idnits 2.17.1

draft-ietf-opsawg-syslog-msg-mib-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

  ** The document seems to lack a License Notice according IETF Trust
     Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009
     Section 6.b -- however, there's a paragraph with a matching beginning.
     Boilerplate error?

  -- It seems you're using the 'non-IETF stream' Licence Notice instead

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 171 has weird spacing: '...yString sysl...'

  == Line 172 has weird spacing: '...yString sysl...'

  == Line 259 has weird spacing: '... field octet...'

  == The document seems to use 'NOT RECOMMENDED' as an RFC 2119 keyword, but
     does not include the phrase in its RFC 2119 key words list.

  -- The document date (February 16, 2009) is 5546 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Missing Reference: 'RFC3412' is mentioned on line 615, but not defined

  -- No information found for draft-ietf-syslog-tc-mib - is the name correct?

  -- Possible downref: Normative reference to a draft: ref.
     'I-D.ietf-syslog-tc-mib'

     Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 4 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

Network Working Group                                      J. Schoenwaelder
Internet-Draft                                     Jacobs University Bremen
Intended status: Standards Track                                   A. Clemm
Expires: August 20, 2009                                        A. Karmakar
                                                              Cisco Systems
                                                          February 16, 2009

   Definitions of Managed Objects for Mapping SYSLOG Messages to Simple
             Network Management Protocol (SNMP) Notifications
                  draft-ietf-opsawg-syslog-msg-mib-01.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on August 20, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines a mapping of SYSLOG messages to Simple
   Network Management Protocol (SNMP) notifications.

Table of Contents

   1.  Introduction
   2.  The Internet-Standard Management Framework
   3.  Conventions
   4.  Overview
   5.  Relationship to Other MIB Modules
   6.  Definitions
   7.  Usage Example
   8.  IANA Considerations
   9.  Security Considerations
   10. Acknowledgments
   11. References
       11.1. Normative References
       11.2. Informative References
   Authors' Addresses

1.  Introduction

   SNMP [RFC3410] [RFC3411] and SYSLOG [I-D.ietf-syslog-protocol] are
   two widely used protocols to communicate event notifications.
   Although co-existence of several management protocols in one
   operational environment is possible, certain environments require
   that all event notifications are collected by a single system daemon
   such as a SYSLOG collector or an SNMP notification receiver via a
   single management protocol. In such environments, it is necessary to
   translate event notifications between management protocols.
   This document defines an SNMP MIB module to represent SYSLOG messages
   and to send SYSLOG messages as SNMP notifications to SNMP
   notification receivers.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB. MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI). This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

4.  Overview

   SYSLOG messages are converted by a SYSLOG to SNMP converter. Such a
   converter acts as a SYSLOG receiver [I-D.ietf-syslog-protocol] and
   implements a MIB module according to the SNMP architecture [RFC3411].
   The converter might be tightly coupled to an SNMP agent or it might
   interface with an SNMP agent via a subagent protocol.

   After initialization, the converter will listen for SYSLOG messages.

   On receiving a message, the message will be parsed to extract
   information as described in the MIB module. A conceptual table is
   populated with information extracted from the SYSLOG message and
   finally a notification may be generated.

   The MIB module is organized into a group of scalars and two tables.
   The syslogMsgControl group contains two scalars controlling the
   maximum size of SYSLOG messages recorded in the tables and whether
   SNMP notifications are generated for SYSLOG messages.

     --syslogMsgObjects(1)
       |
       +--syslogMsgControl(1)
          |
          +-- Unsigned32 syslogMsgTableMaxSize(1)
          +-- TruthValue syslogMsgEnableNotifications(2)

   The syslogMsgTable contains one entry for each recorded SYSLOG
   message. The basic fields of SYSLOG messages are represented in
   different columns of the conceptual table.

     --syslogMsgObjects(1)
       |
       +--syslogMsgTable(2)
          |
          +--syslogMsgEntry(1) [syslogMsgIndex]
             |
             +-- Unsigned32               syslogMsgIndex(1)
             +-- SyslogFacility           syslogMsgFacility(2)
             +-- SyslogSeverity           syslogMsgSeverity(3)
             +-- Unsigned32               syslogMsgVersion(4)
             +-- DateAndTimeMicroSeconds  syslogMsgTimeStamp(5)
             +-- DisplayString            syslogMsgHostName(6)
             +-- DisplayString            syslogMsgAppName(7)
             +-- DisplayString            syslogMsgProcID(8)
             +-- DisplayString            syslogMsgMsgID(9)
             +-- OctetString              syslogMsgMsg(10)
             +-- Bits                     syslogMsgFlags(11)

   The syslogMsgSDTable contains one entry for each structured data
   element parameter contained in a SYSLOG message. Since structured
   data elements are optional, the relationship between the
   syslogMsgTable and the syslogMsgSDTable is 1:0..*.

     --syslogMsgObjects(1)
       |
       +--syslogMsgSDTable(3)
          |
          +--syslogMsgSDEntry(1) [syslogMsgIndex,
             |                    syslogMsgSDElementName,
             |                    syslogMsgSDParamName,
             |                    syslogMsgSDParamIndex]
             |
             +-- DisplayString    syslogMsgSDElementName(1)
             +-- DisplayString    syslogMsgSDParamName(2)
             +-- Unsigned32       syslogMsgSDParamIndex(3)
             +-- SnmpAdminString  syslogMsgSDParamValue(4)

5.  Relationship to Other MIB Modules

   The NOTIFICATION-LOG-MIB [RFC3014] provides a generic mechanism for
   logging SNMP notifications in order to deal with lost SNMP
   notifications, e.g., due to transient communication problems.
   Applications can poll the notification log to verify that they have
   not missed important SNMP notifications.

   The MIB module defined in this memo provides a mechanism for logging
   SYSLOG notifications. This additional SYSLOG notification log is
   provided because (a) SYSLOG messages might not lead to SNMP
   notifications (this is configurable) and (b) SNMP notifications might
   not carry all information associated with a SYSLOG notification.

   The following MIB module IMPORTS objects from SNMPv2-SMI [RFC2578],
   SNMPv2-TC [RFC2579], SNMPv2-CONF [RFC2580], SNMP-FRAMEWORK-MIB
   [RFC3411], and SYSLOG-TC-MIB [I-D.ietf-syslog-tc-mib].

6.  Definitions

    SYSLOG-MSG-MIB DEFINITIONS ::= BEGIN

    IMPORTS
        MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Unsigned32, mib-2
            FROM SNMPv2-SMI
        TEXTUAL-CONVENTION, DisplayString, TruthValue
            FROM SNMPv2-TC
        OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE
            FROM SNMPv2-CONF
        SnmpAdminString
            FROM SNMP-FRAMEWORK-MIB
        SyslogFacility, SyslogSeverity
            FROM SYSLOG-TC-MIB;

    syslogMsgMib MODULE-IDENTITY
        LAST-UPDATED "200902100800Z"
        ORGANIZATION "IETF OPSAWG Working Group"
        CONTACT-INFO
            "Juergen Schoenwaelder

             Jacobs University Bremen
             Campus Ring 1
             28757 Bremen
             Germany

             Alexander Clemm

             Cisco Systems
             170 West Tasman Drive
             San Jose, CA 95134-1706
             USA

             Anirban Karmakar

             Cisco Systems
             170 West Tasman Drive
             San Jose, CA 95134-1706
             USA"
        DESCRIPTION
            "This MIB module represents SYSLOG messages as SNMP objects.

             Copyright (c) 2009 IETF Trust and the persons identified as
             the document authors. All rights reserved. This version of
             this MIB module is part of RFC XXXX; see the RFC itself for
             full legal notices."
        REVISION "200902100800Z"
        DESCRIPTION
            "Initial version issued as part of RFC XXXX."
        -- RFC Ed.: replace XXXX with actual RFC number & remove this note
        ::= { mib-2 XXX }
        -- RFC Ed.: replace XXX with IANA-assigned number & remove this note

    -- textual convention definitions

    DateAndTimeMicroSeconds ::= TEXTUAL-CONVENTION
        DISPLAY-HINT "2d-1d-1d,1d:1d:1d.3d,1a1d:1d"
        STATUS       current
        DESCRIPTION
            "A date-time specification. This type is similar to the
             DateAndTime type defined in the SNMPv2-TC except that
             the subsecond granulation is microseconds instead of
             deciseconds.

             field  octets  contents                  range
             -----  ------  --------                  -----
               1      1-2   year*                     0..65536
               2       3    month                     1..12
               3       4    day                       1..31
               4       5    hour                      0..23
               5       6    minutes                   0..59
               6       7    seconds                   0..60
                            (use 60 for leap-second)
               7     8-10   microseconds              0..999999
               8      11    direction from UTC        '+' / '-'
               9      12    hours from UTC*           0..13
              10      13    minutes from UTC          0..59

             * Notes:
             - the value of year is in network-byte order
             - the value of microseconds is in network-byte order
             - daylight saving time in New Zealand is +13

             For example, Tuesday May 26, 1992 at 1:30:15 PM EDT would be
             displayed as:

                 1992-5-26,13:30:15.0,-4:0

             Note that if only local time is known, then timezone
             information (octets 11-13) is not present."
        SYNTAX       OCTET STRING (SIZE (10 | 13))

    -- object definitions

    syslogMsgNotifications OBJECT IDENTIFIER ::= { syslogMsgMib 0 }
    syslogMsgObjects       OBJECT IDENTIFIER ::= { syslogMsgMib 1 }
    syslogMsgConformance   OBJECT IDENTIFIER ::= { syslogMsgMib 2 }

    syslogMsgControl       OBJECT IDENTIFIER ::= { syslogMsgObjects 1 }

    syslogMsgTableMaxSize OBJECT-TYPE
        SYNTAX      Unsigned32
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "The maximum number of syslog messages that may be held in
             syslogMsgTable. A particular setting does not guarantee that
             there is sufficient memory available for the maximum number
             of table entries indicated by this object. A value of 0 means
             no limit.

             If an application reduces the limit while there are syslog
             messages in the syslogMsgTable, the syslog messages that are
             in the syslogMsgTable for the longest time MUST be discarded
             to bring the table down to the new limit.

             The value of this object should be kept in nonvolatile
             memory."
        DEFVAL { 0 }
        ::= { syslogMsgControl 1 }

    syslogMsgEnableNotifications OBJECT-TYPE
        SYNTAX      TruthValue
        MAX-ACCESS  read-write
        STATUS      current
        DESCRIPTION
            "Indicates whether syslogMsgNotification notifications are
             generated.

             The value of this object should be kept in nonvolatile
             memory."
        DEFVAL { false }
        ::= { syslogMsgControl 2 }

    syslogMsgTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF SyslogMsgEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A table containing recent syslog messages. The size of the
             table is controlled by the syslogMsgTableMaxSize object."
        ::= { syslogMsgObjects 2 }

    syslogMsgEntry OBJECT-TYPE
        SYNTAX      SyslogMsgEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry of the syslogMsgTable."
        INDEX { syslogMsgIndex }
        ::= { syslogMsgTable 1 }

    SyslogMsgEntry ::= SEQUENCE {
        syslogMsgIndex       Unsigned32,
        syslogMsgFacility    SyslogFacility,
        syslogMsgSeverity    SyslogSeverity,
        syslogMsgVersion     Unsigned32,
        syslogMsgTimeStamp   DateAndTimeMicroSeconds,
        syslogMsgHostName    DisplayString,
        syslogMsgAppName     DisplayString,
        syslogMsgProcID      DisplayString,
        syslogMsgMsgID       DisplayString,
        syslogMsgMsg         OCTET STRING,
        syslogMsgFlags       BITS
    }

    syslogMsgIndex OBJECT-TYPE
        SYNTAX      Unsigned32 (1..4294967295)
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A monotonically increasing number used to identify entries in
             the syslogMsgTable. When syslogMsgIndex reaches the maximum
             value the value wraps back to 1."
        ::= { syslogMsgEntry 1 }

    syslogMsgFacility OBJECT-TYPE
        SYNTAX      SyslogFacility
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The facility of the syslog message."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.2.1)
             RFCZZZZ: Textual Conventions for Syslog Management"
        -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
        -- RFC Ed.: replace ZZZZ with SYSLOG TC RFC number, remove this note
        ::= { syslogMsgEntry 2 }

    syslogMsgSeverity OBJECT-TYPE
        SYNTAX      SyslogSeverity
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The severity of the syslog message."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.2.1)
             RFCZZZZ: Textual Conventions for Syslog Management"
        -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
        -- RFC Ed.: replace ZZZZ with SYSLOG TC RFC number, remove this note
        ::= { syslogMsgEntry 3 }

    syslogMsgVersion OBJECT-TYPE
        SYNTAX      Unsigned32 (0..999)
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The version of the syslog message. A value of 0 indicates
             that the version is unknown."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.2.2)"
        -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
        ::= { syslogMsgEntry 4 }

    syslogMsgTimeStamp OBJECT-TYPE
        SYNTAX      DateAndTimeMicroSeconds
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The timestamp of the syslog message. The special value
             '00000000000000000000'H is returned if the timestamp
             is unknown."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.2.3)"
        -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
        ::= { syslogMsgEntry 5 }

    syslogMsgHostName OBJECT-TYPE
        SYNTAX      DisplayString (SIZE (0..255))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The host name of the syslog message. A zero-length string
             indicates an unknown host name.
             The SYSLOG protocol specification constrains this string to
             printable US-ASCII code points."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.2.4)"
        -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
        ::= { syslogMsgEntry 6 }

    syslogMsgAppName OBJECT-TYPE
        SYNTAX      DisplayString (SIZE (0..48))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The app-name of the syslog message. A zero-length string
             indicates an unknown app-name. The SYSLOG protocol
             specification constrains this string to printable US-ASCII
             code points."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.2.5)"
        -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
        ::= { syslogMsgEntry 7 }

    syslogMsgProcID OBJECT-TYPE
        SYNTAX      DisplayString (SIZE (0..128))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The procid of the syslog message. A zero-length string
             indicates an unknown procid. The SYSLOG protocol specification
             constrains this string to printable US-ASCII code points."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.2.6)"
        -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
        ::= { syslogMsgEntry 8 }

    syslogMsgMsgID OBJECT-TYPE
        SYNTAX      DisplayString (SIZE (0..32))
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The msgid of the syslog message. A zero-length string
             indicates an unknown msgid. The SYSLOG protocol specification
             constrains this string to printable US-ASCII code points."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.2.7)"
        -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
        ::= { syslogMsgEntry 9 }

    syslogMsgMsg OBJECT-TYPE
        SYNTAX      OCTET STRING
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The message part of the syslog message. The syntax does not
             impose a size restriction.
             Implementations of this MIB module may truncate the message
             part of the syslog message such that it fits into the size
             constraints imposed by the implementation environment. If the
             message has been truncated by the SYSLOG to SNMP converter,
             the truncated bit in the syslogMsgFlags must be set to 1.

             If the first octets contain the value 'EFBBBF'h, then the rest
             of the message is a UTF-8 string. Since syslog messages may be
             truncated at arbitrary octet boundaries during forwarding, the
             message may contain invalid UTF-8 encodings at the end."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.4)"
        -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
        ::= { syslogMsgEntry 10 }

    syslogMsgFlags OBJECT-TYPE
        SYNTAX      BITS { truncated(0), sdparams(1) }
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The bits contained in this object convey meta information
             about the syslog message. The meaning of the bits is as
             follows:

             truncated - This bit is set if the converter had to
                         truncate the syslogMsgMsg to comply with
                         implementation and/or SNMP message size
                         constraints.

             sdparams  - This bit is set if the syslog message
                         contained structured data element parameters
                         and serves as an indicator whether there is
                         data in the syslogMsgSDTable for this syslog
                         message.

             For syslog messages without structured data element parameters
             that were not truncated by the converter, none of the bits is
             set."
        ::= { syslogMsgEntry 11 }

    syslogMsgSDTable OBJECT-TYPE
        SYNTAX      SEQUENCE OF SyslogMsgSDEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "A table containing structured data elements of syslog
             messages."
        ::= { syslogMsgObjects 3 }

    syslogMsgSDEntry OBJECT-TYPE
        SYNTAX      SyslogMsgSDEntry
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "An entry of the syslogMsgSDTable."
        INDEX { syslogMsgIndex, syslogMsgSDElementName,
                syslogMsgSDParamName, syslogMsgSDParamIndex }
        ::= { syslogMsgSDTable 1 }

    SyslogMsgSDEntry ::= SEQUENCE {
        syslogMsgSDElementName  DisplayString,
        syslogMsgSDParamName    DisplayString,
        syslogMsgSDParamIndex   Unsigned32,
        syslogMsgSDParamValue   SnmpAdminString
    }

    syslogMsgSDElementName OBJECT-TYPE
        SYNTAX      DisplayString (SIZE (1..32))
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The name of a structured data element. The SYSLOG protocol
             specification constrains this string to printable US-ASCII
             code points."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.3.2)"
        ::= { syslogMsgSDEntry 1 }

    syslogMsgSDParamName OBJECT-TYPE
        SYNTAX      DisplayString (SIZE (1..32))
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "The name of a parameter of the structured data element. The
             SYSLOG protocol specification constrains this string to
             printable US-ASCII code points."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.3.3)"
        ::= { syslogMsgSDEntry 2 }

    syslogMsgSDParamIndex OBJECT-TYPE
        SYNTAX      Unsigned32 (1..4294967295)
        MAX-ACCESS  not-accessible
        STATUS      current
        DESCRIPTION
            "This object indexes the instance of a parameter that occurs
             multiple times in a structured data element, starting from 1.
             For parameters that only occur once, the value of this object
             is 1."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.3.3)"
        ::= { syslogMsgSDEntry 3 }

    syslogMsgSDParamValue OBJECT-TYPE
        SYNTAX      SnmpAdminString
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The value of the parameter of a syslog message identified by
             the index of this table. The value is stored in the unescaped
             format."
        REFERENCE
            "RFCYYYY: The syslog Protocol (section 6.3.3)"
        ::= { syslogMsgSDEntry 4 }

    -- notification definitions

    syslogMsgNotification NOTIFICATION-TYPE
        OBJECTS { syslogMsgFacility, syslogMsgSeverity,
                  syslogMsgVersion, syslogMsgTimeStamp,
                  syslogMsgHostName, syslogMsgAppName,
                  syslogMsgProcID, syslogMsgMsgID,
                  syslogMsgMsg, syslogMsgFlags }
        STATUS  current
        DESCRIPTION
            "The syslogMsgNotification is generated when a new syslog
             message is generated and the value of
             syslogMsgEnableNotifications is true.

             Implementations may add syslogMsgSDParamValue objects as long
             as the resulting notification fits into the size constraints
             imposed by the implementation environment and the notification
             message size constraints imposed by maxMessageSize [RFC3412]
             and SNMP transport mappings."
        ::= { syslogMsgNotifications 1 }

    -- conformance statements

    syslogMsgGroups      OBJECT IDENTIFIER ::= { syslogMsgConformance 1 }
    syslogMsgCompliances OBJECT IDENTIFIER ::= { syslogMsgConformance 2 }

    syslogMsgFullCompliance MODULE-COMPLIANCE
        STATUS      current
        DESCRIPTION
            "The compliance statement for implementations of the
             SYSLOG-MSG-MIB."
        MODULE -- this module
            MANDATORY-GROUPS {
                syslogMsgGroup,
                syslogMsgSDGroup,
                syslogMsgControlGroup,
                syslogMsgNotificationGroup
            }
        ::= { syslogMsgCompliances 1 }

    syslogMsgReadOnlyCompliance MODULE-COMPLIANCE
        STATUS      current
        DESCRIPTION
            "The compliance statement for implementations of the
             SYSLOG-MSG-MIB that do not support read-write access."
        MODULE -- this module
            MANDATORY-GROUPS {
                syslogMsgGroup,
                syslogMsgSDGroup,
                syslogMsgControlGroup,
                syslogMsgNotificationGroup
            }
            OBJECT syslogMsgTableMaxSize
            MIN-ACCESS read-only
            DESCRIPTION
                "Write access is not required."
            OBJECT syslogMsgEnableNotifications
            MIN-ACCESS read-only
            DESCRIPTION
                "Write access is not required."
        ::= { syslogMsgCompliances 2 }

    syslogMsgNotificationCompliance MODULE-COMPLIANCE
        STATUS      current
        DESCRIPTION
            "The compliance statement for implementations of the
             SYSLOG-MSG-MIB that only generate notifications and do not
             provide a table to allow read access to syslog message
             details."
        MODULE -- this module
            MANDATORY-GROUPS {
                syslogMsgGroup,
                syslogMsgSDGroup,
                syslogMsgNotificationGroup
            }
            OBJECT syslogMsgFacility
            MIN-ACCESS accessible-for-notify
            DESCRIPTION
                "Read access is not required."
            OBJECT syslogMsgSeverity
            MIN-ACCESS accessible-for-notify
            DESCRIPTION
                "Read access is not required."
            OBJECT syslogMsgVersion
            MIN-ACCESS accessible-for-notify
            DESCRIPTION
                "Read access is not required."
            OBJECT syslogMsgTimeStamp
            MIN-ACCESS accessible-for-notify
            DESCRIPTION
                "Read access is not required."
            OBJECT syslogMsgHostName
            MIN-ACCESS accessible-for-notify
            DESCRIPTION
                "Read access is not required."
            OBJECT syslogMsgAppName
            MIN-ACCESS accessible-for-notify
            DESCRIPTION
                "Read access is not required."
            OBJECT syslogMsgProcID
            MIN-ACCESS accessible-for-notify
            DESCRIPTION
                "Read access is not required."
            OBJECT syslogMsgMsgID
            MIN-ACCESS accessible-for-notify
            DESCRIPTION
                "Read access is not required."
            OBJECT syslogMsgMsg
            MIN-ACCESS accessible-for-notify
            DESCRIPTION
                "Read access is not required."
            OBJECT syslogMsgFlags
            MIN-ACCESS accessible-for-notify
            DESCRIPTION
                "Read access is not required."
            OBJECT syslogMsgSDParamValue
            MIN-ACCESS accessible-for-notify
            DESCRIPTION
                "Read access is not required."
        ::= { syslogMsgCompliances 3 }

    syslogMsgNotificationGroup NOTIFICATION-GROUP
        NOTIFICATIONS {
            syslogMsgNotification
        }
        STATUS      current
        DESCRIPTION
            "The notifications emitted by this MIB module."
        ::= { syslogMsgGroups 1 }

    syslogMsgGroup OBJECT-GROUP
        OBJECTS {
            -- syslogMsgIndex,
            syslogMsgFacility,
            syslogMsgSeverity,
            syslogMsgVersion,
            syslogMsgTimeStamp,
            syslogMsgHostName,
            syslogMsgAppName,
            syslogMsgProcID,
            syslogMsgMsgID,
            syslogMsgMsg,
            syslogMsgFlags
        }
        STATUS      current
        DESCRIPTION
            "A collection of objects representing a syslog message
             excluding structured data elements."
        ::= { syslogMsgGroups 2 }

    syslogMsgSDGroup OBJECT-GROUP
        OBJECTS {
            -- syslogMsgSDElementName,
            -- syslogMsgSDParamName,
            -- syslogMsgSDParamIndex,
            syslogMsgSDParamValue
        }
        STATUS      current
        DESCRIPTION
            "A collection of objects representing the structured data
             elements of a syslog message."
        ::= { syslogMsgGroups 3 }

    syslogMsgControlGroup OBJECT-GROUP
        OBJECTS {
            syslogMsgTableMaxSize,
            syslogMsgEnableNotifications
        }
        STATUS      current
        DESCRIPTION
            "A collection of control objects to control the size of the
             syslogMsgTable and to enable / disable notifications."
        ::= { syslogMsgGroups 4 }

    END

7.  Usage Example

   The following example shows a valid syslog message including
   structured data. The otherwise-unprintable Unicode BOM is
   represented as "BOM" in the example.

     <165>1 2003-10-11T22:14:15.003Z mymachine.example.com
     evntslog - ID47 [exampleSDID@0 iut="3" eventSource="Application"
     eventID="1011"] BOMAn application event log entry...

   This syslog message leads to the following entries in the
   syslogMsgTable and the syslogMsgSDTable (note that string indexes are
   written as strings for readability reasons):

     syslogMsgIndex.1 = 1
     syslogMsgFacility.1 = 20
     syslogMsgSeverity.1 = 5
     syslogMsgVersion.1 = 1
     syslogMsgTimeStamp.1 = 2003-10-11 22:14:15.003+00:00
     syslogMsgHostName.1 = "mymachine.example.com"
     syslogMsgAppName.1 = "evntslog"
     syslogMsgProcID.1 = "-"
     syslogMsgMsgID.1 = "ID47"
     syslogMsgMsg.1 = "BOMAn application event log entry..."
     syslogMsgSDParamValue.1."exampleSDID@0"."iut".1
         = "3"
     syslogMsgSDParamValue.1."exampleSDID@0"."eventSource".1
         = "Application"
     syslogMsgSDParamValue.1."exampleSDID@0"."eventID".1
         = "1011"

8.  IANA Considerations

   The IANA is requested to assign a value for "XXX" under the 'mib-2'
   subtree and to record the assignment in the SMI Numbers registry.
   When the assignment has been made, the RFC Editor is asked to replace
   "XXX" (here and in the MIB module) with the assigned value.

9.  Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create. Such
   objects may be considered sensitive or vulnerable in some network
   environments. The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations. These are the tables and objects and their
   sensitivity/vulnerability:

   o  syslogMsgTableMaxSize: This object controls how many entries are
      kept in the syslogMsgTable. Unauthorized modifications may either
      cause increased memory consumption (by setting this object to a
      large value) or turn off the capability to retrieve notifications
      using GET class operations (by setting this object to zero). This
      might be used to hide traces of an attack.

   o  syslogMsgEnableNotifications: This object enables notifications.
      Unauthorized modifications to disable notification generation can
      be used to hide an attack. Unauthorized modifications to enable
      notification generation may be used as part of a denial of service
      attack against a network management system if for example the
      SYSLOG to SNMP converter accepts unauthorized syslog messages.

   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments. It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP. These are the tables and objects and their
   sensitivity/vulnerability:

   o  syslogMsgTableMaxSize, syslogMsgEnableNotifications: These objects
      provide information whether SYSLOG messages are forwarded as SNMP
      notifications and how many messages will be maintained in the
      syslogMsgTable. This information might be exploited by an
      attacker in order to plan actions with the goal of hiding attack
      activities.

   o  syslogMsgFacility, syslogMsgSeverity, syslogMsgVersion,
      syslogMsgTimeStamp, syslogMsgHostName, syslogMsgAppName,
      syslogMsgProcID, syslogMsgMsgID, syslogMsgMsg, syslogMsgFlags,
      syslogMsgSDParamValue: These objects carry the content of syslog
      messages and the syslog message oriented security considerations of
      [I-D.ietf-syslog-protocol] apply. In particular, an attacker who
      gains access to SYSLOG messages via SNMP may use the knowledge
      gained from SYSLOG messages to compromise a machine or do other
      damage.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   even then, there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security. It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

10.  Acknowledgments

   The authors wish to thank Washam Fan, Rainer Gerhards, Wes Hardacker,
   David Harrington, Tom Petch, Juergen Quittek, Bert Wijnen, and all
   other people who commented on various versions of this document.

11.  References

11.1.  Normative References

   [I-D.ietf-syslog-protocol]
              Gerhards, R., "The syslog Protocol", Internet Draft (work
              in progress), September 2007.

   [I-D.ietf-syslog-tc-mib]
              Keeni, G., "Textual Conventions for Syslog Management",
              Internet Draft (work in progress), May 2008.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Structure of Management Information Version 2 (SMIv2)",
              RFC 2578, STD 58, April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Textual Conventions for SMIv2", RFC 2579, STD 58,
              April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J.
              Schoenwaelder, "Conformance Statements for SMIv2",
              RFC 2580, STD 58, April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

11.2.  Informative References

   [RFC3014]  Kavasseri, R., Ed., "Notification Log MIB", RFC 3014,
              November 2002.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Juergen Schoenwaelder
   Jacobs University Bremen
   Campus Ring 1
   28725 Bremen
   Germany

   Email: j.schoenwaelder@jacobs-university.de

   Alexander Clemm
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   Email: alex@cisco.com

   Anirban Karmakar
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   Email: akarmaka@cisco.com
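The conversion that Section 4 describes and Section 7 illustrates, as an added worked example that is not part of the draft and not any vendor's converter: it parses the Section 7 message (using the RFC 5424 syntax the draft's syslog-protocol reference defines), fills the syslogMsgTable columns, derives the syslogMsgSDTable rows with their syslogMsgSDParamIndex, encodes syslogMsgTimeStamp as the 13-octet DateAndTimeMicroSeconds form, and sets the truncated and sdparams bits of syslogMsgFlags. The truncation limit max_msg is a parameter of this example (the MIB has no such object), and the NILVALUE "-" is mapped to a zero-length string as the object DESCRIPTIONs state, whereas the Section 7 listing shows procid as "-".

```python
"""Minimal SYSLOG-to-SNMP conversion for the SYSLOG-MSG-MIB mapping (added
example): parse an RFC 5424 message, fill the syslogMsgTable columns and the
syslogMsgSDTable rows, encode DateAndTimeMicroSeconds, set syslogMsgFlags."""
import re
import struct
from datetime import datetime

# Constructed sample: the draft's Section 7 message, with the BOM as real bytes.
SAMPLE = (b'<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - '
          b'ID47 [exampleSDID@0 iut="3" eventSource="Application" eventID="1011"]'
          b' \xef\xbb\xbfAn application event log entry...')

FLAG_TRUNCATED, FLAG_SDPARAMS = 0, 1          # syslogMsgFlags BITS positions
UNKNOWN_TIME = bytes(10)                      # '00000000000000000000'H
HEADER = re.compile(rb'<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ')
SD_ID = re.compile(rb'\[([^ =\]"]{1,32})')
SD_PARAM = re.compile(rb' ([^ =\]"]{1,32})="')
TIMESTAMP = re.compile(r'(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d{1,6}))?'
                       r'(Z|[+-]\d\d:\d\d)')

def encode_date_and_time_us(ts: datetime) -> bytes:
    """13-octet DateAndTimeMicroSeconds: year(2, network order) month day hour
    minute second microseconds(3, network order) '+'/'-' hours minutes."""
    off = int(ts.utcoffset().total_seconds())
    sign, off = (b'+', off) if off >= 0 else (b'-', -off)
    return (struct.pack('>HBBBBB', ts.year, ts.month, ts.day, ts.hour, ts.minute,
                        ts.second) + ts.microsecond.to_bytes(3, 'big')
            + sign + bytes([off // 3600, off % 3600 // 60]))

def parse_timestamp(field: str):
    """RFC 5424 TIMESTAMP -> tz-aware datetime, or None for the NILVALUE '-'."""
    if field == '-':
        return None
    m = TIMESTAMP.fullmatch(field)
    if not m:
        raise ValueError('malformed TIMESTAMP')
    base, frac, tz = m.groups()
    tz = '+00:00' if tz == 'Z' else tz
    return datetime.fromisoformat(f'{base}.{(frac or "0").ljust(6, "0")}{tz}')

def parse_sd(buf: bytes, pos: int):
    """STRUCTURED-DATA at buf[pos:] -> ([(sd-id, name, unescaped value)], end)."""
    if buf[pos:pos + 1] == b'-':
        return [], pos + 1
    if buf[pos:pos + 1] != b'[':
        raise ValueError('STRUCTURED-DATA must be "-" or SD-ELEMENTs')
    params = []
    while buf[pos:pos + 1] == b'[':
        m = SD_ID.match(buf, pos)
        if not m:
            raise ValueError('malformed SD-ID')
        sdid, pos = m.group(1).decode('ascii'), m.end()
        while (p := SD_PARAM.match(buf, pos)):
            name, pos, value = p.group(1).decode('ascii'), p.end(), bytearray()
            while buf[pos:pos + 1] != b'"':
                if pos >= len(buf):
                    raise ValueError('unterminated PARAM-VALUE')
                if buf[pos] == 0x5C and buf[pos + 1:pos + 2] in (b'"', b'\\', b']'):
                    pos += 1                  # drop the escape, keep the char
                value.append(buf[pos])
                pos += 1
            pos += 1                          # closing quote
            params.append((sdid, name, value.decode('utf-8')))
        if buf[pos:pos + 1] != b']':
            raise ValueError('unterminated SD-ELEMENT')
        pos += 1
    return params, pos

def convert(raw: bytes, index: int, max_msg: int = 1024):
    """One syslogMsgTable row plus the syslogMsgSDTable rows it owns; the
    NILVALUE '-' becomes a zero-length string per the object DESCRIPTIONs."""
    m = HEADER.match(raw)
    if not m:
        raise ValueError('malformed HEADER')
    pri, version, ts, host, app, procid, msgid = m.groups()
    if int(pri) > 191:
        raise ValueError('PRI out of range')
    params, pos = parse_sd(raw, m.end())
    msg = raw[pos + 1:] if raw[pos:pos + 1] == b' ' else b''
    flags = {FLAG_SDPARAMS} if params else set()
    if len(msg) > max_msg:                    # converter-side truncation
        msg, flags = msg[:max_msg], flags | {FLAG_TRUNCATED}
    stamp = parse_timestamp(ts.decode('ascii'))
    text = lambda b: '' if b == b'-' else b.decode('ascii')
    row = {'syslogMsgIndex': index, 'syslogMsgFacility': int(pri) // 8,
           'syslogMsgSeverity': int(pri) % 8, 'syslogMsgVersion': int(version),
           'syslogMsgTimeStamp': encode_date_and_time_us(stamp) if stamp else UNKNOWN_TIME,
           'syslogMsgHostName': text(host), 'syslogMsgAppName': text(app),
           'syslogMsgProcID': text(procid), 'syslogMsgMsgID': text(msgid),
           'syslogMsgMsg': msg, 'syslogMsgFlags': flags}
    sd_rows, seen = {}, {}
    for sdid, name, value in params:          # syslogMsgSDParamIndex counts repeats
        seen[sdid, name] = seen.get((sdid, name), 0) + 1
        sd_rows[index, sdid, name, seen[sdid, name]] = value
    return row, sd_rows

if __name__ == '__main__':
    row, sd_rows = convert(SAMPLE, 1)
    print(row, sd_rows, sep='\n')
```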