Re: [netmod] draft-ietf-netmod-syslog-model-23

"Clyde Wildes (cwildes)" <> Fri, 02 March 2018 22:13 UTC

From: "Clyde Wildes (cwildes)" <>
To: Bob Harold <>, "" <>
Date: Fri, 2 Mar 2018 22:13:29 +0000
Subject: Re: [netmod] draft-ietf-netmod-syslog-model-23


Syslog message severity is set in RFC 5424 Table 2. The model in draft-ietf-netmod-syslog-model-23 conforms to that specification. A lower number means higher severity.

The severity-filter specifies that “all messages of the specified severity and greater match” and therefore will be selected. This conforms to the way that many vendors that we evaluated perform syslog message severity match selection.

Juniper Example:

“Messages from the facility that are rated at that level or higher are logged to the destination”

Linux rsyslogd Example:

“The behavior of the original BSD syslogd is that all messages of the specified priority and higher are logged according to the given action. Rsyslogd behaves the same…”

Changing the table to match higher severity to higher number means that we would not conform to RFC 5424.

Note: I do see a typo in the description for severity-filter (the word “use” is missing):

else compare message severity with the specified severity
          according to the default compare rule (all messages of the
          specified severity and greater match) or if the
          select-adv-compare feature is present, the advance-compare

should be:

else compare message severity with the specified severity
          according to the default compare rule (all messages of the
          specified severity and greater match) or if the
          select-adv-compare feature is present, use the advance-compare



From: netmod <> on behalf of Bob Harold <>
Date: Friday, March 2, 2018 at 12:33 PM
To: "" <>
Subject: [netmod] draft-ietf-netmod-syslog-model-23

Sorry for being late to the discussion - just joined this group.

Can we have "higher severity" match "higher number" in the enumerated values, to avoid confusion?

In section 4.1.  The ietf-syslog Module
on Page 11

typedef syslog-severity {

-- should be in the order:

because "severity-filter" uses "equals-or-higher" which means "higher severity" but should also mean "higher number" to avoid confusion.
Bob Harold
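
The comparison discussed in this thread, as an added example that is not part of either message or of the draft: it decodes the RFC 5424 PRI field and applies the "specified severity and greater match" rule, next to the "higher number" misreading, to show which messages each one selects. The function names and the sample messages are constructed for illustration.

```python
import re

# RFC 5424 Table 2: numerical code -> severity (0 is the most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Return (facility, severity) decoded from the leading <PRI> field."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI field")
    pri = int(m.group(1))
    if pri > 191:  # facility 23 * 8 + severity 7 is the largest valid PRI
        raise ValueError("PRI out of range")
    return divmod(pri, 8)  # PRI = facility * 8 + severity


def matches(line, threshold):
    """Default compare rule: the specified severity and greater match.
    Greater severity means a numerically lower (or equal) code."""
    return parse_pri(line)[1] <= SEVERITIES.index(threshold)


def matches_misread(line, threshold):
    """The misreading: 'higher severity' taken as 'higher number'."""
    return parse_pri(line)[1] >= SEVERITIES.index(threshold)


def select(lines, threshold, rule=matches):
    """Names of the severities of the messages that the rule selects."""
    return [SEVERITIES[parse_pri(l)[1]] for l in lines if rule(l, threshold)]


# Constructed sample messages, all facility 4 (security/authorization).
SAMPLE = [
    "<32>1 2018-03-02T22:13:29Z host1 authd - - - credential store unavailable",
    "<35>1 2018-03-02T22:13:30Z host1 authd - - - login failed for admin",
    "<36>1 2018-03-02T22:13:31Z host1 authd - - - password expires soon",
    "<38>1 2018-03-02T22:13:32Z host1 authd - - - session opened",
    "<39>1 2018-03-02T22:13:33Z host1 authd - - - pam stack trace",
]

if __name__ == "__main__":
    print("severity and greater:", select(SAMPLE, "error"))
    print("misread as number:   ", select(SAMPLE, "error", matches_misread))
```

With an `error` filter the misreading drops the emergency message and keeps everything down to debug, which is the opposite of what the filter is meant to collect.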