idnits 2.17.1 draft-ietf-netmod-syslog-model-21.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The abstract seems to contain references
     ([I-D.ietf-netmod-revised-datastores]), which it shouldn't.  Please
     replace those with straight textual mentions of the documents in
     question.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does
     not match the current year

  -- The document date (February 14, 2018) is 2260 days in the past.  Is
     this intentional?
  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative
     references to lower-maturity documents in RFCs)

  == Unused Reference: 'I-D.ietf-netmod-revised-datastores' is defined on
     line 1407, but no explicit reference was found in the text

  == Outdated reference: A later version (-35) exists of
     draft-ietf-netconf-keystore-04

  == Outdated reference: A later version (-41) exists of
     draft-ietf-netconf-tls-client-server-05

  ** Obsolete normative reference: RFC 7223 (Obsoleted by RFC 8343)

  ** Obsolete normative reference: RFC 7895 (Obsoleted by RFC 8525)

  == Outdated reference: A later version (-06) exists of
     draft-ietf-netmod-yang-tree-diagrams-05

  -- Obsolete informational reference (is this intentional?): RFC 6536
     (Obsoleted by RFC 8341)

     Summary: 3 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information
     about the items above.

--------------------------------------------------------------------------------

NETMOD WG                                                  C. Wildes, Ed.
Internet-Draft                                         Cisco Systems Inc.
Intended status: Standards Track                          K. Koushik, Ed.
Expires: August 18, 2018                                 Verizon Wireless
                                                        February 14, 2018


               A YANG Data Model for Syslog Configuration
                   draft-ietf-netmod-syslog-model-21

Abstract

   This document defines a YANG data model for the configuration of a
   syslog process.  It is intended that this model be used by vendors
   who implement syslog in their systems.

   The YANG model in this document conforms to the Network Management
   Datastore Architecture defined in
   [I-D.ietf-netmod-revised-datastores].

Editorial Note (To be removed by RFC Editor)

   This document contains many placeholder values that need to be
   replaced with finalized values at the time of publication.  This note
   summarizes all of the substitutions that are needed.  No other RFC
   Editor instructions are specified elsewhere in this document.

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   o  "I-D.ietf-netconf-keystore" --> the assigned RFC value for
      draft-ietf-netconf-keystore

   o  "I-D.ietf-netconf-tls-client-server" --> the assigned RFC value
      for draft-ietf-netconf-tls-client-server

   o  "zzzz" --> the assigned RFC value for this draft

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 18, 2018.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
     1.2.  Terminology
     1.3.  NMDA Compliance
   2.  Problem Statement
   3.  Design of the Syslog Model
     3.1.  Syslog Module
   4.  Syslog YANG Module
     4.1.  The ietf-syslog Module
   5.  Usage Examples
   6.  Acknowledgements
   7.  IANA Considerations
     7.1.  The IETF XML Registry
     7.2.  The YANG Module Names Registry
   8.  Security Considerations
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Appendix A.  Implementor Guidelines
     A.1.  Extending Facilities
   Authors' Addresses

1.  Introduction

   Operating systems, processes and applications generate messages
   indicating their own status or the occurrence of events.  These
   messages are useful for managing and/or debugging the network and its
   services.  The BSD syslog protocol is a widely adopted protocol that
   is used for transmission and processing of these messages.

   Since each process, application and operating system was written
   somewhat independently, there is little uniformity to the content of
   syslog messages.  For this reason, no assumption is made upon the
   formatting or contents of the messages.
   The protocol is simply designed to transport these event messages.
   No acknowledgement of the receipt is made.

   Essentially, a syslog process receives messages (from the kernel,
   processes, applications or other syslog processes) and processes
   them.  The processing may involve logging to a local file, and/or
   displaying on console, and/or relaying to syslog processes on other
   machines.  The processing is determined by the "facility" that
   originated the message and the "severity" assigned to the message by
   the facility.

   This document uses the syslog protocol definitions from [RFC5424].

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  Terminology

   The term "originator" is defined in [RFC5424]: an "originator"
   generates syslog content to be carried in a message.

   The term "relay" is defined in [RFC5424]: a "relay" forwards
   messages, accepting messages from originators or other relays and
   sending them to collectors or other relays.

   The term "collector" is defined in [RFC5424]: a "collector" gathers
   syslog content for further analysis.

   The term "action" refers to the processing that takes place for each
   syslog message received.

1.3.  NMDA Compliance

   The YANG model in this document conforms to the Network Management
   Datastore Architecture defined in
   [I-D.ietf-netmod-revised-datastores].

