> No standardised way of relaying messages through a firewall (x 4)
Can you explain what would be a standardized way of relaying messages
through a firewall, other than by enabling UDP port 514?
> UDP packets are easily spoofed (x 4)
This is misleading. IP packets are easily spoofed perhaps. But UDP is no
more easily spoofed than TCP aside from the sequence number. Syslog could
implement this in the application layer however it's debatable whether a
sequence number is needed. The majority of syslog packets are not
connection oriented and wouldn't normally be sequenced.
Also, UDP is, in most cases, a better protocol than TCP over congested
networks because it requires less overhead.
> No congestion control with UDP (x 2)
Does the syslog protocol really need to be concerned with network layer
congestion control? Many have argued that syslog should not become a
heavyweight, all-singing and all-dancing application.
> Packets may be altered undetectably in transit (x 1)
This is redundant, and is addressed by encryption. Virtually any
unencrypted packet can be undetectably altered in transit.
> Gaps in the message sequence can't be detected by receiver (x 1)
See above.
> Bogus messages can be sent to the logging host (x 1)
See above.
> No standard way of formatting of message text and separating various
> arguments of the log message (x 4)
You might want to clarify the meaning of "message text" here. There are
formatted and unformatted fields in the existing syslog. I have not heard
anyone recommend changing this. Most seem to agree that the number of
formatted fields should be expanded.
> syslog is not standardised, which makes it more difficult than it
> should be to produce interoperable implementations (x 2)
This seems unnecessarily vague. Syslog is currently interoperable and
standardized though there are some variations.
Otherwise it seems like a good start. I'd add:
* Performance issues with log file opening/closing (reading and writing the entire logfile) once per message.
* No ability to define daemon's fsync() behavior.
* Limited configuration file syntax.
* No standardized logging directory (/var/log, /var/adm, ...)
* No log entry when messages are not delivered to remote loghosts.
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/
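To make the application-layer sequence number discussed above concrete, here is an added example (not code from the original thread) of what a receiving loghost can check if each sender stamps its datagrams with a per-host counter; the `seq=N` tag field, the `detect_gaps` function and the sample datagrams are all assumptions constructed for this illustration.

```python
import re

# Constructed example: each sender stamps its datagrams with an application-
# layer counter in the tag field, e.g. "<34>Oct 11 22:14:15 fw1 seq=7: link up".
# The "seq=N" field is an assumption made for this example, not part of
# traditional syslog.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) seq=(?P<seq>\d+): (?P<msg>.*)$"
)


def detect_gaps(datagrams):
    """Replay a stream of received datagrams and return the anomalies a
    loghost can detect from the counter alone: missing messages ("gap"),
    duplicates or out-of-order delivery ("replay_or_reorder"), and
    datagrams that do not parse ("unparsable")."""
    last_seen = {}   # host -> highest sequence number accepted so far
    events = []
    for dgram in datagrams:
        m = SYSLOG_RE.match(dgram)
        if not m:
            events.append(("unparsable", None, dgram))
            continue
        host, seq = m["host"], int(m["seq"])
        prev = last_seen.get(host)
        if prev is not None and seq <= prev:
            # Counter went backwards or repeated: a retransmit, a reorder,
            # or a datagram that did not come from the real sender.
            events.append(("replay_or_reorder", host, seq))
            continue            # keep the high-water mark where it is
        if prev is not None and seq > prev + 1:
            events.append(("gap", host, seq - prev - 1))
        last_seen[host] = seq
    return events


# Constructed sample traffic (not real logs): fw1 loses two datagrams,
# then one is delivered twice; "garbage" stands in for a malformed packet.
SAMPLE = [
    "<34>Oct 11 22:14:15 fw1 seq=1: link up",
    "<34>Oct 11 22:14:16 fw1 seq=2: link up",
    "<34>Oct 11 22:14:20 fw1 seq=5: link down",
    "<13>Oct 11 22:14:21 web1 seq=10: GET /",
    "<34>Oct 11 22:14:22 fw1 seq=5: link down",
    "garbage",
]

if __name__ == "__main__":
    for kind, host, detail in detect_gaps(SAMPLE):
        print(f"{kind:18} host={host} detail={detail}")
```

A counter like this only tells the receiver that datagrams were lost or repeated; it says nothing about who sent them, so it addresses the gap-detection point in the list, not the spoofing or tampering points.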