RE: [logs] why log transport is still important

From: Rainer Gerhards (rgerhardsat_private)
Date: Fri Dec 13 2002 - 02:12:53 PST


    Tom,
    
    Fully agree ;)
    
    > 1) is RFC 3195 (syslog-reliable) so broken that we should punt and
    >    spend another few years trying to write YALS (yet another log
    >    standard), or do we just go with it and plan to do a version 2
    >    protocol eventually?
    
    Basically, I think the weak point of [RFC3195] is that it relies on
    BEEP. *If* there were libraries for BEEP (working (not only on *nix)
    ones, especially those that can also be used in closed-source
    projects...) things might be much better - but so far I have only found
    BEEPcore and Roadrunner - does anyone know any more implementations?
    
    Interestingly, I found some work that seems to be closely related in an
    IETF WG:
    
        http://www.ietf.org/html.charters/idwg-charter.html
    
    The problem - from my point of view - is again that it relies heavily on
    BEEP. I just wonder how the recent sys-admin related IETF work is so
    focused on BEEP with it actually being unavailable? Sure, we can go
    ahead and implement "the" new BEEP lib, but honestly this is not our scope
    - I prefer to create better data/event gatherers instead (especially as
    BEEP looks like a whole (lengthy) project/product in itself to me ;)).
    
    Having said all this, I would opt not for a V2 of [RFC3195] but a V2 of
    [RFC3164], the "original" syslog RFC. In my opinion it should most
    importantly include TCP transport as well as some enhancements to the
    header and a much larger allowed message size. There are a myriad of
    other things I would like to see in it, but I fear that if too much is
    included, we will have a nice standard, but nobody's implementing it
    (sounds familiar...?). 
    
    Actually, I am looking for something like SSRP - the Simple Syslog
    Reliable Protocol ;) [creating acronyms always makes a good start of the
    day ;)]
    
    > 2) If (1) has solved the transport+integrity problem, then it's on to
    >    the semantic questions:  When and what do we log?  What is an
    >    "event"?  We started down this road last month?, but got
    >    sidetracked (again) on syntax (fixed fields vs attribute/value
    >    pairs, and what about XML, etc.).
    > 
    > 3) Once we get (2), THEN we can start to worry about the syntax.
    
    I am not sure - does it hurt to start discussing the syntax? Even if
    syslog as it is is not that great, it basically works, doesn't it? And
    it would definitely be an improvement to have some semantics inside the
    message. BTW: have you noticed that there is not a single written word
    about the message contents? This also means that we are free to
    introduce any format we find useful ;)
    
    So I think it makes sense to define the syntax/semantics _now_ - if only
    so as not to leave any excuse for not doing it ;)
    
    I am prepared to help with the effort. Once done, we could propose it to
    the IETF - and see how long it will take until our implementations will
    adhere to a kind of standard ;)
    
    Any thoughts? Chris: an unofficial opinion on the potential of a simple
    TCP based syslog protocol? I am specifically asking because I remember
    the last time someone attempted to suggest this on the WG list - the
    responses were not very pleasant ;) And yes, I will post on this issue
    on the WG list soon - haven't had so much bad feedback these days, looks
    like it is getting time for some ;)
    
    Rainer Gerhards
    Adiscon
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
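The two transport points the message makes (a larger allowed message size than the 1024 bytes RFC 3164 permits, and carrying syslog over TCP rather than UDP) can be shown with a short worked example. The following Python is an added illustration, not code from the post, from Adiscon or from any IETF document: it builds RFC 3164-style messages, shows which ones exceed the RFC 3164 size limit, and frames them for a TCP byte stream with a length prefix ("octet counting", which is my assumed framing; the post itself proposes no framing) so that a receiver can recover message boundaries even when a read splits a message in the middle. The hostname, tag, timestamp and log content are constructed sample values.

```python
"""Added example: RFC 3164-style syslog messages, the UDP size limit, and a
length-prefixed framing for a TCP stream. The framing and all sample data are
illustrative assumptions, not anything the original post specifies."""
import datetime
import re

RFC3164_MAX_LEN = 1024              # packet size limit RFC 3164 imposes
FACILITY_AUTH, SEVERITY_INFO = 4, 6  # facility/severity codes from RFC 3164
MAX_FRAME_HEADER = 10                # defensive cap on the length-prefix digits


def build_pri(facility: int, severity: int) -> int:
    """PRI is facility * 8 + severity, as RFC 3164 defines it."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility or severity out of range")
    return facility * 8 + severity


def format_rfc3164(facility, severity, ts, hostname, tag, content) -> bytes:
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT (day is space-padded)."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    line = f"<{build_pri(facility, severity)}>{stamp} {hostname} {tag}: {content}"
    return line.encode("ascii", errors="replace")


def fits_udp_limit(msg: bytes) -> bool:
    """True when the message may be sent as a single RFC 3164 UDP datagram."""
    return len(msg) <= RFC3164_MAX_LEN


# Header parser; CONTENT is deliberately left as free text, since RFC 3164
# does not define any structure for it (the point the post raises).
HEADER_RE = re.compile(
    rb"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
    rb"([^:\[ ]+)(?:\[(\d+)\])?: (.*)$", re.S)


def parse_rfc3164(msg: bytes) -> dict:
    m = HEADER_RE.match(msg)
    if not m:
        raise ValueError("not an RFC 3164-style message")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    return {
        "facility": pri // 8, "severity": pri % 8,
        "timestamp": m.group(2).decode(), "hostname": m.group(3).decode(),
        "tag": m.group(4).decode(),
        "pid": int(m.group(5)) if m.group(5) else None,
        "content": m.group(6).decode("ascii", errors="replace"),
    }


def frame_octet_counted(msg: bytes) -> bytes:
    """Prefix the message with its byte length so a stream reader can find
    message boundaries; the length is unambiguous however long the payload."""
    return b"%d " % len(msg) + msg


class OctetCountedReader:
    """Reassembles framed messages from an arbitrary sequence of TCP reads."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, chunk: bytes) -> list:
        self.buf += chunk
        out = []
        while True:
            sp = self.buf.find(b" ")
            if sp == -1:
                if len(self.buf) > MAX_FRAME_HEADER:   # garbage, not a length
                    raise ValueError("malformed frame header")
                break
            header = self.buf[:sp]
            if not header.isdigit():
                raise ValueError("malformed frame header")
            end = sp + 1 + int(header)
            if len(self.buf) < end:        # message not fully received yet
                break
            out.append(self.buf[sp + 1:end])
            self.buf = self.buf[end:]
        return out


def demo_stream_round_trip(chunk_size: int = 7) -> list:
    """Send one short and one 3000-byte message through the framing, feeding
    the receiver in small chunks to show that boundaries survive."""
    now = datetime.datetime(2002, 12, 13, 2, 12, 53)   # constructed timestamp
    msgs = [
        format_rfc3164(FACILITY_AUTH, SEVERITY_INFO, now, "mailhost",
                       "sshd[4711]", "Accepted publickey for rainer from 192.0.2.10"),
        format_rfc3164(FACILITY_AUTH, SEVERITY_INFO, now, "mailhost",
                       "app", "x" * 3000),            # too large for RFC 3164 UDP
    ]
    stream = b"".join(frame_octet_counted(m) for m in msgs)
    reader, received = OctetCountedReader(), []
    for i in range(0, len(stream), chunk_size):
        received.extend(reader.feed(stream[i:i + chunk_size]))
    return received
```

Running `demo_stream_round_trip()` returns both messages intact: the first fits the RFC 3164 datagram limit, the second does not, and the length prefix is what lets the receiver tell where one message ends on a stream that has no datagram boundaries. The reader rejects a non-numeric or over-long length prefix rather than buffering indefinitely, which is the check a receiver exposed to untrusted senders needs.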
    