2.  Problem Statement

   This document defines a YANG [RFC7950] configuration data model that
   may be used to configure the syslog feature running on a system.
   YANG models can be used with network management protocols such as
   NETCONF [RFC6241] to install, manipulate, and delete the
   configuration of network devices.

   The data model makes use of the YANG "feature" construct which allows
   implementations to support only those syslog features that lie within
   their capabilities.

   This module can be used to configure the syslog application
   conceptual layers as implemented on the target system.

3.  Design of the Syslog Model

   The syslog model was designed by comparing the syslog features
   implemented by various vendors in different implementations.

   This document addresses the common leaves between implementations and
   creates a common model, which can be augmented with proprietary
   features, if necessary.  This model is designed to be very simple for
   maximum flexibility.

   Some optional features are defined in this document to specify
   functionality that is present in specific vendor configurations.

   Syslog consists of originators and collectors.  The following diagram
   shows syslog messages flowing from originators to collectors, where
   filtering can take place.
         Originators
     +-------------+ +-------------+ +-------------+ +-------------+
     |   Various   | |     OS      | |             | |   Remote    |
     |  Components | |   Kernel    | |  Line Cards | |   Servers   |
     +-------------+ +-------------+ +-------------+ +-------------+

     +-------------+ +-------------+ +-------------+ +-------------+
     |    SNMP     | |  Interface  | |   Standby   | |   Syslog    |
     |   Events    | |   Events    | | Supervisor  | |   Itself    |
     +-------------+ +-------------+ +-------------+ +-------------+
            |                                                |
            +------------------------------------------------+
                                    |
                                    |
                                    |
                                    |
                       +------------+--------------+
                       |            |              |
                       v            v              v
         Collectors
     +----------+  +----------+  +----------------+
     |          |  |   Log    |  |Remote Relay(s)/|
     | Console  |  |  File(s) |  |Collector(s)    |
     +----------+  +----------+  +----------------+

                   Figure 1.  Syslog Processing Flow

   Collectors are configured using the leaves in the syslog model
   "actions" container which correspond to each message collector:

      console

      log file(s)

      remote relay(s)/collector(s)

   Within each action, a selector is used to filter syslog messages.  A
   selector consists of a list of one or more facility-severity matches,
   and, if supported via the select-match feature, an optional regular
   expression pattern match that is performed on the [RFC5424]
   SYSLOG-MSG field.

   A syslog message is processed if:

      There is an element of facility-list (F, S) where
         the message facility matches F
         and the message severity matches S
         and, if a pattern-match is present, the message text matches
         the regex pattern

   The facility is one of a specific syslog-facility, or all facilities.

   The severity is one of type syslog-severity, all severities, or none.
   None is a special case that can be used to disable a filter.  When
   filtering severity, the default comparison is that messages of the
   specified severity and higher are selected to be logged.  This is
   shown in the model as "default equals-or-higher".  This behavior can
   be altered if the select-adv-compare feature is enabled to specify a
   compare operation and an action.  Compare operations are: "equals" to
   select messages with this single severity, or "equals-or-higher" to
   select messages of the specified severity and higher.  Actions are
   used to log the message or block the message from being logged.

   Many vendors extend the list of facilities available for logging in
   their implementation.  An example is included in Extending Facilities
   (Appendix A.1).

3.1.  Syslog Module

   A simplified graphical representation of the data model is used in
   this document.  Please see [I-D.ietf-netmod-yang-tree-diagrams] for
   tree diagram notation.

