Hi Darren, On Sat, 14 Dec 2002, Darren Reed wrote:
> In some email I received from Rainer Gerhards, sie wrote: > > Hi all, > > > > A current discussion on the loganalysis mailing list has shown that many > > people are not quite happy with the syslog timestamp. Specifically, the > > absence of time zone information is causing problems to many > > geographically spread locations. > > > > The problem with the current [RFC3164] timestamp is that it is not > > possible to reliably consolidate log data over multiple time zones, not > > even when proper time synchronization is in place. The only way to do > > this would be to configure the central collector(s) to know each device > > generating syslog messages and be configured to adjust the reported time > > accordingly. Obviously, this is error-prone and work-intensive. > > > > As such, I am asking for a modification to the current syslog-sign > > draft, specifically section 2.2 (HEADER) where the TIMESTAMP is > > discussed. I suggest that a timestamp as described in [RFC3339] > > "date-time" format should become recommended but the [RFC3164] timestamp > > should still be allowed (but be depraciated). That way, it would be > > possible for a collector to detect both formats and act on the less > > precise accordingly. > > > > Any support for this on the WG? > > I think that this is getting into message content and that's outside > the charter for this WG. Rainer is saying that no one is following the timestamp as described in 3164 anyway so we should take this opportunity to standardize upon something suitable to the community. Making this change will entail the following: - Text will have to be provided. - A note will have to be appended in the syslog-sign ID to state that relays should be liberal in what they receive. - Another note will have to tell people deploying syslog-sign that will have to ensure that no relay will modify messages between the device and the collector. - RFC-3195 may have to be revised to state that it will accept additional time formats. Is there any violent opposition to doing this? If none, would someone propose some suitable text? Thanks, Chris
