Re: [Syslog] Legitimate \n or byte-counting

Carson Gaspar <carson@taltos.org> Fri, 18 August 2006 20:16 UTC

Date: Fri, 18 Aug 2006 13:18:51 -0700
From: Carson Gaspar <carson@taltos.org>
To: syslog@ietf.org
Subject: Re: [Syslog] Legitimate \n or byte-counting
Message-ID: <18208CB19EAB34CE8960181B@[192.168.1.2]>
In-Reply-To: <Pine.GSO.4.63.0608180727510.12295@sjc-cde-003.cisco.com>
References: <Pine.GSO.4.63.0608180727510.12295@sjc-cde-003.cisco.com>

--On Friday, August 18, 2006 7:35 AM -0700 Chris Lonvick 
<clonvick@cisco.com> wrote:

> If we use LF-escaping in syslog messages, what's going to happen if a
> legitimate "\n" is sent by a sender?  An example would be:
>
>     <PRI>... BOM The offending characters are \n
>
> Will a receiver convert that into LF?  If that's the case then we should
> not be using LF-escaping.

I raised the same issue. The answer is the receiver will examine the 
protocol version and will not un-escape unless the sender is a new-style 
sender. I'm still not convinced that the installed base of TCP syslog 
deployments is large enough to care about, but, given the decision to 
maximize backwards compatibility, this is "good enough" to make 
implementation possible.

-- 
Carson
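
The version-gated un-escaping described in the reply above, as an added example that is not part of the thread or of any syslog draft. It assumes LF-delimited TCP framing, an escaping scheme that maps LF to `\n` and backslash to `\\`, and that a new-style sender is recognizable by a version number directly after `<PRI>`; all function and constant names are hypothetical.

```python
import re

# Assumption: a new-style frame carries a version number right after <PRI>
# ("<13>1 ..."), while a legacy frame goes straight to the timestamp
# ("<13>Aug 18 ...").
NEW_STYLE = re.compile(rb"^<\d{1,3}>[1-9]\d{0,2} ")

def escape(msg):
    """New-style sender: make the message LF-free so LF can delimit frames."""
    # Backslash first, so the backslash we emit for LF is not doubled again.
    return msg.replace(b"\\", b"\\\\").replace(b"\n", b"\\n")

def unescape(msg):
    """Reverse escape() in a single left-to-right pass.

    One pass matters: backslash-backslash-n must become backslash + 'n',
    not backslash + LF.
    """
    return re.sub(rb"\\(\\|n)",
                  lambda m: b"\n" if m.group(1) == b"n" else b"\\",
                  msg)

def receive(stream):
    """Split an LF-delimited stream; un-escape only frames from new-style senders."""
    messages = []
    for frame in stream.split(b"\n"):
        if not frame:
            continue  # trailing delimiter
        messages.append(unescape(frame) if NEW_STYLE.match(frame) else frame)
    return messages

# Constructed sample input (not taken from the thread).
# Legacy sender: backslash + 'n' is two literal characters of the message text.
LEGACY = b"<13>Aug 18 13:18:51 host app: The offending characters are \\n"
# New-style sender: same literal text plus a genuine embedded LF.
NEW_ORIG = (b"<13>1 2006-08-18T13:18:51Z host app - - - "
            b"literal \\n then a real\nsecond line")
STREAM = LEGACY + b"\n" + escape(NEW_ORIG) + b"\n"

if __name__ == "__main__":
    for m in receive(STREAM):
        print(repr(m))
```

A receiver that un-escaped every frame regardless of version would turn the legacy sender's literal `\n` into a line break, letting message text start what looks like a new record in downstream line-oriented logs.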
