Newer versions have deprecated a couple of symbols, resulting in a lot of compiler warning. However, for older GnuTLS versions, we need the old ones. Do some configure/macro work to use what is present on the build platform.

For the time being it's cosmetic, but GnuTLS may remove the deprecated symbols some time in the future.

contribution already exists on github, for details see rsyslog mailing list. "Just" needs to be added and, I think, a manpage be added.

ratelimit.discarded and ratelimit.numratelimiters are not available for modules imudp and imtcp.
imuxsock has these metrics.

Rsyslog 7.6.0-1

With normal logfiles, the files are rotated by logrotate. rsyslog packages on most platforms do this automatically

What is the recommended solution for purging old records from MongoDB? Could you suggest a default configuration for this in packages?

Hi,

this is the same issue described in rsyslog/liblogging#15.

Version: 7.6.0

When building rsyslog from the orig tarball, I get the following errors from the lintian automated checker:

E: rsyslog-doc: privacy-breach-google-adsense usr/share/doc/rsyslog-doc/html/rsyslog_secure_tls.html
N:
N: This package creates a privacy breach by using Google AdSense. Google
N: AdSense is a service run by Google that allows publishers of websites to
N: automatically serve advertisements. Unfortunately, it requires tracking
N: and breaching the privacy of web users.
N:
N: This tag can also indicate the use of the related obsolete privacy
N: breaching software, Urchin WebAnalytics.
N:
N: Note that using Google AdSense in a local copy of a page is a violation
N: of the Google AdSense terms of use. This violation renders this package
N: not distributable in Debian, and is thus a serious bug.
N:
N: Severity: serious, Certainty: possible
N:
N: Check: files, Type: binary, udeb
N:
E: rsyslog-doc: privacy-breach-google-adsense usr/share/doc/rsyslog-doc/html/tls_cert_ca.html
E: rsyslog-doc: privacy-breach-google-adsense usr/share/doc/rsyslog-doc/html/tls_cert_client.html
E: rsyslog-doc: privacy-breach-google-adsense usr/share/doc/rsyslog-doc/html/tls_cert_errmsgs.html
E: rsyslog-doc: privacy-breach-google-adsense usr/share/doc/rsyslog-doc/html/tls_cert_machine.html
E: rsyslog-doc: privacy-breach-google-adsense usr/share/doc/rsyslog-doc/html/tls_cert_scenario.html
E: rsyslog-doc: privacy-breach-google-adsense usr/share/doc/rsyslog-doc/html/tls_cert_server.html
E: rsyslog-doc: privacy-breach-google-adsense usr/share/doc/rsyslog-doc/html/tls_cert_summary.html
E: rsyslog-doc: privacy-breach-google-adsense usr/share/doc/rsyslog-doc/html/tls_cert_udp_relay.html

I know, that the rsyslog documentation is currently reworked, but please consider removing those adsense java script embeds in the mean time.

This is required for a number of use cases, with JAVA and it's required environment settings being a prime example. Note that currently this can be worked around easily by using a script, so it's not a hard or pressing requirement.

I spent hours in mongodb connection logs because, regardless of my configuration, logging never occurred. I finally tracked it down (via mongod logs) to authorization errors. I'd filled in the uid and pwd properties correctly in rsyslog.conf (as documented), but still experienced issues.

Finally, I went through the source and tracked the uid and pwd attributes. Specifically, I focused on the source at 7d509d5 (introduction of libmongo-client). It looks like the instance variables 'uid' and 'pwd' are filled and freed, but never referenced.

I do not believe libmongo-client has an authentication method, so authentication would require passing a BSON object to authenticate, which also never appears in code.

The current doc sounds at least a bit scary. We should re-write it explaining about the external plugin interface and the importance of omprog in that regard. Of course, we should continue to mention that it can be used to invoke any program, even if not written as an external plugin.

Mutex lock needs to go away. But there must be a new config option to permit using only a single instance in cases the to-be-executed program requires this.

We should probably make "multiple instances" the default, as it is highly likely almost all existing scripts can work with this.

I was wondering why OpenSuSE has a build dependency for dos2unix for rsyslog.

They are using dos2unix to convert "doc/*.html". I checked all the files and doc/generic_design.html seems to be that last file with wrong EOLs.

So if you would convert this file, dos2unix is no longer needed.

The idea would be to add the ability to declare a 'runAsUser' option for the omprog module. This would allow you to run the specified program as they required user.

This is extremely useful for things like scripts that interact with hdfs where the user needs to be a specific user that has permissions on the hdfs filesystem.

And example of it in action would be something like:

*.*      action(type="omprog"
                binary="/path/to/binary --param1 lala --param2 dada"
                template="hadoopTemplate"
                runAsUser="hdfs")

A regression from a change done long ago, ompipe has assigned the forwarding template instead of the file template which it should use.

