> WG, > > there has not been much discussion about the header fields and their > order recently. I think this is a sign the issue has been settled. To > make sure I got the right understanding of the resulting consensus, I > propose that we use the following format: > > <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP > [SD-ID]s SP MSG > > That is the format that also proven to be quite useful during my > proof-of-concept implementation. > > If somebody objects, please do that now.
In your other email, you say that "-" is for a missing field - I was curious about whether all fields were mandatory or what was to be done if you wanted to miss one out, but you've answered that. The "HOSTNAME" field should be constrained, in its definition, to match that accepted for FQDNs. "PRINTUSASCII" is too wide. I believe you need to read RFC 1035. Similarly, I'd like to see APP-NAME, PROCID and MSGID refined to be less than the entire character set. A contradiction in syslog-protocol is allowing PRINTUSASCII for fields but a field of "-" is used to indicate it is not there. The only thing I would like to see considered is keeping a ':' to mark end of headers and start of message. Or is this pointless ? I'm thinking from a perspective of parsing them with awk/grep. If, for example, I can search for either ']: ' or '-: ' and know that what follows would be the message....is that sensible ? Darren _______________________________________________ Syslog mailing list [email protected] https://www1.ietf.org/mailman/listinfo/syslog
