Syslog Working Group                               Glenn Mansfield Keeni
INTERNET-DRAFT                                      Cyber Solutions Inc.
Expires: August 15, 2005                                         B. Pape
                                                      Enterasys Networks
                                                       February 16, 2005



                   Syslog Management Information Base
                 <draft-ietf-syslog-device-mib-06.txt>

Status of this Memo


   By submitting this Internet-Draft, we certify that any applicable
   patent or other IPR claims of which we are aware have been disclosed,
   or will be disclosed, and any of which we become aware will be
   disclosed, in accordance with RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This document is a product of the syslog Working Group. Comments
   should be addressed to the authors or the mailing list at
   syslog-sec@employees.org

   This Internet-Draft will expire on August 15, 2005.

Copyright Notice

   Copyright (C) The Internet Society (2005).  All Rights Reserved.








Expires: August 15, 2005                                        [Page 1]


Internet Draft                                         February 16, 2005


Abstract

   This memo provides a MIB module that can be used to monitor and
   manage syslog processes. It defines objects that allow the collection
   of information related to syslog processes; it also defines objects
   that can be used to monitor and/or control syslog processes.




Table of Contents

        1. The Internet-Standard Management Framework
        2. Overview
        3. The MIB Design
        4. The Syslog MIB
        5. Security Considerations
        6. IANA Considerations
        7. References
        8. Acknowledgments
        9. Authors Address
       10. Full Copyright Statement
       Appendix: History of Changes

1. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).

   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

2. Overview

2.1 The syslog process model

   Operating systems, processes and applications generate messages
   indicating their own status or the occurrence of events. These
   messages are useful for managing and/or debugging the network and its
   services. The BSD Syslog protocol is a widely adopted protocol that
   is used for transmission and processing of the messages.
   Essentially, a syslog process receives messages (from the kernel,
   processes, applications or other syslog processes) and processes
   those. The processing involves logging to a local file, displaying on
   console, user terminal, and/or relaying to syslog processes on other
   machines. The processing is determined by the "facility" that
   originated the message and the "severity" assigned to the message by
   the facility.

   This document defines a generic MIB that may be used to monitor and
   control one or more syslog processes running on a system.

   The syslogMIB will be used in conjunction with other MIBs - in
   particular the Host Resources MIB and the script MIB. The generic
   process related matters e.g. process control, status, resource usage
   etc. will be serviced by the corresponding entries in the Host
   Resources MIB. The configuration of the syslog process is not
   directly supported. The configuration process can be serviced by an
   implementation of a script MIB in which the configuration file is
   treated as the script which is interpreted by the syslog process.

                                    /
                          +------+ /
                          | SP-1 |------> SP-R1
                         /+------+ \
        Facility-1-->|  /
                  -->| /  +------+ /
        Facility-N-->|+---| SP-2 |------> SP-R2
                  -->| \  +------+ \
      SyslogHost-N-->|  \
                         \+------+ /
                          | SP-N |------> SP-RN
                          +------+ \
                                    \

             Facility: Facility originating the message (locally)
           SyslogHost: Remote SyslogHost relaying a message
                   SP: Syslog Process


                   Fig.1 Syslog Process Model

   The syslog process modelled by the MIB is shown in Fig.1. One or more
   syslog processes running on a system receive syslog messages from the
   local facilities and from other syslog processes on other hosts. The
   syslog process receives the message and processes it depending on the
   processing mandated for the facility and severity of the message in
   its local message-process configuration table.
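
   The facility and severity that drive this processing are carried in
   the PRI part of a BSD syslog message (RFC 3164: PRI = facility * 8 +
   severity). The following is an added example, not part of the draft:
   it decodes PRI into the SyslogFacility and SyslogSeverity labels
   enumerated in section 4 and falls back to configured defaults when no
   valid PRI is present. The function name, the default arguments
   (user/notice, the RFC 3164 relay default) and the sample messages are
   assumptions; 1024 is the DEFVAL of syslogMaxMessageSize.

```python
import re

# Labels exactly as enumerated by the draft's SyslogFacility convention.
# Code 15 (clock daemon in RFC 3164 Table 1) has no label in the draft.
FACILITY = {
    0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authPriv", 11: "ftp",
    12: "ntp", 13: "security", 14: "console",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
    99: "noMap",
}

# Labels as enumerated by the draft's SyslogSeverity convention.
SEVERITY = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "info", 7: "debug", 99: "other",
}

# "<" + one to three digits + ">" at the very start of the message.
PRI_RE = re.compile(rb"^<(\d{1,3})>")
MAX_PRI = 23 * 8 + 7  # 191, the largest PRI that RFC 3164 can express


def effective_priority(raw, default_facility=1, default_severity=5,
                       max_size=1024):
    """Return the facility/severity a syslog process would act on.

    raw is the message as received (bytes). When the PRI part is missing
    or out of range, the configured defaults are used instead, which is
    the role of syslogDefaultFacility and syslogDefaultSeverity.
    """
    match = PRI_RE.match(raw)
    had_pri = bool(match) and int(match.group(1)) <= MAX_PRI
    if had_pri:
        facility, severity = divmod(int(match.group(1)), 8)
    else:
        facility, severity = default_facility, default_severity
    return {
        "had_pri": had_pri,
        "facility": facility,
        "facility_label": FACILITY.get(facility),  # None when unlabelled
        "severity": severity,
        "severity_label": SEVERITY.get(severity),
        "oversize": len(raw) > max_size,  # exceeds syslogMaxMessageSize
    }


# Constructed sample messages (not captured traffic).
SAMPLES = [
    b"<38>Feb 16 10:00:00 host1 sshd[412]: constructed sample",
    b"<125>Feb 16 10:00:01 host1 clockd: constructed sample",
    b"message without any priority part",
    b"<999>priority value out of range",
    b"<14>" + b"A" * 1100,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[:40], effective_priority(sample))
```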

2.2 Terminology.
   The terminology used in this document is consistent with the
   definitions used in The BSD Syslog Protocol specification [RFC3164].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14, RFC 2119 [RFC2119].

3. The MIB Design.

   The purpose of the SyslogMIB is to allow monitoring and control of
   the syslog process(es) on a system. This requires MOs representing

   o  Statistics on messages received, processed locally, and relayed.
   o  Syslog system wide parameters that are available to all syslog
      processes.
   o  Syslog run time parameters for each syslog process e.g.
            - maximum message size,
            - sockets and/or type of transport, port numbers on which
              the process will listen for messages, etc.

   The SYSLOG-MIB uses the textual conventions defined in the INET-
   ADDRESS-MIB [RFC3291bis].


   The MIB comprises four groups:
   o  The syslogSystem group handles the system wide parameters
      that apply to all the syslog processes served by the
      SNMP agent.
   o  The syslog process group consisting of the
      - syslogStatsTable which deals with statistical information about
        the syslog processes.
      - syslogParamsTable for monitoring and controlling syslog
        processes. It contains MOs representing the run-time parameters
        of the syslog processes.
   o  The conformance group that defines the compliance statements.
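
   The statistics columns are most useful as per-interval differences
   between two polls. The following is an added example, not part of the
   draft: it compares two snapshots of syslogProcTable rows (section 4),
   handles Counter32 wrap, treats a changed syslogProcStartTime as a
   counter restart, and reports conditions that indicate lost or refused
   log messages. The function names, the 5% ill-formed threshold and the
   snapshot values are assumptions constructed for illustration; how the
   snapshots are fetched over SNMP is out of scope.

```python
COUNTER32_MOD = 2 ** 32  # a Counter32 wraps from 2**32 - 1 back to 0

# Counter32 columns of syslogProcEntry, in the order the draft lists them.
COUNTERS = (
    "syslogProcMsgsReceived", "syslogProcMsgsRelayed", "syslogProcMsgsDropped",
    "syslogProcMsgsIllFormed", "syslogProcMsgsIgnored", "syslogProcMsgsRejected",
)


def counter32_delta(old, new):
    """Increase between two samples of a Counter32, tolerating one wrap."""
    return (new - old) % COUNTER32_MOD


def analyse_row(prev, curr, illformed_ratio_alarm=0.05):
    """Compare two polls of one syslogProcEntry row.

    Returns (deltas, findings); each finding is a "tag: detail" string.
    """
    if curr["syslogProcStartTime"] != prev["syslogProcStartTime"]:
        # The process was restarted, so its counters started over and
        # differences against the old poll would be meaningless.
        return {}, ["restarted: counters restarted, take a new baseline"]

    deltas = {name: counter32_delta(prev[name], curr[name]) for name in COUNTERS}
    received = deltas["syslogProcMsgsReceived"]
    findings = []

    same_rx_time = (curr["syslogProcLastMsgRecdTime"]
                    == prev["syslogProcLastMsgRecdTime"])
    if received == 0 and same_rx_time:
        findings.append("silent: no message received during the interval")
    dropped = deltas["syslogProcMsgsDropped"]
    if dropped:
        findings.append(f"dropped: {dropped} message(s) could not be relayed")
    rejected = deltas["syslogProcMsgsRejected"]
    if rejected:
        findings.append(f"rejected: {rejected} message(s) from hosts/services "
                        "not on the allowed list")
    ill = deltas["syslogProcMsgsIllFormed"]
    # Assumption: ill-formed messages are also counted as received.
    if received and ill / received > illformed_ratio_alarm:
        findings.append(f"illformed: {ill} of {received} received messages "
                        "were not well-formed")
    if curr["syslogProcLastErrorTime"] != prev["syslogProcLastErrorTime"]:
        findings.append("error: " + curr["syslogProcLastError"])
    return deltas, findings


def analyse_table(prev_table, curr_table):
    """Analyse every row of the earlier poll, keyed by syslogProcIndex."""
    results = {}
    for index, prev in prev_table.items():
        if index not in curr_table:
            results[index] = ({}, ["missing: row no longer reported by the agent"])
        else:
            results[index] = analyse_row(prev, curr_table[index])
    return results


def sample_row(start, counters, last_rx, err_time=0, err=""):
    """Build one constructed syslogProcEntry snapshot (hypothetical helper)."""
    snap = dict(zip(COUNTERS, counters))
    snap.update(syslogProcStartTime=start, syslogProcLastMsgRecdTime=last_rx,
                syslogProcLastErrorTime=err_time, syslogProcLastError=err)
    return snap


# Constructed polls of four syslog processes; TimeStamp values are TimeTicks.
PREV = {
    1: sample_row(500, (4294967000, 100, 5, 0, 10, 0), 9000),
    2: sample_row(500, (42, 0, 0, 0, 0, 0), 7000),
    3: sample_row(500, (800, 700, 0, 0, 0, 0), 9000),
    4: sample_row(500, (1000, 0, 0, 10, 0, 0), 9000),
}
CURR = {
    1: sample_row(500, (704, 900, 25, 0, 190, 0), 15000, 14900,
                  "constructed: relay queue full"),
    2: sample_row(500, (42, 0, 0, 0, 0, 0), 7000),
    3: sample_row(16000, (12, 3, 0, 0, 0, 0), 16100),
    4: sample_row(500, (1200, 0, 0, 60, 0, 7), 15000),
}

if __name__ == "__main__":
    for index, (deltas, findings) in sorted(analyse_table(PREV, CURR).items()):
        print(index, deltas.get("syslogProcMsgsReceived"), findings)
```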

4.  The Syslog MIB


   SYSLOG-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
                 Unsigned32, Counter32, Integer32, mib-2
                 FROM SNMPv2-SMI
       RowStatus, TEXTUAL-CONVENTION, TimeStamp, TruthValue,
                 StorageType
                 FROM SNMPv2-TC
       InetAddressType, InetAddress, InetAddressPrefixLength
                 FROM INET-ADDRESS-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP
                 FROM SNMPv2-CONF
       SnmpAdminString
                 FROM SNMP-FRAMEWORK-MIB;

   syslogMIB  MODULE-IDENTITY
       LAST-UPDATED "200502160000Z"  -- Wed February  16 00:00 GMT 2005
       ORGANIZATION "IETF Syslog Working Group"
       CONTACT-INFO
           "        Glenn Mansfield Keeni
            Postal: Cyber Solutions Inc.
                    6-6-3, Minami Yoshinari
                    Aoba-ku, Sendai, Japan 989-3204.
               Tel: +81-22-303-4012
               Fax: +81-22-303-4015
            E-mail: glenn@cysols.com

            Support Group E-mail: mip6@ietf.org
            "

       DESCRIPTION
           "The MIB module pertaining to the reception and processing
            of Syslog compatible messages.

            Copyright (C) The Internet Society 2005.  This version of
            this MIB module is part of RFC XXXX; see the RFC itself
            for full legal notices.
           "
      -- RFC Ed.: replace XXXX with actual RFC number & remove this note


       REVISION "200502160000Z"  -- Wed February  16 00:00 GMT 2005
       DESCRIPTION
           "Initial version, published as RFC XXXX."

      -- RFC Ed.: replace XXXX with actual RFC number & remove this note

       ::= { mib-2 YYY }     -- Will be assigned by IANA

      -- IANA Reg.: Please assign a value for "YYY" under the 'mib-2'
      -- subtree and record the assignment in the SMI Numbers registry.

      -- RFC Ed.: When the above assignment has been made, please
      --     remove the above note
      --     replace "YYY" here with the assigned value and
      --     remove this note.


   -- -------------------------------------------------------------
   -- Textual Conventions
   -- -------------------------------------------------------------

   SyslogFacility  ::=  TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "This textual convention enumerates the facilities
            that originate syslog messages.
            The value noMap(99) indicates that the appropriate
            facility will be provided by the application on the
            managed entity.
            If this option is not available on a particular entity,
            attempts to set the facility to this value will fail
            with an error-status of wrongValue.
           "
       REFERENCE
           "The BSD syslog Protocol (RFC 3164) sec. 4.1.1 (Table 1).
           "
       SYNTAX  INTEGER {
                 kernel          (0), -- kernel messages
                 user            (1), -- user-level messages
                 mail            (2), -- mail system
                 daemon          (3), -- system daemons
                 auth            (4), -- authorization messages
                 syslog          (5), -- messages generated by syslogd
                 lpr             (6), -- line printer subsystem
                 news            (7), -- network news subsystem
                 uucp            (8), -- UUCP subsystem
                 cron            (9), -- clock daemon
                 authPriv        (10),-- authorization messages
                                      --    (private)
                 ftp             (11),-- ftp daemon
                 ntp             (12),-- NTP subsystem
                 security        (13),-- security subsystems
                                      --    (firewalling, etc.)
                 console         (14),-- /dev/console output

                 local0          (16),
                 local1          (17),
                 local2          (18),
                 local3          (19),
                 local4          (20),
                 local5          (21),
                 local6          (22),
                 local7          (23),
                 noMap           (99)
               }

   SyslogSeverity  ::=  TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "This textual convention enumerates the severity levels
            of syslog messages.  The syslog protocol uses the values
            0 (emergency), to 7 (debug)."
       REFERENCE
           "The BSD syslog Protocol (RFC 3164) sec. 4.1.1 (Table 2)
           "
       SYNTAX  INTEGER {
                         emergency       (0),  -- system is unusable
                         alert           (1),  -- action must be taken
                                               --          immediately
                         critical        (2),  -- critical conditions
                         error           (3),  -- error conditions
                         warning         (4),  -- warning conditions
                         notice          (5),  -- normal but significant
                                               --              condition
                         info            (6),  -- informational
                         debug           (7),  -- debug-level messages
                         other           (99)  -- none of the above
                       }


   SyslogSeverityCompOP  ::=  TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "The operator that will be applied to the severity
            before the selection for an action takes place.
           "
       SYNTAX INTEGER  {
                         none                  (1),
                         greaterThanOrEqual    (2),
                         lessThanOrEqual       (3),
                         greaterThan           (4),
                         lessThan              (5),
                         notGreaterThanOrEqual (6),
                         notLessThanOrEqual    (7),
                         notGreaterThan        (8),
                         notLessThan           (9),
                         equal                 (10),
                         notEqual              (11)
                       }

   SyslogTransport  ::=  TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "The Transport that will be used to send and/or
            receive messages.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       SYNTAX INTEGER  {
                         any                   (1),
                         udp                   (2),
                         tcp                   (3)
                       }

   SyslogService  ::=  TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "The service name or port number that will be used to
            send and/or receive messages.
            The special name ''any'' is reserved. It denotes
            all ports and is applicable only in the context of
            message reception.
            In case the service name is given, and it is not ''any'',
            the service name must resolve to a port number on the
            local host.
           "
       SYNTAX OCTET STRING (SIZE (0..255))

   -- -------------------------------------------------------------
   -- syslogMIB - the main groups
   -- -------------------------------------------------------------

   syslogSystem              OBJECT IDENTIFIER
                         ::= { syslogMIB 1 }

   syslogProc                OBJECT IDENTIFIER
                         ::= { syslogMIB 2 }

   -- -------------------------------------------------------------
   -- syslogSystem
   -- -------------------------------------------------------------

   -- The system wide parameters

   syslogDefaultTransport OBJECT-TYPE
       SYNTAX      SyslogTransport
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default transport that a syslog process will use
            to send syslog messages.

            The value of this object SHOULD remain unchanged across
            reboots of the managed entity.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       DEFVAL  {udp}
       ::= { syslogSystem 1 }

   syslogDefaultService OBJECT-TYPE
       SYNTAX      SyslogService
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default service name or port number that a syslog
            process will use to send syslog messages.

            The value of this object SHOULD remain unchanged across
            reboots of the managed entity.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       DEFVAL  { "514" }
       ::= { syslogSystem 2 }

   syslogDefaultFacility OBJECT-TYPE
       SYNTAX      SyslogFacility
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default syslog facility that will be added to syslog
            messages when the message needs to be relayed and does not
            have priority specified.

            The value of this object SHOULD remain unchanged across
            reboots of the managed entity.
           "
       ::= { syslogSystem 3 }

   syslogDefaultSeverity OBJECT-TYPE
       SYNTAX      SyslogSeverity
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default syslog severity that will be added to syslog
            messages when the message needs to be relayed and does not
            have priority specified.

            The value of this object SHOULD remain unchanged across
            reboots of the managed entity.
           "
       ::= { syslogSystem 4 }

   syslogMaxMessageSize OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The maximum size of the syslog messages in bytes.

            The value of this object SHOULD remain unchanged across
            reboots of the managed entity.
           "
       DEFVAL { 1024 }
       ::= { syslogSystem 5 }

   -- -------------------------------------------------------------
   -- syslogProc
   -- -------------------------------------------------------------
   syslogProcTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogProcEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing information about the syslog processes
            serviced by an SNMP agent.
           "
       ::= { syslogProc 1 }

   syslogProcEntry OBJECT-TYPE
       SYNTAX      SyslogProcEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The information pertaining to a syslog process.
           "
       INDEX  { syslogProcIndex }
       ::= { syslogProcTable 1 }

   SyslogProcEntry ::=
       SEQUENCE {
           syslogProcIndex
                Unsigned32,
           syslogProcMsgsReceived
                Counter32,
           syslogProcMsgsRelayed
                Counter32,
           syslogProcMsgsDropped
                Counter32,
           syslogProcMsgsIllFormed
                Counter32,
           syslogProcMsgsIgnored
                Counter32,
           syslogProcMsgsRejected
                Counter32,
           syslogProcLastMsgRecdTime
                TimeStamp,
           syslogProcLastMsgDeliveredTime
                TimeStamp,
           syslogProcStartTime
                TimeStamp,
           syslogProcLastError
                SnmpAdminString,
           syslogProcLastErrorTime
                TimeStamp,
           syslogProcReference
                Integer32
       }


   -- option for allowed peers needs to be added

   syslogProcIndex OBJECT-TYPE
       SYNTAX      Unsigned32 (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The Index that uniquely identifies the syslog process in the
            syslogProcess table.
           "
       ::= { syslogProcEntry 1 }

   syslogProcMsgsReceived OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages received by the syslog
            process. This includes messages that were ignored.
           "
       ::= { syslogProcEntry 2 }

   syslogProcMsgsRelayed OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages relayed by the syslog
            process to other syslog processes.
           "
       ::= { syslogProcEntry 3 }

   syslogProcMsgsDropped OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that could not be relayed
            (could not be queued for transmitting)."
       ::= { syslogProcEntry 4 }

   syslogProcMsgsIllFormed OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that were rejected by the
            syslog process because these were not well-formed.
           "
       ::= { syslogProcEntry 5 }

   syslogProcMsgsIgnored OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that were not processed by the
            syslog process because the message did not meet
            the message selection criteria for the syslog process.
            For example, in the case of BSD syslog messages, either
            the program name or the priority level of the message
            or both did not match any selection specified
            for this process in the syslog process' configuration
            file
           "
       ::= { syslogProcEntry 6 }

   syslogProcMsgsRejected OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that were rejected by the
            syslog process because the message was from a host/service
            that did not match any selection specified for this process
            and was not on the allowed host/services list.
           "
       ::= { syslogProcEntry 7 }

   syslogProcLastMsgRecdTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when the last message was received
            by the syslog process locally or from a remote
            syslog process.
           "
       ::= { syslogProcEntry 8 }

   syslogProcLastMsgDeliveredTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when the last message was delivered
            by the syslog process.
           "
       ::= { syslogProcEntry 9 }


   syslogProcStartTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when this process was started.
           "
       ::= { syslogProcEntry 10 }

   syslogProcLastError OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A description of the last error that was encountered
            by this process.
           "
       ::= { syslogProcEntry 11 }

   syslogProcLastErrorTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when the last error was encountered.
           "
       ::= { syslogProcEntry 12 }

   syslogProcReference OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "If the Host Resources MIB is serviced on the host then
            this entry will have the value of the hrSWRunIndex
            of the corresponding entry in the hrSWRunTable.
            Otherwise this object will be inaccessible.
           "
       ::= { syslogProcEntry 13 }

   syslogParamsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogParamsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing information about the parameters
           that control the syslog processes.
           "
       ::= { syslogProc 2 }

   syslogParamsEntry OBJECT-TYPE
       SYNTAX      SyslogParamsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The parameters pertaining to a syslog process."
       INDEX  { syslogProcIndex }
       ::= { syslogParamsTable 1 }

   SyslogParamsEntry ::=
       SEQUENCE {
           syslogParamsProcDescr
                SnmpAdminString,
           syslogParamsBindAddrType
                InetAddressType,
           syslogParamsBindAddr
                InetAddress,
           syslogParamsSendToAllAddresses
                TruthValue,
           syslogParamsCompression
                INTEGER,
           syslogParamsConfFileName
                SnmpAdminString,
           syslogParamsFacilityTranslation
                INTEGER,
           syslogParamsPIDFileName
                SnmpAdminString,
           syslogParamsDNSLookup
                INTEGER,
           syslogParamsSeverityCompOP
                SyslogSeverityCompOP,
           syslogParamsSecuritySpecs
                INTEGER,
           syslogParamsProcessStatus
                INTEGER,
           syslogParamsStorageType
                StorageType,
           syslogParamsRowStatus
                RowStatus
        }


   syslogParamsProcDescr OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A user definable description of the syslog process.
           "
       ::= { syslogParamsEntry 1 }

   syslogParamsBindAddrType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of Internet address which follows
            in syslogParamsBindAddr.
           "
       ::= { syslogParamsEntry 2 }

   syslogParamsBindAddr OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The specific IP address or hostname the syslog process will
            bind to. If a hostname is specified, the IPv4 or IPv6
            address corresponding to the hostname will be used.
           "
       ::= { syslogParamsEntry 3 }

   syslogParamsSendToAllAddresses OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "If the destination host, for a message to be forwarded,
            has more than one A or AAAA record, send the message to
            all the addresses (true); else send to only one of the
            addresses.
           "
       DEFVAL     { false }
       ::= { syslogParamsEntry 4 }

   syslogParamsCompression OBJECT-TYPE
       SYNTAX      INTEGER {
                   off       (1),
                   offIfPipe (2),
                   on        (3)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "If 'off', disable the compression of repeated instances
            of the same line into a single line of the form ``last
            message repeated N times''.
            If 'offIfPipe', disable the compression when the output
            is a pipe to another program. Otherwise the compression
            is enabled.

            The value of this object SHOULD remain unchanged across
            reboots of the managed entity.
           "
       DEFVAL { on }
       ::= { syslogParamsEntry 5 }

   syslogParamsConfFileName OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
         "The full path name of the configuration file where the
          syslog process's message selection and corresponding action
          rules will be read from.
          The syslog process reads its configuration information from
          this file.
          If the system does not support the specification of a
          configuration file this field will not be accessible.
         "
       DEFVAL { "/etc/syslog.conf" }
       ::= { syslogParamsEntry 6 }

   syslogParamsFacilityTranslation OBJECT-TYPE
       SYNTAX      TruthValue
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "If false(2), disable the translation of messages received
            with facility ``kern'' to facility ``user''.  Usually the
            ``kern'' facility is reserved for messages read directly
            from /dev/klog.

            The value of this object SHOULD remain unchanged across
            reboots of the managed entity.
           "
       DEFVAL { true }
       ::= { syslogParamsEntry 7 }

   syslogParamsPIDFileName OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
           "The full path name of the file where the syslog process ID
            will be recorded.
            If the system does not support recording the syslog
            process ID, this object will not be accessible.
           "
       DEFVAL { "/etc/syslog.pid" }
       ::= { syslogParamsEntry 8 }

   syslogParamsDNSLookup OBJECT-TYPE
       SYNTAX      INTEGER {
                   useLocalCache       (1),
                   doNotUseLocalCache  (2)
                   }
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "If doNotUseLocalCache is selected, fresh DNS lookups will
            be carried out every time a hostname is encountered.
            Otherwise, DNS lookups will be carried out only once for
            each hostname.

            The value of this object SHOULD remain unchanged across
            reboots of the managed entity.
           "
       DEFVAL { useLocalCache }
       ::= { syslogParamsEntry 9 }

   syslogParamsSeverityCompOP  OBJECT-TYPE
       SYNTAX SyslogSeverityCompOP
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
           "The default value of the operator that should be
            applied to the syslogCtlSelectionSeverity before the
            selection takes place.
           "
       DEFVAL      { greaterThanOrEqual }
       ::= { syslogParamsEntry 10 }

   syslogParamsSecuritySpecs   OBJECT-TYPE
       SYNTAX       INTEGER  {
                         none                      (1),
                         doNotRecvFromRemoteHosts  (2),
                         doNotOpenNetworkSockets   (3)
                       }
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
           "If doNotRecvFromRemoteHosts is selected then the
            corresponding syslog process will not receive messages
            from remote hosts.
            If doNotOpenNetworkSockets is selected then the syslog
            process will not receive from or forward to remote hosts.
           "
       DEFVAL      { none }
       ::= { syslogParamsEntry 11 }

   syslogParamsProcessStatus OBJECT-TYPE
       SYNTAX       INTEGER  {
                         unknown  (1),
                         started  (2),
                         suspended(3),
                         stopped  (4)
                       }
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION
           "The status of the process.
           "
       DEFVAL      { unknown }
       ::= { syslogParamsEntry 12 }

   syslogParamsStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
           "This object defines whether the parameters defined in this
            row are kept in volatile storage and lost upon reboot or
            are backed up by non-volatile (permanent) storage.
            Conceptual rows having the value 'permanent' need not
            allow write-access to any columnar objects in the row.
           "
       ::= { syslogParamsEntry 13 }

   syslogParamsRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object is used to create, modify and delete rows in
            the syslogParamsTable.
            Objects in a row can be modified only when the value of this
            object in the corresponding conceptual row is not
            ''active''.
            Thus to modify one or more of the objects in this conceptual
            row,
              a. change the row status to ''notInService'',
              b. change the values of the row
              c. change the row status to ''active''
            The syslogParamsRowStatus may be changed to ''active'' iff
            all the MOs in the conceptual row have been assigned valid
            values.
           "
       ::= { syslogParamsEntry 14 }

   syslogAllowedHostsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslogAllowedHostsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing information about the Hosts
           from which messages will be accepted.
           "
       ::= { syslogProc 3 }

   syslogAllowedHostsEntry OBJECT-TYPE
       SYNTAX      SyslogAllowedHostsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The host information."
       INDEX  { syslogProcIndex }
       ::= { syslogAllowedHostsTable 1 }

   SyslogAllowedHostsEntry ::=
       SEQUENCE {
           syslogAllowedHostsAddressType
                InetAddressType,
           syslogAllowedHostsAddress
                InetAddress,
           syslogAllowedHostsMaskLen
                InetAddressPrefixLength,
           syslogAllowedHostsTransport
                SyslogTransport,
           syslogAllowedHostsPort
                SyslogService,
           syslogAllowedHostsStorageType
                StorageType,
           syslogAllowedHostsRowStatus
                RowStatus
        }

   syslogAllowedHostsAddressType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of Internet address which follows
            in syslogAllowedHostsAddress.
           "
       ::= { syslogAllowedHostsEntry 1 }

   syslogAllowedHostsAddress OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The IP address or hostname specification of the host from
            which the syslog process will accept messages.
           "
       ::= { syslogAllowedHostsEntry 2 }

   syslogAllowedHostsMaskLen OBJECT-TYPE
       SYNTAX      InetAddressPrefixLength
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "If the syslogAllowedHostsAddressType is ipv4(1) or ipv6(2),
            this object represents the number of bits that will be
            taken into account when the address of the originating
            host is being compared with syslogAllowedHostsAddress.

            The default value of this MO will be the length of the
            corresponding syslogAllowedHostsAddress.

            If the syslogAllowedHostsAddressType is not ipv4(1) or
            ipv6(2), this object is not used.

            A value of 0 indicates that the prefix is not used or is
            not applicable.
           "
       DEFVAL     { 0 }
       ::= { syslogAllowedHostsEntry 3 }

   syslogAllowedHostsTransport OBJECT-TYPE
       SYNTAX      SyslogTransport
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The Transport specification that will be used to decide
            whether the message will be accepted from a host or
            not.
           "
       DEFVAL     { udp }
       ::= { syslogAllowedHostsEntry 4 }


   syslogAllowedHostsPort OBJECT-TYPE
       SYNTAX      SyslogService
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The port specification that will be used to decide
            whether the message will be accepted from a host or
            not.
           "
       DEFVAL     { "any" }
       ::= { syslogAllowedHostsEntry 5 }

   syslogAllowedHostsStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
           "This object defines whether the parameters defined in this
            row are kept in volatile storage and lost upon reboot or
            are backed up by non-volatile (permanent) storage.
            Conceptual rows having the value 'permanent' need not
            allow write-access to any columnar objects in the row.
           "
       ::= { syslogAllowedHostsEntry 6 }


   syslogAllowedHostsRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object is used to create and delete rows in the
            syslogAllowedHostsTable.
            All the columns in this conceptual row MUST have valid
            values before this column can be assigned the value
            ''active''.
           "
       ::= { syslogAllowedHostsEntry 7 }

   -- -------------------------------------------------------------
   -- Conformance Information
   -- -------------------------------------------------------------

   syslogConformance OBJECT IDENTIFIER
                             ::= { syslogMIB 4 }

   syslogGroups OBJECT IDENTIFIER
                             ::= { syslogConformance 1 }

   syslogCompliances OBJECT IDENTIFIER
                             ::= { syslogConformance 2 }

   -- -------------------------------------------------------------
   -- units of conformance
   -- -------------------------------------------------------------

   syslogSystemGroup OBJECT-GROUP
       OBJECTS {
                syslogDefaultTransport,
                syslogDefaultService,
                syslogDefaultFacility,
                syslogDefaultSeverity,
                syslogMaxMessageSize

       }
       STATUS  current
       DESCRIPTION
           "A collection of objects providing system-wide
            parameters for syslog processes.
           "
       ::= { syslogGroups 1}

   syslogStatsGroup OBJECT-GROUP
       OBJECTS {
               --  syslogProcIndex,
                   syslogProcMsgsReceived,
                   syslogProcMsgsRelayed,
                   syslogProcMsgsDropped,
                   syslogProcMsgsIllFormed,
                   syslogProcMsgsIgnored,
                   syslogProcMsgsRejected,
                   syslogProcLastMsgRecdTime,
                   syslogProcLastMsgDeliveredTime,
                   syslogProcStartTime,
                   syslogProcLastError,
                   syslogProcLastErrorTime,
                   syslogProcReference
               }
       STATUS  current
       DESCRIPTION
           "A collection of objects providing message related
            statistics."
       ::= { syslogGroups 2}

   syslogParamsGroup OBJECT-GROUP
       OBJECTS {
                   syslogParamsProcDescr,
                   syslogParamsBindAddrType,
                   syslogParamsBindAddr,
                   syslogParamsSendToAllAddresses,
                   syslogParamsCompression,
                   syslogParamsConfFileName,
                   syslogParamsFacilityTranslation,
                   syslogParamsPIDFileName,
                   syslogParamsDNSLookup,
                   syslogParamsSeverityCompOP,
                   syslogParamsSecuritySpecs,
                   syslogParamsProcessStatus,
                   syslogParamsStorageType,
                   syslogParamsRowStatus,
                   syslogAllowedHostsAddressType,
                   syslogAllowedHostsAddress,
                   syslogAllowedHostsMaskLen,
                   syslogAllowedHostsTransport,
                   syslogAllowedHostsPort,
                   syslogAllowedHostsStorageType,
                   syslogAllowedHostsRowStatus
               }
       STATUS  current
       DESCRIPTION
           "A collection of objects representing the run time parameters
            for the syslog processes.
           "
       ::= { syslogGroups 3}

   -- -------------------------------------------------------------
   -- compliance statements
   -- -------------------------------------------------------------

   syslogCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
           "The compliance statement for SNMP entities which
            implement the SYSLOG-MIB.
           "
       MODULE -- this module
       MANDATORY-GROUPS {
           syslogStatsGroup
       }

       GROUP       syslogSystemGroup
       DESCRIPTION
           "The syslogSystemGroup group is mandatory only for
            agents which support monitoring and control of the
            syslog system wide parameters.
            If only monitoring is supported then the corresponding
            objects MUST have access read-only.
           "
       GROUP       syslogParamsGroup
       DESCRIPTION
           "The syslogParamsGroup group is mandatory only for
            agents which support monitoring and/or control of
            syslog processes.
            If only monitoring is supported then the corresponding
            objects MUST have access read-only.
           "
       ::= { syslogCompliances 1 }

   END

4.  Security Considerations


   Syslog plays a very important role in the computer and network
   security of an organization. SyslogMIB defines several managed
   objects that may be used to monitor, configure and control syslog
   processes. As such, improper manipulation of the objects represented
   by this MIB may lead to an attack on an important component of the
   computer and network security infrastructure.  The objects in
   syslogParamsTable and syslogAllowedHostsTable may be misconfigured
   to cause syslog messages to be diverted or lost. A misconfiguration
   may also result in a DoS attack on a user or service.

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

       o  syslogParamsTable: the objects in this table describe the
          configuration of the syslog processes.
       o  syslogAllowedHostsTable: the objects in this table describe
          the hosts from which syslog messages will be accepted.
          Improper configuration may lead to loss of messages from an
          important source or a flood of messages from a potentially
          rogue source.
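
   The syslogAllowedHostsTable risk named above, as an added example
   that is not part of this draft or of any syslog implementation:
   Python code that evaluates rows of the table against a message
   source and reports rows whose syslogAllowedHostsMaskLen admits more
   than intended. Assumptions: a MaskLen of 0 means the whole address
   is compared, the port is matched as a string with "any" as a
   wildcard, and all class names, function names and addresses are
   constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowedHostRow:
    """One conceptual row of syslogAllowedHostsTable (hypothetical Python form)."""
    address_type: str  # syslogAllowedHostsAddressType: "ipv4" or "ipv6"
    address: str       # syslogAllowedHostsAddress
    mask_len: int      # syslogAllowedHostsMaskLen, DEFVAL { 0 }
    transport: str     # syslogAllowedHostsTransport, DEFVAL { udp }
    port: str          # syslogAllowedHostsPort, DEFVAL { "any" }


def compared_bits(row):
    """Number of address bits compared for this row.

    Assumption: MaskLen 0 ("prefix is not used") selects the full address
    length, so the row names exactly one host.
    """
    full = 32 if row.address_type == "ipv4" else 128
    if not 0 <= row.mask_len <= full:
        raise ValueError(f"mask_len {row.mask_len} invalid for {row.address_type}")
    return row.mask_len or full


def row_matches(row, src, transport, port):
    """True if a message from src over transport/port satisfies this row."""
    if row.address_type not in ("ipv4", "ipv6"):
        return False  # other address types are not prefix-compared
    src_ip = ipaddress.ip_address(src)
    if src_ip.version != (4 if row.address_type == "ipv4" else 6):
        return False
    # strict=False masks off host bits, as a prefix comparison would.
    net = ipaddress.ip_network(f"{row.address}/{compared_bits(row)}", strict=False)
    if src_ip not in net or row.transport != transport:
        return False
    return row.port == "any" or row.port == str(port)


def is_allowed(rows, src, transport, port):
    """Accept the message if any row matches."""
    return any(row_matches(r, src, transport, port) for r in rows)


def overly_broad(rows, min_bits_v4=24, min_bits_v6=64):
    """Audit helper: rows comparing fewer bits than the site's policy floor.

    The floors are example policy values, not values from the draft.
    """
    flagged = []
    for r in rows:
        floor = min_bits_v4 if r.address_type == "ipv4" else min_bits_v6
        if compared_bits(r) < floor:
            flagged.append(r)
    return flagged


# Constructed sample rows using documentation address ranges.
ROWS = [
    AllowedHostRow("ipv4", "192.0.2.10", 0, "udp", "any"),     # one host
    AllowedHostRow("ipv4", "198.51.100.0", 24, "udp", "514"),  # one subnet
    # Meant for one host, but MaskLen 8 admits all of 203.0.0.0/8.
    AllowedHostRow("ipv4", "203.0.113.7", 8, "udp", "any"),
    AllowedHostRow("ipv6", "2001:db8:1:2::", 64, "udp", "any"),
]

if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.11", "203.200.1.1"):
        print(src, is_allowed(ROWS, src, "udp", 514))
    for row in overly_broad(ROWS):
        print("broad row:", row.address, "/", compared_bits(row))
```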


   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

       o  syslogProcTable: objects in this table carry sensitive
          information.  The counters may reveal information about
          the deployment and effectiveness of the relevant security
          systems. The counters may be analyzed to tell whether the
          security systems are able to detect an event or not.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example, by using IPsec),
   there is still no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

5.  IANA Considerations

   IANA should assign a base arc in the 'mib-2' (standards track) OID
   tree for the 'syslogMIB' MODULE-IDENTITY defined in the Syslog-MIB.

6.  References:

6.1 Normative References

   [RFC2119]    Bradner, S., Key words for use in RFCs to Indicate
                Requirement Levels, BCP 14, RFC 2119, March 1997.

   [RFC2578]    McCloghrie, K., Perkins, D., Schoenwaelder, J., Case,
                J., Rose, M. and S. Waldbusser, Structure of
                Management Information Version 2 (SMIv2), STD 58,
                RFC 2578, April 1999.

   [RFC2579]    McCloghrie, K., Perkins, D., Schoenwaelder, J., Case,
                J., Rose, M. and S. Waldbusser, Textual Conventions
                for SMIv2, STD 58, RFC 2579, April 1999.

   [RFC2580]    McCloghrie, K., Perkins, D., Schoenwaelder, J., Case,
                J., Rose, M. and S. Waldbusser, Conformance
                Statements for SMIv2, STD 58, RFC 2580, April 1999.

   [RFC3775]    Johnson, D., Perkins, C. and J. Arkko, Mobility
                Support in IPv6, RFC 3775, June 2004.

   [RFC2011bis] Routhier, S., Management Information Base for the
                Internet Protocol (IP), work in progress (currently
                <draft-ietf-ipv6-rfc2011-update-10.txt>).

   [RFC3291bis] Daniele, M., Haberman, B., Routhier, S. and J.
                Schoenwaelder, Textual Conventions for Internet
                Network Addresses, work in progress (currently
                <draft-ietf-ops-rfc3291bis-06.txt>).

6.2 Informative References

   [RFC3410]    Case, J., Mundy, R., Partain, D. and B. Stewart,
                Introduction and Applicability Statements for
                Internet-Standard Management Framework, RFC 3410,
                December 2002.

   [RFC3164]    Lonvick, C., The BSD Syslog Protocol, RFC 3164,
                August 2001.



7. Acknowledgments
   The authors would like to thank David Harrington, Mark Ellison, Mike
   MacFaden, Dave T Perkins and members of the WIDE-netman group for
   their comments and suggestions.

8. Authors' Addresses

   Glenn Mansfield Keeni
   Cyber Solutions Inc.
   6-6-3 Minami Yoshinari
   Aoba-ku, Sendai 989-3204
   Japan

   Phone: +81-22-303-4012
   EMail: glenn@cysols.com

   Bruno Pape
   Enterasys Networks, Inc.
   35 Industrial Way
   Rochester, NH 03867
   USA

   Email:  bpape@enterasys.com
   Tel:    +1 603 337 0446

9. Full Copyright Statement

   Copyright (C) The Internet Society (2005).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology
   described in this document or the extent to which any license
   under such rights might or might not be available; nor does it
   represent that it has made any independent effort to identify any
   such rights.  Information on the procedures with respect to
   rights in RFC documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention
   any copyrights, patents or patent applications, or other
   proprietary rights that may cover technology that may be required
   to implement this standard.  Please address the information to the
   IETF at ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

                                 APPENDIX


   This section documents the development of the draft. It will be
   deleted when the draft becomes an RFC.

   Revision History:

       REVISION "200502160000Z"  -- Wed February  16 00:00 GMT 2005
       DESCRIPTION
           "Major editorial change
                  - synched with latest mib boiler-plate requirement
                  - synched with latest I-D requirements
                  - references fixed
            Editorial nits fixed.
           "

       REVISION "200406160000Z"  -- Mon Feb       16 00:00 GMT 2004
       DESCRIPTION
           "Major change.
                The configuration parts have been removed.

            Updated the description clauses.

            Editorial nits fixed.
           "

       REVISION "200306250000Z"  -- Wed June      25 00:00 GMT 2003
       DESCRIPTION
           "Changed the type of
                syslogProcLastError            SnmpAdminString,
                from Integer32.

            DEFVAL { 0 } is added to syslogAllowedHostsMaskLen

            MO name changed from
            syslogCtlSelectionHostname to syslogCtlSelectionHostName

            Updated the description clauses.

            Fixed nits pointed out in Bert's mails of 20030319 and
            revised the document wrt the guidelines in
            draft-ietf-ops-mib-review-guidelines-01.txt

            Editorial nits fixed.
           "

       REVISION "200303030000Z"  -- Mon March     03 00:00 GMT 2003
       DESCRIPTION
           "Fixing of nits in descriptions, addition of references,
            addition of the following MOs
                syslogProcMsgsIllFormed        Counter32,
                syslogProcStartTime            TimeStamp,
                syslogProcLastError            Integer32,
                syslogProcLastErrorTime        TimeStamp,
                syslogParamsStorageType        StorageType,
                syslogCtlFwdActionSrcAddrType  InetAddressType,
                syslogCtlFwdActionSrcAddr      InetAddress,
            added enumeration ''suspended(2)'' to
                syslogParamsProcessStatus.
           "

       REVISION "200212252343Z"  -- Wed December  25 23:43 GMT 2002
       DESCRIPTION
           "Radical revision of the MIB structure and design."

       REVISION "200206061841Z"  -- Thu Jun  6 18:41 GMT 2002
       DESCRIPTION
           "The initial version of this MIB module."