draft-ietf-opsawg-syslog-alarm-02.txt   rfc5674.txt 
Network Working Group S. Chisholm Network Working Group S. Chisholm
Internet-Draft Nortel Request for Comments: 5674 Nortel
Intended status: Standards Track R. Gerhards Category: Standards Track R. Gerhards
Expires: November 27, 2009 Adiscon GmbH Adiscon GmbH
May 26, 2009 October 2009
Alarms in SYSLOG
draft-ietf-opsawg-syslog-alarm-02.txt
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Alarms in Syslog
Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Abstract
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at This document describes how to send alarm information in syslog. It
http://www.ietf.org/ietf/1id-abstracts.txt. includes the mapping of ITU perceived severities onto syslog message
fields. It also includes a number of alarm-specific SD-PARAM
definitions from X.733 and the IETF Alarm MIB.
The list of Internet-Draft Shadow Directories can be accessed at Status of This Memo
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 27, 2009. This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents
publication of this document (http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Abstract include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
This document describes how to send alarm information in syslog. It RFC 5674 Alarms in Syslog October 2009
includes the mapping of ITU perceived severities onto syslog message
fields and a number of alarm-specific SD-PARAM definitions from X.733
and the IETF Alarm MIB.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction ....................................................2
2. Severity Mapping . . . . . . . . . . . . . . . . . . . . . . . 4 2. Severity Mapping ................................................2
3. Alarm STRUCTURED-DATA Elements . . . . . . . . . . . . . . . . 5 3. Alarm STRUCTURED-DATA Elements ..................................3
3.1. resource . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1. resource ...................................................3
3.2. probableCause . . . . . . . . . . . . . . . . . . . . . . 5 3.2. probableCause ..............................................4
3.3. perceivedSeverity . . . . . . . . . . . . . . . . . . . . 5 3.3. perceivedSeverity ..........................................4
3.4. eventType . . . . . . . . . . . . . . . . . . . . . . . . 6 3.4. eventType ..................................................4
3.5. trendIndication . . . . . . . . . . . . . . . . . . . . . 6 3.5. trendIndication ............................................4
3.6. resourceURI . . . . . . . . . . . . . . . . . . . . . . . 6 3.6. resourceURI ................................................5
4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Examples ........................................................5
5. Security Considerations . . . . . . . . . . . . . . . . . . . 9 5. Security Considerations .........................................6
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 6. IANA Considerations .............................................6
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 7. Acknowledgments .................................................6
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12 8. References ......................................................7
8.1. Normative References . . . . . . . . . . . . . . . . . . . 12 8.1. Normative References .......................................7
8.2. Informative References . . . . . . . . . . . . . . . . . . 12 8.2. Informative References .....................................7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
Intellectual Property and Copyright Statements . . . . . . . . . . 14
1. Introduction 1. Introduction
In addition to sending out alarm information asynchronously via In addition to sending out alarm information asynchronously via
protocols such as SNMP or Netconf, many implementations also log protocols such as the Simple Network Management Protocol (SNMP) or
alarms via syslog. This memo defines a set of SD-PARAM to support the Network Configuration Protocol (Netconf), many implementations
logging and defines a mapping of syslog severity to the severity of also log alarms via syslog. This memo defines a set of SD-PARAMs to
the alarm. support logging and defines a mapping of syslog severity to the
severity of the alarm.
The Alarm MIB (RFC 3877) included mandatory alarm fields from X.733 The Alarm MIB [RFC3877] includes mandatory alarm fields from X.733
as well as information from X.736. In additional, the Alarm MIB [X.733] as well as information from X.736 [X.736]. In additional,
introduced its own alarm fields. This memo reuses terminology and the Alarm MIB introduces its own alarm fields. This memo reuses
fields from the Alarm MIB. terminology and fields from the Alarm MIB.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
Alarm related terminology is defined in [RFC3877]. Alarm-related terminology is defined in [RFC3877].
