This is a purely informative rendering of an RFC that includes verified errata. This rendering may not be used as a reference.
The following 'Verified' errata have been incorporated in this document:
EID 1927
Network Working Group J. Schoenwaelder
Request for Comments: 5676 Jacobs University Bremen
Category: Standards Track A. Clemm
Cisco Systems
A. Karmakar
Cisco Systems India Pvt Ltd
October 2009
Definitions of Managed Objects for Mapping SYSLOG Messages to
Simple Network Management Protocol (SNMP) Notifications
Abstract
This memo defines a portion of the Management Information Base (MIB)
for use with network management protocols in the Internet community.
In particular, it defines a mapping of SYSLOG messages to Simple
Network Management Protocol (SNMP) notifications.
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. The Internet-Standard Management Framework . . . . . . . . . . 2
3. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
5. Relationship to Other MIB Modules . . . . . . . . . . . . . . 4
6. Relationship to the SNMP Notification to SYSLOG Mapping . . . 6
7. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 5
8. Usage Example . . . . . . . . . . . . . . . . . . . . . . . . 18
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
10. Security Considerations . . . . . . . . . . . . . . . . . . . 19
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 20
12.1. Normative References . . . . . . . . . . . . . . . . . . 20
12.2. Informative References . . . . . . . . . . . . . . . . . 21
1. Introduction
SNMP ([RFC3410], [RFC3411]) and SYSLOG [RFC5424] are two widely used
protocols to communicate event notifications. Although co-existence
of several management protocols in one operational environment is
possible, certain environments require that all event notifications
be collected by a single system daemon, such as a SYSLOG collector or
an SNMP notification receiver, via a single management protocol. In
such environments, it is necessary to translate event notifications
between management protocols.
This document defines an SNMP MIB module to represent SYSLOG messages
and to send SYSLOG messages as SNMP notifications to SNMP
notification receivers.
2. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580].
3. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
4. Overview
SYSLOG messages are translated to SNMP by a SYSLOG-to-SNMP
translator. Such a translator acts as a SYSLOG collector [RFC5424]
and implements a MIB module according to the SNMP architecture
[RFC3411]. The translator might be tightly coupled to an SNMP agent
or it might interface with an SNMP agent via a subagent protocol.
After initialization, the SYSLOG-to-SNMP translator will listen for
SYSLOG messages. On receiving a message, the message will be parsed
to extract information as described in the MIB module. A conceptual
table is populated with information extracted from the SYSLOG
message, and finally a notification may be generated.
The MIB module is organized into a group of scalars and two tables.
The syslogMsgControl group contains two scalars controlling the
maximum number of SYSLOG messages recorded in the tables and also
controlling whether SNMP notifications are generated for SYSLOG
messages.
EID 1927 (Verified) is as follows:Section: 4, 3rd para
Original Text:
The MIB module is organized into a group of scalars and two tables.
The syslogMsgControl group contains two scalars controlling the
| maximum size of SYSLOG messages recorded in the tables and also
controlling whether SNMP notifications are generated for SYSLOG
messages.
Corrected Text:
The MIB module is organized into a group of scalars and two tables.
The syslogMsgControl group contains two scalars controlling the
| maximum number of SYSLOG messages recorded in the tables and also
controlling whether SNMP notifications are generated for SYSLOG
messages.
Notes:
Rationale: possible confusion.
"maximum size of SYSLOG messages recorded" conceptionally would relate to the SIZE of syslogMsgMsg OCTET STRING instances or the maximum value for syslogMsgSDParams instances, but the DESCRIPTION clause for the syslogMsgTableMaxSize OBJECT-TYPE in the MIB module in Section 7 clarifies that this object indicates the maximum *number* of entries in the syslogMsgTable and does not describe some filtering criterion (by size) of the SYSLOG messages recorded.
--syslogMsgObjects(1)
|
+--syslogMsgControl(1)
|
+-- Unsigned32 syslogMsgTableMaxSize(1)
+-- TruthValue syslogMsgEnableNotifications(2)
The syslogMsgTable contains one entry for each recorded SYSLOG
message. The basic fields of SYSLOG messages as well as message
properties are represented in different columns of the conceptual
table.
