I was away for 48 hours and what happens(!)...

In some email I received from Magosanyi Arpad, sie wrote:
[...]
 > > useful for central loghosts receiving packets from lots of machines. But I
 > > also would like to have TCP. Unfortunately 514/tcp has already been taken
 > > (by the "shell" service). Reasons for using TCP include:
 > []
 > > So maybe we assign a new port to nsyslog (maybe 714 tcp + udp)?
 > 
 > I am using syslog-ng on 514/tcp, partly because of the confusion value.
 > I guess the port should be configurable, and the official port should
 > be assigned by IANA.

514/tcp is lpd.  nsyslogd doesn't care any more what ports you do or don't
use.  I use 10514/tcp with nsyslogd, at present, as that discourages
any preconceptions, by virtue of port number, that the other end necessarily
is an nsyslogd to which you want to talk.  Strong authentication *must* be
a part of any TCP protocol which is being used here - especially over TCP for
IPv4.

 > > On extensibility:
 > > We all agree that the current bitmask design is way too inflexible. We
 > > also want to be able to include new facilities as they are needed. My
 > > suggestion is a list maintained the same way as the TCP port assignment.
 > > [Excursion into implementation: you want a local /etc/facilities, which
 > > can also be implemented with a NIS map, an LDAP service or anything that
 > > can empower it like /etc/services]. The list shall be maintained by IANA.
 > > The current bit masked values could more or less easily be integrated.
 > 
 > Interesting idea.
 > I would better like a name than a number. I guess most of the facility
 > names are local to your logging system, and also have some sort of
 > structure (e.g. "firewall/ftp-proxy/from-here-to-there").

There are two different things being named here:

1. priority level of message;
2. facility to which the message belongs.

For example, the other IEWG that looked into syslog (ULP) got this
horribly confused and had "security" as a priority.

I have recently changed nsyslogd to allow you to have "user defined"
facilities.  This is just a complete hack, and next to useless as no
platforms will support a facility above 24.

What I'd like to see is facilities named (i.e. they are text labels).
A few people (including yourself :) have mentioned to me that this is
what they'd like to see syslog supporting.  I think if you thought of
the process name that currently appears in syslog messages (for unix)
and ignored facilities, you'd be closer to what's wanted (except for
it being harder to group `like' messages).

Priorities should be a range of 0-X (X being 255/65535, etc, would make
sense) only because it is easier to compare them in this way.  It might
be useful to predefine a number of priorities within whatever range is
decided to ensure that there is some consistency.  I haven't really
thought about what to do with priorities.

Darren
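
The facility/priority split discussed above, as an added example that is not part of the original message or of nsyslogd: it decodes the classic BSD syslog `<PRI>` prefix, where the low three bits carry the priority level and the remaining bits the facility code, and flags facility codes beyond the 24 that the traditional headers define. The names `parse_pri` and `struct pri`, the three-digit cap, and the sample lines are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>

#define LEVEL_BITS  3     /* low 3 bits of PRI: priority level, 0..7 */
#define LEVEL_MASK  0x07
#define NFACILITIES 24    /* LOG_NFACILITIES in BSD <sys/syslog.h>: codes 0..23 */

struct pri {
    int facility;         /* PRI >> 3 */
    int level;            /* PRI & 7 */
    int known_facility;   /* 1 if facility < NFACILITIES */
};

/* Decode the leading "<N>" of a received syslog line.
 * Returns 0 on success, -1 if the prefix is missing or malformed. */
int parse_pri(const char *msg, struct pri *out)
{
    int value = 0, digits = 0;
    const char *p;

    if (msg == NULL || out == NULL || msg[0] != '<')
        return -1;
    for (p = msg + 1; isdigit((unsigned char)*p); p++) {
        if (++digits > 3)             /* assumed cap: 1 to 3 digits, no overflow */
            return -1;
        value = value * 10 + (*p - '0');
    }
    if (digits == 0 || *p != '>')
        return -1;
    out->level = value & LEVEL_MASK;
    out->facility = value >> LEVEL_BITS;
    out->known_facility = out->facility < NFACILITIES;
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not taken from any real log. */
    const char *samples[] = { "<34>su: auth failure", "<165>app: started",
                              "<200>fw: drop", "su: no prefix" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct pri p;
        if (parse_pri(samples[i], &p) != 0)
            printf("rejected: %s\n", samples[i]);
        else
            printf("facility=%d%s level=%d: %s\n", p.facility,
                   p.known_facility ? "" : " (undefined)", p.level, samples[i]);
    }
    return 0;
}
```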
