Author: Rainer Gerhards

A lot of small development today… For the first time in history (hehe), rsyslog prooves that it is really flexible. We can emulate syslog-ng database writing, so that php-syslog-ng can be used together with it. See the history forum post on using rsyslog with php-syslog-ng. ;)

I am abusing this blog a little as my lab notebook. I had an interesting discussion on IHE and syslog. The issue with that is that IHE defines log records of up to 32K, while syslog only allows records of up to 1k – at least in current standards. Thankfully, many syslog implementation to not take this limit as fixed and ignore the standard in that regard. Also, the upcoming new standard allows for larger messages, so this…

While writing the text, I found blogger to be a bit unhandy for this use. So I moved that over to a paper on our web sites. There it is now, entitled “IHE and syslog message size“.

I keep the text in here as a reference.

Some things iterate from time to time. So this summer’s syslog reliability discussion has surfaced ;) While it for sure is an iteration, it might be slightly different this time. A lot of work has been done on the “reliability front” and much more experience is in the field (and also I have some additional experience and testing done with rsyslog).

Yesterday, I have written a syslog to MySQL tutorial . It describes everything one needs to know to put syslog data into MySQL. Actually, I hope that the description will attract some more people to rsyslog. Let’s see how things evolve…

Actually, I didn’t plan to release a new version of rsyslog today, but it somehow evolved. So I have released rsyslog 0.9.5. It fixes the “semicolon bug” and it also supports multiple rsyslogd instances on a single machine. I needed to support this for our demo system, but it might also be helpful for some secure configurations (I need to think a little bit more about this, but it “smells” like there is a point in this…).

I’ve finally modified rsyslog so that it can run in multiple instances. With that, I could now set up the syslog demo machine so that it runs two instances of rsyslogd. One instance is the “real” rsyslogd, which listens locally. The other instance is the demo rsyslogd, which reads data from the network and shuffles it to the database. As the database was very silent, I were now able to add some rules to forward some events from the real rsyslogd to the demo one. I do this mostly with postfix messages. For demo purposes, I’ve set up a fake postfix. Whoever sends mail to it, gets a bounce back. But the good thing is that postfix has something to do and as such messages will be added to the (demo) system log. I am sure spammers will pick up the mail address from web pages like this one, so I will have a healthy flow of log messages shortly ;)

Finally, I managed to get the new rsyslog site up and running. It turned out to be more work than initially expected. Special thanks go to Timm Herget, who did some of the initial preparation and of course to Andre Lorbach, who made the whole system appear. I just added the content and fumbled a little bit with the config settings ;)

The new site now allows user postings and easier updates. I hope it will be a valuable resource for the (hopefully growing) rsyslog community.

Besides rsyslog, the site also is intended to provide reference for add-ons like phpLogCon.

I so often used ports 1514 and 10514 that I didn’t really notice that they are IANA-reserved. I today posted my syslog stunnel article at aplawrence, and the first comment told me so. Wow! Looks like I need to rethink which ports I used. I am also a bit tempted to try to register a port for syslog/tcp, but this sounds not very easy (especially given the fact that the syslog-sec IETF WG does not at all like plain tcp syslog.

Yesterday, I finally released rsyslog 0.9.4, the first version with full TCP support. I got some encouraging feedback from www.syslog.org. I hope that word now spreads and we get some more momentum for rsyslog. After all, it isn’t looking bad at all. We just need to keep in mind that the project is out since a few month (March this year I remember), so its not bad at all.

The next thing to do is writing a parser for syslog-protocol-14. I wanted to at least seriously begin this during the last call period, but I begin to feel I won’t be able to manage that. Well, we’ll see…

Wow… I took me the afternoon to create a syslog encryption tutorial. The initial version is now posted for review and comments, but I think it will need some further brush-up. Also, doing the tutorial I noticed that I needed to tweak rsyslog a little to make it behave well with stunnel. It’s done now, too. Looks like I am about releasing it early next week :)