RE: [Syslog] delineated datagrams

"John Calcote" <> Wed, 09 August 2006 19:21 UTC

Received: from [] ( by with esmtp (Exim 4.43) id 1GAtcM-0005D1-BG; Wed, 09 Aug 2006 15:21:26 -0400
Received: from [] ( by with esmtp (Exim 4.43) id 1GAtcK-0005AU-Nt for; Wed, 09 Aug 2006 15:21:24 -0400
Received: from ([] by with esmtp (Exim 4.43) id 1GAtQN-0006s0-3G for; Wed, 09 Aug 2006 15:09:03 -0400
Received: from ([]) by with esmtp (Exim 4.43) id 1GAtQJ-00019x-Hp for; Wed, 09 Aug 2006 15:09:02 -0400
Received: from INET-PRV-MTA by with Novell_GroupWise; Wed, 09 Aug 2006 13:08:50 -0600
Message-Id: <>
X-Mailer: Novell GroupWise Internet Agent 7.0.1
Date: Wed, 09 Aug 2006 13:06:44 -0600
From: John Calcote <>
To: Balazs Scheidler <>
Subject: RE: [Syslog] delineated datagrams
References: <00f801c6af25$a5423c30$> <> <> <1155109610.6312.10.camel@bzorp.balabit>
In-Reply-To: <1155109610.6312.10.camel@bzorp.balabit>
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Spam-Score: -2.3 (--)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Cc:, 'Tom Petch' <>
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security Issues in Network Event Logging <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>


Thanks. You're right of course. I've been considering using a
compressed form of XML for our messages anyway because I don't like the
chatty nature of XML in a logging protocol. One compression technique is
as simple as removing all of the \r\n\t and space characters, and then
removing the closing tag names (eg., </done> becomes </>) as parsers
don't need the tag name in the close tag anyway. This alone would solve
a few problems.


>>> Balazs Scheidler <> 8/9/2006 1:46 AM >>>
On Tue, 2006-08-08 at 13:44 -0600, John Calcote wrote:
> Chris,
> While I agree with you in principle that both forms of delineation
> nice to have for interop, I _wish_ we could get rid of LF - that so
> limits the sort of data that can be sent in the message. My two
> cents...

The message you send are _already_ limited as most syslog daemons
replace "\n" character with something else as it would clobber the
message file when it is written to disk. 

In fact leaving the CR LF characters in the message could be a
risk as that way messages can be "hidden", for instance if a daemon
writes the following message:

This is a foo message, bar=<data supplied by external entity>

Then the value for "bar" might contain CR, putting the cursor to the
beginning of the line on a usual VT100 compatible terminal, and the
of can pose as a regular log message, overwriting the previous one on
the screen.

Of course this can be worked around by using some form of escaping
data is written to files, but again the LF character does not remain

syslog-ng for instance replaces CR and LF characters in the message
a space as it comes in. I rarely heard any complaints about this
behaviour. And another fact is syslog/RAW also uses LF line
when multiple messages are delivered in a single BEEP frame.


Syslog mailing list