From syslog-sec-bounces@willers.employees.org  Tue Jul 13 14:03:48 2004
Date: Mon, 12 Jul 2004 18:18:49 +0200
Message-ID: <577465F99B41C842AAFBE9ED71E70ABA014427@grfint2.intern.adiscon.com>
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: <syslog-sec@employees.org>
Subject: [Syslog-sec] syslog-protocol

Hi list,

I am more or less finished with my next edit (which hopefully brings us
very close to a final version). However there is one thing that I would
once again like to bring to the attention of the list - simply because it
is much that needs to be changed:

Anton suggested:
> I know you wanted to keep some resemblance of the old ad-hoc syslog
> format, but two separate fields for TAG would make life much easier
> than having to find the last [ and only if there is ] at the end.  If
> we make two fields, they would be APP-NAME (or PROCESS-NAME) and
> PROCESS-ID.  This is much more intuitive than describing it as static
> vs. dynamic. And this is what people are after in the end. We could
> allow for say "-" for unknown process ID. But I think requiring
> APP-NAME is a must. What do you think?

I responded:
>That sounds good - I actually did not have this good idea. If there is
>no objection, I'll change it to this in the next draft.

I am still of the opinion that this is a good idea - especially as it
also solves some parsing nightmare with the colon characters. It just
finally breaks the legacy TAG ... but that would be easy to re-create
in case a process needs to relay to an RFC 3164 collector.

So I, too, would opt for 2 "TAG" fields separated by SP. I'm not sure if
the above names would be the most appropriate, maybe TAG-NAME and
TAG-PID would be better to tie them back to the 3164 TAG.

I'd appreciate feedback on this issue. I definitely plan to submit the
next draft before the cutoff date at the end of this week.

Rainer
_______________________________________________
Syslog-sec mailing list
Syslog-sec@www.employees.org
http://www.employees.org/mailman/listinfo/syslog-sec


From syslog-sec-bounces@willers.employees.org  Wed Jul 14 14:28:03 2004
Date: Tue, 13 Jul 2004 16:57:36 -0700
From: Devin Kowatch <devink@sdsc.edu>
To: Rainer Gerhards <rgerhards@hq.adiscon.com>
Subject: Re: [Syslog-sec] syslog-protocol
Message-ID: <20040713235736.GK21360@SDSC.EDU>
References: <577465F99B41C842AAFBE9ED71E70ABA014427@grfint2.intern.adiscon.com>
In-Reply-To: <577465F99B41C842AAFBE9ED71E70ABA014427@grfint2.intern.adiscon.com>
Cc: syslog-sec@employees.org

On Mon, Jul 12, 2004 at 06:18:49PM +0200, Rainer Gerhards wrote:
> Hi list,
> 
> I am more or less finished with my next edit (which hopefully brings us
> very close to a final version). However there is one thing that I would
> once again like to bring to the attention of the list - simply because it
> is much that needs to be changed:
> 
> Anton suggested:
> > I know you wanted to keep some resemblance of the old ad-hoc syslog
> > format, but two separate fields for TAG would make life much easier
> > than having to find the last [ and only if there is ] at the end.  If
> > we make two fields, they would be APP-NAME (or PROCESS-NAME) and
> > PROCESS-ID.  This is much more intuitive than describing it as static
> > vs. dynamic. And this is what people are after in the end. We could
> > allow for say "-" for unknown process ID. But I think requiring
> > APP-NAME is a must. What do you think?
> 
> I responded:
> >That sounds good - I actually did not have this good idea. If there is
> >no objection, I'll change it to this in the next draft.
> 
> I am still of the opinion that this is a good idea - especially as it
> also solves some parsing nightmare with the colon characters. It just
> finally breaks the legacy TAG ... but that would be easy to re-create
> in case a process needs to relay to an RFC 3164 collector.

Without actually verifying anything, my experiences on Linux and
Solaris suggest that it may not matter one way or the other.  Both
syslogd's only parse the message enough to add a time stamp or insert
the host name after the time stamp.

IIRC, RFC 3164 only allows something like alphanumerics in the TAG
field and everything else is considered the message/content anyway.  I
believe this is the reason that SDSC Syslog will consider [<pid>] as
part of the content.

The only area in which it may cause problems is that many existing
syslogd's will write out the message more or less as received, which
may cause syslog log file parsers to break.  But anyone who writes that
sort of thing should be fairly used to it breaking :)

> 
> So I, too, would opt for 2 "TAG" fields separated by SP. I'm not sure if
> the above names would be the most appropriate, maybe TAG-NAME and
> TAG-PID would be better to tie them back to the 3164 TAG.
> 
> I'd appreciate feedback on this issue. I definitely plan to submit the
> next draft before the cutoff date at the end of this week.
> 
> Rainer

-- 
Devin Kowatch
devink@sdsc.edu
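
An added example, not part of the thread and not code from any syslogd: it contrasts the two legacy TAG readings discussed in the messages above (the strict alphanumeric TAG, and the "find the last [ ... ]" heuristic) with the proposed two-field layout. The function names, the constructed sample lines and the exact two-field syntax (APP-NAME SP PROCESS-ID SP message, "-" for an unknown process ID) are assumptions taken from the wording in the thread, not from the draft text.

```python
import re

# Strict RFC 3164 reading mentioned in the reply: TAG is a run of at most
# 32 alphanumerics; the first other character already starts CONTENT.
_STRICT_TAG = re.compile(r"[A-Za-z0-9]{1,32}")


def split_strict_3164(rest):
    """Return (TAG, CONTENT) for the text that follows HOSTNAME."""
    m = _STRICT_TAG.match(rest)
    return (m.group(0), rest[m.end():]) if m else ("", rest)


def split_heuristic_tag(rest):
    """Log-file-parser heuristic: token before ': ', then find the last '['
    and use it only if the token ends in ']'. Returns (name, pid, msg)."""
    token, sep, msg = rest.partition(": ")
    if not sep or " " in token:      # colon belongs to the message text
        return None, None, rest
    name, pid = token, None
    if token.endswith("]"):
        lb = token.rfind("[")
        if lb > 0:                   # need a non-empty name before '['
            name, pid = token[:lb], token[lb + 1:-1]
    return name, pid, msg


def parse_two_field(rest):
    """Two-field proposal (assumed syntax): APP-NAME SP PROCESS-ID SP msg."""
    parts = rest.split(" ", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("APP-NAME and PROCESS-ID are both required")
    app, pid = parts[0], parts[1]
    msg = parts[2] if len(parts) == 3 else ""
    return app, (None if pid == "-" else pid), msg


def to_legacy_tag(app, pid):
    """Re-create a legacy TAG when relaying to an RFC 3164 collector."""
    return f"{app}[{pid}]:" if pid is not None else f"{app}:"


# Constructed sample lines (not taken from any real log).
LEGACY_SAMPLES = [
    "sshd[4121]: Accepted publickey for alice",
    "my-app[worker]: queue[3] drained",      # bracket part is not a PID
    "Connection from host: 10.0.0.1",        # no TAG, colon in the message
]
TWO_FIELD_SAMPLES = ["my-app 4121 queue[3] drained", "cron - job started"]

if __name__ == "__main__":
    for line in LEGACY_SAMPLES:
        print("strict   ", split_strict_3164(line))
        print("heuristic", split_heuristic_tag(line))
    for line in TWO_FIELD_SAMPLES:
        app, pid, msg = parse_two_field(line)
        print("two-field", (app, pid, msg), "->", to_legacy_tag(app, pid), msg)
```

The two legacy readings disagree on where the TAG ends for the same line, which is the attribution problem the two-field layout removes.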


From syslog-sec-bounces@willers.employees.org  Fri Jul 16 08:08:37 2004
Message-Id: <200407151925.PAA16818@ietf.org>
To: i-d-announce@ietf.org
From: Internet-Drafts@ietf.org
Date: Thu, 15 Jul 2004 15:25:48 -0400
Cc: syslog-sec@employees.org
Subject: [Syslog-sec] I-D ACTION:draft-ietf-syslog-protocol-05.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Security Issues in Network Event Logging Working Group of the IETF.

	Title		: The syslog Protocol
	Author(s)	: R. Gerhards
	Filename	: draft-ietf-syslog-protocol-05.txt
	Pages		: 40
	Date		: 2004-7-15
	
This document describes the syslog protocol. The syslog protocol has
been used throughout the years to convey event notifications. This
document describes a layered architecture for an easily extensible
syslog protocol. It also describes the basic message format and
structured elements used to provide meta-information about the
message.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-syslog-protocol-05.txt
