rsyslog on AWS – an Overview

Our team at Adiscon offers a comprehensive paid full-service rsyslog product, available on the AWS Marketplace. As the same team that develops and supports the rsyslog open source project, we’re dedicated to providing exceptional service and ongoing innovation.

By purchasing our AWS Marketplace product, you’re also supporting the continued development of rsyslog. This ensures that the open source project remains robust, reliable, and up-to-date.

Our full-service rsyslog offering is designed specifically for organizations seeking a seamless and hassle-free way to collect syslog data in the cloud. We provide ongoing support and maintenance, along with regular updates to ensure the highest level of performance and security.

In summary, our AWS Marketplace product is the perfect solution for organizations that value simplicity, efficiency, and reliability when it comes to collecting syslog data in the cloud.

The AWS product is currently in a limited beta phase. If you are interested in joining the beta, please email support@adiscon.com.

Some documentation is already available (and is being improved during the beta phase). Please follow these links:

RSyslog Windows Agent 7.3 Released

Release Date: 2022-11-09

Build-IDs: Service 7.3.0.221, Client 7.3.0.314

Bugfixes

  • Fix daylight detection when converting from strings to timestamps internally.
  • Fix exceptions in Worker Threads under very heavy IO load.
  • Relp Action/Service: Fix a session-establishment problem caused by the librelp update to 1.8.0 in Version 14.0.
  • librelp: Updated to version 1.10.0
  • OpenSSL: Updated to version 1.1.1q

You can download the Free Trial Version of RSyslog Windows Agent.

How to perform a mass rollout?

A mass rollout in the scope of this topic is any case where the product is rolled out to more than 5 to 10 machines and this rollout is to be automated. This is described first in this article. A special case may also be where remote offices shall receive exact same copies of the product (and configuration settings) but where some minimal operator intervention is acceptable. This is described in the second half of this article.

What mass rollouts have in common is that the effort required to prepare the configuration file and product executable for unattended distribution is less than doing the tasks manually. For fewer than 5 systems, it is often more economical to repeat the configuration on each machine, but this depends on the number of rules and their complexity. Please note that you can also export and re-import configuration settings, so a hybrid solution may be best when a lower number of machines is to be installed (normal interactive setup plus import of pre-created configuration settings).

Automated Rollout

The basic idea behind a mass rollout is to create the intended configuration on a master (or baseline) system. This system holds the complete configuration that is later to be applied to all other systems. Once that system is fully configured, the configuration will be transferred to all others.

The actual transfer is done with simple operating system tools. The complete configuration is stored in the registry, so it can be exported to a file. This can be done with the client: in the menu, select “Computer”, then select “Export Settings to Registry File”. A new dialog comes up where the file name can be specified. Once this is done, the specified file contains an exact snapshot of that machine’s configuration.

This snapshot can then be copied to all other machines and put into their registries with the help of regedit.exe.

An example batch file to install, configure and run the service on “other” servers might be:

rem copy the engine files from the distribution share into the local program directory
copy \\server\share\rsyslogcl.exe c:\some-local-dir
copy \\server\share\rsyslogcl.pem c:\some-local-dir
rem also copy any helper DLLs from the master install directory the same way
cd /d c:\some-local-dir
rem register the service (creates the registry entries only, copies no files)
rsyslogcl -i
rem import the configuration snapshot exported from the master system
regedit /s \\server\share\configParams.reg
net start "RSyslog Windows Agent"

The file “configParams.reg” would be the registry file that had been exported with the configuration client.

Of course, the batch file could also operate off a CD – a good example for DMZ systems which might not have Windows networking connectivity to a home server.

Please note that the above batch file fully installs the product – there is no need to run the setup program at all. All that is needed is to distribute the service, i.e. rsyslogcl.exe and its helper DLLs, which are the core service. For a locked-down environment, this also means there is no need to allow incoming connections over Windows RPC or NETBIOS for an engine-only install.

Please note that, in the example above, “c:\some-local-dir” actually is the directory where the product is being installed. “rsyslogcl -i” does not copy any files – it assumes they are already at their final location. All “rsyslogcl -i” does is create the necessary entries in the system registry so that the RSyslog Windows Agent is a registered system service.

Branch Office Rollout with consistent Configuration

You can also use an engine-only install if you would like to distribute a standardized installation to branch office administrators. Here, the goal is not to have everything done fully automatically, but to ensure that each local administrator can set up a consistent environment with minimal effort.

You can use the following procedure to do this:

  1. Do a complete install on one machine.
  2. Configure that installation the way you want it.
  3. Create a .reg file of this configuration (via the client program).
  4. Copy the rsyslogcl.exe, rsyslogcl.pem and .reg file that you created to a CD (for example). Take these executable files from the install directory of the complete install done in step 1 (there is no specific engine-only download available).
  5. Distribute the CD.
  6. Have the users create a directory where they copy all the files. This directory is where the product is installed – it may be advisable to require a consistent name (from an admin point of view – the product does not require this).
  7. Have the users run “rsyslogcl -i” from that directory. It will create the necessary registry entries so that the product becomes a registered service.
  8. Have the users double-click on the .reg file to install the pre-configured parameters (step 3).
  9. Either reboot the machine (neither required nor recommended) or start the service (via the Windows “Services” manager or the “net start” command).

Important: The directory created in step 6 actually is the program directory. Do not delete this directory or the files contained in it once you are finished. Doing so would disable the product (no program files would be left on the system).

If you need to update an engine-only installation, you will probably only upgrade the master installation and then distribute the new exe files and configuration in the same way you distributed the original version. Please note that it is not necessary to uninstall the application first for an upgrade – at least not as long as the local install directory remains the same. It is, however, vital to stop the service, as otherwise the files cannot be overwritten.
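The automated rollout batch file above and the upgrade rule just stated (stop the service before overwriting the engine files) can be combined into one idempotent script that works for both first installs and upgrades. The following PowerShell is an added example, not part of the Adiscon article or product; the share path, install directory, file list and the optional hash table are assumptions to be replaced per environment, and the service name is the one used by the batch file above.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent install/upgrade of the engine-only RSyslog Windows Agent.
# Assumed values (not from the article): distribution share, install directory, file list.
$ErrorActionPreference = 'Stop'
$Share       = '\\server\share'                     # assumed distribution share
$InstallDir  = 'C:\some-local-dir'                  # becomes the program directory; never delete it
$ServiceName = 'RSyslog Windows Agent'              # name used by "net start" in the batch file
$Files       = @('rsyslogcl.exe', 'rsyslogcl.pem')  # add any helper DLLs from the master install
$RegFile     = 'configParams.reg'                   # snapshot exported with the configuration client
# Optional: SHA-256 hashes taken on the master system with Get-FileHash; empty means "do not check".
$ExpectedHashes = @{}

# 1. Upgrade case: the service must be stopped first, otherwise the files cannot be overwritten.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# 2. Copy the engine files into the program directory and verify them against the master hashes.
New-Item -ItemType Directory -Path $InstallDir -Force | Out-Null
foreach ($f in $Files) {
    $dest = Join-Path $InstallDir $f
    Copy-Item -Path (Join-Path $Share $f) -Destination $dest -Force
    if ($ExpectedHashes.ContainsKey($f)) {
        $hash = (Get-FileHash -Algorithm SHA256 -Path $dest).Hash
        if ($hash -ne $ExpectedHashes[$f]) {
            throw "Hash mismatch for $f - refusing to install a file that differs from the master"
        }
    }
}

# 3. First install only: "rsyslogcl -i" copies nothing, it just creates the registry entries
#    that make the engine a registered Windows service.
if (-not $svc) {
    Push-Location $InstallDir
    try { & .\rsyslogcl.exe -i } finally { Pop-Location }
    if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
        throw 'rsyslogcl -i did not register the service'
    }
}

# 4. Import the configuration snapshot silently (regedit /s) and check the exit code.
$p = Start-Process -FilePath 'regedit.exe' -ArgumentList @('/s', "`"$Share\$RegFile`"") -Wait -PassThru
if ($p.ExitCode -ne 0) { throw "regedit /s failed with exit code $($p.ExitCode)" }

# 5. Start the service and confirm it actually reaches the Running state.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
```

Populate $ExpectedHashes from the master system so a tampered or stale copy on the share is rejected rather than installed.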

RSyslog Windows Agent 7.2a Released

Release Date: 2022-03-03

Build-IDs: Service 7.2.0.219, Client 7.2.0.312

Bugfixes

  • EventLog Monitor V2: Fix an issue with events that cannot be formatted properly.
  • EventLog Monitor V2: Fix loading enabled state for Event Channels when either Debug or Admin channels are enabled/disabled.
  • EventLog Monitor V2: Fix the default Channel enabled state for disabled channel types.


RSyslog Windows Agent 7.2 Released

Release Date: 2022-01-18

Build-IDs: Service 7.2.0.217, Client 7.2.0.310

Features

  • Syslog Service: Added configurable option to detect Year in RFC3164 Syslog Header. If enabled, the service will try to detect a Year after the usual RFC3164 Date Header.
  • Syslog Service: Added a configurable message size limit for syslog TCP messages. The default is 1MB, which is far more than the syslog RFCs define.

Bugfixes

  • EventLog Monitor v2: Fix handling of empty Debug/analytic channels.
  • TLS: Fix a problem with X509 Certificate Checking (Server Side).
  • File Config: Fixed a problem loading big numbers (Signed/Unsigned).
  • Queue Engine: Added a limit on queue-full warning/error events to avoid flooding the event log.
  • Engine: Increased stability.


RSyslog Windows Agent 7.1 Released

Release Date: 2021-07-14

Build-IDs: Service 7.1.0.214, Client 7.1.0.300

Features

  • EventLog Monitor V2: Added support to monitor Analytic and Debug Channels. These channels only work in polling mode, and detection of the last record is limited due to the nature of analytic / debug channels.
  • EventLog Monitor V2: Added new “Copy Messageformat into property” option to copy a second output format into a custom property.
  • File Monitor: Added support for batched processing, which greatly improves processing speed.

Bugfixes

  • EventLog Monitor v2: Removed unnecessary spaces within LOGSIEM JSON format.
  • File Monitor: Fixed a race condition saving the correct file position on action failure.
  • Status Actions: Fixed an issue calculating wrong values when multiple compute status actions were executed at the same time.


RSyslog Windows Agent 7.0 Released

Release Date: 2021-03-09

Build-IDs: Service 7.0.0.213, Client 7.0.0.297

Features

  • Filter Engine: Add support to filter by IPv6 addresses.
  • Eventlog Monitor V2: Added support for the LogPoint SIEM JSON Format.
  • Eventlog Monitor V2: Added support for the following EventLog properties (if available): Providerguid, processed, threaded, version, opcode, eventtype, nxseverityvalue (required for Severity Mapping in the LogPoint SIEM JSON Format).
  • Action Caching: Added support for caching / queuing in RELP Action when Action processing fails.
  • Filter Engine: Added support to store filter results when using the global Status Variable type filters.
  • Queue Engine: Added Warning/Error events which are generated when the queue gets full.
  • Librelp: Updated librelp to v1.8.0.
  • Openssl: Updated to version 1.1.1g.

Bugfixes

  • Filter Engine: Fixed SaveIntoProperty handling when using the Status Type Filter.
  • Queue Engine: Fixed an issue that caused an internal exception STATUS_STACK_BUFFER_OVERRUN when two TCP Syslog Sessions were closed at the same time.


RSyslog Windows Agent 6.2c Released

Release Date: 2021-01-28

Build-IDs: Service 6.2.0.210, Client 6.2.0.284

Bugfixes

  • Syslog Service: Fixed a parsing issue of the syslogtag (RFC 5424 only) with malformed syslog headers.
  • Syslog Service: Fixed an issue where two nullbytes were appended to the rawsyslogmsg property.
  • EventLog Monitor V2: Fixed Unicode support when using JSON Output format.
  • IPv6: Fixed a conversion issue when a source was converted into an IPv6 address string.


RSyslog Windows Agent 6.2b Released

Release Date: 2020-09-04

Build-IDs: Service 6.2.0.209, Client 6.2.0.284

Bugfixes

  • Start Program Action: Fixed loading the Sync Timeout setting in file configuration mode.
  • Queue Engine: Fix for STATUS_STACK_BUFFER_OVERRUN exception. STATUS_STACK_BUFFER_OVERRUN does not mean that there was an actual stack buffer overrun. It appears that, due to recent security updates in the Windows network code, a new exception type was introduced. This exception could occur in very rare conditions when two Syslog Actions would close their TCP Sessions in the very same millisecond.

