gmane.ietf.syslog

Syslog message to Remote Rerver

Aditya Dogra (addogra — 2013-02-21T16:25:29

Hi All ,

Currently syslog messages collected locally on the network device are transmitted to the remote syslog servers as per RFC 5424 (UDP protocol used for transmission) and RFC 3195 (TCP protocol used for transmission)

However, we have observed that increasingly, customers are using syslog messages archived in the remote server for business logic .

In some networks, it is possible that some of the syslog messages may be dropped due to link failure or other network conditions.
However, the customers are expecting much higher resiliency for the syslog messages.


The questions we seek clarification are:

a)         What are the expectations from the external syslog delivery?

b)         Should we rely on syslog's alone ? Please note that SNMP traps functionality for network management is also there.?


Your thoughts and suggestions much appreciated.


Regards,
Aditya dogra


_______________________________________________
Syslog mailing list
Syslog< at >ietf.org
https://www.ietf.org/mailman/listinfo/syslog

I-D Action:draft-cloud-log-01.txt (fwd)

Chris Lonvick — 2011-03-16T13:37:49

Hi Folks,

Just passing this along.

Thanks,
Chris

---------- Forwarded message ----------
Date: Mon, 14 Mar 2011 14:45:09 -0700
From: Internet-Drafts< at >ietf.org
To: i-d-announce< at >ietf.org
Subject: I-D Action:draft-cloud-log-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

 Title           : Syslog Extension for Cloud Using Syslog Structured Data
 Author(s)       : G. Golovinsky, et al.
 Filename        : draft-cloud-log-01.txt
 Pages           : 11
 Date            : 2011-03-14

This document provides an open and extensible log format to be used
by any cloud entity or cloud application to log and trace activities
that occur in the cloud.  It is equally applicable for cloud
infrastructure (IaaS), platform (PaaS), and application (SaaS)
services.  CloudLog is defferent in content, but not in nature from
the traditional logging as it takes in account transient nature of
identities and resources in the cloud.

A URL for this Internet-Draft is:
http://www.ietf.org/inter

draft-cloud-log-00 / CEE - why not IPFIX?

Jeroen Massar — 2011-02-15T11:17:28

Hi,

As the subject states, for both this cloud[1] and CEE[2] proposals, why
not use IPFIX instead for structured logging data!?

Greets,
 Jeroen

[1] http://www.ietf.org/id/draft-cloud-log-00.txt
[2] http://cee.mitre.org/
_______________________________________________
Syslog mailing list
Syslog< at >ietf.org
https://www.ietf.org/mailman/listinfo/syslog

I-D Action:draft-gerhards-syslog-plain-tcp-08.txt (fwd)

Chris Lonvick — 2011-02-02T14:39:56

Hi Folks,

I've updated the document to include the reference from Steve Bellovin.

We'd appreciate reviews and feedback.

Thanks,
Chris

---------- Forwarded message ----------
Date: Tue, 01 Feb 2011 18:15:01 -0800
From: Internet-Drafts< at >ietf.org
To: i-d-announce< at >ietf.org
Subject: I-D Action:draft-gerhards-syslog-plain-tcp-08.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.

 Title           : Transmission of Syslog Messages over TCP
 Author(s)       : R. Gerhards, C. Lonvick
 Filename        : draft-gerhards-syslog-plain-tcp-08.txt
 Pages           : 13
 Date            : 2011-02-01

There have been many implementations and deployments of legacy syslog
over TCP for many years.  That protocol has evolved without being
standardized and has proven to be quite interoperable in practice.

The aim of this specification is to document three things: how to
transmit standardized syslog over TCP, how TCP has been used as a
transport for legacy syslog, and how to correlate thes

New syslog/tcp draft available

Chris Lonvick — 2011-01-30T17:01:07

Hi Folks,

We've finally gotten around to revising draft-gerhards-syslog-plain-tcp. 
:-)

This addresses the issues that Tom raised about
- the intro specifically stating what to expect in the body of the text
- a note on the transport security.

For the first, we just sort'a straightened things out with a few edits. 
For the latter, I looked in many places for a list of TCP vulnerabilities 
but couldn't find anything substantial.  The US-CERT had a few 
implementation things and there were a scattering of other things.  In the 
end, I just added a subsection to warn impelemters to look closely before 
writing code.  If anyone has any other suggestions, please let us know.

Thanks,
Chris
_______________________________________________
Syslog mailing list
Syslog< at >ietf.org
https://www.ietf.org/mailman/listinfo/syslog

[Editorial Errata Reported] RFC5424 (2682)

RFC Errata System — 2011-01-08T07:58:56

The following errata report has been submitted for RFC5424,
"The Syslog Protocol".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata_search.php?rfc=5424&eid=2682

--------------------------------------
Type: Editorial
Reported by: VicTor Smirnoff <iamvic< at >rambler.ru>

Section: 6.2.1.

