RE: [logs] RE: syslog/tcp (selp)

• Previous message: Mikael Olsson: "Re: [logs] RE: syslog/tcp (selp)"
• Next in thread: Mikael Olsson: "Re: [logs] RE: syslog/tcp (selp)"
• Next in thread: Rainer Gerhards: "RE: [logs] RE: syslog/tcp (selp)"
• Reply: Mikael Olsson: "Re: [logs] RE: syslog/tcp (selp)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sounds good to me.

Are you going to put the hostname AND host address as required fields?

If you have many remote devices from different companies who all use say
10.0.0.1 as their host address then it is pretty meaningless at the
central syslog. The hostname could be used to specify the actual company
in this case.


CompanyXYZ (10.0.0.1)
CompanyABC (10.0.0.1)  NAT ----> Firewall ---> NAT ----> Network company
doing remote monitoring of messages (192.168.1.1)
Company123 (10.0.0.1)

In this case all messages arriving at the monitoring company have the
address of 10.0.0.1. The fully qualified domain name would help identify
the messages original destination.

Having both fields would be very helpful.

Also, it should be stated in the spec that a collector must not modify
the address or hostname when it forwards the message. This will then
allow us to pass it via many collectors and still retain the original
address of the sender.

The peer address of the collector forwarding the message can be obtained
from the socket if required.

Cheers

Andrew



-----Original Message-----
From: Rainer Gerhards [mailto:rgerhardsat_private] 
Sent: Friday, 10 January 2003 10:02 p.m.
To: Kyle R. Hofmann; Andrew Ross
Cc: Balazs Scheidler; loganalysisat_private; Mikael Olsson;
avalonat_private; betat_private
Subject: RE: [logs] RE: syslog/tcp (selp) 


Hi all,

Thanks for the great discussion. I have now become clear that
yesterday's suggestion was definintely going over board. BTW: it could
also have raised other conderns which could have led to the need for a
acknowledgment from the receiver...

Having said that, I think Kyle has perfectly worded it:

> TCP and CRLFs and RFC3339 timestamps [timestamp merged in from other
mail]
> are the minimum to have a working protocol.  I 
> think we should punt on the other issues, discuss them in 
> "Security Concerns", and recommend syslog-reliable for serious work.

I think this is the route to take and I will carry on with the document
based on this idea. I'll drop the extended format totally. I will just
add fully qualified host names (including domain) if there is no violent
opposition against this.

Regarding the DBCS issue, if you really would like to have it, you again
should go the RFC3195 way, which perfectly handles this issue. However,
I think I will put a little background section on DBCS into the spec so
that implementors are warned that there is a chance for non-US-ANSI
chracters to be in the stream and they should be prepared to deal
gracefully with them. Same should go for the CRLF issue. I still think
it should be a MUST but the usual "be conservative in what you send and
liberal in what you accept" clause should be brought in here - and an
explicit warning that PIX does LF, only.

How does this sound?

Rainer

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis

• Next message: Rainer Gerhards: "RE: [logs] syslog/tcp (selp)"
• Previous message: Mikael Olsson: "Re: [logs] RE: syslog/tcp (selp)"
• Next in thread: Mikael Olsson: "Re: [logs] RE: syslog/tcp (selp)"
• Next in thread: Rainer Gerhards: "RE: [logs] RE: syslog/tcp (selp)"
• Reply: Mikael Olsson: "Re: [logs] RE: syslog/tcp (selp)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 10:22:22 PST