40 changed files with 3276 additions and 481 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
-SOURCES/qpid-proton-0.31.0.tar.gz
-SOURCES/rsyslog-8.1911.0.tar.gz
-SOURCES/rsyslog-doc-8.1911.0.tar.gz
+SOURCES/qpid-proton-0.34.0.tar.gz
+SOURCES/rsyslog-8.2102.0.tar.gz
+SOURCES/rsyslog-doc-8.2102.0.tar.gz
--- a/.rsyslog.metadata
+++ b/.rsyslog.metadata
@ -1,3 +1,3 @@
-8714235747ec8947648448eecda57e97d3a733ce SOURCES/qpid-proton-0.31.0.tar.gz
-30dfc2b99d73598788e2bd0d0ac45e16e7c3a3d5 SOURCES/rsyslog-8.1911.0.tar.gz
-8bcb23571ab8011b712ccf52acee20f8940b7f03 SOURCES/rsyslog-doc-8.1911.0.tar.gz
+390e5cb87a6331cf0ce451d7f6552e2c0d97f706 SOURCES/qpid-proton-0.34.0.tar.gz
+fdda78ed808e7a0dca03ead9227a0a5d913a050f SOURCES/rsyslog-8.2102.0.tar.gz
+9c2188d435cb5f79c1c35749003bd2a61e7f2d07 SOURCES/rsyslog-doc-8.2102.0.tar.gz
--- a/SOURCES/rsyslog-8.1911.0-rhbz1659383-config-enabled-error.patch
+++ b/SOURCES/rsyslog-8.1911.0-rhbz1659383-config-enabled-error.patch
@ -1,123 +0,0 @@
-From ba5b68be84888b24918dd019b87ed9f62d7fa988 Mon Sep 17 00:00:00 2001
-From: Jiri Vymazal <jvymazal@redhat.com>
-Date: Tue, 11 Feb 2020 13:46:23 +0100
-Subject: [PATCH] Fixed processing of 'cofig.enabled' directive
-
-Previously the directive was processed way too late which caused
-false errors whenever it was set to 'off' and possibly other
-problems.
---
- grammar/rainerscript.c | 43+++++++++++++++++++++++----------------
- grammar/rainerscript.h |  1 +
- runtime/rsconf.c       | 10 +++++++++
- 3 files changed, 38 insertions(+), 18 deletions(-)
-
-diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c
-index 8f14bbe319..4398e6011a 100644
--- a/grammar/rainerscript.c
-+++ b/grammar/rainerscript.c
-@@ -699,6 +699,22 @@ nvlstFindNameCStr(struct nvlst *lst, const char *const __restrict__ name)
- 	return lst;
- }
- 
-+/* check if the nvlst is disabled, and mark config.enabled directive
-+ * as used if it is not. Returns 1 if block is disabled, 0 otherwise.
-+ */
-+int nvlstChkDisabled(struct nvlst *lst)
-+{
-+	struct nvlst *valnode;
-+
-+	if((valnode = nvlstFindNameCStr(lst, "config.enabled")) != NULL) {
-+		lst->bUsed = 1;
-+		if(es_strbufcmp(valnode->val.d.estr, (unsigned char*) "on", 2)) {
-+			return 1;
-+		}
-+	}
-+	return 0;
-+}
-+
- 
- /* check if there are duplicate names inside a nvlst and emit
-  * an error message, if so.
-@@ -1207,21 +1224,6 @@ nvlstGetParams(struct nvlst *lst, struct cnfparamblk *params,
- 		}
- 	}
- 
-	/* now config-system parameters (currently a bit hackish, as we
-	 * only have one...). -- rgerhards, 2018-01-24
-	 */
-	if((valnode = nvlstFindNameCStr(lst, "config.enabled")) != NULL) {
-		if(es_strbufcmp(valnode->val.d.estr, (unsigned char*) "on", 2)) {
-			dbgprintf("config object disabled by configuration\n");
-			/* flag all params as used to not emit error mssages */
-			bInError = 1;
-			struct nvlst *val;
-			for(val = lst; val != NULL ; val = val->next) {
-				val->bUsed = 1;
-			}
-		}
-	}
-
- 	/* done parameter processing */
- 	if(bInError) {
- 		if(bValsWasNULL)
-@@ -4418,8 +4418,13 @@ cnfstmtNewAct(struct nvlst *lst)
- 	struct cnfstmt* cnfstmt;
- 	char namebuf[256];
- 	rsRetVal localRet;
-	if((cnfstmt = cnfstmtNew(S_ACT)) == NULL)
-+	if((cnfstmt = cnfstmtNew(S_ACT)) == NULL) {
- 		goto done;
-+	}
-+	if (nvlstChkDisabled(lst)) {
-+		dbgprintf("action disabled by configuration\n");
-+		cnfstmt->nodetype = S_NOP;
-+	}
- 	localRet = actionNewInst(lst, &cnfstmt->d.act);
- 	if(localRet == RS_RET_OK_WARN) {
- 		parser_errmsg("warnings occured in file '%s' around line %d",
-@@ -5284,6 +5289,11 @@ includeProcessCnf(struct nvlst *const lst)
- 		goto done;
- 	}
- 
-+	if (nvlstChkDisabled(lst)) {
-+		DBGPRINTF("include statement disabled\n");
-+		goto done;
-+	}
-+
- 	pvals = nvlstGetParams(lst, &incpblk, NULL);
- 	if(pvals == NULL) {
- 		goto done;
-diff --git a/grammar/rainerscript.h b/grammar/rainerscript.h
-index bfa8ee6cb9..0f8128861b 100644
--- a/grammar/rainerscript.h
-+++ b/grammar/rainerscript.h
-@@ -340,6 +340,7 @@ void nvlstDestruct(struct nvlst *lst);
- void nvlstPrint(struct nvlst *lst);
- void nvlstChkUnused(struct nvlst *lst);
- struct nvlst* nvlstFindName(struct nvlst *lst, es_str_t *name);
-+int nvlstChkDisabled(struct nvlst *lst);
- struct cnfobj* cnfobjNew(enum cnfobjType objType, struct nvlst *lst);
- void cnfobjDestruct(struct cnfobj *o);
- void cnfobjPrint(struct cnfobj *o);
-diff --git a/runtime/rsconf.c b/runtime/rsconf.c
-index fc0863a738..303e06365b 100644
--- a/runtime/rsconf.c
-+++ b/runtime/rsconf.c
-@@ -438,6 +438,16 @@ cnfDoObj(struct cnfobj *const o)
- 
- 	dbgprintf("cnf:global:obj: ");
- 	cnfobjPrint(o);
-+
-+	/* We need to check for object disabling as early as here to cover most
-+	 * of them at once and avoid needless initializations
-+	 * - jvymazal 2020-02-12
-+	 */
-+	if (nvlstChkDisabled(o->nvlst)) {
-+		dbgprintf("object disabled by configuration\n");
-+		return;
-+	}
-+
- 	switch(o->objType) {
- 	case CNFOBJ_GLOBAL:
- 		glblProcessCnf(o);
--- a/SOURCES/rsyslog-8.1911.0-rhbz1763757-imfile-statefiles.patch
+++ b/SOURCES/rsyslog-8.1911.0-rhbz1763757-imfile-statefiles.patch
@ -1,142 +0,0 @@
-From ac30968b7858d4ca3743d2b4d296eca543864fe2 Mon Sep 17 00:00:00 2001
-From: Jiri Vymazal <jvymazal@redhat.com>
-Date: Fri, 22 Nov 2019 14:25:59 +0100
-Subject: [PATCH] Thorougher state-file renaming and cleaning
-
-Now checking if file-id changes and reanming - cleaning state file
-accordingly and always checking and cleaning old inode-only style
-state files.
---
- plugins/imfile/imfile.c | 66 +++++++++++++++++++++++++++--------------
- 1 file changed, 43 insertions(+), 23 deletions(-)
-
-diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
-index d9bf0fbb6d..9db2b47ac9 100644
--- a/plugins/imfile/imfile.c
-+++ b/plugins/imfile/imfile.c
-@@ -182,6 +182,7 @@ struct act_obj_s {
- 	time_t timeoutBase; /* what time to calculate the timeout against? */
- 	/* file dynamic data */
- 	char file_id[FILE_ID_HASH_SIZE]; /* file id for this entry, once we could obtain it */
-+	char file_id_prev[FILE_ID_HASH_SIZE]; /* previous file id for this entry, set if changed */
- 	int in_move;	/* workaround for inotify move: if set, state file must not be deleted */
- 	ino_t ino;	/* current inode nbr */
- 	int fd;		/* fd to file in order to obtain file_id (needs to be preserved across move) */
-@@ -711,7 +712,7 @@ act_obj_add(fs_edge_t *const edge, const char *const name, const int is_file,
- 		if (is_file) {
- 			LogError(errno, RS_RET_ERR, "imfile: error accessing file '%s'", name);
- 		} else { /* reporting only in debug for dirs as higher lvl paths are likely blocked by selinux */
-			DBGPRINTF("imfile: error accessing file '%s'", name);
-+			DBGPRINTF("imfile: error accessing directory '%s'", name);
- 		}
- 		FINALIZE;
- 	}
-@@ -727,6 +728,7 @@ act_obj_add(fs_edge_t *const edge, const char *const name, const int is_file,
- 	act->ino = ino;
- 	act->fd = fd;
- 	act->file_id[0] = '\0';
-+	act->file_id_prev[0] = '\0';
- 	act->is_symlink = is_symlink;
- 	if (source) { /* we are target of symlink */
- 		CHKmalloc(act->source_name = strdup(source));
-@@ -1256,17 +1258,15 @@ get_file_id_hash(const char *data, size_t lendata,
- static void ATTR_NONNULL(1)
- getFileID(act_obj_t *const act)
- {
-	if(act->file_id[0] != '\0') {
-		return; /* everything already done */
-	}
-+	/* save the old id for cleaning purposes */
-+	strncpy(act->file_id_prev, (const char*)act->file_id, FILE_ID_HASH_SIZE);
-+	act->file_id[0] = '\0';
- 	assert(act->fd >= 0); /* fd must have been opened at act_obj_t creation! */
- 	char filedata[FILE_ID_SIZE];
-+	lseek(act->fd, 0, SEEK_SET); /* Seek to beginning of file so we have correct id */
- 	const int r = read(act->fd, filedata, FILE_ID_SIZE);
- 	if(r == FILE_ID_SIZE) {
- 		get_file_id_hash(filedata, sizeof(filedata), act->file_id, sizeof(act->file_id));
-		dbgprintf("file_id '%s' obtained, closing monitoring file handle\n", act->file_id);
-		close(act->fd); /* we will never go here! */
-		act->fd = -1;
- 	} else {
- 		DBGPRINTF("getFileID partial or error read, ret %d\n", r);
- 	}
-@@ -1378,28 +1378,13 @@ openFileWithStateFile(act_obj_t *const act)
- 	if(fd < 0) {
- 		if(errno == ENOENT) {
- 			if(act->file_id[0] != '\0') {
-				const char *pszSFNamHash = strdup((const char*)pszSFNam);
-				CHKmalloc(pszSFNamHash);
- 				DBGPRINTF("state file %s for %s does not exist - trying to see if "
- 					"inode-only file exists\n", pszSFNam, act->name);
- 				getFullStateFileName(statefn, "", pszSFNam, sizeof(pszSFNam));
- 				fd = open((char*)pszSFNam, O_CLOEXEC | O_NOCTTY | O_RDONLY, 0600);
- 				if(fd >= 0) {
-					dbgprintf("found inode-only state file, renaming it now that we "
-						"know the file_id, new name: %s\n", pszSFNamHash);
-					/* we now can use identify the file, so let's rename it */
-					if(rename((const char*)pszSFNam, pszSFNamHash) != 0) {
-						LogError(errno, RS_RET_IO_ERROR,
-							"imfile error trying to rename state file for '%s' - "
-							"ignoring this error, usually this means a file no "
-							"longer file is left over, but this may also cause "
-							"some real trouble. Still the best we can do ",
-							act->name);
-						free((void*) pszSFNamHash);
-						ABORT_FINALIZE(RS_RET_IO_ERROR);
-					}
-+					dbgprintf("found inode-only state file, will be renamed at next persist\n");
- 				}
-				free((void*) pszSFNamHash);
- 			}
- 			if(fd < 0) {
- 				DBGPRINTF("state file %s for %s does not exist - trying to see if "
-@@ -2609,6 +2594,36 @@ atomicWriteStateFile(const char *fn, const char *content)
- 	RETiRet;
- }
- 
-+/* This function should be called after any file ID change - that is if
-+ * file grown from hash-only statefile, or was truncated, this will ensure
-+ * we delete the old file so we do not make garbage in our working dir and
-+ * there are no leftover statefiles which can in theory later bind to something
-+ * and cause data loss.
-+ * jvymazal 2019-11-27
-+ */
-+static void
-+removeOldStatefile(const uchar *statefn, const char *hashToDelete)
-+{
-+	int ret;
-+	uchar statefname[MAXFNAME];
-+
-+	getFullStateFileName(statefn, hashToDelete, statefname, sizeof(statefname));
-+	DBGPRINTF("removing old state file: '%s'\n", statefname);
-+	ret = unlink((const char*)statefname);
-+	if(ret != 0) {
-+		if (errno != ENOENT) {
-+			LogError(errno, RS_RET_IO_ERROR,
-+				"imfile error trying to delete old state file: '%s' - ignoring this "
-+				"error, usually this means a file no longer file is left over, but "
-+				"this may also cause some real trouble. Still the best we can do ",
-+				statefname);
-+		} else {
-+			DBGPRINTF("trying to delete no longer valid statefile '%s' which no "
-+					  "longer exists (probably already deleted)\n", statefname);
-+		}
-+	}
-+}
-+
- 
- /* This function persists information for a specific file being monitored.
-  * To do so, it simply persists the stream object. We do NOT abort on error
-@@ -2660,6 +2675,11 @@ persistStrmState(act_obj_t *const act)
- 	CHKiRet(atomicWriteStateFile((const char*)statefname, jstr));
- 	json_object_put(json);
- 
-+	/* file-id changed remove the old statefile */
-+	if (strncmp((const char *)act->file_id_prev, (const char *)act->file_id, FILE_ID_HASH_SIZE)) {
-+		removeOldStatefile(statefn, act->file_id_prev);
-+	}
-+
- finalize_it:
- 	if(iRet != RS_RET_OK) {
- 		LogError(0, iRet, "imfile: could not persist state "
--- a/SOURCES/rsyslog-8.1911.0-rhbz1782353-deny-expired-by-default.patch
+++ b/SOURCES/rsyslog-8.1911.0-rhbz1782353-deny-expired-by-default.patch
@ -1,58 +0,0 @@
-From 0de93c9e1597b20f71bb61d5375ded546cfd2fa8 Mon Sep 17 00:00:00 2001
-From: Jiri Vymazal <jvymazal@redhat.com>
-Date: Wed, 11 Dec 2019 15:35:26 +0100
-Subject: [PATCH] Changed default for permitExpiredCerts to "off"
-
-This is to be conssitent with rsyslog's prior behavior where
-expired certs were automatically rejected
---
- runtime/nsd_gtls.c | 10 +++++-----
- runtime/nsd_ossl.c |  8 ++++----
- 2 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
-index 5df12994d1..2be0ca9c92 100644
--- a/runtime/nsd_gtls.c
-+++ b/runtime/nsd_gtls.c
-@@ -1461,16 +1461,16 @@ SetPermitExpiredCerts(nsd_t *pNsd, uchar *mode)
- 	nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
- 
- 	ISOBJ_TYPE_assert((pThis), nsd_gtls);
-	/* default is set to warn! */
-	if(mode == NULL || !strcasecmp((char*)mode, "warn")) {
-		pThis->permitExpiredCerts = GTLS_EXPIRED_WARN;
-	} else if(!strcasecmp((char*) mode, "off")) {
-+	/* default is set to off! */
-+	if(mode == NULL || !strcasecmp((char*)mode, "off")) {
- 		pThis->permitExpiredCerts = GTLS_EXPIRED_DENY;
-+	} else if(!strcasecmp((char*) mode, "warn")) {
-+		pThis->permitExpiredCerts = GTLS_EXPIRED_WARN;
- 	} else if(!strcasecmp((char*) mode, "on")) {
- 		pThis->permitExpiredCerts = GTLS_EXPIRED_PERMIT;
- 	} else {
- 		LogError(0, RS_RET_VALUE_NOT_SUPPORTED, "error: permitexpiredcerts mode '%s' not supported by "
-				"ossl netstream driver", mode);
-+				"gtls netstream driver", mode);
- 		ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
- 	}
- 
-diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
-index 4f8dd845ab..ebb2537d72 100644
--- a/runtime/nsd_ossl.c
-+++ b/runtime/nsd_ossl.c
-@@ -1130,11 +1130,11 @@ SetPermitExpiredCerts(nsd_t *pNsd, uchar *mode)
- 	nsd_ossl_t *pThis = (nsd_ossl_t*) pNsd;
- 
- 	ISOBJ_TYPE_assert((pThis), nsd_ossl);
-	/* default is set to warn! */
-	if(mode == NULL || !strcasecmp((char*)mode, "warn")) {
-		pThis->permitExpiredCerts = OSSL_EXPIRED_WARN;
-	} else if(!strcasecmp((char*) mode, "off")) {
-+	/* default is set to off! */
-+	if(mode == NULL || !strcasecmp((char*)mode, "off")) {
- 		pThis->permitExpiredCerts = OSSL_EXPIRED_DENY;
-+	} else if(!strcasecmp((char*) mode, "warn")) {
-+		pThis->permitExpiredCerts = OSSL_EXPIRED_WARN;
- 	} else if(!strcasecmp((char*) mode, "on")) {
- 		pThis->permitExpiredCerts = OSSL_EXPIRED_PERMIT;
- 	} else {
--- a/SOURCES/rsyslog-8.1911.0-rhbz1789675-serialize-crash-race.patch
+++ b/SOURCES/rsyslog-8.1911.0-rhbz1789675-serialize-crash-race.patch
@ -1,33 +0,0 @@
-From: Jiri Vymazal <jvymazal@redhat.com>
-Date: Wed, 18 Dec 2019 09:48:15 +0100
-Subject: [PATCH] Fix race condition related to libfastjson when using DA queue
-
-Rsyslogd aborts when writing to disk queue from multiple workers simultaneously.
-It is assumed that libfastjson is not thread-safe.
-Resolve libfastjson race condition when writing to disk queue.
-
-see also https://github.com/rsyslog/rsyslog/issues/4099
---
- runtime/msg.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/runtime/msg.c b/runtime/msg.c
-index b5c17cfdd4..f9da40005f 100644
--- a/runtime/msg.c
-+++ b/runtime/msg.c
-@@ -1242,11 +1242,15 @@ static rsRetVal MsgSerialize(smsg_t *pThis, strm_t *pStrm)
- 	psz = pThis->pszStrucData;
- 	CHKiRet(obj.SerializeProp(pStrm, UCHAR_CONSTANT("pszStrucData"), PROPTYPE_PSZ, (void*) psz));
- 	if(pThis->json != NULL) {
-+		MsgLock(pThis);
- 		psz = (uchar*) json_object_get_string(pThis->json);
-+		MsgUnlock(pThis);
- 		CHKiRet(obj.SerializeProp(pStrm, UCHAR_CONSTANT("json"), PROPTYPE_PSZ, (void*) psz));
- 	}
- 	if(pThis->localvars != NULL) {
-+		MsgLock(pThis);
- 		psz = (uchar*) json_object_get_string(pThis->localvars);
-+		MsgUnlock(pThis);
- 		CHKiRet(obj.SerializeProp(pStrm, UCHAR_CONSTANT("localvars"), PROPTYPE_PSZ, (void*) psz));
- 	}
- 
--- a/SOURCES/rsyslog-8.1911.0-rhbz1793569-imfile-file_id.patch
+++ b/SOURCES/rsyslog-8.1911.0-rhbz1793569-imfile-file_id.patch
@ -1,37 +0,0 @@
-From 0c69ec76d8cac47bcfa78abae86229ad63c92b0b Mon Sep 17 00:00:00 2001
-From: Jiri Vymazal <jvymazal@redhat.com>
-Date: Tue, 21 Jan 2020 13:58:14 +0100
-Subject: [PATCH] Fixed saving of old file_id for statefiles
-
-Previously we saved old file_id unconditionally, which led to not
-deleting old statefiles if files changes without rsyslog running.
-Now it should work correctly.
---
- plugins/imfile/imfile.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
-index 908bb5901c..5ad44f6c59 100644
--- a/plugins/imfile/imfile.c
-+++ b/plugins/imfile/imfile.c
-@@ -1258,8 +1258,8 @@ get_file_id_hash(const char *data, size_t lendata,
- static void ATTR_NONNULL(1)
- getFileID(act_obj_t *const act)
- {
-	/* save the old id for cleaning purposes */
-	strncpy(act->file_id_prev, (const char*)act->file_id, FILE_ID_HASH_SIZE);
-+	char tmp_id[FILE_ID_HASH_SIZE];
-+	strncpy(tmp_id, (const char*)act->file_id, FILE_ID_HASH_SIZE);
- 	act->file_id[0] = '\0';
- 	assert(act->fd >= 0); /* fd must have been opened at act_obj_t creation! */
- 	char filedata[FILE_ID_SIZE];
-@@ -1270,6 +1270,9 @@ getFileID(act_obj_t *const act)
- 	} else {
- 		DBGPRINTF("getFileID partial or error read, ret %d\n", r);
- 	}
-+	if (strncmp(tmp_id, act->file_id, FILE_ID_HASH_SIZE)) {/* save the old id for cleaning purposes */
-+		strncpy(act->file_id_prev, tmp_id, FILE_ID_HASH_SIZE);
-+	}
- 	DBGPRINTF("getFileID for '%s', file_id_hash '%s'\n", act->name, act->file_id);
- }
- 
--- a/SOURCES/rsyslog-8.1911.0-rhbz1843994-imfile-selinux-symlink-crash.patch
+++ b/SOURCES/rsyslog-8.1911.0-rhbz1843994-imfile-selinux-symlink-crash.patch
@ -1,24 +0,0 @@
-From 89ff6436b55cd81c54dcb076490b0c4de98d508d Mon Sep 17 00:00:00 2001
-From: Jiri Vymazal <jvymazal@redhat.com>
-Date: Tue, 9 Jun 2020 12:09:59 +0200
-Subject: [PATCH] Fixing imfile segfaulting on selinux denial
-
-If imfile is denied access to file watched trough symlink there is
-unchecked condition resulting in access to not initialized memory.
---
- plugins/imfile/imfile.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
-index f360bd290b..21d6546552 100644
--- a/plugins/imfile/imfile.c
-+++ b/plugins/imfile/imfile.c
-@@ -732,7 +732,7 @@ act_obj_add(fs_edge_t *const edge, const char *const name, const int is_file,
- 		} else { /* reporting only in debug for dirs as higher lvl paths are likely blocked by selinux */
- 			DBGPRINTF("imfile: error accessing directory '%s'", name);
- 		}
-		FINALIZE;
-+		ABORT_FINALIZE(RS_RET_NO_FILE_ACCESS);
- 	}
- 	DBGPRINTF("add new active object '%s' in '%s'\n", name, edge->path);
- 	CHKmalloc(act = calloc(sizeof(act_obj_t), 1));
--- a/SOURCES/rsyslog-8.1911.0-service.patch
+++ b/SOURCES/rsyslog-8.1911.0-service.patch
@ -1,21 +0,0 @@
-diff -up ./rsyslog.service.in.service ./rsyslog.service.in
--- ./rsyslog.service.in.service	2018-03-01 13:58:11.480598935 +0100
-+++ ./rsyslog.service.in	2018-03-01 13:58:25.433518607 +0100
-@@ -1,12 +1,16 @@
- [Unit]
- Description=System Logging Service
- Requires=syslog.socket
-+Wants=network.target network-online.target
-+After=network.target network-online.target
- Documentation=man:rsyslogd(8)
- Documentation=https://www.rsyslog.com/doc/
- 
- [Service]
- Type=notify
-ExecStart=@sbindir@/rsyslogd -n -iNONE
-+EnvironmentFile=-/etc/sysconfig/rsyslog
-+ExecStart=@sbindir@/rsyslogd -n $SYSLOGD_OPTIONS
-+UMask=0066
- StandardOutput=null
- Restart=on-failure
- 
--- a/SOURCES/rsyslog-8.2102.0-imtcp-param-refactor.patch
+++ b/SOURCES/rsyslog-8.2102.0-imtcp-param-refactor.patch
@ -0,0 +1,908 @@
+diff --git a/plugins/imdiag/imdiag.c b/plugins/imdiag/imdiag.c
+index 3e27ee4d36..d57dd5661c 100644
+--- a/plugins/imdiag/imdiag.c
+++ b/plugins/imdiag/imdiag.c
+@@ -566,28 +566,33 @@ setInjectDelayMode(void __attribute__((unused)) *pVal, uchar *const pszMode)
+ }
+ 
+ 
+-static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal)
+static rsRetVal
+addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal)
+ {
+	tcpLstnParams_t *cnf_params = NULL;
+ 	DEFiRet;
+ 
+-	if(pOurTcpsrv == NULL) {
+-		CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
+-		CHKiRet(tcpsrv.SetSessMax(pOurTcpsrv, iTCPSessMax));
+-		CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
+-		CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
+-		CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
+-		CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
+-		CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
+-		CHKiRet(tcpsrv.SetDrvrMode(pOurTcpsrv, iStrmDrvrMode));
+-		CHKiRet(tcpsrv.SetOnMsgReceive(pOurTcpsrv, OnMsgReceived));
+-		CHKiRet(tcpsrv.SetLstnPortFileName(pOurTcpsrv, pszLstnPortFileName));
+-		/* now set optional params, but only if they were actually configured */
+-		if(pszStrmDrvrAuthMode != NULL) {
+-			CHKiRet(tcpsrv.SetDrvrAuthMode(pOurTcpsrv, pszStrmDrvrAuthMode));
+-		}
+-		if(pPermPeersRoot != NULL) {
+-			CHKiRet(tcpsrv.SetDrvrPermPeers(pOurTcpsrv, pPermPeersRoot));
+-		}
+	if(pOurTcpsrv != NULL) {
+		LogError(0, NO_ERRCODE, "imdiag: only a single listener is supported, "
+			"trying to add a second");
+		ABORT_FINALIZE(RS_RET_ERR);
+	}
+	CHKmalloc(cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t)));
+	CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
+	CHKiRet(tcpsrv.SetSessMax(pOurTcpsrv, iTCPSessMax));
+	CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
+	CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
+	CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
+	CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
+	CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
+	CHKiRet(tcpsrv.SetDrvrMode(pOurTcpsrv, iStrmDrvrMode));
+	CHKiRet(tcpsrv.SetOnMsgReceive(pOurTcpsrv, OnMsgReceived));
+	/* now set optional params, but only if they were actually configured */
+	if(pszStrmDrvrAuthMode != NULL) {
+		CHKiRet(tcpsrv.SetDrvrAuthMode(pOurTcpsrv, pszStrmDrvrAuthMode));
+	}
+	if(pPermPeersRoot != NULL) {
+		CHKiRet(tcpsrv.SetDrvrPermPeers(pOurTcpsrv, pPermPeersRoot));
+ 	}
+ 
+ 	/* initialized, now add socket */
+@@ -595,7 +600,11 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa
+ 						UCHAR_CONSTANT("imdiag") : pszInputName));
+ 	CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, (uchar*)"imdiag"));
+ 	/* we support octect-counted frame (constant 1 below) */
+-	tcpsrv.configureTCPListen(pOurTcpsrv, pNewVal, 1, NULL, pszLstnPortFileName);
+	cnf_params->pszPort = pNewVal;
+	cnf_params->bSuppOctetFram = 1;
+	CHKmalloc(cnf_params->pszLstnPortFileName = (const uchar*) strdup((const char*)pszLstnPortFileName));
+	tcpsrv.configureTCPListen(pOurTcpsrv, cnf_params);
+	cnf_params = NULL;
+ 
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+@@ -603,7 +612,7 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa
+ 		if(pOurTcpsrv != NULL)
+ 			tcpsrv.Destruct(&pOurTcpsrv);
+ 	}
+-	free(pNewVal);
+	free(cnf_params);
+ 	RETiRet;
+ }
+ 
+@@ -760,6 +769,7 @@ CODESTARTmodExit
+ 
+ 	/* free some globals to keep valgrind happy */
+ 	free(pszInputName);
+fprintf(stderr, "FINAL FREE %p\n", pszLstnPortFileName);
+ 	free(pszLstnPortFileName);
+ 	free(pszStrmDrvrAuthMode);
+ 
+diff --git a/plugins/imgssapi/imgssapi.c b/plugins/imgssapi/imgssapi.c
+index e0cab01664..4041e88b14 100644
+--- a/plugins/imgssapi/imgssapi.c
+++ b/plugins/imgssapi/imgssapi.c
+@@ -334,34 +334,38 @@ static rsRetVal
+ actGSSListener(uchar *port)
+ {
+ 	DEFiRet;
+	tcpLstnParams_t *cnf_params = NULL;
+ 	gsssrv_t *pGSrv = NULL;
+ 
+-	if(pOurTcpsrv == NULL) {
+-		/* first create/init the gsssrv "object" */
+-		if((pGSrv = calloc(1, sizeof(gsssrv_t))) == NULL)
+-			ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
+-
+-		pGSrv->allowedMethods = ALLOWEDMETHOD_GSS;
+-		if(bPermitPlainTcp)
+-			pGSrv->allowedMethods |= ALLOWEDMETHOD_TCP;
+-		/* gsssrv initialized */
+-
+-		CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
+-		CHKiRet(tcpsrv.SetUsrP(pOurTcpsrv, pGSrv));
+-		CHKiRet(tcpsrv.SetCBOnSessConstructFinalize(pOurTcpsrv, OnSessConstructFinalize));
+-		CHKiRet(tcpsrv.SetCBOnSessDestruct(pOurTcpsrv, OnSessDestruct));
+-		CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
+-		CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
+-		CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
+-		CHKiRet(tcpsrv.SetCBOnSessAccept(pOurTcpsrv, onSessAccept));
+-		CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
+-		CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
+-		CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
+-		CHKiRet(tcpsrv.SetKeepAlive(pOurTcpsrv, bKeepAlive));
+-		CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
+-		tcpsrv.configureTCPListen(pOurTcpsrv, port, 1, NULL, NULL);
+-		CHKiRet(tcpsrv.ConstructFinalize(pOurTcpsrv));
+-	}
+	assert(pOurTcpsrv == NULL);
+	CHKmalloc(cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t)));
+	/* first create/init the gsssrv "object" */
+	if((pGSrv = calloc(1, sizeof(gsssrv_t))) == NULL)
+		ABORT_FINALIZE(RS_RET_OUT_OF_MEMORY);
+
+	pGSrv->allowedMethods = ALLOWEDMETHOD_GSS;
+	if(bPermitPlainTcp)
+		pGSrv->allowedMethods |= ALLOWEDMETHOD_TCP;
+	/* gsssrv initialized */
+
+	CHKiRet(tcpsrv.Construct(&pOurTcpsrv));
+	CHKiRet(tcpsrv.SetUsrP(pOurTcpsrv, pGSrv));
+	CHKiRet(tcpsrv.SetCBOnSessConstructFinalize(pOurTcpsrv, OnSessConstructFinalize));
+	CHKiRet(tcpsrv.SetCBOnSessDestruct(pOurTcpsrv, OnSessDestruct));
+	CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost));
+	CHKiRet(tcpsrv.SetCBRcvData(pOurTcpsrv, doRcvData));
+	CHKiRet(tcpsrv.SetCBOpenLstnSocks(pOurTcpsrv, doOpenLstnSocks));
+	CHKiRet(tcpsrv.SetCBOnSessAccept(pOurTcpsrv, onSessAccept));
+	CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose));
+	CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose));
+	CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
+	CHKiRet(tcpsrv.SetKeepAlive(pOurTcpsrv, bKeepAlive));
+	CHKiRet(tcpsrv.SetOrigin(pOurTcpsrv, UCHAR_CONSTANT("imgssapi")));
+	cnf_params->pszPort = port;
+	cnf_params->bSuppOctetFram = 1;
+	tcpsrv.configureTCPListen(pOurTcpsrv, cnf_params);
+	CHKiRet(tcpsrv.ConstructFinalize(pOurTcpsrv));
+	cnf_params = NULL;
+ 
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+@@ -370,6 +374,7 @@ actGSSListener(uchar *port)
+ 			tcpsrv.Destruct(&pOurTcpsrv);
+ 		free(pGSrv);
+ 	}
+	free(cnf_params);
+ 	RETiRet;
+ }
+ 
+diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c
+index cf74d4c616..c336e6c24d 100644
+--- a/plugins/imtcp/imtcp.c
+++ b/plugins/imtcp/imtcp.c
+@@ -4,7 +4,7 @@
+  * File begun on 2007-12-21 by RGerhards (extracted from syslogd.c,
+  * which at the time of the rsyslog fork was BSD-licensed)
+  *
+- * Copyright 2007-2017 Adiscon GmbH.
+ * Copyright 2007-2020 Adiscon GmbH.
+  *
+  * This file is part of rsyslog.
+  *
+@@ -112,9 +112,7 @@ static struct configSettings_s {
+ } cs;
+ 
+ struct instanceConf_s {
+-	uchar *pszBindPort;		/* port to bind to */
+-	uchar *pszLstnPortFileName;	/* file dynamic port is written to */
+-	uchar *pszBindAddr;             /* IP to bind socket to */
+	tcpLstnParams_t *cnf_params;	/**< listener config parameters */
+ 	uchar *pszBindRuleset;		/* name of ruleset to bind to */
+ 	ruleset_t *pBindRuleset;	/* ruleset to bind listener to (use system default if unspecified) */
+ 	uchar *pszInputName;		/* value for inputname property, NULL is OK and handled by core engine */
+@@ -122,7 +120,6 @@ struct instanceConf_s {
+ 	sbool bSPFramingFix;
+ 	unsigned int ratelimitInterval;
+ 	unsigned int ratelimitBurst;
+-	int bSuppOctetFram;
+ 	struct instanceConf_s *next;
+ };
+ 
+@@ -288,19 +285,20 @@ setPermittedPeer(void __attribute__((unused)) *pVal, uchar *pszID)
+ static rsRetVal
+ createInstance(instanceConf_t **pinst)
+ {
+-	instanceConf_t *inst;
+	instanceConf_t *inst = NULL;
+
+ 	DEFiRet;
+ 	CHKmalloc(inst = malloc(sizeof(instanceConf_t)));
+	CHKmalloc(inst->cnf_params = (tcpLstnParams_t*) calloc(1, sizeof(tcpLstnParams_t)));
+ 	inst->next = NULL;
+ 	inst->pszBindRuleset = NULL;
+ 	inst->pszInputName = NULL;
+-	inst->pszBindAddr = NULL;
+ 	inst->dfltTZ = NULL;
+-	inst->bSuppOctetFram = -1; /* unset */
+	inst->cnf_params->bSuppOctetFram = -1; /* unset */
+ 	inst->bSPFramingFix = 0;
+ 	inst->ratelimitInterval = 0;
+ 	inst->ratelimitBurst = 10000;
+-	inst->pszLstnPortFileName = NULL;
+	inst->cnf_params->pszLstnPortFileName = NULL;
+ 
+ 	/* node created, let's add to config */
+ 	if(loadModConf->tail == NULL) {
+@@ -312,6 +310,9 @@ createInstance(instanceConf_t **pinst)
+ 
+ 	*pinst = inst;
+ finalize_it:
+	if(iRet != RS_RET_OK) {
+		free(inst);
+	}
+ 	RETiRet;
+ }
+ 
+@@ -328,7 +329,7 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
+ 
+ 	CHKiRet(createInstance(&inst));
+ 
+-	CHKmalloc(inst->pszBindPort = ustrdup((pNewVal == NULL || *pNewVal == '\0')
+	CHKmalloc(inst->cnf_params->pszPort = ustrdup((pNewVal == NULL || *pNewVal == '\0')
+ 				 	       ? (uchar*) "10514" : pNewVal));
+ 	if((cs.pszBindRuleset == NULL) || (cs.pszBindRuleset[0] == '\0')) {
+ 		inst->pszBindRuleset = NULL;
+@@ -336,14 +337,14 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
+ 		CHKmalloc(inst->pszBindRuleset = ustrdup(cs.pszBindRuleset));
+ 	}
+ 	if((cs.lstnIP == NULL) || (cs.lstnIP[0] == '\0')) {
+-		inst->pszBindAddr = NULL;
+		inst->cnf_params->pszAddr = NULL;
+ 	} else {
+-		CHKmalloc(inst->pszBindAddr = ustrdup(cs.lstnIP));
+		CHKmalloc(inst->cnf_params->pszAddr = ustrdup(cs.lstnIP));
+ 	}
+ 	if((cs.lstnPortFile == NULL) || (cs.lstnPortFile[0] == '\0')) {
+-		inst->pszBindAddr = NULL;
+		inst->cnf_params->pszAddr = NULL;
+ 	} else {
+-		CHKmalloc(inst->pszLstnPortFileName = ustrdup(cs.lstnPortFile));
+		CHKmalloc(inst->cnf_params->pszLstnPortFileName = ustrdup(cs.lstnPortFile));
+ 	}
+ 
+ 	if((cs.pszInputName == NULL) || (cs.pszInputName[0] == '\0')) {
+@@ -351,7 +352,7 @@ static rsRetVal addInstance(void __attribute__((unused)) *pVal, uchar *pNewVal)
+ 	} else {
+ 		CHKmalloc(inst->pszInputName = ustrdup(cs.pszInputName));
+ 	}
+-	inst->bSuppOctetFram = cs.bSuppOctetFram;
+	inst->cnf_params->bSuppOctetFram = cs.bSuppOctetFram;
+ 
+ finalize_it:
+ 	free(pNewVal);
+@@ -407,7 +408,7 @@ addListner(modConfData_t *modConf, instanceConf_t *inst)
+ 	}
+ 
+ 	/* initialized, now add socket and listener params */
+-	DBGPRINTF("imtcp: trying to add port *:%s\n", inst->pszBindPort);
