On Thu, Sep 19, 2013 at 07:00:52AM -0400, Tom Taylor wrote:
> In Behave, we are dealing with a potential logging architecture
> where Device A generates the content but exports it in the form of
> IPFIX records. Device B reformats the content into SYSLOG event
> reports.
>
> Up to now I interpreted the first sentence of Section 6.2.4 to mean
> that the HOSTNAME field in the SYSLOG header had to identify Device
> B.
>
> "The HOSTNAME field identifies the machine that originally sent the
> syslog message."
>
> This meant that I had to define another field to identify Device A.
>
> However, the very next paragraph says:
>
> "The HOSTNAME field SHOULD contain the hostname and the domain name of
> the originator in the format specified in STD 13 [RFC1034]."
>
> So there are grounds for identifying Device A in the HOSTNAME field.
>
> Any opinions one way or another? I'll go with Device A in the
> HOSTNAME field unless there are objections.

I can't tell what is right or wrong here but back in the day when we
did RFC 5675, we decided to have the real originator of the
notification encoded in the structured data element. Of course, since
RFC 5675 talks about SNMP notifications, we identify the source using
an SNMP context and not by a hostname. RFC 5675 actually says:

   The VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, and MSGID fields
   in the SYSLOG message header are filled with values that are specific
   to the system on which the SNMP-to-SYSLOG translator is running. The
   character set used in the HEADER MUST be seven-bit ASCII in an
   eight-bit field, as described in [RFC5424].

I think this implies that the HOSTNAME contains the name of the host
on which the translator is running, not the HOSTNAME of the SNMP agent
emitting the notification (which BTW may not be known in this case
since there can be SNMP proxies).

I would have to dig deeper into IPFIX to understand whether you can
always find out the hostname of the originator (since there might be
mediators involved as well) or whether there is another reliable way
to identify an IPFIX exporter.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
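
The RFC 5675 approach described in the reply above (HEADER fields name the translator, the real originator travels in a structured data element), as an added Python example that is not part of the original thread. The SD-ID `exporter@32473`, the parameter names and all sample values are constructed for illustration.

```python
import re

# Hypothetical private SD-ID; 32473 is the enterprise number reserved
# for documentation examples. Not defined by any RFC discussed above.
SD_ID = "exporter@32473"
_PRINTUSASCII = re.compile(r"[\x21-\x7e]+")  # RFC 5424 PRINTUSASCII
_SD_NAME = re.compile(r"[\x21\x23-\x3c\x3e-\x5c\x5e-\x7e]{1,32}")  # no = SP ] "


def header_field(value, max_len):
    """Return a HEADER field, or NILVALUE '-' when the value is unusable."""
    if value and len(value) <= max_len and _PRINTUSASCII.fullmatch(value):
        return value
    return "-"


def sd_param(name, value):
    """Format one SD-PARAM, escaping backslash, '"' and ']' (RFC 5424)."""
    if not _SD_NAME.fullmatch(name):
        raise ValueError("invalid SD-NAME: %r" % name)
    escaped = re.sub(r'([\\"\]])', r"\\\1", value)
    return '%s="%s"' % (name, escaped)


def translate(pri, timestamp, translator_host, app, msgid, originator, msg):
    """Build a syslog line whose HEADER describes the translator (Device B)
    and whose structured data element identifies the originator (Device A)."""
    params = " ".join(sd_param(k, v) for k, v in originator.items())
    sd = "[%s %s]" % (SD_ID, params) if params else "-"
    header = "<%d>1 %s %s %s - %s" % (
        pri, timestamp,
        header_field(translator_host, 255),
        header_field(app, 48),
        header_field(msgid, 32),
    )
    return "%s %s %s" % (header, sd, msg)


# Constructed sample: an IPFIX exporter seen by a translator host.
SAMPLE = translate(
    134, "2013-09-19T11:00:52Z", "translator.example.net", "ipfix2syslog",
    "NAT44", {"exporterAddr": "192.0.2.10", "obsDomain": "42"},
    "session created",
)
```

Keeping the originator in structured data means the HOSTNAME stays a value the translator can vouch for, while the exporter identity (which may have passed through mediators) is recorded as reported data.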
