Network Working Group                                    J. Schoenwaelder
Internet-Draft                                    Jacobs University Bremen
Intended status: Standards Track                                 A. Clemm
Expires: August 11, 2009                                      A. Karmakar
                                                            Cisco Systems
                                                         February 7, 2009

   Definitions of Managed Objects for Mapping SYSLOG Messages to Simple
            Network Management Protocol (SNMP) Notifications
            draft-schoenw-syslog-msg-mib-02.txt ($Rev: 3063 $)

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on August 11, 2009.

Copyright Notice

Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.

Abstract

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it defines a mapping of SYSLOG messages to Simple Network Management Protocol (SNMP) notifications.

Table of Contents

   1.  Introduction
   2.  The Internet-Standard Management Framework
   3.  Conventions
   4.  Overview
   5.  Relationship to Other MIB Modules
   6.  Definitions
   7.  Usage Example
   8.  IANA Considerations
   9.  Security Considerations
   10. Acknowledgments
   11. References
       11.1. Normative References
       11.2. Informative References
   Authors' Addresses

1. Introduction

SNMP [RFC3410] [RFC3411] and SYSLOG [I-D.ietf-syslog-protocol] are two widely used protocols to communicate event notifications.
Although co-existence of several management protocols in one operational environment is possible, certain environments require that all event notifications are collected by a single system daemon, such as a SYSLOG collector or an SNMP notification receiver, via a single management protocol. In such environments, it is necessary to translate event notifications between management protocols.

This document defines an SNMP MIB module to represent SYSLOG messages and to send SYSLOG messages as SNMP notifications to SNMP notification receivers.

2. The Internet-Standard Management Framework

For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 [RFC3410].

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant with SMIv2, which is described in STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580 [RFC2580].

3. Conventions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

4. Overview

SYSLOG messages are converted by a SYSLOG to SNMP converter. Such a converter acts as a SYSLOG receiver [I-D.ietf-syslog-protocol] and implements a MIB module according to the SNMP architecture [RFC3411]. The converter might be tightly coupled to an SNMP agent or it might interface with an SNMP agent via a subagent protocol.

After initialization, the converter will listen for SYSLOG messages.
On receiving a message, the message will be parsed to extract information as described in the MIB module. A conceptual table is populated with information extracted from the SYSLOG message and finally a notification may be generated.

The MIB module is organized into a group of scalars and two tables. The syslogMsgControl group contains two scalars controlling the maximum number of SYSLOG messages recorded in the table and whether SNMP notifications are generated for SYSLOG messages.

   --syslogMsgObjects(1)
     |
     +--syslogMsgControl(1)
        |
        +-- Unsigned32 syslogMsgTableMaxSize(1)
        +-- TruthValue syslogMsgEnableNotifications(2)

The syslogMsgTable contains one entry for each recorded SYSLOG message. The basic fields of SYSLOG messages are represented in different columns of the conceptual table.

   --syslogMsgObjects(1)
     |
     +--syslogMsgTable(2)
        |
        +--syslogMsgEntry(1) [syslogMsgIndex]
           |
           +-- Unsigned32 syslogMsgIndex(1)
           +-- SyslogFacility syslogMsgFacility(2)
           +-- SyslogSeverity syslogMsgSeverity(3)
           +-- Unsigned32 syslogMsgVersion(4)
           +-- DateAndTimeMicroSeconds syslogMsgTimeStamp(5)
           +-- DisplayString syslogMsgHostName(6)
           +-- DisplayString syslogMsgAppName(7)
           +-- DisplayString syslogMsgProcID(8)
           +-- DisplayString syslogMsgMsgID(9)
           +-- OctetString syslogMsgMsg(10)
           +-- Bits syslogMsgFlags(11)

The syslogMsgSDTable contains one entry for each structured data element parameter contained in a SYSLOG message. Since structured data elements are optional, the relationship between the syslogMsgTable and the syslogMsgSDTable is 1:0..*.
   --syslogMsgObjects(1)
     |
     +--syslogMsgSDTable(3)
        |
        +--syslogMsgSDEntry(1) [syslogMsgIndex,
           |                    syslogMsgSDElementName,
           |                    syslogMsgSDParamName,
           |                    syslogMsgSDParamIndex]
           |
           +-- DisplayString syslogMsgSDElementName(1)
           +-- DisplayString syslogMsgSDParamName(2)
           +-- Unsigned32 syslogMsgSDParamIndex(3)
           +-- SnmpAdminString syslogMsgSDParamValue(4)

5. Relationship to Other MIB Modules

The NOTIFICATION-LOG-MIB [RFC3014] provides a generic mechanism for logging SNMP notifications in order to deal with lost SNMP notifications, e.g., due to transient communication problems. Applications can poll the notification log to verify that they have not missed important SNMP notifications.

The MIB module defined in this memo provides a mechanism for logging SYSLOG notifications. This additional SYSLOG notification log is provided because (a) SYSLOG messages might not lead to SNMP notifications (this is configurable) and (b) SNMP notifications might not carry all information associated with a SYSLOG notification.

The following MIB module IMPORTS objects from SNMPv2-SMI [RFC2578], SNMPv2-TC [RFC2579], SNMPv2-CONF [RFC2580], SNMP-FRAMEWORK-MIB [RFC3411], and SYSLOG-TC-MIB [I-D.ietf-syslog-tc-mib].

6. Definitions

   SYSLOG-MSG-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Unsigned32, mib-2
           FROM SNMPv2-SMI
       TEXTUAL-CONVENTION, DisplayString, TruthValue
           FROM SNMPv2-TC
       OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE
           FROM SNMPv2-CONF
       SnmpAdminString
           FROM SNMP-FRAMEWORK-MIB
       SyslogFacility, SyslogSeverity
           FROM SYSLOG-TC-MIB;

   syslogMsgMib MODULE-IDENTITY
       LAST-UPDATED "200902010800Z"
       ORGANIZATION "IETF XXX Working Group"
       CONTACT-INFO
           "Juergen Schoenwaelder

            Jacobs University Bremen
            Campus Ring 1
            28757 Bremen
            Germany

            Alexander Clemm

            Cisco Systems
            170 West Tasman Drive
            San Jose, CA 95134-1706
            USA

            Anirban Karmakar

            Cisco Systems
            170 West Tasman Drive
            San Jose, CA 95134-1706
            USA"
       DESCRIPTION
           "This MIB module represents SYSLOG messages as SNMP objects.

            Copyright (c) 2009 IETF Trust and the persons identified as
            the document authors. All rights reserved. This version of
            this MIB module is part of RFC XXXX; see the RFC itself for
            full legal notices."
       REVISION "200902010800Z"
       DESCRIPTION
           "Initial version issued as part of RFC XXXX."
       -- RFC Ed.: replace XXXX with actual RFC number & remove this note
       ::= { mib-2 XXX }
       -- RFC Ed.: replace XXX with IANA-assigned number & remove this note

   -- textual convention definitions

   DateAndTimeMicroSeconds ::= TEXTUAL-CONVENTION
       DISPLAY-HINT "2d-1d-1d,1d:1d:1d.3d,1a1d:1d"
       STATUS current
       DESCRIPTION
           "A date-time specification. This type is similar to the
            DateAndTime type defined in the SNMPv2-TC except that
            the subsecond granulation is microseconds instead of
            deciseconds.
            field  octets  contents                  range
            -----  ------  --------                  -----
              1      1-2   year*                     0..65536
              2       3    month                     1..12
              3       4    day                       1..31
              4       5    hour                      0..23
              5       6    minutes                   0..59
              6       7    seconds                   0..60
                           (use 60 for leap-second)
              7     8-10   microseconds              0..999999
              8      11    direction from UTC        '+' / '-'
              9      12    hours from UTC*           0..13
             10      13    minutes from UTC          0..59

            * Notes:
            - the value of year is in network-byte order
            - the value of microseconds is in network-byte order
            - daylight saving time in New Zealand is +13

            For example, Tuesday May 26, 1992 at 1:30:15 PM EDT would be
            displayed as:

                1992-5-26,13:30:15.0,-4:0

            Note that if only local time is known, then timezone
            information (fields 8-10, octets 11-13) is not present."
       SYNTAX OCTET STRING (SIZE (10 | 13))

   -- object definitions

   syslogMsgNotifications OBJECT IDENTIFIER ::= { syslogMsgMib 0 }
   syslogMsgObjects       OBJECT IDENTIFIER ::= { syslogMsgMib 1 }
   syslogMsgConformance   OBJECT IDENTIFIER ::= { syslogMsgMib 2 }

   syslogMsgControl OBJECT IDENTIFIER ::= { syslogMsgObjects 1 }

   syslogMsgTableMaxSize OBJECT-TYPE
       SYNTAX Unsigned32
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "The maximum number of syslog messages that may be held in
            syslogMsgTable. A particular setting does not guarantee that
            there is sufficient memory available for the maximum number
            of table entries indicated by this object. A value of 0 means
            no limit.

            If an application reduces the limit while there are syslog
            messages in the syslogMsgTable, the syslog messages that are
            in the syslogMsgTable for the longest time MUST be discarded
            to bring the table down to the new limit.

            The value of this object should be kept in nonvolatile
            memory."
       DEFVAL { 0 }
       ::= { syslogMsgControl 1 }

   syslogMsgEnableNotifications OBJECT-TYPE
       SYNTAX TruthValue
       MAX-ACCESS read-write
       STATUS current
       DESCRIPTION
           "Indicates whether syslogMsgNotification notifications are
            generated.

            The value of this object should be kept in nonvolatile
            memory."
       DEFVAL { false }
       ::= { syslogMsgControl 2 }

   syslogMsgTable OBJECT-TYPE
       SYNTAX SEQUENCE OF SyslogMsgEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "A table containing recent syslog messages. The size of the
            table is controlled by the syslogMsgTableMaxSize object."
       ::= { syslogMsgObjects 2 }

   syslogMsgEntry OBJECT-TYPE
       SYNTAX SyslogMsgEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An entry of the syslogMsgTable."
       INDEX { syslogMsgIndex }
       ::= { syslogMsgTable 1 }

   SyslogMsgEntry ::= SEQUENCE {
       syslogMsgIndex      Unsigned32,
       syslogMsgFacility   SyslogFacility,
       syslogMsgSeverity   SyslogSeverity,
       syslogMsgVersion    Unsigned32,
       syslogMsgTimeStamp  DateAndTimeMicroSeconds,
       syslogMsgHostName   DisplayString,
       syslogMsgAppName    DisplayString,
       syslogMsgProcID     DisplayString,
       syslogMsgMsgID      DisplayString,
       syslogMsgMsg        OCTET STRING,
       syslogMsgFlags      BITS
   }

   syslogMsgIndex OBJECT-TYPE
       SYNTAX Unsigned32 (1..4294967295)
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "A monotonically increasing number used to identify entries in
            the syslogMsgTable. When syslogMsgIndex reaches the maximum
            value the value wraps back to 1."
       ::= { syslogMsgEntry 1 }

   syslogMsgFacility OBJECT-TYPE
       SYNTAX SyslogFacility
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The facility of the syslog message."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.1)
            RFCZZZZ: Textual Conventions for Syslog Management"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       -- RFC Ed.: replace ZZZZ with SYSLOG TC RFC number, remove this note
       ::= { syslogMsgEntry 2 }

   syslogMsgSeverity OBJECT-TYPE
       SYNTAX SyslogSeverity
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The severity of the syslog message."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.1)
            RFCZZZZ: Textual Conventions for Syslog Management"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       -- RFC Ed.: replace ZZZZ with SYSLOG TC RFC number, remove this note
       ::= { syslogMsgEntry 3 }

   syslogMsgVersion OBJECT-TYPE
       SYNTAX Unsigned32 (0..999)
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The version of the syslog message. A value of 0 indicates
            that the version is unknown."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.2)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 4 }

   syslogMsgTimeStamp OBJECT-TYPE
       SYNTAX DateAndTimeMicroSeconds
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The timestamp of the syslog message. The special value
            '00000000000000000000'H is returned if the timestamp
            is unknown."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.3)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 5 }

   syslogMsgHostName OBJECT-TYPE
       SYNTAX DisplayString (SIZE (0..255))
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The host name of the syslog message. A zero-length string
            indicates an unknown host name."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.4)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 6 }

   syslogMsgAppName OBJECT-TYPE
       SYNTAX DisplayString (SIZE (0..48))
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The app-name of the syslog message. A zero-length string
            indicates an unknown app-name."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.5)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 7 }

   syslogMsgProcID OBJECT-TYPE
       SYNTAX DisplayString (SIZE (0..128))
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The procid of the syslog message. A zero-length string
            indicates an unknown procid."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.6)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 8 }

   syslogMsgMsgID OBJECT-TYPE
       SYNTAX DisplayString (SIZE (0..32))
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The msgid of the syslog message. A zero-length string
            indicates an unknown msgid."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.2.7)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 9 }

   syslogMsgMsg OBJECT-TYPE
       SYNTAX OCTET STRING
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The message part of the syslog message. The syntax does not
            impose a size restriction. Implementations of this MIB module
            may truncate the message part of the syslog message such that
            it fits into the size constraints imposed by the
            implementation environment. If the message has been truncated
            by the SYSLOG to SNMP converter, the truncated bit in the
            syslogMsgFlags must be set to 1.

            If the first octets contain the value 'EFBBBF'h, then the rest
            of the message is a UTF-8 string.
            Since syslog messages may be
            truncated at arbitrary octet boundaries during forwarding, the
            message may contain invalid UTF-8 encodings at the end."
       REFERENCE
           "RFCYYYY: The syslog Protocol (section 6.4)"
       -- RFC Ed.: replace YYYY with SYSLOG RFC number & remove this note
       ::= { syslogMsgEntry 10 }

   syslogMsgFlags OBJECT-TYPE
       SYNTAX BITS { truncated(0), sdparams(1) }
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The bits contained in this object convey meta information
            about the syslog message. The meaning of the bits is as
            follows:

            truncated - This bit is set if the converter had to
                        truncate the syslogMsgMsg to comply with
                        implementation and/or SNMP message size
                        constraints.

            sdparams  - This bit is set if the syslog message
                        contained structured data element parameters
                        and serves as an indicator whether there is
                        data in the syslogMsgSDTable for this syslog
                        message.

            For syslog messages without structured data element parameters
            that were not truncated by the converter, none of the bits is
            set."
       ::= { syslogMsgEntry 11 }

   syslogMsgSDTable OBJECT-TYPE
       SYNTAX SEQUENCE OF SyslogMsgSDEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "A table containing structured data elements of syslog
            messages."
       ::= { syslogMsgObjects 3 }

   syslogMsgSDEntry OBJECT-TYPE
       SYNTAX SyslogMsgSDEntry
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "An entry of the syslogMsgSDTable."
       INDEX { syslogMsgIndex, syslogMsgSDElementName,
               syslogMsgSDParamName, syslogMsgSDParamIndex }
       ::= { syslogMsgSDTable 1 }

   SyslogMsgSDEntry ::= SEQUENCE {
       syslogMsgSDElementName  DisplayString,
       syslogMsgSDParamName    DisplayString,
       syslogMsgSDParamIndex   Unsigned32,
       syslogMsgSDParamValue   SnmpAdminString
   }

   syslogMsgSDElementName OBJECT-TYPE
       SYNTAX DisplayString (SIZE (1..32))
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The name of a structured data element."
       ::= { syslogMsgSDEntry 1 }

   syslogMsgSDParamName OBJECT-TYPE
       SYNTAX DisplayString (SIZE (1..32))
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "The name of a parameter of the structured data element."
       ::= { syslogMsgSDEntry 2 }

   syslogMsgSDParamIndex OBJECT-TYPE
       SYNTAX Unsigned32 (1..4294967295)
       MAX-ACCESS not-accessible
       STATUS current
       DESCRIPTION
           "This object indexes the instances of a parameter that occurs
            multiple times within one structured data element, starting
            from 1. For parameters that only occur once, the value of
            this object is 1."
       ::= { syslogMsgSDEntry 3 }

   syslogMsgSDParamValue OBJECT-TYPE
       SYNTAX SnmpAdminString
       MAX-ACCESS read-only
       STATUS current
       DESCRIPTION
           "The value of the parameter of a syslog message identified by
            the index of this table."
       ::= { syslogMsgSDEntry 4 }

   -- notification definitions

   syslogMsgNotification NOTIFICATION-TYPE
       OBJECTS { syslogMsgFacility, syslogMsgSeverity,
                 syslogMsgVersion, syslogMsgTimeStamp,
                 syslogMsgHostName, syslogMsgAppName,
                 syslogMsgProcID, syslogMsgMsgID,
                 syslogMsgMsg, syslogMsgFlags }
       STATUS current
       DESCRIPTION
           "The syslogMsgNotification is generated when a new syslog
            message is recorded and the value of
            syslogMsgEnableNotifications is true.
            Implementations may add syslogMsgSDParamValue objects as long
            as the resulting notification fits into the size constraints
            imposed by the implementation environment and the notification
            message size constraints imposed by maxMessageSize [RFC3412]
            and SNMP transport mappings."
       ::= { syslogMsgNotifications 1 }

   -- conformance statements

   syslogMsgGroups      OBJECT IDENTIFIER ::= { syslogMsgConformance 1 }
   syslogMsgCompliances OBJECT IDENTIFIER ::= { syslogMsgConformance 2 }

   syslogMsgFullCompliance MODULE-COMPLIANCE
       STATUS current
       DESCRIPTION
           "The compliance statement for implementations of the
            SYSLOG-MSG-MIB."
       MODULE -- this module
           MANDATORY-GROUPS {
               syslogMsgGroup,
               syslogMsgSDGroup,
               syslogMsgControlGroup,
               syslogMsgNotificationGroup
           }
       ::= { syslogMsgCompliances 1 }

   syslogMsgReadOnlyCompliance MODULE-COMPLIANCE
       STATUS current
       DESCRIPTION
           "The compliance statement for implementations of the
            SYSLOG-MSG-MIB that do not support read-write access."
       MODULE -- this module
           MANDATORY-GROUPS {
               syslogMsgGroup,
               syslogMsgSDGroup,
               syslogMsgControlGroup,
               syslogMsgNotificationGroup
           }
           OBJECT syslogMsgTableMaxSize
           MIN-ACCESS read-only
           DESCRIPTION
               "Write access is not required."
           OBJECT syslogMsgEnableNotifications
           MIN-ACCESS read-only
           DESCRIPTION
               "Write access is not required."
       ::= { syslogMsgCompliances 2 }

   syslogMsgNotificationCompliance MODULE-COMPLIANCE
       STATUS current
       DESCRIPTION
           "The compliance statement for implementations of the
            SYSLOG-MSG-MIB that only generate notifications and do not
            provide a table to allow read access to syslog message
            details."
       MODULE -- this module
           MANDATORY-GROUPS {
               syslogMsgGroup,
               syslogMsgSDGroup,
               syslogMsgNotificationGroup
           }
           OBJECT syslogMsgFacility
           MIN-ACCESS accessible-for-notify
           DESCRIPTION
               "Read access is not required."
           OBJECT syslogMsgSeverity
           MIN-ACCESS accessible-for-notify
           DESCRIPTION
               "Read access is not required."
           OBJECT syslogMsgVersion
           MIN-ACCESS accessible-for-notify
           DESCRIPTION
               "Read access is not required."
           OBJECT syslogMsgTimeStamp
           MIN-ACCESS accessible-for-notify
           DESCRIPTION
               "Read access is not required."
           OBJECT syslogMsgHostName
           MIN-ACCESS accessible-for-notify
           DESCRIPTION
               "Read access is not required."
           OBJECT syslogMsgAppName
           MIN-ACCESS accessible-for-notify
           DESCRIPTION
               "Read access is not required."
           OBJECT syslogMsgProcID
           MIN-ACCESS accessible-for-notify
           DESCRIPTION
               "Read access is not required."
           OBJECT syslogMsgMsgID
           MIN-ACCESS accessible-for-notify
           DESCRIPTION
               "Read access is not required."
           OBJECT syslogMsgMsg
           MIN-ACCESS accessible-for-notify
           DESCRIPTION
               "Read access is not required."
           OBJECT syslogMsgFlags
           MIN-ACCESS accessible-for-notify
           DESCRIPTION
               "Read access is not required."
           OBJECT syslogMsgSDParamValue
           MIN-ACCESS accessible-for-notify
           DESCRIPTION
               "Read access is not required."
       ::= { syslogMsgCompliances 3 }

   syslogMsgNotificationGroup NOTIFICATION-GROUP
       NOTIFICATIONS {
           syslogMsgNotification
       }
       STATUS current
       DESCRIPTION
           "The notifications emitted by this MIB module."
       ::= { syslogMsgGroups 1 }

   syslogMsgGroup OBJECT-GROUP
       OBJECTS {
           -- syslogMsgIndex,
           syslogMsgFacility,
           syslogMsgSeverity,
           syslogMsgVersion,
           syslogMsgTimeStamp,
           syslogMsgHostName,
           syslogMsgAppName,
           syslogMsgProcID,
           syslogMsgMsgID,
           syslogMsgMsg,
           syslogMsgFlags
       }
       STATUS current
       DESCRIPTION
           "A collection of objects representing a syslog message
            excluding structured data elements."
       ::= { syslogMsgGroups 2 }

   syslogMsgSDGroup OBJECT-GROUP
       OBJECTS {
           -- syslogMsgSDElementName,
           -- syslogMsgSDParamName,
           -- syslogMsgSDParamIndex,
           syslogMsgSDParamValue
       }
       STATUS current
       DESCRIPTION
           "A collection of objects representing the structured data
            elements of a syslog message."
       ::= { syslogMsgGroups 3 }

   syslogMsgControlGroup OBJECT-GROUP
       OBJECTS {
           syslogMsgTableMaxSize,
           syslogMsgEnableNotifications
       }
       STATUS current
       DESCRIPTION
           "A collection of control objects to control the size of the
            syslogMsgTable and to enable / disable notifications."
       ::= { syslogMsgGroups 4 }

   END

7. Usage Example

The following example shows a valid syslog message including structured data. The otherwise-unprintable Unicode BOM is represented as "BOM" in the example.

   <165>1 2003-10-11T22:14:15.003Z mymachine.example.com
   evntslog - ID47 [exampleSDID@0 iut="3" eventSource="Application"
   eventID="1011"] BOMAn application event log entry...
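A converter front end for the message above, added here as an illustration (it is not code from the draft or from any implementation): it maps the fields of the syslog protocol format of [I-D.ietf-syslog-protocol] (published as RFC 5424) onto the syslogMsgEntry columns and syslogMsgSDTable rows, clips values to the SIZE bounds the module declares, encodes the timestamp as DateAndTimeMicroSeconds, sets syslogMsgFlags as SNMP BITS, and enforces syslogMsgTableMaxSize by discarding the oldest entries. All names in it (parse_message, SyslogMsgTable, msg_limit as the converter's own cap on syslogMsgMsg) are this example's own, and storing the procid NILVALUE "-" as a literal string follows the table entries the draft lists for this message.

```python
import re
import struct
from datetime import datetime

# Size limits copied from the SYNTAX clauses of the MIB module in this draft.
LIMITS = {"hostname": 255, "appname": 48, "procid": 128, "msgid": 32}
SD_NAME_MAX = 32          # syslogMsgSDElementName / syslogMsgSDParamName SIZE (1..32)
INDEX_MAX = 4294967295    # syslogMsgIndex: Unsigned32 (1..4294967295), wraps to 1
UTF8_BOM = b"\xef\xbb\xbf"
HEADER_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<version>\d{1,3}) (?P<ts>\S+) (?P<hostname>\S+) "
    rb"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$", re.DOTALL)
SD_ELEMENT_RE = re.compile(rb'\[([^ =\]"]+)((?: [^ =\]"]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM_RE = re.compile(rb'([^ =\]"]+)="((?:[^"\\]|\\.)*)"')
# The draft's section 7 message, with a real UTF-8 BOM where the text shows "BOM".
EXAMPLE = (b"<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 "
           b'[exampleSDID@0 iut="3" eventSource="Application" eventID="1011"] '
           + UTF8_BOM + b"An application event log entry...")


def encode_date_and_time_us(ts):
    """TIMESTAMP -> DateAndTimeMicroSeconds: year/microseconds in network byte order,
    13 octets with a UTC offset, 10 without; NILVALUE "-" -> all-zero 'unknown'."""
    if ts == "-":
        return bytes(10)
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    out = struct.pack(">HBBBBB", *dt.timetuple()[:6]) + dt.microsecond.to_bytes(3, "big")
    if dt.utcoffset() is None:          # only local time known: octets 11-13 absent
        return out
    off = int(dt.utcoffset().total_seconds())
    return out + (b"+" if off >= 0 else b"-") + bytes([abs(off) // 3600, abs(off) % 3600 // 60])


def split_sd(rest):
    """Split STRUCTURED-DATA ("-" or SD-ELEMENTs) from the optional MSG; returns
    ([(sd_id, param_name, param_index, value)], msg), numbering a PARAM-NAME
    repeated within one element 1, 2, ... (syslogMsgSDParamIndex)."""
    params, pos = [], 1 if rest.startswith(b"-") else 0
    while pos == 0 or (pos > 1 and rest[pos:pos + 1] == b"["):
        m = SD_ELEMENT_RE.match(rest, pos)
        if not m:
            raise ValueError("malformed SD-ELEMENT")
        sd_id, seen = m.group(1).decode("ascii"), {}
        if len(sd_id) > SD_NAME_MAX:
            raise ValueError("SD-ID longer than 32 characters")
        for name, value in SD_PARAM_RE.findall(m.group(2)):
            name = name.decode("ascii")
            if len(name) > SD_NAME_MAX:
                raise ValueError("PARAM-NAME longer than 32 characters")
            seen[name] = seen.get(name, 0) + 1
            value = re.sub(rb'\\([\\"\]])', rb"\1", value)      # undo \" \\ \] escaping
            params.append((sd_id, name, seen[name], value.decode("utf-8", "replace")))
        pos = m.end()
    if rest[pos:] and not rest[pos:].startswith(b" "):
        raise ValueError("junk after STRUCTURED-DATA")
    return params, rest[pos + 1:]


def parse_message(raw):
    """Map one syslog message (bytes) onto syslogMsgEntry columns + syslogMsgSDTable rows."""
    m = HEADER_RE.match(raw)
    if not m or int(m.group("pri")) > 191:
        raise ValueError("not a syslog protocol message with PRI 0..191")
    pri = int(m.group("pri"))
    entry = {"facility": pri // 8, "severity": pri % 8, "version": int(m.group("version")),
             "timestamp": encode_date_and_time_us(m.group("ts").decode("ascii", "replace"))}
    for col, limit in LIMITS.items():   # DisplayString (SIZE (0..n)): clip over-long input
        entry[col] = m.group(col).decode("ascii", "replace")[:limit]
    sd_params, msg = split_sd(m.group("rest"))
    entry.update(msg=msg, utf8=msg.startswith(UTF8_BOM),
                 flags={"sdparams"} if sd_params else set())
    return entry, sd_params


def flags_octet(flags):
    """syslogMsgFlags as SNMP BITS: bit 0 (truncated) is the high-order bit of octet 1."""
    return bytes([sum(0x80 >> {"truncated": 0, "sdparams": 1}[f] for f in flags)])


class SyslogMsgTable:   # syslogMsgTable and syslogMsgSDTable under syslogMsgControl
    def __init__(self, max_size=0, enable_notifications=False, msg_limit=None):
        self.max_size = max_size               # syslogMsgTableMaxSize, 0 = no limit
        self.enable_notifications = enable_notifications
        self.msg_limit = msg_limit             # this converter's own cap on syslogMsgMsg
        self.rows, self.sd_rows, self.next_index = {}, {}, 1

    def enforce_max_size(self):
        """Discard the entries held the longest until the table fits max_size; the
        MIB requires the same when an application lowers syslogMsgTableMaxSize."""
        while self.max_size and len(self.rows) > self.max_size:
            oldest = next(iter(self.rows))     # dicts keep insertion order
            del self.rows[oldest]
            self.sd_rows = {k: v for k, v in self.sd_rows.items() if k[0] != oldest}

    def add(self, raw):
        entry, sd_params = parse_message(raw)
        if self.msg_limit is not None and len(entry["msg"]) > self.msg_limit:
            entry["msg"] = entry["msg"][:self.msg_limit]   # may cut a UTF-8 sequence
            entry["flags"].add("truncated")
        idx, self.next_index = self.next_index, self.next_index % INDEX_MAX + 1
        self.rows[idx] = entry
        for sd_id, name, pidx, value in sd_params:
            self.sd_rows[(idx, sd_id, name, pidx)] = value     # syslogMsgSDParamValue
        self.enforce_max_size()
        return idx, (dict(entry, index=idx) if self.enable_notifications else None)
```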
This syslog message leads to the following entries in the syslogMsgTable and the syslogMsgSDTable (note that string indexes are written as strings for readability reasons):

   syslogMsgIndex.1     = 1
   syslogMsgFacility.1  = 20
   syslogMsgSeverity.1  = 5
   syslogMsgVersion.1   = 1
   syslogMsgTimeStamp.1 = 2003-10-11 22:14:15.003+00:00
   syslogMsgHostName.1  = "mymachine.example.com"
   syslogMsgAppName.1   = "evntslog"
   syslogMsgProcID.1    = "-"
   syslogMsgMsgID.1     = "ID47"
   syslogMsgMsg.1       = "BOMAn application event log entry..."
   syslogMsgSDParamValue.1."exampleSDID@0"."iut".1
                        = "3"
   syslogMsgSDParamValue.1."exampleSDID@0"."eventSource".1
                        = "Application"
   syslogMsgSDParamValue.1."exampleSDID@0"."eventID".1
                        = "1011"

8. IANA Considerations

The IANA is requested to assign a value for "XXX" under the 'mib-2' subtree and to record the assignment in the SMI Numbers registry. When the assignment has been made, the RFC Editor is asked to replace "XXX" (here and in the MIB module) with the assigned value.

9. Security Considerations

There are a number of management objects defined in this MIB module with a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations. These are the tables and objects and their sensitivity/vulnerability:

o  syslogMsgTableMaxSize: This object controls how many entries are kept in the syslogMsgTable. Unauthorized modifications may either cause increased memory consumption or turn off the capability to retrieve notifications using GET class operations. This can be used to hide traces of an attack.

o  syslogMsgEnableNotifications: This object enables notifications.
809 Unauthorized modifications to disable notification generation can 810 be used to hide an attack. Unauthorized modifications to enable 811 notification generation may be used as part of a denial of service 812 attack against a network management system if for exampe the 813 syslog server accepts unauthorized syslog messages. 815 Some of the readable objects in this MIB module (i.e., objects with a 816 MAX-ACCESS other than not-accessible) may be considered sensitive or 817 vulnerable in some network environments. It is thus important to 818 control even GET and/or NOTIFY access to these objects and possibly 819 to even encrypt the values of these objects when sending them over 820 the network via SNMP. These are the tables and objects and their 821 sensitivity/vulnerability: 823 o syslogMsgTableMaxSize, syslogMsgEnableNotifications: These objects 824 provide information whether SYSLOG messages are forwarded as SNMP 825 notifications and how many messages will be maintained in the 826 syslogMsgTable. This information might be exploited by an 827 attacker in order to plan actions with the goal of hiding attack 828 activities. 830 o syslogMsgFacility, syslogMsgSeverity, syslogMsgVersion, 831 syslogMsgTimeStamp, syslogMsgHostName, syslogMsgAppName, 832 syslogMsgProcID, syslogMsgMsgID, syslogMsgMsg, syslogMsgFlags, 833 syslogMsgSDParamValue: These objects carry the content of syslog 834 messags and the syslog message oriented security considerations of 835 [I-D.ietf-syslog-protocol] apply. In particular, an attacker who 836 gains access to SYSLOG messages via SNMP may use the knowledge 837 gained from SYSLOG messages to compromise a machine or do other 838 damage. 840 SNMP versions prior to SNMPv3 did not include adequate security. 841 Even if the network itself is secure (for example by using IPsec), 842 even then, there is no control as to who on the secure network is 843 allowed to access and GET/SET (read/change/create/delete) the objects 844 in this MIB module. 
It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see [RFC3410], section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).

Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.

10. Acknowledgments

The authors wish to thank Rainer Gerhards, Wes Hardaker, David Harrington, Juergen Quittek, and all other people who commented on various versions of this proposal.

11. References

11.1. Normative References

   [I-D.ietf-syslog-protocol]
              Gerhards, R., "The syslog Protocol", Internet Draft (work
              in progress), September 2007.

   [I-D.ietf-syslog-tc-mib]
              Keeni, G., "Textual Conventions for Syslog Management",
              Internet Draft (work in progress), May 2008.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Structure of Management Information Version 2 (SMIv2)",
              STD 58, RFC 2578, April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Textual Conventions for SMIv2", STD 58, RFC 2579,
              April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., and J. Schoenwaelder,
              "Conformance Statements for SMIv2", STD 58, RFC 2580,
              April 1999.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

11.2. Informative References

   [RFC3014]  Kavasseri, R., Ed., "Notification Log MIB", RFC 3014,
              November 2002.

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for Internet-
              Standard Management Framework", RFC 3410, December 2002.

Authors' Addresses

   Juergen Schoenwaelder
   Jacobs University Bremen
   Campus Ring 1
   28725 Bremen
   Germany

   Email: j.schoenwaelder@jacobs-university.de

   Alexander Clemm
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   Email: alex@cisco.com

   Anirban Karmakar
   Cisco Systems
   170 West Tasman Drive
   San Jose, CA 95134-1706
   USA

   Email: akarmaka@cisco.com