From 80f88242982c9c6ad6ce8628fc5b94ea74051cf4 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 2 Jul 2013 11:48:52 +0200 Subject: bugfix: double-free in omelasticsearch closes: http://bugzilla.adiscon.com/show_bug.cgi?id=461 Thanks to Marius Ionescu for providing a detailled bug report --- ChangeLog | 3 +++ plugins/omelasticsearch/omelasticsearch.c | 1 - 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index cb93bda0..729c360e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,9 @@ Version 7.4.2 [v7.4-stable] 2013-06-?? - bugfix: RainerScript object required parameters were not properly checked - this clould result to segfaults on startup if parameters were missing. +- bugfix: double-free in omelasticsearch + closes: http://bugzilla.adiscon.com/show_bug.cgi?id=461 + Thanks to Marius Ionescu for providing a detailled bug report - bugfix: omrelp potential segfault at startup on invalid config parameters - bugfix: small memory leak when $uptime property was used - bugfix: potential segfault on rsyslog termination in imudp diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c index 33e58c1a..57abefdd 100644 --- a/plugins/omelasticsearch/omelasticsearch.c +++ b/plugins/omelasticsearch/omelasticsearch.c @@ -483,7 +483,6 @@ writeDataError(instanceData *pData, cJSON **pReplyRoot, uchar *reqmsg) DBGPRINTF("omelasticsearch: error %d writing error file, write returns %lld\n", errno, (long long) wrRet); } - free(rendered); cJSON_Delete(errRoot); *pReplyRoot = NULL; /* tell caller not to delete once again! */ -- cgit v1.2.3 From 8597fdd3b9c1605ddbfd8885696e6f99afda6a3b Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 2 Jul 2013 14:51:06 +0200 Subject: omrelp: add "windowSize" parameter to set custom RELP window size --- ChangeLog | 1 + plugins/omrelp/omrelp.c | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/ChangeLog b/ChangeLog index 63cef548..974769f4 100644 
--- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ Version 7.5.2 [devel] 2013-0?-?? - librelp 1.1.4 is now required We use API extensions for better error reporting and higher performance. - omrelp: use transactional mode to make imrelp emit bulk sends +- omrelp: add "windowSize" parameter to set custom RELP window size - doc: fixed various typos closes: http://bugzilla.adiscon.com/show_bug.cgi?id=391 Thanks to Georgi Georgiev for the patch. diff --git a/plugins/omrelp/omrelp.c b/plugins/omrelp/omrelp.c index d41b46a6..898bafe2 100644 --- a/plugins/omrelp/omrelp.c +++ b/plugins/omrelp/omrelp.c @@ -65,6 +65,7 @@ typedef struct _instanceData { uchar *port; int bInitialConnect; /* is this the initial connection request of our module? (0-no, 1-yes) */ int bIsConnected; /* currently connected to server? 0 - no, 1 - yes */ + int sizeWindow; /**< the RELP window size - 0=use default */ unsigned timeout; unsigned rebindInterval; unsigned nSent; @@ -104,6 +105,7 @@ static struct cnfparamdescr actpdescr[] = { { "tls.permittedpeer", eCmdHdlrArray, 0 }, { "port", eCmdHdlrGetWord, 0 }, { "rebindinterval", eCmdHdlrInt, 0 }, + { "windowsize", eCmdHdlrInt, 0 }, { "timeout", eCmdHdlrInt, 0 }, { "template", eCmdHdlrGetWord, 0 } }; @@ -157,6 +159,8 @@ doCreateRelpClient(instanceData *pData) ABORT_FINALIZE(RS_RET_RELP_ERR); if(relpCltSetTimeout(pData->pRelpClt, pData->timeout) != RELP_RET_OK) ABORT_FINALIZE(RS_RET_RELP_ERR); + if(relpCltSetWindowSize(pData->pRelpClt, pData->sizeWindow) != RELP_RET_OK) + ABORT_FINALIZE(RS_RET_RELP_ERR); if(relpCltSetUsrPtr(pData->pRelpClt, pData) != RELP_RET_OK) ABORT_FINALIZE(RS_RET_RELP_ERR); if(pData->bEnableTLS) { @@ -195,6 +199,7 @@ finalize_it: BEGINcreateInstance CODESTARTcreateInstance + pData->sizeWindow = 0; pData->timeout = 90; pData->rebindInterval = 0; pData->bEnableTLS = DFLT_ENABLE_TLS; 
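Review bot: The configured `windowsize` reaches `relpCltSetWindowSize()` in the doCreateRelpClient hunk with no range check. The only conversion is the `(int)` cast in the CODESTARTnewActInst hunk further down, so a negative number is passed on as-is and an oversized one would be truncated if `val.d.n` is wider than int (its type is not visible here). Since the struct comment reserves 0 for "use default", the parameter handler should reject out-of-range input before the cast, e.g. `if(pvals[i].val.d.n < 0 || pvals[i].val.d.n > INT_MAX)` followed by the module's usual config-error exit. How librelp treats a 0 or negative size is not shown on this page, so it would be safer to guard the setter as `if(pData->sizeWindow != 0 && relpCltSetWindowSize(pData->pRelpClt, pData->sizeWindow) != RELP_RET_OK)`. Both functions continue outside their hunks.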
@@ -233,6 +238,7 @@ setInstParamDefaults(instanceData *pData) pData->port = NULL; pData->tplName = NULL; pData->timeout = 90; + pData->sizeWindow = 0; pData->rebindInterval = 0; pData->bEnableTLS = DFLT_ENABLE_TLS; pData->bEnableTLSZip = DFLT_ENABLE_TLSZIP; @@ -269,6 +275,8 @@ CODESTARTnewActInst pData->timeout = (unsigned) pvals[i].val.d.n; } else if(!strcmp(actpblk.descr[i].name, "rebindinterval")) { pData->rebindInterval = (unsigned) pvals[i].val.d.n; + } else if(!strcmp(actpblk.descr[i].name, "windowsize")) { + pData->sizeWindow = (int) pvals[i].val.d.n; } else if(!strcmp(actpblk.descr[i].name, "tls")) { pData->bEnableTLS = (unsigned) pvals[i].val.d.n; } else if(!strcmp(actpblk.descr[i].name, "tls.compression")) { -- cgit v1.2.3 From d8a9b4cf2a3d5d68fb476712d92ab4aba31fc528 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 2 Jul 2013 14:58:00 +0200 Subject: doc: rollback html edit of imfile doc The html editor did a total rewrite, which causes merges from older versions to fail miserably. --- doc/imfile.html | 395 +++++++++++++++++++++++++++++++++----------------------- 1 file changed, 230 insertions(+), 165 deletions(-) diff --git a/doc/imfile.html b/doc/imfile.html index 88f0d39f..274d6e60 100644 --- a/doc/imfile.html +++ b/doc/imfile.html @@ -1,156 +1,218 @@ - - - - Text File Input Monitor - - -

- back

-

- Text File Input Module

-

- Module Name:    imfile

-

- Author: Rainer Gerhards <rgerhards@adiscon.com>

-

- Description:

-

- Provides the ability to convert any standard text file into a syslog message. A standard text file is a file consisting of printable characters with lines being delimited by LF.

-

- The file is read line-by-line and any line read is passed to rsyslog's rule engine. The rule engine applies filter conditons and selects which actions needs to be carried out. Empty lines are not processed, as they would result in empty syslog records. They are simply ignored.

-

- As new lines are written they are taken from the file and processed. Please note that this happens based on a polling interval and not immediately. The file monitor support file rotation. To fully work, rsyslogd must run while the file is rotated. Then, any remaining lines from the old file are read and processed and when done with that, the new file is being processed from the beginning. If rsyslogd is stopped during rotation, the new file is read, but any not-yet-reported lines from the previous file can no longer be obtained.

-

- When rsyslogd is stopped while monitoring a text file, it records the last processed location and continues to work from there upon restart. So no data is lost during a restart (except, as noted above, if the file is rotated just in this very moment).

-

- Currently, the file must have a fixed name and location (directory). It is planned to add support for dynamically generating file names in the future.

-

- Multiple files may be monitored by specifying $InputRunFileMonitor multiple times.

-

- Configuration Directives:

-

- Module Directives

-
    -
  • - PollingInterval seconds
    - This is a global setting. It specifies how often files are to be polled for new data. The time specified is in seconds. The default value is 10 seconds. Please note that future releases of imfile may support per-file polling intervals, but currently this is not the case. If multiple PollingInterval statements are present in rsyslog.conf, only the last one is used.
    - A short poll interval provides more rapid message forwarding, but requires more system ressources. While it is possible, we stongly recommend not to set the polling interval to 0 seconds. That will make rsyslogd become a CPU hog, taking up considerable ressources. It is supported, however, for the few very unusual situations where this level may be needed. Even if you need quick response, 1 seconds should be well enough. Please note that imfile keeps reading files as long as there is any data in them. So a "polling sleep" will only happen when nothing is left to be processed.
  • -
-

- Action Directives

-
    -
  • - (required) File /path/to/file
    - The file being monitored. So far, this must be an absolute name (no macros or templates).
  • -
  • - (required) Tag tag:
    - The syslog tag to be used for messages that originate from this file. If you would like to see the colon after the tag, you need to specify it here (as shown above).
  • -
  • - (required) StateFile <name-of-state-file>
    - Rsyslog must keep track of which parts of the to be monitored file it already processed. This is done in the state file. This file always is created in the rsyslog working directory (configurable via $WorkDirectory). So you need to provide a file name here, not a path. Be careful to use unique names for different files being monitored. If there are duplicates, all sorts of "interesting" things may happen. Rsyslog currently does not check if a name is specified multiple times. Note that when $WorkDirectory is not set or set to a non-writable location, the state file will not be generated.
  • -
  • - Facility facility
    - The syslog facility to be assigned to lines read. Can be specified in textual form (e.g. "local0", "local1", ...) or as numbers (e.g. 128 for "local0"). Textual form is suggested. Default  is "local0".
  • -
  • - Severity
    - The syslog severity to be assigned to lines read. Can be specified in textual form (e.g. "info", "warning", ...) or as numbers (e.g. 4 for "info"). Textual form is suggested. Default is "notice".
  • -
  • - PersistStateInterval [lines]
    - Specifies how often the state file shall be written when processing the input file. The default value is 0, which means a new state file is only written when the monitored files is being closed (end of rsyslogd execution). Any other value n means that the state file is written every time n file lines have been processed. This setting can be used to guard against message duplication due to fatal errors (like power fail). Note that this setting affects imfile performance, especially when set to a low value. Frequently writing the state file is very time consuming.
  • -
  • - ReadMode [mode]
    - This mode should defined when having multiline messages. The value can range from 0-2 and determines the multiline detection method.
    - 0 (default) - line based (Each line is a new message)
    - 1 - paragraph (There is a blank line between log messages)
    - 2 - indented (New log messages start at the beginning of a line. If a line starts with a space it is part of the log message before it)
  • -
  • - MaxLinesAtOnce [number]
    - This is useful if multiple files need to be monitored. If set to 0, each file will be fully processed and then processing switches to the next file (this was the default in previous versions). If it is set, a maximum of [number] lines is processed in sequence for each file, and then the file is switched. This provides a kind of mutiplexing the load of multiple files and probably leads to a more natural distribution of events when multiple busy files are monitored. The default is 1024.
  • -
  • - MaxSubmitAtOnce [number]
    - This is an expert option. It can be used to set the maximum input batch size that imfile can generate. The default is 1024, which is suitable for a wide range of applications. Be sure to understand rsyslog message batch processing before you modify this option. If you do not know what this doc here talks about, this is a good indication that you should NOT modify the default.
  • -
  • - Ruleset <ruleset> Binds the listener to a specific ruleset.
  • -
-

- Caveats/Known Bugs:

-

- So far, only 100 files can be monitored. If more are needed, the source needs to be patched. See define MAX_INPUT_FILES in imfile.c

-

- Powertop users may want to notice that imfile utilizes polling. Thus, it is no good citizen when it comes to conserving system power consumption. We are currently evaluating to move to inotify(). However, there are a number of subtle issues, which needs to be worked out first. We will make the change as soon as we can. If you can afford it, we recommend using a long polling interval in the mean time.

-

- Sample:

-

- The following sample monitors two files. If you need just one, remove the second one. If you need more, add them according to the sample ;). This code must be placed in /etc/rsyslog.conf (or wherever your distro puts rsyslog's config files). Note that only commands actually needed need to be specified. The second file uses less commands and uses defaults instead.

-

-

-

- Legacy Configuration Directives:

-
    -
  • - $InputFileName /path/to/file
    - equivalent to: File
  • -
  • - $InputFileTag tag:
    - equivalent to: Tag
  • -
  • - $InputFileStateFile <name-of-state-file>
    - equivalent to: StateFile
  • -
  • - $InputFileFacility facility
    - equivalent to: Facility
  • -
  • - $InputFileSeverity
    - equivalent to: Severity
  • -
  • - $InputRunFileMonitor
    - This activates the current monitor. It has no parameters. If you forget this directive, no file monitoring will take place.
  • -
  • - $InputFilePollInterval seconds
    - equivalent to: PollingInterva
  • -
  • - $InputFilePersistStateInterval [lines]
    - Available in 4.7.3+, 5.6.2+
    - equivalent to: PersistStateInterval
  • -
  • - $InputFileReadMode [mode]
    - Available in 5.7.5+
    - equivalent to: ReadMode
  • -
  • - $InputFileMaxLinesAtOnce [number]
    - Available in 5.9.0+
    - equivalent to: MaxLinesAtOnce
  • -
  • - $InputFileBindRuleset <ruleset>
    - Available in 5.7.5+, 6.1.5+
    - equivalent to: Ruleset
  • -
-

- Caveats/Known Bugs:

-

- So far, only 100 files can be monitored. If more are needed, the source needs to be patched. See define MAX_INPUT_FILES in imfile.c

-

- Powertop users may want to notice that imfile utilizes polling. Thus, it is no good citizen when it comes to conserving system power consumption. We are currently evaluating to move to inotify(). However, there are a number of subtle issues, which needs to be worked out first. We will make the change as soon as we can. If you can afford it, we recommend using a long polling interval in the mean time.

-

- Sample:

-

- The following sample monitors two files. If you need just one, remove the second one. If you need more, add them according to the sample ;). This code must be placed in /etc/rsyslog.conf (or wherever your distro puts rsyslog's config files). Note that only commands actually needed need to be specified. The second file uses less commands and uses defaults instead.

-

- + + +

Legacy Configuration Directives:

+
    +
  • $InputFileName /path/to/file
    +equivalent to: File
  • +
  • $InputFileTag +tag:
    +equivalent to: Tag
  • +
  • $InputFileStateFile +<name-of-state-file>
    +equivalent to: StateFile
  • +
  • $InputFileFacility +facility
    +equivalent to: Facility
  • +
  • $InputFileSeverity
    +equivalent to: Severity
  • +
  • $InputRunFileMonitor
    +This activates +the current monitor. It has no parameters. If you forget this +directive, no file monitoring will take place.
  • +
  • $InputFilePollInterval +seconds
    +equivalent to: PollingInterva
  • +
  • $InputFilePersistStateInterval [lines]
    +Available in 4.7.3+, 5.6.2+
    +equivalent to: PersistStateInterval +
  • $InputFileReadMode [mode]
    +Available in 5.7.5+
    +equivalent to: ReadMode +
  • $InputFileMaxLinesAtOnce [number]
    +Available in 5.9.0+
    +equivalent to: MaxLinesAtOnce +
  • $InputFileBindRuleset <ruleset>
    +Available in 5.7.5+, 6.1.5+
    +equivalent to: Ruleset
  • +
+Caveats/Known Bugs: +

So far, only 100 files can be monitored. If more are needed, +the source needs to be patched. See define MAX_INPUT_FILES in imfile.c

Powertop +users may want to notice that imfile utilizes polling. Thus, it is no +good citizen when it comes to conserving system power consumption. We +are currently evaluating to move to inotify(). However, there are a +number of subtle issues, which needs to be worked out first. We will +make the change as soon as we can. If you can afford it, we recommend +using a long polling interval in the mean time. +

+

Sample:

+

The following sample monitors two files. If you need just one, +remove the second one. If you need more, add them according to the +sample ;). This code must be placed in /etc/rsyslog.conf (or wherever +your distro puts rsyslog's config files). Note that only commands +actually needed need to be specified. The second file uses less +commands and uses defaults instead.
+

+

-

- [rsyslog.conf overview] [manual index] [rsyslog site]

-

- This documentation is part of the rsyslog project.
- Copyright © 2008 by Rainer Gerhards and Adiscon. Released under the GNU GPL version 3 or higher.

- - +# File 2 +$InputFileName /path/to/file2 +$InputFileTag tag2: +$InputFileStateFile stat-file2 +$InputRunFileMonitor +# ... and so on ... +# +# check for new lines every 10 seconds +$InputFilePollingInterval 10 + +

[rsyslog.conf overview] +[manual index] [rsyslog site]

+

This documentation is part of the +rsyslog project.
+Copyright © 2008 by Rainer +Gerhards and Adiscon. +Released under the GNU GPL version 3 or higher.

+ -- cgit v1.2.3 From a4ce0065de7bcea8ddc93057c61a23a8429882aa Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 2 Jul 2013 15:00:39 +0200 Subject: rollback html editor rewrite of imfile --- doc/imfile.html | 395 +++++++++++++++++++++++++++++++++----------------------- 1 file changed, 230 insertions(+), 165 deletions(-) diff --git a/doc/imfile.html b/doc/imfile.html index 88f0d39f..274d6e60 100644 --- a/doc/imfile.html +++ b/doc/imfile.html @@ -1,156 +1,218 @@ - - - - Text File Input Monitor - - -

- back

-

- Text File Input Module

-

- Module Name:    imfile

-

- Author: Rainer Gerhards <rgerhards@adiscon.com>

-

- Description:

-

- Provides the ability to convert any standard text file into a syslog message. A standard text file is a file consisting of printable characters with lines being delimited by LF.

-

- The file is read line-by-line and any line read is passed to rsyslog's rule engine. The rule engine applies filter conditons and selects which actions needs to be carried out. Empty lines are not processed, as they would result in empty syslog records. They are simply ignored.

-

- As new lines are written they are taken from the file and processed. Please note that this happens based on a polling interval and not immediately. The file monitor support file rotation. To fully work, rsyslogd must run while the file is rotated. Then, any remaining lines from the old file are read and processed and when done with that, the new file is being processed from the beginning. If rsyslogd is stopped during rotation, the new file is read, but any not-yet-reported lines from the previous file can no longer be obtained.

-

- When rsyslogd is stopped while monitoring a text file, it records the last processed location and continues to work from there upon restart. So no data is lost during a restart (except, as noted above, if the file is rotated just in this very moment).

-

- Currently, the file must have a fixed name and location (directory). It is planned to add support for dynamically generating file names in the future.

-

- Multiple files may be monitored by specifying $InputRunFileMonitor multiple times.

-

- Configuration Directives:

-

- Module Directives

-
    -
  • - PollingInterval seconds
    - This is a global setting. It specifies how often files are to be polled for new data. The time specified is in seconds. The default value is 10 seconds. Please note that future releases of imfile may support per-file polling intervals, but currently this is not the case. If multiple PollingInterval statements are present in rsyslog.conf, only the last one is used.
    - A short poll interval provides more rapid message forwarding, but requires more system ressources. While it is possible, we stongly recommend not to set the polling interval to 0 seconds. That will make rsyslogd become a CPU hog, taking up considerable ressources. It is supported, however, for the few very unusual situations where this level may be needed. Even if you need quick response, 1 seconds should be well enough. Please note that imfile keeps reading files as long as there is any data in them. So a "polling sleep" will only happen when nothing is left to be processed.
  • -
-

- Action Directives

-
    -
  • - (required) File /path/to/file
    - The file being monitored. So far, this must be an absolute name (no macros or templates).
  • -
  • - (required) Tag tag:
    - The syslog tag to be used for messages that originate from this file. If you would like to see the colon after the tag, you need to specify it here (as shown above).
  • -
  • - (required) StateFile <name-of-state-file>
    - Rsyslog must keep track of which parts of the to be monitored file it already processed. This is done in the state file. This file always is created in the rsyslog working directory (configurable via $WorkDirectory). So you need to provide a file name here, not a path. Be careful to use unique names for different files being monitored. If there are duplicates, all sorts of "interesting" things may happen. Rsyslog currently does not check if a name is specified multiple times. Note that when $WorkDirectory is not set or set to a non-writable location, the state file will not be generated.
  • -
  • - Facility facility
    - The syslog facility to be assigned to lines read. Can be specified in textual form (e.g. "local0", "local1", ...) or as numbers (e.g. 128 for "local0"). Textual form is suggested. Default  is "local0".
  • -
  • - Severity
    - The syslog severity to be assigned to lines read. Can be specified in textual form (e.g. "info", "warning", ...) or as numbers (e.g. 4 for "info"). Textual form is suggested. Default is "notice".
  • -
  • - PersistStateInterval [lines]
    - Specifies how often the state file shall be written when processing the input file. The default value is 0, which means a new state file is only written when the monitored files is being closed (end of rsyslogd execution). Any other value n means that the state file is written every time n file lines have been processed. This setting can be used to guard against message duplication due to fatal errors (like power fail). Note that this setting affects imfile performance, especially when set to a low value. Frequently writing the state file is very time consuming.
  • -
  • - ReadMode [mode]
    - This mode should defined when having multiline messages. The value can range from 0-2 and determines the multiline detection method.
    - 0 (default) - line based (Each line is a new message)
    - 1 - paragraph (There is a blank line between log messages)
    - 2 - indented (New log messages start at the beginning of a line. If a line starts with a space it is part of the log message before it)
  • -
  • - MaxLinesAtOnce [number]
    - This is useful if multiple files need to be monitored. If set to 0, each file will be fully processed and then processing switches to the next file (this was the default in previous versions). If it is set, a maximum of [number] lines is processed in sequence for each file, and then the file is switched. This provides a kind of mutiplexing the load of multiple files and probably leads to a more natural distribution of events when multiple busy files are monitored. The default is 1024.
  • -
  • - MaxSubmitAtOnce [number]
    - This is an expert option. It can be used to set the maximum input batch size that imfile can generate. The default is 1024, which is suitable for a wide range of applications. Be sure to understand rsyslog message batch processing before you modify this option. If you do not know what this doc here talks about, this is a good indication that you should NOT modify the default.
  • -
  • - Ruleset <ruleset> Binds the listener to a specific ruleset.
  • -
-

- Caveats/Known Bugs:

-

- So far, only 100 files can be monitored. If more are needed, the source needs to be patched. See define MAX_INPUT_FILES in imfile.c

-

- Powertop users may want to notice that imfile utilizes polling. Thus, it is no good citizen when it comes to conserving system power consumption. We are currently evaluating to move to inotify(). However, there are a number of subtle issues, which needs to be worked out first. We will make the change as soon as we can. If you can afford it, we recommend using a long polling interval in the mean time.

-

- Sample:

-

- The following sample monitors two files. If you need just one, remove the second one. If you need more, add them according to the sample ;). This code must be placed in /etc/rsyslog.conf (or wherever your distro puts rsyslog's config files). Note that only commands actually needed need to be specified. The second file uses less commands and uses defaults instead.

-

-

-

- Legacy Configuration Directives:

-
    -
  • - $InputFileName /path/to/file
    - equivalent to: File
  • -
  • - $InputFileTag tag:
    - equivalent to: Tag
  • -
  • - $InputFileStateFile <name-of-state-file>
    - equivalent to: StateFile
  • -
  • - $InputFileFacility facility
    - equivalent to: Facility
  • -
  • - $InputFileSeverity
    - equivalent to: Severity
  • -
  • - $InputRunFileMonitor
    - This activates the current monitor. It has no parameters. If you forget this directive, no file monitoring will take place.
  • -
  • - $InputFilePollInterval seconds
    - equivalent to: PollingInterva
  • -
  • - $InputFilePersistStateInterval [lines]
    - Available in 4.7.3+, 5.6.2+
    - equivalent to: PersistStateInterval
  • -
  • - $InputFileReadMode [mode]
    - Available in 5.7.5+
    - equivalent to: ReadMode
  • -
  • - $InputFileMaxLinesAtOnce [number]
    - Available in 5.9.0+
    - equivalent to: MaxLinesAtOnce
  • -
  • - $InputFileBindRuleset <ruleset>
    - Available in 5.7.5+, 6.1.5+
    - equivalent to: Ruleset
  • -
-

- Caveats/Known Bugs:

-

- So far, only 100 files can be monitored. If more are needed, the source needs to be patched. See define MAX_INPUT_FILES in imfile.c

-

- Powertop users may want to notice that imfile utilizes polling. Thus, it is no good citizen when it comes to conserving system power consumption. We are currently evaluating to move to inotify(). However, there are a number of subtle issues, which needs to be worked out first. We will make the change as soon as we can. If you can afford it, we recommend using a long polling interval in the mean time.

-

- Sample:

-

- The following sample monitors two files. If you need just one, remove the second one. If you need more, add them according to the sample ;). This code must be placed in /etc/rsyslog.conf (or wherever your distro puts rsyslog's config files). Note that only commands actually needed need to be specified. The second file uses less commands and uses defaults instead.

-

- + + +

Legacy Configuration Directives:

+
    +
  • $InputFileName /path/to/file
    +equivalent to: File
  • +
  • $InputFileTag +tag:
    +equivalent to: Tag
  • +
  • $InputFileStateFile +<name-of-state-file>
    +equivalent to: StateFile
  • +
  • $InputFileFacility +facility
    +equivalent to: Facility
  • +
  • $InputFileSeverity
    +equivalent to: Severity
  • +
  • $InputRunFileMonitor
    +This activates +the current monitor. It has no parameters. If you forget this +directive, no file monitoring will take place.
  • +
  • $InputFilePollInterval +seconds
    +equivalent to: PollingInterva
  • +
  • $InputFilePersistStateInterval [lines]
    +Available in 4.7.3+, 5.6.2+
    +equivalent to: PersistStateInterval +
  • $InputFileReadMode [mode]
    +Available in 5.7.5+
    +equivalent to: ReadMode +
  • $InputFileMaxLinesAtOnce [number]
    +Available in 5.9.0+
    +equivalent to: MaxLinesAtOnce +
  • $InputFileBindRuleset <ruleset>
    +Available in 5.7.5+, 6.1.5+
    +equivalent to: Ruleset
  • +
+Caveats/Known Bugs: +

So far, only 100 files can be monitored. If more are needed, +the source needs to be patched. See define MAX_INPUT_FILES in imfile.c

Powertop +users may want to notice that imfile utilizes polling. Thus, it is no +good citizen when it comes to conserving system power consumption. We +are currently evaluating to move to inotify(). However, there are a +number of subtle issues, which needs to be worked out first. We will +make the change as soon as we can. If you can afford it, we recommend +using a long polling interval in the mean time. +

+

Sample:

+

The following sample monitors two files. If you need just one, +remove the second one. If you need more, add them according to the +sample ;). This code must be placed in /etc/rsyslog.conf (or wherever +your distro puts rsyslog's config files). Note that only commands +actually needed need to be specified. The second file uses less +commands and uses defaults instead.
+

+

-

- [rsyslog.conf overview] [manual index] [rsyslog site]

-

- This documentation is part of the rsyslog project.
- Copyright © 2008 by Rainer Gerhards and Adiscon. Released under the GNU GPL version 3 or higher.

- - +# File 2 +$InputFileName /path/to/file2 +$InputFileTag tag2: +$InputFileStateFile stat-file2 +$InputRunFileMonitor +# ... and so on ... +# +# check for new lines every 10 seconds +$InputFilePollingInterval 10 + +

[rsyslog.conf overview] +[manual index] [rsyslog site]

+

This documentation is part of the +rsyslog project.
+Copyright © 2008 by Rainer +Gerhards and Adiscon. +Released under the GNU GPL version 3 or higher.

+ -- cgit v1.2.3 From 887774fc1575f76368b13b9a9e26e344a1f16d45 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 2 Jul 2013 15:23:28 +0200 Subject: doc/imfile: re-do spelling corrections --- doc/imfile.html | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/doc/imfile.html b/doc/imfile.html index 274d6e60..dd62c86f 100644 --- a/doc/imfile.html +++ b/doc/imfile.html @@ -14,7 +14,7 @@ a syslog message. A standard text file is a file consisting of printable characters with lines being delimited by LF.

The file is read line-by-line and any line read is passed to -rsyslog's rule engine. The rule engine applies filter conditons and +rsyslog's rule engine. The rule engine applies filter conditions and selects which actions needs to be carried out. Empty lines are not processed, as they would result in empty syslog records. They are simply ignored.

@@ -49,9 +49,9 @@ releases of imfile may support per-file polling intervals, but currently this is not the case. If multiple PollingInterval statements are present in rsyslog.conf, only the last one is used.
A short poll interval provides more rapid message forwarding, but -requires more system ressources. While it is possible, we stongly +requires more system resources. While it is possible, we stongly recommend not to set the polling interval to 0 seconds. That will make -rsyslogd become a CPU hog, taking up considerable ressources. It is +rsyslogd become a CPU hog, taking up considerable resources. It is supported, however, for the few very unusual situations where this level may be needed. Even if you need quick response, 1 seconds should be well enough. Please note that imfile keeps reading files as long as -- cgit v1.2.3 From b81919fe9c2b427735339faad5a0879039041f13 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 2 Jul 2013 15:31:17 +0200 Subject: doc: add new omrelp parameter "windowSize" --- doc/omrelp.html | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/doc/omrelp.html b/doc/omrelp.html index 30ac3daa..8049ebaf 100644 --- a/doc/omrelp.html +++ b/doc/omrelp.html @@ -34,6 +34,19 @@ must be used. Timeout for relp sessions. If set too low, valid sessions may be considered dead and tried to recover. +
  • windowSize (not mandatory, default 0)
    + This is an expert parameter. It permits to override the + RELP window size being used by the client. Changing the window + size has both an effect on performance as well as potential + message duplication in failure case. A larger window size means + more performance, but also potentially more duplicated + messages - and vice versa. The default 0 means that librelp's + default window size is being used, which is considered a + compromise between goals reached. For your information: + at the time of this writing, the librelp default window size + is 128 messages, but this may change at any time. +
    Note that there is no equivalent server parameter, as the + client proposes and manages the window size in RELP protocol.
  • tls (not mandatory, values "on","off", default "off")
    If set to "on", the RELP connection will be encrypted by TLS, so that the data is protected against observers. Please note that both the client and the server must have set TLS to either "on" or "off". Other combinations lead to unpredictable results.
  • -- cgit v1.2.3 From 44bdfdcf1d71fe1b5a1bf68a3fd1f476ec95c75c Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 4 Jul 2013 11:16:54 +0200 Subject: prepare for 7.4.2 release --- ChangeLog | 8 ++++++-- configure.ac | 2 +- doc/manual.html | 2 +- 3 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 729c360e..16365d10 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,12 +1,16 @@ --------------------------------------------------------------------------- -Version 7.4.2 [v7.4-stable] 2013-06-?? +Version 7.4.2 [v7.4-stable] 2013-07-04 - bugfix: in RFC5425 TLS, multiple wildcards in auth could cause segfault - bugfix: RainerScript object required parameters were not properly checked - this clould result to segfaults on startup if parameters were missing. - bugfix: double-free in omelasticsearch closes: http://bugzilla.adiscon.com/show_bug.cgi?id=461 - Thanks to Marius Ionescu for providing a detailled bug report + a security advisory for this bug is available at: + http://www.lsexperts.de/advisories/lse-2013-07-03.txt + Thanks to Markus Vervier and Marius Ionescu for providing a detailled + bug report. Special thanks to Markus for coordinating his security + advisory with us. - bugfix: omrelp potential segfault at startup on invalid config parameters - bugfix: small memory leak when $uptime property was used - bugfix: potential segfault on rsyslog termination in imudp diff --git a/configure.ac b/configure.ac index a62bc687..db324c7c 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT([rsyslog],[7.4.1],[rsyslog@lists.adiscon.com]) +AC_INIT([rsyslog],[7.4.2],[rsyslog@lists.adiscon.com]) AM_INIT_AUTOMAKE m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) diff --git a/doc/manual.html b/doc/manual.html index bc57c136..3c0c6ce3 100644 --- a/doc/manual.html +++ b/doc/manual.html 
@@ -19,7 +19,7 @@ professional services available directly from the source!

    Please visit the rsyslog sponsor's page to honor the project sponsors or become one yourself! We are very grateful for any help towards the project goals.

    -

    This documentation is for version 7.4.1 (v7.4-stable branch) of rsyslog. +

    This documentation is for version 7.4.2 (v7.4-stable branch) of rsyslog. Visit the rsyslog status page to obtain current version information and project status.

    If you like rsyslog, you might -- cgit v1.2.3 From 2622100ac57c85fbec2b5a06c98532a8126c0e59 Mon Sep 17 00:00:00 2001 From: Andre Lorbach Date: Thu, 27 Jun 2013 11:36:51 +0200 Subject: Added header in typedefs.h needed for building on ehel 5 --- runtime/typedefs.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/runtime/typedefs.h b/runtime/typedefs.h index 8db567f0..d3f68b4a 100644 --- a/runtime/typedefs.h +++ b/runtime/typedefs.h @@ -29,6 +29,10 @@ #include #endif +#ifndef HAVE_LSEEK64 +#include +#endif + /* some universal fixed size integer defines ... */ typedef long long int64; typedef long long unsigned uint64; -- cgit v1.2.3 From 114e996c35e1101cba68f799595761e1f4c3d1ab Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 4 Jul 2013 11:22:41 +0200 Subject: doc: mention imported build patch for CENTOS5 --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 16365d10..6f951442 100644 --- a/ChangeLog +++ b/ChangeLog @@ -24,6 +24,7 @@ Version 7.4.2 [v7.4-stable] 2013-07-04 closes: http://bugzilla.adiscon.com/show_bug.cgi?id=457 closes: http://bugzilla.adiscon.com/show_bug.cgi?id=458 Thanks to Christiano for reproting and suggesting patches +- solved build problems on CENTOS5 --------------------------------------------------------------------------- Version 7.4.1 [v7.4-stable] 2013-06-17 - imjournal: add ratelimiting capability -- cgit v1.2.3 From e6f54ff95b7700a98c16e872afe82996168d1c9b Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 4 Jul 2013 11:57:49 +0200 Subject: prepare for 7.5.2 --- ChangeLog | 2 +- configure.ac | 2 +- doc/manual.html | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9d1361e5..6c6b79aa 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,5 +1,5 @@ --------------------------------------------------------------------------- -Version 7.5.2 [devel] 2013-0?-?? +Version 7.5.2 [devel] 2013-07-04 - librelp 1.1.4 is now required We use API extensions for better error reporting and higher performance. - omrelp: use transactional mode to make imrelp emit bulk sends diff --git a/configure.ac b/configure.ac index 04b1fb2e..be13dac5 100644 --- a/configure.ac +++ b/configure.ac @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT([rsyslog],[7.5.1],[rsyslog@lists.adiscon.com]) +AC_INIT([rsyslog],[7.5.2],[rsyslog@lists.adiscon.com]) AM_INIT_AUTOMAKE m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) diff --git a/doc/manual.html b/doc/manual.html index d72e8e71..8d5eb733 100644 --- a/doc/manual.html +++ b/doc/manual.html @@ -19,7 +19,7 @@ professional services available directly from the source!

    Please visit the rsyslog sponsor's page to honor the project sponsors or become one yourself! We are very grateful for any help towards the project goals.

    -

    This documentation is for version 7.5.1 (devel branch) of rsyslog. +

    This documentation is for version 7.5.2 (devel branch) of rsyslog. Visit the rsyslog status page to obtain current version information and project status.

    If you like rsyslog, you might -- cgit v1.2.3 From 3e761442105085c0c3ffcfa41a953e3034885a23 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 4 Jul 2013 12:23:14 +0200 Subject: doc: mention omelasticsearch bugfix in 7.5.2 changelog --- ChangeLog | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index 6c6b79aa..a12bb95e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -4,6 +4,13 @@ Version 7.5.2 [devel] 2013-07-04 We use API extensions for better error reporting and higher performance. - omrelp: use transactional mode to make imrelp emit bulk sends - omrelp: add "windowSize" parameter to set custom RELP window size +- bugfix: double-free in omelasticsearch + closes: http://bugzilla.adiscon.com/show_bug.cgi?id=461 + a security advisory for this bug is available at: + http://www.lsexperts.de/advisories/lse-2013-07-03.txt + Thanks to Markus Vervier and Marius Ionescu for providing a detailled + bug report. Special thanks to Markus for coordinating his security + advisory with us. - doc: fixed various typos closes: http://bugzilla.adiscon.com/show_bug.cgi?id=391 Thanks to Georgi Georgiev for the patch. -- cgit v1.2.3 From 7a17ad6aef66c097ea2d0d6aec3a898db0f2a55b Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 4 Jul 2013 12:33:00 +0200 Subject: doc: mention that omelasticsearch bug requires custom config to be triggered This means the majority of users is not affected at all. --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 6f951442..d02a218b 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -8,6 +8,10 @@ Version 7.4.2 [v7.4-stable] 2013-07-04 closes: http://bugzilla.adiscon.com/show_bug.cgi?id=461 a security advisory for this bug is available at: http://www.lsexperts.de/advisories/lse-2013-07-03.txt + PLEASE NOTE: This issue only existed if omelasticsearch was used + in a non-default configuration, where the "errorfile" parameter + was specified. Without that parameter set, the bug could not + be triggered. Thanks to Markus Vervier and Marius Ionescu for providing a detailled bug report. Special thanks to Markus for coordinating his security advisory with us. -- cgit v1.2.3 From 9fd8415c837c95098948eb5a57ceab81b65f2121 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 4 Jul 2013 12:39:51 +0200 Subject: doc: mention that omelasticsearch bug requires custom config to be triggered --- ChangeLog | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ChangeLog b/ChangeLog index 563fedd6..c7d13d6c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,10 @@ Version 7.5.2 [devel] 2013-07-04 closes: http://bugzilla.adiscon.com/show_bug.cgi?id=461 a security advisory for this bug is available at: http://www.lsexperts.de/advisories/lse-2013-07-03.txt + PLEASE NOTE: This issue only existed if omelasticsearch was used + in a non-default configuration, where the "errorfile" parameter + was specified. Without that parameter set, the bug could not + be triggered. Thanks to Markus Vervier and Marius Ionescu for providing a detailled bug report. Special thanks to Markus for coordinating his security advisory with us. -- cgit v1.2.3 From 081153b99a9af8f7da1085db8de59ee2b3c2151f Mon Sep 17 00:00:00 2001 
From: Rainer Gerhards Date: Thu, 4 Jul 2013 17:04:38 +0200 Subject: bugfix: very small memory leak in imrelp more or less cosmetic, a single memory block was not freed, but this only happens immediately before termination (when the OS automatically frees all memory). Still an annoyance e.g. in valgrind. --- ChangeLog | 6 ++++++ plugins/imrelp/imrelp.c | 1 + 2 files changed, 7 insertions(+) diff --git a/ChangeLog b/ChangeLog index c7d13d6c..76253d51 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,10 @@ --------------------------------------------------------------------------- +Version 7.5.3 [devel] 2013-07-?? +- bugfix: very small memory leak in imrelp + more or less cosmetic, a single memory block was not freed, but this + only happens immediately before termination (when the OS automatically + frees all memory). Still an annoyance e.g. in valgrind. +--------------------------------------------------------------------------- Version 7.5.2 [devel] 2013-07-04 - librelp 1.1.4 is now required We use API extensions for better error reporting and higher performance. diff --git a/plugins/imrelp/imrelp.c b/plugins/imrelp/imrelp.c index 74cfeb72..41d96fe1 100644 --- a/plugins/imrelp/imrelp.c +++ b/plugins/imrelp/imrelp.c @@ -516,6 +516,7 @@ CODESTARTfreeCnf inst = inst->next; free(del); } + free(pModConf->pszBindRuleset); ENDfreeCnf /* This is used to terminate the plugin. Note that the signal handler blocks -- cgit v1.2.3 From ebdcba5a6a5c9a20a529b62273a7ad852a793f09 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 4 Jul 2013 18:54:55 +0200 Subject: minor code reduction --- plugins/omelasticsearch/omelasticsearch.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c index 57abefdd..cb96fb6b 100644 --- a/plugins/omelasticsearch/omelasticsearch.c +++ b/plugins/omelasticsearch/omelasticsearch.c 
@@ -487,8 +487,7 @@ writeDataError(instanceData *pData, cJSON **pReplyRoot, uchar *reqmsg) *pReplyRoot = NULL; /* tell caller not to delete once again! */ finalize_it: - if(rendered != NULL) - free(rendered); + free(rendered); RETiRet; } -- cgit v1.2.3 From 39aa8eb08a1b4c297dabf829690b6fcc05707c21 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 5 Jul 2013 09:22:58 +0200 Subject: make use of new librelp generic error reporting facility This leads to more error messages being passed to the user and thus simplified troubleshooting. librelp 1.2.0 is now required --- ChangeLog | 4 ++++ configure.ac | 2 +- plugins/imrelp/imrelp.c | 8 ++++++++ plugins/omrelp/omrelp.c | 9 +++++++++ 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 76253d51..091e735b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,9 @@ --------------------------------------------------------------------------- Version 7.5.3 [devel] 2013-07-?? +- librelp 1.2.0 is now required +- make use of new librelp generic error reporting facility + This leads to more error messages being passed to the user and + thus simplified troubleshooting. - bugfix: very small memory leak in imrelp more or less cosmetic, a single memory block was not freed, but this only happens immediately before termination (when the OS automatically diff --git a/configure.ac b/configure.ac index be13dac5..f5060f73 100644 --- a/configure.ac +++ b/configure.ac @@ -999,7 +999,7 @@ AC_ARG_ENABLE(relp, [enable_relp=no] ) if test "x$enable_relp" = "xyes"; then - PKG_CHECK_MODULES(RELP, relp >= 1.1.4) + PKG_CHECK_MODULES(RELP, relp >= 1.2.0) fi AM_CONDITIONAL(ENABLE_RELP, test x$enable_relp = xyes) diff --git a/plugins/imrelp/imrelp.c b/plugins/imrelp/imrelp.c index 41d96fe1..d04e41e1 100644 --- a/plugins/imrelp/imrelp.c +++ b/plugins/imrelp/imrelp.c 
@@ -156,6 +156,13 @@ onErr(void *pUsr, char *objinfo, char* errmesg, __attribute__((unused)) relpRetV inst->pszBindPort, errmesg, objinfo); } +static void +onGenericErr(char *objinfo, char* errmesg, __attribute__((unused)) relpRetVal errcode) +{ + errmsg.LogError(0, RS_RET_RELP_ERR, "imrelp: librelp error '%s', object " + " '%s' - input may not work as intended", errmesg, objinfo); +} + static void onAuthErr(void *pUsr, char *authinfo, char* errmesg, __attribute__((unused)) relpRetVal errcode) { @@ -288,6 +295,7 @@ addListner(modConfData_t __attribute__((unused)) *modConf, instanceConf_t *inst) CHKiRet(relpEngineSetEnableCmd(pRelpEngine, (uchar*) "syslog", eRelpCmdState_Required)); CHKiRet(relpEngineSetSyslogRcv2(pRelpEngine, onSyslogRcv)); CHKiRet(relpEngineSetOnErr(pRelpEngine, onErr)); + CHKiRet(relpEngineSetOnGenericErr(pRelpEngine, onGenericErr)); CHKiRet(relpEngineSetOnAuthErr(pRelpEngine, onAuthErr)); if (!glbl.GetDisableDNS()) { CHKiRet(relpEngineSetDnsLookupMode(pRelpEngine, 1)); diff --git a/plugins/omrelp/omrelp.c b/plugins/omrelp/omrelp.c index 898bafe2..34511e46 100644 --- a/plugins/omrelp/omrelp.c +++ b/plugins/omrelp/omrelp.c @@ -141,6 +141,14 @@ onErr(void *pUsr, char *objinfo, char* errmesg, __attribute__((unused)) relpRetV pData->target, pData->port, errmesg, objinfo); } +static void +onGenericErr(char *objinfo, char* errmesg, __attribute__((unused)) relpRetVal errcode) +{ + errmsg.LogError(0, RS_RET_RELP_ERR, "omrelp: librelp error '%s', object " + "'%s' - action may not work as intended", + errmesg, objinfo); +} + static void onAuthErr(void *pUsr, char *authinfo, char* errmesg, __attribute__((unused)) relpRetVal errcode) { 
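Review bot: The message literal in imrelp's new `onGenericErr` is split as `"... object "` followed by `" '%s' - input may not work as intended"`, so the concatenated text has two spaces before the quoted object name, unlike the omrelp handler added in the same commit. Dropping the leading space of the second literal, `"'%s' - input may not work as intended", errmesg, objinfo);`, keeps the two messages aligned for anyone matching on them in logs. Both handlers also pass `objinfo` and `errmesg` straight to `%s`; whether librelp guarantees non-NULL values for both is not visible here and is worth confirming.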
@@ -554,6 +562,7 @@ CODEmodInit_QueryRegCFSLineHdlr CHKiRet(relpEngineConstruct(&pRelpEngine)); CHKiRet(relpEngineSetDbgprint(pRelpEngine, dbgprintf)); CHKiRet(relpEngineSetOnAuthErr(pRelpEngine, onAuthErr)); + CHKiRet(relpEngineSetOnGenericErr(pRelpEngine, onGenericErr)); CHKiRet(relpEngineSetOnErr(pRelpEngine, onErr)); CHKiRet(relpEngineSetEnableCmd(pRelpEngine, (uchar*) "syslog", eRelpCmdState_Required)); -- cgit v1.2.3 From 19b871ff1aa217e2c1316aef51cd9b0ca5470ad1 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 5 Jul 2013 09:28:17 +0200 Subject: doc: add CVE ID for omelasticsearch double-free --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index d02a218b..0f6df083 100644 --- a/ChangeLog +++ b/ChangeLog @@ -8,6 +8,7 @@ Version 7.4.2 [v7.4-stable] 2013-07-04 closes: http://bugzilla.adiscon.com/show_bug.cgi?id=461 a security advisory for this bug is available at: http://www.lsexperts.de/advisories/lse-2013-07-03.txt + CVE: CVE-2013-4758 PLEASE NOTE: This issue only existed if omelasticsearch was used in a non-default configuration, where the "errorfile" parameter was specified. Without that parameter set, the bug could not -- cgit v1.2.3 From c5a87e848ce98e4eb0fefd5d3e2de33b2f2a4a73 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 5 Jul 2013 09:29:15 +0200 Subject: doc: add CVE ID for omelasticsearch double-free --- ChangeLog | 1 + 1 file changed, 1 insertion(+) diff --git a/ChangeLog b/ChangeLog index 477b5607..cfd18516 100644 --- a/ChangeLog +++ b/ChangeLog @@ -18,6 +18,7 @@ Version 7.5.2 [devel] 2013-07-04 closes: http://bugzilla.adiscon.com/show_bug.cgi?id=461 a security advisory for this bug is available at: http://www.lsexperts.de/advisories/lse-2013-07-03.txt + CVE: CVE-2013-4758 PLEASE NOTE: This issue only existed if omelasticsearch was used in a non-default configuration, where the "errorfile" parameter was specified. Without that parameter set, the bug could not -- cgit v1.2.3 
From d43a2e8f3f0e1f87bfa041263f02d727c00e97c7 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 5 Jul 2013 12:40:04 +0200 Subject: omlibdbi: improve debug reporting on Begin/EndTX --- plugins/omlibdbi/omlibdbi.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/plugins/omlibdbi/omlibdbi.c b/plugins/omlibdbi/omlibdbi.c index 6e27ad22..c3cac539 100644 --- a/plugins/omlibdbi/omlibdbi.c +++ b/plugins/omlibdbi/omlibdbi.c @@ -10,7 +10,7 @@ * * File begun on 2008-02-14 by RGerhards (extracted from syslogd.c) * - * Copyright 2008-2012 Adiscon GmbH. + * Copyright 2008-2013 Adiscon GmbH. * * This file is part of rsyslog. * @@ -340,7 +340,10 @@ CODESTARTbeginTransaction # if HAVE_DBI_TXSUPP if (pData->txSupport == 1) { if (dbi_conn_transaction_begin(pData->conn) != 0) { - dbgprintf("libdbi server error: begin transaction not successful\n"); + const char *emsg; + dbi_conn_error(pData->conn, &emsg); + dbgprintf("libdbi server error: begin transaction " + "not successful: %s\n", emsg); iRet = RS_RET_SUSPENDED; } } @@ -365,7 +368,10 @@ BEGINendTransaction CODESTARTendTransaction # if HAVE_DBI_TXSUPP if (dbi_conn_transaction_commit(pData->conn) != 0) { - dbgprintf("libdbi server error: transaction not committed\n"); + const char *emsg; + dbi_conn_error(pData->conn, &emsg); + dbgprintf("libdbi server error: transaction not committed: %s\n", + emsg); iRet = RS_RET_SUSPENDED; } # endif -- cgit v1.2.3 From df5d877282690154ec81b81c458d3badb25aada4 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 5 Jul 2013 14:30:24 +0200 Subject: bugfix: omlibdbi did not properly close connection on some errors This happened to errors occuring in Begin/End Transaction entry points. --- ChangeLog | 5 +++++ plugins/omlibdbi/omlibdbi.c | 4 +++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/ChangeLog b/ChangeLog index 0f6df083..0c2c13ba 100644 --- a/ChangeLog +++ b/ChangeLog 
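Review bot: `emsg` is declared without an initializer in both the beginTransaction and the endTransaction hunk and is passed to `%s` right after `dbi_conn_error()`, whose return value is ignored. If that call can return without writing the pointer, or stores NULL, `dbgprintf` reads an indeterminate or null pointer; the hunks do not show which case holds. Declaring it as `const char *emsg = NULL;` and printing `emsg ? emsg : "(no message)"` would make the debug path safe either way. Both functions continue outside the hunks.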
@@ -1,4 +1,9 @@ --------------------------------------------------------------------------- +Version 7.4.3 [v7.4-stable] 2013-07-?? +- bugfix: omlibdbi did not properly close connection on some errors + This happened to errors occuring in Begin/End Transaction entry + points. +--------------------------------------------------------------------------- Version 7.4.2 [v7.4-stable] 2013-07-04 - bugfix: in RFC5425 TLS, multiple wildcards in auth could cause segfault - bugfix: RainerScript object required parameters were not properly diff --git a/plugins/omlibdbi/omlibdbi.c b/plugins/omlibdbi/omlibdbi.c index c3cac539..3beba4f0 100644 --- a/plugins/omlibdbi/omlibdbi.c +++ b/plugins/omlibdbi/omlibdbi.c @@ -344,7 +344,8 @@ CODESTARTbeginTransaction dbi_conn_error(pData->conn, &emsg); dbgprintf("libdbi server error: begin transaction " "not successful: %s\n", emsg); - iRet = RS_RET_SUSPENDED; + closeConn(pData); + ABORT_FINALIZE(RS_RET_SUSPENDED); } } # endif @@ -372,6 +373,7 @@ CODESTARTendTransaction dbi_conn_error(pData->conn, &emsg); dbgprintf("libdbi server error: transaction not committed: %s\n", emsg); + closeConn(pData); iRet = RS_RET_SUSPENDED; } # endif -- cgit v1.2.3 From 8ee2b0b1610fbf4dff20453d188f379583410b42 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 5 Jul 2013 16:16:49 +0200 Subject: bugfix: potential segfault during startup on invalid config could happen if invalid actions were present, which could lead to improper handling in optimizer. --- ChangeLog | 3 ++ grammar/rainerscript.c | 109 +++++++++++++++++++++++++++---------------------- 2 files changed, 63 insertions(+), 49 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0c2c13ba..f63b66da 100644 --- a/ChangeLog +++ b/ChangeLog 
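Review bot: The two failure paths added in omlibdbi.c leave their functions in different ways: beginTransaction uses `ABORT_FINALIZE(RS_RET_SUSPENDED);` while endTransaction keeps `iRet = RS_RET_SUSPENDED;` after the same `closeConn(pData);`. ABORT_FINALIZE presumably jumps to a `finalize_it:` label that is not visible in the hunk, so it is worth confirming beginTransaction has one. In endTransaction, any code after `# endif` would still run with the connection already closed. Using the same exit style in both places, plus a short comment above each call such as `/* connection state is unknown after a failed begin/commit - force a reconnect on resume */`, would make the intent clear. Both function bodies start and end outside the hunks.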
@@ -1,5 +1,8 @@ --------------------------------------------------------------------------- Version 7.4.3 [v7.4-stable] 2013-07-?? +- bugfix: potential segfault during startup on invalid config + could happen if invalid actions were present, which could lead + to improper handling in optimizer. - bugfix: omlibdbi did not properly close connection on some errors This happened to errors occuring in Begin/End Transaction entry points. diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c index 95972fbe..e3e7cb32 100644 --- a/grammar/rainerscript.c +++ b/grammar/rainerscript.c @@ -2278,7 +2278,8 @@ cnfstmtPrintOnly(struct cnfstmt *stmt, int indent, sbool subtree) free(cstr); break; case S_ACT: - doIndent(indent); dbgprintf("ACTION %p [%s]\n", stmt->d.act, stmt->printable); + doIndent(indent); dbgprintf("ACTION %p [%s:%s]\n", stmt->d.act, + modGetName(stmt->d.act->pMod), stmt->printable); break; case S_IF: doIndent(indent); dbgprintf("IF\n"); 
@@ -2446,59 +2447,69 @@ cnfstmtNew(unsigned s_type) return cnfstmt; } +void cnfstmtDestructLst(struct cnfstmt *root); + +/* delete a single stmt */ +void +cnfstmtDestruct(struct cnfstmt *stmt) +{ + switch(stmt->nodetype) { + case S_NOP: + case S_STOP: + break; + case S_CALL: + es_deleteStr(stmt->d.s_call.name); + break; + case S_ACT: + actionDestruct(stmt->d.act); + break; + case S_IF: + cnfexprDestruct(stmt->d.s_if.expr); + if(stmt->d.s_if.t_then != NULL) { + cnfstmtDestructLst(stmt->d.s_if.t_then); + } + if(stmt->d.s_if.t_else != NULL) { + cnfstmtDestructLst(stmt->d.s_if.t_else); + } + break; + case S_SET: + free(stmt->d.s_set.varname); + cnfexprDestruct(stmt->d.s_set.expr); + break; + case S_UNSET: + free(stmt->d.s_set.varname); + break; + case S_PRIFILT: + cnfstmtDestructLst(stmt->d.s_prifilt.t_then); + cnfstmtDestructLst(stmt->d.s_prifilt.t_else); + break; + case S_PROPFILT: + if(stmt->d.s_propfilt.propName != NULL) + es_deleteStr(stmt->d.s_propfilt.propName); + if(stmt->d.s_propfilt.regex_cache != NULL) + rsCStrRegexDestruct(&stmt->d.s_propfilt.regex_cache); + if(stmt->d.s_propfilt.pCSCompValue != NULL) + cstrDestruct(&stmt->d.s_propfilt.pCSCompValue); + cnfstmtDestructLst(stmt->d.s_propfilt.t_then); + break; + default: + dbgprintf("error: unknown stmt type during destruct %u\n", + (unsigned) stmt->nodetype); + break; + } + free(stmt->printable); + free(stmt); +} + +/* delete a stmt and all others following it */ void -cnfstmtDestruct(struct cnfstmt *root) +cnfstmtDestructLst(struct cnfstmt *root) { struct cnfstmt *stmt, *todel; for(stmt = root ; stmt != NULL ; ) { - switch(stmt->nodetype) { - case S_NOP: - case S_STOP: - break; - case S_CALL: - es_deleteStr(stmt->d.s_call.name); - break; - case S_ACT: - actionDestruct(stmt->d.act); - break; - case S_IF: - cnfexprDestruct(stmt->d.s_if.expr); - if(stmt->d.s_if.t_then != NULL) { - cnfstmtDestruct(stmt->d.s_if.t_then); - } - if(stmt->d.s_if.t_else != NULL) { - cnfstmtDestruct(stmt->d.s_if.t_else); - } - break; - 
case S_SET: - free(stmt->d.s_set.varname); - cnfexprDestruct(stmt->d.s_set.expr); - break; - case S_UNSET: - free(stmt->d.s_set.varname); - break; - case S_PRIFILT: - cnfstmtDestruct(stmt->d.s_prifilt.t_then); - cnfstmtDestruct(stmt->d.s_prifilt.t_else); - break; - case S_PROPFILT: - if(stmt->d.s_propfilt.propName != NULL) - es_deleteStr(stmt->d.s_propfilt.propName); - if(stmt->d.s_propfilt.regex_cache != NULL) - rsCStrRegexDestruct(&stmt->d.s_propfilt.regex_cache); - if(stmt->d.s_propfilt.pCSCompValue != NULL) - cstrDestruct(&stmt->d.s_propfilt.pCSCompValue); - cnfstmtDestruct(stmt->d.s_propfilt.t_then); - break; - default: - dbgprintf("error: unknown stmt type during destruct %u\n", - (unsigned) stmt->nodetype); - break; - } - free(stmt->printable); todel = stmt; stmt = stmt->next; - free(todel); + cnfstmtDestruct(todel); } } @@ -3049,7 +3060,7 @@ cnfstmtOptimizePRIFilt(struct cnfstmt *stmt) DBGPRINTF("optimizer: removing always-true PRIFILT %p\n", stmt); if(stmt->d.s_prifilt.t_else != NULL) { parser_errmsg("error: always-true PRI filter has else part!\n"); - cnfstmtDestruct(stmt->d.s_prifilt.t_else); + cnfstmtDestructLst(stmt->d.s_prifilt.t_else); } free(stmt->printable); stmt->printable = NULL; -- cgit v1.2.3 From bd09d31a8657aec0b78c21dde5c0c1fc611e8e8c Mon Sep 17 00:00:00 2001 From: Radu Gheorghe Date: Wed, 3 Jul 2013 13:22:22 +0300 Subject: imfile changes back again, but with retained format --- doc/imfile.html | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/doc/imfile.html b/doc/imfile.html index dd62c86f..942fe531 100644 --- a/doc/imfile.html +++ b/doc/imfile.html @@ -61,15 +61,15 @@ nothing is left to be processed.
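Review bot: `cnfstmtDestruct()` now reads `stmt->nodetype` unconditionally, whereas the old function of that name was a loop that did nothing for a NULL argument and freed a whole list. Any caller outside these hunks that still passes NULL or a list head to `cnfstmtDestruct()` will now fault or free only the first statement. Adding `if(stmt == NULL) return;` as its first line restores the old NULL behaviour, and the remaining call sites need checking against the new single-statement meaning, since the visible hunks update only the one in cnfstmtOptimizePRIFilt. If `cnfstmtDestruct` is declared in a header, the prototype `void cnfstmtDestructLst(struct cnfstmt *root);` belongs next to it rather than as a forward declaration in the .c file.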

    Action Directives

      -
    • File /path/to/file
      +
    • (required) File /path/to/file
      The file being monitored. So far, this must be an absolute name (no macros or templates)
    • -
    • Tag +
    • (required) Tag tag:
      The tag to be used for messages that originate from this file. If you would like to see the colon after the tag, you need to specify it here (as shown above).
    • -
    • StateFile +
    • (required) StateFile <name-of-state-file>
      Rsyslog must keep track of which parts of the to be monitored file it already processed. This is done in the state file. This file always is @@ -94,7 +94,7 @@ textual form (e.g. "info", "warning", ...) or as numbers (e.g. 4 for is "notice".
    • PersistStateInterval [lines]
      Specifies how often the state file shall be written when processing the input -file. The default value is 0, which means a new state file is only written when +file. The default value is 0, which means a new state file is only written when the monitored files is being closed (end of rsyslogd execution). Any other value n means that the state file is written every time n file lines have been processed. This setting can be used to guard against message duplication due @@ -103,7 +103,7 @@ performance, especially when set to a low value. Frequently writing the state file is very time consuming.
    • ReadMode [mode]
      This mode should defined when having multiline messages. The value can range from 0-2 and determines the multiline detection method. -
      0 (default) - line based (Each line is a new message) +
      0 (default) - line based (Each line is a new message)
      1 - paragraph (There is a blank line between log messages)
      2 - indented (New log messages start at the beginning of a line. If a line starts with a space it is part of the log message before it)
    • MaxLinesAtOnce [number] @@ -114,11 +114,11 @@ will be fully processed and then processing switches to the next file [number] lines is processed in sequence for each file, and then the file is switched. This provides a kind of mutiplexing the load of multiple files and probably leads to a more natural distribution of events when multiple busy files -are monitored. The default is 1024. +are monitored. The default is 1024.
    • MaxSubmitAtOnce [number]
      This is an expert option. It can be used to set the maximum input batch size that -imfile can generate. The default is 1024, which is suitable for a wide range of +imfile can generate. The default is 1024, which is suitable for a wide range of applications. Be sure to understand rsyslog message batch processing before you modify this option. If you do not know what this doc here talks about, this is a good indication that you should NOT modify the default. @@ -147,13 +147,13 @@ commands and uses defaults instead.
      # File 1 input(type="imfile" File="/path/to/file1" Tag="tag1" - StateFile="/var/spool/rsyslog/statefile1" + StateFile="statefile1" Severity="error" Facility="local7") # File 2 input(type="imfile" File="/path/to/file2" Tag="tag2" - StateFile="/var/spool/rsyslog/statefile2") + StateFile="statefile2") # ... and so on ... # -- cgit v1.2.3 From a6e2494db89ac08eb92f144277365120027634ee Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Sun, 7 Jul 2013 11:53:06 +0200 Subject: doc: instructions for rotating signed files --- doc/omfile.html | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/doc/omfile.html b/doc/omfile.html index cd53fd1d..72320921 100644 --- a/doc/omfile.html +++ b/doc/omfile.html @@ -97,7 +97,26 @@ sets a new default template for file actions.

    -

    Caveats/Known Bugs:

    • None.
    +

    Caveats/Known Bugs:

    +
      +
    • One needs to be careful with log rotation if signatures and/or encryption +are being used. These create side-files, which form a set and must be kept +together. +
      +For signatures, the ".sigstate" file must NOT be rotated away if +signature chains are to be build across multiple files. This is because +.sigstate contains just global information for the whole file set. However, +all other files need to be rotated together. The proper sequence is to +
        +
      1. move all files inside the file set +
      2. only AFTER this is completely done, HUP rsyslog +
      +This sequence will ensure that all files inside the set are atomically +closed and in sync. HUPing only after a subset of files have been moved +results in inconsistencies and will most probably render the file set +unusable. +
    • +

    Sample:

    The following command writes all syslog messages into a file.