On 19 Sep 2013, at 6:37, Andrew Feren wrote:
On 09/19/2013 08:56 AM, Tom Taylor wrote:
On 19/09/2013 8:07 AM, Juergen Schoenwaelder wrote:
On Thu, Sep 19, 2013 at 07:00:52AM -0400, Tom Taylor wrote:
In Behave, we are dealing with a potential logging architecture
where Device A generates the content but exports it in the form of
IPFIX records. Device B reformats the content into SYSLOG event
reports.
...
I would have to dig deeper into IPFIX to understand whether you can
always find out the hostname of the originator (since there might be
mediators involved as well) or whether there is another reliable way
to identify an IPFIX exporter.
/js
[PTT] Good point about IPFIX. RFC 5102 defines exporter IP address
fields, but not exporter name.
I think the not yet assigned "originalExporterIPv4Address" in
draft-ietf-ipfix-mediation-protocol may be closer to what you are
looking for. Although that draft also has no originalExporterName
defined. Perhaps some name equivalents should be requested.
FWIW very recently 7012 obsoleted 5102 and "The IANA "IPFIX Information
Elements" registry [IANA-IPFIX] is the current complete reference for
IPFIX Information Elements." Still no exporterName element though.
:-)
As to the original question, I think it is much more useful if HOSTNAME
is Device A (the original source of the log).
I would agree with Andrew in both points. A field would be best,
however, in the absence of such a field, the HOSTNAME should be from
Device A, not Device B.
Christopher
-Andrew
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
--
李柯睿
Check my PGP key here: http://www.asgaard.org/cdl/cdl.asc
Current vCard here: http://www.asgaard.org/cdl/cdl.vcf
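
The HOSTNAME choice discussed in this thread, as an added example that is not part of the original messages: a sketch of Device B building an RFC 5424 line whose HOSTNAME identifies Device A, using the exporter address elements named above. It assumes the IPFIX record is already decoded into a dict; the `names` lookup table, the `relay@32473` structured-data element and the `ipfix2syslog` APP-NAME are hypothetical.

```python
import ipaddress
from datetime import datetime, timezone

NILVALUE = "-"  # RFC 5424 value for an unknown header field
# Checked in order: the mediation-draft element first, then the RFC 5102 one.
ORIGINATOR_FIELDS = ("originalExporterIPv4Address", "exporterIPv4Address")


def _is_hostname_token(text):
    """RFC 5424 HOSTNAME: 1-255 printable US-ASCII characters, no spaces."""
    return 0 < len(text) <= 255 and all(33 <= ord(c) <= 126 for c in text)


def originator_hostname(record, names=None):
    """Return the HOSTNAME for Device A from a decoded IPFIX record (a dict)."""
    for field in ORIGINATOR_FIELDS:
        try:
            addr = str(ipaddress.IPv4Address(record[field]))
        except (KeyError, ValueError):
            continue  # element absent or not a valid IPv4 address
        name = (names or {}).get(addr, addr)
        return name if _is_hostname_token(name) else addr
    return NILVALUE  # never substitute Device B's own name


def to_syslog(record, msg, relay, names=None, pri=134, app="ipfix2syslog", ts=None):
    """Build an RFC 5424 line; Device B appears in structured data only."""
    ts = (ts or datetime.now(timezone.utc)).astimezone(timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    # Escape the characters RFC 5424 requires escaping in a PARAM-VALUE.
    for ch in ("\\", '"', "]"):
        relay = relay.replace(ch, "\\" + ch)
    sd = f'[relay@32473 name="{relay}"]'  # 32473: documentation enterprise number
    host = originator_hostname(record, names)
    return f"<{pri}>1 {stamp} {host} {app} - - {sd} {msg}"  # pri 134 = local0.info


if __name__ == "__main__":
    # Constructed sample record using documentation address ranges.
    sample = {"exporterIPv4Address": "192.0.2.10",
              "originalExporterIPv4Address": "198.51.100.7"}
    print(to_syslog(sample, "NAT session created", "device-b.example.net"))
```

When neither element is present the header carries the NILVALUE, so a consumer can tell "originator unknown" apart from a log that Device B itself produced.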