.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,86 +1,3 @@
-rsyslog-4.6.3.tar.gz
+SOURCES/qpid-proton-0.34.0.tar.gz
-/rsyslog-5.5.7.tar.gz
+SOURCES/rsyslog-8.2102.0.tar.gz
-/rsyslog-5.6.2.tar.gz
+SOURCES/rsyslog-doc-8.2102.0.tar.gz
-/rsyslog-5.7.9.tar.gz
-/rsyslog-5.7.10.tar.gz
-/rsyslog-5.8.1.tar.gz
-/rsyslog-5.8.2.tar.gz
-/rsyslog-5.8.5.tar.gz
-/rsyslog-5.8.6.tar.gz
-/rsyslog-5.8.7.tar.gz
-/rsyslog-5.8.11.tar.gz
-/rsyslog-7.2.2.tar.gz
-/rsyslog-7.2.4.tar.gz
-/rsyslog-7.2.5.tar.gz
-/rsyslog-7.3.9.tar.gz
-/rsyslog-7.3.10.tar.gz
-/rsyslog-7.3.15-20130604git6e72fa6.tar.gz
-/rsyslog-7.4.0.tar.gz
-/rsyslog-7.4.1.tar.gz
-/rsyslog-7.4.2.tar.gz
-/rsyslog-7.4.7.tar.gz
-/rsyslog-7.4.8.tar.gz
-/rsyslog-7.4.10.tar.gz
-/rsyslog-8.8.0.tar.gz
-/rsyslog-doc-8.8.0.tar.gz
-/rsyslog-doc-8.10.0.tar.gz
-/rsyslog-8.10.0.tar.gz
-/rsyslog-8.12.0.tar.gz
-/rsyslog-doc-8.12.0.tar.gz
-/rsyslog-8.21.0.tar.gz
-/rsyslog-doc-8.21.0.tar.gz
-/rsyslog-doc-8.22.0.tar.gz
-/rsyslog-8.22.0.tar.gz
-/rsyslog-8.23.0.tar.gz
-/rsyslog-doc-8.23.0.tar.gz
-/rsyslog-8.24.0.tar.gz
-/rsyslog-doc-8.24.0.tar.gz
-/rsyslog-8.25.0.tar.gz
-/rsyslog-doc-8.25.0.tar.gz
-/rsyslog-8.26.0.tar.gz
-/rsyslog-doc-8.26.0.tar.gz
-/rsyslog-doc-8.27.0.tar.gz
-/rsyslog-8.27.0.tar.gz
-/rsyslog-8.29.0.tar.gz
-/rsyslog-doc-8.29.0.tar.gz
-/rsyslog-8.30.0.tar.gz
-/rsyslog-doc-8.30.0.tar.gz
-/rsyslog-8.31.0.tar.gz
-/rsyslog-doc-8.31.0.tar.gz
-/rsyslog-doc-8.32.0.tar.gz
-/rsyslog-8.32.0.tar.gz
-/rsyslog-doc-8.34.0.tar.gz
-/rsyslog-8.34.0.tar.gz
-/rsyslog-8.35.0.tar.gz
-/rsyslog-doc-8.35.0.tar.gz
-/rsyslog-8.36.0.tar.gz
-/rsyslog-doc-8.36.0.tar.gz
-/rsyslog-8.37.0.tar.gz
-/rsyslog-doc-8.37.0.tar.gz
-/rsyslog-8.38.0.tar.gz
-/rsyslog-doc-8.38.0.tar.gz
-/rsyslog-8.39.0.tar.gz
-/rsyslog-doc-8.39.0.tar.gz
-/rsyslog-8.1904.0.tar.gz
-/rsyslog-doc-8.1904.0.tar.gz
-/rsyslog-8.1907.0.tar.gz
-/rsyslog-doc-8.1907.0.tar.gz
-/rsyslog-8.1910.0.tar.gz
-/rsyslog-doc-8.1910.0.tar.gz
-/rsyslog-8.1911.0.tar.gz
-/rsyslog-doc-8.1911.0.tar.gz
-/rsyslog-8.2001.0.tar.gz
-/rsyslog-doc-8.2001.0.tar.gz
-/rsyslog-8.2002.0.tar.gz
-/rsyslog-doc-8.2002.0.tar.gz
-/rsyslog-8.2008.0.tar.gz
-/rsyslog-doc-8.2008.0.tar.gz
-/rsyslog-8.2010.0.tar.gz
-/rsyslog-doc-8.2010.0.tar.gz
-/qpid-proton-0.31.0.tar.gz
-/rsyslog-8.2102.0.tar.gz
-/rsyslog-doc-8.2102.0.tar.gz
-/qpid-proton-0.34.0.tar.gz
-/qpid-proton-0.39.0.tar.gz
-/rsyslog-8.2310.0.tar.gz
-/rsyslog-doc-8.2310.0.tar.gz

.rsyslog.metadata

@@ -0,0 +1,3 @@
+390e5cb87a6331cf0ce451d7f6552e2c0d97f706 SOURCES/qpid-proton-0.34.0.tar.gz
+fdda78ed808e7a0dca03ead9227a0a5d913a050f SOURCES/rsyslog-8.2102.0.tar.gz
+9c2188d435cb5f79c1c35749003bd2a61e7f2d07 SOURCES/rsyslog-doc-8.2102.0.tar.gz

SOURCES/propagate-gnutlsPriorityString.patch

@@ -0,0 +1,11 @@
+diff -up rsyslog-8.2102.0/runtime/nsd_ossl.c.orig rsyslog-8.2102.0/runtime/nsd_ossl.c
+--- rsyslog-8.2102.0/runtime/nsd_ossl.c.orig	2024-08-26 15:27:50.528691153 +0200
++++ rsyslog-8.2102.0/runtime/nsd_ossl.c	2024-08-26 15:28:06.950855632 +0200
+@@ -1544,6 +1544,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
+ 	pNew->permitExpiredCerts = pThis->permitExpiredCerts;
+ 	pNew->pPermPeers = pThis->pPermPeers;
+ 	pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
++	pNew->gnutlsPriorityString = pThis->gnutlsPriorityString;
+ 	CHKiRet(osslInitSession(pNew, osslServer));
+ 
+ 	/* Store nsd_ossl_t* reference in SSL obj */

SOURCES/rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch

@@ -1,7 +1,7 @@
-diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/plugins/imjournal/imjournal.c
+diff -up ./plugins/imjournal/imjournal.c.default-tag ./plugins/imjournal/imjournal.c
---- rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig	2023-10-10 16:42:39.771369418 +0200
+--- ./plugins/imjournal/imjournal.c.default-tag	2018-05-17 08:50:11.416418022 -0400
-+++ rsyslog-8.2310.0/plugins/imjournal/imjournal.c	2023-10-10 16:51:39.839133580 +0200
++++ ./plugins/imjournal/imjournal.c	2018-05-17 08:53:02.884418022 -0400
-@@ -87,6 +87,7 @@ static struct configSettings_s {
+@@ -78,6 +78,7 @@ static struct configSettings_s {
  	int bWorkAroundJournalBug; /* deprecated, left for backwards compatibility only */
  	int bFsync;
  	int bRemote;
@@ -9,7 +9,7 @@ diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/pl
  } cs;
  
  static rsRetVal facilityHdlr(uchar **pp, void *pVal);
-@@ -106,7 +107,8 @@ static struct cnfparamdescr modpdescr[]
+@@ -93,7 +94,8 @@ static struct cnfparamdescr modpdescr[]
  	{ "usepid", eCmdHdlrString, 0 },
  	{ "workaroundjournalbug", eCmdHdlrBinary, 0 },
  	{ "fsync", eCmdHdlrBinary, 0 },
@@ -19,7 +19,7 @@ diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/pl
  };
  static struct cnfparamblk modpblk =
  	{ CNFPARAMBLK_VERSION,
-@@ -117,6 +119,7 @@ static struct cnfparamblk modpblk =
+@@ -104,6 +106,7 @@ static struct cnfparamblk modpblk =
  #define DFLT_persiststateinterval 10
  #define DFLT_SEVERITY pri2sev(LOG_NOTICE)
  #define DFLT_FACILITY pri2fac(LOG_USER)
@@ -27,27 +27,37 @@ diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/pl
  
  static int bLegacyCnfModGlobalsPermitted = 1;/* are legacy module-global config parameters permitted? */
  
-@@ -458,7 +461,7 @@ readjournal(void)
+@@ -268,7 +271,7 @@ readjournal(void)
- 	} else if (journalGetData("_COMM", &get, &length) >= 0) {
+ 
- 		CHKiRet(sanitizeValue(((const char *)get) + 6, length - 6, &sys_iden));
+ 	/* Information from messages */
+ 	char *message = NULL;
+-	char *sys_iden;
++	char *sys_iden = NULL;
+ 	char *sys_iden_help = NULL;
+ 
+ 	const void *get;
+@@ -331,7 +334,7 @@ readjournal(void)
+ 	if (journalGetData("SYSLOG_IDENTIFIER", &get, &length) >= 0) {
+ 		CHKiRet(sanitizeValue(((const char *)get) + 18, length - 18, &sys_iden));
  	} else {
 -		CHKmalloc(sys_iden = strdup("journal"));
 +		CHKmalloc(sys_iden = strdup(cs.dfltTag));
  	}
  
  	/* trying to get PID, default is "SYSLOG_PID" property */
-@@ -826,6 +829,10 @@ CODESTARTrunInput
+@@ -654,6 +657,11 @@ CODESTARTrunInput
- 			"\"usepidfromsystem\" is deprecated, use \"usepid\" instead");
+ 			"\"usepidfromsystem\" is depricated, use \"usepid\" instead");
  	}
  
 +	if (cs.dfltTag == NULL) {
 +		cs.dfltTag = strdup(DFLT_TAG);
 +	}
++
 +
  	if (cs.usePid && (strcmp(cs.usePid, "system") == 0)) {
  		pidFieldName = "_PID";
  		bPidFallBack = 0;
-@@ -914,6 +921,7 @@ CODESTARTbeginCnfLoad
+@@ -732,6 +740,7 @@ CODESTARTbeginCnfLoad
  	cs.bWorkAroundJournalBug = 1;
  	cs.bFsync = 0;
  	cs.bRemote = 0;
@@ -55,7 +65,7 @@ diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/pl
  ENDbeginCnfLoad
  
  
-@@ -983,6 +991,7 @@ BEGINfreeCnf
+@@ -754,6 +763,7 @@ BEGINfreeCnf
  CODESTARTfreeCnf
  	free(cs.stateFile);
  	free(cs.usePid);
@@ -63,7 +73,7 @@ diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/pl
  	free(journalContext.cursor);
  	statsobj.Destruct(&(statsCounter.stats));
  ENDfreeCnf
-@@ -1077,6 +1086,8 @@ CODESTARTsetModCnf
+@@ -832,6 +842,8 @@ CODESTARTsetModCnf
  			cs.bFsync = (int) pvals[i].val.d.n;
  		} else if (!strcmp(modpblk.descr[i].name, "remote")) {
  			cs.bRemote = (int) pvals[i].val.d.n;
@@ -72,7 +82,7 @@ diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/pl
  		} else {
  			dbgprintf("imjournal: program error, non-handled "
  				"param '%s' in beginCnfLoad\n", modpblk.descr[i].name);
-@@ -1144,6 +1155,8 @@ CODEmodInit_QueryRegCFSLineHdlr
+@@ -799,6 +820,8 @@ CODEmodInit_QueryRegCFSLineHdlr
  		facilityHdlr, &cs.iDfltFacility, STD_LOADABLE_MODULE_ID));
  	CHKiRet(omsdRegCFSLineHdlr((uchar *)"imjournalusepidfromsystem", 0, eCmdHdlrBinary,
  		NULL, &cs.bUseJnlPID, STD_LOADABLE_MODULE_ID));

