rsyslog

The rocket-fast system for log processing

rsyslog on AWS – Applying Configuration Changes

By Rainer GerhardsPosted on Posted in rsyslog on Amazon Web Services (AWS Marketplace App)

Once you’ve updated the configuration of the AWS rsyslog application, it’s important to manually apply the new settings as rsyslog doesn’t do this automatically. This is to prevent partial changes from being loaded and potentially causing issues.

The AWS rsyslog AWS application provides a dedicated tool, rsyslogctl, which can be used to check and reload the configuration. During the reload process, rsyslogctl determines the most efficient way to apply the changes. For example, some changes like drop rules can be applied without interrupting message processing, while others require a full restart, causing a brief interruption.

Continue reading “rsyslog on AWS – Applying Configuration Changes”

rsyslog on AWS – S3 file structure

By Rainer GerhardsPosted on Posted in rsyslog on Amazon Web Services (AWS Marketplace App)

The EBS disk included in the product is only used for day-to-day storage of logs. Persistent log storage is kept on an S3 store. This store also contains some other data items which should persist over upgrades of the rsyslog on AWS application.

The following prefixes/folders are used by rsyslog:

  • /rsyslog.logstore/ – the actual logstore
    This is synced with data from the local EBS disk once a day for the past day (in default settings).
  • /rsyslog.config/ – config data items.
    This contains the user-based config which can be restored from here during an upgrade or on misconfiguration.

The users should select proper S3 policies based on her or his needs. Most importantly, Versioning and Retention Period should be set accordingly.

The S3 store to use can be configured during the cloud formation process and manually via the meta config.

Back to aws rsyslog overview.

New Version Release of libfastjson: Enhanced Optimization for liblognorm – Version 1.2304.0

By friedlPosted on Posted in News

We are excited to announce the latest version of libfastjson, version 1.2304.0, offering enhanced optimizations specifically tailored for liblognorm processing. This update brings not only a change in the release numbering to align with rsyslog standards but also includes a crucial security fix.

Highlights of the Release:

  • Updated Release Numbering Scheme: Adopting a release numbering scheme similar to rsyslog, we aim for greater consistency and clarity across our projects.
  • Security Enhancement: The release addresses CVE-2020-12762. We acknowledge and thank Wang Haitao for the valuable patch. It’s noteworthy that this CVE had no impact on rsyslog usage due to inherent size limits.

Changelog for Version 1.2304.0 (2023-04-18):

  1. Transition to a release numbering scheme mirroring that of rsyslog.
  2. Patch for CVE-2020-12762, reinforcing the security of the library.

Download the Latest Version:

The new version of libfastjson can be downloaded from: libfastjson 1.2304.0 Download

Checksum (sha256sum): ef30d1e57a18ec770f90056aaac77300270c6203bbe476f4181cc83a2d5dc80c

rsyslog on AWS – an Overview

By Rainer GerhardsPosted on Posted in rsyslog on Amazon Web Services (AWS Marketplace App)

Our team at Adiscon offers a comprehensive paid full-service rsyslog product, available on the AWS Marketplace. As the same team that develops and supports the rsyslog open source project, we’re dedicated to providing exceptional service and ongoing innovation.

By purchasing our AWS Marketplace product, you’re also supporting the continued development of rsyslog. This ensures that the open source project remains robust, reliable, and up-to-date.

Our full-service rsyslog offering is designed specifically for organizations seeking a seamless and hassle-free way to collect syslog data on the cloud. We provide ongoing support and maintenance, along with regular updates to ensure the highest level of performance and security.

In summary, our AWS Marketplace product is the perfect solution for organizations that value simplicity, efficiency, and reliability when it comes to collecting syslog data in the cloud.

Documentation is available (and constantly being improved). Please follow these links:

RSyslog Windows Agent 7.3 Released

By friedlPosted on Posted in Release Announcement

Release Date: 2022-11-09

Build-IDs: Service 7.3.0.221, Client 7.3.0.314

Bugfixes

  • Fix daylight detection when converting from strings to timestamps internally. Exceptions in Worker Threads under very heavy IO load.
  • Relp Action/Service: Fix a establish session problem that was caused due the last librelp version update of 1.8.0 in Version 14.0
  • librelp: Updated to version 1.10.0
  • OpenSSL: Updated to version 1.1.1q

You can download Free Trial Version of RSyslog Windows Agent.