Version Tested : 7.4.10,7.4.4,7.4.9,7.6.0,7.6.1,8.2.0
ZMQ version: 4.0.4, 3.2.4

Stack Trace :

omzmq3.c:247:9: error: void value not ignored as it ought to be
if(-1 == zsocket_connect(pData->socket, (char_)pData->description)) {
^
make[2]: *_* [omzmq3_la-omzmq3.lo] Error 1
make[2]: Leaving directory /home/naveen/Downloads/rsyslog-7.6.1/plugins/omzmq3' make[1]: *** [all-recursive] Error 1 make[1]: Leaving directory/home/naveen/Downloads/rsyslog-7.6.1'
make: *** [all] Error 2

We should add the capability to access month, day, year, etc without the need to use property replacer sub-expressions. The need became clear due to this ML posting:
http://lists.adiscon.net/pipermail/rsyslog/2014-April/037338.html

The current skeleton is a start, but it is very basic. It could require some overhaul by someone who really knows how to do it in a Javaish way, including the proper callback entry points. If interested, just reply to this bug tracker and be sure we'll help you with any questions you may have. In essences, it's just a simple Java program...

Version: 7.6.0

Running ./autogen.sh && make && make distcheck I get the following failure

make[2]: Entering directory `/home/michael/git/rsyslog/tools'
make[2]: *** No rule to make target `rsgtutil.1', needed by `distdir'.  Stop.
make[2]: Leaving directory `/home/michael/git/rsyslog/tools'
make[1]: *** [distdir] Error 1
make[1]: Leaving directory `/home/michael/git/rsyslog'
make: *** [dist] Error 2

For some reason unknown to me, Python scripts seem not be able to write to the stdout pipe that rsyslog's omprog has setup for them. I have tested this with a C program writing to stdout, and everything works fine for that. Interestingly, the problem does not occur with stderr. If I execute the python script outside of rsyslog on the command line, stdout redirection seems to be working.

This is the section in omprog where the pipe is setup:

https://github.com/rsyslog/rsyslog/blob/master/plugins/omprog/omprog.c#L234

I would deeply appreciate if someone could help solve this issue. At the moment, I am stuck.

Quite a bunch of files are missing. Mentioned by Michael Biebl on ML. Needs to be fixed fast.

From Michael's original mail:
made a diff
over the file list:

