draft-ietf-opsawg-syslog-snmp-03.txt   draft-ietf-opsawg-syslog-snmp-04.txt 
Network Working Group V. Marinov Network Working Group V. Marinov
Internet-Draft J. Schoenwaelder Internet-Draft J. Schoenwaelder
Intended status: Standards Track Jacobs University Bremen Intended status: Standards Track Jacobs University Bremen
Expires: November 16, 2009 May 15, 2009 Expires: February 7, 2010 August 6, 2009
Mapping Simple Network Management Protocol (SNMP) Notifications to Mapping Simple Network Management Protocol (SNMP) Notifications to
SYSLOG Messages SYSLOG Messages
draft-ietf-opsawg-syslog-snmp-03.txt draft-ietf-opsawg-syslog-snmp-04.txt
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 33 skipping to change at page 1, line 33
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 16, 2009. This Internet-Draft will expire on February 7, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 31 skipping to change at page 3, line 31
specify how the SYSLOG message format should be utilized to carry the specify how the SYSLOG message format should be utilized to carry the
information contained in an SNMP notification message. A new SYSLOG information contained in an SNMP notification message. A new SYSLOG
structured data element is defined which carries the PDU portion of structured data element is defined which carries the PDU portion of
an SNMP notification message. an SNMP notification message.
1.1. Conventions 1.1. Conventions
A system which has the capability of receiving SNMP notification A system which has the capability of receiving SNMP notification
messages from an SNMP Notification Originator and sending the SNMP messages from an SNMP Notification Originator and sending the SNMP
data contained inside in a SYSLOG message format to a SYSLOG data contained inside in a SYSLOG message format to a SYSLOG
collector is referred in this memo as an "snmp-to-syslog translator". collector is referred in this memo as an "SNMP-to-SYSLOG translator".
By definition, such a system should have an SNMP Notification By definition, such a system should have an SNMP Notification
Receiver application and a SYSLOG originator running in order to be Receiver application and a SYSLOG originator running in order to be
able to perform the functions of an "snmp-to-syslog translator". able to perform the functions of an "SNMP-to-SYSLOG translator".
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
2. Background 2. Background
2.1. SNMP Notifications 2.1. SNMP Notifications
A detailed introduction to the SNMP Management Framework can be found A detailed introduction to the SNMP Management Framework can be found
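Review bot: the Conventions paragraph in Section 1.1 still reads "is referred in this memo as" in both columns, even though that line was edited for the capitalization of the term; it should be "is referred to in this memo as". The phrase "sending the SNMP data contained inside in a SYSLOG message format" in the same sentence is also hard to parse and could become "sending the contained SNMP data in the SYSLOG message format".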
skipping to change at page 5, line 20 skipping to change at page 5, line 20
If any additional variables are being included (at the option of the If any additional variables are being included (at the option of the
generating SNMP entity), then each is copied to the variable-bindings generating SNMP entity), then each is copied to the variable-bindings
field. field.
In the case of SNMPv1 or SNMPv2c notifications, the contextEngineID In the case of SNMPv1 or SNMPv2c notifications, the contextEngineID
and the contextName parameters are not present in notification and the contextName parameters are not present in notification
messages. messages.
This document assumes that notifications are in the format defined in This document assumes that notifications are in the format defined in
RFC 3416 [RFC3416]. Notifications in the SNMPv1 notification format RFC 3416 [RFC3416]. Notifications in the SNMPv1 notification format
must be translated as described in Section 3.1 of RFC 3584 [RFC3584]. MUST be translated as described in Section 3.1 of RFC 3584 [RFC3584].
2.2. SYSLOG Notifications 2.2. SYSLOG Notifications
The SYSLOG protocol is defined in [RFC5424]. The message contains a The SYSLOG protocol is defined in [RFC5424]. The message contains a
global header and a number of structured data elements. The ABNF global header and a number of structured data elements. The ABNF
[RFC4234] representation of a SYSLOG message is defined in RFC 5424 [RFC5234] representation of a SYSLOG message is defined in RFC 5424
[RFC5424]. The relevant productions for structured data elements [RFC5424]. The relevant productions for structured data elements
are: are:
STRUCTURED-DATA = NILVALUE / 1*SD-ELEMENT STRUCTURED-DATA = NILVALUE / 1*SD-ELEMENT
SD-ELEMENT = "[" SD-ID *(SP SD-PARAM) "]" SD-ELEMENT = "[" SD-ID *(SP SD-PARAM) "]"
SD-PARAM = PARAM-NAME "=" %d34 PARAM-VALUE %d34 SD-PARAM = PARAM-NAME "=" %d34 PARAM-VALUE %d34
SD-ID = SD-NAME SD-ID = SD-NAME
PARAM-NAME = SD-NAME PARAM-NAME = SD-NAME
PARAM-VALUE = UTF-8-STRING ; characters '"', '\' and PARAM-VALUE = UTF-8-STRING ; characters '"', '\' and
; ']' MUST be escaped. ; ']' MUST be escaped.
skipping to change at page 6, line 9 skipping to change at page 6, line 9
OCTET = %d00-255 OCTET = %d00-255
SP = %d32 SP = %d32
PRINTUSASCII = %d33-126 PRINTUSASCII = %d33-126
NILVALUE = "-" NILVALUE = "-"
3. Mapping SNMP Notifications to SYSLOG Messages 3. Mapping SNMP Notifications to SYSLOG Messages
In this section, we define how the scopedPDU portion from a SNMP In this section, we define how the scopedPDU portion from a SNMP
notification message is used to generate a message in the SYSLOG notification message is used to generate a message in the SYSLOG
format. The notification receiver application at the snmp-to-syslog format. The notification receiver application at the SNMP-to-SYSLOG
translator is listening for incoming notifications. After a translator is listening for incoming notifications. After a
notification is received by the SNMP engine the data portion is notification is received by the SNMP engine the data portion is
forwarded to the notification receiver application. The data portion forwarded to the notification receiver application. The data portion
contains the scopedPDU of the message which is used by the SYSLOG contains the scopedPDU of the message which is used by the SYSLOG
originator on the snmp-to-syslog translator to generate a SYSLOG originator on the SNMP-to-SYSLOG translator to generate a SYSLOG
message and send it to a SYSLOG collector (or proxy). Note that message and send it to a SYSLOG collector (or proxy). Note that
every SNMP notification maps to exactly one SYSLOG message. every SNMP notification maps to exactly one SYSLOG message.
+------------+ +------------------+ +------------+ +------------------+
|snmp | snmp | | syslog +---------+ |snmp | snmp | | syslog +---------+
|notification| notification | +------------+ | message |syslog | |notification| notification | +------------+ | message |syslog |
|originator |------------->| |syslog | |-------->|collector| |originator |------------->| |syslog | |-------->|collector|
+------------+ | |originator | | +---------+ +------------+ | |originator | | +---------+
+------------+ | +------------+ | +------------+ | +------------+ |
|snmp | snmp | +------------+ | syslog +---------+ |snmp | snmp | +------------+ | syslog +---------+
|notification| notification | |snmp | | message |syslog | |notification| notification | |snmp | | message |syslog |
|originator |------------->| |notification| |-------->|collector| |originator |------------->| |notification| |-------->|collector|
+------------+ | |receiver | | +---------+ +------------+ | |receiver | | +---------+
+------------+ | +------------+ | +------------+ | +------------+ |
|snmp | snmp | | |snmp | snmp | |
|notification| notification | snmp-to-syslog | |notification| notification | SNMP-to-SYSLOG |
|originator |------------->| translator | |originator |------------->| translator |
+------------+ +------------------+ +------------+ +------------------+
A common deployment scenario is shown above. There can be many SNMP Figure 1: SNMP-to-SYSLOG translator deployment
notification originators which send SNMP event notifications to a
snmp-to-syslog translator. The snmp-to-syslog translator extracts A common deployment scenario is shown in Figure 1. There can be many
SNMP notification originators which send SNMP event notifications to
a SNMP-to-SYSLOG translator. The SNMP-to-SYSLOG translator extracts
the data portion of the notification, generates a SYSLOG message, and the data portion of the notification, generates a SYSLOG message, and
send the SYSLOG message to a SYSLOG collector, which is responsible send the SYSLOG message to a SYSLOG collector, which is responsible
for collecting and storing all notification messages. for collecting and storing all notification messages. The arrows in
Figure 1 indicate message flows, not individual messages.
The snmp-to-syslog translator is not transparent for a SYSLOG The SNMP-to-SYSLOG translator is not transparent for a SYSLOG
collector. The global header of the SYSLOG message generated by the collector. The global header of the SYSLOG message generated by the
snmp-to-syslog translator is filled with parameters that are specific SNMP-to-SYSLOG translator is filled with parameters that are specific
for the system running the snmp-to-syslog translator such as its for the system running the SNMP-to-SYSLOG translator such as its
hostname, time stamp, etc. The data portion (scopedPDU for SNMPv3 or hostname, time stamp, etc. The data portion (scopedPDU for SNMPv3 or
PDU for SNMPv1/SNMPv2c) of the SNMP notification message is contained PDU for SNMPv1/SNMPv2c) of the SNMP notification message is contained
in the structured data of the SYSLOG message. in the structured data of the SYSLOG message.
Implementations MUST drop invalid SNMP messages before they are Implementations MUST drop invalid SNMP messages before they are
passed to the snmp-to-syslog translator. passed to the SNMP-to-SYSLOG translator.
3.1. SYSLOG Header 3.1. SYSLOG Header
The snmp-to-syslog translator fills the HEADER field of a SYSLOG The SNMP-to-SYSLOG translator fills the HEADER field of a SYSLOG
message with parameters specific to the system on which it is message with parameters specific to the system on which it is
running. The default facility level for SYSLOG messages containing running. The default facility level for SYSLOG messages containing
SNMP notifications should be 3, which corresponds to messages SNMP notifications SHOULD be 3, which corresponds to messages
generated by system daemons. The default severity level should be 5, generated by system daemons. The default severity level SHOULD be 5,
which correponds to "Notice: normal but significant condition". If which correponds to "Notice: normal but significant condition". If
the snmp-to-syslog translator has a notion of the type of the SNMP-to-SYSLOG translator has a notion of the type of
notification that has been received it might choose other values for notification that has been received it might choose other values for
facility and severity level. facility and severity level.
The VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID and MSGID fields The VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID and MSGID fields
in the SYSLOG message header are filled with values that are specific in the SYSLOG message header are filled with values that are specific
to the system on which the snmp-to-syslog translator is running. The to the system on which the SNMP-to-SYSLOG translator is running. The
character set used in the HEADER MUST be seven-bit ASCII in an eight- character set used in the HEADER MUST be seven-bit ASCII in an eight-
bit field as described in [RFC5424]. bit field as described in [RFC5424].
3.2. Structured Data 3.2. Structured Data
The STRUCTURED-DATA field of a SYSLOG message will contain the The STRUCTURED-DATA field of a SYSLOG message carries the ScopedPDU
ScopedPDU (or PDU) portion of the SNMP notification message. For the (or PDU) portion of an SNMP notification message. For the purpose of
purpose of carrying SNMP notification data, a new SD-ID element is carrying SNMP notification data, a new SD-ID element is defined. The
defined. The ABNF [RFC4234] representation of the new structured ABNF [RFC5234] representation of the new structured element is:
element is:
SNMP-SD-ELEMENT = "[" SNMP-SD-ID [CTX] *VARBIND "]" SNMP-SD-ELEMENT = "[" SNMP-SD-ID [CTX] *VARBIND "]"
SNMP-SD-ID = %x73.6E.6D.70 ; snmp SNMP-SD-ID = %x73.6E.6D.70 ; snmp
CTX = CTXENGINE CTXNAME CTX = CTXENGINE CTXNAME
CTXENGINE = SP "ctxEngine=" %d34 HEXSTRING %d34 CTXENGINE = SP "ctxEngine=" %d34 HEXSTRING %d34
CTXNAME = SP "ctxName=" %d34 PARAM-VALUE %d34 CTXNAME = SP "ctxName=" %d34 PARAM-VALUE %d34
VARBIND = SP VARNAME [SP VARLABEL] SP VARVALUE [SP VALSTRING] VARBIND = SP VARNAME [SP VARLABEL] SP VARVALUE [SP VALSTRING]
VARNAME = %d118 NUM "=" %d34 OID %d34 ; "vN=" VARNAME = %d118 NUM "=" %d34 OID %d34 ; "vN="
VARLABEL = %d108 NUM "=" %d34 PARAM-VALUE %d34 ; "lN=" VARLABEL = %d108 NUM "=" %d34 PARAM-VALUE %d34 ; "lN="
VARVALUE = VALOID / VALHEXSTRING / VALCOUNTER32 / VALCOUNTER64 VARVALUE = VALOID / VALHEXSTRING / VALCOUNTER32 / VALCOUNTER64
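Review bot: three wording defects survive into -04 on lines this revision already touches in Sections 3 and 3.1: "which correponds to" should be "corresponds", "and send the SYSLOG message" should be "and sends", and "a SNMP-to-SYSLOG translator" should be "an SNMP-to-SYSLOG translator". Separately, "Implementations MUST drop invalid SNMP messages" is a normative requirement, but nothing in this hunk says what makes a message invalid; a pointer to the applicable SNMP message processing rules would make it testable.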
skipping to change at page 8, line 36 skipping to change at page 8, line 37
/ "2" %d48-52 DIGIT ; 200-249 / "2" %d48-52 DIGIT ; 200-249
/ "25" %d48-53 ; 250-255 / "25" %d48-53 ; 250-255
HEX = DIGIT / %x41-46 / %x61-66 ; 0-9 / A-F / a-f HEX = DIGIT / %x41-46 / %x61-66 ; 0-9 / A-F / a-f
NONZERODIGIT = %d49-57 NONZERODIGIT = %d49-57
ZERO = %d48 ZERO = %d48
DIGIT = ZERO / NONZERODIGIT DIGIT = ZERO / NONZERODIGIT
SP = %d32 SP = %d32
Each SNMP-SD-ELEMENT starts with the SD-ID "snmp". The first two Each SNMP-SD-ELEMENT starts with the SD-ID "snmp". The first two
SD-ID parameters are "ctxEngine" and "ctxName". They must be present SD-ID parameters are "ctxEngine" and "ctxName". The context MUST be
in an SNMPv3 notification and therefore they must be present in a present in an SNMPv3 notification and therefore they MUST be present
SYSLOG message generated by an snmp-to-syslog translator from an in a SYSLOG message generated by an SNMP-to-SYSLOG translator from an
SNMPv3 notification. The contexdEngineID is encoded as an SNMPv3 notification. The contexdEngineID is encoded as an
hexadecimal string while the contextName is encoded as a UTF8 string. hexadecimal string while the contextName is encoded as a UTF8 string.
The remaining parameters in the "snmp" SD-ID correspond to the The remaining parameters in the "snmp" SD-ID correspond to the
varbind list elements contained in the SNMP PDU. The name of a varbind list elements contained in the SNMP PDU. The name of a
varbind is encoded as an OID in dotted notation. The rendered OID is varbind is encoded as an OID in dotted notation. The rendered OID is
carried in a "vN" parameter, where N identifies the position of the carried in a "vN" parameter, where N identifies the position of the
varbind in the varbind list of the SNMP message (the first varbind varbind in the varbind list of the SNMP message (the first varbind
having the position 1). A MIB aware implementation may in addition having the position 1). A MIB aware implementation may in addition
generate a parameter "lN" carrying the descriptor of the associated generate a parameter "lN" carrying the descriptor of the associated
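Review bot: the rewritten sentence after the ABNF now has a number mismatch, "The context MUST be present in an SNMPv3 notification and therefore they MUST be present"; either keep the two parameters as the subject or change "they" to "it". The following sentence still spells the parameter "contexdEngineID" in both columns, which should be "contextEngineID".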
skipping to change at page 9, line 24 skipping to change at page 9, line 25
where M is some number, a MIB aware implementation can choose to where M is some number, a MIB aware implementation can choose to
include the "aN" parameter and to suppress the corresponding "xN" include the "aN" parameter and to suppress the corresponding "xN"
parameter. This special case allows to save space for textual parameter. This special case allows to save space for textual
objects. A receiver receiving a "aN" parameter without a matching objects. A receiver receiving a "aN" parameter without a matching
value at position N can unambiguously convert the value carried in value at position N can unambiguously convert the value carried in
the "aN" parameter back to an OCTET STRING value. the "aN" parameter back to an OCTET STRING value.
While the inclusion of additional parameters carrying OID labels or While the inclusion of additional parameters carrying OID labels or
alternate value representations increases human readability, this alternate value representations increases human readability, this
comes at the cost of increased message size which may cause comes at the cost of increased message size which may cause
truncation of SYSLOG message. Therefore, implementations should truncation of SYSLOG message. Therefore, implementations SHOULD
provide a configuration mechanism to enable/disable the generation of provide a configuration mechanism to enable/disable the generation of
parameters carrying OID labels or alternate value representations. parameters carrying OID labels or alternate value representations.
+--------------------+------------+--------------------------+ +--------------------+------------+--------------------------+
| SNMP Type | PARAM-NAME | Value Encoding | | SNMP Type | PARAM-NAME | Value Encoding |
+--------------------+------------+--------------------------+ +--------------------+------------+--------------------------+
| OBJECT IDENTIFIER | oN | dotted-decimal notation | | OBJECT IDENTIFIER | oN | dotted-decimal notation |
| OCTET STRING | xN | hexadecimal string | | OCTET STRING | xN | hexadecimal string |
| Counter32 | cN | unsigned decimal number | | Counter32 | cN | unsigned decimal number |
| Counter64 | CN | unsigned decimal number | | Counter64 | CN | unsigned decimal number |
| Unsigned32 | uN | unsigned decimal number | | Unsigned32 | uN | unsigned decimal number |
| INTEGER, Integer32 | dN | signed decimal number | | INTEGER, Integer32 | dN | signed decimal number |
| IpAddress | iN | dotted quad notation | | IpAddress | iN | dotted quad notation |
| Opaque | pN | hexadecimal (BER) string | | Opaque | pN | hexadecimal (BER) string |
| TimeTicks | tN | unsigned decimal number | | TimeTicks | tN | unsigned decimal number |
| NULL | nN | zero-length string | | NULL | nN | zero-length string |
+--------------------+------------+--------------------------+ +--------------------+------------+--------------------------+
Table 1: Mapping of SNMP Types to SD Params Table 1: Mapping of SNMP Types to SD Params
The SYSLOG message generated by the snmp-to-syslog translator may The SYSLOG message generated by the SNMP-to-SYSLOG translator may, in
include other structured data elements in its structured part in addition to the SNMP-SD-ELEMENT, include other structured data
addition to the SNMP-SD-ELEMENT. These structured data elements are elements in its structured data part. These additional structured
included in the SYSLOG message by the SYSLOG originator at the snmp- data elements MUST comply with the specification in [RFC5424].
to-syslog translator and must be compliant to the specification in
[RFC5424].
In particular, the parameters in the "origin" SD-ID should identify In particular, the parameters in the "origin" SD-ID SHOULD identify
the originator of the SNMP notification. A suitable value for the the originator of the SNMP notification. A suitable value for the
"ip" parameter may be taken from the snmpTrapAddress varbind if "ip" parameter MAY be taken from the snmpTrapAddress varbind if
present and a suitable value for the "enterpriseId" parameter may be present and a suitable value for the "enterpriseId" parameter MAY be
extracted from snmpTrapOID varbind. extracted from snmpTrapOID varbind.
3.3. MSG Data 3.3. MSG Data
The MSG part of the SYSLOG message is optional and may contain a The MSG part of the SYSLOG message is optional and may contain a
free-form message that provides a textual description of the SNMP free-form message that provides a textual description of the SNMP
event notification. The character set used in MSG SHOULD be UNICODE, event notification. The character set used in MSG SHOULD be UNICODE,
encoded using UTF-8 as specified in [RFC3629]. If the originator can encoded using UTF-8 as specified in [RFC3629]. If the originator can
not encode the MSG in Unicode, it MAY use any other encoding. not encode the MSG in Unicode, it MAY use any other encoding.
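Review bot: keyword capitalization is now inconsistent within Sections 3.2 and 3.3. The right column upgrades "SHOULD provide a configuration mechanism", "MUST comply" and "MAY be taken", but leaves "translator may, in addition to the SNMP-SD-ELEMENT, include" and "is optional and may contain" in lower case. Decide whether those two are normative and capitalize or reword them accordingly. The MSG paragraph also mixes "UNICODE" and "Unicode".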
skipping to change at page 11, line 11 skipping to change at page 11, line 11
retrieve the missing parameters from the SYSLOG-MSG-MIB. Regular retrieve the missing parameters from the SYSLOG-MSG-MIB. Regular
polling of the SYSLOG-MSG-MIB can be used to take care of any lost polling of the SYSLOG-MSG-MIB can be used to take care of any lost
SNMP notifications. SNMP notifications.
5. Usage Example 5. Usage Example
Here we provide an example how an SNMP linkUp trap message is mapped Here we provide an example how an SNMP linkUp trap message is mapped
into a SYSLOG message by using the mappings defined in Section 3.1 into a SYSLOG message by using the mappings defined in Section 3.1
and Section 3.2. and Section 3.2.
The linkUp notification is defined in [RFC2863]: The linkUp notification is defined in [RFC2863] as follows:
linkUp NOTIFICATION-TYPE linkUp NOTIFICATION-TYPE
OBJECTS { ifIndex, ifAdminStatus, ifOperStatus } OBJECTS { ifIndex, ifAdminStatus, ifOperStatus }
STATUS current STATUS current
DESCRIPTION DESCRIPTION
"A linkUp trap signifies that the SNMP entity, acting in an "A linkUp trap signifies that the SNMP entity, acting in an
agent role, has detected that the ifOperStatus object for agent role, has detected that the ifOperStatus object for
one of its communication links left the down state and one of its communication links left the down state and
transitioned into some other state (but not into the transitioned into some other state (but not into the
notPresent state). This other state is indicated by the notPresent state). This other state is indicated by the
skipping to change at page 12, line 4 skipping to change at page 12, line 4
06:09:2B:06:01:06:03:01:01:05:04 linkUp } 06:09:2B:06:01:06:03:01:01:05:04 linkUp }
30:0F SEQUENCE { 30:0F SEQUENCE {
06:0A:2B:06:01:02:01:02:02:01:01:03 ifIndex.3 06:0A:2B:06:01:02:01:02:02:01:01:03 ifIndex.3
02:01:03 3 } 02:01:03 3 }
30:0F SEQUENCE { 30:0F SEQUENCE {
06:0A:2B:06:01:02:01:02:02:01:07:03 ifAdminStatus.3 06:0A:2B:06:01:02:01:02:02:01:07:03 ifAdminStatus.3
02:01:01 up(1) } 02:01:01 up(1) }
30:0F SEQUENCE { 30:0F SEQUENCE {
06:0A:2B:06:01:02:01:02:02:01:08:03 ifOperStatus.3 06:0A:2B:06:01:02:01:02:02:01:08:03 ifOperStatus.3
02:01:01 up(1) } } } } 02:01:01 up(1) } } } }
The corresponding SYSLOG message generated by the snmp-to-syslog The corresponding SYSLOG message generated by the SNMP-to-SYSLOG
translator is shown below. (SYSLOG examples should be considered to translator is shown below. (SYSLOG examples should be considered to
be on one line. They are wrapped on multiple lines in this document be on one line. They are wrapped on multiple lines in this document
for readability purposes only.) for readability purposes only.)
<29>1 2003-10-11T22:14:15.003Z mymachine.example.com snmptrapd - ID47 <29>1 2003-10-11T22:14:15.003Z mymachine.example.com snmptrapd - ID47
[snmp ctxEngine="800002b804616263" ctxName="ctx1" [snmp ctxEngine="800002b804616263" ctxName="ctx1"
v1="1.3.6.1.2.1.1.3.0" l1="sysUpTime.0" d1="94860" v1="1.3.6.1.2.1.1.3.0" l1="sysUpTime.0" d1="94860"
v2="1.3.6.1.6.3.1.1.4.1.0" l2="snmpTrapOID.0" v2="1.3.6.1.6.3.1.1.4.1.0" l2="snmpTrapOID.0"
o2="1.3.6.1.6.3.1.1.5.4" a2="linkUp" o2="1.3.6.1.6.3.1.1.5.4" a2="linkUp"
v3="1.3.6.1.2.1.2.2.1.1.3" d3="3" v3="1.3.6.1.2.1.2.2.1.1.3" d3="3"
v4="1.3.6.1.2.1.2.2.1.7.3" d4="1" a4="up" v4="1.3.6.1.2.1.2.2.1.7.3" d4="1" a4="up"
v5="1.3.6.1.2.1.2.2.1.8.3" d5="1" a5="up"] v5="1.3.6.1.2.1.2.2.1.8.3" d5="1" a5="up"]
The corresponding SYSLOG message has a priority value of 29 which The corresponding SYSLOG message has a priority value of 29 which
means a facility level of 3 (system daemons) and a severity level of means a facility level of 3 (system daemons) and a severity level of
5 (Notice: Normal but significant condition) according to the 5 (Notice: Normal but significant condition) according to the
algorithm for calculation of priority value specified in Section algorithm for calculation of priority value specified in Section
6.2.1 of [RFC5424]. The rest of the fields in the header of the 6.2.1 of [RFC5424]. The rest of the fields in the header of the
SYSLOG message are parameters that are specific to the system running SYSLOG message are parameters that are specific to the system running
the snmp-to-syslog translator. The SYSLOG version is 1 and the the SNMP-to-SYSLOG translator. The SYSLOG version is 1 and the
message was generated at 22:14:15.003Z on 2003-10-11T by the host message was generated at 22:14:15.003Z on 2003-10-11T by the host
"mymachine.example.com". The application on the snmp-to-syslog "mymachine.example.com". The application on the SNMP-to-SYSLOG
translator that generated the message was "snmptrapd", there is no translator that generated the message was "snmptrapd", there is no
information about the process id and the message on the snmp-to- information about the process id and the message on the SNMP-to-
syslog system is identified with the MSGID of ID47. SYSLOG system is identified with the MSGID of ID47.
The SYSLOG message contains one structured data element with a SD-ID The SYSLOG message contains one structured data element with a SD-ID
of "snmp" which means that this is the scopedPDU portion of an SNMP of "snmp" which means that this is the scopedPDU portion of an SNMP
event notification message. The data which is contained in the event notification message. The data which is contained in the
notification is associated with the ContextEngineID "123456" and notification is associated with the ContextEngineID "123456" and
ContextName "ctx1". The request-id of the SNMP notification message ContextName "ctx1". The request-id of the SNMP notification message
was "7145575". Then follows the data portion of the scopedPDU. The was "7145575". Then follows the data portion of the scopedPDU. The
first two variables contained in the data portion are always the first two variables contained in the data portion are always the
sysUpTime.0 and snmpTrapOID.0. An snmpTrapOID.0 with a value of sysUpTime.0 and snmpTrapOID.0. An snmpTrapOID.0 with a value of
"1.3.6.1.6.3.1.1.5.4" means that this is a linkUp trap. The "1.3.6.1.6.3.1.1.5.4" means that this is a linkUp trap. The
skipping to change at page 13, line 37 skipping to change at page 13, line 37
t<N> OPTIONAL t<N> OPTIONAL
a<N> OPTIONAL a<N> OPTIONAL
7. Security Considerations 7. Security Considerations
The security considerations discussed in [RFC5424] apply to this The security considerations discussed in [RFC5424] apply to this
document. document.
The SNMP architecture supports an access control mechanism ensuring The SNMP architecture supports an access control mechanism ensuring
that SNMP notifications are only sent to receivers who are authorized that SNMP notifications are only sent to receivers who are authorized
to receive the notification. Users of this mapping of SNMP to receive the notification. Network operators using this mapping of
notifications to SYSLOG messages should enforce a consistent policy SNMP notifications to SYSLOG messages should enforce a consistent
preventing people from accessing SNMP notifications via the SYSLOG policy preventing people from accessing SNMP notifications via the
mapping that would otherwise not be accessible. SYSLOG mapping that would otherwise not be accessible.
8. Acknowledgments 8. Acknowledgments
The authors wish to thank Martin Bjorklund, Washam Fan, Rainer The editors wish to thank the following individuals for providing
Gerhards, Tom Petch and all other people who commented on various helpful comments on various versions of this document: Martin
versions of this proposal. Bjorklund, Washam Fan, Rainer Gerhards, Tom Petch, and Dan Romascanu.
9. References 9. References
9.1. Normative References 9.1. Normative References
[I-D.ietf-opsawg-syslog-msg-mib] [I-D.ietf-opsawg-syslog-msg-mib]
Schoenwaelder, J., Clemm, A., and A. Karmakar, Schoenwaelder, J., Clemm, A., and A. Karmakar,
"Definitions of Managed Objects for Mapping SYSLOG "Definitions of Managed Objects for Mapping SYSLOG
Messages to Simple Network Management Protocol (SNMP) Messages to Simple Network Management Protocol (SNMP)
Notifications", Internet Draft (work in progress), Notifications", Internet Draft (work in progress),
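Review bot: in Section 7 the requirement is still written with a lower-case "should enforce a consistent policy", while this revision converts requirements elsewhere to RFC 2119 keywords; state whether this one is meant as SHOULD. The sentence also names only the goal (no access via the SYSLOG mapping to notifications that would otherwise be inaccessible) and would be easier to act on if it said where the policy has to be applied.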
skipping to change at page 14, line 44 skipping to change at page 14, line 44
[RFC3418] Presuhn, R., "Management Information Base (MIB) for the [RFC3418] Presuhn, R., "Management Information Base (MIB) for the
Simple Network Management Protocol (SNMP)", STD 62, Simple Network Management Protocol (SNMP)", STD 62,
RFC 3418, December 2002. RFC 3418, December 2002.
[RFC3584] Frye, R., Levi, D., Routhier, S., and B. Wijnen, [RFC3584] Frye, R., Levi, D., Routhier, S., and B. Wijnen,
"Coexistence between Version 1, Version 2, and Version 3 "Coexistence between Version 1, Version 2, and Version 3
of the Internet-standard Network Management Framework.", of the Internet-standard Network Management Framework.",
BCP 74, RFC 3584, August 2003. BCP 74, RFC 3584, August 2003.
[RFC4234] Crocker, D. and P. Overell, "Augmented BNF for Syntax [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 4234, October 2005. Specifications: ABNF", RFC 5234, January 2008.
[RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009. [RFC5424] Gerhards, R., "The Syslog Protocol", RFC 5424, March 2009.
9.2. Informative References 9.2. Informative References
[RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder, [RFC2578] McCloghrie, K., Perkins, D., and J. Schoenwaelder,
"Structure of Management Information Version 2 (SMIv2)", "Structure of Management Information Version 2 (SMIv2)",
RFC 2578, STD 58, April 1999. RFC 2578, STD 58, April 1999.
[RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group [RFC2863] McCloghrie, K. and F. Kastenholz, "The Interfaces Group
 End of changes. 33 change blocks. 
56 lines changed or deleted 56 lines changed or added
