rsyslog

The rocket-fast system for log processing

Author : Adiscon Support

Changelog for 7.5.8 (v7-devel)

By Adiscon SupportPosted on Posted in ChangelogTagged , , , , , ,

Version 7.5.8 [v7-release candidate] 2014-01-09

  • add exec_template() RainerScript function
  • add debug.onShutdown and debug.logFile global paramters
    These enebale the new “debug on shutdown” mode, which can be used to track hard to find problems that occur during system shutdown.
  • Add directives for numerically specifying GIDs/UIDs
    The already present directives (FileOwner, FileGroup, DirOwner, DirGroup) translate names to numerical IDs, which depends on the user information being available during rsyslog’s startup. This can fail if the information is obtained over a network or from a service such as SSSD. The new directives provide a way to specify the numerical IDs directly and bypass the lookup.
    Thanks to Tomas Heinrich for the patch.
  • actions now report if they suspend and resume themselves
    this is by default on and controllable by the action.reportSuspension global parameter
  • bugfix: omelasticsearch fail.es stats counter was improperly maintained
  • bugfix: mmrfc5424addhmac: “key” parameter was not properly processed
  • add new impstats action counters:
    •   * suspended
    •   * suspended.duration
    •   * resumed

Changelog for 7.4.8 (v7-stable)

By Adiscon SupportPosted on Posted in ChangelogTagged , , , , , , ,

Version 7.4.8  [v7.4-stable] 2014-01-08

  • rsgtutil provides better error messages on unfinished signature blocks
  • bugfix: guard against control characters in internal (error) messages
    Thanks to Ahto Truu for alerting us.
  • bugfix: immark did emit messages under kern.=info instead of syslog.=info
    Note that his can potentially break exisiting configurations that rely on immark sending as kern.=info. Unfortunately, we cannot leave this unfixed as we never should emit messages under the kern facilit

Error message when verifying signed logs

By Adiscon SupportPosted on Posted in FAQTagged , , , ,

rsyslog provides the ability to sign logs through GuardTime. You can verify the logs with a provided tool called rsgtutil. We have identified two reasons why the signing process could fail and thus verifying the log signature is not possible.

Note on legacy API: The old API libgt would create files with the endings .gtsig and .gtstate. These are different from the current and recommended API libksi.

When signing logs with rsyslog and GuardTime, three files will be created.

logfile # holds the log messages
logfile.ksisig # holds the hash chain data
logfile.ksistate # holds GuardTime signature hash

When verifying the logs through rsgtutil, the .ksistate file is needed because it holds the signature hash from GuardTime. Without this file, verification is not possible. Now there are two reasons why this file might not be present and thus a verification fails with:

# ./rsgtutil --verify --show-verified /var/log/logfile
error 1 (i/o error) processing file /var/log/logfile

1. rsyslog is still running

The .ksistate file is created when shutting down rsyslog. At shutdown, a signature request will be sent to GuardTime and will then be returned with the signature hash, which will be stored into this file. If rsyslog is still running, the file will not be created, resulting in an unsuccesful verification.

Even if the .ksistate file is present, it might not be current. So please make sure to stop rsyslog before trying to verify the logs.

2. Timeout on shutdown

On Ubuntu we had the problem, that upstart automatically kills the process after 5 seconds if the SIGTERM signal wasn’t fully executed until then. We now realized, that requesting the signature through GuardTime can take some time, depending on the system, thus exceeding the 5 second timeout and rsyslog getting killed before writing the .ksistate file. Again this resulted in unverifyable logs. This is also a problem for other parts of rsyslog (e.g. DA queues not being completely written to disk).

Upon changing the timeout value in the upstart script for rsyslog, we could circumvent the default timeout and rsyslog could fully complete the signature request and write the .ksistate file. This is at least valid for Ubuntu and may also be valid for other distributions.

To change the timeout go to this file:

/etc/init/rsyslog.conf

Now add

kill timeout 30

right after

expect fork

This should result in the following:

description     “system logging daemon”

start on filesystem
stop on runlevel [06]

expect fork
kill timeout 30
respawn

pre-start script
/lib/init/apparmor-profile-load usr.sbin.rsyslogd
end script

script
. /etc/default/rsyslog
exec rsyslogd $RSYSLOGD_OPTIONS
end script

With the upstart script changed like this, rsyslog should not suffer from a too strict shutdown timeout and thus being able to complete the shutdown successfully. This change will also go in the startup and upstart scripts of the upcoming RPMs and Repo’s.

Side note

In the current versions, rsgtutil gives out a inappropriate error message. It currently states it is an I/O error. In reality it is an EOF error. In the upcoming versions (7.4.8, 7.5.8 and 8.1.4) this will be fixed.

Changelog for 7.4.7 (v7-stable)

By Adiscon SupportPosted on Posted in ChangelogTagged , , , , , , , ,

Version 7.4.7  [v7.4-stable] 2013-12-10

  • bugfix: limiting queue disk space did not work properly
    •   queue.maxdiskspace actually initializes queue.maxfilesize
    •   total size of queue files was not checked against queue.maxdiskspace for disk assisted queues.

    Thanks to Karol Jurak for the patch.

  • bugfix: linux kernel-like ratelimiter did not work properly with all inputs (for example, it did not work with imdup). The reason was that the PRI value was used, but that needed parsing of the message, which was done too late.
  • bugfix: disk queues created files in wrong working directory if the $WorkDirectory was changed multiple times, all queues only used the last value set.
  • bugfix: legacy directive $ActionQueueWorkerThreads was not honored
  • bugfix: segfault on startup when certain script constructs are used
    e.g. “if not $msg …”
  • bugfix: imuxsock: UseSysTimeStamp config parameter did not work correctly
    Thanks to Tomas Heinrich for alerting us and provinding a solution suggestion.
  • bugfix: $SystemLogUseSysTimeStamp/$SystemLogUsePIDFromSystem did not work
    Thanks to Tomas Heinrich for the patch.
  • improved checking of queue config parameters on startup
  • bugfix: call to ruleset with async queue did not use the queue
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=443
  • bugfix: if imtcp is loaded and no listeners are configured (which is uncommon), rsyslog crashes during shutdown.

rsyslog 8.1.3 (v8-devel) released

By Adiscon SupportPosted on Posted in News, Release AnnouncementTagged , , , , , ,

We have just released 8.1.3 of the v8-devel branch.

This release contains further performance improvements. Note that both the output module interface and strgen interface have been changed and (some) modules may need to be modified. For the v8 supported rsyslog provided modules this has already be done (see v8 compatibility document for a list of supported modules). This release also detects failed actions more precisely. Finally, there are a couple of bug fixes in this release.

Note that this release can be considered a “normal” devel version, with moderate risk associated to it. Experience in the past weeks suggest so. Special thanks to Pavel Levshin for all his work and tests. Still note that there is a considerably higher risk running the devel version than the stable one.

ChangeLog:

http://www.rsyslog.com/changelog-for-8-1-3-v8-devel/

Download:

http://www.rsyslog.com/rsyslog-8-1-3-v8-devel/

Feedback is *very much* appreciated.

Best regards,
Florian Riedl

Scroll to top