rsyslog

The rocket-fast system for log processing pipelines

rsyslog

The rocket-fast system for log processing pipelines

Search Results for: error 0

RSyslog Windows Agent 7.4 Released

friedlRelease Announcement, ,

Release Date: 2023-06-21

Build-IDs: Service 7.4.0.223, Client 7.4.0.315

Bugfixes

  • Syslog Action: Fixed a very rare case where an Action could try to open **TCP connections** to the same target **multiple times simultaneously**. The handling has been hardened to avoid concurrent connection establishment retries for the same Action.
  • Syslog Action: Fixed error handling when **the** connection fails and Syslog Caching is enabled. If a syslog backup server is enabled, the action will now retry the primary server correctly again after syslog caching has been activated.
  • EventLog Monitor V2: Fixed an issue in XML-Stream Processing that could cause failure in processing an EventLog Message.
  • LogRotate: Corrected error reporting when the feature is not available **due to** licensing.
  • Network Core: **Enhanced stability** during closing connections.

You can download Free Trial Version of RSyslog Windows Agent.

rsyslog on AWS – Applying Configuration Changes

Rainer Gerhardsrsyslog on Amazon Web Services (AWS Marketplace App)

Once you’ve updated the configuration of the AWS rsyslog application, it’s important to manually apply the new settings as rsyslog doesn’t do this automatically. This is to prevent partial changes from being loaded and potentially causing issues.

The AWS rsyslog AWS application provides a dedicated tool, rsyslogctl, which can be used to check and reload the configuration. During the reload process, rsyslogctl determines the most efficient way to apply the changes. For example, some changes like drop rules can be applied without interrupting message processing, while others require a full restart, causing a brief interruption.

Continue reading “rsyslog on AWS – Applying Configuration Changes”

AWS rsyslog – Meta Configuration

The “meta configuration” is provides a simple-to-use way for rsyslog server customization, without the need to manage rsyslog.conf and it’s helpers directly.

The configuration is stored inside the text file “rsyslog-features.env” in “/opr/rsyslog/config“. Each line consists of a keyword, an equal sign, and an associated value. The AMI file contains this file with default settings. The CloudFormation script generates an initial file based on data provided by the user during the CloudFormation process.

This is an example of a meta-config file:

# Internal Statistic Counters
RSYSLOG_PSTATS_ENABLED="on"
RSYSLOG_PSTATS_FILE_ENABLED="on"
RSYSLOG_PSTATS_CLOUDWATCH_ENABLED="off"

# Logstore Parameters
RSYSLOG_LOGSTORE_PATH="/var/log/rsyslog.store/"
RSYSLOG_LOGSTORE_CLOUDWATCH_ENABLED="off"
RSYSLOG_LOGSTORE_CLOUDWATCH_RETENTION="7"

# Logrotation Parameters
LOGROTATE_COMPRESS="zstd"
RSYSLOG_LOGROTATION_DAYS="7"

# S3 Storage Parameters
RSYSLOG_S3_ID="rsyslogfiles"
RSYSLOG_S3_LOGSTORE="off"
RSYSLOG_S3_LOGSTORE_PATH="/rsyslog.store/"
RSYSLOG_S3_CONFIG_PATH="/rsyslog.config/"

Editing the Meta-Config

Currently no specific feature for editing the meta-config exists. We suggest to use the text editor of your choice to modify the text file directly. Note: the file currently is writeable for the “root” user, only.

Configuration Parameters

Note: Parameter values contain either a string or number or the special values “on” and “off” to turn specific features on or off.

Storage Options

The storage options permit to assign where persistent storage is located.

  • RSYSLOG_LOGSTORE_PATH
    Full path name where logs incoming from the network should be stored. On this store, a two-level directory structure is automatically be created: first level is the hostname, second level is the syslog tag from the incoming message. For security reasons, slashes inside hostname or tag are replaced by underscores. The log store is automatically rotated when log rotation is turned on.
  • RSYSLOG_LOGSTORE_CLOUDWATCH_ENABLED
    Enables or disables sending all syslog data to a CloudWatch LogGroup.
  • RSYSLOG_LOGSTORE_CLOUDWATCH_RETENTION
    Retention time in days for CloudWatch LogGroup.