SD-ID, SD-PARAM, and other syslog-related terms are defined in
[RFC5424].
2. Severity Mapping 2. Severity Mapping
The Alarm MIB [RFC3877] defines ITU perceived severities which are The Alarm MIB [RFC3877] defines ITU perceived severities; it is
useful to be able to relate to the syslog message fields, useful to be able to relate these to the syslog message fields,
particularly in the case where alarms are being logged. This memo particularly in the case where alarms are being logged. This memo
describes the representation of ITU perceived severities in describes the representation of ITU perceived severities in
appropriate syslog fields described in [RFC5424]. Syslog offers both
a so-called SEVERITY as well as STRUCTURED-DATA. Due to constraints
in syslog, there is no one-to-one mapping possible for SEVERITY. A
STRUCTURED-DATA element is defined to allow inclusion of the
unmodified ITU perceived severity.
Syslog supports severity values different from ITU perceived RFC 5674 Alarms in Syslog October 2009
severities. These are defined in section 6.2.1 of [RFC5424]. The
mapping shown in table 1 below SHOULD be used to map ITU perceived appropriate syslog fields, which are described in [RFC5424]. Syslog
offers both a so-called SEVERITY as well as STRUCTURED-DATA. Due to
constraints in syslog, there is no one-to-one mapping possible for
SEVERITY. A STRUCTURED-DATA element is defined in this document to
allow inclusion of the unmodified ITU perceived severity.
Syslog supports Severity values different from ITU perceived
severities. These are defined in Section 6.2.1 of [RFC5424]. The
mapping shown in Table 1 below SHOULD be used to map ITU perceived
severities to syslog severities. severities to syslog severities.
ITU Perceived Severity syslog SEVERITY (Name) ITU Perceived Severity syslog SEVERITY (Name)
Critical 1 (Alert) Critical 1 (Alert)
Major 2 (Critical) Major 2 (Critical)
Minor 3 (Error) Minor 3 (Error)
Warning 4 (Warning) Warning 4 (Warning)
Indeterminate 5 (Notice) Indeterminate 5 (Notice)
Cleared 5 (Notice) Cleared 5 (Notice)
Table 1. ITUPerceivedSeverity to syslog SEVERITY mapping. Table 1. ITUPerceivedSeverity to Syslog SEVERITY Mapping
3. Alarm STRUCTURED-DATA Elements 3. Alarm STRUCTURED-DATA Elements
STRUCTURED-DATA allows to include any structured information into a STRUCTURED-DATA allows the inclusion of any structured information
syslog message. The following are defined to support structuring into a syslog message. The following are defined in this document to
alarm information. support the structuring of alarm information.
o Resource Under Alarm o Resource Under Alarm
o Probable Cause o Probable Cause
o Event Type o Event Type
o Perceived Severity o Perceived Severity
o Trend Indication o Trend Indication
o Resource URI o Resource URI
Support of the "alarm" SD-ID is optional, but once supported some of Support of the "alarm" SD-ID is optional but, once supported, some of
the SD-PARARMS are mandatory. the SD-PARAMS are mandatory.
3.1. resource 3.1. resource
If the "alarm" SD-ID is supported, the "resource" SD-PARAM MUST be If the "alarm" SD-ID is included, the "resource" SD-PARAM MUST be
supported. This item uniquely identifies the resource under alarm included. This item uniquely identifies the resource under alarm
within the scope of a network element. within the scope of a network element.
RFC 5674 Alarms in Syslog October 2009
3.2. probableCause 3.2. probableCause
If the "alarm" SD-ID is supported, the "probableCause" SD-PARAM MUST If the "alarm" SD-ID is included, the "probableCause" SD-PARAM MUST
be supported. This parameter is the mnemonic associated with the be included. This parameter is the mnemonic associated with the
IANAItuProbableCause object defined within [RFC3877] and any IANAItuProbableCause object defined within [RFC3877] and any
subsequent extensions defined by IANA. For example, subsequent extensions defined by IANA. For example,
IANAItuProbableCause defines a transmission failure to a probable IANAItuProbableCause defines a transmission failure to a probable
cause of 'transmissionError (10)'. The value of the parameter in cause of 'transmissionError (10)'. The value of the parameter in
this case would be 'transmissionError'" this case would be 'transmissionError'.