+	DBGPRINTF("imtcp: trying to add port *:%s\n", inst->cnf_params->pszPort);
+ 	CHKiRet(tcpsrv.SetRuleset(pOurTcpsrv, inst->pBindRuleset));
+ 	CHKiRet(tcpsrv.SetInputName(pOurTcpsrv, inst->pszInputName == NULL ?
+ 						UCHAR_CONSTANT("imtcp") : inst->pszInputName));
+@@ -416,12 +417,12 @@ addListner(modConfData_t *modConf, instanceConf_t *inst)
+ 	CHKiRet(tcpsrv.SetbSPFramingFix(pOurTcpsrv, inst->bSPFramingFix));
+ 	CHKiRet(tcpsrv.SetLinuxLikeRatelimiters(pOurTcpsrv, inst->ratelimitInterval, inst->ratelimitBurst));
+ 
+-	if((ustrcmp(inst->pszBindPort, UCHAR_CONSTANT("0")) == 0 && inst->pszLstnPortFileName == NULL)
+-			|| ustrcmp(inst->pszBindPort, UCHAR_CONSTANT("0")) < 0) {
+-		CHKmalloc(inst->pszBindPort = (uchar*)strdup("514"));
+	if((ustrcmp(inst->cnf_params->pszPort, UCHAR_CONSTANT("0")) == 0
+		&& inst->cnf_params->pszLstnPortFileName == NULL)
+			|| ustrcmp(inst->cnf_params->pszPort, UCHAR_CONSTANT("0")) < 0) {
+		CHKmalloc(inst->cnf_params->pszPort = (uchar*)strdup("514"));
+ 	}
+-	tcpsrv.configureTCPListen(pOurTcpsrv, inst->pszBindPort, inst->bSuppOctetFram,
+-		inst->pszBindAddr, inst->pszLstnPortFileName);
+	tcpsrv.configureTCPListen(pOurTcpsrv, inst->cnf_params);
+ 
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+@@ -456,9 +457,9 @@ CODESTARTnewInpInst
+ 		if(!pvals[i].bUsed)
+ 			continue;
+ 		if(!strcmp(inppblk.descr[i].name, "port")) {
+-			inst->pszBindPort = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+			inst->cnf_params->pszPort = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(inppblk.descr[i].name, "address")) {
+-			inst->pszBindAddr = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+			inst->cnf_params->pszAddr = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(inppblk.descr[i].name, "name")) {
+ 			inst->pszInputName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(inppblk.descr[i].name, "defaulttz")) {
+@@ -468,13 +469,13 @@ CODESTARTnewInpInst
+ 		} else if(!strcmp(inppblk.descr[i].name, "ruleset")) {
+ 			inst->pszBindRuleset = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(inppblk.descr[i].name, "supportoctetcountedframing")) {
+-			inst->bSuppOctetFram = (int) pvals[i].val.d.n;
+			inst->cnf_params->bSuppOctetFram = (int) pvals[i].val.d.n;
+ 		} else if(!strcmp(inppblk.descr[i].name, "ratelimit.burst")) {
+ 			inst->ratelimitBurst = (unsigned int) pvals[i].val.d.n;
+ 		} else if(!strcmp(inppblk.descr[i].name, "ratelimit.interval")) {
+ 			inst->ratelimitInterval = (unsigned int) pvals[i].val.d.n;
+ 		} else if(!strcmp(inppblk.descr[i].name, "listenportfilename")) {
+-			inst->pszLstnPortFileName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+			inst->cnf_params->pszLstnPortFileName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else {
+ 			dbgprintf("imtcp: program error, non-handled "
+ 			  "param '%s'\n", inppblk.descr[i].name);
+@@ -656,7 +657,7 @@ std_checkRuleset_genErrMsg(__attribute__((unused)) modConfData_t *modConf, insta
+ {
+ 	LogError(0, NO_ERRCODE, "imtcp: ruleset '%s' for port %s not found - "
+ 			"using default ruleset instead", inst->pszBindRuleset,
+-			inst->pszBindPort);
+			inst->cnf_params->pszPort);
+ }
+ 
+ BEGINcheckCnf
+@@ -664,8 +665,8 @@ BEGINcheckCnf
+ CODESTARTcheckCnf
+ 	for(inst = pModConf->root ; inst != NULL ; inst = inst->next) {
+ 		std_checkRuleset(pModConf, inst);
+-		if(inst->bSuppOctetFram == FRAMING_UNSET)
+-			inst->bSuppOctetFram = pModConf->bSuppOctetFram;
+		if(inst->cnf_params->bSuppOctetFram == FRAMING_UNSET)
+			inst->cnf_params->bSuppOctetFram = pModConf->bSuppOctetFram;
+ 	}
+ 	if(pModConf->root == NULL) {
+ 		LogError(0, RS_RET_NO_LISTNERS , "imtcp: module loaded, but "
+@@ -713,12 +714,9 @@ CODESTARTfreeCnf
+ 		free(pModConf->permittedPeers);
+ 	}
+ 	for(inst = pModConf->root ; inst != NULL ; ) {
+-		free(inst->pszBindPort);
+-		free(inst->pszLstnPortFileName);
+-		free(inst->pszBindAddr);
+-		free(inst->pszBindRuleset);
+-		free(inst->pszInputName);
+-		free(inst->dfltTZ);
+		free((void*)inst->pszBindRuleset);
+		free((void*)inst->pszInputName);
+		free((void*)inst->dfltTZ);
+ 		del = inst;
+ 		inst = inst->next;
+ 		free(del);
+diff --git a/runtime/netstrm.c b/runtime/netstrm.c
+index 8a394a02eb..2c1db46378 100644
+--- a/runtime/netstrm.c
+++ b/runtime/netstrm.c
+@@ -12,12 +12,18 @@
+  * to carry out its work (including, and most importantly, transport
+  * drivers).
+  *
+ * Note on processing:
+ * - Initiating a listener may be driver-specific, but in regard to TLS/non-TLS
+ *   it actually is not. This is because TLS is negotiated after a connection
+ *   has been established. So it is the "acceptConnReq" driver entry where TLS
+ *   params need to be applied.
+ *
+  * Work on this module begun 2008-04-17 by Rainer Gerhards. This code
+  * borrows from librelp's tcp.c/.h code. librelp is dual licensed and
+  * Rainer Gerhards and Adiscon GmbH have agreed to permit using the code
+  * under the terms of the GNU Lesser General Public License.
+  *
+- * Copyright 2007-2009 Rainer Gerhards and Adiscon GmbH.
+ * Copyright 2007-2020 Rainer Gerhards and Adiscon GmbH.
+  *
+  * This file is part of the rsyslog runtime library.
+  *
+@@ -134,18 +140,17 @@ AcceptConnReq(netstrm_t *pThis, netstrm_t **ppNew)
+  * pLstnPort must point to a port name or number. NULL is NOT permitted.
+  * rgerhards, 2008-04-22
+  */
+-static rsRetVal
+static rsRetVal ATTR_NONNULL(1,3,5)
+ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-	 uchar *pLstnPort, uchar *pLstnIP, int iSessMax,
+-	 uchar *pszLstnPortFileName)
+	 const int iSessMax, const tcpLstnParams_t *const cnf_params)
+ {
+ 	DEFiRet;
+ 
+ 	ISOBJ_TYPE_assert(pNS, netstrms);
+ 	assert(fAddLstn != NULL);
+-	assert(pLstnPort != NULL);
+	assert(cnf_params->pszPort != NULL);
+ 
+-	CHKiRet(pNS->Drvr.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, iSessMax, pszLstnPortFileName));
+	CHKiRet(pNS->Drvr.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params));
+ 
+ finalize_it:
+ 	RETiRet;
+diff --git a/runtime/netstrm.h b/runtime/netstrm.h
+index 2e28d7e2e6..4ca35805e7 100644
+--- a/runtime/netstrm.h
+++ b/runtime/netstrm.h
+@@ -1,6 +1,6 @@
+ /* Definitions for the stream-based netstrmworking class.
+  *
+- * Copyright 2007, 2008 Rainer Gerhards and Adiscon GmbH.
+ * Copyright 2007-2020 Rainer Gerhards and Adiscon GmbH.
+  *
+  * This file is part of the rsyslog runtime library.
+  *
+@@ -24,6 +24,7 @@
+ #ifndef INCLUDED_NETSTRM_H
+ #define INCLUDED_NETSTRM_H
+ 
+#include "tcpsrv.h"
+ #include "netstrms.h"
+ 
+ /* the netstrm object */
+@@ -31,6 +32,7 @@ struct netstrm_s {
+ 	BEGINobjInstance;	/* Data to implement generic object - MUST be the first data element! */
+ 	nsd_t *pDrvrData;	/**< the driver's data elements (at most other places, this is called pNsd) */
+ 	nsd_if_t Drvr;		/**< our stream driver */
+	uchar *pszDrvrAuthMode;	/**< auth mode of the stream driver to use */
+ 	void *pUsr;		/**< pointer to user-provided data structure */
+ 	netstrms_t *pNS;	/**< pointer to our netstream subsystem object */
+ };
+@@ -76,8 +78,8 @@ BEGINinterface(netstrm) /* name must also be changed in ENDinterface macro! */
+ 	rsRetVal (*SetKeepAliveIntvl)(netstrm_t *pThis, int keepAliveIntvl);
+ 	rsRetVal (*SetGnutlsPriorityString)(netstrm_t *pThis, uchar *priorityString);
+ 	/* v11 -- Parameter pszLstnFileName added to LstnInit*/
+-	rsRetVal (*LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*),
+-		             uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName);
+	rsRetVal (ATTR_NONNULL(1,3,5) *LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*),
+			 const int iSessMax, const tcpLstnParams_t *const cnf_params);
+ 	/* v12 -- two new binary flags added to gtls driver enabling stricter operation */
+ 	rsRetVal (*SetDrvrCheckExtendedKeyUsage)(netstrm_t *pThis, int ChkExtendedKeyUsage);
+ 	rsRetVal (*SetDrvrPrioritizeSAN)(netstrm_t *pThis, int prioritizeSan);
+diff --git a/runtime/nsd.h b/runtime/nsd.h
+index e862348fd6..eecffed05e 100644
+--- a/runtime/nsd.h
+++ b/runtime/nsd.h
+@@ -84,8 +84,8 @@ BEGINinterface(nsd) /* name must also be changed in ENDinterface macro! */
+ 	rsRetVal (*SetKeepAliveTime)(nsd_t *pThis, int keepAliveTime);
+ 	rsRetVal (*SetGnutlsPriorityString)(nsd_t *pThis, uchar *gnutlsPriorityString);
+ 	/* v12 -- parameter pszLstnPortFileName added to LstnInit()*/
+-	rsRetVal (*LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-				 uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName);
+	rsRetVal (ATTR_NONNULL(1,3,5) *LstnInit)(netstrms_t *pNS, void *pUsr, rsRetVal(*)(void*,netstrm_t*),
+			 const int iSessMax, const tcpLstnParams_t *const cnf_params);
+ 	/* v13 -- two new binary flags added to gtls driver enabling stricter operation */
+ 	rsRetVal (*SetCheckExtendedKeyUsage)(nsd_t *pThis, int ChkExtendedKeyUsage);
+ 	rsRetVal (*SetPrioritizeSAN)(nsd_t *pThis, int prioritizeSan);
+diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
+index da90c2e096..55f6713d62 100644
+--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
+@@ -1692,14 +1692,13 @@ Abort(nsd_t *pNsd)
+  * a session, but not during listener setup.
+  * gerhards, 2008-04-25
+  */
+-static rsRetVal
+static rsRetVal ATTR_NONNULL(1,3,5)
+ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-	 uchar *pLstnPort, uchar *pLstnIP, int iSessMax,
+-	 uchar *pszLstnPortFileName)
+	 const int iSessMax, const tcpLstnParams_t *const cnf_params)
+ {
+ 	DEFiRet;
+ 	CHKiRet(gtlsGlblInitLstn());
+-	iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, iSessMax, pszLstnPortFileName);
+	iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params);
+ finalize_it:
+ 	RETiRet;
+ }
+@@ -1785,6 +1784,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
+ 		FINALIZE;
+ 	}
+ 	/* copy Properties to pnew first */
+dbgprintf("RGER: pThis %p pNew %p, authMode %d\n", pThis, pNew, pThis->authMode);
+ 	pNew->authMode = pThis->authMode;
+ 	pNew->permitExpiredCerts = pThis->permitExpiredCerts;
+ 	pNew->pPermPeers = pThis->pPermPeers;
+diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
+index 431ea738b8..79347916e4 100644
+--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
+@@ -1308,16 +1308,15 @@ Abort(nsd_t *pNsd)
+  */
+ static rsRetVal
+ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-	 uchar *pLstnPort, uchar *pLstnIP, int iSessMax, uchar *pszLstnPortFileName)
+	 const int iSessMax, const tcpLstnParams_t *const cnf_params)
+ {
+ 	DEFiRet;
+ 
+ 	dbgprintf("LstnInit for openssl: entering LstnInit (%p) for %s:%s SessMax=%d\n",
+-		fAddLstn, pLstnIP, pLstnPort, iSessMax);
+		fAddLstn, cnf_params->pszAddr, cnf_params->pszPort, iSessMax);
+ 
+ 	/* Init TCP Listener using base ptcp class */
+-	iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP,
+-			iSessMax, pszLstnPortFileName);
+	iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, iSessMax, cnf_params);
+ 	RETiRet;
+ }
+ 
+diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c
+index c35138fb7a..2f9e77ba03 100644
+--- a/runtime/nsd_ptcp.c
+++ b/runtime/nsd_ptcp.c
+@@ -474,10 +474,9 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
+  * number of sessions permitted.
+  * rgerhards, 2008-04-22
+  */
+-static rsRetVal
+static rsRetVal ATTR_NONNULL(1,3,5)
+ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+-	 uchar *pLstnPort, uchar *pLstnIP, int iSessMax,
+-	 uchar *pszLstnPortFileName)
+	 const int iSessMax, const tcpLstnParams_t *const cnf_params)
+ {
+ 	DEFiRet;
+ 	netstrm_t *pNewStrm = NULL;
+@@ -497,20 +496,20 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+ 
+ 	ISOBJ_TYPE_assert(pNS, netstrms);
+ 	assert(fAddLstn != NULL);
+-	assert(pLstnPort != NULL);
+	assert(cnf_params->pszPort != NULL);
+ 	assert(iSessMax >= 0);
+ 
+-	dbgprintf("creating tcp listen socket on port %s\n", pLstnPort);
+	dbgprintf("creating tcp listen socket on port %s\n", cnf_params->pszPort);
+ 
+ 	memset(&hints, 0, sizeof(hints));
+ 	hints.ai_flags = AI_PASSIVE;
+ 	hints.ai_family = glbl.GetDefPFFamily();
+ 	hints.ai_socktype = SOCK_STREAM;
+ 
+-	error = getaddrinfo((char*)pLstnIP, (char*) pLstnPort, &hints, &res);
+	error = getaddrinfo((const char*)cnf_params->pszAddr, (const char*) cnf_params->pszPort, &hints, &res);
+ 	if(error) {
+ 		LogError(0, RS_RET_INVALID_PORT, "error querying port '%s': %s",
+-			pLstnPort, gai_strerror(error));
+			cnf_params->pszAddr, gai_strerror(error));
+ 		ABORT_FINALIZE(RS_RET_INVALID_PORT);
+ 	}
+ 
+@@ -622,9 +621,9 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*),
+ 			r->ai_addrlen = socklen_r;
+ 			savecast.sa = (struct sockaddr*)r->ai_addr;
+ 			port_override = (isIPv6) ?  savecast.ipv6->sin6_port : savecast.ipv4->sin_port;
+-			if(pszLstnPortFileName != NULL) {
+			if(cnf_params->pszLstnPortFileName != NULL) {
+ 				FILE *fp;
+-				if((fp = fopen((const char*)pszLstnPortFileName, "w+")) == NULL) {
+				if((fp = fopen((const char*)cnf_params->pszLstnPortFileName, "w+")) == NULL) {
+ 					LogError(errno, RS_RET_IO_ERROR, "nsd_ptcp: ListenPortFileName: "
+ 							"error while trying to open file");
+ 					ABORT_FINALIZE(RS_RET_IO_ERROR);
+diff --git a/runtime/nsd_ptcp.h b/runtime/nsd_ptcp.h
+index 137b7c3ce7..1c91718c19 100644
+--- a/runtime/nsd_ptcp.h
+++ b/runtime/nsd_ptcp.h
+@@ -1,6 +1,6 @@
+ /* An implementation of the nsd interface for plain tcp sockets.
+  *
+- * Copyright 2007-2012 Adiscon GmbH.
+ * Copyright 2007-2020 Adiscon GmbH.
+  *
+  * This file is part of the rsyslog runtime library.
+  *
+@@ -23,6 +23,7 @@
+ #define INCLUDED_NSD_PTCP_H
+ 
+ #include <sys/socket.h>
+#include "tcpsrv.h"
+ 
+ #include "nsd.h"
+ typedef nsd_if_t nsd_ptcp_if_t; /* we just *implement* this interface */
+diff --git a/runtime/tcps_sess.c b/runtime/tcps_sess.c
+index 58528c81ec..845e944582 100644
+--- a/runtime/tcps_sess.c
+++ b/runtime/tcps_sess.c
+@@ -194,8 +194,8 @@ SetLstnInfo(tcps_sess_t *pThis, tcpLstnPortList_t *pLstnInfo)
+ 	assert(pLstnInfo != NULL);
+ 	pThis->pLstnInfo = pLstnInfo;
+ 	/* set cached elements */
+-	pThis->bSuppOctetFram = pLstnInfo->bSuppOctetFram;
+-	pThis->bSPFramingFix = pLstnInfo->bSPFramingFix;
+	pThis->bSuppOctetFram = pLstnInfo->cnf_params->bSuppOctetFram;
+	pThis->bSPFramingFix = pLstnInfo->cnf_params->bSPFramingFix;
+ 	RETiRet;
+ }
+ 
+@@ -235,6 +235,7 @@ defaultDoSubmitMessage(tcps_sess_t *pThis, struct syslogTime *stTime, time_t ttG
+ 	DEFiRet;
+ 
+ 	ISOBJ_TYPE_assert(pThis, tcps_sess);
+	const tcpLstnParams_t *const cnf_params = pThis->pLstnInfo->cnf_params;
+ 	
+ 	if(pThis->iMsg == 0) {
+ 		DBGPRINTF("discarding zero-sized message\n");
+@@ -249,15 +250,15 @@ defaultDoSubmitMessage(tcps_sess_t *pThis, struct syslogTime *stTime, time_t ttG
+ 	/* we now create our own message object and submit it to the queue */
+ 	CHKiRet(msgConstructWithTime(&pMsg, stTime, ttGenTime));
+ 	MsgSetRawMsg(pMsg, (char*)pThis->pMsg, pThis->iMsg);
+-	MsgSetInputName(pMsg, pThis->pLstnInfo->pInputName);
+-	if(pThis->pLstnInfo->dfltTZ[0] != '\0')
+-		MsgSetDfltTZ(pMsg, (char*) pThis->pLstnInfo->dfltTZ);
+	MsgSetInputName(pMsg, cnf_params->pInputName);
+	if(cnf_params->dfltTZ[0] != '\0')
+		MsgSetDfltTZ(pMsg, (char*) cnf_params->dfltTZ);
+ 	MsgSetFlowControlType(pMsg, pThis->pSrv->bUseFlowControl
+ 			            ? eFLOWCTL_LIGHT_DELAY : eFLOWCTL_NO_DELAY);
+ 	pMsg->msgFlags  = NEEDS_PARSING | PARSE_HOSTNAME;
+ 	MsgSetRcvFrom(pMsg, pThis->fromHost);
+ 	CHKiRet(MsgSetRcvFromIP(pMsg, pThis->fromHostIP));
+-	MsgSetRuleset(pMsg, pThis->pLstnInfo->pRuleset);
+	MsgSetRuleset(pMsg, cnf_params->pRuleset);
+ 
+ 	STATSCOUNTER_INC(pThis->pLstnInfo->ctrSubmit, pThis->pLstnInfo->mutCtrSubmit);
+ 	ratelimitAddMsg(pThis->pLstnInfo->ratelimiter, pMultiSub, pMsg);
+diff --git a/runtime/tcpsrv.c b/runtime/tcpsrv.c
+index 76a50357c3..ab9573e5b8 100644
+--- a/runtime/tcpsrv.c
+++ b/runtime/tcpsrv.c
+@@ -123,9 +123,7 @@ static int wrkrRunning;
+  * rgerhards, 2009-05-21
+  */
+ static rsRetVal ATTR_NONNULL(1, 2)
+-addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+-	const int bSuppOctetFram, const uchar *const pszAddr,
+-	const uchar *const pszLstnPortFileName)
+addNewLstnPort(tcpsrv_t *const pThis, tcpLstnParams_t *const cnf_params)
+ {
+ 	tcpLstnPortList_t *pEntry;
+ 	uchar statname[64];
+@@ -135,25 +133,17 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+ 
+ 	/* create entry */
+ 	CHKmalloc(pEntry = (tcpLstnPortList_t*)calloc(1, sizeof(tcpLstnPortList_t)));
+-	CHKmalloc(pEntry->pszPort = ustrdup(pszPort));
+	pEntry->cnf_params = cnf_params;
+ 
+-	pEntry->pszAddr = NULL;
+-	/* only if a bind adress is defined copy it in struct */
+-	if (pszAddr != NULL) {
+-		CHKmalloc(pEntry->pszAddr = ustrdup(pszAddr));
+-	}
+-
+-	strcpy((char*)pEntry->dfltTZ, (char*)pThis->dfltTZ);
+-	pEntry->bSPFramingFix = pThis->bSPFramingFix;
+	strcpy((char*)pEntry->cnf_params->dfltTZ, (char*)pThis->dfltTZ);
+	pEntry->cnf_params->bSPFramingFix = pThis->bSPFramingFix;
+	pEntry->cnf_params->pRuleset = pThis->pRuleset;
+ 	pEntry->pSrv = pThis;
+-	pEntry->pRuleset = pThis->pRuleset;
+-	pEntry->bSuppOctetFram = bSuppOctetFram;
+-	pEntry->pszLstnPortFileName = pszLstnPortFileName;
+ 
+ 	/* we need to create a property */
+-	CHKiRet(prop.Construct(&pEntry->pInputName));
+-	CHKiRet(prop.SetString(pEntry->pInputName, pThis->pszInputName, ustrlen(pThis->pszInputName)));
+-	CHKiRet(prop.ConstructFinalize(pEntry->pInputName));
+	CHKiRet(prop.Construct(&pEntry->cnf_params->pInputName));
+	CHKiRet(prop.SetString(pEntry->cnf_params->pInputName, pThis->pszInputName, ustrlen(pThis->pszInputName)));
+	CHKiRet(prop.ConstructFinalize(pEntry->cnf_params->pInputName));
+ 
+ 	/* support statistics gathering */
+ 	CHKiRet(ratelimitNew(&pEntry->ratelimiter, "tcperver", NULL));
+@@ -161,7 +151,7 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+ 	ratelimitSetThreadSafe(pEntry->ratelimiter);
+ 
+ 	CHKiRet(statsobj.Construct(&(pEntry->stats)));
+-	snprintf((char*)statname, sizeof(statname), "%s(%s)", pThis->pszInputName, pszPort);
+	snprintf((char*)statname, sizeof(statname), "%s(%s)", pThis->pszInputName, cnf_params->pszPort);
+ 	statname[sizeof(statname)-1] = '\0'; /* just to be on the save side... */
+ 	CHKiRet(statsobj.SetName(pEntry->stats, statname));
+ 	CHKiRet(statsobj.SetOrigin(pEntry->stats, pThis->pszOrigin));
+@@ -177,10 +167,8 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+ finalize_it:
+ 	if(iRet != RS_RET_OK) {
+ 		if(pEntry != NULL) {
+-			free(pEntry->pszAddr);
+-			free(pEntry->pszPort);
+-			if(pEntry->pInputName != NULL) {
+-				prop.Destruct(&pEntry->pInputName);
+			if(pEntry->cnf_params->pInputName != NULL) {
+				prop.Destruct(&pEntry->cnf_params->pInputName);
+ 			}
+ 			if(pEntry->ratelimiter != NULL) {
+ 				ratelimitDestruct(pEntry->ratelimiter);
+@@ -201,29 +189,25 @@ addNewLstnPort(tcpsrv_t *const pThis, const uchar *const pszPort,
+  * rgerhards, 2008-03-20
+  */
+ static rsRetVal ATTR_NONNULL(1,2)
+-configureTCPListen(tcpsrv_t *const pThis,
+-	const uchar *const pszPort,
+-	const int bSuppOctetFram,
+-	const uchar *const pszAddr,
+-	const uchar *const pszLstnPortFileName)
+configureTCPListen(tcpsrv_t *const pThis, tcpLstnParams_t *const cnf_params)
+ {
+	assert(cnf_params->pszPort != NULL);
+ 	int i;
+-	const uchar *pPort = pszPort;
+ 	DEFiRet;
+ 
+-	assert(pszPort != NULL);
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+ 
+ 	/* extract port */
+	const uchar *pPort = cnf_params->pszPort;
+ 	i = 0;
+ 	while(isdigit((int) *pPort)) {
+ 		i = i * 10 + *pPort++ - '0';
+ 	}
+ 
+ 	if(i >= 0 && i <= 65535) {
+-		CHKiRet(addNewLstnPort(pThis, pszPort, bSuppOctetFram, pszAddr, pszLstnPortFileName));
+		CHKiRet(addNewLstnPort(pThis, cnf_params));
+ 	} else {
+-		LogError(0, NO_ERRCODE, "Invalid TCP listen port %s - ignored.\n", pszPort);
+		LogError(0, NO_ERRCODE, "Invalid TCP listen port %s - ignored.\n", cnf_params->pszPort);
+ 	}
+ 
+ finalize_it:
+@@ -331,8 +315,11 @@ deinit_tcp_listener(tcpsrv_t *const pThis)
+ 	/* free list of tcp listen ports */
+ 	pEntry = pThis->pLstnPorts;
+ 	while(pEntry != NULL) {
+-		free(pEntry->pszPort);
+-		prop.Destruct(&pEntry->pInputName);
+		prop.Destruct(&pEntry->cnf_params->pInputName);
+		free((void*)pEntry->cnf_params->pszPort);
+		free((void*)pEntry->cnf_params->pszAddr);
+		free((void*)pEntry->cnf_params->pszLstnPortFileName);
+		free((void*)pEntry->cnf_params);
+ 		ratelimitDestruct(pEntry->ratelimiter);
+ 		statsobj.Destruct(&(pEntry->stats));
+ 		pDel = pEntry;
+@@ -373,22 +360,21 @@ addTcpLstn(void *pUsr, netstrm_t *pLstn)
+ 
+ 
+ /* Initialize TCP listener socket for a single port
+ * Note: at this point, TLS vs. non-TLS does not matter; TLS params are
+ * set on connect!
+  * rgerhards, 2009-05-21
+  */
+ static rsRetVal
+ initTCPListener(tcpsrv_t *pThis, tcpLstnPortList_t *pPortEntry)
+ {
+ 	DEFiRet;
+-	uchar *TCPLstnPort;
+ 
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+ 	assert(pPortEntry != NULL);
+ 
+-	TCPLstnPort = pPortEntry->pszPort;
+-
+ 	// pPortEntry->pszAddr = NULL ==> bind to all interfaces
+-	CHKiRet(netstrm.LstnInit(pThis->pNS, (void*)pPortEntry, addTcpLstn, TCPLstnPort,
+-		pPortEntry->pszAddr, pThis->iSessMax, (uchar*)pPortEntry->pszLstnPortFileName));
+	CHKiRet(netstrm.LstnInit(pThis->pNS, (void*)pPortEntry, addTcpLstn,
+		pThis->iSessMax, pPortEntry->cnf_params));
+ 
+ finalize_it:
+ 	RETiRet;
+@@ -408,11 +394,12 @@ create_tcp_socket(tcpsrv_t *pThis)
+ 	/* init all configured ports */
+ 	pEntry = pThis->pLstnPorts;
+ 	while(pEntry != NULL) {
+dbgprintf("RGER: configuring listener %p\n", pEntry);
+ 		localRet = initTCPListener(pThis, pEntry);
+ 		if(localRet != RS_RET_OK) {
+ 			LogError(0, localRet, "Could not create tcp listener, ignoring port "
+-			"%s bind-address %s.", pEntry->pszPort,
+-			(pEntry->pszAddr == NULL) ? "(null)" : (const char*)pEntry->pszAddr);
+			"%s bind-address %s.", pEntry->cnf_params->pszPort,
+			(pEntry->cnf_params->pszAddr == NULL) ? "(null)" : (const char*)pEntry->cnf_params->pszAddr);
+ 		}
+ 		pEntry = pEntry->pNext;
+ 	}
+@@ -1236,15 +1223,6 @@ SetGnutlsPriorityString(tcpsrv_t *pThis, uchar *iVal)
+ 	RETiRet;
+ }
+ 
+-static rsRetVal
+-SetLstnPortFileName(tcpsrv_t *pThis, uchar *iVal)
+-{
+-	DEFiRet;
+-	DBGPRINTF("tcpsrv: LstnPortFileName set to %s\n",
+-		(iVal == NULL) ? "(null)" : (const char*) iVal);
+-	pThis->pszLstnPortFileName = iVal;
+-	RETiRet;
+-}
+ 
+ static rsRetVal
+ SetOnMsgReceive(tcpsrv_t *pThis, rsRetVal (*OnMsgReceive)(tcps_sess_t*, uchar*, int))
+@@ -1309,6 +1287,7 @@ SetDfltTZ(tcpsrv_t *const pThis, uchar *const tz)
+ {
+ 	DEFiRet;
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+dbgprintf("dfltTZ prev: %s\n", pThis->dfltTZ);
+ 	strncpy((char*)pThis->dfltTZ, (char*)tz, sizeof(pThis->dfltTZ));
+ 	pThis->dfltTZ[sizeof(pThis->dfltTZ)-1] = '\0';
+ 	RETiRet;
+@@ -1557,7 +1536,6 @@ CODESTARTobjQueryInterface(tcpsrv)
+ 	pIf->SetKeepAliveProbes = SetKeepAliveProbes;
+ 	pIf->SetKeepAliveTime = SetKeepAliveTime;
+ 	pIf->SetGnutlsPriorityString = SetGnutlsPriorityString;
+-	pIf->SetLstnPortFileName = SetLstnPortFileName;
+ 	pIf->SetUsrP = SetUsrP;
+ 	pIf->SetInputName = SetInputName;
+ 	pIf->SetOrigin = SetOrigin;
+diff --git a/runtime/tcpsrv.h b/runtime/tcpsrv.h
+index db5a1d110a..bae7e3b8b9 100644
+--- a/runtime/tcpsrv.h
+++ b/runtime/tcpsrv.h
+@@ -1,6 +1,6 @@
+ /* Definitions for tcpsrv class.
+  *
+- * Copyright 2008-2015 Adiscon GmbH.
+ * Copyright 2008-2020 Adiscon GmbH.
+  *
+  * This file is part of rsyslog.
+  *
+@@ -23,6 +23,7 @@
+ 
+ #include "obj.h"
+ #include "prop.h"
+#include "net.h"
+ #include "tcps_sess.h"
+ #include "statsobj.h"
+ 
+@@ -34,19 +35,24 @@ typedef enum ETCPsyslogFramingAnomaly {
+ } eTCPsyslogFramingAnomaly;
+ 
+ 
+/* config parameters for TCP listeners */
+struct tcpLstnParams_s {
+	const uchar *pszPort;			/**< the ports the listener shall listen on */
+	const uchar *pszAddr;                 /**< the addrs the listener shall listen on */
+	sbool bSuppOctetFram;	/**< do we support octect-counted framing? (if no->legay only!)*/
+	sbool bSPFramingFix;	/**< support work-around for broken Cisco ASA framing? */
+	const uchar *pszLstnPortFileName;	/**< File in which the dynamic port is written */
+	prop_t *pInputName;
+	ruleset_t *pRuleset;		/**< associated ruleset */
+	uchar dfltTZ[8];		/**< default TZ if none in timestamp; '\0' =No Default */
+};
+
+ /* list of tcp listen ports */
+ struct tcpLstnPortList_s {
+-	uchar *pszPort;			/**< the ports the listener shall listen on */
+-	uchar *pszAddr;                 /**< the addrs the listener shall listen on */
+-	prop_t *pInputName;
+	tcpLstnParams_t *cnf_params;	/**< listener config parameters */
+ 	tcpsrv_t *pSrv;			/**< pointer to higher-level server instance */
+-	ruleset_t *pRuleset;		/**< associated ruleset */
+ 	statsobj_t *stats;		/**< associated stats object */
+-	sbool bSuppOctetFram;	/**< do we support octect-counted framing? (if no->legay only!)*/
+ 	ratelimit_t *ratelimiter;
+-	uchar dfltTZ[8];		/**< default TZ if none in timestamp; '\0' =No Default */
+-	sbool bSPFramingFix;	/**< support work-around for broken Cisco ASA framing? */
+-	const uchar *pszLstnPortFileName;	/**< File in which the dynamic port is written */
+ 	STATSCOUNTER_DEF(ctrSubmit, mutCtrSubmit)
+ 	tcpLstnPortList_t *pNext;	/**< next port or NULL */
+ };
+@@ -130,8 +136,7 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! */
+ 	rsRetVal (*Construct)(tcpsrv_t **ppThis);
+ 	rsRetVal (*ConstructFinalize)(tcpsrv_t __attribute__((unused)) *pThis);
+ 	rsRetVal (*Destruct)(tcpsrv_t **ppThis);
+-	rsRetVal (*ATTR_NONNULL(1,2) configureTCPListen)(tcpsrv_t*,
+-		const uchar *pszPort, int bSuppOctetFram, const uchar *pszAddr, const uchar *);
+	rsRetVal (*ATTR_NONNULL(1,2) configureTCPListen)(tcpsrv_t*, tcpLstnParams_t *const cnf_params);
+ 	rsRetVal (*create_tcp_socket)(tcpsrv_t *pThis);
+ 	rsRetVal (*Run)(tcpsrv_t *pThis);
+ 	/* set methods */
+@@ -188,8 +193,6 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! */
+ 	rsRetVal (*SetGnutlsPriorityString)(tcpsrv_t*, uchar*);
+ 	/* added v21 -- Preserve case in fromhost, 2018-08-16 */
+ 	rsRetVal (*SetPreserveCase)(tcpsrv_t *pThis, int bPreserveCase);
+-	/* added v22 -- File for dynamic Port, 2018-08-29 */
+-	rsRetVal (*SetLstnPortFileName)(tcpsrv_t*, uchar*);
+ 	/* added v23 -- Options for stricter driver behavior, 2019-08-16 */
+ 	rsRetVal (*SetDrvrCheckExtendedKeyUsage)(tcpsrv_t *pThis, int ChkExtendedKeyUsage);
+ 	rsRetVal (*SetDrvrPrioritizeSAN)(tcpsrv_t *pThis, int prioritizeSan);
+diff --git a/runtime/typedefs.h b/runtime/typedefs.h
+index 06f5c25a8c..000b4da4fe 100644
+--- a/runtime/typedefs.h
+++ b/runtime/typedefs.h
+@@ -123,6 +123,7 @@ typedef int rs_size_t; /* we do never need more than 2Gig strings, signed permit
+ typedef rsRetVal (*prsf_t)(struct vmstk_s*, int);	/* pointer to a RainerScript function */
+ typedef uint64 qDeqID;	/* queue Dequeue order ID. 32 bits is considered dangerously few */
+ 
+typedef struct tcpLstnParams_s tcpLstnParams_t;
+ typedef struct tcpLstnPortList_s tcpLstnPortList_t; // TODO: rename?
+ typedef struct strmLstnPortList_s strmLstnPortList_t; // TODO: rename?
+ typedef struct actWrkrIParams actWrkrIParams_t;
--- a/SOURCES/rsyslog-8.2102.0-nsd_ossl-better-logs.patch
+++ b/SOURCES/rsyslog-8.2102.0-nsd_ossl-better-logs.patch
@ -0,0 +1,124 @@
+diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
+index e55b014b2c..431ea738b8 100644
+--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
+@@ -210,7 +210,8 @@ void osslLastSSLErrorMsg(int ret, SSL *ssl, int severity, const char* pszCallSou
+ 
+ 	/* Loop through ERR_get_error */
+ 	while ((un_error = ERR_get_error()) > 0){
+-		LogMsg(0, RS_RET_NO_ERRCODE, severity, "OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
+		LogMsg(0, RS_RET_NO_ERRCODE, severity,
+			"nsd_ossl:OpenSSL Error Stack: %s", ERR_error_string(un_error, NULL) );
+ 	}
+ }
+ 
+@@ -721,9 +722,10 @@ osslChkPeerFingerprint(nsd_ossl_t *pThis, X509 *pCert)
+ 		if(pThis->bReportAuthErr == 1) {
+ 			errno = 0;
+ 			LogError(0, RS_RET_INVALID_FINGERPRINT,
+-			"nsd_ossl:error:"
+-			" peer fingerprint '%s' unknown - we are "
+-			"not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
+				"nsd_ossl:error: peer fingerprint '%s' unknown - we are "
+				"not permitted to talk to it", cstrGetSzStrNoNULL(pstrFingerprint));
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+				"nsd_ossl:TLS session terminated with remote syslog server.");
+ 			pThis->bReportAuthErr = 0;
+ 		}
+ 		ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
+@@ -834,8 +836,10 @@ osslChkPeerName(nsd_ossl_t *pThis, X509 *pCert)
+ 			cstrFinalize(pStr);
+ 			errno = 0;
+ 			LogError(0, RS_RET_INVALID_FINGERPRINT, "nsd_ossl:error: peer name not authorized -  "
+-					"not permitted to talk to it. Names: %s",
+-					cstrGetSzStrNoNULL(pStr));
+				"not permitted to talk to it. Names: %s",
+				cstrGetSzStrNoNULL(pStr));
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+				"nsd_ossl:TLS session terminated with remote syslog server.");
+ 			pThis->bReportAuthErr = 0;
+ 		}
+ 		ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
+@@ -871,8 +875,10 @@ osslChkPeerID(nsd_ossl_t *pThis)
+ 		if(pThis->bReportAuthErr == 1) {
+ 			errno = 0;
+ 			LogError(0, RS_RET_TLS_NO_CERT, "nsd_ossl:error: peer did not provide a certificate, "
+-					"not permitted to talk to it");
+				"not permitted to talk to it");
+ 			pThis->bReportAuthErr = 0;
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+				"nsd_ossl:TLS session terminated with remote syslog server.");
+ 		}
+ 		ABORT_FINALIZE(RS_RET_TLS_NO_CERT);
+ 	}
+@@ -905,15 +911,19 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
+ 		if (iVerErr == X509_V_ERR_CERT_HAS_EXPIRED) {
+ 			if (pThis->permitExpiredCerts == OSSL_EXPIRED_DENY) {