Please note that sending syslog data to CloudWatch is a priced item in AWS and can cause additional costs of being used. Therefor it is disabled by default.

Internal Statistic Counters

  • RSYSLOG_PSTATS_ENABLED
    Turns the rsyslog-internal statistics system (impstats) completely on or off. If any other pstats-related settings are to be used, this must be set to “on”.
  • RSYSLOG_PSTATS_FILE_ENABLED
    Turns on or off writing statistics records to a local log file.
  • RSYSLOG_PSTATS_CLOUDWATCH_ENABLED
    Turns on or off pushing select statistics counters to the AWS CloudWatch Dashboard.

Please note that sending statistics to CloudWatch is a priced item in AWS. For that very reason, we also permit to write statistics to local files, which involves no cost but storage fees. File writing and CloudWatch push can be turned on or off independently. Both can be used together.

Log Rotation Parameters

Our application rotates log files daily shortly after midnight using advanced rsyslog capabilities and our own custom logic. We do not utilize the logrotate tool. As part of the log rotation process, the previous day’s log files are compressed (if the compression feature is enabled) and then synced to an S3 bucket (if the RSYSLOG_S3_ID configuration variable is set). After the log files have been successfully synced, our local retention policy is applied to manage disk space usage.

It’s important to note that our application does not enforce any retention policy for S3 buckets. Therefore, it’s crucial to set an appropriate retention policy for your S3 bucket using AWS tooling to avoid exceeding your desired storage limits or incurring unnecessary costs. Please ensure that you set a retention policy that meets your specific business requirements.

The configuration can be customized via these settings:

  • LOGROTATE_COMPRESS
    Specifies the compression method to be used during rotation. Currently, the available options are “no” and “zstd“. If set to “Parameters”, no compression will be applied.
  • RSYSLOG_LOGROTATION_DAYS
    Specifies the number of days that log files should be kept locally. After the specified period, they will be deleted. To delete local log files immediately after they have been synced to S3, set the value to zero.

S3 Storage Parameters

  • RSYSLOG_S3_ID
    The id (name) of the S3 store to be used for persistent storage. Leave empty to disable automatic synchronizing to S3. The S3 store’s structure is described here.
    Note: automatic data sync to S3 happens after log rotation, which is daily run shortly after midnight.
  • RSYSLOG_S3_LOGSTORE
    Enables or disables storing rotated logfiles into S3 Bucket.
  • RSYSLOG_S3_LOGSTORE_PATH
    Like the local LOGSTORE_PATH, this is the “path” (prefix) used inside the S3 store for log files.
    Note: if RSYSLOG_S3_ID is empty, this parameter is ignored.
  • RSYSLOG_S3_CONFIG_PATH
    The “home path” for persistent storage of the rsyslog user configuration.
    Note: if RSYSLOG_S3_ID is empty, this parameter is ignored.

Important: The beta version’s default log store is not persistent and will not survive instance termination. To ensure data is not lost, users should configure an external EBS disk for persistent storage. Currently, mount settings must be created manually as there is no automatic setting. However, this feature is planned for future beta versions.

Applying Configuration Changes

Important: after changing the meta configuration, be sure to check it against any typos or other problems. This can be done via the command sudo rsyslogctl check-config. If this is error-free, you can apply the new config via sudo rsyslogctl reload-config.

For more information on how to apply configuration changes to rsyslog on AWS configuration changes, please refer to this dedicated page.

Back to aws rsyslog overview.

RSyslog Windows Agent 7.2 Released

friedlRelease Announcement, , , ,

Release Date: 2022-01-18

Build-IDs: Service 7.2.0.217, Client 7.2.0.310

Features

  • Syslog Service: Added configurable option to detect Year in RFC3164 Syslog Header. If enabled, the service will try to detect a Year after the usual RFC3164 Date Header.
  • Syslog Service: Added configurable message size limit for syslog tcp messages. The default is 1MB which is far more as defined in syslog rfcs.