--syslogMsgObjects(1)
|
+--syslogMsgTable(2)
|
+--syslogMsgEntry(1) [syslogMsgIndex]
|
+-- Unsigned32 syslogMsgIndex(1)
+-- SyslogFacility syslogMsgFacility(2)
+-- SyslogSeverity syslogMsgSeverity(3)
+-- Unsigned32 syslogMsgVersion(4)
+-- SyslogTimeStamp syslogMsgTimeStamp(5)
+-- DisplayString syslogMsgHostName(6)
+-- DisplayString syslogMsgAppName(7)
+-- DisplayString syslogMsgProcID(8)
+-- DisplayString syslogMsgMsgID(9)
+-- Unsigned32 syslogMsgSDParams(10)
+-- OctetString syslogMsgMsg(11)
The syslogMsgSDTable contains one entry for each structured data
element parameter contained in a SYSLOG message. Since structured
data elements are optional, the relationship between the
syslogMsgTable and the syslogMsgSDTable ranges from one-to-zero to
one-to-many.
--syslogMsgObjects(1)
|
+--syslogMsgSDTable(3)
|
+--syslogMsgSDEntry(1) [syslogMsgIndex,
| syslogMsgSDParamIndex,
| syslogMsgSDID,
| syslogMsgSDParamName]
|
+-- Unsigned32 syslogMsgSDParamIndex(1)
+-- DisplayString syslogMsgSDID(2)
+-- DisplayString syslogMsgSDParamName(3)
+-- SyslogParamValueString syslogMsgSDParamValue(4)
5. Relationship to Other MIB Modules
The NOTIFICATION-LOG-MIB [RFC3014] provides a generic mechanism for
logging SNMP notifications in order to deal with lost SNMP
notifications, e.g., due to transient communication problems.
Applications can poll the notification log to verify that they have
not missed important SNMP notifications.
The MIB module defined in this memo provides a mechanism for logging
SYSLOG notifications. This additional SYSLOG notification log is
provided because (a) SYSLOG messages might not lead to SNMP
notification (this is configurable) and (b) SNMP notifications might
not carry all information associated with a SYSLOG notification.
The MIB module IMPORTS objects from SNMPv2-SMI [RFC2578], SNMPv2-TC
[RFC2579], SNMPv2-CONF [RFC2580], SNMP-FRAMEWORK-MIB [RFC3411], and
SYSLOG-TC-MIB [RFC5427].
The textual convention SyslogParamValueString uses the UTF-8
transformation format of the ISO/IEC IS 10646-1 character set defined
in [RFC3629].
6. Relationship to the SNMP Notification to SYSLOG Mapping
A companion document [RFC5675] defines a mapping of SNMP
notifications to SYSLOG messages. This section discusses the
possibilities of using both specifications in combination.
A SYSLOG collector implementing the SYSLOG-MSG-MIB module and the
mapping of SNMP notifications to SYSLOG messages may be configured to
translate received SYSLOG messages containing SNMP notifications back
into the original SNMP notification. In this case, the relevant
tables of the SYSLOG-MSG-MIB will not be populated for SYSLOG
messages carrying SNMP notifications. This configuration allows
operators to build a forwarding chain where SNMP notifications are
"tunneled" through SYSLOG messages. Due to size restrictions of the
SYSLOG transports and the more verbose textual encoding used by
SYSLOG, there is a possibility that SNMP notification content will
get truncated when tunneled through SYSLOG, and thus the resulting
SNMP notification may be incomplete.
An SNMP management application supporting the SYSLOG-MSG-MIB and the
mapping of SNMP notifications to SYSLOG messages may process
information from the SYSLOG-MSG-MIB in order to emit a SYSLOG message
representing the SYSLOG message recorded in the SYSLOG-MSG-MIB
module. This configuration allows operators to build a forwarding
chain where SYSLOG messages are "tunneled" through SNMP messages. A
notification receiver can determine whether a syslogMsgNotification
contained all structured data element parameters of a SYSLOG message.
In case parameters are missing, a forwarding application MUST
retrieve the missing parameters from the SYSLOG-MSG-MIB. Regular
polling of the SYSLOG-MSG-MIB can be used to take care of any lost
SNMP notifications.
7. Definitions
SYSLOG-MSG-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Unsigned32, mib-2
FROM SNMPv2-SMI
TEXTUAL-CONVENTION, DisplayString, TruthValue
FROM SNMPv2-TC
OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE
FROM SNMPv2-CONF
SyslogFacility, SyslogSeverity
FROM SYSLOG-TC-MIB;
syslogMsgMib MODULE-IDENTITY
LAST-UPDATED "200908130800Z"
ORGANIZATION "IETF OPSAWG Working Group"
CONTACT-INFO
"Juergen Schoenwaelder
<j.schoenwaelder@jacobs-university.de>
Jacobs University Bremen
Campus Ring 1
28757 Bremen
Germany
Alexander Clemm
<alex@cisco.com>
Cisco Systems
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Anirban Karmakar
<akarmaka@cisco.com>
Cisco Systems India Pvt Ltd
SEZ Unit, Cessna Business Park,
Sarjapur Marathahalli ORR,
Bangalore, Karnataka 560103
India"
DESCRIPTION
"This MIB module represents SYSLOG messages as SNMP objects.
Copyright (c) 2009 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC 5676; see
the RFC itself for full legal notices."
REVISION "200908130800Z"
DESCRIPTION
"Initial version issued as part of RFC 5676."
::= { mib-2 192 }
-- textual convention definitions
SyslogTimeStamp ::= TEXTUAL-CONVENTION
DISPLAY-HINT "2d-1d-1d,1d:1d:1d.3d,1a1d:1d"
STATUS current
DESCRIPTION
"A date-time specification. This type is similar to the
DateAndTime type defined in the SNMPv2-TC, except the
subsecond granulation is microseconds instead of
deciseconds and a zero-length string can be used
to indicate a missing value.
field octets contents range
----- ------ -------- -----
1 1-2 year* 0..65536
2 3 month 1..12
3 4 day 1..31
4 5 hour 0..23
5 6 minutes 0..59
6 7 seconds 0..60
(use 60 for leap-second)
7 8-10 microseconds* 0..999999
8 11 direction from UTC '+' / '-'
9 12 hours from UTC* 0..13
10 13 minutes from UTC 0..59
* Notes:
- the value of year is in network-byte order
- the value of microseconds is in network-byte order
- daylight saving time in New Zealand is +13
For example, Tuesday May 26, 1992 at 1:30:15 PM EDT would be
displayed as:
1992-5-26,13:30:15.0,-4:0
Note that if only local time is known, then timezone
information (fields 11-13) is not present."
SYNTAX OCTET STRING (SIZE (0 | 10 | 13))
SyslogParamValueString ::= TEXTUAL-CONVENTION
DISPLAY-HINT "65535t"
STATUS current
DESCRIPTION
"The value of a SYSLOG SD-PARAM is represented using the
ISO/IEC IS 10646-1 character set, encoded as an octet string
using the UTF-8 transformation format described in RFC 3629.
Since additional code points are added by amendments to the
10646 standard from time to time, implementations must be
prepared to encounter any code point from 0x00000000 to
0x7fffffff. Byte sequences that do not correspond to the
valid UTF-8 encoding of a code point or that are outside this
range are prohibited. Similarly, overlong UTF-8 sequences
are prohibited.
UTF-8 may require multiple bytes to represent a single
character / code point; thus, the length of this object in
octets may be different from the number of characters
encoded. Similarly, size constraints refer to the number of
encoded octets, not the number of characters represented by
an encoding."
REFERENCE
"RFC 3629: UTF-8, a transformation format of ISO 10646"
SYNTAX OCTET STRING
-- object definitions
syslogMsgNotifications OBJECT IDENTIFIER ::= { syslogMsgMib 0 }
syslogMsgObjects OBJECT IDENTIFIER ::= { syslogMsgMib 1 }
syslogMsgConformance OBJECT IDENTIFIER ::= { syslogMsgMib 2 }
syslogMsgControl OBJECT IDENTIFIER ::= { syslogMsgObjects 1 }
syslogMsgTableMaxSize OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The maximum number of SYSLOG messages that may be held in
syslogMsgTable. A particular setting does not guarantee that
there is sufficient memory available for the maximum number
of table entries indicated by this object. A value of 0 means
no fixed limit.
