-rw-r--r-- | ChangeLog | 29 | ||||
-rw-r--r-- | doc/debug.html | 6 | ||||
-rw-r--r-- | doc/impstats.html | 5 | ||||
-rw-r--r-- | doc/imuxsock.html | 8 | ||||
-rw-r--r-- | doc/mmanon.html | 9 | ||||
-rw-r--r-- | doc/mmnormalize.html | 11 | ||||
-rw-r--r-- | doc/omfile.html | 5 | ||||
-rw-r--r-- | doc/omfwd.html | 5 | ||||
-rw-r--r-- | doc/omruleset.html | 5 | ||||
-rw-r--r-- | doc/property_replacer.html | 4 | ||||
-rw-r--r-- | doc/queues.html | 5 | ||||
-rw-r--r-- | doc/rsyslog_conf_filter.html | 5 | ||||
-rw-r--r-- | doc/rsyslog_conf_templates.html | 8 | ||||
-rw-r--r-- | doc/rsyslog_packages.html | 5 | ||||
-rw-r--r-- | doc/sigprov_gt.html | 6 | ||||
-rw-r--r-- | doc/troubleshoot.html | 24 | ||||
-rw-r--r-- | plugins/imfile/imfile.c | 6 | ||||
-rw-r--r-- | plugins/mmanon/mmanon.c | 2 | ||||
-rw-r--r-- | plugins/omelasticsearch/omelasticsearch.c | 26 | ||||
-rw-r--r-- | plugins/ommongodb/ommongodb.c | 2 | ||||
-rw-r--r-- | plugins/omprog/omprog.c | 5 | ||||
-rw-r--r-- | runtime/cryprov.h | 2 | ||||
-rw-r--r-- | runtime/libgcry.h | 2 | ||||
-rw-r--r-- | runtime/msg.c | 2 | ||||
-rw-r--r-- | runtime/msg.h | 1 | ||||
-rw-r--r-- | runtime/nsd_gtls.c | 19 | ||||
-rw-r--r-- | runtime/rsyslog.h | 5 | ||||
-rw-r--r-- | tcpsrv.c | 2 |
28 files changed, 165 insertions, 49 deletions
@@ -1,6 +1,35 @@ - bugfix: array-based ==/!= comparisions lead to invalid results This was a regression introduced in 7.3.5 bei the PRI optimizer --------------------------------------------------------------------------- +Version 7.4.5 [v7.4-stable] 2013-09-?? +- mmanon: removed the check for specific "terminator characters" after + last octet. As it turned out, this didn't work in practice as there + was an enormous set of potential terminator chars -- so removing + them was the best thing to do. Note that this may change behaviour of + existing installations. Yet, we still consider this an important + bugfix, that should be applied to the stable branch. + closes: http://bugzilla.adiscon.com/show_bug.cgi?id=477 + Thanks to Muri Cicanor for initiating the discussion +- bugfix: omprog blocked signals to executed programs + The made it impossible to send signals to programs executed via + omprog. + Thanks to Risto Vaarandi for the analysis and a patch. +- bugfix: doc: imuxsock legacy param $SystemLogSocketParseTrusted was + misspelled + Thanks to David Lang for alerting us +- bugfix: imfile "facility" input parameter improperly handled + caused facility not to be set, and severity to be overwritten with + the facility value. + Thanks to forum user dmunny for reporting this bug. +- bugfix: small memory leak in imfile when $ResetConfigVariables was used + Thanks to Grégory Nuyttens for reporting this bug and providig a fix +- bugfix: segfault on startup if TLS was used but no CA cert set +- bugfix: segfault on startup if TCP TLS was used but no cert or key set +- bugfix: some more build problems with newer json-c versions + Thanks to Michael Biebl for mentioning the problem. 
+- bugfix: build system: libgcrypt.h needed even if libgrcypt was disabled + Thanks to Jonny Törnbom for reporting this problem +--------------------------------------------------------------------------- Version 7.4.4 [v7.4-stable] 2013-09-03 - better error messages in GuardTime signature provider Thanks to Ahto Truu for providing the patch. diff --git a/doc/debug.html b/doc/debug.html index 557ca6d3..229aeb08 100644 --- a/doc/debug.html +++ b/doc/debug.html @@ -160,7 +160,11 @@ enable DebugOnDemand mode only for a reason. Note that when no debug mode is ena SIGUSR1 and SIGUSR2 are completely ignored. <p>When running in any of the debug modes (including on demand mode), an interactive instance of rsyslogd can be aborted by pressing ctl-c. -<p> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/how-to-use-debug-on-demand/">How to use debug on demand</a></li> +</ul> +</p> <p>[<a href="manual.html">manual index</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> <p><font size="2">This documentation is part of the <a href="http://www.rsyslog.com/">rsyslog</a> project.<br> diff --git a/doc/impstats.html b/doc/impstats.html index 8db9c6f6..6c44b0e9 100644 --- a/doc/impstats.html +++ b/doc/impstats.html @@ -81,6 +81,11 @@ If set to on, stats messages are emitted as structured cee-enhanced syslog. If set to off, legacy format is used (which is compatible with pre v6-rsyslog). </li> </ul> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/rsyslog-statistic-counter/">rsyslog statistics counter</a></li> +</ul> +</p> <b>Caveats/Known Bugs:</b> <ul> <li>This module MUST be loaded right at the top of rsyslog.conf, otherwise diff --git a/doc/imuxsock.html b/doc/imuxsock.html index 0affe8c3..e89a67aa 100644 --- a/doc/imuxsock.html +++ b/doc/imuxsock.html 
@@ -180,7 +180,13 @@ oneself has the advantage that a limited amount of messages may be queued by the OS if rsyslog is not running. </li> </ul> - +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/what-are-trusted-properties/">What are "trusted properties"?</a></li> +<li><a href="http://www.rsyslog.com/why-does-imuxsock-not-work-on-solaris/">Why does imuxsock not work +on Solaris?</a></li> +</ul> +</p> <b>Caveats/Known Bugs:</b><br> <ul> <li>There is a compile-time limit of 50 concurrent sockets. If you need more, you need to diff --git a/doc/mmanon.html b/doc/mmanon.html index 16065a1f..e14d75cf 100644 --- a/doc/mmanon.html +++ b/doc/mmanon.html @@ -18,14 +18,7 @@ Note that anonymization will break digital signatures on the message, if they exist. <p><i>How are IP-Addresses defined?</i> <p>We assume that an IP address consists of four octets in dotted notation, -where each of the octets has a value between 0 and 255, inclusively. After -the last octet, there must be either a space or a colon. So, for example, -"1.2.3.4 Test" and "1.2.3.4:514 Test" are detected as containing valid IP -addresses, whereas this is not the case for "1.2.300.4 Test" or -"1.2.3.4-Test". The message text may contain multiple addresses. If so, -each of them is anonimized (according to the same rules). -<b>Important:</b> We may change the set of acceptable characters after -the last octet in the future, if there are good reasons to do so. +where each of the octets has a value between 0 and 255, inclusively. <p> </p> <p><b>Module Configuration Parameters</b>:</p> diff --git a/doc/mmnormalize.html b/doc/mmnormalize.html index 787bd957..81100235 100644 --- a/doc/mmnormalize.html +++ b/doc/mmnormalize.html 
@@ -46,6 +46,17 @@ parameter. <li>$mmnormalizeUseRawMsg <on/off> - equivalent to the "useRawMsg" parameter. </ul> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/normalizer-first-steps-for-mmnormalize/">First steps for mmnormalize</a></li> +<li><a href="http://www.rsyslog.com/log-normalization-and-special-characters/">Log normalization and +special characters</a></li> +<li><a href="http://www.rsyslog.com/log-normalization-and-the-leading-space/">Log normalization and +the leading space</a></li> +<li><a href="http://www.rsyslog.com/using-rsyslog-mmnormalize-module-effectively-with-adiscon-loganalyzer/">Using +mmnormalize effectively with Adiscon LogAnalyzer</a></li> +</ul> +</p> <b>Caveats/Known Bugs:</b> <p>None known at this time. </ul> diff --git a/doc/omfile.html b/doc/omfile.html index 72320921..0f64f26f 100644 --- a/doc/omfile.html +++ b/doc/omfile.html @@ -97,6 +97,11 @@ sets a new default template for file actions.<br></li><br> </ul> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/how-to-sign-log-messages-through-signature-provider-guardtime/">Sign log messages through signature provider Guardtime</a></li> +</ul> +</p> <p><b>Caveats/Known Bugs:</b></p> <ul> <li>One needs to be careful with log rotation if signatures and/or encryption diff --git a/doc/omfwd.html b/doc/omfwd.html index 53f9e527..a541dd27 100644 --- a/doc/omfwd.html +++ b/doc/omfwd.html 
@@ -56,6 +56,11 @@ Permits to resend the last message when a connection is reconnected. This setting affects TCP-based syslog, only. It is most useful for traditional, plain TCP syslog. Using this protocol, it is not always possible to know which messages were successfully transmitted to the receiver when a connection breaks. In many cases, the last message sent is lost. By switching this setting to "yes", rsyslog will always retransmit the last message when a connection is reestablished. This reduces potential message loss, but comes at the price that some messages may be duplicated (what usually is more acceptable). <br></li><br> </ul> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/encrypted-disk-queues/">Encrypted Disk Queues</a></li> +</ul> +</p> <p><b>Caveats/Known Bugs:</b></p><ul><li>None.</li></ul> <p><b>Sample:</b></p> <p>The following command sends all syslog messages to a remote server via TCP port 10514.</p> diff --git a/doc/omruleset.html b/doc/omruleset.html index 41d6ccfc..f0d5f7bd 100644 --- a/doc/omruleset.html +++ b/doc/omruleset.html @@ -122,6 +122,11 @@ $ActionOmrulesetRulesetName nested # of course, we can have "regular" actions alongside :omrulset: actions *.* /path/to/general-message-file.log </textarea> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/rulesets-and-rsyslog-7-2/">Calling rulesets since rsyslog 7.2</a></li> +</ul> +</p> <p><b>Caveats/Known Bugs:</b> <p>The current configuration file language is not really adequate for a complex construct like omruleset. Unfortunately, more important work is currently preventing me from redoing the diff --git a/doc/property_replacer.html b/doc/property_replacer.html index 13ff41c3..7218c22e 100644 --- a/doc/property_replacer.html +++ b/doc/property_replacer.html 
@@ -746,13 +746,15 @@ use drop-cc and "drop-cc,escape-cc" will use escape-cc mode. options. It was initially introduced to support the "jsonf" option, for which it provides the capability to set an alternative field name. If it is not specified, it defaults to the property name. -<h2>Further Links</h2> +<b>See also</b> <ul> <li>Article on "<a href="rsyslog_recording_pri.html">Recording the Priority of Syslog Messages</a>" (describes use of templates to record severity and facility of a message)</li> <li><a href="rsyslog_conf.html">Configuration file format</a>, this is where you actually use the property replacer.</li> +<li><a href="http://www.rsyslog.com/what-is-the-difference-between-timereported-and-timegenerated/"> +Difference between timereported and timegenerated.</li> </ul> <p>[<a href="manual.html">manual index</a>] [<a href="rsyslog_conf.html">rsyslog.conf</a>] diff --git a/doc/queues.html b/doc/queues.html index 75b70fbf..85df9fef 100644 --- a/doc/queues.html +++ b/doc/queues.html @@ -386,6 +386,11 @@ it terminates. This includes data elements there were begun being processed by workers that needed to be cancelled due to too-long processing. For a large queue, this operation may be lengthy. No timeout applies to a required shutdown save.</p> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/encrypted-disk-queues/">Encrypted Disk Queues</a></li> +</ul> +</p> [<a href="manual.html">manual index</a>] [<a href="rsyslog_conf.html">rsyslog.conf</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> diff --git a/doc/rsyslog_conf_filter.html b/doc/rsyslog_conf_filter.html index a795193f..c8a40b6c 100644 --- a/doc/rsyslog_conf_filter.html +++ b/doc/rsyslog_conf_filter.html 
@@ -275,6 +275,11 @@ supported (except for "not" as outlined above). Please note that while it is possible to query facility and severity via property-based filters, it is far more advisable to use classic selectors (see above) for those cases.</p> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/filter-optimization-with-arrays/">Filter optimization with arrays</a></li> +</ul> +</p> <p>[<a href="manual.html">manual index</a>] [<a href="rsyslog_conf.html">rsyslog.conf</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> diff --git a/doc/rsyslog_conf_templates.html b/doc/rsyslog_conf_templates.html index 9a6e1619..38927c03 100644 --- a/doc/rsyslog_conf_templates.html +++ b/doc/rsyslog_conf_templates.html @@ -524,7 +524,13 @@ $template TraditionalForwardFormat,"<%PRI%>%TIMESTAMP% %HOSTNAME% %syslogtag:1:3 <br><br> $template StdSQLFormat,"insert into SystemEvents (Message, Facility, FromHost, Priority, DeviceReportedTime, ReceivedAt, InfoUnitID, SysLogTag) values ('%msg%', %syslogfacility%, '%HOSTNAME%', %syslogpriority%, '%timereported:::date-mysql%', '%timegenerated:::date-mysql%', %iut%, '%syslogtag%')",SQL </code></p> - +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/how-to-bind-a-template/">How to bind a template</a></li> +<li><a href="http://www.rsyslog.com/adding-the-bom-to-a-message/">Adding the BOM to a message</a></li> +<li><a href="http://www.rsyslog.com/article60/">How to separate log files by host name of the sending device</a></li> +</ul> +</p> <p>[<a href="manual.html">manual index</a>] [<a href="rsyslog_conf.html">rsyslog.conf</a>] [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> diff --git a/doc/rsyslog_packages.html b/doc/rsyslog_packages.html index 5bb62fa5..014791a3 100644 --- a/doc/rsyslog_packages.html +++ b/doc/rsyslog_packages.html 
@@ -81,5 +81,10 @@ of the distribution name. <p>If you do not find a suitable package for your distribution, there is no reason to panic. It is quite simple to install rsyslog from the source tarball, so you should consider that. +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/how-to-use-the-ubuntu-repository/">How to use the Ubuntu repository</a></li> +</ul> +</p> </body> </html> diff --git a/doc/sigprov_gt.html b/doc/sigprov_gt.html index caeee116..5ffd26d8 100644 --- a/doc/sigprov_gt.html +++ b/doc/sigprov_gt.html @@ -64,6 +64,12 @@ sig.keepRecordHashes requries). Note that both Tree and Record hashes can be kept inside the signature file. </li> </ul> +<p><b>See Also</b> +<ul> +<li><a href="http://www.rsyslog.com/how-to-sign-log-messages-through-signature-provider-guardtime/">How +to sign log messages through signature provider Guardtime</a></li> +</ul> +</p> <b>Caveats/Known Bugs:</b> <ul> <li>currently none known diff --git a/doc/troubleshoot.html b/doc/troubleshoot.html index 0f0c7fca..a0303a24 100644 --- a/doc/troubleshoot.html +++ b/doc/troubleshoot.html 
@@ -88,15 +88,19 @@ passwords or other sensitive data. If it does, you can change it to some <b>cons meaningless value. <b>Do not delete the lines</b>, as this renders the debug log unusable (and makes Rainer quite angry for wasted time, aka significantly reduces the chance he will remain motivated to look at your problem ;)). For the same reason, make sure -whatever you change is change consistently. Really! -<p>Debug log file can get quite large. Before submitting them, it is a good idea to zip them. -Rainer has handled files of around 1 to 2 GB. If your's is larger ask before submitting. Often, -it is sufficient to submit the first 2,000 lines of the log file and around another 1,000 around -the area where you see a problem. Also, -ask you can submit a file via private mail. Private mail is usually a good way to go for large files -or files with sensitive content. However, do NOT send anything sensitive that you do not want -the outside to be known. While Rainer so far made effort no to leak any sensitive information, -there is no guarantee that doesn't happen. If you need a guarantee, you are probably a +whatever you change is changed consistently. Really! +<p>While most debug log files are moderately large, some can get quite to extremly large. +For those on the larger side, it is a good idea to zip them. If the file is less than +around 100KiB, it's probably not necessary. +<p>A good place to post your debug log is at the +<a href="http://kb.monitorware.com/rsyslog-f40.html">rsyslog support forums</a>, together with +your question. This also enables us to keep track of the case. The forums accept attachments in +various common formats, but rejects others for security reasons. The zip, txt, and log extensions +are definitely permitted, so it probably is a good idea to use one of them. For others, please +simply try and revert to another format if the forum doesn't like what you used. 
+<p> +Please note that all information in your debug file is publically visiable. +If this is not acceptable for you, you are probably a candidate for a <a href="professional_support.html">commercial support contract</a>. Free support comes without any guarantees, include no guarantee on confidentiality [aka "we don't want to be sued for work were are not even paid for ;)]. @@ -156,7 +160,7 @@ need to program or do anything else except get a problem solved ;) [<a href="http://www.rsyslog.com/">rsyslog site</a>]</p> <p><font size="2">This documentation is part of the <a href="http://www.rsyslog.com/">rsyslog</a> project.<br> -Copyright © 2008-2010 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and +Copyright © 2008-2013 by <a href="http://www.gerhards.net/rainer">Rainer Gerhards</a> and <a href="http://www.adiscon.com/">Adiscon</a>. Released under the GNU GPL version 3 or higher.</font></p> </body> diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c index 45882fb2..9c824c18 100644 --- a/plugins/imfile/imfile.c +++ b/plugins/imfile/imfile.c @@ -473,7 +473,7 @@ CODESTARTnewInpInst } else if(!strcmp(inppblk.descr[i].name, "severity")) { inst->iSeverity = pvals[i].val.d.n; } else if(!strcmp(inppblk.descr[i].name, "facility")) { - inst->iSeverity = pvals[i].val.d.n; + inst->iFacility = pvals[i].val.d.n; } else if(!strcmp(inppblk.descr[i].name, "readmode")) { inst->readMode = pvals[i].val.d.n; } else if(!strcmp(inppblk.descr[i].name, "maxlinesatonce")) { @@ -832,8 +832,8 @@ resetConfigVariables(uchar __attribute__((unused)) *pp, void __attribute__((unus cs.pszFileName = NULL; free(cs.pszFileTag); cs.pszFileTag = NULL; - free(cs.pszFileTag); - cs.pszFileTag = NULL; + free(cs.pszStateFile); + cs.pszStateFile = NULL; /* set defaults... */ cs.iPollInterval = DFLT_PollInterval; diff --git a/plugins/mmanon/mmanon.c b/plugins/mmanon/mmanon.c index a1c99d09..7d8f9964 100644 --- a/plugins/mmanon/mmanon.c +++ b/plugins/mmanon/mmanon.c 
@@ -307,7 +307,7 @@ anonip(instanceData *pData, uchar *msg, int *pLenMsg, int *idx) ++i; ipstart[3] = i; octet = getnum(msg, lenMsg, &i); - if(octet > 255 || !(msg[i] == ' ' || msg[i] == ':')) goto done; + if(octet > 255) goto done; ipv4addr |= octet; /* OK, we now found an ip address */ diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c index aea8e321..d49667f9 100644 --- a/plugins/omelasticsearch/omelasticsearch.c +++ b/plugins/omelasticsearch/omelasticsearch.c @@ -58,10 +58,9 @@ DEFobjCurrIf(errmsg) DEFobjCurrIf(statsobj) statsobj_t *indexStats; -STATSCOUNTER_DEF(indexConFail, mutIndexConFail) STATSCOUNTER_DEF(indexSubmit, mutIndexSubmit) -STATSCOUNTER_DEF(indexFailed, mutIndexFailed) -STATSCOUNTER_DEF(indexSuccess, mutIndexSuccess) +STATSCOUNTER_DEF(indexHTTPFail, mutIndexHTTPFail) +STATSCOUNTER_DEF(indexESFail, mutIndexESFail) /* REST API for elasticsearch hits this URL: * http://<hostName>:<restPort>/<searchIndex>/<searchType> @@ -540,6 +539,9 @@ DBGPRINTF("omelasticsearch: %d items in reply\n", numitems); } finalize_it: + if(iRet != RS_RET_OK) { + STATSCOUNTER_INC(indexESFail, mutIndexESFail); + } RETiRet; } @@ -603,13 +605,12 @@ curlPost(instanceData *pData, uchar *message, int msglen, uchar **tpls) case CURLE_COULDNT_RESOLVE_PROXY: case CURLE_COULDNT_CONNECT: case CURLE_WRITE_ERROR: - STATSCOUNTER_INC(indexConFail, mutIndexConFail); + STATSCOUNTER_INC(indexHTTPFail, mutIndexHTTPFail); DBGPRINTF("omelasticsearch: we are suspending ourselfs due " "to failure %lld of curl_easy_perform()\n", (long long) code); ABORT_FINALIZE(RS_RET_SUSPENDED); default: - STATSCOUNTER_INC(indexSubmit, mutIndexSubmit); break; } @@ -639,6 +640,7 @@ ENDbeginTransaction BEGINdoAction CODESTARTdoAction + STATSCOUNTER_INC(indexSubmit, mutIndexSubmit); if(pData->bulkmode) { CHKiRet(buildBatch(pData, ppString[0], ppString)); } else { 
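Review bot: In the plugins/mmanon/mmanon.c hunk, the fourth-octet test `if(octet > 255) goto done;` now accepts any byte after the address, and nothing in the code says this is intentional. With the terminator test gone, dotted numeric strings that merely begin like an address (a version string such as "1.2.3.4.5", or an SNMP OID) will presumably be rewritten too, which matters when the anonymized log is later used for incident analysis. I would add a comment above the test, e.g. `/* no terminator check on purpose: any char may follow the last octet, so version strings and OIDs can match as well */`. anonip's body starts and ends outside the hunk, and getnum's handling of an empty digit run is not visible here.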
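Review bot: In the curlPost hunk of plugins/omelasticsearch/omelasticsearch.c, `failed.http` is incremented only for the connection-type curl codes listed before `default:`; every other non-OK result of curl_easy_perform() falls into `default: break;` and is counted nowhere. If that is not intended, a timeout or TLS failure would leave the counter at zero while messages are not delivered, so alerting built on impstats would miss it. A minimal change is `default: if(code != CURLE_OK) STATSCOUNTER_INC(indexHTTPFail, mutIndexHTTPFail); break;`. The start of the switch and the code after it are outside the hunk, so later code may already treat those results as errors.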
@@ -993,15 +995,13 @@ CODEmodInit_QueryRegCFSLineHdlr /* support statistics gathering */ CHKiRet(statsobj.Construct(&indexStats)); - CHKiRet(statsobj.SetName(indexStats, (uchar *)"elasticsearch")); - CHKiRet(statsobj.AddCounter(indexStats, (uchar *)"connfail", - ctrType_IntCtr, &indexConFail)); - CHKiRet(statsobj.AddCounter(indexStats, (uchar *)"submits", + CHKiRet(statsobj.SetName(indexStats, (uchar *)"omelasticsearch")); + CHKiRet(statsobj.AddCounter(indexStats, (uchar *)"submitted", ctrType_IntCtr, &indexSubmit)); - CHKiRet(statsobj.AddCounter(indexStats, (uchar *)"failed", - ctrType_IntCtr, &indexFailed)); - CHKiRet(statsobj.AddCounter(indexStats, (uchar *)"success", - ctrType_IntCtr, &indexSuccess)); + CHKiRet(statsobj.AddCounter(indexStats, (uchar *)"failed.http", + ctrType_IntCtr, &indexHTTPFail)); + CHKiRet(statsobj.AddCounter(indexStats, (uchar *)"failed.es", + ctrType_IntCtr, &indexESFail)); CHKiRet(statsobj.ConstructFinalize(indexStats)); ENDmodInit diff --git a/plugins/ommongodb/ommongodb.c b/plugins/ommongodb/ommongodb.c index 64d501d3..ecfd2518 100644 --- a/plugins/ommongodb/ommongodb.c +++ b/plugins/ommongodb/ommongodb.c @@ -35,7 +35,7 @@ #include <mongo.h> #include <json.h> /* For struct json_object_iter, should not be necessary in future versions */ -#include <json/json_object_private.h> +#include <json_object_private.h> #include "rsyslog.h" #include "conf.h" diff --git a/plugins/omprog/omprog.c b/plugins/omprog/omprog.c index 69261656..d821ff16 100644 --- a/plugins/omprog/omprog.c +++ b/plugins/omprog/omprog.c @@ -122,6 +122,7 @@ static void execBinary(instanceData *pData, int fdStdin) { int i; struct sigaction sigAct; + sigset_t set; char *newargv[] = { NULL }; char *newenviron[] = { NULL }; 
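Review bot: The modInit hunk of plugins/omelasticsearch/omelasticsearch.c renames the statistics object from `elasticsearch` to `omelasticsearch` and replaces the counters `connfail`, `submits`, `failed` and `success` with `submitted`, `failed.http` and `failed.es`, but the 7.4.5 ChangeLog entry in this commit does not mention it. Anything that parses impstats output by the old names (dashboards, alert rules on delivery failures) will silently stop matching after an upgrade within the stable branch. I would add a ChangeLog line such as `- omelasticsearch: statistics counters renamed to submitted, failed.http and failed.es` and describe the new counters in the module documentation.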
@@ -146,10 +147,12 @@ static void execBinary(instanceData *pData, int fdStdin) /* reset signal handlers to default */ memset(&sigAct, 0, sizeof(sigAct)); - sigfillset(&sigAct.sa_mask); + sigemptyset(&sigAct.sa_mask); sigAct.sa_handler = SIG_DFL; for(i = 1 ; i < NSIG ; ++i) sigaction(i, &sigAct, NULL); + sigemptyset(&set); + sigprocmask(SIG_SETMASK, &set, NULL); alarm(0); diff --git a/runtime/cryprov.h b/runtime/cryprov.h index 8496b745..005b33f7 100644 --- a/runtime/cryprov.h +++ b/runtime/cryprov.h @@ -24,8 +24,6 @@ #ifndef INCLUDED_CRYPROV_H #define INCLUDED_CRYPROV_H -#include <gcrypt.h> - /* interface */ BEGINinterface(cryprov) /* name must also be changed in ENDinterface macro! */ rsRetVal (*Construct)(void *ppThis); diff --git a/runtime/libgcry.h b/runtime/libgcry.h index b77b0f9e..83f508bf 100644 --- a/runtime/libgcry.h +++ b/runtime/libgcry.h @@ -21,7 +21,7 @@ #ifndef INCLUDED_LIBGCRY_H #define INCLUDED_LIBGCRY_H #include <stdint.h> - +#include <gcrypt.h> struct gcryctx_s { uchar *key; diff --git a/runtime/msg.c b/runtime/msg.c index 36cbd261..03906070 100644 --- a/runtime/msg.c +++ b/runtime/msg.c @@ -43,7 +43,7 @@ #include <libestr.h> #include <json.h> /* For struct json_object_iter, should not be necessary in future versions */ -#include <json/json_object_private.h> +#include <json_object_private.h> #if HAVE_MALLOC_H # include <malloc.h> #endif diff --git a/runtime/msg.h b/runtime/msg.h index ac220b63..e7babdbb 100644 --- a/runtime/msg.h +++ b/runtime/msg.h @@ -62,7 +62,6 @@ struct msg { once data has entered the queue, this property is no longer needed. */ pthread_mutex_t mut; int iRefCount; /* reference counter (0 = unused) */ - sbool bAlreadyFreed; /* aid to help detect a well-hidden bad bug -- TODO: remove when no longer needed */ sbool bParseSuccess; /* set to reflect state of last executed higher level parser */ short iSeverity; /* the severity 0..7 */ short iFacility; /* Facility code 0 .. 23*/ 
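Review bot: The two added lines `sigemptyset(&set); sigprocmask(SIG_SETMASK, &set, NULL);` in the second execBinary hunk of plugins/omprog/omprog.c sit under the existing comment "reset signal handlers to default", which does not describe them. Resetting dispositions and clearing the blocked mask are separate steps, and the mask is the part that survives exec, so it is what actually fixes the reported problem. I would add `/* the blocked-signal mask is inherited across exec: clear it so the child can receive signals */` above them. execBinary's body continues outside the hunk.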
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c index 6ef4feba..1110c7a4 100644 --- a/runtime/nsd_gtls.c +++ b/runtime/nsd_gtls.c @@ -2,7 +2,7 @@ * * An implementation of the nsd interface for GnuTLS. * - * Copyright (C) 2007, 2008 Rainer Gerhards and Adiscon GmbH. + * Copyright (C) 2007-2013 Rainer Gerhards and Adiscon GmbH. * * This file is part of the rsyslog runtime library. * @@ -547,10 +547,20 @@ gtlsAddOurCert(void) keyFile = glbl.GetDfltNetstrmDrvrKeyFile(); dbgprintf("GTLS certificate file: '%s'\n", certFile); dbgprintf("GTLS key file: '%s'\n", keyFile); + if(certFile == NULL) { + errmsg.LogError(0, RS_RET_CERT_MISSING, "error: certificate file is not set, cannot " + "continue"); + ABORT_FINALIZE(RS_RET_CERT_MISSING); + } + if(keyFile == NULL) { + errmsg.LogError(0, RS_RET_CERTKEY_MISSING, "error: key file is not set, cannot " + "continue"); + ABORT_FINALIZE(RS_RET_CERTKEY_MISSING); + } CHKgnutls(gnutls_certificate_set_x509_key_file(xcred, (char*)certFile, (char*)keyFile, GNUTLS_X509_FMT_PEM)); finalize_it: - if(iRet != RS_RET_OK) { + if(iRet != RS_RET_OK && iRet != RS_RET_CERT_MISSING && iRet != RS_RET_CERTKEY_MISSING) { pGnuErr = gtlsStrerror(gnuRet); errno = 0; errmsg.LogError(0, iRet, "error adding our certificate. GnuTLS error %d, message: '%s', " @@ -580,6 +590,11 @@ gtlsGlblInit(void) /* sets the trusted cas file */ cafile = glbl.GetDfltNetstrmDrvrCAF(); + if(cafile == NULL) { + errmsg.LogError(0, RS_RET_CA_CERT_MISSING, "error: ca certificate is not set, cannot " + "continue"); + ABORT_FINALIZE(RS_RET_CA_CERT_MISSING); + } dbgprintf("GTLS CA file: '%s'\n", cafile); gnuRet = gnutls_certificate_set_x509_trust_file(xcred, (char*)cafile, GNUTLS_X509_FMT_PEM); if(gnuRet < 0) { diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h index 47b34783..e62ba867 100644 --- a/runtime/rsyslog.h +++ b/runtime/rsyslog.h 
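Review bot: In the gtlsAddOurCert hunk of runtime/nsd_gtls.c, the new NULL checks come after the two `dbgprintf(... '%s' ...)` calls that format `certFile` and `keyFile`, so an unset value is still passed to `%s` before it is rejected. If dbgprintf forwards to a printf-family function, that is undefined behaviour and can crash on C libraries that do not print "(null)", which would keep the startup segfault alive on those platforms. The gtlsGlblInit hunk in the same file already places its `cafile == NULL` check before the dbgprintf; moving the two checks above the dbgprintf lines here makes both functions consistent. Both functions start outside their hunks.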
@@ -3,7 +3,7 @@ * * Begun 2005-09-15 RGerhards * - * Copyright (C) 2005-2008 by Rainer Gerhards and Adiscon GmbH + * Copyright (C) 2005-2013 by Rainer Gerhards and Adiscon GmbH * * This file is part of the rsyslog runtime library. * @@ -413,6 +413,9 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth RS_RET_CRY_INVLD_ALGO = -2326,/**< user specified invalid (unkonwn) crypto algorithm */ RS_RET_CRY_INVLD_MODE = -2327,/**< user specified invalid (unkonwn) crypto mode */ RS_RET_QUEUE_DISK_NO_FN = -2328,/**< disk queue configured, but filename not set */ + RS_RET_CA_CERT_MISSING = -2329,/**< a CA cert is missing where one is required (e.g. TLS) */ + RS_RET_CERT_MISSING = -2330,/**< a cert is missing where one is required (e.g. TLS) */ + RS_RET_CERTKEY_MISSING = -2331,/**< a cert (private) key is missing where one is required (e.g. TLS) */ /* RainerScript error messages (range 1000.. 1999) */ RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */ @@ -948,6 +948,8 @@ finalize_it: if(iRet != RS_RET_OK) { if(pThis->pNS != NULL) netstrms.Destruct(&pThis->pNS); + errmsg.LogError(0, iRet, "tcpsrv could not create listener (inputname: '%s')", + (pThis->pszInputName == NULL) ? (uchar*)"*UNSET*" : pThis->pszInputName); } RETiRet; } |