I have just released rsyslog 1.10.1. This release is slightly unscheduled. It orginally should have been released in a few days with some more enhancements. However, we have discovered a SQL injection vulnerability in rsyslog and decided to release a fix for the development branch as soon as possible (thankfully the code was at an interim milestone, so it was easy to do).

The most important feature of 1.10.1 obviously is the fix for the SQL injection vulnerability. Besides that, it offers a fix in handling broken MySQL connections. Feature-wise, it adds the ability to execute scripts (and other programs) on message reception. Together with the new filtering engine, this can, for example, be used to generate email alerts on important events.

The change log can be found at http://www.rsyslog.com/Article36.phtml.

I hope this release is useful. Please expect the originally scheduled feature set some time next week. Among others, it will bring additional comparison operations for the new filter engine.

Rainer

An SQL injection vulnerability was found in all rsyslog releases prior to the ones announced on 2005-09-23. An attacker can send a specifically-crafted syslog message to rsyslogd and potentially take ownership of the machine.

This can be locally exploited if rsyslogd is listening on the local socket. Wes assume it is doing this in almost all cases. It can also be exploited remotely if rsyslogd is listening on network sockets and the attacker is not blocked from sending messages to rsyslogd (e.g. if not blocked by firewalling).

The vulnerability can potentially be used to take full ownership of the computer a compromised rsyslog is running on. The extend of the compromise is depending on the permissions of the user used to connect to MySQL.

We do not know of any case where this was exploited in practice. The bug was discovered during security-testing rsyslogd.

As of this writing, fixed versions exist both for the stable and the development branch. They are named 1.0.1 and 1.10.1. They can be obtained via the following links:

For 1.0.1 stable:
http://www.rsyslog.com/Downloads-index-req-getit-lid-17.phtml

For 1.10.1 development:
http://www.rsyslog.com/Downloads-index-req-getit-lid-18.phtml

As this is a serious vulnerability, we urge all users to update to the fixed version as soon as possible.

If you have turned on NO_BACKSLASH_ESCAPES in MySQL, you MUST make changes to your configuration file. Read DETAILS below to learn more.

I am proud to announce release 1.10.0, the first development release after 1.0.0 stable. Release 1.10.0 contains major new features, most importantly the ability to filter on any syslog message property, not just facility and priority. For example, it can now be filtered based on the content of the message itself (e.g. log to a different file if it contains the string "error"). Other new features include the ability to conditionally discard messages, regular expression support inside templates, performance improvements, and more.

Rainer Gerhards

I have just released rsyslog 1.0.0, the first (official) stable version of rsyslog. Feature-wise it is no difference to 0.9.8, it just has some minor doc changes plus a very little bug fix in the usage note.

From the release point of view, however, this release is a very important achivement. It provides a solid basis for those interested in running a stable release. The 1.0.0 codebase has been run for several weeks now without any error reports. It has also been reviewed, and all issues been ironed out. 1.0.0 creates the stable branch.

Please note that the stable branch will primarily receive fixes. The unstable branch (to be created soon) will have all the new cool features.

If you run any version of rsyslog, I recommend moving to 1.0.0.

I hope this release is helpful.

Rainer Gerhards

Today, I have released rsyslog 0.9.8. This release has only minor changes compared to the previous one. Most importantly the startup and shutdown messages are now more consistent and informative. Which, of course, is not a big deal. The main reason for this release was to have one final shot before the release of the first 1.0 final. I have withhold any updated during the past 3 weeks and fortunately did not get any error reports (but there was some user activity, so it is save to assume rsyslog did receive some further testing. As I made changes, I would like to have this code run at least a little while before moving it to final. If nothing goes wrong, I'll do that towards the end of the week or early next week. Most probably, new featuers will be introduced after that.

Rainer

I have just released rsyslog 0.9.7. This release is slightly unscheduled, it addresses the issue with the new build system in 0.9.6 (and its inconsistent documentation) as well as the problem building for MySQL. This is more or less the only change, for details you can review the change log.

Originally, I wanted to ship a slightly enhanced version at the end of the week, but I have prepared the current release as it solves common trouble (sorry for that, folks). I still intend to ship another version towards the end of the week.

Rainer

Bennett Todd has just alerted me of some problems with the new release. In short: the build process seems not to work at all (nor does the install do).

This is actually a documentation issue. The way of compiling rsyslog has changed slightly but importantly. You need to CD into an distribution-specific subdirectory (use linux of in doubt) and then call make. Do NOT do this in the root directory of the rsyslog project.

I am glad to announce that I have just released rsyslog 0.9.6. This release is focussed on streamlining towards the first final 1.0 release. The documentation has been greatly enhanced and changed to html format. It now includes an installation howto. Also, samples of system startup scripts have been added, hopefully facilitating deployment.

Visit the rsyslog status page for download and link to the change log:

http://www.rsyslog.com/Documentation-/status.html.phtml

There is one important change for existing rsyslogd users: the syntax of the -r option has been changed. It now accepts the port that rsyslogd should listen to. That, however, breaks existing scripts. They must be changed to use "-r 0", which mimics the previous behaviour. I am sorry for this inconsistency, but I thought it is better to keep the command line options consistent - and at the current time changing that interface is hopefully not such a big issue. If we'd do it much later, it might have been impossible. The new syntax also provides ample opportunity for future enhancement, which then can be kept consistent with the -t tcp listener command line option.

The next steps for rsyslog will be to look at the packaging and eventually some further minor clean-ups. I would also appreciate any feedback from practical use, especially if you should run a high-volume system. I now traget the 1.0 release for early September.

There is no need to upgrade to 0.9.6 if you are happy with what you currently run.

I hope the new release is helpful.

Rainer Gerhards

I have written a new tutorial on how to store syslog messages in MySQL. The paper discusses the concepts, describes the actual steps necessary and talks about common pitfalls.

The paper is available in the documentation section, under the title of writing syslog messages to MySQL.

Rsyslog 0.9.5 supports multiple rsyslogd instances on a single machine. This can be useful for special, security-enhanced configurations. Release 0.9.5 also contains improved error message handling during startup and some bug fixes. If you are happy with version 0.9.4, there is no important reason to upgrade to this release.

For full details, see the rsyslog 0.9.5 change log.