Hi, We've talked about changing the TIMESTAMP and the HOSTNAME fields which will increase them. From that, we may be pushing the length of previously valid messages over the 1024 byte limit. Perhaps an explicit statement about the length of syslog messages would be appropriate in the syslog-sign ID?
---vvv--- Currently in Section 2 ---vvv--- The full format of a syslog sign message seen on the wire has three discernible parts. The first part is called the PRI, the second part is the HEADER, and the third part is the MSG. The total length of the packet MUST be 1024 bytes or less. There is no minimum length of the syslog message although sending a syslog packet with no contents is worthless and SHOULD NOT be transmitted. ---^^^--- Currently in Section 2 ---^^^--- I believe that Eric Allman chose 1024 since that was a hardware buffer size and blobs that fit within that space could be processed more efficiently. Increasing that size may be appropriate now. We could specify some actual maximum size of syslog packets but that might not be appropriate for all cases. Somehow, it just doesn't feel right to have IP fragment syslog messages. How about stating the the default maximum size is 1024 bytes but that may be increased to be the MTU between the device and the collector when using UDP? This would cover the expansion of the HOSTNAME and TIMESTAMP fields and allow all previously valid messages to be sent without having something truncate it or fragment it. Thoughts? Thanks, Chris
