Re: [logs] syslog/tcp (selp)

From: Mikael Olsson (mikael.olssonat_private)
Date: Thu Jan 09 2003 - 15:09:08 PST


    Rainer Gerhards wrote:
    > 
    > Based on the discussion, I am currently thinking about one BIG change in
    > the protocol. Discussion has shown that non-ANSI characters are something
    > we should have in there but has also shown that there are severe issues
    > with the CRLF trailer as soon as we allow this. The main reason is that
    > e.g. in DBCS charsets CRLF can be part of the "normal" message - not the
    > terminator. 
    > [length field scheme to work around unwanted crlf termination]
    
    I read this over, and, at first, it seemed like a good compromise.
    In fact, the "forensic" receive mode of the small remote-only syslog 
    daemon that I'm coding on in my free time does exactly this.
    (A "small" thing actually taking time says something about my 
     free time :/ )
    
    However, on second thought, it scared me senseless, when I started
    thinking about the consequences.
    
    Problems:
    - There is no record of which charset or encoding we're using.
      DBCS? UTF-8? Quoted-printable?
      US-ASCII? ISO-8859-1? Windows-1250? Shift_JIS? GB2312?
      Think about the nightmare you'd have with centralized collecting / 
      alerting servers.
    - The security problems relating to all the possible various
      parsings resulting from this, and to ways that different
      relays may end up misinterpreting the data. 
      (Bennett had some good points here, too)
      An unusually clued admin might be able to avoid it, but, really,
      most won't. IMHO, we'd be doing the world a disservice.
    
    I don't want this. Really. Plain old syslog doesn't handle it,
    and I for one don't want to handle it in this protocol; it'd
    literally be reinventing BEEP.
    
    -- 
    Mikael Olsson, Clavister AB
    Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
    Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
    Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
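
The two concerns in the message above, as an added example that is not part of the original post or of any syslog implementation: a CRLF framer splitting a record whose payload legitimately contains the bytes 0D 0A, and one unlabelled record decoding differently per receiver. The `<decimal byte count> <payload>` layout, the use of UTF-16BE as a stand-in for a two-byte encoding, and both sample records are assumptions made for illustration.

```python
# Added illustration; the frame layout and sample records are constructed.

def frame_crlf(payloads):
    """Sender: terminate each record with CRLF."""
    return b"".join(p + b"\r\n" for p in payloads)

def split_crlf(stream):
    """Receiver: split on the CRLF byte pair, unaware of the charset."""
    parts = stream.split(b"\r\n")
    return parts[:-1]  # final element is the empty tail after the last CRLF

def frame_len(payloads):
    """Sender: assumed layout '<decimal byte count> <payload>'."""
    return b"".join(str(len(p)).encode("ascii") + b" " + p for p in payloads)

def split_len(stream):
    """Receiver: read the count, then exactly that many bytes."""
    records, pos = [], 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)
        n = int(stream[pos:sp].decode("ascii"))
        end = sp + 1 + n
        if end > len(stream):
            raise ValueError("truncated record")
        records.append(stream[sp + 1:end])
        pos = end
    return records

def decodings(record, charsets=("utf-8", "iso-8859-1", "shift_jis")):
    """Decode one record under each candidate charset, as differing relays might."""
    return {cs: record.decode(cs, errors="replace") for cs in charsets}

# Constructed sample: U+0D0A (MALAYALAM LETTER UU) is the byte pair 0D 0A in UTF-16BE.
WIDE = "login \u0d0a ok".encode("utf-16-be")
# Constructed sample: a UTF-8 user name sent with no charset label attached.
UNLABELLED = "user=Örn".encode("utf-8")

if __name__ == "__main__":
    print(len(split_crlf(frame_crlf([WIDE]))), "records from CRLF framing")
    print(len(split_len(frame_len([WIDE]))), "record from length framing")
    for cs, text in decodings(UNLABELLED).items():
        print(cs, repr(text))
```

Length framing keeps the record boundary intact, but the last loop shows it does nothing for the charset question: the same bytes still yield three different strings.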
    



    This archive was generated by hypermail 2b30 : Thu Jan 09 2003 - 15:34:47 PST