rsyslog 8.2510.0 (2025.10) released

We have today released the 8.2510.0 rsyslog scheduled stable release. This release delivers three main themes: better Windows Security event ingestion, more flexible JSON handling end to end, and pragmatic compatibility fixes across popular outputs and platforms. It also includes steady documentation improvements and CI hardening.

Highlights

Windows Security events at scale

  • New module mmsnareparse: a comprehensive parser for Snare-formatted Windows Security logs (RFC5424 and RFC3164). Covers the major event types (e.g. 4624, 4625, 4634), extracts 100+ fields with type awareness, handles modern telemetry (LAPS, TLS, WDAC, WUFB, Kerberos), supports runtime configuration, and ships with an extensive test suite. Intended for SIEM use, threat detection, and compliance.

JSON pipelines made easier

  • mmjsonparse: find-json mode
    Parses the first top-level JSON object embedded in text without requiring cookies. Opt-in. Default behavior unchanged.
  • New experimental module mmjsontransform
    Unflatten dotted keys into nested JSON by default, or flatten nested trees back to dotted keys. Outputs to a configured property, validates conflicts with precise paths, and refuses to overwrite an existing destination. Build with --enable-mmjsontransform. Interface is experimental and may change.
  • Templates: option.jsonftree for jsonf
    Opt-in nested JSON rendering. Dotted outnames like host.hostname become {"host":{"hostname":...}} to match schemas such as Elastic ECS. Falls back to flat rendering on collisions.
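The JSON behaviours listed above, as an added stand-alone Python sketch that is not rsyslog's code: locating the first top-level JSON object in a line without a cookie (the idea behind find-json mode), unflattening dotted keys into a nested tree with conflict detection that names the offending path (as mmjsontransform does), and falling back to flat output on a collision (as option.jsonftree does). The sample log line is constructed.

```python
import json

# Constructed sample: syslog prefix, a stray "{busy}" that is not JSON, then
# the first real top-level object, then trailing text.
SAMPLE = ('Oct 10 12:00:00 web01 app[42]: state={busy} '
          '{"host.hostname":"web01","user.name":"alice","event.outcome":"ok"} tail')

def find_json(text):
    """Return the first top-level JSON object in text, or None (cf. find-json mode)."""
    start = text.find("{")
    while start != -1:
        try:
            obj, _ = json.JSONDecoder().raw_decode(text, start)
            if isinstance(obj, dict):
                return obj
        except json.JSONDecodeError:
            pass  # not JSON at this brace; keep scanning
        start = text.find("{", start + 1)
    return None

def unflatten(flat):
    """Dotted keys -> nested dict; ValueError names the conflicting path."""
    tree = {}
    for key, value in flat.items():
        parts, node = key.split("."), tree
        for depth, part in enumerate(parts[:-1]):
            if part not in node:
                node[part] = {}
            elif not isinstance(node[part], dict):
                # a key is already a leaf but now needs to be a container
                raise ValueError(f"conflict at {'.'.join(parts[:depth + 1])}")
            node = node[part]
        if parts[-1] in node:
            # refuse to overwrite an existing destination (leaf or subtree)
            raise ValueError(f"conflict at {key}: destination already set")
        node[parts[-1]] = value
    return tree

def render_jsonf(flat):
    """Nested rendering, or the flat input unchanged on a collision."""
    try:
        return unflatten(flat)
    except ValueError:
        return dict(flat)
```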

Output modules and protocol polish

  • omelasticsearch
    • Detects server version and Elasticsearch vs OpenSearch at startup to adjust config automatically.
    • Defaults to typeless APIs and omits _type by default to work out of the box with modern clusters. Older setups that relied on a default type on ES < 8 may need explicit config.
  • omkafka
    Restores feature detection and fallback from produceva to legacy produce for older librdkafka. If headers are configured but unsupported, configuration now fails fast.
  • omrelp
    Keep-alive support added.

Inputs, TLS, and observability

  • New message property fromhost-port and inclusion of source port in imtcp user-targeting messages
    Improves disambiguation where multiple senders share an IP.
  • imtcp: clearer error on TLS handshakes to a plain listener
    Emits one explicit error per mismatched connection with a troubleshooting hint.
  • TLS 1.3 KeyUpdate handling
    Prevents stalls by driving a minimal read during send when required by the TLS stack (OpenSSL and GnuTLS).
  • imhttp: better health and metrics endpoints
    Optional Basic Auth for /health and /metrics via htpasswd files and explicit Content-Length. Exports full rsyslog stats for Prometheus and is proxy friendly.

New RainerScript functions

  • b64_decode() and toupper() added.

Ecosystem, build, and CI

  • openEuler 24.03 LTS container and CI job added.
  • Cross-platform and toolchain fixes, including pkg-config use for libgcrypt and configure checks.
  • Code coverage uploads stabilized, flakiness reduced in Kafka tests.
  • Documentation builds restored, many typos fixed, and doc spellcheck added.
  • GitHub security analysis workflow enabled.

Notable fixes

  • imrelp: potential segfault on termination fixed, which could otherwise impact state files or disk queues.
  • omusrmsg: null pointer dereference fixed, plus a memory leak and error reporting improvements.
  • Docker image: collector UDP and TCP flags can now be enabled independently.
  • imdocker: adds the container image name and tag to metadata for easier source identification.
  • ommongodb: supports mongo-c-driver v2 while retaining v1 compatibility.

Compatibility and upgrade notes

  • Elasticsearch types: _type is now omitted by default and typeless endpoints are used. ES < 8 users who relied on a default type must set it explicitly.
  • Kafka headers: if your config sets message headers but the installed librdkafka lacks header support, configuration will fail. Adjust either the library or the config.
  • New modules:
    • mmsnareparse is production oriented.
    • mmjsontransform is experimental. Interface and parameters may change.
    • mmleefparse is a PoC for LEEF and may change, including breaking changes.
  • Properties: fromhost-port is new. Out-of-tree modules that depend on message properties or the TCP session interface need a rebuild.

Thank you to our contributors

Patches, analysis, or help credited in this cycle to: Qiumiao Zhang, Zhang Wen, Michael Biebl, Kevin Guillemot, Will Robertson, schrotthaufen (GitHub), Sourav Sharma, Kevin Backhouse, Madhushree, and Naisthecreator. Plus many thanks to everyone who reviewed, tested, and improved docs and CI.

Changelog themes

  • Documentation: broad updates and typo fixes, Sphinx helper restored, new doc spellcheck.
  • Build and CI: improved cross-platform checks, security analysis, openEuler support, better coverage uploads.
  • Refactoring: clearer code with added doxygen comments and queue internals cleanup.

As always, we recommend testing in staging before production rollout, especially if you ship to Elasticsearch, depend on Kafka headers, or process Windows Security events at scale.

For full details, see the repository ChangeLog and module documentation.