 regular expression | "This leaf describes a Posix 1003.2 regular expression | |||
| string that can be used to select a syslog message for | string that can be used to select a syslog message for | |||
| logging. The match is performed on the SYSLOG-MSG field."; | logging. The match is performed on the SYSLOG-MSG field."; | |||
| reference | reference | |||
| "RFC 5424: The Syslog Protocol | "RFC 5424: The Syslog Protocol | |||
| Std-1003.1-2008 Regular Expressions"; | Std-1003.1-2008 Regular Expressions"; | |||
| } | } | |||
| } | } | |||
| grouping structured-data { | grouping structured-data { | |||
| description | description | |||
| "This grouping defines the syslog structured data option | "This grouping defines the syslog structured data option | |||
| which is used to select the format used to write log | which is used to select the format used to write log | |||
| messages."; | messages."; | |||
| leaf structured-data { | leaf structured-data { | |||
| if-feature structured-data; | if-feature "structured-data"; | |||
| type boolean; | type boolean; | |||
| default false; | default "false"; | |||
| description | description | |||
| "This leaf describes how log messages are written. | "This leaf describes how log messages are written. | |||
| If true, messages will be written with one or more | If true, messages will be written with one or more | |||
| STRUCTURED-DATA elements; if false, messages will be | STRUCTURED-DATA elements; if false, messages will be | |||
| written with STRUCTURED-DATA = NILVALUE."; | written with STRUCTURED-DATA = NILVALUE."; | |||
| reference | reference | |||
| "RFC 5424: The Syslog Protocol"; | "RFC 5424: The Syslog Protocol"; | |||
| } | } | |||
| } | } | |||
| container syslog { | container syslog { | |||
| presence "Enables logging."; | presence "Enables logging."; | |||
| description | description | |||
| "This container describes the configuration parameters for | "This container describes the configuration parameters for | |||
| syslog."; | syslog."; | |||
| container actions { | container actions { | |||
| description | description | |||
| "This container describes the log-action parameters | "This container describes the log-action parameters | |||
| for syslog."; | for syslog."; | |||
| container console { | container console { | |||
| if-feature console-action; | if-feature "console-action"; | |||
| presence "Enables logging to the console"; | presence "Enables logging to the console"; | |||
| description | description | |||
| "This container describes the configuration parameters | "This container describes the configuration parameters | |||
| for console logging."; | for console logging."; | |||
| uses selector; | uses selector; | |||
| } | } | |||
| container file { | container file { | |||
| if-feature file-action; | if-feature "file-action"; | |||
| description | description | |||
| "This container describes the configuration parameters for | "This container describes the configuration parameters for | |||
| file logging. If file-archive limits are not supplied, it | file logging. If file-archive limits are not supplied, it | |||
| is assumed that the local implementation defined limits | is assumed that the local implementation defined limits | |||
| will be used."; | will be used."; | |||
| list log-file { | list log-file { | |||
| key "name"; | key "name"; | |||
| description | description | |||
| "This list describes a collection of local logging | "This list describes a collection of local logging | |||
| files."; | files."; | |||
| leaf name { | leaf name { | |||
| type inet:uri { | type inet:uri { | |||
| pattern 'file:.*'; | pattern 'file:.*'; | |||
| } | } | |||
| description | description | |||
| "This leaf specifies the name of the log file which | "This leaf specifies the name of the log file which | |||
| MUST use the uri scheme file:."; | MUST use the uri scheme file:."; | |||
| reference | reference | |||
| "RFC 8089: The file URI Scheme"; | "RFC 8089: The file URI Scheme"; | |||
| } | } | |||
| uses selector; | uses selector; | |||
| uses structured-data; | uses structured-data; | |||
| container file-rotation { | container file-rotation { | |||
| description | description | |||
| "This container describes the configuration | "This container describes the configuration | |||
| parameters for log file rotation."; | parameters for log file rotation."; | |||
| leaf number-of-files { | leaf number-of-files { | |||
| if-feature file-limit-size; | if-feature "file-limit-size"; | |||
| type uint32; | type uint32; | |||
| default 1; | default "1"; | |||
| description | description | |||
| "This leaf specifies the maximum number of log | "This leaf specifies the maximum number of log | |||
| files retained. Specify 1 for implementations | files retained. Specify 1 for implementations | |||
| that only support one log file."; | that only support one log file."; | |||
| } | } | |||
| leaf max-file-size { | leaf max-file-size { | |||
| if-feature file-limit-size; | if-feature "file-limit-size"; | |||
| type uint32; | type uint32; | |||
| units "megabytes"; | units "megabytes"; | |||
| description | description | |||
| "This leaf specifies the maximum log file size."; | "This leaf specifies the maximum log file size."; | |||
| } | } | |||
| leaf rollover { | leaf rollover { | |||
| if-feature file-limit-duration; | if-feature "file-limit-duration"; | |||
| type uint32; | type uint32; | |||
| units "minutes"; | units "minutes"; | |||
| description | description | |||
| "This leaf specifies the length of time that log | "This leaf specifies the length of time that log | |||
| events should be written to a specific log file. | events should be written to a specific log file. | |||
| Log events that arrive after the rollover period | Log events that arrive after the rollover period | |||
| cause the current log file to be closed and a new | cause the current log file to be closed and a new | |||
| log file to be opened."; | log file to be opened."; | |||
| } | } | |||
| leaf retention { | leaf retention { | |||
| if-feature file-limit-duration; | if-feature "file-limit-duration"; | |||
| type uint32; | type uint32; | |||
| units "minutes"; | units "minutes"; | |||
| description | description | |||
| "This leaf specifies the length of time that | "This leaf specifies the length of time that | |||
| completed/closed log event files should be stored | completed/closed log event files should be stored | |||
| in the file system before they are removed."; | in the file system before they are removed."; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| container remote { | container remote { | |||
| if-feature remote-action; | if-feature "remote-action"; | |||
| description | description | |||
| "This container describes the configuration parameters | "This container describes the configuration parameters | |||
| for forwarding syslog messages to remote relays or | for forwarding syslog messages to remote relays or | |||
| collectors."; | collectors."; | |||
| list destination { | list destination { | |||
| key "name"; | key "name"; | |||
| description | description | |||
| "This list describes a collection of remote logging | "This list describes a collection of remote logging | |||
| destinations."; | destinations."; | |||
| leaf name { | leaf name { | |||
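Review bot: the `pattern-match` description says "Posix 1003.2 regular expression" while its reference clause cites Std-1003.1-2008; the two should agree. Since the expression is applied to the SYSLOG-MSG field of every message, it is also worth stating in the Security Considerations that an expensive pattern supplied through this writable leaf can slow message processing, and that `log-file/name` accepts any `file:` URI, so write access to that list chooses where the device writes log data.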
| skipping to change at page 21, line 42 ¶ | skipping to change at page 29, line 6 ¶ | |||
| leaf address { | leaf address { | |||
| type inet:host; | type inet:host; | |||
| description | description | |||
| "The leaf uniquely specifies the address of | "The leaf uniquely specifies the address of | |||
| the remote host. One of the following must be | the remote host. One of the following must be | |||
| specified: an ipv4 address, an ipv6 address, | specified: an ipv4 address, an ipv6 address, | |||
| or a host name."; | or a host name."; | |||
| } | } | |||
| leaf port { | leaf port { | |||
| type inet:port-number; | type inet:port-number; | |||
| default 514; | default "514"; | |||
| description | description | |||
| "This leaf specifies the port number used to | "This leaf specifies the port number used to | |||
| deliver messages to the remote server."; | deliver messages to the remote server."; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| case tls { | case tls { | |||
| container tls { | container tls { | |||
| description | description | |||
| "This container describes the TLS transport | "This container describes the TLS transport | |||
| skipping to change at page 22, line 13 ¶ | skipping to change at page 29, line 31 ¶ | |||
| leaf address { | leaf address { | |||
| type inet:host; | type inet:host; | |||
| description | description | |||
| "The leaf uniquely specifies the address of | "The leaf uniquely specifies the address of | |||
| the remote host. One of the following must be | the remote host. One of the following must be | |||
| specified: an ipv4 address, an ipv6 address, | specified: an ipv4 address, an ipv6 address, | |||
| or a host name."; | or a host name."; | |||
| } | } | |||
| leaf port { | leaf port { | |||
| type inet:port-number; | type inet:port-number; | |||
| default 6514; | default "6514"; | |||
| description | description | |||
| "TCP port 6514 has been allocated as the default | "TCP port 6514 has been allocated as the default | |||
| port for syslog over TLS."; | port for syslog over TLS."; | |||
| } | } | |||
| uses tlsc:tls-client-grouping; | uses tlsc:tls-client-grouping; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| uses selector; | uses selector; | |||
| uses structured-data; | uses structured-data; | |||
| leaf facility-override { | leaf facility-override { | |||
| type identityref { | type identityref { | |||
| base syslog-facility; | base syslog-facility; | |||
| } | } | |||
| description | description | |||
| "If specified, this leaf specifies the facility used | "If specified, this leaf specifies the facility used | |||
| to override the facility in messages delivered to | to override the facility in messages delivered to | |||
| the remote server."; | the remote server."; | |||
| } | } | |||
| leaf source-interface { | leaf source-interface { | |||
| if-feature remote-source-interface; | if-feature "remote-source-interface"; | |||
| type if:interface-ref; | type if:interface-ref; | |||
| description | description | |||
| "This leaf sets the source interface to be used to | "This leaf sets the source interface to be used to | |||
| send messages to the remote syslog server. If not | send messages to the remote syslog server. If not | |||
| set, messages can be sent on any interface."; | set, messages can be sent on any interface."; | |||
| } | } | |||
| container signing { | container signing { | |||
| if-feature signed-messages; | if-feature "signed-messages"; | |||
| presence | presence "If present, syslog-signing options is activated."; | |||
| "If present, syslog-signing options is activated."; | ||||
| description | description | |||
| "This container describes the configuration | "This container describes the configuration | |||
| parameters for signed syslog messages."; | parameters for signed syslog messages."; | |||
| reference | reference | |||
| "RFC 5848: Signed Syslog Messages"; | "RFC 5848: Signed Syslog Messages"; | |||
| container cert-signers { | container cert-signers { | |||
| description | description | |||
| "This container describes the signing certificate | "This container describes the signing certificate | |||
| configuration for Signature Group 0 which covers | configuration for Signature Group 0 which covers | |||
| the case for administrators who want all Signature | the case for administrators who want all Signature | |||
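Review bot: the presence statement on `signing` reads "syslog-signing options is activated"; it should be "are activated" (or "syslog signing is activated"). The `port` description in the `tls` case states the 6514 allocation but carries no reference clause; adding "RFC 5425: Transport Layer Security (TLS) Transport Mapping for Syslog" there would match the other leaves.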
| skipping to change at page 23, line 14 ¶ | skipping to change at page 30, line 37 ¶ | |||
| description | description | |||
| "This list describes a collection of syslog | "This list describes a collection of syslog | |||
| message signers."; | message signers."; | |||
| leaf name { | leaf name { | |||
| type string; | type string; | |||
| description | description | |||
| "This leaf specifies the name of the syslog | "This leaf specifies the name of the syslog | |||
| message signer."; | message signer."; | |||
| } | } | |||
| container cert { | container cert { | |||
| uses ks:private-key-grouping; | uses ct:asymmetric-key-pair-with-certs-grouping; | |||
| uses ks:certificate-grouping; | ||||
| description | description | |||
| "This is the certificate that is periodically | "This is the certificate that is periodically | |||
| sent to the remote receiver. Selection of the | sent to the remote receiver. The certificate | |||
| certificate also implicitly selects the private | is inherintly associated with its private | |||
| key used to sign the syslog messages."; | and public keys."; | |||
| } | } | |||
| leaf hash-algorithm { | leaf hash-algorithm { | |||
| type enumeration { | type enumeration { | |||
| enum SHA1 { | enum SHA1 { | |||
| value 1; | value 1; | |||
| description | description | |||
| "This enum describes the SHA1 algorithm."; | "This enum describes the SHA1 algorithm."; | |||
| } | } | |||
| enum SHA256 { | enum SHA256 { | |||
| value 2; | value 2; | |||
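Review bot: "inherintly" in the `cert` container description should be "inherently". Also, `hash-algorithm` enumerates SHA1 alongside SHA256 with no default and no guidance; SHA1 is no longer considered collision resistant, so consider stating that SHA256 is RECOMMENDED (or making it the default) and adding a reference clause to RFC 5848, where these hash algorithms are defined for signed syslog.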
| skipping to change at page 23, line 42 ¶ | skipping to change at page 31, line 16 ¶ | |||
| "This enum describes the SHA256 algorithm."; | "This enum describes the SHA256 algorithm."; | |||
| } | } | |||
| } | } | |||
| description | description | |||
| "This leaf describes the syslog signer hash | "This leaf describes the syslog signer hash | |||
| algorithm used."; | algorithm used."; | |||
| } | } | |||
| } | } | |||
| leaf cert-initial-repeat { | leaf cert-initial-repeat { | |||
| type uint32; | type uint32; | |||
| default 3; | default "3"; | |||
| description | description | |||
| "This leaf specifies the number of times each | "This leaf specifies the number of times each | |||
| Certificate Block should be sent before the first | Certificate Block should be sent before the first | |||
| message is sent."; | message is sent."; | |||
| } | } | |||
| leaf cert-resend-delay { | leaf cert-resend-delay { | |||
| type uint32; | type uint32; | |||
| units "seconds"; | units "seconds"; | |||
| default 3600; | default "3600"; | |||
| description | description | |||
| "This leaf specifies the maximum time delay in | "This leaf specifies the maximum time delay in | |||
| seconds until resending the Certificate Block."; | seconds until resending the Certificate Block."; | |||
| } | } | |||
| leaf cert-resend-count { | leaf cert-resend-count { | |||
| type uint32; | type uint32; | |||
| default 0; | default "0"; | |||
| description | description | |||
| "This leaf specifies the maximum number of other | "This leaf specifies the maximum number of other | |||
| syslog messages to send until resending the | syslog messages to send until resending the | |||
| Certificate Block."; | Certificate Block."; | |||
| } | } | |||
| leaf sig-max-delay { | leaf sig-max-delay { | |||
| type uint32; | type uint32; | |||
| units "seconds"; | units "seconds"; | |||
| default 60; | default "60"; | |||
| description | description | |||
| "This leaf specifies when to generate a new | "This leaf specifies when to generate a new | |||
| Signature Block. If this many seconds have | Signature Block. If this many seconds have | |||
| elapsed since the message with the first message | elapsed since the message with the first message | |||
| number of the Signature Block was sent, a new | number of the Signature Block was sent, a new | |||
| Signature Block should be generated."; | Signature Block should be generated."; | |||
| } | } | |||
| leaf sig-number-resends { | leaf sig-number-resends { | |||
| type uint32; | type uint32; | |||
| default 0; | default "0"; | |||
| description | description | |||
| "This leaf specifies the number of times a | "This leaf specifies the number of times a | |||
| Signature Block is resent. (It is recommended to | Signature Block is resent. (It is recommended to | |||
| select a value of greater than 0 in particular | select a value of greater than 0 in particular | |||
| when the UDP transport RFC 5426 is used.)."; | when the UDP transport RFC 5426 is used.)."; | |||
| } | } | |||
| leaf sig-resend-delay { | leaf sig-resend-delay { | |||
| type uint32; | type uint32; | |||
| units "seconds"; | units "seconds"; | |||
| default 5; | default "5"; | |||
| description | description | |||
| "This leaf specifies when to send the next | "This leaf specifies when to send the next | |||
| Signature Block transmission based on time. If | Signature Block transmission based on time. If | |||
| this many seconds have elapsed since the previous | this many seconds have elapsed since the previous | |||
| sending of this Signature Block, resend it."; | sending of this Signature Block, resend it."; | |||
| } | } | |||
| leaf sig-resend-count { | leaf sig-resend-count { | |||
| type uint32; | type uint32; | |||
| default 0; | default "0"; | |||
| description | description | |||
| "This leaf specifies when to send the next | "This leaf specifies when to send the next | |||
| Signature Block transmission based on a count. | Signature Block transmission based on a count. | |||
| If this many other syslog messages have been | If this many other syslog messages have been | |||
| sent since the previous sending of this | sent since the previous sending of this | |||
| Signature Block, resend it. A value of 0 means | Signature Block, resend it. A value of 0 means | |||
| that you don't resend based on the number of | that you don't resend based on the number of | |||
| messages."; | messages."; | |||
| } | } | |||
| } | } | |||
| skipping to change at page 25, line 4 ¶ | skipping to change at page 32, line 38 ¶ | |||
| Signature Block, resend it. A value of 0 means | Signature Block, resend it. A value of 0 means | |||
| that you don't resend based on the number of | that you don't resend based on the number of | |||
| messages."; | messages."; | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| } | } | |||
| <CODE ENDS> | <CODE ENDS> | |||
| Figure 3. ietf-syslog Module | Figure 2: Sylog YANG Model | |||
| 4. Usage Examples | 7. Usage Examples | |||
| Requirement: | 7.1. Syslog Configuration for Severity Critical | |||
| Enable console logging of syslogs of severity critical | ||||
| <syslog xmlns="urn:ietf:params:xml:ns:yang:ietf-syslog"> | [note: '\' line wrapping for formatting only] | |||
| <actions> | ||||
| <console> | ||||
| <facility-filter> | ||||
| <facility-list> | ||||
| <facility>all</facility> | ||||
| <severity>critical</severity> | ||||
| </facility-list> | ||||
| </facility-filter> | ||||
| </console> | ||||
| </actions> | ||||
| </syslog> | ||||
| Enable remote logging of syslogs to udp destination | <!-- | |||
| foo.example.com for facility auth, severity error | Enable console logging of syslogs of severity critical | |||
| --> | ||||
| <syslog xmlns="urn:ietf:params:xml:ns:yang:ietf-syslog"> | <?xml version="1.0" encoding="UTF-8"?> | |||
| <actions> | <syslog xmlns="urn:ietf:params:xml:ns:yang:ietf-syslog"> | |||
| <remote> | <actions> | |||
| <destination> | <console> | |||
| <name>remote1</name> | <facility-filter> | |||
| <udp> | <facility-list> | |||
| <address>foo.example.com</address> | <facility>all</facility> | |||
| </udp> | <severity>critical</severity> | |||
| <facility-filter> | </facility-list> | |||
| <facility-list> | </facility-filter> | |||
| <facility>auth</facility> | </console> | |||
| <severity>error</severity> | </actions> | |||
| </facility-list> | </syslog> | |||
| </facility-filter> | ||||
| </destination> | ||||
| </remote> | ||||
| </actions> | ||||
| </syslog> | ||||
| Figure 4. ietf-syslog Examples | Figure 3: Syslog Configuration for Severity Critical | |||
| 5. Acknowledgements | 7.2. Remote Syslog Configuration | |||
| [note: '\' line wrapping for formatting only] | ||||
| <!-- | ||||
| Enable remote logging of syslogs to udp destination | ||||
| foo.example.com for facility auth, severity error | ||||
| --> | ||||
| <?xml version="1.0" encoding="UTF-8"?> | ||||
| <syslog xmlns="urn:ietf:params:xml:ns:yang:ietf-syslog"> | ||||
| <actions> | ||||
| <remote> | ||||
| <destination> | ||||
| <name>remote1</name> | ||||
| <udp> | ||||
| <address>foo.example.com</address> | ||||
| </udp> | ||||
| <facility-filter> | ||||
| <facility-list> | ||||
| <facility>auth</facility> | ||||
| <severity>error</severity> | ||||
| </facility-list> | ||||
| </facility-filter> | ||||
| </destination> | ||||
| </remote> | ||||
| </actions> | ||||
| </syslog> | ||||
| Figure 4: Remote Syslog Configuration | ||||
| 8. Acknowledgements | ||||
| The authors wish to thank the following who commented on this | The authors wish to thank the following who commented on this | |||
| proposal: | proposal: | |||
| Andy Bierman, Martin Bjorklund, Alex Campbell, Alex Clemm, Francis | Andy Bierman, Martin Bjorklund, Alex Campbell, Alex Clemm, Francis | |||
| Dupont, Jim Gibson, Jeffrey Haas, Bob Harold, John Heasley, Giles | Dupont, Jim Gibson, Jeffrey Haas, Bob Harold, John Heasley, Giles | |||
| Heron, Lisa Huang, Mahesh Jethanandani, Warren Kumari, Jeffrey K | Heron, Lisa Huang, Mahesh Jethanandani, Warren Kumari, Jeffrey K | |||
| Lange, Jan Lindblad, Chris Lonvick, Alexey Melnikov, Kathleen | Lange, Jan Lindblad, Chris Lonvick, Alexey Melnikov, Kathleen | |||
| Moriarty, Tom Petch, Adam Roach, Juergen Schoenwaelder, Phil Shafer, | Moriarty, Tom Petch, Adam Roach, Juergen Schoenwaelder, Phil Shafer, | |||
| Yaron Sheffer, Jason Sterne, Peter Van Horne, Kent Watsen, Bert | Yaron Sheffer, Jason Sterne, Peter Van Horne, Kent Watsen, Bert | |||
| Wijnen, Dale R Worley, and Aleksandr Zhdankin. | Wijnen, Dale R Worley, and Aleksandr Zhdankin. | |||
| 6. IANA Considerations | 9. IANA Considerations | |||
| 6.1. The IETF XML Registry | 9.1. The IETF XML Registry | |||
| This document registers one URI in the IETF XML registry [RFC3688]. | This document registers one URI in the IETF XML registry [RFC3688] . | |||
| Following the format in [RFC3688], the following registration is | Following the format in [RFC3688], the following registration is | |||
| requested: | requested: | |||
| URI: urn:ietf:params:xml:ns:yang:ietf-syslog | URI: urn:ietf:params:xml:ns:yang:ietf-syslog | |||
| Registrant Contact: The IESG. | Registrant Contact: The IESG. | |||
| XML: N/A, the requested URI is an XML namespace. | XML: N/A, the requested URI is an XML namespace. | |||
| 6.2. The YANG Module Names Registry | 9.2. The YANG Module Names Registry | |||
| This document registers one YANG module in the YANG Module Names | This document registers one YANG module in the YANG Module Names | |||
| registry [RFC7895]. Following the format in [RFC7950], the following | registry [RFC7895]. Following the format in [RFC7950], the following | |||
| registration is requested: | registration is requested: | |||
| name: ietf-syslog | name: ietf-syslog | |||
| namespace: urn:ietf:params:xml:ns:yang:ietf-syslog | namespace: urn:ietf:params:xml:ns:yang:ietf-syslog | |||
| prefix: ietf-syslog | prefix: ietf-syslog | |||
| reference: RFC zzzz | reference: RFC zzzz | |||
| 7. Security Considerations | 10. Security Considerations | |||
| The YANG module defined in this document is designed to be accessed | The YANG module defined in this document is designed to be accessed | |||
| via YANG based management protocols, such as NETCONF [RFC6241] and | via YANG based management protocols, such as NETCONF [RFC6241] and | |||
| RESTCONF [RFC8040]. Both of these protocols have mandatory-to- | RESTCONF [RFC8040]. Both of these protocols have mandatory-to- | |||
| implement secure transport layers (e.g., SSH, TLS) with mutual | implement secure transport layers (e.g., SSH, TLS) with mutual | |||
| authentication. | authentication. | |||
| The NETCONF access control model (NACM) [RFC6536] provides the means | The NETCONF access control model (NACM) [RFC6536] provides the means | |||
| to restrict access for particular users to a pre-configured subset of | to restrict access for particular users to a pre-configured subset of | |||
| all available protocol operations and content. | all available protocol operations and content. | |||
| skipping to change at page 27, line 20 ¶ | skipping to change at page 35, line 47 ¶ | |||
| network compromise. If logging were to be disabled through malicious | network compromise. If logging were to be disabled through malicious | |||
| means, attacks may not be readily detectable. Therefore write | means, attacks may not be readily detectable. Therefore write | |||
| operations (e.g., edit-config) to these data nodes without proper | operations (e.g., edit-config) to these data nodes without proper | |||
| protection can have a negative effect on network operations and on | protection can have a negative effect on network operations and on | |||
| network security. | network security. | |||
| In addition there are data nodes that require careful analysis and | In addition there are data nodes that require careful analysis and | |||
| review. These are the subtrees and data nodes and their sensitivity/ | review. These are the subtrees and data nodes and their sensitivity/ | |||
| vulnerability: | vulnerability: | |||
| facility-filter/pattern-match: When writing this node, | facility-filter/pattern-match: When writing this node, | |||
| implementations MUST ensure that the regular expression pattern | implementations MUST ensure that the regular expression pattern | |||
| match is not constructed to cause a regular expression denial | match is not constructed to cause a regular expression denial | |||
| of service attack due to a pattern that causes the regular | of service attack due to a pattern that causes the regular | |||
| expression implementation to work very slowly (exponentially | expression implementation to work very slowly (exponentially | |||
| related to input size). | related to input size). | |||
| remote/destination/signing/cert-signer: When writing this subtree, | remote/destination/signing/cert-signer: When writing this subtree, | |||
| implementations MUST NOT specify a private key that is used for | implementations MUST NOT specify a private key that is used for | |||
| any other purpose. | any other purpose. | |||
| Some of the readable data nodes in this YANG module may be considered | Some of the readable data nodes in this YANG module may be considered | |||
| sensitive or vulnerable in some network environments. It is thus | sensitive or vulnerable in some network environments. It is thus | |||
| important to control read access (e.g., via get, get-config, or | important to control read access (e.g., via get, get-config, or | |||
| notification) to these data nodes. These are the subtrees and data | notification) to these data nodes. These are the subtrees and data | |||
| nodes and their sensitivity/vulnerability: | nodes and their sensitivity/vulnerability: | |||
| remote/destination/transport: This subtree contains information | remote/destination/transport: This subtree contains information | |||
| about other hosts in the network, and the TLS transport | about other hosts in the network, and the TLS transport | |||
| certificate properties if TLS is selected as the transport | certificate properties if TLS is selected as the transport | |||
| protocol. | protocol. | |||
| remote/destination/signing: This subtree contains information | remote/destination/signing: This subtree contains information about | |||
| about the syslog message signing properties including signing | the syslog message signing properties including signing | |||
| certificate information. | certificate information. | |||
| There are no RPC operations defined in this YANG module. | There are no RPC operations defined in this YANG module. | |||
| 8. References | 11. References | |||
| 8.1. Normative References | 11.1. Normative References | |||
| [I-D.ietf-netconf-keystore] | [I-D.ietf-netconf-crypto-types] | |||
| Watsen, K., "YANG Data Model for a "Keystore" Mechanism", | Watsen, K., "YANG Data Types and Groupings for | |||
| Internet-Draft draft-ietf-netconf-keystore-04, October | Cryptography", Work in Progress, Internet-Draft, draft- | |||
| 2017. | ietf-netconf-crypto-types-22, 7 March 2022, | |||
| <https://www.ietf.org/archive/id/draft-ietf-netconf- | ||||
| crypto-types-22.txt>. | ||||
| [I-D.ietf-netconf-tls-client-server] | [I-D.ietf-netconf-tls-client-server] | |||
| Watsen, K. and G. Wu, "YANG Groupings for TLS Clients and | Watsen, K., "YANG Groupings for TLS Clients and TLS | |||
| TLS Servers", Internet-Draft draft-ietf-netconf-tls- | Servers", Work in Progress, Internet-Draft, draft-ietf- | |||
| client-server-05, October 2017. | netconf-tls-client-server-27, 7 March 2022, | |||
| <https://www.ietf.org/archive/id/draft-ietf-netconf-tls- | ||||
| [I-D.ietf-netmod-rfc7223bis] | client-server-27.txt>. | |||
| Bjorklund, M., "A YANG Data Model for Interface | ||||
| Management", Internet-Draft draft-ietf-netmod- | ||||
| rfc7223bis-03, January 2018. | ||||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ | Requirement Levels", BCP 14, RFC 2119, | |||
| RFC2119, March 1997, <http://www.rfc-editor.org/info/ | DOI 10.17487/RFC2119, March 1997, | |||
| rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, DOI | [RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, | |||
| 10.17487/RFC5424, March 2009, <http://www.rfc-editor.org/ | DOI 10.17487/RFC5424, March 2009, | |||
| info/rfc5424>. | <https://www.rfc-editor.org/info/rfc5424>. | |||
| [RFC5425] Miao, F., Ed., Ma, Y.Ed., and J. Salowey, Ed., "Transport | [RFC5425] Miao, F., Ed., Ma, Y., Ed., and J. Salowey, Ed., | |||
| Layer Security (TLS) Transport Mapping for Syslog", RFC | "Transport Layer Security (TLS) Transport Mapping for | |||
| 5425, DOI 10.17487/RFC5425, March 2009, <https://www.rfc- | Syslog", RFC 5425, DOI 10.17487/RFC5425, March 2009, | |||
| editor.org/info/rfc5425>. | <https://www.rfc-editor.org/info/rfc5425>. | |||
| [RFC5426] Okmianski, A., "Transmission of Syslog Messages over UDP", | [RFC5426] Okmianski, A., "Transmission of Syslog Messages over UDP", | |||
| RFC 5426, DOI 10.17487/RFC5426, March 2009, <http://www | RFC 5426, DOI 10.17487/RFC5426, March 2009, | |||
| .rfc-editor.org/info/rfc5426>. | <https://www.rfc-editor.org/info/rfc5426>. | |||
| [RFC5848] Kelsey, J., Callas, J. and A. Clemm, "Signed Syslog | [RFC5848] Kelsey, J., Callas, J., and A. Clemm, "Signed Syslog | |||
| Messages", RFC 5848, DOI 10.17487/RFC5848, May 2010, | Messages", RFC 5848, DOI 10.17487/RFC5848, May 2010, | |||
| <http://www.rfc-editor.org/info/rfc5848>. | <https://www.rfc-editor.org/info/rfc5848>. | |||
| [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC | [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", | |||
| 6991, DOI 10.17487/RFC6991, July 2013, <https://www.rfc- | RFC 6991, DOI 10.17487/RFC6991, July 2013, | |||
| editor.org/info/rfc6991>. | <https://www.rfc-editor.org/info/rfc6991>. | |||
| [RFC7895] Bierman, A., Bjorklund, M. and K. Watsen, "YANG Module | [RFC7895] Bierman, A., Bjorklund, M., and K. Watsen, "YANG Module | |||
| Library", RFC 7895, DOI 10.17487/RFC7895, June 2016, | Library", RFC 7895, DOI 10.17487/RFC7895, June 2016, | |||
| <http://www.rfc-editor.org/info/rfc7895>. | <https://www.rfc-editor.org/info/rfc7895>. | |||
| [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", | |||
| RFC 7950, DOI 10.17487/RFC7950, August 2016, <http://www | RFC 7950, DOI 10.17487/RFC7950, August 2016, | |||
| .rfc-editor.org/info/rfc7950>. | <https://www.rfc-editor.org/info/rfc7950>. | |||
| [RFC8089] Kerwin, M., "The "file" URI Scheme", RFC 8089, DOI | [RFC8089] Kerwin, M., "The "file" URI Scheme", RFC 8089, | |||
| 10.17487/RFC8089, February 2017, <https://www.rfc- | DOI 10.17487/RFC8089, February 2017, | |||
| editor.org/info/rfc8089>. | <https://www.rfc-editor.org/info/rfc8089>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <http://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8343] Bjorklund, M., "A YANG Data Model for Interface | ||||
| Management", RFC 8343, DOI 10.17487/RFC8343, March 2018, | ||||
| <https://www.rfc-editor.org/info/rfc8343>. | ||||
| [Std-1003.1-2008] | [Std-1003.1-2008] | |||
| The Open Group, ""Chapter 9: Regular Expressions". The | Group, I. A. T. O., ""Chapter 9: Regular Expressions". The | |||
| Open Group Base Specifications Issue 6, IEEE Std | Open Group Base Specifications Issue 6, IEEE Std | |||
| 1003.1-2008, 2016 Edition.", September 2016, <http:// | 1003.1-2008, 2016 Edition.", September 2016, | |||
| pubs.opengroup.org/onlinepubs/9699919799/>. | <http://pubs.opengroup.org/onlinepubs/9699919799/>. | |||
| 8.2. Informative References | ||||
| [I-D.ietf-netmod-revised-datastores] | ||||
| Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K. | ||||
| and R. Wilton, "Network Management Datastore | ||||
| Architecture", Internet-Draft draft-ietf-netmod-revised- | ||||
| datastores-10, January 2018. | ||||
| [I-D.ietf-netmod-yang-tree-diagrams] | 11.2. Informative References | |||
| Bjorklund, M. and L. Berger, "YANG Tree Diagrams", | ||||
| Internet-Draft draft-ietf-netmod-yang-tree-diagrams-06, | ||||
| February 2018. | ||||
| [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
| DOI 10.17487/RFC3688, January 2004, <http://www.rfc- | DOI 10.17487/RFC3688, January 2004, | |||
| editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
| [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J.Ed., | [RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed., | |||
| and A. Bierman, Ed., "Network Configuration Protocol | and A. Bierman, Ed., "Network Configuration Protocol | |||
| (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011, | |||
| <http://www.rfc-editor.org/info/rfc6241>. | <https://www.rfc-editor.org/info/rfc6241>. | |||
| [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration | [RFC6536] Bierman, A. and M. Bjorklund, "Network Configuration | |||
| Protocol (NETCONF) Access Control Model", RFC 6536, DOI | Protocol (NETCONF) Access Control Model", RFC 6536, | |||
| 10.17487/RFC6536, March 2012, <https://www.rfc-editor.org/ | DOI 10.17487/RFC6536, March 2012, | |||
| info/rfc6536>. | <https://www.rfc-editor.org/info/rfc6536>. | |||
| [RFC8040] Bierman, A., Bjorklund, M. and K. Watsen, "RESTCONF | [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | |||
| Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017, | |||
| <https://www.rfc-editor.org/info/rfc8040>. | <https://www.rfc-editor.org/info/rfc8040>. | |||
| [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", | ||||
| BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, | ||||
| <https://www.rfc-editor.org/info/rfc8340>. | ||||
| [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., | ||||
| and R. Wilton, "Network Management Datastore Architecture | ||||
| (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, | ||||
| <https://www.rfc-editor.org/info/rfc8342>. | ||||
| Appendix A. Implementer Guidelines | Appendix A. Implementer Guidelines | |||
| Appendix A.1. Extending Facilities | A.1. Extending Facilities | |||
| Many vendors extend the list of facilities available for logging in | Many vendors extend the list of facilities available for logging in | |||
| their implementation. Additional facilities may not work with the | their implementation. Additional facilities may not work with the | |||
| syslog protocol as defined in [RFC5424] and hence such facilities | syslog protocol as defined in [RFC5424] and hence such facilities | |||
| apply for local syslog-like logging functionality. | apply for local syslog-like logging functionality. | |||
| The following is an example that shows how additional facilities | The following is an example that shows how additional facilities | |||
| could be added to the list of available facilities (in this example | could be added to the list of available facilities (in this example | |||
| two facilities are added): | two facilities are added): | |||
| skipping to change at page 30, line 44 ¶ | skipping to change at page 39, line 44 ¶ | |||
| "Adding vendor specific type 1 to syslog-facility"; | "Adding vendor specific type 1 to syslog-facility"; | |||
| } | } | |||
| identity vendor_specific_type_2 { | identity vendor_specific_type_2 { | |||
| base syslogtypes:syslog-facility; | base syslogtypes:syslog-facility; | |||
| description | description | |||
| "Adding vendor specific type 2 to syslog-facility"; | "Adding vendor specific type 2 to syslog-facility"; | |||
| } | } | |||
| } | } | |||
| Appendix A.2. Syslog Terminal Output | A.2. Syslog Terminal Output | |||
| Terminal output with requirements more complex than the console | Terminal output with requirements more complex than the console | |||
| subtree currently provides, are expected to be supported via vendor | subtree currently provides, are expected to be supported via vendor | |||
| extensions rather than handled via the file subtree. | extensions rather than handled via the file subtree. | |||
| Appendix A.3. Syslog File Naming Convention | A.3. Syslog File Naming Convention | |||
| The syslog/file/log-file/file-rotation container contains | The syslog/file/log-file/file-rotation container contains | |||
| configuration parameters for syslog file rotation. This section | configuration parameters for syslog file rotation. This section | |||
| describes how these fields might be used by an implementer to name | describes how these fields might be used by an implementer to name | |||
| syslog files in a rotation process. This information is offered as | syslog files in a rotation process. This information is offered as | |||
| an informative guide only. | an informative guide only. | |||
| When an active syslog file with a name specified by log-file/name, | When an active syslog file with a name specified by log-file/name, | |||
| reaches log-file/max-file-size and/or syslog events arrive after the | reaches log-file/max-file-size and/or syslog events arrive after the | |||
| period specified by log-file/rollover, the logging system can close | period specified by log-file/rollover, the logging system can close | |||
| skipping to change at page 31, line 32 ¶ | skipping to change at page 40, line 40 ¶ | |||
| up to log-file/number-of-files syslog archive files after which, the | up to log-file/number-of-files syslog archive files after which, the | |||
| contents of the oldest archived file could be overwritten. | contents of the oldest archived file could be overwritten. | |||
| - log-file/retention specified - the logging system can remove those | - log-file/retention specified - the logging system can remove those | |||
| syslog archive files whose file expiration time (file creation time | syslog archive files whose file expiration time (file creation time | |||
| plus the specified log-file/retention time) is prior to the current | plus the specified log-file/retention time) is prior to the current | |||
| time. | time. | |||
| Authors' Addresses | Authors' Addresses | |||
| Clyde Wildes, editor | Joe Clarke (editor) | |||
| Cisco | ||||
| United States of America | ||||
| Email: jclarke@cisco.com | ||||
| Mahesh Jethanandani (editor) | ||||
| Kloud Services | ||||
| United States of America | ||||
| Email: mjethanandai@gmail.com | ||||
| Clyde Wildes (editor) | ||||
| Cisco Systems Inc. | Cisco Systems Inc. | |||
| 170 West Tasman Drive | 170 West Tasman Drive | |||
| San Jose, CA 95134 | San Jose, CA 95134 | |||
| US | United States of America | |||
| Phone: +1 408 527-2672 | Phone: +1 408 527-2672 | |||
| Email: cwildes@cisco.com | Email: cwildes@cisco.com | |||
| Kiran Koushik, editor | Kiran Koushik (editor) | |||
| Verizon Wireless | Verizon Wireless | |||
| 500 W Dove Rd. | 500 W Dove Rd. | |||
| Southlake, TX 76092 | Southlake, TX 76092 | |||
| US | United States of America | |||
| Phone: +1 512 650-0210 | Phone: +1 512 650-0210 | |||
| Email: kirankoushik.agraharasreenivasa@verizonwireless.com | Email: kirankoushik.agraharasreenivasa@verizonwireless.com | |||
| End of changes. 139 change blocks. | ||||
| 377 lines changed or deleted | 677 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||
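The signing leaves shown in the module above (cert-initial-repeat, cert-resend-delay, cert-resend-count, sig-max-delay, sig-number-resends, sig-resend-delay, sig-resend-count) together define when an RFC 5848 sender transmits Certificate Blocks and Signature Blocks. The Python scheduler below is an added example, not code from the draft or from RFC 5848: it turns those leaf semantics into a transmission schedule for a constructed stream of message timestamps. It assumes that time-based checks run only when a message arrives or when tick() is called, and that a cert-resend-count of 0 disables count-based resending in the same way the module states for sig-resend-count.

```python
"""Transmission scheduler for Certificate Blocks (CB) and Signature Blocks (SB),
driven by the ietf-syslog signing leaves.  Added example, not code from the draft.
Assumptions: time checks run only on message arrival or tick(); cert-resend-count 0
disables count-based CB resend (as sig-resend-count 0 does); hashing is out of scope."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class SigningConfig:
    # Field names mirror the YANG leaves; defaults are the module's defaults.
    cert_initial_repeat: int = 3    # CBs sent before the first message
    cert_resend_delay: int = 3600   # seconds until the CB is resent
    cert_resend_count: int = 0      # other messages until CB resent (0 = off)
    sig_max_delay: int = 60         # seconds since block's first message -> new SB
    sig_number_resends: int = 0     # how many times each SB is resent
    sig_resend_delay: int = 5       # seconds between resends of one SB
    sig_resend_count: int = 0       # other messages between resends (0 = off)

@dataclass
class SigningScheduler:
    cfg: SigningConfig
    events: List[str] = field(default_factory=list)
    last_cb_time: float = 0.0                  # Certificate Block state
    msgs_since_cb: int = 0
    block_first_time: Optional[float] = None   # SB currently being built
    block_msgs: int = 0
    block_no: int = 0
    resends_left: int = 0                      # state of the last completed SB
    last_sb_time: float = 0.0
    msgs_since_sb: int = 0

    def start(self, now: float) -> List[str]:
        """cert-initial-repeat: send the CB that many times before message 1."""
        for _ in range(self.cfg.cert_initial_repeat):
            self._send_cb(now)
        return self.events

    def _send_cb(self, now: float) -> None:
        self.events.append("CB")
        self.last_cb_time, self.msgs_since_cb = now, 0

    def _emit_sb(self, now: float) -> None:
        """Close the block being built as a new Signature Block."""
        self.block_no += 1
        self.events.append(f"SB#{self.block_no}({self.block_msgs} msgs)")
        self.last_sb_time, self.msgs_since_sb = now, 0
        self.resends_left = self.cfg.sig_number_resends
        self.block_first_time, self.block_msgs = None, 0

    def _resend_sb(self, now: float) -> None:
        self.events.append(f"SB#{self.block_no}(resend)")
        self.last_sb_time, self.msgs_since_sb = now, 0
        self.resends_left -= 1

    def tick(self, now: float) -> List[str]:
        """Time-based rules: sig-max-delay, sig-resend-delay, cert-resend-delay."""
        c = self.cfg
        if self.block_first_time is not None and now - self.block_first_time >= c.sig_max_delay:
            self._emit_sb(now)
        if self.resends_left > 0 and now - self.last_sb_time >= c.sig_resend_delay:
            self._resend_sb(now)
        if now - self.last_cb_time >= c.cert_resend_delay:
            self._send_cb(now)
        return self.events

    def on_message(self, now: float) -> List[str]:
        """Account one syslog message, then apply the count-based rules."""
        self.tick(now)
        self.events.append("MSG")
        if self.block_first_time is None:
            self.block_first_time = now
        self.block_msgs += 1
        self.msgs_since_cb += 1
        self.msgs_since_sb += 1
        c = self.cfg
        if c.cert_resend_count and self.msgs_since_cb >= c.cert_resend_count:
            self._send_cb(now)
        if self.resends_left > 0 and c.sig_resend_count and self.msgs_since_sb >= c.sig_resend_count:
            self._resend_sb(now)
        return self.events

def simulate(cfg: SigningConfig, times: List[float]) -> List[str]:
    """Run a constructed message stream (timestamps in seconds) through the scheduler."""
    sched = SigningScheduler(cfg)
    sched.start(times[0] if times else 0.0)
    for t in times:
        sched.on_message(t)
    return sched.events
```

With the module defaults, simulate(SigningConfig(), [0, 10, 30, 70]) yields three initial CBs, then a Signature Block covering the first three messages once 60 seconds have elapsed since the first of them; raising sig-number-resends and sig-resend-count, as the module recommends for UDP transport, adds the corresponding resend events.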