Syslog Working Group Glenn Mansfield Keeni
INTERNET-DRAFT Cyber Solutions Inc.
Expires: March 2, 2007 September 3, 2006
Syslog Management Information Base
<draft-ietf-syslog-device-mib-09.txt>
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This document is a product of the syslog Working Group. Comments
should be addressed to the authors or the mailing list at
syslog@ietf.org
This Internet-Draft will expire on March 2, 2007.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This memo defines a portion of the Management Information Base (MIB),
the Syslog MIB, for use with network management protocols
in the Internet community. In particular, the Syslog MIB will be
used to monitor and control syslog entities.
Expires: March 2, 2007 [Page 1]
Internet Draft September 3, 2006
Table of Contents
1. The Internet-Standard Management Framework
2. Background
3. The MIB Design
4. The Syslog MIB
5. Security Considerations
6. IANA Considerations
7. References
8. Acknowledgments
9. Author's Addresses
10. Full Copyright Statement
Appendix
1. The Internet-Standard Management Framework
For a detailed overview of the documents that describe the current
Internet-Standard Management Framework, please refer to section 7 of
RFC 3410 [RFC3410].
Managed objects are accessed via a virtual information store, termed
the Management Information Base or MIB. MIB objects are generally
accessed through the Simple Network Management Protocol (SNMP).
Objects in the MIB are defined using the mechanisms defined in the
Structure of Management Information (SMI). This memo specifies a MIB
module that is compliant to the SMIv2, which is described in STD 58,
RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58, RFC 2580
[RFC2580].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in BCP 14, RFC 2119
[RFC2119].
2. Background
Operating systems, processes and applications, collectively termed
"facilities" in the following, generate messages indicating their own
status or the occurrence of events. These messages are handled by what
has come to be known as the syslog application [RFCPROT] or device
[RFC3164]. In this document we refer to a syslog application or
device as a syslog entity. The reader is referred to [RFCPROT] for a
description of the various roles a syslog entity may be in. [RFCUDPX]
describes the UDP transport for the syslog protocol.
This document defines a set of managed objects (MOs) that can be used
to monitor a group of syslog entities.
The syslogMIB can be used in conjunction with other MIBs, in
particular the Host Resources MIB [RFC2790]. Generic process-related
matters, e.g. control and monitoring of status, resource usage etc.,
can be serviced by the corresponding entries in the Host
Resources MIB.
                    +------+
                    | SA-L1|
                   /+------+
  Facility-1-->|  /
            -->| /  +------+  /
  Facility-N-->|+---| SA-L2|------> SA-R1
            -->| \  +------+  \
SyslogHost-N-->|  \
                   \+------+  /
                    | SA-L3|------> SA-RN
                    +------+  \
                               \
Facility-i:   Facility originating the message (locally)
SA-Li, SA-Rj: Syslog entity
              The syslog entities may be on the same host
              or on different hosts.
Fig.1 Syslog Application Model
The group of syslog entities modeled by the MIB is shown in Fig.1.
One or more syslog entities which may be on the same host receive
syslog messages from local facilities and from other syslog entities
which may be on other hosts. The syslog entity receives the message
and processes it. The processing will depend on internal
configuration and may involve relaying the message to a syslog entity
which may be on another host.
3. The MIB Design
The purpose of the SyslogMIB is to allow the monitoring of a group of
syslog entities. This requires managed objects representing
o The default configuration parameters for the group of
  syslog entities:
  - maximum message size,
  - type of transport, port numbers on which
    the process will listen for messages, etc.
o The configuration and status related details of each
  syslog entity.
o Statistics on syslog messages received, processed
  locally, relayed by each syslog entity.
The MIB comprises four groups:
o The syslogSystem group services the default configuration
  parameters.
o The syslog entity group consisting of the
  - syslEntCtlTable which deals with the configuration and
    control related information for a syslog entity.
  - syslEntOpsTable which deals with statistical information
    about messages processed by a syslog entity.
o The syslogNotifications group defines the set of
  notifications that will be used to asynchronously monitor
  the status of a syslog entity.
o The conformance group defines the compliance statements.
The SyslogMIB module uses textual conventions defined in
INET-ADDRESS-MIB [RFC4001], TRANSPORT-ADDRESS-MIB [RFC4001] and
SNMP-FRAMEWORK-MIB [RFC3411].
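An added example, not part of the draft: a Python routine that turns two successive polls of one syslEntOpsTable row into per-interval deltas and findings. It handles Counter32 wrap-around and treats a changed syslEntOpsStartTime as a restart; the sample polls, the finding names and the 1% relay-loss threshold are assumptions made for illustration.

```python
COUNTER32_MOD = 2 ** 32  # Counter32 wraps to 0 after 2^32 - 1

# Counter32 columns of syslEntOpsTable, as named in the MIB module.
COUNTERS = (
    "syslEntOpsMsgsReceived",
    "syslEntOpsMsgsRelayed",
    "syslEntOpsMsgsDropped",
    "syslEntOpsMsgsIllFormed",
    "syslEntOpsMsgsIgnored",
)


def counter32_delta(prev, curr):
    """Increase between two Counter32 samples, allowing for one wrap."""
    return (curr - prev) % COUNTER32_MOD


def assess_row(prev, curr, max_relay_loss=0.01):
    """Compare two polls of the same syslEntOpsTable row.

    prev and curr are dicts keyed by column name. Returns the per-counter
    deltas and a list of findings (finding names are this example's own).
    """
    if curr["syslEntOpsStartTime"] != prev["syslEntOpsStartTime"]:
        # Assumption: a new start time means the entity was restarted, so the
        # counters are discontinuous and a delta across the restart is invalid.
        return {"deltas": None, "findings": ["restarted"]}

    deltas = {name: counter32_delta(prev[name], curr[name]) for name in COUNTERS}
    findings = []

    if deltas["syslEntOpsMsgsReceived"] == 0:
        findings.append("silent")  # nothing received during the interval

    attempted = deltas["syslEntOpsMsgsRelayed"] + deltas["syslEntOpsMsgsDropped"]
    if attempted and deltas["syslEntOpsMsgsDropped"] / attempted > max_relay_loss:
        findings.append("relay-loss")  # too many messages could not be relayed

    if deltas["syslEntOpsMsgsIllFormed"]:
        findings.append("ill-formed")  # senders emitted messages that were rejected

    return {"deltas": deltas, "findings": findings}


# Constructed sample polls (not captured from a real agent).
POLL_1 = {
    "syslEntOpsStartTime": 1200,
    "syslEntOpsMsgsReceived": 4294967290,  # six short of wrapping
    "syslEntOpsMsgsRelayed": 5000,
    "syslEntOpsMsgsDropped": 10,
    "syslEntOpsMsgsIllFormed": 3,
    "syslEntOpsMsgsIgnored": 7,
}
POLL_2 = {
    "syslEntOpsStartTime": 1200,
    "syslEntOpsMsgsReceived": 14,  # wrapped past 2^32 - 1
    "syslEntOpsMsgsRelayed": 5015,
    "syslEntOpsMsgsDropped": 15,
    "syslEntOpsMsgsIllFormed": 3,
    "syslEntOpsMsgsIgnored": 8,
}
POLL_3 = dict(POLL_2, syslEntOpsStartTime=987654)  # entity restarted

if __name__ == "__main__":
    print(assess_row(POLL_1, POLL_2))
    print(assess_row(POLL_2, POLL_3))
```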
4. The Syslog MIB
SYSLOG-MIB DEFINITIONS ::= BEGIN
IMPORTS
MODULE-IDENTITY, OBJECT-TYPE,
Unsigned32, Counter32, Integer32, mib-2,
NOTIFICATION-TYPE
FROM SNMPv2-SMI
RowStatus, StorageType,
TEXTUAL-CONVENTION, TimeStamp
FROM SNMPv2-TC
InetAddressType, InetAddress
FROM INET-ADDRESS-MIB
TransportAddressType
FROM TRANSPORT-ADDRESS-MIB
MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
FROM SNMPv2-CONF
SnmpAdminString
FROM SNMP-FRAMEWORK-MIB;
syslogMIB MODULE-IDENTITY
LAST-UPDATED "200511250000Z" -- 25th November, 2005
ORGANIZATION "IETF Syslog Working Group"
CONTACT-INFO
" Glenn Mansfield Keeni
Postal: Cyber Solutions Inc.
6-6-3, Minami Yoshinari
Aoba-ku, Sendai, Japan 989-3204.
Tel: +81-22-303-4012
Fax: +81-22-303-4015
E-mail: glenn@cysols.com
Support Group E-mail: syslog@ietf.org
"
DESCRIPTION
"The MIB module for monitoring syslog entities.
Copyright (C) The Internet Society (2006). The initial
version of this MIB module was published in RFC XXXX;
for full legal notices see the RFC itself. Supplementary
information may be available at:
http://www.ietf.org/copyrights/ianamib.html.
"
-- RFC Ed.: replace XXXX with the actual RFC number & remove this
-- note
REVISION "200609R04000Z" -- 9th September, 2006
DESCRIPTION
"The initial version, published as RFC XXXX."
-- RFC Ed.: replace XXXX with the actual RFC number & remove this
-- note
::= { mib-2 YYYY } -- Will be assigned by IANA
-- IANA Reg.: Please assign a value for "YYYY" under the
-- 'mib-2' subtree and record the assignment in the SMI
-- Numbers registry.
-- RFC Ed.: When the above assignment has been made, please
-- remove the above note
-- replace "YYYY" here with the assigned value and
-- remove this note.
-- -------------------------------------------------------------
-- Textual Conventions
-- -------------------------------------------------------------
SyslogFacility ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"This textual convention enumerates the facilities
that originate syslog messages.
The value noMap(99) indicates that the appropriate
facility will be provided by the application on the
managed entity.
If this option is not available on a particular entity,
attempts to set the facility to this value will fail
with an error-status of wrongValue.
"
REFERENCE
"The Syslog Protocol RFCPROT sec. 6.2.1 (Table 1).
"
SYNTAX INTEGER
{
kernel (0), -- kernel messages
user (1), -- user-level messages
mail (2), -- mail system messages
daemon (3), -- system daemons' messages
auth (4), -- security/authorization messages
syslog (5), -- messages generated internally by
-- syslogd
lpr (6), -- line printer subsystem messages
news (7), -- network news subsystem messages
uucp (8), -- UUCP subsystem messages
cron (9), -- clock daemon messages
authpriv (10),-- security/authorization messages
ftp (11),-- ftp daemon messages
ntp (12),-- NTP subsystem messages
logAudit (13),-- log audit messages
logAlert (14),-- log alert messages
cron2 (15),-- clock daemon messages
local0 (16),
local1 (17),
local2 (18),
local3 (19),
local4 (20),
local5 (21),
local6 (22),
local7 (23),
noMap (99)
}
SyslogSeverity ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"This textual convention enumerates the severity levels
of syslog messages. The syslog protocol uses the values
0 (emergency), to 7 (debug)."
REFERENCE
"The Syslog Protocol RFCPROT sec. 6.2.1 (Table 2)
"
SYNTAX INTEGER
{
emergency (0), -- system is unusable
alert (1), -- action must be taken immediately
critical (2), -- critical condition
error (3), -- error condition
warning (4), -- warning condition
notice (5), -- normal but significant condition
info (6), -- informational message
debug (7), -- debug-level messages
other (99) -- none of the above
}
SyslogService ::= TEXTUAL-CONVENTION
STATUS current
DESCRIPTION
"The service name or port number that will be used to
send and/or receive messages.
The service name must resolve to a port number on the
local host.
"
SYNTAX OCTET STRING (SIZE (0..255))
-- -------------------------------------------------------------
-- syslogMIB - the main groups
-- -------------------------------------------------------------
syslogNotifications OBJECT IDENTIFIER
::= { syslogMIB 0 }
syslogSystem OBJECT IDENTIFIER
::= { syslogMIB 1 }
syslogDevice OBJECT IDENTIFIER
::= { syslogMIB 2 }
syslogConformance OBJECT IDENTIFIER
::= { syslogMIB 3 }
-- -------------------------------------------------------------
-- syslogSystem
-- -------------------------------------------------------------
-- The default parameters
syslogDefaultTransport OBJECT-TYPE
SYNTAX TransportAddressType
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The default transport that a syslog process will use
to send syslog messages.
"
REFERENCE
"The Syslog Protocol RFCPROT Sec. 5.
"
DEFVAL {udpIpv4}
::= { syslogSystem 1 }
syslogDefaultService OBJECT-TYPE
SYNTAX SyslogService
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The default service name or port number that a syslog
process will use to send syslog messages.
"
REFERENCE
"Transmission of syslog messages over UDP
RFCUDPX Sec. 3.3.
"
DEFVAL { "514" }
::= { syslogSystem 2 }
syslogDefaultFacility OBJECT-TYPE
SYNTAX SyslogFacility
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The default syslog facility that will be added to syslog
messages when the message needs to be relayed and does not
have facility specified.
"
::= { syslogSystem 3 }
syslogDefaultSeverity OBJECT-TYPE
SYNTAX SyslogSeverity
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The default syslog severity that will be added to syslog
messages when the message needs to be relayed and does not
have priority specified.
"
::= { syslogSystem 4 }
syslogDefaultMaxMessageSize OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The default maximum syslog message size in bytes.
"
REFERENCE
"The Syslog Protocol RFCPROT Sec. 6.1.
"
DEFVAL { 480 }
::= { syslogSystem 5 }
-- -------------------------------------------------------------
-- syslEntOps
-- -------------------------------------------------------------
syslEntOpsTable OBJECT-TYPE
SYNTAX SEQUENCE OF SyslDevOpsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table containing information about the syslog entities
serviced by an SNMP agent.
"
::= { syslogDevice 1 }
syslEntOpsEntry OBJECT-TYPE
SYNTAX SyslDevOpsEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The information pertaining to a syslog entity.
"
INDEX { syslEntOpsIndex }
::= { syslEntOpsTable 1 }
SyslDevOpsEntry ::=
SEQUENCE {
syslEntOpsIndex
Unsigned32,
syslEntOpsMsgsReceived
Counter32,
syslEntOpsMsgsRelayed
Counter32,
syslEntOpsMsgsDropped
Counter32,
syslEntOpsMsgsIllFormed
Counter32,
syslEntOpsMsgsIgnored
Counter32,
syslEntOpsLastMsgRecdTime
TimeStamp,
syslEntOpsLastMsgDeliveredTime
TimeStamp,
syslEntOpsStartTime
TimeStamp,
syslEntOpsLastError
SnmpAdminString,
syslEntOpsLastErrorTime
TimeStamp,
syslEntOpsReference
Integer32
}
syslEntOpsIndex OBJECT-TYPE
SYNTAX Unsigned32 (1..2147483647)
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The Index that uniquely identifies the syslog entity in the
syslEntOpsTable.
"
::= { syslEntOpsEntry 1 }
syslEntOpsMsgsReceived OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of messages received by the syslog
entity. This includes messages that were ignored.
"
::= { syslEntOpsEntry 2 }
syslEntOpsMsgsRelayed OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of messages relayed by the syslog
entity to other syslog entities.
"
::= { syslEntOpsEntry 3 }
syslEntOpsMsgsDropped OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of messages that could not be relayed
(could not be queued for transmitting)."
::= { syslEntOpsEntry 4 }
syslEntOpsMsgsIllFormed OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of messages that were rejected by the
syslog entity because these were not well-formed.
"
::= { syslEntOpsEntry 5 }
syslEntOpsMsgsIgnored OBJECT-TYPE
SYNTAX Counter32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The number of messages that were not processed by the
syslog entity because the messages did not meet
the 'allowed specifications'.
"
::= { syslEntOpsEntry 6 }
syslEntOpsLastMsgRecdTime OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local time when the last message was received
by the syslog entity locally or from a remote
syslog entity.
"
::= { syslEntOpsEntry 7 }
syslEntOpsLastMsgDeliveredTime OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local time when the last message was delivered
by the syslog process.
"
::= { syslEntOpsEntry 8 }
syslEntOpsStartTime OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local time when this entity was started.
"
::= { syslEntOpsEntry 9 }
syslEntOpsLastError OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"A description of the last error that was encountered
by this process.
"
::= { syslEntOpsEntry 10 }
syslEntOpsLastErrorTime OBJECT-TYPE
SYNTAX TimeStamp
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The local time when the last error was encountered.
"
::= { syslEntOpsEntry 11 }
syslEntOpsReference OBJECT-TYPE
SYNTAX Integer32
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"If the Host Resources MIB is serviced on the host then
this entry will have the value of the hrSWRunIndex
of the corresponding entry in the hrSWRunTable.
Otherwise this object will be inaccessible.
"
::= { syslEntOpsEntry 12 }
-- -------------------------------------------------------------
-- syslog entity static info table
-- -------------------------------------------------------------
syslEntCtlTable OBJECT-TYPE
SYNTAX SEQUENCE OF SyslDevCtlEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"A table containing static information about
the syslog entity.
"
::= { syslogDevice 2 }
syslEntCtlEntry OBJECT-TYPE
SYNTAX SyslDevCtlEntry
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The parameters pertaining to a syslog process."
INDEX { syslEntOpsIndex }
::= { syslEntCtlTable 1 }
SyslDevCtlEntry ::=
SEQUENCE {
syslEntCtlProcDescr
SnmpAdminString,
syslEntCtlBindAddrType
InetAddressType,
syslEntCtlBindAddr
InetAddress,
syslEntCtlTransport
TransportAddressType,
syslEntCtlService
SyslogService,
syslEntCtlMaxMessageSize
Unsigned32,
syslEntCtlConfFileName
SnmpAdminString,
syslEntCtlStatus
INTEGER,
syslEntCtlStorageType
StorageType,
syslEntCtlRowStatus
RowStatus
}
syslEntCtlProcDescr OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"A user definable description of the syslog process.
"
::= { syslEntCtlEntry 1 }
syslEntCtlBindAddrType OBJECT-TYPE
SYNTAX InetAddressType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The type of Internet address which follows
in syslEntCtlBindAddr.
"
::= { syslEntCtlEntry 2 }
syslEntCtlBindAddr OBJECT-TYPE
SYNTAX InetAddress
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The specific IP address or hostname the syslog process
will bind to. If a hostname is specified, the IPv4 or
IPv6 address corresponding to the hostname will be used.
"
::= { syslEntCtlEntry 3 }
syslEntCtlTransport OBJECT-TYPE
SYNTAX TransportAddressType
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The default transport that a syslog entity will use
to send syslog messages.
"
::= { syslEntCtlEntry 4 }
syslEntCtlService OBJECT-TYPE
SYNTAX SyslogService
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The default service name or port number that a syslog
process will use to send syslog messages.
"
::= { syslEntCtlEntry 5 }
syslEntCtlMaxMessageSize OBJECT-TYPE
SYNTAX Unsigned32
MAX-ACCESS read-write
STATUS current
DESCRIPTION
"The maximum size of the syslog messages in bytes
for this syslog entity.
"
::= { syslEntCtlEntry 6 }
syslEntCtlConfFileName OBJECT-TYPE
SYNTAX SnmpAdminString
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"The full path name of the configuration file from which the
syslog entity's message selection and corresponding
action rules will be read.
Data is loaded from this file into the
syslogCtlSelectionTable and the syslogCtlLogActionTable.
If the objects loaded from the file specified by this
object have an access level of read-create, this file MUST
be writable so that modifications to the corresponding
objects, if any, will be effected in this file.
If the system does not support the specification of a
configuration file, this field will not be accessible.
"
DEFVAL { "/etc/syslog.conf" }
::= { syslEntCtlEntry 7 }
syslEntCtlStatus OBJECT-TYPE
SYNTAX INTEGER {
unknown (1),
started (2),
suspended(3),
stopped (4)
}
MAX-ACCESS read-only
STATUS current
DESCRIPTION
"The status of the process.
"
DEFVAL { unknown }
::= { syslEntCtlEntry 8 }
syslEntCtlStorageType OBJECT-TYPE
SYNTAX StorageType
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object defines whether the parameters defined in
this row are kept in volatile storage and lost upon
reboot or are backed up by non-volatile (permanent)
storage.
Conceptual rows having the value 'permanent' need not
allow write-access to any columnar objects in the row.
"
::= { syslEntCtlEntry 9 }
syslEntCtlRowStatus OBJECT-TYPE
SYNTAX RowStatus
MAX-ACCESS read-create
STATUS current
DESCRIPTION
"This object is used to create, modify and delete rows in
the syslEntCtlTable.
Objects in a row can be modified only when the value of
this object in the corresponding conceptual row is not
''active''. Thus to modify one or more of the objects in
this conceptual row,
a. change the row status to ''notInService'',
b. change the values of the row
c. change the row status to ''active''
The syslEntCtlRowStatus may be changed to ''active'' iff
all the managed objects in the conceptual row have been
assigned valid values.
"
::= { syslEntCtlEntry 10 }
syslEntStarted NOTIFICATION-TYPE
OBJECTS {
syslEntCtlProcDescr,
syslEntCtlBindAddrType,
syslEntCtlBindAddr,
syslEntCtlTransport,
syslEntCtlService,
syslEntCtlConfFileName
}
STATUS current
DESCRIPTION
"This notification is sent when a syslog entity
operation is started. [The syslEntCtlStatus
entered the state ''started'']
The MO instances in the notifications will be
identified by the syslEntOpsIndex for the syslog
entity in the syslEntOpsTable.
"
::= { syslogNotifications 1 }
syslEntStopped NOTIFICATION-TYPE
OBJECTS {
syslEntCtlStatus,
syslEntCtlProcDescr,
syslEntCtlBindAddrType,
syslEntCtlBindAddr,
syslEntCtlTransport,
syslEntCtlService,
syslEntCtlConfFileName
}
STATUS current
DESCRIPTION
"This notification is sent when a syslog entity
operation is stopped or suspended. [The
syslEntCtlStatus entered the state ''stopped''
or ''suspended'' from the ''started'' state]
The MO instances in the notifications will be
identified by the syslEntOpsIndex for the syslog
entity in the syslEntOpsTable.
"
::= { syslogNotifications 2 }
-- -------------------------------------------------------------
-- Conformance Information
-- -------------------------------------------------------------
syslogGroups OBJECT IDENTIFIER
::= { syslogConformance 1 }
syslogCompliances OBJECT IDENTIFIER
::= { syslogConformance 2 }
-- -------------------------------------------------------------
-- units of conformance
-- -------------------------------------------------------------
syslogSystemGroup OBJECT-GROUP
OBJECTS {
syslogDefaultTransport,
syslogDefaultService,
syslogDefaultFacility,
syslogDefaultSeverity,
syslogDefaultMaxMessageSize
}
STATUS current
DESCRIPTION
"A collection of objects providing default
parameters for syslog entities
"
::= { syslogGroups 1}
syslogDevOpsGroup OBJECT-GROUP
OBJECTS {
-- syslEntOpsIndex,
syslEntOpsMsgsReceived,
syslEntOpsMsgsRelayed,
syslEntOpsMsgsDropped,
syslEntOpsMsgsIllFormed,
syslEntOpsMsgsIgnored,
syslEntOpsLastMsgRecdTime,
syslEntOpsLastMsgDeliveredTime,
syslEntOpsStartTime,
syslEntOpsLastError,
syslEntOpsLastErrorTime,
syslEntOpsReference
}
STATUS current
DESCRIPTION
"A collection of objects providing message related
statistics."
::= { syslogGroups 2}
syslogDevCtlGroup OBJECT-GROUP
OBJECTS {
syslEntCtlProcDescr,
syslEntCtlBindAddrType,
syslEntCtlBindAddr,
syslEntCtlTransport,
syslEntCtlService,
syslEntCtlMaxMessageSize,
syslEntCtlConfFileName,
syslEntCtlStatus,
syslEntCtlStorageType,
syslEntCtlRowStatus
}
STATUS current
DESCRIPTION
"A collection of objects representing the run time parameters
for the syslog processes.
"
::= { syslogGroups 3}
syslogNotificationGroup NOTIFICATION-GROUP
NOTIFICATIONS {
syslEntStarted,
syslEntStopped
}
STATUS current
DESCRIPTION
"A collection of notifications about the operational
state of a syslog entity.
"
::= { syslogGroups 4}
-- -------------------------------------------------------------
-- compliance statements
-- -------------------------------------------------------------
syslogCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities
which implement the SYSLOG-MIB.
"
MODULE -- this module
MANDATORY-GROUPS {
syslogSystemGroup,
syslogDevOpsGroup,
syslogDevCtlGroup
}
::= { syslogCompliances 1 }
syslogReadOnlyCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities which
implement the syslog MIB without support
for read-write (i.e. in read-only mode).
"
MODULE -- this module
MANDATORY-GROUPS {
syslogSystemGroup,
syslogDevOpsGroup,
syslogDevCtlGroup
}
OBJECT syslEntCtlProcDescr
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required.
"
OBJECT syslEntCtlBindAddrType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required.
"
OBJECT syslEntCtlBindAddr
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required.
"
OBJECT syslEntCtlTransport
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required.
"
OBJECT syslEntCtlService
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required.
"
OBJECT syslEntCtlMaxMessageSize
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required.
"
OBJECT syslEntCtlConfFileName
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required.
"
OBJECT syslEntCtlStorageType
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required.
"
OBJECT syslEntCtlRowStatus
MIN-ACCESS read-only
DESCRIPTION
"Write access is not required.
"
::= { syslogCompliances 2 }
syslogNotificationCompliance MODULE-COMPLIANCE
STATUS current
DESCRIPTION
"The compliance statement for SNMP entities
which implement the SYSLOG-MIB and support
notifications about change in the operational
status of a syslog entity.
"
MODULE -- this module
MANDATORY-GROUPS {
syslogNotificationGroup
}
::= { syslogCompliances 3 }
END
5. Security Considerations
Syslog plays a very important role in the computer and network
security of an organization. The SyslogMIB defines several managed
objects that may be used to monitor, configure and control syslog
processes. As such, improper manipulation of the objects represented
by this MIB may lead to an attack on an important component of the
computer and network security infrastructure. The objects in
syslEntCtlTable may be misconfigured to cause syslog messages to be
diverted or lost.
There are a number of management objects defined in this MIB module
with a MAX-ACCESS clause of read-write and/or read-create. Such
objects may be considered sensitive or vulnerable in some network
environments. The support for SET operations in a non-secure
environment without proper protection can have a negative effect on
network operations. These are the tables and objects and their
sensitivity/vulnerability:
o syslEntCtlTable: The objects in this table describe
  the configuration of the syslog processes. It may be
  misconfigured to start up a very large number of
  syslog entities (processes) and deprive the system of its
  resources.
o syslEntCtlBindAddr: This object may be misconfigured
  to bind the syslog entity to the wrong address. This will
  cause messages to be lost.
o syslEntCtlTransport: This object may be misconfigured
  to specify a wrong transport for the syslog entity.
  This will cause messages to be lost.
o syslEntCtlService: This object may be misconfigured
  to bind the syslog entity to the wrong service (port).
  This will cause messages to be lost.
o syslEntCtlMaxMessageSize: This object may be
  misconfigured to set the wrong MaxMessageSize for the
  syslog entity. It may cause syslog messages to be lost.
o syslEntCtlConfFileName: This object may be
  misconfigured to start the syslog entity with the
  wrong (rogue) configuration.
o syslEntCtlStorageType: This object may be misconfigured
  to set the wrong storage type. That may cause
  confusion, operational errors and/or loss of information.
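An added example, not part of the draft or of any SNMP toolkit: a Python audit that parses SMIv2 OBJECT-TYPE definitions, lists every object whose MAX-ACCESS is read-write or read-create, and marks whether the object, or a table above it, is named in the list above. The embedded excerpt is abridged from the module in section 4; the function and constant names are assumptions.

```python
import re

# Constructed input: five definitions abridged from the SYSLOG-MIB module in
# section 4 (DESCRIPTION text shortened, enumerations put on one line).
MIB_EXCERPT = """
syslogDefaultService OBJECT-TYPE
    SYNTAX      SyslogService
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION "The default service name or port number."
    DEFVAL      { "514" }
    ::= { syslogSystem 2 }

syslEntOpsMsgsDropped OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The number of messages that could not be relayed."
    ::= { syslEntOpsEntry 4 }

syslEntCtlEntry OBJECT-TYPE
    SYNTAX      SyslDevCtlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION "The parameters pertaining to a syslog process."
    INDEX       { syslEntOpsIndex }
    ::= { syslEntCtlTable 1 }

syslEntCtlBindAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION "The address the syslog process will bind to."
    ::= { syslEntCtlEntry 3 }

syslEntCtlStatus OBJECT-TYPE
    SYNTAX      INTEGER { unknown(1), started(2), suspended(3), stopped(4) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION "The status of the process."
    DEFVAL      { unknown }
    ::= { syslEntCtlEntry 8 }
"""

WRITABLE = {"read-write", "read-create"}

# Names that the Security Considerations list of writable objects mentions.
NAMED_IN_SECTION_5 = {
    "syslEntCtlTable", "syslEntCtlBindAddr", "syslEntCtlTransport",
    "syslEntCtlService", "syslEntCtlMaxMessageSize",
    "syslEntCtlConfFileName", "syslEntCtlStorageType",
}

# name OBJECT-TYPE <clauses> ::= { parent sub-id }
OBJECT_RE = re.compile(
    r"^\s*([a-z][\w-]*)\s+OBJECT-TYPE\b(.*?)::=\s*\{\s*([\w-]+)\s+\d+\s*\}",
    re.DOTALL | re.MULTILINE,
)


def parse_objects(mib_text):
    """Return {name: {"access": MAX-ACCESS value, "parent": parent name}}."""
    text = re.sub(r'"[^"]*"', '""', mib_text)  # empty quoted strings first
    text = re.sub(r"--[^\n]*", "", text)       # then drop ASN.1 comments
    objects = {}
    for name, body, parent in OBJECT_RE.findall(text):
        access = re.search(r"MAX-ACCESS\s+([\w-]+)", body)
        objects[name] = {
            "access": access.group(1) if access else None,
            "parent": parent,
        }
    return objects


def ancestors(name, objects):
    """The object itself, then each parsed parent, then the first unparsed one."""
    chain = []
    while name in objects and name not in chain:
        chain.append(name)
        name = objects[name]["parent"]
    return chain + [name]


def write_surface(mib_text, reviewed=NAMED_IN_SECTION_5):
    """Sorted (name, access, named) for every object that accepts SET."""
    objects = parse_objects(mib_text)
    report = []
    for name, info in objects.items():
        if info["access"] in WRITABLE:
            named = any(a in reviewed for a in ancestors(name, objects))
            report.append((name, info["access"], named))
    return sorted(report)


if __name__ == "__main__":
    for name, access, named in write_surface(MIB_EXCERPT):
        print(f"{name:28} {access:12} {'listed' if named else 'NOT LISTED'}")
```

Objects reported as not listed are writable but not mentioned in the list, so their SET access needs its own review when the access-control views are written.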
Some of the readable objects in this MIB module (i.e., objects with a
MAX-ACCESS other than not-accessible) may be considered sensitive or
vulnerable in some network environments. It is thus important to
control even GET and/or NOTIFY access to these objects and possibly
to even encrypt the values of these objects when sending them over
the network via SNMP. These are the tables and objects and their
sensitivity/vulnerability:
o syslEntStatsTable: Objects in this table carry
  sensitive information. The counters may reveal
  information about the deployment and effectiveness of
  the relevant security systems. The counters may be
  analyzed to tell whether the security systems are able
  to detect an event or not.
o syslEntOpsLastError: This object may contain sensitive
  information, e.g. user-id, password etc., depending on the
  implementation of the syslog entity. It may reveal details
  about the syslog implementation itself, e.g. version, OS
  etc.
SNMP versions prior to SNMPv3 did not include adequate security.
Even if the network itself is secure (for example, by using IPsec),
there is still no control as to who on the secure network is
allowed to access and GET/SET (read/change/create/delete) the objects
in this MIB module.
It is RECOMMENDED that implementers consider the security features as
provided by the SNMPv3 framework (see [RFC3410], section 8),
including full support for the SNMPv3 cryptographic mechanisms (for
authentication and privacy).
Further, deployment of SNMP versions prior to SNMPv3 is NOT
RECOMMENDED. Instead, it is RECOMMENDED to deploy SNMPv3 and to
enable cryptographic security. It is then a customer/operator
responsibility to ensure that the SNMP entity giving access to an
instance of this MIB module is properly configured to give access to
the objects only to those principals (users) that have legitimate
rights to indeed GET or SET (change/create/delete) them.
6. IANA Considerations
The MIB modules in this document use the following IANA-assigned
OBJECT IDENTIFIER values recorded in the SMI Numbers registry:
Descriptor OBJECT IDENTIFIER value
---------- -----------------------
syslogMIB { mib-2 YYYY }
IANA Reg.: Please assign a base arc in the 'mib-2' OID subtree for
the 'syslogMIB' MODULE-IDENTITY and record the
assignment in the SMI Numbers registry.
RFC Ed.: When the above assignments have been made, please
- remove the above note
- replace "YYYY" here with the assigned values and
- remove this note.
7. References
7.1 Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirements Levels", BCP 14, RFC 2119, March 1997.
[RFC2578] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M., and S. Waldbusser, "Structure of Management
Information Version 2 (SMIv2)", STD 58, RFC 2578,
April 1999.
[RFC2579] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M., and S. Waldbusser, "Textual Conventions for
SMIv2", STD 58, RFC 2579, April 1999.
[RFC2580] McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
Rose, M., and S. Waldbusser, "Conformance Statements for
SMIv2", STD 58, RFC 2580, April 1999.
[RFC3411] Harrington, D., Presuhn, R. and B. Wijnen, "An Architecture
for Describing Simple Network Management Protocol (SNMP)
Management Frameworks", STD 62, RFC 3411, December 2002.
[RFC3164] Lonvick, C., "The BSD Syslog Protocol", RFC 3164,
August 2001.
[RFC4001] Daniele, M., Haberman, B., Routhier, S., and Schoenwaelder,
J., "Textual Conventions for Internet Network Addresses",
RFC 4001, February 2005.
[RFCPROT] Gerhards, R., "The syslog Protocol",
draft-ietf-syslog-protocol-17.txt, work in progress,
June, 2006.
[RFCUDPX] Okmianski, A., "Transmission of syslog messages over UDP",
draft-ietf-syslog-transport-udp-07.txt, work in progress,
May, 2006.
7.2 Informative References
[RFC3410] Case, J., Mundy, R., Partain, D., and B. Stewart,
"Introduction and Applicability Statements for the
Internet-Standard Management Framework", RFC 3410,
December 2002.
[RFC2790] Waldbusser, S., and Grillo, P., "Host Resources MIB",
RFC 2790, March 2000.
8. Acknowledgments
The initial draft of this document was authored by Bruno Pape.
The authors would like to thank David Harrington, Mark Ellison,
Mike MacFaden, Dave T Perkins and members of the WIDE-netman
group for their comments and suggestions.
9. Author's Addresses
Glenn Mansfield Keeni
Cyber Solutions Inc.
6-6-3 Minami Yoshinari
Aoba-ku, Sendai 989-3204
Japan
Phone: +81-22-303-4012
EMail: glenn@cysols.com
10. Full Copyright Statement
Copyright (C) The Internet Society (2006).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed
to pertain to the implementation or use of the technology
described in this document or the extent to which any license
under such rights might or might not be available; nor does it
represent that it has made any independent effort to identify any
such rights. Information on the procedures with respect to
rights in RFC documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use
of such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository
at http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention
any copyrights, patents or patent applications, or other
proprietary rights that may cover technology that may be required
to implement this standard. Please address the information to the
IETF at ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
APPENDIX
This section documents the development of the draft. It will be
deleted when the draft becomes an RFC.
Revision History:
REVISION "200609040000Z" -- 9th September 2006
DESCRIPTION
"
o The draft has been aligned with the current
standards track documents syslog-protocol-17.txt
and syslog-transport-udp-07.txt: the REFERENCE
clauses have changed.
o The TEXTUAL-CONVENTION SyslogTransport has been
replaced by the TransportAddressType.
o The TEXTUAL-CONVENTION SyslogFacility and
SyslogSeverity have been aligned with
syslog-protocol-17.txt
o A paragraph has been added to list the related
MIBs from which MOs and TEXTUAL-CONVENTIONs have
been imported.
o The target of this MIB is now called a syslog
entity. [ Earlier it was referred to as a syslog
device.] The prefix syslDev has been changed to
syslEnt
o The DEFVALS have been aligned with the reference
documents.
o The REFERENCE section has been updated.
o The OID for syslogConformance has been changed
from 4 to 3.
"
REVISION "200607250000Z" -- 25th July 2006
DESCRIPTION
"the internet draft's version number has
been changed (7->8).
"
REVISION "200511250000Z" -- 25th November 2005
DESCRIPTION
"A near complete overhaul of the MIB and the document.
The BSD-syslog flavor has been abandoned in favor of a
more generic syslog-protocol document that is under
preparation.
TBD. The reference clauses need to be redone once the
new syslog document is ready.
List of authors changed. Original draft author Bruno
Pape is acknowledged in the Acknowledgments section.
Editorial nits fixed.
"
REVISION "200406160000Z" -- Mon Feb 16 00:00 GMT 2004
DESCRIPTION
"Major change.
The configuration parts have been removed.
Updated the description clauses.
Editorial nits fixed.
"
REVISION "200306250000Z" -- Wed June 25 00:00 GMT 2003
DESCRIPTION
"Changed the type of
syslogProcLastError SnmpAdminString,
from Integer32.
DEFVAL { 0 } is added to syslogAllowedHostsMaskLen
MO name changed from
syslogCtlSelectionHostname to syslogCtlSelectionHostName
Updated the description clauses.
Fixed nits pointed out in Bert's mails of 20030319 and
revised the document wrt the guidelines in
draft-ietf-ops-mib-review-guidelines-01.txt
Editorial nits fixed.
"
REVISION "200303030000Z" -- Mon March 03 00:00 GMT 2003
DESCRIPTION
"Fixing of nits in descriptions, addition of references,
addition of the following MOs
syslogProcMsgsIllFormed Counter32,
syslogProcStartTime TimeStamp,
syslogProcLastError Integer32,
syslogProcLastErrorTime TimeStamp,
syslDevCtlStorageType StorageType,
syslogCtlFwdActionSrcAddrType InetAddressType,
syslogCtlFwdActionSrcAddr InetAddress,
added enumeration ''suspended(2)'' to
syslDevCtlStatus.
"
REVISION "200212252343Z" -- Wed December 25 23:43 GMT 2002
DESCRIPTION
"Radical revision of the MIB structure and design."
REVISION "200206061841Z" -- Thu Jun 6 18:41 GMT 2002
DESCRIPTION
"The initial version of this MIB module."