RFC5676
Network Working Group J. Schoenwaelder Request for Comments: 5676 Jacobs University Bremen Category: Standards Track A. Clemm
Cisco Systems
A. Karmakar
Cisco Systems India Pvt Ltd
October 2009
Definitions of Managed Objects for Mapping SYSLOG Messages to
Simple Network Management Protocol (SNMP) Notifications
Abstract
This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it defines a mapping of SYSLOG messages to Simple Network Management Protocol (SNMP) notifications.
Status of This Memo
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License.
6. Relationship to the SNMP Notification to SYSLOG Mapping . . . 6
Contents
Introduction
SNMP (RFC3410, RFC3411) and SYSLOG RFC5424 are two widely used protocols to communicate event notifications. Although co-existence of several management protocols in one operational environment is possible, certain environments require that all event notifications be collected by a single system daemon, such as a SYSLOG collector or an SNMP notification receiver, via a single management protocol. In such environments, it is necessary to translate event notifications between management protocols.
This document defines an SNMP MIB module to represent SYSLOG messages and to send SYSLOG messages as SNMP notifications to SNMP notification receivers.
The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current Internet-Standard Management Framework, please refer to section 7 of RFC 3410 RFC3410.
Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. MIB objects are generally accessed through the Simple Network Management Protocol (SNMP). Objects in the MIB are defined using the mechanisms defined in the Structure of Management Information (SMI). This memo specifies a MIB module that is compliant to the SMIv2, which is described in STD 58, RFC 2578 RFC2578, STD 58, RFC 2579 RFC2579 and STD 58, RFC 2580 RFC2580.
Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC2119.
Overview
SYSLOG messages are translated to SNMP by a SYSLOG-to-SNMP translator. Such a translator acts as a SYSLOG collector RFC5424 and implements a MIB module according to the SNMP architecture RFC3411. The translator might be tightly coupled to an SNMP agent or it might interface with an SNMP agent via a subagent protocol.
After initialization, the SYSLOG-to-SNMP translator will listen for SYSLOG messages. On receiving a message, the message will be parsed to extract information as described in the MIB module. A conceptual table is populated with information extracted from the SYSLOG message, and finally a notification may be generated.
The MIB module is organized into a group of scalars and two tables. The syslogMsgControl group contains two scalars controlling the maximum size of SYSLOG messages recorded in the tables and also controlling whether SNMP notifications are generated for SYSLOG messages.
--syslogMsgObjects(1)
|
+--syslogMsgControl(1)
|
+-- Unsigned32 syslogMsgTableMaxSize(1)
+-- TruthValue syslogMsgEnableNotifications(2)
The syslogMsgTable contains one entry for each recorded SYSLOG message. The basic fields of SYSLOG messages as well as message properties are represented in different columns of the conceptual table.
--syslogMsgObjects(1)
|
+--syslogMsgTable(2)
|
+--syslogMsgEntry(1) [syslogMsgIndex]
|
+-- Unsigned32 syslogMsgIndex(1)
+-- SyslogFacility syslogMsgFacility(2)
+-- SyslogSeverity syslogMsgSeverity(3)
+-- Unsigned32 syslogMsgVersion(4)
+-- SyslogTimeStamp syslogMsgTimeStamp(5)
+-- DisplayString syslogMsgHostName(6)
+-- DisplayString syslogMsgAppName(7)
+-- DisplayString syslogMsgProcID(8)
+-- DisplayString syslogMsgMsgID(9)
+-- Unsigned32 syslogMsgSDParams(10)
+-- OctetString syslogMsgMsg(11)
The syslogMsgSDTable contains one entry for each structured data element parameter contained in a SYSLOG message. Since structured data elements are optional, the relationship between the syslogMsgTable and the syslogMsgSDTable ranges from one-to-zero to one-to-many.
--syslogMsgObjects(1)
|
+--syslogMsgSDTable(3)
|
+--syslogMsgSDEntry(1) [syslogMsgIndex,
| syslogMsgSDParamIndex,
| syslogMsgSDID,
| syslogMsgSDParamName]
|
+-- Unsigned32 syslogMsgSDParamIndex(1)
+-- DisplayString syslogMsgSDID(2)
+-- DisplayString syslogMsgSDParamName(3)
+-- SyslogParamValueString syslogMsgSDParamValue(4)
Relationship to Other MIB Modules
The NOTIFICATION-LOG-MIB RFC3014 provides a generic mechanism for logging SNMP notifications in order to deal with lost SNMP notifications, e.g., due to transient communication problems. Applications can poll the notification log to verify that they have not missed important SNMP notifications.
