I found the syslog design to be well done on that point, ignoring whether it was accidental or not :D
+1 for json. Format messages as JSON for logging. Update/reconfigure applications to write json logs.
The structured data headers of syslog can be used for enriching log messages with metadata (instance id, instance ip, tags, environment, etc.).
The RFC 5xxx design allows managing the message (application's responsibility) and the metadata (relay's responsibility) separately, so it's nice.
[Note: If ALL messages were JSON logs and the tooling could manipulate JSON messages directly to add/remove fields, there would be no need for a different metadata channel.]
> That is unrelated to syslog because it is simply a log transport mechanism.
Only partially: RFC5424 defines the structured data format (which unfortunately is not widely used).
syslog is also the syslog() interface, and as far as I know there is no reference implementation for encoding structured data in the format the RFC describes.
Personally I'd rather it be something like json.
I could patch openssh to log using json, but the chances of that ever getting merged are probably 0.
> See two independent specifications for example:
Well, RFC5424 says it obsoletes 3164 at least. 3164 is just embarrassing, especially the section on timestamps: https://tools.ietf.org/html/rfc3164#section-5.1
Adding a year to the date was "not consistent with the original intent of the order and format of the fields". 5424 at least says "Use this specific form of RFC3339".
> Switches/routers/appliances cause even more issue because the custom implementations tend to not format messages perfectly for any of the RFC
Ugh, I know it. As I said in another comment, we run syslog collection as a service, so we receive logs from a large number of different devices not under our direct control.
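As an added example (not code from this thread, from OpenSSH, or from any syslog implementation), the Python below shows the two points raised above in working code: an RFC 5424 message whose MSG is a JSON body chosen by the application, a relay step that adds its own metadata as a separate SD-ELEMENT without touching that body, and a parser that honours the PARAM-VALUE escaping the RFC requires (a metadata value containing `]` or `"` would otherwise terminate the element early). It also formats and parses the RFC 3339-style TIMESTAMP with a year and zone, which the 3164 form lacks. The SD-ID `meta@32473` is a placeholder built on the RFC's reserved example enterprise number, and the sample message and relay metadata are constructed for the demo.

```python
"""RFC 5424 syslog encoder/parser with structured-data escaping (added example)."""
import json
import re
from datetime import datetime, timezone

NILVALUE = "-"


def escape_param_value(value: str) -> str:
    # RFC 5424 section 6.3.3: '"', '\' and ']' inside PARAM-VALUE must be escaped.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def unescape_param_value(value: str) -> str:
    return re.sub(r'\\([\\"\]])', r"\1", value)


def encode_structured_data(elements: dict) -> str:
    """{sd_id: {name: value}} -> '[sd_id name="value" ...]...' or '-' when empty."""
    if not elements:
        return NILVALUE
    parts = []
    for sd_id, params in elements.items():
        body = "".join(f' {k}="{escape_param_value(v)}"' for k, v in params.items())
        parts.append(f"[{sd_id}{body}]")
    return "".join(parts)


def format_timestamp(ts) -> str:
    # RFC 5424 TIMESTAMP: full date, 'T', time with optional fraction, mandatory zone.
    if ts is None:
        return NILVALUE
    if ts.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    s = ts.isoformat(timespec="microseconds")
    return s[:-6] + "Z" if s.endswith("+00:00") else s


def parse_timestamp(field: str):
    return None if field == NILVALUE else datetime.fromisoformat(field.replace("Z", "+00:00"))


def encode_syslog(facility, severity, ts, hostname, app_name, procid, msgid, sd, msg) -> str:
    pri = facility * 8 + severity
    return (f"<{pri}>1 {format_timestamp(ts)} {hostname} {app_name} {procid} {msgid} "
            f"{encode_structured_data(sd)}" + (f" {msg}" if msg else ""))


_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
                     r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ")
_SD_ID = re.compile(r"\[(?P<id>[^ \]\"=]+)")
_PARAM = re.compile(r'(?P<name>[^ =\]"]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def parse_structured_data(s: str, pos: int):
    """Scan SD-ELEMENTs from s[pos]; return ({sd_id: {name: value}}, index after them)."""
    elements = {}
    if s.startswith(NILVALUE, pos):
        return elements, pos + 1
    while s.startswith("[", pos):
        m = _SD_ID.match(s, pos)
        if not m:
            raise ValueError(f"bad SD-ID at {pos}")
        params, pos = {}, m.end()
        while s.startswith(" ", pos):  # each SD-PARAM is preceded by one SP
            pm = _PARAM.match(s, pos + 1)
            if not pm:
                raise ValueError(f"bad SD-PARAM at {pos}")
            params[pm.group("name")] = unescape_param_value(pm.group("value"))
            pos = pm.end()
        if not s.startswith("]", pos):
            raise ValueError(f"unterminated SD-ELEMENT at {pos}")
        elements[m.group("id")], pos = params, pos + 1
    if not elements:
        raise ValueError(f"expected STRUCTURED-DATA at {pos}")
    return elements, pos


def parse_syslog(line: str) -> dict:
    m = _HEADER.match(line)
    if not m or m.group("version") != "1":
        raise ValueError("not an RFC 5424 message")
    pri = int(m.group("pri"))
    sd, pos = parse_structured_data(line, m.end())
    msg = line[pos + 1:] if line.startswith(" ", pos) else ""  # MSG is optional
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": parse_timestamp(m.group("ts")),
            "hostname": m.group("host"), "app_name": m.group("app"), "procid": m.group("procid"),
            "msgid": m.group("msgid"), "structured_data": sd, "msg": msg}


def relay_enrich(line: str, sd_id: str, metadata: dict) -> str:
    """Relay's job: add its metadata as an SD-ELEMENT; the application's MSG is untouched."""
    rec = parse_syslog(line)
    sd = dict(rec["structured_data"])
    sd[sd_id] = {**sd.get(sd_id, {}), **metadata}
    return encode_syslog(rec["facility"], rec["severity"], rec["timestamp"], rec["hostname"],
                         rec["app_name"], rec["procid"], rec["msgid"], sd, rec["msg"])


# Constructed sample: the application emits a JSON body and no structured data; the relay
# then adds instance metadata, including a tag value that contains ']' and '"'.
APP_LINE = encode_syslog(4, 6, datetime(2003, 10, 11, 22, 14, 15, 3000, tzinfo=timezone.utc),
                         "web01", "sshd", "2410", "login", {},
                         json.dumps({"event": "accepted", "user": "alice", "src": "10.0.0.7"}))
RELAY_METADATA = {"instance_id": "i-0abc", "env": "prod", "tags": 'rack="r]7"'}
ENRICHED_LINE = relay_enrich(APP_LINE, "meta@32473", RELAY_METADATA)  # placeholder SD-ID

if __name__ == "__main__":
    print(APP_LINE)
    print(ENRICHED_LINE)
    print(json.dumps(parse_syslog(ENRICHED_LINE)["structured_data"], indent=2))
```

The parser is deliberately strict: a line whose SD section is neither `-` nor a well-formed `[...]` sequence raises instead of being guessed at, which is the behaviour you want on a collector that takes input from devices you do not control, since silently misparsing the boundary between STRUCTURED-DATA and MSG is how injected metadata ends up looking legitimate.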