SOURCES/rsyslog-8.2102.0-imtcp-param-refactor.patch

@@ -0,0 +1,908 @@
+diff --git a/plugins/imdiag/imdiag.c b/plugins/imdiag/imdiag.c
+index 3e27ee4d36..d57dd5661c 100644
+--- a/plugins/imdiag/imdiag.c
++++ b/plugins/imdiag/imdiag.c
+@@ -566,28 +566,33 @@ setInjectDelayMode(void __attribute__((unused)) *pVal, uchar *const pszMode)
+ }
+ 
+ 
+-static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal)
++static rsRetVal
++addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal)
+ {
++	tcpLstnParams_t *cnf_params = NULL;
+ 	DEFiRet;
+ 
+-	if(pOurTcpsrv == NULL) {
+-		CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
+-		CHKiRet(tcpsrv.SetSessMax(pOurTcpsrv, iTCPSessMax));
+-		CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
+-		CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
+-		CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
+-		CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
+-		CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
+-		CHKiRet(tcpsrv.SetDrvrMode(pOurTcpsrv, iStrmDrvrMode));
+-		CHKiRet(tcpsrv.SetOnMsgReceive(pOurTcpsrv, OnMsgReceived));
+-		CHKiRet(tcpsrv.SetLstnPortFileName(pOurTcpsrv, pszLstnPortFileName));
+-		/* now set optional params, but only if they were actually configured */
+-		if(pszStrmDrvrAuthMode != NULL) {
+-			CHKiRet(tcpsrv.SetDrvrAuthMode(pOurTcpsrv, pszStrmDrvrAuthMode));
+-		}
+-		if(pPermPeersRoot != NULL) {
+-			CHKiRet(tcpsrv.SetDrvrPermPeers(pOurTcpsrv, pPermPeersRoot));
+-		}
++	if(pOurTcpsrv != NULL) {
++		LogError(0, NO_ERRCODE, "imdiag: only a single listener is supported, "
++			"trying to add a second");
++		ABORT_FINALIZE(RS_RET_ERR);
++	}
++	CHKmalloc(cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t)));
++	CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
++	CHKiRet(tcpsrv.SetSessMax(pOurTcpsrv, iTCPSessMax));
++	CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
++	CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
++	CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
++	CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
++	CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
++	CHKiRet(tcpsrv.SetDrvrMode(pOurTcpsrv, iStrmDrvrMode));
++	CHKiRet(tcpsrv.SetOnMsgReceive(pOurTcpsrv, OnMsgReceived));
++	/* now set optional params, but only if they were actually configured */
++	if(pszStrmDrvrAuthMode != NULL) {
++		CHKiRet(tcpsrv.SetDrvrAuthMode(pOurTcpsrv, pszStrmDrvrAuthMode));
++	}
++	if(pPermPeersRoot != NULL) {
++		CHKiRet(tcpsrv.SetDrvrPermPeers(pOurTcpsrv, pPermPeersRoot));
+ 	}
+ 
+ 	/* initialized, now add socket */
+@@ -595,7 +600,11 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa
+ 						UCHAR_CONSTANT("imdiag") : pszInputName));
+ 	CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, (uchar*)"imdiag"));
+ 	/* we support octect-counted frame (constant 1 below) */
+-	tcpsrv.configureTCPListen(pOurTcpsrv, pNewVal, 1, NULL, pszLstnPortFileName);
++	cnf_params->pszPort = pNewVal;
++	cnf_params->bSuppOctetFram = 1;
++	CHKmalloc(cnf_params->pszLstnPortFileName = (const uchar*) strdup((const char*)pszLstnPortFileName));
++	tcpsrv.configureTCPListen(pOurTcpsrv, cnf_params);
++	cnf_params = NULL;
+ 
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+@@ -603,7 +612,7 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa
+ 		if(pOurTcpsrv != NULL)
+ 			tcpsrv.Destruct(&pOurTcpsrv);
+ 	}
+-	free(pNewVal);
++	free(cnf_params);
+ 	RETiRet;
+ }
+ 
+@@ -760,6 +769,7 @@ CODESTARTmodExit
+ 
+ 	/* free some globals to keep valgrind happy */
+ 	free(pszInputName);
++fprintf(stderr, "FINAL FREE %p\n", pszLstnPortFileName);
+ 	free(pszLstnPortFileName);
+ 	free(pszStrmDrvrAuthMode);
+ 
+diff --git a/plugins/imgssapi/imgssapi.c b/plugins/imgssapi/imgssapi.c
+index e0cab01664..4041e88b14 100644
+--- a/plugins/imgssapi/imgssapi.c
++++ b/plugins/imgssapi/imgssapi.c
+@@ -334,34 +334,38 @@ static rsRetVal
+ actGSSListener(uchar *port)
+ {
+ 	DEFiRet;
++	tcpLstnParams_t *cnf_params = NULL;
+ 	gsssrv_t *pGSrv = NULL;
+ 
+-	if(pOurTcpsrv == NULL) {
+-		/* first create/init the gsssrv "object" */
+-		if((pGSrv = calloc(1, sizeof(gsssrv_t))) == NULL)
+-			ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
+-
+-		pGSrv->allowedMethods = ALLOWEDMETHOD_GSS;
+-		if(bPermitPlainTcp)
+-			pGSrv->allowedMethods |= ALLOWEDMETHOD_TCP;
+-		/* gsssrv initialized */
+-
+-		CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
+-		CHKiRet(tcpsrv.SetUsrP(pOurTcpsrv, pGSrv));
+-		CHKiRet(tcpsrv.SetCBOnSessConstructFinalize(pOurTcpsrv, OnSessConstructFinalize));
+-		CHKiRet(tcpsrv.SetCBOnSessDestruct(pOurTcpsrv, OnSessDestruct));
+-		CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
+-		CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
+-		CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
+-		CHKiRet(tcpsrv.SetCBOnSessAccept(pOurTcpsrv, onSessAccept));
+-		CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
+-		CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
+-		CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
+-		CHKiRet(tcpsrv.SetKeepAlive(pOurTcpsrv, bKeepAlive));
+-		CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
+-		tcpsrv.configureTCPListen(pOurTcpsrv, port, 1, NULL, NULL);
+-		CHKiRet(tcpsrv.ConstructFinalize(pOurTcpsrv));
+-	}
++	assert(pOurTcpsrv == NULL);
++	CHKmalloc(cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t)));
++	/* first create/init the gsssrv "object" */
++	if((pGSrv = calloc(1, sizeof(gsssrv_t))) == NULL)
++		ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
++
++	pGSrv->allowedMethods = ALLOWEDMETHOD_GSS;
++	if(bPermitPlainTcp)
++		pGSrv->allowedMethods |= ALLOWEDMETHOD_TCP;
++	/* gsssrv initialized */
++
++	CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
++	CHKiRet(tcpsrv.SetUsrP(pOurTcpsrv, pGSrv));
++	CHKiRet(tcpsrv.SetCBOnSessConstructFinalize(pOurTcpsrv, OnSessConstructFinalize));
++	CHKiRet(tcpsrv.SetCBOnSessDestruct(pOurTcpsrv, OnSessDestruct));
++	CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
++	CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
++	CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
++	CHKiRet(tcpsrv.SetCBOnSessAccept(pOurTcpsrv, onSessAccept));
++	CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
++	CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
++	CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
++	CHKiRet(tcpsrv.SetKeepAlive(pOurTcpsrv, bKeepAlive));
++	CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
++	cnf_params->pszPort = port;
++	cnf_params->bSuppOctetFram = 1;
++	tcpsrv.configureTCPListen(pOurTcpsrv, cnf_params);
++	CHKiRet(tcpsrv.ConstructFinalize(pOurTcpsrv));
++	cnf_params = NULL;
+ 
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+@@ -370,6 +374,7 @@ actGSSListener(uchar *port)
+ 			tcpsrv.Destruct(&pOurTcpsrv);
+ 		free(pGSrv);
+ 	}
++	free(cnf_params);
+ 	RETiRet;
+ }
+ 
+diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c
+index cf74d4c616..c336e6c24d 100644
+--- a/plugins/imtcp/imtcp.c
++++ b/plugins/imtcp/imtcp.c
+@@ -4,7 +4,7 @@
+  * File begun on 2007-12-21 by RGerhards (extracted from syslogd.c,
+  * which at the time of the rsyslog fork was BSD-licensed)
+  *
+- * Copyright 2007-2017 Adiscon GmbH.
++ * Copyright 2007-2020 Adiscon GmbH.
+  *
+  * This file is part of rsyslog.
+  *
+@@ -112,9 +112,7 @@ static struct configSettings_s {
+ } cs;
+ 
+ struct instanceConf_s {
+-	uchar *pszBindPort;		/* port to bind to */
+-	uchar *pszLstnPortFileName;	/* file dynamic port is written to */
+-	uchar *pszBindAddr;             /* IP to bind socket to */
++	tcpLstnParams_t *cnf_params;	/**< listener config parameters */
+ 	uchar *pszBindRuleset;		/* name of ruleset to bind to */
+ 	ruleset_t *pBindRuleset;	/* ruleset to bind listener to (use system default if unspecified) */
+ 	uchar *pszInputName;		/* value for inputname property, NULL is OK and handled by core engine */
+@@ -122,7 +120,6 @@ struct instanceConf_s {
+ 	sbool bSPFramingFix;
+ 	unsigned int ratelimitInterval;
+ 	unsigned int ratelimitBurst;
+-	int bSuppOctetFram;
+ 	struct instanceConf_s *next;
+ };
+ 
+@@ -288,19 +285,20 @@ setPermittedPeer(void __attribute__((unused)) *pVal, uchar *pszID)
+ static rsRetVal
+ createInstance(instanceConf_t **pinst)
+ {
+-	instanceConf_t *inst;
++	instanceConf_t *inst = NULL;
++
+ 	DEFiRet;
+ 	CHKmalloc(inst = malloc(sizeof(instanceConf_t)));
++	CHKmalloc(inst->cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t)));
+ 	inst->next = NULL;
+ 	inst->pszBindRuleset = NULL;
+ 	inst->pszInputName = NULL;
+-	inst->pszBindAddr = NULL;
+ 	inst->dfltTZ = NULL;
+-	inst->bSuppOctetFram = -1; /* unset */
++	inst->cnf_params->bSuppOctetFram = -1; /* unset */
+ 	inst->bSPFramingFix = 0;
+ 	inst->ratelimitInterval = 0;
+ 	inst->ratelimitBurst = 10000;
+-	inst->pszLstnPortFileName = NULL;
++	inst->cnf_params->pszLstnPortFileName = NULL;
+ 
+ 	/* node created, let's add to config */
+ 	if(loadModConf->tail == NULL) {
+@@ -312,6 +310,9 @@ createInstance(instanceConf_t **pinst)
+ 
+ 	*pinst = inst;
+ finalize_it:
++	if(iRet != RS_RET_OK) {
++		free(inst);
++	}
+ 	RETiRet;
+ }
+ 
+@@ -328,7 +329,7 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
+ 
+ 	CHKiRet(createInstance(&inst));
+ 
+-	CHKmalloc(inst->pszBindPort = ustrdup((pNewVal == NULL || *pNewVal == '\0')
++	CHKmalloc(inst->cnf_params->pszPort = ustrdup((pNewVal == NULL || *pNewVal == '\0')
+ 				 	       ? (uchar*) "10514" : pNewVal));
+ 	if((cs.pszBindRuleset == NULL) || (cs.pszBindRuleset[0] == '\0')) {
+ 		inst->pszBindRuleset = NULL;
+@@ -336,14 +337,14 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
+ 		CHKmalloc(inst->pszBindRuleset = ustrdup(cs.pszBindRuleset));
+ 	}
+ 	if((cs.lstnIP == NULL) || (cs.lstnIP[0] == '\0')) {
+-		inst->pszBindAddr = NULL;
++		inst->cnf_params->pszAddr = NULL;
+ 	} else {
+-		CHKmalloc(inst->pszBindAddr = ustrdup(cs.lstnIP));
++		CHKmalloc(inst->cnf_params->pszAddr = ustrdup(cs.lstnIP));
+ 	}
+ 	if((cs.lstnPortFile == NULL) || (cs.lstnPortFile[0] == '\0')) {
+-		inst->pszBindAddr = NULL;
++		inst->cnf_params->pszAddr = NULL;
+ 	} else {
+-		CHKmalloc(inst->pszLstnPortFileName = ustrdup(cs.lstnPortFile));
++		CHKmalloc(inst->cnf_params->pszLstnPortFileName = ustrdup(cs.lstnPortFile));
+ 	}
+ 
+ 	if((cs.pszInputName == NULL) || (cs.pszInputName[0] == '\0')) {
+@@ -351,7 +352,7 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
+ 	} else {
+ 		CHKmalloc(inst->pszInputName = ustrdup(cs.pszInputName));
+ 	}
+-	inst->bSuppOctetFram = cs.bSuppOctetFram;
++	inst->cnf_params->bSuppOctetFram = cs.bSuppOctetFram;
+ 
+ finalize_it:
+ 	free(pNewVal);
+@@ -407,7 +408,7 @@ addListner(modConfData_t *modConf, instanceConf_t *inst)
+ 	}
+ 
+ 	/* initialized, now add socket and listener params */
+-	DBGPRINTF("imtcp: trying to add port *:%s\n", inst->pszBindPort);
++	DBGPRINTF("imtcp: trying to add port *:%s\n", inst->cnf_params->pszPort);
+ 	CHKiRet(tcpsrv.SetRuleset(pOurTcpsrv, inst->pBindRuleset));
+ 	CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, inst->pszInputName == NULL ?
+ 						UCHAR_CONSTANT("imtcp") : inst->pszInputName));
+@@ -416,12 +417,12 @@ addListner(modConfData_t *modConf, instanceConf_t *inst)
+ 	CHKiRet(tcpsrv.SetbSPFramingFix(pOurTcpsrv, inst->bSPFramingFix));
+ 	CHKiRet(tcpsrv.SetLinuxLikeRatelimiters(pOurTcpsrv, inst->ratelimitInterval, inst->ratelimitBurst));
+ 
+-	if((ustrcmp(inst->pszBindPort, UCHAR_CONSTANT("0")) == 0 && inst->pszLstnPortFileName == NULL)
+-			|| ustrcmp(inst->pszBindPort, UCHAR_CONSTANT("0")) < 0) {
+-		CHKmalloc(inst->pszBindPort = (uchar*)strdup("514"));
++	if((ustrcmp(inst->cnf_params->pszPort, UCHAR_CONSTANT("0")) == 0
++		&& inst->cnf_params->pszLstnPortFileName == NULL)
++			|| ustrcmp(inst->cnf_params->pszPort, UCHAR_CONSTANT("0")) < 0) {
++		CHKmalloc(inst->cnf_params->pszPort = (uchar*)strdup("514"));
+ 	}
+-	tcpsrv.configureTCPListen(pOurTcpsrv, inst->pszBindPort, inst->bSuppOctetFram,
+-		inst->pszBindAddr, inst->pszLstnPortFileName);
++	tcpsrv.configureTCPListen(pOurTcpsrv, inst->cnf_params);
+ 
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+@@ -456,9 +457,9 @@ CODESTARTnewInpInst
+ 		if(!pvals[i].bUsed)
+ 			continue;
+ 		if(!strcmp(inppblk.descr[i].name, "port")) {
+-			inst->pszBindPort = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
++			inst->cnf_params->pszPort = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(inppblk.descr[i].name, "address")) {
+-			inst->pszBindAddr = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
++			inst->cnf_params->pszAddr = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(inppblk.descr[i].name, "name")) {
+ 			inst->pszInputName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(inppblk.descr[i].name, "defaulttz")) {
+@@ -468,13 +469,13 @@ CODESTARTnewInpInst
+ 		} else if(!strcmp(inppblk.descr[i].name, "ruleset")) {
+ 			inst->pszBindRuleset = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(inppblk.descr[i].name, "supportoctetcountedframing")) {
+-			inst->bSuppOctetFram = (int) pvals[i].val.d.n;
++			inst->cnf_params->bSuppOctetFram = (int) pvals[i].val.d.n;
+ 		} else if(!strcmp(inppblk.descr[i].name, "ratelimit.burst")) {
+ 			inst->ratelimitBurst = (unsigned int) pvals[i].val.d.n;
+ 		} else if(!strcmp(inppblk.descr[i].name, "ratelimit.interval")) {
+ 			inst->ratelimitInterval = (unsigned int) pvals[i].val.d.n;
+ 		} else if(!strcmp(inppblk.descr[i].name, "listenportfilename")) {
+-			inst->pszLstnPortFileName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
++			inst->cnf_params->pszLstnPortFileName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else {
+ 			dbgprintf("imtcp: program error, non-handled "
+ 			  "param '%s'\n", inppblk.descr[i].name);
+@@ -656,7 +657,7 @@ std_checkRuleset_genErrMsg(__attribute__((unused)) modConfData_t *modConf, insta
+ {
+ 	LogError(0, NO_ERRCODE, "imtcp: ruleset '%s' for port %s not found - "
+ 			"using default ruleset instead", inst->pszBindRuleset,
+-			inst->pszBindPort);
++			inst->cnf_params->pszPort);
+ }
+ 
+ BEGINcheckCnf
+@@ -664,8 +665,8 @@ BEGINcheckCnf
+ CODESTARTcheckCnf
+ 	for(inst = pModConf->root ; inst != NULL ; inst = inst->next) {
+ 		std_checkRuleset(pModConf, inst);
+-		if(inst->bSuppOctetFram == FRAMING_UNSET)
+-			inst->bSuppOctetFram = pModConf->bSuppOctetFram;
++		if(inst->cnf_params->bSuppOctetFram == FRAMING_UNSET)
++			inst->cnf_params->bSuppOctetFram = pModConf->bSuppOctetFram;
+ 	}
+ 	if(pModConf->root == NULL) {
+ 		LogError(0, RS_RET_NO_LISTNERS , "imtcp: module loaded, but "
+@@ -713,12 +714,9 @@ CODESTARTfreeCnf
+ 		free(pModConf->permittedPeers);
+ 	}
+ 	for(inst = pModConf->root ; inst != NULL ; ) {
+-		free(inst->pszBindPort);
+-		free(inst->pszLstnPortFileName);
+-		free(inst->pszBindAddr);
+-		free(inst->pszBindRuleset);
+-		free(inst->pszInputName);
+-		free(inst->dfltTZ);
++		free((void*)inst->pszBindRuleset);
++		free((void*)inst->pszInputName);
++		free((void*)inst->dfltTZ);
+ 		del = inst;
+ 		inst = inst->next;
+ 		free(del);
+diff --git a/runtime/netstrm.c b/runtime/netstrm.c
+index 8a394a02eb..2c1db46378 100644
+--- a/runtime/netstrm.c
++++ b/runtime/netstrm.c
+@@ -12,12 +12,18 @@
+  * to carry out its work (including, and most importantly, transport
+  * drivers).
+  *
++ * Note on processing:
++ * - Initiating a listener may be driver-specific, but in regard to TLS/non-TLS
++ *   it actually is not. This is because TLS is negotiated after a connection
++ *   has been established. So it is the "acceptConnReq" driver entry where TLS
++ *   params need to be applied.
++ *
+  * Work on this module begun 2008-04-17 by Rainer Gerhards. This code
+  * borrows from librelp's tcp.c/.h code. librelp is dual licensed and
+  * Rainer Gerhards and Adiscon GmbH have agreed to permit using the code
+  * under the terms of the GNU Lesser General Public License.
+  *
+- * Copyright 2007-2009 Rainer Gerhards and Adiscon GmbH.
++ * Copyright 2007-2020 Rainer Gerhards and Adiscon GmbH.
+  *
+  * This file is part of the rsyslog runtime library.
+  *
+@@ -134,18 +140,17 @@ AcceptConnReq(netstrm_t *pThis, netstrm_t **ppNew)
+  * pLstnPort must point to a port name or number. NULL is NOT permitted.
+  * rgerhards, 2008-04-22
+  */
+-static rsRetVal
++static rsRetVal ATTR_NONNULL(1,3,5)
+ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-	 uchar *pLstnPort, uchar *pLstnIP, int iSessMax,
+-	 uchar *pszLstnPortFileName)
++	 const int iSessMax, const tcpLstnParams_t *const cnf_params)
+ {
+ 	DEFiRet;
+ 
+ 	ISOBJ_TYPE_assert(pNS, netstrms);
+ 	assert(fAddLstn != NULL);
+-	assert(pLstnPort != NULL);
++	assert(cnf_params->pszPort != NULL);
+ 
+-	CHKiRet(pNS->Drvr.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, iSessMax, pszLstnPortFileName));
++	CHKiRet(pNS->Drvr.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params));
+ 
+ finalize_it:
+ 	RETiRet;
+diff --git a/runtime/netstrm.h b/runtime/netstrm.h
+index 2e28d7e2e6..4ca35805e7 100644
+--- a/runtime/netstrm.h
++++ b/runtime/netstrm.h
+@@ -1,6 +1,6 @@
+ /* Definitions for the stream-based netstrmworking class.
+  *
+- * Copyright 2007, 2008 Rainer Gerhards and Adiscon GmbH.
++ * Copyright 2007-2020 Rainer Gerhards and Adiscon GmbH.
+  *
+  * This file is part of the rsyslog runtime library.
+  *
+@@ -24,6 +24,7 @@
+ #ifndef INCLUDED_NETSTRM_H
+ #define INCLUDED_NETSTRM_H
+ 
++#include "tcpsrv.h"
+ #include "netstrms.h"
+ 
+ /* the netstrm object */
+@@ -31,6 +32,7 @@ struct netstrm_s {
+ 	BEGINobjInstance;	/* Data to implement generic object - MUST be the first data element! */
+ 	nsd_t *pDrvrData;	/**< the driver's data elements (at most other places, this is called pNsd) */
+ 	nsd_if_t Drvr;		/**< our stream driver */
++	uchar *pszDrvrAuthMode;	/**< auth mode of the stream driver to use */
+ 	void *pUsr;		/**< pointer to user-provided data structure */
+ 	netstrms_t *pNS;	/**< pointer to our netstream subsystem object */
+ };
+@@ -76,8 +78,8 @@ BEGINinterface(netstrm) /* name must also be changed in ENDinterface macro! */
+ 	rsRetVal (*SetKeepAliveIntvl)(netstrm_t *pThis, int keepAliveIntvl);
+ 	rsRetVal (*SetGnutlsPriorityString)(netstrm_t *pThis, uchar *priorityString);
+ 	/* v11 -- Parameter pszLstnFileName added to LstnInit*/
+-	rsRetVal (*LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*),
+-		             uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName);
++	rsRetVal (ATTR_NONNULL(1,3,5) *LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*),
++			 const int iSessMax, const tcpLstnParams_t *const cnf_params);
+ 	/* v12 -- two new binary flags added to gtls driver enabling stricter operation */
+ 	rsRetVal (*SetDrvrCheckExtendedKeyUsage)(netstrm_t *pThis, int ChkExtendedKeyUsage);
+ 	rsRetVal (*SetDrvrPrioritizeSAN)(netstrm_t *pThis, int prioritizeSan);
+diff --git a/runtime/nsd.h b/runtime/nsd.h
+index e862348fd6..eecffed05e 100644
+--- a/runtime/nsd.h
++++ b/runtime/nsd.h
+@@ -84,8 +84,8 @@ BEGINinterface(nsd) /* name must also be changed in ENDinterface macro! */
+ 	rsRetVal (*SetKeepAliveTime)(nsd_t *pThis, int keepAliveTime);
+ 	rsRetVal (*SetGnutlsPriorityString)(nsd_t *pThis, uchar *gnutlsPriorityString);
+ 	/* v12 -- parameter pszLstnPortFileName added to LstnInit()*/
+-	rsRetVal (*LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-				 uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName);
++	rsRetVal (ATTR_NONNULL(1,3,5) *LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*),
++			 const int iSessMax, const tcpLstnParams_t *const cnf_params);
+ 	/* v13 -- two new binary flags added to gtls driver enabling stricter operation */
+ 	rsRetVal (*SetCheckExtendedKeyUsage)(nsd_t *pThis, int ChkExtendedKeyUsage);
+ 	rsRetVal (*SetPrioritizeSAN)(nsd_t *pThis, int prioritizeSan);
+diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
+index da90c2e096..55f6713d62 100644
+--- a/runtime/nsd_gtls.c
++++ b/runtime/nsd_gtls.c
+@@ -1692,14 +1692,13 @@ Abort(nsd_t *pNsd)
+  * a session, but not during listener setup.
+  * gerhards, 2008-04-25
+  */
+-static rsRetVal
++static rsRetVal ATTR_NONNULL(1,3,5)
+ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-	 uchar *pLstnPort, uchar *pLstnIP, int iSessMax,
+-	 uchar *pszLstnPortFileName)
++	 const int iSessMax, const tcpLstnParams_t *const cnf_params)
+ {
+ 	DEFiRet;
+ 	CHKiRet(gtlsGlblInitLstn());
+-	iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, iSessMax, pszLstnPortFileName);
++	iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params);
+ finalize_it:
+ 	RETiRet;
+ }
+@@ -1785,6 +1784,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
+ 		FINALIZE;
+ 	}
+ 	/* copy Properties to pnew first */
++dbgprintf("RGER: pThis %p pNew %p, authMode %d\n", pThis, pNew, pThis->authMode);
+ 	pNew->authMode = pThis->authMode;
+ 	pNew->permitExpiredCerts = pThis->permitExpiredCerts;
+ 	pNew->pPermPeers = pThis->pPermPeers;
+diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
+index 431ea738b8..79347916e4 100644
+--- a/runtime/nsd_ossl.c
++++ b/runtime/nsd_ossl.c
+@@ -1308,16 +1308,15 @@ Abort(nsd_t *pNsd)
+  */
+ static rsRetVal
+ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-	 uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName)
++	 const int iSessMax, const tcpLstnParams_t *const cnf_params)
+ {
+ 	DEFiRet;
+ 
+ 	dbgprintf("LstnInit for openssl: entering LstnInit (%p) for %s:%s SessMax=%d\n",
+-		fAddLstn, pLstnIP, pLstnPort, iSessMax);
++		fAddLstn, cnf_params->pszAddr, cnf_params->pszPort, iSessMax);
+ 
+ 	/* Init TCP Listener using base ptcp class */
+-	iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP,
+-			iSessMax, pszLstnPortFileName);
++	iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params);
+ 	RETiRet;
+ }
+ 
+diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c
+index c35138fb7a..2f9e77ba03 100644
+--- a/runtime/nsd_ptcp.c
++++ b/runtime/nsd_ptcp.c
+@@ -474,10 +474,9 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
+  * number of sessions permitted.
+  * rgerhards, 2008-04-22
+  */
+-static rsRetVal
++static rsRetVal ATTR_NONNULL(1,3,5)
+ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-	 uchar *pLstnPort, uchar *pLstnIP, int iSessMax,
+-	 uchar *pszLstnPortFileName)
++	 const int iSessMax, const tcpLstnParams_t *const cnf_params)
+ {
+ 	DEFiRet;
+ 	netstrm_t *pNewStrm = NULL;
+@@ -497,20 +496,20 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+ 
+ 	ISOBJ_TYPE_assert(pNS, netstrms);
+ 	assert(fAddLstn != NULL);
+-	assert(pLstnPort != NULL);
++	assert(cnf_params->pszPort != NULL);
+ 	assert(iSessMax >= 0);
+ 
+-	dbgprintf("creating tcp listen socket on port %s\n", pLstnPort);
++	dbgprintf("creating tcp listen socket on port %s\n", cnf_params->pszPort);
+ 
+ 	memset(&hints, 0, sizeof(hints));
+ 	hints.ai_flags = AI_PASSIVE;
+ 	hints.ai_family = glbl.GetDefPFFamily();
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
+-	error = getaddrinfo((char*)pLstnIP, (char*) pLstnPort, &hints, &res);
++	error = getaddrinfo((const char*)cnf_params->pszAddr, (const char*) cnf_params->pszPort, &hints, &res);
+ 	if(error) {
+ 		LogError(0, RS_RET_INVALID_PORT, "error querying port '%s': %s",
+-			pLstnPort, gai_strerror(error));
++			cnf_params->pszAddr, gai_strerror(error));
+ 		ABORT_FINALIZE(RS_RET_INVALID_PORT);
+ 	}
+ 
+@@ -622,9 +621,9 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+ 			r->ai_addrlen = socklen_r;
+ 			savecast.sa = (struct sockaddr*)r->ai_addr;
+ 			port_override = (isIPv6) ?  savecast.ipv6->sin6_port : savecast.ipv4->sin_port;
+-			if(pszLstnPortFileName != NULL) {
++			if(cnf_params->pszLstnPortFileName != NULL) {
+ 				FILE *fp;
+-				if((fp = fopen((const char*)pszLstnPortFileName, "w+")) == NULL) {
++				if((fp = fopen((const char*)cnf_params->pszLstnPortFileName, "w+")) == NULL) {
+ 					LogError(errno, RS_RET_IO_ERROR, "nsd_ptcp: ListenPortFileName: "
+ 							"error while trying to open file");
+ 					ABORT_FINALIZE(RS_RET_IO_ERROR);
+diff --git a/runtime/nsd_ptcp.h b/runtime/nsd_ptcp.h
+index 137b7c3ce7..1c91718c19 100644
+--- a/runtime/nsd_ptcp.h
++++ b/runtime/nsd_ptcp.h
+@@ -1,6 +1,6 @@
+ /* An implementation of the nsd interface for plain tcp sockets.
+  *
+- * Copyright 2007-2012 Adiscon GmbH.
++ * Copyright 2007-2020 Adiscon GmbH.
+  *
+  * This file is part of the rsyslog runtime library.
+  *
+@@ -23,6 +23,7 @@
+ #define INCLUDED_NSD_PTCP_H
+ 
+ #include <sys/socket.h>
++#include "tcpsrv.h"
+ 
+ #include "nsd.h"
+ typedef nsd_if_t nsd_ptcp_if_t; /* we just *implement* this interface */
+diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
+index 58528c81ec..845e944582 100644
+--- a/runtime/tcps_sess.c
++++ b/runtime/tcps_sess.c
+@@ -194,8 +194,8 @@ SetLstnInfo(tcps_sess_t *pThis, tcpLstnPortList_t *pLstnInfo)
+ 	assert(pLstnInfo != NULL);
+ 	pThis->pLstnInfo = pLstnInfo;
+ 	/* set cached elements */
+-	pThis->bSuppOctetFram = pLstnInfo->bSuppOctetFram;
+-	pThis->bSPFramingFix = pLstnInfo->bSPFramingFix;
++	pThis->bSuppOctetFram = pLstnInfo->cnf_params->bSuppOctetFram;
++	pThis->bSPFramingFix = pLstnInfo->cnf_params->bSPFramingFix;
+ 	RETiRet;
+ }
+ 
+@@ -235,6 +235,7 @@ defaultDoSubmitMessage(tcps_sess_t *pThis, struct syslogTime *stTime, time_t ttG
+ 	DEFiRet;
+ 
+ 	ISOBJ_TYPE_assert(pThis, tcps_sess);
++	const tcpLstnParams_t *const cnf_params = pThis->pLstnInfo->cnf_params;
+ 	
+ 	if(pThis->iMsg == 0) {
+ 		DBGPRINTF("discarding zero-sized message\n");
+@@ -249,15 +250,15 @@ defaultDoSubmitMessage(tcps_sess_t *pThis, struct syslogTime *stTime, time_t ttG
+ 	/* we now create our own message object and submit it to the queue */
+ 	CHKiRet(msgConstructWithTime(&pMsg, stTime, ttGenTime));
+ 	MsgSetRawMsg(pMsg, (char*)pThis->pMsg, pThis->iMsg);
+-	MsgSetInputName(pMsg, pThis->pLstnInfo->pInputName);
+-	if(pThis->pLstnInfo->dfltTZ[0] != '\0')
+-		MsgSetDfltTZ(pMsg, (char*) pThis->pLstnInfo->dfltTZ);
++	MsgSetInputName(pMsg, cnf_params->pInputName);
++	if(cnf_params->dfltTZ[0] != '\0')
++		MsgSetDfltTZ(pMsg, (char*) cnf_params->dfltTZ);
+ 	MsgSetFlowControlType(pMsg, pThis->pSrv->bUseFlowControl
+ 			            ? eFLOWCTL_LIGHT_DELAY : eFLOWCTL_NO_DELAY);
+ 	pMsg->msgFlags  = NEEDS_PARSING | PARSE_HOSTNAME;
+ 	MsgSetRcvFrom(pMsg, pThis->fromHost);
+ 	CHKiRet(MsgSetRcvFromIP(pMsg, pThis->fromHostIP));
+-	MsgSetRuleset(pMsg, pThis->pLstnInfo->pRuleset);
++	MsgSetRuleset(pMsg, cnf_params->pRuleset);
+ 
+ 	STATSCOUNTER_INC(pThis->pLstnInfo->ctrSubmit, pThis->pLstnInfo->mutCtrSubmit);
+ 	ratelimitAddMsg(pThis->pLstnInfo->ratelimiter, pMultiSub, pMsg);
+diff --git a/runtime/tcpsrv.c b/runtime/tcpsrv.c
+index 76a50357c3..ab9573e5b8 100644
+--- a/runtime/tcpsrv.c
++++ b/runtime/tcpsrv.c
+@@ -123,9 +123,7 @@ static int wrkrRunning;
+  * rgerhards, 2009-05-21
+  */
+ static rsRetVal ATTR_NONNULL(1, 2)
+-addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+-	const int bSuppOctetFram, const uchar *const pszAddr,
+-	const uchar *const pszLstnPortFileName)
++addNewLstnPort(tcpsrv_t *const pThis, tcpLstnParams_t *const cnf_params)
+ {
+ 	tcpLstnPortList_t *pEntry;
+ 	uchar statname[64];
+@@ -135,25 +133,17 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+ 
+ 	/* create entry */
+ 	CHKmalloc(pEntry = (tcpLstnPortList_t*)calloc(1, sizeof(tcpLstnPortList_t)));
+-	CHKmalloc(pEntry->pszPort = ustrdup(pszPort));
++	pEntry->cnf_params = cnf_params;
+ 
+-	pEntry->pszAddr = NULL;
+-	/* only if a bind adress is defined copy it in struct */
+-	if (pszAddr != NULL) {
+-		CHKmalloc(pEntry->pszAddr = ustrdup(pszAddr));
+-	}
+-
+-	strcpy((char*)pEntry->dfltTZ, (char*)pThis->dfltTZ);
+-	pEntry->bSPFramingFix = pThis->bSPFramingFix;
++	strcpy((char*)pEntry->cnf_params->dfltTZ, (char*)pThis->dfltTZ);
++	pEntry->cnf_params->bSPFramingFix = pThis->bSPFramingFix;
++	pEntry->cnf_params->pRuleset = pThis->pRuleset;
+ 	pEntry->pSrv = pThis;
+-	pEntry->pRuleset = pThis->pRuleset;
+-	pEntry->bSuppOctetFram = bSuppOctetFram;
+-	pEntry->pszLstnPortFileName = pszLstnPortFileName;
+ 
+ 	/* we need to create a property */
+-	CHKiRet(prop.Construct(&pEntry->pInputName));
+-	CHKiRet(prop.SetString(pEntry->pInputName, pThis->pszInputName, ustrlen(pThis->pszInputName)));
+-	CHKiRet(prop.ConstructFinalize(pEntry->pInputName));
++	CHKiRet(prop.Construct(&pEntry->cnf_params->pInputName));
++	CHKiRet(prop.SetString(pEntry->cnf_params->pInputName, pThis->pszInputName, ustrlen(pThis->pszInputName)));
++	CHKiRet(prop.ConstructFinalize(pEntry->cnf_params->pInputName));
+ 
+ 	/* support statistics gathering */
+ 	CHKiRet(ratelimitNew(&pEntry->ratelimiter, "tcperver", NULL));
+@@ -161,7 +151,7 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+ 	ratelimitSetThreadSafe(pEntry->ratelimiter);
+ 
+ 	CHKiRet(statsobj.Construct(&(pEntry->stats)));
+-	snprintf((char*)statname, sizeof(statname), "%s(%s)", pThis->pszInputName, pszPort);
++	snprintf((char*)statname, sizeof(statname), "%s(%s)", pThis->pszInputName, cnf_params->pszPort);
+ 	statname[sizeof(statname)-1] = '\0'; /* just to be on the save side... */
+ 	CHKiRet(statsobj.SetName(pEntry->stats, statname));
+ 	CHKiRet(statsobj.SetOrigin(pEntry->stats, pThis->pszOrigin));
+@@ -177,10 +167,8 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+ 		if(pEntry != NULL) {
+-			free(pEntry->pszAddr);
+-			free(pEntry->pszPort);
+-			if(pEntry->pInputName != NULL) {
+-				prop.Destruct(&pEntry->pInputName);
++			if(pEntry->cnf_params->pInputName != NULL) {
++				prop.Destruct(&pEntry->cnf_params->pInputName);
+ 			}
+ 			if(pEntry->ratelimiter != NULL) {
+ 				ratelimitDestruct(pEntry->ratelimiter);
+@@ -201,29 +189,25 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+  * rgerhards, 2008-03-20
+  */
+ static rsRetVal ATTR_NONNULL(1,2)
+-configureTCPListen(tcpsrv_t *const pThis,
+-	const uchar *const pszPort,
+-	const int bSuppOctetFram,
+-	const uchar *const pszAddr,
+-	const uchar *const pszLstnPortFileName)
++configureTCPListen(tcpsrv_t *const pThis, tcpLstnParams_t *const cnf_params)
+ {
++	assert(cnf_params->pszPort != NULL);
+ 	int i;
+-	const uchar *pPort = pszPort;
+ 	DEFiRet;
+ 
+-	assert(pszPort != NULL);
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+ 
+ 	/* extract port */
++	const uchar *pPort = cnf_params->pszPort;
+ 	i = 0;
+ 	while(isdigit((int) *pPort)) {
+ 		i = i * 10 + *pPort++ - '0';
+ 	}
+ 
+ 	if(i >= 0 && i <= 65535) {
+-		CHKiRet(addNewLstnPort(pThis, pszPort, bSuppOctetFram, pszAddr, pszLstnPortFileName));
++		CHKiRet(addNewLstnPort(pThis, cnf_params));
+ 	} else {
+-		LogError(0, NO_ERRCODE, "Invalid TCP listen port %s - ignored.\n", pszPort);
++		LogError(0, NO_ERRCODE, "Invalid TCP listen port %s - ignored.\n", cnf_params->pszPort);
+ 	}
+ 
+ finalize_it:
+@@ -331,8 +315,11 @@ deinit_tcp_listener(tcpsrv_t *const pThis)
+ 	/* free list of tcp listen ports */
+ 	pEntry = pThis->pLstnPorts;
+ 	while(pEntry != NULL) {
+-		free(pEntry->pszPort);
+-		prop.Destruct(&pEntry->pInputName);
++		prop.Destruct(&pEntry->cnf_params->pInputName);
++		free((void*)pEntry->cnf_params->pszPort);
++		free((void*)pEntry->cnf_params->pszAddr);
++		free((void*)pEntry->cnf_params->pszLstnPortFileName);
++		free((void*)pEntry->cnf_params);
+ 		ratelimitDestruct(pEntry->ratelimiter);
+ 		statsobj.Destruct(&(pEntry->stats));
+ 		pDel = pEntry;
+@@ -373,22 +360,21 @@ addTcpLstn(void *pUsr, netstrm_t *pLstn)
+ 
+ 
+ /* Initialize TCP listener socket for a single port
++ * Note: at this point, TLS vs. non-TLS does not matter; TLS params are
++ * set on connect!
+  * rgerhards, 2009-05-21
+  */
+ static rsRetVal
+ initTCPListener(tcpsrv_t *pThis, tcpLstnPortList_t *pPortEntry)
+ {
+ 	DEFiRet;
+-	uchar *TCPLstnPort;
+ 
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+ 	assert(pPortEntry != NULL);
+ 
+-	TCPLstnPort = pPortEntry->pszPort;
+-
+ 	// pPortEntry->pszAddr = NULL ==> bind to all interfaces
+-	CHKiRet(netstrm.LstnInit(pThis->pNS, (void*)pPortEntry, addTcpLstn, TCPLstnPort,
+-		pPortEntry->pszAddr, pThis->iSessMax, (uchar*)pPortEntry->pszLstnPortFileName));
++	CHKiRet(netstrm.LstnInit(pThis->pNS, (void*)pPortEntry, addTcpLstn,
++		pThis->iSessMax, pPortEntry->cnf_params));
+ 
+ finalize_it:
+ 	RETiRet;
+@@ -408,11 +394,12 @@ create_tcp_socket(tcpsrv_t *pThis)
+ 	/* init all configured ports */
+ 	pEntry = pThis->pLstnPorts;
+ 	while(pEntry != NULL) {
++dbgprintf("RGER: configuring listener %p\n", pEntry);
+ 		localRet = initTCPListener(pThis, pEntry);
+ 		if(localRet != RS_RET_OK) {
+ 			LogError(0, localRet, "Could not create tcp listener, ignoring port "
+-			"%s bind-address %s.", pEntry->pszPort,
+-			(pEntry->pszAddr == NULL) ? "(null)" : (const char*)pEntry->pszAddr);
++			"%s bind-address %s.", pEntry->cnf_params->pszPort,
++			(pEntry->cnf_params->pszAddr == NULL) ? "(null)" : (const char*)pEntry->cnf_params->pszAddr);
+ 		}
+ 		pEntry = pEntry->pNext;
+ 	}
+@@ -1236,15 +1223,6 @@ SetGnutlsPriorityString(tcpsrv_t *pThis, uchar *iVal)
+ 	RETiRet;
+ }
+ 
+-static rsRetVal
+-SetLstnPortFileName(tcpsrv_t *pThis, uchar *iVal)
+-{
+-	DEFiRet;
+-	DBGPRINTF("tcpsrv: LstnPortFileName set to %s\n",
+-		(iVal == NULL) ? "(null)" : (const char*) iVal);
+-	pThis->pszLstnPortFileName = iVal;
+-	RETiRet;
+-}
+ 
+ static rsRetVal
+ SetOnMsgReceive(tcpsrv_t *pThis, rsRetVal (*OnMsgReceive)(tcps_sess_t*, uchar*, int))
+@@ -1309,6 +1287,7 @@ SetDfltTZ(tcpsrv_t *const pThis, uchar *const tz)
+ {
+ 	DEFiRet;
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
++dbgprintf("dfltTZ prev: %s\n", pThis->dfltTZ);
+ 	strncpy((char*)pThis->dfltTZ, (char*)tz, sizeof(pThis->dfltTZ));
+ 	pThis->dfltTZ[sizeof(pThis->dfltTZ)-1] = '\0';
+ 	RETiRet;
+@@ -1557,7 +1536,6 @@ CODESTARTobjQueryInterface(tcpsrv)
+ 	pIf->SetKeepAliveProbes = SetKeepAliveProbes;
+ 	pIf->SetKeepAliveTime = SetKeepAliveTime;
+ 	pIf->SetGnutlsPriorityString = SetGnutlsPriorityString;
+-	pIf->SetLstnPortFileName = SetLstnPortFileName;
+ 	pIf->SetUsrP = SetUsrP;
+ 	pIf->SetInputName = SetInputName;
+ 	pIf->SetOrigin = SetOrigin;
+diff --git a/runtime/tcpsrv.h b/runtime/tcpsrv.h
+index db5a1d110a..bae7e3b8b9 100644
+--- a/runtime/tcpsrv.h
++++ b/runtime/tcpsrv.h
+@@ -1,6 +1,6 @@
+ /* Definitions for tcpsrv class.
+  *
+- * Copyright 2008-2015 Adiscon GmbH.
++ * Copyright 2008-2020 Adiscon GmbH.
+  *
+  * This file is part of rsyslog.
+  *
+@@ -23,6 +23,7 @@
+ 
+ #include "obj.h"
+ #include "prop.h"
++#include "net.h"
+ #include "tcps_sess.h"
+ #include "statsobj.h"
+ 
+@@ -34,19 +35,24 @@ typedef enum ETCPsyslogFramingAnomaly {
+ } eTCPsyslogFramingAnomaly;
+ 
+ 
++/* config parameters for TCP listeners */
++struct tcpLstnParams_s {
++	const uchar *pszPort;			/**< the ports the listener shall listen on */
++	const uchar *pszAddr;                 /**< the addrs the listener shall listen on */
++	sbool bSuppOctetFram;	/**< do we support octect-counted framing? (if no->legay only!)*/
++	sbool bSPFramingFix;	/**< support work-around for broken Cisco ASA framing? */
++	const uchar *pszLstnPortFileName;	/**< File in which the dynamic port is written */
++	prop_t *pInputName;
++	ruleset_t *pRuleset;		/**< associated ruleset */
++	uchar dfltTZ[8];		/**< default TZ if none in timestamp; '\0' =No Default */
++};
++
+ /* list of tcp listen ports */
+ struct tcpLstnPortList_s {
+-	uchar *pszPort;			/**< the ports the listener shall listen on */
+-	uchar *pszAddr;                 /**< the addrs the listener shall listen on */
+-	prop_t *pInputName;
++	tcpLstnParams_t *cnf_params;	/**< listener config parameters */
+ 	tcpsrv_t *pSrv;			/**< pointer to higher-level server instance */
+-	ruleset_t *pRuleset;		/**< associated ruleset */
+ 	statsobj_t *stats;		/**< associated stats object */
+-	sbool bSuppOctetFram;	/**< do we support octect-counted framing? (if no->legay only!)*/
+ 	ratelimit_t *ratelimiter;
+-	uchar dfltTZ[8];		/**< default TZ if none in timestamp; '\0' =No Default */
+-	sbool bSPFramingFix;	/**< support work-around for broken Cisco ASA framing? */
+-	const uchar *pszLstnPortFileName;	/**< File in which the dynamic port is written */
+ 	STATSCOUNTER_DEF(ctrSubmit, mutCtrSubmit)
+ 	tcpLstnPortList_t *pNext;	/**< next port or NULL */
+ };
+@@ -130,8 +136,7 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! */
+ 	rsRetVal (*Construct)(tcpsrv_t **ppThis);
+ 	rsRetVal (*ConstructFinalize)(tcpsrv_t __attribute__((unused)) *pThis);
+ 	rsRetVal (*Destruct)(tcpsrv_t **ppThis);
+-	rsRetVal (*ATTR_NONNULL(1,2) configureTCPListen)(tcpsrv_t*,
+-		const uchar *pszPort, int bSuppOctetFram, const uchar *pszAddr, const uchar *);
++	rsRetVal (*ATTR_NONNULL(1,2) configureTCPListen)(tcpsrv_t*, tcpLstnParams_t *const cnf_params);
+ 	rsRetVal (*create_tcp_socket)(tcpsrv_t *pThis);
+ 	rsRetVal (*Run)(tcpsrv_t *pThis);
+ 	/* set methods */
+@@ -188,8 +193,6 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! */
+ 	rsRetVal (*SetGnutlsPriorityString)(tcpsrv_t*, uchar*);
+ 	/* added v21 -- Preserve case in fromhost, 2018-08-16 */
+ 	rsRetVal (*SetPreserveCase)(tcpsrv_t *pThis, int bPreserveCase);
+-	/* added v22 -- File for dynamic Port, 2018-08-29 */
+-	rsRetVal (*SetLstnPortFileName)(tcpsrv_t*, uchar*);
+ 	/* added v23 -- Options for stricter driver behavior, 2019-08-16 */
+ 	rsRetVal (*SetDrvrCheckExtendedKeyUsage)(tcpsrv_t *pThis, int ChkExtendedKeyUsage);
+ 	rsRetVal (*SetDrvrPrioritizeSAN)(tcpsrv_t *pThis, int prioritizeSan);
+diff --git a/runtime/typedefs.h b/runtime/typedefs.h
+index 06f5c25a8c..000b4da4fe 100644
+--- a/runtime/typedefs.h
++++ b/runtime/typedefs.h
+@@ -123,6 +123,7 @@ typedef int rs_size_t; /* we do never need more than 2Gig strings, signed permit
+ typedef rsRetVal (*prsf_t)(struct vmstk_s*, int);	/* pointer to a RainerScript function */
+ typedef uint64 qDeqID;	/* queue Dequeue order ID. 32 bits is considered dangerously few */
+ 
++typedef struct tcpLstnParams_s tcpLstnParams_t;
+ typedef struct tcpLstnPortList_s tcpLstnPortList_t; // TODO: rename?
+ typedef struct strmLstnPortList_s strmLstnPortList_t; // TODO: rename?
+ typedef struct actWrkrIParams actWrkrIParams_t;

