Re: [Syslog] Small draft for Syslog File Storage?

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Thu, 11 November 2010 16:21 UTC

Date: Thu, 11 Nov 2010 17:21:40 +0100
From: "Rainer Gerhards" <rgerhards@hq.adiscon.com>
To: "Chris Lonvick" <clonvick@cisco.com>, "Simon Josefsson" <simon@josefsson.org>
Cc: syslog@ietf.org
Subject: Re: [Syslog] Small draft for Syslog File Storage?

> -----Original Message-----
> From: Chris Lonvick [mailto:clonvick@cisco.com]
> Sent: Thursday, November 11, 2010 5:19 PM
> To: Simon Josefsson
> Cc: Rainer Gerhards; syslog@ietf.org
> Subject: Re: [Syslog] Small draft for Syslog File Storage?
> 
> Hi Simon,
> 
> On Wed, 10 Nov 2010, Simon Josefsson wrote:
> > Oh, and please use a timestamp format that embeds the year!  How about
> > the RFC 3339 format?  I hate how it is impossible to know what year a
> > log entry was written on modern Linux systems.
> 
> Take a look at RFC 5424.  The timestamp is from RFC 3339.

Sorry for the silence today. I am currently working very hard on very complex
code for log normalization.

But one thing quickly: the timestamp is a typical example of how the real
world is hesitant to change. Rsyslog has become the default syslogd on almost
all modern Linux distros. Rsyslog emits RFC3339 stamps by default, and also
uses them by default inside log files. But *all* distros have configured it
to use the old-style timestamp...

Rainer
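
The year ambiguity discussed in this thread, as an added example (not code from the thread or from rsyslog): a Python parser that reads both stamp styles and has to guess the year for old-style lines from a reference time. The function name, the reference-time heuristic and the sample lines are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Old-style stamp ("Nov 11 17:21:40"): no year and no UTC offset.
LEGACY = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d\d):(\d\d):(\d\d) ")
# RFC 3339 stamp as used by RFC 5424: year, optional fraction, offset or Z.
RFC3339 = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(\.\d+)?(Z|[+-]\d\d:\d\d) ")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

def parse_stamp(line, reference):
    """Return (aware datetime, year_was_guessed) for one log line.

    reference is an aware datetime at or after the entry, such as the log
    file's modification time (a heuristic assumed by this example).
    """
    m = RFC3339.match(line)
    if m:
        base, frac, off = m.groups()
        frac = (frac or ".0")[:7]              # datetime keeps microseconds only
        off = "+00:00" if off == "Z" else off
        ts = datetime.strptime(base + frac + off, "%Y-%m-%dT%H:%M:%S.%f%z")
        return ts, False
    m = LEGACY.match(line)
    if not m:
        raise ValueError("no recognised timestamp: %r" % line[:32])
    mon, day, hh, mm, ss = m.groups()
    month = MONTHS.index(mon) + 1
    # The year is not in the file. Try the reference year, then the one before
    # (December lines read in January). Anything older cannot be told apart.
    for year in (reference.year, reference.year - 1):
        try:
            ts = datetime(year, month, int(day), int(hh), int(mm), int(ss),
                          tzinfo=reference.tzinfo)   # zone is assumed as well
        except ValueError:                     # e.g. Feb 29 in a non-leap year
            continue
        if ts <= reference:
            return ts, True
    raise ValueError("cannot place entry before reference: %r" % line[:32])

# Constructed sample lines, not taken from a real system.
SAMPLE = [
    "Dec 31 23:59:58 host1 sshd[411]: session closed",
    "Jan  2 08:00:00 host1 cron[97]: job started",
    "2010-11-11T17:21:40+01:00 host1 app: started",
]

if __name__ == "__main__":
    ref = datetime(2011, 1, 3, 12, 0, tzinfo=timezone.utc)
    for entry in SAMPLE:
        print(parse_stamp(entry, ref), entry)
```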