diff -u /tmp/git /tmp/tarball
--- /tmp/git 2014-02-13 19:05:13.211967423 +0100
+++ /tmp/tarball 2014-02-13 19:04:47.039968349 +0100
@@ -1,15 +1,8 @@
-action-call.dot
-action_state.dot
-batch_state.dot
bugs.html
build_from_repo.html
-confsamples
contributors.html
-cryprov_gcry.html
dataflow.png
debug.html
-design.tex
-dev_oplugins.html
dev_queue.html
direct_queue0.png
direct_queue1.png
@@ -21,140 +14,33 @@
droppriv.html
expression.html
features.html
-free_support.html
generic_design.html
-global.html
-gssapi.html
gssapi.png
-highperf.txt
history.html
how2help.html
-im3195.html
-imfile.html
-imgssapi.html
imjournal.html
-imklog.html
-imkmsg.html
-impstats.html
-imptcp.html
-imrelp.html
-imsolaris.html
-imtcp.html
-imudp.html
-imuxsock.html
index.html
install.html
ipv6.html
-licensing.html
log_rotation_fix_size.html
-lookup_tables.html
-Makefile
Makefile.am
Makefile.in
manual.html
-messageparser.html
mmanon.html
mmcount.html
-mmfields.html
-mmjsonparse.html
-mmnormalize.html
-mmpstrucdata.html
-mmrfc5424addhmac.html
mmsequence.html
-mmsnmptrapd.html
-mmutf8fix.html
modules.html
module_workflow.png
-msgflow.txt
-multi_ruleset.html
-multi_ruleset_legacy_format.html
-netstream.html
-ns_gtls.html
-ns_ptcp.html
-omelasticsearch.html
omfile.html
omfwd.html
-omhdfs.html
omjournal.html
-omlibdbi.html
-ommail.html
-ommongodb.html
-ommysql.html
-omoracle.html
ompipe.html
-omprog.html
-omrelp.html
-omruleset.html
-omsnmp.html
-omstdout.html
-omudpspoof.html
-omusrmsg.html
-omuxsock.html
-pmlastmsg.html
property_replacer.html
queue_analogy_tv.png
-queue_msg_state.dot
-queue_msg_state.jpeg
-queue_parameters.html
-queues_analogy.html
-queues.html
-queueWorkerLogic.jpg
-queueWorkerLogic_small.jpg
-rainerscript_call.html
-rainerscript.html
rfc5424layers.png
-rsconf1_abortonuncleanconfig.html
-rsconf1_actionexeconlywhenpreviousissuspended.html
-rsconf1_actionresumeinterval.html
-rsconf1_allowedsender.html
-rsconf1_controlcharacterescapeprefix.html
-rsconf1_debugprintcfsyslinehandlerlist.html
-rsconf1_debugprintmodulelist.html
-rsconf1_debugprinttemplatelist.html
-rsconf1_dircreatemode.html
-rsconf1_dirgroup.html
-rsconf1_dirowner.html
-rsconf1_dropmsgswithmaliciousdnsptrrecords.html
-rsconf1_droptrailinglfonreception.html
-rsconf1_dynafilecachesize.html
-rsconf1_escape8bitcharsonreceive.html
-rsconf1_escapecontrolcharactersonreceive.html
-rsconf1_failonchownfailure.html
-rsconf1_filecreatemode.html
-rsconf1_filegroup.html
-rsconf1_fileowner.html
-rsconf1_generateconfiggraph.html
-rsconf1_gssforwardservicename.html
-rsconf1_gsslistenservicename.html
-rsconf1_gssmode.html
-rsconf1_includeconfig.html
-rsconf1_mainmsgqueuesize.html
-rsconf1_markmessageperiod.html
-rsconf1_maxopenfiles.html
-rsconf1_moddir.html
-rsconf1_modload.html
-rsconf1_omfileforcechown.html
-rsconf1_repeatedmsgreduction.html
-rsconf1_resetconfigvariables.html
-rsconf1_rulesetcreatemainqueue.html
-rsconf1_rulesetparser.html
-rsconf1_umask.html
-rscript_abnf.html
-rsyslog_build_order
-rsyslog_conf_actions.html
-rsyslog_conf_basic_structure.html
-rsyslog_conf_filter.html
-rsyslog_conf_global.html
-rsyslog_confgraph_complex.conf
rsyslog_confgraph_complex.png
-rsyslog_confgraph_std.conf
rsyslog_confgraph_std.png
rsyslog_conf.html
-rsyslog_conf_modules.html
-rsyslog_conf_nomatch.html
-rsyslog_conf_output.html
-rsyslog_conf_sysklogd_compatibility.html
-rsyslog_conf_templates.html
rsyslog-example.conf
rsyslog_high_database_rate.html
rsyslog_mysql.html
@@ -162,34 +48,11 @@
rsyslog_packages.html
rsyslog_pgsql.html
rsyslog_php_syslog_ng.html
-rsyslog_queue_pointers2.jpeg
-rsyslog_queue_pointers.jpeg
rsyslog_recording_pri.html
rsyslog_reliable_forwarding.html
-rsyslog_secure_tls.html
rsyslog_stunnel.html
rsyslog_tls.html
-rsyslog-vers.dot
rsyslog-vers.png
-sigprov_gt.html
src
-syslog_parsing.html
syslog_protocol.html
-tls_cert_100.jpg
-tls_cert_ca.html
-tls_cert_ca.jpg
-tls_cert_client.html
-tls_cert_errmsgs.html
-tls_cert.jpg
-tls_cert_machine.html
-tls_cert_scenario.html
-tls_cert_server.html
-tls_cert_summary.html
-tls_cert_udp_relay.html
-troubleshoot.html
-v3compatibility.html
-v4compatibility.html
-v5compatibility.html
-v6compatibility.html
-v7compatibility.html
version_naming.html

Currently, there is no equivalent for runtime/parser.c legacy config statements. This is especially bad as we do not want to add additional config statements in legacy style.

The current set of legacy statements should be added to runtime/glbl.c parameters, which are configured via the global() statement. As parser.c only manipulates global variables, it should be sufficient to access the same variables from glbl.c as well. It's probably a bit tricky here to guard against setting parameters via legacy style and global(), but we may accept this weakness for a while. Parser parameters should begin with "parser." inside the global name space.

This is not part of the external plugin work, it's more for regular external programs. The idea is to be able to capture their output as a debug aid.

I just recently updated to 7.6.0 from 7.4.9.