If an application reduces the limit while there are SYSLOG
messages in the syslogMsgTable, the SYSLOG messages that are
in the syslogMsgTable for the longest time MUST be discarded
to bring the table down to the new limit.
The value of this object should be kept in nonvolatile
memory."
DEFVAL { 0 }
::= { syslogMsgControl 1 }
syslogMsgEnableNotifications OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether syslogMsgNotification notifications are
generated.
The value of this object should be kept in nonvolatile
memory."
DEFVAL { false }
::= { syslogMsgControl 2 }
syslogMsgTable OBJECT-TYPE
SYNTAX SEQUENCE OF SyslogMsgEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table containing recent SYSLOG messages. The size of the
table is controlled by the syslogMsgTableMaxSize object."
::= { syslogMsgObjects 2 }
syslogMsgEntry OBJECT-TYPE
SYNTAX SyslogMsgEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry of the syslogMsgTable."
INDEX { syslogMsgIndex }
::= { syslogMsgTable 1 }
SyslogMsgEntry ::= SEQUENCE {
syslogMsgIndex Unsigned32,
syslogMsgFacility SyslogFacility,
syslogMsgSeverity SyslogSeverity,
syslogMsgVersion Unsigned32,
syslogMsgTimeStamp SyslogTimeStamp,
syslogMsgHostName DisplayString,
syslogMsgAppName DisplayString,
syslogMsgProcID DisplayString,
syslogMsgMsgID DisplayString,
syslogMsgSDParams Unsigned32,
syslogMsgMsg OCTET STRING
}
syslogMsgIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A monotonically increasing number used to identify entries in
the syslogMsgTable. When syslogMsgIndex reaches the maximum
value (4294967295), the value wraps back to 1.
Applications periodically polling the syslogMsgTable for new
entries should take into account that a complete rollover of
syslogMsgIndex will happen if more than 4294967294 messages
are received during a poll interval."
::= { syslogMsgEntry 1 }
syslogMsgFacility OBJECT-TYPE
SYNTAX SyslogFacility
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The facility of the SYSLOG message."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.1)
RFC 5427: Textual Conventions for Syslog Management"
::= { syslogMsgEntry 2 }
syslogMsgSeverity OBJECT-TYPE
SYNTAX SyslogSeverity
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The severity of the SYSLOG message"
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.1)
RFC 5427: Textual Conventions for Syslog Management"
::= { syslogMsgEntry 3 }
syslogMsgVersion OBJECT-TYPE
SYNTAX Unsigned32 (0..999)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The version of the SYSLOG message. A value of 0 indicates
that the version is unknown."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.2)"
::= { syslogMsgEntry 4 }
syslogMsgTimeStamp OBJECT-TYPE
SYNTAX SyslogTimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The timestamp of the SYSLOG message. A zero-length
string is returned if the timestamp is unknown."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.3)"
::= { syslogMsgEntry 5 }
syslogMsgHostName OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The hostname and the (optional) domain name of the SYSLOG
message. A zero-length string indicates an unknown hostname.
The SYSLOG protocol specification constrains this string to
printable US-ASCII code points."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.4)"
::= { syslogMsgEntry 6 }
syslogMsgAppName OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..48))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The app-name of the SYSLOG message. A zero-length string
indicates an unknown app-name. The SYSLOG protocol
specification constrains this string to printable US-ASCII
code points."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.5)"
::= { syslogMsgEntry 7 }
syslogMsgProcID OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The procid of the SYSLOG message. A zero-length string
indicates an unknown procid. The SYSLOG protocol
specification constrains this string to printable
US-ASCII code points."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.6)"
::= { syslogMsgEntry 8 }
syslogMsgMsgID OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..32))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The msgid of the SYSLOG message. A zero-length string
indicates an unknown msgid. The SYSLOG protocol specification
constrains this string to printable US-ASCII code points."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.7)"
::= { syslogMsgEntry 9 }
syslogMsgSDParams OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of structured data element parameters
carried in the SYSLOG message. This number effectively
indicates the number of entries in the syslogMsgSDTable.
