Network Working Group                                   J. Schoenwaelder
Internet-Draft                                  Jacobs University Bremen
Intended status: Standards Track                                A. Clemm
Expires: November 16, 2009                                   A. Karmakar
                                                           Cisco Systems
                                                            May 15, 2009


   Definitions of Managed Objects for Mapping SYSLOG Messages to Simple
              Network Management Protocol (SNMP) Notifications
                    draft-ietf-opsawg-syslog-msg-mib-03.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on November 16, 2009.
Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   This memo defines a portion of the Management Information Base (MIB)
   for use with network management protocols in the Internet community.
   In particular, it defines a mapping of SYSLOG messages to Simple
   Network Management Protocol (SNMP) notifications.

Table of Contents

   1.  Introduction
   2.  The Internet-Standard Management Framework
   3.  Conventions
   4.  Overview
   5.  Relationship to Other MIB Modules
   6.  Relationship to the SNMP Notification to SYSLOG Mapping
   7.  Definitions
   8.  Usage Example
   9.  IANA Considerations
   10. Security Considerations
   11. Acknowledgments
   12. References
       12.1. Normative References
       12.2. Informative References
   Authors' Addresses

1.  Introduction

   SNMP [RFC3410] [RFC3411] and SYSLOG [RFC5424] are two widely used
   protocols to communicate event notifications.
   Although co-existence of several management protocols in one
   operational environment is possible, certain environments require
   that all event notifications are collected by a single system daemon,
   such as a SYSLOG collector or an SNMP notification receiver, via a
   single management protocol.  In such environments, it is necessary
   to translate event notifications between management protocols.

   This document defines an SNMP MIB module to represent SYSLOG messages
   and to send SYSLOG messages as SNMP notifications to SNMP
   notification receivers.

2.  The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

3.  Conventions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

4.  Overview

   SYSLOG messages are converted by a SYSLOG to SNMP converter.  Such a
   converter acts as a SYSLOG collector [RFC5424] and implements a MIB
   module according to the SNMP architecture [RFC3411].  The converter
   might be tightly coupled to an SNMP agent or it might interface with
   an SNMP agent via a subagent protocol.

   After initialization, the converter will listen for SYSLOG messages.
   On receiving a message, the message will be parsed to extract
   information as described in the MIB module.  A conceptual table is
   populated with information extracted from the SYSLOG message and
   finally a notification may be generated.

   The MIB module is organized into a group of scalars and two tables.
   The syslogMsgControl group contains two scalars controlling the
   maximum size of SYSLOG messages recorded in the tables and whether
   SNMP notifications are generated for SYSLOG messages.

   --syslogMsgObjects(1)
     |
     +--syslogMsgControl(1)
        |
        +-- Unsigned32 syslogMsgTableMaxSize(1)
        +-- TruthValue syslogMsgEnableNotifications(2)

   The syslogMsgTable contains one entry for each recorded SYSLOG
   message.  The basic fields of SYSLOG messages as well as message
   properties are represented in different columns of the conceptual
   table.

   --syslogMsgObjects(1)
     |
     +--syslogMsgTable(2)
        |
        +--syslogMsgEntry(1) [syslogMsgIndex]
           |
           +-- Unsigned32      syslogMsgIndex(1)
           +-- SyslogFacility  syslogMsgFacility(2)
           +-- SyslogSeverity  syslogMsgSeverity(3)
           +-- Unsigned32      syslogMsgVersion(4)
           +-- SyslogTimeStamp syslogMsgTimeStamp(5)
           +-- DisplayString   syslogMsgHostName(6)
           +-- DisplayString   syslogMsgAppName(7)
           +-- DisplayString   syslogMsgProcID(8)
           +-- DisplayString   syslogMsgMsgID(9)
           +-- Unsigned32      syslogMsgSDParams(10)
           +-- OctetString     syslogMsgMsg(11)

   The syslogMsgSDTable contains one entry for each structured data
   element parameter contained in a SYSLOG message.  Since structured
   data elements are optional, the relationship between the
   syslogMsgTable and the syslogMsgSDTable is 1:0..*.
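   As an added illustration (not part of the draft), the following
   Python shows how a converter would split one RFC 5424 message into a
   syslogMsgTable row and its 0..* syslogMsgSDTable rows.  It uses the
   section 8 message as constructed input, maps NILVALUE to the
   zero-length string as the object DESCRIPTIONs require, and encodes
   the timestamp in the SyslogTimeStamp layout of section 7; the
   function names and the regular expressions are the example's own.

```python
import re
import struct

# Constructed sample input: the RFC 5424 message from section 8 of the draft,
# with the UTF-8 BOM (EF BB BF) actually present in front of the MSG part.
SAMPLE = (b'<165>1 2003-10-11T22:14:15.003Z mymachine.example.com '
          b'evntslog - ID47 [exampleSDID@0 iut="3" eventSource="Application" '
          b'eventID="1011"] \xef\xbb\xbfAn application event log entry...')

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ver>\d{1,3}) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<proc>\S+) (?P<msgid>\S+) ')
TS_RE = re.compile(
    r'^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?'
    r'(Z|[+-]\d{2}:\d{2})$')
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" '"' PARAM-VALUE '"') "]"
SD_ELEMENT_RE = re.compile(r'\[([^ =\]"]+)((?: [^ =\]"]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(r' ([^ =\]"]+)="((?:[^"\\]|\\.)*)"')


def encode_syslog_timestamp(ts):
    """RFC 5424 TIMESTAMP -> SyslogTimeStamp octets: year(2) month day hour min
    sec micros(3) sign hours minutes, multi-octet fields big-endian; b'' for '-'."""
    if ts == '-':
        return b''
    m = TS_RE.match(ts)
    if not m:
        raise ValueError('bad TIMESTAMP: %s' % ts)
    year, month, day, hour, minute, sec, frac, tz = m.groups()
    micros = int((frac or '0').ljust(6, '0'))   # '.003' -> 3000 microseconds
    if tz == 'Z':
        sign, tzh, tzm = b'+', 0, 0
    else:
        sign, tzh, tzm = tz[0].encode(), int(tz[1:3]), int(tz[4:6])
    return (struct.pack('>HBBBBB', int(year), int(month), int(day),
                        int(hour), int(minute), int(sec))
            + micros.to_bytes(3, 'big') + sign + bytes([tzh, tzm]))

def display_syslog_timestamp(octets):
    """Render per the TC's DISPLAY-HINT "2d-1d-1d,1d:1d:1d.3d,1a1d:1d"."""
    if not octets:
        return ''
    year, month, day, hour, minute, sec = struct.unpack('>HBBBBB', octets[:7])
    micros = int.from_bytes(octets[7:10], 'big')
    text = '%d-%d-%d,%d:%d:%d.%d' % (year, month, day, hour, minute, sec, micros)
    if len(octets) == 13:                     # the 10-octet form has no timezone
        text += ',%s%d:%d' % (chr(octets[10]), octets[11], octets[12])
    return text

def unescape_param_value(raw):
    """Undo the RFC 5424 PARAM-VALUE escapes of '"', '\\' and ']'."""
    return re.sub(r'\\([\\"\]])', r'\1', raw)

def parse_message(data, index):
    """One syslogMsgTable row plus its 0..* syslogMsgSDTable rows (shared index)."""
    text = data.decode('latin-1')   # byte-preserving; header and SD are US-ASCII
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError('not an RFC 5424 message')
    pri = int(m.group('pri'))
    hdr = {k: '' if m.group(k) == '-' else m.group(k)   # NILVALUE -> zero-length
           for k in ('host', 'app', 'proc', 'msgid')}
    rest = text[m.end():]
    sd_rows = []
    if rest.startswith('-'):        # STRUCTURED-DATA = NILVALUE
        rest = rest[1:]
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == '[':
            e = SD_ELEMENT_RE.match(rest, pos)
            if not e:
                raise ValueError('malformed STRUCTURED-DATA')
            for p in SD_PARAM_RE.finditer(e.group(2)):
                value = unescape_param_value(p.group(2)).encode('latin-1')
                sd_rows.append({
                    'syslogMsgIndex': index,
                    'syslogMsgSDParamIndex': len(sd_rows) + 1,  # counts across elements
                    'syslogMsgSDID': e.group(1),
                    'syslogMsgSDParamName': p.group(1),
                    'syslogMsgSDParamValue': value.decode('utf-8'),  # SnmpAdminString
                })
            pos = e.end()
        rest = rest[pos:]
    msg = rest[1:] if rest.startswith(' ') else rest   # optional SP MSG
    row = {
        'syslogMsgIndex': index,
        'syslogMsgFacility': pri // 8,    # PRI = facility * 8 + severity
        'syslogMsgSeverity': pri % 8,
        'syslogMsgVersion': int(m.group('ver')),
        'syslogMsgTimeStamp': encode_syslog_timestamp(m.group('ts')),
        'syslogMsgHostName': hdr['host'],
        'syslogMsgAppName': hdr['app'],
        'syslogMsgProcID': hdr['proc'],
        'syslogMsgMsgID': hdr['msgid'],
        'syslogMsgSDParams': len(sd_rows),
        'syslogMsgMsg': msg.encode('latin-1'),  # raw octets; EF BB BF prefix = UTF-8
    }
    return row, sd_rows
```

   Because syslogMsgSDParamIndex keeps counting across SD-ELEMENT
   boundaries, a receiver can compare syslogMsgSDParams against the
   parameters it actually got and fetch the rest from the table.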
   --syslogMsgObjects(1)
     |
     +--syslogMsgSDTable(3)
        |
        +--syslogMsgSDEntry(1) [syslogMsgIndex,
           |                    syslogMsgSDParamIndex,
           |                    syslogMsgSDID,
           |                    syslogMsgSDParamName]
           |
           +-- Unsigned32      syslogMsgSDParamIndex(1)
           +-- DisplayString   syslogMsgSDID(2)
           +-- DisplayString   syslogMsgSDParamName(3)
           +-- SnmpAdminString syslogMsgSDParamValue(4)

5.  Relationship to Other MIB Modules

   The NOTIFICATION-LOG-MIB [RFC3014] provides a generic mechanism for
   logging SNMP notifications in order to deal with lost SNMP
   notifications, e.g., due to transient communication problems.
   Applications can poll the notification log to verify that they have
   not missed important SNMP notifications.

   The MIB module defined in this memo provides a mechanism for logging
   SYSLOG notifications.  This additional SYSLOG notification log is
   provided because (a) SYSLOG messages might not lead to SNMP
   notifications (this is configurable) and (b) SNMP notifications might
   not carry all information associated with a SYSLOG notification.

   The following MIB module IMPORTS objects from SNMPv2-SMI [RFC2578],
   SNMPv2-TC [RFC2579], SNMPv2-CONF [RFC2580], SNMP-FRAMEWORK-MIB
   [RFC3411], and SYSLOG-TC-MIB [RFC5427].

6.  Relationship to the SNMP Notification to SYSLOG Mapping

   A companion document defines a mapping of SNMP notifications to
   SYSLOG messages [I-D.ietf-opsawg-syslog-snmp].  This section
   discusses the possibilities of using both specifications in
   combination.

   A SYSLOG collector implementing the SYSLOG-MSG-MIB module and the
   mapping of SNMP notifications to SYSLOG messages may be configured to
   translate received SYSLOG messages containing SNMP notifications back
   into the original SNMP notification.  In this case, the relevant
   tables of the SYSLOG-MSG-MIB will not be populated for SYSLOG
   messages carrying SNMP notifications.
   This configuration allows operators to build a forwarding chain where
   SNMP notifications are "tunneled" through SYSLOG messages.  Due to
   size restrictions of the SYSLOG transports and the more verbose
   textual encoding used by SYSLOG, there is a possibility that SNMP
   notification content gets truncated while tunneled through SYSLOG
   and thus the resulting SNMP notification may be incomplete.

   An SNMP management application supporting the SYSLOG-MSG-MIB and the
   mapping of SNMP notifications to SYSLOG messages may process
   information from the SYSLOG-MSG-MIB in order to emit a SYSLOG message
   representing the SYSLOG message recorded in the SYSLOG-MSG-MIB
   module.  This configuration allows operators to build a forwarding
   chain where SYSLOG messages are "tunneled" through SNMP messages.  A
   notification receiver can determine whether a syslogMsgNotification
   contained all structured data element parameters of a SYSLOG message.
   In case parameters are missing, a forwarding application MUST
   retrieve the missing parameters from the SYSLOG-MSG-MIB.  Regular
   polling of the SYSLOG-MSG-MIB can be used to take care of any lost
   SNMP notifications.

7.  Definitions

SYSLOG-MSG-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Unsigned32, mib-2
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION, DisplayString, TruthValue
        FROM SNMPv2-TC
    OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE
        FROM SNMPv2-CONF
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB
    SyslogFacility, SyslogSeverity
        FROM SYSLOG-TC-MIB;

syslogMsgMib MODULE-IDENTITY
    LAST-UPDATED "200905150800Z"
    ORGANIZATION "IETF OPSAWG Working Group"
    CONTACT-INFO
        "Juergen Schoenwaelder
         Jacobs University Bremen
         Campus Ring 1
         28757 Bremen
         Germany

         Alexander Clemm
         Cisco Systems
         170 West Tasman Drive
         San Jose, CA 95134-1706
         USA

         Anirban Karmakar
         Cisco Systems
         170 West Tasman Drive
         San Jose, CA 95134-1706
         USA"
    DESCRIPTION
        "This MIB module represents SYSLOG messages as SNMP objects.

         Copyright (c) 2009 IETF Trust and the persons identified as
         the document authors.  All rights reserved.

         Redistribution and use in source and binary forms, with or
         without modification, are permitted provided that the
         following conditions are met:

         - Redistributions of source code must retain the above
           copyright notice, this list of conditions and the
           following disclaimer.

         - Redistributions in binary form must reproduce the above
           copyright notice, this list of conditions and the
           following disclaimer in the documentation and/or other
           materials provided with the distribution.

         - Neither the name of Internet Society, IETF or IETF
           Trust, nor the names of specific contributors, may be
           used to endorse or promote products derived from this
           software without specific prior written permission.
         THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
         CONTRIBUTORS 'AS IS' AND ANY EXPRESS OR IMPLIED
         WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
         WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
         PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT
         OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
         INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
         (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
         GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
         BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
         LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
         (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
         OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
         POSSIBILITY OF SUCH DAMAGE.

         This version of this MIB module is part of RFC XXXX; see
         the RFC itself for full legal notices."
    REVISION "200905150800Z"
    DESCRIPTION
        "Initial version issued as part of RFC XXXX."
    -- RFC Ed.: replace XXXX with actual RFC number & remove this note
    ::= { mib-2 XXX }
    -- RFC Ed.: replace XXX with IANA-assigned number & remove this note

-- textual convention definitions

SyslogTimeStamp ::= TEXTUAL-CONVENTION
    DISPLAY-HINT "2d-1d-1d,1d:1d:1d.3d,1a1d:1d"
    STATUS       current
    DESCRIPTION
        "A date-time specification.  This type is similar to the
         DateAndTime type defined in the SNMPv2-TC except that
         the subsecond granulation is microseconds instead of
         deciseconds and that a zero-length string can be used
         to indicate a missing value.
         field  octets  contents                  range
         -----  ------  --------                  -----
           1      1-2   year*                     0..65536
           2       3    month                     1..12
           3       4    day                       1..31
           4       5    hour                      0..23
           5       6    minutes                   0..59
           6       7    seconds                   0..60
                        (use 60 for leap-second)
           7     8-10   microseconds              0..999999
           8      11    direction from UTC        '+' / '-'
           9      12    hours from UTC*           0..13
          10      13    minutes from UTC          0..59

         * Notes:
         - the value of year is in network-byte order
         - the value of microseconds is in network-byte order
         - daylight saving time in New Zealand is +13

         For example, Tuesday May 26, 1992 at 1:30:15 PM EDT would be
         displayed as:

                          1992-5-26,13:30:15.0,-4:0

         Note that if only local time is known, then timezone
         information (fields 11-13) is not present."
    SYNTAX       OCTET STRING (SIZE (0 | 10 | 13))

-- object definitions

syslogMsgNotifications OBJECT IDENTIFIER ::= { syslogMsgMib 0 }
syslogMsgObjects       OBJECT IDENTIFIER ::= { syslogMsgMib 1 }
syslogMsgConformance   OBJECT IDENTIFIER ::= { syslogMsgMib 2 }

syslogMsgControl       OBJECT IDENTIFIER ::= { syslogMsgObjects 1 }

syslogMsgTableMaxSize OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The maximum number of syslog messages that may be held in
         syslogMsgTable.  A particular setting does not guarantee that
         there is sufficient memory available for the maximum number
         of table entries indicated by this object.  A value of 0 means
         no limit.

         If an application reduces the limit while there are syslog
         messages in the syslogMsgTable, the syslog messages that are
         in the syslogMsgTable for the longest time MUST be discarded
         to bring the table down to the new limit.

         The value of this object should be kept in nonvolatile
         memory."
    DEFVAL { 0 }
    ::= { syslogMsgControl 1 }

syslogMsgEnableNotifications OBJECT-TYPE
    SYNTAX      TruthValue
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "Indicates whether syslogMsgNotification notifications are
         generated.

         The value of this object should be kept in nonvolatile
         memory."
    DEFVAL { false }
    ::= { syslogMsgControl 2 }

syslogMsgTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SyslogMsgEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table containing recent syslog messages.  The size of the
         table is controlled by the syslogMsgTableMaxSize object."
    ::= { syslogMsgObjects 2 }

syslogMsgEntry OBJECT-TYPE
    SYNTAX      SyslogMsgEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry of the syslogMsgTable."
    INDEX { syslogMsgIndex }
    ::= { syslogMsgTable 1 }

SyslogMsgEntry ::= SEQUENCE {
    syslogMsgIndex      Unsigned32,
    syslogMsgFacility   SyslogFacility,
    syslogMsgSeverity   SyslogSeverity,
    syslogMsgVersion    Unsigned32,
    syslogMsgTimeStamp  SyslogTimeStamp,
    syslogMsgHostName   DisplayString,
    syslogMsgAppName    DisplayString,
    syslogMsgProcID     DisplayString,
    syslogMsgMsgID      DisplayString,
    syslogMsgSDParams   Unsigned32,
    syslogMsgMsg        OCTET STRING
}

syslogMsgIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A monotonically increasing number used to identify entries in
         the syslogMsgTable.  When syslogMsgIndex reaches the maximum
         value the value wraps back to 1."
    ::= { syslogMsgEntry 1 }

syslogMsgFacility OBJECT-TYPE
    SYNTAX      SyslogFacility
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The facility of the syslog message."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.2.1)
         RFC5427: Textual Conventions for Syslog Management"
    ::= { syslogMsgEntry 2 }

syslogMsgSeverity OBJECT-TYPE
    SYNTAX      SyslogSeverity
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The severity of the syslog message."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.2.1)
         RFC5427: Textual Conventions for Syslog Management"
    ::= { syslogMsgEntry 3 }

syslogMsgVersion OBJECT-TYPE
    SYNTAX      Unsigned32 (0..999)
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The version of the syslog message.  A value of 0 indicates
         that the version is unknown."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.2.2)"
    ::= { syslogMsgEntry 4 }

syslogMsgTimeStamp OBJECT-TYPE
    SYNTAX      SyslogTimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The timestamp of the syslog message.  A zero-length
         string is returned if the timestamp is unknown."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.2.3)"
    ::= { syslogMsgEntry 5 }

syslogMsgHostName OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..255))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The host name of the syslog message.  A zero-length string
         indicates an unknown host name.  The SYSLOG protocol
         specification constrains this string to printable US-ASCII
         code points."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.2.4)"
    ::= { syslogMsgEntry 6 }

syslogMsgAppName OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..48))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The app-name of the syslog message.  A zero-length string
         indicates an unknown app-name.  The SYSLOG protocol
         specification constrains this string to printable US-ASCII
         code points."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.2.5)"
    ::= { syslogMsgEntry 7 }

syslogMsgProcID OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..128))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The procid of the syslog message.  A zero-length string
         indicates an unknown procid.  The SYSLOG protocol specification
         constrains this string to printable US-ASCII code points."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.2.6)"
    ::= { syslogMsgEntry 8 }

syslogMsgMsgID OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (0..32))
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The msgid of the syslog message.  A zero-length string
         indicates an unknown msgid.  The SYSLOG protocol specification
         constrains this string to printable US-ASCII code points."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.2.7)"
    ::= { syslogMsgEntry 9 }

syslogMsgSDParams OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The total number of structured data element parameters
         carried in the syslog message.  This number effectively
         indicates the number of entries in the syslogMsgSDTable.
         It can be used, for example, by a notification receiver
         to determine whether a notification carried all
         structured data element parameters of a syslog message."
    ::= { syslogMsgEntry 10 }

syslogMsgMsg OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The message part of the syslog message.  The syntax does not
         impose a size restriction.  Implementations of this MIB module
         may truncate the message part of the syslog message such that
         it fits into the size constraints imposed by the implementation
         environment.  Such truncations can also happen elsewhere in the
         syslog forwarding chain.
         If the first octets contain the value 'EFBBBF'h, then the rest
         of the message is a UTF-8 string.  Since syslog messages may be
         truncated at arbitrary octet boundaries during forwarding, the
         message may contain invalid UTF-8 encodings at the end."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.4)"
    ::= { syslogMsgEntry 11 }

syslogMsgSDTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SyslogMsgSDEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table containing structured data elements of syslog
         messages."
    ::= { syslogMsgObjects 3 }

syslogMsgSDEntry OBJECT-TYPE
    SYNTAX      SyslogMsgSDEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "An entry of the syslogMsgSDTable."
    INDEX { syslogMsgIndex, syslogMsgSDParamIndex,
            syslogMsgSDID, syslogMsgSDParamName }
    ::= { syslogMsgSDTable 1 }

SyslogMsgSDEntry ::= SEQUENCE {
    syslogMsgSDParamIndex  Unsigned32,
    syslogMsgSDID          DisplayString,
    syslogMsgSDParamName   DisplayString,
    syslogMsgSDParamValue  SnmpAdminString
}

syslogMsgSDParamIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..4294967295)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "This object indexes the structured data element parameters
         contained in a SYSLOG message.  The first structured data
         element parameter has the index value 1 and subsequent
         parameters are indexed by incrementing the index of the
         previous parameter.  The index increases across structured
         data element boundaries so that the value reflects the
         position of a structured data element parameter in a
         SYSLOG message."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.3.3)"
    ::= { syslogMsgSDEntry 1 }

syslogMsgSDID OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The name (SD-ID) of a structured data element.
         The SYSLOG protocol specification constrains this string to
         printable US-ASCII code points."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.3.2)"
    ::= { syslogMsgSDEntry 2 }

syslogMsgSDParamName OBJECT-TYPE
    SYNTAX      DisplayString (SIZE (1..32))
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The name of a parameter of the structured data element.  The
         SYSLOG protocol specification constrains this string to
         printable US-ASCII code points."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.3.3)"
    ::= { syslogMsgSDEntry 3 }

syslogMsgSDParamValue OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The value of the parameter of a syslog message identified by
         the index of this table.  The value is stored in the unescaped
         format."
    REFERENCE
        "RFC5424: The Syslog Protocol (section 6.3.3)"
    ::= { syslogMsgSDEntry 4 }

-- notification definitions

syslogMsgNotification NOTIFICATION-TYPE
    OBJECTS { syslogMsgFacility, syslogMsgSeverity,
              syslogMsgVersion, syslogMsgTimeStamp,
              syslogMsgHostName, syslogMsgAppName,
              syslogMsgProcID, syslogMsgMsgID,
              syslogMsgSDParams, syslogMsgMsg }
    STATUS  current
    DESCRIPTION
        "The syslogMsgNotification is generated when a new syslog
         message is received and the value of
         syslogMsgEnableNotifications is true.

         Implementations may add syslogMsgSDParamValue objects as long
         as the resulting notification fits into the size constraints
         imposed by the implementation environment and the notification
         message size constraints imposed by maxMessageSize [RFC3412]
         and SNMP transport mappings."
    ::= { syslogMsgNotifications 1 }

-- conformance statements

syslogMsgGroups      OBJECT IDENTIFIER ::= { syslogMsgConformance 1 }
syslogMsgCompliances OBJECT IDENTIFIER ::= { syslogMsgConformance 2 }

syslogMsgFullCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for implementations of the
         SYSLOG-MSG-MIB."
    MODULE -- this module
    MANDATORY-GROUPS {
        syslogMsgGroup,
        syslogMsgSDGroup,
        syslogMsgControlGroup,
        syslogMsgNotificationGroup
    }
    ::= { syslogMsgCompliances 1 }

syslogMsgReadOnlyCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for implementations of the
         SYSLOG-MSG-MIB that do not support read-write access."
    MODULE -- this module
    MANDATORY-GROUPS {
        syslogMsgGroup,
        syslogMsgSDGroup,
        syslogMsgControlGroup,
        syslogMsgNotificationGroup
    }
    OBJECT syslogMsgTableMaxSize
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    OBJECT syslogMsgEnableNotifications
    MIN-ACCESS read-only
    DESCRIPTION
        "Write access is not required."
    ::= { syslogMsgCompliances 2 }

syslogMsgNotificationCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for implementations of the
         SYSLOG-MSG-MIB that only generate notifications and do not
         provide a table to allow read access to syslog message
         details."
    MODULE -- this module
    MANDATORY-GROUPS {
        syslogMsgGroup,
        syslogMsgSDGroup,
        syslogMsgNotificationGroup
    }
    OBJECT syslogMsgFacility
    MIN-ACCESS accessible-for-notify
    DESCRIPTION
        "Read access is not required."
    OBJECT syslogMsgSeverity
    MIN-ACCESS accessible-for-notify
    DESCRIPTION
        "Read access is not required."
    OBJECT syslogMsgVersion
    MIN-ACCESS accessible-for-notify
    DESCRIPTION
        "Read access is not required."
    OBJECT syslogMsgTimeStamp
    MIN-ACCESS accessible-for-notify
    DESCRIPTION
        "Read access is not required."
    OBJECT syslogMsgHostName
    MIN-ACCESS accessible-for-notify
    DESCRIPTION
        "Read access is not required."
    OBJECT syslogMsgAppName
    MIN-ACCESS accessible-for-notify
    DESCRIPTION
        "Read access is not required."
    OBJECT syslogMsgProcID
    MIN-ACCESS accessible-for-notify
    DESCRIPTION
        "Read access is not required."
    OBJECT syslogMsgMsgID
    MIN-ACCESS accessible-for-notify
    DESCRIPTION
        "Read access is not required."
    OBJECT syslogMsgSDParams
    MIN-ACCESS accessible-for-notify
    DESCRIPTION
        "Read access is not required."
    OBJECT syslogMsgMsg
    MIN-ACCESS accessible-for-notify
    DESCRIPTION
        "Read access is not required."
    OBJECT syslogMsgSDParamValue
    MIN-ACCESS accessible-for-notify
    DESCRIPTION
        "Read access is not required."
    ::= { syslogMsgCompliances 3 }

syslogMsgNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        syslogMsgNotification
    }
    STATUS      current
    DESCRIPTION
        "The notifications emitted by this MIB module."
    ::= { syslogMsgGroups 1 }

syslogMsgGroup OBJECT-GROUP
    OBJECTS {
        -- syslogMsgIndex,
        syslogMsgFacility,
        syslogMsgSeverity,
        syslogMsgVersion,
        syslogMsgTimeStamp,
        syslogMsgHostName,
        syslogMsgAppName,
        syslogMsgProcID,
        syslogMsgMsgID,
        syslogMsgSDParams,
        syslogMsgMsg
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects representing a syslog message
         excluding structured data elements."
    ::= { syslogMsgGroups 2 }

syslogMsgSDGroup OBJECT-GROUP
    OBJECTS {
        -- syslogMsgSDParamIndex,
        -- syslogMsgSDID,
        -- syslogMsgSDParamName,
        syslogMsgSDParamValue
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects representing the structured data
         elements of a syslog message."
    ::= { syslogMsgGroups 3 }

syslogMsgControlGroup OBJECT-GROUP
    OBJECTS {
        syslogMsgTableMaxSize,
        syslogMsgEnableNotifications
    }
    STATUS      current
    DESCRIPTION
        "A collection of control objects to control the size of the
         syslogMsgTable and to enable / disable notifications."
    ::= { syslogMsgGroups 4 }

END

8.  Usage Example

   The following example shows a valid syslog message including
   structured data.  The otherwise-unprintable Unicode BOM is
   represented as "BOM" in the example.

   <165>1 2003-10-11T22:14:15.003Z mymachine.example.com
   evntslog - ID47 [exampleSDID@0 iut="3" eventSource="Application"
   eventID="1011"] BOMAn application event log entry...

   This syslog message leads to the following entries in the
   syslogMsgTable and the syslogMsgSDTable (note that string indexes are
   written as strings for readability reasons):

   syslogMsgIndex.1      = 1
   syslogMsgFacility.1   = 20
   syslogMsgSeverity.1   = 5
   syslogMsgVersion.1    = 1
   syslogMsgTimeStamp.1  = 2003-10-11 22:14:15.003+00:00
   syslogMsgHostName.1   = "mymachine.example.com"
   syslogMsgAppName.1    = "evntslog"
   syslogMsgProcID.1     = "-"
   syslogMsgMsgID.1      = "ID47"
   syslogMsgMsg.1        = "BOMAn application event log entry..."
   syslogMsgSDParamValue.1.1."exampleSDID@0"."iut"
                         = "3"
   syslogMsgSDParamValue.1.2."exampleSDID@0"."eventSource"
                         = "Application"
   syslogMsgSDParamValue.1.3."exampleSDID@0"."eventID"
                         = "1011"

9.  IANA Considerations

   The IANA is requested to assign a value for "XXX" under the 'mib-2'
   subtree and to record the assignment in the SMI Numbers registry.
   When the assignment has been made, the RFC Editor is asked to replace
   "XXX" (here and in the MIB module) with the assigned value.

10.  Security Considerations

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.
   Such objects may be considered sensitive or vulnerable in some
   network environments.  The support for SET operations in a
   non-secure environment without proper protection can have a
   negative effect on network operations.  These are the tables and
   objects and their sensitivity/vulnerability:

   o  syslogMsgTableMaxSize: This object controls how many entries are
      kept in the syslogMsgTable.  Unauthorized modifications may
      either cause increased memory consumption (by setting this object
      to a large value) or turn off the capability to retrieve
      notifications using GET class operations (by setting this object
      to zero).  This might be used to hide traces of an attack.

   o  syslogMsgEnableNotifications: This object enables notifications.
      Unauthorized modifications to disable notification generation
      can be used to hide an attack.  Unauthorized modifications to
      enable notification generation may be used as part of a denial
      of service attack against a network management system if, for
      example, the SYSLOG to SNMP converter accepts unauthorized syslog
      messages.

   Some of the readable objects in this MIB module (i.e., objects with
   a MAX-ACCESS other than not-accessible) may be considered sensitive
   or vulnerable in some network environments.  It is thus important
   to control even GET and/or NOTIFY access to these objects and
   possibly to even encrypt the values of these objects when sending
   them over the network via SNMP.  These are the tables and objects
   and their sensitivity/vulnerability:

   o  syslogMsgTableMaxSize, syslogMsgEnableNotifications: These
      objects provide information whether SYSLOG messages are
      forwarded as SNMP notifications and how many messages will be
      maintained in the syslogMsgTable.  This information might be
      exploited by an attacker in order to plan actions with the goal
      of hiding attack activities.
   o  syslogMsgFacility, syslogMsgSeverity, syslogMsgVersion,
      syslogMsgTimeStamp, syslogMsgHostName, syslogMsgAppName,
      syslogMsgProcID, syslogMsgMsgID, syslogMsgSDParams,
      syslogMsgMsg, syslogMsgSDParamValue: These objects carry the
      content of syslog messages, and the syslog message oriented
      security considerations of [RFC5424] apply.  In particular, an
      attacker who gains access to SYSLOG messages via SNMP may use
      the knowledge gained from SYSLOG messages to compromise a
      machine or do other damage.  It is therefore desirable to
      configure SNMP access control rules enforcing a consistent
      security policy for SYSLOG messages.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is no control as to who on the secure network is allowed to
   access and GET/SET (read/change/create/delete) the objects in this
   MIB module.

   It is RECOMMENDED that implementers consider the security features
   as provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access
   to the objects only to those principals (users) that have
   legitimate rights to indeed GET or SET (change/create/delete) them.

11.  Acknowledgments

   The authors wish to thank Martin Bjorklund, Washam Fan, Rainer
   Gerhards, Wes Hardaker, David Harrington, Tom Petch, Juergen
   Quittek, Bert Wijnen, and all other people who commented on various
   versions of this document.

12.  References

12.1.  Normative References

   [I-D.ietf-opsawg-syslog-snmp]
              Marinov, V. and J. Schoenwaelder, "Mapping Simple Network
              Management Protocol (SNMP) Notifications to SYSLOG
              Messages", Internet Draft (work in progress), March 2009.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Structure of Management Information Version 2 (SMIv2)",
              STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Textual Conventions for SMIv2", STD 58, RFC 2579,
              April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC5424]  Gerhards, R., "The Syslog Protocol", RFC 5424,
              March 2009.

   [RFC5427]  Keeni, G., "Textual Conventions for Syslog Management",
              RFC 5427, March 2009.

12.2.  Informative References

   [RFC3014]  Kavasseri, R., Ed., "Notification Log MIB", RFC 3014,
              November 2002.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Juergen Schoenwaelder
   Jacobs University Bremen
   Campus Ring 1
   28725 Bremen
   Germany

   Email: j.schoenwaelder@jacobs-university.de

   Alexander Clemm
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   Email: alex@cisco.com

   Anirban Karmakar
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   Email: akarmaka@cisco.com