RHEL 9.8 ERRATUM

Rebase to 8.2510.0
gnutls netstream driver: improve doc
Resolves: RHEL-86031
rsyslog.conf: use RainerSscript syntax in actions
Resolves: RHEL-42508
gnutls netstream driver: report missing certificate just once
Resolves: RHEL-105782

.gitignore

@@ -88,3 +88,5 @@ rsyslog-4.6.3.tar.gz
 /rsyslog-doc-8.2412.0.tar.gz
 /rsyslog-8.2506.0.tar.gz
 /rsyslog-doc-8.2506.0.tar.gz
+/rsyslog-8.2510.0.tar.gz
+/qpid-proton-0.40.0.tar.gz

gtls-unused-certificates.patch

@@ -0,0 +1,127 @@
+From e3f131d561a1df7dd07631345662ab678614bba7 Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Mon, 3 Nov 2025 14:13:19 +0100
+Subject: [PATCH 2/2] nsd_gtls: fix repeated warnings on connection retry +
+ test
+
+Move the `loggedWarnings` bitfield from per-instance to module-level
+static storage in `runtime/nsd_gtls.c` so that missing cert/key/CA
+warnings are emitted only once per rsyslogd process, not on every
+connection retry. Otherwise, a broken connection can spam dosens of
+logs.
+---
+ runtime/nsd_gtls.c                   | 26 ++++++++++++++-----------
+ runtime/nsd_gtls.h                   |  1 -
+ tests/omfwd-gtls-missing-cert-key.sh | 29 ++++++++++++++++++++++++++++
+ 3 files changed, 44 insertions(+), 12 deletions(-)
+ create mode 100755 tests/omfwd-gtls-missing-cert-key.sh
+
+diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
+index 7721c1bd1..9a7939fba 100644
+--- a/runtime/nsd_gtls.c
++++ b/runtime/nsd_gtls.c
+@@ -77,6 +77,9 @@ static pthread_mutex_t mutGtlsStrerror;
+ 
+ static gnutls_dh_params_t dh_params; /**< server DH parameters for anon mode */
+ 
++/* Module-level bitfield for warnings that have been logged (shared across all instances) */
++static unsigned loggedWarnings = 0;
++
+ /* bitfield for warnings that have been logged */
+ enum {
+     GTLS_LOGGED_WARN_CERT_MISSING = 1 << 0,
+@@ -674,13 +677,14 @@ static rsRetVal gtlsAddOurCert(nsd_gtls_t *const pThis) {
+     keyFile = (pThis->pszKeyFile == NULL) ? glbl.GetDfltNetstrmDrvrKeyFile(runConf) : pThis->pszKeyFile;
+     dbgprintf("GTLS certificate file: '%s'\n", certFile);
+     dbgprintf("GTLS key file: '%s'\n", keyFile);
+-    if (certFile == NULL && !(pThis->loggedWarnings & GTLS_LOGGED_WARN_CERT_MISSING)) {
+-        LogMsg(0, RS_RET_CERT_MISSING, LOG_WARNING, "warning: certificate file is not set");
+-        pThis->loggedWarnings |= GTLS_LOGGED_WARN_CERT_MISSING;
++
++    if (certFile == NULL && !(loggedWarnings & GTLS_LOGGED_WARN_CERT_MISSING)) {
++        LogError(0, RS_RET_CERT_MISSING, "warning: certificate file is not set");
++        loggedWarnings |= GTLS_LOGGED_WARN_CERT_MISSING;
+     }
+-    if (keyFile == NULL && !(pThis->loggedWarnings & GTLS_LOGGED_WARN_KEY_MISSING)) {
+-        LogMsg(0, RS_RET_CERTKEY_MISSING, LOG_WARNING, "warning: key file is not set");
+-        pThis->loggedWarnings |= GTLS_LOGGED_WARN_KEY_MISSING;
++    if (keyFile == NULL && !(loggedWarnings & GTLS_LOGGED_WARN_KEY_MISSING)) {
++        LogError(0, RS_RET_CERTKEY_MISSING, "warning: key file is not set");
++        loggedWarnings |= GTLS_LOGGED_WARN_KEY_MISSING;
+     }
+ 
+     /* set certificate in gnutls */
