[BEHAVE] SYSLOG strategy for organizing NAT logging event parameters
Tom Taylor <tom.taylor.stds@gmail.com> Fri, 03 May 2013 01:07 UTC
Return-Path: <tom.taylor.stds@gmail.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 452E121F8EC2 for <behave@ietfa.amsl.com>; Thu, 2 May 2013 18:07:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.499
X-Spam-Level:
X-Spam-Status: No, score=-2.499 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HNPXx3Z7aLf2 for <behave@ietfa.amsl.com>; Thu, 2 May 2013 18:07:06 -0700 (PDT)
Received: from mail-ia0-x236.google.com (mail-ia0-x236.google.com [IPv6:2607:f8b0:4001:c02::236]) by ietfa.amsl.com (Postfix) with ESMTP id C195621F8EAF for <behave@ietf.org>; Thu, 2 May 2013 18:07:06 -0700 (PDT)
Received: by mail-ia0-f182.google.com with SMTP id x30so959238iaa.27 for <behave@ietf.org>; Thu, 02 May 2013 18:07:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=uNDzQzrGIEIZkv6mkwMx2oHZJdgEKVvmNxJnaHSCO9c=; b=oPz77ZRlgMHPzqVfhcfV1I4QSJny4JjuBhhJjEdDKPopy5LRltQszX/L7Mh1MrmnUy 86dHodIC7wRsXWcpiaxb6+2LxlHrpm/Sj7wDcaAORy5XgZ8FZeJI9KTiVs+DibIihk65 vmO+3tDrp3p82xQwnMDzIjLmJCzCSaGrUWC/UaOv1eYpXxNaQ1j08bwRXOYKTvzVYp7Z bgsn36/bpQL2PRXlhuwjsE2Nf/MJbQ0eXWM9/I38W906/bTStGWFBfdFuJ4uSOvk8dah iwHEd5WWoxualJxQ8cMTkbSrL5ahF2b8SRf69N4bsDRwe68qwRCh7NtnJ3oIY43lmsew Vidg==
X-Received: by 10.50.152.105 with SMTP id ux9mr4712957igb.53.1367543226412; Thu, 02 May 2013 18:07:06 -0700 (PDT)
Received: from [192.168.1.65] (dsl-173-206-104-209.tor.primus.ca. [173.206.104.209]) by mx.google.com with ESMTPSA id w8sm18677954igl.9.2013.05.02.18.07.05 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 02 May 2013 18:07:05 -0700 (PDT)
Message-ID: <51830DB7.4050201@gmail.com>
Date: Thu, 02 May 2013 21:07:03 -0400
From: Tom Taylor <tom.taylor.stds@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: "behave@ietf.org" <behave@ietf.org>, David Harrington <ietfdbh@comcast.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: [BEHAVE] SYSLOG strategy for organizing NAT logging event parameters
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2013 01:07:07 -0000
In organizing the encoding for the SYSLOG approach, I need to decide how to define the structured data elements. Each such element is identified by an SD-ID and contains a specified set of parameters. I have eight events in all (including "invalid port detected"), and twenty different parameters. The accounting is a little different from IPFIX because some IPFIX parameters end up in the SYSLOG headers instead. One parameter is common to all of the events, a few are common to at least four of them, and the rest are more scattered. There may be some reconciliation required when I submit the SYSLOG update. The question is how to define the structured data elements. Here are the possibilities: (a) define only one structured data element, within which all parameters are optional from the point of view of SYSLOG, but individual parameters may be mandatory from the application point of view depending on the event type. Every event would use the same structured data element. (b) define one structured data element per event, with mandatory and optional parameters as required. The same parameter would then be registered formally with IANA once for each event using it. (c) variation on (a): partition the parameters amongst multiple structured data elements, more than one of which may be needed to make up a complete event report. One possible use is to group parameters relating to a given NAT type. The disadvantage is a bit longer log lengths because of the additional structured data headers. Are there any opinions on all this? SYSLOG is defined in RFC 5424. Tom Taylor
- [BEHAVE] SYSLOG strategy for organizing NAT loggi… Tom Taylor
- Re: [BEHAVE] SYSLOG strategy for organizing NAT l… Senthil Sivakumar (ssenthil)
- Re: [BEHAVE] SYSLOG strategy for organizing NAT l… Reinaldo Penno (repenno)
- Re: [BEHAVE] SYSLOG strategy for organizing NAT l… Chris Lonvick