SOURCES/rsyslog-8.2102.0-nsd_ossl-better-logs.patch

@@ -0,0 +1,124 @@
+diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
+index e55b014b2c..431ea738b8 100644
+--- a/runtime/nsd_ossl.c
++++ b/runtime/nsd_ossl.c
+@@ -210,7 +210,8 @@ void osslLastSSLErrorMsg(int ret, SSL *ssl, int severity, const char* pszCallSou
+ 
+ 	/* Loop through ERR_get_error */
+ 	while ((un_error = ERR_get_error()) > 0){
+-		LogMsg(0, RS_RET_NO_ERRCODE, severity, "OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
++		LogMsg(0, RS_RET_NO_ERRCODE, severity,
++			"nsd_ossl:OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
+ 	}
+ }
+ 
+@@ -721,9 +722,10 @@ osslChkPeerFingerprint(nsd_ossl_t *pThis, X509 *pCert)
+ 		if(pThis->bReportAuthErr == 1) {
+ 			errno = 0;
+ 			LogError(0, RS_RET_INVALID_FINGERPRINT,
+-			"nsd_ossl:error:"
+-			" peer fingerprint '%s' unknown - we are "
+-			"not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
++				"nsd_ossl:error: peer fingerprint '%s' unknown - we are "
++				"not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
++			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
++				"nsd_ossl:TLS session terminated with remote syslog server.");
+ 			pThis->bReportAuthErr = 0;
+ 		}
+ 		ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
+@@ -834,8 +836,10 @@ osslChkPeerName(nsd_ossl_t *pThis, X509 *pCert)
+ 			cstrFinalize(pStr);
+ 			errno = 0;
+ 			LogError(0, RS_RET_INVALID_FINGERPRINT, "nsd_ossl:error: peer name not authorized -  "
+-					"not permitted to talk to it. Names: %s",
+-					cstrGetSzStrNoNULL(pStr));
++				"not permitted to talk to it. Names: %s",
++				cstrGetSzStrNoNULL(pStr));
++			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
++				"nsd_ossl:TLS session terminated with remote syslog server.");
+ 			pThis->bReportAuthErr = 0;
+ 		}
+ 		ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
+@@ -871,8 +875,10 @@ osslChkPeerID(nsd_ossl_t *pThis)
+ 		if(pThis->bReportAuthErr == 1) {
+ 			errno = 0;
+ 			LogError(0, RS_RET_TLS_NO_CERT, "nsd_ossl:error: peer did not provide a certificate, "
+-					"not permitted to talk to it");
++				"not permitted to talk to it");
+ 			pThis->bReportAuthErr = 0;
++			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
++				"nsd_ossl:TLS session terminated with remote syslog server.");
+ 		}
+ 		ABORT_FINALIZE(RS_RET_TLS_NO_CERT);
+ 	}
+@@ -905,15 +911,19 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
+ 		if (iVerErr == X509_V_ERR_CERT_HAS_EXPIRED) {
+ 			if (pThis->permitExpiredCerts == OSSL_EXPIRED_DENY) {
+ 				LogError(0, RS_RET_CERT_EXPIRED,
+-					"nsd_ossl:CertValidity check"
+-"- not permitted to talk to peer: certificate expired: %s",
++					"nsd_ossl:CertValidity check - not permitted to talk to peer: "
++					"certificate expired: %s",
+ 					X509_verify_cert_error_string(iVerErr));
++				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
++					"nsd_ossl:TLS session terminated with remote syslog server.");
+ 				ABORT_FINALIZE(RS_RET_CERT_EXPIRED);
+ 			} else if (pThis->permitExpiredCerts == OSSL_EXPIRED_WARN) {
+ 				LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
+-					"nsd_ossl:CertValidity check"
+-"- warning talking to peer: certificate expired: %s",
++					"nsd_ossl:CertValidity check - warning talking to peer: "
++					"certificate expired: %s",
+ 					X509_verify_cert_error_string(iVerErr));
++				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
++					"nsd_ossl:TLS session terminated with remote syslog server.");
+ 			} else {
+ 				dbgprintf("osslChkPeerCertValidity: talking to peer: certificate expired: %s\n",
+ 					X509_verify_cert_error_string(iVerErr));
+@@ -921,6 +931,8 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
+ 		} else {
+ 			LogError(0, RS_RET_CERT_INVALID, "nsd_ossl:not permitted to talk to peer: "
+ 				"certificate validation failed: %s", X509_verify_cert_error_string(iVerErr));
++			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
++				"nsd_ossl:TLS session terminated with remote syslog server.");
+ 			ABORT_FINALIZE(RS_RET_CERT_INVALID);
+ 		}
+ 	} else {
+@@ -1384,7 +1396,7 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
+ 	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ 	if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
+ 		LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
+-"No shared curve between syslog client and server.");
++		"No shared curve between syslog client and server.");
+ 	}
+ 	#endif
+ 	sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
+@@ -1446,8 +1458,6 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
+ 				resErr == SSL_ERROR_WANT_WRITE) {
+ 				pNsd->rtryCall = osslRtry_handshake;
+ 				pNsd->rtryOsslErr = resErr; /* Store SSL ErrorCode into*/
+-				LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
+-"TLS handshake failed between syslog client and server.");
+ 				dbgprintf("osslHandshakeCheck: OpenSSL Client handshake does not complete "
+ 					"immediately - setting to retry (this is OK and normal)\n");
+ 				FINALIZE;
+@@ -1458,6 +1468,8 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
+ 				ABORT_FINALIZE(RS_RET_NO_ERRCODE /*RS_RET_RETRY*/);
+ 			} else {
+ 				osslLastSSLErrorMsg(res, pNsd->ssl, LOG_ERR, "osslHandshakeCheck Client");
++				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
++					"nsd_ossl:TLS session terminated with remote syslog server.");
+ 				ABORT_FINALIZE(RS_RET_NO_ERRCODE);
+ 			}
+ 		}
+@@ -1738,8 +1750,8 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device)
+ 	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+ 	dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
+ 
+-	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl:"
+-"TLS Connection initiated with remote syslog server.");
++	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
++		"TLS Connection initiated with remote syslog server.");
+ 	/*if we reach this point we are in tls mode */
+ 	DBGPRINTF("Connect: TLS Mode\n");
+ 	if(!(pThis->ssl = SSL_new(ctx))) {

SOURCES/rsyslog-8.2102.0-nsd_ossl-memory-leak.patch

@@ -0,0 +1,25 @@
+diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
+index 79347916e4..69ec57af09 100644
+--- a/runtime/nsd_ossl.c
++++ b/runtime/nsd_ossl.c
+@@ -1821,11 +1821,8 @@ BIO_set_nbio( conn, 1 );
+ }
+ 
+ 
+-/* Empty wrapper for GNUTLS helper function
+- * TODO: implement a similar capability
+- */
+ static rsRetVal
+-SetGnutlsPriorityString(__attribute__((unused)) nsd_t *pNsd, __attribute__((unused)) uchar *gnutlsPriorityString)
++SetGnutlsPriorityString(nsd_t *const pNsd, uchar *const gnutlsPriorityString)
+ {
+ 	DEFiRet;
+ 	nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
+@@ -1905,6 +1902,7 @@ SetGnutlsPriorityString(__attribute__((unused)) nsd_t *pNsd, __attribute__((unus
+ 						pThis->gnutlsPriorityString);
+ 				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+ 			}
++			SSL_CONF_CTX_free(cctx);
+ 		}
+ #else
+ 		dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);

SOURCES/rsyslog-8.2102.0-rhbz1832368-prioritize-SAN.patch

@@ -0,0 +1,11 @@
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.orig rsyslog-8.2102.0/runtime/nsd_gtls.c
+--- rsyslog-8.2102.0/runtime/nsd_gtls.c.orig	2021-11-22 09:33:25.501668376 +0100
++++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2021-11-22 09:34:18.423642573 +0100
+@@ -1791,6 +1791,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
+ 	pNew->gnutlsPriorityString = pThis->gnutlsPriorityString;
+ 	pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
+ 	pNew->dataTypeCheck = pThis->dataTypeCheck;
++	pNew->bSANpriority = pThis->bSANpriority;
+ 
+ 	/* if we reach this point, we are in TLS mode */
+ 	iRet = gtlsInitSession(pNew);

SOURCES/rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch

@@ -0,0 +1,14 @@
+diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
+--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig	2021-06-28 09:05:23.283262154 +0200
++++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c	2021-06-28 09:10:05.858381106 +0200
+@@ -424,8 +424,8 @@ readjournal(void)
+ 				severity = cs.iDfltSeverity;
+ 			}
+ 		} else {
+-			LogError(0, RS_RET_ERR, "The value of the 'PRIORITY' field has an "
+-				"unexpected length: %zu\n", length);
++			DBGPRINTF("The value of the 'PRIORITY' field has an "
++				"unexpected length: %zu value: '%s'\n", length, (const char*)get);
+ 		}
+ 	}
+ 

SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch

@@ -1,17 +1,7 @@
-From 0de0c4b274e7e33ed4a27b02d6046b62d612e29b Mon Sep 17 00:00:00 2001
+diff -up rsyslog-8.2102.0/plugins/imfile/imfile.c.state-file-leaking rsyslog-8.2102.0/plugins/imfile/imfile.c
-From: alakatos <alakatos@redhat.com>
+--- rsyslog-8.2102.0/plugins/imfile/imfile.c.state-file-leaking	2021-01-18 11:21:14.000000000 +0100
-Date: Tue, 24 Oct 2023 15:43:19 +0200
++++ rsyslog-8.2102.0/plugins/imfile/imfile.c	2022-03-28 12:51:03.572554843 +0200
-Subject: [PATCH] Do not preserve statefile on file move
+@@ -259,6 +259,7 @@ struct modConfData_s {
-
----
- plugins/imfile/imfile.c | 45 ++++++++++++++++++++++++++++++-----------
- 1 file changed, 33 insertions(+), 12 deletions(-)
-
-diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
-index 5febd6db6..8769a185f 100644
---- a/plugins/imfile/imfile.c
-+++ b/plugins/imfile/imfile.c
-@@ -264,6 +264,7 @@ struct modConfData_s {
  				   Must be manually reset to 0 if desired. Helper for
  				   polling mode.
  				 */
@@ -19,7 +9,7 @@ index 5febd6db6..8769a185f 100644
  };
  static modConfData_t *loadModConf = NULL;/* modConf ptr to use for the current load process */
  static modConfData_t *runModConf = NULL;/* modConf ptr to use for run process */
-@@ -310,7 +311,8 @@ static struct cnfparamdescr modpdescr[] = {
+@@ -305,7 +306,8 @@ static struct cnfparamdescr modpdescr[]
  	{ "sortfiles", eCmdHdlrBinary, 0 },
  	{ "statefile.directory", eCmdHdlrString, 0 },
  	{ "normalizepath", eCmdHdlrBinary, 0 },
@@ -29,7 +19,7 @@ index 5febd6db6..8769a185f 100644
  };
  static struct cnfparamblk modpblk =
  	{ CNFPARAMBLK_VERSION,
-@@ -551,11 +553,18 @@ static int
+@@ -545,11 +547,20 @@ static int
  in_setupWatch(act_obj_t *const act, const int is_file)
  {
  	int wd = -1;
@@ -39,27 +29,77 @@ index 5febd6db6..8769a185f 100644
  
 -	wd = inotify_add_watch(ino_fd, act->name,
 -		(is_file) ? IN_MODIFY|IN_DONT_FOLLOW : IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO);
++	// wd = inotify_add_watch(ino_fd, act->name,
++	// 	(is_file) ? IN_MODIFY|IN_DONT_FOLLOW : IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO);
 +	if(is_file)
 +		flags = IN_MODIFY|IN_DONT_FOLLOW;
 +	else if(runModConf->deleteStateOnFileMove)
 +		flags = IN_CREATE|IN_DELETE|IN_MOVED_TO;
 +	else
 +		flags = IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO;
-+
 +	wd = inotify_add_watch(ino_fd, act->name, flags);
++
  	if(wd < 0) {
  		if (errno == EACCES) { /* There is high probability of selinux denial on top-level paths */
  			DBGPRINTF("imfile: permission denied when adding watch for '%s'\n", act->name);
-@@ -1059,7 +1068,7 @@ act_obj_destroy(act_obj_t *const act, const int is_deleted)
+@@ -713,7 +724,7 @@ act_obj_add(fs_edge_t *const edge, const
+ 	char basename[MAXFNAME];
+ 	DEFiRet;
+ 	int fd = -1;
+-	
++
+ 	DBGPRINTF("act_obj_add: edge %p, name '%s' (source '%s')\n", edge, name, source? source : "---");
+ 	for(act = edge->active ; act != NULL ; act = act->next) {
+ 		if(!strcmp(act->name, name)) {
+@@ -977,9 +988,18 @@ act_obj_destroy(act_obj_t *const act, co
+ 	if(act == NULL)
+ 		return;
+ 
+-	DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n",
+-		act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted,
+-		act->in_move);
++	// DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n",
++	// 	act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted,
++	// 	act->in_move);
++	if (runModConf->deleteStateOnFileMove) {
++		DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d\n",
++			act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted);
++	} else {
++		DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n",
++			act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm,
++			is_deleted, act->in_move);
++	}
++
+ 	if(act->is_symlink && is_deleted) {
+ 		act_obj_t *target_act;
+ 		for(target_act = act->edge->active ; target_act != NULL ; target_act = target_act->next) {
+@@ -996,13 +1016,15 @@ act_obj_destroy(act_obj_t *const act, co
+ 		pollFile(act); /* get any left-over data */
+ 		if(inst->bRMStateOnDel) {
+ 			statefn = getStateFileName(act, statefile, sizeof(statefile));
+-			getFullStateFileName(statefn, "", toDel, sizeof(toDel)); // TODO: check!
++			// getFullStateFileName(statefn, "", toDel, sizeof(toDel)); // TODO: check!
++			getFullStateFileName(statefn, act->file_id, toDel, sizeof(toDel)); // TODO: check!
+ 			statefn = toDel;
+ 		}
  		persistStrmState(act);
  		strm.Destruct(&act->pStrm);
  		/* we delete state file after destruct in case strm obj initiated a write */
 -		if(is_deleted && !act->in_move && inst->bRMStateOnDel) {
-+		if(is_deleted && inst->bRMStateOnDel && (!act->in_move || runModConf->deleteStateOnFileMove)) {
++		// if(is_deleted && !act->in_move && inst->bRMStateOnDel) {
++		if(is_deleted && inst->bRMStateOnDel && (runModConf->deleteStateOnFileMove || !act->in_move)) {
  			DBGPRINTF("act_obj_destroy: deleting state file %s\n", statefn);
  			unlink((char*)statefn);
  		}
-@@ -2090,6 +2099,7 @@ CODESTARTbeginCnfLoad
+@@ -1012,6 +1034,7 @@ act_obj_destroy(act_obj_t *const act, co
+ 	}
+ 	#ifdef HAVE_INOTIFY_INIT
+ 	if(act->wd != -1) {
++		inotify_rm_watch(ino_fd, act->wd);
+ 		wdmapDel(act->wd);
+ 	}
+ 	#endif
+@@ -2026,6 +2049,7 @@ CODESTARTbeginCnfLoad
  	loadModConf->timeoutGranularity = 1000; /* default: 1 second */
  	loadModConf->haveReadTimeouts = 0; /* default: no timeout */
  	loadModConf->normalizePath = 1;
@@ -67,7 +107,7 @@ index 5febd6db6..8769a185f 100644
  	loadModConf->sortFiles = GLOB_NOSORT;
  	loadModConf->stateFileDirectory = NULL;
  	loadModConf->conf_tree = calloc(sizeof(fs_node_t), 1);
-@@ -2149,6 +2159,8 @@ CODESTARTsetModCnf
+@@ -2085,6 +2109,8 @@ CODESTARTsetModCnf
  			loadModConf->stateFileDirectory = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
  		} else if(!strcmp(modpblk.descr[i].name, "normalizepath")) {
  			loadModConf->normalizePath = (sbool) pvals[i].val.d.n;
@@ -76,7 +116,7 @@ index 5febd6db6..8769a185f 100644
  		} else if(!strcmp(modpblk.descr[i].name, "mode")) {
  			if(!es_strconstcmp(pvals[i].val.d.estr, "polling"))
  				loadModConf->opMode = OPMODE_POLLING;
-@@ -2452,16 +2464,25 @@ in_processEvent(struct inotify_event *ev)
+@@ -2388,16 +2414,35 @@ in_processEvent(struct inotify_event *ev
  	DBGPRINTF("in_processEvent process Event %x is_file %d, act->name '%s'\n",
  		ev->mask, etry->act->edge->is_file, etry->act->name);
  
