Hi Anton, On Tue, 10 Feb 2004, Anton Okmianski wrote:
> Rainer: > > I am really struggling with that restriction not to standardize syslog > storage in IETF. It diminishes the value of the syslog protocol as > people can't write a standard syslog parser. > > It would be nice if we could find another standards body which could be > used to address that aspect. I assume log analysis mailing list is not > affiliated with a standards body, or is it? I wonder if there is good > precedent out there of two standards bodies working in tandem like this. > Maybe W3C? It may be that the IETF will accept that work. However, it outside of our current charter and that's not going to change until after we complete the work we have going on in: - syslog-protocol - syslog-transport - syslog-sign One could argue that without guidance from these documents, the question of storage is rather ambiguous; what are you receiving to store and what protection mechanisms are available with them. I would also think that if such work is undertaken in the future and it finds a problem with one of these standards, then the standard may be changed. However, at this point, we need to put a stake in the ground and complete what's in front of us. If you really want to find another spot in the IETF, approach the OAM Area Directors with a proposal. If you'd like to go outside, I'd suggest NRIC or T1M1 (through ATIS). > > Somebody suggested to me an idea that maybe a bit wild, but could > address this. A protocol for syslog server to return messages it has > stored. It could be UDP-based. How much less efficient would that be > than reading a file? I don't think the difference will be huge as I/O > will likely be the bigger bottleneck anyway. Essentially, the messages > could be returned using the same -protocol & -transport and we just need > to add some request/response semantics. This does sound pretty wild, > but desperate times call for desperate measures :) and I thought I would > just pass it along. Actually, I think I'd like to see what comes out of Netconf before this WG looks down that path. Thanks, Chris > > Anton. > > > -----Original Message----- > > From: Rainer Gerhards [mailto:[EMAIL PROTECTED] > > Sent: Tuesday, February 10, 2004 12:15 PM > > To: Andrew Ross; Harrington, David; Anton Okmianski; > > [EMAIL PROTECTED] > > Subject: RE: -international: trailer > > > > > > Hi All, > > > > I am a bit sad that I use Andrew's message to say this... but > > Andrew has just made an important point that enlightens me on > > David's thought that those CLRs (crappy little rules [I like > > this term]) really cause trouble. So Andrew please don't take > > my objection personally, I see your reasoning behind it... > > > > ... but this is an excellent sample on how granting one > > exception (the 0x00 case) leads to calls for further > > exceptions (0x0a in this case). I have to admit I didn't > > think well enough about this. > > > > Also, I was technically incorrect in insisting on 0x00 to be > > too hard for C. Actually, I worked out a surprisingly easy, > > obvious and well-known escaping mechanism to handle 0x00 once > > the message is received. It looks like I was just too > > narrow-minded to think with an open enough mind to solve it. > > Thanks to all who kept pushing me :) > > > > But, honestly, even if I would not see an easy solution for > > the C case, I think we should follow David's advise and avoid > > any such rules (like the 0x00 exception). In the long term, > > they cause more trouble in the long term than the solve initially. > > > > So I, too, now vote that we must support any valid UTF-8 > > sequence in the MSG part, which includes 0x00. If nobody > > objects, I will change -protocol to specify this. If you have > > objections, I would appreciate if you could reply relatively > > quickly, as I try to get -03 out before Seoul. > > > > Now let me come to the C implementation and other things, > > like syslog storage format. As we have discussed on this > > list, these things are - at least at first look - not > > relevant to IETF work. This is because they simply don't talk > > about on-the-wire protocols. And only this is scope of the > > IETF. Anyhow, it would definitely be a positive undertaking > > to reach concensus among implementors how those things should > > be addressed. To have a "least common denominator approach" > > that customers could expect to be in syslog products they > > purchase/use. Even for the implementors among us, such an > > approach would simplify things when it comes to the parsing > > and analysis stage. > > > > I have talked to Chris as well as Tina Bird, who is the > > moderator of the loganalysis mailing list > > (http://lists.shmoo.com/mailman/listinfo/logan> alysis). We > > have agreed that we can move discussion for > > non-IETF topics over to loganalysis. The big plus in this is > > that there are also many, many administrators on the list, so > > we will most probably get a lot of feedback from the end user > > camp, too. I think this is extremely valuable. > > > > I plan, however, to focus just some few days on -protocol and > > not directly start this other discussion. I think this serves > > our deadlines (Seoul meeting) better than doing too much in > > parallel. After that, I plan to post an initial message for > > those topics on the loganalysis list. If Chris permits, I > > would cross-post these message here to the WG list (together > > with my whish to only reply to loganalysis;)). > > > > I hope this is a good proposal, one that will allow us to > > make syslog even more interoperable than it is today. > > > > Rainer > > > > > -----Original Message----- > > > From: Andrew Ross [mailto:[EMAIL PROTECTED] > > > Sent: Sunday, February 08, 2004 12:52 AM > > > To: Rainer Gerhards; 'Harrington, David'; 'Anton Okmianski'; > > > [EMAIL PROTECTED] > > > Subject: RE: -international: trailer > > > > > > > > > It is not just the 0x00 that we have to worry about. For > > TCP transport > > > mappings, we need to have a stream delimiter. Currently it is > > > generally agreed that it is LF (0x0A). If we don't escape that > > > character, we will > > > have to resort to a byte length field. Please don't make me > > > have to drag > > > out my old Syslog over TCP proposal :-) > > > > > > Cheers > > > > > > Andrew > > > > > > > > > > > > > > >
