INTERNET DRAFT                                                  J. Abela
Expires: July 22, 1997                                               HSC
<draft-abela-ulm-01.txt>                                 22 January 1997

   (This page presents the changes between draft-abela-ulm-00.txt,
   dated 4 November 1996 and expiring May 4, 1997, and the -01 revision
   above; the text below is that of the -01 revision.)

                  Universal Format for Logger Messages

Status of this Memo

   This document is an Internet-Draft. Internet-Drafts are working
   documents of the Internet Engineering Task Force (IETF), its areas,
   and its working groups. Note that other groups may also distribute
   working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as ``work in progress.''

   To learn the current status of any Internet-Draft, please check the
   ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow
   Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe),
   munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or
   ftp.isi.edu (US West Coast).

Abstract

   This document presents a format to describe system events for
   logging purposes. Some of the features presented here are in use
   with the common syslog facility, but most of them are lost in the
   crowd of syslog format freedom.

Introduction

   At the beginning, logs were scanned by the administrator after an
   incident to detect the failure cause. With the increasing concern
   about computer security and wide area network management, the need
   for automated log examination, extraction and reporting has grown.
   The Universal Logger Message (ULM) format presented here is a set of
   guidelines to formalize the semantics of such messages.
Syntax

   The ABNF for ULM is:

      log_file    = *(log_line LF)
      log_line    = field *(SP field)
      field       = field_name "=" field_value
      field_name  = ALPHA *(ALPHA_EXT)       (Case is not significant)
      field_value = *(ALPHA_EXT) / string
      string      = QUOTE *(ANY) QUOTE
                    (inside a string, quotes and backslashes must be
                    escaped with a backslash)
      ANY         = <any CHAR excluding all control characters
                     (US ASCII 0-31 inclusive)>
      ALPHA_EXT   = ALPHA / DIGIT / "." / "-" / "_"
      QUOTE       = <the double quote character (ASCII decimal code 34)>
      ALPHA       = <any one of the 52 alphabetic characters (A through
                     Z in upper case and a through z in lower case)>
      DIGIT       = <any one of the 10 numeric characters (0 through 9)>
      LF          = <the line-feed character (ASCII decimal code 10)>
      SP          = <the space character (ASCII decimal code 32)>

Fields

   Due to the verbosity of ULM, field names should be chosen as short
   as possible: 4 characters are a maximum for a field name element.
   Here is a correct syslog message:

      Jan 20 00:05:03 myhost: 10.3.2.1 tuttle from space.foo-bar.com
      (10.3.3.5) 3456

   Its meaning is however context and reader dependent, and could not
   be parsed successfully without a precise knowledge of all the types
   of messages which could happen. An ULM for this could be:

      DATE=19970120000503 HOST=itesec PRG=foo-gw LVL=debug PS=3456
         DST.IP=10.3.2.1 DST.USR=tuttle SRC.IP=10.3.3.5
         SRC.FQDN=space.foo-bar.com

Mandatory Fields

   The following fields should be present in any ULM: LVL, HOST, PRG,
   DATE.
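   The following parser is an added example, not part of the draft or
   of any implementation of it. It implements the ABNF above as a
   reader would have to (case-insensitive names, unquoted values made
   of ALPHA_EXT only, quoted strings with backslash-escaped quotes and
   backslashes, control characters rejected, exactly one SP between
   fields) and adds the two checks from the Fields and Mandatory Fields
   text: the 4-character limit on each field name element and the
   presence of LVL, HOST, PRG and DATE. The helper names (parse_ulm_line,
   is_valid_ulm, missing_mandatory, long_name_elements) are invented for
   the example; the sample lines are constructed, the first being the
   draft's own syslog-to-ULM example.

```python
import re

# Constructed sample lines, not taken from a live system. The first is the
# draft's own syslog-to-ULM example; the second is modelled on its sshd MSG
# example, with an escaped quote inside the string to exercise that rule.
SAMPLE_LINES = [
    "DATE=19970120000503 HOST=itesec PRG=foo-gw LVL=debug PS=3456 "
    "DST.IP=10.3.2.1 DST.USR=tuttle SRC.IP=10.3.3.5 SRC.FQDN=space.foo-bar.com",
    'DATE=19970120000540 HOST=itesec PRG=sshd LVL=System PS=175 '
    'MSG="RSA key \\"generation\\"" DUR=37',
]

MANDATORY = ("LVL", "HOST", "PRG", "DATE")
MAX_ELEMENT_LEN = 4  # "4 characters are a maximum for a field name element"

# field_name = ALPHA *(ALPHA_EXT), ALPHA_EXT = ALPHA / DIGIT / "." / "-" / "_"
_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]*")
# unquoted field_value = *(ALPHA_EXT), which may legitimately be empty
_BARE_VALUE_RE = re.compile(r"[A-Za-z0-9._-]*")


class ULMError(ValueError):
    """The line does not match the ULM ABNF."""


def _parse_string(line, i, name):
    """Parse a quoted value; line[i] is the first character after the opening
    QUOTE. Only backslash-quote and backslash-backslash are accepted escapes;
    control characters are rejected. Returns (value, index past the closing
    QUOTE)."""
    buf, n = [], len(line)
    while i < n:
        c = line[i]
        if ord(c) < 32:
            raise ULMError("control character inside string value of %s" % name)
        if c == "\\":
            if i + 1 < n and line[i + 1] in '"\\':
                buf.append(line[i + 1])
                i += 2
                continue
            raise ULMError("unescaped backslash inside string value of %s" % name)
        if c == '"':
            return "".join(buf), i + 1
        buf.append(c)
        i += 1
    raise ULMError("unterminated string value of %s" % name)


def parse_ulm_line(line):
    """Parse one log_line into {FIELD_NAME: value}. Names are upper-cased
    because case is not significant; fields are separated by exactly one SP."""
    fields, i, n = {}, 0, len(line)
    while i < n:
        m = _NAME_RE.match(line, i)
        if not m:
            raise ULMError("expected a field name at offset %d" % i)
        name, i = m.group().upper(), m.end()
        if i >= n or line[i] != "=":
            raise ULMError("missing '=' after field %s" % name)
        i += 1
        if i < n and line[i] == '"':
            value, i = _parse_string(line, i + 1, name)
        else:
            m = _BARE_VALUE_RE.match(line, i)
            value, i = m.group(), m.end()
        fields[name] = value
        if i < n:
            if line[i] != " ":
                raise ULMError("unexpected %r at offset %d" % (line[i], i))
            i += 1
    return fields


def is_valid_ulm(line):
    """True if the line parses; lets a reader reject malformed input up front."""
    try:
        parse_ulm_line(line)
        return True
    except ULMError:
        return False


def missing_mandatory(fields):
    """Mandatory fields (LVL, HOST, PRG, DATE) absent from a parsed ULM."""
    return [f for f in MANDATORY if f not in fields]


def long_name_elements(fields):
    """Dot-separated name elements longer than the 4-character maximum."""
    return [el for name in fields for el in name.split(".")
            if len(el) > MAX_ELEMENT_LEN]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        f = parse_ulm_line(line)
        print(f, missing_mandatory(f), long_name_elements(f))
```

   A reader that rejects a whole line on the first syntax error, as
   this one does, is the safer choice for a log consumer: a value
   containing a character outside ALPHA_EXT that was not quoted (a
   "/" in a path, a space) is then reported rather than silently split
   into extra fields.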
   This requirement is not enforced through the examples of this
   document.

LVL

      value.level = "Emergency" / "Alert" / "Error" / "Warning" /
                    "Auth" / "Security" / "Usage" / "System" /
                    "Important" / "Debug"

   The level (LVL) field specifies the importance and category of the
   ULM. The meanings of the different values are:

   Emergency
      A panic condition. It should be broadcast to all users.

   Alert
      A condition that should be corrected immediately.

   Error
      A system error. This level and the previous ones are reserved
      for system conditions.

   Warning
      A program error. A program has detected an incorrect behaviour
      of its own.

      To clarify the differences between these last levels: absence of
      a system configuration file is an Error, a failed assert is a
      Warning, and erroneous data given by a user is never anything
      more than a Debug (except when asked for an authentication
      passphrase, see below).

   Auth
      An authentication happened. Potential senders for such an ULM
      could be su and login. The STAT field may give more information;
      if not specified, an authentication failure is assumed, as in:

         PRG=su LVL=Auth PS=2894 SRC.USR=tuttle DST.USR=root
         PRG=su LVL=Auth PS=2895 SRC.USR=tuttle DST.USR=root STAT=Success

   Security
      A standard protection was raised against what could be an
      intrusion. A connection denial based on the remote network
      address falls into this category. The STAT field may give more
      information; if not specified, a failure is assumed, as in:

         PRG=tcpwrapper LVL=Security SRC.NAME=evil.foo-bar.com

   Usage
      Normal, standard, authorized day-to-day usage information.
      If an application has to report delayed information about what
      is used, it should be reported as debugging information first
      (for crashproof logging), then summarised into a single usage
      message:

         DATE=19970120000503 PRG=www-client LVL=Debug STAT=Start
         DATE=19970120000551 PRG=www-client LVL=Debug STAT=End
         DATE=19970120000551 PRG=www-client LVL=Usage DUR=48

   System
      Tangible usage, but not traceable to any user. Automated
      processes or system batch jobs fall into this category.

         PRG=sshd LVL=System PS=175 MSG="RSA key generation" DUR=37

   Important
      Important information which could become critical, but is not
      yet. A configuration change may be an important information.

   Debug
      The Debug level is for somewhat superfluous information. These
      ULMs are not hot: they are not to be accounted, they are not to
      be billed, they are not interesting at all in the normal course
      of life, and they add no information when everything is in
      order.

HOST

      value.host = string

   The HOST field contains the name of the host which issues the ULM.

PRG

      value.prog = string

   The PRG field contains the name of the software component which
   issues the ULM. If a software component is a member of a software
   suite, it should be expressed in a hierarchical way, as in:
   "suite.component.subcomponent".

DATE

      value.date = <YYYY> <MM> <DD> <hh> <mm> <ss>
                   [ ( '+' / '-' ) <hh> <mm> ]

   The DATE field contains the instantaneous date of the event. If the
   event lasts a sufficient amount of time, different ULMs should be
   issued, each marked with its own date. The given date must either be
   in GMT, or include timezone information.

Optional Fields

   The following fields could be added in any ULM.
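   The reader-side rules stated so far (an Auth or Security ULM with no
   STAT is a failure; a DATE with no offset is GMT, otherwise it carries
   its own offset; DATE marks the end of an event whose length is DUR
   seconds; a Usage summary follows Debug Start/End messages) are
   worked through below in an added example that is not part of the
   draft. The function names (parse_date, effective_stat, event_start,
   check_usage_summaries, failed_auths) are invented for it, and the
   sample lines are constructed from the draft's su and www-client
   examples with DATE and HOST added so that they can be correlated.

```python
import re
from datetime import datetime, timedelta, timezone

# value.date = <YYYY> <MM> <DD> <hh> <mm> <ss> [ ( '+' / '-' ) <hh> <mm> ]
_DATE_RE = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:([+-])(\d{2})(\d{2}))?$")

# Constructed sample input: the draft's su (Auth) and www-client
# (Start/End/Usage) examples with DATE and HOST values added for correlation.
SAMPLE = [
    "DATE=19970120000500 HOST=itesec PRG=su LVL=Auth PS=2894 SRC.USR=tuttle DST.USR=root",
    "DATE=19970120000501 HOST=itesec PRG=su LVL=Auth PS=2895 SRC.USR=tuttle DST.USR=root STAT=Success",
    "DATE=19970120000503 HOST=itesec PRG=www-client LVL=Debug STAT=Start",
    "DATE=19970120000551 HOST=itesec PRG=www-client LVL=Debug STAT=End",
    "DATE=19970120000551 HOST=itesec PRG=www-client LVL=Usage DUR=48",
]


def split_fields(line):
    """Minimal splitter for lines without quoted values; names are case-insensitive."""
    return {k.upper(): v for k, v in (f.split("=", 1) for f in line.split(" "))}


def effective_stat(fields):
    """STAT as a reader must interpret it: an explicit value wins; an Auth or
    Security ULM without STAT means "Failure"; other levels carry no default."""
    if "STAT" in fields:
        return fields["STAT"]
    if fields.get("LVL", "").lower() in ("auth", "security"):
        return "Failure"
    return None


def parse_date(value):
    """Parse DATE into an aware datetime. No offset means GMT; "+hhmm"/"-hhmm"
    is the local offset, so equal instants compare equal whatever the offset."""
    m = _DATE_RE.match(value)
    if not m:
        raise ValueError("DATE does not match value.date: %r" % value)
    y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
    sign, oh, om = m.group(7), m.group(8), m.group(9)
    if sign:
        offset = timedelta(hours=int(oh), minutes=int(om))
        tz = timezone(offset if sign == "+" else -offset)
    else:
        tz = timezone.utc
    return datetime(y, mo, d, h, mi, s, tzinfo=tz)  # rejects e.g. month 13


def is_valid_date(value):
    try:
        parse_date(value)
        return True
    except ValueError:
        return False


def event_start(fields):
    """DATE marks the end of the event; DUR (seconds) gives back its start."""
    return parse_date(fields["DATE"]) - timedelta(seconds=int(fields.get("DUR", "0")))


def check_usage_summaries(lines):
    """For each Usage ULM with DUR, check that DATE - DUR equals the DATE of the
    Debug STAT=Start ULM from the same HOST and PRG. Returns {(HOST, PRG): bool}."""
    recs = [split_fields(l) for l in lines]
    starts = {(r["HOST"], r["PRG"]): parse_date(r["DATE"])
              for r in recs if r.get("STAT") == "Start"}
    verdict = {}
    for r in recs:
        if r.get("LVL", "").lower() == "usage" and "DUR" in r:
            key = (r["HOST"], r["PRG"])
            verdict[key] = key in starts and event_start(r) == starts[key]
    return verdict


def failed_auths(lines):
    """(HOST, DST.USR) of every Auth ULM that is a failure under the default rule."""
    return [(f["HOST"], f.get("DST.USR", "?")) for f in map(split_fields, lines)
            if f.get("LVL", "").lower() == "auth" and effective_stat(f) == "Failure"]
```

   Comparing aware datetimes means a DATE written with a local offset
   and one written in GMT correlate correctly; a reader that compares
   the raw strings would split one event across two apparent times.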
   Any application reading log files should understand them: DUR, PS,
   ID, SRC.IP, SRC.FQDN, SRC.NAME, SRC.PORT, SRC.USR, SRC.MAIL, DST.*,
   REL.*, VOL, VOL.SENT, VOL.RCVD, CNT, CNT.SENT, CNT.RCVD, STAT, TTY,
   DOC, PROT, CMD, MSG.

DUR

      value.duration = integer

   The DUR field indicates the duration (in seconds) of the event whose
   end is given by the DATE field. This field is mandatory if the ULM
   announces the end of an event for which another ULM was issued at
   the beginning.

PS

      value.process = integer

   In a multi-tasking environment, this field specifies the process id
   which issued the ULM. On some systems, this id may not be unique,
   but it should however be unique on the specified HOST, over the
   specified DUR, if appropriate. Thus, the ULM announcing the end of a
   session should specify the duration of the session, and guarantee
   that all the ULMs issued between the beginning of the session and
   this ULM with the same HOST value and the same PS value concern that
   session.

ID

      value.id = string

   The ID field is a system reference to the concerned document. It
   could be a mail or Usenet news message-id, or an incremented
   counter. It should not be mistaken for the DOC field, which is a
   user-level name.

SRC.IP

      value.source.ip = ipv4 / ipv6

   The SRC.IP field contains the IP number of the source host. Other
   SRC.* fields could describe network source addresses in other realms
   (IPX, X25, ...).
   The SRC.* fields all contain information about the connected,
   connecting, or trying-to-connect host.

SRC.FQDN

      value.source.fqdn = string

   Fully Qualified Domain Name for the source host.

SRC.NAME

      value.source.name = string

   Generic name qualifying the source: a host name if the FQDN is not
   available, or a full user name.

SRC.PORT

      value.source.port = integer

   Port number for TCP, UDP or another protocol.

SRC.USR

      value.source.user = string

   User name or user id.

SRC.MAIL

      value.source.mail = string

   E-mail address.

DST.IP DST.FQDN DST.NAME DST.PORT DST.USR DST.MAIL

   All the DST.* fields have the same meaning as the SRC.* fields,
   except that they qualify the destination.

REL.IP REL.FQDN REL.NAME REL.PORT REL.USR REL.MAIL

   All the REL.* fields have the same meaning as the SRC.* fields,
   except that they qualify a proxy, or relayer, or some sort of
   man-in-the-middle.

VOL VOL.SENT VOL.RCVD CNT CNT.SENT CNT.RCVD

   Volume (number of bytes) and count (of articles, files, events)
   sent, and received, from the source point of view. CNT=1 is always
   implicit. These fields allow ULMs to be merged together, in which
   case the VOL and CNT fields may be added together, if the other
   fields match.

STAT

   The STAT field describes the state or status of the designated
   process. Possible values for this field may include "Failure",
   "Success", "Start", "End".
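   The merging rule for VOL and CNT, as an added example that is not
   part of the draft: ULMs whose fields other than VOL* and CNT* are
   identical are folded into one record, the VOL* and CNT* values are
   summed, and a ULM carrying no CNT contributes the implicit CNT=1.
   The helper names (merge_ulms, format_ulm, split_fields) are invented
   for the example, and the sample lines are constructed after the
   draft's sendmail example.

```python
VOL_CNT_FIELDS = ("VOL", "VOL.SENT", "VOL.RCVD", "CNT", "CNT.SENT", "CNT.RCVD")

# Constructed sample: per-message sendmail ULMs for two local users. DATE and
# HOST are left out on purpose: a summariser must drop (or bucket) the fields
# that differ per message before the "other fields match" condition can hold.
SAMPLE = [
    "PRG=sendmail PROT=ESMTP SRC.USR=tuttle VOL=2238",
    "PRG=sendmail PROT=ESMTP SRC.USR=tuttle VOL=1020",
    "PRG=sendmail PROT=ESMTP SRC.USR=tuttle VOL=500 CNT=3",
    "PRG=sendmail PROT=ESMTP SRC.USR=root VOL=99",
]


def split_fields(line):
    """Minimal splitter for lines without quoted values; names are case-insensitive."""
    return {k.upper(): v for k, v in (f.split("=", 1) for f in line.split(" "))}


def merge_ulms(lines):
    """Merge ULMs whose non-VOL/CNT fields all match, as the draft allows.

    VOL* and CNT* values are summed; a ULM with no CNT counts as CNT=1.
    Merged records come back in first-seen order of their merge key.
    """
    totals = {}   # merge key -> {VOL/CNT name: running sum}
    order = []
    for line in lines:
        f = split_fields(line)
        key = tuple(sorted((k, v) for k, v in f.items() if k not in VOL_CNT_FIELDS))
        if key not in totals:
            totals[key] = {}
            order.append(key)
        f.setdefault("CNT", "1")  # CNT=1 is always implicit
        for name in VOL_CNT_FIELDS:
            if name in f:
                totals[key][name] = totals[key].get(name, 0) + int(f[name])
    merged = []
    for key in order:
        rec = dict(key)
        rec.update({name: str(v) for name, v in totals[key].items()})
        merged.append(rec)
    return merged


def format_ulm(fields):
    """Serialise back to a log_line (values here contain only ALPHA_EXT chars)."""
    return " ".join("%s=%s" % (k, v) for k, v in fields.items())


if __name__ == "__main__":
    for rec in merge_ulms(SAMPLE):
        print(format_ulm(rec))
```

   The merge key is built from every remaining field, so two lines that
   differ only in PS or DATE are kept apart; that is the conservative
   reading of "if the other ones match", and it is what keeps a summary
   from silently mixing two sessions.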
TTY

      value.tty = string

   The TTY field describes the user's physical connection to the host.

DOC

      value.document = string

   The document (DOC) field is the name of an accessed document, like
   the path of an ftp file, the name of a newsgroup, or the non-host
   part of an URL.

PROT

      value.protocol = string

   The protocol (PROT) field specifies the protocol used, as in:

      PRG=sendmail VOL=2238 PROT=ESMTP
      PRG=sshd PROT=RSA LVL=Auth STAT=Success

CMD

      value.command = string

   The command (CMD) field is an issued command, as in:

      PRG=cron LVL=Usage SRC.USR=news
         CMD="/local/news/bin/news.daily expireover delayrm" DUR=927
      PRG=ftpd LVL=Usage PS=10359 CMD=RETR DOC=x11.tar.gz

MSG

      value.message = string

   The message (MSG) field is the only field which should contain
   arbitrary data. Any important information that doesn't fit any of
   the other standard fields may be stored here. Using the message
   field for information fitting in a standard field is forbidden.

Other fields

   Any other field of interest could be added, but it should be
   registered first with the Internet Assigned Numbers Authority
   (IANA).

Security Considerations

   ULM includes no security functions. However, sites should worry
   about the vulnerabilities of their logging architecture, especially
   when networks are used to transport ULM, as these messages may be
   critical for security.

Author's Address

   Jerome Abela
   Herve Schauer Consultants
   142, rue de Rivoli
   75001 Paris
   France

   Phone: +33 146 388 990
   Fax:   +33 146 380 505
   EMail: Jerome.Abela@hsc.fr