[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Transport draft preview

To: <andrew@kiwisyslog.com>, "'Rainer Gerhards'" <rgerhards@hq.adiscon.com>, <syslog-sec@employees.org>
Subject: RE: Transport draft preview
From: "Anton Okmianski" <aokmians@cisco.com>
Date: Mon, 10 May 2004 11:23:07 -0400
Delivered-to: archive-syslog-sec@lists.adiscon.com
Importance: Normal
In-reply-to: <001601c43643$a980b630$1101a8c0@Kiwi2000>
Sender: owner-syslog-sec@employees.org

Andrew:

Good question...

Well, Rainer mentioned some Windows event Log message that he had to
make into syslog message that could reach as large as 1MB if I recall
correctly.  Then, as we were designing fragmentation, we had to choose
some size limit. I was initially looking at binary encoding, so
looking at how many bits to allocate to message length.  16-bit value
gave us 65k. 24-bit value gave us 16MB. This is where 16MB came from.

I do not believe we can legitimately require everyone to support 16MB
multi-part messages.  I would never allow such default in my
implementation.  I would maybe allow it to be configured.  For one it
is really not smart to send 16MB over unreliable UDP using about 32000
UDP datagrams without any acknowledgments.

I would even consider lowering the 16MB significantly.  We just have
to keep in mind that we are talking about a consistent message size
limit for syslog-protocol regardless of the transport mapping. So, the
transport may indeed be TFTP for 16MB message.  Maybe it makes sense
to say in syslog-protocol what the minimum size the implementations
are required to support regardless of transport? Although I can see
how it can come back to bite us.

Anton.

> -----Original Message-----
> From: owner-syslog-sec@employees.org
> [mailto:owner-syslog-sec@employees.org] On Behalf Of Andrew Ross
> Sent: Monday, May 10, 2004 12:03 AM
> To: 'Rainer Gerhards'; 'Anton Okmianski'; syslog-sec@employees.org
> Subject: RE: Transport draft preview
>
>
>
> Hi All,
>
> Can anyone tell me why we are talking about 16MB syslog
> messages at all?
>
>
> I thought the spirit of syslog was a quick, human readable,
> single lined, informational message that can be logged to
> disk and be parsed by a reporting tool. Even taking into
> account UTF-8 encoding and the possibility of some binary
> data, do we *really* need 16MB? 1024 bytes does nicely in
> most cases, taking the max to 64KB is workable, but taking it
> to 16MB is just making a rod for our own backs. Even on a
> nice machine with stacks of memory, having to buffer and
> rebuild 16MB multipart messages will just be a nightmare.
>
> If we want to send huge dumps of binary data, we should use
> TFTP or FTP to transfer it. Let's keep the concept of syslog
> to something that is sensible.
>
> Thoughts?
>
> Andrew
>
>
>

References:
- RE: Transport draft preview
  - From: "Andrew Ross" <andrew@kiwisyslog.com>

Prev by Date: RE: Transport draft preview
Next by Date: RE: Transport draft preview
Previous by thread: RE: Transport draft preview
Next by thread: RE: Transport draft preview
Index(es):
- Date
- Thread