It can be used, for example, by a notification receiver
to determine whether a notification carried all
structured data element parameters of a SYSLOG message."
::= { syslogMsgEntry 10 }
syslogMsgMsg OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The message part of the SYSLOG message. The syntax does not
impose a size restriction. Implementations of this MIB module
may truncate the message part of the SYSLOG message such that
it fits into the size constraints imposed by the implementation
environment. Such truncations can also happen elsewhere in the
SYSLOG forwarding chain.
If the first octets contain the value 'EFBBBF'h, then the rest
of the message is a UTF-8 string. Since SYSLOG messages may be
truncated at arbitrary octet boundaries during forwarding, the
message may contain invalid UTF-8 encodings at the end."
REFERENCE
"RFC 5424: The Syslog Protocol (Sections 6.1 and 6.4)"
::= { syslogMsgEntry 11 }
syslogMsgSDTable OBJECT-TYPE
SYNTAX SEQUENCE OF SyslogMsgSDEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table containing structured data elements of SYSLOG
messages."
::= { syslogMsgObjects 3 }
syslogMsgSDEntry OBJECT-TYPE
SYNTAX SyslogMsgSDEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry of the syslogMsgSDTable."
INDEX { syslogMsgIndex, syslogMsgSDParamIndex,
syslogMsgSDID, syslogMsgSDParamName }
::= { syslogMsgSDTable 1 }
SyslogMsgSDEntry ::= SEQUENCE {
syslogMsgSDParamIndex Unsigned32,
syslogMsgSDID DisplayString,
syslogMsgSDParamName DisplayString,
syslogMsgSDParamValue SyslogParamValueString
}
syslogMsgSDParamIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object indexes the structured data element parameters
contained in a SYSLOG message. The first structured data
element parameter has the index value 1, and subsequent
parameters are indexed by incrementing the index of the
previous parameter. The index increases across structured
data element boundaries so that the value reflects the
position of a structured data element parameter in a
SYSLOG message."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.3.3)"
::= { syslogMsgSDEntry 1 }
syslogMsgSDID OBJECT-TYPE
SYNTAX DisplayString (SIZE (1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name (SD-ID) of a structured data element. The SYSLOG
protocol specification constrains this string to printable
US-ASCII code points."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.3.2)"
::= { syslogMsgSDEntry 2 }
syslogMsgSDParamName OBJECT-TYPE
SYNTAX DisplayString (SIZE (1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name of a parameter of the structured data element. The
SYSLOG protocol specification constrains this string to
printable US-ASCII code points."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.3.3)"
::= { syslogMsgSDEntry 3 }
syslogMsgSDParamValue OBJECT-TYPE
SYNTAX SyslogParamValueString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the parameter of a SYSLOG message identified by
the index of this table. The value is stored in the unescaped
format."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.3.3)"
::= { syslogMsgSDEntry 4 }
-- notification definitions
syslogMsgNotification NOTIFICATION-TYPE
OBJECTS { syslogMsgFacility, syslogMsgSeverity,
syslogMsgVersion, syslogMsgTimeStamp,
syslogMsgHostName, syslogMsgAppName,
syslogMsgProcID, syslogMsgMsgID,
syslogMsgSDParams, syslogMsgMsg }
STATUS current
DESCRIPTION
"The syslogMsgNotification is generated when a new SYSLOG
message is received and the value of
syslogMsgGenerateNotifications is true.
Implementations may add syslogMsgSDParamValue objects as long
as the resulting notification fits into the size constraints
imposed by the implementation environment and the notification
message size constraints imposed by maxMessageSize [RFC3412]
and SNMP transport mappings."
::= { syslogMsgNotifications 1 }
-- conformance statements
syslogMsgGroups OBJECT IDENTIFIER ::= { syslogMsgConformance 1 }
syslogMsgCompliances OBJECT IDENTIFIER ::= { syslogMsgConformance 2 }
syslogMsgFullCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for implementations of the
SYSLOG-MSG-MIB."
MODULE -- this module
MANDATORY-GROUPS {
syslogMsgGroup,
syslogMsgSDGroup,
syslogMsgControlGroup,
syslogMsgNotificationGroup
}
::= { syslogMsgCompliances 1 }
syslogMsgReadOnlyCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for implementations of the
SYSLOG-MSG-MIB that do not support read-write access."
MODULE -- this module
MANDATORY-GROUPS {
syslogMsgGroup,
syslogMsgSDGroup,
syslogMsgControlGroup,
syslogMsgNotificationGroup
}
OBJECT syslogMsgTableMaxSize
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT syslogMsgEnableNotifications
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
::= { syslogMsgCompliances 2 }
syslogMsgNotificationCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for implementations of the
SYSLOG-MSG-MIB that do only generate notifications and do not
provide a table to allow read access to SYSLOG message
details."
MODULE -- this module
MANDATORY-GROUPS {
syslogMsgGroup,
syslogMsgSDGroup,
syslogMsgNotificationGroup
}
OBJECT syslogMsgFacility
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgSeverity
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgVersion
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgTimeStamp
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgHostName
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgAppName
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgProcID
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgMsgID
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgSDParams
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgMsg
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgSDParamValue
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
::= { syslogMsgCompliances 3 }
syslogMsgNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS {
syslogMsgNotification
}
STATUS current
DESCRIPTION
"The notifications emitted by this MIB module."
::= { syslogMsgGroups 1 }
syslogMsgGroup OBJECT-GROUP
OBJECTS {
-- syslogMsgIndex,
syslogMsgFacility,
syslogMsgSeverity,
syslogMsgVersion,
syslogMsgTimeStamp,
syslogMsgHostName,
syslogMsgAppName,
syslogMsgProcID,
syslogMsgMsgID,
syslogMsgSDParams,
syslogMsgMsg
}
STATUS current
DESCRIPTION
"A collection of objects representing a SYSLOG message,
excluding structured data elements."
::= { syslogMsgGroups 2 }
syslogMsgSDGroup OBJECT-GROUP
OBJECTS {
-- syslogMsgSDParamIndex,
-- syslogMsgSDID,
-- syslogMsgSDParamName,
syslogMsgSDParamValue
}
STATUS current
DESCRIPTION
"A collection of objects representing the structured data
elements of a SYSLOG message."
::= { syslogMsgGroups 3 }
syslogMsgControlGroup OBJECT-GROUP
OBJECTS {
syslogMsgTableMaxSize,
syslogMsgEnableNotifications
}
STATUS current
DESCRIPTION
"A collection of control objects to control the size of the
syslogMsgTable and to enable/disable notifications."
::= { syslogMsgGroups 4 }
END
8. Usage Example
The following example shows a valid SYSLOG message including
structured data. The otherwise-unprintable Unicode byte order mark
(BOM) is represented as "BOM" in the example.
<165>1 2003-10-11T22:14:15.003Z mymachine.example.com
evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application"
eventID="1011"] BOMAn application event log entry...
This SYSLOG message leads to the following entries in the
syslogMsgTable and the syslogMsgSDTable (note that string indexes are
written as strings for readability reasons):
syslogMsgIndex.1 = 1
syslogMsgFacility.1 = 20
syslogMsgSeverity.1 = 5
syslogMsgVersion.1 = 1
syslogMsgTimeStamp.1 = 2003-10-11,22:14:15.003,+0:0
syslogMsgHostName.1 = "mymachine.example.com"
syslogMsgAppName.1 = "evntslog"
syslogMsgProcID.1 = "-"
syslogMsgMsgID.1 = "ID47"
syslogMsgMsg.1 = "BOMAn application event log entry..."
syslogMsgSDParamValue.1.1."exampleSDID@32473"."iut"
= "3"
syslogMsgSDParamValue.1.2."exampleSDID@32473"."eventSource"
= "Application"
syslogMsgSDParamValue.1.3."exampleSDID@32473"."eventID"
= "1011"
9. IANA Considerations
The IANA has assigned value "192" under the 'mib-2' subtree and
recorded the assignment in the SMI Numbers registry.
