--- 1/draft-ietf-opsawg-syslog-alarm-01.txt 2009-05-27 01:12:10.000000000 +0200 +++ 2/draft-ietf-opsawg-syslog-alarm-02.txt 2009-05-27 01:12:10.000000000 +0200 @@ -1,106 +1,114 @@ Network Working Group S. Chisholm Internet-Draft Nortel Intended status: Standards Track R. Gerhards -Expires: May 6, 2009 Adiscon GmbH - November 2, 2008 +Expires: November 27, 2009 Adiscon GmbH + May 26, 2009 Alarms in SYSLOG - draft-ietf-opsawg-syslog-alarm-01.txt + draft-ietf-opsawg-syslog-alarm-02.txt Status of this Memo - By submitting this Internet-Draft, each author represents that any - applicable patent or other IPR claims of which he or she is aware - have been or will be disclosed, and any of which he or she becomes - aware will be disclosed, in accordance with Section 6 of BCP 79. + This Internet-Draft is submitted to IETF in full conformance with the + provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. + Task Force (IETF), its areas, and its working groups. Note that other + groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. - This Internet-Draft will expire on May 6, 2009. + This Internet-Draft will expire on November 27, 2009. Copyright Notice - Copyright (C) The IETF Trust (2008). + Copyright (c) 2009 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents in effect on the date of + publication of this document (http://trustee.ietf.org/license-info). + Please review these documents carefully, as they describe your rights + and restrictions with respect to this document. Abstract This document describes how to send alarm information in syslog. It includes the mapping of ITU perceived severities onto syslog message - fields. + fields and a number of alarm-specific SD-PARAM definitions from X.733 + and the IETF Alarm MIB. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 1.1. terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Severity Mapping . . . . . . . . . . . . . . . . . . . . . . . 4 3. Alarm STRUCTURED-DATA Elements . . . . . . . . . . . . . . . . 5 - 3.1. alarmedResource . . . . . . . . . . . . . . . . . . . . . 5 + 3.1. resource . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.2. probableCause . . . . . . . . . . . . . . . . . . . . . . 5 3.3. perceivedSeverity . . . . . . . . . . . . . . . . . . . . 5 3.4. eventType . . . . . . . . . . . . . . . . . . . . . . . . 6 3.5. trendIndication . . . . . . . . . . . . . . . . . . . . . 6 - 3.6. resourceMapping . . . . . . . . . . . . . . . . . . . . . 6 - 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 - 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 - 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 - 7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 - 7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 - 7.2. Informative References . . . . . . . . . . . . . . . . . . 10 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 - Intellectual Property and Copyright Statements . . . . . . . . . . 12 + 3.6. resourceURI . . . . . . . . . . . . . . . . . . . . . . . 6 + 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 + 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 + 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 + 8.1. Normative References . . . . . . . . . . . . . . . . . . . 12 + 8.2. Informative References . . . . . . . . . . . . . . . . . . 12 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13 + Intellectual Property and Copyright Statements . . . . . . . . . . 14 1. Introduction In addition to sending out alarm information asynchronously via protocols such as SNMP or Netconf, many implementations also log alarms via syslog. This memo defines a set of SD-PARAM to support logging and defines a mapping of syslog severity to the severity of the alarm. -1.1. terminology + The Alarm MIB (RFC 3877) included mandatory alarm fields from X.733 + as well as information from X.736. In additional, the Alarm MIB + introduced its own alarm fields. This memo reuses terminology and + fields from the Alarm MIB. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this - document are to be interpreted as described in RFC2119 [RFC2119]. + document are to be interpreted as described in [RFC2119]. Alarm related terminology is defined in [RFC3877]. 2. Severity Mapping - The Alarm MIB RFC3877 [RFC3877] defines ITU perceived severities - which are useful to be able to relate to the syslog message fields, + The Alarm MIB [RFC3877] defines ITU perceived severities which are + useful to be able to relate to the syslog message fields, particularly in the case where alarms are being logged. This memo describes the representation of ITU perceived severities in - appropriate syslog fields described in [Syslog]. Syslog offers both + appropriate syslog fields described in [RFC5424]. Syslog offers both a so-called SEVERITY as well as STRUCTURED-DATA. Due to constraints in syslog, there is no one-to-one mapping possible for SEVERITY. A STRUCTURED-DATA element is defined to allow inclusion of the unmodified ITU perceived severity. Syslog supports severity values different from ITU perceived - severities. These are defined in section 6.2.1 of [Syslog]. The + severities. These