> Are you going to put the hostname AND host address as required fields? I know it would be fine, but I would like to stick with as much of RFC3164 as possible. Last night's discussion has definitely shown you tend to open up "pandorra's box" if you do more... There is a reason that RFC3195 is as it is ;) > > If you have many remote devices from different companies who > all use say 10.0.0.1 as their host address then it is pretty > meaningless at the central syslog. The hostname could be used > to specify the actual company in this case. > > > CompanyXYZ (10.0.0.1) > CompanyABC (10.0.0.1) NAT ----> Firewall ---> NAT ----> > Network company doing remote monitoring of messages > (192.168.1.1) Company123 (10.0.0.1) > > In this case all messages arriving at the monitoring company > have the address of 10.0.0.1. The fully qualified domain name > would help identify the messages original destination. This is why I insisted on the FQDN instead of the simple host name. I, too, know this situation. It could also be solved in the payload area, and I would definitely opt to solve it there. With such, there would be numerous benefits, one of them the ability to work over plain RFC3164. I intend to consolidate some of the thoughts on payload that were on this list. It is still the other hot topic, especially with the API 0.1 codes out there... Just so much to do and so few time ;) > > Having both fields would be very helpful. See above ;) > > Also, it should be stated in the spec that a collector must > not modify the address or hostname when it forwards the > message. This will then allow us to pass it via many > collectors and still retain the original address of the sender. OK, I see the point. This is addressing relay operation. I'll try to find some wording that allows to retain the original hostname even if the parts before it can not be successfully parsed. In any case, that will be some guesswork, but I too feel guesswork is better here than how it currently is. But please keep in mind that as long as the message is well-formed, the host isn't changed - even in 3164. Well, the problem there is that I have yet to see well-formed packages due to the timestamp that virtually nobody is doing as in the RFC ;) > The peer address of the collector forwarding the message can > be obtained from the socket if required. So far no real techincal object - but I "feel" that this should not be done. To me, it sound much like breaking a key concept of 3164. I might be wrong? Any more feedback anyone? Rainer _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 10:35:34 PST