draft-ietf-opsawg-syslog-alarm-01.txt   draft-ietf-opsawg-syslog-alarm-02.txt 
Network Working Group S. Chisholm Network Working Group S. Chisholm
Internet-Draft Nortel Internet-Draft Nortel
Intended status: Standards Track R. Gerhards Intended status: Standards Track R. Gerhards
Expires: May 6, 2009 Adiscon GmbH Expires: November 27, 2009 Adiscon GmbH
November 2, 2008 May 26, 2009
Alarms in SYSLOG Alarms in SYSLOG
draft-ietf-opsawg-syslog-alarm-01.txt draft-ietf-opsawg-syslog-alarm-02.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any This Internet-Draft is submitted to IETF in full conformance with the
applicable patent or other IPR claims of which he or she is aware provisions of BCP 78 and BCP 79.
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that other
other groups may also distribute working documents as Internet- groups may also distribute working documents as Internet-Drafts.
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 6, 2009. This Internet-Draft will expire on November 27, 2009.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract Abstract
This document describes how to send alarm information in syslog. It This document describes how to send alarm information in syslog. It
includes the mapping of ITU perceived severities onto syslog message includes the mapping of ITU perceived severities onto syslog message
fields. fields and a number of alarm-specific SD-PARAM definitions from X.733
and the IETF Alarm MIB.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Severity Mapping . . . . . . . . . . . . . . . . . . . . . . . 4 2. Severity Mapping . . . . . . . . . . . . . . . . . . . . . . . 4
3. Alarm STRUCTURED-DATA Elements . . . . . . . . . . . . . . . . 5 3. Alarm STRUCTURED-DATA Elements . . . . . . . . . . . . . . . . 5
3.1. alarmedResource . . . . . . . . . . . . . . . . . . . . . 5 3.1. resource . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2. probableCause . . . . . . . . . . . . . . . . . . . . . . 5 3.2. probableCause . . . . . . . . . . . . . . . . . . . . . . 5
3.3. perceivedSeverity . . . . . . . . . . . . . . . . . . . . 5 3.3. perceivedSeverity . . . . . . . . . . . . . . . . . . . . 5
3.4. eventType . . . . . . . . . . . . . . . . . . . . . . . . 6 3.4. eventType . . . . . . . . . . . . . . . . . . . . . . . . 6
3.5. trendIndication . . . . . . . . . . . . . . . . . . . . . 6 3.5. trendIndication . . . . . . . . . . . . . . . . . . . . . 6
3.6. resourceMapping . . . . . . . . . . . . . . . . . . . . . 6 3.6. resourceURI . . . . . . . . . . . . . . . . . . . . . . . 6
4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11
7.1. Normative References . . . . . . . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
7.2. Informative References . . . . . . . . . . . . . . . . . . 10 8.1. Normative References . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11 8.2. Informative References . . . . . . . . . . . . . . . . . . 12
Intellectual Property and Copyright Statements . . . . . . . . . . 12 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
Intellectual Property and Copyright Statements . . . . . . . . . . 14
1. Introduction 1. Introduction
In addition to sending out alarm information asynchronously via In addition to sending out alarm information asynchronously via
protocols such as SNMP or Netconf, many implementations also log protocols such as SNMP or Netconf, many implementations also log
alarms via syslog. This memo defines a set of SD-PARAM to support alarms via syslog. This memo defines a set of SD-PARAM to support
logging and defines a mapping of syslog severity to the severity of logging and defines a mapping of syslog severity to the severity of
the alarm. the alarm.
1.1. terminology The Alarm MIB (RFC 3877) included mandatory alarm fields from X.733
as well as information from X.736. In additional, the Alarm MIB
introduced its own alarm fields. This memo reuses terminology and
fields from the Alarm MIB.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC2119 [RFC2119]. document are to be interpreted as described in [RFC2119].
Alarm related terminology is defined in [RFC3877]. Alarm related terminology is defined in [RFC3877].