The MIB module defined in this memo provides a mechanism for logging SYSLOG notifications. This additional SYSLOG notification log is provided because (a) SYSLOG messages might not lead to SNMP notification (this is configurable) and (b) SNMP notifications might not carry all information associated with a SYSLOG notification.
The MIB module IMPORTS objects from SNMPv2-SMI RFC2578, SNMPv2-TC RFC2579, SNMPv2-CONF RFC2580, SNMP-FRAMEWORK-MIB RFC3411, and SYSLOG-TC-MIB RFC5427.
The textual convention SyslogParamValueString uses the UTF-8 transformation format of the ISO/IEC IS 10646-1 character set defined in RFC3629.
Relationship to the SNMP Notification to SYSLOG Mapping
A companion document RFC5675 defines a mapping of SNMP notifications to SYSLOG messages. This section discusses the possibilities of using both specifications in combination.
A SYSLOG collector implementing the SYSLOG-MSG-MIB module and the mapping of SNMP notifications to SYSLOG messages may be configured to translate received SYSLOG messages containing SNMP notifications back into the original SNMP notification. In this case, the relevant tables of the SYSLOG-MSG-MIB will not be populated for SYSLOG messages carrying SNMP notifications. This configuration allows operators to build a forwarding chain where SNMP notifications are "tunneled" through SYSLOG messages. Due to size restrictions of the SYSLOG transports and the more verbose textual encoding used by SYSLOG, there is a possibility that SNMP notification content will get truncated when tunneled through SYSLOG, and thus the resulting SNMP notification may be incomplete.
An SNMP management application supporting the SYSLOG-MSG-MIB and the mapping of SNMP notifications to SYSLOG messages may process information from the SYSLOG-MSG-MIB in order to emit a SYSLOG message representing the SYSLOG message recorded in the SYSLOG-MSG-MIB module. This configuration allows operators to build a forwarding chain where SYSLOG messages are "tunneled" through SNMP messages. A notification receiver can determine whether a syslogMsgNotification contained all structured data element parameters of a SYSLOG message. In case parameters are missing, a forwarding application MUST retrieve the missing parameters from the SYSLOG-MSG-MIB. Regular polling of the SYSLOG-MSG-MIB can be used to take care of any lost SNMP notifications.
Definitions
SYSLOG-MSG-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE, NOTIFICATION-TYPE, Unsigned32, mib-2
FROM SNMPv2-SMI
TEXTUAL-CONVENTION, DisplayString, TruthValue
FROM SNMPv2-TC
OBJECT-GROUP, NOTIFICATION-GROUP, MODULE-COMPLIANCE
FROM SNMPv2-CONF
SyslogFacility, SyslogSeverity
FROM SYSLOG-TC-MIB;
syslogMsgMib MODULE-IDENTITY
LAST-UPDATED "200908130800Z"
ORGANIZATION "IETF OPSAWG Working Group"
CONTACT-INFO
"Juergen Schoenwaelder
<[email protected]>
Jacobs University Bremen
Campus Ring 1
28757 Bremen
Germany
Alexander Clemm
<[email protected]>
Cisco Systems
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Anirban Karmakar
<[email protected]>
Cisco Systems India Pvt Ltd
SEZ Unit, Cessna Business Park,
Sarjapur Marathahalli ORR,
Bangalore, Karnataka 560103
India"
DESCRIPTION
"This MIB module represents SYSLOG messages as SNMP objects.
Copyright (c) 2009 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this MIB module is part of RFC 5676; see the RFC itself for full legal notices."
REVISION "200908130800Z"
DESCRIPTION
"Initial version issued as part of RFC 5676."
::= { mib-2 192 }
-- textual convention definitions
SyslogTimeStamp ::= TEXTUAL-CONVENTION
DISPLAY-HINT "2d-1d-1d,1d:1d:1d.3d,1a1d:1d"
STATUS current
DESCRIPTION
"A date-time specification. This type is similar to the
DateAndTime type defined in the SNMPv2-TC, except the
subsecond granulation is microseconds instead of
deciseconds and a zero-length string can be used
to indicate a missing value.
field octets contents range
----- ------ -------- -----
1 1-2 year* 0..65536
2 3 month 1..12
3 4 day 1..31
4 5 hour 0..23
5 6 minutes 0..59
6 7 seconds 0..60
(use 60 for leap-second)
7 8-10 microseconds* 0..999999
8 11 direction from UTC '+' / '-'
9 12 hours from UTC* 0..13
10 13 minutes from UTC 0..59
* Notes:
- the value of year is in network-byte order
- the value of microseconds is in network-byte order
- daylight saving time in New Zealand is +13
For example, Tuesday May 26, 1992 at 1:30:15 PM EDT would be
displayed as:
1992-5-26,13:30:15.0,-4:0
Note that if only local time is known, then timezone
information (fields 11-13) is not present."
SYNTAX OCTET STRING (SIZE (0 | 10 | 13))
SyslogParamValueString ::= TEXTUAL-CONVENTION
DISPLAY-HINT "65535t"
STATUS current
DESCRIPTION
"The value of a SYSLOG SD-PARAM is represented using the
ISO/IEC IS 10646-1 character set, encoded as an octet string
using the UTF-8 transformation format described in RFC 3629.
Since additional code points are added by amendments to the
10646 standard from time to time, implementations must be
prepared to encounter any code point from 0x00000000 to
0x7fffffff. Byte sequences that do not correspond to the
valid UTF-8 encoding of a code point or that are outside this
range are prohibited. Similarly, overlong UTF-8 sequences
are prohibited.
UTF-8 may require multiple bytes to represent a single
character / code point; thus, the length of this object in
octets may be different from the number of characters
encoded. Similarly, size constraints refer to the number of
encoded octets, not the number of characters represented by
an encoding."
REFERENCE
"RFC 3629: UTF-8, a transformation format of ISO 10646"
SYNTAX OCTET STRING
-- object definitions
syslogMsgNotifications OBJECT IDENTIFIER ::= { syslogMsgMib 0 }
syslogMsgObjects OBJECT IDENTIFIER ::= { syslogMsgMib 1 }
syslogMsgConformance OBJECT IDENTIFIER ::= { syslogMsgMib 2 }
syslogMsgControl OBJECT IDENTIFIER ::= { syslogMsgObjects 1 }
syslogMsgTableMaxSize OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The maximum number of SYSLOG messages that may be held in
syslogMsgTable. A particular setting does not guarantee that
there is sufficient memory available for the maximum number
of table entries indicated by this object. A value of 0 means
no fixed limit.
If an application reduces the limit while there are SYSLOG
messages in the syslogMsgTable, the SYSLOG messages that are
in the syslogMsgTable for the longest time MUST be discarded
to bring the table down to the new limit.
The value of this object should be kept in nonvolatile
memory."
DEFVAL { 0 }
::= { syslogMsgControl 1 }
syslogMsgEnableNotifications OBJECT-TYPE
SYNTAX TruthValue
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"Indicates whether syslogMsgNotification notifications are
generated.
The value of this object should be kept in nonvolatile
memory."
DEFVAL { false }
::= { syslogMsgControl 2 }
syslogMsgTable OBJECT-TYPE
SYNTAX SEQUENCE OF SyslogMsgEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table containing recent SYSLOG messages. The size of the
table is controlled by the syslogMsgTableMaxSize object."
::= { syslogMsgObjects 2 }
syslogMsgEntry OBJECT-TYPE
SYNTAX SyslogMsgEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry of the syslogMsgTable."
