Re: [sip-clf] A primer on syslog.

"Rainer Gerhards" <> Wed, 03 February 2010 20:06 UTC

Date: Wed, 3 Feb 2010 21:07:05 +0100
From: "Rainer Gerhards" <>
To: "David Harrington" <>, "Spencer Dawkins" <>, "Vijay K. Gurbani" <>, <>
Subject: Re: [sip-clf] A primer on syslog.
List-Id: SIP Common Log File format discussion list <>

> -----Original Message-----
> From: [] On
> Behalf Of David Harrington
> Sent: Wednesday, February 03, 2010 8:50 PM
> To: 'Spencer Dawkins'; 'Vijay K. Gurbani';
> Subject: [sip-clf] A primer on syslog.
>
> Hi,
>
> For those unacquainted with syslog, let me try to summarize how it
> works. I will focus on the forwarding and filtering and security
> mechanisms, since I think those will be important considerations for
> SIP logging.
> Rainer is the guy I go to when I have a question about syslog. He has
> answered Vijay's concern in considerable detail in another email. I
> don't personally deploy syslog, so Rainer can feel free to correct
> anything I get wrong. ;-)

Thanks David, that is an excellent primer. Just one note... 

> ---- The forwarding mechanism ----
> Syslog allows log information for both kernel processes and user
> processes to be forwarded to a file, a set of users, or another node
> in a network.

While this is beyond the scope of the IETF, current mainstream implementations
support many more options. Popular options are writing to databases and
passing messages to another application. Rsyslog, for example, has an open
plug-in architecture, and every now and then I hear about plug-ins written for
custom projects that I would never have envisioned.

> IETF syslog provides support for UDP, TLS, and (soon) DTLS. It is
> designed to allow additional transports to be defined, so could also
> be used in non-IP environments, I suppose.

It definitely is. The most prominent non-IP "transport" is Unix local domain
sockets. But real non-IP transports are used quite seldom, now that almost
every device runs IP. In former days, we had log sources (PBXs mostly) that
sent messages via RS232 to a syslog relay which forwarded the messages via IP
to the final destination.
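The forwarding, filtering and transport options discussed in this exchange (file output, a local Unix domain socket as the non-IP "transport", and UDP versus TLS forwarding to another node), as an added rsyslog configuration example in RainerScript syntax. This is not code from the original thread or from the rsyslog project; the host name collector.example.net, the certificate paths under /etc/rsyslog.d/tls/, the log file path and the program name "sip-proxy" are assumptions chosen for illustration.

```rsyslog
# Added example: rsyslog configuration showing the forwarding options from the
# thread above. Host names, paths and the program name are assumptions.

# --- Inputs -----------------------------------------------------------------
# Local Unix domain socket (/dev/log): the non-IP "transport" mentioned above.
module(load="imuxsock")
# Plain UDP receiver (RFC 5426) for legacy devices; bound to loopback only,
# since UDP syslog carries no authentication or integrity protection.
module(load="imudp")
input(type="imudp" port="514" address="127.0.0.1")

# --- TLS transport defaults (RFC 5425) -------------------------------------
# The relay presents its own certificate and validates the collector's
# certificate against this CA, so both ends are authenticated.
global(
    DefaultNetstreamDriver="gtls"
    DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
    DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/relay-cert.pem"
    DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/relay-key.pem"
)

# --- Filtering and forwarding for the SIP proxy's messages -----------------
# Assumed: the SIP proxy logs under program name "sip-proxy".
if ($programname == "sip-proxy") then {
    # 1. Keep a local copy in its own file.
    action(type="omfile" file="/var/log/sip/sip-proxy.log")

    # 2. Weak form (left disabled for contrast): legacy UDP forwarding gives
    #    no peer authentication, no integrity and no delivery guarantee.
    # action(type="omfwd" target="collector.example.net" port="514" protocol="udp")

    # 3. Hardened form: TLS over TCP with mutual x509 authentication.
    #    StreamDriverMode="1" requires TLS; "x509/name" checks that the
    #    collector's certificate name matches StreamDriverPermittedPeers.
    #    The disk-assisted queue retains messages across a collector outage
    #    or a local restart, and the action retries until it succeeds.
    action(type="omfwd"
           target="collector.example.net" port="6514" protocol="tcp"
           StreamDriver="gtls" StreamDriverMode="1"
           StreamDriverAuthMode="x509/name"
           StreamDriverPermittedPeers="collector.example.net"
           queue.type="LinkedList" queue.filename="fwd_collector"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")

    # Do not let these messages fall through to the generic rules below.
    stop
}
```

When checking a deployment like this, confirm on the collector side that the corresponding imtcp listener is also configured with StreamDriverAuthMode="x509/name" and a permitted-peer list naming the relay; TLS with anonymous or certificate-only mode on either end still leaves the log stream open to an unauthorized sender or receiver.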