Re: [netmod] draft-ietf-netmod-syslog-model-23

"Clyde Wildes (cwildes)" <cwildes@cisco.com> Mon, 05 March 2018 19:52 UTC

Return-Path: <cwildes@cisco.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC8E212DA6B for <netmod@ietfa.amsl.com>; Mon, 5 Mar 2018 11:52:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.529
X-Spam-Level:
X-Spam-Status: No, score=-14.529 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5S0VPN5ZJn33 for <netmod@ietfa.amsl.com>; Mon, 5 Mar 2018 11:52:18 -0800 (PST)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11BF812D874 for <netmod@ietf.org>; Mon, 5 Mar 2018 11:52:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=28490; q=dns/txt; s=iport; t=1520279537; x=1521489137; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=0a3QyasDNSbrx6ZG8OftIPaptTYsX7DvWkrlXW84ezY=; b=koDPBwgYmucZBUcMv8kehD9tb6AAempYmXx/XVS7JvkZ0DoBhwdVq6e5 IYbG7KEw5YcjVNLgAMdqz1riI6ZT8LW8hLGQWT/KelMt0JW7sHbHq15pf WMm7s1QugYtAelYVkmADAX0zgWcLbKjqd6WrFu0ro+h558G12ScEBGQzB s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0D9AADTnp1a/5ldJa1dDgsBAQEBAQE?= =?us-ascii?q?BAQEBAQEHAQEBAQGCWkktZnAoCoNKiiSNeYICgRaUNIIVCh6FEgIaglkhNBg?= =?us-ascii?q?BAgEBAQEBAQJrJ4UjAQEBBCNWEAIBBgIOAwMBAiEHAwICAjAUCQgCBA4FhDd?= =?us-ascii?q?kEIsWnW6CJyaETINxgiuFLYIugVeCD4MEgyMLAQEBAQEBgg0WglUwgjIEiQe?= =?us-ascii?q?KPYceCQKGUoMShxmOeIl9hysCERkBgS0BHjiBUnAVZAGCGAmDSAEHNDt3AQG?= =?us-ascii?q?LVYEYAQEB?=
X-IronPort-AV: E=Sophos;i="5.47,428,1515456000"; d="scan'208,217";a="353347991"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 05 Mar 2018 19:52:17 +0000
Received: from XCH-ALN-015.cisco.com (xch-aln-015.cisco.com [173.36.7.25]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id w25JqHgx009517 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 5 Mar 2018 19:52:17 GMT
Received: from xch-aln-015.cisco.com (173.36.7.25) by XCH-ALN-015.cisco.com (173.36.7.25) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 5 Mar 2018 13:52:16 -0600
Received: from xch-aln-015.cisco.com ([173.36.7.25]) by XCH-ALN-015.cisco.com ([173.36.7.25]) with mapi id 15.00.1320.000; Mon, 5 Mar 2018 13:52:16 -0600
From: "Clyde Wildes (cwildes)" <cwildes@cisco.com>
To: Bob Harold <rharolde@umich.edu>
CC: "netmod@ietf.org" <netmod@ietf.org>
Thread-Topic: [netmod] draft-ietf-netmod-syslog-model-23
Thread-Index: AQHTsmWyRIrrSql4REOtSderZYOQ3KO95yyAgASCmYCAAAzxAA==
Date: Mon, 5 Mar 2018 19:52:16 +0000
Message-ID: <CDC7EFE8-B753-4D39-BA78-96EFF0642E9A@cisco.com>
References: <CA+nkc8BUwyn=9=YVJCZwJB10dH2rwmvPShdS8yShLDuu5PzwgQ@mail.gmail.com> <8609E4AE-F85D-47BF-873E-764489F58463@cisco.com> <CA+nkc8Ao-OACHFL9EbNNnj-8xDKg6BjFuiOo2bmv=2xzOtA8hQ@mail.gmail.com>
In-Reply-To: <CA+nkc8Ao-OACHFL9EbNNnj-8xDKg6BjFuiOo2bmv=2xzOtA8hQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.20.145.4]
Content-Type: multipart/alternative; boundary="_000_CDC7EFE8B7534D39BA7896EFF0642E9Aciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/8JsgWOW3t4ZLSl7ykep7TkougA0>
Subject: Re: [netmod] draft-ietf-netmod-syslog-model-23
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Mar 2018 19:52:20 -0000

Bob,

I will add your wording in the next revision.

