Re: [Syslog] [OPSAWG] Syslog message to Remote Rerver

"ietfdbh" <ietfdbh@comcast.net> Mon, 25 February 2013 06:54 UTC

From: ietfdbh <ietfdbh@comcast.net>
To: "'Aditya Dogra (addogra)'" <addogra@cisco.com>, syslog@ietf.org, opsawg@ietf.org
References: <94383E83699D0F4D9040CEFAE204B40719E2A5@xmb-aln-x11.cisco.com>
In-Reply-To: <94383E83699D0F4D9040CEFAE204B40719E2A5@xmb-aln-x11.cisco.com>
Date: Mon, 25 Feb 2013 01:54:14 -0500
Message-ID: <004301ce1324$ecb29500$c617bf00$@comcast.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0044_01CE12FB.03DF4C20"
Thread-Index: AQFvPKhnBeHB2YGabgDQ3u8+JIZqvJlHx4eA
Content-Language: en-us
Subject: Re: [Syslog] [OPSAWG] Syslog message to Remote Rerver
Precedence: list

From: opsawg-bounces@ietf.org [mailto:opsawg-bounces@ietf.org] On Behalf Of
Aditya Dogra (addogra)
Sent: Thursday, February 21, 2013 11:25 AM
To: syslog@ietf.org; opsawg@ietf.org
Subject: [OPSAWG] Syslog message to Remote Rerver

Hi All ,

Currently syslog messages collected locally on the network device are
transmitted to the remote syslog servers as per RFC 5424 (UDP protocol used
for transmission) and RFC 3195 (TCP protocol used for transmission) 

[dbh>] RFC5424 defines the IETF version of the syslog protocol message
format (not the UDP transport).

RFC5424 RECOMMENDS using a TLS-based transport (RFC5425) rather than a
UDP-based or plain-TCP-based transport for syslog.

If you use a UDP-based transport for interoperability, it should probably
follow RFC5426.

The IETF standard for syslog over UDP (RFC5426) states:

"   Network administrators and architects should be aware of the

   significant reliability and security issues of this transport, which

   stem from the use of UDP."

Note that RFC6587 (plain TCP transport for syslog) is Historic, and contains
an IESG Note:

   The IESG does not recommend implementing or deploying syslog over

   plain tcp, which is described in this document, because it lacks the

   ability to enable strong security [RFC3365].

   Implementation of the TLS transport [RFC5425] is recommended so that

   appropriate security features are available to operators who want to

   deploy secure syslog.  Similarly, those security features can be

   turned off for those who do not want them.

However, we have observed that increasingly, customers are using syslog
messages archived in the remote server for business logic .

[dbh>] If customers are using archived messages, they might want to consider
using signing syslog messages.

       RFC5848, Signed syslog,  describes a mechanism to add origin
authentication,

   message integrity, replay resistance, message sequencing, and

   detection of missing messages to the transmitted syslog messages.

Signed syslog helps ensure integrity of messages both in-transit and in
archived storage.

I think that would be a valuable feature in support of business logic.

David Harrington

ietfdbh@comcast.net

+1-603-828-1401

co-chair, syslog WG

In some networks, it is possible that some of the syslog messages may be
dropped due to link failure or other network conditions. 

However, the customers are expecting much higher resiliency for the syslog
messages. 

The questions we seek clarification are: 

a)         What are the expectations from the external syslog delivery? 

b)         Should we rely on syslog's alone ? Please note that SNMP traps
functionality for network management is also there.?

Your thoughts and suggestions much appreciated. 

Regards,

Aditya dogra

[Syslog] Syslog message to Remote Rerver Aditya Dogra (addogra)
Re: [Syslog] [OPSAWG] Syslog message to Remote Re… ietfdbh
Re: [Syslog] [OPSAWG] Syslog message to Remote Re… Christopher LILJENSTOLPE
Re: [Syslog] [OPSAWG] Syslog message to Remote Re… Aditya Dogra (addogra)
Re: [Syslog] Syslog message to Remote Rerver Rainer Gerhards
Re: [Syslog] [OPSAWG] Syslog message to Remote Re… William Herrin