+ 				LogError(0, RS_RET_CERT_EXPIRED,
+-					"nsd_ossl:CertValidity check"
+-"- not permitted to talk to peer: certificate expired: %s",
+					"nsd_ossl:CertValidity check - not permitted to talk to peer: "
+					"certificate expired: %s",
+ 					X509_verify_cert_error_string(iVerErr));
+				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+					"nsd_ossl:TLS session terminated with remote syslog server.");
+ 				ABORT_FINALIZE(RS_RET_CERT_EXPIRED);
+ 			} else if (pThis->permitExpiredCerts == OSSL_EXPIRED_WARN) {
+ 				LogMsg(0, RS_RET_NO_ERRCODE, LOG_WARNING,
+-					"nsd_ossl:CertValidity check"
+-"- warning talking to peer: certificate expired: %s",
+					"nsd_ossl:CertValidity check - warning talking to peer: "
+					"certificate expired: %s",
+ 					X509_verify_cert_error_string(iVerErr));
+				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+					"nsd_ossl:TLS session terminated with remote syslog server.");
+ 			} else {
+ 				dbgprintf("osslChkPeerCertValidity: talking to peer: certificate expired: %s\n",
+ 					X509_verify_cert_error_string(iVerErr));
+@@ -921,6 +931,8 @@ osslChkPeerCertValidity(nsd_ossl_t *pThis)
+ 		} else {
+ 			LogError(0, RS_RET_CERT_INVALID, "nsd_ossl:not permitted to talk to peer: "
+ 				"certificate validation failed: %s", X509_verify_cert_error_string(iVerErr));
+			LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+				"nsd_ossl:TLS session terminated with remote syslog server.");
+ 			ABORT_FINALIZE(RS_RET_CERT_INVALID);
+ 		}
+ 	} else {
+@@ -1384,7 +1396,7 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
+ 	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ 	if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
+ 		LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
+-"No shared curve between syslog client and server.");
+		"No shared curve between syslog client and server.");
+ 	}
+ 	#endif
+ 	sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
+@@ -1446,8 +1458,6 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
+ 				resErr == SSL_ERROR_WANT_WRITE) {
+ 				pNsd->rtryCall = osslRtry_handshake;
+ 				pNsd->rtryOsslErr = resErr; /* Store SSL ErrorCode into*/
+-				LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
+-"TLS handshake failed between syslog client and server.");
+ 				dbgprintf("osslHandshakeCheck: OpenSSL Client handshake does not complete "
+ 					"immediately - setting to retry (this is OK and normal)\n");
+ 				FINALIZE;
+@@ -1458,6 +1468,8 @@ osslHandshakeCheck(nsd_ossl_t *pNsd)
+ 				ABORT_FINALIZE(RS_RET_NO_ERRCODE /*RS_RET_RETRY*/);
+ 			} else {
+ 				osslLastSSLErrorMsg(res, pNsd->ssl, LOG_ERR, "osslHandshakeCheck Client");
+				LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO,
+					"nsd_ossl:TLS session terminated with remote syslog server.");
+ 				ABORT_FINALIZE(RS_RET_NO_ERRCODE);
+ 			}
+ 		}
+@@ -1738,8 +1750,8 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host, char *device)
+ 	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+ 	dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
+ 
+-	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl:"
+-"TLS Connection initiated with remote syslog server.");
+	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
+		"TLS Connection initiated with remote syslog server.");
+ 	/*if we reach this point we are in tls mode */
+ 	DBGPRINTF("Connect: TLS Mode\n");
+ 	if(!(pThis->ssl = SSL_new(ctx))) {
--- a/SOURCES/rsyslog-8.2102.0-nsd_ossl-memory-leak.patch
+++ b/SOURCES/rsyslog-8.2102.0-nsd_ossl-memory-leak.patch
@ -0,0 +1,25 @@
+diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
+index 79347916e4..69ec57af09 100644
+--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
+@@ -1821,11 +1821,8 @@ BIO_set_nbio( conn, 1 );
+ }
+ 
+ 
+-/* Empty wrapper for GNUTLS helper function
+- * TODO: implement a similar capability
+- */
+ static rsRetVal
+-SetGnutlsPriorityString(__attribute__((unused)) nsd_t *pNsd, __attribute__((unused)) uchar *gnutlsPriorityString)
+SetGnutlsPriorityString(nsd_t *const pNsd, uchar *const gnutlsPriorityString)
+ {
+ 	DEFiRet;
+ 	nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
+@@ -1905,6 +1902,7 @@ SetGnutlsPriorityString(__attribute__((unused)) nsd_t *pNsd, __attribute__((unus
+ 						pThis->gnutlsPriorityString);
+ 				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+ 			}
+			SSL_CONF_CTX_free(cctx);
+ 		}
+ #else
+ 		dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
--- a/SOURCES/rsyslog-8.2102.0-rhbz1832368-prioritize-SAN.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1832368-prioritize-SAN.patch
@ -0,0 +1,11 @@
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.orig rsyslog-8.2102.0/runtime/nsd_gtls.c
+--- rsyslog-8.2102.0/runtime/nsd_gtls.c.orig	2021-11-22 09:33:25.501668376 +0100
+++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2021-11-22 09:34:18.423642573 +0100
+@@ -1791,6 +1791,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
+ 	pNew->gnutlsPriorityString = pThis->gnutlsPriorityString;
+ 	pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
+ 	pNew->dataTypeCheck = pThis->dataTypeCheck;
+	pNew->bSANpriority = pThis->bSANpriority;
+ 
+ 	/* if we reach this point, we are in TLS mode */
+ 	iRet = gtlsInitSession(pNew);
--- a/SOURCES/rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch
@ -0,0 +1,14 @@
+diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
+--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig	2021-06-28 09:05:23.283262154 +0200
+++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c	2021-06-28 09:10:05.858381106 +0200
+@@ -424,8 +424,8 @@ readjournal(void)
+ 				severity = cs.iDfltSeverity;
+ 			}
+ 		} else {
+-			LogError(0, RS_RET_ERR, "The value of the 'PRIORITY' field has an "
+-				"unexpected length: %zu\n", length);
+			DBGPRINTF("The value of the 'PRIORITY' field has an "
+				"unexpected length: %zu value: '%s'\n", length, (const char*)get);
+ 		}
+ 	}
+ 
--- a/SOURCES/rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch
@ -0,0 +1,21 @@
+diff -up rsyslog-8.2102.0/plugins/omrelp/omrelp.c.orig rsyslog-8.2102.0/plugins/omrelp/omrelp.c
+--- rsyslog-8.2102.0/plugins/omrelp/omrelp.c.orig	2021-06-15 12:46:14.758589030 +0200
+++ rsyslog-8.2102.0/plugins/omrelp/omrelp.c	2021-06-15 12:47:08.130516632 +0200
+@@ -303,7 +303,7 @@ ENDfreeCnf
+ BEGINcreateInstance
+ CODESTARTcreateInstance
+ 	pData->sizeWindow = 0;
+-	pData->timeout = 90;
+	pData->timeout = 5;
+ 	pData->connTimeout = 10;
+ 	pData->rebindInterval = 0;
+ 	pData->bEnableTLS = DFLT_ENABLE_TLS;
+@@ -365,7 +365,7 @@ setInstParamDefaults(instanceData *pData
+ 	pData->target = NULL;
+ 	pData->port = NULL;
+ 	pData->tplName = NULL;
+-	pData->timeout = 90;
+	pData->timeout = 5;
+ 	pData->connTimeout = 10;
+ 	pData->sizeWindow = 0;
+ 	pData->rebindInterval = 0;
--- a/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch
@ -0,0 +1,47 @@
+diff -up rsyslog-8.2102.0/doc/configuration/modules/imfile.html.state-file-leaking-doc rsyslog-8.2102.0/doc/configuration/modules/imfile.html
+--- rsyslog-8.2102.0/doc/configuration/modules/imfile.html.state-file-leaking-doc	2021-02-15 12:53:31.000000000 +0100
+++ rsyslog-8.2102.0/doc/configuration/modules/imfile.html	2022-03-29 10:35:07.187827004 +0200
+@@ -294,6 +294,28 @@ rsyslog needs write permissions to work
+ also might require SELinux definitions (or similar for other enhanced security
+ systems).</p>
+ </div>
+<div class="section" id="deletestateonfilemove">
+<h4>deleteStateOnFileMove<a class="headerlink" href="#deletestateonfilemove" title="Permalink to this headline">¶</a></h4>
+<table border="1" class="colwidths-auto parameter-table docutils">
+<thead valign="bottom">
+<tr class="row-odd"><th class="head">type</th>
+<th class="head">default</th>
+<th class="head">mandatory</th>
+<th class="head"><code class="docutils literal notranslate"><span class="pre">obsolete</span> <span class="pre">legacy</span></code> directive</th>
+</tr>
+</thead>
+<tbody valign="top">
+<tr class="row-even"><td>binary</td>
+<td>off</td>
+<td>no</td>
+<td>none</td>
+</tr>
+</tbody>
+</table>
+<p>This parameter controls if state files are deleted if their associated main file is rotated via move. Usually, this is a good idea, because otherwise state files are not deleted when log rotation occurs.</p>
+
+<p>However, there is one situation where not deleting associated state file after log rotation makes sense: this is the case if a monitored file is later moved back to the same location as it was before.</p>
+</div>
+ </div>
+ <div class="section" id="input-parameters">
+ <h3>Input Parameters<a class="headerlink" href="#input-parameters" title="Permalink to this headline">¶</a></h3>
+@@ -1214,6 +1236,7 @@ and Others.</p>
+ <li><a class="reference internal" href="#sortfiles">sortFiles</a></li>
+ <li><a class="reference internal" href="#pollinginterval">PollingInterval</a></li>
+ <li><a class="reference internal" href="#statefile-directory">statefile.directory</a></li>
+<li><a class="reference internal" href="#deletestateonfilemove">deleteStateOnFileMove</a></li>
+ </ul>
+ </li>
+ <li><a class="reference internal" href="#input-parameters">Input Parameters</a><ul>
+@@ -1311,4 +1334,4 @@ and Others.</p>
+     <div class="footer" role="contentinfo">
+     </div>
+   </body>
+-</html>
+\ No newline at end of file
+</html>
--- a/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch
@ -0,0 +1,162 @@
+diff -up rsyslog-8.2102.0/plugins/imfile/imfile.c.state-file-leaking rsyslog-8.2102.0/plugins/imfile/imfile.c
+--- rsyslog-8.2102.0/plugins/imfile/imfile.c.state-file-leaking	2021-01-18 11:21:14.000000000 +0100
+++ rsyslog-8.2102.0/plugins/imfile/imfile.c	2022-03-28 12:51:03.572554843 +0200
+@@ -259,6 +259,7 @@ struct modConfData_s {
+ 				   Must be manually reset to 0 if desired. Helper for
+ 				   polling mode.
+ 				 */
+	sbool deleteStateOnFileMove;
+ };
+ static modConfData_t *loadModConf = NULL;/* modConf ptr to use for the current load process */
+ static modConfData_t *runModConf = NULL;/* modConf ptr to use for run process */
+@@ -305,7 +306,8 @@ static struct cnfparamdescr modpdescr[]
+ 	{ "sortfiles", eCmdHdlrBinary, 0 },
+ 	{ "statefile.directory", eCmdHdlrString, 0 },
+ 	{ "normalizepath", eCmdHdlrBinary, 0 },
+-	{ "mode", eCmdHdlrGetWord, 0 }
+	{ "mode", eCmdHdlrGetWord, 0 },
+	{ "deletestateonfilemove", eCmdHdlrBinary, 0 }
+ };
+ static struct cnfparamblk modpblk =
+ 	{ CNFPARAMBLK_VERSION,
+@@ -545,11 +547,20 @@ static int
+ in_setupWatch(act_obj_t *const act, const int is_file)
+ {
+ 	int wd = -1;
+	int flags;
+ 	if(runModConf->opMode != OPMODE_INOTIFY)
+ 		goto done;
+ 
+-	wd = inotify_add_watch(ino_fd, act->name,
+-		(is_file) ? IN_MODIFY|IN_DONT_FOLLOW : IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO);
+	// wd = inotify_add_watch(ino_fd, act->name,
+	// 	(is_file) ? IN_MODIFY|IN_DONT_FOLLOW : IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO);
+	if(is_file)
+		flags = IN_MODIFY|IN_DONT_FOLLOW;
+	else if(runModConf->deleteStateOnFileMove)
+		flags = IN_CREATE|IN_DELETE|IN_MOVED_TO;
+	else
+		flags = IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO;
+	wd = inotify_add_watch(ino_fd, act->name, flags);
+
+ 	if(wd < 0) {
+ 		if (errno == EACCES) { /* There is high probability of selinux denial on top-level paths */
+ 			DBGPRINTF("imfile: permission denied when adding watch for '%s'\n", act->name);
+@@ -713,7 +724,7 @@ act_obj_add(fs_edge_t *const edge, const
+ 	char basename[MAXFNAME];
+ 	DEFiRet;
+ 	int fd = -1;
+-	
+
+ 	DBGPRINTF("act_obj_add: edge %p, name '%s' (source '%s')\n", edge, name, source? source : "---");
+ 	for(act = edge->active ; act != NULL ; act = act->next) {
+ 		if(!strcmp(act->name, name)) {
+@@ -977,9 +988,18 @@ act_obj_destroy(act_obj_t *const act, co
+ 	if(act == NULL)
+ 		return;
+ 
+-	DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n",
+-		act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted,
+-		act->in_move);
+	// DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n",
+	// 	act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted,
+	// 	act->in_move);
+	if (runModConf->deleteStateOnFileMove) {
+		DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d\n",
+			act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted);
+	} else {
+		DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n",
+			act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm,
+			is_deleted, act->in_move);
+	}
+
+ 	if(act->is_symlink && is_deleted) {
+ 		act_obj_t *target_act;
+ 		for(target_act = act->edge->active ; target_act != NULL ; target_act = target_act->next) {
+@@ -996,13 +1016,15 @@ act_obj_destroy(act_obj_t *const act, co
+ 		pollFile(act); /* get any left-over data */
+ 		if(inst->bRMStateOnDel) {
+ 			statefn = getStateFileName(act, statefile, sizeof(statefile));
+-			getFullStateFileName(statefn, "", toDel, sizeof(toDel)); // TODO: check!
+			// getFullStateFileName(statefn, "", toDel, sizeof(toDel)); // TODO: check!
+			getFullStateFileName(statefn, act->file_id, toDel, sizeof(toDel)); // TODO: check!
+ 			statefn = toDel;
+ 		}
+ 		persistStrmState(act);
+ 		strm.Destruct(&act->pStrm);
+ 		/* we delete state file after destruct in case strm obj initiated a write */
+-		if(is_deleted && !act->in_move && inst->bRMStateOnDel) {
+		// if(is_deleted && !act->in_move && inst->bRMStateOnDel) {
+		if(is_deleted && inst->bRMStateOnDel && (runModConf->deleteStateOnFileMove || !act->in_move)) {
+ 			DBGPRINTF("act_obj_destroy: deleting state file %s\n", statefn);
+ 			unlink((char*)statefn);
+ 		}
+@@ -1012,6 +1034,7 @@ act_obj_destroy(act_obj_t *const act, co
+ 	}
+ 	#ifdef HAVE_INOTIFY_INIT
+ 	if(act->wd != -1) {
+		inotify_rm_watch(ino_fd, act->wd);
+ 		wdmapDel(act->wd);
+ 	}
+ 	#endif
+@@ -2026,6 +2049,7 @@ CODESTARTbeginCnfLoad
+ 	loadModConf->timeoutGranularity = 1000; /* default: 1 second */
+ 	loadModConf->haveReadTimeouts = 0; /* default: no timeout */
+ 	loadModConf->normalizePath = 1;
+	loadModConf->deleteStateOnFileMove = 0;
+ 	loadModConf->sortFiles = GLOB_NOSORT;
+ 	loadModConf->stateFileDirectory = NULL;
+ 	loadModConf->conf_tree = calloc(sizeof(fs_node_t), 1);
+@@ -2085,6 +2109,8 @@ CODESTARTsetModCnf
+ 			loadModConf->stateFileDirectory = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(modpblk.descr[i].name, "normalizepath")) {
+ 			loadModConf->normalizePath = (sbool) pvals[i].val.d.n;
+		} else if(!strcmp(modpblk.descr[i].name, "deletestateonfilemove")) {
+			loadModConf->deleteStateOnFileMove = (sbool) pvals[i].val.d.n;
+ 		} else if(!strcmp(modpblk.descr[i].name, "mode")) {
+ 			if(!es_strconstcmp(pvals[i].val.d.estr, "polling"))
+ 				loadModConf->opMode = OPMODE_POLLING;
+@@ -2388,16 +2414,35 @@ in_processEvent(struct inotify_event *ev
+ 	DBGPRINTF("in_processEvent process Event %x is_file %d, act->name '%s'\n",
+ 		ev->mask, etry->act->edge->is_file, etry->act->name);
+ 
+-	if((ev->mask & IN_MOVED_FROM)) {
+-		flag_in_move(etry->act->edge->node->edges, ev->name);
+-	}
+-	if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO))  {
+-		fs_node_walk(etry->act->edge->node, poll_tree);
+-	} else if(etry->act->edge->is_file && !(etry->act->is_symlink)) {
+-		in_handleFileEvent(ev, etry); // esentially poll_file()!
+	// if((ev->mask & IN_MOVED_FROM)) {
+	// 	flag_in_move(etry->act->edge->node->edges, ev->name);
+	// }
+	// if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO))  {
+	// 	fs_node_walk(etry->act->edge->node, poll_tree);
+	// } else if(etry->act->edge->is_file && !(etry->act->is_symlink)) {
+	// 	in_handleFileEvent(ev, etry); // esentially poll_file()!
+	// } else {
+	// 	fs_node_walk(etry->act->edge->node, poll_tree);
+	// }
+	if(!runModConf->deleteStateOnFileMove) {
+		if((ev->mask & IN_MOVED_FROM)) {
+			flag_in_move(etry->act->edge->node->edges, ev->name);
+		}
+		if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO))  {
+			fs_node_walk(etry->act->edge->node, poll_tree);
+		} else if(etry->act->edge->is_file && !(etry->act->is_symlink)) {
+			in_handleFileEvent(ev, etry); // esentially poll_file()!
+		} else {
+			fs_node_walk(etry->act->edge->node, poll_tree);
+		}
+ 	} else {
+-		fs_node_walk(etry->act->edge->node, poll_tree);
+		if((ev->mask & IN_MODIFY) && etry->act->edge->is_file && !(etry->act->is_symlink)) {
+			in_handleFileEvent(ev, etry); // esentially poll_file()!
+		} else {
+			fs_node_walk(etry->act->edge->node, poll_tree);
+		}
+ 	}
+
+ done:	return;
+ }
+ 
--- a/SOURCES/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch
@ -0,0 +1,20 @@
+diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
+--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig	2021-06-15 12:30:35.238832058 +0200
+++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c	2021-06-15 12:32:04.699721356 +0200
+@@ -565,6 +565,8 @@ persistJournalState(void)
+ 		ABORT_FINALIZE(RS_RET_IO_ERROR);
+ 	}
+ 
+	fflush(sf);
+
+ 	/* change the name of the file to the configured one */
+ 	if (rename(tmp_sf, cs.stateFile) < 0) {
+ 		LogError(errno, iRet, "imjournal: rename() failed for new path: '%s'", cs.stateFile);
+@@ -586,6 +588,7 @@ persistJournalState(void)
+ 			LogError(errno, RS_RET_IO_ERROR, "imjournal: fsync on '%s' failed", glbl.GetWorkDir());
+ 			ABORT_FINALIZE(RS_RET_IO_ERROR);
+ 		}
+		closedir(wd);
+ 	}
+ 
+ 	DBGPRINTF("Persisted journal to '%s'\n", cs.stateFile);
--- a/SOURCES/rsyslog-8.2102.0-rhbz1962318-errfile-maxsize.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1962318-errfile-maxsize.patch
@ -0,0 +1,190 @@
+--- rsyslog-8.2102.0/action.c	2021-02-15 12:06:16.000000000 +0100
+++ rsyslog-8.2102.0-changes/action.c	2022-03-08 15:55:33.989525382 +0100
+@@ -198,6 +198,7 @@
+ 	{ "name", eCmdHdlrGetWord, 0 }, /* legacy: actionname */
+ 	{ "type", eCmdHdlrString, CNFPARAM_REQUIRED }, /* legacy: actionname */
+ 	{ "action.errorfile", eCmdHdlrString, 0 },
+	{ "action.errorfile.maxsize", eCmdHdlrInt, 0 },
+ 	{ "action.writeallmarkmessages", eCmdHdlrBinary, 0 }, /* legacy: actionwriteallmarkmessages */
+ 	{ "action.execonlyeverynthtime", eCmdHdlrInt, 0 }, /* legacy: actionexeconlyeverynthtime */
+ 	{ "action.execonlyeverynthtimetimeout", eCmdHdlrInt, 0 }, /* legacy: actionexeconlyeverynthtimetimeout */
+@@ -400,6 +401,8 @@
+ 	pThis->iResumeRetryCount = 0;
+ 	pThis->pszName = NULL;
+ 	pThis->pszErrFile = NULL;
+	pThis->maxErrFileSize = 0;
+	pThis->errFileWritten = 0;	
+ 	pThis->pszExternalStateFile = NULL;
+ 	pThis->fdErrFile = -1;
+ 	pThis->bWriteAllMarkMsgs = 1;
+@@ -1436,6 +1439,12 @@
+ 				pThis->pszName, pThis->pszErrFile);
+ 			goto done;
+ 		}
+		struct stat statbuf;
+		if (fstat(pThis->fdErrFile, &statbuf) == -1) {
+			LogError(errno, RS_RET_ERR, "failed to fstat %s", pThis->pszErrFile);
+			goto done;
+		}
+		pThis->errFileWritten += statbuf.st_size;
+ 	}
+ 
+ 	for(int i = 0 ; i < nparams ; ++i) {
+@@ -1454,16 +1463,26 @@
+ 		char *const rendered = strdup((char*)fjson_object_to_json_string(etry));
+ 		if(rendered == NULL)
+ 			goto done;
+-		const size_t toWrite = strlen(rendered) + 1;
+-		/* note: we use the '\0' inside the string to store a LF - we do not
+-		 * otherwise need it and it safes us a copy/realloc.
+-		 */
+-		rendered[toWrite-1] = '\n'; /* NO LONGER A STRING! */
+-		const ssize_t wrRet = write(pThis->fdErrFile, rendered, toWrite);
+-		if(wrRet != (ssize_t) toWrite) {
+-			LogError(errno, RS_RET_IO_ERROR,
+-				"action %s: error writing errorFile %s, write returned %lld",
+-				pThis->pszName, pThis->pszErrFile, (long long) wrRet);
+		size_t toWrite = strlen(rendered) + 1;
+		// Check if need to truncate the amount of bytes to write
+		if (pThis->maxErrFileSize > 0) {
+			if (pThis->errFileWritten + toWrite > pThis->maxErrFileSize) {
+				// Truncate to the pending available
+				toWrite = pThis->maxErrFileSize - pThis->errFileWritten;
+			}
+			pThis->errFileWritten += toWrite;
+		}
+		if(toWrite > 0) {
+			/* note: we use the '\0' inside the string to store a LF - we do not
+			 * otherwise need it and it safes us a copy/realloc.
+			 */
+			rendered[toWrite-1] = '\n'; /* NO LONGER A STRING! */
+			const ssize_t wrRet = write(pThis->fdErrFile, rendered, toWrite);
+			if(wrRet != (ssize_t) toWrite) {
+				LogError(errno, RS_RET_IO_ERROR,
+					"action %s: error writing errorFile %s, write returned %lld",
+					pThis->pszName, pThis->pszErrFile, (long long) wrRet);
+			}
+ 		}
+ 		free(rendered);
+ 
+@@ -2048,6 +2067,8 @@
+ 			continue; /* this is handled seperately during module select! */
+ 		} else if(!strcmp(pblk.descr[i].name, "action.errorfile")) {
+ 			pAction->pszErrFile = es_str2cstr(pvals[i].val.d.estr, NULL);
+		} else if(!strcmp(pblk.descr[i].name, "action.errorfile.maxsize")) {
+			pAction->maxErrFileSize = pvals[i].val.d.n;
+ 		} else if(!strcmp(pblk.descr[i].name, "action.externalstate.file")) {
+ 			pAction->pszExternalStateFile = es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(pblk.descr[i].name, "action.writeallmarkmessages")) {
+--- rsyslog-8.2102.0-ori/action.h	2020-10-03 19:06:47.000000000 +0200
+++ rsyslog-8.2102.0-changes/action.h	2022-03-04 11:36:47.024588972 +0100
+@@ -77,6 +77,8 @@
+ 	/* error file */
+ 	const char *pszErrFile;
+ 	int fdErrFile;
+	size_t maxErrFileSize;
+	size_t errFileWritten;
+ 	pthread_mutex_t mutErrFile;
+ 	/* external stat file system */
+ 	const char *pszExternalStateFile;
+--- rsyslog-8.2102.0-ori/tests/Makefile.am	2021-02-15 12:06:16.000000000 +0100
+++ rsyslog-8.2102.0-changes/tests/Makefile.am	2022-03-04 11:38:01.625095709 +0100
+@@ -695,7 +695,8 @@
+ 	mysql-actq-mt.sh \
+ 	mysql-actq-mt-withpause.sh \
+ 	action-tx-single-processing.sh \
+-	action-tx-errfile.sh
+	action-tx-errfile.sh \
+	action-tx-errfile-maxsize.sh
+ 
+ mysql-basic.log: mysqld-start.log
+ mysql-basic-cnf6.log: mysqld-start.log
+@@ -2156,6 +2157,8 @@
+ 	sndrcv_omudpspoof_nonstdpt.sh \
+ 	sndrcv_gzip.sh \
+ 	action-tx-single-processing.sh \
+	omfwd-errfile-maxsize.sh \
+	action-tx-errfile-maxsize.sh \
+ 	action-tx-errfile.sh \
+ 	testsuites/action-tx-errfile.result \
+ 	pipeaction.sh \
+--- rsyslog-8.2102.0-ori/tests/omfwd-errfile-maxsize.sh	1970-01-01 01:00:00.000000000 +0100
+++ rsyslog-8.2102.0-changes/tests/omfwd-errfile-maxsize.sh	2022-03-04 11:39:02.060506234 +0100
+@@ -0,0 +1,17 @@
+#!/bin/bash
+# part of the rsyslog project, released under ASL 2.0
+. ${srcdir:=.}/diag.sh init
+
+export MAX_ERROR_SIZE=1999
+
+generate_conf
+add_conf '
+action(type="omfwd" target="1.2.3.4" port="1234" Protocol="tcp" NetworkNamespace="doesNotExist"
+       action.errorfile="'$RSYSLOG2_OUT_LOG'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'")
+'
+startup
+shutdown_when_empty
+wait_shutdown
+check_file_exists ${RSYSLOG2_OUT_LOG}
+file_size_check ${RSYSLOG2_OUT_LOG} ${MAX_ERROR_SIZE}
+exit_test
+--- rsyslog-8.2102.0-ori/tests/action-tx-errfile-maxsize.sh	1970-01-01 01:00:00.000000000 +0100
+++ rsyslog-8.2102.0-changes/tests/action-tx-errfile-maxsize.sh	2022-03-04 11:59:22.592796989 +0100
+@@ -0,0 +1,35 @@
+#!/bin/bash
+# part of the rsyslog project, released under ASL 2.0
+
+. ${srcdir:=.}/diag.sh init
+
+export NUMMESSAGES=50 # enough to generate big file
+export MAX_ERROR_SIZE=100
+
+generate_conf
+add_conf '
+$ModLoad ../plugins/ommysql/.libs/ommysql
+global(errormessagestostderr.maxnumber="5")
+
+template(type="string" name="tpl" string="insert into SystemEvents (Message, Facility) values (\"%msg%\", %$!facility%)" option.sql="on")
+
+if((not($msg contains "error")) and ($msg contains "msgnum:")) then {
+	set $.num = field($msg, 58, 2);
+	if $.num % 2 == 0 then {
+		set $!facility = $syslogfacility;
+	} else {
+		set $/cntr = 0;
+	}
+	action(type="ommysql" name="mysql_action_errfile_maxsize" server="127.0.0.1" template="tpl"
+	       db="'$RSYSLOG_DYNNAME'" uid="rsyslog" pwd="testbench" action.errorfile="'$RSYSLOG2_OUT_LOG'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'")
+}
+'
+mysql_prep_for_test
+startup
+injectmsg
+shutdown_when_empty
+wait_shutdown
+mysql_get_data
+check_file_exists ${RSYSLOG2_OUT_LOG}
+file_size_check ${RSYSLOG2_OUT_LOG} ${MAX_ERROR_SIZE}
+exit_test
+--- rsyslog-8.2102.0/tests/omfwd-errfile-maxsize-filled.sh	1970-01-01 01:00:00.000000000 +0100
+++ rsyslog-8.2102.0-changes/tests/omfwd-errfile-maxsize-filled.sh	2022-03-08 16:24:01.174365289 +0100
+@@ -0,0 +1,19 @@
+#!/bin/bash
+# part of the rsyslog project, released under ASL 2.0
+. ${srcdir:=.}/diag.sh init
+ERRFILE=$(mktemp)
+export MAX_ERROR_SIZE=1999
+export INITIAL_FILE_SIZE=$((MAX_ERROR_SIZE - 100))
+dd if=/dev/urandom of=${ERRFILE}  bs=1 count=${INITIAL_FILE_SIZE}
+generate_conf
+add_conf '
+action(type="omfwd" target="1.2.3.4" port="1234" Protocol="tcp" NetworkNamespace="doesNotExist"
+       action.errorfile="'$ERRFILE'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'")
+'
+startup
+shutdown_when_empty
+wait_shutdown
+check_file_exists ${ERRFILE}
+file_size_check ${ERRFILE} ${MAX_ERROR_SIZE}
+exit_test
+rm ${ERRFILE}
--- a/SOURCES/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch
@ -0,0 +1,102 @@
+diff -up rsyslog-8.2102.0/runtime/cfsysline.c.orig rsyslog-8.2102.0/runtime/cfsysline.c
+--- rsyslog-8.2102.0/runtime/cfsysline.c.orig	2021-08-04 07:16:02.663163106 +0200
+++ rsyslog-8.2102.0/runtime/cfsysline.c	2021-08-04 07:18:05.952490008 +0200
+@@ -353,13 +353,8 @@ static rsRetVal doGetGID(uchar **pp, rsR
+ 	assert(*pp != NULL);
+ 
+ 	if(getSubString(pp, (char*) szName, sizeof(szName), ' ')  != 0) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "could not extract group name: %s\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "could not extract group name");
+-			ABORT_FINALIZE(RS_RET_NOT_FOUND);
+-		}
+		LogError(0, RS_RET_NOT_FOUND, "could not extract group name");
+		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+ 
+ 	do {
+@@ -380,10 +375,6 @@ static rsRetVal doGetGID(uchar **pp, rsR
+ 			LogError(0, RS_RET_NOT_FOUND, "ID for group '%s' could not be found", szName);
+ 		}
+ 		iRet = RS_RET_NOT_FOUND;
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "ID for group '%s' could not be found or error\n", szName);
+-			exit(1); /* good exit */
+-		}
+ 	} else {
+ 		if(pSetHdlr == NULL) {
+ 			/* we should set value directly to var */
+@@ -418,25 +409,15 @@ static rsRetVal doGetUID(uchar **pp, rsR
+ 	assert(*pp != NULL);
+ 
+ 	if(getSubString(pp, (char*) szName, sizeof(szName), ' ')  != 0) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "could not extract user name: %s\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "could not extract user name");
+-			ABORT_FINALIZE(RS_RET_NOT_FOUND);
+-		}
+		LogError(0, RS_RET_NOT_FOUND, "could not extract user name");
+		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+ 
+ 	getpwnam_r((char*)szName, &pwBuf, stringBuf, sizeof(stringBuf), &ppwBuf);
+ 
+ 	if(ppwBuf == NULL) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "ID for user '%s' could not be found or error\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName);
+-			iRet = RS_RET_NOT_FOUND;
+-		}
+		LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName);
+		iRet = RS_RET_NOT_FOUND;
+ 	} else {
+ 		if(pSetHdlr == NULL) {
+ 			/* we should set value directly to var */
+diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
+--- rsyslog-8.2102.0/runtime/glbl.c.orig	2021-08-04 07:18:19.301633677 +0200
+++ rsyslog-8.2102.0/runtime/glbl.c	2021-08-04 07:19:02.409019106 +0200
+@@ -210,7 +210,6 @@ static struct cnfparamdescr cnfparamdesc
+ 	{ "environment", eCmdHdlrArray, 0 },
+ 	{ "processinternalmessages", eCmdHdlrBinary, 0 },
+ 	{ "umask", eCmdHdlrFileCreateMode, 0 },
+-	{ "security.abortonidresolutionfail", eCmdHdlrBinary, 0 },
+ 	{ "internal.developeronly.options", eCmdHdlrInt, 0 },
+ 	{ "internalmsg.ratelimit.interval", eCmdHdlrPositiveInt, 0 },
+ 	{ "internalmsg.ratelimit.burst", eCmdHdlrPositiveInt, 0 },
+@@ -1443,8 +1442,6 @@ glblDoneLoadCnf(void)
+ 			glblInputTimeoutShutdown = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "privdrop.group.keepsupplemental")) {
+ 			loadConf->globals.gidDropPrivKeepSupplemental = (int) cnfparamvals[i].val.d.n;
+-		} else if(!strcmp(paramblk.descr[i].name, "security.abortonidresolutionfail")) {
+-			loadConf->globals.abortOnIDResolutionFail = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "net.acladdhostnameonfail")) {
+ 			*(net.pACLAddHostnameOnFail) = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "net.aclresolvehostname")) {
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2021-08-04 07:19:13.103104854 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.c	2021-08-04 07:19:44.635357684 +0200
+@@ -156,7 +156,6 @@ static void cnfSetDefaults(rsconf_t *pTh
+ 	pThis->globals.maxErrMsgToStderr = -1;
+ 	pThis->globals.umask = -1;
+ 	pThis->globals.gidDropPrivKeepSupplemental = 0;
+-	pThis->globals.abortOnIDResolutionFail = 1;
+ 	pThis->templates.root = NULL;
+ 	pThis->templates.last = NULL;
+ 	pThis->templates.lastStatic = NULL;
+diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
+--- rsyslog-8.2102.0/runtime/rsconf.h.orig	2021-08-04 07:20:15.848607958 +0200
+++ rsyslog-8.2102.0/runtime/rsconf.h	2021-08-04 07:20:42.782823920 +0200
+@@ -73,7 +73,6 @@ struct globals_s {
+ 	int uidDropPriv;	/* user-id to which priveleges should be dropped to */
+ 	int gidDropPriv;	/* group-id to which priveleges should be dropped to */
+ 	int gidDropPrivKeepSupplemental; /* keep supplemental groups when dropping? */
+-	int abortOnIDResolutionFail;
+ 	int umask;		/* umask to use */
+ 	uchar *pszConfDAGFile;	/* name of config DAG file, non-NULL means generate one */
+ 
--- a/SOURCES/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch
@ -0,0 +1,26 @@
+diff -up rsyslog-8.2102.0/runtime/ratelimit.c.orig rsyslog-8.2102.0/runtime/ratelimit.c