+@@ -757,10 +761,11 @@ static rsRetVal gtlsInitCred(nsd_gtls_t *const pThis) {
+ 
+     /* sets the trusted cas file */
+     cafile = (pThis->pszCAFile == NULL) ? glbl.GetDfltNetstrmDrvrCAF(runConf) : pThis->pszCAFile;
+-    if (cafile == NULL && !(pThis->loggedWarnings & GTLS_LOGGED_WARN_CA_MISSING)) {
+-        LogMsg(0, RS_RET_CA_CERT_MISSING, LOG_WARNING, "Warning: CA certificate is not set");
+-        pThis->loggedWarnings |= GTLS_LOGGED_WARN_CA_MISSING;
+-    } else {
++    if (cafile == NULL && !(loggedWarnings & GTLS_LOGGED_WARN_CA_MISSING)) {
++        LogError(0, RS_RET_CA_CERT_MISSING, "Warning: CA certificate is not set");
++        loggedWarnings |= GTLS_LOGGED_WARN_CA_MISSING;
++    }
++    if (cafile != NULL) {
+         dbgprintf("GTLS CA file: '%s'\n", cafile);
+         gnuRet = gnutls_certificate_set_x509_trust_file(pThis->xcred, (char *)cafile, GNUTLS_X509_FMT_PEM);
+         if (gnuRet == GNUTLS_E_FILE_ERROR) {
+@@ -1432,7 +1437,6 @@ static inline void gtlsSetTransportPtr(nsd_gtls_t *pThis, int sock) {
+ BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */
+     iRet = nsd_ptcp.Construct(&pThis->pTcp);
+     pThis->bReportAuthErr = 1;
+-    pThis->loggedWarnings = 0;
+ ENDobjConstruct(nsd_gtls)
+ 
+ 
+diff --git a/runtime/nsd_gtls.h b/runtime/nsd_gtls.h
+index 685f65a49..f40ab3f13 100644
+--- a/runtime/nsd_gtls.h
++++ b/runtime/nsd_gtls.h
+@@ -83,7 +83,6 @@ struct nsd_gtls_s {
+         gnutls_x509_privkey_t ourKey; /**< our private key, if in client mode (unused in server mode) */
+         short bOurCertIsInit; /**< 1 if our certificate is initialized and must be deinit on destruction */
+         short bOurKeyIsInit; /**< 1 if our private key is initialized and must be deinit on destruction */
+-        unsigned short loggedWarnings; /**< bitfield of logged warnings */
+         char *pszRcvBuf;
+         int lenRcvBuf;
+         /**< -1: empty, 0: connection closed, 1..NSD_GTLS_MAX_RCVBUF-1: data of that size present */
+diff --git a/tests/omfwd-gtls-missing-cert-key.sh b/tests/omfwd-gtls-missing-cert-key.sh
+new file mode 100755
+index 000000000..36cb2f3f5
+--- /dev/null
++++ b/tests/omfwd-gtls-missing-cert-key.sh
+@@ -0,0 +1,29 @@
++#!/bin/bash
++# Test for gnutls loggedWarnings functionality with omfwd
++# This test verifies that warnings for missing cert/key files are logged only once
++# even when the action retries multiple times (loggedWarnings mechanism)
++. ${srcdir:=.}/diag.sh init
++
++export PORT_RCVR="$(get_free_port)"
++export RS_REDIR=">${RSYSLOG_DYNNAME}.rsyslog.log 2>&1"
++
++generate_conf
++add_conf '
++global(defaultNetstreamDriverCAFile="'$srcdir/tls-certs/ca.pem'")
++
++action(type="omfwd" protocol="tcp" target="127.0.0.1" port="'$PORT_RCVR'"
++	StreamDriver="gtls"
++	StreamDriverMode="1"
++	StreamDriverAuthMode="x509/name"
++	action.resumeRetryCount="-1"
++	action.resumeInterval="10")
++'
++startup
++sleep 30
++shutdown_immediate
++wait_shutdown
++
++content_count_check "warning: certificate file is not set" 1 ${RSYSLOG_DYNNAME}.rsyslog.log
++content_count_check "warning: key file is not set" 1 ${RSYSLOG_DYNNAME}.rsyslog.log
++
++exit_test
+-- 
+2.51.0
+