INDEX { syslogMsgIndex }
::= { syslogMsgTable 1 }
SyslogMsgEntry ::= SEQUENCE {
syslogMsgIndex Unsigned32,
syslogMsgFacility SyslogFacility,
syslogMsgSeverity SyslogSeverity,
syslogMsgVersion Unsigned32,
syslogMsgTimeStamp SyslogTimeStamp,
syslogMsgHostName DisplayString,
syslogMsgAppName DisplayString,
syslogMsgProcID DisplayString,
syslogMsgMsgID DisplayString,
syslogMsgSDParams Unsigned32,
syslogMsgMsg OCTET STRING
}
syslogMsgIndex OBJECT-TYPE SYNTAX Unsigned32 (1..4294967295) MAX-ACCESS not-accessible STATUS current
DESCRIPTION
"A monotonically increasing number used to identify entries in
the syslogMsgTable. When syslogMsgIndex reaches the maximum
value (4294967295), the value wraps back to 1.
Applications periodically polling the syslogMsgTable for new
entries should take into account that a complete rollover of
syslogMsgIndex will happen if more than 4294967294 messages
are received during a poll interval."
::= { syslogMsgEntry 1 }
syslogMsgFacility OBJECT-TYPE
SYNTAX SyslogFacility
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The facility of the SYSLOG message."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.1)
RFC 5427: Textual Conventions for Syslog Management"
::= { syslogMsgEntry 2 }
syslogMsgSeverity OBJECT-TYPE
SYNTAX SyslogSeverity
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The severity of the SYSLOG message"
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.1)
RFC 5427: Textual Conventions for Syslog Management"
::= { syslogMsgEntry 3 }
syslogMsgVersion OBJECT-TYPE
SYNTAX Unsigned32 (0..999)
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The version of the SYSLOG message. A value of 0 indicates
that the version is unknown."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.2)"
::= { syslogMsgEntry 4 }
syslogMsgTimeStamp OBJECT-TYPE SYNTAX SyslogTimeStamp MAX-ACCESS read-only STATUS current
DESCRIPTION
"The timestamp of the SYSLOG message. A zero-length
string is returned if the timestamp is unknown."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.3)"
::= { syslogMsgEntry 5 }
syslogMsgHostName OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..255))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The hostname and the (optional) domain name of the SYSLOG
message. A zero-length string indicates an unknown hostname.
The SYSLOG protocol specification constrains this string to
printable US-ASCII code points."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.4)"
::= { syslogMsgEntry 6 }
syslogMsgAppName OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..48))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The app-name of the SYSLOG message. A zero-length string
indicates an unknown app-name. The SYSLOG protocol
specification constrains this string to printable US-ASCII
code points."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.5)"
::= { syslogMsgEntry 7 }
syslogMsgProcID OBJECT-TYPE
SYNTAX DisplayString (SIZE (0..128))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The procid of the SYSLOG message. A zero-length string
indicates an unknown procid. The SYSLOG protocol
specification constrains this string to printable
US-ASCII code points."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.6)"
::= { syslogMsgEntry 8 }
syslogMsgMsgID OBJECT-TYPE SYNTAX DisplayString (SIZE (0..32))
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The msgid of the SYSLOG message. A zero-length string
indicates an unknown msgid. The SYSLOG protocol specification
constrains this string to printable US-ASCII code points."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.2.7)"
::= { syslogMsgEntry 9 }
syslogMsgSDParams OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The total number of structured data element parameters
carried in the SYSLOG message. This number effectively
indicates the number of entries in the syslogMsgSDTable.
It can be used, for example, by a notification receiver
to determine whether a notification carried all
structured data element parameters of a SYSLOG message."
::= { syslogMsgEntry 10 }
syslogMsgMsg OBJECT-TYPE
SYNTAX OCTET STRING
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The message part of the SYSLOG message. The syntax does not
impose a size restriction. Implementations of this MIB module
may truncate the message part of the SYSLOG message such that
it fits into the size constraints imposed by the implementation
environment. Such truncations can also happen elsewhere in the
SYSLOG forwarding chain.
If the first octets contain the value 'EFBBBF'h, then the rest
of the message is a UTF-8 string. Since SYSLOG messages may be
truncated at arbitrary octet boundaries during forwarding, the
message may contain invalid UTF-8 encodings at the end."
REFERENCE
"RFC 5424: The Syslog Protocol (Sections 6.1 and 6.4)"
::= { syslogMsgEntry 11 }
syslogMsgSDTable OBJECT-TYPE SYNTAX SEQUENCE OF SyslogMsgSDEntry MAX-ACCESS not-accessible STATUS current DESCRIPTION
"A table containing structured data elements of SYSLOG
messages."