   module: ietf-syslog
     +--rw syslog!
        +--rw actions
           +--rw console! {console-action}?
           |  +--rw facility-filter
           |  |  +--rw facility-list* [facility severity]
           |  |     +--rw facility            union
           |  |     +--rw severity            union
           |  |     +--rw advanced-compare {select-adv-compare}?
           |  |        +--rw compare?   enumeration
           |  |        +--rw action?    enumeration
           |  +--rw pattern-match?    string {select-match}?
           +--rw file {file-action}?
           |  +--rw log-file* [name]
           |     +--rw name                inet:uri
           |     +--rw facility-filter
           |     |  +--rw facility-list* [facility severity]
           |     |     +--rw facility            union
           |     |     +--rw severity            union
           |     |     +--rw advanced-compare {select-adv-compare}?
           |     |        +--rw compare?   enumeration
           |     |        +--rw action?    enumeration
           |     +--rw pattern-match?      string {select-match}?
           |     +--rw structured-data?    boolean {structured-data}?
           |     +--rw file-rotation
           |        +--rw number-of-files?   uint32 {file-limit-size}?
           |        +--rw max-file-size?     uint32 {file-limit-size}?
           |        +--rw rollover?          uint32
           |        |       {file-limit-duration}?
           |        +--rw retention?         uint32
           |                {file-limit-duration}?
           +--rw remote {remote-action}?
              +--rw destination* [name]
                 +--rw name                 string
                 +--rw (transport)
                 |  +--:(udp)
                 |  |  +--rw udp
                 |  |     +--rw address?   inet:host
                 |  |     +--rw port?      inet:port-number
                 |  +--:(tls)
                 |     +--rw tls
                 |        +--rw address?            inet:host
                 |        +--rw port?               inet:port-number
                 |        +--rw client-auth
                 |        |  +--rw (auth-type)?
                 |        |     +--:(certificate)
                 |        |        +--rw certificate?   leafref
                 |        +--rw server-auth
                 |        |  +--rw pinned-ca-certs?       leafref
                 |        |  +--rw pinned-server-certs?   leafref
                 |        +--rw hello-params
                 |                {tls-client-hello-params-config}?
                 |           +--rw tls-versions
                 |           |  +--rw tls-version*   identityref
                 |           +--rw cipher-suites
                 |              +--rw cipher-suite*   identityref
                 +--rw facility-filter
                 |  +--rw facility-list* [facility severity]
                 |     +--rw facility            union
                 |     +--rw severity            union
                 |     +--rw advanced-compare {select-adv-compare}?
                 |        +--rw compare?   enumeration
                 |        +--rw action?    enumeration
                 +--rw pattern-match?       string {select-match}?
                 +--rw structured-data?     boolean {structured-data}?
                 +--rw facility-override?   identityref
                 +--rw source-interface?    if:interface-ref
                 |       {remote-source-interface}?
                 +--rw signing! {signed-messages}?
                    +--rw cert-signers
                       +--rw cert-signer* [name]
                       |  +--rw name              string
                       |  +--rw cert
                       |  |  +--rw algorithm?      identityref
                       |  |  +--rw private-key?    union
                       |  |  +--rw public-key?     binary
                       |  |  +---x generate-private-key
                       |  |  |  +---w input
                       |  |  |     +---w algorithm?   identityref
                       |  |  +--rw certificates
                       |  |  |  +--rw certificate* [name]
                       |  |  |     +--rw name     string
                       |  |  |     +--rw value?   binary
                       |  |  +---x generate-certificate-signing-request
                       |  |     +---w input
                       |  |     |  +---w subject       binary
                       |  |     |  +---w attributes?   binary
                       |  |     +--ro output
                       |  |        +--ro certificate-signing-request
                       |  |                binary
                       |  +--rw hash-algorithm?   enumeration
                       +--rw cert-initial-repeat?   uint32
                       +--rw cert-resend-delay?     uint32
                       +--rw cert-resend-count?     uint32
                       +--rw sig-max-delay?         uint32
                       +--rw sig-number-resends?    uint32
                       +--rw sig-resend-delay?      uint32
                       +--rw sig-resend-count?      uint32

                  Figure 2.  ietf-syslog Module Tree

4.  Syslog YANG Module

4.1.  The ietf-syslog Module

   This module imports typedefs from [RFC7223], groupings from
   [I-D.ietf-netconf-keystore] and [I-D.ietf-netconf-tls-client-server],
   and it references [RFC5424], [RFC5425], [RFC5426], [RFC5848], and
   [Std-1003.1-2008].

   <CODE BEGINS> file "ietf-syslog@2018-02-14.yang"
   module ietf-syslog {
     yang-version 1.1;

     namespace "urn:ietf:params:xml:ns:yang:ietf-syslog";
     prefix syslog;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: INET Types Model";
     }

     import ietf-interfaces {
       prefix if;
       reference
         "RFC 7223: Interfaces Model";
     }

     import ietf-tls-client {
       prefix tlsc;
       reference
         "I-D.ietf-netconf-tls-client-server:
          TLS Client and Server Models";
     }

     import ietf-keystore {
       prefix ks;
       reference
         "I-D.ietf-netconf-keystore: Keystore Model";
     }

     organization
       "IETF NETMOD (Network Modeling) Working Group";

     contact
       "WG Web:
        WG List:

        Editor:   Kiran Agrahara Sreenivasa

        Editor:   Clyde Wildes
       ";
     description
       "This module contains a collection of YANG definitions
        for syslog configuration.

        Copyright (c) 2018 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.

        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Simplified BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (http://trustee.ietf.org/license-info).
        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
        NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and
        'OPTIONAL' in the module text are to be interpreted as
        described in RFC 2119 (http://tools.ietf.org/html/rfc2119).

