Bob,

Syslog message severity is set in RFC 5424 Table 2. The model in 
draft-ietf-netmod-syslog-model-23 conforms to that specification. A lower 
number means higher severity.

The severity-filter specifies that “all messages of the specified severity and 
greater match” and therefore will be selected. This conforms to the way that 
many vendors that we evaluated perform syslog message severity match selection.

Juniper Example:
https://www.juniper.net/documentation/en_US/junos12.3/topics/task/configuration/syslog-single-chassis-facility-severity-messages-specifying.html

“Messages from the facility that are rated at that level or higher are logged 
to the destination”

Linux rsyslogd Example:
http://www.rsyslog.com/doc/v8-stable/configuration/filters.html#selectors

“The behavior of the original BSD syslogd is that all messages of the specified 
priority and higher are logged according to the given action. Rsyslogd behaves 
the same…”

Changing the table to match higher severity to higher number means that we 
would not conform to RFC 5424.

Note: I do see a typo in the description for severity-filter (the word “use” is 
missing):

else compare message severity with the specified severity
          according to the default compare rule (all messages of the
          specified severity and greater match) or if the
          select-adv-compare feature is present, the advance-compare
          rule.

should be:

else compare message severity with the specified severity
          according to the default compare rule (all messages of the
          specified severity and greater match) or if the
          select-adv-compare feature is present, use the advance-compare
          rule.

Thanks,

Clyde

From: netmod <netmod-boun...@ietf.org> on behalf of Bob Harold 
<rharo...@umich.edu>
Date: Friday, March 2, 2018 at 12:33 PM
To: "netmod@ietf.org" <netmod@ietf.org>
Subject: [netmod] draft-ietf-netmod-syslog-model-23

Sorry for being late to the discussion - just joined this group.

Can we have "higher severity" match "higher number" in the enumerated values, 
to avoid confusion?

In section 4.1.  The ietf-syslog Module
on Page 11

typedef syslog-severity {

-- should be in the order:
debug=0
emergency=7

because "severity-filter" uses "equals-or-higher" which means "higher severity" 
but should also mean "higher number" to avoid confusion.
--
Bob Harold
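
Added illustration, not part of the thread or of the draft: the default compare rule discussed above ("all messages of the specified severity and greater match"), applied to the severity decoded from the PRI field of RFC 5424 messages. The function names, the short severity labels and the sample messages are constructed for this example.

```python
import re

# RFC 5424 Table 2 numeric severities: a lower number means higher severity.
# The short labels are this example's names for those values (assumption).
SEVERITY = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}

PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(line):
    """Return (facility, severity) decoded from the leading <PRI> field."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing PRI field")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest valid PRI value
        raise ValueError("PRI out of range")
    return divmod(pri, 8)  # PRI = facility * 8 + severity

def severity_matches(msg_severity, threshold_name):
    """Default compare rule: the specified severity and greater match.
    Greater severity is a numerically lower (or equal) value."""
    return msg_severity <= SEVERITY[threshold_name]

def select(lines, threshold_name):
    """Return the messages whose severity passes the filter."""
    return [l for l in lines
            if severity_matches(parse_pri(l)[1], threshold_name)]

# Constructed sample messages (not taken from the thread).
SAMPLE = [
    "<34>1 2018-03-02T12:33:00Z host1 su - ID47 - auth failure",       # critical (2)
    "<165>1 2018-03-02T12:33:01Z host1 app - ID48 - config reloaded",  # notice (5)
    "<15>1 2018-03-02T12:33:02Z host1 cron - ID49 - debug trace",      # debug (7)
    "<0>1 2018-03-02T12:33:03Z host1 kernel - ID50 - panic",           # emergency (0)
]

if __name__ == "__main__":
    for name in ("emergency", "error", "debug"):
        print(name, "->", len(select(SAMPLE, name)), "message(s) selected")
```

A filter written with the comparison reversed (`>=`) would select only the debug message at threshold "error" and drop the critical and emergency ones, which is the confusion the numeric ordering can cause in collection rules.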