Bugfixes

  • EventLog Monitor v2: Fix handling of empty Debug/analytic channels.
  • TLS: Fix a problem with X509 Certificate Checking (Server Side).
  • File Config: Fixed a problem loading big numbers (Signed/Unsigned).
  • Queue Engine: Add limit to queue full warnings/errors events  to avoid spamming the eventlog.
  • Engine: Increased stability.

You can download Free Trial Version of RSyslog Windows Agent.

RSyslog Windows Agent 7.0 Released

friedlRelease Announcement, , , , , , No Comments on RSyslog Windows Agent 7.0 Released

Release Date: 2021-03-09

Build-IDs: Service 7.0.0.213, Client 7.0.0.297

Features

  • Filter Engine: Add support to filter by IPv6 addresses.
  • Eventlog Monitor V2: Added support to for LogPoint SIEM JSON Format.
  • Eventlog Monitor V2: Added support for the following EventLog properties (if available):
    Providerguid, processed, threaded, version, opcode, eventtype, nxseverityvalue (required for Severity Mapping in LogPoint SIEM JSON Format)
  • Action Caching: Added support for caching / queuing in RELP Action when Action processing fails.
  • Filter Engine: Added support to store filter results when using the global Status Variable type filters.
  • Queue Engine: Added Warning/Error events which are generated when the queue gets full.
  • Librelp: Updated librelp to v1.8.0.
  • Openssl: Updated to version 1.1.1g.

Bugfixes

  • Filter Engine: Fixed SaveIntoProperty handling when using the Status Type Filter.
  • Queue Engine: Fixed an issue that caused an internal exception
    STATUS_STACK_BUFFER_OVERRUN when two TCP Syslog Sessions where closed at the same time.

You can download Free Trial Version of RSyslog Windows Agent.

Encasing of control structures

friedlFAQ, , , ,

When using control structures to create some case filtering, there are some things to consider when formatting this.

In general, a control structure can be as simple as this:

if $msg contains "word" then 
    action()
else
    action()

While this is correct and will work as expected, it is generally better style to encase expressions and actions. That way, they are more clearly separated from the control structure itself for better overview and can be more easily expanded without error. When using multiple actions or expressions, encasing is needed anyway, so we think it’s good practice to always use it.

Example:

if ($msg contains "word") then {
    action() 
} else {
    action()
}

And a more complex example:

if ($msg contains "word" and $source == "123.123.123.123") then {
    action()
    action()
} else {
    action()
    action()
}

All three sample snippets above are correct in their own way. Added complexity makes encasing necessary though. So, you may as well use it for all your filters to have a consistent and all-case proof configuration.

RSyslog Windows Agent 6.0 Released

friedlRelease AnnouncementNo Comments on RSyslog Windows Agent 6.0 Released

Release Date: 2019-07-01

Build-IDs: Service 6.0.0.200, Client 6.0.0.277

Features

  • Configuration Client using latest .Net Framework now.
  • Windows 2019 Support.
  • Configuration reload: Added support to update configuration from https url.
  • Property engine: Added new options
    • date-rfc3164strict: Same as date-rfc3164 but with two spaces
      after month if day is below 10.
    • crlftovbar: Replaces all CRLF or LF to vertical bar character.
    • replacechar: Replaces a single character with another single
      character, sample: %msg:$x:$y:replacechar%. More information’s can be
      found in the manual.
    • removecc: Removes all control characters from 0x00 to 0x1F
  • EventLog Monitor V2: Added JSON Output format Option to MessageFormat
    selection.
  • EventLog Monitor V2: Refactored code for performance improvements.
    Implemented Event Caching options for Publisher handles, Levels, Tasks and
    Keywords.
  • TLS Support: Enhanced error reporting when OpenSSL errors are being
    processed internally.
  • HTTP Request Action: Added support for https urls.

