Hi Glen, thanks for the message. Let me start on an overview level: if you look at the evolution of the draft, you will see that earlier versions were quite specific on what to do if the message was malformed. However, based on dicussion, one after another of these rules were deleted. The reason was always that MUSTs here are not actually needed to ensure interoperability.
You can get a glimpse of this discussion by looking at http://www.syslog.cc/ietf/why-indepth.html This is a very old page. For more recent samples, you should consult the mailing list archives. There are (too) plenty samples of this being discussed to point to anything specific. The bottom line behind the current draft is that we do not necessarily specify what happens if the message is malformed. This is not vital for interoperability. Also, implementors will provide different solutions (most probably operator-configurable) to address real-world needs. For example, we could specify that a message with leap seconds in it MUST be discarded - but if the operator insists that he needs such a message, an implementor will always create a way to process it. We are specific on invalid UTF-8 sequences. This must not be interpreted, because this is a big security issue. However, even than it might be OK for an implementation to store the invalid UTF-8 sequence. If that is consensus, we can add the statement "the handling of non-compliant messages will be implementation dependent" which very precisely describes the list consensus. Rainer > -----Original Message----- > From: Glenn M. Keeni [mailto:[EMAIL PROTECTED] > Sent: Friday, January 05, 2007 12:32 PM > To: [EMAIL PROTECTED] > Subject: [Syslog] Syslog Protocol doubts > > Hi, > I have been trying to figure out the error conditions > that a syslog receiver will need to anticipate and the > corresponding actions that it is expected to take. I do > not see this clearly spelt out in the protocol document. > There are several MUST clauses, I understand that a > compliant syslog sender WILL always send messages that > meet the MUST clauses. But the document does not spell > out clearly what a compliant syslog receiver will do > when it gets a non-compliant message. Possible actions > could be: > a. discard whole message > b. discard non-compliant part ( assuming the non- > compliant part can be isolated) > c. rectify the non-compliance e.g. > - truncate message: [this is mentioned in 6.1] > - truncate the long-fields (software, > swVersion etc.) > d. implementation dependent > > Is this a problem ? I have listed the MUST conditions > in the attached document. My take is that we may have to > address each one of these. Or we can include a sweeping > statement like " non-compliant messages will be discarded" > or "the handling of non-compliant messages will be > implementation dependent". > > Glenn > > _______________________________________________ Syslog mailing list Syslog@lists.ietf.org https://www1.ietf.org/mailman/listinfo/syslog