@@ -87,6 +127,16 @@ index 5febd6db6..8769a185f 100644
 -		fs_node_walk(etry->act->edge->node, poll_tree);
 -	} else if(etry->act->edge->is_file && !(etry->act->is_symlink)) {
 -		in_handleFileEvent(ev, etry); // esentially poll_file()!
++	// if((ev->mask & IN_MOVED_FROM)) {
++	// 	flag_in_move(etry->act->edge->node->edges, ev->name);
++	// }
++	// if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO))  {
++	// 	fs_node_walk(etry->act->edge->node, poll_tree);
++	// } else if(etry->act->edge->is_file && !(etry->act->is_symlink)) {
++	// 	in_handleFileEvent(ev, etry); // esentially poll_file()!
++	// } else {
++	// 	fs_node_walk(etry->act->edge->node, poll_tree);
++	// }
 +	if(!runModConf->deleteStateOnFileMove) {
 +		if((ev->mask & IN_MOVED_FROM)) {
 +			flag_in_move(etry->act->edge->node->edges, ev->name);
@@ -110,6 +160,3 @@ index 5febd6db6..8769a185f 100644
  done:	return;
  }
  
--- 
-2.41.0
-

SOURCES/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch

@@ -0,0 +1,20 @@
+diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
+--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig	2021-06-15 12:30:35.238832058 +0200
++++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c	2021-06-15 12:32:04.699721356 +0200
+@@ -565,6 +565,8 @@ persistJournalState(void)
+ 		ABORT_FINALIZE(RS_RET_IO_ERROR);
+ 	}
+ 
++	fflush(sf);
++
+ 	/* change the name of the file to the configured one */
+ 	if (rename(tmp_sf, cs.stateFile) < 0) {
+ 		LogError(errno, iRet, "imjournal: rename() failed for new path: '%s'", cs.stateFile);
+@@ -586,6 +588,7 @@ persistJournalState(void)
+ 			LogError(errno, RS_RET_IO_ERROR, "imjournal: fsync on '%s' failed", glbl.GetWorkDir());
+ 			ABORT_FINALIZE(RS_RET_IO_ERROR);
+ 		}
++		closedir(wd);
+ 	}
+ 
+ 	DBGPRINTF("Persisted journal to '%s'\n", cs.stateFile);

SOURCES/rsyslog-8.2102.0-rhbz1962318-errfile-maxsize.patch

@@ -0,0 +1,190 @@
+--- rsyslog-8.2102.0/action.c	2021-02-15 12:06:16.000000000 +0100
++++ rsyslog-8.2102.0-changes/action.c	2022-03-08 15:55:33.989525382 +0100
+@@ -198,6 +198,7 @@
+ 	{ "name", eCmdHdlrGetWord, 0 }, /* legacy: actionname */
+ 	{ "type", eCmdHdlrString, CNFPARAM_REQUIRED }, /* legacy: actionname */
+ 	{ "action.errorfile", eCmdHdlrString, 0 },
++	{ "action.errorfile.maxsize", eCmdHdlrInt, 0 },
+ 	{ "action.writeallmarkmessages", eCmdHdlrBinary, 0 }, /* legacy: actionwriteallmarkmessages */
+ 	{ "action.execonlyeverynthtime", eCmdHdlrInt, 0 }, /* legacy: actionexeconlyeverynthtime */
+ 	{ "action.execonlyeverynthtimetimeout", eCmdHdlrInt, 0 }, /* legacy: actionexeconlyeverynthtimetimeout */
+@@ -400,6 +401,8 @@
+ 	pThis->iResumeRetryCount = 0;
+ 	pThis->pszName = NULL;
+ 	pThis->pszErrFile = NULL;
++	pThis->maxErrFileSize = 0;
++	pThis->errFileWritten = 0;	
+ 	pThis->pszExternalStateFile = NULL;
+ 	pThis->fdErrFile = -1;
+ 	pThis->bWriteAllMarkMsgs = 1;
+@@ -1436,6 +1439,12 @@
+ 				pThis->pszName, pThis->pszErrFile);
+ 			goto done;
+ 		}
++		struct stat statbuf;
++		if (fstat(pThis->fdErrFile, &statbuf) == -1) {
++			LogError(errno, RS_RET_ERR, "failed to fstat %s", pThis->pszErrFile);
++			goto done;
++		}
++		pThis->errFileWritten += statbuf.st_size;
+ 	}
+ 
+ 	for(int i = 0 ; i < nparams ; ++i) {
+@@ -1454,16 +1463,26 @@
+ 		char *const rendered = strdup((char*)fjson_object_to_json_string(etry));
+ 		if(rendered == NULL)
+ 			goto done;
+-		const size_t toWrite = strlen(rendered) + 1;
+-		/* note: we use the '\0' inside the string to store a LF - we do not
+-		 * otherwise need it and it safes us a copy/realloc.
+-		 */
+-		rendered[toWrite-1] = '\n'; /* NO LONGER A STRING! */
+-		const ssize_t wrRet = write(pThis->fdErrFile, rendered, toWrite);
+-		if(wrRet != (ssize_t) toWrite) {
+-			LogError(errno, RS_RET_IO_ERROR,
+-				"action %s: error writing errorFile %s, write returned %lld",
+-				pThis->pszName, pThis->pszErrFile, (long long) wrRet);
++		size_t toWrite = strlen(rendered) + 1;
++		// Check if need to truncate the amount of bytes to write
++		if (pThis->maxErrFileSize > 0) {
++			if (pThis->errFileWritten + toWrite > pThis->maxErrFileSize) {
++				// Truncate to the pending available
++				toWrite = pThis->maxErrFileSize - pThis->errFileWritten;
++			}
++			pThis->errFileWritten += toWrite;
++		}
++		if(toWrite > 0) {
++			/* note: we use the '\0' inside the string to store a LF - we do not
++			 * otherwise need it and it safes us a copy/realloc.
++			 */
++			rendered[toWrite-1] = '\n'; /* NO LONGER A STRING! */
++			const ssize_t wrRet = write(pThis->fdErrFile, rendered, toWrite);
++			if(wrRet != (ssize_t) toWrite) {
++				LogError(errno, RS_RET_IO_ERROR,
++					"action %s: error writing errorFile %s, write returned %lld",
++					pThis->pszName, pThis->pszErrFile, (long long) wrRet);
++			}
+ 		}
+ 		free(rendered);
+ 
+@@ -2048,6 +2067,8 @@
+ 			continue; /* this is handled seperately during module select! */
+ 		} else if(!strcmp(pblk.descr[i].name, "action.errorfile")) {
+ 			pAction->pszErrFile = es_str2cstr(pvals[i].val.d.estr, NULL);
++		} else if(!strcmp(pblk.descr[i].name, "action.errorfile.maxsize")) {
++			pAction->maxErrFileSize = pvals[i].val.d.n;
+ 		} else if(!strcmp(pblk.descr[i].name, "action.externalstate.file")) {
+ 			pAction->pszExternalStateFile = es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(pblk.descr[i].name, "action.writeallmarkmessages")) {
+--- rsyslog-8.2102.0-ori/action.h	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0-changes/action.h	2022-03-04 11:36:47.024588972 +0100
+@@ -77,6 +77,8 @@
+ 	/* error file */
+ 	const char *pszErrFile;
+ 	int fdErrFile;
++	size_t maxErrFileSize;
++	size_t errFileWritten;
+ 	pthread_mutex_t mutErrFile;
+ 	/* external stat file system */
+ 	const char *pszExternalStateFile;
+--- rsyslog-8.2102.0-ori/tests/Makefile.am	2021-02-15 12:06:16.000000000 +0100
++++ rsyslog-8.2102.0-changes/tests/Makefile.am	2022-03-04 11:38:01.625095709 +0100
+@@ -695,7 +695,8 @@
+ 	mysql-actq-mt.sh \
+ 	mysql-actq-mt-withpause.sh \
+ 	action-tx-single-processing.sh \
+-	action-tx-errfile.sh
++	action-tx-errfile.sh \
++	action-tx-errfile-maxsize.sh
+ 
+ mysql-basic.log: mysqld-start.log
+ mysql-basic-cnf6.log: mysqld-start.log
+@@ -2156,6 +2157,8 @@
+ 	sndrcv_omudpspoof_nonstdpt.sh \
+ 	sndrcv_gzip.sh \
+ 	action-tx-single-processing.sh \
++	omfwd-errfile-maxsize.sh \
++	action-tx-errfile-maxsize.sh \
+ 	action-tx-errfile.sh \
+ 	testsuites/action-tx-errfile.result \
+ 	pipeaction.sh \
+--- rsyslog-8.2102.0-ori/tests/omfwd-errfile-maxsize.sh	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0-changes/tests/omfwd-errfile-maxsize.sh	2022-03-04 11:39:02.060506234 +0100
+@@ -0,0 +1,17 @@
++#!/bin/bash
++# part of the rsyslog project, released under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++
++export MAX_ERROR_SIZE=1999
++
++generate_conf
++add_conf '
++action(type="omfwd" target="1.2.3.4" port="1234" Protocol="tcp" NetworkNamespace="doesNotExist"
++       action.errorfile="'$RSYSLOG2_OUT_LOG'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'")
++'
++startup
++shutdown_when_empty
++wait_shutdown
++check_file_exists ${RSYSLOG2_OUT_LOG}
++file_size_check ${RSYSLOG2_OUT_LOG} ${MAX_ERROR_SIZE}
++exit_test
+--- rsyslog-8.2102.0-ori/tests/action-tx-errfile-maxsize.sh	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0-changes/tests/action-tx-errfile-maxsize.sh	2022-03-04 11:59:22.592796989 +0100
+@@ -0,0 +1,35 @@
++#!/bin/bash
++# part of the rsyslog project, released under ASL 2.0
++
++. ${srcdir:=.}/diag.sh init
++
++export NUMMESSAGES=50 # enough to generate big file
++export MAX_ERROR_SIZE=100
++
++generate_conf
++add_conf '
++$ModLoad ../plugins/ommysql/.libs/ommysql
++global(errormessagestostderr.maxnumber="5")
++
++template(type="string" name="tpl" string="insert into SystemEvents (Message, Facility) values (\"%msg%\", %$!facility%)" option.sql="on")
++
++if((not($msg contains "error")) and ($msg contains "msgnum:")) then {
++	set $.num = field($msg, 58, 2);
++	if $.num % 2 == 0 then {
++		set $!facility = $syslogfacility;
++	} else {
++		set $/cntr = 0;
++	}
++	action(type="ommysql" name="mysql_action_errfile_maxsize" server="127.0.0.1" template="tpl"
++	       db="'$RSYSLOG_DYNNAME'" uid="rsyslog" pwd="testbench" action.errorfile="'$RSYSLOG2_OUT_LOG'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'")
++}
++'
++mysql_prep_for_test
++startup
++injectmsg
++shutdown_when_empty
++wait_shutdown
++mysql_get_data
++check_file_exists ${RSYSLOG2_OUT_LOG}
++file_size_check ${RSYSLOG2_OUT_LOG} ${MAX_ERROR_SIZE}
++exit_test
+--- rsyslog-8.2102.0/tests/omfwd-errfile-maxsize-filled.sh	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0-changes/tests/omfwd-errfile-maxsize-filled.sh	2022-03-08 16:24:01.174365289 +0100
+@@ -0,0 +1,19 @@
++#!/bin/bash
++# part of the rsyslog project, released under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++ERRFILE=$(mktemp)
++export MAX_ERROR_SIZE=1999
++export INITIAL_FILE_SIZE=$((MAX_ERROR_SIZE - 100))
++dd if=/dev/urandom of=${ERRFILE}  bs=1 count=${INITIAL_FILE_SIZE}
++generate_conf
++add_conf '
++action(type="omfwd" target="1.2.3.4" port="1234" Protocol="tcp" NetworkNamespace="doesNotExist"
++       action.errorfile="'$ERRFILE'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'")
++'
++startup
++shutdown_when_empty
++wait_shutdown
++check_file_exists ${ERRFILE}
++file_size_check ${ERRFILE} ${MAX_ERROR_SIZE}
++exit_test
++rm ${ERRFILE}

SOURCES/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch

@@ -0,0 +1,102 @@
+diff -up rsyslog-8.2102.0/runtime/cfsysline.c.orig rsyslog-8.2102.0/runtime/cfsysline.c
+--- rsyslog-8.2102.0/runtime/cfsysline.c.orig	2021-08-04 07:16:02.663163106 +0200
++++ rsyslog-8.2102.0/runtime/cfsysline.c	2021-08-04 07:18:05.952490008 +0200
+@@ -353,13 +353,8 @@ static rsRetVal doGetGID(uchar **pp, rsR
+ 	assert(*pp != NULL);
+ 
+ 	if(getSubString(pp, (char*) szName, sizeof(szName), ' ')  != 0) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "could not extract group name: %s\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "could not extract group name");
+-			ABORT_FINALIZE(RS_RET_NOT_FOUND);
+-		}
++		LogError(0, RS_RET_NOT_FOUND, "could not extract group name");
++		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+ 
+ 	do {
+@@ -380,10 +375,6 @@ static rsRetVal doGetGID(uchar **pp, rsR
+ 			LogError(0, RS_RET_NOT_FOUND, "ID for group '%s' could not be found", szName);
+ 		}
+ 		iRet = RS_RET_NOT_FOUND;
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "ID for group '%s' could not be found or error\n", szName);
+-			exit(1); /* good exit */
+-		}
+ 	} else {
+ 		if(pSetHdlr == NULL) {
+ 			/* we should set value directly to var */
+@@ -418,25 +409,15 @@ static rsRetVal doGetUID(uchar **pp, rsR
+ 	assert(*pp != NULL);
+ 
+ 	if(getSubString(pp, (char*) szName, sizeof(szName), ' ')  != 0) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "could not extract user name: %s\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "could not extract user name");
+-			ABORT_FINALIZE(RS_RET_NOT_FOUND);
+-		}
++		LogError(0, RS_RET_NOT_FOUND, "could not extract user name");
++		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+ 
+ 	getpwnam_r((char*)szName, &pwBuf, stringBuf, sizeof(stringBuf), &ppwBuf);
+ 
+ 	if(ppwBuf == NULL) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "ID for user '%s' could not be found or error\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName);
+-			iRet = RS_RET_NOT_FOUND;
+-		}
++		LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName);
++		iRet = RS_RET_NOT_FOUND;
+ 	} else {
+ 		if(pSetHdlr == NULL) {
+ 			/* we should set value directly to var */
+diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
+--- rsyslog-8.2102.0/runtime/glbl.c.orig	2021-08-04 07:18:19.301633677 +0200
++++ rsyslog-8.2102.0/runtime/glbl.c	2021-08-04 07:19:02.409019106 +0200
+@@ -210,7 +210,6 @@ static struct cnfparamdescr cnfparamdesc
+ 	{ "environment", eCmdHdlrArray, 0 },
+ 	{ "processinternalmessages", eCmdHdlrBinary, 0 },
+ 	{ "umask", eCmdHdlrFileCreateMode, 0 },
+-	{ "security.abortonidresolutionfail", eCmdHdlrBinary, 0 },
+ 	{ "internal.developeronly.options", eCmdHdlrInt, 0 },
+ 	{ "internalmsg.ratelimit.interval", eCmdHdlrPositiveInt, 0 },
+ 	{ "internalmsg.ratelimit.burst", eCmdHdlrPositiveInt, 0 },
+@@ -1443,8 +1442,6 @@ glblDoneLoadCnf(void)
+ 			glblInputTimeoutShutdown = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "privdrop.group.keepsupplemental")) {
+ 			loadConf->globals.gidDropPrivKeepSupplemental = (int) cnfparamvals[i].val.d.n;
+-		} else if(!strcmp(paramblk.descr[i].name, "security.abortonidresolutionfail")) {
+-			loadConf->globals.abortOnIDResolutionFail = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "net.acladdhostnameonfail")) {
+ 			*(net.pACLAddHostnameOnFail) = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "net.aclresolvehostname")) {
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2021-08-04 07:19:13.103104854 +0200
++++ rsyslog-8.2102.0/runtime/rsconf.c	2021-08-04 07:19:44.635357684 +0200
+@@ -156,7 +156,6 @@ static void cnfSetDefaults(rsconf_t *pTh
+ 	pThis->globals.maxErrMsgToStderr = -1;
+ 	pThis->globals.umask = -1;
+ 	pThis->globals.gidDropPrivKeepSupplemental = 0;
+-	pThis->globals.abortOnIDResolutionFail = 1;
+ 	pThis->templates.root = NULL;
+ 	pThis->templates.last = NULL;
+ 	pThis->templates.lastStatic = NULL;
+diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
+--- rsyslog-8.2102.0/runtime/rsconf.h.orig	2021-08-04 07:20:15.848607958 +0200
++++ rsyslog-8.2102.0/runtime/rsconf.h	2021-08-04 07:20:42.782823920 +0200
+@@ -73,7 +73,6 @@ struct globals_s {
+ 	int uidDropPriv;	/* user-id to which priveleges should be dropped to */
+ 	int gidDropPriv;	/* group-id to which priveleges should be dropped to */
+ 	int gidDropPrivKeepSupplemental; /* keep supplemental groups when dropping? */
+-	int abortOnIDResolutionFail;
+ 	int umask;		/* umask to use */
+ 	uchar *pszConfDAGFile;	/* name of config DAG file, non-NULL means generate one */
+ 

SOURCES/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch

@@ -0,0 +1,26 @@
+diff -up rsyslog-8.2102.0/runtime/ratelimit.c.orig rsyslog-8.2102.0/runtime/ratelimit.c
+--- rsyslog-8.2102.0/runtime/ratelimit.c.orig	2021-07-27 10:37:50.972903104 +0200
++++ rsyslog-8.2102.0/runtime/ratelimit.c	2021-07-27 10:38:26.141002988 +0200
+@@ -235,7 +235,6 @@ ratelimitMsg(ratelimit_t *__restrict__ c
+ {
+ 	DEFiRet;
+ 	rsRetVal localRet;
+-	int severity = 0;
+ 
+ 	*ppRepMsg = NULL;
+ 
+@@ -246,13 +245,12 @@ ratelimitMsg(ratelimit_t *__restrict__ c
+ 				DBGPRINTF("Message discarded, parsing error %d\n", localRet);
+ 				ABORT_FINALIZE(RS_RET_DISCARDMSG);
+ 			}
+-			severity = pMsg->iSeverity;
+ 		}
+ 	}
+ 
+ 	/* Only the messages having severity level at or below the
+ 	 * treshold (the value is >=) are subject to ratelimiting. */
+-	if(ratelimit->interval && (severity >= ratelimit->severity)) {
++	if(ratelimit->interval && (pMsg->iSeverity >= ratelimit->severity)) {
+ 		char namebuf[512]; /* 256 for FGDN adn 256 for APPNAME should be enough */
+ 		snprintf(namebuf, sizeof namebuf, "%s:%s", getHOSTNAME(pMsg),
+ 			getAPPNAME(pMsg, 0));

