RFC 3871           Operational Security Requirements      September 2004
   Warnings.
      None.
2.11.  Event Logging Requirements
2.11.1.  Logging Facility Uses Protocols Subject To Open Review
   Requirement.
      The device MUST provide a logging facility that is based on
      protocols subject to open review.  See Section 1.8.  Custom or
      proprietary logging protocols MAY be implemented provided the same
      information is made available.
   Justification.
      The use of logging based on protocols subject to open review
      permits the operator to perform archival and analysis of logs
      without relying on vendor supplied software and servers.
   Examples.
      This requirement may be satisfied by the use of one or more of
      syslog [RFC3164], syslog with reliable delivery [RFC3195], TACACS+
      [RFC1492] or RADIUS [RFC2865].
   Warnings.
      While [RFC3164] meets this requirement, it has many security
      issues and by itself does not meet the requirements of Section
      2.1.1.  See the security considerations section of [RFC3164] for
      a list of issues.  [RFC3195] provides solutions to most or all of
      these issues; however, at the time of this writing there are few
      implementations.  Another possible solution is to tunnel syslog
      over a secure transport, but this often raises difficult key
      management and scalability issues.
      The current best solution seems to be the following:
      *  Implement [RFC3164].
      *  Consider implementing [RFC3195].
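
      The justification above (analysis without vendor supplied
      software) can be illustrated with a short parser for the
      [RFC3164] packet layout.  This is an added example, not part of
      the RFC; the function name, record fields and sample packets are
      assumptions made for illustration.

```python
import re

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG CONTENT
_MSG = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9]{1,32})(?P<content>.*)",
    re.S,
)

def parse_rfc3164(datagram: bytes, peer_ip: str) -> dict:
    """Turn one UDP syslog datagram into a record for archival or analysis."""
    # RFC 3164 caps a packet at 1024 bytes; decode defensively.
    text = datagram[:1024].decode("ascii", errors="replace").rstrip("\r\n")
    # Neutralise control characters so a sender cannot forge extra archive lines.
    text = "".join(c if c.isprintable() else "?" for c in text)
    m = _MSG.fullmatch(text)
    if m is None or int(m["pri"]) > 191:
        # No usable header: do what an RFC 3164 relay does, i.e. assume
        # PRI 13 (user.notice) and treat the whole packet as CONTENT.
        pri, ts, host, tag, content = 13, None, peer_ip, None, text
        well_formed = False
    else:
        pri, ts, host = int(m["pri"]), m["ts"], m["host"]
        tag, content, well_formed = m["tag"], m["content"], True
    return {
        "facility": pri >> 3, "severity": SEVERITIES[pri & 7],
        "timestamp": ts,          # no year or time zone in RFC 3164
        "claimed_host": host,     # sender-asserted, not authenticated
        "peer_ip": peer_ip,       # source address seen by the collector
        "tag": tag, "content": content, "well_formed": well_formed,
    }

if __name__ == "__main__":
    # Constructed sample packets (documentation addresses, invented hosts).
    samples = [
        b"<165>Aug 24 05:34:00 router1 sshd[411]: login failure for admin\n",
        b"link down on ge-0/0/1",
    ]
    for pkt in samples:
        print(parse_rfc3164(pkt, "192.0.2.10"))
```

      Keeping the collector-observed source address beside the
      sender-asserted HOSTNAME gives the analyst a second data point,
      since [RFC3164] messages carry no authentication.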
Jones                        Informational                     [Page 48]



