A.7 Audit Trail Message Transmission Profile – Syslog-UDP

This profile defines the transmission of audit trail messages. Transmission of Syslog Messages over UDP (RFC5426) provides the mechanisms for rapid transport of audit messages. It is the standardized successor to the informative standard “The BSD syslog protocol (RFC3164)”, which is widely used in a variety of settings.

The syslog port number shall be configurable, with the port number (514) as the default.

The underlying UDP transport might not accept messages longer than the MTU size minus the UDP header length. This may result in longer syslog messages being truncated. When these messages are truncated the resulting XML may be incorrect. Because of this potential for truncated messages and other security concerns, the transmission of syslog messages over TLS may be preferred (see section A.6).

The PRI field shall be set using the facility value of 10 (security/authorization messages). Most messages should have the severity value of 5 (normal but significant), although applications may choose values of 4 (warning condition) if that is appropriate to the more detailed information in the audit message. This means that for most audit messages the PRI field will contain the value “<85>”. Audit repositories shall be prepared to deal appropriately with any incoming PRI value.

The MSGID field in the HEADER of the SYSLOG-MSG shall be set. The value “DICOM+RFC3881” may be used for messages that comply with this profile.

The MSG field of the SYSLOG-MSG shall be present and shall be an XML structure following the RFC 3881 format, as extended in this profile.

The syslog message shall be created and transmitted as described in RFC 5424.
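The following Python example is added here to illustrate the rules above; it is not part of the DICOM standard or any reference implementation. It builds an RFC 5424 SYSLOG-MSG with the PRI value the profile prescribes (facility 10, severity 5 gives `<85>`), the MSGID `DICOM+RFC3881` and an XML MSG field, checks whether the datagram would fit a UDP payload, and parses an incoming message on the repository side, decoding whatever PRI value arrives and flagging an XML body that is no longer well-formed after truncation. The sample audit XML, the hostnames and the MTU and IP/UDP header sizes used in the size check are constructed assumptions, not values taken from the profile.

```python
"""RFC 5424 syslog audit message helpers (added example, not DICOM reference code).

Values from the profile text: facility 10, severity 5 or 4, MSGID "DICOM+RFC3881",
default port 514.  Everything else (sample XML, hostnames, MTU arithmetic) is a
constructed assumption for illustration.
"""
import re
import xml.etree.ElementTree as ET

SECURITY_FACILITY = 10      # security/authorization messages
SEVERITY_NOTICE = 5         # normal but significant (default for audit messages)
SEVERITY_WARNING = 4        # warning condition (optional, per profile)
DEFAULT_PORT = 514          # default syslog port, must remain configurable
MSGID = "DICOM+RFC3881"
BOM = "\ufeff"              # RFC 5424 requires a UTF-8 BOM at the start of a UTF-8 MSG

# HEADER is: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID
# followed by STRUCTURED-DATA ("-" or one or more [..] elements) and optional MSG.
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)

# Constructed RFC 3881-style body; attribute values are placeholders, not real codes.
SAMPLE_XML = (
    '<AuditMessage>'
    '<EventIdentification EventActionCode="E" EventDateTime="2024-01-01T12:00:00Z" '
    'EventOutcomeIndicator="0">'
    '<EventID code="EXAMPLE-EVENT" codeSystemName="constructed"/>'
    '</EventIdentification>'
    '<ActiveParticipant UserID="alice" UserIsRequestor="true"/>'
    '<AuditSourceIdentification AuditSourceID="example-source"/>'
    '</AuditMessage>'
)


def pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity (RFC 5424 section 6.2.1); 10 and 5 give 85."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def split_pri(value: int) -> tuple:
    """Inverse of pri(): returns (facility, severity); rejects values outside 0..191."""
    if not 0 <= value <= 191:
        raise ValueError(f"PRI {value} outside the RFC 5424 range 0..191")
    return divmod(value, 8)


def build_message(timestamp: str, hostname: str, app_name: str, xml_body: str,
                  severity: int = SEVERITY_NOTICE) -> bytes:
    """Assemble a SYSLOG-MSG: PROCID and STRUCTURED-DATA are NILVALUE ("-") here."""
    header = f"<{pri(SECURITY_FACILITY, severity)}>1 {timestamp} {hostname} {app_name} - {MSGID} -"
    return f"{header} {BOM}{xml_body}".encode("utf-8")


def fits_udp_datagram(datagram: bytes, mtu: int = 1500, ip_header: int = 20,
                      udp_header: int = 8) -> bool:
    """Sender-side check: assumes IPv4 (20-byte header) and a 1500-byte MTU."""
    return len(datagram) <= mtu - ip_header - udp_header


def parse_message(datagram: bytes) -> dict:
    """Repository-side parse: decode any PRI, then test whether MSG is well-formed XML."""
    m = _HEADER_RE.match(datagram.decode("utf-8", errors="replace"))
    if not m:
        raise ValueError("not an RFC 5424 SYSLOG-MSG")
    facility, severity = split_pri(int(m["pri"]))
    msg = (m["msg"] or "").lstrip(BOM)
    try:
        root_tag = ET.fromstring(msg).tag   # raises on a truncated/garbled body
        xml_ok = True
    except ET.ParseError:
        root_tag, xml_ok = None, False
    return {"facility": facility, "severity": severity, "msgid": m["msgid"],
            "xml_ok": xml_ok, "root_tag": root_tag}


if __name__ == "__main__":
    dg = build_message("2024-01-01T12:00:00Z", "pacs.example", "dicom-audit", SAMPLE_XML)
    print(dg[:70], fits_udp_datagram(dg))
    print(parse_message(dg))
    print(parse_message(dg[:-40]))       # simulated truncation: xml_ok becomes False
```

The receiver deliberately decodes the PRI before looking at the body, since the profile requires repositories to accept any incoming PRI value; the `xml_ok` flag is what a repository can log or alert on when a UDP-carried message arrives cut off, which is the failure mode that motivates the TLS transport in section A.6.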

Any implementation that claims conformance to this Security Profile shall describe in its conformance statement:

  1. Any configuration parameters relevant to RFC 5424 and RFC 5426.

  2. Any STRUCTURED-DATA that is generated or processed.

  3. Any implementation schema or message element extensions for the audit messages.

  4. The maximum size of messages that can be sent or received.