[sip-clf] A primer on syslog.
"David Harrington" <ietfdbh@comcast.net> Wed, 03 February 2010 19:49 UTC
Return-Path: <ietfdbh@comcast.net>
X-Original-To: sip-clf@core3.amsl.com
Delivered-To: sip-clf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EA61B28C104 for <sip-clf@core3.amsl.com>; Wed, 3 Feb 2010 11:49:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4LzhMve8WVOZ for <sip-clf@core3.amsl.com>; Wed, 3 Feb 2010 11:49:25 -0800 (PST)
Received: from qmta05.westchester.pa.mail.comcast.net (qmta05.westchester.pa.mail.comcast.net [76.96.62.48]) by core3.amsl.com (Postfix) with ESMTP id 1C6703A67B4 for <sip-clf@ietf.org>; Wed, 3 Feb 2010 11:49:25 -0800 (PST)
Received: from omta12.westchester.pa.mail.comcast.net ([76.96.62.44]) by qmta05.westchester.pa.mail.comcast.net with comcast id dQ2S1d0070xGWP855XpPad; Wed, 03 Feb 2010 19:49:23 +0000
Received: from Harrington73653 ([24.147.240.98]) by omta12.westchester.pa.mail.comcast.net with comcast id dXq81d00h284sdk3YXq8ui; Wed, 03 Feb 2010 19:50:09 +0000
From: David Harrington <ietfdbh@comcast.net>
To: 'Spencer Dawkins' <spencer@wonderhamster.org>, "'Vijay K. Gurbani'" <vkg@alcatel-lucent.com>, sip-clf@ietf.org
References: <7505A2C58D8F4FD88B47D10EA74649CD@china.huawei.com><00ce01caa41e$fe5a5ef0$0600a8c0@china.huawei.com> <4B68920B.5090908@alcatel-lucent.com> <81F3AF977ADD49E7A883F138ECCC71D0@china.huawei.com> <01eb01caa4ec$0fbe0930$0600a8c0@china.huawei.com> <DCBC0046E3434E519A2E9EDB4071C7B6@china.huawei.com>
Date: Wed, 03 Feb 2010 14:50:07 -0500
Message-ID: <023501caa50a$16943c70$0600a8c0@china.huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <DCBC0046E3434E519A2E9EDB4071C7B6@china.huawei.com>
Thread-Index: Acqk8HGw9hmy+vMRTBW+9/JjIJoFBgADdXdw
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Subject: [sip-clf] A primer on syslog.
X-BeenThere: sip-clf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Common Log File format discussion list <sip-clf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip-clf>
List-Post: <mailto:sip-clf@ietf.org>
List-Help: <mailto:sip-clf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip-clf>, <mailto:sip-clf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Feb 2010 19:49:27 -0000
Hi, For those unacquainted with syslog, let me try to summarize how it works. I will focus on the forwarding and filtering and security mechanisms, since I think those will be important considerations for SIP logging. Rainer is the guy I go to when I have a question about syslog. He has answered Vijay's concern in considerable detail in another email. I don't personally deploy syslog, so Rainer can feel free to correct anything I get wrong. ;-) I will recommend looking at the wikipedia entry, which has a summary of its history and usage, but some factual details about the protocol are about the limitations of BSD syslog, rather than the IETF standard syslog. As technical advisor, I recommend the IETF standard syslog because it overcomes many of the limitations and interoperability issues with BSD syslog. The wikipedia entry mentions some work that is being done, work that relates to anomaly detection and security management systems. The IETF has worked at standardizing syslog across operating systems, and focused mainly on standardizing aspects of syslog that impacted security and filtering and correlation (such as standardizing the header, and more detailed info about the source and time of the messages). ---- The forwarding mechanism ---- Syslog allows log information for both kernel processes and user processes to be forwarded to a file, a set of users, or another node in a network. IETF syslog provides support for UDP, TLS, and (soon) DTLS. It is designed to allow additional transports to be defined, so could also be used in non-IP environments, I suppose. This flexibility in the forwarding rules allows syslog to concentrate on collecting data and putting it where the operator wants it so other applications can focus on sorting, filtering, and alerting on the contents. Forwarding to a collector elsewhere in the network can help prevent attackers from modifying the local logs to cover their tracks, and allows a centralized location for operators and tools to do log analysis rather than having to go to each device to look at the logs. But you can also store it locally if you want. ---- The filtering mechanism ---- syslog messages start with a <priority> byte that is calculated from two factors - the facility that generated the message and the severity of the message. This is the primary mechanism for sorting messages that are logged. Facilities define the source of a syslog message. There are 23 different facilities defined for use in the <priority field>, ranging from "kernel" to system daemons to mail to security to local applications. A SIP application would use one of the "local" facilities to log messages. If there are multiple SIP applications, they might use different "local" facilities to generate separate logging streams for forwarding purposes, but whether this is done depends on the implementations and operator configurations. Additional header fields and the SDE feature of IETF syslog allow much finer filtering during log analysis. There are 7 levels of severity ranging from emergency to critical to informational to debug messages. The IETF standard syslog severities can be aligned with the ITU-T values of perceived severity (M.2100, X.733, X.736), and with the SNMP values defined in the ALARM-MIB. This helps operators correlate events reported by different applications or by different mechanisms. syslog.conf is the normal mechanism for configuring what to log and how to distribute it. The filtering/forwarding instructions look something like this: mail.info /var/log/maillog -- send all informational mail-related messages to the file /var/log/maillog cron.