2. Severity Mapping 2. Severity Mapping
The Alarm MIB RFC3877 [RFC3877] defines ITU perceived severities The Alarm MIB [RFC3877] defines ITU perceived severities which are
which are useful to be able to relate to the syslog message fields, useful to be able to relate to the syslog message fields,
particularly in the case where alarms are being logged. This memo particularly in the case where alarms are being logged. This memo
describes the representation of ITU perceived severities in describes the representation of ITU perceived severities in
appropriate syslog fields described in [Syslog]. Syslog offers both appropriate syslog fields described in [RFC5424]. Syslog offers both
a so-called SEVERITY as well as STRUCTURED-DATA. Due to constraints a so-called SEVERITY as well as STRUCTURED-DATA. Due to constraints
in syslog, there is no one-to-one mapping possible for SEVERITY. A in syslog, there is no one-to-one mapping possible for SEVERITY. A
STRUCTURED-DATA element is defined to allow inclusion of the STRUCTURED-DATA element is defined to allow inclusion of the
unmodified ITU perceived severity. unmodified ITU perceived severity.
Syslog supports severity values different from ITU perceived Syslog supports severity values different from ITU perceived
severities. These are defined in section 6.2.1 of [Syslog]. The severities. These are defined in section 6.2.1 of [RFC5424]. The
mapping shown in table 1 below SHOULD be used to map ITU perceived mapping shown in table 1 below SHOULD be used to map ITU perceived
severities to syslog severities. severities to syslog severities.
ITU Perceived Severity syslog SEVERITY (Name) ITU Perceived Severity syslog SEVERITY (Name)
Critical 1 (Alert) Critical 1 (Alert)
Major 2 (Critical) Major 2 (Critical)
Minor 3 (Error) Minor 3 (Error)
Warning 4 (Warning) Warning 4 (Warning)
Indeterminate 5 (Notice) Indeterminate 5 (Notice)
Cleared 5 (Notice) Cleared 5 (Notice)
skipping to change at page 5, line 21 skipping to change at page 5, line 21
o Resource Under Alarm o Resource Under Alarm
o Probable Cause o Probable Cause
o Event Type o Event Type
o Perceived Severity o Perceived Severity
o Trend Indication o Trend Indication
o Resource Mapping o Resource URI
Support of the alarm SD-ID is optional, but once supported some of Support of the "alarm" SD-ID is optional, but once supported some of
the SD-PARARMS are mandatory. the SD-PARARMS are mandatory.
3.1. alarmedResource 3.1. resource
If the alarm SD-ID is supported, the alarmResource SD-PARAM MUST be If the "alarm" SD-ID is supported, the "resource" SD-PARAM MUST be
supported. This item uniquely identifies the resource under alarm supported. This item uniquely identifies the resource under alarm
within the scope of a network element. within the scope of a network element.
3.2. probableCause 3.2. probableCause
If the alarm SD-ID is supported, the probableCause SD-PARAM MUST be If the "alarm" SD-ID is supported, the "probableCause" SD-PARAM MUST
supported. This parameter is the mnemonic associated with the be supported. This parameter is the mnemonic associated with the
IANAItuProbableCause object defined within [RFC3877] and any IANAItuProbableCause object defined within [RFC3877] and any
subsequent extensions defined by IANA. For example, subsequent extensions defined by IANA. For example,
IANAItuProbableCause defines a transmission failure to a probable IANAItuProbableCause defines a transmission failure to a probable
cause of 'transmissionError (10)'. The value of the parameter in cause of 'transmissionError (10)'. The value of the parameter in
this case would be 'transmissionError'" this case would be 'transmissionError'"
3.3. perceivedSeverity 3.3. perceivedSeverity
If the alarm SD-ID is supported, the perceivedSeverity SD-PARAM MUST If the "alarm" SD-ID is supported, the "perceivedSeverity" SD-PARAM
be supported. Similar to the definition of perceived severity in MUST be supported. Similar to the definition of perceived severity
[X.736] and [RFC3877], this object can take the following values: in [X.736] and [RFC3877], this object can take the following values:
o cleared o cleared
o indeterminate o indeterminate
o critical o critical
o major o major
o minor o minor
o warning o warning
See section 2 for the relationship between this severity and syslog See section 2 for the relationship between this severity and syslog
severity. severity.