Every time I sudo a command, /var/log/messages gets the following added to it:

Feb 15 01:03:13 cray rsyslogd0: action '(null)' resumed [try http://www.rsyslog.com/e/0 ]
Feb 15 01:03:13 cray rsyslogd0: action '(null)' resumed [try http://www.rsyslog.com/e/0 ]
Feb 15 01:03:13 cray rsyslogd0: action '(null)' resumed [try http://www.rsyslog.com/e/0 ]
Feb 15 01:03:13 cray rsyslogd0: action '(null)' resumed [try http://www.rsyslog.com/e/0 ]
Feb 15 01:03:13 cray rsyslogd0: action '(null)' resumed [try http://www.rsyslog.com/e/0 ]
Feb 15 01:03:13 cray rsyslogd0: action '(null)' resumed [try http://www.rsyslog.com/e/0 ]
Feb 15 01:03:13 cray rsyslogd0: action '(null)' resumed [try http://www.rsyslog.com/e/0 ]
Feb 15 01:03:13 cray rsyslogd0: action '(null)' resumed [try http://www.rsyslog.com/e/0 ]
Feb 15 01:03:13 cray rsyslogd0: action '(null)' resumed [try http://www.rsyslog.com/e/0 ]
Feb 15 01:03:13 cray rsyslogd0: action '(null)' resumed [try http://www.rsyslog.com/e/0 ]
Feb 15 01:03:13 cray rsyslogd-3003: action '(null)' suspended, next retry is Sat Feb 15 01:03:43 2014 [try http://www.rsyslog.com/e/3003 ]

Hi,

I am currently preparing the 7.6.x release for Gentoo. While testing different configure options in combination I noticed that the commit for #52 is missing in v7-stable.

I backported the fix (I'll send a PR shortly) but then I notice that make still fails because make wants to regenerate tools/rscryutil.1 (which will fail because we detect that rscryutil.1 is available and therefore don't check for rst2man).

I regenerated the file, created a new release tarball and now everything works like expected. So it seems like tools/rscryutil.1 in the official release tarball is out-of-date and needs to be regenerated.

Haven't checked v8-stable yet.

... including all non-json (native) properties. This property is meant to be used as a generic interface to external plugins (and wherever else it may be useful).

Hi,

rsyslog-7.4.10 fails with the json-c 0.12 update (released last week). json-c 0.12 was a security bugfix release:

mmjsonparse.c: In function 'processJSON':
mmjsonparse.c:149:14: error: 'json_tokener_errors' undeclared (first use in this function)
     errMsg = json_tokener_errors[err];
              ^
mmjsonparse.c:149:14: note: each undeclared identifier is reported only once for each function it appears in
In file included from mmjsonparse.c:42:0:
mmjsonparse.c: In function 'newActInst':
../../runtime/module-template.h:326:16: warning: unused parameter 'lst' [-Wunused-parameter]
  struct nvlst *lst, void **ppModData, omodStringRequest_t **ppOMSR)\
                ^
mmjsonparse.c:211:1: note: in expansion of macro 'BEGINnewActInst'
 BEGINnewActInst
 ^
Makefile:499: recipe for target 'mmjsonparse_la-mmjsonparse.lo' failed
make[2]: *** [mmjsonparse_la-mmjsonparse.lo] Error 1

From configure.ac:

# imdiag support (so far we do not need a library, but we need to turn this on and off)
# note that we enable this be default, because an important point is to make
# it available to users who do not know much about how to handle things. It
# would complicate things if we first needed to tell them how to enable imdiag.
# rgerhards, 2008-07-25

...but imdiag isn't enabled by default, see https://github.com/rsyslog/rsyslog/blob/master/configure.ac#L932.

So please clarify if imdiag should be turned on by default (then please enable it by default) or update the comment.

This does not always occur, but there are cases where mmexternal crashes rsyslog with an invalid free. The root cause seems to be that the "inputstr" is freed, but depending on how it was obtained from the msg object, it must not be freed.

Version: 7.6.0

When using automake 1.14, I get the following warnings during autoreconf:

autoreconf: running: automake --add-missing --copy --force-missing
Makefile.am:55: warning: '%'-style pattern rules are a GNU make extension
plugins/omelasticsearch/Makefile.am:4: warning: source file 'cJSON/cjson.c' is in a subdirectory,
plugins/omelasticsearch/Makefile.am:4: but option 'subdir-objects' is disabled
automake: warning: possible forward-incompatibility.
automake: At least a source file is in a subdirectory, but the 'subdir-objects'
automake: automake option hasn't been enabled.  For now, the corresponding output
automake: object file(s) will be placed in the top-level directory.  However,
automake: this behaviour will change in future Automake versions: they will
automake: unconditionally cause object files to be placed in the same subdirectory
automake: of the corresponding sources.
automake: You are advised to start using 'subdir-objects' option throughout your
automake: project, to avoid future incompatibilities.
runtime/Makefile.am:7: warning: source file '../action.c' is in a subdirectory,
runtime/Makefile.am:7: but option 'subdir-objects' is disabled
runtime/Makefile.am:7: warning: source file '../threads.c' is in a subdirectory,
runtime/Makefile.am:7: but option 'subdir-objects' is disabled
runtime/Makefile.am:7: warning: source file '../parse.c' is in a subdirectory,
runtime/Makefile.am:7: but option 'subdir-objects' is disabled
runtime/Makefile.am:7: warning: source file '../outchannel.c' is in a subdirectory,
runtime/Makefile.am:7: but option 'subdir-objects' is disabled
runtime/Makefile.am:7: warning: source file '../template.c' is in a subdirectory,
runtime/Makefile.am:7: but option 'subdir-objects' is disabled
autoreconf: Leaving directory `.'

