[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Syslog-sec] syslog message truncation

To: <syslog-sec@employees.org>
Subject: [Syslog-sec] syslog message truncation
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
Date: Tue, 15 Feb 2005 11:33:29 +0100
Cc:
Delivered-to: archive-syslog-sec@lists.adiscon.com
Delivered-to: syslog-sec@employees.org
List-archive: <http://www.employees.org/pipermail/syslog-sec>
List-help: <mailto:syslog-sec-request@www.employees.org?subject=help>
List-id: "Mailing list for the syslog Working Group in the IETF." <syslog-sec.www.employees.org>
List-post: <mailto:syslog-sec@www.employees.org>
List-subscribe: <http://www.employees.org/mailman/listinfo/syslog-sec>, <mailto:syslog-sec-request@www.employees.org?subject=subscribe>
List-unsubscribe: <http://www.employees.org/mailman/listinfo/syslog-sec>, <mailto:syslog-sec-request@www.employees.org?subject=unsubscribe>
Sender: syslog-sec-bounces@www.employees.org
Thread-index: AcUTScohlOv/myssRcSMC6bi3+ztqg==
Thread-topic: syslog message truncation

Hi WG,

Sharon has provided the following good comment:

###
> S3. In section 6.1, we need some guidelines on how to truncate
> SD-BOUNDARIES. 
> Can the structured data become non-compliant or must it still 
> be valid? If
> within the message part, is it just arbitrary?  Should we indicate
> truncation has occurred in the header or at the very end of 
> the message? Do
> we need to leave room for some extra characters at the end to 
> signify the
> message has been truncated?
###

I've thought and re-thought about this, but I do not have a clear
preferrence, so I would like to bring this up on the WG mailing list.

I think the best solution would be to NOT allow truncation of structured
data elements. I personally think it would complicate things at the
analysis end if we allow truncation of structured data. Keep in mind
that we currently ALLOW such truncations, because we have set up no
specific rules for that. If we now go ahead and disallow it, it might
become more complicated for a relay to carry out the necessary
truncation. This, some might say, is an unnecessary burden. As you can
see, there are pros and cons for each scenario.

The same goes for indication of message (not only structured data)
truncation. I am tempted to add a header field "message truncated".
However, I am not sure if that is something that we actually need. Or,
better said, that is worth it. Keep in mind that we have very limited
space inside the message and such a header would cost additional 2
octets (from a 480 octet minimum size). If we indicate truncation, I
would strongly opt to add this to the header and NOT at the end of the
message (indication at the end of the message would make a MSG delimiter
mandatory, which we do not have currently).

Any comments are deeply appreciated.

Rainer
_______________________________________________
Syslog-sec mailing list
Syslog-sec@www.employees.org
http://www.employees.org/mailman/listinfo/syslog-sec

Prev by Date: RE: [Syslog-sec] syslog-protocol and RFC 3164 (BSD Syslog)
Next by Date: RE: [Syslog-sec] syslog-protocol and RFC 3164 (BSD Syslog)
Previous by thread: [Syslog-sec] -protocol severity values
Next by thread: RE: [Syslog-sec] syslog message truncation
Index(es):
- Date
- Thread