3.3. perceivedSeverity 3.3. perceivedSeverity
If the "alarm" SD-ID is supported, the "perceivedSeverity" SD-PARAM If the "alarm" SD-ID is included, the "perceivedSeverity" SD-PARAM
MUST be supported. Similar to the definition of perceived severity MUST be included. Similar to the definition of perceived severity in
in [X.736] and [RFC3877], this object can take the following values: [X.736] and [RFC3877], this object can take the following values:
o cleared o cleared
o indeterminate o indeterminate
o critical o critical
o major o major
o minor o minor
o warning o warning
See section 2 for the relationship between this severity and syslog See Section 2 for the relationship between this severity and syslog
severity. severity.
3.4. eventType 3.4. eventType
If the "alarm" SD-ID is supported, the "eventType" SD-PARAM SHOULD be If the "alarm" SD-ID is included, the "eventType" SD-PARAM SHOULD be
supported. This parameter is the mnemonic associated with the included. This parameter is the mnemonic associated with the
IANAItuEventType object defined within [RFC3877] and any subsequent IANAItuEventType object defined within [RFC3877] and any subsequent
extensions defined by IANA. For example, IANAItuEventType defines a extensions defined by IANA. For example, IANAItuEventType defines an
environmental alarm to a event type of 'environmentalAlarm (6)'. The environmental alarm to an event type of 'environmentalAlarm (6)'.
value of the parameter in this case would be 'environmentalAlarm'" The value of the parameter in this case would be
'environmentalAlarm'.
3.5. trendIndication 3.5. trendIndication
If the "alarm" SD-ID is supported, the "trendIndication" SD-PARAM If the "alarm" SD-ID is included, the "trendIndication" SD-PARAM
SHOULD be supported. Similar to the definition of perceived severity SHOULD be included. Similar to the definition of perceived severity
in [X.733] and [RFC3877], this object can take the following values: in [X.733] and [RFC3877], this object can take the following values:
RFC 5674 Alarms in Syslog October 2009
o moreSevere o moreSevere
o noChange o noChange
o lessSevere o lessSevere
3.6. resourceURI 3.6. resourceURI
If the "alarm" SD-ID is supported, the "resourceURI" SD-PARAM SHOULD If the "alarm" SD-ID is included, the "resourceURI" SD-PARAM SHOULD
be supported. This item uniquely identifies the resource under be included. This item uniquely identifies the resource under alarm.
alarm.
The value of this field MUST conform to the URI definition in The value of this field MUST conform to the URI definition in
[RFC1738] and its updates. In the case of an SNMP resource, the [RFC3986] and its updates. In the case of an SNMP resource, the
syntax in [RFC4088] MUST be used and "resourceURI" must point to the syntax in [RFC4088] MUST be used and "resourceURI" must point to the
same resource as alarmActiveResourceId [RFC3877] for this alarm. same resource as alarmActiveResourceId [RFC3877] for this alarm.
Both the "resource" and the "resourceURI" parameters point at the Both the "resource" and the "resourceURI" parameters point at the
resource experiencing the alarm, but the "resourceURI" has syntactic resource experiencing the alarm, but the "resourceURI" has syntactic
constraint requiring it to be a URI. This makes it easy to correlate constraint requiring it to be a URI. This makes it easy to correlate
this syslog alarm with any alarms that are received via other this syslog alarm with any alarms that are received via other
protocols, such as SNMP or to use SNMP or other protocols to get protocols, such as SNMP, or to use SNMP or other protocols to get
additional information about this resource. additional information about this resource.
