
rsyslog-docker's Introduction

rsyslog-docker

a playground for rsyslog docker tasks - nothing production yet

see also https://github.com/rsyslog/rsyslog/projects/5

The docker effort currently uses multiple containers.

Alpine Linux

We intend to use Alpine Linux for the logging appliance container, because it is small, secure and relatively recent.

Right now, Alpine misses some components that we need, so we build some packages ourselves. This will most probably be an ongoing activity, as we intend to always provide current versions of rsyslog inside the logging appliance and it looks unlikely that Alpine will always follow exactly.

Package Build Environment

We use

https://github.com/rgerhards/docker-alpine-abuild/tree/master-rger

to build alpine packages.

This is based on https://github.com/andyshinn/docker-alpine-abuild and only adds a few rsyslog-specific tweaks. Most importantly, it has our own unofficial APK repository enabled (we need this when we have to build against dependencies newer than those in the official Alpine repositories).

Our custom packages are contained inside the

https://github.com/rgerhards/alpine-rsyslog-extras

repository.

Bootstrap

Note: usr below stands for your user prefix.

To start from scratch, do

  • create the usr/docker-alpine-abuild image. You need to hand-edit it so that the initial build does not use your custom repository, which is not populated yet.

  • create the autotools-archive package via usr/alpine-linux-extras:

    • cd autotools-archive
    • source ../run
      Note: there are some errors in regard to the git repository mount point. So far, I do not know where they stem from or how to get rid of them. Fortunately, they do not harm the build process. Ignore them (and send us a PR if you know how to solve this cleanly).

  • copy the package to your intended destination HTTP server. Note that apk only installs from a repository whose APKINDEX is signed with a key present in the client's /etc/apk/keys, so the public half of the abuild key you sign with must also be shipped into every image that consumes this repository.

  • rebuild the usr/docker-alpine-abuild image: revert your hand-edited change so that it uses the custom repository again. This is important, as we need to have the dependencies available for future builds.

  • rebuild the rest of the packages in usr/alpine-linux-extras. We don't want to give the exact sequence here as it might change. In general, rsyslog should be built last. You may need to do multiple uploads to your repo when these dependencies are needed by other packages.

  • Remember to periodically apply (security) updates to the docker images!

rsyslog-docker's People

Contributors

alorbach, jgerhards, n2yen, rgerhards, zyrikby


rsyslog-docker's Issues

Is there a bug about the timezone?

I'm in Beijing, China.
Usually TZ=UTC+8 should be set. However it's wrong, behind by 16 hours.
I try TZ=UTC-8, and it's the right time.
What happened?
Thanks
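The behaviour in the report is the POSIX TZ sign convention rather than a fault in the image: in a POSIX TZ string such as UTC-8, the number is the offset added to local time to reach UTC, so UTC-8 denotes a zone eight hours ahead of UTC (Beijing), while UTC+8 denotes eight hours behind, sixteen hours away from the intended clock. The following is an added example, not part of the original report, that shows what the C library derives from each string; the epoch value used in it is constructed for illustration. A zone name such as Asia/Shanghai avoids the confusion, but it needs the zoneinfo database inside the container (apk add tzdata on Alpine).

```python
"""How the C library reads a POSIX TZ string (added example, Unix only: time.tzset())."""
import os
import time
from contextlib import contextmanager


@contextmanager
def tz_env(tz):
    """Temporarily set TZ=tz for this process and make the C library re-read it."""
    previous = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()
    try:
        yield
    finally:
        if previous is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = previous
        time.tzset()


def posix_tz_offset_hours(tz):
    """UTC offset in hours, east-positive, that the C library derives from TZ=tz.

    A POSIX TZ string gives the value to ADD to local time to obtain UTC, so
    "UTC-8" means local time is eight hours AHEAD of UTC (and "UTC+8" eight behind).
    """
    with tz_env(tz):
        # time.timezone is seconds WEST of UTC; negate it for the usual east-positive sign.
        return -time.timezone / 3600


def local_clock(tz, epoch):
    """Wall-clock rendering of one instant (seconds since the epoch) under TZ=tz."""
    with tz_env(tz):
        return time.strftime("%Y-%m-%dT%H:%M:%S%z", time.localtime(epoch))


def hours_between(tz_a, tz_b):
    """How far apart two TZ settings place the same instant, in hours."""
    return posix_tz_offset_hours(tz_a) - posix_tz_offset_hours(tz_b)


if __name__ == "__main__":
    # Constructed instant: 2021-09-13T16:20:00Z, the month of the report.
    instant = 1631550000
    for tz in ("UTC+8", "UTC-8"):
        print(f"TZ={tz:<6} offset {posix_tz_offset_hours(tz):+.0f}h  -> {local_clock(tz, instant)}")
    print(f"difference between the two settings: {hours_between('UTC-8', 'UTC+8'):.0f} hours")
```

Running it prints the same instant once as 08:20 on the 13th with offset -0800 and once as 00:20 on the 14th with offset +0800, the sixteen-hour gap the report describes.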

Consider an rsyslog container based on CentOS/rpm packages?

I'm wondering if it would be good to have a container build system that's compatible with other container bases?

Elasticsearch, for example, bases its containers on CentOS, and while it has more bloat, CentOS (or Debian) has a more mature set of packages to extend builds with (compared to Alpine).

As an example of a CentOS based rsyslog container that tries to extend the base RSyslog features, but also include plugins like RELP and Kafka, see https://github.com/JPvRiel/docker-rsyslog (We've been running this based on 8.31 with fairly good stability over the past 2 months)

P.S.: Nice to see some work going towards making rsyslog more container friendly. In my example above, the approach of using confd to "12-factor" the config of the container by taking ENV vars and templating the rsyslog config can now be made simpler given this changelog note for 8.33.0:

  • text can be included from e.g. an environment variable
    --> ex: include(text=`echo $ENVVAR`)

I had to use confd because prior versions didn't always play well with using env vars in all parts of the config syntax...

Where is logger command output?

I cloned this repo and tried it myself. I found that my interaction with bash was directed into the system output (I can see it with the "docker logs" command). I tried the command "logger hello" but can't find it anywhere. And how do I turn off the behaviour of logging my interaction with bash?

Hostname template breaks when using cluster Load Balancer

I tried running this on Kubernetes using a Load Balancer IP (via MetalLB) as the IP address that other hosts should send their logs to.

It works, in general, but all of the logs show up as one of the cluster IPs (whichever one is providing the loadbalancer service at the moment, I guess).

That breaks the typical strategy of breaking out the logs into separate files (or subdirectories) the way this container does by default. All of the logs from all hosts end up in one file, and the directory that file is in has nothing to do with the source address.

This is probably best fixed by some other cluster or networking change (perhaps changing how I send the logs from each host?), but I figured I'd at least raise the issue for awareness, maybe adding a note to the docs, and perhaps get input. I'll suggest an edit if I come up with a solution on MetalLB.

TCP logging with TLS?

Hi! Is standard logging over TLS supported, or any plans to enable it?
I'm trying the published beta but I see no TLS driver in the modules folder.

edit-config does not edit config

Expected behavior

docker run rsyslog/syslog_appliance_alpine show-config
displays edited config

Actual behavior

docker run rsyslog/syslog_appliance_alpine show-config
displays old config

Steps to reproduce the behavior

  1. Run docker run -ti rsyslog/syslog_appliance_alpine edit-config
  2. Edit config with VIM
  3. Save config with
    edit-config - edit container config (with vi editor, press <ESC>ZZ to quit)
    as stated in help, then :wq to save and exit from VIM

Environment

  • rsyslog version: rsyslog appliance version 2018-06-26 (1530020232)
  • platform: MacOS Mojave 10.14.5
  • for configuration questions/issues, include rsyslog.conf and included config files

appliance: create logsene-ready container

This shall create a container that is ready to ship logs to Logsene with limited configuration. This task is neither too simple nor too complex, so it probably is a good starter to understand what we need to do.

Note that this is meant as development / prototype kind of work. Once this works, we can create the real container. As such, we initially use an Ubuntu 16.04 dev container, as this provides for a quick compile and link cycle.

Steps to do:

  • create a basic configuration that ships logs to logsene (see https://github.com/megastef/rsyslog-logsene/blob/master/rsyslog.conf) --> see ./tests/test_logsene.sh in personal dev environment
  • create a basic capability to read config vars from file system (or environment) --> rsyslog/rsyslog#2416
  • create a basic devel container which utilizes these logs
  • provide complete listener config (udp, tcp, relp)
  • check that spool files correctly work

Does not run as non-root

We are not able to run this in our cluster that has security context configured to run as non-root.

$ kubectl logs rsyslog-1-fcvd9
cp: can't create '/config/container_config': Permission denied
cp: can't create '/config/droprules.conf': Permission denied
/home/appliance/starter.sh: source: line 3: can't open '/config/container_config'

syslog/syslog_appliance_alpine updated 3 years ago

I would like to use rsyslogd (ultimately with omkafka) inside a Docker container (in a Kubernetes sidecar container, actually). Docker Hub says rsyslog/syslog_appliance_alpine was "updated 3 years ago", the image identifies itself with "rsyslog appliance version 2018-06-26", and it runs rsyslogd 8.36.0 (which is also from 2018).

Are these relatively old dates a feature or a bug, and what is my best option for running rsyslogd inside a container these days?

I'm attempting to log RFC 5424 messages, but nothing is logged.

I'm attempting to log RFC 5424 messages, but nothing is logged.
Have tried enabling debug, but see nothing that indicates a message is even received. :-(

I have the correct port mapped (514 UDP) and verified a similar setup works with another container.

I'm using this code to send RFC 5424 formatted messages:

#!/usr/bin/python
# -*- coding: utf-8 -*-
# https://github.com/jobec/rfc5424-logging-handler
# Documentation: https://rfc5424-logging-handler.readthedocs.io/en/latest/

import sys
import logging
from rfc5424logging import Rfc5424SysLogHandler, Rfc5424SysLogAdapter

logger = logging.getLogger('rfc5424logging_test')
logger.setLevel(logging.DEBUG)

# Data specified in the handler will override default values and will become the new defaults. Can be overruled later, too.
sh = Rfc5424SysLogHandler(address=('10.0.2.2', 514),
                          #hostname="otherserver",
                          # appname="my_wonderfull_app",
                          # procid=555,
                          # structured_data={'sd_id_1': {'key1': 'value1'}},
                          enterprise_id=32473,   # required for structured data.
                          utc_timestamp=False)
logger.addHandler(sh)

adapter = Rfc5424SysLogAdapter(logger)

adapter.info('This message have structured date',
             structured_data={'sd_id2': {'key2': 'value2', 'key3': 'value3'}})

adapter.warning('This message have a special msgid',
             msgid='some_unique_msgid')

adapter.error('This message have a special msgid and structured data',
             structured_data={'sd_id2': {'key2': 'value2', 'key3': 'value3'}},
             msgid='some_unique_msgid')

# Since version 1.0 it's also possible to override the appname, hostname and procid per message
adapter.debug('Some other message',
             msgid='some_unique_msgid',
             appname="rfc5424logging_custom",
             hostname="my_hostname",
             procid="5678")
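To see what a sender like the one above actually puts on the wire, and to check that what arrives is something an RFC 5424 parser will accept, here is an added example (not part of the original issue, of the rfc5424-logging-handler library, or of rsyslog) that builds a message according to RFC 5424, parses it back, and produces the RFC 6587 octet-counted frame used for TCP transport. Hostnames, SD-IDs, parameter values and the fixed timestamp in it are constructed for illustration.

```python
"""Build and parse RFC 5424 syslog messages (added example)."""
import re
from datetime import datetime, timezone

NILVALUE = "-"

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID,
# then SP STRUCTURED-DATA [SP MSG]  (RFC 5424, section 6)
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)\Z",
    re.DOTALL,
)


def rfc5424_timestamp(dt=None):
    """RFC 3339 timestamp with millisecond precision and a 'Z' suffix (default: now, UTC)."""
    dt = dt or datetime.now(timezone.utc)
    return dt.astimezone(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def _escape_param_value(value):
    # RFC 5424 6.3.3: '"', '\' and ']' inside a PARAM-VALUE must be backslash-escaped.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def build_message(facility, severity, hostname, appname, msg=None, procid=NILVALUE,
                  msgid=NILVALUE, structured_data=None, timestamp=None):
    """Return an RFC 5424 message. structured_data maps SD-ID -> {PARAM-NAME: PARAM-VALUE}."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0..23 and severity 0..7")
    pri = facility * 8 + severity
    if structured_data:
        sd = "".join(
            "[" + sd_id + "".join(f' {k}="{_escape_param_value(v)}"' for k, v in params.items()) + "]"
            for sd_id, params in structured_data.items()
        )
    else:
        sd = NILVALUE
    header = f"<{pri}>1 {timestamp or rfc5424_timestamp()} {hostname} {appname} {procid} {msgid} {sd}"
    return header if msg is None else f"{header} {msg}"


def _parse_structured_data(text):
    """Consume STRUCTURED-DATA at the start of text; return (dict, remainder)."""
    if text.startswith(NILVALUE):
        return {}, text[1:]
    sd, i = {}, 0
    while i < len(text) and text[i] == "[":
        i += 1
        start = i
        while text[i] not in " ]":          # SD-ID ends at the first param or at ']'
            i += 1
        sd_id, params = text[start:i], {}
        while text[i] == " ":               # zero or more SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE
            i += 1
            start = i
            while text[i] != "=":
                i += 1
            name = text[start:i]
            i += 1
            if text[i] != '"':
                raise ValueError("PARAM-VALUE must be quoted")
            i += 1
            buf = []
            while text[i] != '"':
                if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in '"\\]':
                    i += 1                  # drop the escape, keep the escaped character
                buf.append(text[i])
                i += 1
            i += 1                          # closing quote
            params[name] = "".join(buf)
        if text[i] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        i += 1
        sd[sd_id] = params
    if not sd:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more [...] elements")
    return sd, text[i:]


def parse_message(raw):
    """Parse one RFC 5424 message into a dict; raise ValueError for anything else.

    Only VERSION 1 is accepted: a message whose header lacks the '1' after PRI is not
    RFC 5424, and a receiver will treat it as a legacy RFC 3164 line instead, leaving
    any structured data unparsed inside MSG.
    """
    m = _HEADER_RE.match(raw)
    if not m or m["version"] != "1":
        raise ValueError("not an RFC 5424 message (expected '<PRI>1 ' header)")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError("PRI out of range")
    try:
        sd, remainder = _parse_structured_data(m["rest"])
    except IndexError:
        raise ValueError("truncated STRUCTURED-DATA") from None
    if remainder == "":
        msg = None
    elif remainder.startswith(" "):
        msg = remainder[1:]
    else:
        raise ValueError("unexpected text after STRUCTURED-DATA")
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["timestamp"],
            "hostname": m["hostname"], "appname": m["appname"], "procid": m["procid"],
            "msgid": m["msgid"], "structured_data": sd, "msg": msg}


def frame_octet_counted(message):
    """RFC 6587 octet-counting framing for TCP: MSG-LEN SP SYSLOG-MSG, as bytes."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data
```

A captured datagram (for example from tcpdump -A on port 514 in the container's network namespace) can be passed straight to parse_message; if it raises, the sender is not emitting RFC 5424 and the receiver will have fallen back to legacy parsing.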

rsyslog stops around 12 am logging to our log storage machine.

Hi Team,
we are facing a weird issue using the rsyslog alpine image. rsyslog stops sending logs after 12 am and after two-three hours it continues.

[Screenshot 2021-09-14 at 12 22 31 AM]
I am attaching the rsyslog configuration which we are using.
$ModLoad imuxsock
$ModLoad imklog

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022

#$IncludeConfig /config/rsys-config/*.conf
#Writing custom config here

module(load="imfile" mode="polling")

template (name="fk-fwd" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% Ma.%$!app_id%,Mgrp.%$!instance_grp%,Mi.%$/instance_id%,Mz.%$!zone%,Mtyp.%$/type%,srv.%$/sr_version%,MphyApp.%$/phy_app_id%,MphyIGrp.%$/phy_inst_grp%,%$!tag%%$!msg:::sp-if-no-1st-sp%%$!msg%")

ruleset(name="strm.relay.mod") {
    if ( $!msg == "" ) then {
        set $!msg = $msg;
    }
    if ( $!tag == "" ) then {
        set $!tag = $syslogtag;
    }

    if ( $!app_id == "" ) then {
        set $!app_id = $/phy_app_id;
    }

    if ( $!cluster != "" ) then {
        set $!instance_grp = $!cluster;
    } else if ( getenv("LOGSVC_CLUSTER") != "" ) then {
        set $!instance_grp = getenv("LOGSVC_CLUSTER");
    } else {
        set $!instance_grp = $/phy_inst_grp;
    }

    if ( $!instance_grp == "" ) then {
        set $!instance_grp = "#NULL#";
    }

    set $!zone = $/zone;
    if ( $!zone == "" ) then {
        set $!zone = "NULL";
    }
}

ruleset(name="relay.logstorage" queue.type="Direct") {
    call strm.relay.mod
    action(type="omfwd" Target="10.33.183.44" Port="10514" Protocol="tcp" ResendLastMSGOnReconnect="on" ZipLevel="9")
    action(type="omfwd" Target="10.33.67.116" Port="10514" Protocol="tcp" ResendLastMSGOnReconnect="on" ZipLevel="9" action.execOnlyWhenPreviousIsSuspended="on")
}

ruleset(name="logstorage_access" queue.type="Direct") {
    if ( not ($msg contains "/unicorn/elb-healthcheck") and not ($msg contains "/unicorn/2.0/payments/options") and not ($msg contains "/unicorn/1.0/payments/instrumentcheck") ) then {
        call relay.logstorage
    }
}

input(type="imfile" File="/var/log/flipkart/fkpg-unicorn/default.log"
      Tag="default.log,prod-unicorn-app,fpg"
      Severity="error"
      ruleset="logstorage_access"
      readmode="2")
input(type="imfile" File="/var/log/flipkart/fkpg-unicorn/error.log"
      Tag="error.log,prod-unicorn-app,fpg"
      Severity="error"
      ruleset="logstorage_access"
      readmode="2")

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
lpr.*                           -/var/log/lpr.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

mail.info                       -/var/log/mail.info
mail.warn                       -/var/log/mail.warn
mail.err                        /var/log/mail.err

news.crit                       /var/log/news/news.crit
news.err                        /var/log/news/news.err
news.notice                     -/var/log/news/news.notice

*.=debug;\
    auth,authpriv.none;\
    news.none;mail.none         -/var/log/debug
*.=info;*.=notice;\
    *.=warn;\
    auth,authpriv.none;\
    cron,daemon.none;\
    mail,news.none              -/var/log/messages

*.emerg                         *

daemon.*;mail.*;\
    news.err;\
    *.=debug;*.=info;\
    *.=notice;*.=warn           |/dev/xconsole

rsyslog/syslog_appliance_alpine - volume grows without stop - how to solve

Hi, I'm new here. I'm just using that image to catch all logs from my connected devices.

Everything works as expected, except that the volume used by this container, /var/lib/docker/volumes/xxx_xxx_xxx_xxx_xxx_xxx_xxx_xxx_xxx_xxx/, is continuously growing until my disk is full and blocks my server.

The only solution I found for now is to stop the container, delete this volume and restart the container.

Any best / more elegant practice?

Thanks to everyone who will answer me

Rsyslog fills up /var/log/maillog with GBs in seconds in a CentOS 7 container

I'm trying to set up an IMAP mail server in a Docker container running CentOS 7 and I'm encountering the problem as described in the title.

To reproduce use this Dockerfile:

FROM rsyslog/rsyslog_base_centos7
RUN yum -y install postfix maildrop dovecot
EXPOSE 25 110 143
COPY run.sh /run.sh
RUN chmod 755 /*.sh
RUN echo "maildrop:x:59:postfix" >> /etc/group
CMD /run.sh

and run.sh:

#!/bin/bash
rsyslogd
cd /etc/postfix
newaliases
for file in canonical \
		  	helo_access \
		  	relay_ccerts \
		  	relay \
		  	relocated \
		  	sender_canonical \
		  	transport \
		  	virtual
do
	postmap $file
done
postfix start
exec dovecot -F

And run with:

docker build -t mail .
docker run -d --name mail mail && sleep 5 && docker exec mail ls -hl /var/log/maillog

-rw------- 1 root root 2.5G Sep 25 07:54 /var/log/maillog

docker exec mail cat /var/log/messages

Sep 25 07:55:34 aa8628bbfcc6 rsyslogd: environment variable TZ is not set, auto correcting this to TZ=/etc/localtime  [v8.33.0 try http://www.rsyslog.com/e/2442 ]
Sep 25 07:55:34 aa8628bbfcc6 rsyslogd: command 'SystemLogSocketName' is currently not permitted - did you already set it via a RainerScript command (v6+ config)? [v8.33.0 try http://www.rsyslog.com/e/2222 ]
Sep 25 07:55:34 aa8628bbfcc6 rsyslogd:  [origin software="rsyslogd" swVersion="8.33.0" x-pid="8" x-info="http://www.rsyslog.com"] start

/var/log/maillog just keeps filling up very quickly, and the container is unusable. The problem didn't occur when I was using a CentOS 6 container.

I assume something's misconfigured somewhere. Can anyone help?

alpine: understand packaging

We need to be able to package rsyslog for alpine, as the current set of packages does not provide all we need. Alternatively, we could start with a fatter distro like Ubuntu.

create an Ubuntu-based appliance container

This is not for production use (at least I would not recommend it), but to ease development.

We need an Ubuntu image that can be used to simplify testing of rsyslog container features. The full cycle of edit-compile-build_tarball-build_APK-build_appliance is too time consuming to be productive. So I need something where I can map in the binary right after compile.

rsyslog/rsyslog_doc_gen image: new version of Sphinx released

Just a FYI. From the changelog:

Release 1.6.7 (released Feb 04, 2018)

Bugs fixed

#1922: html search: Upper characters problem in French
#4412: Updated jQuery version from 3.1.0 to 3.2.1
#4438: math: math with labels with whitespace cause html error
#2437: make full reference for classes, aliased with “alias of”
#4434: pure numbers as link targets produce warning
#4477: Build fails after building specific files
#4449: apidoc: include “empty” packages that contain modules
#3917: citation labels are transformed to ellipsis
#4501: graphviz: epub3 validation error caused if graph is not clickable
#4514: graphviz: workaround for wrong map ID which graphviz generates
#4525: autosectionlabel does not support parallel build
#3953: Do not raise warning when there is a working intersphinx inventory
#4487: math: ValueError is raised on parallel build. Thanks to jschueller.
#2372: autosummary: invalid signatures are shown for type annotated functions
#3942: html: table is not aligned to center even if :align: center

Do you prefer that tickets re Sphinx updates be posted here or in the rsyslog/rsyslog-doc project?
