Syslog TCP/IP Frames
• Mark Eschbach
I left off with the TCP/IP framing incorrect. As a result, the PaperTrail target dropped the message, which is kind of an unfortunate event since it should have just logged it according to the invalid message rules of RFC5424. It took some sleuthing, however I found RFC6587, which describes the transmission and framing for Syslog/TCP/IP. The underlying problem with using TCP is that the continuous stream doesn't allow for frame termination. To get around this there are two methods: transparent and octet counting. Octet counting, as specced in 3.4.1, is the ASCII digits counting the number of octets in the frame. Sounds simple enough, however I've already experimented with the transparent frames using the linefeed character and that worked as expected. Each frame, as per 3.4.2, is terminated via a linefeed (char 10) or null (char 0). As a note, it does look like PaperTrail is complying with the RFC by dropping the incomplete inflight frame as per 3.5 of the RFC.
Alrighty, now that I've got stream delimiters set up properly I've run into an additional issue: PaperTrail will only accept log messages in Zulu time. Time to figure out how to make that work. I've come across this SO post but I was hoping to use the formatter for input and output, following Postel's law. Unfortunately PaperTrail wants Zulu time. Additionally PaperTrail requires host names shorter than 30 characters, but it's happy with 17.
Alrighty, I've got it logging successfully; time to move on.
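
The two framing methods and the Zulu timestamp discussed above, as an added example in Python (not code from the original post): sender-side framing plus a receiver-side deframer that keeps an incomplete in-flight frame as leftover. RFC 6587 titles the 3.4.2 method "non-transparent framing". `MAX_LEN`, the sample host and app names, and mixing both methods in one buffer are assumptions made for the demonstration.

```python
from datetime import datetime, timedelta, timezone

MAX_LEN = 8192  # assumed receiver limit on MSG-LEN; not a value from the post

def zulu(dt):
    """RFC 5424 TIMESTAMP normalised to UTC with the 'Z' suffix."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def frame_octets(msg):
    """RFC 6587 3.4.1: ASCII decimal MSG-LEN, one space, then the message."""
    return str(len(msg)).encode("ascii") + b" " + msg

def frame_lf(msg):
    """RFC 6587 3.4.2: message plus LF; the terminator must not occur inside it."""
    if b"\n" in msg or b"\x00" in msg:
        raise ValueError("message contains a frame terminator")
    return msg + b"\n"

def deframe(buf):
    """Split a receive buffer into complete frames plus the unconsumed tail."""
    frames, pos = [], 0
    while pos < len(buf):
        if buf[pos:pos + 1] in b"123456789":          # octet counting
            sp = buf.find(b" ", pos)
            token = buf[pos:sp] if sp != -1 else buf[pos:]
            if not token.isdigit() or int(token) > MAX_LEN:
                raise ValueError("invalid MSG-LEN")   # reject before buffering
            end = sp + 1 + int(token)
            if sp == -1 or end > len(buf):
                break                                  # frame still in flight
            frames.append(buf[sp + 1:end])
            pos = end
        else:                                          # LF or NUL terminated
            ends = [i for i in (buf.find(b"\n", pos), buf.find(b"\x00", pos)) if i != -1]
            if not ends:
                break                                  # no terminator yet
            frames.append(buf[pos:min(ends)])
            pos = min(ends) + 1
    return frames, buf[pos:]

# Constructed sample messages (host and app names are made up).
LOCAL = datetime(2015, 3, 1, 18, 30, 5, tzinfo=timezone(timedelta(hours=-8)))
M1 = f"<14>1 {zulu(LOCAL)} web01 demo - - - first".encode()
M2 = f"<14>1 {zulu(LOCAL)} web01 demo - - - second".encode()
STREAM = frame_octets(M1) + frame_lf(M2) + frame_octets(M1)[:10]

if __name__ == "__main__":
    print(deframe(STREAM))
```

An octet-counted frame may carry an embedded linefeed, while `frame_lf` has to reject one; a receiver that bounds `MSG-LEN` also avoids buffering an arbitrarily large claimed frame.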