imfile-delete-state-on-file-move.patch

@@ -1,101 +0,0 @@
-diff -up a/plugins/imfile/imfile.c.orig b/plugins/imfile/imfile.c
---- a/plugins/imfile/imfile.c.orig	2025-07-29 15:54:35.659288215 +0200
-+++ b/plugins/imfile/imfile.c	2025-07-29 15:54:40.119329980 +0200
-@@ -157,6 +157,7 @@ struct instanceConf_s {
- 	int readTimeout;
- 	unsigned delay_perMsg;
- 	sbool bRMStateOnDel;
-+	sbool bRMStateOnMove;
- 	uint8_t readMode;
- 	uchar *startRegex;
- 	uchar *endRegex;
-@@ -253,6 +254,7 @@ struct modConfData_s {
- 	instanceConf_t *root, *tail;
- 	fs_node_t *conf_tree;
- 	uint8_t opMode;
-+	sbool bRMStateOnMove;
- 	sbool configSetViaV2Method;
- 	uchar *stateFileDirectory;
- 	sbool sortFiles;
-@@ -310,7 +312,8 @@ static struct cnfparamdescr modpdescr[]
- 	{ "sortfiles", eCmdHdlrBinary, 0 },
- 	{ "statefile.directory", eCmdHdlrString, 0 },
- 	{ "normalizepath", eCmdHdlrBinary, 0 },
--	{ "mode", eCmdHdlrGetWord, 0 }
-+	{ "mode", eCmdHdlrGetWord, 0 },
-+	{ "deletestateonfilemove", eCmdHdlrBinary, 0 },
- };
- static struct cnfparamblk modpblk =
- 	{ CNFPARAMBLK_VERSION,
-@@ -350,7 +353,8 @@ static struct cnfparamdescr inppdescr[]
- 	{ "needparse", eCmdHdlrBinary, 0},
- 	{ "ignoreolderthan", eCmdHdlrInt, 0},
- 	{ "maxbytesperminute", eCmdHdlrInt, 0},
--	{ "maxlinesperminute", eCmdHdlrInt, 0}
-+	{ "maxlinesperminute", eCmdHdlrInt, 0},
-+	{ "deletestateonfilemove", eCmdHdlrBinary, 0}
- };
- static struct cnfparamblk inppblk =
- 	{ CNFPARAMBLK_VERSION,
-@@ -856,7 +860,7 @@ detect_updates(fs_edge_t *const edge)
- 				*/
- 				sbool is_file = act->edge->is_file;
- 				if (!is_file || act->time_to_delete + FILE_DELETE_DELAY < ttNow) {
--				DBGPRINTF("detect_updates obj gone away, unlinking: "
-+					DBGPRINTF("detect_updates obj gone away, unlinking: "
- 					"'%s', ttDelete: %"PRId64"s, ttNow:%"PRId64" isFile: %d\n",
- 					act->name, (int64_t) ttNow - (act->time_to_delete + FILE_DELETE_DELAY),
- 					(int64_t) ttNow, is_file);
-@@ -1061,8 +1065,17 @@ act_obj_destroy(act_obj_t *const act, co
- 		}
- 		persistStrmState(act);
- 		strm.Destruct(&act->pStrm);
--		/* we delete state file after destruct in case strm obj initiated a write */
--		if(is_deleted && !act->in_move && inst->bRMStateOnDel) {
-+
-+		/*
-+		 * We delete the state file after the destruct operation to ensure that any pending
-+		 * writes initiated by the stream object are completed before removal. The state file
-+		 * is deleted in the following scenarios:
-+		 *   - If the file has not been moved and we are configured to delete the state file
-+		 *     when the original file is removed.
-+		 *   - If the configuration specifies not to preserve the state file after the file
-+		 *     has been renamed. This prevents orphaned state files.
-+		 */
-+		if(is_deleted && ((!act->in_move && inst->bRMStateOnDel) || inst->bRMStateOnMove)) {
- 			DBGPRINTF("act_obj_destroy: deleting state file %s\n", statefn);
- 			unlink((char*)statefn);
- 		}
-@@ -1773,6 +1786,7 @@ createInstance(instanceConf_t **const pi
- 	inst->discardTruncatedMsg = 0;
- 	inst->msgDiscardingError = 1;
- 	inst->bRMStateOnDel = 1;
-+	inst->bRMStateOnMove = loadModConf->bRMStateOnMove;
- 	inst->escapeLF = 1;
- 	inst->escapeLFString = NULL;
- 	inst->reopenOnTruncate = 0;
-@@ -1932,6 +1946,7 @@ addInstance(void __attribute__((unused))
- 	inst->addMetadata = 0;
- 	inst->addCeeTag = 0;
- 	inst->bRMStateOnDel = 0;
-+	inst->bRMStateOnMove = loadModConf->bRMStateOnMove;
- 	inst->readTimeout = loadModConf->readTimeout;
- 	inst->msgFlag = 0;
- 
-@@ -2089,6 +2104,7 @@ CODESTARTbeginCnfLoad
- 	/* init our settings */
- 	loadModConf->opMode = OPMODE_POLLING;
- 	loadModConf->iPollInterval = DFLT_PollInterval;
-+	loadModConf->bRMStateOnMove = 0;
- 	loadModConf->configSetViaV2Method = 0;
- 	loadModConf->readTimeout = 0; /* default: no timeout */
- 	loadModConf->timeoutGranularity = 1000; /* default: 1 second */
-@@ -2142,6 +2158,8 @@ CODESTARTsetModCnf
- 			continue;
- 		if(!strcmp(modpblk.descr[i].name, "pollinginterval")) {
- 			loadModConf->iPollInterval = (int) pvals[i].val.d.n;
-+		} else if(!strcmp(modpblk.descr[i].name, "deletestateonfilemove")) {
-+			loadModConf->bRMStateOnMove = (sbool) pvals[i].val.d.n;
- 		} else if(!strcmp(modpblk.descr[i].name, "readtimeout")) {
- 			loadModConf->readTimeout = (int) pvals[i].val.d.n;
- 		} else if(!strcmp(modpblk.descr[i].name, "timeoutgranularity")) {

openssl-disable-engines.patch

@@ -1,62 +0,0 @@
-diff --git a/plugins/imdtls/imdtls.c b/plugins/imdtls/imdtls.c
-index f90e8ad61c..bfb63452c7 100644
---- a/plugins/imdtls/imdtls.c
-+++ b/plugins/imdtls/imdtls.c
-@@ -41,7 +41,9 @@
- #if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
- #	include <openssl/bioerr.h>
- #endif
--#include <openssl/engine.h>
-+#ifndef OPENSSL_NO_ENGINE
-+#       include <openssl/engine.h>
-+#endif
- // ---
- 
- #include "rsyslog.h"
-diff --git a/plugins/omdtls/omdtls.c b/plugins/omdtls/omdtls.c
-index 2b28908030..693ff99c77 100644
---- a/plugins/omdtls/omdtls.c
-+++ b/plugins/omdtls/omdtls.c
-@@ -52,7 +52,9 @@
- #if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
- #	include <openssl/bioerr.h>
- #endif
--#include <openssl/engine.h>
-+#ifndef OPENSSL_NO_ENGINE
-+#       include <openssl/engine.h>
-+#endif
- // ---
- 
- // Include rsyslog headers
-diff --git a/runtime/net_ossl.h b/runtime/net_ossl.h
-index af36ffe488..d66a422d4d 100644
---- a/runtime/net_ossl.h
-+++ b/runtime/net_ossl.h
-@@ -31,7 +31,9 @@
- #if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
- #	include <openssl/bioerr.h>
- #endif
--#include <openssl/engine.h>
-+#ifndef OPENSSL_NO_ENGINE
-+#       include <openssl/engine.h>
-+#endif
- #include <openssl/rand.h>
- #include <openssl/evp.h>
- 
-diff --git a/tests/tcpflood.c b/tests/tcpflood.c
-index 4b2d98b2c8..7322aeb135 100644
---- a/tests/tcpflood.c
-+++ b/tests/tcpflood.c
-@@ -129,8 +129,10 @@
- #ifdef ENABLE_OPENSSL
- 	#include <openssl/ssl.h>
- 	#include <openssl/x509v3.h>
--	#include <openssl/err.h>
--	#include <openssl/engine.h>
-+       #include <openssl/err.h>
-+#       ifndef OPENSSL_NO_ENGINE
-+#               include <openssl/engine.h>
-+#       endif
- 
- 	/* OpenSSL API differences */
- 	#if OPENSSL_VERSION_NUMBER >= 0x10100000L

