Andrew: Good question...
Well, Rainer mentioned some Windows event Log message that he had to make into syslog message that could reach as large as 1MB if I recall correctly. Then, as we were designing fragmentation, we had to choose some size limit. I was initially looking at binary encoding, so looking at how many bits to allocate to message length. 16-bit value gave us 65k. 24-bit value gave us 16MB. This is where 16MB came from. I do not believe we can legitimately require everyone to support 16MB multi-part messages. I would never allow such default in my implementation. I would maybe allow it to be configured. For one it is really not smart to send 16MB over unreliable UDP using about 32000 UDP datagrams without any acknowledgments. I would even consider lowering the 16MB significantly. We just have to keep in mind that we are talking about a consistent message size limit for syslog-protocol regardless of the transport mapping. So, the transport may indeed be TFTP for 16MB message. Maybe it makes sense to say in syslog-protocol what the minimum size the implementations are required to support regardless of transport? Although I can see how it can come back to bite us. Anton. > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Andrew Ross > Sent: Monday, May 10, 2004 12:03 AM > To: 'Rainer Gerhards'; 'Anton Okmianski'; [EMAIL PROTECTED] > Subject: RE: Transport draft preview > > > > Hi All, > > Can anyone tell me why we are talking about 16MB syslog > messages at all? > > > I thought the spirit of syslog was a quick, human readable, > single lined, informational message that can be logged to > disk and be parsed by a reporting tool. Even taking into > account UTF-8 encoding and the possibility of some binary > data, do we *really* need 16MB? 1024 bytes does nicely in > most cases, taking the max to 64KB is workable, but taking it > to 16MB is just making a rod for our own backs. Even on a > nice machine with stacks of memory, having to buffer and > rebuild 16MB multipart messages will just be a nightmare. > > If we want to send huge dumps of binary data, we should use > TFTP or FTP to transfer it. Let's keep the concept of syslog > to something that is sensible. > > Thoughts? > > Andrew > > >
