Re: [Syslog] [OPSAWG] Syslog message to Remote Rerver

"Aditya Dogra (addogra)" <> Mon, 25 February 2013 04:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4D0D921F912D; Sun, 24 Feb 2013 20:47:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id CBf6Ts0aYDcg; Sun, 24 Feb 2013 20:47:23 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 4630421F9127; Sun, 24 Feb 2013 20:47:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=4144; q=dns/txt; s=iport; t=1361767643; x=1362977243; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=nYrPojAbx3sVRSzv92jxiyfPfyoZR4Km0u7PutgWMPA=; b=TCbUkny+js2c+zYD3RkGa1WIOSxh+mFxFFNdxxAyZbSKlDUqu1fNWnqi xvjE8otkJt3/tMzq3YBJzgPBHFzzuYmgblxiqaqalz+Uej4Fmrw4ddM4F oHkh5bwRYpJpGf6/3fI2NK/ghPfJMp4TonhWmrcZRGN1KccIdpNhyNMl2 s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="4.84,732,1355097600"; d="scan'208";a="180654512"
Received: from ([]) by with ESMTP; 25 Feb 2013 04:47:21 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id r1P4lLYq022522 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 25 Feb 2013 04:47:21 GMT
Received: from ([]) by ([]) with mapi id 14.02.0318.004; Sun, 24 Feb 2013 22:47:20 -0600
From: "Aditya Dogra (addogra)" <>
To: Christopher LILJENSTOLPE <>
Thread-Topic: [OPSAWG] Syslog message to Remote Rerver
Thread-Index: Ac4QUAvJ5qy04rHwSuGPQ3t4GDBIhQC8oSCAAAwtM+A=
Date: Mon, 25 Feb 2013 04:47:20 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 25 Feb 2013 14:03:02 -0800
Cc: "" <>, "" <>
Subject: Re: [Syslog] [OPSAWG] Syslog message to Remote Rerver
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Issues in Network Event Logging <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 25 Feb 2013 04:47:24 -0000

Hi Christopher,
      Sorry for not making my previous post clear. 
My point was since syslogs are tried up mostly with the base/OS layer , hence it comes pretty much earlier than the management plane comes up . And remote logging comes in picture when management plane comes up . Should syslog's be so reliable that we buffer them (in case of udp protocol) or maintain sessions (in case of tcp) (and maintain sessions during failover/switchovers) so that once management plane comes up , we send previous messages also. 

I am not talking on replacing syslogs with traps , and I agree it will be a hazard to purpose also .  My point was just like SNMP lies on management plane and hence is tightly coupled with the outgoing/exit interfaces , so it makes it more reliable in case of remote logging of traps . 
-Aditya dogra

-----Original Message-----
From: Christopher LILJENSTOLPE [] 
Sent: Monday, February 25, 2013 9:56 AM
To: Aditya Dogra (addogra)
Subject: Re: [OPSAWG] Syslog message to Remote Rerver

Greetings Aditya,

	Can I ask for a little more clarity as to what you are asking?  Are you asking the operational community for their expectations on syslog message reliability (it seems so in (a), or are you making a statement that you do not believe that the reliability is not sufficient (your earlier comments)?  Also, you mention in (b) that SNMP is there.  That is true - are you proposing that SNMP be used to augment syslog (if so, I would hazard to guess that that is already a solution that is widely deployed).


On 21Feb2013, at 08.25, Aditya Dogra (addogra) <> wrote:

> Hi All ,
> Currently syslog messages collected locally on the network device are transmitted to the remote syslog servers as per RFC 5424 (UDP protocol used for transmission) and RFC 3195 (TCP protocol used for transmission)
> However, we have observed that increasingly, customers are using syslog messages archived in the remote server for business logic .
> In some networks, it is possible that some of the syslog messages may be dropped due to link failure or other network conditions.
> However, the customers are expecting much higher resiliency for the syslog messages.
> The questions we seek clarification are:
> a)         What are the expectations from the external syslog delivery?
> b)         Should we rely on syslog's alone ? Please note that SNMP traps functionality for network management is also there.?
> Your thoughts and suggestions much appreciated.
> Regards,
> Aditya dogra
> _______________________________________________
> OPSAWG mailing list

Check my PGP key here:
Current vCard here:
Check my calendar availability: