Re: [logs] Syslog payload format

From: Bennett Todd (betat_private)
Date: Mon Jan 06 2003 - 06:05:56 PST

  • Next message: Jean-Francois Zwobada: "Re: [logs] Syslog payload format"

    2003-01-04T08:06:32 Rainer Gerhards:
    > [ re syslog (RFC 3164) -vs- ISO 8601 / RFC 3339 timestamps ]
    > But it is a key question. If some of us go for a total syslog
    > replacement and new protocol, and others would prefer to stay with
    > the current RFCs (and extremely slight modifications), then we are
    > in fact splitting the goup and implementation becomes less likely.
    It would be nice if we could agree on one thing. I'm having trouble
    seeing the motivation for retaining the [deficient, partial]
    timestamp of classic syslog in the name of "interop", when we're
    defining a protocol which is profoundly not interoperable with it
    (TCP -vs- UDP). Rather than wasting space on a useless timestamp
    then putting the useful one in the "payload", let's just put a
    useful timestamp on the front of the messages.
    > Remember: if you change the timestamp, you also give up
    > compatibity with RFC3195, which I assume will become more
    > important over time.
    I don't see that at all; folks who want multiplexed MIME-encoded
    channels will go that route; and the result once again won't be
    interoperable with either traditional syslog, or with a simple
    And for heterogenous systems, it's easy to recode complete
    timestamps to make partial ones; the reverse operation,
    reconstructing full timestamps with timezone info, requires
    heuristics and external knowlege.

    _______________________________________________ LogAnalysis mailing list LogAnalysisat_private

    This archive was generated by hypermail 2b30 : Mon Jan 06 2003 - 19:49:16 PST