::= { syslogMsgObjects 3 }
syslogMsgSDEntry OBJECT-TYPE
SYNTAX SyslogMsgSDEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"An entry of the syslogMsgSDTable."
INDEX { syslogMsgIndex, syslogMsgSDParamIndex,
syslogMsgSDID, syslogMsgSDParamName }
::= { syslogMsgSDTable 1 }
SyslogMsgSDEntry ::= SEQUENCE {
syslogMsgSDParamIndex Unsigned32,
syslogMsgSDID DisplayString,
syslogMsgSDParamName DisplayString,
syslogMsgSDParamValue SyslogParamValueString
}
syslogMsgSDParamIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..4294967295)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"This object indexes the structured data element parameters
contained in a SYSLOG message. The first structured data
element parameter has the index value 1, and subsequent
parameters are indexed by incrementing the index of the
previous parameter. The index increases across structured
data element boundaries so that the value reflects the
position of a structured data element parameter in a
SYSLOG message."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.3.3)"
::= { syslogMsgSDEntry 1 }
syslogMsgSDID OBJECT-TYPE
SYNTAX DisplayString (SIZE (1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name (SD-ID) of a structured data element. The SYSLOG
protocol specification constrains this string to printable
US-ASCII code points."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.3.2)"
::= { syslogMsgSDEntry 2 }
syslogMsgSDParamName OBJECT-TYPE
SYNTAX DisplayString (SIZE (1..32))
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The name of a parameter of the structured data element. The
SYSLOG protocol specification constrains this string to
printable US-ASCII code points."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.3.3)"
::= { syslogMsgSDEntry 3 }
syslogMsgSDParamValue OBJECT-TYPE
SYNTAX SyslogParamValueString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The value of the parameter of a SYSLOG message identified by
the index of this table. The value is stored in the unescaped
format."
REFERENCE
"RFC 5424: The Syslog Protocol (Section 6.3.3)"
::= { syslogMsgSDEntry 4 }
-- notification definitions
syslogMsgNotification NOTIFICATION-TYPE
OBJECTS { syslogMsgFacility, syslogMsgSeverity,
syslogMsgVersion, syslogMsgTimeStamp,
syslogMsgHostName, syslogMsgAppName,
syslogMsgProcID, syslogMsgMsgID,
syslogMsgSDParams, syslogMsgMsg }
STATUS current
DESCRIPTION
"The syslogMsgNotification is generated when a new SYSLOG
message is received and the value of
syslogMsgGenerateNotifications is true.
Implementations may add syslogMsgSDParamValue objects as long
as the resulting notification fits into the size constraints
imposed by the implementation environment and the notification
message size constraints imposed by maxMessageSize RFC3412
and SNMP transport mappings."
::= { syslogMsgNotifications 1 }
-- conformance statements
syslogMsgGroups OBJECT IDENTIFIER ::= { syslogMsgConformance 1 }
syslogMsgCompliances OBJECT IDENTIFIER ::= { syslogMsgConformance 2 }
syslogMsgFullCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for implementations of the
SYSLOG-MSG-MIB."
MODULE -- this module
MANDATORY-GROUPS {
syslogMsgGroup,
syslogMsgSDGroup,
syslogMsgControlGroup,
syslogMsgNotificationGroup
}
::= { syslogMsgCompliances 1 }
syslogMsgReadOnlyCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for implementations of the
SYSLOG-MSG-MIB that do not support read-write access."
MODULE -- this module
MANDATORY-GROUPS {
syslogMsgGroup,
syslogMsgSDGroup,
syslogMsgControlGroup,
syslogMsgNotificationGroup
}
OBJECT syslogMsgTableMaxSize
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
OBJECT syslogMsgEnableNotifications
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required."
::= { syslogMsgCompliances 2 }
syslogMsgNotificationCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for implementations of the
SYSLOG-MSG-MIB that do only generate notifications and do not
provide a table to allow read access to SYSLOG message
details."
