Internet-Drafts | 2 Jul 12:56 2003

I-D ACTION:draft-ietf-syslog-device-mib-04.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Security Issues in Network Event Logging Working Group of the IETF.

	Title		: Syslog MIB
	Author(s)	: G. Keeni, B. Pape
	Filename	: draft-ietf-syslog-device-mib-04.txt
	Pages		: 54
	Date		: 2003-7-1

This memo provides a MIB module that can be used to monitor and manage
syslog processes. It defines objects that allow the collection of
information related to syslog processes; it also defines objects that
can be used to monitor and/or control syslog processes.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-device-mib-04.txt

To remove yourself from the IETF Announcement list, send a message to
ietf-announce-request with the word unsubscribe in the body of the message.

Internet-Drafts are also available by anonymous FTP. Login with the username
"anonymous" and a password of your e-mail address. After logging in,
type "cd internet-drafts" and then
	"get draft-ietf-syslog-device-mib-04.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail.

Chris Lonvick | 9 Jul 21:55 2003

Where we're at - 9 July

Hi Folks,

Summer Vacation Time is upon us again and I know what you're thinking.  You've
got to spend some quality time with your family on that long vacation trip and
you'd really like to get something meaningful accomplished when you're not
putting in that "quality time".  So why not take along a copy of our current
IDs?  You can thoughtfully review them while your "significant other" and/or
kids are out shopping at the Disney store.  What could be more restful and
relaxing - the true value of a vacation?   :-)

At your leisure you could send us comments on the syslog-sign ID:

  http://www.ietf.org/internet-drafts/draft-ietf-syslog-sign-11.txt

This is the latest version from Jon and John.  Albert Meitus has offered
these comments (available in the maillist archive):
  http://www.mail-archive.com/syslog-sec%40employees.org/msg01141.html
and
  http://www.mail-archive.com/syslog-sec%40employees.org/msg01138.html
(I believe that the Fragment Length integer should be expressed as that
integer as well but wasn't converted over from the base64 with other
fields in an earlier draft.)

You could also think about sending in comments on the syslog-mib ID:

  http://www.ietf.org/internet-drafts/draft-ietf-syslog-device-mib-04.txt

Glenn got this in just before the Vienna meeting ID cutoff date.

I'd also like to start some discussions about "internationalization" of

Rainer Gerhards | 11 Jul 12:43 2003

Syslog Internationalization - Message size

Hi all,

I am taking up on Chris' call for syslog internationalization.

If we look into languages with a huge character set (e.g. Japanese,
Chinese and Korean), we obviously need to encode these characters with
more than a single byte (octet, to be precise). Depending on the
encoding, between 2 and 5 bytes are needed for a single character.
Obviously, we have some issues with the encoding as this is not
printable in a US ANSI sense. But let's postpone this discussion. I
would just like to look at the message *size*.

It is fair to say that we need at least twice as many bytes as with US
ANSI. Thus, the usable message size drops dramatically to around 500
characters. If we look at the actual encoding, it can get even worse:
one approach (though probably not a clever one, not really thought this
out yet) could be to use base64 encoding on 8bit character streams. That
would fit nicely in "traditional" and current RFC interop. BUT with
base64, we have even lengthier messages and as such the usable
"character message size" (payload) would probably be reduced to a point
where it is simply unusable (read: too short to do something useful).

Thus it would make sense to allow for larger syslog messages, BUT

- we run into interop issues with existing syslog implementations / RFCs
- this raises UDP fragmentation concerns which can mess up the whole
syslog message

I have no good answer on how this could be solved.


Darren New | 11 Jul 17:31 2003

Re: Syslog Internationalization - Message size

Rainer Gerhards wrote:
> Comments are highly appreciated. Hopefully I am overlooking something
> obvious.

It's not obvious that a character set like Chinese taking (say) 3 bytes
per character is going to lead to messages three times as long. If one
character represents "email" and one character represents "message" and
one character represents "failure", that's just 9 bytes.

Just a passing thought...

-- 
Darren New, San Diego CA USA (PST)
Things to be thankful for, #187:
  There is no Chinese tradition of changing from
  shoes to slippers to get off an escalator.

Rainer Gerhards | 11 Jul 17:51 2003

RE: Syslog Internationalization - Message size

Darren,

Good point. I may actually be overlooking the obvious ;) Let me check my
logs; I have seen the message size grow a lot when used with
Japanese. But maybe this is due to the fact that we mostly deal with MS
Windows messages and they may be even phonier on Japanese Win32 ;)

Rainer

> -----Original Message-----
> From: Darren New [mailto:dnew <at> san.rr.com]
> Sent: Friday, July 11, 2003 5:31 PM
> To: Rainer Gerhards
> Cc: syslog-sec <at> employees.org
> Subject: Re: Syslog Internationalization - Message size
>
>
> Rainer Gerhards wrote:
> > Comments are highly appreciated. Hopefully I am overlooking something
> > obvious.
>
> It's not obvious that a character set like Chinese taking (say) 3 bytes
> per character is going to lead to messages three times as long. If one
> character represents "email" and one character represents "message" and
> one character represents "failure", that's just 9 bytes.
>

Tom Perrine | 11 Jul 20:56 2003

Re: Syslog Internationalization - Message size

I think that the internationalization is yet another last nail in the
coffin of UDP syslog.

It's just Really Time To Move On.

SDSC Syslog, syslog-ng and so many others have proven that TCP syslog
is workable, practical and effective.  There is just no more room on
the tired old cardboard box of UDP syslog for any more duct tape.

That's about $0.04 worth.

--tep

-- 
Tom E. Perrine <tep <at> SDSC.EDU> |
http://www.sdsc.edu/~tep/     |

Marshall Glen | 11 Jul 21:56 2003

RE: Syslog Internationalization - Message size


From the perspective of the healthcare IT industry, a reliable transport for
syslog is not only a Good Thing, it will also improve patient safety and
perhaps save a few lives.  The next time you or someone you care about is
attached to a medical instrumentation device, wouldn't you feel a bit better
if it was being monitored via a reliable protocol?

  _____

SIEMENS Medical Solutions - Health Services
Glen F. Marshall
Advisory System Designer, Technology & Innovation
51 Valley Stream Parkway, A08, Malvern, PA, 19355-1406
Phone: 	+01 610 219 3938
Fax: 	+01 610 219 3124
E-Mail: 	glen.f.marshall <at> siemens.com
  _____

-----Original Message-----
From: Tom Perrine [mailto:tep <at> sdsc.edu]
Sent: Friday, July 11, 2003 2:56 PM
To: dnew <at> san.rr.com
Cc: rgerhards <at> hq.adiscon.com; syslog-sec <at> employees.org
Subject: Re: Syslog Internationalization - Message size

I think that the internationalization is yet another last nail in the
coffin of UDP syslog.

It's just Really Time To Move On.


ALbert Mietus (thuis | 11 Jul 22:48 2003

Re: Syslog Internationalization /UDP


> I think that the internationalization is yet another last nail in the
> coffin of UDP syslog.

> It's just Really Time To Move On.

> [...] TCP syslog is workable, practical and effective.
> There is just no more room [..] UDP syslog

I don't agree!

UDP syslog is fine in a lot of cases.

The question is whether internationalization is always a good case. I don't think so.
Yes, it is needed for "user applications"; no, we don't need it in technically
complex systems!

E.g. a Unix kernel, or the RT core of a router, will be written in
"English-C"; there is no need for i18n. Often, there will be no room for it either.
However, it needs logging. UDP-syslog will do fine!

My idea is to think about "syslog" as a concept, without (hard) limits.  It is
a header with a prio, a timestamp etc and "a short line of message".

With UDP syslog, the line is up to 1K (but face it, I hardly see lines above 80
chars). So with i18n, 3 times 80 will fit.

TCP syslog, syslog-"whatever" doesn't need to inherit that limit. Just the
concept. But that doesn't mean UDP-syslog can't be used any more!


Eric Fitzgerald | 12 Jul 01:56 2003

RE: Syslog Internationalization - Message size

> one approach (though probably not a clever one, not really thought this out yet)
> could be to use base64 encoding on 8bit character streams. That would fit nicely
> in "traditional" and current RFC interop. BUT with base64, we have even lengthier

Why not use Unicode UCS-2 with UTF-8 encoding?
http://www.unicode.org/faq/utf_bom.html
ftp://ftp.rfc-editor.org/in-notes/rfc2279.txt

UTF-8 encoding would be backwards-compatible with ASCII in many (most?)
cases for syslog.

Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation
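
The size trade-off debated in this thread, worked through as an added example (not part of any poster's message or of the working group's drafts): how many characters survive in a 1024-octet UDP syslog packet when the text is sent as raw UTF-8 versus UTF-8 wrapped in base64, cutting only on character boundaries. The 31-octet header and the sample text are constructed for illustration; the 1024-octet limit is the "up to 1K" figure cited above.

```python
import base64

MAX_PACKET = 1024  # octets; the "up to 1K" UDP syslog limit cited in the thread

def truncate_utf8(text: str, budget: int) -> bytes:
    """Encode as UTF-8 and cut to <= budget octets without splitting a character."""
    raw = text.encode("utf-8")
    cut = max(budget, 0)
    if len(raw) <= cut:
        return raw
    # Continuation octets are 10xxxxxx: back up until the first dropped
    # octet is a lead octet, so the kept prefix ends on a whole character.
    while cut > 0 and (raw[cut] & 0xC0) == 0x80:
        cut -= 1
    return raw[:cut]

def base64_capacity(budget: int) -> int:
    """Most raw octets whose padded base64 form still fits in budget octets."""
    return (max(budget, 0) // 4) * 3

def payload_report(header: bytes, text: str) -> dict:
    """Compare characters carried as raw UTF-8 vs base64(UTF-8) after the header."""
    budget = MAX_PACKET - len(header)
    direct = truncate_utf8(text, budget)
    inner = truncate_utf8(text, base64_capacity(budget))
    wrapped = base64.b64encode(inner)
    return {
        "budget": budget,
        "utf8_chars": len(direct.decode("utf-8")),
        "utf8_octets": len(direct),
        "b64_chars": len(inner.decode("utf-8")),
        "b64_octets": len(wrapped),
    }

# Constructed sample inputs: a 31-octet header, CJK text at 3 octets per
# character, and plain ASCII text for comparison.
SAMPLE_HEADER = b"<34>Jul 11 12:43:00 host1 app: "
CJK_TEXT = "\u5931" * 600
ASCII_TEXT = "a" * 2000

if __name__ == "__main__":
    for label, text in (("CJK", CJK_TEXT), ("ASCII", ASCII_TEXT)):
        print(label, payload_report(SAMPLE_HEADER, text))
```

Receivers that cut at a fixed octet count without the boundary check can end a message with a partial UTF-8 sequence, which downstream parsers may reject or render as replacement characters.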

Richard E. Perlotto II | 13 Jul 02:55 2003

RE: Syslog Internationalization /UDP

I have to agree with the TCP argument for syslog.  If we are really talking
about the next generation of logging, why limit ourselves to a protocol that
has proved to be limited in many ways?  We are now monitoring and logging
devices that are much more pervasive than just on our edges.  In fact, many
times we are attempting to receive logs in network spaces that we may only
have limited access and control over.  UDP by its nature has proved to be
unreliable.

TCP offers a lot of advantages and a certain amount of overhead.  But I
believe that it is time to move to a more robust logging protocol.

Richard

> -----Original Message-----
> From: owner-syslog-sec <at> employees.org
> [mailto:owner-syslog-sec <at> employees.org] On Behalf Of ALbert
> Mietus (thuis)
> Sent: Friday, July 11, 2003 1:48 PM
> To: syslog-sec <at> employees.org
> Subject: Re: Syslog Internationalization /UDP
>
>
>
> > I think that the internationalization is yet another last