RE: [Syslog] #1 - RFC3164, was: Consensus?

2005-11-27 Thread Rainer Gerhards
Darren,

> > #1 testing and code review has shown that there is no point
> >in trying to preserve more than ; RFC 3164 provides
> >a false impression of common behaviour.
> >  
> > This is controversial, but the facts are suggesting this is the way it
> > is.
> > We should try to reach consensus on this.
> 
> A catch here is that extending the format to be:
> 
> VERSION
> 
> may produce unexpected results with various syslog daemons.

Please let us know which actual syslog daemons you mean (at best with
platform and version information).

I would also appreciate if you could do a quick test with them and post
the results. If possible, please send two messages to them. One as such:

"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on
/dev/pts/8"

the other one

"<148>1 2003-10-11T22:14:15.003Z mymachine.example.com su 4711 MSGID -
'su root' failed for lonvick on /dev/pts/9"

I would appreciate if you could let us know the resulting format both in
log files as well as when relaying.

Information about the extent of message distortion will probably help us
to determine the importance of this issue.

Many thanks,
Rainer

___
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog


Re: [Syslog] #1 - RFC3164, was: Consensus?

2005-11-27 Thread Darren Reed
> Darren,
..
> Please let us know which actual syslog daemons you mean (at best with
> platform and version information).
> 
> I would also appreciate if you could do a quick test with them and post
> the results. If possible, please send two messages to them. One as such:
> 
> "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on
> /dev/pts/8"
> 
> the other one
> 
> "<148>1 2003-10-11T22:14:15.003Z mymachine.example.com su 4711 MSGID -
> 'su root' failed for lonvick on /dev/pts/9"
> 
> I would appreciate if you could let us know the resulting format both in
> log files as well as when relaying.
> 
> Information about the extent of message distortion will probably help us
> to determine the importance of this issue.

Why not just read the source code ?

Also, read down and observe what ^ is used for.
This has been forgotten in RFC 3164...

printline()
{
..
        /* test for special codes: parse the "<pri>" prefix if present */
        pri = DEFUPRI;
        p = msg;
        if (*p == '<') {
                pri = 0;
                while (isdigit(*++p))
                        pri = 10 * pri + (*p - '0');
                if (*p == '>')
                        ++p;
        }
        /* out-of-range priority values fall back to the default */
        if (pri &~ (LOG_FACMASK|LOG_PRIMASK))
                pri = DEFUPRI;

        /* don't allow users to log kernel messages */
        if (LOG_FAC(pri) == LOG_KERN)
                pri = LOG_MAKEPRI(LOG_USER, LOG_PRI(pri));

        q = line;

        /* copy the body, stripping the high bit and rendering control
         * characters: LF becomes a space, TAB is kept, anything else
         * is written as '^' followed by the character XOR 0100 */
        while ((c = *p++) != '\0' &&
            q < &line[sizeof(line) - 2]) {
                c &= 0177;
                if (iscntrl(c)) {
                        if (c == '\n')
                                *q++ = ' ';
                        else if (c == '\t')
                                *q++ = '\t';
                        else {
                                *q++ = '^';
                                *q++ = c ^ 0100;
                        }
                } else
                        *q++ = c;
        }
        *q = '\0';

        logmsg(pri, line, hname, 0);
}

logmsg()
{
..
        /* if the body does not start with "Mmm dd hh:mm:ss ", the
         * daemon's own timestamp is added instead */
        msglen = strlen(msg);
        if (msglen < 16 || msg[3] != ' ' || msg[6] != ' ' ||
            msg[9] != ':' || msg[12] != ':' || msg[15] != ' ')
                flags |= ADDDATE;
..
}

On top of this, source code exists to map LF to "\n" and use the
\377 format for non-ASCII characters.

It would seem to me that some of our issues have been "solved" by
some vendors that need to be wide-character set savvy...

Darren



RE: [Syslog] #1 - RFC3164, was: Consensus?

2005-11-27 Thread Rainer Gerhards
Darren,

You are quoting out of context. I've read the source - more than one (if
you read more than one, you'll notice the subtle differences ;)). BTW:
the ^ tells you that signatures are broken as soon as characters < 32
are included in the message. However, none of that relates to what you
have stated. The source you quote is incomplete and if you look at
everything (including forwarding rules) plus at different versions (e.g.
sysklogd 1.4.1 in debian and syslogd.c in FreeBSD) date processing is
different.

So again, can you please tell me what backs your argument?

Rainer



RE: [Syslog] #1 - RFC3164, was: Consensus?

2005-11-28 Thread Anton Okmianski (aokmians)
Which system is this source from? 

On Solaris, if you send \r\n characters, you will see "^M\n" in the log. 

Anton. 



Re: [Syslog] #1 - RFC3164, was: Consensus?

2005-11-28 Thread Darren Reed
> Which system is this source from? 

BSD

> On Solaris, if you send \r\n characters, you will see "^M\n" in the log. 

Yes and Solaris allows for non-ascii data through the use of escaping.

Darren



RE: [Syslog] #1 - RFC3164, was: Consensus?

2005-11-29 Thread Rainer Gerhards
Darren & WG:

I have used this morning to compile a short list of currently existing
and deployed syslogds. As I suggested, I have sent several messages to
them. I suggest you have a look at the results at

   http://www.syslog.cc/ietf/existing-syslog.html

I do not see much in that result backing the theory that retaining the
old-style timestamp would do any good. Maybe I am overlooking the
obvious, so you can point me.

Ah, yes: Of course I see that sometimes the 3164 timestamp survives in
the first column of the log entry where the -protocol formatted does
not. But when I look at relaying, I think it is far better to have the
timestamp replaced by the time of reception than to have it thrown away.
In most cases, digital signatures would be broken anyhow. Surprisingly,
the -protocol formatted message has a better chance to survive being
relayed by existing syslogd than the RFC 3164 formatted message.

I propose that we accept this testing as proof of irrelevance of
sticking with the RFC 3164 timestamp.

Anybody with a different view please object.

Rainer

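The following is an added example, not code from the thread or from any BSD syslogd. It re-implements the printline() and logmsg() excerpts Darren posted as stand-alone functions, then pushes Rainer's two test messages through them. It shows three things the thread argues about: the "<pri>" handling (including the re-homing of kernel-facility messages under LOG_USER), the '^' rendering of control characters and the high-bit stripping that break any sender-side signature (Rainer's point), and the "Mmm dd hh:mm:ss " heuristic that makes the daemon replace the timestamp of the new-format message with its own time of reception, which is what Rainer's relay results show. The values of DEFUPRI and the line buffer size are assumptions matching BSD defaults; the CRLF and 8-bit sample messages are constructed here, the other two are the ones from the thread.

```c
/* Added example (not BSD source): stand-alone model of the printline() and
 * logmsg() excerpts quoted in this thread. DEFUPRI and LINE_SZ are
 * assumptions chosen to match BSD syslogd defaults. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>      /* LOG_PRIMASK, LOG_FACMASK, LOG_USER, LOG_NOTICE, LOG_PRI */

#define DEFUPRI (LOG_USER | LOG_NOTICE)  /* assumed BSD default for a missing/invalid PRI */
#define LINE_SZ 1024                     /* assumed size of syslogd's line buffer */

/* PRI handling as in printline(): parse "<n>", reject values with bits
 * above the facility/priority masks, and re-home kernel-facility messages
 * under LOG_USER so a network peer cannot inject "kernel" lines.
 * On return *rest points past the closing '>' (or at msg if no PRI). */
int bsd_parse_pri(const char *msg, const char **rest)
{
    int pri = DEFUPRI;
    const char *p = msg;

    if (*p == '<') {
        pri = 0;
        while (isdigit((unsigned char)*++p))
            pri = 10 * pri + (*p - '0');
        if (*p == '>')
            ++p;
    }
    if (pri & ~(LOG_FACMASK | LOG_PRIMASK))   /* out of range: fall back */
        pri = DEFUPRI;
    if ((pri & LOG_FACMASK) == 0)             /* LOG_FAC(pri) == LOG_KERN */
        pri = LOG_USER | LOG_PRI(pri);        /* LOG_MAKEPRI(LOG_USER, LOG_PRI(pri)) */
    *rest = p;
    return pri;
}

/* The printline() copy loop: strip bit 8, fold LF to a space, keep TAB,
 * render every other control character as '^' plus (c ^ 0100).
 * Returns the number of bytes stored in line (excluding the NUL). */
size_t bsd_sanitize(const char *p, char *line, size_t linesz)
{
    char *q = line;
    int c;

    while ((c = *p++) != '\0' && q < &line[linesz - 2]) {
        c &= 0177;                            /* 8-bit bytes lose their high bit */
        if (iscntrl(c)) {
            if (c == '\n')
                *q++ = ' ';
            else if (c == '\t')
                *q++ = '\t';
            else {
                *q++ = '^';                   /* e.g. CR -> "^M", DEL -> "^?" */
                *q++ = (char)(c ^ 0100);
            }
        } else {
            *q++ = (char)c;
        }
    }
    *q = '\0';
    return (size_t)(q - line);
}

/* logmsg()'s timestamp heuristic: non-zero means the body does not start
 * with "Mmm dd hh:mm:ss " and the daemon will stamp it with its own time. */
int bsd_needs_adddate(const char *msg)
{
    size_t msglen = strlen(msg);
    return msglen < 16 || msg[3] != ' ' || msg[6] != ' ' ||
           msg[9] != ':' || msg[12] != ':' || msg[15] != ' ';
}

/* True only when printline() stores the body byte-for-byte, i.e. when a
 * signature the sender computed over these bytes could still be verified
 * against what the daemon keeps. Any control character other than TAB,
 * any 8-bit byte, or a body longer than the buffer makes this false. */
int bsd_preserves_bytes(const char *body)
{
    char line[LINE_SZ];
    bsd_sanitize(body, line, sizeof line);
    return strcmp(body, line) == 0;
}

int main(void)
{
    /* first two: the thread's test messages; third: constructed CRLF case */
    const char *samples[] = {
        "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
        "<148>1 2003-10-11T22:14:15.003Z mymachine.example.com su 4711 MSGID - 'su root' failed for lonvick on /dev/pts/9",
        "<34>Oct 11 22:14:15 mymachine su: 'su root' failed\r\n",
    };
    char line[LINE_SZ];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *body;
        int pri = bsd_parse_pri(samples[i], &body);
        bsd_sanitize(body, line, sizeof line);
        printf("pri=%d fac=%d sev=%d adddate=%d intact=%d |%s|\n",
               pri, pri >> 3, LOG_PRI(pri), bsd_needs_adddate(line),
               bsd_preserves_bytes(body), line);
    }
    return 0;
}
```

Running it shows the asymmetry Rainer reports: the RFC 3164 message keeps its own timestamp (adddate=0), while the version-prefixed message fails the fixed-offset check at msg[3] and gets the receiving daemon's time instead (adddate=1); the CRLF message comes out as "...failed^M " and is no longer byte-identical to what was sent.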