The following config works:

module(load="imuxsock")
module(load="omelasticsearch")
template(name="plain-syslog"
         type="list") {
           constant(value="{")
             constant(value="\"@timestamp\":\"")      property(name="timereported" dateFormat="rfc3339")
             constant(value="\",\"message\":\"")    property(name="msg" format="json")
             constant(value="\"}")
         }
*.* action(type="omelasticsearch"
           template="plain-syslog"
           #queue.type="FixedArray"
           #queue.type="LinkedList"
           queue.type="Direct"
           queue.size="100000"
)

Unless you replace the default Direct queue.type with the commented FixedArray or LinkedList. Then it just doesn't do anything. Here's the debug log snippet of a message flow (sent through imuxsock), with timestamps removed for readability:

Message from UNIX socket: #3 
imuxsock: no ratelimiter for pid 7740, creating one
main Q: qqueueAdd: entry added, size now log 1, phys 1 entries
main Q: EnqueueMsg advised worker start
--------imuxsock calling select, active file descriptors (max 3): 3  
wti 0x7f1cd1c615c0: worker awoke from idle processing
DeleteProcessedBatch: we deleted 0 objects and enqueued 0 objects
doDeleteBatch: delete batch from store, new sizes: log 1, phys 1
processBATCH: batch of 1 elements must be processed 
processBATCH: next msg 0: <13>Jan 16 15:22:50 vagrant: test
    ACTION 0 [omelasticsearch:action(type="omelasticsearch" ...)]
executing action 0
Called action, logging to omelasticsearch
action 1 queue: qqueueAdd: entry added, size now log 1, phys 1 entries
action 1 queue: EnqueueMsg advised worker start
END batch execution phase, entering to commit phase
processBATCH: batch of 1 elements has been processed
regular consumer finished, iret=0, szlog 0 sz phys 1
DeleteProcessedBatch: we deleted 1 objects and enqueued 0 objects
doDeleteBatch: delete batch from store, new sizes: log 0, phys 0
regular consumer finished, iret=4, szlog 0 sz phys 0
main Q:Reg/w0: worker IDLE, waiting for work.
wti 0x7f1cd1c61520: worker awoke from idle processing
DeleteProcessedBatch: we deleted 0 objects and enqueued 0 objects
doDeleteBatch: delete batch from store, new sizes: log 1, phys 1
DDDD: adding param  1 for action 0 
action 0 is transactional - executing in commit phase
regular consumer finished, iret=-2121, szlog 0 sz phys 1
DeleteProcessedBatch: we deleted 1 objects and enqueued 0 objects
doDeleteBatch: delete batch from store, new sizes: log 0, phys 0
regular consumer finished, iret=4, szlog 0 sz phys 0
action 1 queue:Reg/w0: worker IDLE, waiting for work.

I'm using rsyslog 8.1.4-devel from the official repos on 64-bit CentOS 6.5.

This has been reported in the Debian bug tracker:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721277

Is this a deliberate change in rsyslog ommongodb or a regression?

Or is it a LogAnalyzer issue (either updating it to support the new rsyslog code or just some configuration change required)?

Version: 8.2.0
Solaris: 11.1
libestr: 0.1.9
liblogging: 1.0.4

Everything installed installed in /usr/local.

Configure options: PKG_CONFIG_PATH=/usr/local/lib/pkgconfig

Output:

