IETF Logo Mail Archive

Re: [BEHAVE] SYSLOG strategy for organizing NAT logging event parameters

Chris Lonvick <clonvick@cisco.com> Fri, 03 May 2013 16:28 UTC

Return-Path: <clonvick@cisco.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E7C321F9730 for <behave@ietfa.amsl.com>; Fri, 3 May 2013 09:28:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nq5DFI-B0xHm for <behave@ietfa.amsl.com>; Fri, 3 May 2013 09:27:56 -0700 (PDT)
Received: from mtv-iport-1.cisco.com (mtv-iport-1.cisco.com [173.36.130.12]) by ietfa.amsl.com (Postfix) with ESMTP id 8EA4C21F9802 for <behave@ietf.org>; Fri, 3 May 2013 08:38:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3050; q=dns/txt; s=iport; t=1367595500; x=1368805100; h=date:from:to:cc:subject:in-reply-to:message-id: references:mime-version; bh=P463ZBHPPWIjtqp19qy090OH92GYQZ5BoBKg0BuH6s4=; b=SAFXEs5ghW9BRfmDtrTbB1WOgpLDvTnGwOyUbz3TWHJybhfMbn6KyFb9 2xb9Op1q2zOjoJCTIR/bTnMT1waCe2i2FJqlM0GwNA0MGroFYkDYR7lIr LZ81iIPotDRKuTBPyXFCELu3Vw401SUEAfhh7Vi0XP3Vpp3eqjbfThzrF A=;
X-IronPort-AV: E=Sophos;i="4.87,605,1363132800"; d="scan'208";a="77160329"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-1.cisco.com with ESMTP; 03 May 2013 15:38:19 +0000
Received: from sjc-xdm-112 (sjc-xdm-112.cisco.com [171.71.188.44]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r43FcIto024266 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 3 May 2013 15:38:18 GMT
Date: Fri, 03 May 2013 08:38:17 -0700
From: Chris Lonvick <clonvick@cisco.com>
To: Tom Taylor <tom.taylor.stds@gmail.com>, "Reinaldo Penno (repenno)" <repenno@cisco.com>
In-Reply-To: <45A697A8FFD7CF48BCF2BE7E106F060409062ADD@xmb-rcd-x04.cisco.com>
Message-ID: <alpine.LRH.2.00.1305030825430.32145@sjc-xdm-112.cisco.com>
References: <45A697A8FFD7CF48BCF2BE7E106F060409062ADD@xmb-rcd-x04.cisco.com>
User-Agent: Alpine 2.00 (LRH 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Cc: David Harrington <ietfdbh@comcast.net>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] SYSLOG strategy for organizing NAT logging event parameters
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2013 16:28:02 -0000

Hi,

The thought that went into structured data in RFC5424 was to keep it 
simple for the sender to put together, and easy for the receiver to parse. 
The latter is especially critical if the receiver is going to immediately 
parse the message upon receipt.  If anyone is interested, John Kelsey 
wrote some things about that in Section 7 of RFC 5848, "Signed Syslog 
Messages".

I'd also agree that B gives the most flexibility.

Thanks,
Chris


On Thu, 2 May 2013, Reinaldo Penno (repenno) wrote:

> I agree Senthil's proposal.
>
> On 5/2/13 10:42 PM, "Senthil Sivakumar (ssenthil)" <ssenthil@cisco.com>
> wrote:
>
>> Option b would be my preference, as it seems the most straight forward
>> approach,
>> easy to understand and implement.
>>
>> Senthil
>>
>> On 5/2/13 9:07 PM, "Tom Taylor" <tom.taylor.stds@gmail.com> wrote:
>>
>>> In organizing the encoding for the SYSLOG approach, I need to decide how
>>> to define the structured data elements. Each such element is identified
>>> by an SD-ID and contains a specified set of parameters.
>>>
>>> I have eight events in all (including "invalid port detected"), and
>>> twenty different parameters. The accounting is a little different from
>>> IPFIX because some IPFIX parameters end up in the SYSLOG headers
>>> instead. One parameter is common to all of the events, a few are common
>>> to at least four of them, and the rest are more scattered. There may be
>>> some reconciliation required when I submit the SYSLOG update.
>>>
>>> The question is how to define the structured data elements. Here are the
>>> possibilities:
>>>
>>> (a) define only one structured data element, within which all parameters
>>> are optional from the point of view of SYSLOG, but individual parameters
>>> may be mandatory from the application point of view depending on the
>>> event type. Every event would use the same structured data element.
>>>
>>> (b) define one structured data element per event, with mandatory and
>>> optional parameters as required. The same parameter would then be
>>> registered formally with IANA once for each event using it.
>>>
>>> (c) variation on (a): partition the parameters amongst multiple
>>> structured data elements, more than one of which may be needed to make
>>> up a complete event report. One possible use is to group parameters
>>> relating to a given NAT type. The disadvantage is a bit longer log
>>> lengths because of the additional structured data headers.
>>>
>>> Are there any opinions on all this? SYSLOG is defined in RFC 5424.
>>>
>>> Tom Taylor
>>> _______________________________________________
>>> Behave mailing list
>>> Behave@ietf.org
>>> https://www.ietf.org/mailman/listinfo/behave
>>
>> _______________________________________________
>> Behave mailing list
>> Behave@ietf.org
>> https://www.ietf.org/mailman/listinfo/behave
>
> _______________________________________________
> Behave mailing list
> Behave@ietf.org
> https://www.ietf.org/mailman/listinfo/behave
>

v2.23.0 | Report a Bug | By Email