4. Examples 4. Examples
Example 1 - Mandatory Alarm Information Example 1 - Mandatory Alarm Information
<165>1 2003-10-11T22:14:15.003Z mymachine.example.com <165>1 2003-10-11T22:14:15.003Z mymachine.example.com
evntslog - ID47 [exampleSDID@32473 iut="3" eventSource= evntslog - ID47 [exampleSDID@32473 iut="3" eventSource=
"Application" eventID="1011"][alarm resource="su root" "Application" eventID="1011"][alarm resource="su root"
probableCause="unauthorizedAccessAttempt" probableCause="unauthorizedAccessAttempt"
perceivedSeverity="major"] perceivedSeverity="major"]
BOMAn application event log entry... BOMAn application event log entry...
In this example, extended from [Syslog], the VERSION is 1 and the In this example, extended from [RFC5424], the VERSION is 1 and the
Facility has the value of 4. The severity is 2. The message was Facility has the value of 4. The severity is 2. The message was
created on 11 October 2003 at 10:14:15pm UTC, 3 milliseconds into the created on 11 October 2003 at 10:14:15pm UTC, 3 milliseconds into the
next second. The message originated from a host that identifies next second. The message originated from a host that identifies
itself as "mymachine.example.com". The APP-NAME is "su" and the itself as "mymachine.example.com". The APP-NAME is "evntslog" and
PROCID is unknown. The MSGID is "ID47". We have included both the the PROCID is unknown. The MSGID is "ID47". We have included both
structured data from the original example, a single element with the the structured data from the original example, a single element with
value "[exampleSDID@0 iut="3" eventSource="Application" the value "[exampleSDID@32473 iut="3" eventSource="Application"
eventID="1011"]" and a new one with the alarm information defined in eventID="1011"]", and a new element with the alarm information
this memo. The alarm SD-ID contains the mandatory SD-PARAMS of defined in this memo. The alarm SD-ID contains the mandatory SD-
resource, probableCause and preceivedSeverity. The MSG itself is "An PARAMS of resource, probableCause, and preceivedSeverity. The MSG
application event log entry..." The BOM at the beginning of MSG itself is "An application event log entry..." The BOM at the
indicates UTF-8 encoding. beginning of the MSG indicates UTF-8 encoding.
RFC 5674 Alarms in Syslog October 2009
Example 2 - Additional Alarm Information Example 2 - Additional Alarm Information
<165>1 2004-11-10T20:15:15.003Z mymachine.example.com <165>1 2004-11-10T20:15:15.003Z mymachine.example.com
evntslog - ID48 [alarm resource="interface 42" evntslog - ID48 [alarm resource="interface 42"
probableCause="unauthorizedAccessAttempt" probableCause="unauthorizedAccessAttempt"
perceivedSeverity="major" perceivedSeverity="major"
eventType="communicationsAlarm" eventType="communicationsAlarm"
resourceURI ="snmp://example.com//1.3.6.1.2.1.2.2.1.1.42"] resourceURI="snmp://example.com//1.3.6.1.2.1.2.2.1.1.42"]
In this example, we include two optional alarm fields - eventType and In this example, we include two optional alarm fields: eventType and
resourceURI. resourceURI.
5. Security Considerations 5. Security Considerations
In addition to general syslog security considerations discussed in In addition to the general syslog security considerations discussed
[RFC5424], the information contained with alarms may provide hackers in [RFC5424], the information contained with alarms may provide
with helpful information about parts of the system currently hackers with helpful information about parts of the system currently
experiencing stress as well as general information about the system experiencing stress as well as general information about the system,
such as inventory. such as inventory.
Users should not have access to information in alarms that their Users should not have access to information in alarms that their
normal access permissions would not permit if the information was normal access permissions would not permit if the information were
accessed in another manner. accessed in another manner.
There is no standardized access control model for SYSLOG and hence There is no standardized access control model for syslog, and hence
the ability to filter alarms based on a notion of a receiver identity the ability to filter alarms based on a notion of a receiver identity
is at best implementation specific. is, at best, implementation specific.
