Re: [logs] Syslog payload format

• Previous message: Rainer Gerhards: "RE: [logs] Syslog payload format"
• Next in thread: Andrew Ross: "RE: [logs] Syslog payload format"
• Reply: Andrew Ross: "RE: [logs] Syslog payload format"
• Reply: Kyle R. Hofmann: "Re: [logs] Syslog payload format"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Rainer Gerhards wrote:
> 
> Is there agreement on only a slight extension to
> support TCP? Let me sum up:
> 
> It is RFC3164 except:
> 
> - TCP is the transport
> - messages MUST end with (CR)LF - should it be LF or CRLF?

The "Internet standard" is CRLF.  Most protocols do use CRLF, but, then
again, most daemons also happily accept LF.  Make it an either/or for 
senders, where receivers MUST accept both?

> - the timestamp MUST be RFC3339
> - there MAY be multiple messages within a single TCP stream
> - client and/or server are free to disconnect the stream when they see
> fit

Agree. A couple of things:

- What about messages "terminated" by end-of-stream?
  Assume that they're broken and shouldn't be stored, or assume that
  EOS is a valid terminator?  (I just think that a "SHOULD" would be
  in place, here.)

  My suggestion: EOS means "broken message", so the "messages MUST end 
  with (CR)LF" really means _must_.  This makes it easier for receivers;
  if their socket layer is too hidden from view, it may be hard to 
  differentiate between "graceful FIN handshake" and "connection b0rken".


- A less-than-important thing: a standard port number would be 
  nice, but 514/tcp is officially taken :/   


- Explicitly: high resolution timing is valid but optional, so
    2003-01-05T12:08:50.12345678+01:00  and
    2003-01-05T12:08:50+01:00  are both valid
   
  (This is in full compliance with rfc3339, but I think it 
   deserves to be mentioned.)


> - not compliant with what PIX does!!! (should we allow an alternate
> termination to take care of this -- I would suggest so as the PIX is
> definetely important and chances are great we'll write code to support
> it anyhow...)

I'd say "use a different port for PIX logging".
Cisco's scheme is, as far as I understand it: 
  <123>event 1 blah blah blah <123>event 2 blah blah <123>event 3 ...
This works for a single source->destination scenario, but not for 
a source->relay->destination scenario, so I for one don't want to 
bless it officially.  (Hi, Chris. :))


> - Who will support it? (this is the big one ;-))

One firewall and one minimalistic syslogd here 
(the latter not public yet ... soon, though).


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Rainer Gerhards: "RE: [logs] EventLog library"
• Previous message: Rainer Gerhards: "RE: [logs] Syslog payload format"
• Next in thread: Andrew Ross: "RE: [logs] Syslog payload format"
• Reply: Andrew Ross: "RE: [logs] Syslog payload format"
• Reply: Kyle R. Hofmann: "Re: [logs] Syslog payload format"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jan 08 2003 - 08:09:06 PST