5674
PROPOSED STANDARD
Alarms in Syslog
Authors: S. Chisholm, R. Gerhards
Date: October 2009
Area: ops
Working Group: opsawg
Stream: IETF
Abstract
This document describes how to send alarm information in syslog. It includes the mapping of ITU perceived severities onto syslog message fields. It also includes a number of alarm-specific SD-PARAM definitions from X.733 and the IETF Alarm MIB. [STANDARDS-TRACK]
RFC 5674
PROPOSED STANDARD
Network Working Group S. Chisholm
Request for Comments: 5674 Nortel
Category: Standards Track R. Gerhards
Adiscon GmbH
October 2009
<span class="h1">Alarms in Syslog</span>
Abstract
This document describes how to send alarm information in syslog. It
includes the mapping of ITU perceived severities onto syslog message
fields. It also includes a number of alarm-specific SD-PARAM
definitions from X.733 and the IETF Alarm MIB.
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
<span class="grey">Chisholm & Gerhards Standards Track [Page 1]</span><span id="page-2" ></span>
<span class="grey"><a href="./rfc5674">RFC 5674</a> Alarms in Syslog October 2009</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-2">2</a>
<a href="#section-2">2</a>. Severity Mapping ................................................<a href="#page-2">2</a>
<a href="#section-3">3</a>. Alarm STRUCTURED-DATA Elements ..................................<a href="#page-3">3</a>
<a href="#section-3.1">3.1</a>. resource ...................................................<a href="#page-3">3</a>
<a href="#section-3.2">3.2</a>. probableCause ..............................................<a href="#page-4">4</a>
<a href="#section-3.3">3.3</a>. perceivedSeverity ..........................................<a href="#page-4">4</a>
<a href="#section-3.4">3.4</a>. eventType ..................................................<a href="#page-4">4</a>
<a href="#section-3.5">3.5</a>. trendIndication ............................................<a href="#page-4">4</a>
<a href="#section-3.6">3.6</a>. resourceURI ................................................<a href="#page-5">5</a>
<a href="#section-4">4</a>. Examples ........................................................<a href="#page-5">5</a>
<a href="#section-5">5</a>. Security Considerations .........................................<a href="#page-6">6</a>
<a href="#section-6">6</a>. IANA Considerations .............................................<a href="#page-6">6</a>
<a href="#section-7">7</a>. Acknowledgments .................................................<a href="#page-6">6</a>
<a href="#section-8">8</a>. References ......................................................<a href="#page-7">7</a>
<a href="#section-8.1">8.1</a>. Normative References .......................................<a href="#page-7">7</a>
<a href="#section-8.2">8.2</a>. Informative References .....................................<a href="#page-7">7</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
In addition to sending out alarm information asynchronously via
protocols such as the Simple Network Management Protocol (SNMP) or
the Network Configuration Protocol (Netconf), many implementations
also log alarms via syslog. This memo defines a set of SD-PARAMs to
support logging and defines a mapping of syslog severity to the
severity of the alarm.
The Alarm MIB [<a href="./rfc3877" title=""Alarm Management Information Base (MIB)"">RFC3877</a>] includes mandatory alarm fields from X.733
[<a href="#ref-X.733" title=""Information Technology - Open Systems Interconnection - System Management: Alarm Reporting Function"">X.733</a>] as well as information from X.736 [<a href="#ref-X.736" title=""Information Technology - Open Systems Interconnection - System Management: Security Alarm Reporting Function"">X.736</a>]. In additional,
the Alarm MIB introduces its own alarm fields. This memo reuses
terminology and fields from the Alarm MIB.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
Alarm-related terminology is defined in [<a href="./rfc3877" title=""Alarm Management Information Base (MIB)"">RFC3877</a>].
SD-ID, SD-PARAM, and other syslog-related terms are defined in
[<a href="./rfc5424" title=""The Syslog Protocol"">RFC5424</a>].
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Severity Mapping</span>
The Alarm MIB [<a href="./rfc3877" title=""Alarm Management Information Base (MIB)"">RFC3877</a>] defines ITU perceived severities; it is
useful to be able to relate these to the syslog message fields,
particularly in the case where alarms are being logged. This memo
describes the representation of ITU perceived severities in
<span class="grey">Chisholm & Gerhards Standards Track [Page 2]</span><span id="page-3" ></span>
<span class="grey"><a href="./rfc5674">RFC 5674</a> Alarms in Syslog October 2009</span>
appropriate syslog fields, which are described in [<a href="./rfc5424" title=""The Syslog Protocol"">RFC5424</a>]. Syslog
offers both a so-called SEVERITY as well as STRUCTURED-DATA. Due to
constraints in syslog, there is no one-to-one mapping possible for
SEVERITY. A STRUCTURED-DATA element is defined in this document to
allow inclusion of the unmodified ITU perceived severity.
