On network operating systems also, the HOSTNAME is the hostname and the domain name of the originator, and when we have a hop for this message, it gets appended with the new hostname.

For example, in case we have a few network devices connected (device A, device B ... device X) and device X is configured as a syslog relay. All devices A-W send the messages to device X, and then device X is connected with the remote server or SNMP server. In that case the message at the SNMP server will have two hostnames: Hostname X + Hostname A : Message, or so on.

Regards,
Aditya Dogra (addogra)

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Juergen Schoenwaelder
Sent: Thursday, September 19, 2013 5:37 PM
To: Tom Taylor
Cc: [email protected]
Subject: Re: [OPSAWG] SYSLOG architectural issue

On Thu, Sep 19, 2013 at 07:00:52AM -0400, Tom Taylor wrote:
> In Behave, we are dealing with a potential logging architecture where
> Device A generates the content but exports it in the form of IPFIX
> records. Device B reformats the content into SYSLOG event reports.
>
> Up to now I interpreted the first sentence of Section 6.2.4 to mean
> that the HOSTNAME field in the SYSLOG header had to identify Device B.
>
> "The HOSTNAME field identifies the machine that originally sent the
> syslog message."
>
> This meant that I had to define another field to identify Device A.
>
> However, the very next paragraph says:
>
> "The HOSTNAME field SHOULD contain the hostname and the domain name of
> the originator in the format specified in STD 13 [RFC1034]."
>
> So there are grounds for identifying Device A in the HOSTNAME field.
>
> Any opinions one way or another? I'll go with Device A in the HOSTNAME
> field unless there are objections.

I can't tell what is right or wrong here, but back in the day when we did RFC 5675, we decided to have the real originator of the notification encoded in the structured data element. Of course, since RFC 5675 talks about SNMP notifications, we identify the source using an SNMP context and not by a hostname.

RFC 5675 actually says:

   The VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, and MSGID fields
   in the SYSLOG message header are filled with values that are specific
   to the system on which the SNMP-to-SYSLOG translator is running. The
   character set used in the HEADER MUST be seven-bit ASCII in an
   eight-bit field, as described in [RFC5424].

I think this implies that the HOSTNAME contains the name of the host on which the translator is running, not the HOSTNAME of the SNMP agent emitting the notification (which BTW may not be known in this case since there can be SNMP proxies).

I would have to dig deeper into IPFIX to understand whether you can always find out the hostname of the originator (since there might be mediators involved as well) or whether there is another reliable way to identify an IPFIX exporter.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
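The practical consequence of the reading above, for anyone consuming these messages in a SIEM or log pipeline, is that the header HOSTNAME may name the translator or relay rather than the device the event is about, and the true source has to be recovered from a structured-data element. The parser below is an added illustration, not code from the thread or from any of the participants: it splits an RFC 5424 message into its header fields and SD-ELEMENTs (handling NILVALUE and the `\"`, `\\`, `\]` escapes RFC 5424 defines for PARAM-VALUE) and returns both identities side by side. The sample message is constructed; it uses the `origin` SD-ID with its `ip` parameter, which RFC 5424 itself registers, as a stand-in for "originator carried in structured data". The specific SD-ID and parameter names RFC 5675 defines for the SNMP context are not reproduced here, so a consumer of RFC 5675 output would substitute those.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample: what an SNMP-to-SYSLOG translator on host
# "translator-b.example.com" (hypothetical) might emit.  The header HOSTNAME
# names the translator; the device the event concerns is only present in the
# "origin" SD-ELEMENT.  The second SD-ELEMENT exercises PARAM-VALUE escaping.
SAMPLE = ('<165>1 2013-09-19T11:37:00.000Z translator-b.example.com snmptrapd 4242 TRAP '
          '[origin ip="192.0.2.10" software="agent-a"]'
          '[exampleSDID@32473 note="esc\\"aped \\] bracket"] '
          'linkDown on interface 7')

NIL = "-"  # RFC 5424 NILVALUE

# PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(r'^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ')


@dataclass
class SyslogMessage:
    pri: int
    version: int
    timestamp: Optional[str]
    hostname: Optional[str]
    app_name: Optional[str]
    procid: Optional[str]
    msgid: Optional[str]
    structured_data: Dict[str, Dict[str, str]] = field(default_factory=dict)
    msg: str = ""


def _nil(tok: str) -> Optional[str]:
    return None if tok == NIL else tok


def _parse_sd(s: str) -> Tuple[Dict[str, Dict[str, str]], str]:
    """Parse STRUCTURED-DATA at the front of s; return (elements, remaining MSG)."""
    if s.startswith(NIL):
        rest = s[len(NIL):]
        return {}, rest[1:] if rest.startswith(" ") else rest
    elements: Dict[str, Dict[str, str]] = {}
    i = 0
    while i < len(s) and s[i] == "[":
        j = i + 1
        while j < len(s) and s[j] not in " ]":  # SD-ID runs to SP or ']'
            j += 1
        sd_id = s[i + 1:j]
        params: Dict[str, str] = {}
        while j < len(s) and s[j] == " ":      # one SD-PARAM per leading SP
            j += 1
            eq = s.index("=", j)
            name = s[j:eq]
            if eq + 1 >= len(s) or s[eq + 1] != '"':
                raise ValueError("PARAM-VALUE must be quoted")
            k = eq + 2
            buf = []
            while k < len(s) and s[k] != '"':
                # RFC 5424 escapes exactly '"', '\' and ']' inside PARAM-VALUE
                if s[k] == "\\" and k + 1 < len(s) and s[k + 1] in '"\\]':
                    k += 1
                buf.append(s[k])
                k += 1
            if k >= len(s):
                raise ValueError("unterminated PARAM-VALUE")
            params[name] = "".join(buf)
            j = k + 1
        if j >= len(s) or s[j] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        elements[sd_id] = params
        i = j + 1
    rest = s[i:]
    return elements, rest[1:] if rest.startswith(" ") else rest


def parse_rfc5424(line: str) -> SyslogMessage:
    """Split an RFC 5424 message into header, structured data and free-form MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    pri, ver, ts, host, app, procid, msgid = m.groups()
    sd, msg = _parse_sd(line[m.end():])
    return SyslogMessage(int(pri), int(ver), _nil(ts), _nil(host), _nil(app),
                         _nil(procid), _nil(msgid), sd, msg)


def event_source(m: SyslogMessage) -> Tuple[Optional[str], Optional[str]]:
    """Return (header HOSTNAME, originator from structured data or None).

    Attribution logic should prefer the second value when it is present; the
    first may only name the translator/relay that emitted the message.
    """
    return m.hostname, m.structured_data.get("origin", {}).get("ip")


if __name__ == "__main__":
    parsed = parse_rfc5424(SAMPLE)
    print("header HOSTNAME :", parsed.hostname)
    print("SD originator   :", event_source(parsed)[1])
    print("MSG             :", parsed.msg)
```

Run on the sample, the header HOSTNAME is the translator and the `origin` element gives the device the trap concerns; a correlation rule keyed only on HOSTNAME would attribute every forwarded trap to the translator.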
