Re: [Syslog] Small draft for Syslog File Storage?

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Thu, 11 November 2010 16:25 UTC

Return-Path: <rgerhards@hq.adiscon.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1E3AA3A6A74 for <syslog@core3.amsl.com>; Thu, 11 Nov 2010 08:25:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fhGBLMBcKcHl for <syslog@core3.amsl.com>; Thu, 11 Nov 2010 08:25:27 -0800 (PST)
Received: from vmmail.adiscon.com (vmmail.adiscon.com [178.63.79.189]) by core3.amsl.com (Postfix) with ESMTP id 3873C3A69AA for <syslog@ietf.org>; Thu, 11 Nov 2010 08:25:27 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by vmmail.adiscon.com (Postfix) with ESMTP id 2DEF874A4DB; Thu, 11 Nov 2010 17:25:57 +0100 (CET)
Received: from vmmail.adiscon.com ([127.0.0.1]) by localhost (vmmail.adiscon.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GiyEulQn6wip; Thu, 11 Nov 2010 17:25:57 +0100 (CET)
Received: from GRFEXC.intern.adiscon.com (pd95c774a.dip0.t-ipconnect.de [217.92.119.74]) by vmmail.adiscon.com (Postfix) with ESMTPA id 0202874A4DA; Thu, 11 Nov 2010 17:25:56 +0100 (CET)
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
X-MimeOLE: Produced By Microsoft Exchange V6.5
Date: Thu, 11 Nov 2010 17:25:55 +0100
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD6E4@GRFEXC.intern.adiscon.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Small draft for Syslog File Storage?
Thread-Index: AcuBvPqhefGg/l/jSyGR8n4mMCT9EAAABRBQ
References: <9B6E2A8877C38245BFB15CC491A11DA71DD6D6@GRFEXC.intern.adiscon.com><87vd45828h.fsf@latte.josefsson.org><Pine.GSO.4.63.1011110816470.28921@sjc-cde-011.cisco.com><9B6E2A8877C38245BFB15CC491A11DA71DD6E3@GRFEXC.intern.adiscon.com> <87oc9vj09l.fsf@latte.josefsson.org>
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: "Simon Josefsson" <simon@josefsson.org>
Cc: syslog@ietf.org
Subject: Re: [Syslog] Small draft for Syslog File Storage?
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Nov 2010 16:25:28 -0000

> -----Original Message-----
> From: Simon Josefsson [mailto:simon@josefsson.org]
> Sent: Thursday, November 11, 2010 5:25 PM
> To: Rainer Gerhards
> Cc: Chris Lonvick; syslog@ietf.org
> Subject: Re: Small draft for Syslog File Storage?
> 
> "Rainer Gerhards" <rgerhards@hq.adiscon.com> writes:
> 
> >> -----Original Message-----
> >> From: Chris Lonvick [mailto:clonvick@cisco.com]
> >> Sent: Thursday, November 11, 2010 5:19 PM
> >> To: Simon Josefsson
> >> Cc: Rainer Gerhards; syslog@ietf.org
> >> Subject: Re: [Syslog] Small draft for Syslog File Storage?
> >>
> >> Hi Simon,
> >>
> >> On Wed, 10 Nov 2010, Simon Josefsson wrote:
> >> > Oh, and please use a timestamp format that embeds the year!  How about
> >> > the RFC 3339 format?  I hate how it is impossible to know what year a
> >> > log entry was written on modern Linux systems.
> >>
> >> Take a look at RFC 5424.  The timestamp is from RFC 3339.
> >
> > Sorry for the silence today. I am currently working very hard on very
> > complex code for log normalization.
> >
> > But one thing quickly: the timestamp is a typical example of how the
> > real world is hesitant to change. Rsyslog has become the default syslogd
> > on almost all modern linux distros. Rsyslog emits RFC3339 stamps by
> > default, and also uses them by default inside log files. But *all*
> > distros have configured it to use the old-style timestamp...
> 
> Yes, and that is annoying.  Using the RFC 3339 format for stored data
> seems like the obvious choice if this is what RFC 5424 is using
> already.

Actually, I made the switch in rsyslog roughly 4 to 5 years ago, even before
we had RFC5424... :(

Rainer
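The thread's complaint is that the traditional BSD-style stamp ("Nov 11 17:25:55") carries neither a year nor a timezone, so a stored log line cannot be placed on a timeline without guessing, whereas the RFC 3339 stamp used by RFC 5424 is self-describing. The following is an added example, not code from the thread or from rsyslog: it parses both styles, marks which stamps are exact, and applies the usual year-rollover heuristic for the old format. The sample log lines, hostnames and addresses are constructed; `parse_timestamp` and `normalize` are names chosen here.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines describing the same event: the first in the RFC 3164
# style that distros configure rsyslog to write, the second in RFC 5424 / RFC 3339 style.
SAMPLE_LINES = [
    "Nov 11 17:25:55 host1 sshd[4242]: Accepted publickey for alice from 192.0.2.10",
    "2010-11-11T17:25:55.123456+01:00 host1 sshd[4242]: Accepted publickey for alice from 192.0.2.10",
]

# RFC 3164: "Mmm dd hh:mm:ss" with a space-padded day; no year, no zone.
BSD_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
# RFC 3339: full date, optional fraction, mandatory zone (Z or +hh:mm).
RFC3339_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?(?:Z|[+-]\d{2}:\d{2})) (?P<rest>.*)$"
)


def parse_timestamp(line, now):
    """Return (datetime, exact, rest).

    exact is True when the stamp fully determines the instant (RFC 3339) and
    False when the year and zone had to be assumed (RFC 3164). `now` is the
    reader's current aware datetime and supplies the assumed year and zone.
    """
    m = RFC3339_RE.match(line)
    if m:
        # fromisoformat() accepts "+01:00" offsets; map "Z" to an explicit offset.
        ts = m["ts"].replace("Z", "+00:00")
        return datetime.fromisoformat(ts), True, m["rest"]

    m = BSD_RE.match(line)
    if m:
        # Assume the reader's year and zone. If that lands the entry more than a
        # day in the future, it was almost certainly written before the last
        # year boundary (December log read in January), so step back one year.
        stamp = f"{now.year} {m['mon']} {m['day']} {m['time']}"
        dt = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=now.tzinfo)
        if dt > now + timedelta(days=1):
            try:
                dt = dt.replace(year=now.year - 1)
            except ValueError:
                pass  # Feb 29 with no Feb 29 the year before: keep the parsed value
        return dt, False, m["rest"]

    raise ValueError(f"unrecognized timestamp: {line!r}")


def normalize(lines, now_iso):
    """Rewrite each line's stamp as RFC 3339; returns (iso_stamp, exact, rest) per line."""
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return [
        (dt.isoformat(), exact, rest)
        for dt, exact, rest in (parse_timestamp(line, now) for line in lines)
    ]


if __name__ == "__main__":
    # Reading the constructed lines in January 2011 from a CET host.
    for iso, exact, rest in normalize(SAMPLE_LINES, "2011-01-05T09:00:00+01:00"):
        print(f"{iso}  exact={exact}  {rest}")
```

Both sample lines resolve to the same instant, but only the RFC 3339 one does so without the `now`-dependent guess; a forensic timeline built from traditional-format files inherits that guess for every entry. On rsyslog the difference is a template choice: the `$ActionFileDefaultTemplate` directive set to `RSYSLOG_TraditionalFileFormat` produces the old stamp, while `RSYSLOG_FileFormat` writes the RFC 3339 high-precision one.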