are defined in section 6.2.1 of [RFC5424]. The mapping shown in table 1 below SHOULD be used to map ITU perceived severities to syslog severities. ITU Perceived Severity syslog SEVERITY (Name) Critical 1 (Alert) Major 2 (Critical) Minor 3 (Error) Warning 4 (Warning) Indeterminate 5 (Notice) Cleared 5 (Notice) @@ -116,134 +124,193 @@ o Resource Under Alarm o Probable Cause o Event Type o Perceived Severity o Trend Indication - o Resource Mapping + o Resource URI - Support of the alarm SD-ID is optional, but once supported some of + Support of the "alarm" SD-ID is optional, but once supported some of the SD-PARARMS are mandatory. -3.1. alarmedResource +3.1. resource - If the alarm SD-ID is supported, the alarmResource SD-PARAM MUST be + If the "alarm" SD-ID is supported, the "resource" SD-PARAM MUST be supported. This item uniquely identifies the resource under alarm within the scope of a network element. 3.2. probableCause - If the alarm SD-ID is supported, the probableCause SD-PARAM MUST be - supported. This parameter is the mnemonic associated with the + If the "alarm" SD-ID is supported, the "probableCause" SD-PARAM MUST + be supported. This parameter is the mnemonic associated with the IANAItuProbableCause object defined within [RFC3877] and any subsequent extensions defined by IANA. For example, IANAItuProbableCause defines a transmission failure to a probable cause of 'transmissionError (10)'. The value of the parameter in this case would be 'transmissionError'" 3.3. perceivedSeverity - If the alarm SD-ID is supported, the perceivedSeverity SD-PARAM MUST - be supported. Similar to the definition of perceived severity in - [X.736] and [RFC3877], this object can take the following values: + If the "alarm" SD-ID is supported, the "perceivedSeverity" SD-PARAM + MUST be supported. Similar to the definition of perceived severity + in [X.736] and [RFC3877], this object can take the following values: o cleared o indeterminate o critical o major o minor o warning See section 2 for the relationship between this severity and syslog severity. 3.4. eventType - If the alarm SD-ID is supported, the eventType SD-PARAM SHOULD be + If the "alarm" SD-ID is supported, the "eventType" SD-PARAM SHOULD be supported. This parameter is the mnemonic associated with the IANAItuEventType object defined within [RFC3877] and any subsequent extensions defined by IANA. For example, IANAItuEventType defines a environmental alarm to a event type of 'environmentalAlarm (6)'. The value of the parameter in this case would be 'environmentalAlarm'" 3.5. trendIndication - If the alarm SD-ID is supported, the trendIndication SD-PARAM SHOULD - be supported. Similar to the definition of perceived severity in - [X.733] and [RFC3877], this object can take the following values: + If the "alarm" SD-ID is supported, the "trendIndication" SD-PARAM + SHOULD be supported. Similar to the definition of perceived severity + in [X.733] and [RFC3877], this object can take the following values: o moreSevere o noChange o lessSevere -3.6. resourceMapping +3.6. resourceURI - If the alarm SD-ID is supported, the resourceMapping SD-PARAM SHOULD - be supported. This item uniquely identifies the resource under alarm - within the scope of a network element. This must be the same value - as alarmActiveResourceId [RFC3877] for this alarm or follow similar - semantics if the Alarm MIB is not supported. + If the "alarm" SD-ID is supported, the "resourceURI" SD-PARAM SHOULD + be supported. This item uniquely identifies the resource under + alarm. -4. Security Considerations + The value of this field MUST conform to the URI definition in + [RFC1738] and its updates. In the case of an SNMP resource, the + syntax in [RFC4088] MUST be used and "resourceURI" must point to the + same resource as alarmActiveResourceId [RFC3877] for this alarm. + + Both the "resource" and the "resourceURI" parameters point at the + resource experiencing the alarm, but the "resourceURI" has syntactic + constraint requiring it to be a URI. This makes it easy to correlate + this syslog alarm with any alarms that are received via other + protocols, such as SNMP or to use SNMP or other protocols to get + additional information about this resource. + +4. Examples + + Example 1 - Mandatory Alarm Information + + <165>1 2003-10-11T22:14:15.003Z mymachine.example.com + evntslog - ID47 [exampleSDID@32473 iut="3" eventSource= + "Application" eventID="1011"][alarm resource="su root" + probableCause="unauthorizedAccessAttempt" + perceivedSeverity="major"] + BOMAn application event log entry... + + In this example, extended from [Syslog], the VERSION is 1 and the + Facility has the value of 4. The severity is 2. The message was + created on 11 October 2003 at 10:14:15pm UTC, 3 milliseconds into the + next second. The message originated from a host that identifies + itself as "mymachine.example.com". The APP-NAME is "su" and the + PROCID is unknown. The MSGID is "ID47". We have included both the + structured data from the original example, a single element with the + value "[exampleSDID@0 iut="3" eventSource="Application" + eventID="1011"]" and a new one