Search Results for: queue

Changelog for 5.7.4 (v5-beta)

Version 5.7.4 [V5-BETA] (rgerhards), 2011-02-17

  • added pmsnare parser module (written by David Lang)
  • enhanced imfile to support non-cancel input termination
  • improved systemd socket activation thanks to Marius Tomaschweski
  • improved error reporting for $WorkDirectory
    non-existence and other detectable problems are now reported,
    and the work directory is NOT set in this case
  • bugfix: pmsnare caused abort under some conditions
  • bugfix: abort if imfile reads file line of more than 64KiB
    Thanks to Peter Eisentraut for reporting and analysing this problem.
    bug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=221
  • bugfix: queue engine did not properly slow down inputs in FULL_DELAY mode
    when in disk-assisted mode. This especially affected imfile, which
    created unnecessary queue files if a large set of input file data was
    to be processed.
  • bugfix: very long running actions could prevent shutdown under some
    circumstances. This has now been solved, at least for common
    situations.
  • bugfix: fixed compile problem due to empty structs
    this occurred only on some platforms/compilers. Thanks to Dražen Kačar
    for the fix

Changelog for 6.1.2 (devel)

Version 6.1.2  [DEVEL] (rgerhards), 2010-12-16

  • added experimental support for log normalization (via liblognorm). Support for normalizing log messages has been added in the form of mmnormalize. The core engine (property replacer, filter engine) has been enhanced to support properties from normalized events.

Note: this is EXPERIMENTAL code. It is currently known that there are issues if the functionality is used with

  • disk-based queues
  • asynchronous action queues

You cannot use the new functionality together with these features.

This limitation will be removed in later releases. However, we preferred to release early, so that one can experiment with the new feature set, and accepted the price that the full set of functionality is not yet available. If not used together with these features, log normalizing should be pretty stable.

  • enhanced testing tool tcpflood now supports sending via UDP and the capability to run multiple iterations and generate statistics data records
  • bugfix: potential abort when output modules with different parameter passing modes were used in configured output modules

Periodic statistics on rsyslog counters

Since rsyslog 5.7.0 (V5-Devel) there is a new module called impstats.

This module provides periodic output of rsyslog internal counters. Note that the whole statistics system is currently under development, so the availability and format of counters may change and are not yet stable (be prepared to change your trending scripts when you upgrade to a newer rsyslog version).

The set of available counters will be output as a set of syslog messages. This output is periodic, with the interval being configurable (default is 5 minutes). Be sure that your configuration records the counter messages (default is syslog.info).

Note that loading this module has impact on rsyslog performance. Depending on settings, this impact may be severe (for high-load environments).

Below are some simple steps for using the module.

First, the module has to be enabled when running configure. The call should look like this (your parameters may differ; the important one is --enable-impstats; this example is for Fedora 13):

./configure --enable-impstats --sbindir=/sbin --libdir=/lib

The next steps are make and make install:

make
make install

Next, the module has to be loaded in the rsyslog config. Below is a short excerpt of a sample config.

#### Modules ####
$ModLoad imuxsock
$ModLoad imklog
#$ModLoad immark

$ModLoad impstats
$PStatsInterval 600
$PStatsSeverity 7

syslog.debug  /var/log/rsyslog-stats

$ModLoad impstats – tells rsyslog to load the module impstats

$PStatsInterval 600 – is a configuration directive of impstats

$PStatsSeverity 7 – is also a configuration directive of impstats

Here you will find all information about the impstats module and its configuration directives.

If we look at the output file rsyslog-stats mentioned above, we can see the results of the statistics module.

The content of that file should look like this:

Sep 17 11:43:49 localhost rsyslogd-pstats: umxsock: submitted=16
Sep 17 11:43:49 localhost rsyslogd-pstats: main Q: size=1 enqueued=2403 full=0 maxqsize=2

Currently, all objects are shown in the results. Every object has its own counters, for example:

umxsock: (= object) submitted=16 (= counter; 16 logs received by the object umxsock). The main queue of rsyslog is also shown as "main Q", with the parameters size (messages in the queue), enqueued (all received messages), full (how often the queue was full) and maxqsize (the maximum number of messages in the queue).
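
An added example (not part of the original article or of rsyslog itself): a small Python parser for counter lines in the format shown above that reports when a queue's full counter has grown between two statistics intervals. The function names are hypothetical, the last two sample lines are constructed, and the counters are assumed to be cumulative since rsyslogd started.

```python
import re

# Sample input: the first two lines are the ones shown above; the last two
# are constructed to exercise the "queue was full" and "unrelated line" paths.
SAMPLE = """\
Sep 17 11:43:49 localhost rsyslogd-pstats: umxsock: submitted=16
Sep 17 11:43:49 localhost rsyslogd-pstats: main Q: size=1 enqueued=2403 full=0 maxqsize=2
Sep 17 11:53:49 localhost rsyslogd-pstats: main Q: size=9800 enqueued=51200 full=3 maxqsize=10000
Sep 17 11:53:50 localhost sshd[811]: unrelated line
"""

# "rsyslogd-pstats: <object>: k=v k=v ..."; object names may contain blanks.
LINE_RE = re.compile(
    r"rsyslogd-pstats: (?P<obj>.+?): (?P<kv>\S+=\S+(?: \S+=\S+)*)\s*$")


def parse_pstats(text):
    """Yield (timestamp, object, {counter: int}) for each impstats line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an impstats record
        counters = {}
        for pair in m.group("kv").split():
            key, _, value = pair.partition("=")
            # The counter set is not stable yet, so accept any counter name
            # and keep only values that are plain integers.
            if value.isdigit():
                counters[key] = int(value)
        yield line[:15], m.group("obj"), counters


def queue_pressure(text):
    """Return [(timestamp, object, new_full_events)] where 'full' grew."""
    last_full = {}
    alerts = []
    for ts, obj, counters in parse_pstats(text):
        if "full" not in counters:
            continue  # not a queue object (for example an input module)
        delta = counters["full"] - last_full.get(obj, 0)
        if delta < 0:
            # Counter went backwards, e.g. rsyslogd was restarted.
            delta = counters["full"]
        if delta > 0:
            alerts.append((ts, obj, delta))
        last_full[obj] = counters["full"]
    return alerts


if __name__ == "__main__":
    for alert in queue_pressure(SAMPLE):
        print("queue full events:", alert)
```
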

Please note that the features and options of this module will be developed further soon.

You will find all information about the periodic statistics module in the documentation. There is also a list of rsyslog impstats counters available on the web site.

Changelog for 3.2.2 (v3-stable)

Version 3.22.2 [v3-stable] (rgerhards), 2010-08-05

  • bugfix: comment char (‘#’) in literal terminated script parsing and thus could not be used.
    bug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=119
  • enhance: imrelp now also provides remote peer’s IP address [if librelp != 1.0.0 is used]
  • bugfix: sending syslog messages with zip compression did not work
  • bugfix: potential hang condition on queue shutdown
  • bugfix: segfault on startup when -q or -Q option was given
    bug tracker: http://bugzilla.adiscon.com/show_bug.cgi?id=157
    Thanks to Jonas Nogueira for reporting this bug.
  • clarified use of $ActionsSendStreamDriver[AuthMode/PermittedPeers] in doc set (require TLS drivers)
  • bugfix: $CreateDirs variable not properly initialized, default thus was random (but most often “on”)
  • bugfix: potential segfault when -p command line option was used
    Thanks to varmojfekoj for pointing me at this bug.
  • bugfix: programname filter in ! configuration can not be reset
    Thanks to Kiss Gabor for the patch.

rsyslog 5.5.5 (devel) released

Hi all,

We have just released rsyslog 5.5.5, a member of the devel branch. This is a bug-fixing release which contains a single fix that solves a potential hang condition on system shutdown when infinite action retries are configured for an asynchronous action using a queue in disk-assisted mode and the action was suspended. This is probably not a very common case, but a configuration recommended by our doc samples. If you do not use such a configuration, there is no need to update at this time. See Changelog for more details.

ChangeLog:

http://www.rsyslog.com/article461/

Download:

http://www.rsyslog.com/Downloads-req-viewdownloaddetails-lid-204.phtml

As always, feedback is appreciated.

Best regards,
Tom Bergfeld

Changelog for 4.7.0 (v4-devel)

Version 4.7.0 [v4-devel] (rgerhards), 2010-04-14

  • new: support for Solaris added (but not yet the Solaris door API)
  • added function getenv() to RainerScript
  • added new config option $InputUnixListenSocketCreatePath to permit the auto-creation of paths to additional log sockets. This turns out to be useful if they reside on temporary file systems and rsyslogd starts up before the daemons that create these sockets (rsyslogd always creates the socket itself if it does not exist).
  • added $LogRSyslogStatusMessages configuration directive permitting to turn off rsyslog start/stop/HUP messages.
    See Debian ticket http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463793
  • added new config directive $omfileForceChown to (try to) fix some broken system configs.
    See ticket for details: http://bugzilla.adiscon.com/show_bug.cgi?id=150
  • added $EscapeControlCharacterTab config directive
    Thanks to Jonathan Bond-Caron for the patch.
  • added option to use unlimited-size select() calls
    Thanks to varmojfekoj for the patch
  • debugondemand mode caused backgrounding to fail – close to a bug, but I’d consider the ability to background in this mode a new feature…
  • bugfix (kind of): check if TCP connection is still alive if using TLS
    Thanks to Jonathan Bond-Caron for the patch.
  • imported changes from 4.5.7 and below
  • bugfix: potential segfault when -p command line option was used
    Thanks to varmojfekoj for pointing me at this bug.
  • bugfix: potential segfaults during queue shutdown (bugs require certain non-standard settings to appear)
    Thanks to varmojfekoj for the patch [imported from 4.5.8]

Sending Messages to a Remote Syslog Server

In this recipe, we forward messages from one system to another one. Typical use cases are:

  • the local system does not store any messages (e.g. does not have sufficient space to do so)
  • there is a (e.g. legal) requirement to consolidate all logs on a single system
  • the server may run some advanced alerting rules, and needs to have a full picture of network activity to work well
  • you want to get the logs to a different system in a different security domain (to prevent attackers from hiding their tracks)
  • and many more …

In our case, we forward all messages to the remote system. Note that by applying different filters, you may only forward select entries to the remote system. Also note that you can include as many forwarding actions as you like. For example, if you need to have a backup central server, you can simply forward to both of them, using two different forwarding actions.

To learn how to configure the remote server, see recipe Receiving Messages from a Remote System.

Config Statements

# this is the simplest forwarding action:
*.* action(type="omfwd" target="192.0.2.1" port="10514" protocol="tcp")
# it is equivalent to the following obsolete legacy format line:
*.* @@192.0.2.1:10514 # do NOT use this any longer!
# Note: if the remote system is unreachable, processing will
# block here and discard messages after a while

# so a better use is
*.*  action(type="omfwd" target="192.0.2.2" port="10514" protocol="tcp"
            action.resumeRetryCount="100"
            queue.type="linkedList" queue.size="10000")
# this will de-couple the sending from the other logging actions,
# and prevent delays when the remote system is not reachable. Also,
# it will try to connect 100 times before it discards messages as
# undeliverable.
# the rest below is more or less a plain vanilla rsyslog.conf as 
# many distros ship it - it's more for your reference...
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none      /var/log/messages
# The authpriv file has restricted access.
authpriv.*                                    /var/log/secure
# Log all the mail messages in one place.
mail.*                                        /var/log/maillog
# Log cron stuff
cron.*                                        /var/log/cron
# Everybody gets emergency messages
*.emerg                                       :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                /var/log/spooler
# Save boot messages also to boot.log
local7.*                                      /var/log/boot.log

Things to think about

You need to select the protocol best suited to your use case. If in doubt, TCP is a decent choice. This recipe uses TCP for that reason.

TCP forwarding is a built-in capability and always present. As such, no plugin needs to be loaded. The target can be specified by DNS name or IP address. Use IP addresses for the most robust operation. If you use a DNS name and name resolution fails, forwarding may be disabled for some time. DNS resolution typically fails on the DNS server itself during system startup.

In this example, we forward to port 10514. We could as well remove the port="…" parameter from the configuration, which would result in the default port being used. However, you need to specify the port address on the server in any case. So it is strongly advised to use an explicit port number to make sure that client and server configuration match each other (if they used different ports, the message transfer would not work).

ChangeLog for 4.5.8 (v4-beta)

Version 4.5.8 [v4-beta] (rgerhards), 2010-02-10

  • enhanced doc for using PostgreSQL
    Thanks to Marc Schiffbauer for the new/updated doc

  • bugfix: property replacer returned invalid parameters under some (unusual) conditions. In extreme cases, this could lead to garbled logs and/or a system failure.
  • bugfix: invalid length returned (often) when using regular expressions inside the property replacer
  • bugfix: submatch regex in property replacer did not honor “return 0 on no match” config case
  • bugfix: imuxsock incorrectly stated inputname “imudp”
    Thanks to Ryan Lynch for reporting this.

  • (slightly) enhanced support for FreeBSD by setting _PATH_MODDIR to the correct value on FreeBSD.
    Thanks to Cristiano for the patch.

  • bugfix: -d did not enable display of debug messages; regression from introduction of “debug on demand” mode
    Thanks to Michael Biebl for reporting this bug

  • bugfix: blanks inside file names did not terminate file name parsing.
    This could result in the whole rest of a line (including comments) being treated as file name in “write to file” actions.
    Thanks to Jack for reporting this issue.

  • bugfix: rsyslog hang when writing to a named pipe which nobody was reading. Thanks to Michael Biebl for reporting this bug.
  • bugfix: memory leak when sending messages in zip-compressed format
    Thanks to Naoya Nakazawa for analyzing this issue and providing a patch.

  • bugfix: potential segfaults during queue shutdown (bugs require certain non-standard settings to appear)
    Thanks to varmojfekoj for the patch
