Changelog for 7.3.11 (v7-devel)

Version 7.3.11  [devel] 2013-04-23

  • added support for encrypting log files
  • omhiredis: added support for redis pipeline support
    Thanks to Brian Knox for the patch.
  • bugfix: $PreserveFQDN is not properly working
    Thanks to Louis Bouchard for the patch
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=426
  • bugfix: imuxsock aborted due to problem in ratelimiting code
    Thanks to Tomas Heinrich for the patch.
  • bugfix: imuxsock aborted under some conditions
    regression from ratelimiting enhancements – this was a different one to the one Tomas Heinrich patched.
  • bugfix: timestamp problems in imkmsg

Changelog for 7.2.7 (v7-stable)

Version 7.2.7 [v7-stable] 2013-04-17

  • rsyslogd startup information is now properly conveyed back to init
    when privileges are being dropped
    Actually, we have moved termination of the parent in front of the
    priv drop. So it shall work now in all cases. See code comments in
    commit for more details.
  • If forking, the parent now waits for a maximum of 60 seconds for
    termination by the child
  • improved debugging support in forked (auto-backgrounding) mode
    The rsyslog debug log file is now continued to be written across the
    fork.
  • updated systemd files to match current systemd source
  • bugfix: failover/action suspend did not work correctly
    This was experienced if the retry action took more than one second
    to complete. For suspending, a cached timestamp was used, and if the
    retry took longer, that timestamp was already in the past. As a
    result, the action never was kept in suspended state, and as such
    no failover happened. The suspend functionality no longer uses
    the cached timestamp (should not have any performance implication, as
    action suspend occurs very infrequently).
  • bugfix: nested if/prifilt conditions did not work properly
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=415
  • bugfix: script == comparison did not work properly on JSON objects
    [backport from 7.3 branch]
  • bugfix: imudp scheduling parameters did affect main thread, not imudp
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=409
  • bugfix: imuxsock rate-limiting could not be configured via legacy conf
    Rate-limiting for the system socket could not be configured via legacy
    configuration directives. However, the new-style RainerScript config
    options worked.
    Thanks to Milan Bartos for the patch.
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=390
  • bugfix: using group resolution could lead to endless loop
    Thanks to Tomas Heinrich for the patch.
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=310
  • bugfix: $mmnormalizeuseramsg parameter was specified with wrong type
    Thanks to Renzhong Zhang for alerting us of the problem.
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=420
  • bugfix: RainerScript getenv() function caused segfault when var was
    not found.
    Thanks to Philippe Muller for the patch.
  • bugfix: several issues in imkmsg
    see bug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=421#c8
  • bugfix: imuxsock was missing SysSock.ParseTrusted module parameter
    To use that functionality, legacy rsyslog.conf syntax had to be used.
    Also, the doc was missing information on the “ParseTrusted” set of
    config directives.
  • bugfix: parameter action.execOnlyWhenPreviousIsSuspended was accidentally
    of integer-type. For obvious reasons, it needs to be boolean. Note
    that this change can break existing configurations if they circumvented
    the problem by using 0/1 values.
  • doc bugfix: rsyslog.conf man page had invalid file format info

Changelog for 7.3.10 (v7-devel)

Version 7.3.10 [devel] 2013-04-10

  • added RainerScript re_extract() function
  • omrelp: added support for RainerScript-based configuration
  • omrelp: added ability to specify session timeout
  • templates now permit substring extraction relative to end-of-string
  • bugfix: failover/action suspend did not work correctly
    This was experienced if the retry action took more than one second
    to complete. For suspending, a cached timestamp was used, and if the
    retry took longer, that timestamp was already in the past. As a
    result, the action never was kept in suspended state, and as such
    no failover happened. The suspend functionality no longer uses
    the cached timestamp (should not have any performance implication, as
    action suspend occurs very infrequently).
  • bugfix: gnutls RFC5425 driver had some undersized buffers
    Thanks to Tomas Heinrich for the patch.
  • bugfix: nested if/prifilt conditions did not work properly
    closes: http://bugzilla.adiscon.com/show_bug.cgi?id=415
  • bugfix: imuxsock aborted under some conditions
    regression from ratelimiting enhancements
  • bugfix: build problems on Solaris
    Thanks to Martin Carpenter for the patches.

rsyslog 7.3.10 (v7-devel) released

We have just released v 7.3.10 of the rsyslog development branch. This is primarily a bug-fixing release, but also provides some new features, most importantly the re_extract() function to extract substrings via regexes inside a script. Also, omrelp has been enhanced and moved to the new action syntax.

ChangeLog:

http://www.rsyslog.com/changelog-for-7-3-10-v7-devel/

Download:

http://www.rsyslog.com/rsyslog-7-3-10-v7-devel/

As always, feedback is appreciated.

Best regards,
Tim Eifler

[deprecated] How to sign log messages through signature provider Guardtime

Please note: This method is deprecated. Please refer to the new log signing method with KSI.

With rsyslog v7.3.9 we introduced the possibility to sign log messages through Guardtime, a signature provider. The process to enable this is relatively easy, and in the end you have your log files signed with a keyless signature that relies on hash functions through Guardtime. The signature functionality is loaded automatically by omfile if so requested. It just requires that the signature provider itself is installed. For our RPMs and Ubuntu packages, it is available in the base package. During signing, a second file is created alongside your logfile, with “.gtsig” as its ending. This pair of files will later be needed to prove the integrity of your logfile.

In addition to rsyslog 7.3.9 or above you need “libgt”. The library is either available from Guardtime directly or from our git. If you installed rsyslog from our packages, libgt will be installed automatically.

When installing manually, you need to enable the signature function. The most basic configure command looks like this:

./configure --prefix=/usr --enable-guardtime

When rsyslog is installed, you can use the Guardtime signatures easily with a few additional configuration directives. For detailed information about the configuration directives, please review the manual. The correct action would look like this:

action(type="omfile" file="/var/log/logfile"
                sig.provider="gt"
                sig.timestampService="http://user:password@stamper.guardtime.net/gt-signingservice"
                # Please contact Guardtime for authentication details
                sig.keepTreeHashes="on" 
                sig.keepRecordHashes="on")

The directive sig.provider determines the provider that will be used. Currently, only Guardtime (gt) is available, but other providers might be added in the future. The other two options control the granularity of the signature hashes that are kept, at the cost of disk space. The finer granularity can come in handy when trying to detect a security breach, as it enables you to spot the location of the breach. You will receive two files that share the same name but have different extensions.

/var/log/logfile
/var/log/logfile.gtsig

With rsyslog installed, you get a new tool called “rsgtutil”. It helps you check the integrity of your logfile in conjunction with the signature file. By issuing

tools/rsgtutil --verify --show-verified /var/log/logfile

you can easily check whether the logfile matches the stored hash. If the check was successful, you will see it directly. If not, you will be notified as well, and further investigation will be necessary.
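The following is an added illustration, not rsyslog or libgt code, of why keeping record hashes lets an investigation locate a change instead of only learning that a block is bad. It is a simplified model that does not read the .gtsig format; it assumes a signed root hash built over per-record SHA-256 hashes, and all function names are hypothetical.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def record_hashes(lines):
    """One hash per log record: the data a per-record option keeps on disk."""
    return [h(line.encode("utf-8")) for line in lines]

def root_of(leaves):
    """Fold leaf hashes pairwise into one root (assumes a non-empty block)."""
    level = list(leaves)
    while len(level) > 1:
        # An unpaired last node is carried up to the next level unchanged.
        level = [h(level[i] + level[i + 1]) if i + 1 < len(level) else level[i]
                 for i in range(0, len(level), 2)]
    return level[0]

def verify(lines, signed_root, stored=None):
    """Return (ok, suspects); suspects is None when the location is unknown."""
    current = record_hashes(lines)
    if root_of(current) == signed_root:
        return True, []
    # Stored record hashes are only usable if they roll up to the signed root;
    # otherwise they may have been rewritten together with the log.
    if stored is None or root_of(stored) != signed_root:
        return False, None
    n = max(len(current), len(stored))
    return False, [i for i in range(n)
                   if i >= len(current) or i >= len(stored)
                   or current[i] != stored[i]]

# Constructed sample block (not real log data).
SAMPLE = ["Apr 23 10:00:01 host sshd[101]: Accepted publickey for alice",
          "Apr 23 10:00:07 host sudo: alice : COMMAND=/bin/ls",
          "Apr 23 10:01:15 host sshd[102]: Failed password for root",
          "Apr 23 10:02:30 host cron[55]: (root) CMD (run-parts)",
          "Apr 23 10:03:00 host sshd[103]: Accepted password for bob"]

def demo():
    stored = record_hashes(SAMPLE)   # written at signing time
    signed_root = root_of(stored)    # stands in for the signed block hash
    tampered = list(SAMPLE)
    tampered[2] = "Apr 23 10:01:15 host sshd[102]: (edited after signing)"
    return {"intact": verify(SAMPLE, signed_root, stored),
            "root_only": verify(tampered, signed_root),
            "with_records": verify(tampered, signed_root, stored),
            "truncated": verify(SAMPLE[:4], signed_root, stored)}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With only the root, a modified block is reported as bad without a location; with the stored record hashes, the modified or missing record index is returned.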

Please note:

The Guardtime KSI service has been upgraded to mitigate DOS attacks by adding user authentication. Please contact Guardtime for more information.
