NETMOD WG                                                  C. Wildes, Ed.
Internet-Draft                                         Cisco Systems Inc.
Intended status: Standards Track                          K. Koushik, Ed.
Expires: July 16, 2018                                   Verizon Wireless
                                                         January 12, 2018

               A YANG Data Model for Syslog Configuration
                    draft-ietf-netmod-syslog-model-19

Abstract

   This document defines a YANG data model for the configuration of a
   syslog process. It is intended that this model be used by vendors
   who implement syslog in their systems.

Editorial Note (To be removed by RFC Editor)

   This draft contains many placeholder values that need to be replaced
   with finalized values at the time of publication. This note
   summarizes all of the substitutions that are needed. No other RFC
   Editor instructions are specified elsewhere in this document.
   Artwork in this document contains shorthand references to drafts in
   progress. Please apply the following replacements:

   o  "I-D.ietf-netconf-keystore" --> the assigned RFC value for
      draft-ietf-netconf-keystore

   o  "I-D.ietf-netconf-tls-client-server" --> the assigned RFC value
      for draft-ietf-netconf-tls-client-server

   o  "zzzz" --> the assigned RFC value for this draft

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 16, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
     1.2.  Terminology
     1.3.  Tree Diagram Notation
   2.  Problem Statement
   3.  Design of the Syslog Model
     3.1.  Syslog Module
   4.  Syslog YANG Module
     4.1.  The ietf-syslog Module
   5.  Usage Examples
   6.  Acknowledgements
   7.  IANA Considerations
     7.1.  The IETF XML Registry
     7.2.  The YANG Module Names Registry
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Implementor Guidelines
     A.1.  Extending Facilities
   Authors' Addresses

1.  Introduction

   Operating systems, processes and applications generate messages
   indicating their own status or the occurrence of events. These
   messages are useful for managing and/or debugging the network and its
   services. The BSD syslog protocol is a widely adopted protocol that
   is used for the transmission and processing of these messages.

   Since each process, application and operating system was written
   somewhat independently, there is little uniformity to the content of
   syslog messages. For this reason, no assumption is made about the
   formatting or contents of the messages. The protocol is simply
   designed to transport these event messages. No acknowledgement of
   receipt is made.
   Essentially, a syslog process receives messages (from the kernel,
   processes, applications or other syslog processes) and processes
   them. The processing may involve logging to a local file, and/or
   displaying on a console, and/or relaying to syslog processes on other
   machines. The processing is determined by the "facility" that
   originated the message and the "severity" assigned to the message by
   the facility.

   This document uses the syslog protocol definitions from [RFC5424].

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  Terminology

   The term "originator" is defined in [RFC5424]: an "originator"
   generates syslog content to be carried in a message.

   The term "relay" is defined in [RFC5424]: a "relay" forwards
   messages, accepting messages from originators or other relays and
   sending them to collectors or other relays.

   The term "collector" is defined in [RFC5424]: a "collector" gathers
   syslog content for further analysis.

   The term "action" refers to the processing that takes place for each
   syslog message received.

1.3.  Tree Diagram Notation

   A simplified graphical representation of the data models is used in
   this document. The meaning of the symbols in these diagrams is as
   follows:

   o  Brackets "[" and "]" enclose list keys.

   o  Braces "{" and "}" enclose feature names, and indicate that the
      named feature must be present for the subtree to be present.

   o  Abbreviations before data node names: "rw" means configuration
      (read-write) and "ro" state data (read-only).

   o  Symbols after data node names: "?" means an optional node, "!"
      means a presence container, and "*" denotes a list and leaf-list.

   o  Parentheses enclose choice and case nodes, and case nodes are also
      marked with a colon (":").

   o  Ellipsis ("...") stands for contents of subtrees that are not
      shown.

2.  Problem Statement

   This document defines a YANG [RFC7950] configuration data model that
   may be used to configure the syslog feature running on a system.
   YANG models can be used with network management protocols such as
   NETCONF [RFC6241] to install, manipulate, and delete the
   configuration of network devices.

   The data model makes use of the YANG "feature" construct which allows
   implementations to support only those syslog features that lie within
   their capabilities.

   This module can be used to configure the syslog application
   conceptual layers as implemented on the target system.

3.  Design of the Syslog Model

   The syslog model was designed by comparing the syslog features
   implemented by various vendors in their different implementations.

   This draft addresses the common leafs between implementations and
   creates a common model, which can be augmented with proprietary
   features, if necessary. This model is designed to be very simple for
   maximum flexibility.

   Some optional features are defined in this document to specify
   functionality that is present in specific vendor configurations.

   Syslog consists of originators and collectors. The following diagram
   shows syslog messages flowing from originators to collectors, where
   filtering can take place.
   Originators
     +-------------+ +-------------+ +-------------+ +-------------+
     |   Various   | |     OS      | |             | |   Remote    |
     | Components  | |   Kernel    | | Line Cards  | |   Servers   |
     +-------------+ +-------------+ +-------------+ +-------------+

     +-------------+ +-------------+ +-------------+ +-------------+
     |    SNMP     | |  Interface  | |   Standby   | |   Syslog    |
     |   Events    | |   Events    | | Supervisor  | |   Itself    |
     +-------------+ +-------------+ +-------------+ +-------------+
            |               |               |               |
            +---------------+-------+-------+---------------+
                                    |
                                    |
                                    |
                       +------------+-------------+
                       |            |             |
                       v            v             v
   Collectors
     +----------+ +----------+ +----------------+
     |          | |   Log    | |Remote Relay(s)/|
     | Console  | | File(s)  | |Collector(s)    |
     +----------+ +----------+ +----------------+

                   Figure 1. Syslog Processing Flow

   Collectors are configured using the leaves in the syslog model
   "actions" container which correspond to each message collector:

      console

      log file(s)

      remote relay(s)/collector(s)

   Within each action, a selector is used to filter syslog messages. A
   selector consists of a list of one or more facility-severity matches,
   and, if supported via the select-match feature, an optional regular
   expression pattern match that is performed on the [RFC5424] field.

   A syslog message is processed if:

      There is an element of facility-list (F, S) where
         the message facility matches F
         and the message severity matches S
      and/or the message text matches the regex pattern (if it
         is present)

   The facility is one of a specific syslog-facility, or all facilities.

   The severity is one of type syslog-severity, all severities, or none.
   None is a special case that can be used to disable a filter. When
   filtering severity, the default comparison is that messages of the
   specified severity and higher are selected to be logged.
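   As an added illustration (not code from this draft nor from any
   implementation of the model), the following Python evaluates a
   facility-list selector against RFC 5424 messages in the way this
   section describes: the facility is a specific identity or "all"; the
   severity is a syslog-severity name, "all" or "none"; the default
   compare is equals-or-higher, and an entry using the select-adv-compare
   feature can instead use "equals" together with an action of "log" or
   "block"; a pattern-match, when present, must also match the
   SYSLOG-MSG. Facility and severity names, PRI decoding (facility =
   PRI / 8, severity = PRI % 8, where a lower number is more severe) and
   the message layout follow RFC 5424. Two things are assumptions rather
   than statements of the draft: facility-list entries are evaluated in
   their user order and the first entry that applies decides, and a
   Python regular expression stands in for the POSIX one. All sample
   messages are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Facility codes in RFC 5424 order (list index == numeric code), named after
# the identities the ietf-syslog module defines; severities likewise.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "console",
              "cron2"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice",
              "info", "debug"]

# Simplified RFC 5424 layout: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID
# MSGID STRUCTURED-DATA [MSG].  SD-PARAM values containing "]" are not handled.
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>\d+ \S+ \S+ \S+ \S+ \S+ "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")


@dataclass
class Message:
    facility: str   # facility identity name, e.g. "auth"
    severity: int   # 0 (emergency) .. 7 (debug); lower is MORE severe
    raw: str        # whole SYSLOG-MSG, which pattern-match is applied to


def parse(raw: str) -> Message:
    """Decode PRI into facility and severity (facility = PRI / 8, severity = PRI % 8)."""
    m = _RFC5424.match(raw)
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    if pri > 191:                                    # 23 facilities * 8 + 7
        raise ValueError("PRI out of range")
    return Message(FACILITIES[pri // 8], pri % 8, raw)


@dataclass
class FacilityEntry:
    """One facility-list entry plus its advanced-compare leaves (model defaults)."""
    facility: str                        # identity name or "all"
    severity: str                        # severity name, "all" or "none"
    compare: str = "equals-or-higher"    # or "equals"
    action: str = "log"                  # or "block"


@dataclass
class Selector:
    facility_list: List[FacilityEntry]   # ordered-by user
    pattern_match: Optional[str] = None  # Python regex standing in for POSIX (assumption)


def entry_decision(entry: FacilityEntry, msg: Message) -> Optional[bool]:
    """True = log, False = block, None = this entry does not apply to msg."""
    if entry.facility != "all" and entry.facility != msg.facility:
        return None
    if entry.severity == "none":                     # 'none' disables the entry
        return None
    if entry.severity == "all":
        return True
    wanted = SEVERITIES.index(entry.severity)
    if entry.compare == "equals":
        hit = msg.severity == wanted
    else:                                            # equals-or-higher: numerically <=
        hit = msg.severity <= wanted
    if not hit:
        return None
    return entry.action == "log"


def selected(sel: Selector, raw: str) -> bool:
    """Apply a selector to one raw message; facility filter and pattern must both pass."""
    msg = parse(raw)
    for entry in sel.facility_list:                  # assumption: first applicable
        decision = entry_decision(entry, msg)        # entry in user order decides
        if decision is not None:
            break
    else:
        return False                                 # no entry applied
    if not decision:
        return False                                 # applied with action "block"
    if sel.pattern_match is not None and not re.search(sel.pattern_match, msg.raw):
        return False
    return True


# Constructed sample messages (not from the draft).  PRI = facility*8 + severity.
AUTH_CRIT = "<34>1 2018-01-12T10:00:00Z gw1 sshd 1234 - - Failed password for root"
AUTH_INFO = "<38>1 2018-01-12T10:00:01Z gw1 sshd 1234 - - session opened for ops"
KERN_DEBUG = "<7>1 2018-01-12T10:00:02Z gw1 kernel - - - debug trace"
LOCAL0_ERR = '<131>1 2018-01-12T10:00:03Z gw1 bgpd 77 ID47 [ex@32473 iut="3"] peer down'

AUTH_WARN_UP = Selector([FacilityEntry("auth", "warning")])        # default compare
NO_DEBUG = Selector([FacilityEntry("all", "debug", compare="equals", action="block"),
                     FacilityEntry("all", "all")])                  # block debug, log rest
FAILED_LOGINS = Selector([FacilityEntry("auth", "all")], pattern_match=r"Failed password")
DISABLED = Selector([FacilityEntry("all", "none")])                 # 'none' disables

if __name__ == "__main__":
    for name, sel in [("AUTH_WARN_UP", AUTH_WARN_UP), ("NO_DEBUG", NO_DEBUG),
                      ("FAILED_LOGINS", FAILED_LOGINS), ("DISABLED", DISABLED)]:
        print(name, [selected(sel, r) for r in (AUTH_CRIT, AUTH_INFO, KERN_DEBUG, LOCAL0_ERR)])
```

   The NO_DEBUG selector shows why the facility-list is ordered-by user:
   a blocking entry placed before a catch-all entry drops debug traffic
   without touching anything else, while the reverse order would log
   everything.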
   The default comparison is shown in the model as "default
   equals-or-higher". This behavior can be altered if the
   select-adv-compare feature is enabled to specify a compare operation
   and an action. Compare operations are: "equals" to select messages
   with this single severity, or "equals-or-higher" to select messages
   of the specified severity and higher. Actions are used to log the
   message or block the message from being logged.

   Many vendors extend the list of facilities available for logging in
   their implementation. An example is included in Extending Facilities
   (Appendix A.1).

3.1.  Syslog Module

   A simplified graphical representation of the data model is used in
   this document. Please see Section 1.3 for tree diagram notation.

   module: ietf-syslog
     +--rw syslog!
        +--rw actions
           +--rw console! {console-action}?
           |  +--rw facility-filter
           |  |  +--rw facility-list* [facility severity]
           |  |     +--rw facility            union
           |  |     +--rw severity            union
           |  |     +--rw advanced-compare {select-adv-compare}?
           |  |        +--rw compare?   enumeration
           |  |        +--rw action?    enumeration
           |  +--rw pattern-match?   string {select-match}?
           +--rw file {file-action}?
           |  +--rw log-file* [name]
           |     +--rw name                inet:uri
           |     +--rw facility-filter
           |     |  +--rw facility-list* [facility severity]
           |     |     +--rw facility            union
           |     |     +--rw severity            union
           |     |     +--rw advanced-compare {select-adv-compare}?
           |     |        +--rw compare?   enumeration
           |     |        +--rw action?    enumeration
           |     +--rw pattern-match?      string {select-match}?
           |     +--rw structured-data?    boolean {structured-data}?
           |     +--rw file-rotation
           |        +--rw number-of-files?   uint32 {file-limit-size}?
           |        +--rw max-file-size?     uint32 {file-limit-size}?
           |        +--rw rollover?          uint32
           |        |                        {file-limit-duration}?
           |        +--rw retention?         uint32
           |                                 {file-limit-duration}?
           +--rw remote {remote-action}?
              +--rw destination* [name]
                 +--rw name                 string
                 +--rw (transport)
                 |  +--:(tcp)
                 |  |  +--rw tcp
                 |  |     +--rw address?   inet:host
                 |  |     +--rw port?      inet:port-number
                 |  +--:(udp)
                 |  |  +--rw udp
                 |  |     +--rw address?   inet:host
                 |  |     +--rw port?      inet:port-number
                 |  +--:(tls)
                 |     +--rw tls
                 |        +--rw address?        inet:host
                 |        +--rw port?           inet:port-number
                 |        +--rw client-auth
                 |        |  +--rw (auth-type)?
                 |        |     +--:(certificate)
                 |        |        +--rw certificate?   leafref
                 |        +--rw server-auth
                 |        |  +--rw pinned-ca-certs?       leafref
                 |        |  +--rw pinned-server-certs?   leafref
                 |        +--rw hello-params
                 |                 {tls-client-hello-params-config}?
                 |           +--rw tls-versions
                 |           |  +--rw tls-version*   identityref
                 |           +--rw cipher-suites
                 |              +--rw cipher-suite*   identityref
                 +--rw facility-filter
                 |  +--rw facility-list* [facility severity]
                 |     +--rw facility            union
                 |     +--rw severity            union
                 |     +--rw advanced-compare {select-adv-compare}?
                 |        +--rw compare?   enumeration
                 |        +--rw action?    enumeration
                 +--rw pattern-match?       string {select-match}?
                 +--rw structured-data?     boolean {structured-data}?
                 +--rw facility-override?   identityref
                 +--rw source-interface?    if:interface-ref
                 |                          {remote-source-interface}?
                 +--rw signing-options! {signed-messages}?
                    +--rw cert-signers
                       +--rw cert-signer* [name]
                       |  +--rw name              string
                       |  +--rw cert
                       |  |  +--rw algorithm?
                       |  |  |       identityref
                       |  |  +--rw private-key?
                       |  |  |       union
                       |  |  +--rw public-key?
                       |  |  |       binary
                       |  |  +---x generate-private-key
                       |  |  |  +---w input
                       |  |  |     +---w algorithm    identityref
                       |  |  +--rw certificates
                       |  |  |  +--rw certificate* [name]
                       |  |  |     +--rw name     string
                       |  |  |     +--rw value?   binary
                       |  |  +---x generate-certificate-signing-request
                       |  |     +---w input
                       |  |     |  +---w subject       binary
                       |  |     |  +---w attributes?   binary
                       |  |     +--ro output
                       |  |        +--ro certificate-signing-request
                       |  |                binary
                       |  +--rw hash-algorithm?
                       |          enumeration
                       +--rw cert-initial-repeat?   uint32
                       +--rw cert-resend-delay?     uint32
                       +--rw cert-resend-count?     uint32
                       +--rw sig-max-delay?         uint32
                       +--rw sig-number-resends?    uint32
                       +--rw sig-resend-delay?      uint32
                       +--rw sig-resend-count?      uint32

                   Figure 2. ietf-syslog Module Tree

4.  Syslog YANG Module

4.1.  The ietf-syslog Module

   This module imports typedefs from [RFC7223], groupings from
   [I-D.ietf-netconf-keystore] and [I-D.ietf-netconf-tls-client-server],
   and it references [RFC5424], [RFC5425], [RFC5426], [RFC6587],
   [RFC5848] and [Std-1003.1-2008].

   <CODE BEGINS> file "ietf-syslog@2018-01-12.yang"
   module ietf-syslog {
     yang-version 1.1;

     namespace "urn:ietf:params:xml:ns:yang:ietf-syslog";
     prefix syslog;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: INET Types Model";
     }

     import ietf-interfaces {
       prefix if;
       reference
         "RFC 7223: Interfaces Model";
     }

     import ietf-tls-client {
       prefix tlsc;
       reference
         "I-D.ietf-netconf-tls-client-server: TLS Client and Server Models";
     }

     import ietf-keystore {
       prefix ks;
       reference
         "I-D.ietf-netconf-keystore: Keystore Model";
     }

     organization
       "IETF NETMOD (Network Modeling) Working Group";

     contact
       "WG Web:
        WG List:

        Editor: Kiran Agrahara Sreenivasa

        Editor: Clyde Wildes
        ";
     description
       "This module contains a collection of YANG definitions
        for syslog configuration.

        Copyright (c) 2018 IETF Trust and the persons identified as
        authors of the code. All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Simplified BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).
        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
        NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and
        'OPTIONAL' in the module text are to be interpreted as
        described in RFC 2119 (http://tools.ietf.org/html/rfc2119).

        This version of this YANG module is part of RFC zzzz
        (http://tools.ietf.org/html/rfczzzz); see the RFC itself for
        full legal notices.";

     revision 2018-01-12 {
       description
         "Initial Revision";
       reference
         "RFC zzzz: Syslog YANG Model";
     }

     feature console-action {
       description
         "This feature indicates that the local console action is
          supported.";
     }

     feature file-action {
       description
         "This feature indicates that the local file action is
          supported.";
     }

     feature file-limit-size {
       description
         "This feature indicates that file logging resources
          are managed using size and number limits.";
     }

     feature file-limit-duration {
       description
         "This feature indicates that file logging resources
          are managed using time based limits.";
     }

     feature remote-action {
       description
         "This feature indicates that the remote server action is
          supported.";
     }

     feature remote-source-interface {
       description
         "This feature indicates that source-interface is supported
          for the remote-action.";
     }

     feature select-adv-compare {
       description
         "This feature represents the ability to select messages
          using the additional comparison operators when comparing
          the syslog message severity.";
     }

     feature select-match {
       description
         "This feature represents the ability to select messages
          based on a Posix 1003.2 regular expression pattern match.";
     }

     feature structured-data {
       description
         "This feature represents the ability to log messages
          in structured-data format.";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     feature signed-messages {
       description
         "This feature represents the ability to configure signed
          syslog messages.";
       reference
         "RFC 5848: Signed Syslog Messages";
     }

     typedef syslog-severity {
       type enumeration {
         enum "emergency" {
           value 0;
           description
             "The severity level 'Emergency' indicating that the
              system is unusable.";
         }
         enum "alert" {
           value 1;
           description
             "The severity level 'Alert' indicating that an action
              must be taken immediately.";
         }
         enum "critical" {
           value 2;
           description
             "The severity level 'Critical' indicating a critical
              condition.";
         }
         enum "error" {
           value 3;
           description
             "The severity level 'Error' indicating an error
              condition.";
         }
         enum "warning" {
           value 4;
           description
             "The severity level 'Warning' indicating a warning
              condition.";
         }
         enum "notice" {
           value 5;
           description
             "The severity level 'Notice' indicating a normal but
              significant condition.";
         }
         enum "info" {
           value 6;
           description
             "The severity level 'Info' indicating an informational
              message.";
         }
         enum "debug" {
           value 7;
           description
             "The severity level 'Debug' indicating a debug-level
              message.";
         }
       }
       description
         "The definitions for Syslog message severity.";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity syslog-facility {
       description
         "This identity is used as a base for all syslog facilities.";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity kern {
       base syslog-facility;
       description
         "The facility for kernel messages (0).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity user {
       base syslog-facility;
       description
         "The facility for user-level messages (1).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity mail {
       base syslog-facility;
       description
         "The facility for the mail system (2).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity daemon {
       base syslog-facility;
       description
         "The facility for the system daemons (3).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity auth {
       base syslog-facility;
       description
         "The facility for security/authorization messages (4).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity syslog {
       base syslog-facility;
       description
         "The facility for messages generated internally by syslogd
          facility (5).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity lpr {
       base syslog-facility;
       description
         "The facility for the line printer subsystem (6).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity news {
       base syslog-facility;
       description
         "The facility for the network news subsystem (7).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity uucp {
       base syslog-facility;
       description
         "The facility for the UUCP subsystem (8).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity cron {
       base syslog-facility;
       description
         "The facility for the clock daemon (9).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity authpriv {
       base syslog-facility;
       description
         "The facility for privileged security/authorization messages
          (10).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity ftp {
       base syslog-facility;
       description
         "The facility for the FTP daemon (11).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity ntp {
       base syslog-facility;
       description
         "The facility for the NTP subsystem (12).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity audit {
       base syslog-facility;
       description
         "The facility for log audit messages (13).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity
       console {
       base syslog-facility;
       description
         "The facility for log alert messages (14).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity cron2 {
       base syslog-facility;
       description
         "The facility for the second clock daemon (15).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local0 {
       base syslog-facility;
       description
         "The facility for local use 0 messages (16).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local1 {
       base syslog-facility;
       description
         "The facility for local use 1 messages (17).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local2 {
       base syslog-facility;
       description
         "The facility for local use 2 messages (18).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local3 {
       base syslog-facility;
       description
         "The facility for local use 3 messages (19).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local4 {
       base syslog-facility;
       description
         "The facility for local use 4 messages (20).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local5 {
       base syslog-facility;
       description
         "The facility for local use 5 messages (21).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local6 {
       base syslog-facility;
       description
         "The facility for local use 6 messages (22).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local7 {
       base syslog-facility;
       description
         "The facility for local use 7 messages (23).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     grouping severity-filter {
       description
         "This grouping defines the processing used to select
          log messages by comparing syslog message severity using
          the following processing rules:
          - if 'none', do not match.
          - if 'all', match.
          - else compare message severity with the specified severity
            according to the default compare rule (all messages of the
            specified severity and greater match) or, if the
            select-adv-compare feature is present, the advanced-compare
            rule.";
       leaf severity {
         type union {
           type syslog-severity;
           type enumeration {
             enum none {
               value 2147483647;
               description
                 "This enum describes the case where no severities
                  are selected.";
             }
             enum all {
               value -2147483648;
               description
                 "This enum describes the case where all severities
                  are selected.";
             }
           }
         }
         mandatory true;
         description
           "This leaf specifies the syslog message severity.";
       }
       container advanced-compare {
         when '../severity != "all" and
               ../severity != "none"' {
           description
             "The advanced compare container is not applicable for
              severity 'all' or severity 'none'";
         }
         if-feature select-adv-compare;
         leaf compare {
           type enumeration {
             enum equals {
               description
                 "This enum specifies that the severity comparison
                  operation will be equals.";
             }
             enum equals-or-higher {
               description
                 "This enum specifies that the severity comparison
                  operation will be equals or higher.";
             }
           }
           default equals-or-higher;
           description
             "The compare can be used to specify the comparison
              operator that should be used to compare the syslog message
              severity with the specified severity.";
         }
         leaf action {
           type enumeration {
             enum log {
               description
                 "This enum specifies that if the compare operation is
                  true the message will be logged.";
             }
             enum block {
               description
                 "This enum specifies that if the compare operation is
                  true the message will not be logged.";
             }
           }
           default log;
           description
             "The action can be used to specify if the message should
              be logged or blocked based on the outcome of the compare
              operation.";
         }
         description
           "This container describes additional severity compare
            operations that can be used in place of the default
            severity comparison. The compare leaf specifies the type of
            the compare that is done and the action leaf specifies the
            intended result.
            Example: compare->equals and action->block means
            messages that have a severity equal to the specified
            severity will not be logged.";
       }
     }

     grouping selector {
       description
         "This grouping defines a syslog selector which is used to
          select log messages for the log-actions (console, file,
          remote, etc.). Choose one or both of the following:
            facility [ ...]
            pattern-match regular-expression-match-string
          If both facility and pattern-match are specified, both must
          match in order for a log message to be selected.";
       container facility-filter {
         description
           "This container describes the syslog filter parameters.";
         list facility-list {
           key "facility severity";
           ordered-by user;
           description
             "This list describes a collection of syslog
              facilities and severities.";
           leaf facility {
             type union {
               type identityref {
                 base syslog-facility;
               }
               type enumeration {
                 enum all {
                   description
                     "This enum describes the case where all
                      facilities are requested.";
                 }
               }
             }
             description
               "The leaf uniquely identifies a syslog facility.";
           }
           uses severity-filter;
         }
       }
       leaf pattern-match {
         if-feature select-match;
         type string;
         description
           "This leaf describes a Posix 1003.2 regular expression
            string that can be used to select a syslog message for
            logging.
            The match is performed on the SYSLOG-MSG field.";
         reference
           "RFC 5424: The Syslog Protocol
            Std-1003.1-2008 Regular Expressions";
       }
     }

     grouping structured-data {
       description
         "This grouping defines the syslog structured data option
          which is used to select the format used to write log
          messages.";
       leaf structured-data {
         if-feature structured-data;
         type boolean;
         default false;
         description
           "This leaf describes how log messages are written.
            If true, messages will be written with one or more
            STRUCTURED-DATA elements; if false, messages will be
            written with STRUCTURED-DATA = NILVALUE.";
         reference
           "RFC 5424: The Syslog Protocol";
       }
     }

     container syslog {
       presence "Enables logging.";
       description
         "This container describes the configuration parameters for
          syslog.";
       container actions {
         description
           "This container describes the log-action parameters
            for syslog.";
         container console {
           if-feature console-action;
           presence "Enables logging to the console";
           description
             "This container describes the configuration parameters
              for console logging.";
           uses selector;
         }
         container file {
           if-feature file-action;
           description
             "This container describes the configuration parameters for
              file logging.
              If file-archive limits are not supplied, it
              is assumed that the local implementation defined limits
              will be used.";
           list log-file {
             key "name";
             description
               "This list describes a collection of local logging
                files.";
             leaf name {
               type inet:uri {
                 pattern 'file:.*';
               }
               description
                 "This leaf specifies the name of the log file which
                  MUST use the uri scheme file:.";
             }
             uses selector;
             uses structured-data;
             container file-rotation {
               description
                 "This container describes the configuration
                  parameters for log file rotation.";
               leaf number-of-files {
                 if-feature file-limit-size;
                 type uint32;
                 default 1;
                 description
                   "This leaf specifies the maximum number of log
                    files retained. Specify 1 for implementations
                    that only support one log file.";
               }
               leaf max-file-size {
                 if-feature file-limit-size;
                 type uint32;
                 units "megabytes";
                 description
                   "This leaf specifies the maximum log file size.";
               }
               leaf rollover {
                 if-feature file-limit-duration;
                 type uint32;
                 units "minutes";
                 description
                   "This leaf specifies the length of time that log
                    events should be written to a specific log file.
1005 Log events that arrive after the rollover period 1006 cause the current log file to be closed and a new 1007 log file to be opened."; 1008 } 1009 leaf retention { 1010 if-feature file-limit-duration; 1011 type uint32; 1012 units "hours"; 1013 description 1014 "This leaf specifies the length of time that 1015 completed/closed log event files should be stored 1016 in the file system before they are deleted."; 1017 } 1018 } 1019 } 1020 } 1021 container remote { 1022 if-feature remote-action; 1023 description 1024 "This container describes the configuration parameters 1025 for forwarding syslog messages to remote relays or 1026 collectors."; 1027 list destination { 1028 key "name"; 1029 description 1030 "This list describes a collection of remote logging 1031 destinations."; 1032 leaf name { 1033 type string; 1034 description 1035 "An arbitrary name for the endpoint to connect to."; 1036 } 1037 choice transport { 1038 mandatory true; 1039 description 1040 "This choice describes the transport option."; 1041 case tcp { 1042 container tcp { 1043 description 1044 "This container describes the TCP transport 1045 options."; 1046 reference 1047 "RFC 6587: Transmission of Syslog Messages over 1048 TCP"; 1049 leaf address { 1050 type inet:host; 1051 description 1052 "The leaf uniquely specifies the address of 1053 the remote host. One of the following must 1054 be specified: an ipv4 address, an ipv6 1055 address, or a host name."; 1056 } 1057 leaf port { 1058 type inet:port-number; 1059 default 514; 1060 description 1061 "This leaf specifies the port number used to 1062 deliver messages to the remote server."; 1063 } 1064 } 1065 } 1066 case udp { 1067 container udp { 1068 description 1069 "This container describes the UDP transport 1070 options."; 1071 reference 1072 "RFC 5426: Transmission of Syslog Messages over 1073 UDP"; 1074 leaf address { 1075 type inet:host; 1076 description 1077 "The leaf uniquely specifies the address of 1078 the remote host. 
One of the following must be 1079 specified: an ipv4 address, an ipv6 address, 1080 or a host name."; 1081 } 1082 leaf port { 1083 type inet:port-number; 1084 default 514; 1085 description 1086 "This leaf specifies the port number used to 1087 deliver messages to the remote server."; 1088 } 1089 } 1091 } 1092 case tls { 1093 container tls { 1094 description 1095 "This container describes the TLS transport 1096 options."; 1097 reference 1098 "RFC 5425: Transport Layer Security (TLS) 1099 Transport Mapping for Syslog "; 1100 leaf address { 1101 type inet:host; 1102 description 1103 "The leaf uniquely specifies the address of 1104 the remote host. One of the following must be 1105 specified: an ipv4 address, an ipv6 address, 1106 or a host name."; 1107 } 1108 leaf port { 1109 type inet:port-number; 1110 default 6514; 1111 description 1112 "TCP port 6514 has been allocated as the default 1113 port for syslog over TLS."; 1114 } 1115 uses tlsc:tls-client-grouping; 1116 } 1117 } 1118 } 1119 uses selector; 1120 uses structured-data; 1121 leaf facility-override { 1122 type identityref { 1123 base syslog-facility; 1124 } 1125 description 1126 "If specified, this leaf specifies the facility used 1127 to override the facility in messages delivered to 1128 the remote server."; 1129 } 1130 leaf source-interface { 1131 if-feature remote-source-interface; 1132 type if:interface-ref; 1133 description 1134 "This leaf sets the source interface to be used to 1135 send messages to the remote syslog server. 
If not 1136 set, messages sent to a remote syslog server will 1137 contain the IP address of the interface the syslog 1138 message uses to exit the network element"; 1140 } 1141 container signing-options { 1142 if-feature signed-messages; 1143 presence 1144 "If present, syslog-signing options is activated."; 1145 description 1146 "This container describes the configuration 1147 parameters for signed syslog messages."; 1148 reference 1149 "RFC 5848: Signed Syslog Messages"; 1150 container cert-signers { 1151 description 1152 "This container describes the signing certificate 1153 configuration for Signature Group 0 which covers 1154 the case for administrators who want all Signature 1155 Blocks to be sent to a single destination."; 1156 list cert-signer { 1157 key "name"; 1158 description 1159 "This list describes a collection of syslog 1160 message signers."; 1161 leaf name { 1162 type string; 1163 description 1164 "This leaf specifies the name of the syslog 1165 message signer."; 1166 } 1167 container cert { 1168 uses ks:private-key-grouping; 1169 uses ks:certificate-grouping; 1170 description 1171 "This is the certificate that is periodically 1172 sent to the remote receiver. 
Selection of the 1173 certificate also implicitly selects the private 1174 key used to sign the syslog messages."; 1175 } 1176 leaf hash-algorithm { 1177 type enumeration { 1178 enum SHA1 { 1179 value 1; 1180 description 1181 "This enum describes the SHA1 algorithm."; 1182 } 1183 enum SHA256 { 1184 value 2; 1185 description 1186 "This enum describes the SHA256 algorithm."; 1187 } 1189 } 1190 description 1191 "This leaf describes the syslog signer hash 1192 algorithm used."; 1193 } 1194 } 1195 leaf cert-initial-repeat { 1196 type uint32; 1197 default 3; 1198 description 1199 "This leaf specifies the number of times each 1200 Certificate Block should be sent before the first 1201 message is sent."; 1202 } 1203 leaf cert-resend-delay { 1204 type uint32; 1205 units "seconds"; 1206 default 3600; 1207 description 1208 "This leaf specifies the maximum time delay in 1209 seconds until resending the Certificate Block."; 1210 } 1211 leaf cert-resend-count { 1212 type uint32; 1213 default 0; 1214 description 1215 "This leaf specifies the maximum number of other 1216 syslog messages to send until resending the 1217 Certificate Block."; 1218 } 1219 leaf sig-max-delay { 1220 type uint32; 1221 units "seconds"; 1222 default 60; 1223 description 1224 "This leaf specifies when to generate a new 1225 Signature Block. If this many seconds have 1226 elapsed since the message with the first message 1227 number of the Signature Block was sent, a new 1228 Signature Block should be generated."; 1229 } 1230 leaf sig-number-resends { 1231 type uint32; 1232 default 0; 1233 description 1234 "This leaf specifies the number of times a 1235 Signature Block is resent. (It is recommended to 1236 select a value of greater than 0 in particular 1237 when the UDP transport RFC 5426 is used.)."; 1238 } 1239 leaf sig-resend-delay { 1240 type uint32; 1241 units "seconds"; 1242 default 5; 1243 description 1244 "This leaf specifies when to send the next 1245 Signature Block transmission based on time. 
If 1246 this many seconds have elapsed since the previous 1247 sending of this Signature Block, resend it."; 1248 } 1249 leaf sig-resend-count { 1250 type uint32; 1251 default 0; 1252 description 1253 "This leaf specifies when to send the next 1254 Signature Block transmission based on a count. 1255 If this many other syslog messages have been 1256 sent since the previous sending of this 1257 Signature Block, resend it. A value of 0 means 1258 that you don't resend based on the number of 1259 messages."; 1260 } 1261 } 1262 } 1263 } 1264 } 1265 } 1266 } 1267 } 1268 1270 Figure 3. ietf-syslog Module 1272 5. Usage Examples 1273 Requirement: 1274 Enable console logging of syslogs of severity critical 1276 Here is the example syslog configuration xml: 1277 1278 1279 1280 1281 1282 all 1283 critical 1284 1285 1286 1287 1288 1290 Enable remote logging of syslogs to udp destination 1291 2001:db8:a0b:12f0::1 for facility auth, severity error 1293 1294 1295 1296 1297 remote1 1298 1299
foo.eample.com
1300
1301 1302 1303 auth 1304 error 1305 1306 1307
1308
1309
1310
   Figure 4. ietf-syslog Examples

6. Acknowledgements

   The authors wish to thank the following who commented on this
   proposal:

   Andy Bierman, Martin Bjorklund, Alex Campbell, Alex Clemm, Jim
   Gibson, Jeffrey Haas, John Heasley, Giles Heron, Lisa Huang, Mahesh
   Jethanandani, Jeffrey K Lange, Jan Lindblad, Chris Lonvick, Tom
   Petch, Juergen Schoenwaelder, Phil Shafer, Jason Sterne, Peter Van
   Horne, Kent Watsen, Bert Wijnen, Dale R Worley, Aleksandr Zhdankin

7. IANA Considerations

7.1. The IETF XML Registry

   This document registers one URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested:

      URI: urn:ietf:params:xml:ns:yang:ietf-syslog
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.

7.2. The YANG Module Names Registry

   This document registers one YANG module in the YANG Module Names
   registry [RFC7895]. Following the format in [RFC7950], the
   following registration is requested:

      name: ietf-syslog
      namespace: urn:ietf:params:xml:ns:yang:ietf-syslog
      prefix: ietf-syslog
      reference: RFC zzzz

8. Security Considerations

   The YANG module defined in this document is designed to be accessed
   via YANG based management protocols, such as NETCONF [RFC6241] and
   RESTCONF [RFC8040]. Both of these protocols have mandatory-to-
   implement secure transport layers (e.g., SSH, TLS) with mutual
   authentication.

   The NETCONF access control model (NACM) [RFC6536] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default). These data nodes may be considered sensitive or vulnerable
   in some network environments. Write operations (e.g., edit-config)
   to these data nodes without proper protection can have a negative
   effect on network operations. These are the subtrees and data nodes
   and their sensitivity/vulnerability:

      facility-filter/pattern-match: When writing this node,
      implementations MUST ensure that the regular expression pattern
      match is not constructed to cause a regular expression denial
      of service attack due to a pattern that causes the regular
      expression implementation to work very slowly (exponentially
      related to input size).

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments. It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.

   There are no RPC operations defined in this YANG module.

9. References

9.1. Normative References

   [I-D.ietf-netconf-keystore]
              Watsen, K., "YANG Data Model for a "Keystore" Mechanism",
              draft-ietf-netconf-keystore-04 (work in progress), October
              2017.

   [I-D.ietf-netconf-tls-client-server]
              Watsen, K. and G. Wu, "YANG Groupings for TLS Clients and
              TLS Servers", draft-ietf-netconf-tls-client-server-05
              (work in progress), October 2017.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424,
              DOI 10.17487/RFC5424, March 2009.

   [RFC5425]  Miao, F., Ed., Ma, Y., Ed., and J. Salowey, Ed.,
              "Transport Layer Security (TLS) Transport Mapping for
              Syslog", RFC 5425, DOI 10.17487/RFC5425, March 2009.

   [RFC5426]  Okmianski, A., "Transmission of Syslog Messages over UDP",
              RFC 5426, DOI 10.17487/RFC5426, March 2009.

   [RFC5848]  Kelsey, J., Callas, J., and A. Clemm, "Signed Syslog
              Messages", RFC 5848, DOI 10.17487/RFC5848, May 2010.

   [RFC6587]  Gerhards, R. and C. Lonvick, "Transmission of Syslog
              Messages over TCP", RFC 6587, DOI 10.17487/RFC6587, April
              2012.

   [RFC7223]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 7223, DOI 10.17487/RFC7223, May 2014.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [Std-1003.1-2008]
              The Open Group, "Chapter 9: Regular Expressions", The
              Open Group Base Specifications Issue 6, IEEE Std
              1003.1-2008, 2016 Edition, September 2016.

9.2. Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC7895]  Bierman, A., Bjorklund, M., and K. Watsen, "YANG Module
              Library", RFC 7895, DOI 10.17487/RFC7895, June 2016.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

Appendix A. Implementor Guidelines

A.1. Extending Facilities

   Many vendors extend the list of facilities available for logging in
   their implementation. Additional facilities may not work with the
   syslog protocol as defined in [RFC5424] and hence such facilities
   apply for local syslog-like logging functionality.
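   Section 8 requires an implementation to refuse a pattern-match value
   that can drive the regular expression engine into exponential
   backtracking, but leaves the check to the implementor. The following
   write-time check is an added example for this appendix, not code from
   the draft or from any vendor implementation: it parses the proposed
   pattern with Python's standard regex parser and rejects the classic
   trigger, a variable-width quantifier nested inside another one, along
   with malformed and oversize patterns. The function name and the
   256-character limit are assumptions; the check is a heuristic and does
   not catch overlapping alternations such as (a|aa)+.

```python
"""Write-time check for the ietf-syslog facility-filter/pattern-match leaf.

Added example, not part of the draft: rejects a variable-width quantifier
nested inside another one (the classic catastrophic-backtracking shape),
malformed patterns and oversize patterns. Heuristic only: overlapping
alternations such as (a|aa)+ are not caught."""
import re

try:                                   # Python 3.11+
    from re import _parser as sre_parse
    from re import _constants as sre_constants
except ImportError:                    # older interpreters
    import sre_parse
    import sre_constants

MAX_PATTERN_LEN = 256                  # assumed local bound, not from the draft
_REPEAT_OPS = (sre_constants.MAX_REPEAT, sre_constants.MIN_REPEAT)


def _subpatterns(av):
    """Yield every SubPattern reachable from a parse node's argument."""
    if isinstance(av, sre_parse.SubPattern):
        yield av
    elif isinstance(av, (tuple, list)):
        for item in av:
            yield from _subpatterns(item)


def _has_nested_variable_repeat(sub, inside_repeat=False):
    """True if a variable-width repeat (+, *, {m,n}) sits inside another."""
    for op, av in sub.data:
        if op in _REPEAT_OPS:
            lo, hi, body = av
            variable = lo != hi        # {2} is fixed; +, *, {1,} are not
            if variable and inside_repeat:
                return True
            if _has_nested_variable_repeat(body, inside_repeat or variable):
                return True
        else:                          # groups, alternations, lookarounds
            for child in _subpatterns(av):
                if _has_nested_variable_repeat(child, inside_repeat):
                    return True
    return False


def check_pattern_match(pattern):
    """Return (accepted, reason) for a proposed pattern-match value."""
    if len(pattern) > MAX_PATTERN_LEN:
        return False, "pattern longer than %d characters" % MAX_PATTERN_LEN
    try:
        parsed = sre_parse.parse(pattern)
    except re.error as exc:
        return False, "invalid regular expression: %s" % exc
    if _has_nested_variable_repeat(parsed):
        return False, "nested variable-width quantifier (ReDoS risk)"
    return True, "ok"
```

   A NETCONF or RESTCONF server would call this from the edit-config
   validation path and reject the request when the first element is False.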
   The following is an example that shows how additional facilities
   could be added to the list of available facilities (in this example
   two facilities are added):

   module example-vendor-syslog-types {
     namespace "http://example.com/ns/vendor-syslog-types";
     prefix vendor-syslogtypes;

     import ietf-syslog {
       prefix syslogtypes;
     }

     organization "Example, Inc.";
     contact
       "Example, Inc.
        Customer Service

        E-mail: syslog-yang@example.com";

     description
       "This module contains a collection of vendor-specific YANG type
        definitions for SYSLOG.";

     revision 2017-08-11 {
       description
         "Version 1.0";
       reference
         "Vendor SYSLOG Types: SYSLOG YANG Model";
     }

     identity vendor_specific_type_1 {
       base syslogtypes:syslog-facility;
       description
         "Adding vendor specific type 1 to syslog-facility";
     }

     identity vendor_specific_type_2 {
       base syslogtypes:syslog-facility;
       description
         "Adding vendor specific type 2 to syslog-facility";
     }
   }

Authors' Addresses

   Clyde Wildes (editor)
   Cisco Systems Inc.
   170 West Tasman Drive
   San Jose, CA 95134
   US

   Phone: +1 408 527-2672
   EMail: cwildes@cisco.com

   Kiran Koushik (editor)
   Verizon Wireless
   500 W Dove Rd.
   Southlake, TX 76092
   US

   Phone: +1 512 650-0210
   EMail: kirankoushik.agraharasreenivasa@verizonwireless.com