RE: [Syslog] delineated datagrams

"Nagaraj Varadharajan \(nagarajv\)" <> Fri, 11 August 2006 19:50 UTC


Sorry for jumping in late on this topic and also pardon me if I have not
understood the discussion correctly.

My thought is that the easiest way syslog over tls will be implemented
will be by existing apps taking what they have for syslog over TCP and
adding the TLS layer. So in terms of easy implementation and adoption,
it may be good to support whatever is being done for tcp syslogs now. I
believe that LF as a separator is quite common currently.
However, I do agree that this is a good opportunity to upgrade to a
better method. My only concern is that this should not force
applications to drastically change their underlying syslog


-----Original Message-----
From: Rainer Gerhards [] 
Sent: Thursday, August 10, 2006 9:22 PM
To: Balazs Scheidler
Cc:; Tom Petch
Subject: RE: [Syslog] delineated datagrams

> Maybe this already has been said ;)
> This makes sense. What about other control characters?

We need to differentiate between on-the-wire format and storage format.
On-the-wire, I would escape only LF and the escape character. In
storage, I would escape any control character (which can be quite tricky
with Unicode). Our current scope (and IETF scope) is on-the-wire. So I
propose not to mangle any more characters than absolutely necessary.


Syslog mailing list
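
Added example, not part of the thread: a Python rendering of the on-the-wire scheme Rainer Gerhards describes, where a bare LF ends each message and only LF and the escape character are escaped. The backslash escape character, the backslash + "n" encoding of an embedded LF, the frame size limit and all function names are assumptions made for this illustration; the sample messages are constructed.

```python
# Assumptions (not from the thread): backslash is the escape character and
# an LF inside a message travels as backslash + "n".
ESC, LF = b"\\", b"\n"

def encode_frame(msg: bytes) -> bytes:
    # Escape ESC first, then LF, so the only raw LF on the wire is the delimiter.
    return msg.replace(ESC, ESC + ESC).replace(LF, ESC + b"n") + LF

def decode_frame(raw: bytes) -> bytes:
    # Undo encode_frame on one frame whose delimiter is already stripped.
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i:i + 1] != ESC:
            out += raw[i:i + 1]
            i += 1
            continue
        nxt = raw[i + 1:i + 2]
        if nxt == ESC:
            out += ESC
        elif nxt == b"n":
            out += LF
        else:
            raise ValueError("invalid or truncated escape sequence")
        i += 2
    return bytes(out)

class FrameReader:
    # Reassembles frames from a TCP/TLS byte stream read in arbitrary chunks.
    def __init__(self, max_frame: int = 8192):
        self._buf, self._max = bytearray(), max_frame

    def feed(self, chunk: bytes) -> list:
        self._buf += chunk
        frames = []
        while (end := self._buf.find(LF)) >= 0:
            frames.append(decode_frame(bytes(self._buf[:end])))
            del self._buf[:end + 1]
        if len(self._buf) > self._max:  # bound memory if no delimiter arrives
            raise ValueError("no delimiter within max_frame bytes")
        return frames

def demo() -> list:
    # Constructed messages: one with an embedded LF, one with a literal "\n".
    msgs = [b"app: first line\nsecond line", b"app: path C:\\new"]
    wire = b"".join(encode_frame(m) for m in msgs)
    reader, got = FrameReader(), []
    for i in range(0, len(wire), 7):  # simulate short reads
        got += reader.feed(wire[i:i + 7])
    return got
```

Escaping the escape character before LF is what keeps a literal backslash followed by "n" in a message distinct from an escaped LF after decoding.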