Syslog supports Severity values different from ITU perceived
severities. These are defined in <a href="./rfc5424#section-6.2.1">Section 6.2.1 of [RFC5424]</a>. The
mapping shown in Table 1 below SHOULD be used to map ITU perceived
severities to syslog severities.
ITU Perceived Severity syslog SEVERITY (Name)
Critical 1 (Alert)
Major 2 (Critical)
Minor 3 (Error)
Warning 4 (Warning)
Indeterminate 5 (Notice)
Cleared 5 (Notice)
Table 1. ITUPerceivedSeverity to Syslog SEVERITY Mapping
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Alarm STRUCTURED-DATA Elements</span>
STRUCTURED-DATA allows the inclusion of any structured information
into a syslog message. The following are defined in this document to
support the structuring of alarm information.
o Resource Under Alarm
o Probable Cause
o Event Type
o Perceived Severity
o Trend Indication
o Resource URI
Support of the "alarm" SD-ID is optional but, once supported, some of
the SD-PARAMS are mandatory.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. resource</span>
If the "alarm" SD-ID is included, the "resource" SD-PARAM MUST be
included. This item uniquely identifies the resource under alarm
within the scope of a network element.
<span class="grey">Chisholm & Gerhards Standards Track [Page 3]</span><span id="page-4" ></span>
<span class="grey"><a href="./rfc5674">RFC 5674</a> Alarms in Syslog October 2009</span>
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. probableCause</span>
If the "alarm" SD-ID is included, the "probableCause" SD-PARAM MUST
be included. This parameter is the mnemonic associated with the
IANAItuProbableCause object defined within [<a href="./rfc3877" title=""Alarm Management Information Base (MIB)"">RFC3877</a>] and any
subsequent extensions defined by IANA. For example,
IANAItuProbableCause defines a transmission failure to a probable
cause of 'transmissionError (10)'. The value of the parameter in
this case would be 'transmissionError'.
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. perceivedSeverity</span>
If the "alarm" SD-ID is included, the "perceivedSeverity" SD-PARAM
MUST be included. Similar to the definition of perceived severity in
[<a href="#ref-X.736" title=""Information Technology - Open Systems Interconnection - System Management: Security Alarm Reporting Function"">X.736</a>] and [<a href="./rfc3877" title=""Alarm Management Information Base (MIB)"">RFC3877</a>], this object can take the following values:
o cleared
o indeterminate
o critical
o major
o minor
o warning
See <a href="#section-2">Section 2</a> for the relationship between this severity and syslog
severity.
<span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. eventType</span>
If the "alarm" SD-ID is included, the "eventType" SD-PARAM SHOULD be
included. This parameter is the mnemonic associated with the
IANAItuEventType object defined within [<a href="./rfc3877" title=""Alarm Management Information Base (MIB)"">RFC3877</a>] and any subsequent
extensions defined by IANA. For example, IANAItuEventType defines an
environmental alarm to an event type of 'environmentalAlarm (6)'.
The value of the parameter in this case would be
'environmentalAlarm'.
<span class="h3"><a class="selflink" id="section-3.5" href="#section-3.5">3.5</a>. trendIndication</span>
If the "alarm" SD-ID is included, the "trendIndication" SD-PARAM
SHOULD be included. Similar to the definition of perceived severity
in [<a href="#ref-X.733" title=""Information Technology - Open Systems Interconnection - System Management: Alarm Reporting Function"">X.733</a>] and [<a href="./rfc3877" title=""Alarm Management Information Base (MIB)"">RFC3877</a>], this object can take the following values:
<span class="grey">Chisholm & Gerhards Standards Track [Page 4]</span><span id="page-5" ></span>
<span class="grey"><a href="./rfc5674">RFC 5674</a> Alarms in Syslog October 2009</span>
o moreSevere
o noChange
o lessSevere
<span class="h3"><a class="selflink" id="section-3.6" href="#section-3.6">3.6</a>. resourceURI</span>
If the "alarm" SD-ID is included, the "resourceURI" SD-PARAM SHOULD
be included. This item uniquely identifies the resource under alarm.
The value of this field MUST conform to the URI definition in
[<a href="./rfc3986" title=""Uniform Resource Identifier (URI): Generic Syntax"">RFC3986</a>] and its updates. In the case of an SNMP resource, the
syntax in [<a href="./rfc4088" title=""Uniform Resource Identifier (URI) Scheme for the Simple Network Management Protocol (SNMP)"">RFC4088</a>] MUST be used and "resourceURI" must point to the
same resource as alarmActiveResourceId [<a href="./rfc3877" title=""Alarm Management Information Base (MIB)"">RFC3877</a>] for this alarm.
