syslog-protocol

[back] [Raw Mail Archive]

Abstract

Syslog-protocol describes the syslog protocol. The syslog protocol has been used throughout the years to convey event notifications. The document describes a layered architecture for an easily extensible syslog protocol. It also describes the basic message format and structured elements used to provide meta-information about the message.

This page tracks discussion topics/issues during the creation of syslog-protocol. Syslog-protocol shall become a standards-track RFC.

IDs/RFCS (includes all drafts, most current first):

• draft-ietf-syslog-protocol-23 [2007-09-05]
• draft-ietf-syslog-protocol-16 [2006-01-03]
• draft-ietf-syslog-protocol-15 [2005-10-21]
• draft-ietf-syslog-protocol-14 [2005-07-12]
• draft-ietf-syslog-protocol-13 [2005-06-28]
• draft-ietf-syslog-protocol-12 [2005-06-01]
• draft-ietf-syslog-protocol-11 [2005-04-18]
• draft-ietf-syslog-protocol-10 [2005-02-18]
• draft-ietf-syslog-protocol-09 [2005-01-14]
• draft-ietf-syslog-protocol-08 [2004-11-16]
• draft-ietf-syslog-protocol-07 [2004-10-22]
• draft-ietf-syslog-protocol-06 [2004-09-24]
• draft-ietf-syslog-protocol-05 [2004-07-15]
• draft-ietf-syslog-protocol-04 [2004-04-29]
• draft-ietf-syslog-protocol-03 [2004-02-16]
• draft-ietf-syslog-protocol-02 [2004-02-02]
• draft-ietf-syslog-protocol-01 [2004-01-19]
• draft-ietf-syslog-protocol-00 [2003-12-02]

Issues after Vancouver Meeting (2005)

Below, there are some references to specific mailing list threads. While the author honestly thinks these are the relevant posts, the selection is obviously subjective. It is suggested that one scans the complete mailing list archive to find posts not specifically mentioned.

The WG charter shall be modified to keep the WG focused and also limit the expectations of what syslog-protocol should do. The latest proposal is:

==== MODIFIED Version of Chris's v2 of proposed charter ===
Syslog is a de-facto standard for logging system events. However, the protocol component of this event logging system has not been formally documented. While the protocol has been very useful and scalable, it has some known security problems which were documented in RFC 3164. The goal of this working group is to address the security and integrity problems, and to standardize the syslog protocol, transport, and a select set of mechanisms in a manner that considers the ease of migration between and the co-existence of existing versions and the standard. syslog has traditionally been transported over UDP and this WG has already defined RFC 3195 for the reliable transport for the syslog messages. The WG will separate the UDP transport from the protocol so that others may define additional transports in the future.

• A document will be produced that describes a standardized syslog protocol. A mechanism will also be defined in this document that will provide a means to convey structured data. While compatibility with existing syslog systems is desirable, research shows that these are so diverse that there is nothing in common amongst them apart from <PRI> so that whilst that field will be retained, other fields may not be.
• A document will be produced that describes a standardized UDP transport for syslog.
• A document will be produced that describes a standardized mechanism to sign syslog messages to provide integrity checking and source authentication.
• A MIB definition for syslog will be produced.

=====   ======

For charter discussion, see http://www.mail-archive.com/syslog%40lists.ietf.org/msg00242.html.

There are also discussions on the syslog-protocol I-D. This is a rather quick tracker of current discussions. For a glimpse at how this list was constructed, see http://www.mail-archive.com/syslog%40lists.ietf.org/msg00226.html. This status given below has been compiled on 2005-11-30, around 11a UTC. It might have changed after that. Many decisions and suggestions are backed by lab testing, code review of existing open source syslogd  implementation and a proof-of-concept implementation of syslog-protocol in rsyslog. Rsyslog is an open source project, so interested parties can pull the source and check it out. Please be warned that at the time of this writing the syslog-protocol proof must be obtained from CVS (see web site) because it has not yet been officially released as a source tarball.

