-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I said:

| I'm happy to do this - if people want to send me their syslog gripes
| by personal email, I'll summarise to the list in ~24 hours or so.

Well, it's a bit later than that :-)  But here goes...

I've tried to categorise the comments I received, and list (the number
in brackets) how many people raised each point.  Since I got a few
directly implementation-related comments too, I've included them for
good measure.

Hope this helps to concentrate people's minds!  Thanks again to those
who responded.

Cheers,

Martin




Protocol gripes
===============

Firewalls/proxies:
   No standardised way of relaying messages through a firewall (x 4)

Unreliable:
   No guarantee that a syslog packet will be received, and no
     facilities for retransmission (x 5)

Insecure:
   UDP packets are easily spoofed (x 4)
   syslog packets are in-the-clear, hence easily sniffed (x 3)
   Need for authentication/encryption, of the clients and server (x 2)
   No congestion control with UDP (x 2)
   Packets may be altered undetectably in transit (x 1)
   Gaps in the message sequence can't be detected by receiver (x 1)
   Bogus messages can be sent to the logging host (x 1)

Timestamping:
   It should be a requirement that the timestamps specified in the
     protocol (both by the client, in the packet; and in the server,
     when the message is logged) are recorded (x 3)

Log message formatting/structure:
   Hard wired (and small) set of facilities/priorities (x 3)
   No standard way of formatting message text and separating the various
     arguments of the log message (x 4)
   Priority/facility are encoded in a not particularly human-readable
     way, but then sent in text form.  This has the worst features of
     binary protocols (not human-readable) and text protocols
     (inefficient use of bandwidth - and just to make this one worse,
     the first byte of every packet is constant!)

Standardisation:
   syslog is not standardised, which makes it more difficult than it
   should be to produce interoperable implementations (x 2)



Implementation woes
===================

Need to have inviolability of the log itself (x 3)

There is no way for a loghost to control from where messages are
received, making it vulnerable to denial-of-service attacks (x 3)

Facilities/priority should be logged (x 2)

"...repeated N times" doesn't show up until a different line comes
along, which is a pain if you're watching the log and thus think only
one event happened when actually N+1 happened and you don't yet know
N.  (I'd like to see a timeout, so that after (say) 10 seconds, it
logs the "repeated" line anyway.)

Problems with multiple syslog.conf lines that name the same file.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.0 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.4 and Gnu Privacy Guard <http://www.gnupg.org/>

iD8DBQE4FvuOVw+hz3xBJfQRAvC/AJ0XYKsSME8owTEjKF3RvVPWBi+QpwCgod33
mpYkIMbuIth94uNN4+gcFBI=
=a9L/
-----END PGP SIGNATURE-----
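
Two of the points in the summary above, the text-encoded PRI field (facility*8 + severity, sent as "<NNN>" so the first byte is always '<') and the "...repeated N times" line that never appears until a different message arrives, as one added Python example. This is not code from the post or from any syslogd: the facility and severity names follow the traditional BSD numbering, the sample packet is constructed, the class and function names are my own, and the 10-second flush interval is the value the post suggests.

```python
"""Decode the BSD syslog PRI field and collapse repeated lines with a timeout.

Added example, not part of the original mailing-list post.  All sample
packets and timings below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Traditional BSD facility numbers 0..23 and severity numbers 0..7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The PRI header: the constant '<' byte, 1-3 ASCII digits, and '>'.
_PRI_RE = re.compile(rb"^<(\d{1,3})>")


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    body: str          # everything after the PRI header (timestamp, host, tag, text)


def parse_pri(packet: bytes) -> SyslogMessage:
    """Split a raw UDP syslog packet into facility, severity and remaining text.

    Raises ValueError for packets that do not carry a well-formed PRI, which
    is the check a receiver needs before trusting the facility/severity at all.
    """
    m = _PRI_RE.match(packet)
    if not m:
        raise ValueError("packet does not start with a <PRI> header")
    pri = int(m.group(1))
    if pri > 23 * 8 + 7:          # 191 is the largest encodable value
        raise ValueError(f"PRI value {pri} out of range")
    facility, severity = divmod(pri, 8)
    return SyslogMessage(FACILITIES[facility], SEVERITIES[severity],
                         packet[m.end():].decode("ascii", errors="replace"))


def encode_pri(facility: str, severity: str) -> int:
    """Inverse of the decoding above: name pair -> PRI number."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


class RepeatCollapser:
    """Collapse consecutive identical lines, but report the count after a timeout.

    feed() is called for every incoming line; tick() is called from a periodic
    timer so that a run of identical lines is reported even when nothing
    different ever arrives.  Times are seconds from any monotonic clock.
    """

    def __init__(self, timeout: float = 10.0):
        self.timeout = timeout
        self.last = None        # text of the last line emitted
        self.count = 0          # identical lines seen since the last report
        self.last_flush = 0.0   # time of the last emitted line or report

    def _report(self, now: float) -> list[str]:
        out = [f"last message repeated {self.count} times"] if self.count else []
        self.count = 0
        self.last_flush = now
        return out

    def feed(self, line: str, now: float) -> list[str]:
        if line == self.last:
            self.count += 1
            # Same line again: stay quiet unless the timeout has expired.
            return self._report(now) if now - self.last_flush >= self.timeout else []
        # A different line: flush any pending repeat count, then emit the line.
        out = self._report(now)
        out.append(line)
        self.last = line
        return out

    def tick(self, now: float) -> list[str]:
        """Timer hook: emit the pending repeat count once the timeout has passed."""
        if self.count and now - self.last_flush >= self.timeout:
            return self._report(now)
        return []


if __name__ == "__main__":
    # Constructed sample packet in classic BSD format.
    msg = parse_pri(b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8")
    print(msg.facility, msg.severity, msg.body)
    c = RepeatCollapser(timeout=10.0)
    for t, line in [(0, "x"), (1, "x"), (2, "x")]:
        print(t, c.feed(line, t))
    print(10, c.tick(10.0))
```

The collapser keeps the observable behaviour of the classic syslogd (identical lines are counted, a different line flushes the count) and adds only the timer-driven flush the post asks for; a receiver that needs to detect the spoofing and gap problems listed above would still have to add that on top, since nothing in the PRI header or the message body authenticates the sender.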