Bugfixes

  • Fixed configuration reload freeze when debug logging was enabled.
  • Syslog Action: Added missing RealSource option when using RFC3164 syslog
    header.

You can download Free Trial Version of RSyslog Windows Agent.

librelp 1.2.16

Rainer Gerhards1.2.16, API,

librelp 1.2.16 [download]

This new release of librelp provides API changes that allow better handling of oversize messages, as well as defining the listener interface. In addition, a few bugfixes for memory leaks and several minor issues are included.

For more details, please take a look at the changelog below.

———————————————————————-
– API changes
  * add new API: relpSrvSetOversizeMode()
    This permits to tell librelp how to handle oversize messages.
    Traditionally (and now default), this aborts the session. We now
    added an option to truncate the message instead.
    Also, in case of session abort a descriptive error message is
    emitted. This did not happen previously and caused confusion.
    closes https://github.com/rsyslog/librelp/issues/81
  * add new API: relpSrvSetLstnAddr()
    It permits to set the listen address inside the relp server.
    If not called, the server will bind to all interfaces. 
    Thanks to github user perlei for contributing it.
– support additional hashes for fingerprint mode
  old-style SHA1 is used automatically
  Thanks to github user briaeros for the patch.
  see also https://github.com/rsyslog/librelp/pull/55
– bugfix: potential memory leak
  This is very unlikely to occur in practice. Memory can be leaked
  when TLS initialization fails when the client tries to connect
  to the server. However, if this actually happens, it can happen
  frequently and so accumulate to a large leak.
  No report of such occurence from practice.
  Detected by Coverity Scan, CID 266008.
– bugfix: memory leak on protocol error
  Receiving relp frames are not correctly deallocated while handling
  protocol errors resulting in memory leak of dirty pages.
  Thanks to github user gleentea for the patch.
  see also https://github.com/rsyslog/librelp/issues/59
  closes https://github.com/rsyslog/librelp/issues/60
– fixed a couple of minor issues:
  * fix memory leak when relp frame construction fails
    detected by clang static analyzer
  * removed unnecessary code
    detected by clang static analyzer
  * fix memory leak
    This leaks occurs if the process is already totally out of memory,
    a situation that is very rare and will also cuase other troubles.
    So the practical relevance of this patch looks rather slim.
    Detected by clang static analyzer.
  * fix memory leak on relpSrvRun() error
    this is kind of cosmetic, because it can only occur when the
    run fails, which usually should lead to termination of the
    calling application
    deteced by Coverity Scan, CID 266016
  * fix memory leak on relp listener construction error
    detected by Coverity Scan, CID 266014, 266015
  * also resolved all other issues reported by Coverity scan
– CI
  * added native testbench (formerly used rsyslog for testing)
  * added additional compile tests


sha256sum: 0c235dd2a01060ad5e64438879b31ae64e7640d0e262aa1a287a2dd9bc60fd53

RSyslog Windows Agent 5.0 Released

friedlRelease Announcement, , , , ,

Release Date: 2018-04-11

Build-IDs: Service 5.0.0.185, Client 5.0.0.263

Features

  • File Monitor: Added new options “Process rest of file as one message” and Read  Filebuffer size for better regex message separator handling.
  • Syslog Action: Added support for multiple syslog servers (Load balancing)
  • Syslog Action: Backup Syslog Server is now tried on connect as well. Before, the backup server was only used when an existing connection to the primary server interrupted.
  • Core Engine: Enhanced debug output for network errors.
  • LogNorm Action: Updated Action to support liblognorm v2 rulebases.

Bugfixes

  • Property Engine: Fixed daylight handling when using RFC3339 string conversion. Daylight was incorrectly always applied.
  • Property Engine: Fixed dynamic properties conversion when using xml output. This bug caused some properties to be missing when sending them by SETP protocol or using Syslog Cache mode.
  • Configuration reload: Fixed missing SNMP Mibtree after configuration reload.

You can download Free Trial Version of RSyslog Windows Agent.

Scroll to top