So there are two protocols calling themselves "syslog": RFC 3164 "The BSD syslog Protocol" and RFC 5424 "The Syslog Protocol", which adds [idAnd structured=data] after the header in each message.

Then there's RFC 6587 "Transmission of Syslog Messages over TCP", which the IETF declared historic, does not support TLS, etc., but basically describes BSD syslog over TCP, either with newlines as separators or with octet counting.

My loose understanding, based on no scientific data whatsoever, is that almost everyone is using BSD syslog, perhaps over TCP with newline termination on messages per 6587. I'd like to confirm/deny this for $employer, to figure out which should be used by default for something which is directly emitting syslog packets (for good reason). I see that rsyslog defaults to BSD but also supports the IETF variant. syslog-ng added support for the IETF stuff when they added TLS support.

What are enterprises (or other large organisations that care about logging) actually using? Is anybody using syslog-over-TLS (RFC 5425)? Signed syslog (RFC 5848)? If using TCP, which syslog variant? "Whatever the default of the product is" or choosing something specific? And if choosing one in particular, why?

Thanks for any feedback,
-Phil

Discuss mailing list, [email protected], https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss

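An added example, not part of the original post, of what a receiver has to cope with when the variants above are mixed on one TCP connection: it splits an RFC 6587 stream using both octet counting and newline framing, then tells RFC 3164 from RFC 5424 messages by their headers. The stream is constructed here; the message contents are modelled on the examples in the RFCs, and the fallback rule "anything not octet-counted is newline-framed" is an assumption of this example.

```python
import re
from typing import List, Tuple

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>[1-9]\d{0,2}) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)
OCTET_RE = re.compile(rb"(\d+) ")  # RFC 6587 octet-counting prefix: "MSG-LEN SP"


def split_frames(stream: bytes) -> List[bytes]:
    """Split an RFC 6587 TCP stream into messages. A frame that starts with a
    length prefix is octet-counted (so it may safely contain newlines); any
    other frame is assumed to be non-transparently framed and ends at LF."""
    frames, i = [], 0
    while i < len(stream):
        m = OCTET_RE.match(stream, i)
        if m:
            n, start = int(m.group(1)), m.end()
            if start + n > len(stream):
                raise ValueError("truncated octet-counted frame")
            frames.append(stream[start:start + n])
            i = start + n
        else:
            nl = stream.find(b"\n", i)
            end = len(stream) if nl == -1 else nl
            if end > i:
                frames.append(stream[i:end])
            i = end + 1
    return frames


def classify(frame: bytes) -> Tuple[str, dict]:
    """Return ("rfc5424" | "rfc3164" | "unknown", parsed header fields)."""
    text = frame.decode("utf-8", errors="replace")
    for name, rx in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = rx.match(text)
        if m:
            return name, m.groupdict()
    return "unknown", {"raw": text}


# Constructed sample: one BSD line, one IETF line, then one octet-counted IETF
# message whose body contains a newline (which newline framing would split).
_OCTET_MSG = b"<165>1 2003-10-11T22:14:15.003Z host app - - - two\nlines"
SAMPLE_STREAM = (
    b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8\n"
    b"<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 "
    b'[exampleSDID@32473 iut="3" eventSource="Application"] An application event log entry\n'
    + str(len(_OCTET_MSG)).encode() + b" " + _OCTET_MSG
)
```

Running `[classify(f) for f in split_frames(SAMPLE_STREAM)]` yields one rfc3164 and two rfc5424 messages, the last keeping its embedded newline intact.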