ossl-free-cert.patch

@@ -0,0 +1,38 @@
+From e21ea186a88d2750c97092c016811d1378cbe24c Mon Sep 17 00:00:00 2001
+From: Cropi <alakatos@redhat.com>
+Date: Thu, 9 Oct 2025 11:39:46 +0200
+Subject: [PATCH] ossl bugfix: ensure peer cert is freed in osslChkPeerAuth
+
+Ensure osslChkPeerAuth starts with a null peer-certificate pointer and
+frees any retrieved X509 certificate so OpenSSL allocations from
+SSL_get_peer_certificate do not leak after TLS handshakes.
+---
+ runtime/nsd_ossl.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
+index 30300156b..954277fef 100644
+--- a/runtime/nsd_ossl.c
++++ b/runtime/nsd_ossl.c
+@@ -353,7 +353,7 @@ finalize_it:
+  */
+ rsRetVal osslChkPeerAuth(nsd_ossl_t *pThis) {
+     DEFiRet;
+-    X509 *certpeer;
++    X509 *certpeer = NULL;
+ 
+     ISOBJ_TYPE_assert(pThis, nsd_ossl);
+     uchar *fromHostIP = NULL;
+@@ -388,6 +388,9 @@ rsRetVal osslChkPeerAuth(nsd_ossl_t *pThis) {
+             break;
+     }
+ finalize_it:
++    if (certpeer != NULL) {
++        X509_free(certpeer);
++    }
+     if (fromHostIP != NULL) {
+         free(fromHostIP);
+     }
+-- 
+2.51.0
+

rsyslog.conf

@@ -9,24 +9,25 @@
 # Where to place auxiliary files
 global(workDirectory="/var/lib/rsyslog")
 
+#### MODULES ####
+
 # Use default timestamp format
 module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
 
-#### MODULES ####
-
-module(load="imuxsock" 	  # provides support for local system logging (e.g. via logger command)
+module(load="imuxsock"    # provides support for local system logging (e.g. via logger command)
        SysSock.Use="off") # Turn off message reception via local log socket; 
-			  # local messages are retrieved through imjournal now.
-module(load="imjournal" 	    # provides access to the systemd journal
+                          # local messages are retrieved through imjournal now.
+module(load="imjournal"             # provides access to the systemd journal
        UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
        FileCreateMode="0644" # Set the access permissions for the state file
        StateFile="imjournal.state") # File to store the position in the journal
-#module(load="imklog") # reads kernel messages (the same are read from journald)
-#module(load="immark") # provides --MARK-- message capability
 
 # Include all config files in /etc/rsyslog.d/
 include(file="/etc/rsyslog.d/*.conf" mode="optional")
 
+#module(load="imklog") # reads kernel messages (the same are read from journald)
+#module(load="immark") # provides --MARK-- message capability
+
 # Provides UDP syslog reception
 # for parameters see http://www.rsyslog.com/doc/imudp.html
 #module(load="imudp") # needs to be done just once
@@ -41,30 +42,29 @@ include(file="/etc/rsyslog.d/*.conf" mode="optional")
 
 # Log all kernel messages to the console.
 # Logging much else clutters up the screen.
-#kern.*                                                 /dev/console
+#kern.* action(type="omfile" file="/dev/console")
 