with the alarm information defined in + this memo. The alarm SD-ID contains the mandatory SD-PARAMS of + resource, probableCause and preceivedSeverity. The MSG itself is "An + application event log entry..." The BOM at the beginning of MSG + indicates UTF-8 encoding. + + Example 2 - Additional Alarm Information + + <165>1 2004-11-10T20:15:15.003Z mymachine.example.com + evntslog - ID48 [alarm resource="interface 42" + probableCause="unauthorizedAccessAttempt" + perceivedSeverity="major" + eventType="communicationsAlarm" + resourceURI ="snmp://example.com//1.3.6.1.2.1.2.2.1.1.42"] + + In this example, we include two optional alarm fields - eventType and + resourceURI. + +5. Security Considerations In addition to general syslog security considerations discussed in - [Syslog], the information contained with alarms may provide hackers + [RFC5424], the information contained with alarms may provide hackers with helpful information about parts of the system currently experiencing stress as well as general information about the system such as inventory. Users should not have access to information in alarms that their normal access permissions would not permit if the information was accessed in another manner. -5. IANA Considerations + There is no standardized access control model for SYSLOG and hence + the ability to filter alarms based on a notion of a receiver identity + is at best implementation specific. + +6. IANA Considerations IANA is requested to register the SD-IDs and PARAM-NAMEs shown below: SD-ID PARAM-NAME alarm OPTIONAL - alarmedResource MANDATORY + resource MANDATORY probableCause MANDATORY perceivedSeverity MANDATORY eventType OPTIONAL trendIndication OPTIONAL - resourceMapping OPTIONAL + resourceURI OPTIONAL -6. Acknowledgments +7. Acknowledgments Thanks to members of the Syslog and OPSAWG work group who contributed - to this specification. + to this specification. We'd also like to thank Juergen + Schoenwaelder, Dave Harrington, Wes Hardaker and Randy Presuhn for + their reviews. -7. References +8. References -7.1. Normative References +8.1. Normative References + + [RFC1738] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform + Resource Locators (URL)", RFC 1738, December 1994. [RFC2119] Bradner, s., "Key words for RFCs to Indicate Requirements Levels", RFC 2119, March 1997. [RFC3877] Chisholm, S. and D. Romascanu, "Alarm Management Information Base (MIB)", RFC 3877, September 2004. - [Syslog] Gerhards, Rainer., "The syslog Protocol", - ID draft-ietf-syslog-protocol-19.txt, November 2006. + [RFC4088] Black, D., McCloghrie, K., and J. Schoenwaelder, "Uniform + Resource Identifier (URI) Scheme for the Simple Network + Management Protocol (SNMP)", RFC 4088, June 2005. -7.2. Informative References + [RFC5424] Gerhards, R., "The syslog Protocol", RFC 5424, March 2009. + +8.2. Informative References [X.733] ITU-T, ""Information Technology - Open Systems Interconnection - System Management: Alarm Reporting Function"", ITU-T X.733, 1992. [X.736] ITU-T, ""Information Technology - Open Systems Interconnection - System Management: Security Alarm Reporting Function"", ITU-T X.736, 1992. Authors' Addresses @@ -256,55 +323,10 @@ Email: schishol@nortel.com Rainer Gerhards Adiscon GmbH Mozartstrasse 21 Grossrinderfeld, BW 97950 Germany Email: rgerhards@adiscon.com - -Full Copyright Statement - - Copyright (C) The IETF Trust (2008). - - This document is subject to the rights, licenses and restrictions - contained in BCP 78, and except as set forth therein, the authors - retain all their rights. - - This document and the information contained herein are provided on an - "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS - OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND - THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS - OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF - THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Intellectual Property - - The IETF takes no position regarding the validity or scope of any - Intellectual Property Rights or other rights that might be claimed to - pertain to the implementation or use of the technology described in - this document or the extent to which any license under such rights - might or might not be available; nor does it represent that it has - made any independent effort to identify any such rights. Information - on the procedures with respect to rights in RFC documents can be - found in BCP 78 and BCP 79. - - Copies of IPR disclosures made to the IETF Secretariat and any - assurances of licenses to be made available, or the result of an - attempt made to obtain a general license or permission for the use of - such proprietary rights by implementers or users of this - specification can be obtained from the IETF on-line IPR repository at - http://www.ietf.org/ipr. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights that may cover technology that may be required to implement - this standard. Please address the information to the IETF at - ietf-ipr@ietf.org. - -Acknowledgment - - Funding for the RFC Editor function is provided by the IETF - Administrative Support Activity (IASA).