How to perform a mass rollout?

By friedlPosted on Posted in Guides for Windows AgentTagged ,

A mass rollout in the scope of this topic is any case where the product is rolled out to more than 5 to 10 machines and this rollout is to be automated. This is described first in this article. A special case may also be where remote offices shall receive exact same copies of the product (and configuration settings) but where some minimal operator intervention is acceptable. This is described in the second half of this article.

The common thing among mass rollouts is that the effort required to set up the files for unattended distribution of the configuration file and product executable is less than doing the tasks manually. For less than 5 systems, it is often more economical to repeat the configuration on each machine, but this depends on the number of rules and their complexity. Please note that you can also export and re-import configuration settings, so a hybrid solution may be the best when a lower number of machines is to be installed (normal interactive setup plus import of pre-created configuration settings).

Automated Rollout

The basic idea behind a mass rollout is to create the intended configuration on a master (or baseline) system. This system holds the complete configuration that is later to be applied to all other systems. Once that system is fully configured, the configuration will be transferred to all others.

The actual transfer is done with simple operating system tools. The complete configuration is stored in the the registry. Thus, it can be exported to a file. This can be done with the client. In the menu, select “Computer”, then select “Export Settings to Registry File”. A new dialog comes up where the file name can be specified. Once this is done, the specified file contains an exact snapshot of that machine’s configuration.

This snapshot can then be copied to all other machines and put into their registries with the help of regedit.exe.

An example batch file to install, configure and run the service on “other” servers might be:

copy \\servershare\rsyslogcl.exe c:\some-local-dir
copy \\servershare\rsyslogcl.pem c:\some-local-dir
cd \some-local-dir
rsyslogcl -i
regedit /s \server\share\configParms.reg
net start "RSyslog Windows Agent"

The file “configParams.reg” would be the registry file that had been exported with the configuration client.

Of course, the batch file could also operate off a CD – a good example for DMZ systems which might not have Windows networking connectivity to a home server.

Please note that the above batch file fully installs the product – there is no need to run the setup program at all. All that is needed to distribute the service i.e. rsyslogcl.exe and its helper dlls, which are the core service. For a locked-down environment, this also means there is no need to allow incoming connections over Windows RPC or NETBIOS for an engine only install.

Please note that, in the example above, “c:\some-local-dir” actually is the directory where the product is being installed. The “rsyslogcl -i” does not copy any files – it assumes they are already at their final location. All “rsyslogcl -i” does is to create the necessary entries in the system registry so that the Rsyslog Windows Agent is a registered system service.

Branch Office Rollout with consistent Configuration

You can use engine-only install also if you would like to distribute a standardized installation to branch office administrators. Here, the goal is not to have everything done fully automatic, but to ensure that each local administrator can set up a consistent environment with minimal effort.

You can use the following procedure to do this:

  1. Do a complete install on one machine.
  2. Configure that installation the way you want it.
  3. Create a .reg file of this configuration (via the client program).
  4. Copy the rsyslogcl.exe, rsyslogcl.pem  and .reg file that you created to a CD (for example). Take these executable files from the install directory of the complete install done in step 1 (there is no specfic engine-only download available).
  5. Distribute the CD.
  6. Have the users create a directory where they copy all the files. This directory is where the product is installed in – it may be advisable to require a consistent name (from an admin point of view – the product does not require this).
  7. Have the users run “rsyslogcl -i” from that directory. It will create the necessary registry entries so that the product becomes a registered service.
  8. Have the users double-click on the .reg file to install the pre-configured parameters (step 3).
  9. Either reboot the machine (neither required nor recommended) or start the service (via the Windows “Servcies” manager or the “net start” command).

Important: The directory created in step 6 actually is the program directory. Do not delete this directory or the files contained in it once you are finished. If you would do, this would disable the product (no program files would be left on the system).

