I was reading about logs (syslog) being exported in IPFIX format, and about some products which do this as well. What I didn't find was whether there are any standard/known ways of doing this. Like, are there any specific information elements meant for syslog? Or is it totally proprietary methods (like using all vendor-specific fields, which is allowed in IPFIX)? And, for these schemes, does one use plain IPFIX or structured IPFIX? TIA for any info/pointers on this.

--EDIT--

I am not looking for any info on products, only the method/standards if any for this.

Ani

3 Answers

To export syslog information using IPFIX you want a syslog-to-IPFIX mediator. General information about IPFIX mediators can be found in draft-ietf-ipfix-mediation-protocol.

There is no restriction on sending strings like syslog messages using IPFIX. There are not currently any standard Information Elements (IEs) for syslog messages. IPFIXify uses proprietary/non-standard IEs for syslog info.

Just to be clear, by proprietary I really mean "not necessarily public" or "not standard". A few exporters play their proprietary IEs very close to the vest, but details about most "proprietary" IEs are available if you look. Adding proprietary IEs is a great way to start experimenting with innovative exports. Standard IEs can also be requested by anyone (pending expert review). Every IPFIX exporter I can think of has at least some proprietary IEs.

Another point to make here is that IPFIX allows you to mix and match standard and proprietary IEs (not just send "totally proprietary" IEs). This is important because a collector can provide some reporting using the IEs it knows about and ignoring the others.

I'm not sure what you mean by plain vs. structured IPFIX?

I think that covers all your questions.

IPFIX is supposed to exchange information about network usage - packets, bytes flowing through some network device. I don't think it's possible to put custom text messages into it.

DukeLion
  • yea, that is what I used to think as well, but there seem to be some products out there, like IPFIXify, which do this (oh, and BTW, I am not interested in the products; all I want to understand is the technology/workings behind it) – Ani Aug 10 '13 at 18:11
  • While IPFIX comes out of the Networking world, as an evolution of Netflow, it is more general than layer 4 data. For example, you can have it export *structured* log data for anything. Think of a structure / record definition; an IPFIX exporter can output *template records*, which is basically a structure definition, and *data records*, which are the values in a structure. An IPFIX receiver, when it receives a template record, can decode (including field names) a matching data record. So a collector could receive IPFIX, and emit like JSON records. Fields have no implicit semantic value though. – Cameron Kerr Apr 23 '17 at 21:16
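The template/data-record mechanism Cameron Kerr describes above, combined with the first answer's point that standard and enterprise-specific IEs can be mixed in one record, as an added example (not code from this thread, from IPFIXify, or from any product): a minimal exporter/collector pair that encodes two IANA-standard IEs (sourceIPv4Address, octetDeltaCount) plus a variable-length enterprise-specific string, then decodes the data set using only the received template. The "syslogMessage" IE, its ID and the enterprise number 99999 are assumptions; a real exporter would use its own IANA-registered PEN.

```python
import struct

EXAMPLE_PEN = 99999  # constructed placeholder; a real exporter uses its own IANA-registered PEN
VARLEN = 0xFFFF      # RFC 7011 length marker for variable-length fields
TEMPLATE_ID = 256    # data-record template IDs start at 256
# Field specifiers: (ie_id, length, enterprise number or None for IANA-standard IEs)
TEMPLATE = [(8, 4, None),                # sourceIPv4Address, standard
            (1, 8, None),                # octetDeltaCount, standard
            (1, VARLEN, EXAMPLE_PEN)]    # assumed "syslogMessage", enterprise-specific string

def encode_varlen(value: bytes) -> bytes:
    # 1-byte length prefix, or 0xFF plus a 2-byte length for 255 bytes and over
    prefix = bytes([len(value)]) if len(value) < 255 else b"\xff" + struct.pack("!H", len(value))
    return prefix + value

def build_message(records) -> bytes:  # (src_ip, octets, syslog_bytes) tuples -> one IPFIX message
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(TEMPLATE))
    for ie, flen, pen in TEMPLATE:    # enterprise bit set => a 4-byte PEN follows the length
        tmpl += struct.pack("!HH", ie, flen) if pen is None else struct.pack("!HHI", ie | 0x8000, flen, pen)
    data = b"".join(bytes(map(int, src.split("."))) + struct.pack("!Q", octets) + encode_varlen(msg)
                    for src, octets, msg in records)
    sets = (struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl                # template set (set ID 2)
            + struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data)   # data set (set ID = template ID)
    # message header: version 10, total length, export time, sequence number, observation domain ID
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 0, 1) + sets

def parse_message(buf: bytes):  # collector side: returns records as {(pen, ie_id): raw_bytes}
    version, length = struct.unpack_from("!HH", buf, 0)
    assert version == 10 and length == len(buf), "not a complete IPFIX message"
    templates, records, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack_from("!HH", buf, off)
        p, end = off + 4, off + set_len
        if set_id == 2:                               # template set: learn the record layout
            tid, count = struct.unpack_from("!HH", buf, p); p += 4
            templates[tid] = fields = []
            for _ in range(count):
                ie, flen = struct.unpack_from("!HH", buf, p); p += 4
                pen, p = (struct.unpack_from("!I", buf, p)[0], p + 4) if ie & 0x8000 else (None, p)
                fields.append((ie & 0x7FFF, flen, pen))
        elif set_id in templates:                     # data set whose template we have seen
            while p < end:
                rec = {}
                for ie, flen, pen in templates[set_id]:
                    if flen == VARLEN:                # decode the variable-length prefix
                        flen = buf[p]; p += 1
                        if flen == 255:
                            flen = struct.unpack_from("!H", buf, p)[0]; p += 2
                    rec[(pen, ie)] = buf[p:p + flen]; p += flen
                records.append(rec)
        off = end                                     # sets with unknown templates are skipped
    return records
```

A collector that only knows the IANA IEs can still report on the (None, 8) and (None, 1) fields and ignore the enterprise-specific key, which is the mix-and-match point made in the first answer.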

As DukeLion says, IPFIX is not intended for general syslog data, but it's possible to export some particular types of logs that contain network traffic data (like Apache access logs) using standard IPFIX entities.

An illuminating message from an old IETF discussion:

In discussions with the IPFIX sub-group it was clear that they did not really desire a logging file format - this was a means to specify a format for streaming binary information to collectors and that they had additional goals which included the ability to correlate signalling information with information on media flows.

catpnosis