MODULE -- this module
MANDATORY-GROUPS {
syslogMsgGroup,
syslogMsgSDGroup,
syslogMsgNotificationGroup
}
OBJECT syslogMsgFacility
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgSeverity
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgVersion
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgTimeStamp
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgHostName
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgAppName
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgProcID
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgMsgID
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgSDParams
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgMsg
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
OBJECT syslogMsgSDParamValue
MIN-ACCESS accessible-for-notify
DESCRIPTION
"Read access is not required."
::= { syslogMsgCompliances 3 }
syslogMsgNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS {
syslogMsgNotification
}
STATUS current
DESCRIPTION
"The notifications emitted by this MIB module."
::= { syslogMsgGroups 1 }
syslogMsgGroup OBJECT-GROUP
OBJECTS {
-- syslogMsgIndex,
syslogMsgFacility,
syslogMsgSeverity,
syslogMsgVersion,
syslogMsgTimeStamp,
syslogMsgHostName,
syslogMsgAppName,
syslogMsgProcID,
syslogMsgMsgID,
syslogMsgSDParams,
syslogMsgMsg
}
STATUS current
DESCRIPTION
"A collection of objects representing a SYSLOG message,
excluding structured data elements."
::= { syslogMsgGroups 2 }
syslogMsgSDGroup OBJECT-GROUP
OBJECTS {
-- syslogMsgSDParamIndex,
-- syslogMsgSDID,
-- syslogMsgSDParamName,
syslogMsgSDParamValue
}
STATUS current
DESCRIPTION
"A collection of objects representing the structured data
elements of a SYSLOG message."
::= { syslogMsgGroups 3 }
syslogMsgControlGroup OBJECT-GROUP
OBJECTS {
syslogMsgTableMaxSize,
syslogMsgEnableNotifications
}
STATUS current
DESCRIPTION
"A collection of control objects to control the size of the
syslogMsgTable and to enable/disable notifications."
::= { syslogMsgGroups 4 }
END
Usage Example
The following example shows a valid SYSLOG message including structured data. The otherwise-unprintable Unicode byte order mark (BOM) is represented as "BOM" in the example.
<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] BOMAn application event log entry...
This SYSLOG message leads to the following entries in the syslogMsgTable and the syslogMsgSDTable (note that string indexes are written as strings for readability reasons):
syslogMsgIndex.1 = 1
syslogMsgFacility.1 = 20
syslogMsgSeverity.1 = 5
syslogMsgVersion.1 = 1
syslogMsgTimeStamp.1 = 2003-10-11,22:14:15.003,+0:0
syslogMsgHostName.1 = "mymachine.example.com"
syslogMsgAppName.1 = "evntslog"
syslogMsgProcID.1 = "-"
syslogMsgMsgID.1 = "ID47"
syslogMsgMsg.1 = "BOMAn application event log entry..."
syslogMsgSDParamValue.1.1."exampleSDID@32473"."iut"
= "3"
syslogMsgSDParamValue.1.2."exampleSDID@32473"."eventSource"
= "Application"
syslogMsgSDParamValue.1.3."exampleSDID@32473"."eventID"
= "1011"
IANA Considerations
The IANA has assigned value "192" under the 'mib-2' subtree and recorded the assignment in the SMI Numbers registry.
10. Security Considerations
There are a number of management objects defined in this MIB module with a MAX-ACCESS clause of read-write and/or read-create. Such objects may be considered sensitive or vulnerable in some network environments. The support for SET operations in a non-secure environment without proper protection can have a negative effect on network operations. These are the tables and objects and their sensitivity/vulnerability:
o syslogMsgTableMaxSize: This object controls how many entries are
kept in the syslogMsgTable. Unauthorized modifications may either cause increased memory consumption (by setting this object to a large value) or turn off the capability to retrieve notifications using GET class operations (by setting this object to zero). This might be used to hide traces of an attack.
o syslogMsgEnableNotifications: This object enables notifications.
Unauthorized modifications to disable notification generation can be used to hide an attack by preventing management applications that use SNMP from receiving real-time notifications about events carried in SYSLOG messages. Unauthorized modifications to enable notification generation may be used as part of a denial-of-service attack against a network management system if, for example, the SYSLOG-to-SNMP translator accepts unauthorized SYSLOG messages.