        This version of this YANG module is part of RFC zzzz
        (http://tools.ietf.org/html/rfczzzz); see the RFC itself for
        full legal notices.";

     revision 2018-02-14 {
       description
         "Initial Revision";
       reference
         "RFC zzzz: Syslog YANG Model";
     }

     feature console-action {
       description
         "This feature indicates that the local console action is
          supported.";
     }

     feature file-action {
       description
         "This feature indicates that the local file action is
          supported.";
     }

     feature file-limit-size {
       description
         "This feature indicates that file logging resources
          are managed using size and number limits.";
     }

     feature file-limit-duration {
       description
         "This feature indicates that file logging resources
          are managed using time based limits.";
     }

     feature remote-action {
       description
         "This feature indicates that the remote server action is
          supported.";
     }

     feature remote-source-interface {
       description
         "This feature indicates that source-interface is supported
          for the remote-action.";
     }

     feature select-adv-compare {
       description
         "This feature represents the ability to select messages
          using the additional comparison operators when comparing
          the syslog message severity.";
     }

     feature select-match {
       description
         "This feature represents the ability to select messages
          based on a Posix 1003.2 regular expression pattern match.";
     }

     feature structured-data {
       description
         "This feature represents the ability to log messages
          in structured-data format.";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     feature signed-messages {
       description
         "This feature represents the ability to configure signed
          syslog messages.";
       reference
         "RFC 5848: Signed Syslog Messages";
     }

     typedef syslog-severity {
       type enumeration {
         enum "emergency" {
           value 0;
           description
             "The severity level 'Emergency' indicating that the
              system is unusable.";
         }
         enum "alert" {
           value 1;
           description
             "The severity level 'Alert' indicating that an action
              must be taken immediately.";
         }
         enum "critical" {
           value 2;
           description
             "The severity level 'Critical' indicating a critical
              condition.";
         }
         enum "error" {
           value 3;
           description
             "The severity level 'Error' indicating an error
              condition.";
         }
         enum "warning" {
           value 4;
           description
             "The severity level 'Warning' indicating a warning
              condition.";
         }
         enum "notice" {
           value 5;
           description
             "The severity level 'Notice' indicating a normal but
              significant condition.";
         }
         enum "info" {
           value 6;
           description
             "The severity level 'Info' indicating an informational
              message.";
         }
         enum "debug" {
           value 7;
           description
             "The severity level 'Debug' indicating a debug-level
              message.";
         }
       }
       description
         "The definitions for Syslog message severity.";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity syslog-facility {
       description
         "This identity is used as a base for all syslog facilities.";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity kern {
       base syslog-facility;
       description
         "The facility for kernel messages (0).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity user {
       base syslog-facility;
       description
         "The facility for user-level messages (1).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity mail {
       base syslog-facility;
       description
         "The facility for the mail system (2).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity daemon {
       base syslog-facility;
       description
         "The facility for the system daemons (3).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity auth {
       base syslog-facility;
       description
         "The facility for security/authorization messages (4).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity syslog {
       base syslog-facility;
       description
         "The facility for messages generated internally by syslogd
          facility (5).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity lpr {
       base syslog-facility;
       description
         "The facility for the line printer subsystem (6).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity news {
       base syslog-facility;
       description
         "The facility for the network news subsystem (7).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity uucp {
       base syslog-facility;
       description
         "The facility for the UUCP subsystem (8).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity cron {
       base syslog-facility;
       description
         "The facility for the clock daemon (9).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity authpriv {
       base syslog-facility;
       description
         "The facility for privileged security/authorization messages
          (10).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity ftp {
       base syslog-facility;
       description
         "The facility for the FTP daemon (11).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity ntp {
       base syslog-facility;
       description
         "The facility for the NTP subsystem (12).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity audit {
       base syslog-facility;
       description
         "The facility for log audit messages (13).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity console {
       base syslog-facility;
       description
         "The facility for log alert messages (14).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity cron2 {
       base syslog-facility;
       description
         "The facility for the second clock daemon (15).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local0 {
       base syslog-facility;
       description
         "The facility for local use 0 messages (16).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local1 {
       base syslog-facility;
       description
         "The facility for local use 1 messages (17).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local2 {
       base syslog-facility;
       description
         "The facility for local use 2 messages (18).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local3 {
       base syslog-facility;
       description
         "The facility for local use 3 messages (19).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local4 {
       base syslog-facility;
       description
         "The facility for local use 4 messages (20).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local5 {
       base syslog-facility;
       description
         "The facility for local use 5 messages (21).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local6 {
       base syslog-facility;
       description
         "The facility for local use 6 messages (22).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local7 {
       base syslog-facility;
       description
         "The facility for local use 7 messages (23).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     grouping severity-filter {
       description
         "This grouping defines the processing used to select
          log messages by comparing syslog message severity using
          the following processing rules:
          - if 'none', do not match.
          - if 'all', match.
          - else compare message severity with the specified severity
            according to the default compare rule (all messages of the
            specified severity and greater match) or, if the
            select-adv-compare feature is present, the advanced-compare
            rule.";
       leaf severity {
         type union {
           type syslog-severity;
           type enumeration {
             enum none {
               value 2147483647;
               description
                 "This enum describes the case where no severities
                  are selected.";
             }
             enum all {
               value -2147483648;
               description
                 "This enum describes the case where all severities
                  are selected.";
             }
           }
         }
         mandatory true;
         description
           "This leaf specifies the syslog message severity.";
       }
       container advanced-compare {
         when '../severity != "all" and
               ../severity != "none"' {
           description
             "The advanced compare container is not applicable for
              severity 'all' or severity 'none'";
         }
         if-feature select-adv-compare;
         leaf compare {
           type enumeration {
             enum equals {
               description
                 "This enum specifies that the severity comparison
                  operation will be equals.";
             }
             enum equals-or-higher {
               description
                 "This enum specifies that the severity comparison
                  operation will be equals or higher.";
             }
           }
           default equals-or-higher;
           description
             "The compare can be used to specify the comparison
              operator that should be used to compare the syslog message
              severity with the specified severity.";
         }
         leaf action {
           type enumeration {
             enum log {
               description
                 "This enum specifies that if the compare operation is
                  true the message will be logged.";
             }
             enum block {
               description
                 "This enum specifies that if the compare operation is
                  true the message will not be logged.";
             }
           }
           default log;
           description
             "The action can be used to specify if the message should
              be logged or blocked based on the outcome of the compare
              operation.";
         }
         description
           "This container describes additional severity compare
            operations that can be used in place of the default
            severity comparison.  The compare leaf specifies the type of
            the compare that is done and the action leaf specifies the
            intended result.
            Example: compare->equals and action->block means
            messages that have a severity that is not equal to the
            specified severity will be logged.";
       }
     }

