First, let me say that I'm sorry for not sending these comments earlier, as
I already noticed them in *-6 (which is the 1st I saw), but I hope my
bits help.
Some comments
General
=======
I think the RFC becomes a lot clearer when the syslog message is
described in three parts, instead of as 2 parts.
Now, the message is described as (informally)
    syslog := PRI MSG
    PRI    := "<" up-to-3-digits ">"
    MSG    := [ 3-header-parts ] free-text
Then, in the text it is explained that the "3-header-parts" (timestamp,
host and tag) are more or less default [my interpretation].
I suggest rewriting this, so that the message consists of 3 parts, of
which 1 is optional. Like (again informal)
    syslog  := PRI HEADER CONTEXT
    PRI     := "<" up-to-3-digits ">"   -- as before
    HEADER  := ""                       -- empty, not recommended
          :or: 3-header-parts           -- as before
    CONTEXT := free-text
Basically, the "HEADER" part is inserted into the description
(notice: not into the protocol). This way, it becomes clearer how a
message is built up (read: as it should be built up).
Details
=======
4.2.4 (HOSTNAME size)
---------------------
I'm missing a hint/recommendation about the maximal size of the
HOSTNAME part. Although this RFC will not specify the size of a
hostname, its size is important.
Maybe a RECOMMENDED on the max HOSTNAME length (how about 32 bytes)
can be included. With this added, a (recommended) minimal size of
the CONTEXT can be calculated.
CONTEXT (is this right?)
------------------------
As I'm not a native speaker of English, I can be wrong. But I'm
thinking that CONTEXT is a misleading word. I usually mix up "context"
and "content". But I'm quite sure the latter word is more appropriate
within syslog's RFC.
And just maybe, the word "message" or "error" is even better.
(Hope not to (re)start a flamewar :-)
HOSTNAME, with/without domain (several places)
----------------------------------------------
* In 4.2.3 it is stated that HOSTNAME MUST NOT include the domainname (New
  in *-07, I think).
* Whereas, in 5.2 can be found (I quote)
  "... Traditionally, however, only the hostname
  has been included in the HOSTNAME field."
  This can be misleading, especially as 5.2 describes that the FQDN (so
  including the domain) is a good idea (in the content part).
* Example 4 includes a domainname in the (not valid) HEADER part. This
  example is about a non-valid TIMESTAMP, so the use of the FQDN can
  give the wrong impression about hostnames. Either use a hostname only
  or add a paraphrase about the invalid HOSTNAME part.
* In 4.2.1 it is stated that the HOSTNAME is "as it knows itself". Many systems
  know themselves including the domainname (e.g. use `hostname` on a un*x
  system). Please add something like "only the systemname, not including
  a domainname".
HOSTNAME, for relays
--------------------
4.2.2 says that a relay should (sometimes) add a HOSTNAME, or an
IPno, when the device's HOSTNAME isn't known. What if the IPno of the
(sending) device isn't known (which probably is only possible in
theory)?
Also add something like "The IPno of the sending interface, when the
device has several interfaces".
4.2.2, CONTEXT truncation, for relays
-------------------------------------
Sometimes, a relay MUST truncate the package. However, it isn't
specified HOW this should be done, nor is any advice given. I think
"removal of an appropriate number of bytes on the right-side" is
meant. But this can be specified.
On the other hand, removal of bogus HEADER bytes (so the left side of
the new CONTEXT field) is possibly wiser.
Hope my bits help, and with excuses for some misuse of the English language
Albert Mietus
PTS Software BV, Holland
GSM +31 6 53732 336
[EMAIL PROTECTED]
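
The three-part reading proposed in this message (PRI, an optional HEADER, then free text) and the relay questions it raises, as an added Python example that is not part of the original post or of the draft. The names `split` and `relay`, the HOSTNAME pattern, the 1024-byte limit and the default PRI of 13 (both taken from RFC 3164 as published) are assumptions of the example; truncation on the right side follows the author's own reading.

```python
import re
from datetime import datetime

MAX_LEN = 1024   # assumption: RFC 3164 packet limit; the post gives no number
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
PRI_RE = re.compile(rb"<(\d{1,3})>")
# HEADER := TIMESTAMP SP HOSTNAME SP; HOSTNAME is a bare name or IPv4, no domain
HDR_RE = re.compile(
    rb"((?:" + "|".join(MONTHS).encode() + rb") [ \d]\d \d\d:\d\d:\d\d) "
    rb"(\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9_-]+) ")

def split(packet):
    """Return (pri, header, text); pri/header are None when absent or invalid."""
    m = PRI_RE.match(packet)
    if not m or int(m.group(1)) > 191:      # 191 = facility 23 * 8 + severity 7
        return None, None, packet           # whole packet becomes the free text
    rest = packet[m.end():]
    h = HDR_RE.match(rest)
    if not h:                               # HEADER := "" (also hit by an FQDN)
        return int(m.group(1)), None, rest
    return int(m.group(1)), (h.group(1), h.group(2)), rest[h.end():]

def relay(packet, sender, now):
    """Rebuild a packet as a relay would: fill in PRI/HEADER, cut on the right."""
    pri, header, text = split(packet)
    if pri is None:
        pri = 13                            # RFC 3164 default: user.notice
    if header is None:
        ts = f"{MONTHS[now.month - 1]} {now.day:2d} {now:%H:%M:%S}".encode()
        header = (ts, sender.encode())      # sender: name or IP of sending device
    out = b"<%d>%s %s %s" % (pri, header[0], header[1], text)
    return out[:MAX_LEN]                    # bytes are removed from the right side

if __name__ == "__main__":
    # Constructed sample packets, not taken from the draft under discussion.
    when = datetime(2001, 2, 5, 17, 32, 18)
    for pkt in (b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed",
                b"<13>no header here", b"no pri at all"):
        print(split(pkt), relay(pkt, "10.0.0.1", when))
```

Because an FQDN in the HOSTNAME position fails the header match, a relay built this way prepends a fresh HEADER and pushes the old one into the free text, which is the case where right-side truncation discards message bytes while the stale header bytes survive.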