3.4. eventType 3.4. eventType
If the alarm SD-ID is supported, the eventType SD-PARAM SHOULD be If the "alarm" SD-ID is supported, the "eventType" SD-PARAM SHOULD be
supported. This parameter is the mnemonic associated with the supported. This parameter is the mnemonic associated with the
IANAItuEventType object defined within [RFC3877] and any subsequent IANAItuEventType object defined within [RFC3877] and any subsequent
extensions defined by IANA. For example, IANAItuEventType defines a extensions defined by IANA. For example, IANAItuEventType defines a
environmental alarm to a event type of 'environmentalAlarm (6)'. The environmental alarm to a event type of 'environmentalAlarm (6)'. The
value of the parameter in this case would be 'environmentalAlarm'" value of the parameter in this case would be 'environmentalAlarm'"
3.5. trendIndication 3.5. trendIndication
If the alarm SD-ID is supported, the trendIndication SD-PARAM SHOULD If the "alarm" SD-ID is supported, the "trendIndication" SD-PARAM
be supported. Similar to the definition of perceived severity in SHOULD be supported. Similar to the definition of perceived severity
[X.733] and [RFC3877], this object can take the following values: in [X.733] and [RFC3877], this object can take the following values:
o moreSevere o moreSevere
o noChange o noChange
o lessSevere o lessSevere
3.6. resourceMapping 3.6. resourceURI
If the alarm SD-ID is supported, the resourceMapping SD-PARAM SHOULD If the "alarm" SD-ID is supported, the "resourceURI" SD-PARAM SHOULD
be supported. This item uniquely identifies the resource under alarm be supported. This item uniquely identifies the resource under
within the scope of a network element. This must be the same value alarm.
as alarmActiveResourceId [RFC3877] for this alarm or follow similar
semantics if the Alarm MIB is not supported.
4. Security Considerations The value of this field MUST conform to the URI definition in
[RFC1738] and its updates. In the case of an SNMP resource, the
syntax in [RFC4088] MUST be used and "resourceURI" must point to the
same resource as alarmActiveResourceId [RFC3877] for this alarm.
Both the "resource" and the "resourceURI" parameters point at the
resource experiencing the alarm, but the "resourceURI" has syntactic
constraint requiring it to be a URI. This makes it easy to correlate
this syslog alarm with any alarms that are received via other
protocols, such as SNMP or to use SNMP or other protocols to get
additional information about this resource.
4. Examples
Example 1 - Mandatory Alarm Information
<165>1 2003-10-11T22:14:15.003Z mymachine.example.com
evntslog - ID47 [exampleSDID@32473 iut="3" eventSource=
"Application" eventID="1011"][alarm resource="su root"
probableCause="unauthorizedAccessAttempt"
perceivedSeverity="major"]
BOMAn application event log entry...
In this example, extended from [Syslog], the VERSION is 1 and the
Facility has the value of 4. The severity is 2. The message was
created on 11 October 2003 at 10:14:15pm UTC, 3 milliseconds into the
next second. The message originated from a host that identifies
itself as "mymachine.example.com". The APP-NAME is "su" and the
PROCID is unknown. The MSGID is "ID47". We have included both the
structured data from the original example, a single element with the
value "[exampleSDID@0 iut="3" eventSource="Application"
eventID="1011"]" and a new one with the alarm information defined in
this memo. The alarm SD-ID contains the mandatory SD-PARAMS of
resource, probableCause and preceivedSeverity. The MSG itself is "An
application event log entry..." The BOM at the beginning of MSG
indicates UTF-8 encoding.
Example 2 - Additional Alarm Information
<165>1 2004-11-10T20:15:15.003Z mymachine.example.com
evntslog - ID48 [alarm resource="interface 42"
probableCause="unauthorizedAccessAttempt"
perceivedSeverity="major"
eventType="communicationsAlarm"
resourceURI ="snmp://example.com//1.3.6.1.2.1.2.2.1.1.42"]
In this example, we include two optional alarm fields - eventType and
resourceURI.