+--- rsyslog-8.2102.0/runtime/ratelimit.c.orig	2021-07-27 10:37:50.972903104 +0200
+++ rsyslog-8.2102.0/runtime/ratelimit.c	2021-07-27 10:38:26.141002988 +0200
+@@ -235,7 +235,6 @@ ratelimitMsg(ratelimit_t *__restrict__ c
+ {
+ 	DEFiRet;
+ 	rsRetVal localRet;
+-	int severity = 0;
+ 
+ 	*ppRepMsg = NULL;
+ 
+@@ -246,13 +245,12 @@ ratelimitMsg(ratelimit_t *__restrict__ c
+ 				DBGPRINTF("Message discarded, parsing error %d\n", localRet);
+ 				ABORT_FINALIZE(RS_RET_DISCARDMSG);
+ 			}
+-			severity = pMsg->iSeverity;
+ 		}
+ 	}
+ 
+ 	/* Only the messages having severity level at or below the
+ 	 * treshold (the value is >=) are subject to ratelimiting. */
+-	if(ratelimit->interval && (severity >= ratelimit->severity)) {
+	if(ratelimit->interval && (pMsg->iSeverity >= ratelimit->severity)) {
+ 		char namebuf[512]; /* 256 for FGDN adn 256 for APPNAME should be enough */
+ 		snprintf(namebuf, sizeof namebuf, "%s:%s", getHOSTNAME(pMsg),
+ 			getAPPNAME(pMsg, 0));
--- a/SOURCES/rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch
@ -0,0 +1,354 @@
+diff -up rsyslog-8.2102.0/runtime/nsd_ossl.c.orig rsyslog-8.2102.0/runtime/nsd_ossl.c
+--- rsyslog-8.2102.0/runtime/nsd_ossl.c.orig	2022-04-15 13:42:05.320615894 +0200
+++ rsyslog-8.2102.0/runtime/nsd_ossl.c	2022-04-15 14:33:43.472482696 +0200
+@@ -609,10 +609,10 @@ finalize_it:
+ }
+ 
+ static rsRetVal
+-osslInitSession(nsd_ossl_t *pThis) /* , nsd_ossl_t *pServer) */
+osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pServer) */
+ {
+ 	DEFiRet;
+-	BIO *client;
+	BIO *conn;
+ 	char pristringBuf[4096];
+ 	nsd_ptcp_t *pPtcp = (nsd_ptcp_t*) pThis->pTcp;
+ 
+@@ -633,10 +633,8 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
+ 		if (pThis->DrvrVerifyDepth != 0) {
+ 			SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
+ 		}
+-	}
+-
+-	if (bAnonInit == 1) { /* no mutex needed, read-only after init */
+-		/* Allow ANON Ciphers */
+	} else 	if (bAnonInit == 1 && pThis->gnutlsPriorityString == NULL) {
+		/* Allow ANON Ciphers only in ANON Mode and if no custom priority string is defined */
+ 		#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 		 /* NOTE: do never use: +eNULL, it DISABLES encryption! */
+ 		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
+@@ -653,21 +651,28 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
+ 		}
+ 	}
+ 
+-	/* Create BIO from ptcp socket! */
+-	client = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+-	dbgprintf("osslInitSession: Init client BIO[%p] done\n", (void *)client);
+ 
+-	/* Set debug Callback for client BIO as well! */
+-	BIO_set_callback(client, BIO_debug_callback);
+	/* Create BIO from ptcp socket! */
+	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+	dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn);
+ 
+-/* TODO: still needed? Set to NON blocking ! */
+-BIO_set_nbio( client, 1 );
+	/* Set debug Callback for conn BIO as well! */
+	BIO_set_callback(conn, BIO_debug_callback);
+ 
+-	SSL_set_bio(pThis->ssl, client, client);
+-	SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
+	/* TODO: still needed? Set to NON blocking ! */
+	BIO_set_nbio( conn, 1 );
+	SSL_set_bio(pThis->ssl, conn, conn);
+ 
+	if (osslType == osslServer) {
+		/* Server Socket */
+		SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
+		pThis->sslState = osslServer; /*set Server state */
+	} else {
+		/* Client Socket */
+		SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
+		pThis->sslState = osslClient; /*set Client state */
+	}
+ 	pThis->bHaveSess = 1;
+-	pThis->sslState = osslServer; /*set Server state */
+ 
+ 	/* we are done */
+ 	FINALIZE;
+@@ -1136,8 +1141,8 @@ SetAuthMode(nsd_t *const pNsd, uchar *co
+ 		ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
+ 	}
+ 
+-		/* Init Anon OpenSSL stuff */
+-		CHKiRet(osslAnonInit());
+	/* Init Anon OpenSSL stuff */
+	CHKiRet(osslAnonInit());
+ 
+ 	dbgprintf("SetAuthMode: Set Mode %s/%d\n", mode, pThis->authMode);
+ 
+@@ -1394,8 +1399,9 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
+ 
+ 	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ 	if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
+-		LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
+-		"No shared curve between syslog client and server.");
+		// This is not a failure
+		LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
+		"Information, no shared curve between syslog client and server");
+ 	}
+ 	#endif
+ 	sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
+@@ -1518,7 +1524,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
+ 	pNew->permitExpiredCerts = pThis->permitExpiredCerts;
+ 	pNew->pPermPeers = pThis->pPermPeers;
+ 	pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
+-	CHKiRet(osslInitSession(pNew));
+	CHKiRet(osslInitSession(pNew, osslServer));
+ 
+ 	/* Store nsd_ossl_t* reference in SSL obj */
+ 	SSL_set_ex_data(pNew->ssl, 0, pThis);
+@@ -1729,9 +1735,6 @@ Connect(nsd_t *pNsd, int family, uchar *
+ 	DEFiRet;
+ 	DBGPRINTF("openssl: entering Connect family=%d, device=%s\n", family, device);
+ 	nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
+-	nsd_ptcp_t* pPtcp = (nsd_ptcp_t*) pThis->pTcp;
+-	BIO *conn;
+-	char pristringBuf[4096];
+ 
+ 	ISOBJ_TYPE_assert(pThis, nsd_ossl);
+ 	assert(port != NULL);
+@@ -1745,61 +1748,13 @@ Connect(nsd_t *pNsd, int family, uchar *
+ 		FINALIZE;
+ 	}
+ 
+-	/* Create BIO from ptcp socket! */
+-	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+-	dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
+-
+ 	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
+ 		"TLS Connection initiated with remote syslog server.");
+ 	/*if we reach this point we are in tls mode */
+ 	DBGPRINTF("Connect: TLS Mode\n");
+-	if(!(pThis->ssl = SSL_new(ctx))) {
+-		pThis->ssl = NULL;
+-		osslLastSSLErrorMsg(0, pThis->ssl, LOG_ERR, "Connect");
+-		ABORT_FINALIZE(RS_RET_NO_ERRCODE);
+-	}
+ 
+-	// Set SSL_MODE_AUTO_RETRY to SSL obj
+-	SSL_set_mode(pThis->ssl, SSL_MODE_AUTO_RETRY);
+-
+-	if (pThis->authMode != OSSL_AUTH_CERTANON) {
+-		dbgprintf("Connect: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
+-			pThis->authMode, pThis->DrvrVerifyDepth);
+-		/* Enable certificate valid checking */
+-		SSL_set_verify(pThis->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
+-		if (pThis->DrvrVerifyDepth != 0) {
+-			SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
+-		}
+-	}
+-
+-	if (bAnonInit == 1) { /* no mutex needed, read-only after init */
+-		/* Allow ANON Ciphers */
+-		#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+-		 /* NOTE: do never use: +eNULL, it DISABLES encryption! */
+-		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
+-			sizeof(pristringBuf));
+-		#else
+-		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
+-			sizeof(pristringBuf));
+-		#endif
+-
+-		dbgprintf("Connect: setting anon ciphers: %s\n", pristringBuf);
+-		if ( SSL_set_cipher_list(pThis->ssl, pristringBuf) == 0 ){
+-			dbgprintf("Connect: Error setting ciphers '%s'\n", pristringBuf);
+-			ABORT_FINALIZE(RS_RET_SYS_ERR);
+-		}
+-	}
+-
+-	/* Set debug Callback for client BIO as well! */
+-	BIO_set_callback(conn, BIO_debug_callback);
+-
+-/* TODO: still needed? Set to NON blocking ! */
+-BIO_set_nbio( conn, 1 );
+-
+-	SSL_set_bio(pThis->ssl, conn, conn);
+-	SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
+-	pThis->sslState = osslClient; /*set Client state */
+-	pThis->bHaveSess = 1;
+	/* Do SSL Session init */
+	CHKiRet(osslInitSession(pThis, osslClient));
+ 
+ 	/* Store nsd_ossl_t* reference in SSL obj */
+ 	SSL_set_ex_data(pThis->ssl, 0, pThis);
+@@ -1828,90 +1783,106 @@ SetGnutlsPriorityString(nsd_t *const pNs
+ 	nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
+ 	ISOBJ_TYPE_assert(pThis, nsd_ossl);
+ 
+-	pThis->gnutlsPriorityString = gnutlsPriorityString;
+	dbgprintf("gnutlsPriorityString: set to '%s'\n",
+		(gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"));
+ 
+ 	/* Skip function if function is NULL gnutlsPriorityString */
+-	if (gnutlsPriorityString == NULL) {
+-		RETiRet;
+-	} else {
+-		dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
+ #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
+-		char *pCurrentPos;
+-		char *pNextPos;
+-		char *pszCmd;
+-		char *pszValue;
+-		int iConfErr;
+-
+-		/* Set working pointer */
+-		pCurrentPos = (char*) pThis->gnutlsPriorityString;
+-		if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
+-			// Create CTX Config Helper
+-			SSL_CONF_CTX *cctx;
+-			cctx = SSL_CONF_CTX_new();
+-			if (pThis->sslState == osslServer) {
+-				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
+-			} else {
+-				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
+-			}
+-			SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
+-			SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
+-			SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+-
+-			do
+-			{
+-				pNextPos = index(pCurrentPos, '=');
+-				if (pNextPos != NULL) {
+-					while (	*pCurrentPos != '\0' &&
+-						(*pCurrentPos == ' ' || *pCurrentPos == '\t') )
+-						pCurrentPos++;
+-					pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
+-					pCurrentPos = pNextPos+1;
+-					pNextPos = index(pCurrentPos, '\n');
+-					pszValue = (pNextPos == NULL ?
+-							strdup(pCurrentPos) :
+-							strndup(pCurrentPos, pNextPos - pCurrentPos));
+-					pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
+-
+-					/* Add SSL Conf Command */
+-					iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
+-					if (iConfErr > 0) {
+-						dbgprintf("gnutlsPriorityString: Successfully added Command "
+-							"'%s':'%s'\n",
+-							pszCmd, pszValue);
+-					}
+-					else {
+-						LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
+-							"in gnutlsPriorityString with error '%d'",
+-							pszCmd, pszValue, iConfErr);
+-					}
+	sbool ApplySettings = 0;
+	if ((gnutlsPriorityString != NULL && pThis->gnutlsPriorityString == NULL) ||
+		(gnutlsPriorityString != NULL &&
+		strcmp( (const char*)pThis->gnutlsPriorityString, (const char*)gnutlsPriorityString) != 0)
+		) {
+		ApplySettings = 1;
+	}
+
+	pThis->gnutlsPriorityString = gnutlsPriorityString;
+	dbgprintf("gnutlsPriorityString: set to '%s' Apply %s\n",
+		(gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"),
+		(ApplySettings == 1? "TRUE" : "FALSE"));
+ 
+-					free(pszCmd);
+-					free(pszValue);
+	if (ApplySettings) {
+
+		if (gnutlsPriorityString == NULL || ctx == NULL) {
+			RETiRet;
+		} else {
+			dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
+			char *pCurrentPos;
+			char *pNextPos;
+			char *pszCmd;
+			char *pszValue;
+			int iConfErr;
+
+			/* Set working pointer */
+			pCurrentPos = (char*) pThis->gnutlsPriorityString;
+			if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
+				// Create CTX Config Helper
+				SSL_CONF_CTX *cctx;
+				cctx = SSL_CONF_CTX_new();
+				if (pThis->sslState == osslServer) {
+					SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
+ 				} else {
+-					/* Abort further parsing */
+-					pCurrentPos = NULL;
+					SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
+ 				}
+-			}
+-			while (pCurrentPos != NULL);
+				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
+				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
+				SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+
+				do
+				{
+					pNextPos = index(pCurrentPos, '=');
+					if (pNextPos != NULL) {
+						while (	*pCurrentPos != '\0' &&
+							(*pCurrentPos == ' ' || *pCurrentPos == '\t') )
+							pCurrentPos++;
+						pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
+						pCurrentPos = pNextPos+1;
+						pNextPos = index(pCurrentPos, '\n');
+						pszValue = (pNextPos == NULL ?
+								strdup(pCurrentPos) :
+								strndup(pCurrentPos, pNextPos - pCurrentPos));
+						pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
+
+						/* Add SSL Conf Command */
+						iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
+						if (iConfErr > 0) {
+							dbgprintf("gnutlsPriorityString: Successfully added Command "
+								"'%s':'%s'\n",
+								pszCmd, pszValue);
+						}
+						else {
+							LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
+								"in gnutlsPriorityString with error '%d'",
+								pszCmd, pszValue, iConfErr);
+						}
+
+						free(pszCmd);
+						free(pszValue);
+					} else {
+						/* Abort further parsing */
+						pCurrentPos = NULL;
+					}
+				}
+				while (pCurrentPos != NULL);
+ 
+-			/* Finalize SSL Conf */
+-			iConfErr = SSL_CONF_CTX_finish(cctx);
+-			if (!iConfErr) {
+-				LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
+-						"Open ssl error info may follow in next messages",
+-						pThis->gnutlsPriorityString);
+-				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+				/* Finalize SSL Conf */
+				iConfErr = SSL_CONF_CTX_finish(cctx);
+				if (!iConfErr) {
+					LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
+							"Open ssl error info may follow in next messages",
+							pThis->gnutlsPriorityString);
+					osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+				}
+				SSL_CONF_CTX_free(cctx);
+ 			}
+-			SSL_CONF_CTX_free(cctx);
+ 		}
+	}
+ #else
+-		dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
+-		LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
+-			"(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
+-			"https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
+-			gnutlsPriorityString);
+	LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
+		"(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
+		"https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
+		gnutlsPriorityString);
+ #endif
+-	}
+ 
+ 	RETiRet;
+ }
--- a/SOURCES/rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch
@ -0,0 +1,215 @@
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.orig rsyslog-8.2102.0/runtime/nsd_gtls.c
+--- rsyslog-8.2102.0/runtime/nsd_gtls.c.orig	2022-04-11 09:26:17.826271989 +0200
+++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2022-04-11 09:33:28.702012052 +0200
+@@ -556,7 +556,9 @@ gtlsRecordRecv(nsd_gtls_t *pThis)
+ 	DEFiRet;
+ 
+ 	ISOBJ_TYPE_assert(pThis, nsd_gtls);
+-	DBGPRINTF("gtlsRecordRecv: start\n");
+	DBGPRINTF("gtlsRecordRecv: start (Pending Data: %zd | Wanted Direction: %s)\n",
+		gnutls_record_check_pending(pThis->sess),
+		(gnutls_record_get_direction(pThis->sess) == gtlsDir_READ ? "READ" : "WRITE") );
+ 
+ 	lenRcvd = gnutls_record_recv(pThis->sess, pThis->pszRcvBuf, NSD_GTLS_MAX_RCVBUF);
+ 	if(lenRcvd >= 0) {
+@@ -581,14 +583,30 @@ gtlsRecordRecv(nsd_gtls_t *pThis)
+ 					(NSD_GTLS_MAX_RCVBUF+lenRcvd));
+ 				pThis->lenRcvBuf = NSD_GTLS_MAX_RCVBUF+lenRcvd;
+ 			} else {
+-				goto sslerr;
+				if (lenRcvd == GNUTLS_E_AGAIN || lenRcvd == GNUTLS_E_INTERRUPTED) {
+					goto sslerragain;	/* Go to ERR AGAIN handling */
+				} else {
+					/* Do all other error handling */
+					int gnuRet = lenRcvd;
+					ABORTgnutls;
+				}
+ 			}
+ 		}
+ 	} else if(lenRcvd == GNUTLS_E_AGAIN || lenRcvd == GNUTLS_E_INTERRUPTED) {
+-sslerr:
+-		pThis->rtryCall = gtlsRtry_recv;
+-		dbgprintf("GnuTLS receive requires a retry (this most probably is OK and no error condition)\n");
+-		ABORT_FINALIZE(RS_RET_RETRY);
+sslerragain:
+		/* Check if the underlaying file descriptor needs to read or write data!*/
+		if (gnutls_record_get_direction(pThis->sess) == gtlsDir_READ) {
+			pThis->rtryCall = gtlsRtry_recv;
+			dbgprintf("GnuTLS receive requires a retry, this most probably is OK and no error condition\n");
+			ABORT_FINALIZE(RS_RET_RETRY);
+		} else {
+			uchar *pErr = gtlsStrerror(lenRcvd);
+			LogError(0, RS_RET_GNUTLS_ERR, "GnuTLS receive error %zd has wrong read direction(wants write) "
+				"- this could be caused by a broken connection. GnuTLS reports: %s\n",
+				lenRcvd, pErr);
+			free(pErr);
+			ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
+		}
+ 	} else {
+ 		int gnuRet = lenRcvd;
+ 		ABORTgnutls;
+@@ -1978,6 +1996,7 @@ static rsRetVal
+ Send(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf)
+ {
+ 	int iSent;
+	int wantsWriteData = 0;
+ 	nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
+ 	DEFiRet;
+ 	ISOBJ_TYPE_assert(pThis, nsd_gtls);
+@@ -1998,10 +2017,12 @@ Send(nsd_t *pNsd, uchar *pBuf, ssize_t *
+ 			break;
+ 		}
+ 		if(iSent != GNUTLS_E_INTERRUPTED && iSent != GNUTLS_E_AGAIN) {
+			/* Check if the underlaying file descriptor needs to read or write data!*/
+			wantsWriteData = gnutls_record_get_direction(pThis->sess);
+ 			uchar *pErr = gtlsStrerror(iSent);
+-			LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d - this "
+-				"could be caused by a broken connection. GnuTLS reports: %s \n",
+-				iSent, pErr);
+			LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d, wantsWriteData=%d - this "
+				"could be caused by a broken connection. GnuTLS reports: %s\n",
+				iSent, wantsWriteData, pErr);
+ 			free(pErr);
+ 			gnutls_perror(iSent);
+ 			ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.h.orig rsyslog-8.2102.0/runtime/nsd_gtls.h
+--- rsyslog-8.2102.0/runtime/nsd_gtls.h.orig	2022-04-11 09:26:32.744262781 +0200
+++ rsyslog-8.2102.0/runtime/nsd_gtls.h	2022-04-11 09:34:29.909982895 +0200
+@@ -33,6 +33,11 @@ typedef enum {
+ 	gtlsRtry_recv = 2
+ } gtlsRtryCall_t;		/**< IDs of calls that needs to be retried */
+ 
+typedef enum {
+	gtlsDir_READ = 0,	/**< GNUTLS wants READ */
+	gtlsDir_WRITE = 1	/**< GNUTLS wants WRITE */
+} gtlsDirection_t;
+
+ typedef nsd_if_t nsd_gtls_if_t; /* we just *implement* this interface */
+ 
+ /* the nsd_gtls object */
+diff -up rsyslog-8.2102.0/runtime/nsdsel_gtls.c.orig rsyslog-8.2102.0/runtime/nsdsel_gtls.c
+--- rsyslog-8.2102.0/runtime/nsdsel_gtls.c.orig	2022-04-11 09:26:42.529256742 +0200
+++ rsyslog-8.2102.0/runtime/nsdsel_gtls.c	2022-04-11 09:38:27.425869737 +0200
+@@ -81,6 +81,7 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsds
+ 
+ 	ISOBJ_TYPE_assert(pThis, nsdsel_gtls);
+ 	ISOBJ_TYPE_assert(pNsdGTLS, nsd_gtls);
+	DBGPRINTF("Add on nsd %p:\n", pNsdGTLS);
+ 	if(pNsdGTLS->iMode == 1) {
+ 		if(waitOp == NSDSEL_RD && gtlsHasRcvInBuffer(pNsdGTLS)) {
+ 			++pThis->iBufferRcvReady;
+@@ -99,6 +100,8 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsds
+ 		}
+ 	}
+ 
+	dbgprintf("nsdsel_gtls: reached end on nsd %p, calling nsdsel_ptcp.Add with waitOp %d... \n", pNsdGTLS, waitOp);
+
+ 	/* if we reach this point, we need no special handling */
+ 	CHKiRet(nsdsel_ptcp.Add(pThis->pTcp, pNsdGTLS->pTcp, waitOp));
+ 
+@@ -120,7 +123,8 @@ Select(nsdsel_t *pNsdsel, int *piNumRead
+ 	if(pThis->iBufferRcvReady > 0) {
+ 		/* we still have data ready! */
+ 		*piNumReady = pThis->iBufferRcvReady;
+-		dbgprintf("nsdsel_gtls: doing dummy select, data present\n");
+		dbgprintf("nsdsel_gtls: doing dummy select for %p->iBufferRcvReady=%d, data present\n",
+			pThis, pThis->iBufferRcvReady);
+ 	} else {
+ 		iRet = nsdsel_ptcp.Select(pThis->pTcp, piNumReady);
+ 	}
+@@ -138,7 +142,7 @@ doRetry(nsd_gtls_t *pNsd)
+ 	DEFiRet;
+ 	int gnuRet;
+ 
+-	dbgprintf("GnuTLS requested retry of %d operation - executing\n", pNsd->rtryCall);
+	dbgprintf("doRetry: GnuTLS requested retry of %d operation - executing\n", pNsd->rtryCall);
+ 
+ 	/* We follow a common scheme here: first, we do the systen call and
+ 	 * then we check the result. So far, the result is checked after the
+@@ -151,7 +155,7 @@ doRetry(nsd_gtls_t *pNsd)
+ 		case gtlsRtry_handshake:
+ 			gnuRet = gnutls_handshake(pNsd->sess);
+ 			if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) {
+-				dbgprintf("GnuTLS handshake retry did not finish - "
+				dbgprintf("doRetry: GnuTLS handshake retry did not finish - "
+ 					"setting to retry (this is OK and can happen)\n");
+ 				FINALIZE;
+ 			} else if(gnuRet == 0) {
+@@ -167,9 +171,20 @@ doRetry(nsd_gtls_t *pNsd)
+ 			}
+ 			break;
+ 		case gtlsRtry_recv:
+-			dbgprintf("retrying gtls recv, nsd: %p\n", pNsd);
+-			CHKiRet(gtlsRecordRecv(pNsd));
+-			pNsd->rtryCall = gtlsRtry_None; /* we are done */
+			dbgprintf("doRetry: retrying gtls recv, nsd: %p\n", pNsd);
+			iRet = gtlsRecordRecv(pNsd);
+			if (iRet == RS_RET_RETRY) {
+				// Check if there is pending data
+				size_t stBytesLeft = gnutls_record_check_pending(pNsd->sess);
+				if (stBytesLeft > 0) {
+					// We are in retry and more data waiting, finalize it
+					goto finalize_it;
+				} else {
+					dbgprintf("doRetry: gtlsRecordRecv returned RETRY, but there is no pending"
+						"data on nsd: %p\n", pNsd);
+				}
+			}
+			pNsd->rtryCall = gtlsRtry_None; /* no more data, we are done */
+ 			gnuRet = 0;
+ 			break;
+ 		case gtlsRtry_None:
+@@ -241,7 +256,7 @@ IsReady(nsdsel_t *pNsdsel, nsd_t *pNsd,
+ 		 * socket. -- rgerhards, 2010-11-20
+ 		 */
+ 		if(pThis->iBufferRcvReady) {
+-			dbgprintf("nsd_gtls: dummy read, buffer not available for this FD\n");
+			dbgprintf("nsd_gtls: dummy read, %p->buffer not available for this FD\n", pThis);
+ 			*pbIsReady = 0;
+ 			FINALIZE;
+ 		}
+diff -up rsyslog-8.2102.0/runtime/tcpsrv.c.orig rsyslog-8.2102.0/runtime/tcpsrv.c
+--- rsyslog-8.2102.0/runtime/tcpsrv.c.orig	2022-04-11 09:27:00.376245726 +0200
+++ rsyslog-8.2102.0/runtime/tcpsrv.c	2022-04-11 09:41:57.885777708 +0200
+@@ -609,14 +609,15 @@ doReceive(tcpsrv_t *pThis, tcps_sess_t *
+ 	int oserr = 0;
+ 
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+-	DBGPRINTF("netstream %p with new data\n", (*ppSess)->pStrm);
+	prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+	DBGPRINTF("netstream %p with new data from remote peer %s\n", (*ppSess)->pStrm, pszPeer);
+ 	/* Receive message */
+ 	iRet = pThis->pRcvData(*ppSess, buf, sizeof(buf), &iRcvd, &oserr);
+ 	switch(iRet) {
+ 	case RS_RET_CLOSED:
+ 		if(pThis->bEmitMsgOnClose) {
+ 			errno = 0;
+-			prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+			// prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+ 			LogError(0, RS_RET_PEER_CLOSED_CONN, "Netstream session %p closed by remote "
+ 				"peer %s.\n", (*ppSess)->pStrm, pszPeer);
+ 		}
+@@ -632,13 +633,13 @@ doReceive(tcpsrv_t *pThis, tcps_sess_t *
+ 			/* in this case, something went awfully wrong.
+ 			 * We are instructed to terminate the session.
+ 			 */
+-			prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+			// prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+ 			LogError(oserr, localRet, "Tearing down TCP Session from %s", pszPeer);
+ 			CHKiRet(closeSess(pThis, ppSess, pPoll));
+ 		}
+ 		break;
+ 	default:
+-		prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+		// prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+ 		LogError(oserr, iRet, "netstream session %p from %s will be closed due to error",
+ 				(*ppSess)->pStrm, pszPeer);
+ 		CHKiRet(closeSess(pThis, ppSess, pPoll));
+@@ -838,6 +839,7 @@ RunSelect(tcpsrv_t *pThis, nsd_epworkset
+ 		while(iTCPSess != -1) {
+ 			/* TODO: access to pNsd is NOT really CLEAN, use method... */
+ 			CHKiRet(nssel.Add(pSel, pThis->pSessions[iTCPSess]->pStrm, NSDSEL_RD));
+			DBGPRINTF("tcpsrv process session %d:\n", iTCPSess);
+ 			/* now get next... */
+ 			iTCPSess = TCPSessGetNxtSess(pThis, iTCPSess);
+ 		}
--- a/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch
@ -0,0 +1,23 @@
+--- rsyslog-8.2102.0.ori/doc/configuration/global/index.html	2021-02-15 12:53:30.000000000 +0100
+++ rsyslog-8.2102.0/doc/configuration/global/index.html	2022-09-07 13:32:10.426621438 +0200
+@@ -119,6 +119,13 @@
+ <a class="reference internal" href="../../concepts/netstrm_drvr.html"><span class="doc">network stream driver</span></a> to use.
+ Defaults to ptcp.</p>
+ </li>
+<li><p class="first"><strong>$NetstreamDriverCAExtraFiles</strong> &lt;/path/to/extracafile.pem&gt; -
+This directive allows to configure multiple additional extra CA files.
+This is intended for SSL certificate chains to work appropriately,
+as the different CA files in the chain need to be specified.
+It must be remarked that this directive only works with the OpenSSL driver.
+</p>
+</li>
+ <li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>
+ </li>
+ <li><p class="first"><strong>$DefaultNetstreamDriverCertFile</strong> &lt;/path/to/certfile.pem&gt;</p>
+@@ -311,4 +318,4 @@
+     <div class="footer" role="contentinfo">
+     </div>
+   </body>
+-</html>
+\ No newline at end of file
+</html>
--- a/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch
@ -0,0 +1,134 @@
+--- rsyslog-8.2102.0.ori/runtime/glbl.h	2020-10-03 19:06:47.000000000 +0200
+++ rsyslog-8.2102.0/runtime/glbl.h	2022-09-07 13:32:51.623799582 +0200
+@@ -72,6 +72,7 @@
+ 	SIMP_PROP(DfltNetstrmDrvrCAF, uchar*)
+ 	SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*)
+ 	SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*)
+	SIMP_PROP(NetstrmDrvrCAExtraFiles, uchar*)
+ 	SIMP_PROP(ParserControlCharacterEscapePrefix, uchar)
+ 	SIMP_PROP(ParserDropTrailingLFOnReception, int)
+ 	SIMP_PROP(ParserEscapeControlCharactersOnReceive, int)
+--- rsyslog-8.2102.0.ori/runtime/glbl.c	2022-09-07 13:17:02.669696053 +0200
+++ rsyslog-8.2102.0/runtime/glbl.c	2022-09-07 13:56:37.678966129 +0200
+@@ -122,6 +122,7 @@
+ static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */
+ static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */
+ static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */
+static uchar *pszNetstrmDrvrCAExtraFiles = NULL; /* list of additional CAExtraFiles */
+ int bTerminateInputs = 0;		/* global switch that inputs shall terminate ASAP (1=> terminate) */
+ static uchar cCCEscapeChar = '#'; /* character to be used to start an escape sequence for control chars */
+ static int bDropTrailingLF = 1; /* drop trailing LF's on reception? */
+@@ -176,6 +177,7 @@
+ 	{ "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdriver", eCmdHdlrString, 0 },
+	{ "netstreamdrivercaextrafiles", eCmdHdlrString, 0 },
+ 	{ "maxmessagesize", eCmdHdlrSize, 0 },
+ 	{ "oversizemsg.errorfile", eCmdHdlrGetWord, 0 },
+ 	{ "oversizemsg.report", eCmdHdlrBinary, 0 },
+@@ -307,6 +309,8 @@
+ /* TODO: use custom function which frees existing value */
+ SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*)
+ /* TODO: use custom function which frees existing value */
+SIMP_PROP_SET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*)
+/* TODO: use custom function which frees existing value */
+ 
+ #undef SIMP_PROP
+ #undef SIMP_PROP_SET
+@@ -838,6 +842,12 @@
+ 	return(pszDfltNetstrmDrvrCAF);
+ }
+ 
+/* return the extra CA Files, if needed */
+static uchar*
+GetNetstrmDrvrCAExtraFiles(void)
+{
+      return(pszNetstrmDrvrCAExtraFiles);
+}
+ 
+ /* return the current default netstream driver key File */
+ static uchar*
+@@ -925,6 +935,7 @@
+ 	SIMP_PROP(DfltNetstrmDrvrCAF)
+ 	SIMP_PROP(DfltNetstrmDrvrKeyFile)
+ 	SIMP_PROP(DfltNetstrmDrvrCertFile)
+	SIMP_PROP(NetstrmDrvrCAExtraFiles)
+ #ifdef USE_UNLIMITED_SELECT
+ 	SIMP_PROP(FdSetSize)
+ #endif
+@@ -941,6 +952,8 @@
+ 	pszDfltNetstrmDrvr = NULL;
+ 	free(pszDfltNetstrmDrvrCAF);
+ 	pszDfltNetstrmDrvrCAF = NULL;
+	free(pszNetstrmDrvrCAExtraFiles);
+	pszNetstrmDrvrCAExtraFiles = NULL;	
+ 	free(pszDfltNetstrmDrvrKeyFile);
+ 	pszDfltNetstrmDrvrKeyFile = NULL;
+ 	free(pszDfltNetstrmDrvrCertFile);
+@@ -1350,6 +1363,9 @@
+ 			free(pszDfltNetstrmDrvr);
+ 			pszDfltNetstrmDrvr = (uchar*)
+ 				es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+		} else if(!strcmp(paramblk.descr[i].name, "netstreamdrivercaextrafiles")) {
+			free(pszNetstrmDrvrCAExtraFiles);
+			pszNetstrmDrvrCAExtraFiles = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(paramblk.descr[i].name, "preservefqdn")) {
+ 			bPreserveFQDN = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name,
+@@ -1546,6 +1562,8 @@
+ 	&pszDfltNetstrmDrvrKeyFile, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL,
+ 	&pszDfltNetstrmDrvrCertFile, NULL));
+	CHKiRet(regCfSysLineHdlr((uchar *)"netstreamdrivercaextrafiles", 0, eCmdHdlrGetWord, NULL,
+	&pszNetstrmDrvrCAExtraFiles, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostname", 0, eCmdHdlrGetWord, NULL, &LocalHostNameOverride, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostipif", 0, eCmdHdlrGetWord, setLocalHostIPIF, NULL, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"optimizeforuniprocessor", 0, eCmdHdlrGoneAway, NULL, NULL, NULL));
+--- rsyslog-8.2102.0.ori/runtime/nsd_ossl.c	2022-09-07 13:17:02.705696208 +0200
+++ rsyslog-8.2102.0/runtime/nsd_ossl.c	2022-09-07 14:09:18.697256943 +0200
+@@ -88,6 +88,7 @@
+ static short bHaveCA;
+ static short bHaveCert;
+ static short bHaveKey;
+static short bHaveExtraCAFiles;
+ static int bAnonInit;
+ static MUTEX_TYPE anonInit_mut = PTHREAD_MUTEX_INITIALIZER;
+ 
+@@ -414,7 +415,8 @@
+ {
+ 	DEFiRet;
+ 	DBGPRINTF("openssl: entering osslGlblInit\n");
+-	const char *caFile, *certFile, *keyFile;
+	const char *caFile, *certFile, *keyFile, *extraCaFile;
+	char *extraCaFiles;
+ 
+ 	/* Setup OpenSSL library */
+ 	if((opensslh_THREAD_setup() == 0) || !SSL_library_init()) {
+@@ -451,9 +453,27 @@
+ 	} else {
+ 		bHaveKey = 1;
+ 	}
+	extraCaFiles = (char*) glbl.GetNetstrmDrvrCAExtraFiles();
+	if(extraCaFiles == NULL) {
+		bHaveExtraCAFiles = 0;
+	} else {
+		bHaveExtraCAFiles = 1;
+	}
+ 
+ 	/* Create main CTX Object */
+ 	ctx = SSL_CTX_new(SSLv23_method());
+	if(bHaveExtraCAFiles == 1) {
+		while((extraCaFile = strsep(&extraCaFiles, ","))) {
+			if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) {
+				LogError(0, RS_RET_TLS_CERT_ERR, "Error: Extra Certificate file could not be accessed. "
+					"Check at least: 1) file path is correct, 2) file exist, "
+					"3) permissions are correct, 4) file content is correct. "
+					"Open ssl error info may follow in next messages");
+				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
