RE: [logs] RE: syslog/tcp (selp)

From: Andrew Ross (andrewat_private)
Date: Thu Jan 09 2003 - 16:35:42 PST


    Hi Kyle,
    Your idea would work for me.
    I was going to post a message along the same lines.
    If we use a length field, then I suggest we use a 4 chr ASCII hex
    representation. 0000 to FFFF will give us a 64K packet size.
    The max message size in a UDP packet can be FFE3, which is 65507 bytes.
    There will be a min value too based on the final headers we choose.
    Using this size would allow us to still map TCP packets to UDP packets
    if we needed to.
    As another idea, if we started the message with a known header preamble,
    it would make it instantly recognisable as a particular protocol.
    Can we also specify that the HOSTADDRESS MUST be an address rather than
    a resolved name? It makes parsing easier and means we can do filtering
    on hosts a lot easier.
    What about a field to signify the character set used?
    Just my 2c (+GST) worth.
    -----Original Message-----
    From: Kyle R. Hofmann [mailto:krhat_private] 
    Sent: Friday, 10 January 2003 11:22 a.m.
    To: Rainer Gerhards
    Cc: Balazs Scheidler; loganalysisat_private; Mikael Olsson; Andrew
    Ross; avalonat_private
    Subject: Re: [logs] RE: syslog/tcp (selp) 
    On Thu, 09 Jan 2003 10:47:12 +0100, "Rainer Gerhards" wrote:
    > > * we should not discuss character sets, we should only state
    > > that the MSG
    > >   part is transmitted 8bit clean
    > Agree. But this still prohibits DBCS, as byte values below 0x20 can
    > occur, especially CRLF. This probably confuses collectors not
    > this. We could solve this with byte-counting, but I am not sure if we
    > overboard. After all, it should be a very slight addition to
    > syslog/udp...
    OK, I have a simple solution.  The header will have three fields instead
    two.  The first will be the length, the second time, and the third host.
    length will count every octet that occurs in the header, the message, and
    With this, we lose no more backwards compatibility than we already have;
    classic syslog daemon will already insert its own timestamp in front of
    RFC 3339 one, and a new syslog daemon will know how to read the length.
    This changes if we want to allow old-style timestamps, however, I think
    RFC3339 timestamp should be a MUST for the new format.  Implementations
    be capable of converting new-style messages to old and transmitting
    messages to other hosts on a host-by-host basis.
    Kyle R. Hofmann <krhat_private>
    LogAnalysis mailing list
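The octet-counted framing the two messages converge on (Andrew's 4-character ASCII hex length, 0000 to FFFF, capped at FFE3 so a frame still maps to one UDP datagram; Kyle's length, time, host header whose count covers every octet of the frame; an address rather than a resolved name in the host field), as an added Python example that is not code from the thread. The single-space separators, the MIN_FRAME value and the use of the `ipaddress` module are this example's assumptions, not anything the list agreed on.

```python
import ipaddress

MAX_FRAME = 0xFFE3                   # 65507 octets: still fits in one UDP datagram
MIN_FRAME = 4 + 1 + 20 + 1 + 7 + 1   # assumed: LEN SP RFC3339(20 min) SP IPv4(7 min) SP
HEXDIGITS = frozenset(b"0123456789ABCDEFabcdef")


def frame(ts: str, host: str, msg: bytes) -> bytes:
    """Build one frame: 4 hex digits counting every octet of the frame, the digits
    themselves included, then SP timestamp SP host SP MSG (8-bit clean)."""
    ipaddress.ip_address(host)       # host MUST be an address, not a resolved name
    body = b" " + ts.encode("ascii") + b" " + host.encode("ascii") + b" " + msg
    total = 4 + len(body)
    if total > MAX_FRAME:
        raise ValueError(f"frame of {total} octets exceeds 0x{MAX_FRAME:04X}")
    return f"{total:04X}".encode("ascii") + body


def parse_stream(buf: bytes):
    """Split a TCP receive buffer into complete frames.
    Returns (frames, leftover): leftover is an incomplete trailing frame to retry
    once more data arrives. Because octets are counted, a CRLF, NUL or any other
    byte below 0x20 inside MSG never terminates a frame early."""
    frames, pos = [], 0
    while len(buf) - pos >= 4:
        hdr = buf[pos:pos + 4]
        if not all(c in HEXDIGITS for c in hdr):   # int() alone would accept "-1F" or " 1F"
            raise ValueError(f"bad length field {hdr!r} at offset {pos}")
        total = int(hdr, 16)
        if not MIN_FRAME <= total <= MAX_FRAME:
            raise ValueError(f"length {total} outside [{MIN_FRAME}, {MAX_FRAME}]")
        if len(buf) - pos < total:
            break                    # partial frame: wait for the rest of the TCP data
        parts = buf[pos + 4:pos + total].split(b" ", 3)
        if len(parts) != 4 or parts[0] != b"":
            raise ValueError(f"malformed header at offset {pos}")
        _, ts, host, msg = parts
        ipaddress.ip_address(host.decode("ascii"))   # reject names on receive as well
        frames.append((ts.decode("ascii"), host.decode("ascii"), msg))
        pos += total
    return frames, buf[pos:]
```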

    This archive was generated by hypermail 2b30 : Thu Jan 09 2003 - 16:46:41 PST