[Syslog] Small draft for Syslog File Storage?

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Wed, 10 November 2010 06:24 UTC

Return-Path: <rgerhards@hq.adiscon.com>
X-Original-To: syslog@core3.amsl.com
Delivered-To: syslog@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id A4B5E3A68E6 for <syslog@core3.amsl.com>; Tue, 9 Nov 2010 22:24:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id nsmlY07h-dS7 for <syslog@core3.amsl.com>; Tue, 9 Nov 2010 22:23:59 -0800 (PST)
Received: from vmmail.adiscon.com (vmmail.adiscon.com []) by core3.amsl.com (Postfix) with ESMTP id 824763A68EA for <syslog@ietf.org>; Tue, 9 Nov 2010 22:23:54 -0800 (PST)
Received: from localhost (localhost []) by vmmail.adiscon.com (Postfix) with ESMTP id 021CE74A46D for <syslog@ietf.org>; Wed, 10 Nov 2010 07:24:20 +0100 (CET)
Received: from vmmail.adiscon.com ([]) by localhost (vmmail.adiscon.com []) (amavisd-new, port 10024) with ESMTP id dXbT6N4jTA2G for <syslog@ietf.org>; Wed, 10 Nov 2010 07:24:19 +0100 (CET)
Received: from GRFEXC.intern.adiscon.com (pd95c774a.dip0.t-ipconnect.de []) by vmmail.adiscon.com (Postfix) with ESMTPA id C4A5274A466 for <syslog@ietf.org>; Wed, 10 Nov 2010 07:24:19 +0100 (CET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
x-cr-puzzleid: {435F3908-A628-4949-863B-181A7905EC06}
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
x-cr-hashedpuzzle: /D4= AlaA BCp3 BfgA Bsh4 ByVD CLv4 FGZz FJH4 GwZH HfHH H12R H8rG H+JF IiKy Is+E; 1; cwB5AHMAbABvAGcAQABpAGUAdABmAC4AbwByAGcA; Sosha1_v1; 7; {435F3908-A628-4949-863B-181A7905EC06}; cgBnAGUAcgBoAGEAcgBkAHMAQABoAHEALgBhAGQAaQBzAGMAbwBuAC4AYwBvAG0A; Wed, 10 Nov 2010 06:24:17 GMT; UwBtAGEAbABsACAAZAByAGEAZgB0ACAAZgBvAHIAIABTAHkAcwBsAG8AZwAgAEYAaQBsAGUAIABTAHQAbwByAGEAZwBlAD8A
Date: Wed, 10 Nov 2010 07:24:17 +0100
Message-ID: <9B6E2A8877C38245BFB15CC491A11DA71DD6C5@GRFEXC.intern.adiscon.com>
Thread-Topic: Small draft for Syslog File Storage?
Thread-Index: AcuAn+bP3HAgEVt4R0ibTtuACoge8Q==
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: <syslog@ietf.org>
Subject: [Syslog] Small draft for Syslog File Storage?
X-BeenThere: syslog@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Issues in Network Event Logging <syslog.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/syslog>
List-Post: <mailto:syslog@ietf.org>
List-Help: <mailto:syslog-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/syslog>, <mailto:syslog-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Nov 2010 06:24:04 -0000

Hi all,

In what we did, we specified the on-the-wire format. However, we did not
specify any format to use when persisting syslog data to a file.

Note that we were very generous when specifying the on-the-wire format, for
example we permit LF, CR, NUL and many other characters considered dangerous
in file formats.

There are many tools available which interpret syslog data stored in text
files. However, different syslog implementations may use slightly different
file formats.

Together with the control character issue, the file format question both has
interoperability AND security issues. I think these would be very easy to fix
if we write a small RFC that specifies how text is to be encoded. It would be
similar, but much smaller to RFC4627 (JSON). Actually, I think we would need
to carry over primarily its section 2.5.

I would volunteer to write an initial draft, but would first like to get some
feedback if this effort has any chance of getting through.