Wednesday, January 21, 2009

RFC 3195 back in the game?

RFC 3195 was thought to be the solution for reliable syslog. It is based on TCP and the BEEP protocol. It was written in November 2001 but never gained much attention. The primary reason everyone tells you is the complexity of BEEP (and the lack of toolkits). A few years ago, I wrote my own logging-related RFC 3195 toolkit, liblogging. It, too, did not get much momentum.

Anyhow, I used a modified version of liblogging to offer RFC 3195 support under Windows as part of the MonitorWare product line. Again, we never heard much of this feature. In rsyslog, I created an input plugin for RFC 3195. At that time, however, I already had the feeling 3195 was a failure. So I was hesitant to implement an output plugin, too. And, as expected: nobody ever cared, except for some folks building packages. And these not for practical needs but for the sake of getting packages for everything...

So up until now, I would conclude that 3195 is indeed a failure. However, there seems to be some increasing interest. At least, I got a couple of questions the past weeks on RFC3195 and Adiscon, my company, just got a not-so-small order of its EventReporter product which explicitly has RFC 3195 put into the requirements. Is this a sign of increasing interest? Or is just somebody filling check mark items? This remains to be seen.

So, there seems to be a slight chance that RFC 3195 is getting revived. Maybe it just took some years for the idea to ripen. In any case, I am prepared for RFC 3195 demand. Maybe finally doing all that work begins to pay off...

4 comments:

Adrian said...

Fortinet firewalls have recently implemented RFC3195 logging. Looks like I've found a friend in rsyslog. Was just about to go for a syslog-ng setup.

Rainer said...

Very interesting. While 3195 is not my priority at this time, I would be very interested in any results you may get.

Alex said...

Tried to compile rsyslog with im3195 and finally could get it installed with all libraries (libee, libestr).

However, when rsyslog receives the first SYN it dies.

As you said, there is no big interest in RFC 3195, and therefore not so many tools to test.

Alex
