From: [email protected] [mailto:[email protected]] On Behalf Of
Aditya Dogra (addogra)
Sent: Thursday, February 21, 2013 11:25 AM
To: [email protected]; [email protected]
Subject: [OPSAWG] Syslog message to Remote Server

Hi All,

Currently, syslog messages collected locally on the network device are
transmitted to the remote syslog servers as per RFC 5424 (UDP protocol used
for transmission) and RFC 3195 (TCP protocol used for transmission).

[dbh>] RFC5424 defines the IETF version of the syslog protocol message
format (not the UDP transport).

RFC5424 RECOMMENDS using a TLS-based transport (RFC5425) rather than a
UDP-based or plain-TCP-based transport for syslog.

 

If you use a UDP-based transport for interoperability, it should probably
follow RFC5426.

The IETF standard for syslog over UDP (RFC5426) states:

"   Network administrators and architects should be aware of the
   significant reliability and security issues of this transport, which
   stem from the use of UDP."


Note that RFC6587 (plain TCP transport for syslog) is Historic, and contains
an IESG Note:

   The IESG does not recommend implementing or deploying syslog over
   plain tcp, which is described in this document, because it lacks the
   ability to enable strong security [RFC3365].

   Implementation of the TLS transport [RFC5425] is recommended so that
   appropriate security features are available to operators who want to
   deploy secure syslog.  Similarly, those security features can be
   turned off for those who do not want them.


However, we have observed that increasingly, customers are using syslog
messages archived in the remote server for business logic.


[dbh>] If customers are using archived messages, they might want to consider
signing syslog messages.

RFC5848, Signed syslog, describes a mechanism to add origin authentication,
message integrity, replay resistance, message sequencing, and
detection of missing messages to the transmitted syslog messages.

Signed syslog helps ensure integrity of messages both in-transit and in
archived storage.

I think that would be a valuable feature in support of business logic.


David Harrington
[email protected]
+1-603-828-1401
co-chair, syslog WG


In some networks, it is possible that some of the syslog messages may be
dropped due to link failure or other network conditions. 

However, the customers are expecting much higher resiliency for the syslog
messages. 

 

The questions on which we seek clarification are:

a) What are the expectations from the external syslog delivery?

b) Should we rely on syslogs alone? Please note that SNMP traps
functionality for network management is also there.

Your thoughts and suggestions are much appreciated.


Regards,

Aditya Dogra


_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
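
An added illustration, not part of either message above: the thread raises dropped messages on unreliable transports and the value of detecting missing messages in an archive. The sketch below audits an archive of RFC 5424 messages using the `sequenceId` parameter of the `meta` structured-data element defined in RFC 5424. It assumes the originators emit that parameter, it is not the RFC 5848 signature-block mechanism and gives no origin authentication or integrity protection, and the names `audit` and `SAMPLE` and all sample data are constructed for this example.

```python
import re

SEQ_MAX = 2147483647  # RFC 5424 sec. 7.3.1: after this value sequenceId wraps to 1

# <PRI>1 SP TIMESTAMP SP HOSTNAME SP ... ; only HOSTNAME is captured.
HEADER = re.compile(r"^<\d{1,3}>1 \S+ (\S+) ")
# sequenceId parameter of the "meta" structured-data element.
META_SEQ = re.compile(r'\[meta [^\]]*?sequenceId="(\d+)"')

def audit(lines):
    """Return findings as (hostname, kind, first_seq, last_seq) tuples."""
    last, findings = {}, []
    for line in lines:
        hdr, meta = HEADER.match(line), META_SEQ.search(line)
        if not (hdr and meta):
            continue  # not RFC 5424, or the originator sends no sequenceId
        host, seq = hdr.group(1), int(meta.group(1))
        prev = last.get(host)
        if prev is not None:
            expected = 1 if prev == SEQ_MAX else prev + 1
            if seq > expected:
                # Messages expected..seq-1 never reached the archive (so far).
                findings.append((host, "gap", expected, seq - 1))
            elif seq < expected:
                if seq != 1:
                    # Reordered or repeated datagram: keep the high-water mark.
                    findings.append((host, "late-or-duplicate", seq, seq))
                    continue
                # The counter restarts at 1 when the syslog function starts;
                # messages lost just before the restart cannot be counted.
                findings.append((host, "restart-or-wrap", 1, 1))
        last[host] = seq
    return findings

# Constructed sample archive (hostnames and message text are made up).
T = "2013-02-21T11:25:0"
SAMPLE = [
    f'<165>1 {T}1Z rtr1.example.net ifmgr 101 LINK [meta sequenceId="1"] Gi0/1 up',
    f'<165>1 {T}2Z rtr1.example.net ifmgr 101 LINK [meta sysUpTime="37" sequenceId="2"] Gi0/2 up',
    f'<165>1 {T}3Z rtr1.example.net ifmgr 101 LINK [meta sequenceId="5"] Gi0/1 down',
    f'<165>1 {T}4Z rtr1.example.net ifmgr 101 LINK [meta sequenceId="4"] Gi0/3 up',
    f'<165>1 {T}5Z rtr1.example.net ifmgr 101 LINK [meta sequenceId="6"] Gi0/1 up',
    f'<165>1 {T}6Z rtr1.example.net ifmgr 7 BOOT [meta sequenceId="1"] started',
    f'<165>1 {T}7Z rtr2.example.net ifmgr 9 LINK [meta sequenceId="2147483647"] up',
    f'<165>1 {T}8Z rtr2.example.net ifmgr 9 LINK [meta sequenceId="2"] down',
    "<34>Oct 11 22:14:15 oldhost su: legacy BSD-format line, skipped",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "gap" followed by a "late-or-duplicate" entry for the same host and number means the message arrived out of order rather than being lost, so the two should be reconciled before raising an alert.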
