
From addogra@cisco.com  Thu Feb 21 08:25:36 2013
From: "Aditya Dogra (addogra)" <addogra@cisco.com>
To: "syslog@ietf.org" <syslog@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Date: Thu, 21 Feb 2013 16:25:29 +0000
Message-ID: <94383E83699D0F4D9040CEFAE204B40719E2A5@xmb-aln-x11.cisco.com>
Content-Type: multipart/alternative; boundary="_000_94383E83699D0F4D9040CEFAE204B40719E2A5xmbalnx11ciscocom_"
MIME-Version: 1.0
Subject: [Syslog] Syslog message to Remote Rerver
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Feb 2013 16:26:49 -0000

--_000_94383E83699D0F4D9040CEFAE204B40719E2A5xmbalnx11ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hi All,

Currently syslog messages collected locally on the network device are
transmitted to the remote syslog servers as per RFC 5424 (UDP protocol
used for transmission) and RFC 3195 (TCP protocol used for transmission).

However, we have observed that increasingly, customers are using syslog
messages archived in the remote server for business logic.

In some networks, it is possible that some of the syslog messages may be
dropped due to link failure or other network conditions.
However, the customers are expecting much higher resiliency for the
syslog messages.

The questions we seek clarification on are:

a) What are the expectations from the external syslog delivery?

b) Should we rely on syslogs alone? Please note that SNMP traps
   functionality for network management is also there.

Your thoughts and suggestions are much appreciated.

Regards,
Aditya Dogra



--_000_94383E83699D0F4D9040CEFAE204B40719E2A5xmbalnx11ciscocom_--

From ietfdbh@comcast.net  Sun Feb 24 22:54:56 2013
From: "ietfdbh" <ietfdbh@comcast.net>
To: "'Aditya Dogra \(addogra\)'" <addogra@cisco.com>, <syslog@ietf.org>, <opsawg@ietf.org>
References: <94383E83699D0F4D9040CEFAE204B40719E2A5@xmb-aln-x11.cisco.com>
In-Reply-To: <94383E83699D0F4D9040CEFAE204B40719E2A5@xmb-aln-x11.cisco.com>
Date: Mon, 25 Feb 2013 01:54:14 -0500
Message-ID: <004301ce1324$ecb29500$c617bf00$@comcast.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0044_01CE12FB.03DF4C20"
Subject: Re: [Syslog] [OPSAWG] Syslog message to Remote Rerver

This is a multipart message in MIME format.

------=_NextPart_000_0044_01CE12FB.03DF4C20
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

From: opsawg-bounces@ietf.org [mailto:opsawg-bounces@ietf.org] On Behalf Of
Aditya Dogra (addogra)
Sent: Thursday, February 21, 2013 11:25 AM
To: syslog@ietf.org; opsawg@ietf.org
Subject: [OPSAWG] Syslog message to Remote Rerver

Hi All,

Currently syslog messages collected locally on the network device are
transmitted to the remote syslog servers as per RFC 5424 (UDP protocol used
for transmission) and RFC 3195 (TCP protocol used for transmission).

[dbh>] RFC5424 defines the IETF version of the syslog protocol message
format (not the UDP transport).
RFC5424 RECOMMENDS using a TLS-based transport (RFC5425) rather than a
UDP-based or plain-TCP-based transport for syslog.

If you use a UDP-based transport for interoperability, it should probably
follow RFC5426.
The IETF standard for syslog over UDP (RFC5426) states:

"  Network administrators and architects should be aware of the
   significant reliability and security issues of this transport, which
   stem from the use of UDP."

Note that RFC6587 (plain TCP transport for syslog) is Historic, and contains
an IESG Note:

   The IESG does not recommend implementing or deploying syslog over
   plain tcp, which is described in this document, because it lacks the
   ability to enable strong security [RFC3365].

   Implementation of the TLS transport [RFC5425] is recommended so that
   appropriate security features are available to operators who want to
   deploy secure syslog.  Similarly, those security features can be
   turned off for those who do not want them.

However, we have observed that increasingly, customers are using syslog
messages archived in the remote server for business logic.

[dbh>] If customers are using archived messages, they might want to consider
signing syslog messages.
RFC5848, Signed syslog, describes a mechanism to add origin authentication,
message integrity, replay resistance, message sequencing, and detection of
missing messages to the transmitted syslog messages.
Signed syslog helps ensure integrity of messages both in-transit and in
archived storage.
I think that would be a valuable feature in support of business logic.

David Harrington
ietfdbh@comcast.net
+1-603-828-1401
co-chair, syslog WG

In some networks, it is possible that some of the syslog messages may be
dropped due to link failure or other network conditions.
However, the customers are expecting much higher resiliency for the syslog
messages.

The questions we seek clarification on are:

a) What are the expectations from the external syslog delivery?

b) Should we rely on syslogs alone? Please note that SNMP traps
   functionality for network management is also there.

Your thoughts and suggestions are much appreciated.

Regards,
Aditya Dogra

------=_NextPart_000_0044_01CE12FB.03DF4C20--
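
The reply above points to signed syslog (RFC5848) for detecting missing messages and protecting archived ones. The sketch below is an added example, not part of the thread and not the RFC5848 wire format: it borrows the Signature Block field names FMN, CNT, HB and SIGN, assumes SHA-256 hashes, and substitutes an HMAC with a constructed demo key for the public-key signature the RFC specifies. The sample messages and host name are constructed.

```python
import base64
import hashlib
import hmac

# Constructed demo key. RFC5848 signs with a private key whose public half is
# distributed in Certificate Blocks; HMAC is a standard-library stand-in here.
DEMO_KEY = b"constructed-demo-key"

# Constructed RFC 5424 formatted messages, numbered 1..6 in sending order.
SENT = [
    f"<189>1 2013-02-21T16:25:{n:02d}Z rtr1.example.net ifmgr - LINK - {text}".encode()
    for n, text in enumerate([
        "Interface Gi0/1 changed state to down",
        "Interface Gi0/1 changed state to up",
        "Config changed by admin from 192.0.2.10",
        "Interface Gi0/2 changed state to up",
        "Interface Gi0/3 changed state to down",
        "Interface Gi0/3 changed state to up",
    ], start=1)
]


def msg_hash(raw: bytes) -> str:
    """Base64 SHA-256 of one syslog message exactly as it was sent."""
    return base64.b64encode(hashlib.sha256(raw).digest()).decode()


def _tag(key: bytes, fmn: int, hashes: list) -> str:
    """Authenticate first message number, count and every hash in the block."""
    covered = f"{fmn} {len(hashes)} {' '.join(hashes)}".encode()
    return hmac.new(key, covered, hashlib.sha256).hexdigest()


def make_blocks(messages, per_block=3, key=DEMO_KEY):
    """Originator side: one signature block per run of `per_block` messages."""
    blocks = []
    for start in range(0, len(messages), per_block):
        hashes = [msg_hash(m) for m in messages[start:start + per_block]]
        fmn = start + 1
        blocks.append({"FMN": fmn, "CNT": len(hashes), "HB": hashes,
                       "SIGN": _tag(key, fmn, hashes)})
    return blocks


def audit(received, blocks, key=DEMO_KEY):
    """Collector or archive side: compare stored messages with the blocks."""
    expected = {}   # hash -> message numbers still waiting for a match
    rejected = []   # FMN of blocks whose count or tag does not verify
    for b in blocks:
        ok = len(b["HB"]) == b["CNT"] and hmac.compare_digest(
            b["SIGN"], _tag(key, b["FMN"], b["HB"]))
        if not ok:
            rejected.append(b["FMN"])
            continue
        for offset, h in enumerate(b["HB"]):
            expected.setdefault(h, []).append(b["FMN"] + offset)

    unverified = []  # altered, injected, or covered only by a rejected block
    for raw in received:
        waiting = expected.get(msg_hash(raw))
        if waiting:
            waiting.pop(0)
        else:
            unverified.append(raw)

    missing = sorted(n for nums in expected.values() for n in nums)
    return {"missing": missing, "unverified": unverified,
            "rejected_blocks": rejected}


def demo():
    """Message 2 is lost in transit; message 5 is edited in the archive."""
    blocks = make_blocks(SENT)
    archive = [m for n, m in enumerate(SENT, start=1) if n != 2]
    archive[3] = archive[3].replace(b"down", b"up")  # archive[3] is message 5
    return audit(archive, blocks)


if __name__ == "__main__":
    print(demo())
```

The edited message 5 shows up twice: its original hash is reported as missing and the altered copy as unverified, which is how a lost message and a tampered archive entry are told apart from intact ones.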


From liljenstolpe@gmail.com  Sun Feb 24 20:26:30 2013
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 6.2 \(1499\))
From: Christopher LILJENSTOLPE <liljenstolpe@gmail.com>
In-Reply-To: <94383E83699D0F4D9040CEFAE204B40719E2A5@xmb-aln-x11.cisco.com>
Date: Sun, 24 Feb 2013 20:26:25 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <1A3C0CDF-552E-4C93-A38B-44EFCB3DA52F@gmail.com>
References: <94383E83699D0F4D9040CEFAE204B40719E2A5@xmb-aln-x11.cisco.com>
To: Aditya Dogra (addogra) <addogra@cisco.com>
X-Mailer: Apple Mail (2.1499)
X-Mailman-Approved-At: Mon, 25 Feb 2013 14:03:02 -0800
Cc: "syslog@ietf.org" <syslog@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Subject: Re: [Syslog] [OPSAWG] Syslog message to Remote Rerver
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2013 04:26:30 -0000

Greetings Aditya,

	Can I ask for a little more clarity as to what you are asking?
Are you asking the operational community for their expectations on
syslog message reliability (it seems so in (a)), or are you making a
statement that you do not believe that the reliability is not sufficient
(your earlier comments)?  Also, you mention in (b) that SNMP is there.
That is true - are you proposing that SNMP be used to augment syslog (if
so, I would hazard to guess that that is already a solution that is
widely deployed)?

	Thanks,
	Christopher

On 21Feb2013, at 08.25, Aditya Dogra (addogra) <addogra@cisco.com> wrote:

> Hi All,
>
> Currently syslog messages collected locally on the network device are
> transmitted to the remote syslog servers as per RFC 5424 (UDP protocol
> used for transmission) and RFC 3195 (TCP protocol used for transmission).
>
> However, we have observed that increasingly, customers are using
> syslog messages archived in the remote server for business logic.
>
> In some networks, it is possible that some of the syslog messages may
> be dropped due to link failure or other network conditions.
> However, the customers are expecting much higher resiliency for the
> syslog messages.
>
>
> The questions we seek clarification on are:
>
> a)  What are the expectations from the external syslog delivery?
>
> b)  Should we rely on syslogs alone? Please note that SNMP traps
>     functionality for network management is also there.
>
>
> Your thoughts and suggestions much appreciated.
>
>
> Regards,
> Aditya dogra
>
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg

-- 
李柯睿
Check my PGP key here: https://www.asgaard.org/~cdl/cdl.asc
Current vCard here: https://www.asgaard.org/~cdl/cdl.vcf
Check my calendar availability: https://tungle.me/cdl


From addogra@cisco.com  Sun Feb 24 20:44:21 2013
Return-Path: <addogra@cisco.com>
X-Original-To: syslog@ietfa.amsl.com
Delivered-To: syslog@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7038721F9125 for <syslog@ietfa.amsl.com>; Sun, 24 Feb 2013 20:44:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.405
X-Spam-Level: 
X-Spam-Status: No, score=-10.405 tagged_above=-999 required=5 tests=[AWL=0.193, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gKmf9n52On+X for <syslog@ietfa.amsl.com>; Sun, 24 Feb 2013 20:44:21 -0800 (PST)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) by ietfa.amsl.com (Postfix) with ESMTP id E028A21F9124 for <syslog@ietf.org>; Sun, 24 Feb 2013 20:44:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2560; q=dns/txt; s=iport; t=1361767461; x=1362977061; h=from:to:subject:date:message-id:mime-version; bh=W3BUTZQ+s0Bze3qynp5f2BjZgfixta3d6ipV5y6t0n4=; b=f6smS/TZXX8MHIaoCeY5sMXZyqKqHRrAXsYeUkl+qJw6jm4GiO7GXTUb VZXeNAF5z/3Jz+iiMkyyAi9doaQ8heJ390CeRo0AJtfS99X2QF8zFjNGM /F+R+aVQ988Op4PKRASXwt6NBNFzXBAjXtUrWFpQf4aPWLGYEv2wzWP5Q s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgAFALbqKlGtJV2c/2dsb2JhbABFgkO/D4ESFnOCIQEEGRReAQweAlQmAQQbiAudC6AqjXlkgxdhA6cigweCJw
X-IronPort-AV: E=Sophos;i="4.84,732,1355097600";  d="scan'208,217";a="180685247"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-3.cisco.com with ESMTP; 25 Feb 2013 04:44:20 +0000
Received: from xhc-rcd-x13.cisco.com (xhc-rcd-x13.cisco.com [173.37.183.87]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id r1P4iKP0002509 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <syslog@ietf.org>; Mon, 25 Feb 2013 04:44:20 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.203]) by xhc-rcd-x13.cisco.com ([173.37.183.87]) with mapi id 14.02.0318.004; Sun, 24 Feb 2013 22:44:20 -0600
From: "Aditya Dogra (addogra)" <addogra@cisco.com>
To: "syslog@ietf.org" <syslog@ietf.org>
Thread-Topic: Subscribe 
Thread-Index: Ac4TEsWc+IA7vO0ISRyrnAnCVEdh5Q==
Date: Mon, 25 Feb 2013 04:44:19 +0000
Message-ID: <94383E83699D0F4D9040CEFAE204B4071A0212@xmb-aln-x11.cisco.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.142.104.110]
Content-Type: multipart/alternative; boundary="_000_94383E83699D0F4D9040CEFAE204B4071A0212xmbalnx11ciscocom_"
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 25 Feb 2013 14:03:02 -0800
Subject: [Syslog] Subscribe
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2013 04:44:21 -0000

--_000_94383E83699D0F4D9040CEFAE204B4071A0212xmbalnx11ciscocom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable



Regards,
Aditya dogra



--_000_94383E83699D0F4D9040CEFAE204B4071A0212xmbalnx11ciscocom_--

From addogra@cisco.com  Sun Feb 24 20:47:24 2013
Return-Path: <addogra@cisco.com>
X-Original-To: syslog@ietfa.amsl.com
Delivered-To: syslog@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D0D921F912D; Sun, 24 Feb 2013 20:47:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CBf6Ts0aYDcg; Sun, 24 Feb 2013 20:47:23 -0800 (PST)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id 4630421F9127; Sun, 24 Feb 2013 20:47:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4144; q=dns/txt; s=iport; t=1361767643; x=1362977243; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=nYrPojAbx3sVRSzv92jxiyfPfyoZR4Km0u7PutgWMPA=; b=TCbUkny+js2c+zYD3RkGa1WIOSxh+mFxFFNdxxAyZbSKlDUqu1fNWnqi xvjE8otkJt3/tMzq3YBJzgPBHFzzuYmgblxiqaqalz+Uej4Fmrw4ddM4F oHkh5bwRYpJpGf6/3fI2NK/ghPfJMp4TonhWmrcZRGN1KccIdpNhyNMl2 s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgUFAEbrKlGtJV2d/2dsb2JhbABFFoY5uwMNgQUWc4IfAQEBAwEBAQEgEToLBQcEAgEGAhEEAQEDAgYdAwICAh8GCxQBCAgBAQQOBQgMB4dmAwkGDJBBmwOIAQ2JQgSBI4sUgiYmCwcGgicyYQOUYI0rhReDB4In
X-IronPort-AV: E=Sophos;i="4.84,732,1355097600"; d="scan'208";a="180654512"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by rcdn-iport-7.cisco.com with ESMTP; 25 Feb 2013 04:47:21 +0000
Received: from xhc-aln-x09.cisco.com (xhc-aln-x09.cisco.com [173.36.12.83]) by rcdn-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id r1P4lLYq022522 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 25 Feb 2013 04:47:21 GMT
Received: from xmb-aln-x11.cisco.com ([169.254.6.203]) by xhc-aln-x09.cisco.com ([173.36.12.83]) with mapi id 14.02.0318.004; Sun, 24 Feb 2013 22:47:20 -0600
From: "Aditya Dogra (addogra)" <addogra@cisco.com>
To: Christopher LILJENSTOLPE <liljenstolpe@gmail.com>
Thread-Topic: [OPSAWG] Syslog message to Remote Rerver
Thread-Index: Ac4QUAvJ5qy04rHwSuGPQ3t4GDBIhQC8oSCAAAwtM+A=
Date: Mon, 25 Feb 2013 04:47:20 +0000
Message-ID: <94383E83699D0F4D9040CEFAE204B4071A0238@xmb-aln-x11.cisco.com>
References: <94383E83699D0F4D9040CEFAE204B40719E2A5@xmb-aln-x11.cisco.com> <1A3C0CDF-552E-4C93-A38B-44EFCB3DA52F@gmail.com>
In-Reply-To: <1A3C0CDF-552E-4C93-A38B-44EFCB3DA52F@gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [10.142.104.110]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 25 Feb 2013 14:03:02 -0800
Cc: "syslog@ietf.org" <syslog@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Subject: Re: [Syslog] [OPSAWG] Syslog message to Remote Rerver
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2013 04:47:24 -0000

From rgerhards@hq.adiscon.com  Tue Feb 26 02:34:52 2013
Return-Path: <rgerhards@hq.adiscon.com>
X-Original-To: syslog@ietfa.amsl.com
Delivered-To: syslog@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB3D021F8949; Tue, 26 Feb 2013 02:34:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level: 
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r1+KaQtuFVMp; Tue, 26 Feb 2013 02:34:52 -0800 (PST)
Received: from vmmail.adiscon.com (vmmail.adiscon.com [176.9.56.141]) by ietfa.amsl.com (Postfix) with ESMTP id BE5D121F868B; Tue, 26 Feb 2013 02:34:50 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by vmmail.adiscon.com (Postfix) with ESMTP id 300EA74A37B; Tue, 26 Feb 2013 11:33:40 +0100 (CET)
Received: from vmmail.adiscon.com ([127.0.0.1]) by localhost (vmmail.adiscon.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Adrm+8IDQhmf; Tue, 26 Feb 2013 11:33:40 +0100 (CET)
Received: from vmexch2.intern.adiscon.com (vmvpn.adiscon.com [188.40.57.185]) by vmmail.adiscon.com (Postfix) with ESMTPSA id 1B7FF74A358; Tue, 26 Feb 2013 11:33:40 +0100 (CET)
Received: from VMEXCH2.intern.adiscon.com ([fe80::8cb1:e14c:5f97:b29b]) by vmexch2.intern.adiscon.com ([fe80::8cb1:e14c:5f97:b29b%10]) with mapi id 14.02.0342.003; Tue, 26 Feb 2013 11:34:48 +0100
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: "Aditya Dogra (addogra)" <addogra@cisco.com>
Thread-Topic: [Syslog] Syslog message to Remote Rerver
Thread-Index: Ac4QUAvJ5qy04rHwSuGPQ3t4GDBIhQDtHheA
Date: Tue, 26 Feb 2013 10:34:47 +0000
Message-ID: <1361874887.37195.8.camel@localhost>
References: <94383E83699D0F4D9040CEFAE204B40719E2A5@xmb-aln-x11.cisco.com>
In-Reply-To: <94383E83699D0F4D9040CEFAE204B40719E2A5@xmb-aln-x11.cisco.com>
Accept-Language: de-DE, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [217.92.119.74]
Content-Type: text/plain; charset="utf-8"
Content-ID: <05DFFC775AE5FB4D9A9C125A506E4903@ADISCON.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "syslog@ietf.org" <syslog@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Subject: Re: [Syslog] Syslog message to Remote Rerver
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2013 10:34:53 -0000

From wherrin@gmail.com  Tue Feb 26 13:28:28 2013
Return-Path: <wherrin@gmail.com>
X-Original-To: syslog@ietfa.amsl.com
Delivered-To: syslog@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADE6821F8586; Tue, 26 Feb 2013 13:28:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level: 
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wBuvakHKVm2Z; Tue, 26 Feb 2013 13:28:27 -0800 (PST)
Received: from mail-ve0-f174.google.com (mail-ve0-f174.google.com [209.85.128.174]) by ietfa.amsl.com (Postfix) with ESMTP id 3AB5221F8578; Tue, 26 Feb 2013 13:28:27 -0800 (PST)
Received: by mail-ve0-f174.google.com with SMTP id pb11so4398475veb.33 for <multiple recipients>; Tue, 26 Feb 2013 13:28:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=GZC7QG4J+OXNRvqSeLMLoz95zqCRLdIC6UrW1o0S/sY=; b=oanJNVgGWFFgfjSLBc6pZ7gt5/lUvhPSmI4cTP6m5w0byjrrdzc8sjEK2/gRmci4CW gDpvs8419gZfjyNac9vsYlWHrtwXwt2VYAW/QiSGKNuosu1KCfyPguSquK8J7DVeNxd7 TJrooaf4DYZdXKvgGUlDBdDjpqvEOwN23OBxPhhZSTMBBvqk/hDGYzpBVM9Dzrb+RTb5 YfjINbQuCcsoWu0cys2w6Lw1toIpAtIioeuD9ELQNyALiqIxAfaWnbJYrsV/fLp8A8Sj 1Fg40AZcUdCA1ttQiQRwuGL4B1uG6isQ93iHYALx4c2i5AmGoutpteGa7A+k9Zz0Z1cF UaZg==
X-Received: by 10.52.99.1 with SMTP id em1mr10913470vdb.48.1361914106536; Tue, 26 Feb 2013 13:28:26 -0800 (PST)
MIME-Version: 1.0
Sender: wherrin@gmail.com
Received: by 10.52.179.40 with HTTP; Tue, 26 Feb 2013 13:28:06 -0800 (PST)
In-Reply-To: <94383E83699D0F4D9040CEFAE204B4071A0238@xmb-aln-x11.cisco.com>
References: <94383E83699D0F4D9040CEFAE204B40719E2A5@xmb-aln-x11.cisco.com> <1A3C0CDF-552E-4C93-A38B-44EFCB3DA52F@gmail.com> <94383E83699D0F4D9040CEFAE204B4071A0238@xmb-aln-x11.cisco.com>
From: William Herrin <bill@herrin.us>
Date: Tue, 26 Feb 2013 16:28:06 -0500
X-Google-Sender-Auth: c_xcA49D0xYBV_S350uZWDTq7p0
Message-ID: <CAP-guGW7SVatK8LFd0L+Bx=0vuLGVM1ZJ833xUNcBDmUH82qLw@mail.gmail.com>
To: "Aditya Dogra (addogra)" <addogra@cisco.com>
Content-Type: text/plain; charset=ISO-8859-1
X-Mailman-Approved-At: Wed, 27 Feb 2013 08:09:05 -0800
Cc: Christopher LILJENSTOLPE <liljenstolpe@gmail.com>, "syslog@ietf.org" <syslog@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Subject: Re: [Syslog] [OPSAWG] Syslog message to Remote Rerver
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Feb 2013 21:28:28 -0000

On Sun, Feb 24, 2013 at 11:47 PM, Aditya Dogra (addogra)
<addogra@cisco.com> wrote:
> My point was since syslogs are tied up mostly with
> the base/OS layer, hence it comes pretty much earlier
> than the management plane comes up. And remote
> logging comes in picture when management plane
> comes up. Should syslogs be so reliable that we
> buffer them (in case of udp protocol) or maintain
> sessions (in case of tcp) (and maintain sessions
> during failover/switchovers) so that once management
> plane comes up, we send previous messages also.

Hi Aditya,

I have had servers fail with processes blocked on a syslogger stuck
trying to forward logs to a network syslog server that was no longer
available. Or trying to output logs to a serial console at 9600 bps.
The syslog blocks and then everything else blocks waiting for the
syslog.

The equipment's overall reliability comes _way_ before the reliable
transmission of any particular log line. I want the logger to quickly
dispose of the message and then accept the next one so that the
processes generating those logs don't

A colleague of mine has something he calls "reliable UDP". The idea
goes like this:

1. Transmit the message with a sequence number AND add it to a local
ring buffer.
2. If the receiver receives an out-of-sequence message, it requests
the retransmission of the missing sequence numbers.
3. If the sender receives a retransmission request, it examines the
ring buffer and retransmits if the message is still available.
4. The ring buffer overwrites its own tail as additional messages are
sent. If retransmission isn't requested before the message is
overwritten then the message is lost.


That sort of thing might be handy for syslog messages, but if the
logger is trying much harder than that, I think it risks getting in
the way of the much more important processes generating the logs.

Regards,
Bill Herrin



-- 
William D. Herrin ................ herrin@dirtside.com  bill@herrin.us
3005 Crane Dr. ...................... Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
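
The four-step "reliable UDP" scheme described in the message above, as an added example that is not part of the original post or of any syslog implementation. The class and function names are hypothetical, the log lines are constructed, and the network is simulated in memory with retransmission requests and replies assumed to arrive.

```python
"""NACK-based "reliable UDP" with a sender-side ring buffer (in-memory simulation)."""


class RingSender:
    """Numbers each message and keeps only the last `capacity` for retransmission."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.ring = [None] * capacity      # slot index = seq % capacity
        self.next_seq = 0

    def send(self, text):
        seq = self.next_seq
        self.ring[seq % self.capacity] = (seq, text)   # step 4: overwrite the tail
        self.next_seq += 1
        return (seq, text)                 # step 1: datagram to transmit, no waiting

    def retransmit(self, seq):
        entry = self.ring[seq % self.capacity]
        # step 3: resend only if that slot still holds the requested message
        return entry if entry is not None and entry[0] == seq else None


class GapReceiver:
    """Stores messages and reports gaps in the sequence numbers it sees."""

    def __init__(self):
        self.expected = 0
        self.log = {}
        self.missing = set()

    def receive(self, datagram):
        seq, text = datagram
        self.log[seq] = text
        self.missing.discard(seq)
        if seq < self.expected:            # a retransmission filling an old gap
            return []
        gap = list(range(self.expected, seq))   # step 2: numbers to request
        self.missing.update(gap)
        self.expected = seq + 1
        return gap


def simulate(count, dropped, capacity):
    """Send `count` constructed log lines; datagrams whose seq is in `dropped`
    never arrive. Requests and retransmissions are assumed to get through."""
    sender, receiver = RingSender(capacity), GapReceiver()
    for i in range(count):
        datagram = sender.send(f"<14>rtr1 app: constructed event {i}")
        if datagram[0] in dropped:
            continue
        for seq in receiver.receive(datagram):
            resent = sender.retransmit(seq)
            if resent is not None:
                receiver.receive(resent)
    return sorted(receiver.log), sorted(receiver.missing)


if __name__ == "__main__":
    # One lost datagram: the gap is noticed at seq 4 and seq 3 is still in the ring.
    print(simulate(10, {3}, capacity=4))
    # Six lost in a row (a link outage): only the newest survive in a 4-slot ring.
    print(simulate(10, set(range(2, 8)), capacity=4))
```

The sender never waits on the receiver, so a dead collector costs at most the ring's memory. A dropped final datagram goes unnoticed until a later message arrives, because the receiver only detects gaps.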