Both the "resource" and the "resourceURI" parameters point at the
resource experiencing the alarm, but the "resourceURI" has syntactic
constraint requiring it to be a URI. This makes it easy to correlate
this syslog alarm with any alarms that are received via other
protocols, such as SNMP, or to use SNMP or other protocols to get
additional information about this resource.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Examples</span>
Example 1 - Mandatory Alarm Information
<165>1 2003-10-11T22:14:15.003Z mymachine.example.com
evntslog - ID47 [exampleSDID@32473 iut="3" eventSource=
"Application" eventID="1011"][alarm resource="su root"
probableCause="unauthorizedAccessAttempt"
perceivedSeverity="major"]
BOMAn application event log entry...
In this example, extended from [<a href="./rfc5424" title=""The Syslog Protocol"">RFC5424</a>], the VERSION is 1 and the
Facility has the value of 4. The severity is 2. The message was
created on 11 October 2003 at 10:14:15pm UTC, 3 milliseconds into the
next second. The message originated from a host that identifies
itself as "mymachine.example.com". The APP-NAME is "evntslog" and
the PROCID is unknown. The MSGID is "ID47". We have included both
the structured data from the original example, a single element with
the value "[exampleSDID@32473 iut="3" eventSource="Application"
eventID="1011"]", and a new element with the alarm information
defined in this memo. The alarm SD-ID contains the mandatory SD-
PARAMS of resource, probableCause, and preceivedSeverity. The MSG
itself is "An application event log entry..." The BOM at the
beginning of the MSG indicates UTF-8 encoding.
<span class="grey">Chisholm & Gerhards Standards Track [Page 5]</span><span id="page-6" ></span>
<span class="grey"><a href="./rfc5674">RFC 5674</a> Alarms in Syslog October 2009</span>
Example 2 - Additional Alarm Information
<165>1 2004-11-10T20:15:15.003Z mymachine.example.com
evntslog - ID48 [alarm resource="interface 42"
probableCause="unauthorizedAccessAttempt"
perceivedSeverity="major"
eventType="communicationsAlarm"
resourceURI="snmp://example.com//1.3.6.1.2.1.2.2.1.1.42"]
In this example, we include two optional alarm fields: eventType and
resourceURI.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Security Considerations</span>
In addition to the general syslog security considerations discussed
in [<a href="./rfc5424" title=""The Syslog Protocol"">RFC5424</a>], the information contained with alarms may provide
hackers with helpful information about parts of the system currently
experiencing stress as well as general information about the system,
such as inventory.
Users should not have access to information in alarms that their
normal access permissions would not permit if the information were
accessed in another manner.
There is no standardized access control model for syslog, and hence
the ability to filter alarms based on a notion of a receiver identity
is, at best, implementation specific.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. IANA Considerations</span>
IANA registered the syslog Structured Data ID values and PARAM-NAMEs
shown below:
SD-ID PARAM-NAME
alarm OPTIONAL
resource MANDATORY
probableCause MANDATORY
perceivedSeverity MANDATORY
eventType OPTIONAL
trendIndication OPTIONAL
resourceURI OPTIONAL
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Acknowledgments</span>
Thanks to members of the Syslog and OPSAWG work group who contributed
to this specification. We'd also like to thank Juergen
Schoenwaelder, Dave Harrington, Wes Hardaker, and Randy Presuhn for
their reviews.
<span class="grey">Chisholm & Gerhards Standards Track [Page 6]</span><span id="page-7" ></span>
<span class="grey"><a href="./rfc5674">RFC 5674</a> Alarms in Syslog October 2009</span>
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. References</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC3877">RFC3877</a>] Chisholm, S. and D. Romascanu, "Alarm Management
Information Base (MIB)", <a href="./rfc3877">RFC 3877</a>, September 2004.
[<a id="ref-RFC3986">RFC3986</a>] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
<a href="./rfc3986">RFC 3986</a>, January 2005.
[<a id="ref-RFC4088">RFC4088</a>] Black, D., McCloghrie, K., and J. Schoenwaelder, "Uniform
Resource Identifier (URI) Scheme for the Simple Network
Management Protocol (SNMP)", <a href="./rfc4088">RFC 4088</a>, June 2005.
[<a id="ref-RFC5424">RFC5424</a>] Gerhards, R., "The Syslog Protocol", <a href="./rfc5424">RFC 5424</a>, March 2009.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Informative References</span>
[<a id="ref-X.733">X.733</a>] ITU-T, "Information Technology - Open Systems
Interconnection - System Management: Alarm Reporting
Function", ITU-T X.733, 1992.
[<a id="ref-X.736">X.736</a>] ITU-T, "Information Technology - Open Systems
Interconnection - System Management: Security Alarm
Reporting Function", ITU-T X.736, 1992.
Authors' Addresses
Sharon Chisholm
Nortel
3500 Carling Ave
Nepean, Ontario K2H 8E9
Canada
EMail: [email protected]
Rainer Gerhards
Adiscon GmbH
Mozartstrasse 21
Grossrinderfeld, BW 97950
Germany
EMail: [email protected]
Chisholm & Gerhards Standards Track [Page 7]
Annotations
Select text to annotate