Hi Jürgen,

the upcoming syslog RFC series is still missing two documents, I think: one on relay behavior and one on gateway behavior. So let me express my personal view as I cannot cite anything that underwent discussion.

In the gateway case you describe, I would think that the origin SD-ID should contain identification of the original originator, provided that this identification is known with sufficient trust (which it is in case of SNMP, I think). Also thanks for making me aware of draft-marinov-syslog-snmp-02.txt, this looks like useful work.

Rainer

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Juergen Schoenwaelder
> Sent: Thursday, October 02, 2008 9:42 AM
> To: [email protected]
> Subject: [Syslog] semantics of the origin SD-ID
>
> Hi,
>
> I have a question concerning the semantics of the origin SD-ID defined
> in section 7.2 of <draft-ietf-syslog-protocol-23.txt>. The text talks
> about the "originator" of a message. The definition of "originator" is
> provided in section 3:
>
>    o  An "originator" generates syslog content to be carried in a
>       message.
>
> I am facing a situation which looks as follows:
>
>     box A                       box B
>   +-------+     non-syslog    +-------+    syslog
>   |       | ----------------> |   T   | -----------> ...
>   +-------+    notification   +-------+    message
>
> I have an event notification originating from box A that is received
> by box B via a non-syslog protocol. Box B runs a translator T turning
> the non-syslog event notification into a syslog message. If I take the
> text in the syslog specs literally, then the origin SD-ID likely
> identifies the (syslog) originator, that is box B. However, the text
> in 7.2 also says:
>
>    Specifying any of these parameters is primarily an aid to log
>    analyzers and similar applications.
>
> Since the true origin of the event carried in the syslog message is
> box A, a log analyzer might be better served by being able to identify
> box A as the origin of the content carried in the syslog message, even
> though the first hop in the forwarding chain was not really a syslog
> message.
>
> What do the syslog experts think - should the origin SD-ID identify
> box A or box B in the example above?
>
> /js
>
> PS: The background behind this question is work proposed to the OPSAWG
>     on mapping SNMP notifications to SYSLOG messages and I like to
>     clarify in the mapping what the semantic of the origin SD-ID is in
>     this context (<draft-marinov-syslog-snmp-02.txt>).
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
> _______________________________________________
> Syslog mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/syslog
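
The gateway behaviour discussed in this thread, as an added example that is not part of either message and not taken from the syslog drafts: a translator T on box B that names box A in the origin SD-ID only when the notification's source is known with sufficient trust, and otherwise keeps box B as origin. The notification dict, its `authenticated` flag, the `translator-T` name, the `unverified-source=` marker and keeping box B in HOSTNAME are all assumptions made for illustration.

```python
from datetime import datetime, timezone

def escape_param(value: str) -> str:
    """Escape the three characters that are special inside an SD-PARAM value,
    so a hostile notification cannot close the element or inject parameters."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def origin_element(ips, software=None):
    """Build an origin structured-data element; the 'ip' parameter may repeat."""
    params = [f'ip="{escape_param(ip)}"' for ip in ips]
    if software:
        params.append(f'software="{escape_param(software)}"')
    return "[origin " + " ".join(params) + "]"

def translate(notification, gateway_host, gateway_ip, when=None):
    """Turn a non-syslog notification from box A into a syslog line on box B.

    `notification` is a hypothetical dict with keys source_ip, authenticated, text.
    """
    when = when or datetime.now(timezone.utc)
    if notification["authenticated"]:
        # Box A's identity is known with sufficient trust: name it as origin.
        origin = origin_element([notification["source_ip"]], software="translator-T")
        text = notification["text"]
    else:
        # Unverified source: origin stays the gateway; the claimed address is
        # carried in MSG only (assumed convention), so analyzers do not trust it.
        origin = origin_element([gateway_ip], software="translator-T")
        text = f'unverified-source={notification["source_ip"]} {notification["text"]}'
    # PRI 134 = facility local0 (16) * 8 + severity informational (6).
    stamp = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    header = f"<134>1 {stamp} {gateway_host} translator-T - - "
    # Line breaks in the payload are flattened to keep one event per line.
    return header + origin + " " + text.replace("\r", " ").replace("\n", " ")

if __name__ == "__main__":
    # Constructed sample notification using documentation addresses.
    sample = {"source_ip": "192.0.2.10", "authenticated": True, "text": "linkDown ifIndex=3"}
    print(translate(sample, "boxB", "192.0.2.1"))
```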