SOURCES/rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch

@@ -0,0 +1,354 @@
+diff -up rsyslog-8.2102.0/runtime/nsd_ossl.c.orig rsyslog-8.2102.0/runtime/nsd_ossl.c
+--- rsyslog-8.2102.0/runtime/nsd_ossl.c.orig	2022-04-15 13:42:05.320615894 +0200
++++ rsyslog-8.2102.0/runtime/nsd_ossl.c	2022-04-15 14:33:43.472482696 +0200
+@@ -609,10 +609,10 @@ finalize_it:
+ }
+ 
+ static rsRetVal
+-osslInitSession(nsd_ossl_t *pThis) /* , nsd_ossl_t *pServer) */
++osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pServer) */
+ {
+ 	DEFiRet;
+-	BIO *client;
++	BIO *conn;
+ 	char pristringBuf[4096];
+ 	nsd_ptcp_t *pPtcp = (nsd_ptcp_t*) pThis->pTcp;
+ 
+@@ -633,10 +633,8 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
+ 		if (pThis->DrvrVerifyDepth != 0) {
+ 			SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
+ 		}
+-	}
+-
+-	if (bAnonInit == 1) { /* no mutex needed, read-only after init */
+-		/* Allow ANON Ciphers */
++	} else 	if (bAnonInit == 1 && pThis->gnutlsPriorityString == NULL) {
++		/* Allow ANON Ciphers only in ANON Mode and if no custom priority string is defined */
+ 		#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 		 /* NOTE: do never use: +eNULL, it DISABLES encryption! */
+ 		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
+@@ -653,21 +651,28 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
+ 		}
+ 	}
+ 
+-	/* Create BIO from ptcp socket! */
+-	client = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+-	dbgprintf("osslInitSession: Init client BIO[%p] done\n", (void *)client);
+ 
+-	/* Set debug Callback for client BIO as well! */
+-	BIO_set_callback(client, BIO_debug_callback);
++	/* Create BIO from ptcp socket! */
++	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
++	dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn);
+ 
+-/* TODO: still needed? Set to NON blocking ! */
+-BIO_set_nbio( client, 1 );
++	/* Set debug Callback for conn BIO as well! */
++	BIO_set_callback(conn, BIO_debug_callback);
+ 
+-	SSL_set_bio(pThis->ssl, client, client);
+-	SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
++	/* TODO: still needed? Set to NON blocking ! */
++	BIO_set_nbio( conn, 1 );
++	SSL_set_bio(pThis->ssl, conn, conn);
+ 
++	if (osslType == osslServer) {
++		/* Server Socket */
++		SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
++		pThis->sslState = osslServer; /*set Server state */
++	} else {
++		/* Client Socket */
++		SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
++		pThis->sslState = osslClient; /*set Client state */
++	}
+ 	pThis->bHaveSess = 1;
+-	pThis->sslState = osslServer; /*set Server state */
+ 
+ 	/* we are done */
+ 	FINALIZE;
+@@ -1136,8 +1141,8 @@ SetAuthMode(nsd_t *const pNsd, uchar *co
+ 		ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
+ 	}
+ 
+-		/* Init Anon OpenSSL stuff */
+-		CHKiRet(osslAnonInit());
++	/* Init Anon OpenSSL stuff */
++	CHKiRet(osslAnonInit());
+ 
+ 	dbgprintf("SetAuthMode: Set Mode %s/%d\n", mode, pThis->authMode);
+ 
+@@ -1394,8 +1399,9 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
+ 
+ 	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ 	if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
+-		LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
+-		"No shared curve between syslog client and server.");
++		// This is not a failure
++		LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
++		"Information, no shared curve between syslog client and server");
+ 	}
+ 	#endif
+ 	sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
+@@ -1518,7 +1524,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
+ 	pNew->permitExpiredCerts = pThis->permitExpiredCerts;
+ 	pNew->pPermPeers = pThis->pPermPeers;
+ 	pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
+-	CHKiRet(osslInitSession(pNew));
++	CHKiRet(osslInitSession(pNew, osslServer));
+ 
+ 	/* Store nsd_ossl_t* reference in SSL obj */
+ 	SSL_set_ex_data(pNew->ssl, 0, pThis);
+@@ -1729,9 +1735,6 @@ Connect(nsd_t *pNsd, int family, uchar *
+ 	DEFiRet;
+ 	DBGPRINTF("openssl: entering Connect family=%d, device=%s\n", family, device);
+ 	nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
+-	nsd_ptcp_t* pPtcp = (nsd_ptcp_t*) pThis->pTcp;
+-	BIO *conn;
+-	char pristringBuf[4096];
+ 
+ 	ISOBJ_TYPE_assert(pThis, nsd_ossl);
+ 	assert(port != NULL);
+@@ -1745,61 +1748,13 @@ Connect(nsd_t *pNsd, int family, uchar *
+ 		FINALIZE;
+ 	}
+ 
+-	/* Create BIO from ptcp socket! */
+-	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+-	dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
+-
+ 	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
+ 		"TLS Connection initiated with remote syslog server.");
+ 	/*if we reach this point we are in tls mode */
+ 	DBGPRINTF("Connect: TLS Mode\n");
+-	if(!(pThis->ssl = SSL_new(ctx))) {
+-		pThis->ssl = NULL;
+-		osslLastSSLErrorMsg(0, pThis->ssl, LOG_ERR, "Connect");
+-		ABORT_FINALIZE(RS_RET_NO_ERRCODE);
+-	}
+ 
+-	// Set SSL_MODE_AUTO_RETRY to SSL obj
+-	SSL_set_mode(pThis->ssl, SSL_MODE_AUTO_RETRY);
+-
+-	if (pThis->authMode != OSSL_AUTH_CERTANON) {
+-		dbgprintf("Connect: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
+-			pThis->authMode, pThis->DrvrVerifyDepth);
+-		/* Enable certificate valid checking */
+-		SSL_set_verify(pThis->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
+-		if (pThis->DrvrVerifyDepth != 0) {
+-			SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
+-		}
+-	}
+-
+-	if (bAnonInit == 1) { /* no mutex needed, read-only after init */
+-		/* Allow ANON Ciphers */
+-		#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+-		 /* NOTE: do never use: +eNULL, it DISABLES encryption! */
+-		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
+-			sizeof(pristringBuf));
+-		#else
+-		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
+-			sizeof(pristringBuf));
+-		#endif
+-
+-		dbgprintf("Connect: setting anon ciphers: %s\n", pristringBuf);
+-		if ( SSL_set_cipher_list(pThis->ssl, pristringBuf) == 0 ){
+-			dbgprintf("Connect: Error setting ciphers '%s'\n", pristringBuf);
+-			ABORT_FINALIZE(RS_RET_SYS_ERR);
+-		}
+-	}
+-
+-	/* Set debug Callback for client BIO as well! */
+-	BIO_set_callback(conn, BIO_debug_callback);
+-
+-/* TODO: still needed? Set to NON blocking ! */
+-BIO_set_nbio( conn, 1 );
+-
+-	SSL_set_bio(pThis->ssl, conn, conn);
+-	SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
+-	pThis->sslState = osslClient; /*set Client state */
+-	pThis->bHaveSess = 1;
++	/* Do SSL Session init */
++	CHKiRet(osslInitSession(pThis, osslClient));
+ 
+ 	/* Store nsd_ossl_t* reference in SSL obj */
+ 	SSL_set_ex_data(pThis->ssl, 0, pThis);
+@@ -1828,90 +1783,106 @@ SetGnutlsPriorityString(nsd_t *const pNs
+ 	nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
+ 	ISOBJ_TYPE_assert(pThis, nsd_ossl);
+ 
+-	pThis->gnutlsPriorityString = gnutlsPriorityString;
++	dbgprintf("gnutlsPriorityString: set to '%s'\n",
++		(gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"));
+ 
+ 	/* Skip function if function is NULL gnutlsPriorityString */
+-	if (gnutlsPriorityString == NULL) {
+-		RETiRet;
+-	} else {
+-		dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
+ #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+-		char *pCurrentPos;
+-		char *pNextPos;
+-		char *pszCmd;
+-		char *pszValue;
+-		int iConfErr;
+-
+-		/* Set working pointer */
+-		pCurrentPos = (char*) pThis->gnutlsPriorityString;
+-		if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
+-			// Create CTX Config Helper
+-			SSL_CONF_CTX *cctx;
+-			cctx = SSL_CONF_CTX_new();
+-			if (pThis->sslState == osslServer) {
+-				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
+-			} else {
+-				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
+-			}
+-			SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
+-			SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
+-			SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+-
+-			do
+-			{
+-				pNextPos = index(pCurrentPos, '=');
+-				if (pNextPos != NULL) {
+-					while (	*pCurrentPos != '\0' &&
+-						(*pCurrentPos == ' ' || *pCurrentPos == '\t') )
+-						pCurrentPos++;
+-					pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
+-					pCurrentPos = pNextPos+1;
+-					pNextPos = index(pCurrentPos, '\n');
+-					pszValue = (pNextPos == NULL ?
+-							strdup(pCurrentPos) :
+-							strndup(pCurrentPos, pNextPos - pCurrentPos));
+-					pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
+-
+-					/* Add SSL Conf Command */
+-					iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
+-					if (iConfErr > 0) {
+-						dbgprintf("gnutlsPriorityString: Successfully added Command "
+-							"'%s':'%s'\n",
+-							pszCmd, pszValue);
+-					}
+-					else {
+-						LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
+-							"in gnutlsPriorityString with error '%d'",
+-							pszCmd, pszValue, iConfErr);
+-					}
++	sbool ApplySettings = 0;
++	if ((gnutlsPriorityString != NULL && pThis->gnutlsPriorityString == NULL) ||
++		(gnutlsPriorityString != NULL &&
++		strcmp( (const char*)pThis->gnutlsPriorityString, (const char*)gnutlsPriorityString) != 0)
++		) {
++		ApplySettings = 1;
++	}
++
++	pThis->gnutlsPriorityString = gnutlsPriorityString;
++	dbgprintf("gnutlsPriorityString: set to '%s' Apply %s\n",
++		(gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"),
++		(ApplySettings == 1? "TRUE" : "FALSE"));
+ 
+-					free(pszCmd);
+-					free(pszValue);
++	if (ApplySettings) {
++
++		if (gnutlsPriorityString == NULL || ctx == NULL) {
++			RETiRet;
++		} else {
++			dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
++			char *pCurrentPos;
++			char *pNextPos;
++			char *pszCmd;
++			char *pszValue;
++			int iConfErr;
++
++			/* Set working pointer */
++			pCurrentPos = (char*) pThis->gnutlsPriorityString;
++			if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
++				// Create CTX Config Helper
++				SSL_CONF_CTX *cctx;
++				cctx = SSL_CONF_CTX_new();
++				if (pThis->sslState == osslServer) {
++					SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
+ 				} else {
+-					/* Abort further parsing */
+-					pCurrentPos = NULL;
++					SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
+ 				}
+-			}
+-			while (pCurrentPos != NULL);
++				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
++				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
++				SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
++
++				do
++				{
++					pNextPos = index(pCurrentPos, '=');
++					if (pNextPos != NULL) {
++						while (	*pCurrentPos != '\0' &&
++							(*pCurrentPos == ' ' || *pCurrentPos == '\t') )
++							pCurrentPos++;
++						pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
++						pCurrentPos = pNextPos+1;
++						pNextPos = index(pCurrentPos, '\n');
++						pszValue = (pNextPos == NULL ?
++								strdup(pCurrentPos) :
++								strndup(pCurrentPos, pNextPos - pCurrentPos));
++						pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
++
++						/* Add SSL Conf Command */
++						iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
++						if (iConfErr > 0) {
++							dbgprintf("gnutlsPriorityString: Successfully added Command "
++								"'%s':'%s'\n",
++								pszCmd, pszValue);
++						}
++						else {
++							LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
++								"in gnutlsPriorityString with error '%d'",
++								pszCmd, pszValue, iConfErr);
++						}
++
++						free(pszCmd);
++						free(pszValue);
++					} else {
++						/* Abort further parsing */
++						pCurrentPos = NULL;
++					}
++				}
++				while (pCurrentPos != NULL);
+ 
+-			/* Finalize SSL Conf */
+-			iConfErr = SSL_CONF_CTX_finish(cctx);
+-			if (!iConfErr) {
+-				LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
+-						"Open ssl error info may follow in next messages",
+-						pThis->gnutlsPriorityString);
+-				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
++				/* Finalize SSL Conf */
++				iConfErr = SSL_CONF_CTX_finish(cctx);
++				if (!iConfErr) {
++					LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
++							"Open ssl error info may follow in next messages",
++							pThis->gnutlsPriorityString);
++					osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
++				}
++				SSL_CONF_CTX_free(cctx);
+ 			}
+-			SSL_CONF_CTX_free(cctx);
+ 		}
++	}
+ #else
+-		dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
+-		LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
+-			"(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
+-			"https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
+-			gnutlsPriorityString);
++	LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
++		"(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
++		"https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
++		gnutlsPriorityString);
+ #endif
+-	}
+ 
+ 	RETiRet;
+ }

SOURCES/rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch

@@ -0,0 +1,215 @@
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.orig rsyslog-8.2102.0/runtime/nsd_gtls.c
+--- rsyslog-8.2102.0/runtime/nsd_gtls.c.orig	2022-04-11 09:26:17.826271989 +0200
++++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2022-04-11 09:33:28.702012052 +0200
+@@ -556,7 +556,9 @@ gtlsRecordRecv(nsd_gtls_t *pThis)
+ 	DEFiRet;
+ 
+ 	ISOBJ_TYPE_assert(pThis, nsd_gtls);
+-	DBGPRINTF("gtlsRecordRecv: start\n");
++	DBGPRINTF("gtlsRecordRecv: start (Pending Data: %zd | Wanted Direction: %s)\n",
++		gnutls_record_check_pending(pThis->sess),
++		(gnutls_record_get_direction(pThis->sess) == gtlsDir_READ ? "READ" : "WRITE") );
+ 
+ 	lenRcvd = gnutls_record_recv(pThis->sess, pThis->pszRcvBuf, NSD_GTLS_MAX_RCVBUF);
+ 	if(lenRcvd >= 0) {
+@@ -581,14 +583,30 @@ gtlsRecordRecv(nsd_gtls_t *pThis)
+ 					(NSD_GTLS_MAX_RCVBUF+lenRcvd));
+ 				pThis->lenRcvBuf = NSD_GTLS_MAX_RCVBUF+lenRcvd;
+ 			} else {
+-				goto sslerr;
++				if (lenRcvd == GNUTLS_E_AGAIN || lenRcvd == GNUTLS_E_INTERRUPTED) {
++					goto sslerragain;	/* Go to ERR AGAIN handling */
++				} else {
++					/* Do all other error handling */
++					int gnuRet = lenRcvd;
++					ABORTgnutls;
++				}
+ 			}
+ 		}
+ 	} else if(lenRcvd == GNUTLS_E_AGAIN || lenRcvd == GNUTLS_E_INTERRUPTED) {
+-sslerr:
+-		pThis->rtryCall = gtlsRtry_recv;
+-		dbgprintf("GnuTLS receive requires a retry (this most probably is OK and no error condition)\n");
+-		ABORT_FINALIZE(RS_RET_RETRY);
++sslerragain:
++		/* Check if the underlaying file descriptor needs to read or write data!*/
++		if (gnutls_record_get_direction(pThis->sess) == gtlsDir_READ) {
++			pThis->rtryCall = gtlsRtry_recv;
++			dbgprintf("GnuTLS receive requires a retry, this most probably is OK and no error condition\n");
++			ABORT_FINALIZE(RS_RET_RETRY);
++		} else {
++			uchar *pErr = gtlsStrerror(lenRcvd);
++			LogError(0, RS_RET_GNUTLS_ERR, "GnuTLS receive error %zd has wrong read direction(wants write) "
++				"- this could be caused by a broken connection. GnuTLS reports: %s\n",
++				lenRcvd, pErr);
++			free(pErr);
++			ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
++		}
+ 	} else {
+ 		int gnuRet = lenRcvd;
+ 		ABORTgnutls;
+@@ -1978,6 +1996,7 @@ static rsRetVal
+ Send(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf)
+ {
+ 	int iSent;
++	int wantsWriteData = 0;
+ 	nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
+ 	DEFiRet;
+ 	ISOBJ_TYPE_assert(pThis, nsd_gtls);
+@@ -1998,10 +2017,12 @@ Send(nsd_t *pNsd, uchar *pBuf, ssize_t *
+ 			break;
+ 		}
+ 		if(iSent != GNUTLS_E_INTERRUPTED && iSent != GNUTLS_E_AGAIN) {
++			/* Check if the underlaying file descriptor needs to read or write data!*/
++			wantsWriteData = gnutls_record_get_direction(pThis->sess);
+ 			uchar *pErr = gtlsStrerror(iSent);
+-			LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d - this "
+-				"could be caused by a broken connection. GnuTLS reports: %s \n",
+-				iSent, pErr);
++			LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d, wantsWriteData=%d - this "
++				"could be caused by a broken connection. GnuTLS reports: %s\n",
++				iSent, wantsWriteData, pErr);
+ 			free(pErr);
+ 			gnutls_perror(iSent);
+ 			ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.h.orig rsyslog-8.2102.0/runtime/nsd_gtls.h
+--- rsyslog-8.2102.0/runtime/nsd_gtls.h.orig	2022-04-11 09:26:32.744262781 +0200
++++ rsyslog-8.2102.0/runtime/nsd_gtls.h	2022-04-11 09:34:29.909982895 +0200
+@@ -33,6 +33,11 @@ typedef enum {
+ 	gtlsRtry_recv = 2
+ } gtlsRtryCall_t;		/**< IDs of calls that needs to be retried */
+ 
++typedef enum {
++	gtlsDir_READ = 0,	/**< GNUTLS wants READ */
++	gtlsDir_WRITE = 1	/**< GNUTLS wants WRITE */
++} gtlsDirection_t;
++
+ typedef nsd_if_t nsd_gtls_if_t; /* we just *implement* this interface */
+ 
+ /* the nsd_gtls object */
+diff -up rsyslog-8.2102.0/runtime/nsdsel_gtls.c.orig rsyslog-8.2102.0/runtime/nsdsel_gtls.c
+--- rsyslog-8.2102.0/runtime/nsdsel_gtls.c.orig	2022-04-11 09:26:42.529256742 +0200
++++ rsyslog-8.2102.0/runtime/nsdsel_gtls.c	2022-04-11 09:38:27.425869737 +0200
+@@ -81,6 +81,7 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsds
+ 
+ 	ISOBJ_TYPE_assert(pThis, nsdsel_gtls);
+ 	ISOBJ_TYPE_assert(pNsdGTLS, nsd_gtls);
++	DBGPRINTF("Add on nsd %p:\n", pNsdGTLS);
+ 	if(pNsdGTLS->iMode == 1) {
+ 		if(waitOp == NSDSEL_RD && gtlsHasRcvInBuffer(pNsdGTLS)) {
+ 			++pThis->iBufferRcvReady;
+@@ -99,6 +100,8 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsds
+ 		}
+ 	}
+ 
++	dbgprintf("nsdsel_gtls: reached end on nsd %p, calling nsdsel_ptcp.Add with waitOp %d... \n", pNsdGTLS, waitOp);
++
+ 	/* if we reach this point, we need no special handling */
+ 	CHKiRet(nsdsel_ptcp.Add(pThis->pTcp, pNsdGTLS->pTcp, waitOp));
+ 
+@@ -120,7 +123,8 @@ Select(nsdsel_t *pNsdsel, int *piNumRead
+ 	if(pThis->iBufferRcvReady > 0) {
+ 		/* we still have data ready! */
+ 		*piNumReady = pThis->iBufferRcvReady;
+-		dbgprintf("nsdsel_gtls: doing dummy select, data present\n");
++		dbgprintf("nsdsel_gtls: doing dummy select for %p->iBufferRcvReady=%d, data present\n",
++			pThis, pThis->iBufferRcvReady);
+ 	} else {
+ 		iRet = nsdsel_ptcp.Select(pThis->pTcp, piNumReady);
+ 	}
+@@ -138,7 +142,7 @@ doRetry(nsd_gtls_t *pNsd)
+ 	DEFiRet;
+ 	int gnuRet;
+ 
+-	dbgprintf("GnuTLS requested retry of %d operation - executing\n", pNsd->rtryCall);
++	dbgprintf("doRetry: GnuTLS requested retry of %d operation - executing\n", pNsd->rtryCall);
+ 
+ 	/* We follow a common scheme here: first, we do the systen call and
+ 	 * then we check the result. So far, the result is checked after the
+@@ -151,7 +155,7 @@ doRetry(nsd_gtls_t *pNsd)
+ 		case gtlsRtry_handshake:
+ 			gnuRet = gnutls_handshake(pNsd->sess);
+ 			if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) {
+-				dbgprintf("GnuTLS handshake retry did not finish - "
++				dbgprintf("doRetry: GnuTLS handshake retry did not finish - "
+ 					"setting to retry (this is OK and can happen)\n");
+ 				FINALIZE;
+ 			} else if(gnuRet == 0) {
+@@ -167,9 +171,20 @@ doRetry(nsd_gtls_t *pNsd)
+ 			}
+ 			break;
+ 		case gtlsRtry_recv:
+-			dbgprintf("retrying gtls recv, nsd: %p\n", pNsd);
+-			CHKiRet(gtlsRecordRecv(pNsd));
+-			pNsd->rtryCall = gtlsRtry_None; /* we are done */
++			dbgprintf("doRetry: retrying gtls recv, nsd: %p\n", pNsd);
++			iRet = gtlsRecordRecv(pNsd);
++			if (iRet == RS_RET_RETRY) {
++				// Check if there is pending data
++				size_t stBytesLeft = gnutls_record_check_pending(pNsd->sess);
++				if (stBytesLeft > 0) {
++					// We are in retry and more data waiting, finalize it
++					goto finalize_it;
++				} else {
++					dbgprintf("doRetry: gtlsRecordRecv returned RETRY, but there is no pending"
++						"data on nsd: %p\n", pNsd);
++				}
++			}
++			pNsd->rtryCall = gtlsRtry_None; /* no more data, we are done */
+ 			gnuRet = 0;
+ 			break;
+ 		case gtlsRtry_None:
+@@ -241,7 +256,7 @@ IsReady(nsdsel_t *pNsdsel, nsd_t *pNsd,
+ 		 * socket. -- rgerhards, 2010-11-20
+ 		 */
+ 		if(pThis->iBufferRcvReady) {
+-			dbgprintf("nsd_gtls: dummy read, buffer not available for this FD\n");
++			dbgprintf("nsd_gtls: dummy read, %p->buffer not available for this FD\n", pThis);
+ 			*pbIsReady = 0;
+ 			FINALIZE;
+ 		}
+diff -up rsyslog-8.2102.0/runtime/tcpsrv.c.orig rsyslog-8.2102.0/runtime/tcpsrv.c
+--- rsyslog-8.2102.0/runtime/tcpsrv.c.orig	2022-04-11 09:27:00.376245726 +0200
++++ rsyslog-8.2102.0/runtime/tcpsrv.c	2022-04-11 09:41:57.885777708 +0200
+@@ -609,14 +609,15 @@ doReceive(tcpsrv_t *pThis, tcps_sess_t *
+ 	int oserr = 0;
+ 
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+-	DBGPRINTF("netstream %p with new data\n", (*ppSess)->pStrm);
++	prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
++	DBGPRINTF("netstream %p with new data from remote peer %s\n", (*ppSess)->pStrm, pszPeer);
+ 	/* Receive message */
+ 	iRet = pThis->pRcvData(*ppSess, buf, sizeof(buf), &iRcvd, &oserr);
+ 	switch(iRet) {
+ 	case RS_RET_CLOSED:
+ 		if(pThis->bEmitMsgOnClose) {
+ 			errno = 0;
+-			prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
++			// prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+ 			LogError(0, RS_RET_PEER_CLOSED_CONN, "Netstream session %p closed by remote "
+ 				"peer %s.\n", (*ppSess)->pStrm, pszPeer);
+ 		}
+@@ -632,13 +633,13 @@ doReceive(tcpsrv_t *pThis, tcps_sess_t *
+ 			/* in this case, something went awfully wrong.
+ 			 * We are instructed to terminate the session.
+ 			 */
+-			prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
++			// prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+ 			LogError(oserr, localRet, "Tearing down TCP Session from %s", pszPeer);
+ 			CHKiRet(closeSess(pThis, ppSess, pPoll));
+ 		}
+ 		break;
+ 	default:
+-		prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
++		// prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+ 		LogError(oserr, iRet, "netstream session %p from %s will be closed due to error",
+ 				(*ppSess)->pStrm, pszPeer);
+ 		CHKiRet(closeSess(pThis, ppSess, pPoll));
+@@ -838,6 +839,7 @@ RunSelect(tcpsrv_t *pThis, nsd_epworkset
+ 		while(iTCPSess != -1) {
+ 			/* TODO: access to pNsd is NOT really CLEAN, use method... */
+ 			CHKiRet(nssel.Add(pSel, pThis->pSessions[iTCPSess]->pStrm, NSDSEL_RD));
++			DBGPRINTF("tcpsrv process session %d:\n", iTCPSess);
+ 			/* now get next... */
+ 			iTCPSess = TCPSessGetNxtSess(pThis, iTCPSess);
+ 		}

SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch

@@ -0,0 +1,23 @@
+--- rsyslog-8.2102.0.ori/doc/configuration/global/index.html	2021-02-15 12:53:30.000000000 +0100
++++ rsyslog-8.2102.0/doc/configuration/global/index.html	2022-09-07 13:32:10.426621438 +0200
+@@ -119,6 +119,13 @@
+ <a class="reference internal" href="../../concepts/netstrm_drvr.html"><span class="doc">network stream driver</span></a> to use.
+ Defaults to ptcp.</p>
+ </li>
++<li><p class="first"><strong>$NetstreamDriverCAExtraFiles</strong> &lt;/path/to/extracafile.pem&gt; -
++This directive allows to configure multiple additional extra CA files.
++This is intended for SSL certificate chains to work appropriately,
++as the different CA files in the chain need to be specified.
++It must be remarked that this directive only works with the OpenSSL driver.
++</p>
++</li>
+ <li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>
+ </li>
+ <li><p class="first"><strong>$DefaultNetstreamDriverCertFile</strong> &lt;/path/to/certfile.pem&gt;</p>
+@@ -311,4 +318,4 @@
+     <div class="footer" role="contentinfo">
+     </div>
+   </body>
+-</html>
+\ No newline at end of file
++</html>

SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch

@@ -0,0 +1,134 @@
+--- rsyslog-8.2102.0.ori/runtime/glbl.h	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0/runtime/glbl.h	2022-09-07 13:32:51.623799582 +0200
+@@ -72,6 +72,7 @@
+ 	SIMP_PROP(DfltNetstrmDrvrCAF, uchar*)
+ 	SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*)
+ 	SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*)
++	SIMP_PROP(NetstrmDrvrCAExtraFiles, uchar*)
+ 	SIMP_PROP(ParserControlCharacterEscapePrefix, uchar)
+ 	SIMP_PROP(ParserDropTrailingLFOnReception, int)
+ 	SIMP_PROP(ParserEscapeControlCharactersOnReceive, int)
+--- rsyslog-8.2102.0.ori/runtime/glbl.c	2022-09-07 13:17:02.669696053 +0200
++++ rsyslog-8.2102.0/runtime/glbl.c	2022-09-07 13:56:37.678966129 +0200
+@@ -122,6 +122,7 @@
+ static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */
+ static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */
+ static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */
++static uchar *pszNetstrmDrvrCAExtraFiles = NULL; /* list of additional CAExtraFiles */
+ int bTerminateInputs = 0;		/* global switch that inputs shall terminate ASAP (1=> terminate) */
+ static uchar cCCEscapeChar = '#'; /* character to be used to start an escape sequence for control chars */
+ static int bDropTrailingLF = 1; /* drop trailing LF's on reception? */
+@@ -176,6 +177,7 @@
+ 	{ "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdriver", eCmdHdlrString, 0 },
++	{ "netstreamdrivercaextrafiles", eCmdHdlrString, 0 },
+ 	{ "maxmessagesize", eCmdHdlrSize, 0 },
+ 	{ "oversizemsg.errorfile", eCmdHdlrGetWord, 0 },
+ 	{ "oversizemsg.report", eCmdHdlrBinary, 0 },
+@@ -307,6 +309,8 @@
+ /* TODO: use custom function which frees existing value */
+ SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*)
+ /* TODO: use custom function which frees existing value */
++SIMP_PROP_SET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*)
++/* TODO: use custom function which frees existing value */
+ 
+ #undef SIMP_PROP
+ #undef SIMP_PROP_SET
+@@ -838,6 +842,12 @@
+ 	return(pszDfltNetstrmDrvrCAF);
+ }
+ 
++/* return the extra CA Files, if needed */
++static uchar*
++GetNetstrmDrvrCAExtraFiles(void)
++{
++      return(pszNetstrmDrvrCAExtraFiles);
++}
+ 
+ /* return the current default netstream driver key File */
+ static uchar*
+@@ -925,6 +935,7 @@
+ 	SIMP_PROP(DfltNetstrmDrvrCAF)
+ 	SIMP_PROP(DfltNetstrmDrvrKeyFile)
+ 	SIMP_PROP(DfltNetstrmDrvrCertFile)
++	SIMP_PROP(NetstrmDrvrCAExtraFiles)
+ #ifdef USE_UNLIMITED_SELECT
+ 	SIMP_PROP(FdSetSize)
+ #endif
+@@ -941,6 +952,8 @@
+ 	pszDfltNetstrmDrvr = NULL;
+ 	free(pszDfltNetstrmDrvrCAF);
+ 	pszDfltNetstrmDrvrCAF = NULL;
++	free(pszNetstrmDrvrCAExtraFiles);
++	pszNetstrmDrvrCAExtraFiles = NULL;	
+ 	free(pszDfltNetstrmDrvrKeyFile);
+ 	pszDfltNetstrmDrvrKeyFile = NULL;
+ 	free(pszDfltNetstrmDrvrCertFile);
+@@ -1350,6 +1363,9 @@
+ 			free(pszDfltNetstrmDrvr);
+ 			pszDfltNetstrmDrvr = (uchar*)
+ 				es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
++		} else if(!strcmp(paramblk.descr[i].name, "netstreamdrivercaextrafiles")) {
++			free(pszNetstrmDrvrCAExtraFiles);
++			pszNetstrmDrvrCAExtraFiles = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(paramblk.descr[i].name, "preservefqdn")) {
+ 			bPreserveFQDN = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name,
+@@ -1546,6 +1562,8 @@
+ 	&pszDfltNetstrmDrvrKeyFile, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL,
+ 	&pszDfltNetstrmDrvrCertFile, NULL));
++	CHKiRet(regCfSysLineHdlr((uchar *)"netstreamdrivercaextrafiles", 0, eCmdHdlrGetWord, NULL,
++	&pszNetstrmDrvrCAExtraFiles, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostname", 0, eCmdHdlrGetWord, NULL, &LocalHostNameOverride, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostipif", 0, eCmdHdlrGetWord, setLocalHostIPIF, NULL, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"optimizeforuniprocessor", 0, eCmdHdlrGoneAway, NULL, NULL, NULL));
+--- rsyslog-8.2102.0.ori/runtime/nsd_ossl.c	2022-09-07 13:17:02.705696208 +0200
++++ rsyslog-8.2102.0/runtime/nsd_ossl.c	2022-09-07 14:09:18.697256943 +0200
+@@ -88,6 +88,7 @@
+ static short bHaveCA;
+ static short bHaveCert;
+ static short bHaveKey;
++static short bHaveExtraCAFiles;
+ static int bAnonInit;
+ static MUTEX_TYPE anonInit_mut = PTHREAD_MUTEX_INITIALIZER;
+ 
+@@ -414,7 +415,8 @@
+ {
+ 	DEFiRet;
+ 	DBGPRINTF("openssl: entering osslGlblInit\n");
+-	const char *caFile, *certFile, *keyFile;
++	const char *caFile, *certFile, *keyFile, *extraCaFile;
++	char *extraCaFiles;
+ 
+ 	/* Setup OpenSSL library */
+ 	if((opensslh_THREAD_setup() == 0) || !SSL_library_init()) {
+@@ -451,9 +453,27 @@
+ 	} else {
+ 		bHaveKey = 1;
+ 	}
++	extraCaFiles = (char*) glbl.GetNetstrmDrvrCAExtraFiles();
++	if(extraCaFiles == NULL) {
++		bHaveExtraCAFiles = 0;
++	} else {
++		bHaveExtraCAFiles = 1;
++	}
+ 
+ 	/* Create main CTX Object */
+ 	ctx = SSL_CTX_new(SSLv23_method());
++	if(bHaveExtraCAFiles == 1) {
++		while((extraCaFile = strsep(&extraCaFiles, ","))) {
++			if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) {
++				LogError(0, RS_RET_TLS_CERT_ERR, "Error: Extra Certificate file could not be accessed. "
++					"Check at least: 1) file path is correct, 2) file exist, "
++					"3) permissions are correct, 4) file content is correct. "
++					"Open ssl error info may follow in next messages");
++				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
++				ABORT_FINALIZE(RS_RET_TLS_CERT_ERR);
++			}
++		}
++	}
+ 	if(bHaveCA == 1 && SSL_CTX_load_verify_locations(ctx, caFile, NULL) != 1) {
+ 		LogError(0, RS_RET_TLS_CERT_ERR, "Error: CA certificate could not be accessed. "
+ 				"Check at least: 1) file path is correct, 2) file exist, "

SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch

@@ -0,0 +1,20 @@
+diff --git a/plugins/imklog/imklog.c b/plugins/imklog/imklog.c
+index 6c24b5a2db..78cfc3bae2 100644
+--- a/plugins/imklog/imklog.c
++++ b/plugins/imklog/imklog.c
+@@ -453,6 +453,7 @@ ENDactivateCnf
+ 
+ BEGINfreeCnf
+ CODESTARTfreeCnf
++	free(pModConf->pszBindRuleset);
+ ENDfreeCnf
+ 
+ 
+@@ -475,7 +476,6 @@ CODESTARTmodExit
+ 	if(pInputName != NULL)
+ 		prop.Destruct(&pInputName);
+ 
+-	free(runModConf->pszBindRuleset);
+ 	/* release objects we used */
+ 	objRelease(glbl, CORE_COMPONENT);
+ 	objRelease(net, CORE_COMPONENT);

SOURCES/rsyslog-8.2102.0-rhbz2157804-cstrlen.patch

@@ -0,0 +1,72 @@
+diff -up rsyslog-8.2102.0/parse.h.orig rsyslog-8.2102.0/parse.h
+--- rsyslog-8.2102.0/parse.h.orig	2023-05-09 09:10:09.236597063 +0200
++++ rsyslog-8.2102.0/parse.h	2023-05-09 09:10:26.913608034 +0200
+@@ -56,7 +56,7 @@ struct rsParsObject
+ 	rsObjID OID;			/**< object ID */
+ #endif
+ 	cstr_t *pCStr;		/**< pointer to the string object we are parsing */
+-	int iCurrPos;			/**< current parsing position (char offset) */
++	size_t iCurrPos;			/**< current parsing position (char offset) */
+ };
+ typedef struct rsParsObject rsParsObj;
+ 
+diff -up rsyslog-8.2102.0/runtime/stream.c.orig rsyslog-8.2102.0/runtime/stream.c
+--- rsyslog-8.2102.0/runtime/stream.c.orig	2023-05-09 09:10:34.122612508 +0200
++++ rsyslog-8.2102.0/runtime/stream.c	2023-05-09 09:12:47.934640583 +0200
+@@ -1071,7 +1071,7 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 	cstr_t *thisLine = NULL;
+ 	rsRetVal readCharRet;
+ 	const time_t tCurr = pThis->readTimeout ? getTime(NULL) : 0;
+-	int maxMsgSize = glblGetMaxLine();
++	size_t maxMsgSize = glblGetMaxLine();
+ 	DEFiRet;
+ 
+ 	do {
+@@ -1132,9 +1132,9 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 					}
+ 
+ 
+-					int currLineLen = cstrLen(thisLine);
++					size_t currLineLen = cstrLen(thisLine);
+ 					if(currLineLen > 0) {
+-						int len;
++						size_t len;
+ 						if((len = cstrLen(pThis->prevMsgSegment) + currLineLen) <
+ 						maxMsgSize) {
+ 							CHKiRet(cstrAppendCStr(pThis->prevMsgSegment, thisLine));
+@@ -1144,7 +1144,7 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 								len = 0;
+ 							} else {
+ 								len = currLineLen-(len-maxMsgSize);
+-								for(int z=0; z<len; z++) {
++								for(size_t z=0; z<len; z++) {
+ 									cstrAppendChar(pThis->prevMsgSegment,
+ 										thisLine->pBuf[z]);
+ 								}
+diff -up rsyslog-8.2102.0/runtime/stringbuf.c.orig rsyslog-8.2102.0/runtime/stringbuf.c
+--- rsyslog-8.2102.0/runtime/stringbuf.c.orig	2023-05-09 09:09:37.627577446 +0200
++++ rsyslog-8.2102.0/runtime/stringbuf.c	2023-05-09 09:09:59.061590749 +0200
+@@ -474,7 +474,7 @@ finalize_it:
+  * This is due to performance reasons.
+  */
+ #ifndef NDEBUG
+-int cstrLen(cstr_t *pThis)
++size_t cstrLen(cstr_t *pThis)
+ {
+ 	rsCHECKVALIDOBJECT(pThis, OIDrsCStr);
+ 	return(pThis->iStrLen);
+diff -up rsyslog-8.2102.0/runtime/stringbuf.h.orig rsyslog-8.2102.0/runtime/stringbuf.h
+--- rsyslog-8.2102.0/runtime/stringbuf.h.orig	2023-05-09 09:08:05.199520082 +0200
++++ rsyslog-8.2102.0/runtime/stringbuf.h	2023-05-09 09:09:26.924570803 +0200
+@@ -144,9 +144,9 @@ rsRetVal cstrAppendCStr(cstr_t *pThis, c
+ 
+ /* now come inline-like functions */
+ #ifdef NDEBUG
+-#	define cstrLen(x) ((int)((x)->iStrLen))
++#	define cstrLen(x) ((size_t)((x)->iStrLen))
+ #else
+-	int cstrLen(cstr_t *pThis);
++	size_t cstrLen(cstr_t *pThis);
+ #endif
+ #define rsCStrLen(s) cstrLen((s))
+ 

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-0.patch

@@ -0,0 +1,37 @@
+diff -up rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c.orig rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c
+--- rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c.orig	2023-05-11 14:14:39.778187570 +0200
++++ rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c	2023-05-11 14:15:36.254234445 +0200
+@@ -232,7 +232,11 @@ static rsRetVal curlSetup(wrkrInstanceDa
+ BEGINcreateInstance
+ CODESTARTcreateInstance
+ 	pData->fdErrFile = -1;
+-	pthread_mutex_init(&pData->mutErrFile, NULL);
++	if(pthread_mutex_init(&pData->mutErrFile, NULL) != 0) {
++		LogError(errno, RS_RET_ERR, "omelasticsearch: cannot create "
++			"error file mutex, failing this action");
++		ABORT_FINALIZE(RS_RET_ERR);
++	}
+ 	pData->caCertFile = NULL;
+ 	pData->myCertFile = NULL;
+ 	pData->myPrivKeyFile = NULL;
+@@ -240,6 +244,7 @@ CODESTARTcreateInstance
+ 	pData->retryRulesetName = NULL;
+ 	pData->retryRuleset = NULL;
+ 	pData->rebindInterval = DEFAULT_REBIND_INTERVAL;
++finalize_it:
+ ENDcreateInstance
+ 
+ BEGINcreateWrkrInstance
+@@ -2165,10 +2170,12 @@ ENDfreeCnf
+ 
+ BEGINdoHUP
+ CODESTARTdoHUP
++	pthread_mutex_lock(&pData->mutErrFile);
+ 	if(pData->fdErrFile != -1) {
+ 		close(pData->fdErrFile);
+ 		pData->fdErrFile = -1;
+ 	}
++	pthread_mutex_unlock(&pData->mutErrFile);
+ ENDdoHUP
+ 
+ 

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-1.patch

@@ -0,0 +1,54 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 0808c6054e..d7d6c68e60 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -116,6 +116,7 @@ typedef struct instanceConf_s {
+ 	uchar **serverBaseUrls;
+ 	int numServers;
+ 	long healthCheckTimeout;
++	long indexTimeout;
+ 	uchar *uid;
+ 	uchar *pwd;
+ 	uchar *authBuf;
+@@ -187,6 +188,7 @@ static struct cnfparamdescr actpdescr[] = {
+ 	{ "server", eCmdHdlrArray, 0 },
+ 	{ "serverport", eCmdHdlrInt, 0 },
+ 	{ "healthchecktimeout", eCmdHdlrInt, 0 },
++	{ "indextimeout", eCmdHdlrInt, 0 },
+ 	{ "uid", eCmdHdlrGetWord, 0 },
+ 	{ "pwd", eCmdHdlrGetWord, 0 },
+ 	{ "searchindex", eCmdHdlrGetWord, 0 },
+@@ -355,6 +357,7 @@ CODESTARTdbgPrintInstInfo
+ 	dbgprintf("\ttemplate='%s'\n", pData->tplName);
+ 	dbgprintf("\tnumServers=%d\n", pData->numServers);
+ 	dbgprintf("\thealthCheckTimeout=%lu\n", pData->healthCheckTimeout);
++	dbgprintf("\tindexTimeout=%lu\n", pData->indexTimeout);
+ 	dbgprintf("\tserverBaseUrls=");
+ 	for(i = 0 ; i < pData->numServers ; ++i)
+ 		dbgprintf("%c'%s'", i == 0 ? '[' : ' ', pData->serverBaseUrls[i]);
+@@ -1768,6 +1771,8 @@ curlPostSetup(wrkrInstanceData_t *const pWrkrData)
+ 	PTR_ASSERT_SET_TYPE(pWrkrData, WRKR_DATA_TYPE_ES);
+ 	curlSetupCommon(pWrkrData, pWrkrData->curlPostHandle);
+ 	curl_easy_setopt(pWrkrData->curlPostHandle, CURLOPT_POST, 1);
++	curl_easy_setopt(pWrkrData->curlPostHandle,
++		CURLOPT_TIMEOUT_MS, pWrkrData->pData->indexTimeout);
+ }
+ 
+ #define CONTENT_JSON "Content-Type: application/json; charset=utf-8"
+@@ -1797,6 +1802,7 @@ setInstParamDefaults(instanceData *const pData)
+ 	pData->serverBaseUrls = NULL;
+ 	pData->defaultPort = 9200;
+ 	pData->healthCheckTimeout = 3500;
++	pData->indexTimeout = 0;
+ 	pData->uid = NULL;
+ 	pData->pwd = NULL;
+ 	pData->authBuf = NULL;
+@@ -1865,6 +1871,8 @@ CODESTARTnewActInst
+ 			pData->defaultPort = (int) pvals[i].val.d.n;
+ 		} else if(!strcmp(actpblk.descr[i].name, "healthchecktimeout")) {
+ 			pData->healthCheckTimeout = (long) pvals[i].val.d.n;
++		} else if(!strcmp(actpblk.descr[i].name, "indextimeout")) {
++			pData->indexTimeout = (long) pvals[i].val.d.n;
+ 		} else if(!strcmp(actpblk.descr[i].name, "uid")) {
+ 			pData->uid = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(actpblk.descr[i].name, "pwd")) {

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-2.patch

@@ -0,0 +1,43 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 0808c6054e..ed9359732c 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -877,14 +877,6 @@ parseRequestAndResponseForContext(wrkrInstanceData_t *pWrkrData,fjson_object **p
+ 	int i;
+ 	int numitems;
+ 	fjson_object *items=NULL, *jo_errors = NULL;
+-	int errors = 0;
+-
+-	if(fjson_object_object_get_ex(replyRoot, "errors", &jo_errors)) {
+-		errors = fjson_object_get_boolean(jo_errors);
+-		if (!errors && pWrkrData->pData->retryFailures) {
+-			return RS_RET_OK;
+-		}
+-	}
+ 
+ 	/*iterate over items*/
+ 	if(!fjson_object_object_get_ex(replyRoot, "items", &items)) {
+@@ -897,6 +889,15 @@ parseRequestAndResponseForContext(wrkrInstanceData_t *pWrkrData,fjson_object **p
+ 
+ 	numitems = fjson_object_array_length(items);
+ 
++	int errors = 0;
++	if(fjson_object_object_get_ex(replyRoot, "errors", &jo_errors)) {
++		errors = fjson_object_get_boolean(jo_errors);
++		if (!errors && pWrkrData->pData->retryFailures) {
++			STATSCOUNTER_ADD(indexSuccess, mutIndexSuccess, numitems);
++			return RS_RET_OK;
++		}
++	}
++
+ 	if (reqmsg) {
+ 		DBGPRINTF("omelasticsearch: Entire request %s\n", reqmsg);
+ 	} else {
+@@ -1267,6 +1268,7 @@ getDataRetryFailures(context *ctx,int itemStatus,char *request,char *response,
+ 				response);
+ 		}
+ 	}
++
+ 	need_free_omes = 0;
+ 	CHKiRet(msgAddJSON(msg, (uchar*)".omes", omes, 0, 0));
+ 	MsgSetRuleset(msg, ctx->retryRuleset);

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-3.patch

@@ -0,0 +1,148 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index ed9359732c..8200403eaf 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -86,12 +86,14 @@ STATSCOUNTER_DEF(rebinds, mutRebinds)
+ static prop_t *pInputName = NULL;
+ 
+ #	define META_STRT "{\"index\":{\"_index\": \""
+-#	define META_STRT_CREATE "{\"create\":{\"_index\": \""
++#	define META_STRT_CREATE "{\"create\":{"    /* \"_index\": \" */
++#	define META_IX "\"_index\": \""
+ #	define META_TYPE "\",\"_type\":\""
+ #       define META_PIPELINE "\",\"pipeline\":\""
+ #	define META_PARENT "\",\"_parent\":\""
+ #	define META_ID "\", \"_id\":\""
+ #	define META_END  "\"}}\n"
++#	define META_END_NOQUOTE  " }}\n"
+ 
+ typedef enum {
+ 	ES_WRITE_INDEX,
+@@ -362,8 +364,8 @@ CODESTARTdbgPrintInstInfo
+ 	dbgprintf("\tdefaultPort=%d\n", pData->defaultPort);
+ 	dbgprintf("\tuid='%s'\n", pData->uid == NULL ? (uchar*)"(not configured)" : pData->uid);
+ 	dbgprintf("\tpwd=(%sconfigured)\n", pData->pwd == NULL ? "not " : "");
+-	dbgprintf("\tsearch index='%s'\n", pData->searchIndex);
+-	dbgprintf("\tsearch type='%s'\n", pData->searchType);
++	dbgprintf("\tsearch index='%s'\n", pData->searchIndex == NULL ? (uchar*)"(not configured)" : pData->searchIndex);
++        dbgprintf("\tsearch type='%s'\n",  pData->searchType == NULL ? (uchar*)"(not configured)" : pData->searchType);
+ 	dbgprintf("\tpipeline name='%s'\n", pData->pipelineName);
+ 	dbgprintf("\tdynamic pipeline name=%d\n", pData->dynPipelineName);
+ 	dbgprintf("\tskipPipelineIfEmpty=%d\n", pData->skipPipelineIfEmpty);
+@@ -596,8 +598,8 @@ getIndexTypeAndParent(const instanceData *const pData, uchar **const tpls,
+ 	}
+ 
+ done:
+-	assert(srchIndex != NULL);
+-	assert(srchType != NULL);
++	//assert(srchIndex != NULL);
++	//assert(srchType != NULL);
+ 	return;
+ }
+ 
+@@ -633,9 +635,14 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 		parent = NULL;
+ 	} else {
+ 		getIndexTypeAndParent(pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+-		r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
+-		if(r == 0) r = es_addChar(&url, '/');
+-		if(r == 0) r = es_addBuf(&url, (char*)searchType, ustrlen(searchType));
++		if(searchIndex != NULL) {
++			r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
++			if(r == 0) r = es_addChar(&url, '/');
++			if(searchType != NULL) {
++				if(r == 0) r = es_addBuf(&url, (char*)searchType, ustrlen(searchType));
++			}
++		} else
++			r = 0;
+ 		if(pipelineName != NULL && (!pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+ 			if(r == 0) r = es_addChar(&url, separator);
+ 			if(r == 0) r = es_addBuf(&url, "pipeline=", sizeof("pipeline=")-1);
+@@ -692,7 +699,11 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 	uchar *pipelineName;
+ 
+ 	getIndexTypeAndParent(pWrkrData->pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+-	r += ustrlen((char *)message) + ustrlen(searchIndex) + ustrlen(searchType);
++	r += ustrlen((char *)message);
++        if(searchIndex != NULL)
++                r += ustrlen(searchIndex);
++        if(searchType != NULL)
++                r += ustrlen(searchType);
+ 
+ 	if(parent != NULL) {
+ 		r += sizeof(META_PARENT)-1 + ustrlen(parent);
+@@ -717,6 +728,7 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ {
+ 	int length = strlen((char *)message);
+ 	int r;
++       	int endQuote = 1;
+ 	uchar *searchIndex = NULL;
+ 	uchar *searchType;
+ 	uchar *parent = NULL;
+@@ -725,28 +737,43 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ 	DEFiRet;
+ 
+ 	getIndexTypeAndParent(pWrkrData->pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+-	if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE)
++	if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE) {
+ 		r = es_addBuf(&pWrkrData->batch.data, META_STRT_CREATE, sizeof(META_STRT_CREATE)-1);
+-	else
++		endQuote = 0;
++	} else
+ 		r = es_addBuf(&pWrkrData->batch.data, META_STRT, sizeof(META_STRT)-1);
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchIndex,
++	if(searchIndex != NULL) {
++		endQuote = 1;
++		if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE)
++			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_IX, sizeof(META_IX)-1);
++		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchIndex,
+ 				 ustrlen(searchIndex));
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_TYPE, sizeof(META_TYPE)-1);
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchType,
++		if(searchType != NULL) {
++			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_TYPE, sizeof(META_TYPE)-1);
++			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchType,
+ 				 ustrlen(searchType));
++		}
++	}
+ 	if(parent != NULL) {
++		endQuote = 1;
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_PARENT, sizeof(META_PARENT)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)parent, ustrlen(parent));
+ 	}
+ 	if(pipelineName != NULL && (!pWrkrData->pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
++		endQuote = 1;
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_PIPELINE, sizeof(META_PIPELINE)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)pipelineName, ustrlen(pipelineName));
+ 	}
+ 	if(bulkId != NULL) {
++		endQuote = 1;
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_ID, sizeof(META_ID)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)bulkId, ustrlen(bulkId));
+ 	}
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_END, sizeof(META_END)-1);
++	if(endQuote == 0) {
++		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_END_NOQUOTE, sizeof(META_END_NOQUOTE)-1);
++	} else {
++		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_END, sizeof(META_END)-1);
++	}
+ 	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)message, length);
+ 	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, "\n", sizeof("\n")-1);
+ 	if(r != 0) {
+@@ -2094,6 +2121,8 @@ CODESTARTnewActInst
+ 		CHKiRet(computeBaseUrl("localhost", pData->defaultPort, pData->useHttps, pData->serverBaseUrls));
+ 	}
+ 
++	//Only needed befor ES-Version 7.x
++	/*
+ 	if(pData->searchIndex == NULL)
+ 		pData->searchIndex = (uchar*) strdup("system");
+ 	if(pData->searchType == NULL)
+@@ -2104,6 +2133,7 @@ CODESTARTnewActInst
+ 			"omelasticsearch: writeoperation '%d' requires bulkid", pData->writeOperation);
+ 		ABORT_FINALIZE(RS_RET_CONFIG_ERROR);
+ 	}
++	*/
+ 
+ 	if (pData->retryFailures) {
+ 		CHKiRet(ratelimitNew(&pData->ratelimiter, "omelasticsearch", NULL));

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-4.patch

@@ -0,0 +1,118 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 8200403eaf..8b74d610df 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -130,6 +130,7 @@ typedef struct instanceConf_s {
+ 	uchar *timeout;
+ 	uchar *bulkId;
+ 	uchar *errorFile;
++	int esVersion;
+ 	sbool errorOnly;
+ 	sbool interleaved;
+ 	sbool dynSrchIdx;
+@@ -221,7 +222,8 @@ static struct cnfparamdescr actpdescr[] = {
+ 	{ "ratelimit.interval", eCmdHdlrInt, 0 },
+ 	{ "ratelimit.burst", eCmdHdlrInt, 0 },
+ 	{ "retryruleset", eCmdHdlrString, 0 },
+-	{ "rebindinterval", eCmdHdlrInt, 0 }
++	{ "rebindinterval", eCmdHdlrInt, 0 },
++	{ "esversion.major", eCmdHdlrPositiveInt, 0 }
+ };
+ static struct cnfparamblk actpblk =
+ 	{ CNFPARAMBLK_VERSION,
+@@ -246,6 +248,7 @@ CODESTARTcreateInstance
+ 	pData->retryRulesetName = NULL;
+ 	pData->retryRuleset = NULL;
+ 	pData->rebindInterval = DEFAULT_REBIND_INTERVAL;
++	pData->esVersion = 0;
+ finalize_it:
+ ENDcreateInstance
+ 
+@@ -364,8 +367,10 @@ CODESTARTdbgPrintInstInfo
+ 	dbgprintf("\tdefaultPort=%d\n", pData->defaultPort);
+ 	dbgprintf("\tuid='%s'\n", pData->uid == NULL ? (uchar*)"(not configured)" : pData->uid);
+ 	dbgprintf("\tpwd=(%sconfigured)\n", pData->pwd == NULL ? "not " : "");
+-	dbgprintf("\tsearch index='%s'\n", pData->searchIndex == NULL ? (uchar*)"(not configured)" : pData->searchIndex);
+-        dbgprintf("\tsearch type='%s'\n",  pData->searchType == NULL ? (uchar*)"(not configured)" : pData->searchType);
++	dbgprintf("\tsearch index='%s'\n", pData->searchIndex == NULL
++			? (uchar*)"(not configured)" : pData->searchIndex);
++	dbgprintf("\tsearch type='%s'\n",  pData->searchType == NULL
++			? (uchar*)"(not configured)" : pData->searchType);
+ 	dbgprintf("\tpipeline name='%s'\n", pData->pipelineName);
+ 	dbgprintf("\tdynamic pipeline name=%d\n", pData->dynPipelineName);
+ 	dbgprintf("\tskipPipelineIfEmpty=%d\n", pData->skipPipelineIfEmpty);
+@@ -598,8 +603,6 @@ getIndexTypeAndParent(const instanceData *const pData, uchar **const tpls,
+ 	}
+ 
+ done:
+-	//assert(srchIndex != NULL);
+-	//assert(srchType != NULL);
+ 	return;
+ }
+ 
+@@ -700,11 +703,12 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 
+ 	getIndexTypeAndParent(pWrkrData->pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+ 	r += ustrlen((char *)message);
+-        if(searchIndex != NULL)
+-                r += ustrlen(searchIndex);
+-        if(searchType != NULL)
+-                r += ustrlen(searchType);
+-
++	if(searchIndex != NULL) {
++		r += ustrlen(searchIndex);
++	}
++	if(searchType != NULL) {
++		r += ustrlen(searchType);
++	}
+ 	if(parent != NULL) {
+ 		r += sizeof(META_PARENT)-1 + ustrlen(parent);
+ 	}
+@@ -728,7 +732,7 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ {
+ 	int length = strlen((char *)message);
+ 	int r;
+-       	int endQuote = 1;
++	int endQuote = 1;
+ 	uchar *searchIndex = NULL;
+ 	uchar *searchType;
+ 	uchar *parent = NULL;
+@@ -1990,6 +1994,8 @@ CODESTARTnewActInst
+ 			pData->retryRulesetName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(actpblk.descr[i].name, "rebindinterval")) {
+ 			pData->rebindInterval = (int) pvals[i].val.d.n;
++		} else if(!strcmp(actpblk.descr[i].name, "esversion.major")) {
++			pData->esVersion = pvals[i].val.d.n;
+ 		} else {
+ 			LogError(0, RS_RET_INTERNAL_ERROR, "omelasticsearch: program error, "
+ 				"non-handled param '%s'", actpblk.descr[i].name);
+@@ -2121,19 +2127,18 @@ CODESTARTnewActInst
+ 		CHKiRet(computeBaseUrl("localhost", pData->defaultPort, pData->useHttps, pData->serverBaseUrls));
+ 	}
+ 
+-	//Only needed befor ES-Version 7.x
+-	/*
+-	if(pData->searchIndex == NULL)
+-		pData->searchIndex = (uchar*) strdup("system");
+-	if(pData->searchType == NULL)
+-		pData->searchType = (uchar*) strdup("events");
++	if(pData->esVersion < 8) {
++		if(pData->searchIndex == NULL)
++			pData->searchIndex = (uchar*) strdup("system");
++		if(pData->searchType == NULL)
++			pData->searchType = (uchar*) strdup("events");
+ 
+-	if ((pData->writeOperation != ES_WRITE_INDEX) && (pData->bulkId == NULL)) {
+-		LogError(0, RS_RET_CONFIG_ERROR,
+-			"omelasticsearch: writeoperation '%d' requires bulkid", pData->writeOperation);
+-		ABORT_FINALIZE(RS_RET_CONFIG_ERROR);
++		if ((pData->writeOperation != ES_WRITE_INDEX) && (pData->bulkId == NULL)) {
++			LogError(0, RS_RET_CONFIG_ERROR,
++				"omelasticsearch: writeoperation '%d' requires bulkid", pData->writeOperation);
++			ABORT_FINALIZE(RS_RET_CONFIG_ERROR);
++		}
+ 	}
+-	*/
+ 
+ 	if (pData->retryFailures) {
+ 		CHKiRet(ratelimitNew(&pData->ratelimiter, "omelasticsearch", NULL));

