rsyslog 7.5.0 (v7-devel) released

This release opens the new 7.5 development branch. Most importantly, this version provides TLS protection for RELP (note that librelp 1.1.1 is required).

More information can be found in this blogpost: http://blog.gerhards.net/2013/06/new-rsyslog-devel-branch-75.html

ChangeLog:

http://www.rsyslog.com/changelog-for-7-5-0-v7-devel/

Download:

http://www.rsyslog.com/rsyslog-7-5-0-v7-devel/

As always, feedback is appreciated.

Best regards,
Florian Riedl

rsyslog 7.4.0 (v7-stable) released

This is the first release of the 7.4 stable branch. It incorporates all new features from the 7.3 development branch. For details, see the blog posting http://www.rsyslog.com/7-4-0-the-new-stable/
ChangeLog: http://www.rsyslog.com/changelog-for-7-4-0-v7-stable/
Download: http://www.rsyslog.com/rsyslog-7-4-0-v7-stable/

As always, feedback is appreciated.

Best regards, Florian Riedl

7.4.0 – the new stable

new rsyslog 7.4.0 stable released

We just released rsyslog 7.4.0, a new stable release which replaces the 7.2 branch. After nine months of hard work, there are many exciting enhancements compared to 7.2, and I thought I would give you a quick rundown of the more important new features. Note that while I list some “minor features” at the end of this posting, the list is not complete. I left out those things that are primarily of interest to smaller groups of users. So if you are looking for a specific feature not mentioned here, it may pay to look at the ChangeLog or post a question to the rsyslog mailing list.

With this release, the rsyslog project officially supports the 7.4 and 7.2 branches. If support for older versions is required, utilizing Adiscon’s professional services for rsyslog is recommended.

Note that I only list main headlines for each of the features. Follow links (where provided) to gain more in-depth information.

Security Package

Improved Rate-Limiters

  • introduction of Linux-like rate-limiting for all inputs
  • “Last message repeated n times” now done on a per-input basis; makes it much more useful AND increases processing speed.

Systemd Journal support

  • omjournal writes messages to the journal
  • imjournal obtains messages including journal-specific meta data items from the journal

Performance Improvements

  • Disk Queue Performance greatly improved
  • DNS cache greatly improved and optimized
  • omfile now supports fully async writing
  • script optimizer now changes frequently-used long-running filters into equivalent quick ones when possible (this even affects some distros' default configs and is a great performance saver)

Minor Features

  • various plugins now support the new RainerScript based config language
  • omlibdbi improvements, among them support for transactions
  • ommysql now supports transactions
  • improved omfile zip writing speed
  • performance optimizations
  • omelasticsearch improvements (bulk processing mode, local error file)
  • omudpspoof now supports packets larger than 1472 by using fragmentation
  • omrelp now supports session timeout
  • contributed module (not project-supported) omrabbitmq was added

Changelog for 7.4.0 (v7-stable)

Version 7.4.0  [v7.4-stable] 2013-06-06
This starts a new stable branch based on 7.3.15 plus the following changes:

  • add --enable-cached-man-pages ./configure option
    permits to build rsyslog on a system where rst2man is not installed. In that case, cached versions of the man pages are used (they were built during “make dist”, so they should be current for the version in question).
  • doc bugfix: ReadMode wrong in imfile doc, two values were swapped
    Thanks to jokajak@gmail.com for mentioning this
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=450
  • imjournal: no longer do periodic wakeup
  • bugfix: potential hang *in debug mode* on rsyslogd termination
    This ONLY affected rsyslogd if it were running with debug output enabled.
  • bugfix: $template statement with multiple spaces led to invalid tpl name
    If multiple spaces were used in front of the template name, all but one of them actually became part of the template name. So $template   a,"…" would be named "  a", and as such "a" was not available, e.g. in
    *.* /var/log/file;a
    This is a legacy config problem. As it was unreported for many years, no backport of the fix to old versions will happen. This is a long-standing bug that was only recently reported by forum user mc-sim.
    Reference: http://kb.monitorware.com/post23448.html
  •  0mq fixes; credits to Hongfei Cheng and Brian Knox

Encrypted disk queues

This guide shows how to quickly protect your disk queue with encryption, so that unauthorized persons cannot read your queue.
Please note that we only use the “disk” queue format in this guide in order to show you the encrypted files; normally we recommend the “LinkedList” queue format for better performance.

This feature is available in version 7.5.0 and higher. In addition to rsyslog we need the most current version of librelp.


The Intention

Whenever two systems talk over a network, something can go wrong. For example, the communications link may go down, or a client or server may abort. Even in regular cases, the server may be offline for a short period of time because of routine maintenance.

A logging system should be capable of avoiding message loss in situations where the server is not reachable. To do so, unsent data needs to be buffered at the client while the server is offline. Then, once the server is up again, this data is to be sent.

This can easily be accomplished by rsyslog. In rsyslog, every action runs on its own queue and each queue can be set to buffer data if the action is not ready. Of course, you must be able to detect that “the action is not ready”, which means the remote server is offline. This can be detected with plain TCP syslog and RELP, but not with UDP. So you need to use either of the two. In this howto, we use plain TCP syslog.

Please note that we are using rsyslog-specific features. They are required on the client, but not on the server. So the client system must run rsyslog (at least version 7.5.0), while on the server another syslogd may be running, as long as it supports plain TCP syslog.

Normally the rsyslog queueing subsystem tries to buffer to memory if you use the “LinkedList” queue type. So even if the remote server goes offline, no disk file is generated. Files on disk are created only if there is need to, for example if rsyslog runs out of (configured) memory queue space or needs to shut down (and thus persist yet unsent messages). Using main memory and going to the disk when needed is a huge performance benefit. But in this case we only want to create a disk queue which is encrypted, so we use “Disk” as the queue type; “Disk” means that rsyslog writes to disk immediately.

How To Setup

First, you need to create a working directory for rsyslog. This is where it stores its queue files (should need arise). You may use any location on your local system.

What you have to do next is instruct rsyslog to use a disk queue and then configure your action. There is nothing else to do. With the following simple config file, you forward anything you receive to a remote server and have buffering applied automatically. This must be done on the client machine.

module(load="imuxsock") # local message reception
$WorkDirectory /home/test/rsyslog/work # default location for work (spool) files

# forward everything via plain TCP syslog, buffered in an encrypted disk queue
action(type="omfwd"
       queue.type="disk" queue.fileName="enc"
       queue.cry.provider="gcry" queue.cry.key="/path/to/contrib/gnutls/key.pem"
       target="172.123.123.5"
       port="10514")

The setting queue.fileName="enc" names the encrypted queue files that are created, should need arise. This value must be unique inside rsyslog.conf: no two rules may use the same queue file name. Also, for obvious reasons, it must only contain characters that can be used inside a valid file name. Rsyslog possibly adds some characters in front and/or at the end of that name when it creates files, so the name should not be at the file name length limit (which should not be a problem these days).
In the next value, queue.cry.key="/path/to/key", you have to provide the path to your keyfile. If this path is invalid, rsyslog will not encrypt your queue files.

Please note that actual spool files are created directly because we use the “disk” mode. If you use the “LinkedList” mode, they are only created if the remote server is down and there is no more space in the in-memory queue. By default, a short failure of the remote server will never result in the creation of a disk file, as a couple of hundred messages can be held in memory by default. [These parameters can be fine-tuned. However, then you need to either fully understand how the queue works (read elaborate doc) or use professional services to have it done based on your specs ;) – what that means is that fine-tuning queue parameters is far from being trivial…]

If you would like to test the encryption scenario, you need to stop your server, wait a while and restart it. Then simply open a newly generated queue file; they should all be encrypted now.
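Because an invalid key path leaves the queue files unencrypted, the manual "open a file and look" test can be automated. The following is an added example, not part of the original guide or of rsyslog: it flags queue files in the work directory that still look like readable log text. The file-name matching, the skipped side-file suffixes and the thresholds are assumptions of this sketch.

```python
import math
import os
from collections import Counter

# Assumption: side files with these suffixes hold queue metadata, not messages.
SKIP_SUFFIXES = (".qi", ".encinfo")

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = uniformly random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)

def looks_plaintext(data: bytes) -> bool:
    """Readable log text is almost all printable and far below 8 bits/byte."""
    # Heuristic thresholds (assumptions): ciphertext is ~37% printable.
    return printable_ratio(data) > 0.9 and entropy(data) < 6.5

def audit_queue_dir(work_dir: str, queue_name: str, sample: int = 65536):
    """Return sorted names of queue files in work_dir that look unencrypted.

    queue_name is the queue.fileName value; it is matched as a substring
    because rsyslog may add characters before or after it.
    """
    flagged = []
    for name in sorted(os.listdir(work_dir)):
        path = os.path.join(work_dir, name)
        if queue_name not in name or name.endswith(SKIP_SUFFIXES):
            continue
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read(sample)
        if data and looks_plaintext(data):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    import sys
    bad = audit_queue_dir(sys.argv[1], sys.argv[2])
    for name in bad:
        print("PLAINTEXT?", name)
    sys.exit(1 if bad else 0)
```

Run it with the work directory and the queue name as arguments (here `/home/test/rsyslog/work` and `enc`); a non-zero exit status means at least one spool file appears to be readable.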

Howto store remote messages in a separate file

In this ~8 minute video Rainer Gerhards describes how to store remote messages in a separate file. It’s actually one of the most frequently asked questions on the rsyslog forum and mailing list.

Note: the tutorial is for legacy config format in order to help most people gain benefit from it.