Thanks,

Clyde

From: Bob Harold <rharolde@umich.edu>
Date: Monday, March 5, 2018 at 11:06 AM
To: Clyde Wildes <cwildes@cisco.com>
Cc: "netmod@ietf.org" <netmod@ietf.org>
Subject: Re: [netmod] draft-ietf-netmod-syslog-model-23


On Fri, Mar 2, 2018 at 5:13 PM, Clyde Wildes (cwildes) <cwildes@cisco.com<mailto:cwildes@cisco.com>> wrote:
Bob,

Syslog message severity is set in RFC 5424 Table 2. The model in draft-ietf-netmod-syslog-model-23 conforms to that specification. A lower number means higher severity.


Thanks.  Can we add "A lower number means higher severity" to make it clear?

In Section "4.1<https://tools.ietf.org/html/draft-ietf-netmod-syslog-model-23#section-4.1>. The ietf-syslog Module"
on page 11, cna we change:

From:


     typedef syslog-severity {

       type enumeration {

         enum "emergency" {

           value 0;

           description



Change to:



     typedef syslog-severity {

       description

         "Note that a lower value is a higher severity.

          Comparisons of equal-or-higher security mean equal or lower numeric value"

       type enumeration {

         enum "emergency" {

           value 0;

           description

--
Bob Harold


The severity-filter specifies that “all messages of the specified severity and greater match” and therefore will be selected. This conforms to the way that many vendors that we evaluated perform syslog message severity match selection.

Juniper Example:
https://www.juniper.net/documentation/en_US/junos12.3/topics/task/configuration/syslog-single-chassis-facility-severity-messages-specifying.html

“Messages from the facility that are rated at that level or higher are logged to the destination”

Linux rsyslogd Example:
http://www.rsyslog.com/doc/v8-stable/configuration/filters.html#selectors

“The behavior of the original BSD syslogd is that all messages of the specified priority and higher are logged according to the given action. Rsyslogd behaves the same…”

Changing the table to match higher severity to higher number means that we would not conform the RFC 5424.

Note: I do see a typo in the description for severity-filter (the word “use” is missing):

else compare message severity with the specified severity
          according to the default compare rule (all messages of the
          specified severity and greater match) or if the
          select-adv-compare feature is present, the advance-compare
          rule.

should be:

else compare message severity with the specified severity
          according to the default compare rule (all messages of the
          specified severity and greater match) or if the
          select-adv-compare feature is present, use the advance-compare
          rule.

Thanks,

Clyde

From: netmod <netmod-bounces@ietf.org<mailto:netmod-bounces@ietf.org>> on behalf of Bob Harold <rharolde@umich.edu<mailto:rharolde@umich.edu>>
Date: Friday, March 2, 2018 at 12:33 PM
To: "netmod@ietf.org<mailto:netmod@ietf.org>" <netmod@ietf.org<mailto:netmod@ietf.org>>
Subject: [netmod] draft-ietf-netmod-syslog-model-23

Sorry for being late to the discussion - just joined this group.

Can we have "higher severity" match "higher number" in the enumerated values, to avoid confusion?

In section 4.1.  The ietf-syslog Module
on Page 11

typedef syslog-severity {

-- should be in the order:
debug=0
emergency=7

because "severity-filter" uses "equals-or-higher" which means "higher severity" but should also mean "higher number" to avoid confusion.
--
Bob Harold