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-5.patch

@@ -0,0 +1,40 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 76d5081d3b..f481ec3f7e 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -620,6 +620,8 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 	uchar *parent;
+ 	uchar *bulkId;
+ 	char* baseUrl;
++	/* since 7.0, the API always requires /idx/_doc, so use that if searchType is not explicitly set */
++	uchar* actualSearchType = (uchar*)"_doc";
+ 	es_str_t *url;
+ 	int r;
+ 	DEFiRet;
+@@ -645,11 +647,12 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 		if(searchIndex != NULL) {
+ 			r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
+ 			if(r == 0) r = es_addChar(&url, '/');
+-			if(searchType != NULL) {
+-				if(r == 0) r = es_addBuf(&url, (char*)searchType, ustrlen(searchType));
+-			}
+-		} else
+-			r = 0;
++
++		if(searchType != NULL) {
++			actualSearchType = searchType;
++		}
++		if(r == 0) r = es_addChar(&url, '/');
++		if(r == 0) r = es_addBuf(&url, (char*)actualSearchType, ustrlen(actualSearchType));
+ 		if(pipelineName != NULL && (!pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+ 			if(r == 0) r = es_addChar(&url, separator);
+ 			if(r == 0) r = es_addBuf(&url, "pipeline=", sizeof("pipeline=")-1);
+@@ -693,7 +696,7 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 	const uchar *const message,
+ 	uchar **const tpls)
+ {
+-	size_t r = sizeof(META_TYPE)-1 + sizeof(META_END)-1 + sizeof("\n")-1;
++	size_t r = sizeof(META_END)-1 + sizeof("\n")-1;
+ 	if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE)
+ 		r += sizeof(META_STRT_CREATE)-1;
+ 	else

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-6.patch

@@ -0,0 +1,53 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index f481ec3f7e..b297a9274f 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -623,7 +623,7 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 	/* since 7.0, the API always requires /idx/_doc, so use that if searchType is not explicitly set */
+ 	uchar* actualSearchType = (uchar*)"_doc";
+ 	es_str_t *url;
+-	int r;
++	int r = 0;
+ 	DEFiRet;
+ 	instanceData *const pData = pWrkrData->pData;
+ 	char separator;
+@@ -646,13 +646,12 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 		getIndexTypeAndParent(pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+ 		if(searchIndex != NULL) {
+ 			r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
++			if(searchType != NULL && searchType[0] != '\0') {
++				actualSearchType = searchType;
++			}
+ 			if(r == 0) r = es_addChar(&url, '/');
+-
+-		if(searchType != NULL) {
+-			actualSearchType = searchType;
++			if(r == 0) r = es_addBuf(&url, (char*)actualSearchType, ustrlen(actualSearchType));
+ 		}
+-		if(r == 0) r = es_addChar(&url, '/');
+-		if(r == 0) r = es_addBuf(&url, (char*)actualSearchType, ustrlen(actualSearchType));
+ 		if(pipelineName != NULL && (!pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+ 			if(r == 0) r = es_addChar(&url, separator);
+ 			if(r == 0) r = es_addBuf(&url, "pipeline=", sizeof("pipeline=")-1);
+@@ -714,7 +713,11 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 		r += ustrlen(searchIndex);
+ 	}
+ 	if(searchType != NULL) {
+-		r += ustrlen(searchType);
++		if(searchType[0] == '\0') {
++			r += 4; // "_doc"
++		} else {
++			r += ustrlen(searchType);
++		}
+ 	}
+ 	if(parent != NULL) {
+ 		r += sizeof(META_PARENT)-1 + ustrlen(parent);
+@@ -759,7 +762,7 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ 			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_IX, sizeof(META_IX)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchIndex,
+ 				 ustrlen(searchIndex));
+-		if(searchType != NULL) {
++		if(searchType != NULL && searchType[0] != '\0') {
+ 			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_TYPE, sizeof(META_TYPE)-1);
+ 			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchType,
+ 				 ustrlen(searchType));

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-doc.patch

@@ -0,0 +1,32 @@
+diff -up rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html.orig rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html
+--- rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html.orig	2023-05-11 15:56:24.308601241 +0200
++++ rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html	2023-05-11 15:57:11.000662477 +0200
+@@ -156,6 +156,28 @@ this timeframe. Defaults to 3500.</p>
+ <p><em>Note, the health check is verifying connectivity only, not the state of
+ the Elasticsearch cluster.</em></p>
+ </div>
++
++<div class="section" id="esVersion.major">
++  <span id="id2"></span><h4>esVersion.major<a class="headerlink" href="#esVersion.major" title="Permalink to this headline">¶</a></h4>
++  <table border="1" class="colwidths-auto parameter-table docutils">
++  <thead valign="bottom">
++  <tr class="row-odd"><th class="head">type</th>
++  <th class="head">default</th>
++  <th class="head">mandatory</th>
++  <th class="head"><code class="docutils literal notranslate"><span class="pre">obsolete</span> <span class="pre">legacy</span></code> directive</th>
++  </tr>
++  </thead>
++  <tbody valign="top">
++  <tr class="row-even"><td>integer</td>
++  <td>0</td>
++  <td>no</td>
++  <td>none</td>
++  </tr>
++  </tbody>
++  </table>
++  <p>ElasticSearch is notoriously bad at maintaining backwards compatibility. For this reason, the setting can be used to configure the server’s major version number (e.g. 7, 8, …). As far as we know breaking changes only happen with major version changes. As of now, only value 8 triggers API changes. All other values select pre-version-8 API usage.</p>
++  </div>
++
+ <div class="section" id="searchindex">
+ <span id="id3"></span><h4>searchIndex<a class="headerlink" href="#searchindex" title="Permalink to this headline">¶</a></h4>
+ <table border="1" class="colwidths-auto parameter-table docutils">

SOURCES/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch

@@ -0,0 +1,30 @@
+diff -up rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig rsyslog-8.37.0/plugins/imptcp/imptcp.c
+--- rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig	2022-05-09 12:22:59.050623119 +0200
++++ rsyslog-8.37.0/plugins/imptcp/imptcp.c	2022-05-09 12:34:39.979854853 +0200
+@@ -1032,7 +1032,10 @@ processDataRcvd(ptcpsess_t *const __rest
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
++			// *(pThis->pMsg + pThis->iMsg++) = c;
++			if(pThis->iMsg < iMaxLine) {
++				*(pThis->pMsg + pThis->iMsg++) = c;
++			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff -up rsyslog-8.37.0/runtime/tcps_sess.c.orig rsyslog-8.37.0/runtime/tcps_sess.c
+--- rsyslog-8.37.0/runtime/tcps_sess.c.orig	2022-05-09 12:23:12.789627661 +0200
++++ rsyslog-8.37.0/runtime/tcps_sess.c	2022-05-09 12:36:51.426898549 +0200
+@@ -389,7 +389,10 @@ processDataRcvd(tcps_sess_t *pThis,
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
++			// *(pThis->pMsg + pThis->iMsg++) = c;
++			if(pThis->iMsg < iMaxLine) {
++				*(pThis->pMsg + pThis->iMsg++) = c;
++			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);

SOURCES/rsyslog.conf

@@ -4,14 +4,6 @@
 # or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html 
 # If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
 
-#### GLOBAL DIRECTIVES ####
-
-# Where to place auxiliary files
-global(workDirectory="/var/lib/rsyslog")
-
-# Use default timestamp format
-module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
-
 #### MODULES ####
 
 module(load="imuxsock" 	  # provides support for local system logging (e.g. via logger command)
@@ -19,14 +11,10 @@ module(load="imuxsock" 	  # provides support for local system logging (e.g. via
 			  # local messages are retrieved through imjournal now.
 module(load="imjournal" 	    # provides access to the systemd journal
        UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
-       FileCreateMode="0644" # Set the access permissions for the state file
        StateFile="imjournal.state") # File to store the position in the journal
 #module(load="imklog") # reads kernel messages (the same are read from journald)
 #module(load="immark") # provides --MARK-- message capability
 
-# Include all config files in /etc/rsyslog.d/
-include(file="/etc/rsyslog.d/*.conf" mode="optional")
-
 # Provides UDP syslog reception
 # for parameters see http://www.rsyslog.com/doc/imudp.html
 #module(load="imudp") # needs to be done just once
@@ -37,6 +25,17 @@ include(file="/etc/rsyslog.d/*.conf" mode="optional")
 #module(load="imtcp") # needs to be done just once
 #input(type="imtcp" port="514")
 
+#### GLOBAL DIRECTIVES ####
+
+# Where to place auxiliary files
+global(workDirectory="/var/lib/rsyslog")
+
+# Use default timestamp format
+module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
+
+# Include all config files in /etc/rsyslog.d/
+include(file="/etc/rsyslog.d/*.conf" mode="optional")
+
 #### RULES ####
 
 # Log all kernel messages to the console.
@@ -69,13 +68,13 @@ local7.*                                                /var/log/boot.log
 
 # ### sample forwarding rule ###
 #action(type="omfwd"  
-# # An on-disk queue is created for this action. If the remote host is
+# An on-disk queue is created for this action. If the remote host is
-# # down, messages are spooled to disk and sent when it is up again.
+# down, messages are spooled to disk and sent when it is up again.
 #queue.filename="fwdRule1"       # unique name prefix for spool files
 #queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
 #queue.saveonshutdown="on"       # save messages to disk on shutdown
 #queue.type="LinkedList"         # run asynchronously
 #action.resumeRetryCount="-1"    # infinite retries if host is down
-# # Remote Logging (we use TCP for reliable delivery)
+# Remote Logging (we use TCP for reliable delivery)
-# # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
+# remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
 #Target="remote_host" Port="XXX" Protocol="tcp")

SOURCES/rsyslog.service

@@ -10,7 +10,6 @@ Documentation=https://www.rsyslog.com/doc/
 Type=notify
 EnvironmentFile=-/etc/sysconfig/rsyslog
 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
-ExecReload=/usr/bin/kill -HUP $MAINPID
 UMask=0066
 StandardOutput=null
 Restart=on-failure