+				ABORT_FINALIZE(RS_RET_TLS_CERT_ERR);
+			}
+		}
+	}
+ 	if(bHaveCA == 1 && SSL_CTX_load_verify_locations(ctx, caFile, NULL) != 1) {
+ 		LogError(0, RS_RET_TLS_CERT_ERR, "Error: CA certificate could not be accessed. "
+ 				"Check at least: 1) file path is correct, 2) file exist, "
--- a/SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch
@ -0,0 +1,20 @@
+diff --git a/plugins/imklog/imklog.c b/plugins/imklog/imklog.c
+index 6c24b5a2db..78cfc3bae2 100644
+--- a/plugins/imklog/imklog.c
+++ b/plugins/imklog/imklog.c
+@@ -453,6 +453,7 @@ ENDactivateCnf
+ 
+ BEGINfreeCnf
+ CODESTARTfreeCnf
+	free(pModConf->pszBindRuleset);
+ ENDfreeCnf
+ 
+ 
+@@ -475,7 +476,6 @@ CODESTARTmodExit
+ 	if(pInputName != NULL)
+ 		prop.Destruct(&pInputName);
+ 
+-	free(runModConf->pszBindRuleset);
+ 	/* release objects we used */
+ 	objRelease(glbl, CORE_COMPONENT);
+ 	objRelease(net, CORE_COMPONENT);
--- a/SOURCES/rsyslog-8.2102.0-rhbz2157804-cstrlen.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2157804-cstrlen.patch
@ -0,0 +1,72 @@
+diff -up rsyslog-8.2102.0/parse.h.orig rsyslog-8.2102.0/parse.h
+--- rsyslog-8.2102.0/parse.h.orig	2023-05-09 09:10:09.236597063 +0200
+++ rsyslog-8.2102.0/parse.h	2023-05-09 09:10:26.913608034 +0200
+@@ -56,7 +56,7 @@ struct rsParsObject
+ 	rsObjID OID;			/**< object ID */
+ #endif
+ 	cstr_t *pCStr;		/**< pointer to the string object we are parsing */
+-	int iCurrPos;			/**< current parsing position (char offset) */
+	size_t iCurrPos;			/**< current parsing position (char offset) */
+ };
+ typedef struct rsParsObject rsParsObj;
+ 
+diff -up rsyslog-8.2102.0/runtime/stream.c.orig rsyslog-8.2102.0/runtime/stream.c
+--- rsyslog-8.2102.0/runtime/stream.c.orig	2023-05-09 09:10:34.122612508 +0200
+++ rsyslog-8.2102.0/runtime/stream.c	2023-05-09 09:12:47.934640583 +0200
+@@ -1071,7 +1071,7 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 	cstr_t *thisLine = NULL;
+ 	rsRetVal readCharRet;
+ 	const time_t tCurr = pThis->readTimeout ? getTime(NULL) : 0;
+-	int maxMsgSize = glblGetMaxLine();
+	size_t maxMsgSize = glblGetMaxLine();
+ 	DEFiRet;
+ 
+ 	do {
+@@ -1132,9 +1132,9 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 					}
+ 
+ 
+-					int currLineLen = cstrLen(thisLine);
+					size_t currLineLen = cstrLen(thisLine);
+ 					if(currLineLen > 0) {
+-						int len;
+						size_t len;
+ 						if((len = cstrLen(pThis->prevMsgSegment) + currLineLen) <
+ 						maxMsgSize) {
+ 							CHKiRet(cstrAppendCStr(pThis->prevMsgSegment, thisLine));
+@@ -1144,7 +1144,7 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 								len = 0;
+ 							} else {
+ 								len = currLineLen-(len-maxMsgSize);
+-								for(int z=0; z<len; z++) {
+								for(size_t z=0; z<len; z++) {
+ 									cstrAppendChar(pThis->prevMsgSegment,
+ 										thisLine->pBuf[z]);
+ 								}
+diff -up rsyslog-8.2102.0/runtime/stringbuf.c.orig rsyslog-8.2102.0/runtime/stringbuf.c
+--- rsyslog-8.2102.0/runtime/stringbuf.c.orig	2023-05-09 09:09:37.627577446 +0200
+++ rsyslog-8.2102.0/runtime/stringbuf.c	2023-05-09 09:09:59.061590749 +0200
+@@ -474,7 +474,7 @@ finalize_it:
+  * This is due to performance reasons.
+  */
+ #ifndef NDEBUG
+-int cstrLen(cstr_t *pThis)
+size_t cstrLen(cstr_t *pThis)
+ {
+ 	rsCHECKVALIDOBJECT(pThis, OIDrsCStr);
+ 	return(pThis->iStrLen);
+diff -up rsyslog-8.2102.0/runtime/stringbuf.h.orig rsyslog-8.2102.0/runtime/stringbuf.h
+--- rsyslog-8.2102.0/runtime/stringbuf.h.orig	2023-05-09 09:08:05.199520082 +0200
+++ rsyslog-8.2102.0/runtime/stringbuf.h	2023-05-09 09:09:26.924570803 +0200
+@@ -144,9 +144,9 @@ rsRetVal cstrAppendCStr(cstr_t *pThis, c
+ 
+ /* now come inline-like functions */
+ #ifdef NDEBUG
+-#	define cstrLen(x) ((int)((x)->iStrLen))
+#	define cstrLen(x) ((size_t)((x)->iStrLen))
+ #else
+-	int cstrLen(cstr_t *pThis);
+	size_t cstrLen(cstr_t *pThis);
+ #endif
+ #define rsCStrLen(s) cstrLen((s))
+ 
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-0.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-0.patch
@ -0,0 +1,37 @@
+diff -up rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c.orig rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c
+--- rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c.orig	2023-05-11 14:14:39.778187570 +0200
+++ rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c	2023-05-11 14:15:36.254234445 +0200
+@@ -232,7 +232,11 @@ static rsRetVal curlSetup(wrkrInstanceDa
+ BEGINcreateInstance
+ CODESTARTcreateInstance
+ 	pData->fdErrFile = -1;
+-	pthread_mutex_init(&pData->mutErrFile, NULL);
+	if(pthread_mutex_init(&pData->mutErrFile, NULL) != 0) {
+		LogError(errno, RS_RET_ERR, "omelasticsearch: cannot create "
+			"error file mutex, failing this action");
+		ABORT_FINALIZE(RS_RET_ERR);
+	}
+ 	pData->caCertFile = NULL;
+ 	pData->myCertFile = NULL;
+ 	pData->myPrivKeyFile = NULL;
+@@ -240,6 +244,7 @@ CODESTARTcreateInstance
+ 	pData->retryRulesetName = NULL;
+ 	pData->retryRuleset = NULL;
+ 	pData->rebindInterval = DEFAULT_REBIND_INTERVAL;
+finalize_it:
+ ENDcreateInstance
+ 
+ BEGINcreateWrkrInstance
+@@ -2165,10 +2170,12 @@ ENDfreeCnf
+ 
+ BEGINdoHUP
+ CODESTARTdoHUP
+	pthread_mutex_lock(&pData->mutErrFile);
+ 	if(pData->fdErrFile != -1) {
+ 		close(pData->fdErrFile);
+ 		pData->fdErrFile = -1;
+ 	}
+	pthread_mutex_unlock(&pData->mutErrFile);
+ ENDdoHUP
+ 
+ 
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-1.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-1.patch
@ -0,0 +1,54 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 0808c6054e..d7d6c68e60 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -116,6 +116,7 @@ typedef struct instanceConf_s {
+ 	uchar **serverBaseUrls;
+ 	int numServers;
+ 	long healthCheckTimeout;
+	long indexTimeout;
+ 	uchar *uid;
+ 	uchar *pwd;
+ 	uchar *authBuf;
+@@ -187,6 +188,7 @@ static struct cnfparamdescr actpdescr[] = {
+ 	{ "server", eCmdHdlrArray, 0 },
+ 	{ "serverport", eCmdHdlrInt, 0 },
+ 	{ "healthchecktimeout", eCmdHdlrInt, 0 },
+	{ "indextimeout", eCmdHdlrInt, 0 },
+ 	{ "uid", eCmdHdlrGetWord, 0 },
+ 	{ "pwd", eCmdHdlrGetWord, 0 },
+ 	{ "searchindex", eCmdHdlrGetWord, 0 },
+@@ -355,6 +357,7 @@ CODESTARTdbgPrintInstInfo
+ 	dbgprintf("\ttemplate='%s'\n", pData->tplName);
+ 	dbgprintf("\tnumServers=%d\n", pData->numServers);
+ 	dbgprintf("\thealthCheckTimeout=%lu\n", pData->healthCheckTimeout);
+	dbgprintf("\tindexTimeout=%lu\n", pData->indexTimeout);
+ 	dbgprintf("\tserverBaseUrls=");
+ 	for(i = 0 ; i < pData->numServers ; ++i)
+ 		dbgprintf("%c'%s'", i == 0 ? '[' : ' ', pData->serverBaseUrls[i]);
+@@ -1768,6 +1771,8 @@ curlPostSetup(wrkrInstanceData_t *const pWrkrData)
+ 	PTR_ASSERT_SET_TYPE(pWrkrData, WRKR_DATA_TYPE_ES);
+ 	curlSetupCommon(pWrkrData, pWrkrData->curlPostHandle);
+ 	curl_easy_setopt(pWrkrData->curlPostHandle, CURLOPT_POST, 1);
+	curl_easy_setopt(pWrkrData->curlPostHandle,
+		CURLOPT_TIMEOUT_MS, pWrkrData->pData->indexTimeout);
+ }
+ 
+ #define CONTENT_JSON "Content-Type: application/json; charset=utf-8"
+@@ -1797,6 +1802,7 @@ setInstParamDefaults(instanceData *const pData)
+ 	pData->serverBaseUrls = NULL;
+ 	pData->defaultPort = 9200;
+ 	pData->healthCheckTimeout = 3500;
+	pData->indexTimeout = 0;
+ 	pData->uid = NULL;
+ 	pData->pwd = NULL;
+ 	pData->authBuf = NULL;
+@@ -1865,6 +1871,8 @@ CODESTARTnewActInst
+ 			pData->defaultPort = (int) pvals[i].val.d.n;
+ 		} else if(!strcmp(actpblk.descr[i].name, "healthchecktimeout")) {
+ 			pData->healthCheckTimeout = (long) pvals[i].val.d.n;
+		} else if(!strcmp(actpblk.descr[i].name, "indextimeout")) {
+			pData->indexTimeout = (long) pvals[i].val.d.n;
+ 		} else if(!strcmp(actpblk.descr[i].name, "uid")) {
+ 			pData->uid = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(actpblk.descr[i].name, "pwd")) {
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-2.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-2.patch
@ -0,0 +1,43 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 0808c6054e..ed9359732c 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -877,14 +877,6 @@ parseRequestAndResponseForContext(wrkrInstanceData_t *pWrkrData,fjson_object **p
+ 	int i;
+ 	int numitems;
+ 	fjson_object *items=NULL, *jo_errors = NULL;
+-	int errors = 0;
+-
+-	if(fjson_object_object_get_ex(replyRoot, "errors", &jo_errors)) {
+-		errors = fjson_object_get_boolean(jo_errors);
+-		if (!errors && pWrkrData->pData->retryFailures) {
+-			return RS_RET_OK;
+-		}
+-	}
+ 
+ 	/*iterate over items*/
+ 	if(!fjson_object_object_get_ex(replyRoot, "items", &items)) {
+@@ -897,6 +889,15 @@ parseRequestAndResponseForContext(wrkrInstanceData_t *pWrkrData,fjson_object **p
+ 
+ 	numitems = fjson_object_array_length(items);
+ 
+	int errors = 0;
+	if(fjson_object_object_get_ex(replyRoot, "errors", &jo_errors)) {
+		errors = fjson_object_get_boolean(jo_errors);
+		if (!errors && pWrkrData->pData->retryFailures) {
+			STATSCOUNTER_ADD(indexSuccess, mutIndexSuccess, numitems);
+			return RS_RET_OK;
+		}
+	}
+
+ 	if (reqmsg) {
+ 		DBGPRINTF("omelasticsearch: Entire request %s\n", reqmsg);
+ 	} else {
+@@ -1267,6 +1268,7 @@ getDataRetryFailures(context *ctx,int itemStatus,char *request,char *response,
+ 				response);
+ 		}
+ 	}
+
+ 	need_free_omes = 0;
+ 	CHKiRet(msgAddJSON(msg, (uchar*)".omes", omes, 0, 0));
+ 	MsgSetRuleset(msg, ctx->retryRuleset);
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-3.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-3.patch
@ -0,0 +1,148 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index ed9359732c..8200403eaf 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -86,12 +86,14 @@ STATSCOUNTER_DEF(rebinds, mutRebinds)
+ static prop_t *pInputName = NULL;
+ 
+ #	define META_STRT "{\"index\":{\"_index\": \""
+-#	define META_STRT_CREATE "{\"create\":{\"_index\": \""
+#	define META_STRT_CREATE "{\"create\":{"    /* \"_index\": \" */
+#	define META_IX "\"_index\": \""
+ #	define META_TYPE "\",\"_type\":\""
+ #       define META_PIPELINE "\",\"pipeline\":\""
+ #	define META_PARENT "\",\"_parent\":\""
+ #	define META_ID "\", \"_id\":\""
+ #	define META_END  "\"}}\n"
+#	define META_END_NOQUOTE  " }}\n"
+ 
+ typedef enum {
+ 	ES_WRITE_INDEX,
+@@ -362,8 +364,8 @@ CODESTARTdbgPrintInstInfo
+ 	dbgprintf("\tdefaultPort=%d\n", pData->defaultPort);
+ 	dbgprintf("\tuid='%s'\n", pData->uid == NULL ? (uchar*)"(not configured)" : pData->uid);
+ 	dbgprintf("\tpwd=(%sconfigured)\n", pData->pwd == NULL ? "not " : "");
+-	dbgprintf("\tsearch index='%s'\n", pData->searchIndex);
+-	dbgprintf("\tsearch type='%s'\n", pData->searchType);
+	dbgprintf("\tsearch index='%s'\n", pData->searchIndex == NULL ? (uchar*)"(not configured)" : pData->searchIndex);
+        dbgprintf("\tsearch type='%s'\n",  pData->searchType == NULL ? (uchar*)"(not configured)" : pData->searchType);
+ 	dbgprintf("\tpipeline name='%s'\n", pData->pipelineName);
+ 	dbgprintf("\tdynamic pipeline name=%d\n", pData->dynPipelineName);
+ 	dbgprintf("\tskipPipelineIfEmpty=%d\n", pData->skipPipelineIfEmpty);
+@@ -596,8 +598,8 @@ getIndexTypeAndParent(const instanceData *const pData, uchar **const tpls,
+ 	}
+ 
+ done:
+-	assert(srchIndex != NULL);
+-	assert(srchType != NULL);
+	//assert(srchIndex != NULL);
+	//assert(srchType != NULL);
+ 	return;
+ }
+ 
+@@ -633,9 +635,14 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 		parent = NULL;
+ 	} else {
+ 		getIndexTypeAndParent(pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+-		r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
+-		if(r == 0) r = es_addChar(&url, '/');
+-		if(r == 0) r = es_addBuf(&url, (char*)searchType, ustrlen(searchType));
+		if(searchIndex != NULL) {
+			r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
+			if(r == 0) r = es_addChar(&url, '/');
+			if(searchType != NULL) {
+				if(r == 0) r = es_addBuf(&url, (char*)searchType, ustrlen(searchType));
+			}
+		} else
+			r = 0;
+ 		if(pipelineName != NULL && (!pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+ 			if(r == 0) r = es_addChar(&url, separator);
+ 			if(r == 0) r = es_addBuf(&url, "pipeline=", sizeof("pipeline=")-1);
+@@ -692,7 +699,11 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 	uchar *pipelineName;
+ 
+ 	getIndexTypeAndParent(pWrkrData->pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+-	r += ustrlen((char *)message) + ustrlen(searchIndex) + ustrlen(searchType);
+	r += ustrlen((char *)message);
+        if(searchIndex != NULL)
+                r += ustrlen(searchIndex);
+        if(searchType != NULL)
+                r += ustrlen(searchType);
+ 
+ 	if(parent != NULL) {
+ 		r += sizeof(META_PARENT)-1 + ustrlen(parent);
+@@ -717,6 +728,7 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ {
+ 	int length = strlen((char *)message);
+ 	int r;
+       	int endQuote = 1;
+ 	uchar *searchIndex = NULL;
+ 	uchar *searchType;
+ 	uchar *parent = NULL;
+@@ -725,28 +737,43 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ 	DEFiRet;
+ 
+ 	getIndexTypeAndParent(pWrkrData->pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+-	if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE)
+	if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE) {
+ 		r = es_addBuf(&pWrkrData->batch.data, META_STRT_CREATE, sizeof(META_STRT_CREATE)-1);
+-	else
+		endQuote = 0;
+	} else
+ 		r = es_addBuf(&pWrkrData->batch.data, META_STRT, sizeof(META_STRT)-1);
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchIndex,
+	if(searchIndex != NULL) {
+		endQuote = 1;
+		if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE)
+			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_IX, sizeof(META_IX)-1);
+		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchIndex,
+ 				 ustrlen(searchIndex));
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_TYPE, sizeof(META_TYPE)-1);
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchType,
+		if(searchType != NULL) {
+			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_TYPE, sizeof(META_TYPE)-1);
+			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchType,
+ 				 ustrlen(searchType));
+		}
+	}
+ 	if(parent != NULL) {
+		endQuote = 1;
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_PARENT, sizeof(META_PARENT)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)parent, ustrlen(parent));
+ 	}
+ 	if(pipelineName != NULL && (!pWrkrData->pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+		endQuote = 1;
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_PIPELINE, sizeof(META_PIPELINE)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)pipelineName, ustrlen(pipelineName));
+ 	}
+ 	if(bulkId != NULL) {
+		endQuote = 1;
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_ID, sizeof(META_ID)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)bulkId, ustrlen(bulkId));
+ 	}
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_END, sizeof(META_END)-1);
+	if(endQuote == 0) {
+		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_END_NOQUOTE, sizeof(META_END_NOQUOTE)-1);
+	} else {
+		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_END, sizeof(META_END)-1);
+	}
+ 	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)message, length);
+ 	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, "\n", sizeof("\n")-1);
+ 	if(r != 0) {
+@@ -2094,6 +2121,8 @@ CODESTARTnewActInst
+ 		CHKiRet(computeBaseUrl("localhost", pData->defaultPort, pData->useHttps, pData->serverBaseUrls));
+ 	}
+ 
+	//Only needed befor ES-Version 7.x
+	/*
+ 	if(pData->searchIndex == NULL)
+ 		pData->searchIndex = (uchar*) strdup("system");
+ 	if(pData->searchType == NULL)
+@@ -2104,6 +2133,7 @@ CODESTARTnewActInst
+ 			"omelasticsearch: writeoperation '%d' requires bulkid", pData->writeOperation);
+ 		ABORT_FINALIZE(RS_RET_CONFIG_ERROR);
+ 	}
+	*/
+ 
+ 	if (pData->retryFailures) {
+ 		CHKiRet(ratelimitNew(&pData->ratelimiter, "omelasticsearch", NULL));
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-4.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-4.patch
@ -0,0 +1,118 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 8200403eaf..8b74d610df 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -130,6 +130,7 @@ typedef struct instanceConf_s {
+ 	uchar *timeout;
+ 	uchar *bulkId;
+ 	uchar *errorFile;
+	int esVersion;
+ 	sbool errorOnly;
+ 	sbool interleaved;
+ 	sbool dynSrchIdx;
+@@ -221,7 +222,8 @@ static struct cnfparamdescr actpdescr[] = {
+ 	{ "ratelimit.interval", eCmdHdlrInt, 0 },
+ 	{ "ratelimit.burst", eCmdHdlrInt, 0 },
+ 	{ "retryruleset", eCmdHdlrString, 0 },
+-	{ "rebindinterval", eCmdHdlrInt, 0 }
+	{ "rebindinterval", eCmdHdlrInt, 0 },
+	{ "esversion.major", eCmdHdlrPositiveInt, 0 }
+ };
+ static struct cnfparamblk actpblk =
+ 	{ CNFPARAMBLK_VERSION,
+@@ -246,6 +248,7 @@ CODESTARTcreateInstance
+ 	pData->retryRulesetName = NULL;
+ 	pData->retryRuleset = NULL;
+ 	pData->rebindInterval = DEFAULT_REBIND_INTERVAL;
+	pData->esVersion = 0;
+ finalize_it:
+ ENDcreateInstance
+ 
+@@ -364,8 +367,10 @@ CODESTARTdbgPrintInstInfo
+ 	dbgprintf("\tdefaultPort=%d\n", pData->defaultPort);
+ 	dbgprintf("\tuid='%s'\n", pData->uid == NULL ? (uchar*)"(not configured)" : pData->uid);
+ 	dbgprintf("\tpwd=(%sconfigured)\n", pData->pwd == NULL ? "not " : "");
+-	dbgprintf("\tsearch index='%s'\n", pData->searchIndex == NULL ? (uchar*)"(not configured)" : pData->searchIndex);
+-        dbgprintf("\tsearch type='%s'\n",  pData->searchType == NULL ? (uchar*)"(not configured)" : pData->searchType);
+	dbgprintf("\tsearch index='%s'\n", pData->searchIndex == NULL
+			? (uchar*)"(not configured)" : pData->searchIndex);
+	dbgprintf("\tsearch type='%s'\n",  pData->searchType == NULL
+			? (uchar*)"(not configured)" : pData->searchType);
+ 	dbgprintf("\tpipeline name='%s'\n", pData->pipelineName);
+ 	dbgprintf("\tdynamic pipeline name=%d\n", pData->dynPipelineName);
+ 	dbgprintf("\tskipPipelineIfEmpty=%d\n", pData->skipPipelineIfEmpty);
+@@ -598,8 +603,6 @@ getIndexTypeAndParent(const instanceData *const pData, uchar **const tpls,
+ 	}
+ 
+ done:
+-	//assert(srchIndex != NULL);
+-	//assert(srchType != NULL);
+ 	return;
+ }
+ 
+@@ -700,11 +703,12 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 
+ 	getIndexTypeAndParent(pWrkrData->pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+ 	r += ustrlen((char *)message);
+-        if(searchIndex != NULL)
+-                r += ustrlen(searchIndex);
+-        if(searchType != NULL)
+-                r += ustrlen(searchType);
+-
+	if(searchIndex != NULL) {
+		r += ustrlen(searchIndex);
+	}
+	if(searchType != NULL) {
+		r += ustrlen(searchType);
+	}
+ 	if(parent != NULL) {
+ 		r += sizeof(META_PARENT)-1 + ustrlen(parent);
+ 	}
+@@ -728,7 +732,7 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ {
+ 	int length = strlen((char *)message);
+ 	int r;
+-       	int endQuote = 1;
+	int endQuote = 1;
+ 	uchar *searchIndex = NULL;
+ 	uchar *searchType;
+ 	uchar *parent = NULL;
+@@ -1990,6 +1994,8 @@ CODESTARTnewActInst
+ 			pData->retryRulesetName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(actpblk.descr[i].name, "rebindinterval")) {
+ 			pData->rebindInterval = (int) pvals[i].val.d.n;
+		} else if(!strcmp(actpblk.descr[i].name, "esversion.major")) {
+			pData->esVersion = pvals[i].val.d.n;
+ 		} else {
+ 			LogError(0, RS_RET_INTERNAL_ERROR, "omelasticsearch: program error, "
+ 				"non-handled param '%s'", actpblk.descr[i].name);
+@@ -2121,19 +2127,18 @@ CODESTARTnewActInst
+ 		CHKiRet(computeBaseUrl("localhost", pData->defaultPort, pData->useHttps, pData->serverBaseUrls));
+ 	}
+ 
+-	//Only needed befor ES-Version 7.x
+-	/*
+-	if(pData->searchIndex == NULL)
+-		pData->searchIndex = (uchar*) strdup("system");
+-	if(pData->searchType == NULL)
+-		pData->searchType = (uchar*) strdup("events");
+	if(pData->esVersion < 8) {
+		if(pData->searchIndex == NULL)
+			pData->searchIndex = (uchar*) strdup("system");
+		if(pData->searchType == NULL)
+			pData->searchType = (uchar*) strdup("events");
+ 
+-	if ((pData->writeOperation != ES_WRITE_INDEX) && (pData->bulkId == NULL)) {
+-		LogError(0, RS_RET_CONFIG_ERROR,
+-			"omelasticsearch: writeoperation '%d' requires bulkid", pData->writeOperation);
+-		ABORT_FINALIZE(RS_RET_CONFIG_ERROR);
+		if ((pData->writeOperation != ES_WRITE_INDEX) && (pData->bulkId == NULL)) {
+			LogError(0, RS_RET_CONFIG_ERROR,
+				"omelasticsearch: writeoperation '%d' requires bulkid", pData->writeOperation);
+			ABORT_FINALIZE(RS_RET_CONFIG_ERROR);
+		}
+ 	}
+-	*/
+ 
+ 	if (pData->retryFailures) {
+ 		CHKiRet(ratelimitNew(&pData->ratelimiter, "omelasticsearch", NULL));
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-5.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-5.patch
@ -0,0 +1,40 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 76d5081d3b..f481ec3f7e 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -620,6 +620,8 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 	uchar *parent;
+ 	uchar *bulkId;
+ 	char* baseUrl;
+	/* since 7.0, the API always requires /idx/_doc, so use that if searchType is not explicitly set */
+	uchar* actualSearchType = (uchar*)"_doc";
+ 	es_str_t *url;
+ 	int r;
+ 	DEFiRet;
+@@ -645,11 +647,12 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 		if(searchIndex != NULL) {
+ 			r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
+ 			if(r == 0) r = es_addChar(&url, '/');
+-			if(searchType != NULL) {
+-				if(r == 0) r = es_addBuf(&url, (char*)searchType, ustrlen(searchType));
+-			}
+-		} else
+-			r = 0;
+
+		if(searchType != NULL) {
+			actualSearchType = searchType;
+		}
+		if(r == 0) r = es_addChar(&url, '/');
+		if(r == 0) r = es_addBuf(&url, (char*)actualSearchType, ustrlen(actualSearchType));
+ 		if(pipelineName != NULL && (!pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+ 			if(r == 0) r = es_addChar(&url, separator);
+ 			if(r == 0) r = es_addBuf(&url, "pipeline=", sizeof("pipeline=")-1);
+@@ -693,7 +696,7 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 	const uchar *const message,
+ 	uchar **const tpls)
+ {
+-	size_t r = sizeof(META_TYPE)-1 + sizeof(META_END)-1 + sizeof("\n")-1;
+	size_t r = sizeof(META_END)-1 + sizeof("\n")-1;
+ 	if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE)
+ 		r += sizeof(META_STRT_CREATE)-1;
+ 	else
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-6.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-6.patch
@ -0,0 +1,53 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index f481ec3f7e..b297a9274f 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
+++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -623,7 +623,7 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 	/* since 7.0, the API always requires /idx/_doc, so use that if searchType is not explicitly set */
+ 	uchar* actualSearchType = (uchar*)"_doc";
+ 	es_str_t *url;
+-	int r;
+	int r = 0;
+ 	DEFiRet;
+ 	instanceData *const pData = pWrkrData->pData;
+ 	char separator;
+@@ -646,13 +646,12 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 		getIndexTypeAndParent(pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+ 		if(searchIndex != NULL) {
+ 			r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
+			if(searchType != NULL && searchType[0] != '\0') {
+				actualSearchType = searchType;
+			}
+ 			if(r == 0) r = es_addChar(&url, '/');
+-
+-		if(searchType != NULL) {
+-			actualSearchType = searchType;
+			if(r == 0) r = es_addBuf(&url, (char*)actualSearchType, ustrlen(actualSearchType));
+ 		}
+-		if(r == 0) r = es_addChar(&url, '/');
+-		if(r == 0) r = es_addBuf(&url, (char*)actualSearchType, ustrlen(actualSearchType));
+ 		if(pipelineName != NULL && (!pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+ 			if(r == 0) r = es_addChar(&url, separator);
+ 			if(r == 0) r = es_addBuf(&url, "pipeline=", sizeof("pipeline=")-1);
+@@ -714,7 +713,11 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 		r += ustrlen(searchIndex);
+ 	}
+ 	if(searchType != NULL) {
+-		r += ustrlen(searchType);
+		if(searchType[0] == '\0') {
+			r += 4; // "_doc"
+		} else {
+			r += ustrlen(searchType);
+		}
+ 	}
+ 	if(parent != NULL) {
+ 		r += sizeof(META_PARENT)-1 + ustrlen(parent);
+@@ -759,7 +762,7 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ 			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_IX, sizeof(META_IX)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchIndex,
+ 				 ustrlen(searchIndex));
+-		if(searchType != NULL) {
+		if(searchType != NULL && searchType[0] != '\0') {
+ 			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_TYPE, sizeof(META_TYPE)-1);
+ 			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchType,
+ 				 ustrlen(searchType));
--- a/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-doc.patch
+++ b/SOURCES/rsyslog-8.2102.0-rhbz2192955-es-doc.patch
@ -0,0 +1,32 @@
+diff -up rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html.orig rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html
+--- rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html.orig	2023-05-11 15:56:24.308601241 +0200
+++ rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html	2023-05-11 15:57:11.000662477 +0200
+@@ -156,6 +156,28 @@ this timeframe. Defaults to 3500.</p>
+ <p><em>Note, the health check is verifying connectivity only, not the state of
+ the Elasticsearch cluster.</em></p>
+ </div>
+
+<div class="section" id="esVersion.major">
+  <span id="id2"></span><h4>esVersion.major<a class="headerlink" href="#esVersion.major" title="Permalink to this headline">¶</a></h4>
+  <table border="1" class="colwidths-auto parameter-table docutils">
+  <thead valign="bottom">
+  <tr class="row-odd"><th class="head">type</th>
+  <th class="head">default</th>
+  <th class="head">mandatory</th>
+  <th class="head"><code class="docutils literal notranslate"><span class="pre">obsolete</span> <span class="pre">legacy</span></code> directive</th>
+  </tr>
+  </thead>
+  <tbody valign="top">
+  <tr class="row-even"><td>integer</td>
+  <td>0</td>
+  <td>no</td>
+  <td>none</td>
+  </tr>
+  </tbody>
+  </table>
+  <p>ElasticSearch is notoriously bad at maintaining backwards compatibility. For this reason, the setting can be used to configure the server’s major version number (e.g. 7, 8, …). As far as we know breaking changes only happen with major version changes. As of now, only value 8 triggers API changes. All other values select pre-version-8 API usage.</p>
+  </div>
+
+ <div class="section" id="searchindex">
+ <span id="id3"></span><h4>searchIndex<a class="headerlink" href="#searchindex" title="Permalink to this headline">¶</a></h4>
+ <table border="1" class="colwidths-auto parameter-table docutils">
--- a/SOURCES/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch
+++ b/SOURCES/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch
@ -0,0 +1,30 @@
+diff -up rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig rsyslog-8.37.0/plugins/imptcp/imptcp.c
+--- rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig	2022-05-09 12:22:59.050623119 +0200
+++ rsyslog-8.37.0/plugins/imptcp/imptcp.c	2022-05-09 12:34:39.979854853 +0200
+@@ -1032,7 +1032,10 @@ processDataRcvd(ptcpsess_t *const __rest
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
+			// *(pThis->pMsg + pThis->iMsg++) = c;
+			if(pThis->iMsg < iMaxLine) {
+				*(pThis->pMsg + pThis->iMsg++) = c;
+			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff -up rsyslog-8.37.0/runtime/tcps_sess.c.orig rsyslog-8.37.0/runtime/tcps_sess.c
+--- rsyslog-8.37.0/runtime/tcps_sess.c.orig	2022-05-09 12:23:12.789627661 +0200
+++ rsyslog-8.37.0/runtime/tcps_sess.c	2022-05-09 12:36:51.426898549 +0200
+@@ -389,7 +389,10 @@ processDataRcvd(tcps_sess_t *pThis,
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
+			// *(pThis->pMsg + pThis->iMsg++) = c;
+			if(pThis->iMsg < iMaxLine) {
+				*(pThis->pMsg + pThis->iMsg++) = c;
+			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);
--- a/SOURCES/rsyslog.conf
+++ b/SOURCES/rsyslog.conf
@ -10,6 +10,7 @@ module(load="imuxsock" 	  # provides support for local system logging (e.g. via
       SysSock.Use="off") # Turn off message reception via local log socket; 
 			  # local messages are retrieved through imjournal now.
 module(load="imjournal" 	    # provides access to the systemd journal
+       UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
       StateFile="imjournal.state") # File to store the position in the journal
 #module(load="imklog") # reads kernel messages (the same are read from journald)
 #module(load="immark") # provides --MARK-- message capability
--- a/SOURCES/rsyslog.log
+++ b/SOURCES/rsyslog.log
@ -7,6 +7,6 @@
    missingok
    sharedscripts
    postrotate
-        /usr/bin/systemctl kill -s HUP rsyslog.service >/dev/null 2>&1 || true
+        /usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>&1 || true
    endscript
 }
--- a/SOURCES/rsyslog.service
+++ b/SOURCES/rsyslog.service
@ -0,0 +1,35 @@
+[Unit]
+Description=System Logging Service
+;Requires=syslog.socket
+Wants=network.target network-online.target
+After=network.target network-online.target
+Documentation=man:rsyslogd(8)
+Documentation=https://www.rsyslog.com/doc/
+
+[Service]
+Type=notify
+EnvironmentFile=-/etc/sysconfig/rsyslog
+ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
+UMask=0066
+StandardOutput=null
+Restart=on-failure
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=net
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @raw-io @reboot @swap @cpu-emulation @obsolete
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+
+# Increase the default a bit in order to allow many simultaneous
+# files to be monitored, we might need a lot of fds.
+LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target
+;Alias=syslog.service
--- a/SPECS/rsyslog.spec
+++ b/SPECS/rsyslog.spec
@ -5,8 +5,8 @@

