RE: Syslog message size, internationalization and IHE
- Subject: RE: Syslog message size, internationalization and IHE
- From: Rainer Gerhards <rgerhards@hq.adiscon.com>
- Date: Fri, 19 Dec 2003 14:20:16 -0800
Hi Doug,
thanks for your interesting mail. I will reply in more detail when I am
through with the papers (looks like it takes some time), but I have an
immediate comment...
> The Integrating the Healthcare Enterprise (IHE) initiative
> has specified the use of syslog as the mechanism for logging
> audit record messages. The specification allows up to 32Kb
> messages, the content of the MSG field is XML with a
> specified XML schema and it uses UTF-8 encodings.
There is a good reason for the current 1k limit on syslog messages. This
1k is on most networks transmitted in a single packet, which will
remove any fragmentation or multi-packet issues. With 32k, the data will
definitely travel in more than one packet (in almost all cases). So with
UDP, you are seeing challenges in in-order delivery and partial packet
loss.
I am trying to address this (at least partly) in the syslog-protocol
spec. In there, the idea is to basically stick with the 1k transport
limitation but - on an upper layer - support fragmentation and longer
messages with what we currently call a "cookie". This approach will
allow you to at least
a) detect missing packets
b) reassemble packets that were delivered out-of-order
(with some burden on the receiver)
To be more precise, in b) we reassemble an upper-layer message that was
sent via multiple packets. That upper layer is what your application is
talking to.
More comments when I have read the other docs.
I would also like to use this message to wish all WG members a merry
xmas, a great new year and a peaceful holiday season. I hope it is
eventless from the infosec community point of view ;)
Rainer
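
One way a receiver could detect missing fragments and reassemble out-of-order ones, as the message above describes. This is an added example, not code from the mail or from the syslog-protocol draft; the `msgid/index/total` header is a hypothetical stand-in for the "cookie", and the buffer limits are assumed values.

```python
# Added illustration; the "msgid/index/total" header is a hypothetical
# stand-in for the draft's "cookie", not its actual wire format.
MAX_DATAGRAM = 1024   # the 1k transport limit from the message
MAX_FRAGMENTS = 64    # assumed receiver bound; 64 * 1k covers 32k
MAX_PENDING = 128     # assumed cap on partially received messages


def fragment(msg: bytes, msgid: int, size: int = MAX_DATAGRAM) -> list:
    """Split msg into datagrams of at most `size` bytes, header included."""
    room = size - 32  # space reserved for the header
    chunks = [msg[i:i + room] for i in range(0, len(msg), room)] or [b""]
    return [b"%d/%d/%d " % (msgid, i, len(chunks)) + c
            for i, c in enumerate(chunks)]


class Reassembler:
    def __init__(self):
        self.pending = {}  # msgid -> (total, {index: payload})

    def feed(self, datagram: bytes):
        """Return the whole message once complete, else None."""
        header, _, payload = datagram.partition(b" ")
        try:
            msgid, index, total = (int(x) for x in header.split(b"/"))
        except ValueError:
            return None  # malformed header: drop
        if not (0 < total <= MAX_FRAGMENTS and 0 <= index < total):
            return None  # out-of-range counters: drop
        if msgid not in self.pending and len(self.pending) >= MAX_PENDING:
            return None  # refuse to buffer without bound
        known_total, parts = self.pending.setdefault(msgid, (total, {}))
        if known_total != total:
            return None  # fragment disagrees with earlier ones: drop
        parts.setdefault(index, payload)  # a duplicate keeps the first copy
        if len(parts) < total:
            return None
        del self.pending[msgid]
        return b"".join(parts[i] for i in range(total))

    def missing(self, msgid: int) -> list:
        """Fragment indices not yet received for a pending message."""
        total, parts = self.pending.get(msgid, (0, {}))
        return [i for i in range(total) if i not in parts]
```

Reassembly works on bytes and the UTF-8 decode happens only on the complete message, because a fragment boundary can fall inside a multi-byte character.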