Original Text
-------------
 15             clock daemon (note 2)
(...)
 Table 1.  Syslog Message Facilities



Corrected Text
--------------
 15             clock daemon
(...)
 Table 1.  Syslog Message Facilities


Notes
-----
Note 2 isn't present in this document. It's an artefact from RFC 3164.

Instructions:
-------------
This errata is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party (IESG)
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC5424 (draft-ietf-syslog-protocol-23)
-----

Small draft for Syslog File Storage?

Rainer Gerhards — 2010-11-10T06:24:17

Hi all,

In what we did, we specified the on-the-wire format. However, we did not
specify any format to use when persisting syslog data to a file.

Note that we were very generous when specifying the on-the-wire format, for
example we permit LF, CR, NUL and many other characters considered dangerous
in file formats.

There are many tools available which interpret syslog data stored in text
files. However, different syslog implementations may use slightly different
file formats.

Together with the control character issue, the file format question both has
interoperability AND security issues. I think these would be very easy to fix
if we write a small RFC that specifies how text is to be encoded. It would be
similar, but much smaller to RFC4627 (JSON). Actually, I think we would need
to carry over primarily its section 2.5.

I would volunteer to write an initial draft, but would first like to get some
feedback if this effort has any chance of getting through.

Rainer
__________________________________________

Congrats to everyone

Jon Callas — 2010-10-27T16:34:53

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

on a job well done!

Jon


-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.10.0 (Build 554)
Charset: us-ascii

wj8DBQFMyFR/sTedWZOD3gYRAk48AKDuqgnxzdinIanCM2n8NWDGQyaP1ACg2jQ1
nuHjZ9ZyGCTyqeNVkRHLifk=
=MRX/
-----END PGP SIGNATURE-----
_______________________________________________
Syslog mailing list
Syslog< at >ietf.org
https://www.ietf.org/mailman/listinfo/syslog

Publication of RFC 6012

Chris Lonvick — 2010-10-27T13:12:03

Hi Folks,

I've also not received notification of the publication of syslog/dtls. 
Nonetheless, here it is:
   http://tools.ietf.org/html/rfc6012

I'd like to thank Joe for his editorial skills and perseverence, as well 
as Tom, Rainer, and Hongyan for merging their original proposals into a 
workable document.  Also, thanks to the people on the list who reviewed 
the document and sent in their comments - that's what makes the IETF work.

Thanks,
Chris
_______________________________________________
Syslog mailing list
Syslog< at >ietf.org
https://www.ietf.org/mailman/listinfo/syslog

Conclusion of the syslog WG - THANK YOU!

Chris Lonvick — 2010-10-27T13:07:26

Hi Folks,

I totally missed Sean's message from yesterday (can't even find it in the 
deleted bin).
   http://www.ietf.org/mail-archive/web/syslog/current/msg02634.html

With that, I'd like to thank everyone who has participated in this Working 
Group throughout the years.  Your participation has helped create a set of 
documents that standardizes the transport and security of log messages. 
While we went through a few rough spots, overall, I think that the effort 
has paid off.

All of the authors of the documents have been outstanding and I thank you 
for your effort and patience.

I would also like to recognize the IESG members and especially our 
Advisors: Jeff Schiller, Marcus Leach, Steve Bellovin, Sam Hartman, Pasi 
Eronen, and Sean Turner.

And a final thank you to David Harrington who picked up a lot of the 
effort as my co-chair for some of the more interesting years.


The mailing list will remain active and we can use it to discuss 
implementations and related work.

Thanks,
Chris
_______________

I-D ACTION:draft-cloud-log-00.txt (fwd)

Chris Lonvick — 2010-10-19T16:14:19

Hi,

I figured that people might be interested in this.  Please contact the 
authors if you have comments.

Thanks,
Chris

---------- Forwarded message ----------
Date: Fri, 15 Oct 2010 14:15:01 -0700 (PDT)
From: Internet-Drafts< at >ietf.org
To: i-d-announce< at >ietf.org
Subject: I-D ACTION:draft-cloud-log-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts
directories.


 Title: Syslog Extension for Cloud Using Syslog Structured Data

 Author(s): G. Golovinsky, S. Johnston, Z. Fox
 Filename: draft-cloud-log-00.txt
 Pages: 9
 Date: 2010-10-15

This document provides an open and extensible log format to be used
    by any cloud entity or cloud application to log and trace activities
    that occur in the cloud.  It is equally applicable for cloud
    infrastructure (IaaS), platform (PaaS), and application (SaaS)
    services.  CloudLog is defferent in content, but not in nature from
    the traditional logging as it takes in account transient nature of
    identities and resources

I-D ACTION:draft-cloud-log-00.txt (fwd)

Chris Lonvick — 2010-10-19T16:14:19

Hi,

I figured that people might be interested in this.  Please contact the 
authors if you have comments.

