Re: [Syslog] The SIMPLE SyslogMIB

[Glenn M. Keeni]

Rainer,
   There is no standard for configuration and operation for syslog.
Do there is not much of configuration supported by the MIB. The
earlier versions of the MIB had some configuration which was based
on the unix-syslog. This has been dropped in the later versions
because of its complexity and non-universality.
   However the configuration that you are suggesting is there -
the listening address/port for a syslog receiver, the transport type,
and the configuration file. This is probably the common configuration
for syslog entities that we can talk of in the absence of any document.

Glenn

 thanks for the description in plain words. At least for me, this is
 very useful.
 
 If you think about things that are common to a sufficiently large number
 of syslog applications, you can not standardize on many more properties.
 What syslog applications do with the messages is very different, as are
 the filtering capabilities.
 
 One thing I could think of is a MIB/special table (whatever in SNMP
 terms) *just* for *simple syslog *senders**. It is common for devices
 like routers, switches and firewalls to provide a limited syslog
 reporting capability. What needs to be configured here is
 
 TARGET :==
 [the receiver of the syslog message]
 - IP address or hostname
 - port on traget system
 - transport (UDP, plain tcp [not standardized], -tls, 3195, ...)
 - facility to be used for messages
 - eventually severity *level* as a filter (e.g. send only emergency
 message or
   send all except debug)
 - opionaly pointer to local config file
 
 Some devices support multiple TARGETs, some only a single one.
 
 I might have forgotten some properties, but the above description should
 be usable with a very large number of devices. It may also be that you
 can model this with the existing MIB ;) 
 
 I hope my comment is useful.
 
 Rainer
 
 -Original Message-
 From: Glenn M. Keeni [mailto:[EMAIL PROTECTED]
 Sent: Friday, January 12, 2007 9:30 AM
 To: [EMAIL PROTECTED]
 Subject: [Syslog] The SIMPLE SyslogMIB

 Hi,
I will try to address David's concern about the complexity
 and utility of the MIB.
The basic design principle has been to keep the MIB simple.
 It has gone through several iterations, each one making it
 simpler than the earlier version :-)
At present the MIB basically allows the NMS to manage the
 syslog entity (sender, receiver, relay) by looking at its
   (a) status ( up/down/suspended/unknown)
   (b) configuration
   (c) macro statistics
total number of messages (sent, received, relayed)
total number of exceptions
   ( drops, discards, malforms)
The notifications will tell the NMS about change in the
 syslog entity's status.
   That in a nutshell is what one will want to or need to do
 for basic monitoring/management.

 The MIB can provide information on multiple syslog entities.
 [Scenario: two syslogd's are running on a syslog server - one
  for experiments one for regular operations.]

 So if we want we may get a table like the following from the MIB.

   Syslog Status and Statistics Summary
   

 +-+-+--+--+-+-+-+
 |Index|Type |  Description |Status| Messages|
 | |rsR* |  |  |Sent | Recd| Dropped |
 +-+-+--+--+-+-+-+
 |  1  |r--  | SecuritySys  |  Up  |   - |  120| -   |
 |  2  |r--  | Operations   |  Up  |   - | 1234| -   |
 |  3  |r--  | Experiment-1 |  Up  |   - | 9890| -   |
 |  4  |-s-  | SenderExpt-1 |  Up  |   99|   - | 0   |
 |  4  |rsR  | Experiment-2 | Down | 1200| 2345| 0   |
 +-+-+--+--+-+-+-+
   * r: Receiver , s: Sender, R: relay

 Note that this is a sample. Several other columns are possible.
 In a similar manner the address and port of the syslog receiver,
 the number of malformed messages received etc. can be obtained.

 In more advanced usage, a syslog entity can be started [on a
 specific address and port, if it is receiver] or an existing
 syslog entity can be stopped or suspended. [I will not try to
 explain how that can be done.]

 I think that is simple as it can be. Let me know if
   a. it can be made simpler.
   b. it is too simple and more detailed information is necessary.
  e.g. facility wise statistics as follows.

   Facility-wise Syslog Statistics Summary
   ===
 +-++-+--+--+-+-+-+
 |Index|Facility|Type |  Description |Status| Messages|
 | ||rsR* |  |  |Sent | Recd| malformd|
 +-++-+--+--+-+-+-+
 |  1  |51  |r--  | SecuritySys  |  Up  |   - |  123| -   |
 |  1  |52  |r--  | SecuritySys  |  Up  |   - |   45|45   |
 |  1  |53  |r--  | SecuritySys  |  Up

[Syslog] The SIMPLE SyslogMIB

[Glenn M. Keeni]

Hi,
   I will try to address David's concern about the complexity
and utility of the MIB.
   The basic design principle has been to keep the MIB simple.
It has gone through several iterations, each one making it
simpler than the earlier version :-)
   At present the MIB basically allows the NMS to manage the
syslog entity (sender, receiver, relay) by looking at its
  (a) status ( up/down/suspended/unknown)
  (b) configuration
  (c) macro statistics
   total number of messages (sent, received, relayed)
   total number of exceptions
  ( drops, discards, malforms)
   The notifications will tell the NMS about change in the
syslog entity's status.
  That in a nutshell is what one will want to or need to do
for basic monitoring/management.