     grouping selector {
       description
         "This grouping defines a syslog selector which is used to
          select log messages for the log-actions (console, file,
          remote, etc.).  Choose one or both of the following:
            facility [ ...]
            pattern-match regular-expression-match-string
          If both facility and pattern-match are specified, both must
          match in order for a log message to be selected.";
       container facility-filter {
         description
           "This container describes the syslog filter parameters.";
         list facility-list {
           key "facility severity";
           ordered-by user;
           description
             "This list describes a collection of syslog
              facilities and severities.";
           leaf facility {
             type union {
               type identityref {
                 base syslog-facility;
               }
               type enumeration {
                 enum all {
                   description
                     "This enum describes the case where all
                      facilities are requested.";
                 }
               }
             }
             description
               "The leaf uniquely identifies a syslog facility.";
           }
           uses severity-filter;
         }
       }
       leaf pattern-match {
         if-feature select-match;
         type string;
         description
           "This leaf describes a Posix 1003.2 regular expression
            string that can be used to select a syslog message for
            logging.  The match is performed on the SYSLOG-MSG field.";
         reference
           "RFC 5424: The Syslog Protocol
            Std-1003.1-2008 Regular Expressions";
       }
     }

     grouping structured-data {
       description
         "This grouping defines the syslog structured data option
          which is used to select the format used to write log
          messages.";
       leaf structured-data {
         if-feature structured-data;
         type boolean;
         default false;
         description
           "This leaf describes how log messages are written.
            If true, messages will be written with one or more
            STRUCTURED-DATA elements; if false, messages will be
            written with STRUCTURED-DATA = NILVALUE.";
         reference
           "RFC 5424: The Syslog Protocol";
       }
     }

