Rob Cermak wrote:
> [...]
> Your /etc/syslog.conf better be similar on all your machines if a binary
> protocol is chosen for tag to integer matchup. Are we sending text over
> tcp/udp to specify facility and service?
>
> If you use a unique facility/priority naming convention, those poor
> hackers better have a copy of /etc/syslog.conf to figure out which is
> which...
Binary is fine on the wire for the level (it is an ordered set, after all) and for
the timestamp (but 32 bits is not enough if we want to avoid the 2038 problem, etc.).
However, I'd really like to see the facility name as plain text. I don't want to
have to maintain the integer->facility-name mapping on every machine. I don't want
the programs generating the logs to have to do a mapping lookup before they can log
(esp. the kernel). I don't want to even think about what happens when two
departments merge and they decide to merge their logging infrastructure, but they
find lots of duplicate/conflicting facility numbers in use.

Yes, this puts more bits on the wire, but how many, really? Sites/vendors that are
really concerned can keep facility names to a few characters to save bandwidth.
--
Chris Calabrese
Internet Infrastructure and Security
Merck-Medco Managed Care, L.L.C.
[EMAIL PROTECTED]
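As an added illustration of the design points argued in the message above (binary level because it is ordered, a 64-bit timestamp to clear 2038, and a plain-text facility name to avoid per-host integer tables), here is a small encoder/decoder for a constructed wire layout. This is example code written for this page, not a format proposed by anyone in the thread, and the layout, the `SITE_A`/`SITE_B` facility tables and all function names are assumptions made here.

```python
import struct
from datetime import datetime, timezone

# Constructed wire layout (an assumption for this example, not a real protocol):
#   level      1 byte   unsigned, 0 = emerg .. 7 = debug (an ordered set, so binary is fine)
#   timestamp  8 bytes  signed big-endian seconds since the Unix epoch (64 bits clears 2038)
#   facility   1 byte length + UTF-8 name (plain text: no per-host integer table needed)
#   message    2 bytes length + UTF-8 text
HEADER = ">Bq"
HEADER_LEN = struct.calcsize(HEADER)  # 9 bytes
MAX_LEVEL = 7
INT32_MIN, INT32_MAX = -2**31, 2**31 - 1


def encode(level, timestamp, facility, message):
    """Serialize one record; raises ValueError on out-of-range fields."""
    if not 0 <= level <= MAX_LEVEL:
        raise ValueError("level must be 0..7")
    fac = facility.encode("utf-8")
    msg = message.encode("utf-8")
    if not fac or len(fac) > 255:
        raise ValueError("facility name must be 1..255 bytes")
    if len(msg) > 0xFFFF:
        raise ValueError("message too long")
    return (struct.pack(HEADER, level, timestamp)
            + struct.pack(">B", len(fac)) + fac
            + struct.pack(">H", len(msg)) + msg)


def decode(blob):
    """Parse a record produced by encode(); rejects truncated or trailing data."""
    if len(blob) < HEADER_LEN + 1:
        raise ValueError("truncated header")
    level, ts = struct.unpack_from(HEADER, blob, 0)
    off = HEADER_LEN
    flen = blob[off]
    off += 1
    if len(blob) < off + flen + 2:
        raise ValueError("truncated facility")
    fac = blob[off:off + flen].decode("utf-8")
    off += flen
    (mlen,) = struct.unpack_from(">H", blob, off)
    off += 2
    if len(blob) != off + mlen:
        raise ValueError("message length mismatch")
    msg = blob[off:].decode("utf-8")
    return {"level": level, "timestamp": ts, "facility": fac, "message": msg}


def should_forward(level, threshold):
    """Ordered-set filter: keep anything at least as severe as the threshold (lower = more severe)."""
    return level <= threshold


def fits_in_int32(timestamp):
    """Whether a signed 32-bit time_t could carry this timestamp at all."""
    return INT32_MIN <= timestamp <= INT32_MAX


def first_unrepresentable_second():
    """The first UTC second a signed 32-bit time_t cannot hold (2038-01-19T03:14:08Z)."""
    return int(datetime(2038, 1, 19, 3, 14, 8, tzinfo=timezone.utc).timestamp())


def facility_conflicts(table_a, table_b):
    """Numbers that two sites' integer->facility tables assign different names to."""
    return sorted(n for n in table_a.keys() & table_b.keys() if table_a[n] != table_b[n])


# Constructed sample tables for two departments about to merge their logging
SITE_A = {16: "billing", 17: "webfrontend", 18: "mailgw"}
SITE_B = {16: "hr", 17: "webfrontend", 19: "vpn"}

if __name__ == "__main__":
    ts = first_unrepresentable_second()
    rec = encode(3, ts, "billing", "batch run finished")
    print(decode(rec))
    print("timestamp fits in 32 bits:", fits_in_int32(ts))
    print("conflicting facility numbers after a merge:", facility_conflicts(SITE_A, SITE_B))
```

With numeric facilities, record 16 from site A and record 16 from site B decode to different things depending on which table the collector holds; with the name carried on the wire, `facility_conflicts` has nothing to report and no host needs the table. The timestamp field is the one place where a wider binary field is cheaper than text: eight bytes carry any date, whereas the first second of 2038-01-19T03:14:08Z already overflows a signed 32-bit value.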