Network Working Group                                   J. Schoenwaelder
Internet-Draft                                  Jacobs University Bremen
Intended status: Standards Track                                A. Clemm
Expires: September 10, 2009                                  A. Karmakar
                                                           Cisco Systems
                                                           March 9, 2009


   Definitions of Managed Objects for Mapping SYSLOG Messages to Simple
           Network Management Protocol (SNMP) Notifications
                 draft-ietf-opsawg-syslog-msg-mib-02.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 10, 2009.
Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines a mapping of SYSLOG messages to Simple
   Network Management Protocol (SNMP) notifications.

Table of Contents

   1.  Introduction
   2.  The Internet-Standard Management Framework
   3.  Conventions
   4.  Overview
   5.  Relationship to Other MIB Modules
   6.  Relationship to SYSLOG to SNMP Mappings
   7.  Definitions
   8.  Usage Example
   9.  IANA Considerations
   10. Security Considerations
   11. Acknowledgments
   12. References
       12.1.  Normative References
       12.2.  Informative References
   Authors' Addresses

1.  Introduction

   SNMP [RFC3410] [RFC3411] and SYSLOG [I-D.ietf-syslog-protocol] are
   two widely used protocols to communicate event notifications.
   Although co-existence of several management protocols in one
   operational environment is possible, certain environments require
   that all event notifications are collected by a single system daemon
   such as a SYSLOG collector or an SNMP notification receiver via a
   single management protocol.  In such environments, it is necessary to
   translate event notifications between management protocols.

   This document defines an SNMP MIB module to represent SYSLOG messages
   and to send SYSLOG messages as SNMP notifications to SNMP
   notification receivers.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

4.  Overview

   SYSLOG messages are converted by a SYSLOG to SNMP converter.  Such a
   converter acts as a SYSLOG receiver [I-D.ietf-syslog-protocol] and
   implements a MIB module according to the SNMP architecture [RFC3411].
   The converter might be tightly coupled to an SNMP agent or it might
   interface with an SNMP agent via a subagent protocol.

   After initialization, the converter will listen for SYSLOG messages.
   On receiving a message, the message will be parsed to extract
   information as described in the MIB module.  A conceptual table is
   populated with information extracted from the SYSLOG message and
   finally a notification may be generated.

   The MIB module is organized into a group of scalars and two tables.
   The syslogMsgControl group contains two scalars controlling the
   maximum number of SYSLOG messages recorded in the tables and whether
   SNMP notifications are generated for SYSLOG messages.

   --syslogMsgObjects(1)
     |
     +--syslogMsgControl(1)
        |
        +-- Unsigned32  syslogMsgTableMaxSize(1)
        +-- TruthValue  syslogMsgEnableNotifications(2)

   The syslogMsgTable contains one entry for each recorded SYSLOG
   message.  The basic fields of SYSLOG messages are represented in
   different columns of the conceptual table.

   --syslogMsgObjects(1)
     |
     +--syslogMsgTable(2)
        |
        +--syslogMsgEntry(1) [syslogMsgIndex]
           |
           +-- Unsigned32       syslogMsgIndex(1)
           +-- SyslogFacility   syslogMsgFacility(2)
           +-- SyslogSeverity   syslogMsgSeverity(3)
           +-- Unsigned32       syslogMsgVersion(4)
           +-- SyslogTimeStamp  syslogMsgTimeStamp(5)
           +-- DisplayString    syslogMsgHostName(6)
           +-- DisplayString    syslogMsgAppName(7)
           +-- DisplayString    syslogMsgProcID(8)
           +-- DisplayString    syslogMsgMsgID(9)
           +-- OctetString      syslogMsgMsg(10)
           +-- Bits             syslogMsgFlags(11)

   The syslogMsgSDTable contains one entry for each structured data
   element parameter contained in a SYSLOG message.  Since structured
   data elements are optional, the relationship between the
   syslogMsgTable and the syslogMsgSDTable is 1:0..*.
   --syslogMsgObjects(1)
     |
     +--syslogMsgSDTable(3)
        |
        +--syslogMsgSDEntry(1) [syslogMsgIndex,
           |                    syslogMsgSDParamIndex,
           |                    syslogMsgSDID,
           |                    syslogMsgSDParamName]
           |
           +-- Unsigned32       syslogMsgSDParamIndex(1)
           +-- DisplayString    syslogMsgSDID(2)
           +-- DisplayString    syslogMsgSDParamName(3)
           +-- SnmpAdminString  syslogMsgSDParamValue(4)

5.  Relationship to Other MIB Modules

   The NOTIFICATION-LOG-MIB [RFC3014] provides a generic mechanism for
   logging SNMP notifications in order to deal with lost SNMP
   notifications, e.g., due to transient communication problems.
   Applications can poll the notification log to verify that they have
   not missed important SNMP notifications.

   The MIB module defined in this memo provides a mechanism for logging
   SYSLOG notifications.  This additional SYSLOG notification log is
   provided because (a) SYSLOG messages might not lead to SNMP
   notifications (this is configurable) and (b) SNMP notifications might
   not carry all information associated with a SYSLOG notification.

   The following MIB module IMPORTS objects from SNMPv2-SMI [RFC2578],
   SNMPv2-TC [RFC2579], SNMPv2-CONF [RFC2580], SNMP-FRAMEWORK-MIB
   [RFC3411], and SYSLOG-TC-MIB [I-D.ietf-syslog-tc-mib].

6.  Relationship to SYSLOG to SNMP Mappings

   A companion document defines a mapping of SNMP notifications to
   SYSLOG messages [I-D.ietf-opsawg-syslog-snmp].  This section
   discusses the possibilities of using both specifications in
   combination to create notification "tunnels".

   A SYSLOG receiver implementing the SYSLOG-MSG-MIB module and the
   mapping of SNMP notifications to SYSLOG messages may be configured to
   translate received SYSLOG messages containing SNMP notifications back
   into the original SNMP notification.  In this case, the relevant
   tables of the SYSLOG-MSG-MIB will not be populated for SYSLOG
   messages carrying SNMP notifications.
   This configuration allows operators to build a forwarding chain where
   SNMP notifications are "tunneled" through SYSLOG messages.

   An SNMP management application supporting the SYSLOG-MSG-MIB and the
   mapping of SNMP notifications to SYSLOG messages may process
   information from the SYSLOG-MSG-MIB in order to emit a SYSLOG message
   representing the SYSLOG message recorded in the SYSLOG-MSG-MIB
   module.  This configuration allows operators to build a forwarding
   chain where SYSLOG messages are "tunneled" through SNMP messages.
   While the SYSLOG-MSG-MIB provides a definition of an SNMP
   notification to carry essential parts of a SYSLOG message, it is
   important to realize that it is not required to include all
   structured data elements (SD-IDs) of a SYSLOG message in this
   notification due to SNMP message size limitations.  As a consequence,
   an SNMP management application should use trap-directed polling to
   determine whether a received SNMP notification did include all SD-IDs
   of a SYSLOG message.  Regular polling of the SYSLOG-MSG-MIB also
   takes care of any lost SNMP notifications.

7.  Definitions

   SYSLOG-MSG-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Unsigned32, mib-2
           FROM SNMPv2-SMI
       TEXTUAL-CONVENTION, DisplayString, TruthValue
           FROM SNMPv2-TC
       OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE
           FROM SNMPv2-CONF
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB
       SyslogFacility, SyslogSeverity
           FROM SYSLOG-TC-MIB;

   syslogMsgMib MODULE-IDENTITY
       LAST-UPDATED "200903090800Z"
       ORGANIZATION "IETF OPSAWG Working Group"
       CONTACT-INFO
           "Juergen Schoenwaelder

            Jacobs University Bremen
            Campus Ring 1
            28757 Bremen
            Germany

            Alexander Clemm

            Cisco Systems
            170 West Tasman Drive
            San Jose, CA 95134-1706
            USA

            Anirban Karmakar

            Cisco Systems
            170 West Tasman Drive
            San Jose, CA 95134-1706
            USA"
       DESCRIPTION
           "This MIB module represents SYSLOG messages as SNMP objects.

            Copyright (c) 2009 IETF Trust and the persons identified as
            the document authors.  All rights reserved.  This version of
            this MIB module is part of RFC XXXX; see the RFC itself for
            full legal notices."
       REVISION "200902200800Z"
       DESCRIPTION
           "Initial version issued as part of RFC XXXX."
       -- RFC Ed.: replace XXXX with actual RFC number & remove this note
       ::= { mib-2 XXX }
       -- RFC Ed.: replace XXX with IANA-assigned number & remove this note

   -- textual convention definitions

   SyslogTimeStamp ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "2d-1d-1d,1d:1d:1d.3d,1a1d:1d"
       STATUS       current
       DESCRIPTION
           "A date-time specification.  This type is similar to the
            DateAndTime type defined in the SNMPv2-TC except that
            the subsecond granulation is microseconds instead of
            deciseconds and that a zero-length string can be used
            to indicate a missing value.
            field  octets  contents                  range
            -----  ------  --------                  -----
              1      1-2   year*                     0..65536
              2       3    month                     1..12
              3       4    day                       1..31
              4       5    hour                      0..23
              5       6    minutes                   0..59
              6       7    seconds                   0..60
                           (use 60 for leap-second)
              7     8-10   microseconds              0..999999
              8      11    direction from UTC        '+' / '-'
              9      12    hours from UTC*           0..13
             10      13    minutes from UTC          0..59

            * Notes:
            - the value of year is in network-byte order
            - the value of microseconds is in network-byte order
            - daylight saving time in New Zealand is +13

            For example, Tuesday May 26, 1992 at 1:30:15 PM EDT would be
            displayed as:

                             1992-5-26,13:30:15.0,-4:0

            Note that if only local time is known, then timezone
            information (octets 11-13) is not present."
       SYNTAX       OCTET STRING (SIZE (0 | 10 | 13))

   -- object definitions

   syslogMsgNotifications OBJECT IDENTIFIER ::= { syslogMsgMib 0 }
   syslogMsgObjects       OBJECT IDENTIFIER ::= { syslogMsgMib 1 }
   syslogMsgConformance   OBJECT IDENTIFIER ::= { syslogMsgMib 2 }

   syslogMsgControl OBJECT IDENTIFIER ::= { syslogMsgObjects 1 }

   syslogMsgTableMaxSize OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The maximum number of syslog messages that may be held in
            syslogMsgTable.  A particular setting does not guarantee that
            there is sufficient memory available for the maximum number
            of table entries indicated by this object.  A value of 0 means
            no limit.

            If an application reduces the limit while there are syslog
            messages in the syslogMsgTable, the syslog messages that are
            in the syslogMsgTable for the longest time MUST be discarded
            to bring the table down to the new limit.

            The value of this object should be kept in nonvolatile
            memory."
       DEFVAL { 0 }
       ::= { syslogMsgControl 1 }

   syslogMsgEnableNotifications OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "Indicates whether syslogMsgNotification notifications are
            generated.

            The value of this object should be kept in nonvolatile
            memory."
       DEFVAL { false }
       ::= { syslogMsgControl 2 }

   syslogMsgTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogMsgEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing recent syslog messages.  The size of the
            table is controlled by the syslogMsgTableMaxSize object."
       ::= { syslogMsgObjects 2 }

   syslogMsgEntry OBJECT-TYPE
       SYNTAX      SyslogMsgEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry of the syslogMsgTable."
       INDEX { syslogMsgIndex }
       ::= { syslogMsgTable 1 }

   SyslogMsgEntry ::= SEQUENCE {
       syslogMsgIndex      Unsigned32,
       syslogMsgFacility   SyslogFacility,
       syslogMsgSeverity   SyslogSeverity,
       syslogMsgVersion    Unsigned32,
       syslogMsgTimeStamp  SyslogTimeStamp,
       syslogMsgHostName   DisplayString,
       syslogMsgAppName    DisplayString,
       syslogMsgProcID     DisplayString,
       syslogMsgMsgID      DisplayString,
       syslogMsgMsg        OCTET STRING,
       syslogMsgFlags      BITS
   }

   syslogMsgIndex OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A monotonically increasing number used to identify entries in
            the syslogMsgTable.  When syslogMsgIndex reaches the maximum
            value the value wraps back to 1."
       ::= { syslogMsgEntry 1 }

   syslogMsgFacility OBJECT-TYPE
       SYNTAX      SyslogFacility
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The facility of the syslog message."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.1)
            RFCZZZZ: Textual Conventions for Syslog Management"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       -- RFC Ed.: replace ZZZZ with SYSLOG TC RFC number, remove this note
       ::= { syslogMsgEntry 2 }

   syslogMsgSeverity OBJECT-TYPE
       SYNTAX      SyslogSeverity
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The severity of the syslog message."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.1)
            RFCZZZZ: Textual Conventions for Syslog Management"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       -- RFC Ed.: replace ZZZZ with SYSLOG TC RFC number, remove this note
       ::= { syslogMsgEntry 3 }

   syslogMsgVersion OBJECT-TYPE
       SYNTAX      Unsigned32 (0..999)
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The version of the syslog message.  A value of 0 indicates
            that the version is unknown."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.2)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 4 }

   syslogMsgTimeStamp OBJECT-TYPE
       SYNTAX      SyslogTimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The timestamp of the syslog message.  A zero-length
            string is returned if the timestamp is unknown."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.3)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 5 }

   syslogMsgHostName OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (0..255))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The host name of the syslog message.  A zero-length string
            indicates an unknown host name.  The SYSLOG protocol
            specification constrains this string to printable US-ASCII
            code points."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.4)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 6 }

   syslogMsgAppName OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (0..48))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The app-name of the syslog message.  A zero-length string
            indicates an unknown app-name.  The SYSLOG protocol
            specification constrains this string to printable US-ASCII
            code points."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.5)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 7 }

   syslogMsgProcID OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (0..128))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The procid of the syslog message.  A zero-length string
            indicates an unknown procid.  The SYSLOG protocol specification
            constrains this string to printable US-ASCII code points."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.6)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 8 }

   syslogMsgMsgID OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (0..32))
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The msgid of the syslog message.  A zero-length string
            indicates an unknown msgid.  The SYSLOG protocol specification
            constrains this string to printable US-ASCII code points."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.7)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 9 }

   syslogMsgMsg OBJECT-TYPE
       SYNTAX      OCTET STRING
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The message part of the syslog message.  The syntax does not
            impose a size restriction.
            Implementations of this MIB module
            may truncate the message part of the syslog message such that
            it fits into the size constraints imposed by the
            implementation environment.  If the message has been truncated
            by the SYSLOG to SNMP converter, the truncated bit in the
            syslogMsgFlags must be set to 1.

            If the first octets contain the value 'EFBBBF'h, then the rest
            of the message is a UTF-8 string.  Since syslog messages may be
            truncated at arbitrary octet boundaries during forwarding, the
            message may contain invalid UTF-8 encodings at the end."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.4)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 10 }

   syslogMsgFlags OBJECT-TYPE
       SYNTAX      BITS { truncated(0), sdparams(1) }
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The bits contained in this object convey meta information
            about the syslog message.  The meaning of the bits is as
            follows:

            truncated - This bit is set if the converter had to
                        truncate the syslogMsgMsg to comply with
                        implementation and/or SNMP message size
                        constraints.

            sdparams  - This bit is set if the syslog message
                        contained structured data element parameters
                        and serves as an indicator whether there is
                        data in the syslogMsgSDTable for this syslog
                        message.

            For syslog messages without structured data element parameters
            that were not truncated by the converter, none of the bits is
            set."
       ::= { syslogMsgEntry 11 }

   syslogMsgSDTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogMsgSDEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing structured data elements of syslog
            messages."
       ::= { syslogMsgObjects 3 }

   syslogMsgSDEntry OBJECT-TYPE
       SYNTAX      SyslogMsgSDEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "An entry of the syslogMsgSDTable."
       INDEX { syslogMsgIndex, syslogMsgSDParamIndex,
               syslogMsgSDID, syslogMsgSDParamName }
       ::= { syslogMsgSDTable 1 }

   SyslogMsgSDEntry ::= SEQUENCE {
       syslogMsgSDParamIndex  Unsigned32,
       syslogMsgSDID          DisplayString,
       syslogMsgSDParamName   DisplayString,
       syslogMsgSDParamValue  SnmpAdminString
   }

   syslogMsgSDParamIndex OBJECT-TYPE
       SYNTAX      Unsigned32 (1..4294967295)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "This object indexes the structured data element parameters
            contained in a SYSLOG message.  The first structured data
            element parameter has the index value 1 and subsequent
            parameters are indexed by incrementing the index of the
            previous parameter.  The index increases across structured
            data element boundaries so that the value reflects the
            position of a structured data element parameter in a
            SYSLOG message."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.3.3)"
       ::= { syslogMsgSDEntry 1 }

   syslogMsgSDID OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The name (SD-ID) of a structured data element.  The SYSLOG
            protocol specification constrains this string to printable
            US-ASCII code points."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.3.2)"
       ::= { syslogMsgSDEntry 2 }

   syslogMsgSDParamName OBJECT-TYPE
       SYNTAX      DisplayString (SIZE (1..32))
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The name of a parameter of the structured data element.  The
            SYSLOG protocol specification constrains this string to
            printable US-ASCII code points."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.3.3)"
       ::= { syslogMsgSDEntry 3 }

   syslogMsgSDParamValue OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The value of the parameter of a syslog message identified by
            the index of this table.  The value is stored in the unescaped
            format."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.3.3)"
       ::= { syslogMsgSDEntry 4 }

   -- notification definitions

   syslogMsgNotification NOTIFICATION-TYPE
       OBJECTS { syslogMsgFacility, syslogMsgSeverity,
                 syslogMsgVersion, syslogMsgTimeStamp,
                 syslogMsgHostName, syslogMsgAppName,
                 syslogMsgProcID, syslogMsgMsgID,
                 syslogMsgMsg, syslogMsgFlags }
       STATUS  current
       DESCRIPTION
           "The syslogMsgNotification is generated when a new syslog
            message is received and the value of
            syslogMsgEnableNotifications is true.

            Implementations may add syslogMsgSDParamValue objects as long
            as the resulting notification fits into the size constraints
            imposed by the implementation environment and the notification
            message size constraints imposed by maxMessageSize [RFC3412]
            and SNMP transport mappings."
       ::= { syslogMsgNotifications 1 }

   -- conformance statements

   syslogMsgGroups      OBJECT IDENTIFIER ::= { syslogMsgConformance 1 }
   syslogMsgCompliances OBJECT IDENTIFIER ::= { syslogMsgConformance 2 }

   syslogMsgFullCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
           "The compliance statement for implementations of the
            SYSLOG-MSG-MIB."
       MODULE -- this module
       MANDATORY-GROUPS {
           syslogMsgGroup,
           syslogMsgSDGroup,
           syslogMsgControlGroup,
           syslogMsgNotificationGroup
       }
       ::= { syslogMsgCompliances 1 }

   syslogMsgReadOnlyCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
           "The compliance statement for implementations of the
            SYSLOG-MSG-MIB that do not support read-write access."
       MODULE -- this module
       MANDATORY-GROUPS {
           syslogMsgGroup,
           syslogMsgSDGroup,
           syslogMsgControlGroup,
           syslogMsgNotificationGroup
       }
       OBJECT syslogMsgTableMaxSize
       MIN-ACCESS read-only
       DESCRIPTION
           "Write access is not required."
       OBJECT syslogMsgEnableNotifications
       MIN-ACCESS read-only
       DESCRIPTION
           "Write access is not required."
       ::= { syslogMsgCompliances 2 }

   syslogMsgNotificationCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
           "The compliance statement for implementations of the
            SYSLOG-MSG-MIB that only generate notifications and do not
            provide a table to allow read access to syslog message
            details."
       MODULE -- this module
       MANDATORY-GROUPS {
           syslogMsgGroup,
           syslogMsgSDGroup,
           syslogMsgNotificationGroup
       }
       OBJECT syslogMsgFacility
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgSeverity
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgVersion
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgTimeStamp
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgHostName
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgAppName
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgProcID
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgMsgID
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgMsg
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgFlags
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       OBJECT syslogMsgSDParamValue
       MIN-ACCESS accessible-for-notify
       DESCRIPTION
           "Read access is not required."
       ::= { syslogMsgCompliances 3 }

   syslogMsgNotificationGroup NOTIFICATION-GROUP
       NOTIFICATIONS {
           syslogMsgNotification
       }
       STATUS  current
       DESCRIPTION
           "The notifications emitted by this MIB module."
       ::= { syslogMsgGroups 1 }

   syslogMsgGroup OBJECT-GROUP
       OBJECTS {
           -- syslogMsgIndex,
           syslogMsgFacility,
           syslogMsgSeverity,
           syslogMsgVersion,
           syslogMsgTimeStamp,
           syslogMsgHostName,
           syslogMsgAppName,
           syslogMsgProcID,
           syslogMsgMsgID,
           syslogMsgMsg,
           syslogMsgFlags
       }
       STATUS  current
       DESCRIPTION
           "A collection of objects representing a syslog message
            excluding structured data elements."
       ::= { syslogMsgGroups 2 }

   syslogMsgSDGroup OBJECT-GROUP
       OBJECTS {
           -- syslogMsgSDParamIndex,
           -- syslogMsgSDID,
           -- syslogMsgSDParamName,
           syslogMsgSDParamValue
       }
       STATUS  current
       DESCRIPTION
           "A collection of objects representing the structured data
            elements of a syslog message."
       ::= { syslogMsgGroups 3 }

   syslogMsgControlGroup OBJECT-GROUP
       OBJECTS {
           syslogMsgTableMaxSize,
           syslogMsgEnableNotifications
       }
       STATUS  current
       DESCRIPTION
           "A collection of control objects to control the size of the
            syslogMsgTable and to enable / disable notifications."
       ::= { syslogMsgGroups 4 }

   END

8.  Usage Example

   The following example shows a valid syslog message including
   structured data.  The otherwise-unprintable Unicode BOM is
   represented as "BOM" in the example.

      <165>1 2003-10-11T22:14:15.003Z mymachine.example.com
      evntslog - ID47 [exampleSDID@0 iut="3" eventSource="Application"
      eventID="1011"] BOMAn application event log entry...
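   The parsing step of Section 4, the SyslogTimeStamp octet layout, the
   syslogMsgFlags bits, the cross-element numbering of
   syslogMsgSDParamIndex and the eviction rule of syslogMsgTableMaxSize,
   exercised on the message above.  This is an added Python example
   written for this page; it is not code from the draft or its authors.
   Assumptions that the draft does not make: max_msg_octets stands in
   for the unspecified "size constraints imposed by the implementation
   environment"; only RFC 5424 formatted input is handled; the NILVALUE
   "-" in PROCID is stored as the zero-length string the object
   DESCRIPTION prescribes for an unknown procid (the draft's own listing
   of this example writes it as "-"); and an unparsable TIMESTAMP is
   stored as the zero-length string that means "unknown".

```python
"""Added example (not from the draft): a toy SYSLOG-to-SNMP converter filling the SYSLOG-MSG-MIB tables."""
import re
from collections import OrderedDict

# RFC 5424 HEADER: PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,3}) (?P<ts>\S+) (?P<host>\S+) "
                       r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ")
SD_ELEMENT_RE = re.compile(r'\[(?P<sdid>[^ \]="]+)(?P<params>(?: [^ =\]]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r'(?P<name>[^ =\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')
TS_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?(Z|[+-]\d{2}:\d{2})$")

# Constructed sample: the draft's Section 8 message with a real UTF-8 BOM in front of MSG.
EXAMPLE_MESSAGE = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
                   '[exampleSDID@0 iut="3" eventSource="Application" eventID="1011"] '
                   '\ufeffAn application event log entry...').encode("utf-8")


def encode_timestamp(ts):
    """RFC 5424 TIMESTAMP -> 13 SyslogTimeStamp octets; b'' (unknown) for NILVALUE or unparsable input."""
    m = TS_RE.match(ts)
    if not m:
        return b""
    year, month, day, hour, minute, second = (int(x) for x in m.groups()[:6])
    micros, tz = int((m.group(7) or "").ljust(6, "0")), m.group(8)   # fraction -> microseconds
    sign, tzh, tzm = (b"+", 0, 0) if tz == "Z" else (tz[0].encode(), int(tz[1:3]), int(tz[4:6]))
    return (year.to_bytes(2, "big") + bytes([month, day, hour, minute, second])
            + micros.to_bytes(3, "big") + sign + bytes([tzh, tzm]))


def display_timestamp(octets):
    """Render SyslogTimeStamp octets as the DISPLAY-HINT '2d-1d-1d,1d:1d:1d.3d,1a1d:1d' does."""
    if len(octets) == 0:                              # zero-length string = unknown timestamp
        return ""
    if len(octets) not in (10, 13):
        raise ValueError("SyslogTimeStamp must be 0, 10 or 13 octets")
    month, day, hour, minute, second = octets[2:7]
    out = "%d-%d-%d,%d:%d:%d.%d" % (int.from_bytes(octets[0:2], "big"), month, day, hour,
                                    minute, second, int.from_bytes(octets[7:10], "big"))
    if len(octets) == 13:                             # timezone octets present
        out += ",%s%d:%d" % (chr(octets[10]), octets[11], octets[12])
    return out


def unescape_param(value):
    return re.sub(r'\\([\\"\]])', r"\1", value)       # undo RFC 5424 PARAM-VALUE escaping


class SyslogMsgMib:
    """In-memory syslogMsgControl scalars, syslogMsgTable and syslogMsgSDTable."""

    def __init__(self, table_max_size=0, max_msg_octets=None):
        self.syslogMsgTableMaxSize = table_max_size   # 0 means no limit
        self.max_msg_octets = max_msg_octets          # assumed implementation limit on MSG
        self.msg_table = OrderedDict()                # syslogMsgIndex -> row
        self.sd_table = OrderedDict()                 # (index, paramIndex, sdid, name) -> value
        self._next_index = 1

    def set_table_max_size(self, n):
        self.syslogMsgTableMaxSize = n                # lowering it discards the oldest entries
        self._enforce_limit()

    def _enforce_limit(self):
        while self.syslogMsgTableMaxSize and len(self.msg_table) > self.syslogMsgTableMaxSize:
            oldest, _ = self.msg_table.popitem(last=False)
            for key in [k for k in self.sd_table if k[0] == oldest]:
                del self.sd_table[key]

    def receive(self, raw):
        """Parse one raw syslog message (bytes) into a syslogMsgTable row plus SD rows."""
        text = raw.decode("latin-1")                  # byte-transparent; MSG re-encoded below
        m = HEADER_RE.match(text)
        if not m:
            raise ValueError("not an RFC 5424 message")
        rest, params = text[m.end():], []
        if rest.startswith("-"):                      # NILVALUE: no STRUCTURED-DATA
            rest = rest[1:]
        while rest.startswith("["):
            e = SD_ELEMENT_RE.match(rest)
            if not e:
                raise ValueError("malformed SD-ELEMENT")
            for p in SD_PARAM_RE.finditer(e.group("params")):
                params.append((e.group("sdid"), p.group("name"), unescape_param(p.group("value"))))
            rest = rest[e.end():]
        msg = rest[1:].encode("latin-1") if rest.startswith(" ") else b""
        flags = {"sdparams"} if params else set()     # sdparams: rows exist in syslogMsgSDTable
        if self.max_msg_octets is not None and len(msg) > self.max_msg_octets:
            msg, flags = msg[:self.max_msg_octets], flags | {"truncated"}   # may split a UTF-8 char
        nil = lambda s: "" if s == "-" else s         # NILVALUE -> zero-length string
        pri, idx = int(m.group("pri")), self._next_index
        self._next_index = 1 if idx == 0xFFFFFFFF else idx + 1   # Unsigned32 index wraps to 1
        row = {"syslogMsgIndex": idx, "syslogMsgFacility": pri // 8, "syslogMsgSeverity": pri % 8,
               "syslogMsgVersion": int(m.group("version")),
               "syslogMsgTimeStamp": encode_timestamp(m.group("ts")),
               "syslogMsgHostName": nil(m.group("host")), "syslogMsgAppName": nil(m.group("app")),
               "syslogMsgProcID": nil(m.group("procid")), "syslogMsgMsgID": nil(m.group("msgid")),
               "syslogMsgMsg": msg, "syslogMsgFlags": flags}
        self.msg_table[idx] = row
        # syslogMsgSDParamIndex counts parameters across SD-ELEMENT boundaries, starting at 1
        for n, (sdid, name, value) in enumerate(params, start=1):
            self.sd_table[(idx, n, sdid, name)] = value.encode("latin-1").decode("utf-8", "replace")
        self._enforce_limit()
        return row
```

   Calling SyslogMsgMib().receive(EXAMPLE_MESSAGE) yields facility 20
   and severity 5 from PRI 165, the BOM-prefixed MSG as raw octets, the
   timestamp as the 13 octets the textual convention defines, and three
   syslogMsgSDTable rows indexed 1..3.  A converter constructed with
   max_msg_octets below the MSG length sets the truncated bit as well,
   which is exactly the case in which the stored octets can end in a cut
   UTF-8 sequence; a second table built with table_max_size=2 shows the
   oldest entry and its SD rows being discarded once a third message
   arrives.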
   This syslog message leads to the following entries in the
   syslogMsgTable and the syslogMsgSDTable (note that string indexes are
   written as strings for readability reasons):

      syslogMsgIndex.1      = 1
      syslogMsgFacility.1   = 20
      syslogMsgSeverity.1   = 5
      syslogMsgVersion.1    = 1
      syslogMsgTimeStamp.1  = 2003-10-11 22:14:15.003+00:00
      syslogMsgHostName.1   = "mymachine.example.com"
      syslogMsgAppName.1    = "evntslog"
      syslogMsgProcID.1     = "-"
      syslogMsgMsgID.1      = "ID47"
      syslogMsgMsg.1        = "BOMAn application event log entry..."
      syslogMsgSDParamValue.1.1."exampleSDID@0"."iut"
                            = "3"
      syslogMsgSDParamValue.1.2."exampleSDID@0"."eventSource"
                            = "Application"
      syslogMsgSDParamValue.1.3."exampleSDID@0"."eventID"
                            = "1011"

9.  IANA Considerations

   The IANA is requested to assign a value for "XXX" under the 'mib-2'
   subtree and to record the assignment in the SMI Numbers registry.
   When the assignment has been made, the RFC Editor is asked to replace
   "XXX" (here and in the MIB module) with the assigned value.

10.  Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

   o  syslogMsgTableMaxSize: This object controls how many entries are
      kept in the syslogMsgTable.  Unauthorized modifications may either
      cause increased memory consumption (by setting this object to a
      large value) or turn off the capability to retrieve notifications
      using GET class operations (by setting this object to zero).  This
      might be used to hide traces of an attack.
864 o syslogMsgEnableNotifications: This object enables notifications. 865 Unauthorized modifications to disable notification generation can 866 be used to hide an attack. Unauthorized modifications to enable 867 notification generation may be used as part of a denial of service 868 attack against a network management system if for example the 869 SYSLOG to SNMP converter accepts unauthorized syslog messages. 871 Some of the readable objects in this MIB module (i.e., objects with a 872 MAX-ACCESS other than not-accessible) may be considered sensitive or 873 vulnerable in some network environments. It is thus important to 874 control even GET and/or NOTIFY access to these objects and possibly 875 to even encrypt the values of these objects when sending them over 876 the network via SNMP. These are the tables and objects and their 877 sensitivity/vulnerability: 879 o syslogMsgTableMaxSize, syslogMsgEnableNotifications: These objects 880 provide information whether SYSLOG messages are forwarded as SNMP 881 notifications and how many messages will be maintained in the 882 syslogMsgTable. This information might be exploited by an 883 attacker in order to plan actions with the goal of hiding attack 884 activities. 885 o syslogMsgFacility, syslogMsgSeverity, syslogMsgVersion, 886 syslogMsgTimeStamp, syslogMsgHostName, syslogMsgAppName, 887 syslogMsgProcID, syslogMsgMsgID, syslogMsgMsg, syslogMsgFlags, 888 syslogMsgSDParamValue: These objects carry the content of syslog 889 messags and the syslog message oriented security considerations of 890 [I-D.ietf-syslog-protocol] apply. In particular, an attacker who 891 gains access to SYSLOG messages via SNMP may use the knowledge 892 gained from SYSLOG messages to compromise a machine or do other 893 damage. 895 SNMP versions prior to SNMPv3 did not include adequate security. 
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is allowed
   to access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

11.  Acknowledgments

   The authors wish to thank Martin Bjorklund, Washam Fan, Rainer
   Gerhards, Wes Hardaker, David Harrington, Tom Petch, Juergen
   Quittek, Bert Wijnen, and all other people who commented on various
   versions of this document.

12.  References

12.1.  Normative References

   [I-D.ietf-opsawg-syslog-snmp]
              Marinov, V. and J. Schoenwaelder, "Mapping Simple Network
              Management Protocol (SNMP) Notifications to SYSLOG
              Messages", Internet Draft (work in progress), March 2009.

   [I-D.ietf-syslog-protocol]
              Gerhards, R., "The syslog Protocol", Internet Draft (work
              in progress), September 2007.

   [I-D.ietf-syslog-tc-mib]
              Keeni, G., "Textual Conventions for Syslog Management",
              Internet Draft (work in progress), May 2008.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Structure of Management Information Version 2 (SMIv2)",
              STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Textual Conventions for SMIv2", STD 58, RFC 2579,
              April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

12.2.  Informative References

   [RFC3014]  Kavasseri, R., Ed., "Notification Log MIB", RFC 3014,
              November 2002.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Juergen Schoenwaelder
   Jacobs University Bremen
   Campus Ring 1
   28725 Bremen
   Germany

   Email: j.schoenwaelder@jacobs-university.de

   Alexander Clemm
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   Email: alex@cisco.com

   Anirban Karmakar
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   Email: akarmaka@cisco.com