Permalink 2009-05-27 21:31:00+02:00 By Pollux Category Security Tags Logs

Several new RFCs for syslog have been issued in March:

So what are the improvements since the previous RFC (3614), especially in RFC 5424 [1]:

  1. Section 5.1, “Minimum Required Transport Mapping”:

     All implementations of this specification MUST support a TLS-based transport as described in RFC5425.

     Yay! So they discovered TLS, that’s great. Especially since RFC 5425 supports certificate authentication (section 4.2.1), certificate path validation, fingerprints, etc.
  2. Improved timestamps (section 6.2.3), with support for milliseconds, time zones and UTC offsets.
  3. Section 6.3 describes structured data (name-value pairs).
  4. Section 7: structured data IDs. This allows using an enterprise ID (registered with the IANA) for the structured data elements, so that two vendors cannot collide on an element name.
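To make points 2 to 4 concrete, here is a small parser for the RFC 5424 message format, written for this page as an added example; it is not code from the post, from the RFC, or from any syslog implementation. It handles the new TIMESTAMP (fractional seconds and UTC offset), the bracketed structured data with its escaping rules, and the distinction between the IANA-registered SD-IDs (timeQuality, origin, meta) and vendor-defined `name@enterprise-number` IDs. The sample message is constructed, modelled on the examples in RFC 5424 section 6.5, and uses 32473, the enterprise number reserved for documentation.

```python
"""Parser for RFC 5424 syslog messages: the header, the TIMESTAMP of section
6.2.3, the STRUCTURED-DATA of section 6.3 and the SD-IDs of section 7.
Hypothetical example code, not taken from the RFC or any syslog daemon."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the examples in RFC 5424 section 6.5
# (32473 is the private enterprise number reserved for documentation).
SAMPLE = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
          '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"]'
          '[timeQuality tzKnown="1" isSynced="1"] An application event log entry')

# SD-IDs registered by RFC 5424 section 7; any other SD-ID must be of the
# form name@<private enterprise number>.
IANA_SD_IDS = {'timeQuality', 'origin', 'meta'}

_HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) '
    r'(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ')
_TS_RE = re.compile(
    r'(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(\.\d{1,6})?(Z|[+-]\d{2}:\d{2})')
_SD_NAME_RE = re.compile(r'[^ =\]"]{1,32}')   # SD-NAME: no SP, =, ] or "


def parse_timestamp(ts):
    """NILVALUE, or RFC 3339 date-time with up to six fractional digits
    and either 'Z' or a +hh:mm / -hh:mm offset (section 6.2.3)."""
    if ts == '-':
        return None
    m = _TS_RE.fullmatch(ts)
    if not m:
        raise ValueError('bad TIMESTAMP: %r' % ts)
    date, clock, frac, offset = m.groups()
    when = datetime.strptime(date + 'T' + clock, '%Y-%m-%dT%H:%M:%S')
    if frac:                                   # ".003" -> 3000 microseconds
        when = when.replace(microsecond=int(frac[1:].ljust(6, '0')))
    if offset == 'Z':
        tz = timezone.utc
    else:
        sign = 1 if offset[0] == '+' else -1
        tz = timezone(sign * timedelta(hours=int(offset[1:3]), minutes=int(offset[4:6])))
    return when.replace(tzinfo=tz)


def classify_sd_id(sd_id):
    """Section 7: ('iana', name, None) for a registered SD-ID, or
    ('enterprise', name, pen) for name@pen; anything else is invalid."""
    if '@' in sd_id:
        name, pen = sd_id.rsplit('@', 1)
        if not re.fullmatch(r'\d+(\.\d+)*', pen):
            raise ValueError('bad enterprise number in SD-ID %r' % sd_id)
        return ('enterprise', name, pen)
    if sd_id in IANA_SD_IDS:
        return ('iana', sd_id, None)
    raise ValueError('SD-ID %r is neither IANA-registered nor name@pen' % sd_id)


def parse_structured_data(s):
    """Parse STRUCTURED-DATA (section 6.3) at the start of s.
    Returns (elements, msg): a list of (sd_id, {param: value}) and the
    free-text MSG that follows it (empty string if absent)."""
    elements, i = [], 0
    if s.startswith('-'):                      # NILVALUE: no structured data
        i = 1
    else:
        while i < len(s) and s[i] == '[':
            m = _SD_NAME_RE.match(s, i + 1)
            if not m:
                raise ValueError('bad SD-ID at offset %d' % (i + 1))
            sd_id, i, params = m.group(), m.end(), {}
            while i < len(s) and s[i] == ' ':  # SP SD-PARAM
                m = _SD_NAME_RE.match(s, i + 1)
                if not m or s[m.end():m.end() + 2] != '="':
                    raise ValueError('bad SD-PARAM at offset %d' % i)
                name, i, value = m.group(), m.end() + 2, []
                while i < len(s) and s[i] != '"':
                    # Only '"', '\' and ']' are escaped with a backslash;
                    # any other backslash is kept literally.
                    if s[i] == '\\' and s[i + 1:i + 2] in ('"', '\\', ']'):
                        i += 1
                    value.append(s[i])
                    i += 1
                if i >= len(s):
                    raise ValueError('unterminated PARAM-VALUE for %r' % name)
                i += 1                         # closing quote
                params[name] = ''.join(value)
            if i >= len(s) or s[i] != ']':
                raise ValueError('SD-ELEMENT not closed at offset %d' % i)
            i += 1
            elements.append((sd_id, params))
        if not elements:
            raise ValueError('STRUCTURED-DATA must be "-" or an SD-ELEMENT')
    msg = s[i + 1:] if s[i:i + 1] == ' ' else s[i:]   # optional SP MSG
    return elements, msg


def parse_syslog(line):
    """Split one RFC 5424 SYSLOG-MSG into its fields."""
    m = _HEADER_RE.match(line)
    if not m:
        raise ValueError('not an RFC 5424 message')
    pri = int(m.group('pri'))
    if pri > 191:
        raise ValueError('PRIVAL out of range: %d' % pri)
    elements, msg = parse_structured_data(line[m.end():])
    return {
        'facility': pri >> 3, 'severity': pri & 7,   # PRI = facility*8 + severity
        'version': int(m.group('version')),
        'timestamp': parse_timestamp(m.group('ts')),
        'hostname': m.group('host'), 'app_name': m.group('app'),
        'procid': m.group('procid'), 'msgid': m.group('msgid'),
        'structured_data': [(sd_id, classify_sd_id(sd_id), p) for sd_id, p in elements],
        'msg': msg,
    }


if __name__ == '__main__':
    from pprint import pprint
    pprint(parse_syslog(SAMPLE))
```

The parser rejects an SD-ID that is neither registered nor qualified with an enterprise number, which is exactly the collision problem section 7 is meant to avoid; a collector that fails closed here is easier to reason about than one that silently merges fields from two vendors using the same name.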

However, nothing really useful on reliability (resending events, making sure they were delivered, etc.) except the very poor (and useless) section 8.5, which only acknowledges the lack of support :/ Well, Prelude IDS can do that pretty well.

Also, nothing on taxonomy, though it may be improved with structured data. However, that would require a good definition of events, formats, etc., and given the current state of CEE, which is quite dead (3 mails on the list so far this year), it won’t improve. There is something to be done here.

[1] Some of the features (like TLS) are already present in good implementations of syslog (like rsyslog).