> 1). Solaris 8 sends messages in the following format...
> <38>Apr 2 11:41:25 sshd[12345]: [ID 54321 auth.info]
> It is missing the hostname field in the header, but has a
> valid PID. What do we do here?

I think it depends on "where" the message does come from. The RFC describes the protocol over TCP/IP only. Unix systems often use "/var/log" (or similar), a "pipe", to send messages from a process to the syslogd daemon. Although it would be logical to use the same protocol there, the RFC does NOT demand it. This means "syslogd" is the 'device' for syslog; the original process/application isn't! So, you are allowed to "improve" the message. Within this line of thought, it is even mandatory to do so. For such a socket connection, it even makes sense to "not include" the hostname, as it will never change! It is more-or-less a constant.

Syslogd is frequently seen as a 'relay' within syslog terminology, and personally I think that is correct. However, in the real world, it is often a 'device'. And, for a 'device', it is up to you to make a good design. I would say: always write RFC-correct messages; which in your case probably means rewriting the line. Note however, that this design also means that extensions like syslog-sign will also be placed in syslogd, not in the (libc code within the) application. (Or you need to be flexible.)

When you receive the messages over a TCP/IP link, the RFC is clear: NEVER change it. When you do change it, it will break all security checks that depend on it. Like syslog-sign!

--ALbert
send mail to [EMAIL PROTECTED] to address me personally.
send mail to [EMAIL PROTECTED] to address me for business.

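As an added example (not part of the thread or of any real syslogd), a Python sketch of the device-vs-relay rule described above: in the device role the missing HOSTNAME is filled in so the line becomes RFC 3164 complete; in the relay role the line is handed on byte-for-byte unchanged so checks such as syslog-sign still verify. The header/TAG regexes and the `normalize` function are my assumptions; only the sample line comes from the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3164 header: <PRI>TIMESTAMP [HOSTNAME ]TAG[PID]: MSG  (HOSTNAME absent on the Solaris 8 local path)
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<rest>.*)$", re.S)
# A TAG is alphanumeric, optionally followed by [PID], and always terminated by ':'.
# A HOSTNAME is followed by a space, never by ':', which is how the two are told apart.
TAG = re.compile(r"^(?P<tag>[A-Za-z0-9_.\-/]+)(?:\[(?P<pid>\d+)\])?:(?P<msg>.*)$", re.S)

# Sample line quoted in the thread above (Solaris 8, no hostname field).
SOLARIS_LINE = "<38>Apr 2 11:41:25 sshd[12345]: [ID 54321 auth.info]"

@dataclass
class SyslogMsg:
    pri: int
    timestamp: str
    hostname: Optional[str]   # None when the TAG directly follows the TIMESTAMP
    tag: str
    pid: Optional[int]
    msg: str

def parse(line: str) -> Optional[SyslogMsg]:
    """Split an RFC 3164 line into its fields; returns None if the header is unparseable."""
    h = HEADER.match(line)
    if not h:
        return None
    rest, hostname = h.group("rest"), None
    if not TAG.match(rest):            # first token is not a TAG, so it is the HOSTNAME
        hostname, _, rest = rest.partition(" ")
    t = TAG.match(rest)
    if not t:
        return None
    pid = int(t.group("pid")) if t.group("pid") else None
    return SyslogMsg(int(h.group("pri")), h.group("ts"), hostname,
                     t.group("tag"), pid, t.group("msg").lstrip())

def normalize(line: str, *, local: bool, hostname: str) -> str:
    """Device role (local=True): fill in the missing HOSTNAME so the line is RFC-complete.
    Relay role (local=False): hand the line on unchanged, so signatures over it still verify."""
    if not local:
        return line
    m = parse(line)
    if m is None or m.hostname is not None:
        return line
    pidpart = f"[{m.pid}]" if m.pid is not None else ""
    return f"<{m.pri}>{m.timestamp} {hostname} {m.tag}{pidpart}: {m.msg}"
```

`normalize(SOLARIS_LINE, local=True, hostname="solaris8")` yields the hostname-complete line; with `local=False` the input is returned untouched.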