10 Nov 2010 20:26
Re: Small draft for Syslog File Storage?
Heinbockel, Bill <heinbockel <at> mitre.org>
2010-11-10 19:26:13 GMT
Sounds like a good idea to me.

The biggest step that you need to make from the on-the-wire RFC5424 Syslog is the specification of a Syslog record separator. In most Syslog log files (as well as CSV and other multi-record file formats), the typical record separator is LF or CRLF. Regardless, in order to define the record separator, you will have to add at least one more encoding or Syslog syntax requirement on top of the existing RFC5424 specification, as currently all characters are valid in a Syslog message portion.

The specification would be fairly straightforward, as you could just standardize on the approaches taken by rsyslog and Syslog-ng. Also, RFC5424 provides enough flexibility in character escaping to build on further escaping for control characters (U+0000 through U+001F) to make this a possibility.

In addition, I would like to suggest the addition of an optional file header for Syslog files. This would allow for easy versioning of the file, allow a place for products to include additional information, and be able to hold information such as the vendor, name, and version of the application producing the log. This would be an especially nice feature when digging through and parsing old Syslog records.

Regardless of the outcome of this discussion, I would like to see a couple of more optional encodings added to the RFC5424 specification to handle U+0000 through U+001F characters, maybe: \n, \r, \t, and some generic hex encoding for the others: \x00 \x01 ... \x1F

> -----Original Message-----
> From: syslog-bounces at ietf.org [mailto:syslog-bounces at ietf.org] On Behalf Of Rainer Gerhards
> Sent: Wednesday, November 10, 2010 2:24 PM
> To: syslog at ietf.org
> Subject: [Syslog] Small draft for Syslog File Storage?
>
> Hi all,
>
> In what we did, we specified the on-the-wire format. However, we did not
> specify any format to use when persisting syslog data to a file.
>
> Note that we were very generous when specifying the on-the-wire format, for
> example we permit LF, CR, NUL and many other characters considered dangerous
> in file formats.
>
> There are many tools available which interpret syslog data stored in text
> files. However, different syslog implementations may use slightly different
> file formats.
>
> Together with the control character issue, the file format question both has
> interoperability AND security issues. I think these would be very easy to fix
> if we write a small RFC that specifies how text is to be encoded. It would be
> similar, but much smaller to RFC4627 (JSON). Actually, I think we would need
> to carry over primarily its section 2.5.
>
> I would volunteer to write an initial draft, but would first like to get some
> feedback if this effort has any chance of getting through.
>
> Rainer
> _______________________________________________
> Syslog mailing list
> Syslog at ietf.org
> https://www.ietf.org/mailman/listinfo/syslog
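The encoding discussed in this thread, sketched as an added example (not code from either poster, rsyslog or syslog-ng): control characters U+0000 through U+001F are escaped as \n, \r, \t or \xNN so that a raw LF can serve as the record separator. Doubling the backslash and all function names are assumptions made here so the encoding can be reversed.

```python
import re

# Short forms named in the thread; other C0 controls use the generic \xNN form.
# Escaping the backslash itself is an assumption added so decoding is unambiguous.
_SHORT = {"\n": "\\n", "\r": "\\r", "\t": "\\t", "\\": "\\\\"}
_SHORT_REV = {"n": "\n", "r": "\r", "t": "\t", "\\": "\\"}
_NEEDS_ESCAPE = re.compile(r"[\x00-\x1f\\]")
_ESCAPE_SEQ = re.compile(r"\\(x[0-9a-fA-F]{2}|.?)", re.DOTALL)


def escape_record(msg):
    """Encode one syslog message so it holds no raw control characters."""
    def repl(m):
        ch = m.group(0)
        return _SHORT.get(ch, "\\x%02X" % ord(ch))
    return _NEEDS_ESCAPE.sub(repl, msg)


def unescape_record(line):
    """Reverse escape_record(); reject escapes the writer never produces."""
    def repl(m):
        body = m.group(1)
        if body.startswith("x") and len(body) == 3:
            return chr(int(body[1:], 16))
        if body in _SHORT_REV:
            return _SHORT_REV[body]
        raise ValueError("invalid escape sequence: \\" + body)
    return _ESCAPE_SEQ.sub(repl, line)


def write_log(messages):
    """Return file contents: one escaped record per line, LF-terminated."""
    return "".join(escape_record(m) + "\n" for m in messages)


def read_log(data):
    """Split on LF only; str.splitlines() would also split on U+0085, U+2028."""
    return [unescape_record(rec) for rec in data.split("\n")[:-1]]


# Constructed sample: the second message carries an embedded LF followed by
# text shaped like a second RFC5424 record; the third holds NUL and ESC.
SAMPLE = [
    "<34>1 2010-11-10T19:26:13Z host1 su - ID47 - 'su root' failed for user1",
    "<13>1 2010-11-10T19:26:14Z host1 app - - - login failed for bob\n"
    "<34>1 2010-11-10T19:26:15Z host1 sshd - - - Accepted password for root",
    "<13>1 2010-11-10T19:26:16Z host1 app - - - path C:\\temp\x00\x1b[2J",
]

if __name__ == "__main__":
    print(write_log(SAMPLE), end="")
```

Written this way, the three messages occupy exactly three lines in the file, and a line-oriented reader sees the embedded LF only as the two characters `\n` inside the second record.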