5. Security Considerations
In addition to general syslog security considerations discussed in In addition to general syslog security considerations discussed in
[Syslog], the information contained with alarms may provide hackers [RFC5424], the information contained with alarms may provide hackers
with helpful information about parts of the system currently with helpful information about parts of the system currently
experiencing stress as well as general information about the system experiencing stress as well as general information about the system
such as inventory. such as inventory.
Users should not have access to information in alarms that their Users should not have access to information in alarms that their
normal access permissions would not permit if the information was normal access permissions would not permit if the information was
accessed in another manner. accessed in another manner.
5. IANA Considerations There is no standardized access control model for SYSLOG and hence
the ability to filter alarms based on a notion of a receiver identity
is at best implementation specific.
6. IANA Considerations
IANA is requested to register the SD-IDs and PARAM-NAMEs shown below: IANA is requested to register the SD-IDs and PARAM-NAMEs shown below:
SD-ID PARAM-NAME SD-ID PARAM-NAME
alarm OPTIONAL alarm OPTIONAL
alarmedResource MANDATORY resource MANDATORY
probableCause MANDATORY probableCause MANDATORY
perceivedSeverity MANDATORY perceivedSeverity MANDATORY
eventType OPTIONAL eventType OPTIONAL
trendIndication OPTIONAL trendIndication OPTIONAL
resourceMapping OPTIONAL resourceURI OPTIONAL
6. Acknowledgments 7. Acknowledgments
Thanks to members of the Syslog and OPSAWG work group who contributed Thanks to members of the Syslog and OPSAWG work group who contributed
to this specification. to this specification. We'd also like to thank Juergen
Schoenwaelder, Dave Harrington, Wes Hardaker and Randy Presuhn for
their reviews.
7. References 8. References
7.1. Normative References 8.1. Normative References
[RFC1738] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform
Resource Locators (URL)", RFC 1738, December 1994.
[RFC2119] Bradner, s., "Key words for RFCs to Indicate Requirements [RFC2119] Bradner, s., "Key words for RFCs to Indicate Requirements
Levels", RFC 2119, March 1997. Levels", RFC 2119, March 1997.
[RFC3877] Chisholm, S. and D. Romascanu, "Alarm Management [RFC3877] Chisholm, S. and D. Romascanu, "Alarm Management
Information Base (MIB)", RFC 3877, September 2004. Information Base (MIB)", RFC 3877, September 2004.
[Syslog] Gerhards, Rainer., "The syslog Protocol", [RFC4088] Black, D., McCloghrie, K., and J. Schoenwaelder, "Uniform
ID draft-ietf-syslog-protocol-19.txt, November 2006. Resource Identifier (URI) Scheme for the Simple Network
Management Protocol (SNMP)", RFC 4088, June 2005.
7.2. Informative References [RFC5424] Gerhards, R., "The syslog Protocol", RFC 5424, March 2009.
8.2. Informative References
[X.733] ITU-T, ""Information Technology - Open Systems [X.733] ITU-T, ""Information Technology - Open Systems
Interconnection - System Management: Alarm Reporting Interconnection - System Management: Alarm Reporting
Function"", ITU-T X.733, 1992. Function"", ITU-T X.733, 1992.
[X.736] ITU-T, ""Information Technology - Open Systems [X.736] ITU-T, ""Information Technology - Open Systems
Interconnection - System Management: Security Alarm Interconnection - System Management: Security Alarm
Reporting Function"", ITU-T X.736, 1992. Reporting Function"", ITU-T X.736, 1992.
Authors' Addresses Authors' Addresses
skipping to change at page 12, line 4 skipping to change at line 333
Email: schishol@nortel.com Email: schishol@nortel.com
Rainer Gerhards Rainer Gerhards
Adiscon GmbH Adiscon GmbH
Mozartstrasse 21 Mozartstrasse 21
Grossrinderfeld, BW 97950 Grossrinderfeld, BW 97950
Germany Germany
Email: rgerhards@adiscon.com Email: rgerhards@adiscon.com
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
 End of changes. 37 change blocks. 
61 lines changed or deleted 128 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/