RE: [Syslog-sec] cooked messages max size

[SFBZH@aol.com]

Sorry for that but I have to insist. Could anyone please have have a look
on that issue?

I really need to know how IETF interpret RFC 3195:
Are Syslog Cooked messages allowed to be longer than 1024 characters?
I have read RFC 3195 and 3164 several times and I have not found any
undeniable specification about that.

Best Regards

MC

>
My question is based on RFC 3195 & 3164.
In those RFC, it is clearly specified that BSD & RAW messages can't be
longer than 1024 characters. Otherwise, the syslog servers & relays
ignore the end of the message. What about cooked messages?

The part of the cooked message which could get long is the CDATA of the
entry element. In RFC 3195, we can read this:
  The character data for the element is the unstructured syslog event
  message being logged.  If the original device delivers the message
  for the first time via the COOKED profile, it may have any structure
  inside the CDATA.  However, for maximum compatibility, the device
  SHOULD format the CDATA of the message in accordance with Sections
  4.2.1 through 4.2.3 of [1].
[1] is RFC 3164.
First, sections 4.2.1 to 4.2.3 in RFC 3164 don't exist. I assume that
RFC 3195 refers to sections 4.1.1 to 4.1.3 of RFC 3164. (Since many
sites have copied RFC 3195, it will probably be difficult to catch up
that error.)

The limit of BSD messages size is not defined in those sections. It is
defined just before it, between the 4.1 title and the 4.1.1 title. The
result is that, technicaly, no size limit seems to be defined for cooked
messages.
I suppose that, for backward compatibility reasons, cooked messages have
to be shorter than 1024 characters. Could anyone confirm this, please?

MC
<
_______________________________________________
Syslog-sec mailing list
Syslog-sec@www.employees.org
http://www.employees.org/mailman/listinfo/syslog-sec