 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
-Version: 8.1911.0
-Release: 6%{?dist}
+Version: 8.2102.0
+Release: 15%{?dist}
 License: (GPLv3+ and ASL 2.0)
 Group: System Environment/Daemons
 ExcludeArch: i686
@ -16,14 +16,15 @@ Source1: http://www.rsyslog.com/files/download/rsyslog/%{name}-doc-%{version}.ta
 Source2: rsyslog.conf
 Source3: rsyslog.sysconfig
 Source4: rsyslog.log
-Source5: qpid-proton-0.31.0.tar.gz
+Source5: qpid-proton-0.34.0.tar.gz
+Source6: rsyslog.service

 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: bison
 BuildRequires: flex
 BuildRequires: libcurl-devel
-BuildRequires: libgcrypt-devel 
+BuildRequires: libgcrypt-devel
 BuildRequires: libfastjson-devel >= 0.99.8
 BuildRequires: libestr-devel >= 0.1.9
 BuildRequires: libtool
@ -33,7 +34,9 @@ BuildRequires: python3-docutils
 # it depens on rhbz#1419228
 BuildRequires: systemd-devel >= 219-39
 BuildRequires: zlib-devel
+BuildRequires: openssl-devel

+Requires: openssl-libs
 Requires: logrotate >= 3.5.2
 Requires: bash >= 2.0
 Requires: libestr >= 0.1.9
@ -44,16 +47,35 @@ Requires(postun): systemd
 Provides: syslog
 Obsoletes: sysklogd < 1.5-11

