Re: [logs] RE: syslog/tcp (selp)

From: Bennett Todd (betat_private)
Date: Fri Jan 10 2003 - 10:35:57 PST

    2003-01-09T20:09:00 Darren Reed:
    > In some mail from Andrew Ross, sie said:
    > > SELP 0000 <PRI> HOSTADDRESS MESSAGE.
    > > 
    > > Can we also specify that the HOSTADDRESS MUST be an address rather than
    > > a resolved name? It makes parsing easier and means we can do filtering
    > > on hosts a lot easier.
    > 
    > How about name AND address ?  Both have meaning at the time, that can be
    > lost when you try to do analysis later, based on one or the other.
    
    Rather than trying to solve this problem here, can we just go with
    selp.txt's proposal of name _or_ address, with the fix that the name
    can be fully qualified (as is prohibited by RFC 3164), and leave
    efforts to really provide complete info (name, address, names and
    addresses of all relayers with additional timestamps, etc.) to go
    into the MSG in the companion standard that specifies an extensible
    tagged format for it?
    
    While RFC 3164 isn't perfect in this spot (it outlaws FQDNs, which
    selp.txt fixes), I don't see it as critical to fix this; for many
    applications, a name-or-address field is satisfactory. It's not like
    the timestamp, where RFC 3164 mandates an incomplete value.
    
    -Bennett
    
    
    

    _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
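An added example, not part of the original message or of selp.txt: a receiver-side check of the host field under the "name or address" rule discussed above, with a switch for whether fully qualified names are permitted (prohibited under RFC 3164 as described in the message, allowed under the selp.txt fix). The function names, the DNS label syntax rules and the sample tokens are assumptions made for illustration.

```python
import ipaddress
import re

# Assumed name syntax: DNS labels of letters, digits and hyphens, 1-63 chars,
# no leading or trailing hyphen. This is not taken from selp.txt.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def classify_host_field(token):
    """Return 'ipv4', 'ipv6', 'fqdn', 'shortname' or 'invalid' for a host token."""
    try:
        return "ipv%d" % ipaddress.ip_address(token).version
    except ValueError:
        pass  # not a literal address; fall through to name checks
    name = token[:-1] if token.endswith(".") else token  # tolerate a root dot
    labels = name.split(".")
    if not name or len(name) > 253:
        return "invalid"
    if not all(_LABEL.fullmatch(label) for label in labels):
        return "invalid"
    # Dotted all-numeric tokens that failed address parsing (e.g. "10.1.2")
    # would be ambiguous in host filters, so reject them instead of
    # treating them as names.
    if all(label.isdigit() for label in labels):
        return "invalid"
    return "fqdn" if len(labels) > 1 else "shortname"


def accepts(token, permit_fqdn):
    """permit_fqdn=False models the RFC 3164 restriction described in the
    message; permit_fqdn=True models name-or-address with FQDNs allowed."""
    kind = classify_host_field(token)
    if kind == "invalid":
        return False
    return permit_fqdn or kind != "fqdn"


# Constructed sample tokens, not taken from any real log.
SAMPLES = ["192.0.2.10", "2001:db8::1", "loghost", "loghost.example.com",
           "10.1.2", "bad_host"]

if __name__ == "__main__":
    for tok in SAMPLES:
        print("%-22s %-10s strict=%-5s fqdn_ok=%s" % (
            tok, classify_host_field(tok),
            accepts(tok, False), accepts(tok, True)))
```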



    This archive was generated by hypermail 2b30 : Fri Jan 10 2003 - 12:36:54 PST