SPECS/rsyslog.spec

@@ -0,0 +1,848 @@
+%define rsyslog_statedir %{_sharedstatedir}/%{name}
+%define rsyslog_pkidir %{_sysconfdir}/pki/%{name}
+%define rsyslog_docdir %{_docdir}/%{name}
+
+
+Summary: Enhanced system logging and kernel message trapping daemon
+Name: rsyslog
+Version: 8.2102.0
+Release: 15%{?dist}.1
+License: (GPLv3+ and ASL 2.0)
+Group: System Environment/Daemons
+ExcludeArch: i686
+URL: http://www.rsyslog.com/
+Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
+Source1: http://www.rsyslog.com/files/download/rsyslog/%{name}-doc-%{version}.tar.gz
+Source2: rsyslog.conf
+Source3: rsyslog.sysconfig
+Source4: rsyslog.log
+Source5: qpid-proton-0.34.0.tar.gz
+Source6: rsyslog.service
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: bison
+BuildRequires: flex
+BuildRequires: libcurl-devel
+BuildRequires: libgcrypt-devel
+BuildRequires: libfastjson-devel >= 0.99.8
+BuildRequires: libestr-devel >= 0.1.9
+BuildRequires: libtool
+BuildRequires: libuuid-devel
+BuildRequires: pkgconfig
+BuildRequires: python3-docutils
+# it depens on rhbz#1419228
+BuildRequires: systemd-devel >= 219-39
+BuildRequires: zlib-devel
+BuildRequires: openssl-devel
+
+Requires: openssl-libs
+Requires: logrotate >= 3.5.2
+Requires: bash >= 2.0
+Requires: libestr >= 0.1.9
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+
+Provides: syslog
+Obsoletes: sysklogd < 1.5-11
+
+# imjournal: adds "journal" when tag/process name is missing
+Patch0:  rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch
+Patch1:  rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch
+Patch2:  rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch
+Patch3:  rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch
+Patch4:  rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch
+Patch5:  rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch
+Patch6:  rsyslog-8.2102.0-rhbz1832368-prioritize-SAN.patch
+Patch7:  rsyslog-8.2102.0-rhbz1962318-errfile-maxsize.patch
+Patch8:  rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch
+Patch9:  rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch
+Patch10: rsyslog-8.2102.0-nsd_ossl-better-logs.patch
+Patch11: rsyslog-8.2102.0-imtcp-param-refactor.patch
+Patch12: rsyslog-8.2102.0-nsd_ossl-memory-leak.patch
+Patch13: rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch
+Patch14: rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch
+Patch15: rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch
+Patch16: rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch
+Patch17: rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch
+Patch18: rsyslog-8.2102.0-rhbz2157658-imklog.patch
+Patch19: rsyslog-8.2102.0-rhbz2157804-cstrlen.patch
+Patch20: rsyslog-8.2102.0-rhbz2192955-es-0.patch
+Patch21: rsyslog-8.2102.0-rhbz2192955-es-1.patch
+Patch22: rsyslog-8.2102.0-rhbz2192955-es-2.patch
+Patch23: rsyslog-8.2102.0-rhbz2192955-es-3.patch
+Patch24: rsyslog-8.2102.0-rhbz2192955-es-4.patch
+Patch25: rsyslog-8.2102.0-rhbz2192955-es-5.patch
+Patch26: rsyslog-8.2102.0-rhbz2192955-es-6.patch
+Patch27: rsyslog-8.2102.0-rhbz2192955-es-doc.patch
+Patch28: propagate-gnutlsPriorityString.patch
+
+%package crypto
+Summary: Encryption support
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+
+%package doc
+Summary: HTML Documentation for rsyslog
+Group: Documentation
+#no reason to have arched documentation
+BuildArch: noarch
+
+%package elasticsearch
+Summary: ElasticSearch output module for rsyslog
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+
+%package gnutls
+Summary: TLS protocol support for rsyslog via GnuTLS library
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+BuildRequires: gnutls-devel
+
+%package openssl
+Summary: TLS protocol support for rsyslog via OpenSSL library
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+BuildRequires: openssl-devel
+
+%package gssapi
+Summary: GSSAPI authentication and encryption support for rsyslog
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+BuildRequires: krb5-devel
+
+%package kafka
+Summary: Provides kafka support for rsyslog
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+BuildRequires: librdkafka-devel
+
+%package mmaudit
+Summary: Message modification module supporting Linux audit format
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+
+%package mmjsonparse
+Summary: JSON enhanced logging support
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+
+%package mmkubernetes
+Summary: Provides the mmkubernetes module
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+
+%package mmnormalize
+Summary: Log normalization support for rsyslog
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+BuildRequires: liblognorm-devel
+
+%package mmfields
+Summary: Fields extraction module
+Requires: %name = %version-%release
+
+%package mmsnmptrapd
+Summary: Message modification module for snmptrapd generated messages
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+
+%package mysql
+Summary: MySQL support for rsyslog
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+BuildRequires: mariadb-connector-c-devel
+
+%package omamqp1
+Summary: AMQP1 support for rsyslog
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+Requires: cyrus-sasl-lib
+Requires: openssl-libs
+BuildRequires: cmake
+BuildRequires: make
+BuildRequires: gcc
+BuildRequires: gcc-c++
+BuildRequires: cyrus-sasl-devel
+BuildRequires: openssl-devel
+BuildRequires: python3
+
+%package pgsql
+Summary: PostgresSQL support for rsyslog
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+BuildRequires: postgresql-devel
+
+%package relp
+Summary: RELP protocol support for rsyslog
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+Requires: librelp >= 1.9.0
+BuildRequires: librelp-devel >= 1.9.0
+
+%package snmp
+Summary: SNMP protocol support for rsyslog
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+BuildRequires: net-snmp-devel
+
+%package udpspoof
+Summary: Provides the omudpspoof module
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+BuildRequires: libnet-devel
+
+%description
+Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
+syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
+and fine grain output format control. It is compatible with stock sysklogd
+and can be used as a drop-in replacement. Rsyslog is simple to set up, with
+advanced features suitable for enterprise-class, encryption-protected syslog
+relay chains.
+
+%description crypto
+This package contains a module providing log file encryption and a
+command line tool to process encrypted logs.
+
+%description doc
+This subpackage contains documentation for rsyslog.
+
+%description elasticsearch
+This module provides the capability for rsyslog to feed logs directly into
+Elasticsearch.
+
+%description gnutls
+The rsyslog-gnutls package contains the rsyslog plugins that provide the
+ability to send and receive syslog messages via TCP or RELP using TLS
+encryption via GnuTLS library. For details refer to rsyslog doc on imtcp
+and omfwd modules.
+
+%description openssl
+The rsyslog-openssl package contains the rsyslog plugins that provide the
+ability to send and receive syslog messages via TCP or RELP using TLS
+encryption via OpenSSL library. For details refer to rsyslog doc on imtcp
+and omfwd modules.
+
+%description gssapi
+The rsyslog-gssapi package contains the rsyslog plugins which support GSSAPI
+authentication and secure connections. GSSAPI is commonly used for Kerberos
+authentication.
+
+%description kafka
+The rsyslog-kafka package provides modules for Apache Kafka input and output.
+
+%description mmaudit
+This module provides message modification supporting Linux audit format
+in various settings.
+
+%description mmjsonparse
+This module provides the capability to recognize and parse JSON enhanced
+syslog messages.
+
+%description mmkubernetes
+The rsyslog-mmkubernetes package provides module for adding kubernetes
+container metadata.
+
+%description mmnormalize
+This module provides the capability to normalize log messages via liblognorm.
+
+%description mmfields
+The mmfield module permits to extract fields. Using this module is of special
+advantage if a field-based log format is to be processed, like for example CEF
+and either a large number of fields is needed or a specific field is used multiple
+times inside filters.
+
+%description mmsnmptrapd
+This message modification module takes messages generated from snmptrapd and
+modifies them so that they look like they originated from the read originator.
+
+%description mysql
+The rsyslog-mysql package contains a dynamic shared object that will add
+MySQL database support to rsyslog.
+
+%description omamqp1
+The rsyslog-omamqp1 package contains a dynamic shared object that will add
+AMQP1 support to rsyslog.
+
+%description pgsql
+The rsyslog-pgsql package contains a dynamic shared object that will add
+PostgreSQL database support to rsyslog.
+
+%description relp
+The rsyslog-relp package contains the rsyslog plugins that provide
+the ability to receive syslog messages via the reliable RELP
+protocol.
+
+%description snmp
+The rsyslog-snmp package contains the rsyslog plugin that provides the
+ability to send syslog messages as SNMPv1 and SNMPv2c traps.
+
+%description udpspoof
+This module is similar to the regular UDP forwarder, but permits to
+spoof the sender address. Also, it enables to circle through a number
+of source ports.
+
+%prep
+# set up rsyslog-doc sources
+%setup -q -a 1 -T -c
+#regenerate the docs
+
+#mv build/searchindex.js searchindex_backup.js
+#sphinx-build -b html source build
+#clean up
+#mv searchindex_backup.js build/searchindex.js
+
+rm -r LICENSE README.md source build/objects.inv
+mv build doc
+
+# set up rsyslog sources
+%setup -q -D
+%setup -q -D -T -b 5
+
+%patch -P 0 -p1
+%patch -P 1 -p1
+%patch -P 2 -p1
+%patch -P 3 -p1
+%patch -P 4 -p1
+%patch -P 5 -p1
+%patch -P 6 -p1
+%patch -P 7 -p1
+%patch -P 8 -p1
+%patch -P 9 -p1
+%patch -P 10 -p1
+%patch -P 11 -p1
+%patch -P 12 -p1
+%patch -P 13 -p1
+%patch -P 14 -p1
+%patch -P 15 -p1
+%patch -P 16 -p1
+%patch -P 17 -p1
+%patch -P 18 -p1
+%patch -P 19 -p1
+%patch -P 20 -p1
+%patch -P 21 -p1
+%patch -P 22 -p1
+%patch -P 23 -p1
+%patch -P 24 -p1
+%patch -P 25 -p1
+%patch -P 26 -p1
+%patch -P 27 -p1
+%patch -P 28 -p1
+
+%build
+%ifarch sparc64
+#sparc64 need big PIE
+export CFLAGS="$RPM_OPT_FLAGS -fPIC"
+%else
+export CFLAGS="$RPM_OPT_FLAGS -fpic"
+%endif
+# build the proton first
+(
+	cd %{_builddir}/qpid-proton-0.34.0
+	mkdir bld
+	cd bld
+
+	# Need ENABLE_FUZZ_TESTING=NO to avoid a link failure
+	# Find python include dir and python library from
+	# https://stackoverflow.com/questions/24174394/cmake-is-not-able-to-find-python-libraries
+    cmake .. \
+		-DBUILD_BINDINGS="" \
+		-DBUILD_STATIC_LIBS=YES \
+		-DENABLE_FUZZ_TESTING=NO \
+		-DPYTHON_INCLUDE_DIR=$(python3 -c "from distutils.sysconfig import get_python_inc; print(get_python_inc())")  \
+		-DPYTHON_LIBRARY=$(python3 -c "import distutils.sysconfig as sysconfig; print(sysconfig.get_config_var('LIBDIR'))") \
+		-DCMAKE_AR="/usr/bin/gcc-ar" -DCMAKE_NM="/usr/bin/gcc-nm" -DCMAKE_RANLIB="/usr/bin/gcc-ranlib"
+	make -j8
+)
+%ifarch sparc64
+#sparc64 need big PIE
+export CFLAGS="$RPM_OPT_FLAGS -fPIE"
+%else
+export CFLAGS="$RPM_OPT_FLAGS -fpie"
+%endif
+export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
+
+sed -i 's/%{version}/%{version}-%{release}/g' configure.ac
+autoreconf -if
+%configure \
+	--prefix=/usr \
+	--disable-static \
+	--disable-testbench \
+	--enable-elasticsearch \
+	--enable-generate-man-pages \
+	--enable-gnutls \
+	--enable-openssl \
+	--enable-gssapi-krb5 \
+	--enable-imdiag \
+	--enable-imfile \
+	--enable-imjournal \
+	--enable-imkafka \
+	--enable-impstats \
+	--enable-imptcp \
+	--enable-mail \
+	--enable-mmanon \
+	--enable-mmaudit \
+	--enable-mmcount \
+	--enable-mmjsonparse \
+	--enable-mmkubernetes \
+	--enable-mmnormalize \
+	--enable-mmfields \
+	--enable-mmsnmptrapd \
+	--enable-mmutf8fix \
+	--enable-mysql \
+	--enable-omamqp1 PROTON_LIBS="%{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-core-static.a %{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-proactor-static.a %{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-static.a -lssl -lsasl2 -lcrypto" PROTON_CFLAGS="-I%{_builddir}/qpid-proton-0.34.0/bld/c/include" \
+	--enable-omhttp \
+	--enable-omjournal \
+	--enable-omkafka \
+	--enable-omprog \
+	--enable-omstdout \
+	--enable-omudpspoof \
+	--enable-omuxsock \
+	--enable-pgsql \
+	--enable-pmaixforwardedfrom \
+	--enable-pmcisconames \
+	--enable-pmlastmsg \
+	--enable-pmsnare \
+	--enable-relp \
+	--enable-snmp \
+	--enable-unlimited-select \
+	--enable-usertools
+
+make
+
+%install
+make DESTDIR=%{buildroot} install
+
+install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig
+install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
+install -d -m 755 %{buildroot}%{_unitdir}
+install -d -m 755 %{buildroot}%{_sysconfdir}/rsyslog.d
+install -d -m 700 %{buildroot}%{rsyslog_statedir}
+install -d -m 700 %{buildroot}%{rsyslog_pkidir}
+install -d -m 755 %{buildroot}%{rsyslog_docdir}/html
+
+install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/rsyslog.conf
+install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/rsyslog
+install -p -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/syslog
+install -p -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/rsyslog.service
+install -p -m 644 plugins/ommysql/createDB.sql %{buildroot}%{rsyslog_docdir}/mysql-createDB.sql
+install -p -m 644 plugins/ompgsql/createDB.sql %{buildroot}%{rsyslog_docdir}/pgsql-createDB.sql
+install -p -m 644 contrib/mmkubernetes/*.rulebase %{buildroot}%{rsyslog_docdir}
+# extract documentation
+cp -r doc/* %{buildroot}%{rsyslog_docdir}/html
+# get rid of libtool libraries
+rm -f %{buildroot}%{_libdir}/rsyslog/*.la
+
+# convert line endings from "\r\n" to "\n"
+cat tools/recover_qi.pl | tr -d '\r' > %{buildroot}%{_bindir}/rsyslog-recover-qi.pl
+
+%post
+for n in /var/log/{messages,secure,maillog,spooler}
+do
+	[ -f $n ] && continue
+	umask 066 && touch $n
+done
+%systemd_post rsyslog.service
+
+%preun
+%systemd_preun rsyslog.service
+
+%postun
+%systemd_postun_with_restart rsyslog.service
+
+%files
+%doc AUTHORS COPYING* ChangeLog
+%exclude %{rsyslog_docdir}/html
+%exclude %{rsyslog_docdir}/mysql-createDB.sql
+%exclude %{rsyslog_docdir}/pgsql-createDB.sql
+%dir %{_libdir}/rsyslog
+%dir %{_sysconfdir}/rsyslog.d
+%dir %{rsyslog_statedir}
+%dir %{rsyslog_pkidir}
+%{_sbindir}/rsyslogd
+%attr(755,root,root) %{_bindir}/rsyslog-recover-qi.pl
+%{_mandir}/man5/rsyslog.conf.5.gz
+%{_mandir}/man8/rsyslogd.8.gz
+%{_unitdir}/rsyslog.service
+%config(noreplace) %{_sysconfdir}/rsyslog.conf
+%config(noreplace) %{_sysconfdir}/sysconfig/rsyslog
+%config(noreplace) %{_sysconfdir}/logrotate.d/syslog
+# plugins
+%{_libdir}/rsyslog/fmhash.so
+%{_libdir}/rsyslog/fmhttp.so
+%{_libdir}/rsyslog/imdiag.so
+%{_libdir}/rsyslog/imfile.so
+%{_libdir}/rsyslog/imjournal.so
+%{_libdir}/rsyslog/imklog.so
+%{_libdir}/rsyslog/immark.so
+%{_libdir}/rsyslog/impstats.so
+%{_libdir}/rsyslog/imptcp.so
+%{_libdir}/rsyslog/imtcp.so
+%{_libdir}/rsyslog/imudp.so
+%{_libdir}/rsyslog/imuxsock.so
+%{_libdir}/rsyslog/lmnet.so
+%{_libdir}/rsyslog/lmnetstrms.so
+%{_libdir}/rsyslog/lmnsd_ptcp.so
+%{_libdir}/rsyslog/lmregexp.so
+%{_libdir}/rsyslog/lmtcpclt.so
+%{_libdir}/rsyslog/lmtcpsrv.so
+%{_libdir}/rsyslog/lmzlibw.so
+%{_libdir}/rsyslog/mmanon.so
+%{_libdir}/rsyslog/mmcount.so
+%{_libdir}/rsyslog/mmexternal.so
+%{_libdir}/rsyslog/mmutf8fix.so
+%{_libdir}/rsyslog/omhttp.so
+%{_libdir}/rsyslog/omjournal.so
+%{_libdir}/rsyslog/ommail.so
+%{_libdir}/rsyslog/omprog.so
+%{_libdir}/rsyslog/omstdout.so
+%{_libdir}/rsyslog/omtesting.so
+%{_libdir}/rsyslog/omuxsock.so
+%{_libdir}/rsyslog/pmaixforwardedfrom.so
+%{_libdir}/rsyslog/pmcisconames.so
+%{_libdir}/rsyslog/pmlastmsg.so
+%{_libdir}/rsyslog/pmsnare.so
+
+%files crypto
+%{_bindir}/rscryutil
+%{_mandir}/man1/rscryutil.1.gz
+%{_libdir}/rsyslog/lmcry_gcry.so
+
+%files doc
+%doc %{rsyslog_docdir}/html
+
+%files elasticsearch
+%{_libdir}/rsyslog/omelasticsearch.so
+
+%files gssapi
+%{_libdir}/rsyslog/lmgssutil.so
+%{_libdir}/rsyslog/imgssapi.so
+%{_libdir}/rsyslog/omgssapi.so
+
+%files gnutls
+%{_libdir}/rsyslog/lmnsd_gtls.so
+
+%files openssl
+%{_libdir}/rsyslog/lmnsd_ossl.so
+
+%files kafka
+%{_libdir}/rsyslog/imkafka.so
+%{_libdir}/rsyslog/omkafka.so
+
+%files mmaudit
+%{_libdir}/rsyslog/mmaudit.so
+
+%files mmjsonparse
+%{_libdir}/rsyslog/mmjsonparse.so
+
+%files mmkubernetes
+%{_libdir}/rsyslog/mmkubernetes.so
+%doc %{rsyslog_docdir}/k8s_filename.rulebase
+%doc %{rsyslog_docdir}/k8s_container_name.rulebase
+
+%files mmnormalize
+%{_libdir}/rsyslog/mmnormalize.so
+
+%files mmfields
+%{_libdir}/rsyslog/mmfields.so
+
+%files mmsnmptrapd
+%{_libdir}/rsyslog/mmsnmptrapd.so
+
+%files mysql
+%doc %{rsyslog_docdir}/mysql-createDB.sql
+%{_libdir}/rsyslog/ommysql.so
+
+%files omamqp1
+%{_libdir}/rsyslog/omamqp1.so
+
+%files pgsql
+%doc %{rsyslog_docdir}/pgsql-createDB.sql
+%{_libdir}/rsyslog/ompgsql.so
+
+%files relp
+%{_libdir}/rsyslog/imrelp.so
+%{_libdir}/rsyslog/omrelp.so
+
+%files snmp
+%{_libdir}/rsyslog/omsnmp.so
+
+%files udpspoof
+%defattr(-,root,root)
+%{_libdir}/rsyslog/omudpspoof.so
+
+%changelog
+* Mon Aug 26 2024 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-15.1
+- Propagate gnutlsPriorityString when accepting new connection
+  resolves: RHEL-54663
+
+* Thu May 11 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-15
+- omelasticsearch: make compatible with elasticsearch>=8
+- add new action specific parameter esversion.major
+  resolves: rhbz#2192955
+
+* Tue May 09 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-14
+- Fix wrong type conversion in cstrLen()
+  resolves: rhbz#2157804
+- imjournal: by default retrieves _PID from journal as PID number
+  resolves: rhbz#2176398
+- Systemd service file hardening
+  resolves: rhbz#2176404
+
+* Mon Jan 09 2023 Attila Lakatos <alaktos@redhat.com> - 8.2102.0-13
+- Make rsyslog-relp require librelp>= 1.9.0
+  resolves: rhbz#2029352
+- Reorder logrotate parameters to work with POSIXLY_CORRECT env var
+  resolves: rhbz#2070496
+
+* Fri Jan 06 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-12
+- Fix invalid memory adressing in imklog that could cause abort
+  resolves: rhbz#2157658
+
+* Tue Sep 06 2022 Sergio Arroutbi <sarroutb@redhat.com> - 8.2102.0-11
+- Enable multiple SSL CA files
+  resolves: rhbz#2124934
+
+* Wed Apr 13 2022 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-10
+- openssl: Correct gnutlsPriorityString (custom ciphers) behaviour
+- Fix error handling in gtlsRecordRecv that can cause 100 percent CPU usage
+  resolves: rhbz#2046158
+- Address CVE-2022-24903, Heap-based overflow in TCP syslog server
+  resolves: rhbz#2081401
+
+* Mon Mar 28 2022 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-9
+- Add deleteStateOnFileMove imfile module option
+  resolves: rhbz#1909639
+- Add inotify_rm_watch() inotify API call when object needs to be destroyed
+  resolves: rhbz#2052403
+
+* Fri Mar 04 2022 Sergio Arroutbi <sarroutb@redhat.com> - 8.2102.0-8
+- Include maxsize for error files
+  resolves: rhbz#1962318
+
+* Mon Nov 22 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-7
+- Propagate prioritizeSAN when accepting new connection
+  resolves: rhbz#1832368
+
+* Mon Oct 18 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-6
+- Enable mmfields module
+  resolves: rhbz#1947907
+  resolves: rhbz#1866900
+
+* Wed Aug 04 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-5
+- Do not exit when user/group can not be found
+  resolves: rhbz#1984489
+- Remove abortOnIDResolution fail
+
+* Tue Jul 27 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-4
+- Allways use message severity when comparing with ratelimit severity
+  resolves: rhbz#1984616
+
+* Mon Jun 28 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-3
+- Priority field must have valid length
+  resolves: rhbz#1866877
+- Allocate more memory on too large groups
+  resolves: rhbz#1944718
+
+* Tue May 18 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-2
+  RHEL 8.5.0 ERRATUM
+- rebase to 8.2102.0
+  resolves: rhbz#1932795
+- Enable openssl
+  resolves: rhbz#1891458
+- EKU check for client cert on server side
+  resolves: rhbz#1783348
+- Use GNUTLS_SHUT_WR when ending TLS connections
+  resolves: rhbz#1880434
+- Use librelp with openssl enabled
+  resolves: rhbz#1795607
+- Close dir when fsync=on
+  resolves: rhbz#1960536
+
+* Wed Nov 18 2020 Attila Lakatos <alakatos@redhat.com> - 8.1911.0-7
+- add back rsyslog-udpspoof package
+  resolves: rhbz#1869874
+
+* Thu Jun 18 2020 Jiri Vymazal <jvymazal@redhat.com> - 8.1911.0-6
+  RHEL 8.3.0 ERRATUM
+- added patch preventing imfile crash when selinux blocks symlink
+  access
+  resolves: rhbz#1843994
+- fixed config-enabled patch
+  resolves: rhbz#1659383
+
+* Thu Jun 04 2020 Jiri Vymazal <jvymazal@redhat.com> - 8.1911.0-5
+  RHEL 8.3.0 ERRATUM
+- added qpid-proton as another source and enabled omamqp1 module
+  in a separate sub-package with it statically linked
+  resolves: rhbz#1713427
+- extended config.enabled patch to cover rest of the cases
+  resolves: rhbz#1659383
+- added patch making json serialization thread-safe
+  resolves: rhbz#1789675
+- added another patch for imfile state-files id
+  resolves: rhbz#1793569
+- fixed typo in commend-out part of default rsyslog.conf
+
+* Wed Dec 11 2019 Jiri Vymazal <jvymazal@redhat.com> - 8.1911.0-3
+  RHEL 8.2.0 ERRATUM
+- added patch reverting rejecting expired certs by default
+  resolves: rhbz#1782353
+- added patch silencing false errors on config.enabled statement
+  resolves: rhbz#1659383
+
+* Tue Dec 03 2019 Jiri Vymazal <jvymazal@redhat.com> - 8.1911.0-2
+  RHEL 8.2.0 ERRATUM
+- cleaned old patches, fixed patch names
+  resolves: rhbz#1740683
+
+* Mon Dec 02 2019 Jiri Vymazal <jvymazal@redhat.com> - 8.1911.0-1
+  RHEL 8.2.0 ERRATUM
+- rebased to 8.1911.0 upstream version, removed, previously
+  upstreamed patches
+  resolves: rhbz#1740683
+  resolves: rhbz#1659383
+  resolves: rhbz#1746876
+  resolves: rhbz#1676559
+  resolves: rhbz#1692072
+  resolves: rhbz#1692073
+  resolves: rhbz#1692074
+  resolves: rhbz#1699242
+  resolves: rhbz#1738213
+  resolves: rhbz#1744691
+  resolves: rhbz#1755218
+  resolves: rhbz#1768321
+  resolves: rhbz#1768324
+- added patch fixing imfile stefiles naming
+  resolves: rhbz#1763757
+
+* Fri Aug 30 2019 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-13
+  RHEL 8.1.0 ERRATUM
+- added patch enabling stricter TLS certs checking conforming to
+  common criteria requirements
+  resolves: rhbz#1733244
+
+* Mon Jul 22 2019 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-12
+  RHEL 8.1.0 ERRATUM
+- edited imjournal memleak patch to not cause double-free crash
+  resolves: rhbz#1729995
+- added patch calling journald API only when there are no
+  preceeding errors
+  resolves: rhbz#1722165
+- added patch fixing imrelp module when invoked with old syntax
+  resolves: rhbz#1724218
+
+* Wed Jun 05 2019 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-11
+  RHEL 8.1.0 ERRATUM
+- fixed memory leak in imjournal by proper cursor releasing
+  resolves: rhbz#1716867
+
+* Fri May 10 2019 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-10
+  RHEL 8.1.0 ERRATUM
+- added option for imfile endmsg.regex
+  resolves: rhbz#1627941
+- added patch enhancing imfile rotation detection
+  resolves: rhbz#1674471
+- added patch fixing msgOffset datatype preventing crash on
+  message with too long other fields
+  resolves: rhbz#1677037
+- added patch introducing "preservecase" option for imudp/imtcp
+  resolves: rhbz#1614181
+
+* Mon Dec 17 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-9
+  RHEL 8.0.0 ERRATUM
+- added back legacy option for imjournal default tag
+  resolves: rhbz#1659898
+
+* Fri Dec 14 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-8
+  RHEL 8.0.0 ERRATUM
+- fixes mmkubenetes handling 404 and 429 errors
+  resolves: rhbz#1622768
+
+* Fri Oct 19 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-7
+- removed version from docdir macro
+  resolves: rhbz#1638023
+
+* Mon Aug 27 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-6
+- updated patch for enhanced imfile symlink support
+  resolves: rhbz#1614179
+
+* Fri Aug 10 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-5
+- rebuild for rebased dependencies
+- dependency cleanup and sorted sub-packages in spec
+  resolves: rhbz#1613880
+
+* Fri Aug 10 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-4
+- enabled mmkubernetes module
+  resolves: rhbz#1614432
+  resolves: rhbz#1614441
+
+* Thu Aug 09 2018 Josef Ridky <jridky@redhat.com> - 8.37.0-3
+- Rebuild for Net-SNMP
+
+* Thu Aug 09 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-2
+- added patch for enhanced imfile symlink support
+  resolves: rhbz#1614179
+
+* Wed Aug 08 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-1
+- rebase to 8.37.0
+  resolves: rhbz#1613880
+  resolves: rhbz#1564054
+  resolves: rhbz#1598218
+  - dropped invalid statefile patch - upstreamed
+  - dropped imjournal duplicates patch - upstreamed
+  resolves: rhbz#1544394
+- renumbered default tag patch and fitted onto rebased version
+
+* Fri Aug 03 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.36.0-4
+- removed dependency on libee
+  resolves: rhbz#1612032
+
+* Wed Aug 01 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.36.0-3
+- dropped json_nonoverwrite patch as there is no reason for
+  keeping it
+- renumbered rest of patches
+- added release number to AC_INIT to have it in package error logs
+
+* Mon Jul 16 2018 Charalampos Stratakis <cstratak@redhat.com> - 8.36.0-2
+- Depend on python3-docutils
+
+* Mon Jul 02 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.36.0-1
+- changed PID file name to follow upstream
+- removed config option to disable stdlog as it is now
+  disabled by default
+
+* Thu Jun 28 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.36.0-1
+- rebase to 8.36
+- removed hiredis module
+- removed omudpspoof module
+  resolves: rhbz#1593762
+- finished converting config to new-style syntax
+
+* Mon May 21 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.35.0-1
+- spec file cleanup
+- enabled kafka and hiredis modules
+  resolves: rhbz#1542497
+  resolves: rhbz#1542504
+- renamed patch fixing imjournal duplicating messages
+  resolves: rhbz#1544394
+
+* Thu May 17 2018 Marek Tamaskovic <mtamasko@redhat.com> - 8.35.0-1
+- rebase to 8.35
+- rebased patches from 8.32 to 8.35
+  - fixed imjournal-duplicates
+  - fixed imjournal-default-tag
+  - fixed service patch
+  - fixed in upstream deserialize-property-name
+
+* Fri Mar 23 2018 Radovan Sroka <rsroka@redhat.com> - 8.32.0-2
+- rebuild, bumped release number
+
+* Tue Feb 06 2018 Radovan Sroka <rsroka@redhat.com> - 8.32.0-1
+- initial clean build with plugins from rhel7
+- removed plugins:
+  - libdbi
+  - omruleset
+  - pmrfc3164sd
+- imported from fedora26

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-9
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}

rsyslog-8.2310.0-do-not-preserve-statefile-on-file-move-doc.patch

@@ -1,42 +0,0 @@
-diff -up rsyslog-8.2310.0/doc/configuration/modules/imfile.html.orig rsyslog-8.2310.0/doc/configuration/modules/imfile.html
---- rsyslog-8.2310.0/doc/configuration/modules/imfile.html.orig	2023-11-06 09:34:00.022802039 +0100
-+++ rsyslog-8.2310.0/doc/configuration/modules/imfile.html	2023-11-06 09:37:02.086613055 +0100
-@@ -293,6 +293,30 @@ rsyslog needs write permissions to work
- also might require SELinux definitions (or similar for other enhanced security
- systems).</p>
- </div>
-+
-+<div class="section" id="deletestateonfilemove">
-+  <h4>deleteStateOnFileMove<a class="headerlink" href="#deletestateonfilemove" title="Permalink to this headline">¶</a></h4>
-+  <table border="1" class="colwidths-auto parameter-table docutils">
-+  <thead valign="bottom">
-+  <tr class="row-odd"><th class="head">type</th>
-+  <th class="head">default</th>
-+  <th class="head">mandatory</th>
-+  <th class="head"><code class="docutils literal notranslate"><span class="pre">obsolete</span> <span class="pre">legacy</span></code> directive</th>
-+  </tr>
-+  </thead>
-+  <tbody valign="top">
-+  <tr class="row-even"><td>binary</td>
-+  <td>off</td>
-+  <td>no</td>
-+  <td>none</td>
-+  </tr>
-+  </tbody>
-+  </table>
-+  <p>This parameter controls if state files are deleted if their associated main file is rotated via move. Usually, this is a good idea, because otherwise state files are not deleted when log rotation occurs.</p>
-+
-+<p>However, there is one situation where not deleting associated state file after log rotation makes sense: this is the case if a monitored file is later moved back to the same location as it was before.</p>
-+</div>
-+
- </div>
- <div class="section" id="input-parameters">
- <h3>Input Parameters<a class="headerlink" href="#input-parameters" title="Permalink to this headline">¶</a></h3>
-@@ -1237,6 +1261,7 @@ and Others.</p>
- <li><a class="reference internal" href="#sortfiles">sortFiles</a></li>
- <li><a class="reference internal" href="#pollinginterval">PollingInterval</a></li>
- <li><a class="reference internal" href="#statefile-directory">statefile.directory</a></li>
-+<li><a class="reference internal" href="#deletestateonfilemove">deleteStateOnFileMove</a></li>
- </ul>
- </li>
- <li><a class="reference internal" href="#input-parameters">Input Parameters</a><ul>

rsyslog-8.2310.0-omprog-binary-path.patch

@@ -1,41 +0,0 @@
-diff -up rsyslog-8.2310.0/doc/configuration/modules/omprog.html.orig rsyslog-8.2310.0/doc/configuration/modules/omprog.html
---- rsyslog-8.2310.0/doc/configuration/modules/omprog.html.orig	2024-01-05 13:21:14.474252913 +0100
-+++ rsyslog-8.2310.0/doc/configuration/modules/omprog.html	2024-01-05 13:25:09.128562192 +0100
-@@ -144,8 +144,11 @@ passed to the external program.</p>
- </tr>
- </tbody>
- </table>
--<p>Full path and command line parameters of the external program to execute.</p>
--<p>In legacy config, it is <strong>not possible</strong> to specify command line parameters.</p>
-+<p>Full path and command line parameters of the external program to execute.
-+  Arbitrary external programs should be placed under the /usr/libexec/rsyslog directory.
-+  That is, the binaries put in this namespaced directory are meant for the consumption
-+  of rsyslog, and are not intended to be executed by users.
-+  In legacy config, it is <strong>not possible</strong> to specify command line parameters.</p>
- </div>
- <div class="section" id="confirmmessages">
- <span id="id1"></span><h4>confirmMessages<a class="headerlink" href="#confirmmessages" title="Permalink to this headline">¶</a></h4>
-@@ -587,12 +590,12 @@ multiple processes.</p>
- <div class="section" id="example-command-line-arguments">
- <h3>Example: command line arguments<a class="headerlink" href="#example-command-line-arguments" title="Permalink to this headline">¶</a></h3>
- <p>In the following example, logs will be sent to a program <code class="docutils literal notranslate"><span class="pre">log.sh</span></code> located
--in <code class="docutils literal notranslate"><span class="pre">/path/to</span></code>. The program will receive the command line arguments
-+in <code class="docutils literal notranslate"><span class="pre">/usr/libexec/rsyslog</span></code>. The program will receive the command line arguments
- <code class="docutils literal notranslate"><span class="pre">p1</span></code>, <code class="docutils literal notranslate"><span class="pre">p2</span></code> and <code class="docutils literal notranslate"><span class="pre">--param3=&quot;value</span> <span class="pre">3&quot;</span></code>.</p>
- <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>module(load=&quot;omprog&quot;)
- 
- action(type=&quot;omprog&quot;
--       binary=&quot;/path/to/log.sh p1 p2 --param3=\&quot;value 3\&quot;&quot;
-+       binary=&quot;/usr/libexec/rsyslog/log.sh p1 p2 --param3=\&quot;value 3\&quot;&quot;
-        template=&quot;RSYSLOG_TraditionalFileFormat&quot;)
- </pre></div>
- </div>
-@@ -618,7 +621,7 @@ rsyslog will kill and restart it.</p>
- 
- action(type=&quot;omprog&quot;
-        name=&quot;db_forward&quot;
--       binary=&quot;/usr/share/logging/db_forward.py&quot;
-+       binary=&quot;/usr/libexec/rsyslog/db_forward.py&quot;
-        confirmMessages=&quot;on&quot;
-        confirmTimeout=&quot;30000&quot;
-        queue.type=&quot;LinkedList&quot;

rsyslog-8.2310.0-remove-state-on-file-delete.patch

@@ -1,11 +0,0 @@
-diff -up rsyslog-8.2310.0/plugins/imfile/imfile.c.orig rsyslog-8.2310.0/plugins/imfile/imfile.c
---- rsyslog-8.2310.0/plugins/imfile/imfile.c.orig	2023-11-03 12:19:39.179103408 +0100
-+++ rsyslog-8.2310.0/plugins/imfile/imfile.c	2023-11-03 12:19:54.228237199 +0100
-@@ -1162,6 +1162,7 @@ fs_node_destroy(fs_node_t *const node)
- 	DBGPRINTF("node destroy: %p edges:\n", node);
- 
- 	for(edge = node->edges ; edge != NULL ; ) {
-+		detect_updates(edge);
- 		fs_node_destroy(edge->node);
- 		fs_edge_t *const toDel = edge;
- 		edge = edge->next;

sources

@@ -1,3 +0,0 @@
-SHA512 (qpid-proton-0.39.0.tar.gz) = 38659682cc86bf0c910e2a707a5b166b3a7d0fb70fd83d6c5ebcaca53b2cd5a478adf36958d2c4c55a2ea6afcb9b457a12006a7967efae6ca2d0663c0febbc58
-SHA512 (rsyslog-8.2310.0.tar.gz) = f04e14ede8c35e1799eadc711a6e99dbe56d312c7909c7ebed4d4bd489d310a44a5c2d3ed23968fbf3ccff5b580870d0f3ceeb690deb1d1424420fc9d3220696
-SHA512 (rsyslog-doc-8.2310.0.tar.gz) = cf452f3705680fc81495e940ea7d5ae705a6dbfe0e2ce5a87865c3043f79daaec243df20e8aadd9fac6144a3df8f19d7c56fdf19ec68df78e2fdaffa45096143

upstream_e2e.fmf

@@ -1,46 +0,0 @@
-summary: Testing rsyslog essential test for CI
-
-discover:
-  - how: fmf
-    url: https://github.com/RedHat-SP-Security/rsyslog-tests
-    ref: master
-    filter: component:rsyslog & tag:CI-Tier-1
-    test:
-      - /Sanity/basic-logging-facility/old-syntax
-      - /Sanity/bz1932795-rebase-to-2102
-      - /Sanity/bz672182-RFE-Provide-multi-line-message-capability/old-syntax
-      - /Sanity/bz672182-RFE-Provide-rate-limiting-support/new-syntax
-      - /Sanity/capabilities-drop
-      - /Sanity/config-enabled
-      - /Sanity/gnutls-openssl/interoperability
-      - /Sanity/gnutls-openssl/ossl
-      - /Sanity/imfile-module-test/new-syntax
-      - /Sanity/imfile-module-test/old-syntax
-      - /Sanity/imrelp-omrelp-module-test
-      - /Sanity/imtcp-module-test/old-syntax
-      - /Sanity/mmfields-module-test
-      - /Sanity/mmnormalize-module-test
-#     - /Sanity/omfile-module-test/newSyntax
-#     - /Sanity/omfile-module-test/oldSyntax
-      - /Sanity/ompipe-module-test
-      - /Sanity/omudpspoof-module-test
-      - /Sanity/test-various-configuration-directives/new-syntax
-#      - /Sanity/various-simple-checks
-      - /Regression/bz1419228-rsyslog-imjournal-module-no-longer-receives-logs
-      - /Regression/bz1763746-rsyslog-doesn-t-read-lines-from-imfile-after
-      - /Regression/bz1843992-rsyslog-dies-at-startup-when-imfile-top
-      - /Regression/bz1858297-Repeated-buffer-overflow-detected
-      - /Regression/bz1866877-parsing-msg
-      - /Regression/bz1880434-gnutls-shutdown
-      - /Regression/bz1886400-gnutls-shutdown-relp
-      - /Regression/bz1909639-imfile-leaves-state-files-behind
-      - /Regression/bz1944718-large-group
-      - /Regression/bz1960536-imjournal-fsync-fd-leak
-      - /Regression/bz1962318-errfile-maxsize
-      - /Regression/bz2052403-remove-wd-on-filemove
-#      - /Regression/bz654379-service-rsyslog-start-cat-hangs
-
-#disable flaky test for now
-
-execute:
-  how: tmt