Hi,

I would like to second Anton's view on MSGID and SD-ID position.

In my implementation, APP-NAME, MSGID and Severity (part of PRI) are
used to uniquely identify a message.  With those 3 fields, we can have
a very good sense of the nature of the event notification at the receiver
side. Even if the message has been truncated, we can use those
fields to look up what could have been included in the message body. So,
it's OK to live with the possibility that some part of the message can be
truncated.  The SD section is used to carry other useful and possibly
some critical information which may not be directly related to the MSG
itself. Keeping it where it is, i.e. before MSG (which tends to be
long), will make it less likely to be truncated.

Thanks,

Steve




> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Anton Okmianski (aokmians)
> Sent: Tuesday, November 22, 2005 9:04 AM
> To: Darren Reed; Rainer Gerhards
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Syslog] New direction and proposed charter
> 
> Darren:
> 
> > > WG,
> > > <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID [SD-ID]s MSG
> >
> > I would put the SD-IDs after the message.
> >
> > The SD-IDs and detailed bits of meaning to the MSG and
> > without the MSG, are irrelevant.  The exception being a
> > language marker.
> 
> I would prefer SD-ID where it is in the example.  I would also re-iterate
> the suggestion of having MSGID in the header, which a number of people
> supported.  Those two combined are arguably more important than the MSG
> part itself.  For example (in abbreviated syntax):
> 
> host.domain.com MyApp proc1234 STARTED_UP [ip=1.1.1.1]: The applications has started
> 
> I could live without the MSG here if it got truncated. The MSGID and SD-ID
> are much more important in this case.  BTW, the possible truncation of
> text and its variability (possible substitutable variables) is another
> reason why MSGID is so useful. It makes it easier for intelligent
> receivers to do things like event correlation.
> 
> Thanks,
> Anton.
> 
> >
> > > - replace NUL with an escape sequence upon reception (e.g. <00>)
> >
> > Why not \0 ?
> >
> > Darren
> >
> > _______________________________________________
> > Syslog mailing list
> > Syslog@lists.ietf.org
> > https://www1.ietf.org/mailman/listinfo/syslog
> >
> 
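The truncation argument in this thread, worked through as an added example that is not part of the original messages or of any syslog implementation. It assumes MSGID sits in the header right after PROCID (as in Anton's abbreviated example); the PRI value, timestamp, catalog and message text are constructed.

```python
import re

# Assumed header order: the thread's layout with MSGID placed after PROCID.
HEADER = re.compile(r"<(\d{1,3})>\d+ \S+ \S+ (\S+) \S+ (\S+) (.*)$", re.S)
SD_ELEMENT = re.compile(r"\[[^\]]*\]")

# Constructed receiver-side catalog keyed the way Steve describes:
# (APP-NAME, MSGID, severity) -> expected message text.
CATALOG = {("MyApp", "STARTED_UP", 6): "The application has started"}

def build(sd_first):
    """Serialize one constructed event with SD before MSG, or after it."""
    head = "<14>1 2005-11-22T09:04:00Z host.domain.com MyApp proc1234 STARTED_UP"
    sd, msg = "[ip=1.1.1.1]", "The application has started"
    return f"{head} {sd} {msg}" if sd_first else f"{head} {msg} {sd}"

def parse(line, sd_first):
    """Return what a receiver can still recover from a possibly truncated line."""
    m = HEADER.match(line)
    if m is None:
        return None  # cut inside the header: nothing reliable remains
    pri, app, msgid, rest = m.groups()
    key = (app, msgid, int(pri) % 8)  # severity is the low 3 bits of PRI
    if sd_first:
        sd = SD_ELEMENT.match(rest)
        msg = rest[sd.end():].strip() if sd else ""
    else:
        # Only accept an SD element that closes exactly at the end of the line.
        found = [s for s in SD_ELEMENT.finditer(rest) if s.end() == len(rest)]
        sd = found[-1] if found else None
        msg = (rest[:sd.start()] if sd else rest).strip()
    return {
        "key": key,
        "sd": sd.group(0) if sd else None,  # None means the SD was lost
        "msg_received": msg,
        "msg_from_catalog": CATALOG.get(key),
    }

def survivors(limit):
    """Truncate both layouts to `limit` bytes and parse each one."""
    layouts = (("sd_before_msg", True), ("sd_after_msg", False))
    return {name: parse(build(flag).encode()[:limit].decode(errors="ignore"), flag)
            for name, flag in layouts}

if __name__ == "__main__":
    for name, result in survivors(90).items():
        print(name, result)
```

With a 90-byte limit, the SD-before-MSG layout keeps the SD element and loses only message text, which the catalog lookup restores; the SD-after-MSG layout loses the SD element entirely.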