On Thu, 2006-01-12 at 10:45 +0100, Rainer Gerhards wrote: > Anton & all, > > You have good points and I have to admit I am still thinking what is the > best way. I would appreciate if some other WG members could express > their thoughts...
My pragmatic view is that overly long messages should be split instead of truncated. Of course splitting rules are similar to truncating rules in a sense, but the question of generating the syslog header also comes up, e.g. <16>Jun 12 13:45:54 host app[12345]: This is a too long message should become: <16>Jun 12 13:45:54 host app[12345]: This is a too... <16>Jun 12 13:45:54 host app[12345]: long message This way we don't lose information while still limiting the message size. Of course this will still confuse log analysis applications but it can be solved simply by lifting the message size limit if that is configurable in the syslog application. Maybe we should indicate in an SD-ID that message truncation happened so there would be no ambiguity. Another question whether we allow relays to modify the SD-ID part of the message or it must be done by the sender alone? -- Bazsi _______________________________________________ Syslog mailing list [email protected] https://www1.ietf.org/mailman/listinfo/syslog