Some of the readable objects in this MIB module (i.e., objects with a MAX-ACCESS other than not-accessible) may be considered sensitive or vulnerable in some network environments. It is thus important to control even GET and/or NOTIFY access to these objects and possibly to even encrypt the values of these objects when sending them over the network via SNMP. These are the tables and objects and their sensitivity/vulnerability:
o syslogMsgTableMaxSize, syslogMsgEnableNotifications: These objects
provide information regarding whether SYSLOG messages are forwarded as SNMP notifications and how many messages will be maintained in the syslogMsgTable. This information might be exploited by an attacker in order to plan actions with the goal of hiding attack activities.
o syslogMsgFacility, syslogMsgSeverity, syslogMsgVersion,
syslogMsgTimeStamp, syslogMsgHostName, syslogMsgAppName, syslogMsgProcID, syslogMsgMsgID, syslogMsgSDParams, syslogMsgMsg, syslogMsgSDParamValue: These objects carry the content of SYSLOG messages and the SYSLOG-message-oriented security considerations of RFC5424 apply. In particular, an attacker who gains access to SYSLOG messages via SNMP may use the knowledge gained from
SYSLOG messages to compromise a machine or do other damage. It is therefore desirable to configure SNMP access control rules, enforcing a consistent security policy for SYSLOG messages.
SNMP versions prior to SNMPv3 did not include adequate security. Even if the network itself is secure (for example by using IPsec), even then, there is no control as to who on the secure network is allowed to access and GET/SET (read/change/create/delete) the objects in this MIB module.
It is RECOMMENDED that implementers consider the security features as provided by the SNMPv3 framework (see RFC3410, section 8), including full support for the SNMPv3 cryptographic mechanisms (for authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to enable cryptographic security. It is then a customer/operator responsibility to ensure that the SNMP entity giving access to an instance of this MIB module is properly configured to give access to the objects only to those principals (users) that have legitimate rights to indeed GET or SET (change/create/delete) them.
Using the security features of the SNMPv3 framework secures the transport of SYSLOG data via SNMP only. It is therefore RECOMMENDED that deployments use SYSLOG security mechanisms in order to prevent attackers from adding malicious SYSLOG data to the MIB tables.
11. Acknowledgments
The editors wish to thank the following individuals for providing helpful comments on various versions of this document: Martin Bjorklund, Washam Fan, Rainer Gerhards, Wes Hardacker, David Harrington, Tom Petch, Juergen Quittek, Dan Romascanu, and Bert Wijnen.
12. References
12.1. Normative References
RFC2119 Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
RFC2578 McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Structure of Management Information Version 2 (SMIv2)",
RFC 2578, STD 58, April 1999.
RFC2579 McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Textual Conventions for SMIv2", RFC 2579, STD 58, April 1999.
RFC2580 McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Conformance Statements for SMIv2", RFC 2580, STD 58, April 1999.
RFC3411 Harrington, D., Presuhn, R., and B. Wijnen, "An
Architecture for Describing Simple Network Management
Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
December 2002.
RFC3412 Case, J., Harrington, D., Presuhn, R., and B. Wijnen,
"Message Processing and Dispatching for the Simple Network
Management Protocol (SNMP)", STD 62, RFC 3412,
December 2002.
RFC3629 Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003.
RFC5424 Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009.
RFC5427 Keeni, G., "Textual Conventions for Syslog Management",
RFC 5427, March 2009.
RFC5675 Marinov, V. and J. Schoenwaelder, "Mapping Simple Network
Management Protocol (SNMP) Notifications to SYSLOG
Messages", RFC 5675, October 2009.
12.2. Informative References
RFC3014 Kavasseri, R., Ed., "Notification Log MIB", RFC 3014,
November 2002.
RFC3410 Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for Internet-
Standard Management Framework", RFC 3410, December 2002.
Authors' Addresses
Juergen Schoenwaelder Jacobs University Bremen Campus Ring 1 28725 Bremen Germany
EMail: [email protected]
Alexander Clemm Cisco Systems 170 West Tasman Drive San Jose, CA 95134-1706 USA
EMail: [email protected]
Anirban Karmakar Cisco Systems India Pvt Ltd SEZ Unit, Cessna Business Park, Sarjapur Marathahalli ORR, Bangalore, Karnataka 560103 India
EMail: [email protected]
