Hi Doug,

thanks for your interesting mail. I will reply in more detail when I am
through with the papers (looks like it takes some time), but I have an
immediate comment...

> The Integrating the Healthcare Enterprise (IHE) initiative
> has specified the use of syslog as the mechanism for logging
> audit record messages. The specification allows up to 32Kb
> messages, the content of the MSG field is XML with a
> specified XML schema and it uses UTF-8 encodings.

There is a good reason for the current 1k limit on syslog messages. On
most networks, this 1k is transmitted in a single packet, which will
remove any fragmentation or multi-packet issues. With 32k, the data will
definitely travel in more than one packet (in almost all cases). So with
UDP, you are seeing challenges in in-order delivery and partial packet
loss.

I am trying to address this (at least partly) in the syslog-protocol
spec. In there, the idea is to basically stick with the 1k transport
limitation but - on an upper layer - support fragmentation and longer
messages with what we currently call a "cookie". This approach will
allow you to at least

a) detect missing packets
b) reassemble packets that were delivered out-of-order
   (with some burden on the receiver)

To be more precise, in b) we reassemble an upper-layer message that was
sent via multiple packets. That upper layer is what your application is
talking to.

More comments when I have read the other docs.

I would also like to use this message to wish all WG members a merry
xmas, a great new year and a peaceful holiday season. I hope it is
eventless from the infosec community point of view ;)

Rainer
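
Added example, not part of the original mail and not the syslog-protocol draft's format: a sketch of upper-layer fragmentation over a 1k datagram limit, showing how a receiver can detect missing fragments and reassemble ones that arrive out of order. The "id/index/total " prefix, HEADER_BUDGET, MAX_FRAGMENTS and all function names are assumptions made for illustration; ids are assumed to contain no space or slash.

```python
import math

MAX_DATAGRAM = 1024   # the 1k transport limit discussed in the mail
HEADER_BUDGET = 32    # assumed room for the hypothetical "id/index/total " prefix
MAX_FRAGMENTS = 64    # assumed cap so a forged total cannot exhaust receiver memory


def fragment(msg_id, message):
    """Sender: split message bytes into datagrams of at most MAX_DATAGRAM bytes."""
    size = MAX_DATAGRAM - HEADER_BUDGET
    total = max(1, math.ceil(len(message) / size))
    if total > MAX_FRAGMENTS or len(f"{msg_id}/{total}/{total} ") > HEADER_BUDGET:
        raise ValueError("message or id too long for this layout")
    return [f"{msg_id}/{i}/{total} ".encode("ascii") + message[i * size:(i + 1) * size]
            for i in range(total)]


class Reassembler:
    """Receiver: buffers fragments per message id until the set is complete."""

    def __init__(self):
        self.pending = {}  # msg_id -> (total, {index: payload})

    def receive(self, datagram):
        """Return the whole upper-layer message once complete, else None."""
        header, _, payload = datagram.partition(b" ")
        msg_id, index, total = header.decode("ascii").split("/")
        index, total = int(index), int(total)
        if not 0 <= index < total <= MAX_FRAGMENTS:
            raise ValueError("bad fragment header")
        known_total, parts = self.pending.setdefault(msg_id, (total, {}))
        if known_total != total:
            raise ValueError("fragments disagree on total")
        parts.setdefault(index, payload)  # a duplicated datagram changes nothing
        if len(parts) < total:
            return None
        del self.pending[msg_id]
        return b"".join(parts[i] for i in range(total))

    def missing(self, msg_id):
        """Indices not yet received for a partially delivered message."""
        total, parts = self.pending.get(msg_id, (0, {}))
        return [i for i in range(total) if i not in parts]
```

A receiver built this way holds state for every incomplete message, so in practice it would also expire pending entries after a timeout.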

