On Sat, Dec 28, 2002 at 01:41:34AM +1100, Darren Reed wrote:
> In some email I received from Bennett Todd, sie wrote:
> [...]
> > I think the next step we need is to survey existing syslog-over-tcp
> > implementations and see who is terminating their records how, and
> > what sort of interop (if any) is available.
>
> Well since someone has asked, I'll volunteer some information on what
> nsyslogd does over TCP :) The below is part of a text file from it.
> I'm not aware of anything being interoperable with it. Log messages
> are limited to somewhere just under 64k and since the message size is
> passed through, there are no record delimiters used or required.
>
> btw, I don't think this is perfect (ms or finer resolution might be
> nice for timestamps, for example).

Thanks Darren. Andrew has already sent me a proposal about his protocol,
would you please resend it to the list?

I think it was also Andrew who summarized the PIX TCP protocol:

# Sends on TCP port 1468 by default.
# Can have multiple messages in a single packet. They don't appear to be
  separated by any character. New message is identified by the <PRI> tag.
# TCP connection is made once, and remains open indefinitely.
# If the connection is broken and not able to be re-established, the PIX
  will stop forwarding network traffic through its interfaces.
# PIX message format changes depending on timestamp settings on the PIX.

I think messages should be terminated somehow, probably with a '\n'
character? Anyone with a PIX at hand can confirm this? This seems to be
compatible with my previous syslog-over-TCP description (which described the
way syslog-ng behaves).

-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
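
Added example, not part of the original message and not code from PIX, syslog-ng or nsyslogd: a Python receiver-side deframer for the two framings compared above, records split at the next <PRI> tag versus records terminated by '\n'. The class and function names and the sample streams are assumptions constructed for illustration; the 0..191 PRI range follows from facility*8 + severity.

```python
import re

# <PRI> is "<" + 1-3 digits + ">", value 0..191 (facility*8 + severity)
PRI_RE = re.compile(rb"<(\d{1,3})>")

class SyslogTcpDeframer:
    """Incrementally split a TCP byte stream into syslog records."""
    def __init__(self, mode):          # mode: "lf" or "pri" (hypothetical names)
        self.mode, self.buf = mode, b""

    def feed(self, chunk):
        """Add the bytes of one recv(); return records completed so far."""
        self.buf += chunk
        if self.mode == "lf":
            *records, self.buf = self.buf.split(b"\n")  # tail may be partial
            return [r for r in records if r]
        # "pri" mode: a record ends where the next valid <PRI> tag begins.
        # Bytes before the first tag are discarded; the last record stays buffered.
        starts = [m.start() for m in PRI_RE.finditer(self.buf)
                  if int(m.group(1)) <= 191]
        records = [self.buf[a:b] for a, b in zip(starts, starts[1:])]
        if starts:
            self.buf = self.buf[starts[-1]:]
        return records

    def close(self):
        """Flush whatever is left when the connection ends."""
        rest, self.buf = self.buf, b""
        return [rest] if rest else []

def deframe(chunks, mode):
    """Run a list of TCP segments through a deframer and collect all records."""
    d = SyslogTcpDeframer(mode)
    out = [r for c in chunks for r in d.feed(c)]
    return out + d.close()

# Constructed samples: segment boundaries deliberately cut through records and tags.
PIX_STYLE = [b"<134>first mess", b"age<131>second message<1", b"34>third message"]
LF_STYLE = [b"<134>first message\n<131>sec", b"ond message\n"]
AMBIGUOUS = [b"<134>value <13> seen in input\n"]  # tag-shaped text inside a message

if __name__ == "__main__":
    print(deframe(PIX_STYLE, "pri"))
    print(deframe(LF_STYLE, "lf"))
    print(deframe(AMBIGUOUS, "lf"), deframe(AMBIGUOUS, "pri"))
```

In "pri" mode the last sample comes back as two records, because message text that looks like a tag cannot be told apart from a record boundary; the '\n'-terminated stream keeps it as one record as long as messages themselves contain no '\n'.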