buildhost:~/rsyslog/rsyslog-8.2.0$ gmake
gmake  all-recursive
gmake[1]: Entering directory `/data/pkgbuild/rsyslog/rsyslog-8.2.0'
Making all in compat
gmake[2]: Entering directory `/data/pkgbuild/rsyslog/rsyslog-8.2.0/compat'
gmake[2]: Nothing to be done for `all'.
gmake[2]: Leaving directory `/data/pkgbuild/rsyslog/rsyslog-8.2.0/compat'
Making all in runtime
gmake[2]: Entering directory `/data/pkgbuild/rsyslog/rsyslog-8.2.0/runtime'
gmake[2]: Nothing to be done for `all'.
gmake[2]: Leaving directory `/data/pkgbuild/rsyslog/rsyslog-8.2.0/runtime'
Making all in grammar
gmake[2]: Entering directory `/data/pkgbuild/rsyslog/rsyslog-8.2.0/grammar'
gmake  all-am
gmake[3]: Entering directory `/data/pkgbuild/rsyslog/rsyslog-8.2.0/grammar'
  CC       libgrammar_la-grammar.lo
In file included from rainerscript.h:5:0,
                 from grammar.y:34:
../runtime/typedefs.h:161:16: error: conflicting types for ‘off64_t’
/usr/include/stdio.h:143:22: note: previous declaration of ‘off64_t’ was here
gmake[3]: *** [libgrammar_la-grammar.lo] Error 1
gmake[3]: Leaving directory `/data/pkgbuild/rsyslog/rsyslog-8.2.0/grammar'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/data/pkgbuild/rsyslog/rsyslog-8.2.0/grammar'
gmake[1]: *** [all-recursive] Error 1
gmake[1]: Leaving directory `/data/pkgbuild/rsyslog/rsyslog-8.2.0'
gmake: *** [all] Error 2
buildhost:~/rsyslog/rsyslog-8.2.0$ 

In the current code for template.c, if a template is used to create a json object, the strings are copied without the null end character.

This is quite dangerous :-).

When ommongodb try to get those strings, the string is extracted but with a wrong length.
So I'm not sure that this will not give a memory violation in some circumstances...

patch:

diff --git a/template.c b/template.c
index 9cefa05..3123e42 100644
--- a/template.c
+++ b/template.c
@@ -361,7 +361,7 @@ tplToJSON(struct template *pTpl, msg_t *pMsg, struct json_object **pjson, struct
                                                           pTpe->data.field.propName,  &propLen,
                                                           &bMustBeFreed, ttNow);
                                if(pTpe->data.field.options.bMandatory || propLen > 0) {
-                                       jsonf = json_object_new_string_len((char*)pVal, propLen);
+                                       jsonf = json_object_new_string_len((char*)pVal, propLen+1);
                                        json_object_object_add(json, (char*)pTpe->fieldName, jsonf);
                                }
                                if(bMustBeFreed) { /* json-c makes its own private copy! */

Alain

While working on #52 I deleted tools/rsyslogd.8 from the source tarball to enforce the re-creating. But it seems like there's no rule for rebuilding the man files?

make[2]: *** No rule to make target 'rsyslogd.8', needed by 'all-am'.  Stop.

make dist will fail with the same error. So am I doing something wrong to re-create the man pages or is this a bug and a rule is missing?

In other words: I don't see where RST2MAN is used in rsyslog's Makefiles and how/where man pages will be created at all.

Reported by Michael Biebl:

When trying to compile the rfc3195 module in rsyslog via --enable-rfc3195 we use

PKG_CHECK_MODULES(LIBLOGGING, liblogging >= 0.7.1)

The latest changes in liblogging 1.0.0 have broken this configure check since the pkg-config file is now named liblogging-rfc3195

We should either check for both names or update the pkg-config check to

PKG_CHECK_MODULES(LIBLOGGING, liblogging-rfc3195 >= 1.0.0)

This is a non-pressing, longer term byline activity. The need for libestr came from libee, which we no longer need. As such, we can remove libestr as well. This will offer a reduced malloc/free rate and as such be benefitial to performance.

The intent is to mitigate the slowdown caused by frequent cache misses. The entry should be cached as "does not resolve" with a moderate time to live. Probably it makes sense to extend this time when multiple resolves fail (just like is done in action suspension).

I just noticed a (kind of) problem with #55:

When the .rst files are present when ./configure is run, then make clean is done, then make fails. The reason is that during configure it is detected that no man files need to be generated, so rst2man is not configured (was it shall do).

Probably it would make sense to add a --rebuild-man-pages configure switch where we can force configure to check for rst2man. That's most probably mostly of interest for rsyslog developers.

This is basically a clone of rsyslog/liblogging#14 to track progress of porting this patch to rsyslog.

The default template that can be found on documentation website is not working with LogAnalyzer but if you use it, surprising it works! so I guess BSON is not the real canned default template.

I have translated it to list formated templated (a cleaner way to publish it):

template(name="JSON" type="list") {
constant(value="{ ")
constant(value=""sys" : "")
property(name="hostname")
constant(value="", ")
constant(value=""time" : "")
property(name="timereported" Dateformat="rfc3339")
constant(value="", ")
constant(value=""time_gen" :")
property(name="timegenerated" Dateformat="rfc3339")
constant(value="", ")
constant(value=""msg" : "")
property(name="msg")
constant(value="", ")
constant(value=""syslog_fac" : "")
property(name="syslogfacility")
constant(value="", ")
constant(value=""syslog_sever" : "")
property(name="syslogseverity")
constant(value="", ")
constant(value=""syslog_tag" : "")
property(name="syslogtag")
constant(value="", ")
constant(value=""procid" : "")
property(name="programname")
constant(value="", ")
constant(value=""pid" : "")
property(name="procid")
constant(value="", ")
constant(value=""level" : "")
property(name="syslogpriority-text")
constant(value="" } ")
}

I have found this: http://lists.adiscon.net/pipermail/rsyslog/2014-February/036412.html so maybe my template example is wreong in dateformmating.

could anyone post the real default template to add some custom values to it???

