Re: [Syslog] New Version Notification for draft-gerhards-syslog-plain-tcp-05 (fwd)

"t.petch" <> Mon, 01 November 2010 18:04 UTC

Message-ID: <001101cb79e6$8d321620$>
From: "t.petch" <>
To: "Chris Lonvick" <>, <>
References: <>
Date: Mon, 1 Nov 2010 18:01:49 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit


I had not noticed before but this seems to have changed direction during the
summer; Informational not Standards Track, and stressing byte-counting more,
byte-stuffing less.

I do find it less clear.  I think that the Introduction needs more work in the
light of the changes to the rest of the document. I read
"This specification includes descriptions of both
   format options in an attempt to ensure that standardized syslog
   transport receivers can receive and properly interpret messages sent
   from legacy syslog senders."
got to the end of the document and thought 'oh no it does not!' and then
realised that this is now an Appendix whereas before it was in the main body.
Of course, if you never knew it was in the body, you might not be as confused as

But really, the emphasis on standardised and legacy syslog seems misplaced.  The
carriage over TCP is the same whether what is carried is SYSLOG-3164 or SYSLOG-MSG,
so the distinction seems spurious.  And SYSLOG-3164 does not appear in any RFC
or I-D I can find.

Rather, you have two forms of adaptation to carry a message, and what that
message is is mostly academic.

Separately, I think that more is needed on Security.  It is easier to sabotage
TCP than it is UDP; spurious FIN, RST etc.

And I think more is needed on closing the session.  The transport receiver
detects a format error (well, the transport sender is not going to), sends FIN,
gets FIN-ACK and ....  the transport sender carries merrily on.  I think that
there should be a recommendation that the transport sender closes the connection
and reopens it if it wants to.

Tom Petch
----- Original Message -----
From: "Chris Lonvick" <>
To: <>
Sent: Friday, October 01, 2010 9:16 PM
Subject: [Syslog] New Version Notification for
draft-gerhards-syslog-plain-tcp-05 (fwd)

> Hi Folks,
> While this is a non-WG item, there are some people interested.  I've
> updated the syslog/tcp draft and I'll invite reviews and comments.
> Thanks,
> Chris
> ---------- Forwarded message ----------
> Date: Thu, 30 Sep 2010 09:04:15 -0700 (PDT)
> From: IETF I-D Submission Tool <>
> To:
> Cc:
> Subject: New Version Notification for draft-gerhards-syslog-plain-tcp-05
> A new version of I-D, draft-gerhards-syslog-plain-tcp-05.txt has been
> successfully submitted by Chris Lonvick and posted to the IETF repository.
> Filename: draft-gerhards-syslog-plain-tcp
> Revision: 05
> Title: Transmission of Syslog Messages over TCP
> Creation_date: 2010-09-30
> WG ID: Independent Submission
> Number_of_pages: 14
> Abstract:
> There have been many implementations and deployments of legacy syslog
> over TCP for many years.  That protocol has evolved without being
> standardized and has proven to be quite interoperable in practice.
> The aim of this specification is to document three things: how to
> transmit standardized syslog over TCP, how TCP has been used as a
> transport for legacy syslog, and how to correlate these usages.
> The IETF Secretariat.
> _______________________________________________
> Syslog mailing list
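The two "forms of adaptation" the mail contrasts (byte-counting and byte-stuffing) and the receiver-side format error it discusses, as an added illustration. This is editor's code, not text or code from the draft or from either poster. It assumes that an octet-counted frame is a decimal length, a space, then exactly that many message bytes; that the non-transparent form ends each message with a single LF; that messages in either form begin with "<PRI>", so a leading digit selects octet-counting and a leading "<" selects LF framing; and that a receiver caps the accepted length (MAX_FRAME below is my choice). The receiver-side rule that a FramingError means "close the connection" is the behaviour the mail asks for, not something the draft text on this page states.

```python
"""Framing for syslog over plain TCP: octet-counting vs. LF trailer.

Added example (not from the draft or the mailing list).  Assumptions:
octet-counting frame = DIGITS SP MSG; LF-trailer frame = MSG LF;
every message starts with "<PRI>", so the first byte selects the form;
MAX_FRAME is a local resource-exhaustion guard, not a draft requirement.
"""
import re

MAX_FRAME = 64 * 1024                       # assumed cap on one frame
_OCTET_HDR = re.compile(rb"([1-9][0-9]*) ")  # no '^': match() is anchored at pos


class FramingError(ValueError):
    """Stream cannot be parsed; the receiver should close the connection."""


def frame_octet_counting(msg: bytes) -> bytes:
    """Sender side: prefix the message with its byte length and a space."""
    return b"%d %s" % (len(msg), msg)


def frame_lf(msg: bytes) -> bytes:
    """Sender side: append the LF trailer. A message containing LF cannot
    be carried this way without corrupting the stream."""
    if b"\n" in msg:
        raise FramingError("message contains the trailer byte; use octet-counting")
    return msg + b"\n"


def decode_stream(buf: bytes):
    """Receiver side: split a TCP byte stream into messages.

    Returns (messages, remainder): messages is a list of (form, payload)
    tuples with form "octet-counting" or "lf-trailer"; remainder is the
    unconsumed tail of an incomplete frame.  Raises FramingError on a
    format error, at which point the receiver should close the session.
    """
    out = []
    pos, n = 0, len(buf)
    while pos < n:
        first = buf[pos:pos + 1]
        if first.isdigit():
            m = _OCTET_HDR.match(buf, pos)
            if not m:
                # Only digits so far: the space may simply not have arrived yet.
                if buf[pos:].isdigit() and n - pos <= 10:
                    break
                raise FramingError("malformed octet-count header")
            length = int(m.group(1))
            if length > MAX_FRAME:
                raise FramingError("octet count %d exceeds cap" % length)
            start, end = m.end(), m.end() + length
            if end > n:
                break                        # incomplete frame; wait for more
            out.append(("octet-counting", buf[start:end]))
            pos = end
        elif first == b"<":
            nl = buf.find(b"\n", pos)
            if nl == -1:
                if n - pos > MAX_FRAME:
                    raise FramingError("unterminated frame exceeds cap")
                break                        # incomplete frame; wait for more
            out.append(("lf-trailer", buf[pos:nl]))
            pos = nl + 1
        else:
            raise FramingError("unexpected byte %r at frame start" % first)
    return out, buf[pos:]


def well_formed(buf: bytes) -> bool:
    """True if the buffer parses without a format error (complete or not)."""
    try:
        decode_stream(buf)
        return True
    except FramingError:
        return False


# Constructed sample stream: one octet-counted multi-line message, one
# legacy LF-framed message, then the start of an incomplete frame.
SAMPLE = (
    frame_octet_counting(b"<34>1 2010-11-01T18:01:49Z pc6 app - - - line1\nline2")
    + frame_lf(b"<13>Nov  1 18:01:49 pc6 legacy: hello")
    + b"12 <13>partial"
)

if __name__ == "__main__":
    msgs, rest = decode_stream(SAMPLE)
    for form, payload in msgs:
        print(form, payload)
    print("incomplete tail:", rest)
    print("malformed header accepted?", well_formed(b"12x<13>abc\n"))
```

The multi-line message in the sample can only travel as an octet-counted frame; under LF framing the embedded newline would be read as a trailer and the rest of the line as a second, malformed message, which is the kind of format error the receiver, not the sender, ends up detecting.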