In some email I received from Bennett Todd, sie wrote:
[...]
> I think the next step we need is to survey existing syslog-over-tcp
> implementations and see who is terminating their records how, and
> what sort of interop (if any) is available.
Well, since someone has asked, I'll volunteer some information on what
nsyslogd does over TCP :) The below is part of a text file from it.
I'm not aware of anything being interoperable with it. Log messages
are limited to somewhere just under 64k and since the message size is
passed through, there are no record delimiters used or required.
btw, I don't think this is perfect (ms or finer resolution might be
nice for timestamps, for example).
Darren
TCP usage.
----------
TCP is used for encrypted and authenticated communication between two
hosts. A shared secret (stored on disk in plain text :-() is used for
peer authentication by each host. Messages exchanged are sent using
a binary protocol - structures are sent straight out with no regard
as to translating them into text.
TCP protocol.
-------------
The protocol used is made up of messages. The minimum size for a message
is 4 bytes - 2 bytes for a command and 2 bytes for any operands. Commands
are currently recognised as being 0x0000-0x00ff. Errors are indicated by
sending back the message header with the MSB set (0x8000). ACKs to
messages are indicated by setting 0x4000 in the reply header. A message
which is longer than just 4 bytes is indicated by setting 0x2000 and the
operand to the length of data following.
Currently supported commands:
0 - NULL, operand = 0
1 - HASH function (used to negotiate which to use), operand = hash function
choice
2 - encryption function (not supported)
3 - nonce (sent to the other end for peer authentication), operand = length
of nonce.
4 - hash (result of hashing the nonce with the shared secret - peer
authentication depends on this), operand = length of hash
5 - message (syslog message details), operand = length of data
6 - message hash (not supported, possibly even deprecated)
7 - H0 (not yet supported)
8 - SSL (SSL is encapsulated in message blocks. This was done so that
OpenSSL could be used within the scope of the program without making
too many wholesale changes to either).
The client drives the connection, telling the server what hash function
to use, etc. If no hash function is agreed to then it falls back to a
null-hash function. Authentication is performed by both parties, each of
the other.
The actual format of messages is as follows:
byte        purpose
0           version (current is 1)
1           hash type found at the end
2 - 3       reserved (should be zero)
4 - 7       original source IP#
8 - 11      total length of this message
12 - 15     length of the log message
16 - 19     length of the hash after the message
20 - 23     facility|priority of message
24 - 27     time message was received (seconds since epoch)
28 - x      text syslog message
x+1 - x+n   hash of all the above fields.
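The framing, the nonce/hash peer authentication and the log-message layout described in the post, as an added example that is neither part of Darren's message nor nsyslogd's own code. The post does not state byte order, the hash-type byte values, how the nonce is combined with the shared secret, or exactly which bytes the trailing hash covers; the code assumes network byte order, the HASH_TYPES mapping below, hash(nonce || secret), and a hash over every byte preceding it, and those assumptions are marked in the comments. Running it also makes the null-hash fallback concrete: with hash type 0 the challenge/response accepts any secret and the message hash verifies anything.

```python
"""Encoder/decoder for the nsyslogd TCP framing and log-message layout described
in the post above.  Added example, not nsyslogd's own code.  Assumed, because the
post does not say: big-endian byte order, the HASH_TYPES values, hash(nonce || secret)
as the authentication reply, and a trailing hash over every byte that precedes it."""
import hashlib
import hmac
import os
import socket
import struct

# 4-byte header: 2 bytes command/flags, 2 bytes operand.
FLAG_ERR, FLAG_ACK, FLAG_DATA = 0x8000, 0x4000, 0x2000
CMD_NULL, CMD_HASHFN, CMD_NONCE, CMD_HASHRESP, CMD_MESSAGE = 0, 1, 3, 4, 5

# Hash-type byte -> hashlib name (assumed values).  0 is the null-hash fallback:
# nothing is hashed, so nothing is verified.
HASH_TYPES = {0: None, 1: "md5", 2: "sha1"}


def digest(hash_type, data):
    name = HASH_TYPES[hash_type]
    return b"" if name is None else hashlib.new(name, data).digest()


def frame(cmd, operand=0, payload=b"", ack=False, err=False):
    """One protocol message.  A payload sets 0x2000 and the operand becomes its length."""
    word = cmd | (FLAG_ACK if ack else 0) | (FLAG_ERR if err else 0)
    if payload:
        if len(payload) > 0xFFFF:
            raise ValueError("payload longer than the 16-bit operand allows")
        word |= FLAG_DATA
        operand = len(payload)
    return struct.pack("!HH", word, operand) + payload


def unframe(buf):
    """Return (cmd, flags, operand, payload, consumed), or None if buf is incomplete."""
    if len(buf) < 4:
        return None
    word, operand = struct.unpack("!HH", buf[:4])
    cmd, flags = word & 0x00FF, word & 0xE000
    if flags & FLAG_DATA:
        if len(buf) < 4 + operand:
            return None
        return cmd, flags, operand, bytes(buf[4:4 + operand]), 4 + operand
    return cmd, flags, operand, b"", 4


def split_stream(buf):
    """Length-prefixed framing needs no delimiter: walk a TCP byte stream into messages."""
    out, pos = [], 0
    while (rec := unframe(buf[pos:])) is not None:
        out.append(rec[:4])
        pos += rec[4]
    return out, buf[pos:]          # parsed messages, leftover partial bytes


# Log message header, bytes 0-27 of the layout in the post:
# version, hash type, reserved, src IP, total len, msg len, hash len, fac|pri, time.
MSG_HDR = struct.Struct("!BBHIIIIII")


def pack_log(text, src_ip, facpri, received, hash_type):
    body = text.encode()
    hlen = len(digest(hash_type, b""))
    total = MSG_HDR.size + len(body) + hlen
    ip = int.from_bytes(socket.inet_aton(src_ip), "big")
    head = MSG_HDR.pack(1, hash_type, 0, ip, total, len(body), hlen, facpri, received)
    return head + body + digest(hash_type, head + body)


def unpack_log(blob):
    """Parse and verify a log message; raise ValueError on anything inconsistent."""
    if len(blob) < MSG_HDR.size:
        raise ValueError("short message")
    ver, htype, _res, ip, total, mlen, hlen, facpri, ts = MSG_HDR.unpack_from(blob)
    if ver != 1 or htype not in HASH_TYPES:
        raise ValueError("unknown version or hash type")
    if total != len(blob) or MSG_HDR.size + mlen + hlen != total:
        raise ValueError("length fields inconsistent")   # three lengths must agree
    signed = blob[:MSG_HDR.size + mlen]
    if not hmac.compare_digest(digest(htype, signed), blob[MSG_HDR.size + mlen:]):
        raise ValueError("hash mismatch")                # type 0 always passes (hlen == 0)
    return {"src": socket.inet_ntoa(ip.to_bytes(4, "big")), "facility": facpri >> 3,
            "severity": facpri & 7, "time": ts, "hash_type": htype,
            "text": signed[MSG_HDR.size:].decode(errors="replace")}


def auth_response(nonce, secret, hash_type):
    return digest(hash_type, nonce + secret)   # assumed: hash(nonce || secret)


def run_session(secret, peer_secret, hash_type, text, src_ip="10.0.0.5",
                facpri=(1 << 3) | 6, received=1000000000):
    """Drive one client->server session in memory; return the log the server accepted."""
    cmd, _, operand, _, _ = unframe(frame(CMD_HASHFN, operand=hash_type))
    assert cmd == CMD_HASHFN and operand == hash_type
    unframe(frame(CMD_HASHFN, operand=hash_type, ack=True))   # server ACKs the choice
    # Mutual authentication: each side challenges with a nonce and checks the reply.
    for _side in ("client checks server", "server checks client"):
        nonce = os.urandom(16)
        _, _, _, got_nonce, _ = unframe(frame(CMD_NONCE, payload=nonce))
        reply = frame(CMD_HASHRESP, payload=auth_response(got_nonce, peer_secret, hash_type))
        _, _, _, got_hash, _ = unframe(reply)
        if not hmac.compare_digest(got_hash, auth_response(nonce, secret, hash_type)):
            raise PermissionError("peer authentication failed")
    wire = frame(CMD_MESSAGE, payload=pack_log(text, src_ip, facpri, received, hash_type))
    cmd, _, _, payload, _ = unframe(wire)
    assert cmd == CMD_MESSAGE
    return unpack_log(payload)
```

`run_session(b"s3cret", b"s3cret", 2, "test message")` walks the hash-function proposal, both nonce challenges and one log message through the codec and returns the decoded record; the same call with mismatched secrets raises, except under hash type 0, where both the empty nonce reply and the empty trailing hash compare equal and the mismatch is never seen. The facility/severity split follows the BSD syslog convention of facility * 8 + severity, which is the usual reading of "facility|priority" but is not spelled out in the post.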