 # Log anything (except mail) of level info or higher.
 # Don't log private authentication messages!
-*.info;mail.none;authpriv.none;cron.none                /var/log/messages
+*.info;mail.none;authpriv.none;cron.none action(type="omfile" file="/var/log/messages")
 
 # The authpriv file has restricted access.
-authpriv.*                                              /var/log/secure
+authpriv.* action(type="omfile" file="/var/log/secure")
 
 # Log all the mail messages in one place.
-mail.*                                                  -/var/log/maillog
-
+mail.* action(type="omfile" file="/var/log/maillog" sync="on")
 
 # Log cron stuff
-cron.*                                                  /var/log/cron
+cron.* action(type="omfile" file="/var/log/cron")
 
 # Everybody gets emergency messages
-*.emerg                                                 :omusrmsg:*
+*.emerg action(type="omusrmsg" users="*")
 
 # Save news errors of level crit and higher in a special file.
-uucp,news.crit                                          /var/log/spooler
+uucp,news.crit action(type="omfile" file="/var/log/spooler")
 
 # Save boot messages also to boot.log
-local7.*                                                /var/log/boot.log
+local7.* action(type="omfile" file="/var/log/boot.log")
 
 
 # ### sample forwarding rule ###

rsyslog.spec

@@ -1,27 +1,26 @@
 %define rsyslog_statedir %{_sharedstatedir}/rsyslog
 %define rsyslog_pkidir %{_sysconfdir}/pki/rsyslog
 %define rsyslog_docdir %{_docdir}/rsyslog
-%define qpid_proton_v 0.39.0
+%define qpid_proton_v 0.40.0
 
 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
-Version: 8.2506.0
+Version: 8.2510.0
 Release: 2%{?dist}
 License: GPL-3.0-or-later AND Apache-2.0
 URL: http://www.rsyslog.com/
 Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
-Source1: http://www.rsyslog.com/files/download/rsyslog/%{name}-doc-%{version}.tar.gz
-Source2: rsyslog.conf
-Source3: rsyslog.sysconfig
-Source4: rsyslog.log
-Source5: rsyslog.service
+Source1: rsyslog.conf
+Source2: rsyslog.sysconfig
+Source3: rsyslog.log
+Source4: rsyslog.service
 # Add qpid-proton as another source, enable omamqp1 module in a
 # separatae sub-package with it statically linked(see rhbz#1713427)
-Source6: https://archive.apache.org/dist/qpid/proton/%{qpid_proton_v}/qpid-proton-%{qpid_proton_v}.tar.gz
+Source5: https://archive.apache.org/dist/qpid/proton/%{qpid_proton_v}/qpid-proton-%{qpid_proton_v}.tar.gz
 Source7: rsyslog-tmpfiles.conf
 
-Patch0: openssl-disable-engines.patch
-Patch1: imfile-delete-state-on-file-move.patch
+Patch0: ossl-free-cert.patch
+Patch1: gtls-unused-certificates.patch
 
 BuildRequires: make
 BuildRequires: gcc
@@ -248,18 +247,13 @@ The rsyslog-mmkubernetes package provides module for adding kubernetes
 container metadata.
 
 %prep
-# set up rsyslog-doc sources
-%setup -q -a 1 -T -c
-
-rm -r LICENSE README.md source build/objects.inv
-mv build doc
 # set up rsyslog sources
 %setup -q -D
 %patch -P 0 -p1
 %patch -P 1 -p1
 
 # Unpack qpid-proton for rhel
-%setup -q -D -T -b 6
+%setup -q -D -T -b 5
 
 %build
 # Add additional flags as per https://one.redhat.com/rhel-developer-guide/#_what_are_the_required_flags
@@ -366,10 +360,10 @@ install -d -m 755 %{buildroot}%{rsyslog_docdir}/html
 install -d -m 755 %{buildroot}%{_libexecdir}/%{name}
 install -d -m 755 %{buildroot}%{_tmpfilesdir}
 