     container syslog {
       presence "Enables logging.";
       description
         "This container describes the configuration parameters for
          syslog.";
       container actions {
         description
           "This container describes the log-action parameters
            for syslog.";
         container console {
           if-feature console-action;
           presence "Enables logging to the console";
           description
             "This container describes the configuration parameters
              for console logging.";
           uses selector;
         }
         container file {
           if-feature file-action;
           description
             "This container describes the configuration parameters for
              file logging.  If file-archive limits are not supplied, it
              is assumed that the local implementation defined limits
              will be used.";
           list log-file {
             key "name";
             description
               "This list describes a collection of local logging
                files.";
             leaf name {
               type inet:uri {
                 pattern 'file:.*';
               }
               description
                 "This leaf specifies the name of the log file which
                  MUST use the uri scheme file:.";
             }
             uses selector;
             uses structured-data;
             container file-rotation {
               description
                 "This container describes the configuration
                  parameters for log file rotation.";
               leaf number-of-files {
                 if-feature file-limit-size;
                 type uint32;
                 default 1;
                 description
                   "This leaf specifies the maximum number of log
                    files retained.  Specify 1 for implementations
                    that only support one log file.";
               }
               leaf max-file-size {
                 if-feature file-limit-size;
                 type uint32;
                 units "megabytes";
                 description
                   "This leaf specifies the maximum log file size.";
               }
               leaf rollover {
                 if-feature file-limit-duration;
                 type uint32;
                 units "minutes";
                 description
                   "This leaf specifies the length of time that log
                    events should be written to a specific log file.
                  Log events that arrive after the rollover period
                  cause the current log file to be closed and a new
                  log file to be opened.";
             }
             leaf retention {
               if-feature file-limit-duration;
               type uint32;
               units "hours";
               description
                 "This leaf specifies the length of time that
                  completed/closed log event files should be stored
                  in the file system before they are deleted.";
             }
           }
         }
       }
       container remote {
         if-feature remote-action;
         description
           "This container describes the configuration parameters
            for forwarding syslog messages to remote relays or
            collectors.";
         list destination {
           key "name";
           description
             "This list describes a collection of remote logging
              destinations.";
           leaf name {
             type string;
             description
               "An arbitrary name for the endpoint to connect to.";
           }
           choice transport {
             mandatory true;
             description
               "This choice describes the transport option.";
             case udp {
               container udp {
                 description
                   "This container describes the UDP transport
                    options.";
                 reference
                   "RFC 5426: Transmission of Syslog Messages over
                    UDP";
                 leaf address {
                   type inet:host;
                   description
                     "The leaf uniquely specifies the address of
                      the remote host. One of the following must be
                      specified: an ipv4 address, an ipv6 address,
                      or a host name.";
                 }
                 leaf port {
                   type inet:port-number;
                   default 514;
                   description
                     "This leaf specifies the port number used to
                      deliver messages to the remote server.";
                 }
               }
             }
             case tls {
               container tls {
                 description
                   "This container describes the TLS transport
                    options.";
                 reference
                   "RFC 5425: Transport Layer Security (TLS)
                    Transport Mapping for Syslog";
                 leaf address {
                   type inet:host;
                   description
                     "The leaf uniquely specifies the address of
                      the remote host.
                      One of the following must be
                      specified: an ipv4 address, an ipv6 address,
                      or a host name.";
                 }
                 leaf port {
                   type inet:port-number;
                   default 6514;
                   description
                     "TCP port 6514 has been allocated as the default
                      port for syslog over TLS.";
                 }
                 uses tlsc:tls-client-grouping;
               }
             }
           }
           uses selector;
           uses structured-data;
           leaf facility-override {
             type identityref {
               base syslog-facility;
             }
             description
               "If specified, this leaf specifies the facility used
                to override the facility in messages delivered to
                the remote server.";
           }
           leaf source-interface {
             if-feature remote-source-interface;
             type if:interface-ref;
             description
               "This leaf sets the source interface to be used to
                send messages to the remote syslog server. If not
                set, messages sent to a remote syslog server will
                contain the IP address of the interface the syslog
                message uses to exit the network element.";
           }
           container signing {
             if-feature signed-messages;
             presence
               "If present, syslog-signing options are activated.";
             description
               "This container describes the configuration
                parameters for signed syslog messages.";
             reference
               "RFC 5848: Signed Syslog Messages";
             container cert-signers {
               description
                 "This container describes the signing certificate
                  configuration for Signature Group 0 which covers
                  the case for administrators who want all Signature
                  Blocks to be sent to a single destination.";
               list cert-signer {
                 key "name";
                 description
                   "This list describes a collection of syslog
                    message signers.";
                 leaf name {
                   type string;
                   description
                     "This leaf specifies the name of the syslog
                      message signer.";
                 }
                 container cert {
                   uses ks:private-key-grouping;
                   uses ks:certificate-grouping;
                   description
                     "This is the certificate that is
                      periodically
                      sent to the remote receiver. Selection of the
                      certificate also implicitly selects the private
                      key used to sign the syslog messages.";
                 }
                 leaf hash-algorithm {
                   type enumeration {
                     enum SHA1 {
                       value 1;
                       description
                         "This enum describes the SHA1 algorithm.";
                     }
                     enum SHA256 {
                       value 2;
                       description
                         "This enum describes the SHA256 algorithm.";
                     }
                   }
                   description
                     "This leaf describes the syslog signer hash
                      algorithm used.";
                 }
               }
               leaf cert-initial-repeat {
                 type uint32;
                 default 3;
                 description
                   "This leaf specifies the number of times each
                    Certificate Block should be sent before the first
                    message is sent.";
               }
               leaf cert-resend-delay {
                 type uint32;
                 units "seconds";
                 default 3600;
                 description
                   "This leaf specifies the maximum time delay in
                    seconds until resending the Certificate Block.";
               }
               leaf cert-resend-count {
                 type uint32;
                 default 0;
                 description
                   "This leaf specifies the maximum number of other
                    syslog messages to send until resending the
                    Certificate Block.";
               }
               leaf sig-max-delay {
                 type uint32;
                 units "seconds";
                 default 60;
                 description
                   "This leaf specifies when to generate a new
                    Signature Block. If this many seconds have
                    elapsed since the message with the first message
                    number of the Signature Block was sent, a new
                    Signature Block should be generated.";
               }
               leaf sig-number-resends {
                 type uint32;
                 default 0;
                 description
                   "This leaf specifies the number of times a
                    Signature Block is resent.
                    (It is recommended to
                    select a value of greater than 0 in particular
                    when the UDP transport RFC 5426 is used.)";
               }
               leaf sig-resend-delay {
                 type uint32;
                 units "seconds";
                 default 5;
                 description
                   "This leaf specifies when to send the next
                    Signature Block transmission based on time. If
                    this many seconds have elapsed since the previous
                    sending of this Signature Block, resend it.";
               }
               leaf sig-resend-count {
                 type uint32;
                 default 0;
                 description
                   "This leaf specifies when to send the next
                    Signature Block transmission based on a count.
                    If this many other syslog messages have been
                    sent since the previous sending of this
                    Signature Block, resend it. A value of 0 means
                    that you don't resend based on the number of
                    messages.";
               }
             }
           }
         }
       }
     }
   }
 }