1. testing and code review has shown that there is no point in trying to preserve more than <PRI>; RFC 3164 provides a false impression of common behaviour.
   • The proposed charter acknowledges that only <PRI> is worth keeping.
   • Lab test results can be found at http://www.syslog.cc/ietf/existing-syslog.html
   • My explanation why rfc 3164 does not properly describe reality can be found in http://www.mail-archive.com/syslog%40lists.ietf.org/msg00261.html
2. The max message length issue resurfaces. There seems to be a fragile consensus that we can life with the compromise in  syslog-protocol and eventualy open a debate if we (ever) go to a TCP transport.
   • there seems to be consensus to stick with the existing wording, which is limiting things while keeping the door open for future uses
   • for discussion see http://www.mail-archive.com/syslog%40lists.ietf.org/msg00253.html
3. There is a question if NUL octets are to be supported in the MSG content.
   • it is proposed that NUL be allowed, but to recommend to avoid it.
   • discussion and details: http://www.mail-archive.com/syslog%40lists.ietf.org/msg00254.html
4. There seems to be a fragile consensus that MSG should primarily contain textual data, including XMLified content. On the contrary, pure binary data should not be used.
   • some use cases for binary have surfaced.
   • it is suggested to allow this (but recommend not to do it)
   • discussion and details: http://www.mail-archive.com/syslog%40lists.ietf.org/msg00254.html
5. Character encoding in MSG: due to my proof-of-concept implementation, I have raised the (ugly) question if we need to allow encodings other than UTF-8. Please note that this question arises from needs introduced by e.g. POSIX. So we can't easily argue them away by whishful thinking ;)
   • There seems to be consensus that non-UTF-8 encodings must be supported, a SD-ID has been proposed for specifying the encoding
   • POSIX is a big reason: non-UTF-8 must be supported because the API does not provide encoding information
   • for discussion, see http://www.mail-archive.com/syslog%40lists.ietf.org/msg00241.html
6. field order
   • issues has been merged with 7
7. Header fields: there seems to be a fragile consensus that MSGID, PROCID, APP-NAME, and VERSION should be in the header and TRUNCATE should not be in it.
   • lab testing and proof-of-concept implementation have shown that a somewhat modified message format provides useful results
   • it seems to be consensus to use that definition
   • POSIX also has some implications on the header fields: http://www.mail-archive.com/syslog%40lists.ietf.org/msg00167.html
   • discussion: http://www.mail-archive.com/syslog%40lists.ietf.org/msg00256.html
8. MSG-octet counting and/or trailer is resurfacing. I think this item is not well understood and well discussed.
   • it is proposed this happens as part of the solution for #3 and #4 (above)
   • discussion and details: http://www.mail-archive.com/syslog%40lists.ietf.org/msg00254.html
   • further discussion has shown that octet-couting as part of #3/#4 is not useful: http://www.mail-archive.com/syslog%40lists.ietf.org/msg00320.html
   • as orginally agreed upon, octet-couting, if any, will happen as part of the transport layer framing
9. I have found some minor items not already discussed during my proof-of-concept implementation (like "drop requirements" and such). These are not absolutely vital, but should be considered before a final text is issued (or even the next revision).
   • it is proposed to adjust syslog-protocol in respect to the minor issues found (those not being explicitely discussed as one of the other issues)
   • that should be discussed when the next I-D version is published
   • suggestion & discussion: http://www.mail-archive.com/syslog%40lists.ietf.org/msg00255.html
10. STRUCTURED-DATA: there has been surprisingly few discussion about STRUCTURED-DATA. I conclude that this is non-controversal.
    • WG chair has declared consensus on the use of structured data as discribed in syslog-protocol-15
    • no objections against this, so it seems to be solved

     

Previous Issues (2004 discussion)

• Issue 16: TAG Semantics [2004-02-11] SOLVED
• Issue 15: Describe Relay Mode? [2004-02-24] SOLVED
• Issue 14: Allow unqualified Hostname? [2004-02-18] SOLVED
• Issue 13: Precise or Lax? [2004-02-18] SOLVED
• Issue 12: Time Zone Info Required? [2004-02-11] SOLVED
• Issue 11: Message Size [2004-02-11] SOLVED
• Issue 10: Transport Mappings? [2004-02-03] SOLVED
• Issue 9: Control Characters in MSG? [2004-01-28] SOLVED
• Issue 8: structured data anywhere in MSG [2004-01-28] SOLVED
• Issue 7: enterprise ID [2004-01-28] SOLVED
• Issue 6: Should there be a TRAILER [2004-01-28] SOLVED
• Issue 5: Should semantics for FACILITY be defined? [2004-01-28] SOLVED
• Issue 4: Backward Compatibility [2004-01-22] SOLVED
• Issue 3: Cookie Name [2003-12-18] SOLVED
• Issue 2: Cookie in XML Format? [2003-12-17] SOLVED
• Issue 1: TAG incompatibility [2003-12-15] SOLVED

Presentations

• February 2004 presentation on syslog-protocol-03 by Rainer Gerhards (this one was created for the 2004 Seoul IETF meeting)
• November 2003 presentation on syslog-protocol by Rainer Gerhards:
  OpenOffice: http://www.employees.org/~lonvick/attachments/syslog-protocol.sxi
  PDF: http://www.employees.org/~lonvick/attachments/syslog-protocol.pdf

Other Material

• Presentation on syslog-protocol by Rainer Gerhards:
  OpenOffice: http://www.employees.org/~lonvick/attachments/syslog-protocol.sxi
  PDF: http://www.employees.org/~lonvick/attachments/syslog-protocol.pdf
• There was an important post by Anton Okmianski in favor of a layered architecture http://www.mail-archive.com/syslog-sec%40employees.org/msg01206.html
• my raw archive of the syslog-sec mailing list, including a search engine

Other things to do

This is a reminder section for Rainer ;)

• spell and grammer checks... I've spared them because text changes so frequently and they take so much time for the non-natives among us ;)

This page last updated: Sat Nov 17 17:54:07 2007.
For content issues, contact rgerhards-at-adiscon.com - for legal issues, please contact Adiscon who is the legal owner and publisher of this web site.
Visit our topic pages for practical information on syslog.
Raw Mail Archive: [threaded] [by date] [search]