Network Working Group                                 Glenn Mansfield Keeni
INTERNET-DRAFT                                         Cyber Solutions Inc.
Expires: January 24, 2007                                     July 25, 2006

                   Syslog Management Information Base

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This document is a product of the syslog Working Group.  Comments
   should be addressed to the authors or the mailing list at
   syslog@ietf.org.

   This Internet-Draft will expire on January 24, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This memo defines a portion of the Management Information Base
   (MIB), the Syslog MIB, for use with network management protocols in
   the Internet community.  In particular, the Syslog MIB will be used
   to monitor and control syslog devices.

Expires: January 24, 2007                                       [Page 1]
Internet Draft                                             July 25, 2006

Table of Contents

   1.  The Internet-Standard Management Framework
   2.  Background
   3.  The MIB Design
   4.  The Syslog MIB
   5.  Security Considerations
   6.  IANA Considerations
   7.  References
   8.  Acknowledgments
   9.  Author's Addresses
   10. Full Copyright Statement
       Appendix

1. The Internet-Standard Management Framework

   For a detailed overview of the documents that describe the current
   Internet-Standard Management Framework, please refer to section 7 of
   RFC 3410 [RFC3410].

   Managed objects are accessed via a virtual information store, termed
   the Management Information Base or MIB.  MIB objects are generally
   accessed through the Simple Network Management Protocol (SNMP).
   Objects in the MIB are defined using the mechanisms defined in the
   Structure of Management Information (SMI).  This memo specifies a
   MIB module that is compliant to the SMIv2, which is described in
   STD 58, RFC 2578 [RFC2578], STD 58, RFC 2579 [RFC2579] and STD 58,
   RFC 2580 [RFC2580].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14, RFC 2119
   [RFC2119].

2. Background

   Operating systems, processes and applications, collectively termed
   "facilities" in the following, generate messages indicating their
   own status or the occurrence of events.  These messages are handled
   by what has come to be known as the syslog process or device
   [ ref rfc3164, id-proto-15].  This document defines a set of managed
   objects (MOs) that can be used to monitor a group of syslog devices.

   The syslogMIB can be used in conjunction with other MIBs, in
   particular the Host Resources MIB.  Generic process-related matters
   (process control, status, resource usage, etc.) can be serviced by
   the corresponding entries in the Host Resources MIB.

   [Fig.1 Syslog Application Model: messages from local facilities
   (Facility-1 ... Facility-N) and from remote syslog hosts
   (SyslogHost-N) arrive at syslog processes SA-1 ... SA-N, each of
   which may relay them on to a remote syslog process SA-R1 ... SA-RN.]

      Facility:   Facility originating the message (locally)
      SyslogHost: Remote SyslogHost relaying a message
      SA:         Syslog Process

                     Fig.1 Syslog Application Model

   The group of syslog devices modelled by the MIB is shown in Fig.1.
   One or more syslog devices, which may be on the same host, receive
   syslog messages from local facilities and from other syslog devices
   which may be on other hosts.  The syslog device receives the message
   and processes it.  The processing will depend on internal
   configuration and may involve relaying the message to a syslog
   device which may be on another host.

3. The MIB Design

   The purpose of the SyslogMIB is to allow the monitoring of a group
   of syslog devices.  This requires MOs representing

   o  The default configuration parameters for the group of syslog
      devices:
      -  maximum message size,
      -  type of transport, port numbers on which the process will
         listen for messages, etc.

   o  The configuration and status related details of each syslog
      device.

   o  Statistics on syslog messages received, processed locally and
      relayed by each syslog device.

   The MIB comprises four groups:

   o  The syslogSystem group services the default configuration
      parameters.

   o  The syslog device group, consisting of the
      -  syslDevCtlTable, which deals with the configuration and
         control related information for a syslog device;
      -  syslDevOpsTable, which deals with statistical information
         about messages processed by a syslog device.

   o  The syslogNotifications group defines the set of notifications
      that will be used to asynchronously monitor the status of a
      syslog device.

   o  The conformance group defines the compliance statements.
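   As an added illustration of the design above (example code written
   for this edit, not part of the draft): a Python model of one
   syslDevOpsTable row, fed with constructed RFC 3164-style messages,
   showing what each of the draft's counters counts and how a PRI value
   maps onto the SyslogFacility and SyslogSeverity textual conventions.
   The accept-list of source hosts standing in for the draft's "allowed
   specifications" and the relay-queue limit are assumptions.

```python
"""Added example, not part of the draft: one syslDevOpsTable row driven by
constructed syslog messages.  PRI decoding follows RFC 3164 sec. 4.1.1
(PRI = facility * 8 + severity); the label tables mirror the draft's
SyslogFacility and SyslogSeverity textual conventions.  The draft does not
define the 'allowed specifications' behind syslDevOpsMsgsIgnored, so an
accept-list of source hosts is assumed here."""
import re
from dataclasses import dataclass, field

# SyslogFacility TC (code -> label).  Note that code 15 is not in the
# draft's enumeration, so a decoder must be able to report "no label".
FACILITY = {0: "kernel", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
            5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
            10: "authPriv", 11: "ftp", 12: "ntp", 13: "security",
            14: "console", 16: "local0", 17: "local1", 18: "local2",
            19: "local3", 20: "local4", 21: "local5", 22: "local6",
            23: "local7"}
# SyslogSeverity TC (code -> label)
SEVERITY = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notice", 6: "info", 7: "debug"}

PRI_RE = re.compile(r"^<(\d{1,3})>(.+)$", re.DOTALL)


def decode_pri(pri):
    """Return (facility label or None, severity label) for a PRI value.
    Raises ValueError for a PRI outside the RFC 3164 range 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    fac, sev = divmod(pri, 8)
    return FACILITY.get(fac), SEVERITY[sev]


@dataclass
class SyslDevOpsRow:
    """Counters of one conceptual row of syslDevOpsTable."""
    index: int                                 # syslDevOpsIndex
    max_message_size: int = 1024               # syslDevCtlMaxMessageSize
    allowed_hosts: frozenset = frozenset()     # assumed 'allowed specifications'
    relay_queue_limit: int = 2                 # assumed; models a full outbound queue
    msgs_received: int = 0
    msgs_relayed: int = 0
    msgs_dropped: int = 0
    msgs_ill_formed: int = 0
    msgs_ignored: int = 0
    relay_queue: list = field(default_factory=list)

    def receive(self, src_host, raw, relay=False):
        """Process one message the way the draft's DESCRIPTION clauses read.
        MsgsReceived counts everything, including messages later ignored."""
        self.msgs_received += 1
        if src_host not in self.allowed_hosts:
            self.msgs_ignored += 1          # did not meet allowed specifications
            return "ignored"
        m = PRI_RE.match(raw)
        try:
            if m is None or len(raw) > self.max_message_size:
                raise ValueError("not well-formed")
            decode_pri(int(m.group(1)))
        except ValueError:
            self.msgs_ill_formed += 1       # rejected because not well-formed
            return "ill-formed"
        if not relay:
            return "logged"
        if len(self.relay_queue) >= self.relay_queue_limit:
            self.msgs_dropped += 1          # could not be queued for transmitting
            return "dropped"
        self.relay_queue.append(raw)
        self.msgs_relayed += 1
        return "relayed"


def run_demo():
    """Feed constructed messages through one device; return (row, outcomes)."""
    dev = SyslDevOpsRow(index=1, allowed_hosts=frozenset({"local", "10.0.0.5"}))
    msgs = [  # (source host, raw message, relay?) -- all constructed
        ("local",    "<34>Oct 11 22:14:15 host su: 'su root' failed", False),
        ("10.0.0.5", "<13>Oct 11 22:14:16 host app: started", True),
        ("10.0.0.5", "<165>Oct 11 22:14:17 host app: local4/notice", True),
        ("10.0.0.5", "<200>Oct 11 22:14:18 host app: PRI too large", True),
        ("10.0.0.5", "<13>Oct 11 22:14:19 host app: queue is full", True),
        ("10.9.9.9", "<13>Oct 11 22:14:20 other: host not allowed", False),
        ("local",    "no PRI at all", False),
    ]
    outcomes = [dev.receive(h, r, relay) for h, r, relay in msgs]
    return dev, outcomes
```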
4. The Syslog MIB

SYSLOG-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, Unsigned32, Counter32, Integer32,
    mib-2, NOTIFICATION-TYPE
        FROM SNMPv2-SMI
    RowStatus, StorageType, TEXTUAL-CONVENTION, TimeStamp
        FROM SNMPv2-TC
    InetAddressType, InetAddress
        FROM INET-ADDRESS-MIB
    MODULE-COMPLIANCE, OBJECT-GROUP, NOTIFICATION-GROUP
        FROM SNMPv2-CONF
    SnmpAdminString
        FROM SNMP-FRAMEWORK-MIB;

syslogMIB MODULE-IDENTITY
    LAST-UPDATED "200511250000Z"    -- 25th November, 2005
    ORGANIZATION "IETF Syslog Working Group"
    CONTACT-INFO
        "        Glenn Mansfield Keeni
         Postal: Cyber Solutions Inc.
                 6-6-3, Minami Yoshinari
                 Aoba-ku, Sendai, Japan 989-3204.
            Tel: +81-22-303-4012
            Fax: +81-22-303-4015
         E-mail: glenn@cysols.com
        "
    DESCRIPTION
        "The MIB module for monitoring syslog devices.

         Copyright (C) The Internet Society (2006).  This version of
         this MIB module is part of RFC XXXX; see the RFC itself for
         full legal notices.
        "
    -- RFC Ed.: replace XXXX with the actual RFC number & remove this
    -- note
    REVISION "200511250000Z"        -- 25th November, 2005
    DESCRIPTION
        "The initial version, published as RFC XXXX."
    -- RFC Ed.: replace XXXX with the actual RFC number & remove this
    -- note
    ::= { mib-2 YYYY }              -- Will be assigned by IANA
    -- IANA Reg.: Please assign a value for "YYYY" under the
    --   'mib-2' subtree and record the assignment in the SMI
    --   Numbers registry.
    -- RFC Ed.: When the above assignment has been made, please
    --   remove the above note,
    --   replace "YYYY" here with the assigned value and
    --   remove this note.

-- -------------------------------------------------------------
-- Textual Conventions
-- -------------------------------------------------------------

SyslogFacility ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "This textual convention enumerates the facilities that
         originate syslog messages.

         The value noMap(99) indicates that the appropriate facility
         will be provided by the application on the managed entity.
         If this option is not available on a particular entity,
         attempts to set the facility to this value will fail with an
         error-status of wrongValue.
        "
    REFERENCE
        "The BSD syslog Protocol (RFC 3164) sec. 4.1.1 (Table 1)."
    SYNTAX      INTEGER {
                    kernel   (0),  -- kernel messages
                    user     (1),  -- user-level messages
                    mail     (2),  -- mail system
                    daemon   (3),  -- system daemons
                    auth     (4),  -- authorization messages
                    syslog   (5),  -- messages generated by syslogd
                    lpr      (6),  -- line printer subsystem
                    news     (7),  -- network news subsystem
                    uucp     (8),  -- UUCP subsystem
                    cron     (9),  -- clock daemon
                    authPriv (10), -- authorization messages
                                   -- (private)
                    ftp      (11), -- ftp daemon
                    ntp      (12), -- NTP subsystem
                    security (13), -- security subsystems
                                   -- (firewalling, etc.)
                    console  (14), -- /dev/console output
                    local0   (16),
                    local1   (17),
                    local2   (18),
                    local3   (19),
                    local4   (20),
                    local5   (21),
                    local6   (22),
                    local7   (23),
                    noMap    (99)
                }

SyslogSeverity ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "This textual convention enumerates the severity levels of
         syslog messages.  The syslog protocol uses the values
         0 (emergency) to 7 (debug)."
    REFERENCE
        "The BSD syslog Protocol (RFC 3164) sec. 4.1.1 (Table 2)."
    SYNTAX      INTEGER {
                    emergency (0), -- system is unusable
                    alert     (1), -- action must be taken
                                   -- immediately
                    critical  (2), -- critical conditions
                    error     (3), -- error conditions
                    warning   (4), -- warning conditions
                    notice    (5), -- normal but significant
                                   -- condition
                    info      (6), -- informational
                    debug     (7), -- debug-level messages
                    other     (99) -- none of the above
                }

SyslogTransport ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "The transport protocol that will be used to send and/or
         receive messages.
        "
    REFERENCE
        "The BSD syslog Protocol RFC 3164 Sec. 2."
    SYNTAX      INTEGER {
                    any (1),
                    udp (2),
                    tcp (3)
                }

SyslogService ::= TEXTUAL-CONVENTION
    STATUS       current
    DESCRIPTION
        "The service name or port number that will be used to send
         and/or receive messages.  The service name must resolve to
         a port number on the local host.
        "
    SYNTAX      OCTET STRING (SIZE (0..255))

-- -------------------------------------------------------------
-- syslogMIB - the main groups
-- -------------------------------------------------------------

syslogNotifications OBJECT IDENTIFIER ::= { syslogMIB 0 }
syslogSystem        OBJECT IDENTIFIER ::= { syslogMIB 1 }
syslogDevice        OBJECT IDENTIFIER ::= { syslogMIB 2 }

-- -------------------------------------------------------------
-- syslogSystem
-- -------------------------------------------------------------

-- The default parameters

syslogDefaultTransport OBJECT-TYPE
    SYNTAX      SyslogTransport
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The default transport that a syslog process will use to
         send syslog messages.
        "
    REFERENCE
        "The BSD syslog Protocol RFC 3164 Sec. 2."
    DEFVAL { udp }
    ::= { syslogSystem 1 }

syslogDefaultService OBJECT-TYPE
    SYNTAX      SyslogService
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The default service name or port number that a syslog
         process will use to send syslog messages.
        "
    REFERENCE
        "The BSD syslog Protocol RFC 3164 Sec. 2."
    DEFVAL { "514" }
    ::= { syslogSystem 2 }

syslogDefaultFacility OBJECT-TYPE
    SYNTAX      SyslogFacility
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The default syslog facility that will be added to syslog
         messages when the message needs to be relayed and does not
         have a facility specified.
        "
    ::= { syslogSystem 3 }

syslogDefaultSeverity OBJECT-TYPE
    SYNTAX      SyslogSeverity
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The default syslog severity that will be added to syslog
         messages when the message needs to be relayed and does not
         have a priority specified.
        "
    ::= { syslogSystem 4 }

syslogDefaultMaxMessageSize OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The default maximum syslog message size in bytes.
        "
    DEFVAL { 1024 }
    ::= { syslogSystem 5 }

-- -------------------------------------------------------------
-- syslDevOps
-- -------------------------------------------------------------

syslDevOpsTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SyslDevOpsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table containing information about the syslog devices
         serviced by an SNMP agent.
        "
    ::= { syslogDevice 1 }

syslDevOpsEntry OBJECT-TYPE
    SYNTAX      SyslDevOpsEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The information pertaining to a syslog device.
        "
    INDEX { syslDevOpsIndex }
    ::= { syslDevOpsTable 1 }

SyslDevOpsEntry ::= SEQUENCE {
    syslDevOpsIndex                 Unsigned32,
    syslDevOpsMsgsReceived          Counter32,
    syslDevOpsMsgsRelayed           Counter32,
    syslDevOpsMsgsDropped           Counter32,
    syslDevOpsMsgsIllFormed         Counter32,
    syslDevOpsMsgsIgnored           Counter32,
    syslDevOpsLastMsgRecdTime       TimeStamp,
    syslDevOpsLastMsgDeliveredTime  TimeStamp,
    syslDevOpsStartTime             TimeStamp,
    syslDevOpsLastError             SnmpAdminString,
    syslDevOpsLastErrorTime         TimeStamp,
    syslDevOpsReference             Integer32
}

syslDevOpsIndex OBJECT-TYPE
    SYNTAX      Unsigned32 (1..2147483647)
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The index that uniquely identifies the syslog device in the
         syslDevOpsTable.
        "
    ::= { syslDevOpsEntry 1 }

syslDevOpsMsgsReceived OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of messages received by the syslog device.
         This includes messages that were ignored.
        "
    ::= { syslDevOpsEntry 2 }

syslDevOpsMsgsRelayed OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of messages relayed by the syslog device to
         other syslog devices.
        "
    ::= { syslDevOpsEntry 3 }

syslDevOpsMsgsDropped OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of messages that could not be relayed (could
         not be queued for transmitting)."
    ::= { syslDevOpsEntry 4 }

syslDevOpsMsgsIllFormed OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of messages that were rejected by the syslog
         device because these were not well-formed.
        "
    ::= { syslDevOpsEntry 5 }

syslDevOpsMsgsIgnored OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The number of messages that were not processed by the
         syslog device because the message did not meet the
         'allowed specifications'.
        "
    ::= { syslDevOpsEntry 6 }

syslDevOpsLastMsgRecdTime OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local time when the last message was received by the
         syslog device, locally or from a remote syslog device.
        "
    ::= { syslDevOpsEntry 7 }

syslDevOpsLastMsgDeliveredTime OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local time when the last message was delivered by the
         syslog process.
        "
    ::= { syslDevOpsEntry 8 }

syslDevOpsStartTime OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local time when this device was started.
        "
    ::= { syslDevOpsEntry 9 }

syslDevOpsLastError OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "A description of the last error that was encountered by
         this process.
        "
    ::= { syslDevOpsEntry 10 }

syslDevOpsLastErrorTime OBJECT-TYPE
    SYNTAX      TimeStamp
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The local time when the last error was encountered.
        "
    ::= { syslDevOpsEntry 11 }

syslDevOpsReference OBJECT-TYPE
    SYNTAX      Integer32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "If the Host Resources MIB is serviced on the host, then this
         entry will have the value of the hrSWRunIndex of the
         corresponding entry in the hrSWRunTable.  Otherwise this
         object will be inaccessible.
        "
    ::= { syslDevOpsEntry 12 }

-- -------------------------------------------------------------
-- syslog device static info table
-- -------------------------------------------------------------

syslDevCtlTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF SyslDevCtlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table containing static information about the syslog
         devices.
        "
    ::= { syslogDevice 2 }

syslDevCtlEntry OBJECT-TYPE
    SYNTAX      SyslDevCtlEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "The parameters pertaining to a syslog process."
    INDEX { syslDevOpsIndex }
    ::= { syslDevCtlTable 1 }

SyslDevCtlEntry ::= SEQUENCE {
    syslDevCtlProcDescr        SnmpAdminString,
    syslDevCtlBindAddrType     InetAddressType,
    syslDevCtlBindAddr         InetAddress,
    syslDevCtlTransport        SyslogTransport,
    syslDevCtlService          SyslogService,
    syslDevCtlMaxMessageSize   Unsigned32,
    syslDevCtlConfFileName     SnmpAdminString,
    syslDevCtlStatus           INTEGER,
    syslDevCtlStorageType      StorageType,
    syslDevCtlRowStatus        RowStatus
}

syslDevCtlProcDescr OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "A user definable description of the syslog process.
        "
    ::= { syslDevCtlEntry 1 }

syslDevCtlBindAddrType OBJECT-TYPE
    SYNTAX      InetAddressType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The type of Internet address which follows in
         syslDevCtlBindAddr.
        "
    ::= { syslDevCtlEntry 2 }

syslDevCtlBindAddr OBJECT-TYPE
    SYNTAX      InetAddress
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The specific IP address or hostname the syslog process will
         bind to.  If a hostname is specified, the IPv4 or IPv6
         address corresponding to the hostname will be used.
        "
    ::= { syslDevCtlEntry 3 }

syslDevCtlTransport OBJECT-TYPE
    SYNTAX      SyslogTransport
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The default transport that a syslog process will use to
         send syslog messages.
        "
    REFERENCE
        "The BSD syslog Protocol RFC 3164 Sec. 2."
    ::= { syslDevCtlEntry 4 }

syslDevCtlService OBJECT-TYPE
    SYNTAX      SyslogService
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The default service name or port number that a syslog
         process will use to send syslog messages.
        "
    REFERENCE
        "The BSD syslog Protocol RFC 3164 Sec. 2."
    ::= { syslDevCtlEntry 5 }

syslDevCtlMaxMessageSize OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
        "The maximum size of the syslog messages in bytes for this
         syslog device.
        "
    ::= { syslDevCtlEntry 6 }

syslDevCtlConfFileName OBJECT-TYPE
    SYNTAX      SnmpAdminString
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "The full path name of the configuration file from which the
         syslog device's message selection and corresponding action
         rules will be read.  Data is loaded from this file into the
         syslogCtlSelectionTable and the syslogCtlLogActionTable.
         If the objects loaded from the file specified by this object
         have an access level of read-create, this file MUST be
         writable so that modifications to the corresponding objects,
         if any, will be effected in this file.

         If the system does not support the specification of a
         configuration file, this field will not be accessible.
        "
    DEFVAL { "/etc/syslog.conf" }
    ::= { syslDevCtlEntry 7 }

syslDevCtlStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    unknown   (1),
                    started   (2),
                    suspended (3),
                    stopped   (4)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "The status of the process.
        "
    DEFVAL { unknown }
    ::= { syslDevCtlEntry 8 }

syslDevCtlStorageType OBJECT-TYPE
    SYNTAX      StorageType
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object defines whether the parameters defined in this
         row are kept in volatile storage and lost upon reboot or
         are backed up by non-volatile (permanent) storage.

         Conceptual rows having the value 'permanent' need not allow
         write-access to any columnar objects in the row.
        "
    ::= { syslDevCtlEntry 9 }

syslDevCtlRowStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
        "This object is used to create, modify and delete rows in
         the syslDevCtlTable.

         Objects in a row can be modified only when the value of this
         object in the corresponding conceptual row is not 'active'.
         Thus, to modify one or more of the objects in this
         conceptual row,
           a. change the row status to 'notInService',
           b. change the values of the row,
           c. change the row status to 'active'.

         The syslDevCtlRowStatus may be changed to 'active' iff all
         the MOs in the conceptual row have been assigned valid
         values.
        "
    ::= { syslDevCtlEntry 10 }

syslDevStarted NOTIFICATION-TYPE
    OBJECTS {
        syslDevCtlProcDescr,
        syslDevCtlBindAddrType,
        syslDevCtlBindAddr,
        syslDevCtlTransport,
        syslDevCtlService,
        syslDevCtlConfFileName
    }
    STATUS      current
    DESCRIPTION
        "This notification is sent when a syslog device operation is
         started [the syslDevCtlStatus entered the state 'started'].
         The MO instances in the notification will be identified by
         the syslDevOpsIndex for the syslog device in the
         syslDevOpsTable.
        "
    ::= { syslogNotifications 1 }

syslDevStopped NOTIFICATION-TYPE
    OBJECTS {
        syslDevCtlStatus,
        syslDevCtlProcDescr,
        syslDevCtlBindAddrType,
        syslDevCtlBindAddr,
        syslDevCtlTransport,
        syslDevCtlService,
        syslDevCtlConfFileName
    }
    STATUS      current
    DESCRIPTION
        "This notification is sent when a syslog device operation is
         stopped or suspended [the syslDevCtlStatus entered the state
         'stopped' or 'suspended' from the 'started' state].
         The MO instances in the notification will be identified by
         the syslDevOpsIndex for the syslog device in the
         syslDevOpsTable.
        "
    ::= { syslogNotifications 2 }

-- -------------------------------------------------------------
-- Conformance Information
-- -------------------------------------------------------------

syslogConformance OBJECT IDENTIFIER ::= { syslogMIB 4 }

syslogGroups      OBJECT IDENTIFIER ::= { syslogConformance 1 }
syslogCompliances OBJECT IDENTIFIER ::= { syslogConformance 2 }

-- -------------------------------------------------------------
-- units of conformance
-- -------------------------------------------------------------

syslogSystemGroup OBJECT-GROUP
    OBJECTS {
        syslogDefaultTransport,
        syslogDefaultService,
        syslogDefaultFacility,
        syslogDefaultSeverity,
        syslogDefaultMaxMessageSize
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing default parameters for
         syslog devices.
        "
    ::= { syslogGroups 1 }

syslogDevOpsGroup OBJECT-GROUP
    OBJECTS {
        -- syslDevOpsIndex,
        syslDevOpsMsgsReceived,
        syslDevOpsMsgsRelayed,
        syslDevOpsMsgsDropped,
        syslDevOpsMsgsIllFormed,
        syslDevOpsMsgsIgnored,
        syslDevOpsLastMsgRecdTime,
        syslDevOpsLastMsgDeliveredTime,
        syslDevOpsStartTime,
        syslDevOpsLastError,
        syslDevOpsLastErrorTime,
        syslDevOpsReference
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects providing message related
         statistics."
    ::= { syslogGroups 2 }

syslogDevCtlGroup OBJECT-GROUP
    OBJECTS {
        syslDevCtlProcDescr,
        syslDevCtlBindAddrType,
        syslDevCtlBindAddr,
        syslDevCtlTransport,
        syslDevCtlService,
        syslDevCtlMaxMessageSize,
        syslDevCtlConfFileName,
        syslDevCtlStatus,
        syslDevCtlStorageType,
        syslDevCtlRowStatus
    }
    STATUS      current
    DESCRIPTION
        "A collection of objects representing the run time
         parameters for the syslog processes.
        "
    ::= { syslogGroups 3 }

syslogNotificationGroup NOTIFICATION-GROUP
    NOTIFICATIONS {
        syslDevStarted,
        syslDevStopped
    }
    STATUS      current
    DESCRIPTION
        "A collection of notifications about the operational state
         of a syslog device.
        "
    ::= { syslogGroups 4 }

-- -------------------------------------------------------------
-- compliance statements
-- -------------------------------------------------------------

syslogCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for SNMP entities which implement
         the SYSLOG-MIB.
        "
    MODULE  -- this module
    MANDATORY-GROUPS {
        syslogSystemGroup,
        syslogDevOpsGroup,
        syslogDevCtlGroup
    }
    ::= { syslogCompliances 1 }

syslogReadOnlyCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for SNMP entities which implement
         the syslog MIB without support for read-write (i.e. in
         read-only mode).
        "
    MODULE  -- this module
    MANDATORY-GROUPS {
        syslogSystemGroup,
        syslogDevOpsGroup,
        syslogDevCtlGroup
    }

    OBJECT      syslDevCtlProcDescr
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      syslDevCtlBindAddrType
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      syslDevCtlBindAddr
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      syslDevCtlTransport
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      syslDevCtlService
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      syslDevCtlMaxMessageSize
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      syslDevCtlConfFileName
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      syslDevCtlStorageType
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "

    OBJECT      syslDevCtlRowStatus
    MIN-ACCESS  read-only
    DESCRIPTION
        "Write access is not required.
        "
    ::= { syslogCompliances 2 }

syslogNotificationCompliance MODULE-COMPLIANCE
    STATUS      current
    DESCRIPTION
        "The compliance statement for SNMP entities which implement
         the SYSLOG-MIB and support notifications about change in
         the operational status of a syslog device.
        "
    MODULE  -- this module
    MANDATORY-GROUPS {
        syslogNotificationGroup
    }
    ::= { syslogCompliances 3 }

END

5. Security Considerations

   Syslog plays a very important role in the computer and network
   security of an organization.  SyslogMIB defines several managed
   objects that may be used to monitor, configure and control syslog
   processes.  As such, improper manipulation of the objects
   represented by this MIB may lead to an attack on an important
   component of the computer and network security infrastructure.
   The objects in syslDevCtlTable may be misconfigured to cause syslog
   messages to be diverted or lost.

   There are a number of management objects defined in this MIB module
   with a MAX-ACCESS clause of read-write and/or read-create.  Such
   objects may be considered sensitive or vulnerable in some network
   environments.  The support for SET operations in a non-secure
   environment without proper protection can have a negative effect on
   network operations.  These are the tables and objects and their
   sensitivity/vulnerability:

   o  syslDevCtlTable: the objects in this table describe the
      configuration of the syslog processes.  It may be misconfigured
      to start up a very large number of syslog devices (processes)
      and deny the system its resources.

   o  syslDevCtlBindAddr: This object may be misconfigured to bind the
      syslog device to the wrong address.  This will cause messages to
      be lost.

   o  syslDevCtlTransport: This object may be misconfigured to specify
      a wrong transport for the syslog device.  This will cause
      messages to be lost.

   o  syslDevCtlService: This object may be misconfigured to bind the
      syslog device to the wrong service (port).  This will cause
      messages to be lost.

   o  syslDevCtlMaxMessageSize: This object may be misconfigured to
      set the wrong MaxMessageSize for the syslog device.  It may
      cause syslog messages to be lost.

   o  syslDevCtlConfFileName: This object may be misconfigured to
      start the syslog device with the wrong (rogue) configuration.

   o  syslDevCtlStorageType: This object may be misconfigured to set
      the wrong storage type.  That may cause confusion, operational
      errors and/or loss of information.

   Some of the readable objects in this MIB module (i.e., objects with
   a MAX-ACCESS other than not-accessible) may be considered sensitive
   or vulnerable in some network environments.  It is thus important
   to control even GET and/or NOTIFY access to these objects and
   possibly to even encrypt the values of these objects when sending
   them over the network via SNMP.  These are the tables and objects
   and their sensitivity/vulnerability:

   o  syslDevStatsTable: objects in this table carry sensitive
      information.  The counters may reveal information about the
      deployment and effectiveness of the relevant security systems.
      The counters may be analyzed to tell whether the security
      systems are able to detect an event or not.

   SNMP versions prior to SNMPv3 did not include adequate security.
   Even if the network itself is secure (for example by using IPsec),
   there is still no control as to who on the secure network is
   allowed to access and GET/SET (read/change/create/delete) the
   objects in this MIB module.

   It is RECOMMENDED that implementers consider the security features
   as provided by the SNMPv3 framework (see [RFC3410], section 8),
   including full support for the SNMPv3 cryptographic mechanisms (for
   authentication and privacy).

   Further, deployment of SNMP versions prior to SNMPv3 is NOT
   RECOMMENDED.  Instead, it is RECOMMENDED to deploy SNMPv3 and to
   enable cryptographic security.  It is then a customer/operator
   responsibility to ensure that the SNMP entity giving access to an
   instance of this MIB module is properly configured to give access
   to the objects only to those principals (users) that have
   legitimate rights to indeed GET or SET (change/create/delete) them.
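   As an added example (written for this edit, not part of the draft):
   the checks an agent can apply to SET requests on a syslDevCtlTable
   row to enforce what the considerations above and the
   syslDevCtlRowStatus description require, namely per-principal write
   authorization, validation against each column's SYNTAX, consistency
   of syslDevCtlBindAddr with syslDevCtlBindAddrType, and the rule that
   columns change only while the row is 'notInService' and the row
   becomes 'active' only when every column is valid.  The
   principal-to-column write policy and the row contents are
   constructed assumptions; the error names are the SNMPv2
   error-status values.

```python
"""Added example, not part of the draft: agent-side validation of SET
requests against one syslDevCtlTable row.  The per-principal write policy
stands in for the SNMPv3 access control the draft recommends; the row
contents are constructed for the demonstration."""

TRANSPORT = {1: "any", 2: "udp", 3: "tcp"}                  # SyslogTransport TC
STORAGE_TYPE = {1: "other", 2: "volatile", 3: "nonVolatile",
                4: "permanent", 5: "readOnly"}               # StorageType TC
ACTIVE, NOT_IN_SERVICE, DESTROY = 1, 2, 6                    # RowStatus values
# InetAddressType -> required InetAddress length in octets (None = 1..255)
ADDR_LEN = {1: 4, 2: 16, 16: None}                           # ipv4, ipv6, dns

READ_CREATE_COLUMNS = {
    "syslDevCtlProcDescr", "syslDevCtlBindAddrType", "syslDevCtlBindAddr",
    "syslDevCtlTransport", "syslDevCtlService", "syslDevCtlMaxMessageSize",
    "syslDevCtlConfFileName", "syslDevCtlStorageType",
}
# Assumed write policy: principal -> columns it may SET (empty = read-only).
WRITE_POLICY = {
    "syslog-admin": READ_CREATE_COLUMNS | {"syslDevCtlRowStatus"},
    "noc-viewer": frozenset(),
}


def column_is_valid(name, value):
    """True if value satisfies the column's SYNTAX clause in the draft."""
    if name == "syslDevCtlTransport":
        return value in TRANSPORT
    if name == "syslDevCtlStorageType":
        return value in STORAGE_TYPE
    if name == "syslDevCtlBindAddrType":
        return value in ADDR_LEN
    if name == "syslDevCtlBindAddr":                     # InetAddress octets
        return isinstance(value, bytes) and 1 <= len(value) <= 255
    if name == "syslDevCtlMaxMessageSize":               # Unsigned32
        return isinstance(value, int) and 0 <= value <= 4294967295
    if name in ("syslDevCtlProcDescr", "syslDevCtlService",
                "syslDevCtlConfFileName"):               # 0..255 octets
        return isinstance(value, str) and len(value.encode("utf-8")) <= 255
    return False


class SyslDevCtlRow:
    """One conceptual row of syslDevCtlTable plus its RowStatus."""

    def __init__(self, columns, row_status=ACTIVE):
        self.columns = dict(columns)
        self.row_status = row_status

    def addr_matches_type(self):
        """syslDevCtlBindAddr must be an address of syslDevCtlBindAddrType."""
        atype = self.columns.get("syslDevCtlBindAddrType")
        addr = self.columns.get("syslDevCtlBindAddr", b"")
        if atype not in ADDR_LEN:
            return False
        need = ADDR_LEN[atype]
        return len(addr) == need if need is not None else 1 <= len(addr) <= 255

    def row_is_complete(self):
        """The row may go 'active' iff all MOs hold valid, consistent values."""
        return (all(column_is_valid(c, self.columns.get(c))
                    for c in READ_CREATE_COLUMNS)
                and self.addr_matches_type())

    def set_column(self, principal, name, value):
        """Apply one varbind of a SET; return an SNMPv2 error-status name."""
        if name not in WRITE_POLICY.get(principal, frozenset()):
            return "noAccess"                    # principal may not write it
        if name == "syslDevCtlRowStatus":
            return self._set_row_status(value)
        if self.row_status == ACTIVE:
            return "inconsistentValue"           # must go 'notInService' first
        if not column_is_valid(name, value):
            return "wrongValue"
        self.columns[name] = value
        return "noError"

    def _set_row_status(self, value):
        if value == ACTIVE:
            if not self.row_is_complete():
                return "inconsistentValue"       # some column still invalid
            self.row_status = ACTIVE
        elif value == NOT_IN_SERVICE:
            self.row_status = NOT_IN_SERVICE
        elif value == DESTROY:
            self.columns.clear()
            self.row_status = None
        else:
            return "wrongValue"   # createAndGo/createAndWait: new rows only
        return "noError"


BASE_ROW = {  # constructed row: syslogd bound to 10.0.0.5:514/udp
    "syslDevCtlProcDescr": "syslogd #1", "syslDevCtlBindAddrType": 1,
    "syslDevCtlBindAddr": bytes([10, 0, 0, 5]), "syslDevCtlTransport": 2,
    "syslDevCtlService": "514", "syslDevCtlMaxMessageSize": 1024,
    "syslDevCtlConfFileName": "/etc/syslog.conf", "syslDevCtlStorageType": 3,
}


def run_demo():
    """Replay a constructed sequence of SETs; return (results, row)."""
    row = SyslDevCtlRow(BASE_ROW)
    steps = [
        ("noc-viewer",   "syslDevCtlTransport", 3),        # not authorized
        ("syslog-admin", "syslDevCtlTransport", 3),        # row still active
        ("syslog-admin", "syslDevCtlRowStatus", NOT_IN_SERVICE),
        ("syslog-admin", "syslDevCtlTransport", 7),        # not in enumeration
        ("syslog-admin", "syslDevCtlTransport", 3),        # tcp
        ("syslog-admin", "syslDevCtlBindAddrType", 2),     # ipv6, addr still 4 octets
        ("syslog-admin", "syslDevCtlRowStatus", ACTIVE),   # refused: inconsistent
        ("syslog-admin", "syslDevCtlBindAddr", bytes(16)), # constructed :: address
        ("syslog-admin", "syslDevCtlRowStatus", ACTIVE),
    ]
    return [row.set_column(p, n, v) for p, n, v in steps], row
```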
6. IANA Considerations

   The MIB modules in this document use the following IANA-assigned
   OBJECT IDENTIFIER values recorded in the SMI Numbers registry:

   Descriptor        OBJECT IDENTIFIER value
   ----------        -----------------------
   syslogMIB         { mib-2 YYYY }

   IANA Reg.: Please assign a base arc in the 'mib-2' OID subtree for
   the 'syslogMIB' MODULE-IDENTITY and record the assignment in the
   SMI Numbers registry.

   RFC Ed.: When the above assignments have been made, please
   - remove the above note,
   - replace "YYYY" here with the assigned values, and
   - remove this note.

7. References

7.1 Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2578]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Structure of Management
              Information Version 2 (SMIv2)", STD 58, RFC 2578,
              April 1999.

   [RFC2579]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Textual Conventions for
              SMIv2", STD 58, RFC 2579, April 1999.

   [RFC2580]  McCloghrie, K., Perkins, D., Schoenwaelder, J., Case, J.,
              Rose, M., and S. Waldbusser, "Conformance Statements for
              SMIv2", STD 58, RFC 2580, April 1999.

   [RFC2819]  Waldbusser, S., "Remote Network Monitoring Management
              Information Base", STD 59, RFC 2819, May 2000.

   [RFC3411]  Harrington, D., Presuhn, R., and B. Wijnen, "An
              Architecture for Describing Simple Network Management
              Protocol (SNMP) Management Frameworks", STD 62, RFC 3411,
              December 2002.

   [RFC3231]  Levi, D. and J. Schoenwaelder, "Definitions of Managed
              Objects for Scheduling Management Operations", RFC 3231,
              January 2002.

   [RFC1951]  Deutsch, P., "DEFLATE Compressed Data Format
              Specification version 1.3", RFC 1951, May 1996.

   [RFC3164]  Lonvick, C., "The BSD Syslog Protocol", RFC 3164,
              August 2001.

7.2 Informative References

   [RFC3410]  Case, J., Mundy, R., Partain, D., and B. Stewart,
              "Introduction and Applicability Statements for the
              Internet-Standard Management Framework", RFC 3410,
              December 2002.

8. Acknowledgments

   The initial draft of this document was authored by Bruno Pape.
   The authors would like to thank David Harrington, Mark Ellison,
   Mike MacFaden, Dave T Perkins and members of the WIDE-netman group
   for their comments and suggestions.

9. Author's Addresses

   Glenn Mansfield Keeni
   Cyber Solutions Inc.
   6-6-3 Minami Yoshinari
   Aoba-ku, Sendai 989-3204
   Japan

   Phone: +81-22-303-4012
   EMail: glenn@cysols.com

10. Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on
   an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
   REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE
   OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY
   IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR
   PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed
   to pertain to the implementation or use of the technology described
   in this document or the extent to which any license under such
   rights might or might not be available; nor does it represent that
   it has made any independent effort to identify any such rights.
   Information on the procedures with respect to rights in RFC
   documents can be found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Expires: January 24, 2007 [Page 32] Internet Draft July 25, 2006 APPENDIX This section documents the development of the draft. It will be deleted when the draft becomes an RFC. Revision History: REVISION "200707250000Z" -- 25th July 2006 DESCRIPTION "the internet draft's version number has been changed (7->8). " REVISION "200511250000Z" -- 25th November 2005 DESCRIPTION "A near complete overhaul of the MIB and the document. The BSD-syslog flavor has been abandoned in favor of a more generic syslog-protocol document that is under preparation. TBD. The reference clauses need to be redone once the new syslog document is ready. List of authors changed. Original draft author Bruno Pape is acknowledged in the Acknowldgments section. Editorial nits fixed. " REVISION "200406160000Z" -- Mon Feb 16 00:00 GMT 2004 DESCRIPTION "Major change. The configuration parts have been removed. Updated the description clauses. Editorial nits fixed. " REVISION "200306250000Z" -- Wed June 25 00:00 GMT 2003 DESCRIPTION "Changed the type of syslogProcLastError SnmpAdminString, from Integer32. 
DEFVAL { 0 ] is added to syslogAllowedHostsMaskLen MO name changed from Expires: January 24, 2007 [Page 33] Internet Draft July 25, 2006 syslogCtlSelectionHostname to syslogCtlSelectionHostName Updated the description clauses. Fixed nits pointed out in Bert's mails of 20030319 and revised the document wrt the guidelines in draft-ietf-ops-mib-review-guidelines-01.txt Editorial nits fixed. " REVISION "200303030000Z" -- Mon March 03 00:00 GMT 2003 DESCRIPTION "Fixing of nits in descriptions, addition of references, addition of the following MOs syslogProcMsgsIllFormed Counter32, syslogProcStartTime TimeStamp, syslogProcLastError Integer32, syslogProcLastErrorTime TimeStamp, syslDevCtlStorageType StorageType, syslogCtlFwdActionSrcAddrType InetAddressType, syslogCtlFwdActionSrcAddr InetAddress, added enumeration ''suspended(2)'' to syslDevCtlStatus. " REVISION "200212252343Z" -- Wed December 25 23:43 GMT 2002 DESCRIPTION "Radical revision of the MIB structure and design." REVISION "200206061841Z" -- Thu Jun 6 18:41 GMT 2002 DESCRIPTION "The initial version of this MIB module." Expires: January 24, 2007 [Page 34]
