Lower Bound for Queue Sizes
The queue.size parameter specifies the maximum queue size in number of messages. While not technically enforced, there is a lower limit on this parameter. Setting it to very low values (roughly below 100 messages) is not supported and can lead to unpredictable results. Also, future versions may automatically adjust such values to a safe lower bound and/or refuse to start the queue in those cases. So if you use very low values, do so at your own risk.
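As an added example (not part of the original post), here is an unsupported setting next to a supported one, written in rsyslog's action() syntax. The target host, spool directory and sizes are made up for illustration.

```rsyslog
# Added example, not from the original post. Host name, paths and
# sizes are made up.
global(workDirectory="/var/spool/rsyslog")

# NOT supported: 20 is far below the ~100-message lower bound. rsyslog
# does not reject it today, but behaviour is undefined and a future
# version may raise the value or refuse to start the queue.
action(type="omfwd" target="logs.example.invalid" port="514" protocol="tcp"
       queue.type="LinkedList" queue.size="20")

# Supported: a size comfortably above the lower bound, plus a disk
# spool so that a burst or an unreachable target does not drop messages.
action(type="omfwd" target="logs.example.invalid" port="514" protocol="tcp"
       queue.type="LinkedList" queue.size="10000"
       queue.filename="fwd_logs" queue.maxdiskspace="100m"
       queue.saveonshutdown="on")
```

If the aim of a tiny queue was to limit memory, the second form achieves that more safely: the in-memory part stays bounded and overflow goes to disk instead of producing undefined behaviour.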
Howto anonymize messages that go to specific files
Rsyslog’s mmanon module is used to anonymize data. It is important to keep in mind that mmanon actually modifies the message. So, as stated in the module documentation, the original, non-anonymized message can no longer be obtained once mmanon has been applied (except, of course, if the message was stored to a variable before calling mmanon).
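The point about saving the message first, as an added configuration example that is not from the original post: only sshd messages are anonymized, the anonymized text goes to a file that may be shared, and the untouched text is written from a property saved before mmanon ran. The file paths, the program name filter and the property name $!orig are chosen here for illustration; the mmanon parameter names (ipv4.mode, ipv4.bits) are those of the 7.x mmanon documentation and should be checked against the installed version.

```rsyslog
# Added example, not from the original post. Paths, the sshd filter and
# the property name $!orig are made up; mmanon parameter names follow
# the 7.x mmanon doc and may differ in other versions.
module(load="mmanon")

# Template that emits the saved, non-anonymized text instead of $msg.
template(name="tplOriginal" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%$!orig%\n")

if $programname == "sshd" then {
    # Keep the untouched text in a message property BEFORE mmanon
    # rewrites $msg; afterwards it cannot be recovered.
    set $!orig = $msg;

    # Zero the low 16 bits of every IPv4 address in $msg,
    # e.g. 192.0.2.77 becomes 192.0.0.0 (rewrite mode).
    action(type="mmanon" ipv4.mode="rewrite" ipv4.bits="16")

    # Anonymized copy: the file that leaves the security team's control.
    action(type="omfile" file="/var/log/shared/sshd-anon.log")

    # Full copy, written from the saved property, with restrictive mode.
    action(type="omfile" file="/var/log/private/sshd-full.log"
           template="tplOriginal" fileCreateMode="0600")
}
```

Order matters: the set statement must precede the mmanon action, and any action that needs the real address must read $!orig (via the template) rather than $msg.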
How to add a module global parameter
In this git commit, two new module parameters are being added to omfile. They replace some hard-coded defaults for action parameters. This commit shows
- how to add module parameters
- how to apply them as defaults to action parameters
Please be sure to note the difference between module and action parameters.
Note that the new module parameters do not modify behavior of legacy (pre-v6) config statements. This is done intentionally to prevent complication with upward compatibility of old-style config files.
This commit is intentionally minimal in order to show the most important aspects. For a proper commit, the ChangeLog as well as the module documentation need to be updated as well. An example commit for the doc parts can be found here. It is usually suggested to do both tasks in a single commit (as they obviously closely belong together).
How to obtain a specific Doc Version?
There are very many rsyslog versions out in the wild. Each of these versions has different capabilities, and consequently different documentation is required to match an exact version.
The rsyslog site always contains documentation for the latest development version (sometimes even for features that only reside in git). While chances are good that the online doc can be used to solve a specific question, this is not guaranteed. Most importantly, older versions may support quite different rsyslog.conf formats. As such, folks tend to ask how they can obtain a version of the documentation that exactly matches their version.
The answer is quite straightforward: most of the doc on the site comes from rsyslog’s project doc set, and that doc set is contained in each release tarball. So if you have e.g. 5.8.10 installed and want its doc, simply download the matching release tarball. The full doc is contained in the “./doc” subdirectory. It’s in HTML format, so all you need to do is point your browser at ./doc/index.html.
In many distributions it is even simpler, as there is a package named rsyslog-doc (or similar) which contains exactly that doc folder.
librelp 1.2.0
This version offers support for epoll() on platforms that provide it. This provides both better performance and the ability to handle many more connections.
Version 1.2.0 – 2013-07-15
– support for epoll() added
  platforms that do not support it fall back to select()
– API extension: relpEngineSetOnGenericErr
sha256sum: 5a8870fd2ae496be08d100ef8a65807311f11d6976ed37b8e0cd8024872c31e5
librelp 1.1.5
This is a bug-fixing release that takes care of a memory leak on connection close as well as potential misaddressing on session close.
Version 1.1.5 – 2013-07-05
– bugfix: memory leak on connection close
  around 60 bytes of memory were lost on each connection close at the
  server side (when the client initiated a close)
– bugfix: potential misaddressing on session close
  This can happen if a write was also outstanding, a quite unusual
  situation. In that case, already freed memory was being accessed.
sha256sum: 2322d771bd6036dd11519509177722baa36bc0e61a5d6748cbce0addf7f43243
librelp 1.1.4
This version of the library provides certificate wildcard name checks. It also supports enhanced performance options (burst support, which requires support from the caller). It also contains some bug fixes, especially for BSD.
Version 1.1.4 – 2013-07-03
– fix build problems on BSD
  Thanks to Christiano for analysis and patch suggestion.
– add ability to specify a non-standard RELP window size
– add burst support to the client API
  With this, we remove the unconditional performance improvement
  done in 1.1.3 – it is better to call the APIs explicitly.
– wildcards are now supported in TLS peer name authentication
  They follow the RFC 5425 recommendations, e.g.
  *.example.com, client*.example.com, client01.*.com
– new APIs: relpCltHintBurstBegin, relpCltHintBurstEnd,
  relpCltSetWindowSize
sha256sum: 85df54b14d53525612c3c592f9121f16e0f694d32d69d4c82261ecd513014e50
librelp 1.1.3
Version 1.1.3 – 2013-06-26
– increased performance of RELP connection
– bugfix: potential segfault if no GnuTLS priority string was set
sha256sum: c07a6805ed90127c7270bece0fe60908bd5f6f9612bbbdd26fabb15588306b57
librelp 1.1.2
This release most importantly includes certificate-based mutual peer authentication in TLS mode. It also provides finer-grained control over the GnuTLS settings by permitting the caller to directly specify the so-called “priority string”. With this string, important details like the ciphers to be supported can be specified. To implement these features, a number of API extensions were made.
– add capability to specify the GnuTLS priority string
  This gives callers complete control over crypto parameters, like
  ciphers to use.
– add certificate-based authentication
– add capability to specify number of Diffie-Hellman bits to use
– API extension: relpSrvSetDHBits, relpSrvSetGnuTLSPriString,
  relpCltSetGnuTLSPriString, relpEngineSetOnAuthErr, relpCltSetUsrPtr,
  relpSrvSetAuthMode, relpCltSetAuthMode
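As an added example, and not code from librelp or from the original announcements: the features listed for 1.1.2 (certificate-based mutual authentication, the GnuTLS priority string, the Diffie-Hellman bit count) and for 1.1.4 (wildcard peer names, a non-standard window size) as they are reached from rsyslog through imrelp and omrelp rather than through the C API above. The parameter names are those of the imrelp/omrelp modules in rsyslog 7.5 and later; the host names, ports, certificate paths and the priority string are made up, and the two halves belong on two different hosts.

```rsyslog
# Added example, not from librelp or the original post. Hosts, ports,
# paths and the priority string are made up; parameter names follow
# imrelp/omrelp in rsyslog 7.5+.

# ---- collector host: imrelp listener ----
module(load="imrelp")
# tls.authMode="name" is certificate-based mutual authentication: the
# client's certificate must chain to tls.cacert AND carry a name that
# matches a tls.permittedPeer entry. With the RFC 5425 wildcard rule,
# "*.example.com" matches client01.example.com but not
# host.client01.example.com (a wildcard covers one name component).
# The priority string disables SSL 3.0 and TLS 1.0; tls.dhbits sets
# the Diffie-Hellman group size (relpSrvSetDHBits in the C API).
input(type="imrelp" port="2514"
      tls="on"
      tls.cacert="/etc/rsyslog.d/tls/ca.pem"
      tls.mycert="/etc/rsyslog.d/tls/collector.pem"
      tls.myprivkey="/etc/rsyslog.d/tls/collector.key"
      tls.authMode="name"
      tls.permittedPeer=["*.example.com"]
      tls.prioritystring="NORMAL:-VERS-SSL3.0:-VERS-TLS1.0"
      tls.dhbits="2048")

# ---- sender host: omrelp client ----
module(load="omrelp")
# The sender verifies the collector's certificate name as well, so a
# man-in-the-middle with a valid CA-issued cert for another name is
# still rejected. windowSize maps to relpCltSetWindowSize.
action(type="omrelp" target="collector.example.com" port="2514"
       tls="on"
       tls.cacert="/etc/rsyslog.d/tls/ca.pem"
       tls.mycert="/etc/rsyslog.d/tls/client01.pem"
       tls.myprivkey="/etc/rsyslog.d/tls/client01.key"
       tls.authMode="name"
       tls.permittedPeer=["collector.example.com"]
       tls.prioritystring="NORMAL:-VERS-SSL3.0:-VERS-TLS1.0"
       windowSize="256")
```

Two checks worth doing after deploying this: confirm that a client whose certificate name does not match the permitted peer is rejected (the authentication-error callback, relpEngineSetOnAuthErr, is what rsyslog uses to report this), and confirm with a TLS scanner that the priority string really removed the protocol versions you intended, since a typo in the string silently falls back to GnuTLS defaults only if the string fails to parse at all.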
recent librelp development
I thought I’d share some news on what I have been busy with and intend to be in the future. In the past days, I have added more config options to librelp, which now supports GnuTLS compression methods as well as provides the ability to set the Diffie-Hellman key strength (number of bits) and – for experts – to set the GnuTLS priorities, which select the cipher methods and other important aspects of TLS handling.
This is done now and I also added rsyslog facilities to use these new features. Some of this stuff is not yet released, but will soon be.
The next big step is preventing man-in-the-middle attacks. I will most probably use SSH-type fingerprint authentication, so that no full PKI is necessary to make this work. I guess implementing this feature set will probably take a couple of days, and I will keep you posted on how things progress.
(cross-posted from Rainer’s blog)
