RE: [logs] Syslog payload format

From: Rainer Gerhards (rgerhardsat_private)
Date: Sat Jan 04 2003 - 05:06:32 PST


    > Rainer Gerhards wrote:
    > > 
    > > > - Why not make the timestamp ISO?  The new transport obviously
    > > >   requires new code, so ... ?
    > > 
    > > I simply still assume that we do not intend to spec a new
    > > protocol. So I am thinking more or less in the boundaries of 3164.
    > > Keep in mind we need to interoperate.
    > 
    > Welpz. I've made my point. You disagree. I won't beat this
    > particular grass-eating quadruped any more.
    
    OK, I see you don't like any further discussion on this. But it is a key
    question. If some of us go for a total syslog replacement and new
    protocol, and others would prefer to stay with the current RFCs (and
    extremely slight modifications), then we are in fact splitting the group
    and implementation becomes less likely.
    
    Remember: if you change the timestamp, you also give up compatibility with
    RFC3195, which I assume will become more important over time.
    
    How does the rest of the group feel about this?
    
    
    > > If we stay with 3164 (slightly enhanced for TCP), the message will
    > > never be split across two packets. There is a 1024 char limit for
    > > this reason. As such, when the end of the received packet is reached
    > > and there is no LF, then *this* is the end of the message. No need
    > > to wait any more hours. Of course, if you engineer a new protocol, I
    > > fully agree...
    > 
    > Ah, but here's the problem: there are no "packets" in TCP.
    > TCP is a stream.
    > 
    > Sure, one single send() call usually results in one packet 
    > sent, but what about retransmits?  It is entirely legal for a 
    > TCP stack, when 
    > retransmitting packets, to combine several small segments 
    > into one large segment.  Indeed, it is even desirable to do so to 
    > lower the header to data ratio, and the Nagle delay algorithm 
    > accomplishes exactly this even when you aren't retransmitting.
    
    Argh... My apologies, went way overboard. Of course you are right. It
    must be *terminated* with (CR)LF.
    
    Rainer
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    
    This archive was generated by hypermail 2b30 : Sat Jan 04 2003 - 10:44:47 PST