Re: [logs] Syslog payload format

From: Bennett Todd (betat_private)
Date: Fri Jan 03 2003 - 12:00:38 PST


    2003-01-03T11:59:55 Rainer Gerhards:
    > I think we do not need to break RFC3164. - Let's stick with the
    > "idiot" timestamp in the header and provide an RFC3339 one as one
    > tag.
    
    If we're switching to TCP transport, we've broken RFC 3164.
    
    Sure, we're going to need to keep compat with RFC 3164 for the
    indefinite future, as long as we have any appliances whose ROMs
    contain code to syslog that way. So we'll run olde syslog servers
    to catch those UDP packets that aren't mislain, and then either
    the server itself, or a log-tailer will consolidate the log data;
    as it picks up the old log entries, it'll replace their timestamps
    with ISO 8601 / RFC 3339, adding the current[1] year, adding the
    local timezone unless the converter is configured with knowledge of a
    different timezone for particular sources; and converting the rest
    of the message into our new format, including encapsulating the
    plaintext part in a SYSLOGMSG tag or whatever.
    
    What benefit do you see to keeping the broken timestamp format
    around (and yes, I do understand that you propose an additional
    useful timestamp in a separate tag-marked field)?
    
    -Bennett
    
    [1] Actually, add the year associated with the nearest (in time)
    date that matches the fragment of info in the olde timestamp; right
    now, such code would assign a year of 2002 to timestamps in
    December, and 2003 to timestamps in January. Kinda like the window
    kluge for guessing what are the first two digits to prepend to a
    2-digit year.
    
    
    

    _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
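Added example, not part of the original message or of any syslog implementation: a sketch of the timestamp step of the converter described above, picking the year whose date lies nearest the time the entry was received and applying the local timezone unless a per-source one is configured. The function name, its parameters, the source name "fw1" and the sample values are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# RFC 3164 header timestamp: "Mmm dd hh:mm:ss", day space-padded, no year or zone.
STAMP = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d\d):(\d\d):(\d\d)$")

def rfc3164_to_rfc3339(stamp, received, default_tz, source=None, source_tz=None):
    """Rewrite an RFC 3164 timestamp as an RFC 3339 one.

    received   -- timezone-aware datetime at which the collector saw the entry
    default_tz -- tzinfo assumed for sources with no explicit configuration
    source_tz  -- optional dict mapping a source name to its tzinfo
    """
    m = STAMP.match(stamp)
    if not m or m.group(1) not in MONTHS:
        raise ValueError(f"not an RFC 3164 timestamp: {stamp!r}")
    month = MONTHS[m.group(1)]
    day, hh, mm, ss = (int(g) for g in m.groups()[1:])
    tz = (source_tz or {}).get(source, default_tz)

    # Try the previous, current and next year; keep the one nearest in time.
    candidates = []
    for year in (received.year - 1, received.year, received.year + 1):
        try:
            candidates.append(datetime(year, month, day, hh, mm, ss, tzinfo=tz))
        except ValueError:
            continue  # date does not exist in that year, e.g. Feb 29
    if not candidates:
        raise ValueError(f"no nearby year contains the date in {stamp!r}")
    nearest = min(candidates, key=lambda c: abs(c - received))
    return nearest.isoformat()

# Constructed sample values: a collector in PST receiving entries in early January.
PST = timezone(timedelta(hours=-8))
RECEIVED = datetime(2003, 1, 3, 12, 0, 38, tzinfo=PST)

if __name__ == "__main__":
    for stamp, src in [("Dec 31 23:59:58", None), ("Jan  3 11:59:55", None),
                       ("Jan  3 19:59:55", "fw1")]:
        print(stamp, "->", rfc3164_to_rfc3339(
            stamp, RECEIVED, PST, source=src, source_tz={"fw1": timezone.utc}))
```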


