
RE: [Syslog-sec] Truncate field and sender



list: sorry, accidentally only sent via personal mail. Discovered this
today...

Rainer
--------------------------------
Hello Didier,

well... I think there are some subtleties in here.

From the API perspective, you definitely have a message that is
potentially truncated. From the protocol perspective, the initial sender
(the syslogd in this case) does NOT truncate the message - because the
initial sender is what (theoretically) generates the message. The real
issue here is that what you call the sender is in reality more a relay
than the originator.

If you look at the message flow

app calls API -A-> API writes to unix domain socket -B-> syslogd reads
message from  domain socket -C-> syslogd transfers message on network

The truncation can happen at any of A, B and C. If it is in A, I would
expect the API to come back with an error or warning state. If it is at
B, I would think of it as a relay operation. The same applies to C.

OK, enough of these subtleties... In practice, it looks like we can have
APIs that pass messages longer than the syslog subsystem (or its
configuration!) supports. So we can have truncation right at the sender.
So, yes, it must be allowed at the initial sender, too.

If we take that route, it would probably make sense to define an
additional value (4) in the TRUNCATE field. That value should tell that
the truncation occurred at the initial sender. That information could be
helpful so that the receiver might know that digital signatures (written
by the initial sender) are still valid, even though the message was
truncated (I am assuming signatures are always done by the syslog
components and not provided as part of the API - this might NOT be a
valid assumption).

Are there any concerns?
Rainer

> -----Original Message-----
> From: syslog-sec-bounces@www.employees.org 
> [mailto:syslog-sec-bounces@www.employees.org] On Behalf Of 
> Didier DALMASSO
> Sent: Wednesday, May 11, 2005 5:16 PM
> To: syslog-sec@employees.org
> Subject: [Syslog-sec] Truncate field and sender
> 
> Hi,
> 
> Maybe this topic is a bit out of scope of the working group, but as an
> implementor I'm wondering one thing about truncation.
> 
> Syslog-protocol defines use of the truncate field for relays and
> collectors but says nothing about senders. In the POSIX world, a userland
> developer calls syslog(int priority, const char *msg); libc writes an
> RFC 3164 message into /dev/log and then the syslog daemon catches it.
> 
> What is the syslog daemon supposed to do when a locally received
> message needs to be truncated? I see two possibilities:
> 
> 1/ Truncate field is only used to indicate truncations occurring during
> transport. The sender always puts 0 as the truncate value
> 
> 2/ Truncate field is also used to indicate truncation by sender
> 
> I'm thinking the second one is a better choice but I'm interested to know
> your opinion.
> 
> Thanks
> -- 
>           Didier Dalmasso
> _______________________________________________
> Syslog-sec mailing list
> Syslog-sec@www.employees.org
> http://www.employees.org/mailman/listinfo/syslog-sec
> 
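
The signature point raised in the reply above, as an added example that is not part of the original thread: a message truncated by the initial sender before signing still verifies at the receiver, while one truncated by a relay afterwards does not. HMAC-SHA256 stands in for the digital signature, and the function names, the key, the frame layout and the TRUNC_RELAY placeholder value are assumptions; only 0 and 4 come from the thread.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed stand-in for the sender's signing key
TRUNC_NONE = 0     # "not truncated", as in the quoted question
TRUNC_RELAY = 1    # placeholder: relay values are not given in this thread
TRUNC_SENDER = 4   # value proposed in the reply for initial-sender truncation

def sign(msg: bytes) -> str:
    # Assumption: HMAC-SHA256 stands in for the digital signature.
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def initial_sender(app_msg: bytes, limit: int) -> dict:
    """syslogd as initial sender: truncate to its limit, then sign what it sends."""
    body = app_msg[:limit]
    flag = TRUNC_SENDER if len(body) < len(app_msg) else TRUNC_NONE
    return {"truncate": flag, "msg": body, "sig": sign(body)}

def relay(frame: dict, limit: int) -> dict:
    """Relay: truncates after the signature exists and cannot re-sign."""
    body = frame["msg"][:limit]
    if len(body) == len(frame["msg"]):
        return frame
    return {**frame, "truncate": TRUNC_RELAY, "msg": body}

def receiver(frame: dict) -> tuple:
    """Return (TRUNCATE value, whether the signature matches the received text)."""
    ok = hmac.compare_digest(frame["sig"], sign(frame["msg"]))
    return frame["truncate"], ok

# Constructed sample message, longer than the small limit used below.
APP_MSG = b"user=alice action=login result=ok " + b"x" * 100

def demo() -> dict:
    return {
        "untouched": receiver(initial_sender(APP_MSG, 1024)),
        "sender_truncated": receiver(initial_sender(APP_MSG, 64)),
        "relay_truncated": receiver(relay(initial_sender(APP_MSG, 1024), 64)),
    }

if __name__ == "__main__":
    for case, (flag, sig_ok) in demo().items():
        print(f"{case:17} TRUNCATE={flag} signature_valid={sig_ok}")
```

A receiver that sees the sender-truncation value can still rely on the signature; a failed check combined with a relay value points to truncation in transit rather than tampering, though the two cannot be told apart from the signature alone.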