New Syslog RFCs
Several new RFCs for syslog have been issued in March:
- RFC5424: The Syslog Protocol
- RFC5425: Transport Layer Security (TLS) Transport Mapping for Syslog
- RFC5426: Transmission of Syslog Messages over UDP
- RFC5427: Textual Conventions for Syslog Management
So what are the improvements since the previous RFC (3164, the "BSD syslog" protocol), especially in RFC5424?
1. In section 5.1, "Minimum Required Transport Mapping": "All implementations of this specification MUST support a TLS-based transport as described in RFC5425." Yay! So they discovered TLS, that's great. Especially since RFC 5425 supports certificate-based authentication (section 4.2.1), certificate path validation, certificate fingerprints, etc.
2. Improved timestamps (section 6.2.3): an RFC 3339 format with fractional seconds (up to 6 digits, i.e. microseconds) and either UTC ("Z") or a numeric time-zone offset, instead of the old "Mmm dd hh:mm:ss" with no year and no zone.
3. Section 6.3 describes structured data (name-value pairs).
4. Section 7: Structured Data IDs. This allows using an enterprise ID (an IANA-registered Private Enterprise Number) as a suffix of the SD-ID (name@enterprise-number) for your own structured data elements; names without "@" are reserved for IANA-registered IDs (timeQuality, origin, meta).
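To make points 2 to 4 concrete, here is a small parser for the RFC 5424 message format (PRI, header, timestamps with fractions and offsets, structured data with its escaping rules and enterprise-number SD-IDs) wrapped in the octet-counting framing that RFC 5425 section 4.3 uses on top of TLS. This is an added example for this post, not code from the RFCs, from Prelude IDS or from any syslog implementation; the sample messages are constructed (modelled on the examples in RFC 5424 section 6.5) and the function names are my own.

```python
"""RFC 5424 message parser with RFC 5425 octet-counting framing (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

NILVALUE = "-"
# SD-IDs without "@enterprise-number" are reserved for IANA registration (RFC 5424 7.1-7.3).
IANA_SD_IDS = {"timeQuality", "origin", "meta"}

HEADER_RE = re.compile(r"^<(\d{1,3})>(\d{1,3}) (\S+) (\S+) (\S+) (\S+) (\S+) ")
TS_RE = re.compile(
    r"(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?(Z|[+-]\d{2}:\d{2})"
)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: Optional[datetime]
    hostname: Optional[str]
    app_name: Optional[str]
    procid: Optional[str]
    msgid: Optional[str]
    structured_data: dict = field(default_factory=dict)  # {sd_id: {param: value}}
    msg: str = ""


def parse_timestamp(ts: str) -> Optional[datetime]:
    """RFC 5424 6.2.3: RFC 3339 subset, 1-6 fraction digits, 'Z' or numeric offset."""
    if ts == NILVALUE:
        return None
    m = TS_RE.fullmatch(ts)
    if not m:
        raise ValueError(f"bad TIMESTAMP {ts!r}")
    y, mo, d, h, mi, s, frac, tz = m.groups()
    micro = int((frac or "").ljust(6, "0"))  # ".003" -> 3000 us, ".000003" -> 3 us
    if tz == "Z":
        tzinfo = timezone.utc
    elif tz == "-00:00":  # unknown local offset must be sent as "Z" (6.2.3)
        raise ValueError("'-00:00' is not allowed; use 'Z'")
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[4:6])))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tzinfo)


def parse_structured_data(s: str):
    """Parse STRUCTURED-DATA (RFC 5424 6.3); return ({sd_id: params}, remainder)."""
    if s.startswith(NILVALUE):
        return {}, s[1:]
    sd, i = {}, 0
    while i < len(s) and s[i] == "[":
        j = i + 1
        while j < len(s) and s[j] not in ' ]"=':
            j += 1
        sd_id = s[i + 1:j]
        if not sd_id or ("@" not in sd_id and sd_id not in IANA_SD_IDS):
            raise ValueError(f"SD-ID {sd_id!r} is neither IANA-registered nor name@enterprise-number")
        params, i = {}, j
        while i < len(s) and s[i] == " ":
            eq = s.index("=", i + 1)
            name = s[i + 1:eq]
            if s[eq + 1:eq + 2] != '"':
                raise ValueError(f"PARAM-VALUE of {name!r} must be quoted")
            i, buf = eq + 2, []
            while True:  # only '\"', '\\' and '\]' are escapes; other backslashes are literal
                if i >= len(s):
                    raise ValueError("unterminated PARAM-VALUE")
                c = s[i]
                if c == "\\" and s[i + 1:i + 2] in ('"', "\\", "]"):
                    buf.append(s[i + 1])
                    i += 2
                elif c == '"':
                    i += 1
                    break
                else:
                    buf.append(c)
                    i += 1
            params[name] = "".join(buf)
        if s[i:i + 1] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        sd[sd_id] = params
        i += 1
    return sd, s[i:]


def parse_message(raw: str) -> SyslogMessage:
    """Parse one SYSLOG-MSG (RFC 5424 section 6) given as decoded text."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("malformed HEADER")
    pri, version, ts, host, app, procid, msgid = m.groups()
    pri = int(pri)
    if pri > 191 or version != "1":
        raise ValueError("PRI out of range or unsupported VERSION")
    sd, rest = parse_structured_data(raw[m.end():])
    if rest == "":
        msg = ""
    elif rest[0] == " ":
        msg = rest[1:]
        if msg.startswith("\ufeff"):  # a UTF-8 BOM only marks the MSG encoding
            msg = msg[1:]
    else:
        raise ValueError("garbage between STRUCTURED-DATA and MSG")
    nil = lambda v: None if v == NILVALUE else v
    return SyslogMessage(pri // 8, pri % 8, parse_timestamp(ts),
                         nil(host), nil(app), nil(procid), nil(msgid), sd, msg)


def frame(msg: str) -> bytes:
    """RFC 5425 4.3 octet counting: MSG-LEN SP SYSLOG-MSG, length in octets, not characters."""
    b = msg.encode("utf-8")
    return str(len(b)).encode("ascii") + b" " + b


def parse_stream(data: bytes) -> list:
    """Split an octet-counted byte stream (what arrives inside the TLS session) into messages."""
    msgs, pos = [], 0
    while pos < len(data):
        sp = data.index(b" ", pos)
        length = int(data[pos:sp])
        start, end = sp + 1, sp + 1 + length
        if end > len(data):
            raise ValueError("truncated frame")  # a real receiver would wait for more bytes
        msgs.append(parse_message(data[start:end].decode("utf-8")))
        pos = end
    return msgs


# Constructed samples modelled on RFC 5424 section 6.5 ("\ufeff" is the UTF-8 BOM).
SAMPLE_MESSAGES = [
    "<34>1 2003-10-11T22:14:15.003Z mymachine.example.com su - ID47 - "
    "\ufeff'su root' failed for lonvick on /dev/pts/8",
    "<165>1 2003-08-24T05:14:15.000003-07:00 192.0.2.1 myproc 8710 - - "
    "%% It's time to make the do-nuts.",
    '<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
    '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
    '[examplePriority@32473 class="high"]',
    r'<13>1 2009-03-09T10:00:00Z host app 123 - '
    r'[ex@32473 path="C:\\tmp" note="x \] \"y\""] escaped values',
]
SAMPLE_STREAM = b"".join(frame(m) for m in SAMPLE_MESSAGES)

if __name__ == "__main__":
    for parsed in parse_stream(SAMPLE_STREAM):
        print(parsed)
```

Two details matter for a collector that will be fed by untrusted senders: MSG-LEN counts octets, so the BOM and any multi-byte UTF-8 in MSG change the frame length, and an SD-ID without "@" that is not one of the IANA-registered ones is rejected rather than silently accepted, so a sender cannot pass off its own fields as timeQuality or origin metadata.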
However, nothing really useful on reliability (resending events, making sure they were delivered, etc.) except the very thin section 8.5 ("Reliability"), which only acknowledges that messages can be lost and offers no mechanism. TLS (RFC 5425) at least runs over TCP, so you get in-order delivery while the connection is up, but there is still no application-level acknowledgement: a sender cannot tell whether the collector actually stored a message, and events dropped while a link is down go unnoticed. Well, Prelude IDS can do that pretty well.
Also, nothing on taxonomy, though structured data could be the vehicle for one. That would require a good definition of events, formats, etc., and given the current state of CEE, which looks quite dead (3 mails on the list so far this year), it won't improve any time soon. There is something to be done here.