                     Figure 3. ietf-syslog Module

5.  Usage Examples

   Requirement:
   Enable console logging of syslogs of severity critical

   Here is the example syslog configuration xml:

   <syslog xmlns="urn:ietf:params:xml:ns:yang:ietf-syslog">
     <actions>
       <console>
         <facility-filter>
           <facility-list>
             <facility>all</facility>
             <severity>critical</severity>
           </facility-list>
         </facility-filter>
       </console>
     </actions>
   </syslog>

   Requirement:
   Enable remote logging of syslogs to udp destination
   2001:db8:a0b:12f0::1 for facility auth, severity error

   Here is the example syslog configuration xml:

   <syslog xmlns="urn:ietf:params:xml:ns:yang:ietf-syslog">
     <actions>
       <remote>
         <destination>
           <name>remote1</name>
           <udp>
             <address>2001:db8:a0b:12f0::1</address>
           </udp>
           <facility-filter>
             <facility-list>
               <facility>auth</facility>
               <severity>error</severity>
             </facility-list>
           </facility-filter>
         </destination>
       </remote>
     </actions>
   </syslog>
                    Figure 4. ietf-syslog Examples

6.  Acknowledgements

   The authors wish to thank the following who commented on this
   proposal:

   Andy Bierman, Martin Bjorklund, Alex Campbell, Alex Clemm, Jim
   Gibson, Jeffrey Haas, John Heasley, Giles Heron, Lisa Huang, Mahesh
   Jethanandani, Jeffrey K Lange, Jan Lindblad, Chris Lonvick, Tom
   Petch, Juergen Schoenwaelder, Phil Shafer, Jason Sterne, Peter Van
   Horne, Kent Watsen, Bert Wijnen, Dale R Worley, Aleksandr Zhdankin

7.  IANA Considerations

7.1.  The IETF XML Registry

   This document registers one URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested:

      URI: urn:ietf:params:xml:ns:yang:ietf-syslog
      Registrant Contact: The IESG.
      XML: N/A, the requested URI is an XML namespace.

7.2.  The YANG Module Names Registry

   This document registers one YANG module in the YANG Module Names
   registry [RFC7895].  Following the format in [RFC7950], the following
   registration is requested:

      name: ietf-syslog
      namespace: urn:ietf:params:xml:ns:yang:ietf-syslog
      prefix: ietf-syslog
      reference: RFC zzzz

8.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via YANG based management protocols, such as NETCONF [RFC6241] and
   RESTCONF [RFC8040].  Both of these protocols have mandatory-to-implement
   secure transport layers (e.g., SSH, TLS) with mutual authentication.

   The NETCONF access control model (NACM) [RFC6536] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.

