Re: [Syslog] draft-cloud-log-00 / CEE - why not IPFIX?

Jeroen Massar <jeroen@unfix.org> Wed, 16 February 2011 10:34 UTC

Return-Path: <jeroen@unfix.org>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3FD173A6DD2 for <syslog@core3.amsl.com>; Wed, 16 Feb 2011 02:34:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.996
X-Spam-Level:
X-Spam-Status: No, score=-101.996 tagged_above=-999 required=5 tests=[AWL=0.604, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0cxFejZx3YPJ for <syslog@core3.amsl.com>; Wed, 16 Feb 2011 02:34:27 -0800 (PST)
Received: from abaddon.unfix.org (abaddon.unfix.org [62.220.146.203]) by core3.amsl.com (Postfix) with ESMTP id D289D3A6B59 for <syslog@ietf.org>; Wed, 16 Feb 2011 02:34:26 -0800 (PST)
Received: from [IPv6:2001:41e0:ff42:99:222:cfff:fe31:ce41] (spaghetti.ch.unfix.org [IPv6:2001:41e0:ff42:99:222:cfff:fe31:ce41]) (using SSLv3 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: jeroen) by abaddon.unfix.org (Postfix) with ESMTPSA id 48ECB20B3E; Wed, 16 Feb 2011 11:34:19 +0100 (CET)
Message-ID: <4D5BA85B.7040007@unfix.org>
Date: Wed, 16 Feb 2011 11:35:07 +0100
From: Jeroen Massar <jeroen@unfix.org>
Organization: Unfix
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: "Heinbockel, Bill" <heinbockel@mitre.org>
References: <4D5A60C8.3090000@unfix.org> <93ED0A84F9A1D74FA65021D940AA588405446C41F9@IMCMBX3.MITRE.ORG>
In-Reply-To: <93ED0A84F9A1D74FA65021D940AA588405446C41F9@IMCMBX3.MITRE.ORG>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: Sam Johnston <sj@google.com>, cee@mitre.org, syslog@ietf.org
Subject: Re: [Syslog] draft-cloud-log-00 / CEE - why not IPFIX?
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Feb 2011 10:34:28 -0000

On 2011-02-16 06:21, Heinbockel, Bill wrote:
> From what I understand, IPFIX is for expression of IP flows from network sensing
> devices.

For a short bit forget about the history of IPFIX, it indeed comes from
NetFlow, and thus is used quite in a network centric way, but
effectively it is a structured streaming data format.

> Could you please explain how IPFIX is relevant to event and cloud logging data?
> I understand how CEE and IPFIX may overlap for describing networking events, but
> it is unclear to me how IPFIX could handle things like Windows Event Logs and
> RHEL audit logs.

There are two parts to IPFIX: Templates + Data

The template describes how the data looks like, for instance, lets take
an Apache CLF log entry:

66.249.66.174 - - [16/Feb/2011:10:48:11 +0100] "GET /robots.txt
HTTP/1.1" 200 2629 "-" "Googlebot-Image/0"

We can make an IPFIX template for that

[
	{4, IPv4_SRC },
	{4, TIMESTAMP},
	{4, HTTP_METHOD},
	{v, URL},
	{v, HTTP_PROTOCOL},
	{2, HTTP_RESULT},
	{8, OCTETS},
	{v, HTTP_REFER},
	{v, HTTP_USERAGENT},
]

The 'v' markers indicate variable fieldlengths, the others indicates the
number of bytes such a field takes. The data is then just encoded in the
above format, presto.

The above is a simple example, one can also have repeating lists and of
course you could make a variable template which just includes the fields
that you actually want to look at or you could already do some
aggregation and add other fields. Templates are only sent every now and
then, as they should not change. The data is the important bit.

The fieldnames are actually numbers in the data, thus very compact, and
are mapped to descriptions, data types etc, per a nice XML file
 http://www.iana.org/assignments/ipfix/ipfix.xml (or .xhtml or .txt for
a more human readable version ;) for the official IANA list and with the
help of Enterprise IDs any others can easily be added.

The big advantage is that you can more or less do static templates if
you want and you only need one single parser on the collector side, thus
one does not have to create another parser and collector again for
decoding other protocols, just one, the IPFIX one, and you can optimize
that really well for all kinds of scenarios.

Greets,
 Jeroen