Re: [Syslog] Syslog message to Remote Server
Rainer Gerhards <rgerhards@hq.adiscon.com> Tue, 26 February 2013 10:34 UTC
To: "Aditya Dogra (addogra)" <addogra@cisco.com>
Cc: "syslog@ietf.org" <syslog@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>

sorry for the late reply, have been off to a conference...

On Thu, 2013-02-21 at 16:25 +0000, Aditya Dogra (addogra) wrote:
> Currently syslog messages collected locally on the network device are
> transmitted to the remote syslog servers as per RFC 5424 (UDP protocol
> used for transmission)

RFC5424 does NOT specify UDP transport. In fact, it does not specify any transport at all, it just describes the format and the stack. Transport mappings are done in

RFC5425 - TLS (TCP), the recommended protocol
RFC5426 - UDP

there is also historic RFC6587 on industry standard plain tcp, but this is just for interoperating with legacy systems, not for new implementation. It is strongly discouraged to use that in new systems.

> and RFC 3195 (TCP protocol used for transmission)

RFC3195 is a bit dated and would need to be changed to base on RFC5424. This has not yet been done as there was no notable implementation of RFC3195.

> However, we have observed that increasingly, customers are using
> syslog messages archived in the remote server for business logic.
>
> In some networks, it is possible that some of the syslog messages may
> be dropped due to link failure or other network conditions.
>
> However, the customers are expecting much higher resiliency for the
> syslog messages.
>
> The questions we seek clarification are:
>
> a) What are the expectations from the external syslog
> delivery?

There is a very small window of exposure, see section 5.3 of RFC5425. I also wrote a somewhat more elaborate blog post on this problem, which may be useful for you:

http://blog.gerhards.net/2008/04/on-unreliability-of-plain-tcp-syslog.html

> b) Should we rely on syslog's alone ? Please note that SNMP
> traps functionality for network management is also there.?

that's something that you need to answer based on your use cases and requirements.

As far as my personal experience goes, the loss potential is very slim, and lots of our customers use the RFC protocols to do biz critical things. Some use other protocols in addition.

side-note: modern-day syslogd implementations do not rely on the syslog protocol alone. They accept input from a wide variety of sources, including SNMP.

HTH
Rainer
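
Added example, not part of the original message: the split between the RFC 5424 message format and the RFC 5425 stream framing (MSG-LEN SP SYSLOG-MSG) that carries it over TLS, with a receiver-side deframer that copes with short reads. The function and class names, the sample host and application names, and the 8192-octet limit are assumptions made for this sketch.

```python
# Added example (not from the original message); names are illustrative.
from datetime import datetime, timezone

def build_msg(facility, severity, host, app, text, ts=None):
    """RFC 5424 message: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    ts = (ts or datetime.now(timezone.utc)).astimezone(timezone.utc)
    pri = facility * 8 + severity
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    # "-" is the NILVALUE used here for PROCID, MSGID and STRUCTURED-DATA
    return f"<{pri}>1 {stamp} {host} {app} - - - {text}".encode("utf-8")

def frame(msg):
    """RFC 5425 framing: MSG-LEN SP SYSLOG-MSG, MSG-LEN counted in octets."""
    return str(len(msg)).encode("ascii") + b" " + msg

class Deframer:
    """Reassembles RFC 5425 frames from arbitrary stream read chunks."""
    MAX_LEN = 8192  # assumed receiver limit, chosen for this example

    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        self.buf += chunk
        out = []
        while True:
            head, sep, rest = self.buf.partition(b" ")
            if not sep:  # length prefix not complete yet
                if head and (not head.isdigit() or len(head) > len(str(self.MAX_LEN))):
                    raise ValueError("bad MSG-LEN")
                return out
            if not head.isdigit() or head.startswith(b"0") or int(head) > self.MAX_LEN:
                raise ValueError("bad MSG-LEN")
            n = int(head)
            if len(rest) < n:  # partial frame: wait for more octets
                return out
            out.append(rest[:n])
            self.buf = rest[n:]

if __name__ == "__main__":
    ts = datetime(2013, 2, 26, 10, 34, 47, tzinfo=timezone.utc)  # constructed sample
    stream = frame(build_msg(16, 6, "router1", "ifmgr", "link down\nport 3", ts)) \
        + frame(build_msg(16, 4, "router1", "ifmgr", "link up", ts))
    d = Deframer()
    for i in range(0, len(stream), 7):  # simulate short TCP reads
        for m in d.feed(stream[i:i + 7]):
            print(m)
```

Over UDP (RFC 5426) the same `build_msg` output is sent as one datagram with no length prefix; the framing applies only to the stream transport.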