   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes may be considered sensitive or vulnerable
   in some network environments.
   Write operations (e.g., edit-config) to these data nodes without
   proper protection can have a negative effect on network operations.
   These are the subtrees and data nodes and their
   sensitivity/vulnerability:

   facility-filter/pattern-match:  When writing this node,
      implementations MUST ensure that the regular expression pattern
      match is not constructed to cause a regular expression denial of
      service attack due to a pattern that causes the regular expression
      implementation to work very slowly (exponentially related to input
      size).

   syslog (presence "Enables logging.") and the actions beneath it:
      Deleting the syslog container, an action, or a remote destination
      silently stops delivery of the log messages a site relies on for
      audit, so write access to these nodes should be limited to
      operators entitled to disable logging.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.

   There are no RPC operations defined in this YANG module.

9.  References

9.1.  Normative References

   [I-D.ietf-netconf-keystore]
              Watsen, K., "YANG Data Model for a "Keystore" Mechanism",
              draft-ietf-netconf-keystore-04 (work in progress), October
              2017.

   [I-D.ietf-netconf-tls-client-server]
              Watsen, K. and G. Wu, "YANG Groupings for TLS Clients and
              TLS Servers", draft-ietf-netconf-tls-client-server-05
              (work in progress), October 2017.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424,
              DOI 10.17487/RFC5424, March 2009.

   [RFC5425]  Miao, F., Ed., Ma, Y., Ed., and J. Salowey, Ed.,
              "Transport Layer Security (TLS) Transport Mapping for
              Syslog", RFC 5425, DOI 10.17487/RFC5425, March 2009.

   [RFC5426]  Okmianski, A., "Transmission of Syslog Messages over UDP",
              RFC 5426, DOI 10.17487/RFC5426, March 2009.

   [RFC5848]  Kelsey, J., Callas, J., and A.
              Clemm, "Signed Syslog Messages", RFC 5848,
              DOI 10.17487/RFC5848, May 2010.

   [RFC7223]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 7223, DOI 10.17487/RFC7223, May 2014.

   [RFC7895]  Bierman, A., Bjorklund, M., and K. Watsen, "YANG Module
              Library", RFC 7895, DOI 10.17487/RFC7895, June 2016.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [Std-1003.1-2008]
              The Open Group, "Chapter 9: Regular Expressions", The
              Open Group Base Specifications Issue 6, IEEE Std
              1003.1-2008, 2016 Edition, September 2016.

9.2.  Informative References

   [I-D.ietf-netmod-revised-datastores]
              Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore
              Architecture", draft-ietf-netmod-revised-datastores-10
              (work in progress), January 2018.

   [I-D.ietf-netmod-yang-tree-diagrams]
              Bjorklund, M. and L. Berger, "YANG Tree Diagrams",
              draft-ietf-netmod-yang-tree-diagrams-05 (work in
              progress), January 2018.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

Appendix A.  Implementor Guidelines

A.1.
Extending Facilities

   Many vendors extend the list of facilities available for logging in
   their implementation.  Additional facilities may not interoperate
   with the syslog protocol as defined in [RFC5424]; such facilities
   therefore apply only to local syslog-like logging functionality.

   The following is an example that shows how additional facilities
   could be added to the list of available facilities (in this example
   two facilities are added):

   module example-vendor-syslog-types {
     namespace "http://example.com/ns/vendor-syslog-types";
     prefix vendor-syslogtypes;

     import ietf-syslog {
       prefix syslogtypes;
     }

     organization "Example, Inc.";
     contact
       "Example, Inc.
        Customer Service

        E-mail: syslog-yang@example.com";

     description
       "This module contains a collection of vendor-specific YANG type
        definitions for SYSLOG.";

     revision 2017-08-11 {
       description
         "Version 1.0";
       reference
         "Vendor SYSLOG Types: SYSLOG YANG Model";
     }

     identity vendor_specific_type_1 {
       base syslogtypes:syslog-facility;
       description
         "Adding vendor specific type 1 to syslog-facility";
     }

     identity vendor_specific_type_2 {
       base syslogtypes:syslog-facility;
       description
         "Adding vendor specific type 2 to syslog-facility";
     }
   }

Authors' Addresses

   Clyde Wildes (editor)
   Cisco Systems Inc.
   170 West Tasman Drive
   San Jose, CA 95134
   US

   Phone: +1 408 527-2672
   EMail: cwildes@cisco.com


   Kiran Koushik (editor)
   Verizon Wireless
   500 W Dove Rd.
   Southlake, TX 76092
   US

   Phone: +1 512 650-0210
   EMail: kirankoushik.agraharasreenivasa@verizonwireless.com