Thx.

This is basically a clone of rsyslog/liblogging#12 for rsyslog to track progress in rsyslog (there will be a PR very soon).

Hi,

1. Make an error in your rsyslog configuration file.
2. No run rsyslogd in config check mode, rsyslogd -N 999 -f /etc/rsyslog.conf

You will see the detected error, but rsyslogd will end with exit code 0.

Tested with v7.6.3.

PS: I was wondering because I tested this feature before and it was working, I got an non-zero exit code. But now, while testing another configuration, it didn't... Seems like it is currently only working for really fatal errors:

*.=debug;\
auth,authpriv.none;\
news.none;mail.none action(
    type="omfile"
    File="/var/log/debug"
)

which will result in

rsyslogd: version 7.6.3, config validation run (level 999), master config /etc/rsyslog.conf
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 13: invalid character '(' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 13: invalid character '1' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 13: invalid character '4' in object definition - is there an invalid escape sequence somewhere? [try http://www.rsyslog.com/e/2207 ]
rsyslogd: error during parsing file /etc/rsyslog.conf, on or before line 13: syntax error on token ')' [try http://www.rsyslog.com/e/2207 ]
rsyslogd: CONFIG ERROR: could not interpret master config file '/etc/rsyslog.conf'. [try http://www.rsyslog.com/e/2207 ]
rsyslogd: run failed with error -2207 (see rsyslog.h or try http://www.rsyslog.com/e/2207 to learn what that number means)

output.

But it would be nice if rsyslogd would always exit with a non-zero exit code when there's an error in the configuration when running in config test mode (`-N``). That's how other daemon's config test mode behaves (see nginx, apache2).

Nobody has yet asked, so this is probably not that important...

The configure script says that you can disable zlib (--disable-zlib). But building with --disable-zlib will fail:

rsyslog-7.6.3/configure --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info -
-datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --disable-silent-rules --disable-dependency-tracking --docdir=/usr/share/doc/rsyslog-7.6.3 --enable-shared
--disable-static --disable-libdbi --disable-ommongodb --disable-mysql --disable-oracle --disable-pgsql --disable-klog --disable-omhiredis --disable-debug --disable-rtinst --disable-diagtools --disable-memc
heck --disable-valgrind --disable-libgcrypt --disable-gssapi-krb5 --disable-mmnormalize --disable-omudpspoof --disable-omrabbitmq --disable-relp --disable-rfc3195 --disable-mmrfc5424addhmac
--disable-snmp --disable-mmsnmptrapd --disable-gnutls --disable-imjournal --disable-omjournal --disable-usertools --disable-imzmq3 --disable-omzmq3 --disable-zlib --with-systemdsystemunitdir
=/usr/lib/systemd/system

[...]

****************************************************
rsyslog will be compiled with the following settings:

    Large file support enabled:               yes
    Networking support enabled:               yes
    Regular expressions support enabled:      yes
    Zlib compression support enabled:         no
    rsyslog runtime will be built:            yes
    rsyslogd will be built:                   yes
    GUI components will be built:             no
    have to generate man pages:               no
    Unlimited select() support enabled:       no
    uuid support enabled:                     yes
    Log file signing support:                 no
    Log file encryption support:              no
    anonymization support enabled:            no
    message counting support enabled:         no
    mmfields enabled:                         no

---{ input plugins }---
    Klog functionality enabled:               no
    /dev/kmsg functionality enabled:          no
    plain tcp input module enabled:           no
    threaded plain tcp input module enabled:  no
    imdiag enabled:                           no
    file input module enabled:                no
    Solaris input module enabled:             no
    periodic statistics module enabled:       no
    imzmq3 input module enabled:              no
    imjournal input module enabled:           no

---{ output plugins }---
    Mail support enabled:                     no
    omprog module will be compiled:           no
    omstdout module will be compiled:         no
    omjournal module will be compiled:        no
    omhdfs module will be compiled:           no
    omelasticsearch module will be compiled:  no
    omruleset module will be compiled:        no
    omudpspoof module will be compiled:       no
    omuxsock module will be compiled:         no
    omzmq3 module will be compiled:           no
    omrabbitmq module will be compiled:       no

