Hi Everyone. Hi Chris,
if we suggest including in syslog messages information such as time-stamps,
FQDN/IP address and process information, we do it "to give the recipient
some clue of their origin and nature" - as you correctly pointed out in
the introduction to section 4 (Conventions).
It is also true that net devices usually don't have a really unambiguous ID.
So we should use all this information to identify the origin of an event
as precisely as possible.
This is particularly important when logging to a centralized log service
(the multiple sources to a destination case).
In fact, an administrator can act/supply only if he or she knows exactly
where and when a logged event occurred, and who produced it, just by
reading/parsing the logs.
In particular, IMO, FQDN and IP address should never be separated.
Thinking of them as mutually exclusive presents drawbacks.
The cases in which it is desirable to use the FQDN along with the IP address
are very common. IP addresses dynamically assigned through DHCP are
just one of these cases, and not the most relevant one.
Many FQDNs have more than one A record (and often each single IP address
denotes a host).
A simple example:
$ host -t a irc.openprojects.net
irc.openprojects.net has address 216.234.231.220
irc.openprojects.net has address 216.91.225.9
irc.openprojects.net has address 212.43.237.28
irc.openprojects.net has address 209.197.224.15
irc.openprojects.net has address 198.186.203.27
irc.openprojects.net has address 209.207.224.214
irc.openprojects.net has address 216.10.32.10
Ambiguities can arise if all the hosts with an A record for a given FQDN
send their own logs to a centralized log service.
Not only that. Just think of boxes in housing and/or domains in hosting.
If someone chooses to change the ISP for his/her box/domain (e.g.
www.foobar.tld), he/she will incur a change of the associated IP
address, while the FQDN stays constant.
Log messages with only the FQDN in the body become less useful than the ones
with either FQDN or IP address.
So I'd prefer, in section 4.2 (Domain Name and Address), something
like:
It is, however, RECOMMENDED that the messages contain either
the fully qualified domain name (FQDN) or the device IP address
used to route the message through.
I would also change the suggested policy for devices having multiple
addresses:
In the case of the device having multiple addresses - such as
a router - it would be preferable if it used the IP address
used to route the message through, if it cannot also use its
FQDN or hostname.
Sincerely,
alfonso
--
Alfonso De Gregorio, [EMAIL PROTECTED] [EMAIL PROTECTED]
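As an added illustration of the point made in the message above (this is example code written for this page, not code from the poster or from the draft being discussed), here is a small Python parser and formatter for a BSD-style syslog line. The line layout it assumes, `<PRI>Mmm dd hh:mm:ss FQDN [A.B.C.D] TAG[PID]: MSG` with the bracketed IP address optional, is an assumption of this example; the sample lines are constructed, reusing two of the irc.openprojects.net addresses shown above, and `count_origins` shows how a collector that keys events on the FQDN alone collapses several hosts into one, while FQDN plus IP keeps them apart. `routing_address` picks the "IP address used to route the message through" by connecting a UDP socket, which sends nothing and only selects the route.

```python
import re
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Assumed line layout (an assumption of this example, not a format the
# message above specifies): BSD-style syslog with an optional bracketed IP
# address after the hostname:
#   <PRI>Mmm dd hh:mm:ss FQDN [A.B.C.D] TAG[PID]: MSG
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?:\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] )?"
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass(frozen=True)
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    fqdn: str
    ip: Optional[str]
    tag: str
    pid: Optional[int]
    msg: str


def parse_line(line: str) -> SyslogEvent:
    """Parse one line; raise ValueError on anything that does not fit."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 + 7 severities
        raise ValueError(f"PRI out of range: {pri}")
    return SyslogEvent(
        facility=pri // 8,
        severity=pri % 8,
        timestamp=m["ts"],
        fqdn=m["host"],
        ip=m["ip"],
        tag=m["tag"],
        pid=int(m["pid"]) if m["pid"] else None,
        msg=m["msg"],
    )


def format_line(facility: int, severity: int, timestamp: str, fqdn: str,
                ip: Optional[str], tag: str, pid: Optional[int], msg: str) -> str:
    """Build a line carrying time, FQDN, IP and process information."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility/severity out of range")
    origin = fqdn if ip is None else f"{fqdn} [{ip}]"
    proc = tag if pid is None else f"{tag}[{pid}]"
    return f"<{facility * 8 + severity}>{timestamp} {origin} {proc}: {msg}"


def origin_key(ev: SyslogEvent, use_ip: bool) -> Tuple[Optional[str], ...]:
    """Identity of the sender as a log consumer would key on it."""
    return (ev.fqdn, ev.ip) if use_ip else (ev.fqdn,)


def count_origins(lines: Iterable[str], use_ip: bool) -> Dict[Tuple[Optional[str], ...], int]:
    """How many distinct senders a central collector can tell apart."""
    return dict(Counter(origin_key(parse_line(line), use_ip) for line in lines))


def routing_address(collector_ip: str, port: int = 514) -> Optional[str]:
    """Local address the kernel would use to reach the collector.

    connect() on a UDP socket transmits nothing; it only selects the
    route. Returns None when there is no route (e.g. an offline sandbox).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect((collector_ip, port))
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()


# Constructed sample: three hosts behind one multi-A-record FQDN (two of the
# addresses are taken from the host(1) output above), one of which omits
# its IP address.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 irc.openprojects.net [216.234.231.220] ircd[2116]: client 10.0.0.5 disconnected",
    "<34>Oct 11 22:14:16 irc.openprojects.net [216.91.225.9] ircd[987]: client 10.0.0.5 disconnected",
    "<34>Oct 11 22:14:17 irc.openprojects.net ircd[4401]: client 10.0.0.5 disconnected",
]

if __name__ == "__main__":
    print("FQDN only :", count_origins(SAMPLE_LINES, use_ip=False))
    print("FQDN + IP :", count_origins(SAMPLE_LINES, use_ip=True))
    # 192.0.2.1 is a documentation address; no datagram is sent.
    print(format_line(4, 2, "Oct 11 22:14:18", "www.foobar.tld",
                      routing_address("192.0.2.1"), "sshd", 4242, "example"))
```

Keyed on the FQDN alone, all three sample lines look like one sender; keyed on FQDN plus IP, the first two are distinguished, and the third (no IP in the body) ends up in its own bucket with `ip=None`, which is exactly the event a collector cannot attribute to a specific box.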