RE: [logs] RE: syslog/tcp (selp)

• Previous message: Mikael Olsson: "Re: [logs] Trial SELP client implementation"
• In reply to: Kyle R. Hofmann: "Re: [logs] RE: syslog/tcp (selp)"
• Next in thread: Darren Reed: "Re: [logs] RE: syslog/tcp (selp)"
• Reply: Darren Reed: "Re: [logs] RE: syslog/tcp (selp)"
• Reply: Kyle R. Hofmann: "Re: [logs] RE: syslog/tcp (selp)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Kyle,

Your idea would work for me.

I was going to post a message along the same lines.

If we use a length field, then I suggest we use a 4 chr ASCII hex
representation. 0000 to FFFF will give us a 64K packet size.

The max message size in a UDP packet can be FFE3 which is 65507 bytes.
There will be a min value too based on the final headers we choose.
Using this size would allow us to still map TCP packets to UDP packets
if we needed to.

As another idea, if we started the message with a known header preamble,
it would make it instantly recognisable as particular protocol.

SELP 0000 <PRI> HOSTADDRESS MESSAGE.

Can we also specify that the HOSTADDRESS MUST be an address rather than
a resolved name? It makes parsing easier and means we can do filtering
on hosts a lot easier.

What about a field to signify the character set used?

Just my 2c (+GST) worth.

Andrew



-----Original Message-----
From: Kyle R. Hofmann [mailto:krhat_private] 
Sent: Friday, 10 January 2003 11:22 a.m.
To: Rainer Gerhards
Cc: Balazs Scheidler; loganalysisat_private; Mikael Olsson; Andrew
Ross; avalonat_private
Subject: Re: [logs] RE: syslog/tcp (selp) 


On Thu, 09 Jan 2003 10:47:12 +0100, "Rainer Gerhards" wrote:
> > * we should not discuss character sets, we should only state
> > that the MSG
> >   part is transmitted 8bit clean
> 
> Agree. But this still prohibits DBCS, as byte values below 0x20 can
> occur, especially CRLF. This probably confuses collectors not
expecting
> this. We could solve this with byte-counting, but I am not sure if we
go
> overboard. After all, it should be a very slight addition to
> syslog/udp...

OK, I have a simple solution.  The header will have three fields instead
of
two.  The first will be the length, the second time, and the third host.
The
length will count every octet the occurs in the header, the message, and
the
trailer.

With this, we lose no more backwards compatibility than we already have;
a
classic syslog daemon will already insert its own timestamp in front of
our
RFC 3339 one, and a new syslog daemon will know how to read the length.

This changes if we want to allow old-style timestamps, however, I think
an
RFC3339 timestamp should be a MUST for the new format.  Implementations
SHOULD
be capable of converting new-style messages to old and transmitting
old-style
messages to other hosts on a host-by-host basis.

-- 
Kyle R. Hofmann <krhat_private>

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Darren Reed: "Re: [logs] RE: syslog/tcp (selp)"
• Previous message: Mikael Olsson: "Re: [logs] Trial SELP client implementation"
• In reply to: Kyle R. Hofmann: "Re: [logs] RE: syslog/tcp (selp)"
• Next in thread: Darren Reed: "Re: [logs] RE: syslog/tcp (selp)"
• Reply: Darren Reed: "Re: [logs] RE: syslog/tcp (selp)"
• Reply: Kyle R. Hofmann: "Re: [logs] RE: syslog/tcp (selp)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 09 2003 - 16:46:41 PST