---{ parser modules }---
    pmrfc3164sd module will be compiled:      no
    pmlastmsg module will be compiled:        no
    pmcisconames module will be compiled:     no
    pmaixforwardedfrom module w.be compiled:  no
    pmsnare module will be compiled:          no

---{ message modification modules }---
    mmnormalize module will be compiled:      no
    mmjsonparse module will be compiled:      no
    mmjaduit module will be compiled:         no
    mmsnmptrapd module will be compiled:      no
    mmutf8fix enabled:                        no
    mmrfc5424addhmac enabled:                 no
    mmpstrucdata enabled:                     no
    mmsequence enabled:                       no

---{ strgen modules }---
    sm_cust_bindcdr module will be compiled:  no

---{ database support }---
    MySql support enabled:                    no
    libdbi support enabled:                   no
    PostgreSQL support enabled:               no
    mongodb support enabled:                  no
    hiredis support enabled:                  no
    Oracle (OCI) support enabled:             no

---{ protocol support }---
    GnuTLS network stream driver enabled:     no
    GSSAPI Kerberos 5 support enabled:        no
    RELP support enabled:                     no
    SNMP support enabled:                     no

---{ debugging support }---
    Testbench enabled:                        yes
    Extended Testbench enabled:               no
    MySQL Tests enabled:                      no
    Debug mode enabled:                       no
    Runtime Instrumentation enabled:          no
    (total) debugless mode enabled:           no
    Diagnostic tools enabled:                 no
    End-User tools enabled:                   no
    Enhanced memory checking enabled:         no
    Valgrind support settings enabled:        no

[...]

rsyslogd-omfwd.o: In function `doZipFinish':
rsyslog-7.6.3/tools/omfwd.c:564: undefined reference to `deflate'
rsyslog-7.6.3/tools/omfwd.c:573: undefined reference to `deflateEnd'
rsyslogd-omfwd.o: In function `TCPSendBufCompressed':
rsyslog-7.6.3/tools/omfwd.c:519: undefined reference to `deflate'
rsyslog-7.6.3/tools/omfwd.c:499: undefined reference to `deflateInit_'
collect2: error: ld returned 1 exit status
Makefile:666: recipe for target 'rsyslogd' failed
make[2]: *** [rsyslogd] Error 1
make[2]: Leaving directory 'rsyslog-7.6.3/work/rsyslog-7.6.3/tools'
Makefile:921: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory 'rsyslog-7.6.3'
Makefile:674: recipe for target 'all' failed
make: *** [all] Error 2

From my testing it seems like --enable-rsyslogd is using rsyslogd-omfwd.o. So the question is:

1. Is this fixable? I.e. is there a way to build rsyslogd without zlib?
2. If it isn't fixable, we should either remove the possibility to disable zlib, so zlib becomes a general requirement or add a check for zlib when --enable-rsyslogd is set in configure.

We should emit a warning message if non-default queue parameters are set BUT the queue type is not (or better said is set to "direct", in which case all other parameters have no real meaning.

I don't understand why --disable-fsstnd was ever added but it looks like it was only used in https://github.com/rsyslog/rsyslog/blob/master/tools/syslogd.c

But because the code looks like deactivated, the option seems to be obsolete. Maybe it is time to get rid of the option and the commented-out code?

I got this via a private bug report. Circumstances are not yet clear. If you experience this as well, please provide info.

(this bug was report on #systemd by user nirik)

When the system date is changed (accidentally or by purpose), the rsyslog imjournal module pulls old log entries again, even if they have been "imported" already.

In nirik's case, setting back the clock caused lots of duplicated entries.

The imjournal module should keep track of which journal entries it has received from systemd-journald and not rely on the clock.

1. Create /etc/rsyslog.conf with the following content:

   $AbortOnUncleanConfig on
   
   module(load="imuxsock")
   
   module(
     load="builtin:omfile"
     Template="RSYSLOG_TraditionalFileFormat"
     FileCreateMode="0644"
     DirCreateMode="0755"
   )
   
   *.* action(
     type="omfile"
     File="/var/log/test.log"
     FileOwner="root"
     FileGroup="adm"
     anError="true"
   )
   

2. Now try to start rsyslogd: /usr/sbin/rsyslogd -n -f /etc/rsyslog.conf

3. rsyslog will report a configuration error

   error during parsing file /etc/rsyslog.conf, on or before line 18: parameter 'anError' not known -- typo in config file? [try http://www.rsyslog.com/e/2207 ]
   

   but will continue to start

Expected result: rsyslogd should exit with an error due to $AbortOnUncleanConfig on

...and BTW: You cannot quit rsyslogd with CTRL+C when running with -n without -d for example.

Tested with v7.6.3.