NETMOD WG                                                  J. Clarke, Ed.
Internet-Draft                                                      Cisco
Intended status: Standards Track                     M. Jethanandani, Ed.
Expires: 7 October 2022                                    Kloud Services
                                                           C. Wildes, Ed.
                                                       Cisco Systems Inc.
                                                          K. Koushik, Ed.
                                                         Verizon Wireless
                                                             5 April 2022


               A YANG Data Model for Syslog Configuration
                    draft-ietf-netmod-syslog-model-27

Abstract

   This document defines a YANG data model for the configuration of a
   syslog process.  It is intended that this model be used by vendors
   who implement syslog in their systems.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 7 October 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  Terminology
   3.  NMDA Compliance
   4.  Editorial Note (To be removed by RFC Editor)
   5.  Design of the Syslog Model
     5.1.  Syslog Module
   6.  Syslog YANG Module
     6.1.  The ietf-syslog Module
   7.  Usage Examples
     7.1.  Syslog Configuration for Severity Critical
     7.2.  Remote Syslog Configuration
   8.  Acknowledgements
   9.  IANA Considerations
     9.1.  The IETF XML Registry
     9.2.  The YANG Module Names Registry
   10. Security Considerations
   11. References
     11.1.  Normative References
     11.2.  Informative References
   Appendix A.  Implementer Guidelines
     A.1.  Extending Facilities
     A.2.  Syslog Terminal Output
     A.3.  Syslog File Naming Convention
   Authors' Addresses

1.  Introduction

   This document defines a YANG [RFC7950] configuration data model that
   may be used to configure the syslog feature running on a system.
   YANG models can be used with network management protocols such as
   NETCONF [RFC6241] to install, manipulate, and delete the
   configuration of network devices.
   The data model makes use of the YANG "feature" construct, which
   allows implementations to support only those syslog features that
   lie within their capabilities.

   This module can be used to configure the syslog application
   conceptual layers as implemented on the target system.

   Essentially, a syslog process receives messages (from the kernel,
   processes, applications, or other syslog processes) and processes
   them.  The processing may involve logging to a local file, and/or
   displaying on a console, and/or relaying to syslog processes on
   other machines.  The processing is determined by the "facility" that
   originated the message and the "severity" assigned to the message by
   the facility.

   The syslog protocol definitions used in this document are those of
   [RFC5424].

   The YANG model in this document conforms to the Network Management
   Datastore Architecture defined in [RFC8342].

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Terminology

   The term "originator" is defined in [RFC5424]: an "originator"
   generates syslog content to be carried in a message.

   The term "relay" is defined in [RFC5424]: a "relay" forwards
   messages, accepting messages from originators or other relays and
   sending them to collectors or other relays.

   The term "collector" is defined in [RFC5424]: a "collector" gathers
   syslog content for further analysis.

   The term "action" refers to the processing that takes place for each
   syslog message received.

3.  NMDA Compliance

   The YANG model in this document conforms to the Network Management
   Datastore Architecture defined in [RFC8342].

4.  Editorial Note (To be removed by RFC Editor)

   This document contains many placeholder values that need to be
   replaced with finalized values at the time of publication.  This note
   summarizes all of the substitutions that are needed.  No other RFC
   Editor instructions are specified elsewhere in this document.

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   *  I-D.ietf-netconf-crypto-types --> the assigned RFC value for
      draft-ietf-netconf-crypto-types

   *  I-D.ietf-netconf-tls-client-server --> the assigned RFC value for
      draft-ietf-netconf-tls-client-server

   *  zzzz --> the assigned RFC value for this draft

5.  Design of the Syslog Model

   The syslog model was designed by comparing the syslog features
   implemented by various vendors in their different implementations.

   This document addresses the common leafs between implementations and
   creates a common model, which can be augmented with proprietary
   features, if necessary.  This model is designed to be very simple for
   maximum flexibility.

   Some optional features are defined in this document to specify
   functionality that is present in specific vendor configurations.

   Syslog consists of originators and collectors.  The following diagram
   shows syslog messages flowing from originators to collectors, where
   filtering can take place.
                              Originators
    +-------------+ +-------------+ +-------------+ +-------------+
    |   Various   | |     OS      | |             | |   Remote    |
    | Components  | |   Kernel    | |  Line Cards | |   Servers   |
    +-------------+ +-------------+ +-------------+ +-------------+

    +-------------+ +-------------+ +-------------+ +-------------+
    |    SNMP     | |  Interface  | |   Standby   | |   Syslog    |
    |   Events    | |   Events    | |  Supervisor | |   Itself    |
    +-------------+ +-------------+ +-------------+ +-------------+
           |                                               |
           +-----------------------------------------------+
                                   |
                                   |
                                   |
                                   |
                     +-------------+--------------+
                     |             |              |
                     v             v              v
                              Collectors
              +----------+  +----------+  +----------------+
              |          |  |   Log    |  |Remote Relay(s)/|
              | Console  |  |  File(s) |  |Collector(s)    |
              +----------+  +----------+  +----------------+

                     Figure 1.  Syslog Processing Flow

   Collectors are configured using the leaves in the syslog model
   "actions" container, which correspond to each message collector:

      console

      log file(s)

      remote relay(s)/collector(s)

   Within each action, a selector is used to filter syslog messages.  A
   selector consists of a list of one or more filters specified by
   facility-severity pairs, and, if supported via the select-match
   feature, an optional regular expression pattern match that is
   performed on the [RFC5424] field.

   A syslog message is processed if:

      There is an element of facility-list (F, S) where
        the message facility matches F
        and the message severity matches S
      and/or the message text matches the regex pattern (if it
        is present)

   The facility is one of a specific syslog-facility, or all facilities.

   The severity is one of type syslog-severity, all severities, or none.
   None is a special case that can be used to disable a filter.  When
   filtering severity, the default comparison is that messages of the
   specified severity and higher are selected to be logged.
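   The selector rules above, worked through as an added Python example
   (this is not code from the draft or from any implementation of it).
   It encodes the RFC 5424 numeric severities so that "equals-or-higher"
   correctly means a numerically lower-or-equal value, and it also
   covers the advanced-compare "equals"/"block" variants and the
   pattern-match leaf described later in this section.  The class and
   function names (FacilityFilter, Selector, Message, selected) are the
   example's own; Python's re module stands in for the POSIX 1003.2
   regular expressions the model names.  Two points the text leaves
   open are handled as labelled assumptions: a matching "block" entry
   overrides any matching "log" entry, and when both a facility-list and
   a pattern-match are configured a message must satisfy both.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 5424 severity values: a LOWER number is a HIGHER severity, so
# "equals-or-higher" selects numerically equal-or-lower values.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


@dataclass
class FacilityFilter:
    """One facility-list entry [facility severity] plus its
    advanced-compare leaves (names are this example's own)."""
    facility: str                       # a facility name or "all"
    severity: str                       # a severity name, "all", or "none"
    compare: str = "equals-or-higher"   # advanced-compare/compare default
    action: str = "log"                 # advanced-compare/action default


@dataclass
class Selector:
    facility_list: List[FacilityFilter]
    pattern_match: Optional[str] = None  # Python re stands in for POSIX regex


@dataclass
class Message:
    facility: str
    severity: str
    text: str


def entry_matches(entry: FacilityFilter, msg: Message) -> bool:
    """True when the entry's facility and severity comparison both hold."""
    if entry.facility not in ("all", msg.facility):
        return False
    if entry.severity == "none":        # 'none' disables the entry
        return False
    if entry.severity == "all":
        return True
    want, have = SEVERITY[entry.severity], SEVERITY[msg.severity]
    if entry.compare == "equals":
        return have == want
    return have <= want                 # equals-or-higher: at least as severe


def selected(sel: Selector, msg: Message) -> bool:
    """Decide whether the action processes the message.

    Assumptions of this example (the draft text leaves them open): a
    'block' entry whose comparison holds overrides any 'log' entry, and
    when both facility-list and pattern-match are configured the
    message must satisfy both."""
    hits = [e for e in sel.facility_list if entry_matches(e, msg)]
    if any(e.action == "block" for e in hits):
        return False
    if sel.facility_list and not any(e.action == "log" for e in hits):
        return False
    if sel.pattern_match is not None and not re.search(sel.pattern_match, msg.text):
        return False
    return True


# Constructed sample messages, not taken from the draft.
SAMPLES = [
    Message("kern", "error", "nvme0: I/O timeout"),
    Message("user", "info", "session opened for user alice"),
    Message("auth", "notice", "password check failed for root"),
    Message("auth", "debug", "pam_unix: check failed, retrying"),
    Message("kern", "debug", "softirq stats"),
]


def run_all() -> dict:
    """Evaluate four selectors over SAMPLES; returns name -> list of bools."""
    console = Selector([FacilityFilter("all", "warning")])
    auth_and_kern = Selector([FacilityFilter("auth", "all"),
                              FacilityFilter("kern", "all"),
                              FacilityFilter("kern", "debug", "equals", "block")])
    failures = Selector([FacilityFilter("all", "info")], pattern_match=r"\bfailed\b")
    disabled = Selector([FacilityFilter("all", "none")])
    return {name: [selected(s, m) for m in SAMPLES]
            for name, s in (("console", console), ("auth_and_kern", auth_and_kern),
                            ("failures", failures), ("disabled", disabled))}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:14s} {result}")
```

   The "auth_and_kern" selector shows why a "block" entry is useful: it
   keeps every kernel message except debug-level ones, which a single
   equals-or-higher entry cannot express.  The "disabled" selector
   demonstrates the "none" severity turning a filter off entirely.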
   This is shown in the model as "default equals-or-higher".  This
   behavior can be altered if the select-adv-compare feature is enabled
   to specify a compare operation and an action.  Compare operations
   are: "equals" to select messages with this single severity, or
   "equals-or-higher" to select messages of the specified severity and
   higher.  Actions are used to log the message or block the message
   from being logged.

   Many vendors extend the list of facilities available for logging in
   their implementation.  An example is included in Extending Facilities
   (Appendix A.1).

5.1.  Syslog Module

   A simplified graphical representation of the data model is used in
   this document.  Please see [RFC8340] for tree diagram notation.

   module: ietf-syslog
     +--rw syslog!
        +--rw actions
           +--rw console! {console-action}?
           |  +--rw facility-filter
           |  |  +--rw facility-list* [facility severity]
           |  |     +--rw facility    union
           |  |     +--rw severity    union
           |  |     +--rw advanced-compare {select-adv-compare}?
           |  |        +--rw compare?   enumeration
           |  |        +--rw action?    enumeration
           |  +--rw pattern-match?   string {select-match}?
           +--rw file {file-action}?
           |  +--rw log-file* [name]
           |     +--rw name               inet:uri
           |     +--rw facility-filter
           |     |  +--rw facility-list* [facility severity]
           |     |     +--rw facility    union
           |     |     +--rw severity    union
           |     |     +--rw advanced-compare {select-adv-compare}?
           |     |        +--rw compare?   enumeration
           |     |        +--rw action?    enumeration
           |     +--rw pattern-match?     string {select-match}?
           |     +--rw structured-data?   boolean {structured-data}?
           |     +--rw file-rotation
           |        +--rw number-of-files?   uint32 {file-limit-size}?
           |        +--rw max-file-size?     uint32 {file-limit-size}?
           |        +--rw rollover?          uint32 {file-limit-duration}?
           |        +--rw retention?         uint32 {file-limit-duration}?
           +--rw remote {remote-action}?
              +--rw destination* [name]
                 +--rw name                 string
                 +--rw (transport)
                 |  +--:(udp)
                 |  |  +--rw udp
                 |  |     +--rw address?   inet:host
                 |  |     +--rw port?      inet:port-number
                 |  +--:(tls)
                 |     +--rw tls
                 |        +--rw address?   inet:host
                 |        +--rw port?      inet:port-number
                 |        +--rw client-identity!
                 |        |  +--rw (auth-type)
                 |        |     +--:(certificate) {client-ident-x509-cert}?
                 |        |     |  +--rw certificate
                 |        |     |     +--rw (local-or-keystore)
                 |        |     |        +--:(local) {local-definitions-supported,asymmetric-keys}?
                 |        |     |        |  +--rw local-definition
                 |        |     |        |     +--rw public-key-format     identityref
                 |        |     |        |     +--rw public-key            binary
                 |        |     |        |     +--rw private-key-format?   identityref
                 |        |     |        |     +--rw (private-key-type)
                 |        |     |        |     |  +--:(cleartext-private-key)
                 |        |     |        |     |  |  +--rw cleartext-private-key?   binary
                 |        |     |        |     |  +--:(hidden-private-key) {hidden-keys}?
                 |        |     |        |     |  |  +--rw hidden-private-key?   empty
                 |        |     |        |     |  +--:(encrypted-private-key) {private-key-encryption}?
                 |        |     |        |     |     +--rw encrypted-private-key
                 |        |     |        |     |        +--rw encrypted-by
                 |        |     |        |     |        +--rw encrypted-value-format   identityref
                 |        |     |        |     |        +--rw encrypted-value          binary
                 |        |     |        |     +--rw cert-data?   end-entity-cert-cms
                 |        |     |        |     +---n certificate-expiration {certificate-expiration-notification}?
                 |        |     |        |     |  +-- expiration-date   yang:date-and-time
                 |        |     |        |     +---x generate-certificate-signing-request {certificate-signing-request-generation}?
                 |        |     |        |        +---w input
                 |        |     |        |        |  +---w csr-info   ct:csr-info
                 |        |     |        |        +--ro output
                 |        |     |        |           +--ro certificate-signing-request   ct:csr
                 |        |     |        +--:(keystore) {central-keystore-supported,asymmetric-keys}?
                 |        |     |           +--rw keystore-reference
                 |        |     |              +--rw asymmetric-key?   ks:asymmetric-key-ref {central-keystore-supported,asymmetric-keys}?
                 |        |     |              +--rw certificate?      leafref
                 |        |     +--:(raw-public-key) {client-ident-raw-public-key}?
                 |        |     |  +--rw raw-private-key
                 |        |     |     +--rw (local-or-keystore)
                 |        |     |        +--:(local) {local-definitions-supported,asymmetric-keys}?
                 |        |     |        |  +--rw local-definition
                 |        |     |        |     +--rw public-key-format     identityref
                 |        |     |        |     +--rw public-key            binary
                 |        |     |        |     +--rw private-key-format?   identityref
                 |        |     |        |     +--rw (private-key-type)
                 |        |     |        |        +--:(cleartext-private-key)
                 |        |     |        |        |  +--rw cleartext-private-key?   binary
                 |        |     |        |        +--:(hidden-private-key) {hidden-keys}?
                 |        |     |        |        |  +--rw hidden-private-key?   empty
                 |        |     |        |        +--:(encrypted-private-key) {private-key-encryption}?
                 |        |     |        |           +--rw encrypted-private-key
                 |        |     |        |              +--rw encrypted-by
                 |        |     |        |              +--rw encrypted-value-format   identityref
                 |        |     |        |              +--rw encrypted-value          binary
                 |        |     |        +--:(keystore) {central-keystore-supported,asymmetric-keys}?
                 |        |     |           +--rw keystore-reference?   ks:asymmetric-key-ref
                 |        |     +--:(tls12-psk) {client-ident-tls12-psk}?
                 |        |     |  +--rw tls12-psk
                 |        |     |     +--rw (local-or-keystore)
                 |        |     |     |  +--:(local) {local-definitions-supported,symmetric-keys}?
                 |        |     |     |  |  +--rw local-definition
                 |        |     |     |  |     +--rw key-format?   identityref
                 |        |     |     |  |     +--rw (key-type)
                 |        |     |     |  |        +--:(cleartext-key)
                 |        |     |     |  |        |  +--rw cleartext-key?   binary
                 |        |     |     |  |        +--:(hidden-key) {hidden-keys}?
                 |        |     |     |  |        |  +--rw hidden-key?   empty
                 |        |     |     |  |        +--:(encrypted-key) {symmetric-key-encryption}?
                 |        |     |     |  |           +--rw encrypted-key
                 |        |     |     |  |              +--rw encrypted-by
                 |        |     |     |  |              +--rw encrypted-value-format   identityref
                 |        |     |     |  |              +--rw encrypted-value          binary
                 |        |     |     |  +--:(keystore) {central-keystore-supported,symmetric-keys}?
                 |        |     |     |     +--rw keystore-reference?   ks:symmetric-key-ref
                 |        |     |     +--rw id?   string
                 |        |     +--:(tls13-epsk) {client-ident-tls13-epsk}?
                 |        |        +--rw tls13-epsk
                 |        |           +--rw (local-or-keystore)
                 |        |           |  +--:(local) {local-definitions-supported,symmetric-keys}?
                 |        |           |  |  +--rw local-definition
                 |        |           |  |     +--rw key-format?   identityref
                 |        |           |  |     +--rw (key-type)
                 |        |           |  |        +--:(cleartext-key)
                 |        |           |  |        |  +--rw cleartext-key?   binary
                 |        |           |  |        +--:(hidden-key) {hidden-keys}?
                 |        |           |  |        |  +--rw hidden-key?   empty
                 |        |           |  |        +--:(encrypted-key) {symmetric-key-encryption}?
                 |        |           |  |           +--rw encrypted-key
                 |        |           |  |              +--rw encrypted-by
                 |        |           |  |              +--rw encrypted-value-format   identityref
                 |        |           |  |              +--rw encrypted-value          binary
                 |        |           |  +--:(keystore) {central-keystore-supported,symmetric-keys}?
                 |        |           |     +--rw keystore-reference?   ks:symmetric-key-ref
                 |        |           +--rw external-identity   string
                 |        |           +--rw hash                tlscmn:epsk-supported-hash
                 |        |           +--rw context?            string
                 |        |           +--rw target-protocol?    uint16
                 |        |           +--rw target-kdf?         uint16
                 |        +--rw server-authentication
                 |        |  +--rw ca-certs! {server-auth-x509-cert}?
                 |        |  |  +--rw (local-or-truststore)
                 |        |  |     +--:(local) {local-definitions-supported}?
                 |        |  |     |  +--rw local-definition
                 |        |  |     |     +--rw certificate* [name]
                 |        |  |     |        +--rw name         string
                 |        |  |     |        +--rw cert-data    trust-anchor-cert-cms
                 |        |  |     |        +---n certificate-expiration {certificate-expiration-notification}?
                 |        |  |     |           +-- expiration-date   yang:date-and-time
                 |        |  |     +--:(truststore) {central-truststore-supported,certificates}?
                 |        |  |        +--rw truststore-reference?   ts:certificate-bag-ref
                 |        |  +--rw ee-certs! {server-auth-x509-cert}?
                 |        |  |  +--rw (local-or-truststore)
                 |        |  |     +--:(local) {local-definitions-supported}?
                 |        |  |     |  +--rw local-definition
                 |        |  |     |     +--rw certificate* [name]
                 |        |  |     |        +--rw name         string
                 |        |  |     |        +--rw cert-data    trust-anchor-cert-cms
                 |        |  |     |        +---n certificate-expiration {certificate-expiration-notification}?
                 |        |  |     |           +-- expiration-date   yang:date-and-time
                 |        |  |     +--:(truststore) {central-truststore-supported,certificates}?
                 |        |  |        +--rw truststore-reference?   ts:certificate-bag-ref
                 |        |  +--rw raw-public-keys! {server-auth-raw-public-key}?
                 |        |  |  +--rw (local-or-truststore)
                 |        |  |     +--:(local) {local-definitions-supported}?
                 |        |  |     |  +--rw local-definition
                 |        |  |     |     +--rw public-key* [name]
                 |        |  |     |        +--rw name                string
                 |        |  |     |        +--rw public-key-format   identityref
                 |        |  |     |        +--rw public-key          binary
                 |        |  |     +--:(truststore) {central-truststore-supported,public-keys}?
                 |        |  |        +--rw truststore-reference?   ts:public-key-bag-ref
                 |        |  +--rw tls12-psks?    empty {server-auth-tls12-psk}?
                 |        |  +--rw tls13-epsks?   empty {server-auth-tls13-epsk}?
                 |        +--rw hello-params {tlscmn:hello-params}?
                 |        |  +--rw tls-versions
                 |        |  |  +--rw tls-version*    identityref
                 |        |  +--rw cipher-suites
                 |        |     +--rw cipher-suite*   identityref
                 |        +--rw keepalives {tls-client-keepalives}?
                 |           +--rw peer-allowed-to-send?   empty
                 |           +--rw test-peer-aliveness!
                 |              +--rw max-wait?       uint16
                 |              +--rw max-attempts?   uint8
                 +--rw facility-filter
                 |  +--rw facility-list* [facility severity]
                 |     +--rw facility    union
                 |     +--rw severity    union
                 |     +--rw advanced-compare {select-adv-compare}?
                 |        +--rw compare?   enumeration
                 |        +--rw action?    enumeration
                 +--rw pattern-match?       string {select-match}?
                 +--rw structured-data?     boolean {structured-data}?
                 +--rw facility-override?   identityref
                 +--rw source-interface?    if:interface-ref {remote-source-interface}?
                 +--rw signing! {signed-messages}?
                    +--rw cert-signers
                       +--rw cert-signer* [name]
                       |  +--rw name   string
                       |  +--rw cert
                       |  |  +--rw public-key-format     identityref
                       |  |  +--rw public-key            binary
                       |  |  +--rw private-key-format?   identityref
                       |  |  +--rw (private-key-type)
                       |  |  |  +--:(cleartext-private-key)
                       |  |  |  |  +--rw cleartext-private-key?   binary
                       |  |  |  +--:(hidden-private-key) {hidden-keys}?
                       |  |  |  |  +--rw hidden-private-key?   empty
                       |  |  |  +--:(encrypted-private-key) {private-key-encryption}?
                       |  |  |     +--rw encrypted-private-key
                       |  |  |        +--rw encrypted-by
                       |  |  |        +--rw encrypted-value-format   identityref
                       |  |  |        +--rw encrypted-value          binary
                       |  |  +--rw certificates
                       |  |  |  +--rw certificate* [name]
                       |  |  |     +--rw name        string
                       |  |  |     +--rw cert-data   end-entity-cert-cms
                       |  |  |     +---n certificate-expiration {certificate-expiration-notification}?
                       |  |  |        +-- expiration-date   yang:date-and-time
                       |  |  +---x generate-certificate-signing-request {certificate-signing-request-generation}?
                       |  |     +---w input
                       |  |     |  +---w csr-info   ct:csr-info
                       |  |     +--ro output
                       |  |        +--ro certificate-signing-request   ct:csr
                       |  +--rw hash-algorithm?   enumeration
                       +--rw cert-initial-repeat?   uint32
                       +--rw cert-resend-delay?     uint32
                       +--rw cert-resend-count?     uint32
                       +--rw sig-max-delay?         uint32
                       +--rw sig-number-resends?    uint32
                       +--rw sig-resend-delay?      uint32
                       +--rw sig-resend-count?      uint32

                  Figure 1: Tree Diagram for Syslog Model

6.  Syslog YANG Module

6.1.  The ietf-syslog Module

   This module imports typedefs from [RFC6991] and [RFC8343], groupings
   from [I-D.ietf-netconf-crypto-types] and
   [I-D.ietf-netconf-tls-client-server], and it references [RFC5424],
   [RFC5425], [RFC5426], [RFC5848], [RFC8089], [RFC8174], and
   [Std-1003.1-2008].

   file "ietf-syslog@2022-04-05.yang"
   module ietf-syslog {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-syslog";
     prefix syslog;

     import ietf-inet-types {
       prefix inet;
       reference
         "RFC 6991: Common YANG Data Types";
     }
     import ietf-interfaces {
       prefix if;
       reference
         "RFC 8343: A YANG Data Model for Interface Management";
     }
     import ietf-tls-client {
       prefix tlsc;
       reference
         "I-D.ietf-netconf-tls-client-server:
          YANG Groupings for TLS Clients and TLS Servers";
     }
     import ietf-crypto-types {
       prefix ct;
       reference
         "I-D.ietf-netconf-crypto-types: YANG Data Types for
          Cryptography";
     }

     organization
       "IETF NETMOD (Network Modeling) Working Group";
     contact
       "WG Web:
        WG List:

        Editor:   Mahesh Jethanandani

        Editor:   Joe Clarke

        Editor:   Kiran Agrahara Sreenivasa

        Editor:   Clyde Wildes
        ";
     description
       "This module contains a collection of YANG definitions
        for syslog configuration.

        Copyright (c) 2022 IETF Trust and the persons identified as
        authors of the code.  All rights reserved.
        Redistribution and use in source and binary forms, with or
        without modification, is permitted pursuant to, and subject to
        the license terms contained in, the Revised BSD License set
        forth in Section 4.c of the IETF Trust's Legal Provisions
        Relating to IETF Documents
        (https://trustee.ietf.org/license-info).

        This version of this YANG module is part of RFC zzzz
        (https://www.rfc-editor.org/info/rfczzzz); see the RFC itself
        for full legal notices.

        The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL
        NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED',
        'MAY', and 'OPTIONAL' in this document are to be interpreted as
        described in BCP 14 (RFC 2119) (RFC 8174) when, and only when,
        they appear in all capitals, as shown here.";

     revision 2022-04-05 {
       description
         "Initial Revision";
       reference
         "RFC zzzz: Syslog YANG Model";
     }

     feature console-action {
       description
         "This feature indicates that the local console action is
          supported.";
     }

     feature file-action {
       description
         "This feature indicates that the local file action is
          supported.";
     }

     feature file-limit-size {
       description
         "This feature indicates that file logging resources
          are managed using size and number limits.";
     }

     feature file-limit-duration {
       description
         "This feature indicates that file logging resources
          are managed using time based limits.";
     }

     feature remote-action {
       description
         "This feature indicates that the remote server action is
          supported.";
     }

     feature remote-source-interface {
       description
         "This feature indicates that source-interface is
          supported for the remote-action.";
     }

     feature select-adv-compare {
       description
         "This feature represents the ability to select messages
          using the additional comparison operators when comparing
          the syslog message severity.";
     }

     feature select-match {
       description
         "This feature represents the ability to select messages
          based on a Posix 1003.2 regular expression pattern match.";
     }

     feature structured-data {
       description
         "This feature represents the ability to log messages
          in structured-data format.";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     feature signed-messages {
       description
         "This feature represents the ability to configure signed
          syslog messages.";
       reference
         "RFC 5848: Signed Syslog Messages";
     }

     typedef syslog-severity {
       type enumeration {
         enum emergency {
           value 0;
           description
             "The severity level 'Emergency' indicating that the
              system is unusable.";
         }
         enum alert {
           value 1;
           description
             "The severity level 'Alert' indicating that an action
              must be taken immediately.";
         }
         enum critical {
           value 2;
           description
             "The severity level 'Critical' indicating a critical
              condition.";
         }
         enum error {
           value 3;
           description
             "The severity level 'Error' indicating an error
              condition.";
         }
         enum warning {
           value 4;
           description
             "The severity level 'Warning' indicating a warning
              condition.";
         }
         enum notice {
           value 5;
           description
             "The severity level 'Notice' indicating a normal but
              significant condition.";
         }
         enum info {
           value 6;
           description
             "The severity level 'Info' indicating an informational
              message.";
         }
         enum debug {
           value 7;
           description
             "The severity level 'Debug' indicating a debug-level
              message.";
         }
       }
       description
         "The definitions for Syslog message severity.
          Note that a lower value is a higher severity.
          Comparisons of equal-or-higher severity mean equal or lower
          numeric value.";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity syslog-facility {
       description
         "This identity is used as a base for all syslog facilities.";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity kern {
       base syslog-facility;
       description
         "The facility for kernel messages (0).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity user {
       base syslog-facility;
       description
         "The facility for user-level messages (1).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity mail {
       base syslog-facility;
       description
         "The facility for the mail system (2).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity daemon {
       base syslog-facility;
       description
         "The facility for the system daemons (3).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity auth {
       base syslog-facility;
       description
         "The facility for security/authorization messages (4).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity syslog {
       base syslog-facility;
       description
         "The facility for messages generated internally by syslogd
          facility (5).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity lpr {
       base syslog-facility;
       description
         "The facility for the line printer subsystem (6).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity news {
       base syslog-facility;
       description
         "The facility for the network news subsystem (7).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity uucp {
       base syslog-facility;
       description
         "The facility for the UUCP subsystem (8).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity cron {
       base syslog-facility;
       description
         "The facility for the clock daemon (9).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity authpriv {
       base syslog-facility;
       description
         "The facility for privileged security/authorization messages
          (10).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity ftp {
       base syslog-facility;
       description
         "The facility for the FTP daemon (11).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity ntp {
       base syslog-facility;
       description
         "The facility for the NTP subsystem (12).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity audit {
       base syslog-facility;
       description
         "The facility for log audit messages (13).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity console {
       base syslog-facility;
       description
         "The facility for log alert messages (14).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity cron2 {
       base syslog-facility;
       description
         "The facility for the second clock daemon (15).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local0 {
       base syslog-facility;
       description
         "The facility for local use 0 messages (16).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local1 {
       base syslog-facility;
       description
         "The facility for local use 1 messages (17).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local2 {
       base syslog-facility;
       description
         "The facility for local use 2 messages (18).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local3 {
       base syslog-facility;
       description
         "The facility for local use 3 messages (19).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local4 {
       base syslog-facility;
       description
         "The facility for local use 4 messages (20).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local5 {
       base syslog-facility;
       description
         "The facility for local use 5 messages (21).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local6 {
       base syslog-facility;
       description
         "The facility for local use 6 messages (22).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     identity local7 {
       base syslog-facility;
       description
         "The facility for local use 7 messages (23).";
       reference
         "RFC 5424: The Syslog Protocol";
     }

     grouping severity-filter {
       description
         "This grouping defines the processing used to select
          log messages by comparing syslog message severity using
          the following processing rules:
          - if 'none', do not match.
          - if 'all', match.
          - else compare message severity with the specified severity
            according to the default compare rule (all messages of the
            specified severity and greater match) or, if the
            select-adv-compare feature is present, use the
            advanced-compare rule.";
       leaf severity {
         type union {
           type syslog-severity;
           type enumeration {
             enum none {
               value 2147483647;
               description
                 "This enum describes the case where no severities
                  are selected.";
             }
             enum all {
               value -2147483648;
               description
                 "This enum describes the case where all severities
                  are selected.";
             }
           }
         }
         mandatory true;
         description
           "This leaf specifies the syslog message severity.";
       }
       container advanced-compare {
         when "../severity != \"all\" and
               ../severity != \"none\"" {
           description
             "The advanced compare container is not applicable for
              severity 'all' or severity 'none'";
         }
         if-feature "select-adv-compare";
         leaf compare {
           type enumeration {
             enum equals {
               description
                 "This enum specifies that the severity comparison
                  operation will be equals.";
             }
             enum equals-or-higher {
               description
                 "This enum specifies that the severity comparison
                  operation will be equals or higher.";
             }
           }
           default "equals-or-higher";
           description
             "The compare can be used to specify the comparison
              operator that should be used to compare the syslog message
              severity with the specified severity.";
         }
         leaf action {
           type enumeration {
             enum log {
               description
                 "This enum specifies that if the compare operation is
                  true the message will be logged.";
             }
             enum block {
               description
                 "This enum specifies that if the compare operation is
                  true the message will not be logged.";
             }
           }
           default "log";
           description
             "The action can be used to specify if the message should
              be logged or blocked based on the outcome of the compare
              operation.";
         }
         description
           "This container describes additional severity compare
            operations that can be used in place of the default
            severity comparison.  The compare leaf specifies the type of
            the compare that is done and the action leaf specifies the
            intended result.
            Example: compare->equals and action->block means
            messages that have a severity that are equal to the
            specified severity will not be logged.";
       }
     }

     grouping selector {
       description
         "This grouping defines a syslog selector which is used to
          select log messages for the log-actions (console, file,
          remote, etc.).  Choose one or both of the following:
            facility [ ...]
1141 pattern-match regular-expression-match-string 1142 If both facility and pattern-match are specified, both must 1143 match in order for a log message to be selected."; 1144 container facility-filter { 1145 description 1146 "This container describes the syslog filter parameters."; 1147 list facility-list { 1148 key "facility severity"; 1149 ordered-by user; 1150 description 1151 "This list describes a collection of syslog 1152 facilities and severities."; 1153 leaf facility { 1154 type union { 1155 type identityref { 1156 base syslog-facility; 1157 } 1158 type enumeration { 1159 enum all { 1160 description 1161 "This enum describes the case where all 1162 facilities are requested."; 1163 } 1164 } 1165 } 1166 description 1167 "The leaf uniquely identifies a syslog facility."; 1168 } 1169 uses severity-filter; 1170 } 1171 } 1172 leaf pattern-match { 1173 if-feature "select-match"; 1174 type string; 1175 description 1176 "This leaf describes a Posix 1003.2 regular expression 1177 string that can be used to select a syslog message for 1178 logging. The match is performed on the SYSLOG-MSG field."; 1179 reference 1180 "RFC 5424: The Syslog Protocol 1181 Std-1003.1-2008 Regular Expressions"; 1182 } 1183 } 1185 grouping structured-data { 1186 description 1187 "This grouping defines the syslog structured data option 1188 which is used to select the format used to write log 1189 messages."; 1190 leaf structured-data { 1191 if-feature "structured-data"; 1192 type boolean; 1193 default "false"; 1194 description 1195 "This leaf describes how log messages are written. 
1196 If true, messages will be written with one or more 1197 STRUCTURED-DATA elements; if false, messages will be 1198 written with STRUCTURED-DATA = NILVALUE."; 1199 reference 1200 "RFC 5424: The Syslog Protocol"; 1201 } 1202 } 1204 container syslog { 1205 presence "Enables logging."; 1206 description 1207 "This container describes the configuration parameters for 1208 syslog."; 1209 container actions { 1210 description 1211 "This container describes the log-action parameters 1212 for syslog."; 1213 container console { 1214 if-feature "console-action"; 1215 presence "Enables logging to the console"; 1216 description 1217 "This container describes the configuration parameters 1218 for console logging."; 1219 uses selector; 1220 } 1221 container file { 1222 if-feature "file-action"; 1223 description 1224 "This container describes the configuration parameters for 1225 file logging. If file-archive limits are not supplied, it 1226 is assumed that the local implementation defined limits 1227 will be used."; 1229 list log-file { 1230 key "name"; 1231 description 1232 "This list describes a collection of local logging 1233 files."; 1234 leaf name { 1235 type inet:uri { 1236 pattern 'file:.*'; 1237 } 1238 description 1239 "This leaf specifies the name of the log file which 1240 MUST use the uri scheme file:."; 1241 reference 1242 "RFC 8089: The file URI Scheme"; 1243 } 1244 uses selector; 1245 uses structured-data; 1246 container file-rotation { 1247 description 1248 "This container describes the configuration 1249 parameters for log file rotation."; 1250 leaf number-of-files { 1251 if-feature "file-limit-size"; 1252 type uint32; 1253 default "1"; 1254 description 1255 "This leaf specifies the maximum number of log 1256 files retained. 
Specify 1 for implementations 1257 that only support one log file."; 1258 } 1259 leaf max-file-size { 1260 if-feature "file-limit-size"; 1261 type uint32; 1262 units "megabytes"; 1263 description 1264 "This leaf specifies the maximum log file size."; 1265 } 1266 leaf rollover { 1267 if-feature "file-limit-duration"; 1268 type uint32; 1269 units "minutes"; 1270 description 1271 "This leaf specifies the length of time that log 1272 events should be written to a specific log file. 1273 Log events that arrive after the rollover period 1274 cause the current log file to be closed and a new 1275 log file to be opened."; 1276 } 1277 leaf retention { 1278 if-feature "file-limit-duration"; 1279 type uint32; 1280 units "minutes"; 1281 description 1282 "This leaf specifies the length of time that 1283 completed/closed log event files should be stored 1284 in the file system before they are removed."; 1285 } 1286 } 1287 } 1288 } 1289 container remote { 1290 if-feature "remote-action"; 1291 description 1292 "This container describes the configuration parameters 1293 for forwarding syslog messages to remote relays or 1294 collectors."; 1295 list destination { 1296 key "name"; 1297 description 1298 "This list describes a collection of remote logging 1299 destinations."; 1300 leaf name { 1301 type string; 1302 description 1303 "An arbitrary name for the endpoint to connect to."; 1304 } 1305 choice transport { 1306 mandatory true; 1307 description 1308 "This choice describes the transport option."; 1309 case udp { 1310 container udp { 1311 description 1312 "This container describes the UDP transport 1313 options."; 1314 reference 1315 "RFC 5426: Transmission of Syslog Messages over 1316 UDP"; 1317 leaf address { 1318 type inet:host; 1319 description 1320 "The leaf uniquely specifies the address of 1321 the remote host. 
One of the following must be 1322 specified: an ipv4 address, an ipv6 address, 1323 or a host name."; 1324 } 1325 leaf port { 1326 type inet:port-number; 1327 default "514"; 1328 description 1329 "This leaf specifies the port number used to 1330 deliver messages to the remote server."; 1331 } 1332 } 1333 } 1334 case tls { 1335 container tls { 1336 description 1337 "This container describes the TLS transport 1338 options."; 1339 reference 1340 "RFC 5425: Transport Layer Security (TLS) 1341 Transport Mapping for Syslog "; 1342 leaf address { 1343 type inet:host; 1344 description 1345 "The leaf uniquely specifies the address of 1346 the remote host. One of the following must be 1347 specified: an ipv4 address, an ipv6 address, 1348 or a host name."; 1349 } 1350 leaf port { 1351 type inet:port-number; 1352 default "6514"; 1353 description 1354 "TCP port 6514 has been allocated as the default 1355 port for syslog over TLS."; 1356 } 1357 uses tlsc:tls-client-grouping; 1358 } 1359 } 1360 } 1361 uses selector; 1362 uses structured-data; 1363 leaf facility-override { 1364 type identityref { 1365 base syslog-facility; 1366 } 1367 description 1368 "If specified, this leaf specifies the facility used 1369 to override the facility in messages delivered to 1370 the remote server."; 1371 } 1372 leaf source-interface { 1373 if-feature "remote-source-interface"; 1374 type if:interface-ref; 1375 description 1376 "This leaf sets the source interface to be used to 1377 send messages to the remote syslog server. 
If not 1378 set, messages can be sent on any interface."; 1379 } 1380 container signing { 1381 if-feature "signed-messages"; 1382 presence "If present, syslog-signing options is activated."; 1383 description 1384 "This container describes the configuration 1385 parameters for signed syslog messages."; 1386 reference 1387 "RFC 5848: Signed Syslog Messages"; 1388 container cert-signers { 1389 description 1390 "This container describes the signing certificate 1391 configuration for Signature Group 0 which covers 1392 the case for administrators who want all Signature 1393 Blocks to be sent to a single destination."; 1394 list cert-signer { 1395 key "name"; 1396 description 1397 "This list describes a collection of syslog 1398 message signers."; 1399 leaf name { 1400 type string; 1401 description 1402 "This leaf specifies the name of the syslog 1403 message signer."; 1404 } 1405 container cert { 1406 uses ct:asymmetric-key-pair-with-certs-grouping; 1407 description 1408 "This is the certificate that is periodically 1409 sent to the remote receiver. 
The certificate 1410 is inherintly associated with its private 1411 and public keys."; 1412 } 1413 leaf hash-algorithm { 1414 type enumeration { 1415 enum SHA1 { 1416 value 1; 1417 description 1418 "This enum describes the SHA1 algorithm."; 1419 } 1420 enum SHA256 { 1421 value 2; 1422 description 1423 "This enum describes the SHA256 algorithm."; 1424 } 1425 } 1426 description 1427 "This leaf describes the syslog signer hash 1428 algorithm used."; 1429 } 1430 } 1431 leaf cert-initial-repeat { 1432 type uint32; 1433 default "3"; 1434 description 1435 "This leaf specifies the number of times each 1436 Certificate Block should be sent before the first 1437 message is sent."; 1438 } 1439 leaf cert-resend-delay { 1440 type uint32; 1441 units "seconds"; 1442 default "3600"; 1443 description 1444 "This leaf specifies the maximum time delay in 1445 seconds until resending the Certificate Block."; 1446 } 1447 leaf cert-resend-count { 1448 type uint32; 1449 default "0"; 1450 description 1451 "This leaf specifies the maximum number of other 1452 syslog messages to send until resending the 1453 Certificate Block."; 1454 } 1455 leaf sig-max-delay { 1456 type uint32; 1457 units "seconds"; 1458 default "60"; 1459 description 1460 "This leaf specifies when to generate a new 1461 Signature Block. If this many seconds have 1462 elapsed since the message with the first message 1463 number of the Signature Block was sent, a new 1464 Signature Block should be generated."; 1465 } 1466 leaf sig-number-resends { 1467 type uint32; 1468 default "0"; 1469 description 1470 "This leaf specifies the number of times a 1471 Signature Block is resent. (It is recommended to 1472 select a value of greater than 0 in particular 1473 when the UDP transport RFC 5426 is used.)."; 1474 } 1475 leaf sig-resend-delay { 1476 type uint32; 1477 units "seconds"; 1478 default "5"; 1479 description 1480 "This leaf specifies when to send the next 1481 Signature Block transmission based on time. 
If 1482 this many seconds have elapsed since the previous 1483 sending of this Signature Block, resend it."; 1484 } 1485 leaf sig-resend-count { 1486 type uint32; 1487 default "0"; 1488 description 1489 "This leaf specifies when to send the next 1490 Signature Block transmission based on a count. 1491 If this many other syslog messages have been 1492 sent since the previous sending of this 1493 Signature Block, resend it. A value of 0 means 1494 that you don't resend based on the number of 1495 messages."; 1496 } 1497 } 1498 } 1499 } 1500 } 1501 } 1502 } 1503 } 1504 1506 Figure 2: Sylog YANG Model 1508 7. Usage Examples 1510 7.1. Syslog Configuration for Severity Critical 1512 [note: '\' line wrapping for formatting only] 1514 1518 1519 1520 1521 1522 1523 1524 all 1525 critical 1526 1527 1528 1529 1530 1532 Figure 3: Syslog Configuration for Severity Critical 1534 7.2. Remote Syslog Configuration 1536 [note: '\' line wrapping for formatting only] 1538 1542 1543 1544 1545 1546 1547 remote1 1548 1549
foo.example.com
1550
1551 1552 1553 auth 1554 error 1555 1556 1557
1558
1559
1560
                  Figure 4: Remote Syslog Configuration

8.  Acknowledgements

   The authors wish to thank the following who commented on this
   proposal:

   Andy Bierman, Martin Bjorklund, Alex Campbell, Alex Clemm, Francis
   Dupont, Jim Gibson, Jeffrey Haas, Bob Harold, John Heasley, Giles
   Heron, Lisa Huang, Mahesh Jethanandani, Warren Kumari, Jeffrey K
   Lange, Jan Lindblad, Chris Lonvick, Alexey Melnikov, Kathleen
   Moriarty, Tom Petch, Adam Roach, Juergen Schoenwaelder, Phil Shafer,
   Yaron Sheffer, Jason Sterne, Peter Van Horne, Kent Watsen, Bert
   Wijnen, Dale R Worley, and Aleksandr Zhdankin.

9.  IANA Considerations

9.1.  The IETF XML Registry

   This document registers one URI in the IETF XML registry [RFC3688].
   Following the format in [RFC3688], the following registration is
   requested:

   URI: urn:ietf:params:xml:ns:yang:ietf-syslog
   Registrant Contact: The IESG.
   XML: N/A, the requested URI is an XML namespace.

9.2.  The YANG Module Names Registry

   This document registers one YANG module in the YANG Module Names
   registry [RFC7895].  Following the format in [RFC7950], the following
   registration is requested:

   name: ietf-syslog
   namespace: urn:ietf:params:xml:ns:yang:ietf-syslog
   prefix: ietf-syslog
   reference: RFC zzzz

10.  Security Considerations

   The YANG module defined in this document is designed to be accessed
   via YANG based management protocols, such as NETCONF [RFC6241] and
   RESTCONF [RFC8040].  Both of these protocols have mandatory-to-
   implement secure transport layers (e.g., SSH, TLS) with mutual
   authentication.

   The NETCONF access control model (NACM) [RFC6536] provides the means
   to restrict access for particular users to a pre-configured subset of
   all available protocol operations and content.
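   The selection logic that the writable nodes discussed in this
   section control, as an added Python example that is not code from
   the draft: it applies the severity-filter and selector rules of
   Figure 2 to constructed messages and includes a heuristic check for
   the pattern-match regex concern raised below.  The two selectors,
   the sample messages, and the first-match handling of facility-list
   entries are assumptions of this example.

```python
"""Selector evaluation for ietf-syslog configuration data.

Added example, not code from the draft. It applies the processing
rules of the severity-filter and selector groupings of Figure 2 to
constructed messages. Assumption (the draft does not say how several
facility-list entries combine): entries are tried in user order and
the first entry whose facility is the message's facility or 'all'
either selects, drops or passes the message on to the next entry.
"""
import re

# RFC 5424 severities: a lower number is a higher severity, so
# "equals-or-higher" means an equal or lower numeric value.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

SELECT, DROP, NEXT = "select", "drop", "next"


def entry_decision(entry, msg_severity):
    """severity-filter rules for one facility-list entry.

    entry mirrors the YANG leaves: 'severity' is a severity name,
    'all' or 'none'; 'advanced-compare' is an optional dict with
    'compare' and 'action', whose YANG defaults apply when absent.
    """
    sev = entry["severity"]
    if sev == "none":            # "if 'none', do not match": drop
        return DROP
    if sev == "all":             # "if 'all', match"
        return SELECT
    configured, actual = SEVERITY[sev], SEVERITY[msg_severity]
    adv = entry.get("advanced-compare") or {}
    compare = adv.get("compare", "equals-or-higher")
    action = adv.get("action", "log")
    if compare == "equals":
        hit = actual == configured
    else:                        # default rule: this severity and greater
        hit = actual <= configured
    if not hit:
        return NEXT
    # action 'block': a message for which the compare is true is not
    # logged (the draft's compare->equals / action->block example).
    return SELECT if action == "log" else DROP


def facility_filter_selects(facility_list, facility, severity):
    """Walk the ordered facility-list; unmatched messages are not selected."""
    for entry in facility_list:
        if entry["facility"] in (facility, "all"):
            decision = entry_decision(entry, severity)
            if decision != NEXT:
                return decision == SELECT
    return False


def pattern_is_risky(pattern):
    """Heuristic for the regex denial-of-service rule in Section 10:
    flag a quantified group that itself contains a quantifier, the
    shape behind catastrophic backtracking. Not a proof of safety."""
    return re.search(r"\([^()]*[+*][^()]*\)\s*[+*{]", pattern) is not None


def selector_selects(selector, facility, severity, msg):
    """selector grouping: facility-filter and/or pattern-match; when
    both are configured both must match. pattern-match is applied to
    the SYSLOG-MSG field (Python re stands in for POSIX regex)."""
    entries = selector.get("facility-filter", {}).get("facility-list", [])
    pattern = selector.get("pattern-match")
    if not entries and pattern is None:
        return False                       # nothing configured (assumption)
    if pattern is not None and pattern_is_risky(pattern):
        raise ValueError("pattern-match rejected: nested quantifiers")
    fac_ok = facility_filter_selects(entries, facility, severity) if entries else True
    pat_ok = re.search(pattern, msg) is not None if pattern is not None else True
    return fac_ok and pat_ok


# Constructed selector mirroring Figure 4: facility auth, severity error.
REMOTE1 = {"facility-filter": {"facility-list": [
    {"facility": "auth", "severity": "error"}]}}

# Constructed selector: everything at critical and above (as in Figure 3),
# except that error messages from the kern facility are blocked, and
# only messages mentioning storage are wanted.
CONSOLE = {"facility-filter": {"facility-list": [
    {"facility": "kern", "severity": "error",
     "advanced-compare": {"compare": "equals", "action": "block"}},
    {"facility": "all", "severity": "critical"}]},
    "pattern-match": "disk|filesystem"}

if __name__ == "__main__":
    # Constructed messages: (facility, severity, SYSLOG-MSG).
    for fac, sev, text in [("auth", "error", "login failed for alice"),
                           ("kern", "error", "disk error on sda"),
                           ("kern", "critical", "filesystem read-only")]:
        print(fac, sev, selector_selects(REMOTE1, fac, sev, text),
              selector_selects(CONSOLE, fac, sev, text))
```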
   There are a number of data nodes defined in this YANG module that are
   writable/creatable/deletable (i.e., config true, which is the
   default).  These data nodes should be considered sensitive or
   vulnerable in all network environments.  Logging in particular is
   used to assess the state of systems and can be used to indicate a
   network compromise.  If logging were to be disabled through malicious
   means, attacks may not be readily detectable.  Therefore write
   operations (e.g., edit-config) to these data nodes without proper
   protection can have a negative effect on network operations and on
   network security.

   In addition there are data nodes that require careful analysis and
   review.  These are the subtrees and data nodes and their sensitivity/
   vulnerability:

   facility-filter/pattern-match:  When writing this node,
      implementations MUST ensure that the regular expression pattern
      match is not constructed to cause a regular expression denial
      of service attack due to a pattern that causes the regular
      expression implementation to work very slowly (exponentially
      related to input size).

   remote/destination/signing/cert-signer:  When writing this subtree,
      implementations MUST NOT specify a private key that is used for
      any other purpose.

   Some of the readable data nodes in this YANG module may be considered
   sensitive or vulnerable in some network environments.  It is thus
   important to control read access (e.g., via get, get-config, or
   notification) to these data nodes.  These are the subtrees and data
   nodes and their sensitivity/vulnerability:

   remote/destination/transport:  This subtree contains information
      about other hosts in the network, and the TLS transport
      certificate properties if TLS is selected as the transport
      protocol.

   remote/destination/signing:  This subtree contains information about
      the syslog message signing properties including signing
      certificate information.

   There are no RPC operations defined in this YANG module.

11.  References

11.1.  Normative References

   [I-D.ietf-netconf-crypto-types]
              Watsen, K., "YANG Data Types and Groupings for
              Cryptography", Work in Progress, Internet-Draft,
              draft-ietf-netconf-crypto-types-22, 7 March 2022.

   [I-D.ietf-netconf-tls-client-server]
              Watsen, K., "YANG Groupings for TLS Clients and TLS
              Servers", Work in Progress, Internet-Draft,
              draft-ietf-netconf-tls-client-server-27, 7 March 2022.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424,
              DOI 10.17487/RFC5424, March 2009.

   [RFC5425]  Miao, F., Ed., Ma, Y., Ed., and J. Salowey, Ed.,
              "Transport Layer Security (TLS) Transport Mapping for
              Syslog", RFC 5425, DOI 10.17487/RFC5425, March 2009.

   [RFC5426]  Okmianski, A., "Transmission of Syslog Messages over UDP",
              RFC 5426, DOI 10.17487/RFC5426, March 2009.

   [RFC5848]  Kelsey, J., Callas, J., and A. Clemm, "Signed Syslog
              Messages", RFC 5848, DOI 10.17487/RFC5848, May 2010.

   [RFC6991]  Schoenwaelder, J., Ed., "Common YANG Data Types",
              RFC 6991, DOI 10.17487/RFC6991, July 2013.

   [RFC7895]  Bierman, A., Bjorklund, M., and K. Watsen, "YANG Module
              Library", RFC 7895, DOI 10.17487/RFC7895, June 2016.

   [RFC7950]  Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
              RFC 7950, DOI 10.17487/RFC7950, August 2016.

   [RFC8089]  Kerwin, M., "The "file" URI Scheme", RFC 8089,
              DOI 10.17487/RFC8089, February 2017.
   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8343]  Bjorklund, M., "A YANG Data Model for Interface
              Management", RFC 8343, DOI 10.17487/RFC8343, March 2018.

   [Std-1003.1-2008]
              IEEE and The Open Group, "Chapter 9: Regular Expressions",
              The Open Group Base Specifications Issue 6, IEEE Std
              1003.1-2008, 2016 Edition, September 2016.

11.2.  Informative References

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004.

   [RFC6241]  Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
              and A. Bierman, Ed., "Network Configuration Protocol
              (NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011.

   [RFC6536]  Bierman, A. and M. Bjorklund, "Network Configuration
              Protocol (NETCONF) Access Control Model", RFC 6536,
              DOI 10.17487/RFC6536, March 2012.

   [RFC8040]  Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF
              Protocol", RFC 8040, DOI 10.17487/RFC8040, January 2017.

   [RFC8340]  Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
              BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018.

   [RFC8342]  Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K.,
              and R. Wilton, "Network Management Datastore Architecture
              (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018.

Appendix A.  Implementer Guidelines

A.1.  Extending Facilities

   Many vendors extend the list of facilities available for logging in
   their implementation.  Additional facilities may not work with the
   syslog protocol as defined in [RFC5424] and hence such facilities
   apply for local syslog-like logging functionality.
   The following is an example that shows how additional facilities
   could be added to the list of available facilities (in this example
   two facilities are added):

   module example-vendor-syslog-types {
     namespace "http://example.com/ns/vendor-syslog-types";
     prefix vendor-syslogtypes;

     import ietf-syslog {
       prefix syslogtypes;
     }

     organization "Example, Inc.";
     contact
       "Example, Inc.
        Customer Service

        E-mail: syslog-yang@example.com";

     description
       "This module contains a collection of vendor-specific YANG type
        definitions for SYSLOG.";

     revision 2017-08-11 {
       description
         "Version 1.0";
       reference
         "Vendor SYSLOG Types: SYSLOG YANG Model";
     }

     identity vendor_specific_type_1 {
       base syslogtypes:syslog-facility;
       description
         "Adding vendor specific type 1 to syslog-facility";
     }

     identity vendor_specific_type_2 {
       base syslogtypes:syslog-facility;
       description
         "Adding vendor specific type 2 to syslog-facility";
     }
   }

A.2.  Syslog Terminal Output

   Terminal output with requirements more complex than the console
   subtree currently provides is expected to be supported via vendor
   extensions rather than handled via the file subtree.

A.3.  Syslog File Naming Convention

   The syslog/file/log-file/file-rotation container contains
   configuration parameters for syslog file rotation.  This section
   describes how these fields might be used by an implementer to name
   syslog files in a rotation process.  This information is offered as
   an informative guide only.

   When an active syslog file with a name specified by log-file/name
   reaches log-file/max-file-size and/or syslog events arrive after the
   period specified by log-file/rollover, the logging system can close
   the file, can compress it, and can name the archive file
   <name>.0.gz.  The logging system can then open a new active syslog
   file <name>.

   When the new syslog file reaches either of the size limits referenced
   above, <name>.0.gz can be renamed <name>.1.gz and the new syslog file
   can be closed, compressed and renamed <name>.0.gz.  Each time that a
   new syslog file is closed, each of the prior syslog archive files
   named <name>.<n>.gz can be renamed to <name>.<n+1>.gz.

   Removal of archive log files could occur when either or both:

   -  log-file/number-of-files specified - the logging system can create
      up to log-file/number-of-files syslog archive files after which,
      the contents of the oldest archived file could be overwritten.

   -  log-file/retention specified - the logging system can remove those
      syslog archive files whose file expiration time (file creation
      time plus the specified log-file/retention time) is prior to the
      current time.

Authors' Addresses

   Joe Clarke (editor)
   Cisco
   United States of America
   Email: jclarke@cisco.com

   Mahesh Jethanandani (editor)
   Kloud Services
   United States of America
   Email: mjethanandai@gmail.com

   Clyde Wildes (editor)
   Cisco Systems Inc.
   170 West Tasman Drive
   San Jose, CA 95134
   United States of America
   Phone: +1 408 527-2672
   Email: cwildes@cisco.com

   Kiran Koushik (editor)
   Verizon Wireless
   500 W Dove Rd.
   Southlake, TX 76092
   United States of America
   Phone: +1 512 650-0210
   Email: kirankoushik.agraharasreenivasa@verizonwireless.com
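   The file naming and removal procedure of Appendix A.3, as an added
   Python simulation that is not code from the draft: it applies the
   max-file-size and rollover triggers, the <name>.<n>.gz renames, and
   both removal rules of the file-rotation container to a constructed
   scenario.  The file: URI, event sizes and timings are constructed;
   nothing touches the file system.

```python
"""Log file rotation naming as sketched in Appendix A.3.

Added example, not code from the draft. It simulates the archive
naming <name>.0.gz, <name>.1.gz, ... together with the
number-of-files and retention limits of the file-rotation container.
Sizes and clock are simulated (megabytes, minutes); nothing touches
the file system, and the file: URI below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Archive:
    index: int      # n in <name>.<n>.gz; 0 is the newest archive
    closed_at: int  # simulated minute at which the file was closed


@dataclass
class LogFile:
    name: str               # log-file/name, a file: URI
    max_file_size: int      # file-rotation/max-file-size, megabytes
    rollover: int           # file-rotation/rollover, minutes
    number_of_files: int    # file-rotation/number-of-files
    retention: int          # file-rotation/retention, minutes
    size: int = 0
    opened_at: int = 0
    archives: list = field(default_factory=list)

    def archive_name(self, index):
        return f"{self.name}.{index}.gz"

    def write(self, event_size, now):
        """Write an event, rotating first when either limit is reached:
        the size limit, or an event arriving after the rollover period."""
        if (self.size + event_size > self.max_file_size
                or now - self.opened_at >= self.rollover):
            self.rotate(now)
        self.size += event_size

    def rotate(self, now):
        """Close and compress the active file as <name>.0.gz after
        renaming each existing <name>.<n>.gz to <name>.<n+1>.gz."""
        for archive in self.archives:
            archive.index += 1
        self.archives.insert(0, Archive(0, now))
        self.size, self.opened_at = 0, now
        self.expire(now)

    def expire(self, now):
        """Apply both removal rules of A.3: at most number-of-files
        archives (the oldest is overwritten), and no archive whose
        expiration time (closed_at + retention) is before now."""
        kept = self.archives[:self.number_of_files]
        self.archives = [a for a in kept if a.closed_at + self.retention >= now]

    def listing(self):
        """Archive file names, newest first."""
        return [self.archive_name(a.index) for a in self.archives]


def simulate():
    """Constructed scenario: 10 MB files, 60 minute rollover, keep 2
    archives for at most 150 minutes. Returns the listing after each
    write so the renames and removals can be followed."""
    log = LogFile("file:/var/log/app.log", 10, 60, 2, 150)
    steps = [(6, 0), (6, 10), (1, 80), (1, 100), (9, 120), (1, 200), (1, 600)]
    history = []
    for event_size, now in steps:
        log.write(event_size, now)
        history.append(log.listing())
    return history


if __name__ == "__main__":
    for minute, names in zip([0, 10, 80, 100, 120, 200, 600], simulate()):
        print(f"t={minute:>3} min: {names}")
```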