RE: [logs] RE: syslog/tcp (selp)

From: Rainer Gerhards (rgerhardsat_private)
Date: Fri Jan 10 2003 - 02:38:45 PST

  • Next message: Rainer Gerhards: "RE: [logs] RE: syslog/tcp (selp)"

    > Are you going to put the hostname AND host address as required fields?
    
    I know it would be fine, but I would like to stick with as much of
    RFC3164 as possible. Last night's discussion has definitely shown you
    tend to open up "pandorra's box" if you do more... There is a reason
    that RFC3195 is as it is ;)
    > 
    > If you have many remote devices from different companies who 
    > all use say 10.0.0.1 as their host address then it is pretty 
    > meaningless at the central syslog. The hostname could be used 
    > to specify the actual company in this case.
    > 
    > 
    > CompanyXYZ (10.0.0.1)
    > CompanyABC (10.0.0.1)  NAT ----> Firewall ---> NAT ----> 
    > Network company doing remote monitoring of messages 
    > (192.168.1.1) Company123 (10.0.0.1)
    > 
    > In this case all messages arriving at the monitoring company 
    > have the address of 10.0.0.1. The fully qualified domain name 
    > would help identify the messages original destination.
    
    This is why I insisted on the FQDN instead of the simple host name. I,
    too, know this situation. It could also be solved in the payload area,
    and I would definitely opt to solve it there. With such, there would be
    numerous benefits, one of them the ability to work over plain RFC3164. I
    intend to consolidate some of the thoughts on payload that were on this
    list. It is still the other hot topic, especially with the API 0.1 codes
    out there... Just so much to do and so few time ;)
    
    > 
    > Having both fields would be very helpful.
    
    See above ;)
    
    > 
    > Also, it should be stated in the spec that a collector must 
    > not modify the address or hostname when it forwards the 
    > message. This will then allow us to pass it via many 
    > collectors and still retain the original address of the sender.
    
    OK, I see the point. This is addressing relay operation. I'll try to
    find some wording that allows to retain the original hostname even if
    the parts before it can not be successfully parsed. In any case, that
    will be some guesswork, but I too feel guesswork is better here than how
    it currently is. But please keep in mind that as long as the message is
    well-formed, the host isn't changed - even in 3164. Well, the problem
    there is that I have yet to see well-formed packages due to the
    timestamp that virtually nobody is doing as in the RFC ;)
    
    > The peer address of the collector forwarding the message can 
    > be obtained from the socket if required.
    
    So far no real techincal object - but I "feel" that this should not be
    done. To me, it sound much like breaking a key concept of 3164. I might
    be wrong? Any more feedback anyone?
    
    Rainer
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 10:35:34 PST