Network Working Group                              Glenn Mansfield Keeni
INTERNET-DRAFT                                      Cyber Solutions Inc.
Expires: January 24, 2007                                  July 25, 2006



                   Syslog Management Information Base
                 <draft-ietf-syslog-device-mib-08.txt>

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a product of the syslog Working Group. Comments
   should be addressed to the authors or the mailing list at
   syslog@ietf.org

   This Internet-Draft will expire on January 24, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).


Abstract

   This memo defines a portion of the Management Information Base (MIB),
   the Syslog MIB, for use with network management protocols
   in the Internet community. In particular, the Syslog MIB will be
   used to monitor and control syslog devices.




Table of Contents

        1. The Internet-Standard Management Framework
        2. Background
        3. The MIB Design
        4. The Syslog MIB
        5. Security Considerations
        6. IANA Considerations
        7. References
        8. Acknowledgments
        9. Author's Addresses
       10. Full Copyright Statement
           Appendix

1. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).

   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a MIB
   module that is compliant to the SMIv2, which is described in STD 58,
   RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
   [RFC2580].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, RFC 2119
   [RFC2119].

2. Background

   Operating systems, processes and applications, collectively termed
   "facilities" in the following, generate messages indicating their own
   status or the occurrence of events. These messages are handled by what
   has come to be known as the syslog process or device [ref rfc3164,
   id-proto-15].

   This document defines a set of managed objects (MOs) that can be used
   to monitor a group of syslog devices.

   The syslogMIB can be used in conjunction with other MIBs - in
   particular the Host Resources MIB. Generic process-related
   matters, e.g. process control, status and resource usage, can be
   serviced by the corresponding entries in the Host Resources MIB.

                                    /
                          +------+ /
                          | SA-1 |------> SA-R1
                         /+------+ \
        Facility-1-->|  /
                  -->| /  +------+ /
        Facility-N-->|+---| SA-2 |------> SA-R2
                  -->| \  +------+ \
      SyslogHost-N-->|  \
                         \+------+ /
                          | SA-N |------> SA-RN
                          +------+ \
                                    \

             Facility: Facility originating the message (locally)
           SyslogHost: Remote SyslogHost relaying a message
                   SA: Syslog Process


                   Fig.1 Syslog Application Model

   The group of syslog devices modelled by the MIB is shown in Fig.1.
   One or more syslog devices which may be on the same host receive
   syslog messages from local facilities and from other syslog devices
   which may be on other hosts. The syslog device receives the message
   and processes it. The processing will depend on internal
   configuration and may involve relaying the message to a syslog device
   which may be on another host.


3. The MIB Design

   The purpose of the SyslogMIB is to allow the monitoring of a group of
   syslog devices. This requires MOs representing:

   o  The default configuration parameters for the group of
      syslog devices.
      - maximum message size,
      - type of transport, port numbers on which
        the process will listen for messages, etc.
   o  The configuration and status related details of each
      syslog device.
   o  Statistics on syslog messages received, processed
      locally, and relayed by each syslog device.

   The MIB comprises four groups:
   o  The syslogSystem group services the default configuration
      parameters.
   o  The syslog device group consisting of the
      - syslDevCtlTable which deals with the configuration and
        control related information for a syslog device.
      - syslDevOpsTable which deals with statistical information
        about messages processed by a syslog device.
   o  The syslogNotifications group defines the set of
      notifications that will be used to asynchronously monitor
      the status of a syslog device.
   o  The conformance group defines the compliance statements.
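
   The statistics kept in the syslDevOpsTable become useful when two
   polls of the same row are compared. The Python below is an added
   example, not part of this draft or of any implementation of it: it
   computes Counter32 deltas with wrap handling and flags dropped,
   ignored, ill-formed and silent intervals. Column names are taken
   from the MIB module in section 4; the 5% threshold, the restart rule
   based on syslDevOpsStartTime and the sample polls are assumptions.

```python
COUNTER32_MOD = 2 ** 32  # a Counter32 wraps from 2**32 - 1 back to 0

# Counter32 columns of syslDevOpsEntry, as named in the MIB module.
COUNTER_COLUMNS = (
    "syslDevOpsMsgsReceived",
    "syslDevOpsMsgsRelayed",
    "syslDevOpsMsgsDropped",
    "syslDevOpsMsgsIllFormed",
    "syslDevOpsMsgsIgnored",
)


def counter32_delta(prev, curr):
    """Increase between two Counter32 samples.

    Correct as long as the counter wrapped at most once between polls.
    """
    return (curr - prev) % COUNTER32_MOD


def assess_row(prev, curr, max_ratio=0.05):
    """Compare two polls of one syslDevOpsTable row.

    prev and curr map column names to values. Returns (deltas, findings).
    max_ratio is a hypothetical alert threshold, not a value from the MIB.
    """
    # Assumption: a changed syslDevOpsStartTime means the device was
    # restarted, so the counters are re-baselined rather than subtracted.
    if curr["syslDevOpsStartTime"] != prev["syslDevOpsStartTime"]:
        return None, ["restarted"]

    deltas = {c: counter32_delta(prev[c], curr[c]) for c in COUNTER_COLUMNS}
    received = deltas["syslDevOpsMsgsReceived"]
    findings = []

    # No new messages and an unchanged receive timestamp: sources went quiet.
    if received == 0 and (curr["syslDevOpsLastMsgRecdTime"]
                          == prev["syslDevOpsLastMsgRecdTime"]):
        findings.append("silent")
    # Any message that could not be queued for relaying is lost log data.
    if deltas["syslDevOpsMsgsDropped"] > 0:
        findings.append("dropped")
    # Rejected or filtered messages are judged relative to the traffic seen.
    for column, label in (("syslDevOpsMsgsIllFormed", "ill-formed"),
                          ("syslDevOpsMsgsIgnored", "ignored")):
        if received and deltas[column] / received > max_ratio:
            findings.append(label)
    # A new error timestamp means syslDevOpsLastError holds a fresh error.
    if curr["syslDevOpsLastErrorTime"] != prev["syslDevOpsLastErrorTime"]:
        findings.append("error: " + curr["syslDevOpsLastError"])
    return deltas, findings


# Constructed sample polls of the row with syslDevOpsIndex 1 (not real data).
POLL_1 = {
    "syslDevOpsMsgsReceived": 4294967000,
    "syslDevOpsMsgsRelayed": 900,
    "syslDevOpsMsgsDropped": 10,
    "syslDevOpsMsgsIllFormed": 3,
    "syslDevOpsMsgsIgnored": 40,
    "syslDevOpsLastMsgRecdTime": 500000,
    "syslDevOpsStartTime": 1200,
    "syslDevOpsLastError": "",
    "syslDevOpsLastErrorTime": 0,
}
POLL_2 = dict(
    POLL_1,
    syslDevOpsMsgsReceived=704,          # wrapped past 2**32 since POLL_1
    syslDevOpsMsgsRelayed=1700,
    syslDevOpsMsgsDropped=35,
    syslDevOpsMsgsIllFormed=5,
    syslDevOpsMsgsIgnored=140,
    syslDevOpsLastMsgRecdTime=530000,
    syslDevOpsLastError="relay queue full",   # constructed error text
    syslDevOpsLastErrorTime=529000,
)

if __name__ == "__main__":
    deltas, findings = assess_row(POLL_1, POLL_2)
    print(deltas)
    print(findings)
```
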

4.  The Syslog MIB


   SYSLOG-MIB DEFINITIONS ::= BEGIN

   IMPORTS
       MODULE-IDENTITY, OBJECT-TYPE,
                 Unsigned32, Counter32, Integer32, mib-2,
                 NOTIFICATION-TYPE
                 FROM SNMPv2-SMI
       RowStatus, StorageType,
       TEXTUAL-CONVENTION, TimeStamp
                 FROM SNMPv2-TC
       InetAddressType, InetAddress
                 FROM INET-ADDRESS-MIB
       MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
                 FROM SNMPv2-CONF
       SnmpAdminString
                 FROM SNMP-FRAMEWORK-MIB;

   syslogMIB  MODULE-IDENTITY
       LAST-UPDATED "200511250000Z"  -- 25th November, 2005
       ORGANIZATION "IETF Syslog Working Group"
       CONTACT-INFO
           "        Glenn Mansfield Keeni
            Postal: Cyber Solutions Inc.
                    6-6-3, Minami Yoshinari
                    Aoba-ku, Sendai, Japan 989-3204.
               Tel: +81-22-303-4012
               Fax: +81-22-303-4015
            E-mail: glenn@cysols.com
            "

       DESCRIPTION
           "The MIB module for monitoring syslog devices.

            Copyright (C) The Internet Society (2006). This
            version of this MIB module is part of RFC XXXX;
            see the RFC itself for full legal notices.
           "
      -- RFC Ed.: replace XXXX with the actual RFC number & remove this
      -- note

       REVISION "200511250000Z"  -- 25th November, 2005
       DESCRIPTION
           "The initial version, published as RFC XXXX."

      -- RFC Ed.: replace XXXX with the actual RFC number & remove this
      -- note


       ::= { mib-2 YYYY }     -- Will be assigned by IANA

      -- IANA Reg.: Please assign a value for "YYYY" under the
      -- 'mib-2' subtree and record the assignment in the SMI
      -- Numbers registry.

      -- RFC Ed.: When the above assignment has been made, please
      --     remove the above note
      --     replace "YYYY" here with the assigned value and
      --     remove this note.



   -- -------------------------------------------------------------
   -- Textual Conventions
   -- -------------------------------------------------------------

   SyslogFacility  ::=  TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "This textual convention enumerates the facilities
            that originate syslog messages.
            The value noMap(99) indicates that the appropriate
            facility will be provided by the application on the
            managed entity.
            If this option is not available on a particular entity,
            attempts to set the facility to this value will fail
            with an error-status of wrongValue.
           "
       REFERENCE
           "The BSD syslog Protocol (RFC 3164) sec. 4.1.1 (Table 1).
           "
       SYNTAX  INTEGER
            {
                kernel          (0), -- kernel messages
                user            (1), -- user-level messages
                mail            (2), -- mail system
                daemon          (3), -- system daemons
                auth            (4), -- authorization messages
                syslog          (5), -- messages generated by syslogd
                lpr             (6), -- line printer subsystem
                news            (7), -- network news subsystem
                uucp            (8), -- UUCP subsystem
                cron            (9), -- clock daemon
                authPriv        (10),-- authorization messages
                                     --    (private)
                ftp             (11),-- ftp daemon
                ntp             (12),-- NTP subsystem
                security        (13),-- security subsystems
                                     --    (firewalling, etc.)
                console         (14),-- /dev/console output

                local0          (16),
                local1          (17),
                local2          (18),
                local3          (19),
                local4          (20),
                local5          (21),
                local6          (22),
                local7          (23),
                noMap           (99)
            }

   SyslogSeverity  ::=  TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "This textual convention enumerates the severity levels
            of syslog messages.  The syslog protocol uses the values
            0 (emergency) to 7 (debug)."
       REFERENCE
           "The BSD syslog Protocol (RFC 3164) sec. 4.1.1 (Table 2)
           "
       SYNTAX  INTEGER {
                         emergency       (0),  -- system is unusable
                         alert           (1),  -- action must be taken
                                               -- immediately
                         critical        (2),  -- critical conditions
                         error           (3),  -- error conditions
                         warning         (4),  -- warning conditions
                         notice          (5),  -- normal but significant
                                               --              condition
                         info            (6),  -- informational
                         debug           (7),  -- debug-level messages
                         other           (99)  -- none of the above
                       }


   SyslogTransport  ::=  TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "The transport protocol that will be used to send and/or
            receive messages.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       SYNTAX INTEGER  {
                         any                   (1),
                         udp                   (2),
                         tcp                   (3)
                       }

   SyslogService  ::=  TEXTUAL-CONVENTION
       STATUS  current
       DESCRIPTION
           "The service name or port number that will be used to
            send and/or receive messages.
            The service name must resolve to a port number on the
            local host.
           "
       SYNTAX OCTET STRING (SIZE (0..255))

   -- -------------------------------------------------------------
   -- syslogMIB - the main groups
   -- -------------------------------------------------------------

   syslogNotifications       OBJECT IDENTIFIER
                         ::= { syslogMIB 0 }

   syslogSystem              OBJECT IDENTIFIER
                         ::= { syslogMIB 1 }

   syslogDevice              OBJECT IDENTIFIER
                         ::= { syslogMIB 2 }


   -- -------------------------------------------------------------
   -- syslogSystem
   -- -------------------------------------------------------------

   -- The default parameters

   syslogDefaultTransport OBJECT-TYPE
       SYNTAX      SyslogTransport
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default transport that a syslog process will use
            to send syslog messages.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       DEFVAL  {udp}
       ::= { syslogSystem 1 }

   syslogDefaultService OBJECT-TYPE
       SYNTAX      SyslogService
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default service name or port number that a syslog
            process will use to send syslog messages.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       DEFVAL  { "514" }
       ::= { syslogSystem 2 }

   syslogDefaultFacility OBJECT-TYPE
       SYNTAX      SyslogFacility
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default syslog facility that will be added to syslog
            messages when the message needs to be relayed and does not
            have facility specified.
           "
       ::= { syslogSystem 3 }

   syslogDefaultSeverity OBJECT-TYPE
       SYNTAX      SyslogSeverity
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default syslog severity that will be added to syslog
            messages when the message needs to be relayed and does not
            have priority specified.
           "
       ::= { syslogSystem 4 }

   syslogDefaultMaxMessageSize OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default maximum syslog message size in bytes.
           "
       DEFVAL { 1024 }
       ::= { syslogSystem 5 }

   -- -------------------------------------------------------------
   -- syslDevOps
   -- -------------------------------------------------------------
   syslDevOpsTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslDevOpsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing information about the syslog devices
            serviced by an SNMP agent.
           "
       ::= { syslogDevice 1 }

   syslDevOpsEntry OBJECT-TYPE
       SYNTAX      SyslDevOpsEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The information pertaining to a syslog device.
           "
       INDEX  { syslDevOpsIndex }
       ::= { syslDevOpsTable 1 }

   SyslDevOpsEntry ::=
       SEQUENCE {
           syslDevOpsIndex
                Unsigned32,
           syslDevOpsMsgsReceived
                Counter32,
           syslDevOpsMsgsRelayed
                Counter32,
           syslDevOpsMsgsDropped
                Counter32,
           syslDevOpsMsgsIllFormed
                Counter32,
           syslDevOpsMsgsIgnored
                Counter32,
           syslDevOpsLastMsgRecdTime
                TimeStamp,
           syslDevOpsLastMsgDeliveredTime
                TimeStamp,
           syslDevOpsStartTime
                TimeStamp,
           syslDevOpsLastError
                SnmpAdminString,
           syslDevOpsLastErrorTime
                TimeStamp,
           syslDevOpsReference
                Integer32
       }



   syslDevOpsIndex OBJECT-TYPE
       SYNTAX      Unsigned32 (1..2147483647)
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The Index that uniquely identifies the syslog device in the
            syslDevOpsTable.
           "
       ::= { syslDevOpsEntry 1 }

   syslDevOpsMsgsReceived OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages received by the syslog
            device. This includes messages that were ignored.
           "
       ::= { syslDevOpsEntry 2 }

   syslDevOpsMsgsRelayed OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages relayed by the syslog
            device to other syslog devices.
           "
       ::= { syslDevOpsEntry 3 }

   syslDevOpsMsgsDropped OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that could not be relayed
            (could not be queued for transmitting)."
       ::= { syslDevOpsEntry 4 }

   syslDevOpsMsgsIllFormed OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that were rejected by the
            syslog device because these were not well-formed.
           "
       ::= { syslDevOpsEntry 5 }

   syslDevOpsMsgsIgnored OBJECT-TYPE
       SYNTAX      Counter32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The number of messages that were not processed by the
            syslog device because the message did not meet
            the 'allowed specifications'.
           "
       ::= { syslDevOpsEntry 6 }

   syslDevOpsLastMsgRecdTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when the last message was received
            by the syslog device locally or from a remote
            syslog device.
           "
       ::= { syslDevOpsEntry 7 }

   syslDevOpsLastMsgDeliveredTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when the last message was delivered
            by the syslog process.
           "
       ::= { syslDevOpsEntry 8 }

   syslDevOpsStartTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when this device was started.
           "
       ::= { syslDevOpsEntry 9 }

   syslDevOpsLastError OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "A description of the last error that was encountered
            by this process.
           "
       ::= { syslDevOpsEntry 10 }

   syslDevOpsLastErrorTime OBJECT-TYPE
       SYNTAX      TimeStamp
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "The local time when the last error was encountered.
           "
       ::= { syslDevOpsEntry 11 }

   syslDevOpsReference OBJECT-TYPE
       SYNTAX      Integer32
       MAX-ACCESS  read-only
       STATUS      current
       DESCRIPTION
           "If the Host Resources MIB is serviced on the host then
            this entry will have the value of the hrSWRunIndex
            of the corresponding entry in the hrSWRunTable.
            Otherwise this object will be inaccessible.
           "
       ::= { syslDevOpsEntry 12 }



   -- -------------------------------------------------------------
   -- syslog device static info table
   -- -------------------------------------------------------------

   syslDevCtlTable OBJECT-TYPE
       SYNTAX      SEQUENCE OF SyslDevCtlEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "A table containing static information about
           the syslog devices.
           "
       ::= { syslogDevice 2 }

   syslDevCtlEntry OBJECT-TYPE
       SYNTAX      SyslDevCtlEntry
       MAX-ACCESS  not-accessible
       STATUS      current
       DESCRIPTION
           "The parameters pertaining to a syslog process."
       INDEX  { syslDevOpsIndex }
       ::= { syslDevCtlTable 1 }

   SyslDevCtlEntry ::=
       SEQUENCE {
           syslDevCtlProcDescr
                SnmpAdminString,
           syslDevCtlBindAddrType
                InetAddressType,
           syslDevCtlBindAddr
                InetAddress,
           syslDevCtlTransport
                SyslogTransport,
           syslDevCtlService
                SyslogService,
           syslDevCtlMaxMessageSize
                Unsigned32,
           syslDevCtlConfFileName
                SnmpAdminString,
           syslDevCtlStatus
                INTEGER,
           syslDevCtlStorageType
                StorageType,
           syslDevCtlRowStatus
                RowStatus
        }

   syslDevCtlProcDescr OBJECT-TYPE
       SYNTAX      SnmpAdminString
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "A user definable description of the syslog process.
           "
       ::= { syslDevCtlEntry 1 }

   syslDevCtlBindAddrType OBJECT-TYPE
       SYNTAX      InetAddressType
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The type of Internet address which follows
            in syslDevCtlBindAddr.
           "
       ::= { syslDevCtlEntry 2 }

   syslDevCtlBindAddr OBJECT-TYPE
       SYNTAX      InetAddress
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "The specific IP address or hostname the syslog process
            will bind to. If a hostname is specified, the IPv4 or
            IPv6 address corresponding to the hostname will be used.
           "
       ::= { syslDevCtlEntry 3 }

   syslDevCtlTransport OBJECT-TYPE
       SYNTAX      SyslogTransport
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default transport that a syslog process will use
            to send syslog messages.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       ::= { syslDevCtlEntry 4 }

   syslDevCtlService OBJECT-TYPE
       SYNTAX      SyslogService
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The default service name or port number that a syslog
            process will use to send syslog messages.
           "
       REFERENCE
           "The BSD syslog Protocol RFC 3164 Sec. 2.
           "
       ::= { syslDevCtlEntry 5 }


   syslDevCtlMaxMessageSize OBJECT-TYPE
       SYNTAX      Unsigned32
       MAX-ACCESS  read-write
       STATUS      current
       DESCRIPTION
           "The maximum size of the syslog messages in bytes
            for this syslog device.
           "
       ::= { syslDevCtlEntry 6 }


   syslDevCtlConfFileName OBJECT-TYPE
       SYNTAX       SnmpAdminString
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
         "The full path name of the configuration file where the
          syslog device's message selection and corresponding
          action rules will be read from.
          Data is loaded from this file into the
          syslogCtlSelectionTable and the syslogCtlLogActionTable.
          If the objects loaded from the file specified by this
          object have an access level of read-create, this file MUST
          be writable so that modifications to the corresponding
          objects, if any, will be effected in this file.
          If the system does not support the specification of a
          configuration file, this field will not be accessible.
         "
       DEFVAL { "/etc/syslog.conf" }
       ::= { syslDevCtlEntry 7 }

   syslDevCtlStatus OBJECT-TYPE
       SYNTAX       INTEGER  {
                         unknown  (1),
                         started  (2),
                         suspended(3),
                         stopped  (4)
                       }
       MAX-ACCESS   read-only
       STATUS       current
       DESCRIPTION
           "The status of the process.
           "
       DEFVAL      { unknown }
       ::= { syslDevCtlEntry 8 }

   syslDevCtlStorageType OBJECT-TYPE
       SYNTAX       StorageType
       MAX-ACCESS   read-create
       STATUS       current
       DESCRIPTION
           "This object defines whether the parameters defined in
            this row are kept in volatile storage and lost upon
            reboot or are backed up by non-volatile (permanent)
            storage.
            Conceptual rows having the value 'permanent' need not
            allow write-access to any columnar objects in the row.
           "
       ::= { syslDevCtlEntry 9 }

   syslDevCtlRowStatus OBJECT-TYPE
       SYNTAX      RowStatus
       MAX-ACCESS  read-create
       STATUS      current
       DESCRIPTION
           "This object is used to create, modify and delete rows in
            the syslDevCtlTable.
            Objects in a row can be modified only when the value of
            this object in the corresponding conceptual row is not
            ''active''. Thus to modify one or more of the objects in
            this conceptual row,
              a. change the row status to ''notInService'',
              b. change the values of the row
              c. change the row status to ''active''
            The syslDevCtlRowStatus may be changed to ''active'' iff
            all the MOs in the conceptual row have been assigned valid
            values.
           "
       ::= { syslDevCtlEntry 10 }

   syslDevStarted NOTIFICATION-TYPE
       OBJECTS   {
                    syslDevCtlProcDescr,
                    syslDevCtlBindAddrType,
                    syslDevCtlBindAddr,
                    syslDevCtlTransport,
                    syslDevCtlService,
                    syslDevCtlConfFileName
                 }
       STATUS    current
       DESCRIPTION
               "This notification is sent when a syslog device
                operation is started. [The syslDevCtlStatus
                entered the state ''started'']
                The MO instances in the notifications will be
                identified by the syslDevOpsIndex for the syslog
                device in the syslDevOpsTable.
               "
       ::= { syslogNotifications 1 }


   syslDevStopped NOTIFICATION-TYPE
       OBJECTS   {
                    syslDevCtlStatus,
                    syslDevCtlProcDescr,
                    syslDevCtlBindAddrType,
                    syslDevCtlBindAddr,
                    syslDevCtlTransport,
                    syslDevCtlService,
                    syslDevCtlConfFileName
                 }
       STATUS    current
       DESCRIPTION
               "This notification is sent when a syslog device
                operation is stopped or suspended. [The
                syslDevCtlStatus entered the state ''stopped''
                or ''suspended'' from the ''started'' state]
                The MO instances in the notifications will be
                identified by the syslDevOpsIndex for the syslog
                device in the syslDevOpsTable.
               "
       ::= { syslogNotifications 2 }

   -- -------------------------------------------------------------
   -- Conformance Information
   -- -------------------------------------------------------------

   syslogConformance OBJECT IDENTIFIER
                             ::= { syslogMIB 4 }

   syslogGroups OBJECT IDENTIFIER
                             ::= { syslogConformance 1 }

   syslogCompliances OBJECT IDENTIFIER
                             ::= { syslogConformance 2 }

   -- -------------------------------------------------------------
   -- units of conformance
   -- -------------------------------------------------------------

   syslogSystemGroup OBJECT-GROUP
       OBJECTS {
                syslogDefaultTransport,
                syslogDefaultService,
                syslogDefaultFacility,
                syslogDefaultSeverity,
                syslogDefaultMaxMessageSize

       }
       STATUS  current
       DESCRIPTION
           "A collection of objects providing default
            parameters for syslog devices.
           "
       ::= { syslogGroups 1}

   syslogDevOpsGroup OBJECT-GROUP
       OBJECTS {
               --  syslDevOpsIndex,
                   syslDevOpsMsgsReceived,
                   syslDevOpsMsgsRelayed,
                   syslDevOpsMsgsDropped,
                   syslDevOpsMsgsIllFormed,
                   syslDevOpsMsgsIgnored,
                   syslDevOpsLastMsgRecdTime,
                   syslDevOpsLastMsgDeliveredTime,
                   syslDevOpsStartTime,
                   syslDevOpsLastError,
                   syslDevOpsLastErrorTime,
                   syslDevOpsReference
               }
       STATUS  current
       DESCRIPTION
           "A collection of objects providing message related
            statistics."
       ::= { syslogGroups 2}

   syslogDevCtlGroup OBJECT-GROUP
       OBJECTS {
                   syslDevCtlProcDescr,
                   syslDevCtlBindAddrType,
                   syslDevCtlBindAddr,
                   syslDevCtlTransport,
                   syslDevCtlService,
                   syslDevCtlMaxMessageSize,
                   syslDevCtlConfFileName,
                   syslDevCtlStatus,
                   syslDevCtlStorageType,
                   syslDevCtlRowStatus
               }
       STATUS  current
       DESCRIPTION
           "A collection of objects representing the run time parameters
            for the syslog processes.
           "
       ::= { syslogGroups 3}

   syslogNotificationGroup NOTIFICATION-GROUP
       NOTIFICATIONS {
                   syslDevStarted,
                   syslDevStopped
               }
       STATUS  current
       DESCRIPTION
           "A collection of notifications about the operational
            state of a syslog device.
           "
       ::= { syslogGroups 4}


   -- -------------------------------------------------------------
   -- compliance statements
   -- -------------------------------------------------------------

   syslogCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
           "The compliance statement for SNMP entities
            which implement the SYSLOG-MIB.
           "
       MODULE -- this module
       MANDATORY-GROUPS {
           syslogSystemGroup,
           syslogDevOpsGroup,
           syslogDevCtlGroup
       }

       ::= { syslogCompliances 1 }

   syslogReadOnlyCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
           "The compliance statement for SNMP entities which
            implement the syslog MIB without support
            for read-write (i.e. in read-only mode).
           "
       MODULE -- this module
       MANDATORY-GROUPS {
           syslogSystemGroup,
           syslogDevOpsGroup,
           syslogDevCtlGroup
       }

       OBJECT  syslDevCtlProcDescr
       MIN-ACCESS  read-only
       DESCRIPTION
           "Write access is not required.
           "
       OBJECT  syslDevCtlBindAddrType
       MIN-ACCESS  read-only
       DESCRIPTION
           "Write access is not required.
           "
       OBJECT  syslDevCtlBindAddr
       MIN-ACCESS  read-only
       DESCRIPTION
           "Write access is not required.
           "
       OBJECT  syslDevCtlTransport
       MIN-ACCESS  read-only
       DESCRIPTION
           "Write access is not required.
           "
       OBJECT  syslDevCtlService
       MIN-ACCESS  read-only
       DESCRIPTION
           "Write access is not required.
           "
       OBJECT  syslDevCtlMaxMessageSize
       MIN-ACCESS  read-only
       DESCRIPTION
           "Write access is not required.
           "
       OBJECT  syslDevCtlConfFileName
       MIN-ACCESS   read-only
       DESCRIPTION
         "Write access is not required.
         "
       OBJECT  syslDevCtlStorageType
       MIN-ACCESS   read-only
       DESCRIPTION
           "Write access is not required.
           "
       OBJECT  syslDevCtlRowStatus
       MIN-ACCESS  read-only
       DESCRIPTION
           "Write access is not required.
           "
       ::= { syslogCompliances 2 }

   syslogNotificationCompliance MODULE-COMPLIANCE
       STATUS  current
       DESCRIPTION
           "The compliance statement for SNMP entities
            which implement the SYSLOG-MIB and support
            notifications about change in the operational
            status of a syslog device.
           "
       MODULE -- this module
       MANDATORY-GROUPS {
           syslogNotificationGroup
       }

       ::= { syslogCompliances 3 }



   END


5.  Security Considerations


   Syslog plays a very important role in the computer and network
   security of an organization. The Syslog MIB defines several managed
   objects that may be used to monitor, configure and control syslog
   processes. As such, improper manipulation of the objects represented
   by this MIB may lead to an attack on an important component of the
   computer and network security infrastructure. The objects in
   syslDevCtlTable may be misconfigured to cause syslog messages to be
   diverted or lost.

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

            o  syslDevCtlTable: The objects in this table describe
               the configuration of the syslog processes. It may be
               misconfigured to start up a very large number of
               syslog devices (processes) and deprive the system of
               its resources.
            o  syslDevCtlBindAddr: This object may be misconfigured
               to bind the syslog device to the wrong address. This
               will cause messages to be lost.
            o  syslDevCtlTransport: This object may be misconfigured
               to specify a wrong transport for the syslog device.
               This will cause messages to be lost.
            o  syslDevCtlService: This object may be misconfigured
               to bind the syslog device to the wrong service (port).
               This will cause messages to be lost.
            o  syslDevCtlMaxMessageSize: This object may be
               misconfigured to set the wrong MaxMessageSize for the
               syslog device. It may cause syslog messages to be lost.
            o  syslDevCtlConfFileName: This object may be
               misconfigured to start the syslog device with the
               wrong (rogue) configuration.
            o  syslDevCtlStorageType: This object may be misconfigured
               to set the wrong storage type. That may cause
               confusion, operational errors and/or loss of information.
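
   As an added illustration (not part of the draft and not code from
   any syslog implementation), the Python below compares two polls of
   syslDevCtlTable and reports changes to the objects listed above,
   plus a device leaving the ''started'' state. The snapshot layout,
   the simplified column values and the MAX_NEW_ROWS threshold are
   assumptions of the example.

```python
# Column -> consequence the draft attributes to a wrong value.
SENSITIVE = {
    "syslDevCtlBindAddr": "bound to the wrong address, messages lost",
    "syslDevCtlTransport": "wrong transport, messages lost",
    "syslDevCtlService": "wrong service (port), messages lost",
    "syslDevCtlMaxMessageSize": "wrong MaxMessageSize, messages may be lost",
    "syslDevCtlConfFileName": "started with a wrong (rogue) configuration",
    "syslDevCtlStorageType": "confusion, operational errors, lost information",
}
DOWN_STATES = ("stopped", "suspended")  # states that trigger syslDevStopped
MAX_NEW_ROWS = 2  # assumed site policy, not a value from the draft


def audit(baseline, current, max_new_rows=MAX_NEW_ROWS):
    """Return (row index, object, detail) findings. Both arguments map a
    row index to {column name: value}; that layout is assumed here.
    """
    findings = []
    for idx in sorted(baseline.keys() & current.keys()):
        old, new = baseline[idx], current[idx]
        for col, impact in SENSITIVE.items():
            if old.get(col) != new.get(col):
                change = f"{old.get(col)!r} -> {new.get(col)!r}"
                findings.append((idx, col, f"{change}: {impact}"))
        # Catches the transition even if the notification was never received.
        status = new.get("syslDevCtlStatus")
        if old.get("syslDevCtlStatus") == "started" and status in DOWN_STATES:
            findings.append((idx, "syslDevCtlStatus", f"started -> {status}"))
    for idx in sorted(baseline.keys() - current.keys()):
        findings.append((idx, "syslDevCtlRowStatus", "row deleted"))
    added = sorted(current.keys() - baseline.keys())
    for idx in added:
        findings.append((idx, "syslDevCtlRowStatus", "row created"))
    if len(added) > max_new_rows:
        # Many new devices at once matches the resource-exhaustion concern.
        findings.append((None, "syslDevCtlTable", f"{len(added)} new rows"))
    return findings


def make_row(**overrides):
    """One constructed table row; values are simplified for the example."""
    return {
        "syslDevCtlBindAddr": "192.0.2.10",
        "syslDevCtlTransport": "udp",
        "syslDevCtlService": 514,
        "syslDevCtlMaxMessageSize": 1024,
        "syslDevCtlConfFileName": "/etc/syslog.conf",
        "syslDevCtlStorageType": "nonVolatile",
        "syslDevCtlStatus": "started",
        **overrides,
    }


# Constructed sample polls (not real device data).
BASELINE = {1: make_row(), 2: make_row(syslDevCtlBindAddr="192.0.2.11")}
CURRENT = {
    1: make_row(syslDevCtlService=5514, syslDevCtlConfFileName="/tmp/s.conf"),
    2: make_row(syslDevCtlBindAddr="192.0.2.11", syslDevCtlStatus="suspended"),
    3: make_row(), 4: make_row(), 5: make_row(),
}

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(*finding)
```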


   Some of the readable objects in this MIB module (i.e., objects with a
   MAX-ACCESS other than not-accessible) may be considered sensitive or
   vulnerable in some network environments.  It is thus important to
   control even GET and/or NOTIFY access to these objects and possibly
   to even encrypt the values of these objects when sending them over
   the network via SNMP.  These are the tables and objects and their
   sensitivity/vulnerability:

           o  syslDevStatsTable: objects in this table carry
              sensitive information. The counters may reveal
              information about the deployment and effectiveness of
              the relevant security systems. The counters may be
              analyzed to tell whether the security systems are able
              to detect an event or not.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPSec),
   even then, there is no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the objects
   in this MIB module.

   It is RECOMMENDED that implementers consider the security features as
   provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access to
   the objects only to those principals (users) that have legitimate
   rights to indeed GET or SET (change/create/delete) them.

6.  IANA Considerations

   The MIB modules in this document use the following IANA-assigned
   OBJECT IDENTIFIER values recorded in the SMI Numbers registry:

   Descriptor        OBJECT IDENTIFIER value
   ----------        -----------------------

   syslogMIB         { mib-2 YYYY }

   IANA Reg.: Please assign a base arc in the 'mib-2' OID subtree for
              the 'syslogMIB' MODULE-IDENTITY  and record the
              assignment in the SMI Numbers registry.

   RFC Ed.: When the above assignments have been made, please
              - remove the above note
              - replace "YYYY" here with the assigned values and
              - remove this note.



7.  References

7.1 Normative References

[RFC2119]   Bradner, S., "Key words for use in RFCs to Indicate
            Requirement Levels", BCP 14, RFC 2119, March 1997.

[RFC2578]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
            Rose, M., and S. Waldbusser, "Structure of Management
            Information Version 2 (SMIv2)", STD 58, RFC 2578,
            April 1999.

[RFC2579]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
            Rose, M., and S. Waldbusser, "Textual Conventions for
            SMIv2", STD 58, RFC 2579, April 1999.

[RFC2580]   McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
            Rose, M., and S. Waldbusser, "Conformance Statements for
            SMIv2", STD 58, RFC 2580, April 1999.

[RFC2819]   Waldbusser, S., "Remote Network Monitoring
            Management Information Base", STD 59, RFC 2819,
            May 2000.

[RFC3411]   Harrington, D., Presuhn, R., and B. Wijnen, "An Architecture
            for Describing Simple Network Management Protocol (SNMP)
            Management Frameworks", STD 62, RFC 3411, December 2002.

[RFC3231]   Levi, D. and J. Schoenwaelder, "Definitions of Managed
            Objects for Scheduling Management Operations", RFC 3231,
            January 2002.

[RFC1951]   Deutsch, P., "DEFLATE Compressed Data Format Specification
            version 1.3", RFC 1951, May 1996.

[RFC3164]   Lonvick, C., "The BSD Syslog Protocol", RFC 3164,
            August 2001.

7.2  Informative References

[RFC3410]   Case, J., Mundy, R., Partain, D., and B. Stewart,
            "Introduction and Applicability Statements for the
            Internet-Standard Management Framework", RFC 3410,
            December 2002.

8.  Acknowledgments

   The initial draft of this document was authored by Bruno Pape.
   The authors would like to thank David Harrington, Mark Ellison,
   Mike MacFaden, Dave T Perkins and members of the WIDE-netman
   group for their comments and suggestions.

9.  Author's Addresses

   Glenn Mansfield Keeni
   Cyber Solutions Inc.
   6-6-3 Minami Yoshinari
   Aoba-ku, Sendai 989-3204
   Japan

   Phone: +81-22-303-4012
   EMail: glenn@cysols.com

10.  Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.


   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
   INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
   IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology
   described in this document or the extent to which any license
   under such rights might or might not be available; nor does it
   represent that it has made any independent effort to identify any
   such rights.  Information on the procedures with respect to
   rights in RFC documents can be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use
   of such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository
   at http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention
   any copyrights, patents or patent applications, or other
   proprietary rights that may cover technology that may be required
   to implement this standard.  Please address the information to the
   IETF at ietf-ipr@ietf.org.

Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.

                                APPENDIX


This section documents the development of the draft. It will be
deleted when the draft becomes an RFC.

Revision History:

    REVISION "200707250000Z"  -- 25th July 2006
    DESCRIPTION
        "the internet draft's version number has
         been changed (7->8).
        "

    REVISION "200511250000Z"  -- 25th November 2005
    DESCRIPTION
        "A near complete overhaul of the MIB and the document.
         The BSD-syslog flavor has been abandoned in favor of a
         more generic syslog-protocol document that is under
         preparation.
         TBD. The reference clauses need to be redone once the
              new syslog document is ready.

         List of authors changed. Original draft author Bruno
         Pape is acknowledged in the Acknowledgments section.

         Editorial nits fixed.
        "

    REVISION "200406160000Z"  -- Mon Feb       16 00:00 GMT 2004
    DESCRIPTION
        "Major change.
             The configuration parts have been removed.

         Updated the description clauses.

         Editorial nits fixed.
        "

    REVISION "200306250000Z"  -- Wed June      25 00:00 GMT 2003
    DESCRIPTION
        "Changed the type of
             syslogProcLastError            SnmpAdminString,
             from Integer32.

         DEFVAL { 0 } is added to syslogAllowedHostsMaskLen

         MO name changed from
         syslogCtlSelectionHostname to syslogCtlSelectionHostName

         Updated the description clauses.

         Fixed nits pointed out in Bert's mails of 20030319 and
         revised the document wrt the guidelines in
         draft-ietf-ops-mib-review-guidelines-01.txt

         Editorial nits fixed.
        "

    REVISION "200303030000Z"  -- Mon March     03 00:00 GMT 2003
    DESCRIPTION
        "Fixing of nits in descriptions, addition of references,
         addition of the following MOs
             syslogProcMsgsIllFormed        Counter32,
             syslogProcStartTime            TimeStamp,
             syslogProcLastError            Integer32,
             syslogProcLastErrorTime        TimeStamp,
             syslDevCtlStorageType        StorageType,
             syslogCtlFwdActionSrcAddrType  InetAddressType,
             syslogCtlFwdActionSrcAddr      InetAddress,
         added enumeration ''suspended(2)'' to
             syslDevCtlStatus.
        "

    REVISION "200212252343Z"  -- Wed December  25 23:43 GMT 2002
    DESCRIPTION
        "Radical revision of the MIB structure and design."

    REVISION "200206061841Z"  -- Thu Jun  6 18:41 GMT 2002
    DESCRIPTION
        "The initial version of this MIB module."