Re: [Syslog-sec] Detailed Review Comments on Syslog Protocol -09-Part II
<below>
Tom Petch
----- Original Message -----
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: <syslog-sec@employees.org>
Sent: Wednesday, April 06, 2005 5:04 PM
Subject: RE: [Syslog-sec] Detailed Review Comments on Syslog Protocol -09-Part II
<snip>
I think that 'SHOULD identify a specific instance' opens up a can of worms.
Identification implies uniqueness whereas the process ids I see on small systems
are small integers, which may be replicated after a few reboot/process-restarts,
perhaps on the next reboot/restart. I do not believe a process id can support
the burden of a 'SHOULD' ('MAY' perhaps). To get a 'SHOULD' over say 10
consecutive reboots, you have to start forcing some randomness into process ids,
e.g. basing them on a high-resolution clock (think TCP sequence numbers) or else
having non-volatile storage to record the last n values.
Perhaps some router manufacturer or producer of Linux systems can convince me
that such technology exists in low end devices but currently I am sceptical.
And, a minor point, when I first read this, the use of instance threw me; I took
it to be the identification of one box as opposed to another (as I think Sharon
did), rather than a restart of the processes within a box; but I am struggling
for a better word.
Sharon,
I am now proposing the following text for APP-INST (formerly
SENDER-INST):
####
6.2.7 APP-INST
The APP-INST field SHOULD identify a specific instance of the sender.
It is similar to a reboot ID. It is a number or string that
identifies a given "incarnation" of the syslog sender.
On a router, it might actually be a reboot ID, generated each time
the system is reset. On a general-purpose device (with a general
purpose operating system), it identifies a specific instantiation of
the syslog sender process. In such an environment, it may be a
process ID.
The dash ("-") is a reserved APP-INST field value that MUST only be
used to indicate an unidentified instance.
APP-INST is primarily meaningful for analysis tools. Properly used,
it should enable log analyzers to detect which messages were
generated by the same sender instance. For example, on a UNIX system
the syslog daemon (syslogd) might emit messages to the log. All
messages logged by the same instance of syslogd will bear the same
APP-INST (for example its process ID). When the syslogd is
restarted, the APP-INST changes. That enables the analysis script to
detect the syslogd restart. This information might be used to detect
unexpected restarts and/or provide some judgement over the
reliability of the received messages.
####
Rainer
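The restart detection the proposed APP-INST text describes, and the PID-reuse gap Tom raises, as an added example that is not part of the thread or the draft. The record layout (host, app-name, app-inst, message) is a constructed simplification, not the draft's wire format; the sample lines are constructed too.

```python
# Added example: detect sender restarts from APP-INST changes, and show
# why a reused process ID (Tom Petch's objection) defeats the check.
# Record layout here is constructed: "host app-name app-inst message".
from typing import Dict, List, Tuple

# Constructed sample: syslogd on gw1 restarts twice. The first restart
# gets a fresh PID (412 -> 987); the second is handed the same small PID
# again (987 -> 987), as can happen on small systems after a restart.
SAMPLE_LOG = """\
gw1 syslogd 412 syslogd started
gw1 syslogd 412 link up
gw1 sshd 730 accepted key for admin
gw1 syslogd 987 syslogd started
gw1 syslogd 987 link down
gw1 syslogd 987 syslogd started
gw1 syslogd 987 link up
gw2 syslogd 412 syslogd started
"""

Key = Tuple[str, str]  # (host, app-name)

def parse(line: str) -> Tuple[str, str, str, str]:
    """Split one constructed record into host, app, app_inst, message."""
    host, app, inst, msg = line.split(" ", 3)
    return host, app, inst, msg

def detect_restarts(text: str) -> List[Tuple[int, str, str, str, str]]:
    """Return (line_no, host, app, old_inst, new_inst) wherever APP-INST
    changes for the same host/app. The reserved "-" (unidentified
    instance) carries no identity and is skipped."""
    last: Dict[Key, str] = {}
    events: List[Tuple[int, str, str, str, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        host, app, inst, _ = parse(line)
        if inst == "-":
            continue
        prev = last.get((host, app))
        if prev is not None and prev != inst:
            events.append((n, host, app, prev, inst))
        last[(host, app)] = inst
    return events

def count_start_messages(text: str, host: str, app: str) -> int:
    """Ground truth for the sample: how many 'started' lines the app logged."""
    return sum(1 for l in text.splitlines()
               if parse(l)[:2] == (host, app) and parse(l)[3].endswith("started"))
```

On the sample, APP-INST flags one restart while the application logged three starts: the restart that reused PID 987 is invisible to the analyzer, which is exactly the case that argues against a bare process ID carrying a SHOULD.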
_______________________________________________
Syslog-sec mailing list
Syslog-sec@www.employees.org
http://www.employees.org/mailman/listinfo/syslog-sec