Re: [Syslog] syslog WG Rechartering Discussion
Balazs Scheidler <bazsi@balabit.hu> Mon, 08 June 2009 16:21 UTC
Return-Path: <bazsi@balabit.hu>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C395C3A6A14 for <syslog@core3.amsl.com>; Mon, 8 Jun 2009 09:21:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.004
X-Spam-Level:
X-Spam-Status: No, score=-0.004 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_HU=1.35, HOST_EQ_HU=1.245]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o12M66KJ8xVp for <syslog@core3.amsl.com>; Mon, 8 Jun 2009 09:21:48 -0700 (PDT)
Received: from lists.balabit.hu (support.balabit.hu [195.70.41.86]) by core3.amsl.com (Postfix) with ESMTP id 7FBBC3A68E5 for <syslog@ietf.org>; Mon, 8 Jun 2009 09:21:47 -0700 (PDT)
Received: from balabit.hu (unknown [10.80.0.254]) by lists.balabit.hu (Postfix) with ESMTP id 4DFC713A1FD for <syslog@ietf.org>; Mon, 8 Jun 2009 18:21:50 +0200 (CEST)
From: Balazs Scheidler <bazsi@balabit.hu>
To: Chris Lonvick <clonvick@cisco.com>
In-Reply-To: <Pine.GSO.4.63.0906011254040.13437@sjc-cde-011.cisco.com>
References: <Pine.GSO.4.63.0906011254040.13437@sjc-cde-011.cisco.com>
Content-Type: text/plain
Date: Mon, 08 Jun 2009 14:10:17 +0000
Message-Id: <1244470217.5465.70.camel@bzorp.balabit>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Cc: syslog@ietf.org
Subject: Re: [Syslog] syslog WG Rechartering Discussion
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jun 2009 16:21:49 -0000
On Mon, 2009-06-01 at 13:02 -0700, Chris Lonvick wrote: > Hi Folks, > > David and I are going to open the discussion about rechartering. Below > are some ideas that we've seen on the list that may fit into a charter for > a new syslog Working Group. These seem to fit better in the Operations > and Management Area than in the Security Area so we are asking the ADs to > move the WG to there when we do recharter. > > We'd like to get the discussion started now on this mailing list and have > a WG meeting in Stockholm to discuss rechartering issues. We hope that by > having a real meeting, we can draw in more OPS people who are willing to > work on these items, and/or to craft additional goals for syslog. > > Please send your comments in about this and help move syslog forward. > > > > Fundamentals > - Documenting how a syslog relay is supposed to work. RFC3164 says that a > relay MAY change the header information in a syslog message. This needs > to be reexamined since syslog-sign mandates that no changes are allowed > in the whole syslog message between the sender and the device that > validates the detached signatures. there are other relay specific discrepancies, like how Structured Data is supposed to work in relaying scenarios. For example sequenceId is hop-by-hop or end-to-end. And what if the relay drops some messages because of filtering? > - A DHC option for a syslog receiver. Write an ID that standardizes how > DHCP should specify a syslog server and associated transport (udp, tls, > beep) in a URI format. > - The OpSec WG was planning to develop a draft about log event taxonomy > (what to log). This work should be compared to the syslog-alarm draft > from Sharon and Rainer, which defines categories for the alarm that are > fairly consistent with the ALARM-MIB and ITU alarm categories. There is > also CEE work that is also trying to define catagories of what to log. > > > Architecture > - An informational document that describes how each of the header fields > should be used. The technical information is in RFC 5424 but could use > some further explanation. > - Possibly combined with the previous topic, a "practical usage guide" > would be a good document for implementors and coders. > - A relook at the PRI values. There are currently 7 Severity levels and > 21 Facilities. The Facilities are ill-defined and out of date. The > information there could be better described in SDEs. We kept the > historical PRI values so that we would have a smooth(er) transition from > historical syslog to the IETF standard syslog. That has worked as > current syslog receivers do receive syslog messages in the new format. The key here is probably a process to define new facility codes by IANA If there's a process, it does not really matter if it uses numeric codes (e.g. the current PRI field), or textual (perhaps in an SDE). > > > Transport > - Documenting a TCP transport for syslog. There are many implementations > in the wild right now with two major variants. The problem between them > is the delimiter; prevalently a CR (I believe) is used to separate > multiple messages within a single TCP packet. The minor-use > implementation does not have a delimiter and just assumes one message > per packet. This will be relatively easy to straighten out. > - Finish syslog-transport-dtls. There are two individual submissions > which may be combined and moved into the WG. > - We should do something with syslog/BEEP. Should we declare the current > syslog/BEEP historic? and/or should we start an effort to publish an > update? Application layer acks is present in the BEEP transport, but the message formatting is ancient (basically the same as RFC3164, e.g. without year, timezone, etc). I guess a BEEP transport with an updated message format would be interesting. Also, on-the-line compression support is requested by a lot of people. > > > Ancillary > - There are other documents in the OPSAWG which might be better reviewed > in the new syslog WG, if they have not already completed reviews > elsewhere: > - Alarms in SYSLOG > - Mapping Simple Network Management Protocol (SNMP) Notifications to > SYSLOG Messages > - Definitions of Managed Objects for Mapping SYSLOG Messages to Simple > Network Management Protocol (SNMP) Notifications > - It would be good to encourage other groups to bring drafts of Structured > Data implementations to Syslog WG for review. These would likely not be > Syslog WG documents but the documents would benefit from being reviewed > by the Syslog WG. > - draft-fan-syslog-sending-policy-01 (Syslog Discard Messages) create > SDEs to report that a series of messages have been dropped by a > sender. This document defines special syslog messages called > Discard messages for carrying logs loss statistics which indicate > how many logs (in terms of facility level or/and severity level) > were discarded by the syslog sender before they had a chance to hit > the wire connected to the syslog receiver during a particular period > in an extreme case. The statistics information Disard messages > convey is of interest to syslog receivers and helpful for later on > audit. > - draft-dulaunoy-syslog-geolocation-00 proposes adding geographic meta > information to syslog messages. This might be done using SDEs > - In an earlier version of netconf, there was work to correlate between > the information models of alarms from different NM interfaces. Part of > the purpose was to ease correlation of event reports for the same event > via different NM interfaces. > - Benoit Claise proposed making ipfix a general purpose reporting > protocol. Such a protocol might replace or supplement syslog. There > may be benefit to utilizing ipfix for carrying syslog information, so > there might be benefit to defining a way to convert syslog content into > ipfix formats, or to modify ipfix PDUs to carry syslog formats (both the > human-readable message part and the SDEs). This was a brand new > proposal at IETF 74, so has not had much discussion yet. We can discuss > this to see if there would be interest in such a direction. -- Bazsi
- [Syslog] syslog WG Rechartering Discussion Chris Lonvick
- Re: [Syslog] syslog WG Rechartering Discussion Juergen Schoenwaelder
- Re: [Syslog] syslog WG Rechartering Discussion fenghongyan
- Re: [Syslog] syslog WG Rechartering Discussion Balazs Scheidler
- Re: [Syslog] syslog WG Rechartering Discussion tom.petch
- Re: [Syslog] syslog WG Rechartering Discussion Glenn M. Keeni