Date: Fri, 14 Feb 2003 04:53:41 -0800 (PST)
From: Chris Lonvick
Subject: Where we're at

Hi Folks,

Just a quick summary:

- Glenn Mansfield Keeni has the syslog-mib draft here:
  http://www.ietf.org/internet-drafts/draft-ietf-syslog-device-mib-02.txt
  and is looking for comments.

- John Kelsey and Jon Callas have the syslog-sign draft here:
  http://www.ietf.org/internet-drafts/draft-ietf-syslog-sign-08.txt
  They are incorporating the recent set of comments into a new draft and also looking for comments. The IANA Considerations and the Security Concerns sections need to be filled in. (Anyone feel like volunteering text? :-)

Our most recent discussions around syslog-sign include:

- should there be two spaces after the tag field?
- what do we need to do with the length of syslog messages?

Further comments on those subjects will be welcome.

We are going to meet at the San Francisco IETF. It appears that we are scheduled for 1 hour on Tuesday afternoon. Currently the only agenda item we have is for Glenn to review the syslog-mib ID.

Thanks,
Chris

------------------------------

Date: Fri, 14 Feb 2003 13:51:35 -0800
From: Mike MacFaden
Subject: Re: Where we're at

On Fri, Feb 14, 2003 at 04:53:41AM -0800, Chris Lonvick wrote:
> - Glenn Mansfield Keeni has the syslog-mib draft here:
>   http://www.ietf.org/internet-drafts/draft-ietf-syslog-device-mib-02.txt
> and is looking for comments.

fwiw...

1) One syntax error in this mib module: smilint 0.4.1 reports one syntax error:

    syslogAllowedHostsTable : SEQUENCE OF type does not match row type

   Should read as follows:

    syslogAllowedHostsTable OBJECT-TYPE
        SYNTAX SEQUENCE OF SyslogAllowedHostsEntry

2) For the counter objects such as syslogProcMsgsReceived, I don't see what object one would poll to discover discontinuities. Example: ifCounterDiscontinuityTime/rfc2863. I'd like to throw out invalid samples if a proc dies and then restarts between polls for some syslogProcIndex.
   I suggest using something like:

    syslogProcStartedAt OBJECT-TYPE
        SYNTAX      TimeStamp
        MAX-ACCESS  read-only
        STATUS      current
        DESCRIPTION
            "The time which this process was started."
        ::= { syslogProcEntry 7 }

   Some implementations will set syslogProcIndex to an underlying process id (pid), but pids might be reused.

3) I'd prefer having two objects instead of one for syslogProcMsgsIgnored. Tracking badly formed messages versus a configuration error should be easier for operators to debug.

4) I recommend adding REFERENCE clauses to your objects. That way two implementations will have a higher probability of reporting consistent results. See section 3.13.3 of the document listed below.

5) syslogParamsProcDescr: is this a user definable string or something an implementation is supposed to define?

6) syslogParamsConfFileName/syslogParamsPIDFileName: what should be stored if the config is loaded into memory (embedded system?). Hint: See RMON rfc2021/1757 OwnerString for example.

7) I don't see a way to administratively disable/enable a given syslog process (like send a SIGTSTP signal) or to report present state of process (maybe that would be in hrSWRunTable/rfc2790? If so, maybe need to have a foreign key object to access that table). Also maybe a foreign key to access the udpTable or tcpConnTable.

8) Please change the name from DRAFT-IETF-SYSLOG-MIB to just SYSLOG-MIB.

9) Not sure how this mib module can report a failure condition if it fails to save a config to a given file as defined in a typical syslog.conf. See section 3.11 in the document listed below.

10) I would specify if objects are modifiable when rowStatus = active (see rfc1757 for example). See section 3.7 in the document listed below.

11) On IP routers, one often wants to set the source ip address to use when sending via udp. Don't see how to set that here.
There might be other useful hints in Section 3 of:
http://www.ietf.org/internet-drafts/draft-ietf-snmpconf-bcp-12.txt

Regards,
Mike MacFaden

------------------------------

Date: Thu, 27 Feb 2003 07:45:22 -0500
From: Internet-Drafts@ietf.org
Subject: I-D ACTION:draft-ietf-syslog-sign-09.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Security Issues in Network Event Logging Working Group of the IETF.

    Title     : Syslog-Sign Protocol
    Author(s) : J. Kelsey, J. Callas
    Filename  : draft-ietf-syslog-sign-09.txt
    Pages     : 30
    Date      : 2003-2-26

This document describes syslog-sign, a mechanism adding origin authentication, message integrity, replay-resistance, message sequencing, and detection of missing messages to syslog. Syslog-sign provides these security features in a way that has minimal requirements and minimal impact on existing syslog implementations. It is possible to support syslog-sign and gain some of its security attributes by only changing the behavior of the devices generating syslog messages. Some additional processing of the received syslog messages and the syslog-sign messages on the relays and collectors may realize additional security benefits.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-sign-09.txt

To remove yourself from the IETF Announcement list, send a message to ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username "anonymous" and a password of your e-mail address. After logging in, type "cd internet-drafts" and then "get draft-ietf-syslog-sign-09.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html
or
ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail.

Send a message to: mailserv@ietf.org. In the body type:
"FILE /internet-drafts/draft-ietf-syslog-sign-09.txt".
NOTE: The mail server at ietf.org can return the document in MIME-encoded form by using the "mpack" utility. To use this feature, insert the command "ENCODING mime" before the "FILE" command. To decode the response(s), you will need "munpack" or a MIME-compliant mail reader. Different MIME-compliant mail readers exhibit different behavior, especially when dealing with "multipart" MIME messages (i.e. documents which have been split up into multiple messages), so check your local documentation on how to manipulate these messages.

Below is the data which will enable a MIME compliant mail reader implementation to automatically retrieve the ASCII version of the Internet-Draft.

------------------------------
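A poller-side illustration of the counter-discontinuity problem Mike MacFaden raises in point 2 of his review above, added here as an example and not code from the thread, the syslog-mib draft or any SNMP toolkit. It assumes the syslogProcStartedAt object he proposes (a TimeStamp, i.e. sysUpTime in hundredths of a second) and that syslogProcMsgsReceived is a Counter32; the sample values are constructed.

```python
"""Reject syslog MIB counter samples taken across a process restart.

Added example (not from the mailing-list thread or the draft). A naive poller
that only looks at syslogProcMsgsReceived cannot tell a restart from a counter
wrap, and pid reuse means syslogProcIndex may not change either. Polling the
proposed syslogProcStartedAt alongside the counter makes the restart visible.
"""
from dataclasses import dataclass
from typing import Optional

COUNTER32_MODULUS = 2 ** 32  # Counter32 wraps modulo 2^32


@dataclass(frozen=True)
class ProcSample:
    proc_index: int     # syslogProcIndex (often the pid, which may be reused)
    started_at: int     # proposed syslogProcStartedAt, TimeStamp (sysUpTime ticks)
    msgs_received: int  # syslogProcMsgsReceived, Counter32
    sys_uptime: int     # sysUpTime when polled, hundredths of a second


def naive_msgs_per_second(prev: ProcSample, cur: ProcSample) -> float:
    """What a poller without a discontinuity object does: treat every
    decrease as a wrap. A restart therefore yields an absurd rate."""
    delta = (cur.msgs_received - prev.msgs_received) % COUNTER32_MODULUS
    return delta / ((cur.sys_uptime - prev.sys_uptime) / 100.0)


def msgs_per_second(prev: ProcSample, cur: ProcSample) -> Optional[float]:
    """Rate between two polls, or None when the sample must be discarded.

    Discarded when: the row index changed, the agent itself rebooted
    (sysUpTime went backwards, so TimeStamps are incomparable), or the
    process restarted (syslogProcStartedAt changed). A genuine Counter32
    wrap without a restart is still handled by the modular subtraction.
    """
    if prev.proc_index != cur.proc_index:
        return None
    if cur.sys_uptime < prev.sys_uptime:
        return None  # agent reboot: all TimeStamps restarted from zero
    if cur.started_at != prev.started_at:
        return None  # process restarted between polls; counter reset
    elapsed = (cur.sys_uptime - prev.sys_uptime) / 100.0
    if elapsed <= 0:
        return None
    delta = (cur.msgs_received - prev.msgs_received) % COUNTER32_MODULUS
    return delta / elapsed
```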