10. Security Considerations
There are a number of management objects defined in this MIB module
with a MAX-ACCESS clause of read-write and/or read-create. Such
objects may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations. These are the tables and objects and their
sensitivity/vulnerability:
o syslogMsgTableMaxSize: This object controls how many entries are
kept in the syslogMsgTable. Unauthorized modifications may either
cause increased memory consumption (by setting this object to a
large value) or turn off the capability to retrieve notifications
using GET class operations (by setting this object to zero). This
might be used to hide traces of an attack.
o syslogMsgEnableNotifications: This object enables notifications.
Unauthorized modifications to disable notification generation can
be used to hide an attack by preventing management applications
that use SNMP from receiving real-time notifications about events
carried in SYSLOG messages. Unauthorized modifications to enable
notification generation may be used as part of a denial-of-service
attack against a network management system if, for example, the
SYSLOG-to-SNMP translator accepts unauthorized SYSLOG messages.
Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability:
o syslogMsgTableMaxSize, syslogMsgEnableNotifications: These objects
provide information regarding whether SYSLOG messages are
forwarded as SNMP notifications and how many messages will be
maintained in the syslogMsgTable. This information might be
exploited by an attacker in order to plan actions with the goal of
hiding attack activities.
o syslogMsgFacility, syslogMsgSeverity, syslogMsgVersion,
syslogMsgTimeStamp, syslogMsgHostName, syslogMsgAppName,
syslogMsgProcID, syslogMsgMsgID, syslogMsgSDParams, syslogMsgMsg,
syslogMsgSDParamValue: These objects carry the content of SYSLOG
messages and the SYSLOG-message-oriented security considerations
of [RFC5424] apply. In particular, an attacker who gains access
to SYSLOG messages via SNMP may use the knowledge gained from
SYSLOG messages to compromise a machine or do other damage. It is
therefore desirable to configure SNMP access control rules,
enforcing a consistent security policy for SYSLOG messages.
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example by using IPsec),
even then, there is no control as to who on the secure network is
allowed to access and GET/SET (read/change/create/delete) the objects
in this MIB module.
It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
Using the security features of the SNMPv3 framework secures the
transport of SYSLOG data via SNMP only. It is therefore RECOMMENDED
that deployments use SYSLOG security mechanisms in order to prevent
attackers from adding malicious SYSLOG data to the MIB tables.
11. Acknowledgments
The editors wish to thank the following individuals for providing
helpful comments on various versions of this document: Martin
Bjorklund, Washam Fan, Rainer Gerhards, Wes Hardacker, David
Harrington, Tom Petch, Juergen Quittek, Dan Romascanu, and Bert
Wijnen.
12. References
12.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Structure of Management Information Version 2 (SMIv2)",
RFC 2578, STD 58, April 1999.
[RFC2579] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Textual Conventions for SMIv2", RFC 2579, STD 58,
April 1999.
[RFC2580] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", RFC 2580, STD 58,
April 1999.
[RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
[RFC3412] Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
"Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3412,
December 2002.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003.
[RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009.
[RFC5427] Keeni, G., "Textual Conventions for Syslog Management",
RFC 5427, March 2009.
[RFC5675] Marinov, V. and J. Schoenwaelder, "Mapping Simple Network
Management Protocol (SNMP) Notifications to SYSLOG
Messages", RFC 5675, October 2009.
12.2. Informative References
[RFC3014] Kavasseri, R., Ed., "Notification Log MIB", RFC 3014,
November 2002.
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002.
Authors' Addresses
Juergen Schoenwaelder
Jacobs University Bremen
Campus Ring 1
28725 Bremen
Germany
EMail: j.schoenwaelder@jacobs-university.de
Alexander Clemm
Cisco Systems
170 West Tasman Drive
San Jose, CA 95134-1706
USA
EMail: alex@cisco.com
Anirban Karmakar
Cisco Systems India Pvt Ltd
SEZ Unit, Cessna Business Park,
Sarjapur Marathahalli ORR,
Bangalore, Karnataka 560103
India
EMail: akarmaka@cisco.com