RE: [logs] RE: syslog/tcp (selp)

From: Andrew Ross (andrewat_private)
Date: Fri Jan 10 2003 - 02:15:23 PST


    Sounds good to me.
    
    Are you going to put the hostname AND host address as required fields?
    
    If you have many remote devices from different companies who all use say
    10.0.0.1 as their host address then it is pretty meaningless at the
    central syslog. The hostname could be used to specify the actual company
    in this case.
    
    
    CompanyXYZ (10.0.0.1)
    CompanyABC (10.0.0.1)  NAT ----> Firewall ---> NAT ----> Network company
    doing remote monitoring of messages (192.168.1.1)
    Company123 (10.0.0.1)
    
    In this case all messages arriving at the monitoring company have the
    address of 10.0.0.1. The fully qualified domain name would help identify
    the messages' original destination.
    
    Having both fields would be very helpful.
    
    Also, it should be stated in the spec that a collector must not modify
    the address or hostname when it forwards the message. This will then
    allow us to pass it via many collectors and still retain the original
    address of the sender.
    
    The peer address of the collector forwarding the message can be obtained
    from the socket if required.
    
    Cheers
    
    Andrew
    
    
    
    -----Original Message-----
    From: Rainer Gerhards [mailto:rgerhardsat_private] 
    Sent: Friday, 10 January 2003 10:02 p.m.
    To: Kyle R. Hofmann; Andrew Ross
    Cc: Balazs Scheidler; loganalysisat_private; Mikael Olsson;
    avalonat_private; betat_private
    Subject: RE: [logs] RE: syslog/tcp (selp) 
    
    
    Hi all,
    
    Thanks for the great discussion. It has now become clear to me that
    yesterday's suggestion was definitely going overboard. BTW: it could
    also have raised other concerns which could have led to the need for an
    acknowledgment from the receiver...
    
    Having said that, I think Kyle has perfectly worded it:
    
    > TCP and CRLFs and RFC3339 timestamps [timestamp merged in from other mail]
    > are the minimum to have a working protocol.  I
    > think we should punt on the other issues, discuss them in
    > "Security Concerns", and recommend syslog-reliable for serious work.
    
    I think this is the route to take and I will carry on with the document
    based on this idea. I'll drop the extended format totally. I will just
    add fully qualified host names (including domain) if there is no violent
    opposition against this.
    
    Regarding the DBCS issue, if you really would like to have it, you again
    should go the RFC3195 way, which perfectly handles this issue. However,
    I think I will put a little background section on DBCS into the spec so
    that implementors are warned that there is a chance for non-US-ANSI
    characters to be in the stream and they should be prepared to deal
    gracefully with them. Same should go for the CRLF issue. I still think
    it should be a MUST but the usual "be conservative in what you send and
    liberal in what you accept" clause should be brought in here - and an
    explicit warning that PIX does LF, only.
    
    How does this sound?
    
    Rainer
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
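As an added illustration (not code from the thread or from Rainer's draft), here is a small Python framer and parser for a line-based syslog/TCP stream along the lines discussed above: CRLF-terminated records with a bare LF also accepted on receipt, an RFC3339 timestamp followed by the sender's FQDN and address, and a forwarder that re-emits the record without touching either field. The field order, the sample records and the company hostnames are constructed assumptions, not the draft's wire format.

```python
"""Framing, parsing and lossless forwarding for a line-based syslog/TCP stream.

Constructed example: record layout assumed to be
  <RFC3339 timestamp> <sender FQDN> <sender address> <free text>
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: two complete records (one CRLF, one LF-only as a PIX
# would send) plus a partial record still in flight. Both senders sit on
# 10.0.0.1 behind NAT, so only the FQDN tells the companies apart.
SAMPLE_STREAM = (
    b"2003-01-10T10:02:00+13:00 fw.companyxyz.example 10.0.0.1 login ok\r\n"
    b"2003-01-10T10:02:01+13:00 fw.companyabc.example 10.0.0.1 connection denied\n"
    b"2003-01-10T10:02:02+13:00 fw.company123.ex"
)

@dataclass
class SyslogMsg:
    timestamp: datetime
    hostname: str   # FQDN of the original sender; a collector must not rewrite it
    address: str    # address of the original sender; a collector must not rewrite it
    text: str

def frame(stream: bytes) -> tuple[list[bytes], bytes]:
    """Split a byte stream into complete records, returning (records, carry-over).

    Be liberal in what you accept: records end at LF, and a preceding CR is
    stripped, so both CRLF and bare-LF senders are handled. The trailing
    partial record is returned for the caller to prepend to the next read.
    """
    records = []
    while (idx := stream.find(b"\n")) >= 0:
        records.append(stream[:idx].rstrip(b"\r"))
        stream = stream[idx + 1:]
    return records, stream

def parse(record: bytes) -> SyslogMsg:
    # Non-ASCII bytes may be present (the DBCS concern); decode leniently
    # rather than dropping the record.
    fields = record.decode("utf-8", errors="replace").split(" ", 3)
    if len(fields) != 4:
        raise ValueError(f"malformed record: {record!r}")
    ts, host, addr, text = fields
    ipaddress.ip_address(addr)   # reject garbage in the address field
    return SyslogMsg(datetime.fromisoformat(ts), host, addr, text)

def forward(msg: SyslogMsg) -> bytes:
    """Re-emit a record with CRLF (conservative send), preserving the original
    hostname and address. The forwarding collector's own address is available
    to the next hop from the TCP socket, so nothing here needs rewriting."""
    return f"{msg.timestamp.isoformat()} {msg.hostname} {msg.address} {msg.text}\r\n".encode()
```

Feeding SAMPLE_STREAM through frame() yields two records and a carry-over fragment; forwarding the LF-only record normalises it to CRLF while leaving the sender fields untouched.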
    



    This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 10:22:22 PST