Hi,
I have a question concerning the semantics of the origin SD-ID defined
in section 7.2 of <draft-ietf-syslog-protocol-23.txt>. The text talks
about the "originator" of a message. The definition of "originator" is
provided in section 3:

   o  An "originator" generates syslog content to be carried in a
      message.

I am facing a situation which looks as follows:

  box A                       box B
+-------+    non-syslog     +-------+    syslog
|       | ----------------> |   T   | -----------> ...
+-------+   notification    +-------+    message

I have an event notification originating from box A that is received
by box B via a non-syslog protocol. Box B runs a translator T turning
the non-syslog event notification into a syslog message. If I take the
text in the syslog specs literally, then the origin SD-ID likely
identifies the (syslog) originator, that is box B. However, the text
in 7.2 also says:

   Specifying any of these parameters is primarily an aid to log
   analyzers and similar applications.

Since the true origin of the event carried in the syslog message is
box A, a log analyzer might be better served by being able to identify
box A as the origin of the content carried in the syslog message, even
though the first hop in the forwarding chain was not really a syslog
message.
What do the syslog experts think - should the origin SD-ID identify
box A or box B in the example above?
/js

PS: The background behind this question is work proposed to the OPSAWG
on mapping SNMP notifications to SYSLOG messages and I would like to
clarify in the mapping what the semantics of the origin SD-ID are in
this context (<draft-marinov-syslog-snmp-02.txt>).
--
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany
Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
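
The two readings of the origin SD-ID asked about above, written out as an added example (not part of the original message or of either draft): the same translated event is emitted once with origin naming box B and once naming box A, and a log analyzer keyed on the SD-ID sees a different source in each case. It assumes the `ip` parameter of origin as published in RFC 5424; the addresses, hostname, timestamp and event text are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample values (documentation address range, made-up names).
BOX_A_IP = "192.0.2.10"   # device where the event arose
BOX_B_IP = "192.0.2.20"   # host running translator T

def escape_param(value):
    """Escape '"', '\\' and ']' as RFC 5424 requires inside a PARAM-VALUE."""
    return re.sub(r'(["\\\]])', r'\\\1', value)

def translate(event_text, reading):
    """Build the syslog message T would emit under one reading of 'origin'.

    reading='translator': origin ip names box B, the syslog originator.
    reading='source':     origin ip names box A, where the event arose.
    """
    origin_ip = {"translator": BOX_B_IP, "source": BOX_A_IP}[reading]
    sd = '[origin ip="%s"]' % escape_param(origin_ip)
    # PRI 165 = facility local4 (20) * 8 + severity notice (5).
    # HOSTNAME is box B under both readings, because T sends the message.
    header = "<165>1 2008-01-01T12:00:00Z boxB.example.net translator - -"
    return "%s %s %s" % (header, sd, event_text)

def origin_ip_seen_by_analyzer(message):
    """Return the ip an analyzer keyed on SD-ID 'origin' would attribute."""
    m = re.search(r'\[origin\b[^\]]*?\bip="((?:\\.|[^"\\\]])*)"', message)
    return m.group(1) if m else None

if __name__ == "__main__":
    for reading in ("translator", "source"):
        msg = translate("linkDown ifIndex=3", reading)
        print(reading, "->", origin_ip_seen_by_analyzer(msg))
        print("  ", msg)
```

Under the "translator" reading, box A's identity survives only if the mapping carries it somewhere else in the message; under the "source" reading, HOSTNAME and origin disagree and the analyzer has to know which one to trust.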