-# tweak the upstream service file to honour configuration from /etc/sysconfig/rsyslog
-Patch0: rsyslog-8.1911.0-service.patch
 # imjournal: adds "journal" when tag/process name is missing
-Patch1: rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch
-Patch2: rsyslog-8.1911.0-rhbz1763757-imfile-statefiles.patch
-Patch3: rsyslog-8.1911.0-rhbz1782353-deny-expired-by-default.patch
-Patch4: rsyslog-8.1911.0-rhbz1659383-config-enabled-error.patch
-Patch5: rsyslog-8.1911.0-rhbz1789675-serialize-crash-race.patch
-Patch6: rsyslog-8.1911.0-rhbz1793569-imfile-file_id.patch
-Patch7: rsyslog-8.1911.0-rhbz1843994-imfile-selinux-symlink-crash.patch
+Patch0:  rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch
+Patch1:  rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch
+Patch2:  rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch
+Patch3:  rsyslog-8.2102.0-rhbz1866877-unexpected-length.patch
+Patch4:  rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch
+Patch5:  rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch
+Patch6:  rsyslog-8.2102.0-rhbz1832368-prioritize-SAN.patch
+Patch7:  rsyslog-8.2102.0-rhbz1962318-errfile-maxsize.patch
+Patch8:  rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch
+Patch9:  rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch
+Patch10: rsyslog-8.2102.0-nsd_ossl-better-logs.patch
+Patch11: rsyslog-8.2102.0-imtcp-param-refactor.patch
+Patch12: rsyslog-8.2102.0-nsd_ossl-memory-leak.patch
+Patch13: rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch
+Patch14: rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch
+Patch15: rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch
+Patch16: rsyslog-8.2102.0-rhbz2124934-extra-ca-files.patch
+Patch17: rsyslog-8.2102.0-rhbz2124934-extra-ca-files-doc.patch
+Patch18: rsyslog-8.2102.0-rhbz2157658-imklog.patch
+Patch19: rsyslog-8.2102.0-rhbz2157804-cstrlen.patch
+Patch20: rsyslog-8.2102.0-rhbz2192955-es-0.patch
+Patch21: rsyslog-8.2102.0-rhbz2192955-es-1.patch
+Patch22: rsyslog-8.2102.0-rhbz2192955-es-2.patch
+Patch23: rsyslog-8.2102.0-rhbz2192955-es-3.patch
+Patch24: rsyslog-8.2102.0-rhbz2192955-es-4.patch
+Patch25: rsyslog-8.2102.0-rhbz2192955-es-5.patch
+Patch26: rsyslog-8.2102.0-rhbz2192955-es-6.patch
+Patch27: rsyslog-8.2102.0-rhbz2192955-es-doc.patch

