2003-01-03T11:59:55 Rainer Gerhards: > I think we do not need to break RFC3164. - Let's stick with the > "idiot" timestamp in the header and provide an RFC3339 one as one > tag. If we're switching to TCP transport, we've broken RFC 3164. Sure, we're going to need to keep compat with RFC 3164 for the indefinite future, as long as we have any appliances whose ROMs contain code to syslog that way. So we'll run olde syslog servers to catch those UDP packets that aren't mislain, and then either the server itself, or a log-tailer will consolidate the log data; as it picks up the old log entries, it'll replace their timestamps with ISO 8601 / RFC 3339, adding the current[1] year, adding the local timezone unless the converter is configured with knowlege of a different timezone for particular sources; and converting the rest of the message into our new format, including encapsulating the plaintext part in a SYSLOGMSG tag or whatever. What benefit do you see to keeping the broken timestamp format around (and yes, I do understand that you propose an additional useful timestamp in a separate tag-marked field)? -Bennett [1] Actually, add the year associated with the nearest (in time) date that matches the fragment of info in the olde timestamp; right now, such code would assign a year of 2002 to timestamps in December, and 2003 to timestamps in January. Kinda like the window kluge for guessing what are the first two digits to prepend to a 2-digit year.
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:53:08 PST