RE: [logs] Syslog payload format

From: Andrew Ross (andrewat_private)
Date: Tue Jan 07 2003 - 04:54:40 PST

  • Next message: Kyle R. Hofmann: "Re: [logs] Syslog payload format"

    >The "Internet standard" is CRLF.  Most protocols do use CRLF, but, then
    >again, most daemons also happily accept LF.  Make it an either/or for 
    >senders, where receivers MUST accept both?
    Could we make the preferred terminator CRLF and have LF as optional?
    >What about messages "terminated" by end-of-stream?
    >Assume that they're broken and shouldn't be stored, or assume that
    >EOS is a valid terminator?  (I just think that a "SHOULD" would be
    >in place, here.)
    >My suggestion: EOS means "broken message", so the "messages MUST end 
    >with (CR)LF" really means _must_.  This makes it easier for receivers;
    >if their socket layer is too hidden from view, it may be hard to 
    >differentiate between "graceful FIN handshake" and "connection b0rken".
    Agreed. Keep buffering the input stream until we get a valid terminator
    OR reach the max message size.
    What should we use for max message size? My suggestion is ~65520. Are
    you still wanting a larger message size Rainer?
    >A less-than-important thing: a standard port number would be 
    >nice, but 514/tcp is officially taken :/   
    Hmmm, good point.
    PIX uses 1468 normally. Like you say, we should keep this one separate
    and use another port.
    >Explicitly: high resolution timing is valid but optional, so
    >2003-01-05T12:08:50.12345678+01:00  and
    >2003-01-05T12:08:50+01:00  are both valid
    Yep, happy with that too.
    > - Who will support it? (this is the big one ;-))
    Count the Kiwi in too :-)
    LogAnalysis mailing list

    This archive was generated by hypermail 2b30 : Wed Jan 08 2003 - 08:09:03 PST