-install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/rsyslog.conf
-install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/rsyslog
-install -p -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/rsyslog
-install -p -m 644 %{SOURCE5} %{buildroot}%{_unitdir}/rsyslog.service
+install -p -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/rsyslog.conf
+install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/sysconfig/rsyslog
+install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/logrotate.d/rsyslog
+install -p -m 644 %{SOURCE4} %{buildroot}%{_unitdir}/rsyslog.service
 install -p -m 644 %{SOURCE7} %{buildroot}%{_tmpfilesdir}/rsyslog.conf
 install -p -m 644 plugins/ommysql/createDB.sql %{buildroot}%{rsyslog_docdir}/mysql-createDB.sql
 install -p -m 644 plugins/ompgsql/createDB.sql %{buildroot}%{rsyslog_docdir}/pgsql-createDB.sql
@@ -402,7 +396,7 @@ done
 %{!?_licensedir:%global license %%doc}
 %license COPYING*
 %doc AUTHORS ChangeLog README.md
-%{rsyslog_docdir}
+%exclude %{rsyslog_docdir}/recover_qi.pl
 %exclude %{rsyslog_docdir}/html
 %exclude %{rsyslog_docdir}/mysql-createDB.sql
 %exclude %{rsyslog_docdir}/pgsql-createDB.sql
@@ -440,6 +434,7 @@ done
 %{_libdir}/rsyslog/mmanon.so
 %{_libdir}/rsyslog/mmcount.so
 %{_libdir}/rsyslog/mmexternal.so
+%{_libdir}/rsyslog/mmleefparse.so
 %{_libdir}/rsyslog/mmutf8fix.so
 %{_libdir}/rsyslog/omhttp.so
 %{_libdir}/rsyslog/omjournal.so
@@ -462,7 +457,8 @@ done
 %{_libdir}/rsyslog/lmcry_gcry.so
 
 %files doc
-%doc %{rsyslog_docdir}/html
+%{rsyslog_docdir}/html
+%{rsyslog_docdir}/recover_qi.pl
 
 %files elasticsearch
 %{_libdir}/rsyslog/omelasticsearch.so
@@ -525,6 +521,15 @@ done
 
 
 %changelog
+* Fri Oct 31 2025 Attila Lakatos <alakatos@redhat.com> - 8.2510.0-2
+- Rebase to 8.2510.0
+- gnutls netstream driver: improve doc
+  Resolves: RHEL-86031
+- rsyslog.conf: use RainerSscript syntax in actions
+  Resolves: RHEL-42508
+- gnutls netstream driver: report missing certificate just once
+  Resolves: RHEL-105782
+
 * Tue Jul 29 2025 Attila Lakatos <alakatos@redhat.com> 8.2506.0-2
 - imfile: reintroduce deleteStateOnFileMove parameter
   Resolves: RHEL-92262

sources

@@ -1,3 +1,2 @@
-SHA512 (qpid-proton-0.39.0.tar.gz) = df5c5469ee82ba02de62dce15b73b81aab2aae07c7db668182df690cea4ff7584111bd12143fe5e3569469a9ddf4950ac68d60b53d1a7815da4748052948cd1b
-SHA512 (rsyslog-8.2506.0.tar.gz) = 82fd3a3e76217081c7903b0bdb8bdb46c23657593d84d5ff7f836efca4c76d7d2870706150a6473c0667f0c8571a3c8e5d237619a3ad3940701925efaec32941
-SHA512 (rsyslog-doc-8.2506.0.tar.gz) = 49db24f5905e4c48ab198358a646d105d0b10c23c7b9ea27d26baa533506e21420829a62acf52f4d34b56250d30988c1f8ab2d6798b3a416b0692c1fcf3c538d
+SHA512 (rsyslog-8.2510.0.tar.gz) = d2e693fd8c7112e4ccc36ea6fbb19909df885e7cb2778e95c04b7c5e9db8240224decfee52308a46865b7deffcf1e31ade0104c90d84b768a4dece15e5ea190e
+SHA512 (qpid-proton-0.40.0.tar.gz) = 3e7fe56ca1423f45f71d81f5e1d6ec5f21c073cc580628e12a8dbd545a86805b7312834e0d1234dde43797633d575ed639f21a96239b217500cc0a824482aae3