RE: [logs] RE: syslog/tcp (selp)

From: Andrew Ross (andrewat_private)
Date: Thu Jan 09 2003 - 16:35:42 PST


    Hi Kyle,
    
    Your idea would work for me.
    
    I was going to post a message along the same lines.
    
    If we use a length field, then I suggest we use a 4 chr ASCII hex
    representation. 0000 to FFFF will give us a 64K packet size.
    
    The max message size in a UDP packet can be FFE3 which is 65507 bytes.
    There will be a min value too based on the final headers we choose.
    Using this size would allow us to still map TCP packets to UDP packets
    if we needed to.
    
    As another idea, if we started the message with a known header preamble,
    it would make it instantly recognisable as a particular protocol.
    
    SELP 0000 <PRI> HOSTADDRESS MESSAGE.
    
    Can we also specify that the HOSTADDRESS MUST be an address rather than
    a resolved name? It makes parsing easier and means we can do filtering
    on hosts a lot easier.
    
    What about a field to signify the character set used?
    
    Just my 2c (+GST) worth.
    
    Andrew
    
    
    
    -----Original Message-----
    From: Kyle R. Hofmann [mailto:krhat_private] 
    Sent: Friday, 10 January 2003 11:22 a.m.
    To: Rainer Gerhards
    Cc: Balazs Scheidler; loganalysisat_private; Mikael Olsson; Andrew
    Ross; avalonat_private
    Subject: Re: [logs] RE: syslog/tcp (selp) 
    
    
    On Thu, 09 Jan 2003 10:47:12 +0100, "Rainer Gerhards" wrote:
    > > * we should not discuss character sets, we should only state
    > > that the MSG part is transmitted 8bit clean
    > 
    > Agree. But this still prohibits DBCS, as byte values below 0x20 can
    > occur, especially CRLF. This probably confuses collectors not expecting
    > this. We could solve this with byte-counting, but I am not sure if we go
    > overboard. After all, it should be a very slight addition to
    > syslog/udp...
    
    OK, I have a simple solution.  The header will have three fields instead of
    two.  The first will be the length, the second time, and the third host.  The
    length will count every octet that occurs in the header, the message, and the
    trailer.
    
    With this, we lose no more backwards compatibility than we already have; a
    classic syslog daemon will already insert its own timestamp in front of our
    RFC 3339 one, and a new syslog daemon will know how to read the length.
    
    This changes if we want to allow old-style timestamps, however, I think an
    RFC3339 timestamp should be a MUST for the new format.  Implementations SHOULD
    be capable of converting new-style messages to old and transmitting old-style
    messages to other hosts on a host-by-host basis.
    
    -- 
    Kyle R. Hofmann <krhat_private>
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
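
The framing discussed in this thread (Andrew's `SELP 0000 <PRI> HOSTADDRESS MESSAGE` sketch with a 4-digit ASCII-hex length, Kyle's rule that the length counts every octet of the whole frame, and the requirement that the host field be an address literal) can be exercised end to end with a small encoder and stream decoder. The code below is an added illustration written for this archive page; it is not code from the list, from SELP, or from any syslog implementation. The exact field order after the length (RFC 3339 timestamp, then host address, then message), the minimum-frame computation, and the sample messages are assumptions made here. It shows the point Rainer raised: once frames are octet-counted, a message carrying CRLF, NUL or DBCS bytes crosses a TCP stream split without confusing the collector, and a length field that disagrees with the frame is rejected rather than silently resynchronised.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Layout assumed here (Andrew's sketch plus Kyle's length rule):
#   "SELP " + 4 ASCII-hex octets + " <PRI> " + RFC3339-TIME + " " + HOSTADDR + " " + MSG
# The hex field counts every octet of the frame, preamble and length field included.
PREAMBLE = b"SELP "
MAX_FRAME = 0xFFE3  # 65507 octets, the largest UDP payload cited in the thread

HEADER_RE = re.compile(
    rb"\ASELP (?P<len>[0-9A-F]{4}) <(?P<pri>\d{1,3})> (?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)\Z",
    re.DOTALL,  # MSG is 8-bit clean: CR, LF, NUL and DBCS bytes are all legal inside it
)


@dataclass
class Frame:
    pri: int
    timestamp: str
    host: str
    msg: bytes


def is_address_literal(host: str) -> bool:
    """True for an IPv4/IPv6 literal, False for a resolved name (the MUST Andrew asks for)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def encode(pri: int, timestamp: str, host: str, msg: bytes) -> bytes:
    """Build one SELP frame; rejects hostnames and frames larger than a UDP payload."""
    if not is_address_literal(host):
        raise ValueError("HOSTADDRESS must be an IP literal, got %r" % host)
    body = b" <%d> %s %s " % (pri, timestamp.encode("ascii"), host.encode("ascii")) + msg
    total = len(PREAMBLE) + 4 + len(body)
    if total > MAX_FRAME:
        raise ValueError("frame exceeds %d octets" % MAX_FRAME)
    return PREAMBLE + b"%04X" % total + body


# Smallest frame the layout above can produce (assumed lower bound, derived not chosen).
MIN_FRAME = len(encode(0, "1970-01-01T00:00:00Z", "0.0.0.0", b""))


def parse_frame(frame: bytes) -> Frame:
    """Parse exactly one complete frame; the length field must equal the frame size."""
    m = HEADER_RE.match(frame)
    if m is None:
        raise ValueError("malformed SELP header")
    if int(m["len"], 16) != len(frame):
        raise ValueError("length field disagrees with frame size")
    host = m["host"].decode("ascii")
    if not is_address_literal(host):
        raise ValueError("HOSTADDRESS is not an address literal")
    return Frame(int(m["pri"]), m["ts"].decode("ascii"), host, m["msg"])


def decode_stream(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Split a TCP byte stream into complete frames; return them plus the unconsumed tail.

    A partial frame at the end is handed back untouched so the caller can append the
    next read to it; anything that is not a well-formed length-prefixed frame is an
    error, because guessing boundaries is exactly what octet counting is meant to avoid.
    """
    frames: List[Frame] = []
    while len(buf) >= len(PREAMBLE) + 4:
        if not buf.startswith(PREAMBLE):
            raise ValueError("stream out of sync: expected SELP preamble")
        length_field = buf[len(PREAMBLE):len(PREAMBLE) + 4]
        if not re.fullmatch(rb"[0-9A-F]{4}", length_field):
            raise ValueError("length field is not 4 ASCII hex digits")
        total = int(length_field, 16)
        if total < MIN_FRAME or total > MAX_FRAME:
            raise ValueError("implausible frame length %d" % total)
        if len(buf) < total:
            break  # partial frame: wait for more octets
        frames.append(parse_frame(buf[:total]))
        buf = buf[total:]
    return frames, buf


if __name__ == "__main__":
    # Constructed sample: a message with CRLF, a NUL and a DBCS-style byte pair inside it.
    tricky = b"line one\r\nline two\x00\x81\x40"
    stream = encode(13, "2003-01-09T16:35:42-08:00", "192.0.2.10", tricky)
    stream += encode(30, "2003-01-09T16:35:43-08:00", "2001:db8::1", b"second")
    got, rest = decode_stream(stream[:80])  # cut mid-frame, as TCP reads often are
    print(len(got), "frame(s) complete,", len(rest), "octet(s) pending")
    got2, rest2 = decode_stream(rest + stream[80:])
    print(got[0].msg == tricky, got2[0].msg, rest2)
```

Feeding the decoder an arbitrary split point is the useful test: a newline-delimited collector would have cut the first message at its CRLF, while the octet-counted decoder hands back the unfinished tail and completes it on the next read.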
    



    This archive was generated by hypermail 2b30 : Thu Jan 09 2003 - 16:46:41 PST