RE: [logs] RE: syslog/tcp (selp)

From: Andrew Ross (andrewat_private)
Date: Fri Jan 10 2003 - 00:42:05 PST

    The more I think about it, the idea of binary data and non-ASCII chr
    sets should be left for the BEEP or syslog-reliable implementations. The
    SELP protocol should be a very simple change and not allow for non-ASCII
    chrs or binary. Therefore we can just stick with a delimiter and not
    worry about a length chunk. It also means I don't have to code for non-
    ASCII chr sets just yet :-)
    
    On the topic of delimiters. We discovered today that the PIX actually
    sends a single LF at the end of its messages. It does this for both UDP
    and TCP messages. I'm using version 6.2(1) of the PIX IOS. From memory,
    earlier versions of the IOS didn't delimit the data. (Version 4 and 5).
    Does anyone have access to old software to confirm this?
    
    We have been discussing the delimiter recently as being CRLF. Can I
    throw the cat amongst the pigeons and suggest we make it just LF? LF is
    the Unix standard delimiter for files and streams. CRLF is more of a
    Windows convention.
    
    Would it not be easier (and more code efficient) to search for just LF?
    
    Someone mentioned that CRLF is the Internet standard, can someone point
    me to a URL that defines this? I always thought the Internet was more
    Unix driven than Windows.
    
    Cheers
    
    Andrew
    
    
    
    On Fri, 10 Jan 2003 13:35:42 +1300, "Andrew Ross" wrote:
    > As another idea, if we started the message with a known header preamble,
    > it would make it instantly recognisable as a particular protocol.
    > 
    > SELP 0000 <PRI> HOSTADDRESS MESSAGE.
    
    Unfortunately a classical syslog daemon won't like it.  It'll assume the
    default facility and priority for that message--"user" and "notice"--and
    proceed to put it wherever such messages go instead of where this message
    should go.
    
    In a way this isn't really a problem, because a new syslog daemon has to be
    changed to use TCP and to send CRLFs at the end of messages; but in another
    sense it is, because we're trying to make it easy for implementors to convert
    their old syslog daemons to this protocol, and the more requirements we impose
    on them, the more reluctant they'll be.  If this is to get any acceptance
    outside of the loganalysis list, then we have to make it *very* *very* *very*
    easy to implement.
    
    TCP and CRLFs are the minimum to have a working protocol.  I think we should
    punt on the other issues, discuss them in "Security Concerns", and recommend
    syslog-reliable for serious work.
    
    -- 
    Kyle R. Hofmann <krhat_private>
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    
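An added example, not code from the thread or any of its participants, of the receiver-side framing the message debates: split a syslog-over-TCP byte stream on LF, tolerate CRLF senders by stripping a trailing CR, reassemble records across partial reads, reject non-ASCII or control bytes (the ASCII-only SELP stance above), and fall back to user.notice when the `<PRI>` header is missing, as Kyle notes a classic syslogd would. The `MAX_RECORD` cap and all sample lines are constructed for the example.

```python
# Added example: LF-delimited framing for a syslog/TCP receiver.
# Accepts a bare LF (as the PIX sends) and CRLF, buffers partial records
# across reads, rejects binary/non-ASCII, and defaults a missing <PRI>.
import re

PRI_RE = re.compile(rb"^<(\d{1,3})>")
DEFAULT_PRI = 13     # facility 1 (user) * 8 + severity 5 (notice)
MAX_RECORD = 1024    # assumed cap; bounds buffering from a sender that never sends LF

def split_pri(pri):
    """Return (facility, severity) for a numeric PRI value."""
    return pri // 8, pri % 8

def classify(rec):
    """Classify one delimiter-free record as (status, pri, payload)."""
    if any(b < 0x20 or b > 0x7E for b in rec):
        return ("reject", None, rec)        # non-ASCII or control byte: not SELP
    m = PRI_RE.match(rec)
    if not m or int(m.group(1)) > 191:      # 191 = facility 23, severity 7
        return ("nopri", DEFAULT_PRI, rec)  # what a classic syslogd assumes
    return ("ok", int(m.group(1)), rec[m.end():])

class LineFramer:
    """Reassembles LF-terminated records from an arbitrary sequence of reads."""
    def __init__(self):
        self.buf = b""

    def feed(self, chunk):
        """Append bytes from the socket; return the records completed so far."""
        self.buf += chunk
        out = []
        while True:
            idx = self.buf.find(b"\n")
            if idx < 0:
                if len(self.buf) > MAX_RECORD:  # no delimiter in sight: drop it
                    out.append(("reject", None, self.buf))
                    self.buf = b""
                return out
            rec, self.buf = self.buf[:idx], self.buf[idx + 1:]
            if rec.endswith(b"\r"):             # CRLF sender: strip the CR
                rec = rec[:-1]
            out.append(classify(rec))

if __name__ == "__main__":
    f = LineFramer()
    for r in f.feed(b"<34>pix: constructed line\n<13>crlf line\r\nSELP 0000 <"):
        print(r)
    print(f.feed(b"PRI> HOST MESSAGE\n"))     # completes the split record
```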



    This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 10:13:35 PST