Glenn Mansfield Keeni SysLog-MIB Cyber Solutions Inc., Japan Syslog-WG, IETF-56 March, 2003.


Glenn Mansfield Keeni

SysLog-MIB

Cyber Solutions Inc., Japan

Syslog-WG, IETF-56

March, 2003

Cyber Solutions

Purpose

Monitoring syslog operation:

Stats on messages received, processed, relayed

System-wide parameters

(Per-process) message selection and actions

(Per-process) run-time parameters

Configuring/controlling syslog processes


Syslog

man pages: syslogd, syslog.conf, syslog

RFC 3164


The MIB Design

syslog System Group

syslog Process Group

syslog Control Group


System Group

DefaultTransport, DefaultService, DefaultFacility, DefaultSeverity, MaxMessageSize


Syslog Process Group

Process Table [syslogProcessIndex]

Params Table [syslogProcessIndex]

Allowed Hosts Table [syslogProcessIndex]


Process Table [syslogProcessIndex]

MsgsReceived, MsgsRelayed, MsgsDropped, MsgsIllFormed, MsgsIgnored, MsgsRejected

LastMsgRecdTime, LastMsgDeliveredTime, StartTime, LastError, LastErrorTime


Params Table [syslogProcessIndex]

ProcDescr, BindAddrType, BindAddr, SendToAllAddresses, Compression, ConfFileName, FacilityTranslation

PIDFileName, DNSLookUp, SeverityCompOp, SecuritySpecs, ProcessStatus*, ProcessStorageType, RowStatus

*Process Start/Stop


Allowed Hosts Table [syslogProcessIndex]

HostsAddrType, HostsAddr, HostsMaskLen, HostsTransport, HostsPort, RowStatus
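The Process Group above is easiest to understand as behaviour: a syslog process receives datagrams, filters senders through the Allowed Hosts Table, and accounts for each datagram in exactly one Process Table counter. The following is an added example written for this page, not code from the draft or from Cyber Solutions. The counter and column names follow the slides; the classification order (unknown sender first, then PRI, then MaxMessageSize), the relay-only behaviour, and all sample addresses and messages are this example's own assumptions and constructed input.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# RFC 3164 PRI: "<" followed by 0..191 and ">"
PRI_RE = re.compile(r"^<(\d{1,3})>")


@dataclass
class AllowedHost:
    """One row of the Allowed Hosts Table (HostsAddr, HostsMaskLen,
    HostsTransport, HostsPort); HostsAddrType is implied by the address."""
    addr: str
    masklen: int
    transport: str
    port: int

    def permits(self, src_ip, transport, port):
        net = ipaddress.ip_network(f"{self.addr}/{self.masklen}", strict=False)
        # membership across IP versions is simply False, so v4 and v6 rows coexist
        return (ipaddress.ip_address(src_ip) in net
                and transport == self.transport and port == self.port)


@dataclass
class SyslogProcess:
    """One row of the Process Table plus the System Group's MaxMessageSize."""
    allowed_hosts: list
    max_message_size: int = 1024          # RFC 3164 maximum packet length
    counters: dict = field(default_factory=lambda: {
        "MsgsReceived": 0, "MsgsRelayed": 0, "MsgsDropped": 0,
        "MsgsIllFormed": 0, "MsgsIgnored": 0, "MsgsRejected": 0})
    last_error: str = ""                  # LastError

    def receive(self, src_ip, transport, port, raw):
        """Classify one datagram and bump the matching counter.
        Ordering is this example's assumption: reject unknown senders
        first, then check the PRI, then the size."""
        c = self.counters
        c["MsgsReceived"] += 1
        if not any(h.permits(src_ip, transport, port) for h in self.allowed_hosts):
            c["MsgsRejected"] += 1
            self.last_error = f"rejected {src_ip} port {port}/{transport}"
            return "rejected"
        m = PRI_RE.match(raw)
        if m is None or int(m.group(1)) > 191:
            c["MsgsIllFormed"] += 1
            self.last_error = "ill-formed PRI"
            return "illformed"
        if len(raw) > self.max_message_size:
            c["MsgsDropped"] += 1
            self.last_error = "exceeds MaxMessageSize"
            return "dropped"
        # A relay-only process (assumption): every accepted message is relayed.
        c["MsgsRelayed"] += 1
        return "relayed"


def run_sample():
    """Constructed traffic: two allowed networks, seven datagrams."""
    proc = SyslogProcess(allowed_hosts=[
        AllowedHost("192.0.2.0", 24, "udp", 514),
        AllowedHost("2001:db8::", 32, "udp", 514)])
    datagrams = [
        ("192.0.2.10", "udp", 514, "<34>Oct 11 22:14:15 mymachine su: 'su root' failed"),
        ("198.51.100.7", "udp", 514, "<13>Oct 11 22:14:15 stranger test: hello"),
        ("192.0.2.10", "udp", 514, "no PRI at all"),
        ("192.0.2.10", "udp", 514, "<200>Oct 11 22:14:15 mymachine bad: PRI too large"),
        ("192.0.2.11", "udp", 514, "<13>" + "A" * 2000),
        ("2001:db8::1", "udp", 514, "<13>Oct 11 22:14:15 v6host test: hello"),
        ("192.0.2.10", "tcp", 514, "<13>Oct 11 22:14:15 mymachine test: wrong transport"),
    ]
    outcomes = [proc.receive(*d) for d in datagrams]
    return proc.counters, outcomes, proc.last_error
```

Two points the slides' security considerations rely on are visible here: an Allowed Hosts row that is too wide floods the process (and every counter downstream), and one that is too narrow silently turns legitimate traffic into MsgsRejected, so a SET on that table is as powerful as a firewall rule change and should be treated that way.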

syslog Control Group (cf. syslog.conf)

Selection and Action

Selection: list of facility.level pairs (as in syslog.conf)

Actions: log, display (to a user), relay, pipe


Selection and Action

Selection

Log Action

User Action

Relay Action

Pipe Action


Selection Table [syslogProcessIndex, ActionIndex, SelectionIndex]

ActionIndex, SelectionIndex, Descr, HostNameIncl, HostName, ProgNameIncl, ProgName, PriorityIncl, Facility, Severity, SeverityCompOP, RowStatus


Action Tables

UserActionTable [ProcessIndex,ActionIndex,UserActionIndex]

FwdActionTable [ProcessIndex,ActionIndex,FwdActionIndex]

PipeActionTable [ProcessIndex,ActionIndex]

LogActionTable [ProcessIndex,ActionIndex]


Figure: the selectionTable (ActionIndex, selection parameters) links by ActionIndex to the four action tables:

LogActionTable (ActionIndex): LogFileName, RowStatus

UserActionTable (ActionIndex): UserActionIndex, UserID, RowStatus

PipeActionTable (ActionIndex): PipeCommandName, …, RowStatus

FwdActionTable (ActionIndex): FwdActionIndex, SrcAddrType, …, RowStatus


Log Action Table [syslogProcessIndex, ActionIndex]

LogActionFileName, RowStatus

User Action Table [syslogProcessIndex, ActionIndex, UserActionIndex]

UserActionIndex, UserID, RowStatus

Fwd Action Table [syslogProcessIndex, ActionIndex, FwdActionIndex]

FwdActionIndex, ActionDescr, SrcAddrType, SrcAddr, DstAddrType, DstAddr, Transport, Port, Facility, Severity, RowStatus


Pipe Action Table [syslogProcessIndex, ActionIndex]

PipeActionCommand, RowStatus


Security Considerations (SET)

ParamsTable: Configure, Start/Stop

AllowedHostsTable: Loss/Flood of messages

Selection Table: Loss of messages

Log Action Table: Loss of messages

UserActionTable: Spam a user's console

FwdActionTable: Attack a collector

PipeActionTable: Invoke "sh" commands


Security Considerations (GET)

ProcTable : Counters may reveal IDS info


The draft

draft-ietf-syslog-device-mib-03.txt


To Be Done

- DESCRIPTION clauses

- Editorial nits

- REFERENCE clauses

- Implement

- SET requirements