Thanks,
Chris

---------- Forwarded message ----------
Date: Fri, 15 Oct 2010 14:15:01 -0700 (PDT)
From: Internet-Drafts< at >ietf.org
To: i-d-announce< at >ietf.org
Subject: I-D ACTION:draft-cloud-log-00.txt

A New Internet-Draft is available from the on-line Internet-Drafts
directories.


 Title: Syslog Extension for Cloud Using Syslog Structured Data

 Author(s): G. Golovinsky, S. Johnston, Z. Fox
 Filename: draft-cloud-log-00.txt
 Pages: 9
 Date: 2010-10-15

This document provides an open and extensible log format to be used
    by any cloud entity or cloud application to log and trace activities
    that occur in the cloud.  It is equally applicable for cloud
    infrastructure (IaaS), platform (PaaS), and application (SaaS)
    services.  CloudLog is defferent in content, but not in nature from
    the traditional logging as it takes in account transient nature of
    identities and resources

New Version Notification for draft-gerhards-syslog-plain-tcp-05 (fwd)

Chris Lonvick — 2010-10-01T20:16:03

Hi Folks,

While this is a non-WG item, there are some people interested.  I've 
updated the syslog/tcp draft and I'll invite reviews and comments.

Thanks,
Chris

---------- Forwarded message ----------
Date: Thu, 30 Sep 2010 09:04:15 -0700 (PDT)
From: IETF I-D Submission Tool <idsubmission< at >ietf.org>
To: clonvick< at >cisco.com
Cc: rgerhards< at >adiscon.com
Subject: New Version Notification for draft-gerhards-syslog-plain-tcp-05


A new version of I-D, draft-gerhards-syslog-plain-tcp-05.txt has been successfully submitted by Chris Lonvick and posted to the IETF repository.

Filename: draft-gerhards-syslog-plain-tcp
Revision: 05
Title: Transmission of Syslog Messages over TCP
Creation_date: 2010-09-30
WG ID: Independent Submission
Number_of_pages: 14

Abstract:
There have been many implementations and deployments of legacy syslog
over TCP for many years.  That protocol has evolved without being
standardized and has proven to be quite interoperable in practice.

The aim of this specification is to document thre

Update on syslog/dtls

Chris Lonvick — 2010-10-01T20:12:58

Hi Folks,

Just so everyone is aware, syslog/dtls is in AUTH48.  One of the authors 
got the notification just before going on holiday so won't be able to 
review it for about two weeks.  The others have either ok'd it or are busy 
reviewing it right now.  ..I'm certain.

Thanks,
Chris
_______________________________________________
Syslog mailing list
Syslog< at >ietf.org
https://www.ietf.org/mailman/listinfo/syslog

Protocol Action: 'Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog' to Proposed Standard (fwd)

Chris Lonvick — 2010-07-08T17:09:16

Hi Folks,

Congratulations to the authors and to everyone who helped out in getting 
this completed.  :-)

We have now completed all of our Charter items so David and I will start 
talking with Sean about closing the WG.  I expect that we'll stay active 
through the AUTH48 period to make sure that gets done.

Many thanks to all,
Chris


---------- Forwarded message ----------
Date: Thu,  8 Jul 2010 09:39:35 -0700 (PDT)
From: The IESG <iesg-secretary< at >ietf.org>
To: IETF-Announce <ietf-announce< at >ietf.org>
Cc: Internet Architecture Board <iab< at >iab.org>,
     RFC Editor <rfc-editor< at >rfc-editor.org>,
     syslog mailing list <syslog< at >ietf.org>,
     syslog chair <syslog-chairs< at >tools.ietf.org>
Subject: Protocol Action: 'Datagram Transport Layer Security (DTLS) Transport
     Mapping for Syslog' to Proposed Standard

The IESG has approved the following document:

- 'Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog '
    <draft-ietf-syslog-dtls-06.txt> as a Proposed Standard


This document is the pr

I-D Action:draft-ietf-syslog-dtls-06.txt

2010-07-08T05:30:03

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Security Issues in Network Event Logging Working Group of the IETF.


Title           : Datagram Transport Layer Security (DTLS) Transport Mapping for Syslog
Author(s)       : J. Salowey, et al.
Filename        : draft-ietf-syslog-dtls-06.txt
Pages           : 19
Date            : 2010-07-07

This document describes the transport of syslog messages over DTLS
(Datagram Transport Level Security).  It provides a secure transport
for syslog messages in cases where a connection-less transport is
desired.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-dtls-06.txt

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
_______________________________________________
Syslog mai

Udate on open issues - 22 June 2010

Chris Lonvick — 2010-06-23T02:18:51

Hi Folks,

We're getting close so I wanted to let everyone know where we are with 
these.  I'd like to close these out by this FRIDAY, 25 June 2010.

