--- 1/draft-ietf-netmod-syslog-model-13.txt 2017-03-27 04:13:36.529417744 -0700 +++ 2/draft-ietf-netmod-syslog-model-14.txt 2017-03-27 04:13:36.593419251 -0700 @@ -1,40 +1,40 @@ NETMOD WG C. Wildes, Ed. Internet-Draft Cisco Systems Inc. Intended status: Standards Track K. Koushik, Ed. -Expires: September 12, 2017 Verizon Wireless - March 13, 2017 +Expires: September 26, 2017 Verizon Wireless + March 27, 2017 A YANG Data Model for Syslog Configuration - draft-ietf-netmod-syslog-model-13 + draft-ietf-netmod-syslog-model-14 Abstract This document describes a data model for the configuration of syslog. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on September 12, 2017. + This Internet-Draft will expire on September 26, 2017. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights 
@@ -47,32 +47,32 @@ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 2 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 2 2. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 3 3. Design of the Syslog Model . . . . . . . . . . . . . . . . . . 3 3.1. Syslog Module . . . . . . . . . . . . . . . . . . . . . . 5 4. Syslog YANG Module . . . . . . . . . . . . . . . . . . . . . . 7 4.1. The ietf-syslog Module . . . . . . . . . . . . . . . . . . 7 - 5. Usage Examples . . . . . . . . . . . . . . . . . . . . . . . . 21 - 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 22 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 - 8. Security Considerations . . . . . . . . . . . . . . . . . . . 23 - 8.1. Resource Constraints . . . . . . . . . . . . . . . . . . . 24 - 8.2. Inappropriate Configuration . . . . . . . . . . . . . . . 24 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24 - 9.1. Normative References . . . . . . . . . . . . . . . . . . . 24 - 9.2. Informative References . . . . . . . . . . . . . . . . . . 25 - Appendix A. Implementor Guidelines . . . . . . . . . . . . . . . . 25 - Appendix A.1. Extending Facilities . . . . . . . . . . . . . . 25 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 26 + 5. Usage Examples . . . . . . . . . . . . . . . . . . . . . . . . 23 + 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 24 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 24 + 8. Security Considerations . . . . . . . . . . . . . . . . . . . 24 + 8.1. Resource Constraints . . . . . . . . . . . . . . . . . . . 25 + 8.2. Inappropriate Configuration . . . . . . . . . . . . . . . 25 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25 + 9.1. Normative References . . . . . . . . . . . . . . . . . . . 25 + 9.2. Informative References . . . . . . . . . 
. . . . . . . . . 26 + Appendix A. Implementor Guidelines . . . . . . . . . . . . . . . . 26 + Appendix A.1. Extending Facilities . . . . . . . . . . . . . . 26 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 27 1. Introduction Operating systems, processes and applications generate messages indicating their own status or the occurrence of events. These messages are useful for managing and/or debugging the network and its services. The BSD syslog protocol is a widely adopted protocol that is used for transmission and processing of the messages. Since each process, application and operating system was written @@ -82,22 +82,22 @@ designed to transport these event messages. No acknowledgement of the receipt is made. Essentially, a syslog process receives messages (from the kernel, processes, applications or other syslog processes) and processes those. The processing involves logging to a local file, displaying on console, and/or relaying to syslog processes on other machines. The processing is determined by the "facility" that originated the message and the "severity" assigned to the message by the facility. - We are using definitions of syslog protocol from RFC 5424 [RFC5424] - in this RFC. + We are using definitions of syslog protocol from RFC5424 [RFC5424] in + this RFC. 1.1. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. 1.2. Terminology The term "originator" is defined in [RFC 5424]: an "originator" 
@@ -111,21 +111,21 @@ may be used to configure the syslog feature running on a system. YANG models can be used with network management protocols such as NETCONF [RFC6241] to install, manipulate, and delete the configuration of network devices. The data model makes use of the YANG "feature" construct which allows implementations to support only those syslog features that lie within their capabilities. This module can be used to configure the syslog application - conceptual layers [RFC5424] as implemented on the target system. + conceptual layers as implemented on the target system. 3. Design of the Syslog Model The syslog model was designed by comparing various syslog features implemented by various vendors' in different implementations. This draft addresses the common leafs between implementations and creates a common model, which can be augmented with proprietary features, if necessary. This model is designed to be very simple for maximum flexibility. 
@@ -205,32 +205,32 @@ 3.1. Syslog Module A simplified graphical representation of the data model is used in this document. The meaning of the symbols in these diagrams is defined in [RFC6087]. module: ietf-syslog +--rw syslog! +--rw actions +--rw console! {console-action}? - | +--rw selector + | +--rw facility-filter | +--rw facility-list* [facility severity] | | +--rw facility union | | +--rw severity union | | +--rw advanced-compare {select-adv-compare}? | | +--rw compare? enumeration | | +--rw action? enumeration | +--rw pattern-match? string {select-match}? +--rw file {file-action}? | +--rw log-file* [name] | +--rw name inet:uri - | +--rw selector + | +--rw facility-filter | | +--rw facility-list* [facility severity] | | | +--rw facility union | | | +--rw severity union | | | +--rw advanced-compare {select-adv-compare}? | | | +--rw compare? enumeration | | | +--rw action? enumeration | | +--rw pattern-match? string {select-match}? | +--rw structured-data? boolean {structured-data}? | +--rw file-rotation | +--rw number-of-files? uint32 {file-limit-size}? 
@@ -239,73 +239,102 @@ | +--rw retention? uint32 {file-limit-duration}? +--rw remote {remote-action}? +--rw destination* [name] +--rw name string +--rw (transport) | +--:(tcp) | | +--rw tcp | | +--rw address? inet:host | | +--rw port? inet:port-number | +--:(udp) - | +--rw udp - | +--rw address? inet:host + | | +--rw udp + | | +--rw address? inet:host + | | +--rw port? inet:port-number + | +--:(tls) + | +--rw tls + | +--rw server-auth + | | +--rw trusted-ca-certs? -> /ks:keystore/trusted-certificates/name + | | +--rw trusted-server-certs? -> /ks:keystore/trusted-certificates/name + | +--rw client-auth + | | +--rw (auth-type)? + | | +--:(certificate) + | | +--rw certificate? -> /ks:keystore/keys/key/certificates/certificate/name + | +--rw hello-params {tls-client-hello-params-config}? + | | +--rw tls-versions + | | | +--rw tls-version* identityref + | | +--rw cipher-suites + | | +--rw cipher-suite* identityref | +--rw port? inet:port-number - +--rw selector + +--rw facility-filter | +--rw facility-list* [facility severity] | | +--rw facility union | | +--rw severity union | | +--rw advanced-compare {select-adv-compare}? | | +--rw compare? enumeration | | +--rw action? enumeration | +--rw pattern-match? string {select-match}? +--rw structured-data? boolean {structured-data}? +--rw facility-override? identityref +--rw source-interface? if:interface-ref {remote-source-interface}? +--rw signing-options! {signed-messages}? + +--rw cert-sign + | +--rw cert-signers* [name] + | +--rw name string + | +--rw certificate? -> /ks:keystore/keys/key/certificates/certificate/name + | +--rw cert-hash-function? enumeration +--rw cert-initial-repeat uint16 +--rw cert-resend-delay uint16 +--rw cert-resend-count uint16 +--rw sig-max-delay uint16 +--rw sig-number-resends uint16 +--rw sig-resend-delay uint16 +--rw sig-resend-count uint16 Figure 2. ietf-syslog Module Tree 4. Syslog YANG Module 4.1. 
The ietf-syslog Module - This module imports typedefs from [RFC6021] and [RFC7223], and it - references [RFC5424], [RFC5425], [RFC5426], [RFC6587], and [RFC5848]. + This module imports typedefs from [RFC6021], [RFC7223], [RFC draft + ietf-tls-client], and [RFC draft ietf-keystore], and it references + [RFC5424], [RFC5425], [RFC5426], [RFC6587], and [RFC5848]. file "ietf-syslog.yang" module ietf-syslog { namespace "urn:ietf:params:xml:ns:yang:ietf-syslog"; prefix syslog; import ietf-inet-types { prefix inet; } import ietf-interfaces { prefix if; } + import ietf-tls-client { + prefix tlsc; + } + + import ietf-keystore { + prefix ks; + } + organization "IETF NETMOD (NETCONF Data Modeling Language) Working Group"; contact "WG Web: WG List: Editor: Kiran Agrahara Sreenivasa - + Editor: Clyde Wildes "; description "This module contains a collection of YANG definitions for syslog configuration. Copyright (c) 2016 IETF Trust and the persons identified as authors of the code. All rights reserved. @@ -320,25 +349,28 @@ NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in the module text are to be interpreted as described in RFC 2119 (http://tools.ietf.org/html/rfc2119). This version of this YANG module is part of RFC XXXX (http://tools.ietf.org/html/rfcXXXX); see the RFC itself for full legal notices."; reference "RFC 5424: The Syslog Protocol + RFC 5425: Transport Layer Security (TLS) Transport Mapping for Syslog RFC 5426: Transmission of Syslog Messages over UDP RFC 6587: Transmission of Syslog Messages over TCP - RFC 5848: Signed Syslog Messages"; + RFC 5848: Signed Syslog Messages + RFC xxxx: Keystore Management + RFC xxxx: Transport Layer Security (TLS) Client"; - revision 2017-03-13 { + revision 2017-03-27 { description "Initial Revision"; reference "RFC XXXX: Syslog YANG Model"; } feature console-action { description "This feature indicates that the local console action is supported."; 
@@ -698,31 +731,29 @@ specifies the type of the compare that is done and the action leaf specifies the intended result. Example: compare->equals and action-> no-match means messages that have a severity that is not equal to the specified severity will be logged."; } } grouping selector { description "This grouping defines a syslog selector which is used to - select log messages for the log-action (console, file, + select log messages for the log-actions (console, file, remote, etc.). Choose one or both of the following: facility [ ...] pattern-match regular-expression-match-string - If both facility and pattern-match are specified, both must match in order for a log message to be selected."; - container selector { + container facility-filter { description - "This container describes the log selector parameters - for syslog."; + "This container describes the syslog filter parameters."; list facility-list { key "facility severity"; ordered-by user; description "This list describes a collection of syslog facilities and severities."; leaf facility { type union { type identityref { base syslog-facility; @@ -909,20 +941,38 @@ the remote host. One of the following must be specified: an ipv4 address, an ipv6 address, or a host name."; } leaf port { type inet:port-number; default 514; description "This leaf specifies the port number used to deliver messages to the remote server."; + + } + } + } + case tls { + container tls { + description + "This container describes the TLS transport options."; + reference + "RFC 5425: Transport Layer Security (TLS) Transport + Mapping for Syslog "; + uses tlsc:tls-client-grouping; + leaf port { + type inet:port-number; + default 6514; + description + "TCP port 6514 has been allocated as the default + port for syslog over TLS."; } } } } uses selector; uses structured-data; leaf facility-override { type identityref { base syslog-facility; } 
@@ -944,20 +994,62 @@ container signing-options { if-feature signed-messages; presence "If present, syslog-signing options is activated."; description "This container describes the configuration parameters for signed syslog messages as described by RFC 5848."; reference "RFC 5848: Signed Syslog Messages"; + container cert-sign { + description + "This container describes the signing certificate + configuration"; + list cert-signers { + key "name"; + description + "This list describes a collection of syslog message + signers."; + leaf name { + type string; + description + "This leaf specifies the name of the syslog message + signer."; + } + leaf certificate { + type leafref { + path "/ks:keystore/ks:keys/ks:key/ks:certificates" + + "/ks:certificate/ks:name"; + } + description + "A certificate to be used for signing syslog messages."; + } + leaf cert-hash-function { + type enumeration { + enum SHA1 { + value 1; + description + "This enum describes the SHA1 algorithm."; + } + enum SHA256 { + value 2; + description + "This enum describes the SHA256 algorithm."; + } + } + description + "This leaf describes the syslog signer hash + algorithm used."; + } + } + } leaf cert-initial-repeat { type uint16; mandatory true; description "This leaf specifies the number of times each Certificate Block should be sent before the first message is sent."; } leaf cert-resend-delay { type uint16;
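Review bot: the rewrap in the hunk at @@ -82,22 +82,22 @@ drops the space in "RFC 5424 [RFC5424]", which now disagrees with "RFC 2119 [RFC2119]" in the Requirements Language paragraph and with the "[RFC 5424]" anchor in Section 1.2 (which has the opposite problem: a space inside the citation anchor). Suggest "RFC 5424 [RFC5424]" as the one form, and "in this document" rather than "in this RFC", since the text is an Internet-Draft.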
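Review bot: deleting "[RFC5424]" after "conceptual layers" in the hunk at @@ -111,21 +111,21 @@ leaves the term without its source; the layer vocabulary is RFC 5424's, and Section 1.2 of this draft already cites it for "originator". Keep the citation: "the syslog application conceptual layers [RFC5424] as implemented on the target system".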
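Review bot: the rename from selector to facility-filter in the hunk at @@ -205,32 +205,32 @@ is only half done and the new name is misleading: pattern-match (a regular-expression match, not a facility criterion) sits under facility-filter in all three actions, and the YANG text later in this patch keeps "grouping selector" and "uses selector". Either pick a name that covers both criteria (for example "filter") and rename the grouping to match, or keep "selector" for the container.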
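Review bot: in the hunk at @@ -239,73 +239,102 @@ the new (tls) case shows server-auth, client-auth, hello-params and port but no address leaf, while the tcp and udp cases each carry "address? inet:host"; unless tlsc:tls-client-grouping contributes a host leaf that the tree omits, a TLS destination has no way to name the collector. Under server-auth both trusted-ca-certs and trusted-server-certs are optional, so the tree also admits a TLS destination with nothing to authenticate the server against, which undercuts the reason for using RFC 5425; a "must" constraint or a description requiring at least one would close that. Finally, the citation anchors "[RFC draft ietf-tls-client]" and "[RFC draft ietf-keystore]" should name the drafts the way the References section does, and because the module imports from them they belong in 9.1 Normative References.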
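Review bot: the reference block in the hunk at @@ -320,25 +349,28 @@ lists the two new dependencies as "RFC xxxx: Keystore Management" and "RFC xxxx: Transport Layer Security (TLS) Client" while Section 4.1 cites them as "[RFC draft ietf-keystore]" and "[RFC draft ietf-tls-client]"; use one form in both places so the RFC Editor can resolve them together with the "RFC XXXX" placeholder for this document. The revision date moves to 2017-03-27 while the description stays "Initial Revision", which is fine until publication but worth a note in the change log.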
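Review bot: in the hunk at @@ -698,31 +731,29 @@ the grouping keeps the name "selector" and its description still opens "This grouping defines a syslog selector", while the container it defines becomes facility-filter; a reader who sees facility-filter in the tree will search the module for it and land on a grouping called selector. Rename consistently, and since the container also holds pattern-match, choose a name that does not claim to filter on facility only. The new container description "This container describes the syslog filter parameters." is fine, but the dropped blank line before "If both facility and pattern-match are specified" made the description easier to read; consider keeping it.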
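Review bot: the new "case tls" in the hunk at @@ -909,20 +941,38 @@ defines port (default 6514, which matches RFC 5425) but, unlike the tcp and udp cases, no address leaf; unless tlsc:tls-client-grouping supplies the remote host, add a "leaf address { type inet:host; ... }" mirroring the udp case so the destination can be configured. Also the reference string ends with a trailing space before the closing quote ("Mapping for Syslog ").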
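Review bot: in the hunk at @@ -944,20 +994,62 @@ a cert-signers entry may have neither a certificate nor a hash function (both leaves are optional), and nothing says which entry is used when several are present or how the list relates to the cert-initial-repeat and resend leaves that follow. Suggest "mandatory true" on certificate, a default of SHA256 for cert-hash-function so that an implementation does not fall back to SHA1 (the enum values 1 and 2 line up with the hash-algorithm values in RFC 5848, which is worth stating in a reference statement), and a sentence in the cert-sign description covering multiple signers. The description "This container describes the signing certificate configuration" also lacks the terminating period the other descriptions use.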