A.6 Audit Trail Message Transmission Profile – Syslog-TLS

This profile defines the transmission of audit trail messages. Transport Layer Security (TLS) Transport Mapping for Syslog (RFC 5425) provides the mechanisms for reliable transport, buffering, acknowledgement, authentication, identification, and encryption. The RFC5424 states that the TLS used MUST be TLS version 1.2. For this DICOM profile TLS MUST be used, and version 1.2 or later is RECOMMENDED.

Note: The words MUST and RECOMMENDED are used in accordance with the IETF specification for normative requirements.

Any implementation that claims conformance to this profile shall also conform to the Audit Trail Message Format Profile. XML audit trail messages created using the format defined in Audit Trail Message Format Profile shall be transmitted to a collection point using the syslog over TLS mechanism, defined in RFC 5425. Systems that comply with this profile shall support message sizes of at least 32768 octets.

Notes: 1. Audit messages for other purposes may also be transferred on the same syslog connection. These messages might not conform to the Audit Trail Message Format.

2. RFC 5425 specifies mandatory support for 2KB messages, strongly recommends support for at least 8KB, and does not restrict the maximum size.

3. When a received message is longer than the receiving application supports, the message might be discarded or truncated. The sending application will not be notified.

The XML audit trail message shall be inserted into the MSG portion of the SYSLOG-MSG element of the syslog message as defined in RFC 5424 “The Syslog Protocol”. The XML audit message may contain Unicode characters that are encoded using the UTF-8 encoding rules.

Note: UTF-8 avoids utilizing the control characters that are reserved by the syslog protocol, but a system that is not prepared for UTF-8 may not be able to display these messages correctly.

The PRI field shall be set using the facility value of 10 (security/authorization messages). Most messages should have the severity value of 5 (normal but significant), although applications may choose other values if that is appropriate to the more detailed information in the audit message. This means that for most audit messages the PRI field will contain the value “<85>”.

The MSGID field in the HEADER of the SYSLOG-MSG shall be set. The value “DICOM+RFC3881” may be used for messages that comply with this profile.

The MSG field of the SYSLOG-MSG shall be present and shall be an XML structure following the RFC 3881 format, as extended in the audit trail message format profile.

The syslog message shall be created and transmitted as described in RFC 5424.

Any implementation that claims conformance to this Security Profile shall describe in its conformance statement:

  1. any configuration parameters relevant to RFC 5424 and RFC 5425.

  2. Any STRUCTURED-DATA that is generated or processed.

  3. Any implementation schema or message element extensions for the audit messages.

  4. The maximum size of messages that can be sent or received.