Re: [logs] SDSC Secure Syslog

From: Balazs Scheidler (bazsiat_private)
Date: Thu Dec 12 2002 - 00:30:52 PST


    On Thu, Dec 12, 2002 at 12:26:24PM +1100, Darren Reed wrote:
    > In some mail from Balazs Scheidler, sie said:
    > > Using TCP provides additional benefits:
    > [...]
    > 
    > I'm not arguing that TCP is better, I'm arguing that just layering
    > syslog over it is not a "winning situation" that buys you a whole lot.
    
    TCP solves the worst of the problems, and is simple.
    
    > 
    > > I think depending on a complex library to support a protocol (beepcore for
    > > example) might be a worse security decision than using '\n' terminated
    > > lines.
    > 
    > Personally, I like the idea that everything is a known and bounded size.
    > You can allocate data for it, you know where it starts or stops, you
    > know if you can handle it, etc.
    
    but how do you impose a limit on the message size? limit it to 1024 chars?
    
    > 
    > The "use \n" situation is not very comforting (how long is this message
    > going to be ?) and means you cannot send messages with \n in them (easily).
    
    messages are limited in size; this limit is tunable at runtime
    (log_msg_size() global option). you can have 8192-byte messages if
    you like that.
    
    the 1024 bytes limit was something again that needed to be eliminated.
    
    messages with '\n' are not possible, but '\n' is escaped in output files
    anyway.
    
    > 
    > [...]
    > > channel. The protocol used by syslog-ng (and nsyslogd if it wasn't changed)
    > > is sending data one way only, in fact it could also be shut down for writing
    > > only.
    > 
    > Except for connection establishment where there's bidirectional
    > authentication.
    
    Of course.
    
    > 
    > > Some of my users deployed syslog-ng where sender hosts were located in
    > > different time zones, they told me that they wanted timezones. And as I
    > > don't have installations like those myself, I believe them.
    > 
    > Sure!  But do you send GMT + TZ name or send localtime + TZ name ?
    
    I don't send anything yet, the currently released syslog-ng does not change
    the syslog on-wire protocol, so a simple (without year/tz) is sent instead.
    As I'm working on syslog-ng 2, I would want to add something like this.
    
    Syslog-ng currently assigns the current year to the received messages,
    "current" means the actual date on the server. This is obviously not the
    best situation. 
    
    I think I would go for UTC+TZoffset
    
    > 
    > Oh, my other goal with nsyslogd was not to disrupt the file format
    > of the "standard" logfile because there's just too much guff out
    > there, today that expects it, to justify creating a new, arbitrary,
    > one (IMHO).
    
    you don't _have_ to modify the file format, but you have the possibility if
    you _want_ to. the received stamp can also be appended to the end of the
    line, so programs which don't get the new format will take it as a part of
    the message.
    
    destination d_messages { 
    	file("messages" 
    	     template("$DATE $HOST $MSG [stamps: $R_ISODATE, $S_ISODATE]\n"));
    };
    
    -- 
    Bazsi
    PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
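The two framing points argued in the message above (newline-terminated records with a runtime size cap, like syslog-ng's log_msg_size option, and escaping '\n' in output files), as an added example that is not part of the original thread or of syslog-ng's code; read_framed, escape_for_file, demo and the sample bytes are constructed here.

```python
"""Newline-framed syslog over TCP with a bounded per-message size (added example)."""
import io


def read_framed(stream, log_msg_size=8192):
    """Yield (message, truncated) from a '\\n'-delimited byte stream.

    The reader never holds more than log_msg_size bytes per record: once the cap
    is reached the record is cut there and the rest of the line is discarded, so
    a sender cannot grow the receiver's buffer without bound. stream needs a
    read(n) method (a socket.makefile('rb') or, as here, io.BytesIO).
    """
    buf = bytearray()
    discarding = False          # True while skipping the tail of an oversize line
    while True:
        chunk = stream.read(1024)
        if not chunk:
            break
        for b in chunk:
            if b == 0x0A:                      # '\n' closes the record
                yield bytes(buf), discarding
                buf.clear()
                discarding = False
            elif discarding:
                continue
            elif len(buf) >= log_msg_size:     # cap hit: keep what we have, drop the rest
                discarding = True
            else:
                buf.append(b)
    if buf or discarding:                      # partial trailing record (no '\n' seen)
        yield bytes(buf), discarding


def escape_for_file(msg: bytes) -> bytes:
    """Escape '\\n' (and the escape character itself) so one message stays one file line.

    Messages arriving via read_framed never contain '\\n', but messages from other
    sources (a local socket, for instance) can; backslash is escaped too so the
    transformation stays unambiguous."""
    return msg.replace(b"\\", b"\\\\").replace(b"\n", b"\\n")


def demo(log_msg_size=8192):
    # Constructed sample: a normal line, a 10026-byte line (over the 8192 cap),
    # another normal line, and a partial record with no terminating '\n'.
    sample = (b"<13>Dec 12 00:30:52 host1 ok\n"
              + b"<13>Dec 12 00:30:53 host2 " + b"x" * 10000 + b"\n"
              + b"<13>Dec 12 00:30:54 host3 done\n"
              + b"<13>Dec 12 00:30:55 host4 partial")
    return list(read_framed(io.BytesIO(sample), log_msg_size))
```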