6. IANA Considerations 6. IANA Considerations
IANA is requested to register the SD-IDs and PARAM-NAMEs shown below: IANA registered the syslog Structured Data ID values and PARAM-NAMEs
shown below:
SD-ID PARAM-NAME SD-ID PARAM-NAME
alarm OPTIONAL alarm OPTIONAL
resource MANDATORY resource MANDATORY
probableCause MANDATORY probableCause MANDATORY
perceivedSeverity MANDATORY perceivedSeverity MANDATORY
eventType OPTIONAL eventType OPTIONAL
trendIndication OPTIONAL trendIndication OPTIONAL
resourceURI OPTIONAL resourceURI OPTIONAL
7. Acknowledgments 7. Acknowledgments
Thanks to members of the Syslog and OPSAWG work group who contributed Thanks to members of the Syslog and OPSAWG work group who contributed
to this specification. We'd also like to thank Juergen to this specification. We'd also like to thank Juergen
Schoenwaelder, Dave Harrington, Wes Hardaker and Randy Presuhn for Schoenwaelder, Dave Harrington, Wes Hardaker, and Randy Presuhn for
their reviews. their reviews.
RFC 5674 Alarms in Syslog October 2009
8. References 8. References
8.1. Normative References 8.1. Normative References
[RFC1738] Berners-Lee, T., Masinter, L., and M. McCahill, "Uniform [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Resource Locators (URL)", RFC 1738, December 1994. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2119] Bradner, s., "Key words for RFCs to Indicate Requirements
Levels", RFC 2119, March 1997.
[RFC3877] Chisholm, S. and D. Romascanu, "Alarm Management [RFC3877] Chisholm, S. and D. Romascanu, "Alarm Management
Information Base (MIB)", RFC 3877, September 2004. Information Base (MIB)", RFC 3877, September 2004.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005.
[RFC4088] Black, D., McCloghrie, K., and J. Schoenwaelder, "Uniform [RFC4088] Black, D., McCloghrie, K., and J. Schoenwaelder, "Uniform
Resource Identifier (URI) Scheme for the Simple Network Resource Identifier (URI) Scheme for the Simple Network
Management Protocol (SNMP)", RFC 4088, June 2005. Management Protocol (SNMP)", RFC 4088, June 2005.
[RFC5424] Gerhards, R., "The syslog Protocol", RFC 5424, March 2009. [RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009.
8.2. Informative References 8.2. Informative References
[X.733] ITU-T, ""Information Technology - Open Systems [X.733] ITU-T, "Information Technology - Open Systems
Interconnection - System Management: Alarm Reporting Interconnection - System Management: Alarm Reporting
Function"", ITU-T X.733, 1992. Function", ITU-T X.733, 1992.
[X.736] ITU-T, ""Information Technology - Open Systems [X.736] ITU-T, "Information Technology - Open Systems
Interconnection - System Management: Security Alarm Interconnection - System Management: Security Alarm
Reporting Function"", ITU-T X.736, 1992. Reporting Function", ITU-T X.736, 1992.
Authors' Addresses Authors' Addresses
Sharon Chisholm Sharon Chisholm
Nortel Nortel
3500 Carling Ave 3500 Carling Ave
Nepean, Ontario K2H 8E9 Nepean, Ontario K2H 8E9
Canada Canada
Email: schishol@nortel.com EMail: schishol@nortel.com
Rainer Gerhards Rainer Gerhards
Adiscon GmbH Adiscon GmbH
Mozartstrasse 21 Mozartstrasse 21
Grossrinderfeld, BW 97950 Grossrinderfeld, BW 97950
Germany Germany
Email: rgerhards@adiscon.com EMail: rgerhards@adiscon.com
 End of changes. 54 change blocks. 
137 lines changed or deleted 144 lines changed or added

This html diff was produced by rfcdiff 1.37a. The latest version is available from http://tools.ietf.org/tools/rfcdiff/