Hi Kyle,

Your idea would work for me. I was going to post a message along the same lines.

If we use a length field, then I suggest we use a 4-character ASCII hex representation. 0000 to FFFF will give us a 64K packet size. The max message size in a UDP packet can be FFE3, which is 65507 bytes. There will be a min value too, based on the final headers we choose. Using this size would allow us to still map TCP packets to UDP packets if we needed to.

As another idea, if we started the message with a known header preamble, it would make it instantly recognisable as a particular protocol.

SELP 0000 <PRI> HOSTADDRESS MESSAGE

Can we also specify that the HOSTADDRESS MUST be an address rather than a resolved name? It makes parsing easier and means we can do filtering on hosts a lot more easily.

What about a field to signify the character set used?

Just my 2c (+GST) worth.

Andrew

-----Original Message-----
From: Kyle R. Hofmann [mailto:krhat_private]
Sent: Friday, 10 January 2003 11:22 a.m.
To: Rainer Gerhards
Cc: Balazs Scheidler; loganalysisat_private; Mikael Olsson; Andrew Ross; avalonat_private
Subject: Re: [logs] RE: syslog/tcp (selp)

On Thu, 09 Jan 2003 10:47:12 +0100, "Rainer Gerhards" wrote:
> > * we should not discuss character sets, we should only state
> > that the MSG part is transmitted 8bit clean
>
> Agree. But this still prohibits DBCS, as byte values below 0x20 can
> occur, especially CRLF. This probably confuses collectors not expecting
> this. We could solve this with byte-counting, but I am not sure if we go
> overboard. After all, it should be a very slight addition to
> syslog/udp...

OK, I have a simple solution. The header will have three fields instead of two. The first will be the length, the second time, and the third host. The length will count every octet that occurs in the header, the message, and the trailer.

With this, we lose no more backwards compatibility than we already have; a classic syslog daemon will already insert its own timestamp in front of our RFC 3339 one, and a new syslog daemon will know how to read the length. This changes if we want to allow old-style timestamps; however, I think an RFC 3339 timestamp should be a MUST for the new format. Implementations SHOULD be capable of converting new-style messages to old and transmitting old-style messages to other hosts on a host-by-host basis.

-- 
Kyle R. Hofmann <krhat_private>

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
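The byte-counted framing discussed above (Andrew's "SELP 0000 <PRI> HOSTADDRESS MESSAGE" preamble plus Kyle's length/time/host header), as an added worked example that is not part of the original messages or of any published syslog/tcp draft. The concrete layout is an assumption made here to have something to parse: a literal "SELP", a 4-character uppercase ASCII-hex length that counts every octet of the frame including the trailer, a syslog-style <PRI> (0 to 191), an RFC 3339 timestamp, a literal IP address, the 8-bit-clean message, and a single LF trailer. The 65507-octet ceiling is the FFE3 figure from the thread; the minimum is derived from the smallest legal frame rather than guessed. The sample frames and the "192.0.2.10"/"2001:db8::1" hosts are constructed for the example.

```python
import ipaddress
import re

# Hypothetical frame layout assembled from the sketches in the thread; it is
# an assumption for this example, not a published spec:
#
#   SELP LLLL <PRI>TIMESTAMP HOSTADDRESS MESSAGE\n
#
# LLLL is a 4-character uppercase ASCII-hex octet count covering the whole
# frame, trailer included. TIMESTAMP is RFC 3339, HOSTADDRESS is a literal
# IP address (never a resolved name), MESSAGE is 8-bit clean and may contain
# CR, LF or any other octet.
MAGIC = b"SELP"
TRAILER = b"\n"
UDP_MAX_FRAME = 0xFFE3                  # 65507 octets, as noted in the thread
HDR_FIXED = len(MAGIC) + 1 + 4 + 1      # "SELP LLLL " = 10 octets

_PRI_RE = re.compile(rb"^<(\d{1,3})>")
_TS_RE = re.compile(
    rb"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$"
)


def encode(pri, ts, host, msg):
    """Build one frame; rejects fields the proposal would forbid."""
    if not 0 <= pri <= 191:                 # facility 0..23 * 8 + severity 0..7
        raise ValueError("PRI out of range")
    if not _TS_RE.match(ts.encode("ascii")):
        raise ValueError("timestamp is not RFC 3339")
    ipaddress.ip_address(host)              # a resolved name raises here
    body = b"<%d>%s %s %s" % (pri, ts.encode("ascii"), host.encode("ascii"), msg)
    total = HDR_FIXED + len(body) + len(TRAILER)
    if total > UDP_MAX_FRAME:
        raise ValueError("frame exceeds the 65507-octet UDP limit")
    return MAGIC + b" " + b"%04X" % total + b" " + body + TRAILER


# Smallest legal frame: empty message, shortest timestamp, shortest host ("::").
MIN_FRAME = len(encode(0, "1970-01-01T00:00:00Z", "::", b""))   # 38 octets


def _parse_body(body):
    m = _PRI_RE.match(body)
    if not m:
        raise ValueError("missing <PRI>")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI out of range")
    # Header fields are ASCII and space-delimited; everything after the
    # second space is the message, which may itself hold spaces, CR or LF.
    parts = body[m.end():].split(b" ", 2)
    if len(parts) != 3:
        raise ValueError("truncated header")
    ts, host, msg = parts
    if not _TS_RE.match(ts):
        raise ValueError("timestamp is not RFC 3339")
    host = host.decode("ascii")
    ipaddress.ip_address(host)              # names are rejected on receipt too
    return pri, ts.decode("ascii"), host, msg


def decode_stream(buf):
    """Pull every complete frame out of a TCP byte stream.

    Returns (frames, leftover). A buffer that is merely short hands the
    unconsumed bytes back so the caller can append the next read; a buffer
    that is malformed raises, because once the length field cannot be
    trusted the only safe action is to drop the connection.
    """
    frames = []
    while True:
        if len(buf) < HDR_FIXED:
            return frames, buf
        if buf[:4] != MAGIC or buf[4:5] != b" " or buf[9:10] != b" ":
            raise ValueError("not a SELP frame")
        hexlen = buf[5:9]
        if not re.fullmatch(rb"[0-9A-F]{4}", hexlen):
            raise ValueError("bad length field")
        total = int(hexlen, 16)
        if not MIN_FRAME <= total <= UDP_MAX_FRAME:
            raise ValueError("length %d outside [%d, %d]"
                             % (total, MIN_FRAME, UDP_MAX_FRAME))
        if len(buf) < total:
            return frames, buf              # frame not fully arrived yet
        frame, buf = buf[:total], buf[total:]
        if not frame.endswith(TRAILER):
            raise ValueError("length and trailer disagree")
        frames.append(_parse_body(frame[HDR_FIXED:-len(TRAILER)]))


def demo():
    """Constructed sample: a two-line message (CRLF inside MESSAGE) and a
    second frame, delivered across two TCP reads that split mid-header."""
    f1 = encode(13, "2003-01-10T11:22:00+13:00", "192.0.2.10",
                b"line one\r\nline two")
    f2 = encode(34, "2003-01-10T11:22:01+13:00", "2001:db8::1", b"second")
    stream = f1 + f2
    cut = len(f1) + 5                       # second read starts inside "SELP "
    got, leftover = decode_stream(stream[:cut])
    more, leftover = decode_stream(leftover + stream[cut:])
    assert leftover == b""
    return got + more


if __name__ == "__main__":
    for pri, ts, host, msg in demo():
        print(pri, ts, host, msg)
```

The point of the sample is the first frame: its message carries a CRLF, which a collector that frames on newlines would split into two records (and glue the tail onto the next frame), whereas the byte count recovers it intact. Note that the trailer check is only a sanity check; a length field that happens to land on an embedded LF would still parse, so the count, not the trailer, is what the receiver must trust.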
This archive was generated by hypermail 2b30 : Thu Jan 09 2003 - 16:46:41 PST