Here's where we stand on the open issues:

Issue 1 - COMMENT from Alexy
STATUS: Combined with Issue 10

Issue 2 - Fragmentation
STATUS: Combined with Issue 10

Issue 3 - Text revision from GENART review
STATUS: Joe composed text.

Issue 4 - Service code subregistry
STATUS: Tacit approval from the WG.  Joe using proposed text.

Issue 5 - Reference
STATUS: Tacit approval from the WG.  Joe using proposed text.

Issue 6 - Reference 2
STATUS: Sean agrees with proposed text.  Joe to incorporate.

Issue 7 - text
STATUS: Joe using proposed text.

Issue 8 - Tim Polk DISCUSS
STATUS: Discussion ongoing.  Looking for resolution.

Issue 9, 9a, and 9b - from a Tim Polk COMMENT
STATUS: 9 and 9a discussed and resolved.  Joe proposed text for 9b.

Issue 10 - Jari Arrko DISCUSS
STATUS: Same as Issus 1 and 2.  Joe using proposed text.

Issue 11 - Adrian Farrel DISCUSS
STATUS: CLO

Issue 16 - Security Policies

Chris Lonvick — 2010-06-19T03:45:30

SECDIR reviewer said:

Section 7 says "The security policies for syslog over DTLS are the
same as those described in [RFC5425]." Does that mean that all the
normative text in section 5 of RFC 5425 applies to implementations
of this document as well? I hope so but if that's the intent, it
should be explicitly stated (for example by adding the text "and
all the normative requirements of section 5 of [RFC5425] apply").

My comment back to the reviewer and the IESG was:
"That is the intent and the added text looks good."

ACTION: Comments?

Thanks,
Chris
_______________________________________________
Syslog mailing list
Syslog< at >ietf.org
https://www.ietf.org/mailman/listinfo/syslog

Issue 15 - DoS measures

Chris Lonvick — 2010-06-19T03:44:33

SECDIR reviewer said:

Section 5.3 says "Implementations MUST support the denial of service
countermeasures defined by DTLS." That's good but it's not clear
whether this means that these countermeasures MUST always be enabled.
Since that is not explicitly stated, it seems that a server could
have those countermeasures enabled by default and a client could
have them disabled by default. That would result in a client and
server that would not interoperate until the administrator tracked
down the problem and changed their configuration. I suggest that
the document be changed to require not only that implementations
support these countermeasures but that they be enabled by default.

My response was:
"Good catch."

ACTION:  Comments?

Thanks,
Chris
_______________________________________________
Syslog mailing list
Syslog< at >ietf.org
https://www.ietf.org/mailman/listinfo/syslog

Issue 14 - Unreliable Delivery

Chris Lonvick — 2010-06-19T03:41:47

SECDIR Reviewer comments:

One difference between the security considerations for syslog over
DTLS and those for syslog over TLS (unnoted in the current Security
Considerations section) is that DTLS does not provide retransmission.
If an attacker can cause a packet to be dropped (especially one
carrying significant information about an attack), the transport
receiver may not consider this a significant event and so the syslog
server may be completely unaware of the occurrence. This contrasts
with syslog over TLS where a dropped packet would be retransmitted
until acknowledged or until the TLS connection goes down (indicating
to the transport sender and receiver and perhaps to the syslog client
and server that a significant event has occurred). Maybe it would be
a good idea to recommend that the transport receiver notice gaps in
the DTLS sequence numbers and notify the syslog server. Still, this
is not as good from a security standpoint as syslog over TLS since
none of the client code will be aware that the d

secdir review of draft-ietf-syslog-dtls-05 (fwd)

Chris Lonvick — 2010-06-19T03:35:36

Hi Folks,

This one slipped past me.  :-(

Don't comment on this as I'm going to open up three additional issues 
which I think will be easy to resolve.

Thanks,
Chris


-----Original Message-----
From: Stephen Hanna [mailto:shanna< at >juniper.net]
Sent: Monday, May 17, 2010 6:13 PM
To: draft-ietf-syslog-dtls.all< at >tools.ietf.org
Cc: secdir< at >ietf.org; iesg< at >ietf.org
Subject: secdir review of draft-ietf-syslog-dtls-05

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other comments.

This document defines a DTLS transport for syslog. The document is
well-written, clear, and seems to serve a worthwhile purpose.

Although the security considerations section is brief (mainly just
referring to the security considerations in RFC 5425, RFC 5246,
and RFC 4347), it is largely a