Sounds good to me. Are you going to put the hostname AND host address as required fields? If you have many remote devices from different companies who all use, say, 10.0.0.1 as their host address then it is pretty meaningless at the central syslog. The hostname could be used to specify the actual company in this case.

CompanyXYZ (10.0.0.1)
CompanyABC (10.0.0.1)   NAT ----> Firewall ---> NAT ----> Network company doing remote monitoring of messages (192.168.1.1)
Company123 (10.0.0.1)

In this case all messages arriving at the monitoring company have the address of 10.0.0.1. The fully qualified domain name would help identify the message's original destination. Having both fields would be very helpful.

Also, it should be stated in the spec that a collector must not modify the address or hostname when it forwards the message. This will then allow us to pass it via many collectors and still retain the original address of the sender. The peer address of the collector forwarding the message can be obtained from the socket if required.

Cheers
Andrew

-----Original Message-----
From: Rainer Gerhards [mailto:rgerhardsat_private]
Sent: Friday, 10 January 2003 10:02 p.m.
To: Kyle R. Hofmann; Andrew Ross
Cc: Balazs Scheidler; loganalysisat_private; Mikael Olsson; avalonat_private; betat_private
Subject: RE: [logs] RE: syslog/tcp (selp)

Hi all,

Thanks for the great discussion. It has now become clear to me that yesterday's suggestion was definitely going overboard. BTW: it could also have raised other concerns which could have led to the need for an acknowledgment from the receiver...

Having said that, I think Kyle has perfectly worded it:

> TCP and CRLFs and RFC3339 timestamps [timestamp merged in from other mail]
> are the minimum to have a working protocol. I
> think we should punt on the other issues, discuss them in
> "Security Concerns", and recommend syslog-reliable for serious work.

I think this is the route to take and I will carry on with the document based on this idea.
I'll drop the extended format totally. I will just add fully qualified host names (including domain) if there is no violent opposition against this.

Regarding the DBCS issue, if you really would like to have it, you again should go the RFC3195 way, which perfectly handles this issue. However, I think I will put a little background section on DBCS into the spec so that implementors are warned that there is a chance for non-US-ANSI characters to be in the stream and they should be prepared to deal gracefully with them.

Same should go for the CRLF issue. I still think it should be a MUST, but the usual "be conservative in what you send and liberal in what you accept" clause should be brought in here - and an explicit warning that PIX does LF only.

How does this sound?

Rainer

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
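A receiver and relay for the line-framed format the thread converges on (CRLF framing sent strictly and accepted liberally, RFC 3339 timestamps, a fully qualified hostname that relays never rewrite, the forwarding peer's address taken from the socket rather than from the message), as an added example in Python. It is not code from the LogAnalysis thread, from syslog-reliable/RFC 3195 or from any syslog implementation. The exact field order `<PRI>TIMESTAMP HOSTNAME MSG`, the function names and the sample lines (three NATed sites all seen as 10.0.0.1, one LF-only line as a PIX would send, a trailing partial frame) are constructed assumptions; the draft under discussion does not fix them.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# RFC 3339 date-time: full-date "T" partial-time [fraction] (offset | "Z").
_RFC3339 = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})$")
# Assumed header layout: <PRI> TIMESTAMP SP HOSTNAME [SP MSG]
_HEADER = re.compile(r"^<(\d{1,3})>(\S+) (\S+) ?(.*)$", re.DOTALL)


def parse_rfc3339(text: str) -> Optional[datetime]:
    """Return an offset-aware datetime, or None if text is not RFC 3339."""
    m = _RFC3339.match(text)
    if not m:
        return None
    date, clock, frac, offset = m.groups()
    offset = "+00:00" if offset == "Z" else offset
    try:
        dt = datetime.strptime(f"{date}T{clock}{offset}", "%Y-%m-%dT%H:%M:%S%z")
    except ValueError:
        return None
    if frac:  # strptime cannot take 1..9 fraction digits; normalise to 6
        dt = dt.replace(microsecond=int((frac[1:] + "000000")[:6]))
    return dt


def split_frames(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into complete frames plus leftover partial data.

    Liberal receiver: a bare LF ends a frame (PIX sends LF only); a CR directly
    before the LF is dropped, any other CR stays in the payload.
    """
    frames: List[bytes] = []
    while True:
        nl = buf.find(b"\n")
        if nl < 0:
            return frames, buf
        line = buf[:nl]
        frames.append(line[:-1] if line.endswith(b"\r") else line)
        buf = buf[nl + 1:]


def parse_message(frame: bytes) -> Dict[str, object]:
    """Parse one frame; non-ASCII/DBCS bytes are decoded leniently, not rejected."""
    text = frame.decode("utf-8", errors="replace")
    m = _HEADER.match(text)
    if not m:
        return {"valid": False, "raw": text}
    pri, ts, host, msg = m.groups()
    stamp = parse_rfc3339(ts)
    return {
        "valid": stamp is not None and int(pri) <= 191,
        "pri": int(pri), "facility": int(pri) // 8, "severity": int(pri) % 8,
        "timestamp": stamp,
        "hostname": host,  # FQDN exactly as the originator sent it
        "msg": msg, "raw": text,
    }


def frame_message(pri: int, stamp: datetime, hostname: str, msg: str) -> bytes:
    """Conservative sender: CRLF terminator, no CR/LF inside, offset-aware time."""
    if "\r" in msg or "\n" in msg:
        raise ValueError("message body must not contain CR or LF")
    if stamp.tzinfo is None:
        raise ValueError("timestamp must carry a UTC offset")
    return f"<{pri}>{stamp.isoformat()} {hostname} {msg}\r\n".encode("utf-8")


def relay(frame: bytes, peer: Tuple[str, int], chain: List[Tuple[str, int]]) -> Tuple[bytes, List[Tuple[str, int]]]:
    """Forward a frame with its content untouched; only the terminator is normalised.
    The upstream peer (what a real collector reads from the socket) is kept
    beside the message, so the origin hostname survives every hop and NAT."""
    return frame.rstrip(b"\r\n") + b"\r\n", chain + [peer]


# Constructed sample stream (assumed hostnames; not real traffic).
SAMPLE_STREAM = (
    b"<34>2003-01-10T22:02:00+13:00 fw1.companyxyz.example su: auth failure\r\n"
    b"<34>2003-01-10T22:02:01+13:00 fw1.companyabc.example su: auth failure\r\n"
    b"<166>2003-01-10T09:02:02Z pix.company123.example %PIX-6-302013: Built outbound\n"
    b"<13>2003-01-10T22:02:03+13:00 partial"
)


def demo(stream: bytes = SAMPLE_STREAM) -> Tuple[List[Dict[str, object]], bytes]:
    """Receive SAMPLE_STREAM as the monitoring company would: every sender
    appears as the NATed peer 10.0.0.1, so only the hostname tells sites apart."""
    frames, rest = split_frames(stream)
    records = []
    for f in frames:
        rec = parse_message(f)
        _, rec["relay_chain"] = relay(f, ("10.0.0.1", 49152), [])
        records.append(rec)
    return records, rest


if __name__ == "__main__":
    for r in demo()[0]:
        print(r["hostname"], r["timestamp"], r["relay_chain"])
```

The leftover bytes returned by `split_frames` must be carried over to the next `recv()`; a receiver that discards them silently drops the message the sender is still writing, which is exactly the kind of loss the thread defers to syslog-reliable for.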
This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 10:22:22 PST