<inline>
Tom Petch

----- Original Message -----
From: "Natale, Bob" <[EMAIL PROTECTED]>
To: "David Harrington" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; "Andy Bierman" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Wednesday, May 02, 2007 5:57 PM
Subject: [Syslog] RE: [OPS-AREA] syslog data modeling


Hi Dave,

The same question that Andy asks below occurred to me when I read your
note...since I have not followed the "Security Issues in Syslog" WG for
some time, I checked the WG charter page and the additional info at
http://www.employees.org/~lonvick/index.shtml ...and came away a bit
confused about the MIB work being done there ...this confusion is still
based on flimsy research, so I won't whine about a smack on the wrist
if warranted. :)

However, the charter calls for a Syslog Device MIB...the current
version of the I-D appears to be at
http://www.ietf.org/internet-drafts/draft-ietf-syslog-device-mib-15.txt
...but that MIB seems to be about control and monitoring of Syslog
applications (nothing wrong with that!...quite the contrary) ...notes
indicate that the change was made at -11 (the descriptive text on the
"Additional Info" page should be updated accordingly) ...changes
"process" and "device" to "entity" == "application"...fine.

But what IETF MIB refers to Syslog messages themselves...along the
lines of, for example, the CISCO-SYSLOG-MIB...?

<tp>

Bob

I may be able to shed some light on this.  Syslog messages are processed by
thingies (bear with me and you will understand my choice of this technical term)
which can be looked at in plan view, as sender, receiver or store-and-forward;
or in elevation, as transport, session, presentation and such like.  The
terminology for these looks includes "sender", "receiver", "relay", "originator",
"collector", "device", "entity", "process", "application", "facility",
"sysloghost", "generator", "syslogserver";  in fact, anything but "thingie" with
perhaps "device" being the commonest (after all, what else does the d in syslogd
stand for :-)

The same term can mean different things in different places and a different term
may or may not mean the same thing elsewhere.  The change you note in
syslog-mib-11 was intended to make it more likely that there is a one to one
mapping of concept to term across the set of I-Ds that the WG is producing, and
was not a change in the information modelled by the mib module.

I agree that proprietary mib modules take a different view of what should be
modelled - closer for example to the work of disman - but in this regard, the
syslog mib module has been consistent, focussing more on the lower layers of the
stack.

Tom Petch
</tp>


Cheers,
BobN

-----Original Message-----
From: Andy Bierman [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 02, 2007 11:24 AM
To: David Harrington
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [OPS-AREA] syslog data modeling

David Harrington wrote:
> Hi,
>
> I propose that an initial set of syslog data models be developed in
> the OPS Area WG.

Are you suggesting a set of standard SDEs for particular MIB objects,
or the SDE encoding rules for an arbitrary MIB object? Or both?

Andy

>
> For those who have not followed the work of the syslog WG, let me
> explain.
>
> The syslog WG in the security area has drawn a number of syslog
> implementers to work on standardizing the message format for syslog,
> as an important step toward addressing security issues. The syslog WG
> is scoped to address "security issues in network event logging", and
> the work is drawing to a close, as three of the documents in its
> charter (a message format and UDP and TLS transport mappings) are
> being delivered for IESG consideration as Proposed Standards, and the
> other three (a reliable transport mapping, an integrity-checking
> "signature" mechanism, and a MIB module) are scheduled for WGLC
> within the next two months. The co-chairs expect that the syslog WG will
> close by year-end.
>
> One of the features of the new message format is structured data
> elements (SDEs), which provide a mechanism for structuring message
> content so it is more easily parsed by programs/tools. The SDE format
> supplements the traditional free-form text content. There are some
> proposals starting to be published for SDEs and posted to the syslog
> WG, such as SDEs that map syslog severity to ITU-T perceived
> severities, following the work done in the ALARM-MIB.
>
> The co-chairs believe it would be inappropriate for the "security
> issues in network event logging" WG to deal with proposals for syslog
> data modeling. The OPS area would be the likely area to work on data
> modeling standards for syslog.
>
> A few SDEs have been defined by the syslog WG that are used in the
> syslog message header, but we have not addressed the many SDEs that
> could be included in syslog content. It would be good to design a set
> of SDEs that are consistent with other IETF protocol information
> models and data models, such as MIB-II, IF-MIB, ENTITY-MIB, standard
> SNMP notification-types, and standard netconf data models, to make it
> easier for operators to correlate the information in syslog messages
> with the information contained in SNMP trap and informs and in
> netconf notifications, and possibly ipfix information elements. The experts
> in these IETF-based information and data models are found in the OPS
> area.
>
> I propose that an initial set of SDEs be worked on within the OPSAWG.
> The scope and deliverables of such work should be clearly defined
> based on the correlation needs of operators, input from network
> management modeling experts in the OPS area, in cooperation with the
> syslog implementers from the current syslog WG.
>
> If you agree and would be willing to work on developing standardized
> SDEs for syslog, please email me at [EMAIL PROTECTED]
>
>
> David Harrington
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
>
>
>
>
> _______________________________________________
> OPS-AREA mailing list
> [EMAIL PROTECTED]
> https://www1.ietf.org/mailman/listinfo/ops-area
>
>



_______________________________________________
OPS-AREA mailing list
[EMAIL PROTECTED]
https://www1.ietf.org/mailman/listinfo/ops-area

_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog

