RE: [Syslog] delineated datagrams

Balazs Scheidler <bazsi@balabit.hu> Wed, 09 August 2006 07:46 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GAimG-0002UB-4H; Wed, 09 Aug 2006 03:46:56 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GAimF-0002U5-9e for syslog@ietf.org; Wed, 09 Aug 2006 03:46:55 -0400
Received: from balabit.hu ([82.141.167.23]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GAimC-0006ed-Su for syslog@ietf.org; Wed, 09 Aug 2006 03:46:55 -0400
Subject: RE: [Syslog] delineated datagrams
From: Balazs Scheidler <bazsi@balabit.hu>
To: John Calcote <jcalcote@novell.com>
In-Reply-To: <44D89525.37FF.0081.0@novell.com>
References: <00f801c6af25$a5423c30$8c0c6f0a@china.huawei.com> <Pine.GSO.4.63.0608040708180.13343@sjc-cde-003.cisco.com> <44D89525.37FF.0081.0@novell.com>
Content-Type: text/plain
Date: Wed, 09 Aug 2006 09:46:50 +0200
Message-Id: <1155109610.6312.10.camel@bzorp.balabit>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: bb8f917bb6b8da28fc948aeffb74aa17
Cc: syslog@ietf.org, 'Tom Petch' <nwnetworks@dial.pipex.com>
X-BeenThere: syslog@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/syslog>
List-Post: <mailto:syslog@lists.ietf.org>
List-Help: <mailto:syslog-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@lists.ietf.org?subject=subscribe>
Errors-To: syslog-bounces@lists.ietf.org

On Tue, 2006-08-08 at 13:44 -0600, John Calcote wrote:
> Chris,
> 
> While I agree with you in principle that both forms of delineation are
> nice to have for interop, I _wish_ we could get rid of LF - that so
> limits the sort of data that can be sent in the message. My two
> cents...

The message you send are _already_ limited as most syslog daemons
replace "\n" character with something else as it would clobber the
message file when it is written to disk. 

In fact leaving the CR LF characters in the message could be a security
risk as that way messages can be "hidden", for instance if a daemon
writes the following message:

This is a foo message, bar=<data supplied by external entity>

Then the value for "bar" might contain CR, putting the cursor to the
beginning of the line on a usual VT100 compatible terminal, and the rest
of can pose as a regular log message, overwriting the previous one on
the screen.

Of course this can be worked around by using some form of escaping while
data is written to files, but again the LF character does not remain
intact.

syslog-ng for instance replaces CR and LF characters in the message with
a space as it comes in. I rarely heard any complaints about this
behaviour. And another fact is syslog/RAW also uses LF line terminators
when multiple messages are delivered in a single BEEP frame.

-- 
Bazsi


_______________________________________________
Syslog mailing list
Syslog@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/syslog