* /var/log/cron -- send all messages from cron, regardless of severity to the file /var/log/cron security.* @loghost.netlab.lander.edu -- send all security related messages, regardless of severity to a remote system (loghost.netlab.lander.edu) *.notice root -- send all notices, regardless of source, to the root user, if root is logged on. and so on. These are all configured administratively. Operators are usually very acquainted with syslog as a tool. ---- Post logging analysis ---- Other header values can also be used for analyzing logs, including timestamp, hostname, application name, process ID, etc. Filtering based on header values has been in wide use for a long time, although the header format for different syslog implementations vary widely. IETF syslog standardizes the order and format of header fields, but still keeps roughly the same historic header fields. There are many tools available for syslog log analysis. The Structured Data Elements provide even more capability. This is only available in the IETF standard syslog. My earlier message pointed out some of the already-standardized SDEs defined by the WG that can be used to filter log entries. Hope this helps, dbh > -----Original Message----- > From: Spencer Dawkins [mailto:spencer@wonderhamster.org] > Sent: Wednesday, February 03, 2010 11:46 AM > To: David Harrington; 'Vijay K. Gurbani'; sip-clf@ietf.org > Subject: Re: [sip-clf] WGLC: SIPCLF > ProblemStatement(draft-gurbani-sipclf-problem-statement-01) > > Hi, Dave, > > <as-co-chair> > > Thanks for clarifying your role - it's helpful. > > </as-co-chair> > > <as-participant> > > On one specific point: > > > > As I read the problem-statement-01, my > > impression is syslog and/or ipfix might fit well to meet certain > > goals, however, it is highly possible that syslog and ipfix > are WRONG > > to solve the sipclf problem. > > > > As Technical Advisor - not as technical contributor - I > recommend that > > the WG consider syslog and ipfix seriously. My advice as Technical > > Advisor is to do a real analysis about the applicability of existing > > standards like syslog and ipfix to the various sip clf use > cases. This > > should not be just a cursory analysis; we spent probably > less than one > > minute talking about syslog at the last IETF meeting. > > I think the discussion lasted longer than a minute, but I > suspect the longer > time I'm remembering included people walking to the mike :D > > So, my understanding of the pushback on SYSLOG in Hiroshima - > and I think > this is what Vijay was saying in his followup - was that > SYSLOG entries > become really important when Bad Things Happen(TM), and > people weren't sure > that producing a lot of SIPCLF SYSLOG entries, which might even be > message-by-message for a large SIP proxy, that you needed to > prune through > in order to find more "interesting" SYSLOG entries like "file > system full", > was the right thing to do. > > Since you are a smart guy about SYSLOG - is this a realistic > concern for us > to have? and, if the answer is "yes", does modern SYSLOG with > structured > data elements provide a way to either (1) quickly separate > the SIPCLF SYSLOG > entries from other "oh, no" SYSLOG entries, or (2) send > SIPCLF log entries > using the same protocol to two different destinations, one > potentially > containing massive amounts of SIPCLF log entries, and the > other containing > "everything else"? > > I would really like to use one of the existing management > frameworks (still > speaking as a participant here), IFF it's the right thing to do. > > </as-participant> > > Thanks, > > Spencer > >
- [sip-clf] WGLC: SIPCLF Problem Statement (draft-g… Spencer Dawkins
- Re: [sip-clf] WGLC: SIPCLF Problem Statement(draf… Spencer Dawkins
- Re: [sip-clf] WGLC: SIPCLF Problem Statement(draf… Elwell, John
- Re: [sip-clf] WGLC: SIPCLF ProblemStatement(draft… Spencer Dawkins
- Re: [sip-clf] WGLC: SIPCLF ProblemStatement(draft… Eric Burger
- Re: [sip-clf] WGLC: SIPCLF Problem Statement(draf… David Harrington
- Re: [sip-clf] WGLC: SIPCLF Problem Statement(draf… Spencer Dawkins
- Re: [sip-clf] WGLC: SIPCLF Problem Statement(draf… Vijay K. Gurbani
- Re: [sip-clf] WGLC: SIPCLF ProblemStatement(draft… Spencer Dawkins
- Re: [sip-clf] WGLC: SIPCLF ProblemStatement(draft… Romascanu, Dan (Dan)
- Re: [sip-clf] WGLC: SIPCLF ProblemStatement(draft… David Harrington
- Re: [sip-clf] WGLC: SIPCLF ProblemStatement(draft… Spencer Dawkins
- Re: [sip-clf] WGLC: SIPCLFProblemStatement(draft-… Rainer Gerhards
- [sip-clf] A primer on syslog. David Harrington
- Re: [sip-clf] A primer on syslog. Rainer Gerhards
- Re: [sip-clf] A primer on syslog. Spencer Dawkins
- Re: [sip-clf] A primer on syslog. Cullen Jennings
- [sip-clf] WGLC: SIPCLF Problem Statement (draft-g… Cullen Jennings
- Re: [sip-clf] WGLC: SIPCLF Problem Statement(draf… Rainer Gerhards
- Re: [sip-clf] A primer on syslog. Rainer Gerhards
- Re: [sip-clf] WGLC: SIPCLF Problem Statement(draf… Benoit Claise
- Re: [sip-clf] WGLC: SIPCLF Problem Statement (dra… Vijay K. Gurbani
- Re: [sip-clf] WGLC: SIPCLF Problem Statement (dra… Hadriel Kaplan
- Re: [sip-clf] WGLC: SIPCLF Problem Statement (dra… Vijay K. Gurbani