If you need to update an engine-only installation, you will probably only upgrade the master installation and then distribute the new exe files and configuration in the same way you distributed the original version. Please note that it is not necessary to uninstall the application first for an upgrade – at least not as long as the local install directory remains the same. It is, however, vital to stop the service, as otherwise the files can not be overwritten.

RSyslog Windows Agent 7.2a Released

By friedlPosted on Posted in Release AnnouncementTagged , , No Comments on RSyslog Windows Agent 7.2a Released

Release Date: 2022-03-03

Build-IDs: Service 7.2.0.219, Client 7.2.0.312

Bugfixes

  • EventLog Monitor V2: Fix an issue with events, that cannot be formatted properly.
  • EventLog Monitor V2: Fix loading enabled state for Event Channels when either Debug or Admin channels are enabled/disabled.
  • EventLog Monitor V2: Fix the default Channel enabled state for disabled channel types.

You can download Free Trial Version of RSyslog Windows Agent.

RSyslog Windows Agent 7.2 Released

By friedlPosted on Posted in Release AnnouncementTagged , , , ,

Release Date: 2022-01-18

Build-IDs: Service 7.2.0.217, Client 7.2.0.310

Features

  • Syslog Service: Added configurable option to detect Year in RFC3164 Syslog Header. If enabled, the service will try to detect a Year after the usual RFC3164 Date Header.
  • Syslog Service: Added configurable message size limit for syslog tcp messages. The default is 1MB which is far more as defined in syslog rfcs.

Bugfixes

  • EventLog Monitor v2: Fix handling of empty Debug/analytic channels.
  • TLS: Fix a problem with X509 Certificate Checking (Server Side).
  • File Config: Fixed a problem loading big numbers (Signed/Unsigned).
  • Queue Engine: Add limit to queue full warnings/errors events  to avoid spamming the eventlog.
  • Engine: Increased stability.

You can download Free Trial Version of RSyslog Windows Agent.

RSyslog Windows Agent 7.1 Released

By friedlPosted on Posted in Release AnnouncementTagged , , , , , , No Comments on RSyslog Windows Agent 7.1 Released

Release Date: 2021-07-14

Build-IDs: Service 7.1.0.214, Client 7.1.0.300

Features

  • EventLog Monitor V2: Add support to monitor Analytic and Debug Channels. These channels will only work in polling mode and detection of the last record is limited due the nature of analytic / debug channels.
  • EventLog Monitor V2: Added new “Copy Messageformat into property” option to copy a second output format into a custom property.
  • File Monitor: Added support for batched processing which is a huge improvement regarding processing speed.

Bugfixes

  • EventLog Monitor v2: Removed unnecessary spaces within LOGSIEM JSON format.
  • File Monitor: Fixed a race condition saving the correct file position on action failure.
  • Status Actions: Fixed an issue calculating wrong values when multiple compute status actions were executed at the same time.

You can download Free Trial Version of RSyslog Windows Agent.

RSyslog Windows Agent 7.0 Released

By friedlPosted on Posted in Release AnnouncementTagged , , , , , , No Comments on RSyslog Windows Agent 7.0 Released

Release Date: 2021-03-09

Build-IDs: Service 7.0.0.213, Client 7.0.0.297

Features

  • Filter Engine: Add support to filter by IPv6 addresses.
  • Eventlog Monitor V2: Added support to for LogPoint SIEM JSON Format.
  • Eventlog Monitor V2: Added support for the following EventLog properties (if available):
    Providerguid, processed, threaded, version, opcode, eventtype, nxseverityvalue (required for Severity Mapping in LogPoint SIEM JSON Format)
  • Action Caching: Added support for caching / queuing in RELP Action when Action processing fails.
  • Filter Engine: Added support to store filter results when using the global Status Variable type filters.
  • Queue Engine: Added Warning/Error events which are generated when the queue gets full.
  • Librelp: Updated librelp to v1.8.0.
  • Openssl: Updated to version 1.1.1g.

Bugfixes

  • Filter Engine: Fixed SaveIntoProperty handling when using the Status Type Filter.
  • Queue Engine: Fixed an issue that caused an internal exception
    STATUS_STACK_BUFFER_OVERRUN when two TCP Syslog Sessions where closed at the same time.

You can download Free Trial Version of RSyslog Windows Agent.

Scroll to top