The MIB can provide information on multiple syslog entities.
[Scenario: two syslogd's are running on a syslog server - one
 for experiments one for regular operations.]

So if we want we may get a table like the following from the MIB.

  Syslog Status and Statistics Summary
  

+-+-+--+--+-+-+-+
|Index|Type |  Description |Status| Messages|
| |rsR* |  |  |Sent | Recd| Dropped |
+-+-+--+--+-+-+-+
|  1  |r--  | SecuritySys  |  Up  |   - |  120| -   |
|  2  |r--  | Operations   |  Up  |   - | 1234| -   |
|  3  |r--  | Experiment-1 |  Up  |   - | 9890| -   |
|  4  |-s-  | SenderExpt-1 |  Up  |   99|   - | 0   |
|  4  |rsR  | Experiment-2 | Down | 1200| 2345| 0   |
+-+-+--+--+-+-+-+
  * r: Receiver , s: Sender, R: relay

Note that this is a sample. Several other columns are possible.
In a similar manner the address and port of the syslog receiver,
the number of malformed messages received etc. can be obtained.

In more advanced usage, a syslog entity can be started [on a
specific address and port, if it is receiver] or an existing
syslog entity can be stopped or suspended. [I will not try to
explain how that can be done.]

I think that is simple as it can be. Let me know if
  a. it can be made simpler.
  b. it is too simple and more detailed information is necessary.
 e.g. facility wise statistics as follows.

  Facility-wise Syslog Statistics Summary
  ===
+-++-+--+--+-+-+-+
|Index|Facility|Type |  Description |Status| Messages|
| ||rsR* |  |  |Sent | Recd| malformd|
+-++-+--+--+-+-+-+
|  1  |51  |r--  | SecuritySys  |  Up  |   - |  123| -   |
|  1  |52  |r--  | SecuritySys  |  Up  |   - |   45|45   |
|  1  |53  |r--  | SecuritySys  |  Up  |   - |6| -   |
|  2  |51  |r--  | Operations   |  Up  |   - |  789| -   |
|  2  |52  |r--  | Operations   |  Up  |   - |   10|10   |
+-++-+--+--+-+-+-+

  * r: Receiver , s: Sender, R: relay

I will not recommend tables for
- facility-wise and severity-wise statistics
- facility-wise, severity-wise and host-wise statistics.
for details like that one should probably use custom applications.

Now, talking of MIB complexity. The present MIB is simple and its
implementation is simple. ( Yes. I have implemented it.) We need to
hear - something like I want to do 'XYZ' - how do I do it with
the MIB?.

   Glenn


___
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog

Re: [Syslog] The SIMPLE SyslogMIB

[Juergen Schoenwaelder]

On Fri, Jan 12, 2007 at 11:19:50AM +0100, Rainer Gerhards wrote:
 Glenn,
 
 thanks for the description in plain words. At least for me, this is
 very useful.
 
 If you think about things that are common to a sufficiently large number
 of syslog applications, you can not standardize on many more properties.
 What syslog applications do with the messages is very different, as are
 the filtering capabilities.
 
 One thing I could think of is a MIB/special table (whatever in SNMP
 terms) *just* for *simple syslog *senders**. It is common for devices
 like routers, switches and firewalls to provide a limited syslog
 reporting capability. What needs to be configured here is

[...]
 
 Some devices support multiple TARGETs, some only a single one.

The question really is who is interested to configure syslog
originators typically found on network elements via SNMP. If there are
people interested in this, they better speak up now and tell us what
information they need to get the syslogs on their products configured.

If nobody speaks up with concrete input and implementation plans, we
should perhaps drop syslog configuration via SNMP and just focus on
monitoring (and leave syslog configuration to future MIB work or leave
this to NETCONF once they have figured out to write data models).

I personally would vote for a very basic syslog monitoring MIB which
allows me to track syslog activities and to identify discrepancies
between originated syslog messages and actually received syslog
messages. Ideally, an implementation of such a MIB would hook into an
SNMP master agent via AgentX (of a similar mechanism) so I can
transparently access the MIB by talking to the main SNMP agent on the
device.

/js

-- 
Juergen Schoenwaelder{International|Jacobs} University Bremen
http://www.eecs.iu-bremen.de/  P.O. Box 750 561, 28725 Bremen, Germany

___
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog