Re: [logs] Syslog payload format

From: Kyle R. Hofmann (krhat_private)
Date: Tue Jan 07 2003 - 16:57:47 PST

  • Next message: Rainer Gerhards: "RE: [logs] Syslog payload format"

    On Tue, 07 Jan 2003 12:17:49 +0100, Mikael Olsson wrote:
    > - What about messages "terminated" by end-of-stream?
    >   Assume that they're broken and shouldn't be stored, or assume that
    >   EOS is a valid terminator?  (I just think that a "SHOULD" would be
    >   in place, here.)
    > 
    >   My suggestion: EOS means "broken message", so the "messages MUST end 
    >   with (CR)LF" really means _must_.  This makes it easier for receivers;
    >   if their socket layer is too hidden from view, it may be hard to 
    >   differentiate between "graceful FIN handshake" and "connection b0rken".
    
    If something very bad is happening, it's possible that only part of a message
    will get transmitted before the system dies (e.g., power failure).  In that
    case it would be helpful to store what you can of the message so that you
    have a record of the crash.
    
    I suggest that listeners MUST intepret EOS as CRLF while senders SHOULD always
    terminate messages with CRLF, even if they're about to close the connection.
    
    -- 
    Kyle R. Hofmann <krhat_private>
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Wed Jan 08 2003 - 08:09:04 PST