 %package crypto
 Summary: Encryption support
@ -72,11 +94,17 @@ Group: System Environment/Daemons
 Requires: %name = %version-%release

 %package gnutls
-Summary: TLS protocol support for rsyslog
+Summary: TLS protocol support for rsyslog via GnuTLS library
 Group: System Environment/Daemons
 Requires: %name = %version-%release
 BuildRequires: gnutls-devel

+%package openssl
+Summary: TLS protocol support for rsyslog via OpenSSL library
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+BuildRequires: openssl-devel
+
 %package gssapi
 Summary: GSSAPI authentication and encryption support for rsyslog
 Group: System Environment/Daemons
@ -110,6 +138,10 @@ Group: System Environment/Daemons
 Requires: %name = %version-%release
 BuildRequires: liblognorm-devel

+%package mmfields
+Summary: Fields extraction module
+Requires: %name = %version-%release
+
 %package mmsnmptrapd
 Summary: Message modification module for snmptrapd generated messages
 Group: System Environment/Daemons
@ -145,8 +177,8 @@ BuildRequires: postgresql-devel
 Summary: RELP protocol support for rsyslog
 Group: System Environment/Daemons
 Requires: %name = %version-%release
-Requires: librelp >= 1.0.3
-BuildRequires: librelp-devel >= 1.2.16
+Requires: librelp >= 1.9.0
+BuildRequires: librelp-devel >= 1.9.0

 %package snmp
 Summary: SNMP protocol support for rsyslog
@ -154,6 +186,12 @@ Group: System Environment/Daemons
 Requires: %name = %version-%release
 BuildRequires: net-snmp-devel

+%package udpspoof
+Summary: Provides the omudpspoof module
+Group: System Environment/Daemons
+Requires: %name = %version-%release
+BuildRequires: libnet-devel
+
 %description
 Rsyslog is an enhanced, multi-threaded syslog daemon. It supports MySQL,
 syslog/TCP, RFC 3195, permitted sender lists, filtering on any message part,
@ -176,7 +214,14 @@ Elasticsearch.
 %description gnutls
 The rsyslog-gnutls package contains the rsyslog plugins that provide the
 ability to send and receive syslog messages via TCP or RELP using TLS
-encryption. For details refer to rsyslog doc on imtcp and omfwd modules.
+encryption via GnuTLS library. For details refer to rsyslog doc on imtcp
+and omfwd modules.
+
+%description openssl
+The rsyslog-openssl package contains the rsyslog plugins that provide the
+ability to send and receive syslog messages via TCP or RELP using TLS
+encryption via OpenSSL library. For details refer to rsyslog doc on imtcp
+and omfwd modules.

 %description gssapi
 The rsyslog-gssapi package contains the rsyslog plugins which support GSSAPI
@ -184,7 +229,7 @@ authentication and secure connections. GSSAPI is commonly used for Kerberos
 authentication.

 %description kafka
-The rsyslog-kafka package provides modules for Apache Kafka input and output. 
+The rsyslog-kafka package provides modules for Apache Kafka input and output.

 %description mmaudit
 This module provides message modification supporting Linux audit format
@ -201,6 +246,12 @@ container metadata.
 %description mmnormalize
 This module provides the capability to normalize log messages via liblognorm.

+%description mmfields
+The mmfield module permits to extract fields. Using this module is of special
+advantage if a field-based log format is to be processed, like for example CEF
+and either a large number of fields is needed or a specific field is used multiple
+times inside filters.
+
 %description mmsnmptrapd
 This message modification module takes messages generated from snmptrapd and
 modifies them so that they look like they originated from the read originator.
@ -226,10 +277,14 @@ protocol.
 The rsyslog-snmp package contains the rsyslog plugin that provides the
 ability to send syslog messages as SNMPv1 and SNMPv2c traps.

+%description udpspoof
+This module is similar to the regular UDP forwarder, but permits to
+spoof the sender address. Also, it enables to circle through a number
+of source ports.
+
 %prep
 # set up rsyslog-doc sources
 %setup -q -a 1 -T -c
-
 #regenerate the docs

 #mv build/searchindex.js searchindex_backup.js
@ -244,14 +299,34 @@ mv build doc
 %setup -q -D
 %setup -q -D -T -b 5

-%patch0 -p1 -b .service
-%patch1 -p1 -b .default-tag
-%patch2 -p1 -b .imfile-statefiles
-%patch3 -p1 -b .deny-expired-certs
-%patch4 -p1 -b .config-enabled-on
-%patch5 -p1 -b .serialize-json
-%patch6 -p1 -b .imfile-id
-%patch7 -p1 -b .imfile-selinux-symlink
+%patch0  -p1 -b .default-tag
+%patch1  -p1 -b .fd-leak-on-fsync
+%patch2  -p1 -b .timeout
+%patch3  -p1 -b .unexpected-priority-length
+%patch4  -p1 -b .imuxsock-rate-limit
+%patch5  -p1 -b .abort-on-id-resolution-fail
+%patch6  -p1 -b .prioritizeSAN
+%patch7  -p1 -b .errfile-maxsize
+%patch8  -p1 -b .state-file-leaking
+%patch9  -p1 -b .state-file-leaking-doc
+%patch10 -p1 -b .ossl-better-logs
+%patch11 -p1 -b .imtcp-refactor-params
+%patch12 -p1 -b .ossl-memory-leak
+%patch13 -p1 -b .ossl-ciphers-behaviour
+%patch14 -p1 -b .CVE-24903
+%patch15 -p1 -b .gnutls-error-handling
+%patch16 -p1 -b .extra-ca-files
+%patch17 -p1 -b .extra-ca-files-doc
+%patch18 -p1 -b .imklog-heap
+%patch19 -p1 -b .cstrlen
+%patch20 -p1 -b .es0
+%patch21 -p1 -b .es1
+%patch22 -p1 -b .es2
+%patch23 -p1 -b .es3
+%patch24 -p1 -b .es4
+%patch25 -p1 -b .es5
+%patch26 -p1 -b .es6
+%patch27 -p1 -b .es-doc

 %build
 %ifarch sparc64
@ -262,7 +337,7 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic"
 %endif
 # build the proton first
 (
-	cd %{_builddir}/qpid-proton-0.31.0
+	cd %{_builddir}/qpid-proton-0.34.0
 	mkdir bld
 	cd bld

@ -295,6 +370,7 @@ autoreconf -if
 	--enable-elasticsearch \
 	--enable-generate-man-pages \
 	--enable-gnutls \
+	--enable-openssl \
 	--enable-gssapi-krb5 \
 	--enable-imdiag \
 	--enable-imfile \
@ -309,15 +385,17 @@ autoreconf -if
 	--enable-mmjsonparse \
 	--enable-mmkubernetes \
 	--enable-mmnormalize \
+	--enable-mmfields \
 	--enable-mmsnmptrapd \
 	--enable-mmutf8fix \
 	--enable-mysql \
-	--enable-omamqp1 PROTON_LIBS="%{_builddir}/qpid-proton-0.31.0/bld/c/libqpid-proton-core-static.a %{_builddir}/qpid-proton-0.31.0/bld/c/libqpid-proton-proactor-static.a %{_builddir}/qpid-proton-0.31.0/bld/c/libqpid-proton-static.a -lssl -lsasl2 -lcrypto" PROTON_CFLAGS="-I%{_builddir}/qpid-proton-0.31.0/bld/c/include" \
+	--enable-omamqp1 PROTON_LIBS="%{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-core-static.a %{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-proactor-static.a %{_builddir}/qpid-proton-0.34.0/bld/c/libqpid-proton-static.a -lssl -lsasl2 -lcrypto" PROTON_CFLAGS="-I%{_builddir}/qpid-proton-0.34.0/bld/c/include" \
 	--enable-omhttp \
 	--enable-omjournal \
 	--enable-omkafka \
 	--enable-omprog \
 	--enable-omstdout \
+	--enable-omudpspoof \
 	--enable-omuxsock \
 	--enable-pgsql \
 	--enable-pmaixforwardedfrom \
@ -327,7 +405,7 @@ autoreconf -if
 	--enable-relp \
 	--enable-snmp \
 	--enable-unlimited-select \
-	--enable-usertools 
+	--enable-usertools

 make

@ -336,6 +414,7 @@ make DESTDIR=%{buildroot} install

 install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig
 install -d -m 755 %{buildroot}%{_sysconfdir}/logrotate.d
+install -d -m 755 %{buildroot}%{_unitdir}
 install -d -m 755 %{buildroot}%{_sysconfdir}/rsyslog.d
 install -d -m 700 %{buildroot}%{rsyslog_statedir}
 install -d -m 700 %{buildroot}%{rsyslog_pkidir}
@ -344,6 +423,7 @@ install -d -m 755 %{buildroot}%{rsyslog_docdir}/html
 install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/rsyslog.conf
 install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/rsyslog
 install -p -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/syslog
+install -p -m 644 %{SOURCE6} %{buildroot}%{_unitdir}/rsyslog.service
 install -p -m 644 plugins/ommysql/createDB.sql %{buildroot}%{rsyslog_docdir}/mysql-createDB.sql
 install -p -m 644 plugins/ompgsql/createDB.sql %{buildroot}%{rsyslog_docdir}/pgsql-createDB.sql
 install -p -m 644 contrib/mmkubernetes/*.rulebase %{buildroot}%{rsyslog_docdir}
@ -351,8 +431,6 @@ install -p -m 644 contrib/mmkubernetes/*.rulebase %{buildroot}%{rsyslog_docdir}
 cp -r doc/* %{buildroot}%{rsyslog_docdir}/html
 # get rid of libtool libraries
 rm -f %{buildroot}%{_libdir}/rsyslog/*.la
-# get rid of socket activation by default
-sed -i '/^Alias/s/^/;/;/^Requires=syslog.socket/s/^/;/' %{buildroot}%{_unitdir}/rsyslog.service

 # convert line endings from "\r\n" to "\n"
 cat tools/recover_qi.pl | tr -d '\r' > %{buildroot}%{_bindir}/rsyslog-recover-qi.pl
@ -443,6 +521,9 @@ done
 %files gnutls
 %{_libdir}/rsyslog/lmnsd_gtls.so

+%files openssl
+%{_libdir}/rsyslog/lmnsd_ossl.so
+
 %files kafka
 %{_libdir}/rsyslog/imkafka.so
 %{_libdir}/rsyslog/omkafka.so
@ -461,6 +542,9 @@ done
 %files mmnormalize
 %{_libdir}/rsyslog/mmnormalize.so

+%files mmfields
+%{_libdir}/rsyslog/mmfields.so
+
 %files mmsnmptrapd
 %{_libdir}/rsyslog/mmsnmptrapd.so

@ -482,8 +566,98 @@ done
 %files snmp
 %{_libdir}/rsyslog/omsnmp.so

+%files udpspoof
+%defattr(-,root,root)
+%{_libdir}/rsyslog/omudpspoof.so

 %changelog
+* Thu May 11 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-15
+- omelasticsearch: make compatible with elasticsearch>=8
+- add new action specific parameter esversion.major
+  resolves: rhbz#2192955
+
+* Tue May 09 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-14
+- Fix wrong type conversion in cstrLen()
+  resolves: rhbz#2157804
+- imjournal: by default retrieves _PID from journal as PID number
+  resolves: rhbz#2176398
+- Systemd service file hardening
+  resolves: rhbz#2176404
+
+* Mon Jan 09 2023 Attila Lakatos <alaktos@redhat.com> - 8.2102.0-13
+- Make rsyslog-relp require librelp>= 1.9.0
+  resolves: rhbz#2029352
+- Reorder logrotate parameters to work with POSIXLY_CORRECT env var
+  resolves: rhbz#2070496
+
+* Fri Jan 06 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-12
+- Fix invalid memory adressing in imklog that could cause abort
+  resolves: rhbz#2157658
+
+* Tue Sep 06 2022 Sergio Arroutbi <sarroutb@redhat.com> - 8.2102.0-11
+- Enable multiple SSL CA files
+  resolves: rhbz#2124934
+
+* Wed Apr 13 2022 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-10
+- openssl: Correct gnutlsPriorityString (custom ciphers) behaviour
+- Fix error handling in gtlsRecordRecv that can cause 100 percent CPU usage
+  resolves: rhbz#2046158
+- Address CVE-2022-24903, Heap-based overflow in TCP syslog server
+  resolves: rhbz#2081401
+
+* Mon Mar 28 2022 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-9
+- Add deleteStateOnFileMove imfile module option
+  resolves: rhbz#1909639
+- Add inotify_rm_watch() inotify API call when object needs to be destroyed
+  resolves: rhbz#2052403
+
+* Fri Mar 04 2022 Sergio Arroutbi <sarroutb@redhat.com> - 8.2102.0-8
+- Include maxsize for error files
+  resolves: rhbz#1962318
+
+* Mon Nov 22 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-7
+- Propagate prioritizeSAN when accepting new connection
+  resolves: rhbz#1832368
+
+* Mon Oct 18 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-6
+- Enable mmfields module
+  resolves: rhbz#1947907
+  resolves: rhbz#1866900
+
+* Wed Aug 04 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-5
+- Do not exit when user/group can not be found
+  resolves: rhbz#1984489
+- Remove abortOnIDResolution fail
+
+* Tue Jul 27 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-4
+- Allways use message severity when comparing with ratelimit severity
+  resolves: rhbz#1984616
+
+* Mon Jun 28 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-3
+- Priority field must have valid length
+  resolves: rhbz#1866877
+- Allocate more memory on too large groups
+  resolves: rhbz#1944718
+
+* Tue May 18 2021 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-2
+  RHEL 8.5.0 ERRATUM
+- rebase to 8.2102.0
+  resolves: rhbz#1932795
+- Enable openssl
+  resolves: rhbz#1891458
+- EKU check for client cert on server side
+  resolves: rhbz#1783348
+- Use GNUTLS_SHUT_WR when ending TLS connections
+  resolves: rhbz#1880434
+- Use librelp with openssl enabled
+  resolves: rhbz#1795607
+- Close dir when fsync=on
+  resolves: rhbz#1960536
+
+* Wed Nov 18 2020 Attila Lakatos <alakatos@redhat.com> - 8.1911.0-7
+- add back rsyslog-udpspoof package
+  resolves: rhbz#1869874
+
 * Thu Jun 18 2020 Jiri Vymazal <jvymazal@redhat.com> - 8.1911.0-6
  RHEL 8.3.0 ERRATUM
 - added patch preventing imfile crash when selinux blocks symlink
@ -497,7 +671,7 @@ done
 - added qpid-proton as another source and enabled omamqp1 module
  in a separate sub-package with it statically linked
  resolves: rhbz#1713427
- extended config.enabled patch to cover rest of the cases 
+- extended config.enabled patch to cover rest of the cases
  resolves: rhbz#1659383
 - added patch making json serialization thread-safe
  resolves: rhbz#1789675
@ -539,7 +713,7 @@ done

 * Fri Aug 30 2019 Jiri Vymazal <jvymazal@redhat.com> - 8.37.0-13
  RHEL 8.1.0 ERRATUM
- added patch enabling stricter TLS certs checking conforming to 
+- added patch enabling stricter TLS certs checking conforming to
  common criteria requirements
  resolves: rhbz#1733244

@ -630,7 +804,7 @@ done

 * Mon Jul 02 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.36.0-1
 - changed PID file name to follow upstream
- removed config option to disable stdlog as it is now 
+- removed config option to disable stdlog as it is now
  disabled by default

 * Thu Jun 28 2018 Jiri Vymazal <jvymazal@redhat.com> - 8.36.0-1
@ -665,4 +839,4 @@ done
  - libdbi
  - omruleset
  - pmrfc3164sd
- imported from fedora26  
+- imported from fedora26