Mailing List Archive

Rsyslog bad external log encoding ??????
Hi
My version of rsyslogd on log server:
rsyslogd 8.2106.0 (aka 2021.06) compiled with:
PLATFORM: x86_64-suse-linux-gnu
PLATFORM (lsb_release -d):
FEATURE_REGEXP: Yes
GSSAPI Kerberos 5 support: Yes
FEATURE_DEBUG (debug build, slow code): No
32bit Atomic operations supported: Yes
64bit Atomic operations supported: Yes
memory allocator: system default
Runtime Instrumentation (slow code): No
uuid support: Yes
systemd support: Yes
Config file: /etc/rsyslog.conf
PID file: /var/run/rsyslogd.pid
Number of Bits in RainerScript integers: 64

########### Encrypting Syslog Traffic with TLS ##########
# -- TLS Syslog Server:.
## make gtls driver the default
$DefaultNetstreamDriver gtls
#
## certificate files
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_server.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server.pem

$ModLoad imtcp # load TCP listener
#
$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
#$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.domain.com
$InputTCPServerRun 514 # start up listener at port 514
#
#$EscapeControlCharactersOnReceive off
#$Escape8BitCharactersOnReceive off

$template RemoteServer, "/var/log/%HOSTNAME%/%SYSLOGFACILITY-TEXT%.log"
*.* ?RemoteServer

Client conf:
# certificate files - just CA for a client
$DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_client.pem

# set up the action
$DefaultNetstreamDriver gtls # use gtls netstream driver
$ActionSendStreamDriverMode 1 # require TLS for the connection
$ActionSendStreamDriverAuthMode x509/name

#$ActionSendStreamDriverAuthMode anon # server is NOT authenticated

# Only send log to SERVER.EXAMPLE.COM host
$ActionSendStreamDriverPermittedPeer server.domain.com
*.* @@(o) server.domain.com:514 # send (all) messages

What I have in the log on the server:
2022-05-25T14:44:32.782021+02:00 client.domain.com #010#005#005#003#010#010#006#001#010#013#010#006#006#003#002#001#002#003#000#026#000#000#000#027#000#000#000##000#000.#001#000#001#000#000#000#000#034#000#032#000#000#027server.domain.coml#000#034#000#002@
2022-05-25T14:44:32.887714+02:00 client.domain.com #026#003#001#000.#001#000#000.#003#003·...?#030J#026#004..#037)#021n.#030..#021..rw..F..#000#0002.,?...
2022-05-25T14:44:32.887714+02:00 client.domain.com .+...#011.0?.#024./.#023#000...#0005#000...#000/#000...#0009#000...#0003#001#000#000.#000#005#000#005#001#000#000#000#000
2022-05-25T14:44:32.887714+02:00 client.domain.com #000#026#000#024#000#027#000#030#000#031#000#035#000#036#001#000#001#001#001#002#001#003#001#004#000#013#000#002#001#000#000#015#000"#000 #004#001#010#011#010#004#004#003#010#007#005#001#010

Before 15 May it was working fine.
I don’t have any idea what is wrong.

_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Rsyslog bad external log encoding ??????
Please write the logs with the template RSYSLOG_DebugFormat so we can see
exactly what is arriving on the system.

Also, can you log on the client as well so we can see what it thinks it is
sending?

David Lang

On Wed, 25 May 2022, Grzegorz Zalewski via rsyslog wrote:

> Date: Wed, 25 May 2022 13:02:47 +0000
> From: Grzegorz Zalewski via rsyslog <rsyslog@lists.adiscon.com>
> To: "rsyslog@lists.adiscon.com" <rsyslog@lists.adiscon.com>
> Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> Subject: [rsyslog] Rsyslog bad external log encoding ??????
Re: Rsyslog bad external log encoding ??????
This looks like the server is not using TLS. Any rsyslog error
messages in the server log?

Rainer
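
The symptom described above can be checked mechanically: the escaped bytes in the server log begin with a TLS handshake record, meaning the listener stored the client's ClientHello as plain text. The following is an added example, not part of the original thread or of rsyslog. It assumes rsyslog's default escaping of control characters as `#` plus three octal digits; the function names and the sshd sample line are constructed, and the other two sample messages are truncated copies of lines from the log excerpt in the thread.

```python
import re

# rsyslog (default settings) writes each received control byte as '#' followed
# by three octal digits, e.g. 0x16 -> "#026". A literal "#026" typed into a
# real message would decode the same way, so treat the result as a heuristic.
_ESCAPE = re.compile(rb"#([0-3][0-7]{2})")

TLS_VERSIONS = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
HANDSHAKE_TYPES = {0x01: "ClientHello", 0x02: "ServerHello"}


def unescape(msg):
    """Turn rsyslog's #NNN octal escapes back into raw bytes."""
    raw = msg.encode("latin-1", errors="replace")
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 8)]), raw)


def tls_handshake_info(payload):
    """Return details if payload starts with a TLS handshake record, else None.

    Record layout: type(1)=0x16, version(2), length(2), then the handshake
    header: msg_type(1), length(3), and for a hello message version(2).
    """
    if len(payload) < 6 or payload[0] != 0x16:
        return None
    record_version = int.from_bytes(payload[1:3], "big")
    if record_version not in TLS_VERSIONS:
        return None
    handshake = HANDSHAKE_TYPES.get(payload[5])
    if handshake is None:
        return None
    hello_version = None
    if len(payload) >= 11:
        hello_version = TLS_VERSIONS.get(int.from_bytes(payload[9:11], "big"))
    return {
        "record_version": TLS_VERSIONS[record_version],
        "handshake": handshake,
        "hello_version": hello_version,
    }


def control_ratio(payload):
    """Fraction of bytes below 0x20; near zero for ordinary syslog text."""
    if not payload:
        return 0.0
    return sum(b < 0x20 for b in payload) / len(payload)


def classify(msg, binary_threshold=0.3):
    """Label one message body as tls-handshake, binary-fragment or text."""
    payload = unescape(msg)
    info = tls_handshake_info(payload)
    if info is not None:
        return "tls-handshake", info
    # The listener splits the stream at LF bytes, so the rest of a handshake
    # shows up as separate "messages" that are mostly control bytes.
    if control_ratio(payload) >= binary_threshold:
        return "binary-fragment", None
    return "text", None


def scan(lines):
    """Return (host, verdict, info) for every line that is not plain text.

    Expects the 'timestamp host message' layout used in the thread.
    """
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split(" ", 2)
        if len(parts) < 3:
            continue
        _timestamp, host, msg = parts
        verdict, info = classify(msg)
        if verdict != "text":
            findings.append((host, verdict, info))
    return findings


SAMPLE_LINES = [
    # truncated copy of a line from the thread's server log
    "2022-05-25T14:44:32.887714+02:00 client.domain.com "
    "#026#003#001#000.#001#000#000.#003#003",
    # truncated copy of a later fragment from the same log
    "2022-05-25T14:44:32.887714+02:00 client.domain.com "
    "#000#026#000#024#000#027#000#030#000#031#000#035#000#036",
    # constructed ordinary message for contrast
    "2022-05-25T14:45:01.000000+02:00 client.domain.com "
    "sshd[1234]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for host, verdict, info in scan(SAMPLE_LINES):
        print(host, verdict, info or "")
```

A `tls-handshake` hit in a stored log file means the sender is speaking TLS to a listener that is parsing the stream as plain syslog, so the mismatch is between the two ends' stream driver modes rather than in character encoding.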

Re: Rsyslog bad external log encoding ??????
Hi

When I turn off TLS it works fine :/

I don't see any errors in the server logs

-----Original Message-----
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
Sent: Wednesday, May 25, 2022 6:39 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????

Re: Rsyslog bad external log encoding ??????
Can you do a debug log on the server side, make sure TLS is enabled
and run rsyslog through the startup phase? I would assume that we see
useful information.

quick doc: https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html

Rainer

On Thu, 26 May 2022 at 8:18, Grzegorz Zalewski via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Hi
>
> When I turn off TLS it works fine :/
>
> I don't see any errors in the server logs
Re: Rsyslog bad external log encoding ??????
Debug log:

5028.756561447:main thread : rsyslogd.c:
5028.756591154:main thread : rsyslogd.c:
5028.756599828:main thread : rsyslogd.c: ********************************************************************************
5028.756602615:main thread : rsyslogd.c: Switching debugging_on to true at 08:03:48
5028.756604775:main thread : rsyslogd.c: ********************************************************************************
5028.756609995:main thread : janitor.c: janitorRun() called
5033.189177560:main thread : rsyslogd.c: DoDie called.
5033.189238695:main thread : rsyslogd.c: awaking mainthread
5033.189262942:main thread : janitor.c: janitorRun() called
5033.189269019:main thread : errmsg.c: Called LogMsg, msg: rsyslogd shutting down
5033.189271584:main thread : operatingstate.c: osf: MSG rsyslogd shutting down: signaling new internal message via SIGTTOU: 'rsyslogd shutting down [v8.2106.0 try https://www.rsyslog.com/e/0 ]'
5033.189289381:main thread : rsyslogd.c: exiting on signal 2
5033.189291603:main thread : rsyslogd.c: Terminating input threads...
5033.189295410:main thread : ../threads.c: request term via SIGTTIN for input thread 'immark' 0x7ffab236f700
5033.189298582:main thread : ../threads.c: thread immark: initiating termination, timeout 1000 ms
5033.189348883:immark.c : ../threads.c: thrdStarter: usrThrdMain immark - 0x7ffab236f700 returned with iRet 0, exiting now.
5033.189379910:main thread : ../threads.c: non-cancel input thread termination succeeded for thread immark 0x7ffab236f700
5033.189585841:main thread : ../threads.c: request term via SIGTTIN for input thread 'imuxsock' 0x7ffab1f6e700
5033.189589416:main thread : ../threads.c: thread imuxsock: initiating termination, timeout 1000 ms
5033.189613241:imuxsock.c : ../threads.c: thrdStarter: usrThrdMain imuxsock - 0x7ffab1f6e700 returned with iRet 0, exiting now.
5033.189653202:main thread : ../threads.c: non-cancel input thread termination succeeded for thread imuxsock 0x7ffab1f6e700
5033.189665632:main thread : imuxsock.c: imuxsock: unlinking unix socket file[0] /dev/log
5033.189678050:main thread : ../threads.c: request term via canceling for input thread imklog
5033.189730551:main thread : ../threads.c: request term via SIGTTIN for input thread 'imtcp' 0x7ffab176c700
5033.189734384:main thread : ../threads.c: thread imtcp: initiating termination, timeout 1000 ms
5033.189757496:imtcp.c : nsdsel_ptcp.c: nsdsel_ptcp received EINTR
5033.189774472:imtcp.c : tcpsrv.c: tcpsrv terminating, waiting for 0 workers
5033.189778040:imtcp.c : ../threads.c: thrdStarter: usrThrdMain imtcp - 0x7ffab176c700 returned with iRet 0, exiting now.
5033.189787733:main thread : ../threads.c: non-cancel input thread termination succeeded for thread imtcp 0x7ffab176c700
5033.189862021:main thread : modules.c: file netstrms.c released module 'lmnsd_gtls', reference count now 1
5033.189873247:main thread : iminternal.c: signaling new internal message via SIGTTOU: '[origin software="rsyslogd" swVersion="8.2106.0" x-pid="19998" x-info="https://www.rsyslog.com"] exiting on signal 2.'
5033.190033534:main thread : rsyslogd.c: Terminating main queue...
5033.190038517:main thread : main Q: queue.c: shutdown: begin to destruct queue
5033.190041457:main thread : main Q: queue.c: initiating worker thread shutdown sequence 0x55dc13dff4d0
5033.190043715:main thread : main Q: queue.c: trying shutdown of regular workers
5033.190050545:main thread : wti.c: sent SIGTTIN to worker thread 0x7ffaa3fff700
5033.190054214:main thread : wtp.c: main Q:Reg: waiting 1499ms on worker thread termination, 1 still running
5033.190070048:main Q:Reg/w0 : wti 0x55dc13e0df60: wti.c: worker awoke from idle processing
5033.190074442:main Q:Reg/w0 : queue.c: DeleteProcessedBatch: we deleted 0 objects and enqueued 0 objects
5033.190076537:main Q:Reg/w0 : queue.c: rger: deleteBatchFromQStore, nElem 0
5033.190079265:main Q:Reg/w0 : queue.c: doDeleteBatch: delete batch from store, new sizes: log 0, phys 0
5033.190082092:main Q:Reg/w0 : main Q: queue.c: dequeued 0 consumable elements, szlog 0 sz phys 0
5033.190103817:main Q:Reg/w0 : queue.c: regular consumer finished, iret=4, szlog 0 sz phys 0
5033.190106754:main Q:Reg/w0 : wti 0x55dc13e0df60: wti.c: terminating worker terminateRet=5, bInactivityTOOccured=0
5033.190109572:main Q:Reg/w0 : wti.c: DDDD: wti 0x55dc13e0df60: worker cleanup action instances
5033.190111828:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 0, ptr 0x7ffa98000f30
5033.190115766:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 1, ptr 0x7ffa98001190
5033.190143536:main Q:Reg/w0 : modules.c: file netstrms.c released module 'lmnsd_gtls', reference count now 0
5033.190147864:main Q:Reg/w0 : modules.c: module 'lmnsd_gtls' has zero reference count, unloading...
5033.190150937:main Q:Reg/w0 : modules.c: Unloading module lmnsd_gtls
5033.190165121:main Q:Reg/w0 : modules.c: file nsdsel_gtls.c released module 'lmnsd_ptcp', reference count now 1
5033.190206154:main Q:Reg/w0 : modules.c: file nsd_gtls.c released module 'lmnsd_ptcp', reference count now 0
5033.190208707:main Q:Reg/w0 : modules.c: module 'lmnsd_ptcp' has zero reference count, unloading...
5033.190210845:main Q:Reg/w0 : modules.c: Unloading module lmnsd_ptcp
5033.190215279:main Q:Reg/w0 : modules.c: file nsd_ptcp.c released module 'lmnetstrms', reference count now 5
5033.190245353:main Q:Reg/w0 : modules.c: file nsd_gtls.c released module 'lmnet', reference count now 5
5033.190251310:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 2, ptr (nil)
5033.190253540:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 3, ptr (nil)
5033.190255659:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 4, ptr (nil)
5033.190257753:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 5, ptr (nil)
5033.190259842:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 6, ptr (nil)
5033.190262021:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 7, ptr (nil)
5033.190264115:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 8, ptr (nil)
5033.190266224:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 9, ptr (nil)
5033.190268445:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 10, ptr (nil)
5033.190270854:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 11, ptr (nil)
5033.190272890:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 12, ptr (nil)
5033.190274894:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 13, ptr (nil)
5033.190276953:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 14, ptr 0x7ffa98005980
5033.190280073:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 15, ptr (nil)
5033.190282197:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 16, ptr (nil)
5033.190284591:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 17, ptr (nil)
5033.190286640:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 18, ptr (nil)
5033.190289919:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60: exiting
5033.190292908:main Q:Reg/w0 : wtp.c: main Q:Reg: Worker thread 55dc13e0df60, terminated, num workers now 0
5033.190364038:main thread : wti.c: sent SIGTTIN to worker thread 0x7ffaa3fff700
5033.190368540:main thread : main Q: queue.c: regular queue workers shut down.
5033.190371158:main thread : main Q: queue.c: checking to see if we need to cancel any worker threads of the primary queue
5033.190374081:main thread : wti.c: main Q:Reg/w0: joining terminated worker
5033.190376375:main thread : wti.c: main Q:Reg/w0: worker fully terminated
5033.190378718:main thread : main Q: queue.c: worker threads terminated, remaining queue size log 0, phys 0.
5033.190385043:main thread : main Q: queue.c: queue (type 0) will lose 0 messages, destroying...
5033.190400418:main thread : rsyslogd.c: Terminating outputs...
5033.190404021:main thread : ruleset.c: rulesetDestructAllActions
5033.190406235:main thread : ruleset.c: destructAllActions: queue shutdown
5033.190408990:main thread : ruleset.c: shutting down queue workers for ruleset 0x55dc13db9520, name RSYSLOG_DefaultRuleset, queue (nil)
5033.190411048:main thread : ruleset.c: destructAllActions: action and conf stmt shutdown
5033.190422196:main thread : ruleset.c: shutting down actions and conf stmts for ruleset 0x55dc13db9520, name RSYSLOG_DefaultRuleset
5033.190426463:main thread : action-0-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190431381:main thread : omfile.c: Removing entry 0 for file '/var/log/server/syslog.log' from dynaCache.
5033.190439324:main thread : strm 0x7ffa980059d0: stream.c: file 13(/var/log/server/syslog.log) closing, bDeleteOnClose 0
5033.190442130:main thread : strm 0x7ffa980059d0: stream.c: strmFlushinternal: file 13(/var/log/server/syslog.log) flush, buflen 0 (no need to flush)
5033.190444280:main thread : strm 0x7ffa980059d0: stream.c: file 13(/var/log/server/syslog.log) closing
5033.190451652:main thread : omfile.c: Removing entry 1 for file '/var/log/client.domain.com/user.log' from dynaCache.
5033.190454065:main thread : strm 0x7ffa9800a950: stream.c: file 16(/var/log/client.domain.com/user.log) closing, bDeleteOnClose 0
5033.190456336:main thread : strm 0x7ffa9800a950: stream.c: strmFlushinternal: file 16(/var/log/client.domain.com/user.log) flush, buflen 0 (no need to flush)
5033.190458429:main thread : strm 0x7ffa9800a950: stream.c: file 16(/var/log/client.domain.com/user.log) closing
5033.190463135:main thread : omfile.c: Removing entry 2 for file '/var/log/server/auth.log' from dynaCache.
5033.190465460:main thread : strm 0x7ffa9800cde0: stream.c: file 17(/var/log/server/auth.log) closing, bDeleteOnClose 0
5033.190467628:main thread : strm 0x7ffa9800cde0: stream.c: strmFlushinternal: file 17(/var/log/server/auth.log) flush, buflen 0 (no need to flush)
5033.190470101:main thread : strm 0x7ffa9800cde0: stream.c: file 17(/var/log/server/auth.log) closing
5033.190475382:main thread : omfile.c: Removing entry 3 for file '/var/log/server/authpriv.log' from dynaCache.
5033.190477683:main thread : strm 0x7ffa9800f130: stream.c: file 18(/var/log/server/authpriv.log) closing, bDeleteOnClose 0
5033.190479851:main thread : strm 0x7ffa9800f130: stream.c: strmFlushinternal: file 18(/var/log/server/authpriv.log) flush, buflen 0 (no need to flush)
5033.190481986:main thread : strm 0x7ffa9800f130: stream.c: file 18(/var/log/server/authpriv.log) closing
5033.190488121:main thread : action-1-builtin:omfwd queue: queue.c: shutdown: begin to destruct queue
5033.190493412:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb540, type 'OR'
5033.190495967:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb3a0, type 'AND'
5033.190498210:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dc5ea0, type 'F'
5033.190502327:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb380, type 'NOT'
5033.190504529:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb360, type 'AND'
5033.190506649:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb290, type 'CMP_CONTAINS'
5033.190508856:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd0940, type 'V'
5033.190511123:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb270, type 'S'
5033.190513881:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb340, type 'CMP_CONTAINS'
5033.190515927:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb2d0, type 'V'
5033.190518042:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb320, type 'S'
5033.190520192:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dc5f10, type 'F'
5033.190522701:main thread : action-2-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190526715:main thread : action-3-builtin:ompipe queue: queue.c: shutdown: begin to destruct queue
5033.190530576:main thread : action-4-builtin:omusrmsg queue: queue.c: shutdown: begin to destruct queue
5033.190534325:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5af0, type 'OR'
5033.190536429:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd1d50, type 'CMP_EQ'
5033.190541657:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dda810, type 'V'
5033.190543823:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd1d30, type 'S'
5033.190546016:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5ad0, type 'CMP_STARTSWITH'
5033.190548232:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd2830, type 'V'
5033.190550335:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5ab0, type 'S'
5033.190552537:main thread : action-5-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190555932:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd4ae0, type 'AND'
5033.190558030:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd4a30, type 'OR'
5033.190560214:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5e20, type 'CMP_EQ'
5033.190562327:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5950, type 'V'
5033.190564412:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5de0, type 'S'
5033.190566470:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd4a10, type 'CMP_EQ'
5033.190568509:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5980, type 'V'
5033.190570599:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd49f0, type 'S'
5033.190572679:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dc5fb0, type 'F'
5033.190575390:main thread : action-6-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190578760:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd58b0, type 'AND'
5033.190580822:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dc6050, type 'F'
5033.190583017:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5890, type 'AND'
5033.190585065:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd57c0, type 'CMP_CONTAINS'
5033.190587099:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd4910, type 'V'
5033.190589145:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd57a0, type 'S'
5033.190591231:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5870, type 'CMP_CONTAINS'
5033.190593259:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5800, type 'V'
5033.190595284:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5850, type 'S'
5033.190618132:main thread : action-7-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190622497:main thread : action-8-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190626890:main thread : action-9-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190640887:main thread : action-10-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190654111:main thread : action-11-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190657873:main thread : action-12-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190661614:main thread : action-13-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190664900:main thread : action-14-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190668788:main thread : strm 0x7ffa98007dd0: stream.c: file 14(/var/log/messages) closing, bDeleteOnClose 0
5033.190671084:main thread : strm 0x7ffa98007dd0: stream.c: strmFlushinternal: file 14(/var/log/messages) flush, buflen 0 (no need to flush)
5033.190673278:main thread : strm 0x7ffa98007dd0: stream.c: file 14(/var/log/messages) closing
5033.190678652:main thread : action-15-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190682221:main thread : action-16-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190686134:main thread : action-17-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190689802:main thread : action-18-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
5033.190697344:main thread : ruleset.c: destructing ruleset 0x55dc13db9520, name 0x55dc13db9560
5033.190700295:main thread : rsyslogd.c: all primary multi-thread sources have been terminated - now doing aux cleanup...
5033.190702315:main thread : rsyslogd.c: destructing current config...
5033.190704909:main thread : rsconf.c: calling freeCnf(0x55dc13db75a0) for module 'builtin:omfile'
5033.190707318:main thread : rsconf.c: calling freeCnf(0x55dc13db7770) for module 'builtin:ompipe'
5033.190709986:main thread : rsconf.c: calling freeCnf(0x55dc13db8770) for module 'builtin:omfwd'
5033.190713355:main thread : rsconf.c: calling freeCnf(0x55dc13dc7750) for module 'immark.so'
5033.190716019:main thread : rsconf.c: calling freeCnf(0x55dc13dc9610) for module 'imuxsock.so'
5033.190718553:main thread : rsconf.c: calling freeCnf(0x55dc13dca860) for module 'imklog.so'
5033.190721080:main thread : rsconf.c: calling freeCnf(0x55dc13dce700) for module 'imtcp'
5033.190770096:main thread : parser.c: destructing parser 'rsyslog.rfc5424'
5033.190772594:main thread : parser.c: destructing parser 'rsyslog.rfc3164'
5033.190775196:main thread : pmrfc3164.c: pmrfc3164: free parser instance 0x55dc13db8c50
5033.190782063:main thread : modules.c: file rsyslogd.c released module 'lmnet', reference count now 4
5033.190784438:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
5033.190786550:main thread : modules.c: Unloading module builtin:omfile
5033.190789213:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
5033.190791251:main thread : modules.c: Unloading module builtin:ompipe
5033.190793495:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
5033.190795495:main thread : modules.c: Unloading module builtin-shell
5033.190797779:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
5033.190799779:main thread : modules.c: Unloading module builtin:omdiscard
5033.190801963:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
5033.190803931:main thread : modules.c: Unloading module builtin:omfwd
5033.190806440:main thread : modules.c: file omfwd.c released module 'lmnet', reference count now 3
5033.190808989:main thread : modules.c: file omfwd.c released module 'lmnetstrms', reference count now 4
5033.190811446:main thread : modules.c: file omfwd.c released module 'lmnetstrms', reference count now 3
5033.190813714:main thread : modules.c: file omfwd.c released module 'lmtcpclt', reference count now 0
5033.190815745:main thread : modules.c: module 'lmtcpclt' has zero reference count, unloading...
5033.190817745:main thread : modules.c: Unloading module lmtcpclt
5033.190839888:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
5033.190843191:main thread : modules.c: Unloading module builtin:omusrmsg
5033.190845438:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
5033.190847453:main thread : modules.c: Unloading module builtin:pmrfc5424
5033.190850027:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
5033.190852192:main thread : modules.c: Unloading module builtin:pmrfc3164
5033.190854646:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
5033.190856622:main thread : modules.c: Unloading module builtin:smfile
5033.190859169:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
5033.190861201:main thread : modules.c: Unloading module builtin:smtradfile
5033.190863571:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
5033.190865540:main thread : modules.c: Unloading module builtin:smfwd
5033.190867983:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
5033.190870023:main thread : modules.c: Unloading module builtin:smtradfwd
5033.190876126:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
5033.190878217:main thread : modules.c: Unloading module immark.so
5033.190900578:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
5033.190903458:main thread : modules.c: Unloading module imuxsock.so
5033.190929023:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
5033.190931871:main thread : modules.c: Unloading module imklog.so
5033.190944049:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
5033.190946751:main thread : modules.c: module lmnetstrms NOT unloaded because it still has a refcount of 3
5033.190948843:main thread : modules.c: module lmtcpsrv NOT unloaded because it still has a refcount of 2
5033.190950930:main thread : modules.c: Unloading module imtcp
5033.190954270:main thread : modules.c: file imtcp.c released module 'lmnet', reference count now 2
5033.190956666:main thread : modules.c: file imtcp.c released module 'lmnetstrms', reference count now 2
5033.190959070:main thread : modules.c: file imtcp.c released module 'lmtcpsrv', reference count now 1
5033.190961401:main thread : modules.c: file imtcp.c released module 'lmtcpsrv', reference count now 0
5033.190963424:main thread : modules.c: module 'lmtcpsrv' has zero reference count, unloading...
5033.190965470:main thread : modules.c: Unloading module lmtcpsrv
5033.191000080:main thread : tcpsrv.c: tcpsrv: info: worker 0 was called 0 times
5033.191022031:main thread : tcpsrv.c: tcpsrv: info: worker 1 was called 0 times
5033.191042824:main thread : tcpsrv.c: tcpsrv: info: worker 2 was called 0 times
5033.191077377:main thread : tcpsrv.c: tcpsrv: info: worker 3 was called 0 times
5033.191082074:main thread : modules.c: file tcpsrv.c released module 'lmnetstrms', reference count now 1
5033.191084651:main thread : modules.c: file tcpsrv.c released module 'lmnet', reference count now 1
5033.191087761:main thread : modules.c: file tcps_sess.c released module 'lmnetstrms', reference count now 0
5033.191089779:main thread : modules.c: module 'lmnetstrms' has zero reference count, unloading...
5033.191091922:main thread : modules.c: Unloading module lmnetstrms
5033.191128059:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 1
5033.191131700:main thread : modules.c: file conf.c released module 'lmnet', reference count now 0
5033.191133723:main thread : modules.c: module 'lmnet' has zero reference count, unloading...
5033.191135781:main thread : modules.c: Unloading module lmnet
5033.191152212:main thread : strgen.c: destructing strgen 'RSYSLOG_FileFormat'
5033.191155173:main thread : strgen.c: destructing strgen 'RSYSLOG_TraditionalFileFormat'
5033.191157204:main thread : strgen.c: destructing strgen 'RSYSLOG_ForwardFormat'
5033.191159298:main thread : strgen.c: destructing strgen 'RSYSLOG_TraditionalForwardFormat'
5033.191164325:main thread : rsyslog.c: rsyslog runtime de-initialized, current users 0
5033.191166536:main thread : rsyslogd.c: Clean shutdown completed, bye

-----Original Message-----
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
Sent: Thursday, May 26, 2022 12:54 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????

can you do a debug log on the server side, make sure TLS is enabled and run rsyslog through the startup phase? I would assume that we see useful information.

quick doc: https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html

Rainer

On Thu, 26 May 2022 at 8:18, Grzegorz Zalewski via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Hi
>
> When I turn off TLS it works fine :/
>
> I don't see any errors in the server logs
>
> -----Original Message-----
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Sent: Wednesday, May 25, 2022 6:39 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
>
> This looks like the server is not using TLS. Any rsyslog error messages in the server log?
>
> Rainer
>
> On Wed, 25 May 2022 at 15:02, Grzegorz Zalewski via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
> >
> > Hi
> > My version of rsyslogd on log server:
> > rsyslogd 8.2106.0 (aka 2021.06) compiled with:
> > PLATFORM: x86_64-suse-linux-gnu
> > PLATFORM (lsb_release -d):
> > FEATURE_REGEXP: Yes
> > GSSAPI Kerberos 5 support: Yes
> > FEATURE_DEBUG (debug build, slow code): No
> > 32bit Atomic operations supported: Yes
> > 64bit Atomic operations supported: Yes
> > memory allocator: system default
> > Runtime Instrumentation (slow code): No
> > uuid support: Yes
> > systemd support: Yes
> > Config file: /etc/rsyslog.conf
> > PID file: /var/run/rsyslogd.pid
> > Number of Bits in RainerScript integers: 64
> >
> > # ######### Receiving Messages from Remote Hosts ##########.
> > ########### Encrypting Syslog Traffic with TLS ##########
> > # -- TLS Syslog Server:.
> > ## make gtls driver the default
> > $DefaultNetstreamDriver gtls
> > #
> > ## certificate files
> > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_server.pem
> > $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server.pem
> > $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server.pem
> >
> > $ModLoad imtcp # load TCP listener
> > #
> > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
> > #$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
> > $InputTCPServerStreamDriverAuthMode x509/name
> > $InputTCPServerStreamDriverPermittedPeer *.domain.com
> > $InputTCPServerRun 514 # start up listener at port 10514
> > #
> > #$EscapeControlCharactersOnReceive off
> > #$Escape8BitCharactersOnReceive off
> >
> > $template RemoteServer, "/var/log/%HOSTNAME%/%SYSLOGFACILITY-TEXT%.log"
> > *.* ?RemoteServer
> >
> > Client conf:
> > # certificate files - just CA for a client
> > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_client.pem
> >
> > # set up the action
> > $DefaultNetstreamDriver gtls # use gtls netstream driver
> > $ActionSendStreamDriverMode 1 # require TLS for the connection
> > $ActionSendStreamDriverAuthMode x509/name
> >
> > #$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
> >
> > # Only send log to SERVER.EXAMPLE.COM host
> > $ActionSendStreamDriverPermittedPeer server.domain.com
> > *.* @@(o) server.domain.com:514 # send (all) messages
> >
> > What I have in the log on the server:
> > 2022-05-25T14:44:32.782021+02:00 client.domain.com #010#005#005#003#010#010#006#001#010#013#010#006#006#003#002#001#002#003#000#026#000#000#000#027#000#000#000##000#000.#001#000#001#000#000#000#000#034#000#032#000#000#027server.domain.coml#000#034#000#002@
> > 2022-05-25T14:44:32.887714+02:00 client.domain.com #026#003#001#000.#001#000#000.#003#003·...?#030J#026#004..#037)#021n.#030..#021..rw..F..#000#0002.,?...
> > 2022-05-25T14:44:32.887714+02:00 client.domain.com .+...#011.0?.#024./.#023#000...#0005#000...#000/#000...#0009#000...#0003#001#000#000.#000#005#000#005#001#000#000#000#000
> > 2022-05-25T14:44:32.887714+02:00 client.domain.com #000#026#000#024#000#027#000#030#000#031#000#035#000#036#001#000#001#001#001#002#001#003#001#004#000#013#000#002#001#000#000#015#000"#000 #004#001#010#011#010#004#004#003#010#007#005#001#010
> >
> > Before 15 May it was working fine.
> > I don’t have any idea what is wrong.
> >
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
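An added example, not part of the thread or of rsyslog itself: the log lines quoted in the original post show control bytes written as `#` plus three octal digits, and `#026#003#001` is the start of a TLS handshake record. The Python sketch below scans stored log lines for that signature per sending host; the sample lines are constructed (modelled on the post), and the two thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Control bytes appear in the stored lines as '#' plus three octal digits
# (for example #026 = 0x16), the form visible in the excerpt in this thread.
ESCAPE = re.compile(r"#([0-3][0-7]{2})")

# Assumed thresholds for calling a line "binary": tune for your own logs.
MIN_ESCAPES = 8
MIN_RATIO = 0.3


def unescape(msg):
    """Turn '#NNN' octal escapes back into raw bytes; keep other characters."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(msg):
        out += msg[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += msg[pos:].encode("latin-1", "replace")
    return bytes(out)


def classify(msg):
    """Return 'tls-client-hello', 'binary-fragment' or 'text' for one message."""
    raw = unescape(msg)
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if (len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03
            and raw[2] <= 0x04 and raw[5] == 0x01):
        return "tls-client-hello"
    # A plain-TCP syslog parser splits the stream on line feeds, so the rest of
    # the handshake arrives as separate "messages" that are mostly escapes.
    escapes = len(ESCAPE.findall(msg))
    if escapes >= MIN_ESCAPES and escapes / len(raw) >= MIN_RATIO:
        return "binary-fragment"
    # A literal '#101' in ordinary text also matches ESCAPE; the thresholds
    # above keep such lines classified as text.
    return "text"


def scan(lines):
    """Count suspicious messages per sending host ('TIMESTAMP HOST MSG' lines)."""
    hits = defaultdict(Counter)
    for line in lines:
        parts = line.rstrip("\n").split(" ", 2)
        if len(parts) < 3:
            continue
        _, host, msg = parts
        verdict = classify(msg)
        if verdict != "text":
            hits[host][verdict] += 1
    return {host: dict(counts) for host, counts in hits.items()}


# Constructed sample lines, modelled on the excerpt in the original post.
SAMPLE = [
    "2022-05-25T14:44:32.887714+02:00 client.domain.com "
    "#026#003#001#000z#001#000#000v#003#003abcd",
    "2022-05-25T14:44:32.887714+02:00 client.domain.com "
    "#000#026#000#024#000#027#000#030#000#031#000#035",
    "2022-05-25T14:44:33.000000+02:00 client.domain.com "
    "sshd[4242]: Accepted publickey for alice",
    "2022-05-25T14:44:34.000000+02:00 web01.domain.com "
    "app: closed ticket #101 and #102",
]

if __name__ == "__main__":
    for host, counts in scan(SAMPLE).items():
        print(host, counts)
```

A host that shows up here is sending a TLS handshake to a listener that parsed it as plain syslog, which matches the diagnosis given earlier in the thread that the server side is not using TLS.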
Re: Rsyslog bad external log encoding ?????? [ In reply to ]
Did you use the regular method right at the top of rsyslog.conf? I ask
because only the shutdown can be seen, not the startup.

Rainer

On Thu, 26 May 2022 at 13:21, Grzegorz Zalewski via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Debug log:
>
> 5028.756561447:main thread : rsyslogd.c:
> 5028.756591154:main thread : rsyslogd.c:
> 5028.756599828:main thread : rsyslogd.c: ********************************************************************************
> 5028.756602615:main thread : rsyslogd.c: Switching debugging_on to true at 08:03:48
> 5028.756604775:main thread : rsyslogd.c: ********************************************************************************
> 5028.756609995:main thread : janitor.c: janitorRun() called
> 5033.189177560:main thread : rsyslogd.c: DoDie called.
> 5033.189238695:main thread : rsyslogd.c: awaking mainthread
> 5033.189262942:main thread : janitor.c: janitorRun() called
> 5033.189269019:main thread : errmsg.c: Called LogMsg, msg: rsyslogd shutting down
> 5033.189271584:main thread : operatingstate.c: osf: MSG rsyslogd shutting down: signaling new internal message via SIGTTOU: 'rsyslogd shutting down [v8.2106.0 try https://www.rsyslog.com/e/0 ]'
> 5033.189289381:main thread : rsyslogd.c: exiting on signal 2
> 5033.189291603:main thread : rsyslogd.c: Terminating input threads...
> 5033.189295410:main thread : ../threads.c: request term via SIGTTIN for input thread 'immark' 0x7ffab236f700
> 5033.189298582:main thread : ../threads.c: thread immark: initiating termination, timeout 1000 ms
> 5033.189348883:immark.c : ../threads.c: thrdStarter: usrThrdMain immark - 0x7ffab236f700 returned with iRet 0, exiting now.
> 5033.189379910:main thread : ../threads.c: non-cancel input thread termination succeeded for thread immark 0x7ffab236f700
> 5033.189585841:main thread : ../threads.c: request term via SIGTTIN for input thread 'imuxsock' 0x7ffab1f6e700
> 5033.189589416:main thread : ../threads.c: thread imuxsock: initiating termination, timeout 1000 ms
> 5033.189613241:imuxsock.c : ../threads.c: thrdStarter: usrThrdMain imuxsock - 0x7ffab1f6e700 returned with iRet 0, exiting now.
> 5033.189653202:main thread : ../threads.c: non-cancel input thread termination succeeded for thread imuxsock 0x7ffab1f6e700
> 5033.189665632:main thread : imuxsock.c: imuxsock: unlinking unix socket file[0] /dev/log
> 5033.189678050:main thread : ../threads.c: request term via canceling for input thread imklog
> 5033.189730551:main thread : ../threads.c: request term via SIGTTIN for input thread 'imtcp' 0x7ffab176c700
> 5033.189734384:main thread : ../threads.c: thread imtcp: initiating termination, timeout 1000 ms
> 5033.189757496:imtcp.c : nsdsel_ptcp.c: nsdsel_ptcp received EINTR
> 5033.189774472:imtcp.c : tcpsrv.c: tcpsrv terminating, waiting for 0 workers
> 5033.189778040:imtcp.c : ../threads.c: thrdStarter: usrThrdMain imtcp - 0x7ffab176c700 returned with iRet 0, exiting now.
> 5033.189787733:main thread : ../threads.c: non-cancel input thread termination succeeded for thread imtcp 0x7ffab176c700
> 5033.189862021:main thread : modules.c: file netstrms.c released module 'lmnsd_gtls', reference count now 1
> 5033.189873247:main thread : iminternal.c: signaling new internal message via SIGTTOU: '[origin software="rsyslogd" swVersion="8.2106.0" x-pid="19998" x-info="https://www.rsyslog.com"] exiting on signal 2.'
> 5033.190033534:main thread : rsyslogd.c: Terminating main queue...
> 5033.190038517:main thread : main Q: queue.c: shutdown: begin to destruct queue
> 5033.190041457:main thread : main Q: queue.c: initiating worker thread shutdown sequence 0x55dc13dff4d0
> 5033.190043715:main thread : main Q: queue.c: trying shutdown of regular workers
> 5033.190050545:main thread : wti.c: sent SIGTTIN to worker thread 0x7ffaa3fff700
> 5033.190054214:main thread : wtp.c: main Q:Reg: waiting 1499ms on worker thread termination, 1 still running
> 5033.190070048:main Q:Reg/w0 : wti 0x55dc13e0df60: wti.c: worker awoke from idle processing
> 5033.190074442:main Q:Reg/w0 : queue.c: DeleteProcessedBatch: we deleted 0 objects and enqueued 0 objects
> 5033.190076537:main Q:Reg/w0 : queue.c: rger: deleteBatchFromQStore, nElem 0
> 5033.190079265:main Q:Reg/w0 : queue.c: doDeleteBatch: delete batch from store, new sizes: log 0, phys 0
> 5033.190082092:main Q:Reg/w0 : main Q: queue.c: dequeued 0 consumable elements, szlog 0 sz phys 0
> 5033.190103817:main Q:Reg/w0 : queue.c: regular consumer finished, iret=4, szlog 0 sz phys 0
> 5033.190106754:main Q:Reg/w0 : wti 0x55dc13e0df60: wti.c: terminating worker terminateRet=5, bInactivityTOOccured=0
> 5033.190109572:main Q:Reg/w0 : wti.c: DDDD: wti 0x55dc13e0df60: worker cleanup action instances
> 5033.190111828:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 0, ptr 0x7ffa98000f30
> 5033.190115766:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 1, ptr 0x7ffa98001190
> 5033.190143536:main Q:Reg/w0 : modules.c: file netstrms.c released module 'lmnsd_gtls', reference count now 0
> 5033.190147864:main Q:Reg/w0 : modules.c: module 'lmnsd_gtls' has zero reference count, unloading...
> 5033.190150937:main Q:Reg/w0 : modules.c: Unloading module lmnsd_gtls
> 5033.190165121:main Q:Reg/w0 : modules.c: file nsdsel_gtls.c released module 'lmnsd_ptcp', reference count now 1
> 5033.190206154:main Q:Reg/w0 : modules.c: file nsd_gtls.c released module 'lmnsd_ptcp', reference count now 0
> 5033.190208707:main Q:Reg/w0 : modules.c: module 'lmnsd_ptcp' has zero reference count, unloading...
> 5033.190210845:main Q:Reg/w0 : modules.c: Unloading module lmnsd_ptcp
> 5033.190215279:main Q:Reg/w0 : modules.c: file nsd_ptcp.c released module 'lmnetstrms', reference count now 5
> 5033.190245353:main Q:Reg/w0 : modules.c: file nsd_gtls.c released module 'lmnet', reference count now 5
> 5033.190251310:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 2, ptr (nil)
> 5033.190253540:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 3, ptr (nil)
> 5033.190255659:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 4, ptr (nil)
> 5033.190257753:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 5, ptr (nil)
> 5033.190259842:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 6, ptr (nil)
> 5033.190262021:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 7, ptr (nil)
> 5033.190264115:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 8, ptr (nil)
> 5033.190266224:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 9, ptr (nil)
> 5033.190268445:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 10, ptr (nil)
> 5033.190270854:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 11, ptr (nil)
> 5033.190272890:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 12, ptr (nil)
> 5033.190274894:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 13, ptr (nil)
> 5033.190276953:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 14, ptr 0x7ffa98005980
> 5033.190280073:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 15, ptr (nil)
> 5033.190282197:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 16, ptr (nil)
> 5033.190284591:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 17, ptr (nil)
> 5033.190286640:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 18, ptr (nil)
> 5033.190289919:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60: exiting
> 5033.190292908:main Q:Reg/w0 : wtp.c: main Q:Reg: Worker thread 55dc13e0df60, terminated, num workers now 0
> 5033.190364038:main thread : wti.c: sent SIGTTIN to worker thread 0x7ffaa3fff700
> 5033.190368540:main thread : main Q: queue.c: regular queue workers shut down.
> 5033.190371158:main thread : main Q: queue.c: checking to see if we need to cancel any worker threads of the primary queue
> 5033.190374081:main thread : wti.c: main Q:Reg/w0: joining terminated worker
> 5033.190376375:main thread : wti.c: main Q:Reg/w0: worker fully terminated
> 5033.190378718:main thread : main Q: queue.c: worker threads terminated, remaining queue size log 0, phys 0.
> 5033.190385043:main thread : main Q: queue.c: queue (type 0) will lose 0 messages, destroying...
> 5033.190400418:main thread : rsyslogd.c: Terminating outputs...
> 5033.190404021:main thread : ruleset.c: rulesetDestructAllActions
> 5033.190406235:main thread : ruleset.c: destructAllActions: queue shutdown
> 5033.190408990:main thread : ruleset.c: shutting down queue workers for ruleset 0x55dc13db9520, name RSYSLOG_DefaultRuleset, queue (nil)
> 5033.190411048:main thread : ruleset.c: destructAllActions: action and conf stmt shutdown
> 5033.190422196:main thread : ruleset.c: shutting down actions and conf stmts for ruleset 0x55dc13db9520, name RSYSLOG_DefaultRuleset
> 5033.190426463:main thread : action-0-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> 5033.190431381:main thread : omfile.c: Removing entry 0 for file '/var/log/server/syslog.log' from dynaCache.
> 5033.190439324:main thread : strm 0x7ffa980059d0: stream.c: file 13(/var/log/server/syslog.log) closing, bDeleteOnClose 0
> 5033.190442130:main thread : strm 0x7ffa980059d0: stream.c: strmFlushinternal: file 13(/var/log/server/syslog.log) flush, buflen 0 (no need to flush)
> 5033.190444280:main thread : strm 0x7ffa980059d0: stream.c: file 13(/var/log/server/syslog.log) closing
> 5033.190451652:main thread : omfile.c: Removing entry 1 for file '/var/log/client.domain.com/user.log' from dynaCache.
> 5033.190454065:main thread : strm 0x7ffa9800a950: stream.c: file 16(/var/log/client.domain.com/user.log) closing, bDeleteOnClose 0
> 5033.190456336:main thread : strm 0x7ffa9800a950: stream.c: strmFlushinternal: file 16(/var/log/client.domain.com/user.log) flush, buflen 0 (no need to flush)
> 5033.190458429:main thread : strm 0x7ffa9800a950: stream.c: file 16(/var/log/client.domain.com/user.log) closing
> 5033.190463135:main thread : omfile.c: Removing entry 2 for file '/var/log/server/auth.log' from dynaCache.
> 5033.190465460:main thread : strm 0x7ffa9800cde0: stream.c: file 17(/var/log/server/auth.log) closing, bDeleteOnClose 0
> 5033.190467628:main thread : strm 0x7ffa9800cde0: stream.c: strmFlushinternal: file 17(/var/log/server/auth.log) flush, buflen 0 (no need to flush)
> 5033.190470101:main thread : strm 0x7ffa9800cde0: stream.c: file 17(/var/log/server/auth.log) closing
> 5033.190475382:main thread : omfile.c: Removing entry 3 for file '/var/log/server/authpriv.log' from dynaCache.
> 5033.190477683:main thread : strm 0x7ffa9800f130: stream.c: file 18(/var/log/server/authpriv.log) closing, bDeleteOnClose 0
> 5033.190479851:main thread : strm 0x7ffa9800f130: stream.c: strmFlushinternal: file 18(/var/log/server/authpriv.log) flush, buflen 0 (no need to flush)
> 5033.190481986:main thread : strm 0x7ffa9800f130: stream.c: file 18(/var/log/server/authpriv.log) closing
> 5033.190488121:main thread : action-1-builtin:omfwd queue: queue.c: shutdown: begin to destruct queue
> 5033.190493412:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb540, type 'OR'
> 5033.190495967:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb3a0, type 'AND'
> 5033.190498210:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dc5ea0, type 'F'
> 5033.190502327:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb380, type 'NOT'
>
> -----Original Message-----
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Sent: Thursday, May 26, 2022 12:54 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
>
> Can you do a debug log on the server side, make sure TLS is enabled and run rsyslog through the startup phase? I would assume that we see useful information.
>
> Quick doc: https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html
>
> Rainer
>
> On Thu, 26 May 2022 at 8:18, Grzegorz Zalewski via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
> >
> > Hi
> >
> > When I turn off TLS, it works fine :/
> >
> > I don't see any errors in the server logs
> >
> > -----Original Message-----
> > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > Sent: Wednesday, May 25, 2022 6:39 PM
> > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> >
> > This looks like the server is not using TLS. Any rsyslog error messages in the server log?
> >
> > Rainer
> >
> > On Wed, 25 May 2022 at 15:02, Grzegorz Zalewski via rsyslog
> > (<rsyslog@lists.adiscon.com>) wrote:
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
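
The stored lines quoted in this thread begin with `#026#003#001`, which is rsyslog's octal escaping of the bytes 0x16 0x03 0x01, the start of a TLS handshake record; seeing it as message text means the listener took the client's ClientHello as plain syslog data. The check below is an added example, not code from the thread or from the rsyslog project; the sample lines and all function names are constructed for illustration.

```python
import re

# rsyslog's control-character escaping writes each control byte as '#'
# followed by three octal digits (0x16 is stored as "#026"), as seen in the
# log lines quoted in the thread.
_ESCAPE = re.compile(r"#([0-3][0-7]{2})")

TLS_HANDSHAKE = 0x16   # TLS record content type "handshake"
CLIENT_HELLO = 0x01    # handshake message type "ClientHello"
RECORD_VERSIONS = {0x00: "SSL 3.0", 0x01: "TLS 1.0", 0x02: "TLS 1.1",
                   0x03: "TLS 1.2", 0x04: "TLS 1.3"}


def unescape(msg: str) -> bytes:
    """Turn '#ooo' escapes back into raw bytes; other characters pass through."""
    out = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(msg):
        out += msg[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += msg[pos:].encode("latin-1", "replace")
    return bytes(out)


def tls_record_in(msg: str):
    """Describe a TLS handshake record at the start of msg, or return None.

    Only the 5-byte record header and the handshake type are checked; the
    rest of the record is usually split across several stored lines.
    """
    data = unescape(msg)
    if len(data) < 6:
        return None
    ctype, major, minor = data[0], data[1], data[2]
    if ctype != TLS_HANDSHAKE or major != 0x03 or minor not in RECORD_VERSIONS:
        return None
    return {
        "record_version": RECORD_VERSIONS[minor],
        "record_length": int.from_bytes(data[3:5], "big"),
        "client_hello": data[5] == CLIENT_HELLO,
    }


def find_tls_records(lines):
    """Return (timestamp, host, info) for each stored line that holds a TLS record.

    Assumes the file layout used in the thread: '<timestamp> <host> <message>'.
    """
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split(" ", 2)
        if len(parts) < 3:
            continue
        ts, host, msg = parts
        info = tls_record_in(msg)
        if info:
            hits.append((ts, host, info))
    return hits


# Constructed sample lines in the style of the thread's log excerpt.
SAMPLE = [
    "2022-05-25T14:44:31.100000+02:00 client.domain.com sshd[811]: Accepted publickey for ops",
    "2022-05-25T14:44:32.887714+02:00 client.domain.com #026#003#001#000.#001#000#000.#003#003",
    "2022-05-25T14:44:33.000000+02:00 client.domain.com issue #123 closed",
]

if __name__ == "__main__":
    for ts, host, info in find_tls_records(SAMPLE):
        print(f"{ts} {host}: TLS handshake stored as log text -> {info}")
```

A hit means the sender is speaking TLS to a listener that is reading the stream as plaintext, so the place to look is the receiving side's TLS setup rather than character encoding.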
Re: Rsyslog bad external log encoding ?????? [ In reply to ]
I've put it at the top of my /etc/rsyslog.d/my.conf file

When I put it

#$DebugFile /var/log/rsyslog.debug
#$DebugLevel 2

On top of rsyslogd.conf, nothing happens. No new logs in the debug file?


-----Original Message-----
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
Sent: Thursday, May 26, 2022 6:33 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????

Did you use the regular method right at the top of rsyslog.conf? I ask because only the shutdown can be seen, not the startup.

Rainer

On Thu, 26 May 2022 at 13:21, Grzegorz Zalewski via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Debug log:
>
> 5033.190697344:main thread : ruleset.c: destructing ruleset 0x55dc13db9520, name 0x55dc13db9560
> 5033.190700295:main thread : rsyslogd.c: all primary multi-thread sources have been terminated - now doing aux cleanup...
> 5033.190702315:main thread : rsyslogd.c: destructing current config...
> 5033.190704909:main thread : rsconf.c: calling freeCnf(0x55dc13db75a0) for module 'builtin:omfile'
> 5033.190707318:main thread : rsconf.c: calling freeCnf(0x55dc13db7770) for module 'builtin:ompipe'
> 5033.190709986:main thread : rsconf.c: calling freeCnf(0x55dc13db8770) for module 'builtin:omfwd'
> 5033.190713355:main thread : rsconf.c: calling freeCnf(0x55dc13dc7750) for module 'immark.so'
> 5033.190716019:main thread : rsconf.c: calling freeCnf(0x55dc13dc9610) for module 'imuxsock.so'
> 5033.190718553:main thread : rsconf.c: calling freeCnf(0x55dc13dca860) for module 'imklog.so'
> 5033.190721080:main thread : rsconf.c: calling freeCnf(0x55dc13dce700) for module 'imtcp'
> 5033.190770096:main thread : parser.c: destructing parser 'rsyslog.rfc5424'
> 5033.190772594:main thread : parser.c: destructing parser 'rsyslog.rfc3164'
> 5033.190775196:main thread : pmrfc3164.c: pmrfc3164: free parser instance 0x55dc13db8c50
> 5033.190782063:main thread : modules.c: file rsyslogd.c released module 'lmnet', reference count now 4
> 5033.190784438:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> 5033.190786550:main thread : modules.c: Unloading module builtin:omfile
> 5033.190789213:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> 5033.190791251:main thread : modules.c: Unloading module builtin:ompipe
> 5033.190793495:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> 5033.190795495:main thread : modules.c: Unloading module builtin-shell
> 5033.190797779:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> 5033.190799779:main thread : modules.c: Unloading module builtin:omdiscard
> 5033.190801963:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> 5033.190803931:main thread : modules.c: Unloading module builtin:omfwd
> 5033.190806440:main thread : modules.c: file omfwd.c released module 'lmnet', reference count now 3
> 5033.190808989:main thread : modules.c: file omfwd.c released module 'lmnetstrms', reference count now 4
> 5033.190811446:main thread : modules.c: file omfwd.c released module 'lmnetstrms', reference count now 3
> 5033.190813714:main thread : modules.c: file omfwd.c released module 'lmtcpclt', reference count now 0
> 5033.190815745:main thread : modules.c: module 'lmtcpclt' has zero reference count, unloading...
> 5033.190817745:main thread : modules.c: Unloading module lmtcpclt
> 5033.190839888:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190843191:main thread : modules.c: Unloading module builtin:omusrmsg
> 5033.190845438:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190847453:main thread : modules.c: Unloading module builtin:pmrfc5424
> 5033.190850027:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190852192:main thread : modules.c: Unloading module builtin:pmrfc3164
> 5033.190854646:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190856622:main thread : modules.c: Unloading module builtin:smfile
> 5033.190859169:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190861201:main thread : modules.c: Unloading module builtin:smtradfile
> 5033.190863571:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190865540:main thread : modules.c: Unloading module builtin:smfwd
> 5033.190867983:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190870023:main thread : modules.c: Unloading module builtin:smtradfwd
> 5033.190876126:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190878217:main thread : modules.c: Unloading module immark.so
> 5033.190900578:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190903458:main thread : modules.c: Unloading module imuxsock.so
> 5033.190929023:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190931871:main thread : modules.c: Unloading module imklog.so
> 5033.190944049:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190946751:main thread : modules.c: module lmnetstrms NOT unloaded because it still has a refcount of 3
> 5033.190948843:main thread : modules.c: module lmtcpsrv NOT unloaded because it still has a refcount of 2
> 5033.190950930:main thread : modules.c: Unloading module imtcp
> 5033.190954270:main thread : modules.c: file imtcp.c released module 'lmnet', reference count now 2
> 5033.190956666:main thread : modules.c: file imtcp.c released module 'lmnetstrms', reference count now 2
> 5033.190959070:main thread : modules.c: file imtcp.c released module 'lmtcpsrv', reference count now 1
> 5033.190961401:main thread : modules.c: file imtcp.c released module 'lmtcpsrv', reference count now 0
> 5033.190963424:main thread : modules.c: module 'lmtcpsrv' has zero reference count, unloading...
> 5033.190965470:main thread : modules.c: Unloading module lmtcpsrv
> 5033.191000080:main thread : tcpsrv.c: tcpsrv: info: worker 0 was called 0 times
> 5033.191022031:main thread : tcpsrv.c: tcpsrv: info: worker 1 was called 0 times
> 5033.191042824:main thread : tcpsrv.c: tcpsrv: info: worker 2 was called 0 times
> 5033.191077377:main thread : tcpsrv.c: tcpsrv: info: worker 3 was called 0 times
> 5033.191082074:main thread : modules.c: file tcpsrv.c released module 'lmnetstrms', reference count now 1
> 5033.191084651:main thread : modules.c: file tcpsrv.c released module 'lmnet', reference count now 1
> 5033.191087761:main thread : modules.c: file tcps_sess.c released module 'lmnetstrms', reference count now 0
> 5033.191089779:main thread : modules.c: module 'lmnetstrms' has zero reference count, unloading...
> 5033.191091922:main thread : modules.c: Unloading module lmnetstrms
> 5033.191128059:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 1
> 5033.191131700:main thread : modules.c: file conf.c released module 'lmnet', reference count now 0
> 5033.191133723:main thread : modules.c: module 'lmnet' has zero reference count, unloading...
> 5033.191135781:main thread : modules.c: Unloading module lmnet
> 5033.191152212:main thread : strgen.c: destructing strgen 'RSYSLOG_FileFormat'
> 5033.191155173:main thread : strgen.c: destructing strgen 'RSYSLOG_TraditionalFileFormat'
> 5033.191157204:main thread : strgen.c: destructing strgen 'RSYSLOG_ForwardFormat'
> 5033.191159298:main thread : strgen.c: destructing strgen 'RSYSLOG_TraditionalForwardFormat'
> 5033.191164325:main thread : rsyslog.c: rsyslog runtime de-initialized, current users 0
> 5033.191166536:main thread : rsyslogd.c: Clean shutdown completed, bye
>
> -----Original Message-----
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Sent: Thursday, May 26, 2022 12:54 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
>
> can you do a debug log on the server side, make sure TLS is enabled and run rsyslog through the startup phase? I would assume that we see useful information.
>
> quick doc:
> https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html
>
> Rainer
>
> On Thu, 26 May 2022 at 8:18, Grzegorz Zalewski via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
> >
> > Hi
> >
> > When I turn off TLS it works fine :/
> >
> > I don't see any errors in the server logs
> >
> > -----Original Message-----
> > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > Sent: Wednesday, May 25, 2022 6:39 PM
> > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> >
> > This looks like the server is not using TLS. Any rsyslog error messages in the server log?
> >
> > Rainer
> >
> > On Wed, 25 May 2022 at 15:02, Grzegorz Zalewski via rsyslog
> > (<rsyslog@lists.adiscon.com>) wrote:
> > >
> > > Hi
> > > My version of rsyslogd on log server:
> > > rsyslogd 8.2106.0 (aka 2021.06) compiled with:
> > > PLATFORM: x86_64-suse-linux-gnu
> > > PLATFORM (lsb_release -d):
> > > FEATURE_REGEXP: Yes
> > > GSSAPI Kerberos 5 support: Yes
> > > FEATURE_DEBUG (debug build, slow code): No
> > > 32bit Atomic operations supported: Yes
> > > 64bit Atomic operations supported: Yes
> > > memory allocator: system default
> > > Runtime Instrumentation (slow code): No
> > > uuid support: Yes
> > > systemd support: Yes
> > > Config file: /etc/rsyslog.conf
> > > PID file: /var/run/rsyslogd.pid
> > > Number of Bits in RainerScript integers: 64
> > >
> > > # ######### Receiving Messages from Remote Hosts ##########.
> > > ########### Encrypting Syslog Traffic with TLS ##########
> > > # -- TLS Syslog Server:.
> > > ## make gtls driver the default
> > > $DefaultNetstreamDriver gtls
> > > #
> > > ## certificate files
> > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_server.pem
> > > $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server.pem
> > > $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server.pem
> > >
> > > $ModLoad imtcp # load TCP listener
> > > #
> > > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
> > > #$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
> > > $InputTCPServerStreamDriverAuthMode x509/name
> > > $InputTCPServerStreamDriverPermittedPeer *.domain.com
> > > $InputTCPServerRun 514 # start up listener at port 10514
> > > #
> > > #$EscapeControlCharactersOnReceive off
> > > #$Escape8BitCharactersOnReceive off
> > >
> > > $template RemoteServer, "/var/log/%HOSTNAME%/%SYSLOGFACILITY-TEXT%.log"
> > > *.* ?RemoteServer
> > >
> > > Client conf:
> > > # certificate files - just CA for a client
> > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_client.pem
> > >
> > > # set up the action
> > > $DefaultNetstreamDriver gtls # use gtls netstream driver
> > > $ActionSendStreamDriverMode 1 # require TLS for the connection
> > > $ActionSendStreamDriverAuthMode x509/name
> > >
> > > #$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
> > >
> > > # Only send log to SERVER.EXAMPLE.COM host
> > > $ActionSendStreamDriverPermittedPeer server.domain.com
> > > *.* @@(o) server.domain.com:514 # send (all) messages
> > >
> > > What I have in the log on the server:
> > > 2022-05-25T14:44:32.782021+02:00 client.domain.com #010#005#005#003#010#010#006#001#010#013#010#006#006#003#002#001#002#003#000#026#000#000#000#027#000#000#000##000#000.#001#000#001#000#000#000#000#034#000#032#000#000#027server.
> > > domain.coml#000#034#000#002@
> > > 2022-05-25T14:44:32.887714+02:00 client.domain.com #026#003#001#000.#001#000#000.#003#003·...?#030J#026#004..#037)#021n.#030..#021..rw..F..#000#0002.,?...
> > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > > .+...#011.0?.#024./.#023#000...#0005#000...#000/#000...#0009#000..
> > > .#
> > > 00
> > > 03#001#000#000.#000#005#000#005#001#000#000#000#000
> > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > > #000#026#000#024#000#027#000#030#000#031#000#035#000#036#001#000#0
> > > 01
> > > #0
> > > 01#001#002#001#003#001#004#000#013#000#002#001#000#000#015#000"#00
> > > 0
> > > #004#001#010#011#010#004#004#003#010#007#00
> > > 5#001#010
> > >
> > > Before 15 May it was working fine.
> > > I don’t have any idea what is wrong.
> > >
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
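
The `#NNN` runs in the server log quoted above are rsyslog's octal escapes for control bytes, and `#026#003#001 ... #001 ... #003#003` decodes to a TLS handshake record carrying a ClientHello, which is what a plain-TCP listener writes to disk when a TLS client connects to it. The Python check below is an added example, not part of the thread or of rsyslog; the sample lines and the host names under `example.test` are constructed, and the function names are hypothetical.

```python
import re

# rsyslog's default control-character escaping: '#' followed by 3 octal digits.
_ESC = re.compile(r"#([0-3][0-7]{2})")

# TLS record header (type 0x16 = handshake, version 3.x, 2-byte length), then a
# handshake header (type 0x01 = ClientHello, 3-byte length), then client version.
_HELLO = re.compile(
    rb"\x16\x03([\x00-\x04])(..)\x01(...)\x03([\x00-\x04])", re.DOTALL
)

_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}


def unescape(msg):
    """Rebuild the raw bytes behind an escaped message field."""
    def repl(match):
        value = int(match.group(1), 8)
        # Only control bytes, DEL and 8-bit bytes are ever escaped, so ordinary
        # text such as "#123" (octal 123 = 'S') is left untouched.
        if value < 0x20 or value >= 0x7F:
            return chr(value)
        return match.group(0)
    return _ESC.sub(repl, msg).encode("latin-1", "replace")


def find_client_hello(raw):
    """Return details of the first ClientHello-shaped record in raw, or None."""
    match = _HELLO.search(raw)
    if match is None:
        return None
    record_len = int.from_bytes(match.group(2), "big")
    handshake_len = int.from_bytes(match.group(3), "big")
    return {
        "offset": match.start(),
        "record_version": _VERSIONS[match.group(1)[0]],
        "hello_version": _VERSIONS[match.group(4)[0]],
        # True only when the hello fits in one record and no length byte was
        # altered on its way into the log file.
        "lengths_consistent": record_len == handshake_len + 4,
    }


def scan(lines):
    """Flag '<timestamp> <host> <msg>' lines whose msg holds a TLS ClientHello."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split(" ", 2)
        if len(parts) < 3:
            continue
        timestamp, host, msg = parts
        hit = find_client_hello(unescape(msg))
        if hit:
            hit.update(timestamp=timestamp, host=host)
            findings.append(hit)
    return findings


# Constructed sample input: one logged handshake, two ordinary messages.
SAMPLE = [
    "2022-05-25T14:44:32.887714+02:00 client.example.test "
    "#026#003#001#000\xc8#001#000#000\xc4#003#003#037)#021n#030",
    "2022-05-25T14:44:33.000000+02:00 client.example.test "
    "sshd[811]: Accepted publickey for backup",
    "2022-05-25T14:44:34.000000+02:00 other.example.test "
    "issue #123 closed by deploy bot",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit means the bytes reached a listener that treated them as syslog text, so the place to look next is the receiving side's stream driver settings rather than character encoding.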
Re: Rsyslog bad external log encoding ?????? [ In reply to ]
It's commented out... Remove hash marks.

Sent from phone, thus brief.

Grzegorz Zalewski via rsyslog <rsyslog@lists.adiscon.com> wrote on Fri,
27 May 2022, 07:45:

> I put it at the top of my /etc/rsyslog.d/my.conf file.
>
> When I put
>
> #$DebugFile /var/log/rsyslog.debug
> #$DebugLevel 2
>
> at the top of rsyslogd.conf, nothing happens. No new logs in the debug file?
>
>
> -----Original Message-----
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Sent: Thursday, May 26, 2022 6:33 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
>
> Did you use the regular method right at the top of rsyslog.conf? I ask
> because only the shutdown can be seen, not the startup.
>
> Rainer
>
> On Thu, 26 May 2022 at 13:21, Grzegorz Zalewski via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
> >
> > Debug log:
> >
> > 5028.756561447:main thread : rsyslogd.c:
> > 5028.756591154:main thread : rsyslogd.c:
> > 5028.756599828:main thread : rsyslogd.c:
> ********************************************************************************
> > 5028.756602615:main thread : rsyslogd.c: Switching debugging_on to
> true at 08:03:48
> > 5028.756604775:main thread : rsyslogd.c:
> ********************************************************************************
> > 5028.756609995:main thread : janitor.c: janitorRun() called
> > 5033.189177560:main thread : rsyslogd.c: DoDie called.
> > 5033.189238695:main thread : rsyslogd.c: awaking mainthread
> > 5033.189262942:main thread : janitor.c: janitorRun() called
> > 5033.189269019:main thread : errmsg.c: Called LogMsg, msg: rsyslogd
> shutting down
> > 5033.189271584:main thread : operatingstate.c: osf: MSG rsyslogd
> shutting down: signaling new internal message via SIGTTOU: 'rsyslogd
> shutting down [v8.2106.0 try https://www.rsyslog.com/e/0 ]'
> > 5033.189289381:main thread : rsyslogd.c: exiting on signal 2
> > 5033.189291603:main thread : rsyslogd.c: Terminating input threads...
> > 5033.189295410:main thread : ../threads.c: request term via SIGTTIN
> for input thread 'immark' 0x7ffab236f700
> > 5033.189298582:main thread : ../threads.c: thread immark: initiating
> termination, timeout 1000 ms
> > 5033.189348883:immark.c : ../threads.c: thrdStarter: usrThrdMain
> immark - 0x7ffab236f700 returned with iRet 0, exiting now.
> > 5033.189379910:main thread : ../threads.c: non-cancel input thread
> termination succeeded for thread immark 0x7ffab236f700
> > 5033.189585841:main thread : ../threads.c: request term via SIGTTIN
> for input thread 'imuxsock' 0x7ffab1f6e700
> > 5033.189589416:main thread : ../threads.c: thread imuxsock:
> initiating termination, timeout 1000 ms
> > 5033.189613241:imuxsock.c : ../threads.c: thrdStarter: usrThrdMain
> imuxsock - 0x7ffab1f6e700 returned with iRet 0, exiting now.
> > 5033.189653202:main thread : ../threads.c: non-cancel input thread
> termination succeeded for thread imuxsock 0x7ffab1f6e700
> > 5033.189665632:main thread : imuxsock.c: imuxsock: unlinking unix
> socket file[0] /dev/log
> > 5033.189678050:main thread : ../threads.c: request term via canceling
> for input thread imklog
> > 5033.189730551:main thread : ../threads.c: request term via SIGTTIN
> for input thread 'imtcp' 0x7ffab176c700
> > 5033.189734384:main thread : ../threads.c: thread imtcp: initiating
> termination, timeout 1000 ms
> > 5033.189757496:imtcp.c : nsdsel_ptcp.c: nsdsel_ptcp received EINTR
> > 5033.189774472:imtcp.c : tcpsrv.c: tcpsrv terminating, waiting
> for 0 workers
> > 5033.189778040:imtcp.c : ../threads.c: thrdStarter: usrThrdMain
> imtcp - 0x7ffab176c700 returned with iRet 0, exiting now.
> > 5033.189787733:main thread : ../threads.c: non-cancel input thread
> termination succeeded for thread imtcp 0x7ffab176c700
> > 5033.189862021:main thread : modules.c: file netstrms.c released
> module 'lmnsd_gtls', reference count now 1
> > 5033.189873247:main thread : iminternal.c: signaling new internal
> message via SIGTTOU: '[origin software="rsyslogd" swVersion="8.2106.0"
> x-pid="19998" x-info="https://www.rsyslog.com"] exiting on signal 2.'
> > 5033.190033534:main thread : rsyslogd.c: Terminating main queue...
> > 5033.190038517:main thread : main Q: queue.c: shutdown: begin to
> destruct queue
> > 5033.190041457:main thread : main Q: queue.c: initiating worker
> thread shutdown sequence 0x55dc13dff4d0
> > 5033.190043715:main thread : main Q: queue.c: trying shutdown of
> regular workers
> > 5033.190050545:main thread : wti.c: sent SIGTTIN to worker thread
> 0x7ffaa3fff700
> > 5033.190054214:main thread : wtp.c: main Q:Reg: waiting 1499ms on
> worker thread termination, 1 still running
> > 5033.190070048:main Q:Reg/w0 : wti 0x55dc13e0df60: wti.c: worker
> > awoke from idle processing 5033.190074442:main Q:Reg/w0 : queue.c:
> > DeleteProcessedBatch: we deleted 0 objects and enqueued 0 objects
> > 5033.190076537:main Q:Reg/w0 : queue.c: rger: deleteBatchFromQStore,
> > nElem 0 5033.190079265:main Q:Reg/w0 : queue.c: doDeleteBatch: delete
> > batch from store, new sizes: log 0, phys 0 5033.190082092:main
> > Q:Reg/w0 : main Q: queue.c: dequeued 0 consumable elements, szlog 0
> > sz phys 0 5033.190103817:main Q:Reg/w0 : queue.c: regular consumer
> > finished, iret=4, szlog 0 sz phys 0 5033.190106754:main Q:Reg/w0 :
> > wti 0x55dc13e0df60: wti.c: terminating worker terminateRet=5,
> > bInactivityTOOccured=0 5033.190109572:main Q:Reg/w0 : wti.c: DDDD:
> > wti 0x55dc13e0df60: worker cleanup action instances 5033.190111828:main
> Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 0, ptr 0x7ffa98000f30
> 5033.190115766:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 1, ptr
> 0x7ffa98001190 5033.190143536:main Q:Reg/w0 : modules.c: file netstrms.c
> released module 'lmnsd_gtls', reference count now 0 5033.190147864:main
> Q:Reg/w0 : modules.c: module 'lmnsd_gtls' has zero reference count,
> unloading...
> > 5033.190150937:main Q:Reg/w0 : modules.c: Unloading module lmnsd_gtls
> > 5033.190165121:main Q:Reg/w0 : modules.c: file nsdsel_gtls.c released
> > module 'lmnsd_ptcp', reference count now 1 5033.190206154:main
> > Q:Reg/w0 : modules.c: file nsd_gtls.c released module 'lmnsd_ptcp',
> reference count now 0 5033.190208707:main Q:Reg/w0 : modules.c: module
> 'lmnsd_ptcp' has zero reference count, unloading...
> > 5033.190210845:main Q:Reg/w0 : modules.c: Unloading module lmnsd_ptcp
> > 5033.190215279:main Q:Reg/w0 : modules.c: file nsd_ptcp.c released
> > module 'lmnetstrms', reference count now 5 5033.190245353:main
> > Q:Reg/w0 : modules.c: file nsd_gtls.c released module 'lmnet',
> > reference count now 5 5033.190251310:main Q:Reg/w0 : wti.c: wti
> > 0x55dc13e0df60, action 2, ptr (nil) 5033.190253540:main Q:Reg/w0 :
> > wti.c: wti 0x55dc13e0df60, action 3, ptr (nil) 5033.190255659:main
> > Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 4, ptr (nil)
> > 5033.190257753:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 5,
> > ptr (nil) 5033.190259842:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60,
> > action 6, ptr (nil) 5033.190262021:main Q:Reg/w0 : wti.c: wti
> > 0x55dc13e0df60, action 7, ptr (nil) 5033.190264115:main Q:Reg/w0 :
> > wti.c: wti 0x55dc13e0df60, action 8, ptr (nil) 5033.190266224:main
> > Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 9, ptr (nil)
> > 5033.190268445:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 10,
> > ptr (nil) 5033.190270854:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60,
> > action 11, ptr (nil) 5033.190272890:main Q:Reg/w0 : wti.c: wti
> > 0x55dc13e0df60, action 12, ptr (nil) 5033.190274894:main Q:Reg/w0 :
> > wti.c: wti 0x55dc13e0df60, action 13, ptr (nil) 5033.190276953:main
> > Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 14, ptr 0x7ffa98005980
> > 5033.190280073:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 15,
> > ptr (nil) 5033.190282197:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60,
> action 16, ptr (nil) 5033.190284591:main Q:Reg/w0 : wti.c: wti
> 0x55dc13e0df60, action 17, ptr (nil) 5033.190286640:main Q:Reg/w0 : wti.c:
> wti 0x55dc13e0df60, action 18, ptr (nil) 5033.190289919:main Q:Reg/w0 :
> wti.c: wti 0x55dc13e0df60: exiting 5033.190292908:main Q:Reg/w0 : wtp.c:
> main Q:Reg: Worker thread 55dc13e0df60, terminated, num workers now 0
> > 5033.190364038:main thread : wti.c: sent SIGTTIN to worker thread
> 0x7ffaa3fff700
> > 5033.190368540:main thread : main Q: queue.c: regular queue workers
> shut down.
> > 5033.190371158:main thread : main Q: queue.c: checking to see if we
> need to cancel any worker threads of the primary queue
> > 5033.190374081:main thread : wti.c: main Q:Reg/w0: joining terminated
> worker
> > 5033.190376375:main thread : wti.c: main Q:Reg/w0: worker fully
> terminated
> > 5033.190378718:main thread : main Q: queue.c: worker threads
> terminated, remaining queue size log 0, phys 0.
> > 5033.190385043:main thread : main Q: queue.c: queue (type 0) will
> lose 0 messages, destroying...
> > 5033.190400418:main thread : rsyslogd.c: Terminating outputs...
> > 5033.190404021:main thread : ruleset.c: rulesetDestructAllActions
> > 5033.190406235:main thread : ruleset.c: destructAllActions: queue
> shutdown
> > 5033.190408990:main thread : ruleset.c: shutting down queue workers
> for ruleset 0x55dc13db9520, name RSYSLOG_DefaultRuleset, queue (nil)
> > 5033.190411048:main thread : ruleset.c: destructAllActions: action
> and conf stmt shutdown
> > 5033.190422196:main thread : ruleset.c: shutting down actions and
> conf stmts for ruleset 0x55dc13db9520, name RSYSLOG_DefaultRuleset
> > 5033.190426463:main thread : action-0-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190431381:main thread : omfile.c: Removing entry 0 for file
> '/var/log/server/syslog.log' from dynaCache.
> > 5033.190439324:main thread : strm 0x7ffa980059d0: stream.c: file
> 13(/var/log/server/syslog.log) closing, bDeleteOnClose 0
> > 5033.190442130:main thread : strm 0x7ffa980059d0: stream.c:
> strmFlushinternal: file 13(/var/log/server/syslog.log) flush, buflen 0 (no
> need to flush)
> > 5033.190444280:main thread : strm 0x7ffa980059d0: stream.c: file
> 13(/var/log/server/syslog.log) closing
> > 5033.190451652:main thread : omfile.c: Removing entry 1 for file
> '/var/log/client.domain.com/user.log' from dynaCache.
> > 5033.190454065:main thread : strm 0x7ffa9800a950: stream.c: file
> 16(/var/log/client.domain.com/user.log) closing, bDeleteOnClose 0
> > 5033.190456336:main thread : strm 0x7ffa9800a950: stream.c:
> strmFlushinternal: file 16(/var/log/client.domain.com/user.log) flush,
> buflen 0 (no need to flush)
> > 5033.190458429:main thread : strm 0x7ffa9800a950: stream.c: file
> 16(/var/log/client.domain.com/user.log) closing
> > 5033.190463135:main thread : omfile.c: Removing entry 2 for file
> '/var/log/server/auth.log' from dynaCache.
> > 5033.190465460:main thread : strm 0x7ffa9800cde0: stream.c: file
> 17(/var/log/server/auth.log) closing, bDeleteOnClose 0
> > 5033.190467628:main thread : strm 0x7ffa9800cde0: stream.c:
> strmFlushinternal: file 17(/var/log/server/auth.log) flush, buflen 0 (no
> need to flush)
> > 5033.190470101:main thread : strm 0x7ffa9800cde0: stream.c: file
> 17(/var/log/server/auth.log) closing
> > 5033.190475382:main thread : omfile.c: Removing entry 3 for file
> '/var/log/server/authpriv.log' from dynaCache.
> > 5033.190477683:main thread : strm 0x7ffa9800f130: stream.c: file
> 18(/var/log/server/authpriv.log) closing, bDeleteOnClose 0
> > 5033.190479851:main thread : strm 0x7ffa9800f130: stream.c:
> strmFlushinternal: file 18(/var/log/server/authpriv.log) flush, buflen 0
> (no need to flush)
> > 5033.190481986:main thread : strm 0x7ffa9800f130: stream.c: file
> 18(/var/log/server/authpriv.log) closing
> > 5033.190488121:main thread : action-1-builtin:omfwd queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190493412:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dcb540, type 'OR'
> > 5033.190495967:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dcb3a0, type 'AND'
> > 5033.190498210:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dc5ea0, type 'F'
> > 5033.190502327:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dcb380, type 'NOT'
> > 5033.190504529:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dcb360, type 'AND'
> > 5033.190506649:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dcb290, type 'CMP_CONTAINS'
> > 5033.190508856:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd0940, type 'V'
> > 5033.190511123:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dcb270, type 'S'
> > 5033.190513881:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dcb340, type 'CMP_CONTAINS'
> > 5033.190515927:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dcb2d0, type 'V'
> > 5033.190518042:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dcb320, type 'S'
> > 5033.190520192:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dc5f10, type 'F'
> > 5033.190522701:main thread : action-2-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190526715:main thread : action-3-builtin:ompipe queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190530576:main thread : action-4-builtin:omusrmsg queue:
> queue.c: shutdown: begin to destruct queue
> > 5033.190534325:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd5af0, type 'OR'
> > 5033.190536429:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd1d50, type 'CMP_EQ'
> > 5033.190541657:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dda810, type 'V'
> > 5033.190543823:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd1d30, type 'S'
> > 5033.190546016:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd5ad0, type 'CMP_STARTSWITH'
> > 5033.190548232:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd2830, type 'V'
> > 5033.190550335:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd5ab0, type 'S'
> > 5033.190552537:main thread : action-5-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190555932:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd4ae0, type 'AND'
> > 5033.190558030:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd4a30, type 'OR'
> > 5033.190560214:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd5e20, type 'CMP_EQ'
> > 5033.190562327:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd5950, type 'V'
> > 5033.190564412:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd5de0, type 'S'
> > 5033.190566470:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd4a10, type 'CMP_EQ'
> > 5033.190568509:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd5980, type 'V'
> > 5033.190570599:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd49f0, type 'S'
> > 5033.190572679:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dc5fb0, type 'F'
> > 5033.190575390:main thread : action-6-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190578760:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd58b0, type 'AND'
> > 5033.190580822:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dc6050, type 'F'
> > 5033.190583017:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd5890, type 'AND'
> > 5033.190585065:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd57c0, type 'CMP_CONTAINS'
> > 5033.190587099:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd4910, type 'V'
> > 5033.190589145:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd57a0, type 'S'
> > 5033.190591231:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd5870, type 'CMP_CONTAINS'
> > 5033.190593259:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd5800, type 'V'
> > 5033.190595284:main thread : rainerscript.c: cnfexprDestruct expr
> 0x55dc13dd5850, type 'S'
> > 5033.190618132:main thread : action-7-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190622497:main thread : action-8-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190626890:main thread : action-9-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190640887:main thread : action-10-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190654111:main thread : action-11-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190657873:main thread : action-12-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190661614:main thread : action-13-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190664900:main thread : action-14-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190668788:main thread : strm 0x7ffa98007dd0: stream.c: file
> 14(/var/log/messages) closing, bDeleteOnClose 0
> > 5033.190671084:main thread : strm 0x7ffa98007dd0: stream.c:
> strmFlushinternal: file 14(/var/log/messages) flush, buflen 0 (no need to
> flush)
> > 5033.190673278:main thread : strm 0x7ffa98007dd0: stream.c: file
> 14(/var/log/messages) closing
> > 5033.190678652:main thread : action-15-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190682221:main thread : action-16-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190686134:main thread : action-17-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190689802:main thread : action-18-builtin:omfile queue: queue.c:
> shutdown: begin to destruct queue
> > 5033.190697344:main thread : ruleset.c: destructing ruleset
> 0x55dc13db9520, name 0x55dc13db9560
> > 5033.190700295:main thread : rsyslogd.c: all primary multi-thread
> sources have been terminated - now doing aux cleanup...
> > 5033.190702315:main thread : rsyslogd.c: destructing current config...
> > 5033.190704909:main thread : rsconf.c: calling
> freeCnf(0x55dc13db75a0) for module 'builtin:omfile'
> > 5033.190707318:main thread : rsconf.c: calling
> freeCnf(0x55dc13db7770) for module 'builtin:ompipe'
> > 5033.190709986:main thread : rsconf.c: calling
> freeCnf(0x55dc13db8770) for module 'builtin:omfwd'
> > 5033.190713355:main thread : rsconf.c: calling
> freeCnf(0x55dc13dc7750) for module 'immark.so'
> > 5033.190716019:main thread : rsconf.c: calling
> freeCnf(0x55dc13dc9610) for module 'imuxsock.so'
> > 5033.190718553:main thread : rsconf.c: calling
> freeCnf(0x55dc13dca860) for module 'imklog.so'
> > 5033.190721080:main thread : rsconf.c: calling
> freeCnf(0x55dc13dce700) for module 'imtcp'
> > 5033.190770096:main thread : parser.c: destructing parser
> 'rsyslog.rfc5424'
> > 5033.190772594:main thread : parser.c: destructing parser
> 'rsyslog.rfc3164'
> > 5033.190775196:main thread : pmrfc3164.c: pmrfc3164: free parser
> instance 0x55dc13db8c50
> > 5033.190782063:main thread : modules.c: file rsyslogd.c released
> module 'lmnet', reference count now 4
> > 5033.190784438:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 4
> > 5033.190786550:main thread : modules.c: Unloading module
> builtin:omfile
> > 5033.190789213:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 4
> > 5033.190791251:main thread : modules.c: Unloading module
> builtin:ompipe
> > 5033.190793495:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 4
> > 5033.190795495:main thread : modules.c: Unloading module builtin-shell
> > 5033.190797779:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 4
> > 5033.190799779:main thread : modules.c: Unloading module
> builtin:omdiscard
> > 5033.190801963:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 4
> > 5033.190803931:main thread : modules.c: Unloading module builtin:omfwd
> > 5033.190806440:main thread : modules.c: file omfwd.c released module
> 'lmnet', reference count now 3
> > 5033.190808989:main thread : modules.c: file omfwd.c released module
> 'lmnetstrms', reference count now 4
> > 5033.190811446:main thread : modules.c: file omfwd.c released module
> 'lmnetstrms', reference count now 3
> > 5033.190813714:main thread : modules.c: file omfwd.c released module
> 'lmtcpclt', reference count now 0
> > 5033.190815745:main thread : modules.c: module 'lmtcpclt' has zero
> reference count, unloading...
> > 5033.190817745:main thread : modules.c: Unloading module lmtcpclt
> > 5033.190839888:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 3
> > 5033.190843191:main thread : modules.c: Unloading module
> builtin:omusrmsg
> > 5033.190845438:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 3
> > 5033.190847453:main thread : modules.c: Unloading module
> builtin:pmrfc5424
> > 5033.190850027:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 3
> > 5033.190852192:main thread : modules.c: Unloading module
> builtin:pmrfc3164
> > 5033.190854646:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 3
> > 5033.190856622:main thread : modules.c: Unloading module
> builtin:smfile
> > 5033.190859169:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 3
> > 5033.190861201:main thread : modules.c: Unloading module
> builtin:smtradfile
> > 5033.190863571:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 3
> > 5033.190865540:main thread : modules.c: Unloading module builtin:smfwd
> > 5033.190867983:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 3
> > 5033.190870023:main thread : modules.c: Unloading module
> builtin:smtradfwd
> > 5033.190876126:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 3
> > 5033.190878217:main thread : modules.c: Unloading module immark.so
> > 5033.190900578:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 3
> > 5033.190903458:main thread : modules.c: Unloading module imuxsock.so
> > 5033.190929023:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 3
> > 5033.190931871:main thread : modules.c: Unloading module imklog.so
> > 5033.190944049:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 3
> > 5033.190946751:main thread : modules.c: module lmnetstrms NOT
> unloaded because it still has a refcount of 3
> > 5033.190948843:main thread : modules.c: module lmtcpsrv NOT unloaded
> because it still has a refcount of 2
> > 5033.190950930:main thread : modules.c: Unloading module imtcp
> > 5033.190954270:main thread : modules.c: file imtcp.c released module
> 'lmnet', reference count now 2
> > 5033.190956666:main thread : modules.c: file imtcp.c released module
> 'lmnetstrms', reference count now 2
> > 5033.190959070:main thread : modules.c: file imtcp.c released module
> 'lmtcpsrv', reference count now 1
> > 5033.190961401:main thread : modules.c: file imtcp.c released module
> 'lmtcpsrv', reference count now 0
> > 5033.190963424:main thread : modules.c: module 'lmtcpsrv' has zero
> reference count, unloading...
> > 5033.190965470:main thread : modules.c: Unloading module lmtcpsrv
> > 5033.191000080:main thread : tcpsrv.c: tcpsrv: info: worker 0 was
> called 0 times
> > 5033.191022031:main thread : tcpsrv.c: tcpsrv: info: worker 1 was
> called 0 times
> > 5033.191042824:main thread : tcpsrv.c: tcpsrv: info: worker 2 was
> called 0 times
> > 5033.191077377:main thread : tcpsrv.c: tcpsrv: info: worker 3 was
> called 0 times
> > 5033.191082074:main thread : modules.c: file tcpsrv.c released module
> 'lmnetstrms', reference count now 1
> > 5033.191084651:main thread : modules.c: file tcpsrv.c released module
> 'lmnet', reference count now 1
> > 5033.191087761:main thread : modules.c: file tcps_sess.c released
> module 'lmnetstrms', reference count now 0
> > 5033.191089779:main thread : modules.c: module 'lmnetstrms' has zero
> reference count, unloading...
> > 5033.191091922:main thread : modules.c: Unloading module lmnetstrms
> > 5033.191128059:main thread : modules.c: module lmnet NOT unloaded
> because it still has a refcount of 1
> > 5033.191131700:main thread : modules.c: file conf.c released module
> 'lmnet', reference count now 0
> > 5033.191133723:main thread : modules.c: module 'lmnet' has zero
> reference count, unloading...
> > 5033.191135781:main thread : modules.c: Unloading module lmnet
> > 5033.191152212:main thread : strgen.c: destructing strgen
> 'RSYSLOG_FileFormat'
> > 5033.191155173:main thread : strgen.c: destructing strgen
> 'RSYSLOG_TraditionalFileFormat'
> > 5033.191157204:main thread : strgen.c: destructing strgen
> 'RSYSLOG_ForwardFormat'
> > 5033.191159298:main thread : strgen.c: destructing strgen
> 'RSYSLOG_TraditionalForwardFormat'
> > 5033.191164325:main thread : rsyslog.c: rsyslog runtime
> de-initialized, current users 0
> > 5033.191166536:main thread : rsyslogd.c: Clean shutdown completed, bye
> >
> > -----Original Message-----
> > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > Sent: Thursday, May 26, 2022 12:54 PM
> > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> >
> > Can you do a debug log on the server side, make sure TLS is enabled and run rsyslog through the startup phase? I would assume that we see useful information.
> >
> > quick doc:
> > https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html
> >
> > Rainer
> >
> > On Thu, 26 May 2022 at 8:18, Grzegorz Zalewski via rsyslog
> > (<rsyslog@lists.adiscon.com>) wrote:
> > >
> > > Hi
> > >
> > > When I turn off TLS it works fine :/
> > >
> > > I don't see any errors in the server logs
> > >
> > > -----Original Message-----
> > > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > > Sent: Wednesday, May 25, 2022 6:39 PM
> > > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> > >
> > > This looks like the server is not using TLS. Any rsyslog error messages in the server log?
> > >
> > > Rainer
> > >
> > > On Wed, 25 May 2022 at 15:02, Grzegorz Zalewski via rsyslog
> > > (<rsyslog@lists.adiscon.com>) wrote:
> > > >
> > > > Hi
> > > > My version of rsyslogd on log server:
> > > > rsyslogd 8.2106.0 (aka 2021.06) compiled with:
> > > > PLATFORM: x86_64-suse-linux-gnu
> > > > PLATFORM (lsb_release -d):
> > > > FEATURE_REGEXP: Yes
> > > > GSSAPI Kerberos 5 support: Yes
> > > > FEATURE_DEBUG (debug build, slow code): No
> > > > 32bit Atomic operations supported: Yes
> > > > 64bit Atomic operations supported: Yes
> > > > memory allocator: system default
> > > > Runtime Instrumentation (slow code): No
> > > > uuid support: Yes
> > > > systemd support: Yes
> > > > Config file: /etc/rsyslog.conf
> > > > PID file: /var/run/rsyslogd.pid
> > > > Number of Bits in RainerScript integers: 64
> > > >
> > > > # ######### Receiving Messages from Remote Hosts ##########.
> > > > ########### Encrypting Syslog Traffic with TLS ##########
> > > > # -- TLS Syslog Server:.
> > > > ## make gtls driver the default
> > > > $DefaultNetstreamDriver gtls
> > > > #
> > > > ## certificate files
> > > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_server.pem
> > > > $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server.pem
> > > > $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server.pem
> > > >
> > > > $ModLoad imtcp # load TCP listener
> > > > #
> > > > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
> > > > #$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
> > > > $InputTCPServerStreamDriverAuthMode x509/name
> > > > $InputTCPServerStreamDriverPermittedPeer *.domain.com
> > > > $InputTCPServerRun 514 # start up listener at port 10514
> > > > #
> > > > #$EscapeControlCharactersOnReceive off
> > > > #$Escape8BitCharactersOnReceive off
> > > >
> > > > $template RemoteServer, "/var/log/%HOSTNAME%/%SYSLOGFACILITY-TEXT%.log"
> > > > *.* ?RemoteServer
> > > >
> > > > Client conf:
> > > > # certificate files - just CA for a client
> > > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_client.pem
> > > >
> > > > # set up the action
> > > > $DefaultNetstreamDriver gtls # use gtls netstream driver
> > > > $ActionSendStreamDriverMode 1 # require TLS for the connection
> > > > $ActionSendStreamDriverAuthMode x509/name
> > > >
> > > > #$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
> > > >
> > > > # Only send log to SERVER.EXAMPLE.COM host
> > > > $ActionSendStreamDriverPermittedPeer server.domain.com
> > > > *.* @@(o) server.domain.com:514 # send (all) messages
> > > >
> > > > What I have in the log on the server:
> > > > 2022-05-25T14:44:32.782021+02:00 client.domain.com
> #010#005#005#003#010#010#006#001#010#013#010#006#006#003#002#001#002#003#000#026#000#000#000#027#000#000#000##000#000.#001#000#001#000#000#000#000#034#000#032#000#000#027server.
> > > > domain.coml#000#034#000#002@
> > > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> #026#003#001#000.#001#000#000.#003#003·...?#030J#026#004..#037)#021n.#030..#021..rw..F..#000#0002.,?...
> > > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > > > .+...#011.0?.#024./.#023#000...#0005#000...#000/#000...#0009#000..
> > > > .#
> > > > 00
> > > > 03#001#000#000.#000#005#000#005#001#000#000#000#000
> > > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > > > #000#026#000#024#000#027#000#030#000#031#000#035#000#036#001#000#0
> > > > 01
> > > > #0
> > > > 01#001#002#001#003#001#004#000#013#000#002#001#000#000#015#000"#00
> > > > 0
> > > > #004#001#010#011#010#004#004#003#010#007#00
> > > > 5#001#010
> > > >
> > > > Before 15 May it was working fine.
> > > > I don't have any idea what is wrong.
> > > >
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
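The `#026#003#001` runs in the stored messages quoted above are the signature of a TLS handshake that the receiver logged as if it were plain syslog text. The following check is an added example, not code from the thread or from rsyslog: it assumes the `#` plus three octal digits escaping visible in those lines, and the sample lines and host name are constructed.

```python
import re

# Control bytes appear in the stored message as '#' plus three octal digits,
# the form visible in the thread's log lines (e.g. #026#003#001).
ESCAPE = re.compile(rb"#([0-3][0-7]{2})")

HANDSHAKE_RECORD = 0x16                      # TLS record content type "handshake"
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello"}
MAX_RECORD_LEN = 2 ** 14                     # upper bound for a plaintext TLS record


def unescape(msg: str) -> bytes:
    """Turn '#NNN' octal escapes back into raw bytes; other characters stay."""
    raw = msg.encode("latin-1", errors="replace")
    return ESCAPE.sub(lambda m: bytes([int(m.group(1), 8)]), raw)


def find_tls_record(data: bytes):
    """Return (offset, (major, minor), handshake_name) for the first TLS
    handshake record header found in data, or None if there is none."""
    for i in range(len(data) - 5):
        if data[i] != HANDSHAKE_RECORD:
            continue
        major, minor = data[i + 1], data[i + 2]
        if major != 0x03 or minor > 0x04:
            continue
        length = int.from_bytes(data[i + 3:i + 5], "big")
        hs_type = data[i + 5]
        if 0 < length <= MAX_RECORD_LEN and hs_type in HANDSHAKE_TYPES:
            return i, (major, minor), HANDSHAKE_TYPES[hs_type]
    return None


def scan(lines):
    """Scan 'timestamp host message' log lines and report every message
    that is really a TLS handshake written out as text."""
    findings = []
    for line in lines:
        parts = line.rstrip("\n").split(" ", 2)
        if len(parts) < 3:
            continue
        timestamp, host, msg = parts
        hit = find_tls_record(unescape(msg))
        if hit:
            offset, version, hs_name = hit
            findings.append({
                "timestamp": timestamp,
                "host": host,
                "offset": offset,
                "record_version": version,
                "handshake": hs_name,
            })
    return findings


# Constructed sample lines (not taken from a real system).
SAMPLE = [
    # Record header 16 03 01 00 2e, then ClientHello (01) with length 00 00 2a.
    "2022-05-25T14:44:32.887714+02:00 client.example.test "
    "#026#003#001#000.#001#000#000*#003#003#037)#021n",
    # Ordinary syslog message.
    "2022-05-25T14:44:33.102001+02:00 client.example.test "
    "sshd[811]: Accepted publickey for root",
    # Contains escape-like text but no TLS record header.
    "2022-05-25T14:44:34.000410+02:00 client.example.test "
    "app: ticket #026 closed, see #003",
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f['timestamp']} {f['host']}: TLS {f['handshake']} "
              f"(record version {f['record_version'][0]}.{f['record_version'][1]}) "
              f"stored as plaintext")
```

A hit means the sender spoke TLS while the listener on that port treated the stream as plain TCP, so the receiving side's stream driver settings are the place to look.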
Re: Rsyslog bad external log encoding ?????? [ In reply to ]
Was removed when I tested it

Pozdrawiam/ Best regards,

Grzegorz Zalewski
IT Security Specialist
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
Sent: Friday, May 27, 2022 7:57 AM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????


It's commented out... Remove hash marks.
Sent from phone, thus brief.

Grzegorz Zalewski via rsyslog <rsyslog@lists.adiscon.com> wrote on Fri, 27 May 2022, 07:45:
I put it at the top of my /etc/rsyslog.d/my.conf file

When I put

#$DebugFile /var/log/rsyslog.debug
#$DebugLevel 2

at the top of rsyslogd.conf, nothing happens. No new logs in the debug file?


-----Original Message-----
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
Sent: Thursday, May 26, 2022 6:33 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????

Did you use the regular method right at the top of rsyslog.conf? I ask because only the shutdown can be seen, not the startup.

Rainer

On Thu, 26 May 2022 at 13:21, Grzegorz Zalewski via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Debug log:
>
> 5028.756561447:main thread : rsyslogd.c:
> 5028.756591154:main thread : rsyslogd.c:
> 5028.756599828:main thread : rsyslogd.c: ********************************************************************************
> 5028.756602615:main thread : rsyslogd.c: Switching debugging_on to true at 08:03:48
> 5028.756604775:main thread : rsyslogd.c: ********************************************************************************
> 5028.756609995:main thread : janitor.c: janitorRun() called
> 5033.189177560:main thread : rsyslogd.c: DoDie called.
> 5033.189238695:main thread : rsyslogd.c: awaking mainthread
> 5033.189262942:main thread : janitor.c: janitorRun() called
> 5033.189269019:main thread : errmsg.c: Called LogMsg, msg: rsyslogd shutting down
> 5033.189271584:main thread : operatingstate.c: osf: MSG rsyslogd shutting down: signaling new internal message via SIGTTOU: 'rsyslogd shutting down [v8.2106.0 try https://www.rsyslog.com/e/0 ]'
> 5033.189289381:main thread : rsyslogd.c: exiting on signal 2
> 5033.189291603:main thread : rsyslogd.c: Terminating input threads...
> 5033.189295410:main thread : ../threads.c: request term via SIGTTIN for input thread 'immark' 0x7ffab236f700
> 5033.189298582:main thread : ../threads.c: thread immark: initiating termination, timeout 1000 ms
> 5033.189348883:immark.c : ../threads.c: thrdStarter: usrThrdMain immark - 0x7ffab236f700 returned with iRet 0, exiting now.
> 5033.189379910:main thread : ../threads.c: non-cancel input thread termination succeeded for thread immark 0x7ffab236f700
> 5033.189585841:main thread : ../threads.c: request term via SIGTTIN for input thread 'imuxsock' 0x7ffab1f6e700
> 5033.189589416:main thread : ../threads.c: thread imuxsock: initiating termination, timeout 1000 ms
> 5033.189613241:imuxsock.c : ../threads.c: thrdStarter: usrThrdMain imuxsock - 0x7ffab1f6e700 returned with iRet 0, exiting now.
> 5033.189653202:main thread : ../threads.c: non-cancel input thread termination succeeded for thread imuxsock 0x7ffab1f6e700
> 5033.189665632:main thread : imuxsock.c: imuxsock: unlinking unix socket file[0] /dev/log
> 5033.189678050:main thread : ../threads.c: request term via canceling for input thread imklog
> 5033.189730551:main thread : ../threads.c: request term via SIGTTIN for input thread 'imtcp' 0x7ffab176c700
> 5033.189734384:main thread : ../threads.c: thread imtcp: initiating termination, timeout 1000 ms
> 5033.189757496:imtcp.c : nsdsel_ptcp.c: nsdsel_ptcp received EINTR
> 5033.189774472:imtcp.c : tcpsrv.c: tcpsrv terminating, waiting for 0 workers
> 5033.189778040:imtcp.c : ../threads.c: thrdStarter: usrThrdMain imtcp - 0x7ffab176c700 returned with iRet 0, exiting now.
> 5033.189787733:main thread : ../threads.c: non-cancel input thread termination succeeded for thread imtcp 0x7ffab176c700
> 5033.189862021:main thread : modules.c: file netstrms.c released module 'lmnsd_gtls', reference count now 1
> 5033.189873247:main thread : iminternal.c: signaling new internal message via SIGTTOU: '[origin software="rsyslogd" swVersion="8.2106.0" x-pid="19998" x-info="https://www.rsyslog.com"] exiting on signal 2.'
> 5033.190033534:main thread : rsyslogd.c: Terminating main queue...
> 5033.190038517:main thread : main Q: queue.c: shutdown: begin to destruct queue
> 5033.190041457:main thread : main Q: queue.c: initiating worker thread shutdown sequence 0x55dc13dff4d0
> 5033.190043715:main thread : main Q: queue.c: trying shutdown of regular workers
> 5033.190050545:main thread : wti.c: sent SIGTTIN to worker thread 0x7ffaa3fff700
> 5033.190054214:main thread : wtp.c: main Q:Reg: waiting 1499ms on worker thread termination, 1 still running
> 5033.190070048:main Q:Reg/w0 : wti 0x55dc13e0df60: wti.c: worker awoke from idle processing
> 5033.190074442:main Q:Reg/w0 : queue.c: DeleteProcessedBatch: we deleted 0 objects and enqueued 0 objects
> 5033.190076537:main Q:Reg/w0 : queue.c: rger: deleteBatchFromQStore, nElem 0
> 5033.190079265:main Q:Reg/w0 : queue.c: doDeleteBatch: delete batch from store, new sizes: log 0, phys 0
> 5033.190082092:main Q:Reg/w0 : main Q: queue.c: dequeued 0 consumable elements, szlog 0 sz phys 0
> 5033.190103817:main Q:Reg/w0 : queue.c: regular consumer finished, iret=4, szlog 0 sz phys 0
> 5033.190106754:main Q:Reg/w0 : wti 0x55dc13e0df60: wti.c: terminating worker terminateRet=5, bInactivityTOOccured=0
> 5033.190109572:main Q:Reg/w0 : wti.c: DDDD: wti 0x55dc13e0df60: worker cleanup action instances
> 5033.190111828:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 0, ptr 0x7ffa98000f30
> 5033.190115766:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 1, ptr 0x7ffa98001190
> 5033.190143536:main Q:Reg/w0 : modules.c: file netstrms.c released module 'lmnsd_gtls', reference count now 0
> 5033.190147864:main Q:Reg/w0 : modules.c: module 'lmnsd_gtls' has zero reference count, unloading...
> 5033.190150937:main Q:Reg/w0 : modules.c: Unloading module lmnsd_gtls
> 5033.190165121:main Q:Reg/w0 : modules.c: file nsdsel_gtls.c released module 'lmnsd_ptcp', reference count now 1
> 5033.190206154:main Q:Reg/w0 : modules.c: file nsd_gtls.c released module 'lmnsd_ptcp', reference count now 0
> 5033.190208707:main Q:Reg/w0 : modules.c: module 'lmnsd_ptcp' has zero reference count, unloading...
> 5033.190210845:main Q:Reg/w0 : modules.c: Unloading module lmnsd_ptcp
> 5033.190215279:main Q:Reg/w0 : modules.c: file nsd_ptcp.c released module 'lmnetstrms', reference count now 5
> 5033.190245353:main Q:Reg/w0 : modules.c: file nsd_gtls.c released module 'lmnet', reference count now 5
> 5033.190251310:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 2, ptr (nil)
> 5033.190253540:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 3, ptr (nil)
> 5033.190255659:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 4, ptr (nil)
> 5033.190257753:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 5, ptr (nil)
> 5033.190259842:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 6, ptr (nil)
> 5033.190262021:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 7, ptr (nil)
> 5033.190264115:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 8, ptr (nil)
> 5033.190266224:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 9, ptr (nil)
> 5033.190268445:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 10, ptr (nil)
> 5033.190270854:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 11, ptr (nil)
> 5033.190272890:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 12, ptr (nil)
> 5033.190274894:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 13, ptr (nil)
> 5033.190276953:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 14, ptr 0x7ffa98005980
> 5033.190280073:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 15, ptr (nil)
> 5033.190282197:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 16, ptr (nil)
> 5033.190284591:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 17, ptr (nil)
> 5033.190286640:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 18, ptr (nil)
> 5033.190289919:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60: exiting
> 5033.190292908:main Q:Reg/w0 : wtp.c: main Q:Reg: Worker thread 55dc13e0df60, terminated, num workers now 0
> 5033.190364038:main thread : wti.c: sent SIGTTIN to worker thread 0x7ffaa3fff700
> 5033.190368540:main thread : main Q: queue.c: regular queue workers shut down.
> 5033.190371158:main thread : main Q: queue.c: checking to see if we need to cancel any worker threads of the primary queue
> 5033.190374081:main thread : wti.c: main Q:Reg/w0: joining terminated worker
> 5033.190376375:main thread : wti.c: main Q:Reg/w0: worker fully terminated
> 5033.190378718:main thread : main Q: queue.c: worker threads terminated, remaining queue size log 0, phys 0.
> 5033.190385043:main thread : main Q: queue.c: queue (type 0) will lose 0 messages, destroying...
> 5033.190400418:main thread : rsyslogd.c: Terminating outputs...
> 5033.190404021:main thread : ruleset.c: rulesetDestructAllActions
> 5033.190406235:main thread : ruleset.c: destructAllActions: queue shutdown
> 5033.190408990:main thread : ruleset.c: shutting down queue workers for ruleset 0x55dc13db9520, name RSYSLOG_DefaultRuleset, queue (nil)
> 5033.190411048:main thread : ruleset.c: destructAllActions: action and conf stmt shutdown
> 5033.190422196:main thread : ruleset.c: shutting down actions and conf stmts for ruleset 0x55dc13db9520, name RSYSLOG_DefaultRuleset
> 5033.190426463:main thread : action-0-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> 5033.190431381:main thread : omfile.c: Removing entry 0 for file '/var/log/server/syslog.log' from dynaCache.
> 5033.190439324:main thread : strm 0x7ffa980059d0: stream.c: file 13(/var/log/server/syslog.log) closing, bDeleteOnClose 0
> 5033.190442130:main thread : strm 0x7ffa980059d0: stream.c: strmFlushinternal: file 13(/var/log/server/syslog.log) flush, buflen 0 (no need to flush)
> 5033.190444280:main thread : strm 0x7ffa980059d0: stream.c: file 13(/var/log/server/syslog.log) closing
> 5033.190451652:main thread : omfile.c: Removing entry 1 for file '/var/log/client.domain.com/user.log' from dynaCache.
> 5033.190454065:main thread : strm 0x7ffa9800a950: stream.c: file 16(/var/log/client.domain.com/user.log) closing, bDeleteOnClose 0
> 5033.190456336:main thread : strm 0x7ffa9800a950: stream.c: strmFlushinternal: file 16(/var/log/client.domain.com/user.log) flush, buflen 0 (no need to flush)
> 5033.190458429:main thread : strm 0x7ffa9800a950: stream.c: file 16(/var/log/client.domain.com/user.log) closing
> 5033.190463135:main thread : omfile.c: Removing entry 2 for file '/var/log/server/auth.log' from dynaCache.
> 5033.190465460:main thread : strm 0x7ffa9800cde0: stream.c: file 17(/var/log/server/auth.log) closing, bDeleteOnClose 0
> 5033.190467628:main thread : strm 0x7ffa9800cde0: stream.c: strmFlushinternal: file 17(/var/log/server/auth.log) flush, buflen 0 (no need to flush)
> 5033.190470101:main thread : strm 0x7ffa9800cde0: stream.c: file 17(/var/log/server/auth.log) closing
> 5033.190475382:main thread : omfile.c: Removing entry 3 for file '/var/log/server/authpriv.log' from dynaCache.
> 5033.190477683:main thread : strm 0x7ffa9800f130: stream.c: file 18(/var/log/server/authpriv.log) closing, bDeleteOnClose 0
> 5033.190479851:main thread : strm 0x7ffa9800f130: stream.c: strmFlushinternal: file 18(/var/log/server/authpriv.log) flush, buflen 0 (no need to flush)
> 5033.190481986:main thread : strm 0x7ffa9800f130: stream.c: file 18(/var/log/server/authpriv.log) closing
>
> -----Original Message-----
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Sent: Thursday, May 26, 2022 12:54 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
>
> Can you do a debug log on the server side, make sure TLS is enabled, and run rsyslog through the startup phase? I would assume that we see useful information.
>
> quick doc:
> https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html
>
> Rainer
>
> On Thu, 26 May 2022 at 8:18, Grzegorz Zalewski via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
> >
> > Hi
> >
> > When I turn off TLS, it works fine :/
> >
> > I don't see any errors in the server logs
> >
> > -----Original Message-----
> > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > Sent: Wednesday, May 25, 2022 6:39 PM
> > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> >
> > This looks like the server is not using TLS. Any rsyslog error messages in the server log?
> >
> > Rainer
> >
> > On Wed, 25 May 2022 at 15:02, Grzegorz Zalewski via rsyslog
> > (<rsyslog@lists.adiscon.com>) wrote:
> > >
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
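
The diagnosis quoted in this thread ("This looks like the server is not using TLS") can be checked against the stored log lines themselves: a TLS ClientHello that reaches a plaintext listener is written to the file with its control bytes escaped. The following is an added example, not code from the thread or from rsyslog; the function names and sample lines are constructed for illustration, and it assumes the default escaping of control characters as '#' plus three octal digits and a "timestamp host message" file layout.

```python
import re

# Assumption: default rsyslog escaping, each control byte written as '#'
# followed by three octal digits (0x16 becomes "#026").
ESCAPE = re.compile(r"#([0-3][0-7]{2})")

# TLS record header: content type 22 (handshake), version 3.x, 2-byte length,
# immediately followed by handshake type 1 (ClientHello).
CLIENT_HELLO = re.compile(rb"\x16\x03[\x00-\x04].{2}\x01", re.DOTALL)

VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# Constructed sample lines (not taken from the thread).
SAMPLE = [
    "2022-05-25T14:44:32.887714+02:00 client.example.test "
    "#026#003#001#000Z#001#000#000V#003#003abcdefgh",
    "2022-05-25T14:44:32.887714+02:00 client.example.test "
    "#000#027#000#030#000#031#000#035#000#036",
    "2022-05-25T14:44:33.000000+02:00 client.example.test "
    "sshd[812]: Accepted publickey for ops from 192.0.2.10",
    "2022-05-25T14:44:34.000000+02:00 client.example.test app: col1#011col2",
]


def unescape(text):
    """Reverse the #NNN escapes; every other character becomes one byte.

    A literal '#' followed by three octal digits in a genuine message is
    indistinguishable from an escape and is decoded as well.
    """
    out = bytearray()
    pos = 0
    for match in ESCAPE.finditer(text):
        out += text[pos:match.start()].encode("latin-1", "replace")
        out.append(int(match.group(1), 8))
        pos = match.end()
    out += text[pos:].encode("latin-1", "replace")
    return bytes(out)


def classify(message):
    """Return (verdict, detail) for suspicious messages, None otherwise."""
    raw = unescape(message)
    match = CLIENT_HELLO.search(raw)
    if match:
        hello = raw[match.start():]
        record = VERSIONS[hello[2]]
        # The client's legacy_version follows the 5-byte record header and
        # the 4-byte handshake header.
        offered = "unknown"
        if len(hello) > 10 and hello[9] == 3:
            offered = VERSIONS.get(hello[10], "unknown")
        return "tls-client-hello", f"record {record}, client offers {offered}"
    # A line feed inside the handshake ends the syslog frame, so the rest of
    # the handshake arrives as separate messages without a record header.
    # Tabs are ignored because ordinary messages contain them.
    control = sum(1 for byte in raw if byte < 0x20 and byte != 0x09)
    if raw and control / len(raw) >= 0.3:
        return "binary-fragment", f"{control} of {len(raw)} bytes are control characters"
    return None


def scan(lines):
    """Return (host, verdict, detail) for every suspicious log line."""
    findings = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        _timestamp, host, message = parts
        verdict = classify(message)
        if verdict:
            findings.append((host, verdict[0], verdict[1]))
    return findings


if __name__ == "__main__":
    for host, verdict, detail in scan(SAMPLE):
        print(f"{host}: {verdict} ({detail})")
```

A "tls-client-hello" finding means the sender spoke TLS while the listener that accepted the connection treated the bytes as plain syslog, so the listener's stream driver settings are the place to look.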
Re: Rsyslog bad external log encoding ??????
Hi

Full debug log is here:

https://zerobin.net/?f2f43cf8cb4d97f5#7sHvQif7JI1F33B2zSaD8YVZpC2/anbBr2vMPG1k6Vk=

-----Original Message-----
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
Sent: Thursday, May 26, 2022 6:33 PM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????

Did you use the regular method right at the top of rsyslog.conf? I ask because only the shutdown can be seen, not the startup.

Rainer

On Thu, 26 May 2022 at 13:21, Grzegorz Zalewski via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Debug log:
>
> 5033.190661614:main thread : action-13-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> 5033.190664900:main thread : action-14-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> 5033.190668788:main thread : strm 0x7ffa98007dd0: stream.c: file 14(/var/log/messages) closing, bDeleteOnClose 0
> 5033.190671084:main thread : strm 0x7ffa98007dd0: stream.c: strmFlushinternal: file 14(/var/log/messages) flush, buflen 0 (no need to flush)
> 5033.190673278:main thread : strm 0x7ffa98007dd0: stream.c: file 14(/var/log/messages) closing
> 5033.190678652:main thread : action-15-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> 5033.190682221:main thread : action-16-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> 5033.190686134:main thread : action-17-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> 5033.190689802:main thread : action-18-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> 5033.190697344:main thread : ruleset.c: destructing ruleset 0x55dc13db9520, name 0x55dc13db9560
> 5033.190700295:main thread : rsyslogd.c: all primary multi-thread sources have been terminated - now doing aux cleanup...
> 5033.190702315:main thread : rsyslogd.c: destructing current config...
> 5033.190704909:main thread : rsconf.c: calling freeCnf(0x55dc13db75a0) for module 'builtin:omfile'
> 5033.190707318:main thread : rsconf.c: calling freeCnf(0x55dc13db7770) for module 'builtin:ompipe'
> 5033.190709986:main thread : rsconf.c: calling freeCnf(0x55dc13db8770) for module 'builtin:omfwd'
> 5033.190713355:main thread : rsconf.c: calling freeCnf(0x55dc13dc7750) for module 'immark.so'
> 5033.190716019:main thread : rsconf.c: calling freeCnf(0x55dc13dc9610) for module 'imuxsock.so'
> 5033.190718553:main thread : rsconf.c: calling freeCnf(0x55dc13dca860) for module 'imklog.so'
> 5033.190721080:main thread : rsconf.c: calling freeCnf(0x55dc13dce700) for module 'imtcp'
> 5033.190770096:main thread : parser.c: destructing parser 'rsyslog.rfc5424'
> 5033.190772594:main thread : parser.c: destructing parser 'rsyslog.rfc3164'
> 5033.190775196:main thread : pmrfc3164.c: pmrfc3164: free parser instance 0x55dc13db8c50
> 5033.190782063:main thread : modules.c: file rsyslogd.c released module 'lmnet', reference count now 4
> 5033.190784438:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> 5033.190786550:main thread : modules.c: Unloading module builtin:omfile
> 5033.190789213:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> 5033.190791251:main thread : modules.c: Unloading module builtin:ompipe
> 5033.190793495:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> 5033.190795495:main thread : modules.c: Unloading module builtin-shell
> 5033.190797779:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> 5033.190799779:main thread : modules.c: Unloading module builtin:omdiscard
> 5033.190801963:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> 5033.190803931:main thread : modules.c: Unloading module builtin:omfwd
> 5033.190806440:main thread : modules.c: file omfwd.c released module 'lmnet', reference count now 3
> 5033.190808989:main thread : modules.c: file omfwd.c released module 'lmnetstrms', reference count now 4
> 5033.190811446:main thread : modules.c: file omfwd.c released module 'lmnetstrms', reference count now 3
> 5033.190813714:main thread : modules.c: file omfwd.c released module 'lmtcpclt', reference count now 0
> 5033.190815745:main thread : modules.c: module 'lmtcpclt' has zero reference count, unloading...
> 5033.190817745:main thread : modules.c: Unloading module lmtcpclt
> 5033.190839888:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190843191:main thread : modules.c: Unloading module builtin:omusrmsg
> 5033.190845438:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190847453:main thread : modules.c: Unloading module builtin:pmrfc5424
> 5033.190850027:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190852192:main thread : modules.c: Unloading module builtin:pmrfc3164
> 5033.190854646:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190856622:main thread : modules.c: Unloading module builtin:smfile
> 5033.190859169:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190861201:main thread : modules.c: Unloading module builtin:smtradfile
> 5033.190863571:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190865540:main thread : modules.c: Unloading module builtin:smfwd
> 5033.190867983:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190870023:main thread : modules.c: Unloading module builtin:smtradfwd
> 5033.190876126:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190878217:main thread : modules.c: Unloading module immark.so
> 5033.190900578:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190903458:main thread : modules.c: Unloading module imuxsock.so
> 5033.190929023:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190931871:main thread : modules.c: Unloading module imklog.so
> 5033.190944049:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> 5033.190946751:main thread : modules.c: module lmnetstrms NOT unloaded because it still has a refcount of 3
> 5033.190948843:main thread : modules.c: module lmtcpsrv NOT unloaded because it still has a refcount of 2
> 5033.190950930:main thread : modules.c: Unloading module imtcp
> 5033.190954270:main thread : modules.c: file imtcp.c released module 'lmnet', reference count now 2
> 5033.190956666:main thread : modules.c: file imtcp.c released module 'lmnetstrms', reference count now 2
> 5033.190959070:main thread : modules.c: file imtcp.c released module 'lmtcpsrv', reference count now 1
> 5033.190961401:main thread : modules.c: file imtcp.c released module 'lmtcpsrv', reference count now 0
> 5033.190963424:main thread : modules.c: module 'lmtcpsrv' has zero reference count, unloading...
> 5033.190965470:main thread : modules.c: Unloading module lmtcpsrv
> 5033.191000080:main thread : tcpsrv.c: tcpsrv: info: worker 0 was called 0 times
> 5033.191022031:main thread : tcpsrv.c: tcpsrv: info: worker 1 was called 0 times
> 5033.191042824:main thread : tcpsrv.c: tcpsrv: info: worker 2 was called 0 times
> 5033.191077377:main thread : tcpsrv.c: tcpsrv: info: worker 3 was called 0 times
> 5033.191082074:main thread : modules.c: file tcpsrv.c released module 'lmnetstrms', reference count now 1
> 5033.191084651:main thread : modules.c: file tcpsrv.c released module 'lmnet', reference count now 1
> 5033.191087761:main thread : modules.c: file tcps_sess.c released module 'lmnetstrms', reference count now 0
> 5033.191089779:main thread : modules.c: module 'lmnetstrms' has zero reference count, unloading...
> 5033.191091922:main thread : modules.c: Unloading module lmnetstrms
> 5033.191128059:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 1
> 5033.191131700:main thread : modules.c: file conf.c released module 'lmnet', reference count now 0
> 5033.191133723:main thread : modules.c: module 'lmnet' has zero reference count, unloading...
> 5033.191135781:main thread : modules.c: Unloading module lmnet
> 5033.191152212:main thread : strgen.c: destructing strgen 'RSYSLOG_FileFormat'
> 5033.191155173:main thread : strgen.c: destructing strgen 'RSYSLOG_TraditionalFileFormat'
> 5033.191157204:main thread : strgen.c: destructing strgen 'RSYSLOG_ForwardFormat'
> 5033.191159298:main thread : strgen.c: destructing strgen 'RSYSLOG_TraditionalForwardFormat'
> 5033.191164325:main thread : rsyslog.c: rsyslog runtime de-initialized, current users 0
> 5033.191166536:main thread : rsyslogd.c: Clean shutdown completed, bye
>
> -----Original Message-----
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Sent: Thursday, May 26, 2022 12:54 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
>
> can you do a debug log on the server side, make sure TLS is enabled and run rsyslog through the startup phase? I would assume that we see useful information.
>
> quick doc:
> https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html
>
> Rainer
>
> On Thu, 26 May 2022 at 8:18, Grzegorz Zalewski via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
> >
> > Hi
> >
> > When I turn off TLS, it works fine :/
> >
> > I don't see any errors in the server logs
> >
> > -----Original Message-----
> > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > Sent: Wednesday, May 25, 2022 6:39 PM
> > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> >
> > This looks like the server is not using TLS. Any rsyslog error messages in the server log?
> >
> > Rainer
> >
> > On Wed, 25 May 2022 at 15:02, Grzegorz Zalewski via rsyslog
> > (<rsyslog@lists.adiscon.com>) wrote:
> > >
> > > Hi
> > > My version of rsyslogd on log server:
> > > rsyslogd 8.2106.0 (aka 2021.06) compiled with:
> > > PLATFORM: x86_64-suse-linux-gnu
> > > PLATFORM (lsb_release -d):
> > > FEATURE_REGEXP: Yes
> > > GSSAPI Kerberos 5 support: Yes
> > > FEATURE_DEBUG (debug build, slow code): No
> > > 32bit Atomic operations supported: Yes
> > > 64bit Atomic operations supported: Yes
> > > memory allocator: system default
> > > Runtime Instrumentation (slow code): No
> > > uuid support: Yes
> > > systemd support: Yes
> > > Config file: /etc/rsyslog.conf
> > > PID file: /var/run/rsyslogd.pid
> > > Number of Bits in RainerScript integers: 64
> > >
> > > # ######### Receiving Messages from Remote Hosts ##########.
> > > ########### Encrypting Syslog Traffic with TLS ##########
> > > # -- TLS Syslog Server:.
> > > ## make gtls driver the default
> > > $DefaultNetstreamDriver gtls
> > > #
> > > ## certificate files
> > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_server.pem
> > > $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server.pem
> > > $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server.pem
> > >
> > > $ModLoad imtcp # load TCP listener
> > > #
> > > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
> > > #$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
> > > $InputTCPServerStreamDriverAuthMode x509/name
> > > $InputTCPServerStreamDriverPermittedPeer *.domain.com
> > > $InputTCPServerRun 514 # start up listener at port 10514
> > > #
> > > #$EscapeControlCharactersOnReceive off
> > > #$Escape8BitCharactersOnReceive off
> > >
> > > $template RemoteServer, "/var/log/%HOSTNAME%/%SYSLOGFACILITY-TEXT%.log"
> > > *.* ?RemoteServer
> > >
> > > Client conf:
> > > # certificate files - just CA for a client
> > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_client.pem
> > >
> > > # set up the action
> > > $DefaultNetstreamDriver gtls # use gtls netstream driver
> > > $ActionSendStreamDriverMode 1 # require TLS for the connection
> > > $ActionSendStreamDriverAuthMode x509/name
> > >
> > > #$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
> > >
> > > # Only send log to SERVER.EXAMPLE.COM host
> > > $ActionSendStreamDriverPermittedPeer server.domain.com
> > > *.* @@(o) server.domain.com:514 # send (all) messages
> > >
> > > What I have in the log on the server:
> > > 2022-05-25T14:44:32.782021+02:00 client.domain.com #010#005#005#003#010#010#006#001#010#013#010#006#006#003#002#001#002#003#000#026#000#000#000#027#000#000#000##000#000.#001#000#001#000#000#000#000#034#000#032#000#000#027server.
> > > domain.coml#000#034#000#002@
> > > 2022-05-25T14:44:32.887714+02:00 client.domain.com #026#003#001#000.#001#000#000.#003#003·...?#030J#026#004..#037)#021n.#030..#021..rw..F..#000#0002.,?...
> > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > > .+...#011.0?.#024./.#023#000...#0005#000...#000/#000...#0009#000..
> > > .#
> > > 00
> > > 03#001#000#000.#000#005#000#005#001#000#000#000#000
> > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > > #000#026#000#024#000#027#000#030#000#031#000#035#000#036#001#000#0
> > > 01
> > > #0
> > > 01#001#002#001#003#001#004#000#013#000#002#001#000#000#015#000"#00
> > > 0
> > > #004#001#010#011#010#004#004#003#010#007#00
> > > 5#001#010
> > >
> > > Before 15 May it was working fine.
> > > I don’t have any idea what is wrong
> > >
> > > _______________________________________________
> > > rsyslog mailing list
> > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > http://www.rsyslog.com/professional-services/
> > > What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE
> > > WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
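The diagnosis quoted in this thread ("This looks like the server is not using TLS") can be checked mechanically: rsyslog writes control bytes as `#` plus three octal digits, so `#026#003#001` at the start of a message is the TLS record header 0x16 0x03 0x01 (a handshake record) stored as message text. The Python below is an added example, not code from the thread or from rsyslog; the function names are hypothetical and the sample lines are constructed from the fragments shown in the original post.

```python
import re

# rsyslog's default control-character escape: '#' followed by three octal digits.
ESCAPE = re.compile(rb"#([0-3][0-7]{2})")

# TLS record-layer content types (first byte of every TLS record).
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def unescape(msg: str) -> bytes:
    """Turn '#ooo' escapes back into the raw bytes the listener received.

    A literal '#123' in a genuine text message is decoded too; that is
    harmless here because the result is only inspected, never stored.
    """
    raw = msg.encode("utf-8", "replace")
    return ESCAPE.sub(lambda m: bytes([int(m.group(1), 8)]), raw)


def classify(msg: str) -> str:
    """Return 'tls-client-hello', 'tls-record', 'binary-fragment' or 'text'."""
    data = unescape(msg.lstrip())
    # Record header: content type, then protocol version 3.0 .. 3.4.
    if (len(data) >= 3 and data[0] in TLS_CONTENT_TYPES
            and data[1] == 0x03 and data[2] <= 0x04):
        # Byte 5 is the handshake message type (after type, version, length).
        if data[0] == HANDSHAKE and len(data) >= 6 and data[5] == CLIENT_HELLO:
            return "tls-client-hello"
        return "tls-record"
    # A plaintext listener splits the TLS stream on LF bytes, so later pieces
    # do not start with a record header; flag them by control-byte density.
    control = sum(1 for b in data if b < 0x20 and b != 0x09)
    if data and control / len(data) >= 0.3:
        return "binary-fragment"
    return "text"


def scan(lines):
    """Yield (host, verdict) for every stored line that is not ordinary text.

    Assumes the 'timestamp host message' layout seen in the post.
    """
    hits = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        _, host, msg = parts
        verdict = classify(msg)
        if verdict != "text":
            hits.append((host, verdict))
    return hits


# Constructed sample: lines 2 and 3 reuse escape sequences from the post,
# lines 1 and 4 are invented ordinary messages (web01 is a made-up host).
SAMPLE_LINES = [
    "2022-05-25T14:44:31.120000+02:00 client.domain.com sshd[812]: Accepted publickey for admin from 192.0.2.10",
    "2022-05-25T14:44:32.887714+02:00 client.domain.com #026#003#001#000.#001#000#000.#003#003",
    "2022-05-25T14:44:32.887714+02:00 client.domain.com #000#026#000#024#000#027#000#030#000#031#000#035#000#036#001#000",
    "2022-05-25T14:45:00.000000+02:00 web01.domain.com app: ticket #123 closed",
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_LINES):
        print(f"{host}: {verdict} stored as log text; listener is not terminating TLS")
```

A `tls-client-hello` hit for a host means that client is speaking TLS to a listener that is reading the stream as plain syslog, so the place to look is the server's stream-driver settings and its startup messages.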
Re: Rsyslog bad external log encoding ?????? [ In reply to ]
Thx, this looks correct, it's a bit puzzling. Is there a way to
download this file so that I can have a more in-depth look?

In any case, it looks like we need at least one failed message
transfer inside the log. Best also with a client debug log.

Rainer

On Fri, 27 May 2022 at 9:07, Grzegorz Zalewski via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Hi
>
> Full debug log is here:
>
> https://zerobin.net/?f2f43cf8cb4d97f5#7sHvQif7JI1F33B2zSaD8YVZpC2/anbBr2vMPG1k6Vk=
>
> -----Original Message-----
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Sent: Thursday, May 26, 2022 6:33 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
>
> Did you use the regular method right at the top of rsyslog.conf? I ask because only the shutdown can be seen, not the startup.
>
> Rainer
>
> On Thu, 26 May 2022 at 13:21, Grzegorz Zalewski via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
> >
> > Debug log:
> >
> > 5033.190673278:main thread : strm 0x7ffa98007dd0: stream.c: file 14(/var/log/messages) closing
> > 5033.190678652:main thread : action-15-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190682221:main thread : action-16-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190686134:main thread : action-17-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190689802:main thread : action-18-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190697344:main thread : ruleset.c: destructing ruleset 0x55dc13db9520, name 0x55dc13db9560
> > 5033.190700295:main thread : rsyslogd.c: all primary multi-thread sources have been terminated - now doing aux cleanup...
> > 5033.190702315:main thread : rsyslogd.c: destructing current config...
> > 5033.190704909:main thread : rsconf.c: calling freeCnf(0x55dc13db75a0) for module 'builtin:omfile'
> > 5033.190707318:main thread : rsconf.c: calling freeCnf(0x55dc13db7770) for module 'builtin:ompipe'
> > 5033.190709986:main thread : rsconf.c: calling freeCnf(0x55dc13db8770) for module 'builtin:omfwd'
> > 5033.190713355:main thread : rsconf.c: calling freeCnf(0x55dc13dc7750) for module 'immark.so'
> > 5033.190716019:main thread : rsconf.c: calling freeCnf(0x55dc13dc9610) for module 'imuxsock.so'
> > 5033.190718553:main thread : rsconf.c: calling freeCnf(0x55dc13dca860) for module 'imklog.so'
> > 5033.190721080:main thread : rsconf.c: calling freeCnf(0x55dc13dce700) for module 'imtcp'
> > 5033.190770096:main thread : parser.c: destructing parser 'rsyslog.rfc5424'
> > 5033.190772594:main thread : parser.c: destructing parser 'rsyslog.rfc3164'
> > 5033.190775196:main thread : pmrfc3164.c: pmrfc3164: free parser instance 0x55dc13db8c50
> > 5033.190782063:main thread : modules.c: file rsyslogd.c released module 'lmnet', reference count now 4
> > 5033.190784438:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > 5033.190786550:main thread : modules.c: Unloading module builtin:omfile
> > 5033.190789213:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > 5033.190791251:main thread : modules.c: Unloading module builtin:ompipe
> > 5033.190793495:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > 5033.190795495:main thread : modules.c: Unloading module builtin-shell
> > 5033.190797779:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > 5033.190799779:main thread : modules.c: Unloading module builtin:omdiscard
> > 5033.190801963:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > 5033.190803931:main thread : modules.c: Unloading module builtin:omfwd
> > 5033.190806440:main thread : modules.c: file omfwd.c released module 'lmnet', reference count now 3
> > 5033.190808989:main thread : modules.c: file omfwd.c released module 'lmnetstrms', reference count now 4
> > 5033.190811446:main thread : modules.c: file omfwd.c released module 'lmnetstrms', reference count now 3
> > 5033.190813714:main thread : modules.c: file omfwd.c released module 'lmtcpclt', reference count now 0
> > 5033.190815745:main thread : modules.c: module 'lmtcpclt' has zero reference count, unloading...
> > 5033.190817745:main thread : modules.c: Unloading module lmtcpclt
> > 5033.190839888:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190843191:main thread : modules.c: Unloading module builtin:omusrmsg
> > 5033.190845438:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190847453:main thread : modules.c: Unloading module builtin:pmrfc5424
> > 5033.190850027:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190852192:main thread : modules.c: Unloading module builtin:pmrfc3164
> > 5033.190854646:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190856622:main thread : modules.c: Unloading module builtin:smfile
> > 5033.190859169:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190861201:main thread : modules.c: Unloading module builtin:smtradfile
> > 5033.190863571:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190865540:main thread : modules.c: Unloading module builtin:smfwd
> > 5033.190867983:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190870023:main thread : modules.c: Unloading module builtin:smtradfwd
> > 5033.190876126:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190878217:main thread : modules.c: Unloading module immark.so
> > 5033.190900578:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190903458:main thread : modules.c: Unloading module imuxsock.so
> > 5033.190929023:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190931871:main thread : modules.c: Unloading module imklog.so
> > 5033.190944049:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190946751:main thread : modules.c: module lmnetstrms NOT unloaded because it still has a refcount of 3
> > 5033.190948843:main thread : modules.c: module lmtcpsrv NOT unloaded because it still has a refcount of 2
> > 5033.190950930:main thread : modules.c: Unloading module imtcp
> > 5033.190954270:main thread : modules.c: file imtcp.c released module 'lmnet', reference count now 2
> > 5033.190956666:main thread : modules.c: file imtcp.c released module 'lmnetstrms', reference count now 2
> > 5033.190959070:main thread : modules.c: file imtcp.c released module 'lmtcpsrv', reference count now 1
> > 5033.190961401:main thread : modules.c: file imtcp.c released module 'lmtcpsrv', reference count now 0
> > 5033.190963424:main thread : modules.c: module 'lmtcpsrv' has zero reference count, unloading...
> > 5033.190965470:main thread : modules.c: Unloading module lmtcpsrv
> > 5033.191000080:main thread : tcpsrv.c: tcpsrv: info: worker 0 was called 0 times
> > 5033.191022031:main thread : tcpsrv.c: tcpsrv: info: worker 1 was called 0 times
> > 5033.191042824:main thread : tcpsrv.c: tcpsrv: info: worker 2 was called 0 times
> > 5033.191077377:main thread : tcpsrv.c: tcpsrv: info: worker 3 was called 0 times
> > 5033.191082074:main thread : modules.c: file tcpsrv.c released module 'lmnetstrms', reference count now 1
> > 5033.191084651:main thread : modules.c: file tcpsrv.c released module 'lmnet', reference count now 1
> > 5033.191087761:main thread : modules.c: file tcps_sess.c released module 'lmnetstrms', reference count now 0
> > 5033.191089779:main thread : modules.c: module 'lmnetstrms' has zero reference count, unloading...
> > 5033.191091922:main thread : modules.c: Unloading module lmnetstrms
> > 5033.191128059:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 1
> > 5033.191131700:main thread : modules.c: file conf.c released module 'lmnet', reference count now 0
> > 5033.191133723:main thread : modules.c: module 'lmnet' has zero reference count, unloading...
> > 5033.191135781:main thread : modules.c: Unloading module lmnet
> > 5033.191152212:main thread : strgen.c: destructing strgen 'RSYSLOG_FileFormat'
> > 5033.191155173:main thread : strgen.c: destructing strgen 'RSYSLOG_TraditionalFileFormat'
> > 5033.191157204:main thread : strgen.c: destructing strgen 'RSYSLOG_ForwardFormat'
> > 5033.191159298:main thread : strgen.c: destructing strgen 'RSYSLOG_TraditionalForwardFormat'
> > 5033.191164325:main thread : rsyslog.c: rsyslog runtime de-initialized, current users 0
> > 5033.191166536:main thread : rsyslogd.c: Clean shutdown completed, bye
> >
> > -----Original Message-----
> > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > Sent: Thursday, May 26, 2022 12:54 PM
> > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> >
> > can you do a debug log on the server side, make sure TLS is enabled and run rsyslog through the startup phase? I would assume that we see useful information.
> >
> > quick doc:
> > https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html
> >
> > Rainer
> >
> > On Thu, 26 May 2022 at 8:18, Grzegorz Zalewski via rsyslog
> > (<rsyslog@lists.adiscon.com>) wrote:
> > >
> > > Hi
> > >
> > > When I turn off TLS it works fine :/
> > >
> > > I don't see any errors in the server logs
> > >
> > > -----Original Message-----
> > > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > > Sent: Wednesday, May 25, 2022 6:39 PM
> > > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> > >
> > > This looks like the server is not using TLS. Any rsyslog error messages in the server log?
> > >
> > > Rainer
> > >
> > > On Wed, 25 May 2022 at 15:02, Grzegorz Zalewski via rsyslog
> > > (<rsyslog@lists.adiscon.com>) wrote:
> > > >
> > > > Hi
> > > > My version of rsyslogd on log server:
> > > > rsyslogd 8.2106.0 (aka 2021.06) compiled with:
> > > > PLATFORM: x86_64-suse-linux-gnu
> > > > PLATFORM (lsb_release -d):
> > > > FEATURE_REGEXP: Yes
> > > > GSSAPI Kerberos 5 support: Yes
> > > > FEATURE_DEBUG (debug build, slow code): No
> > > > 32bit Atomic operations supported: Yes
> > > > 64bit Atomic operations supported: Yes
> > > > memory allocator: system default
> > > > Runtime Instrumentation (slow code): No
> > > > uuid support: Yes
> > > > systemd support: Yes
> > > > Config file: /etc/rsyslog.conf
> > > > PID file: /var/run/rsyslogd.pid
> > > > Number of Bits in RainerScript integers: 64
> > > >
> > > > # ######### Receiving Messages from Remote Hosts ##########.
> > > > ########### Encrypting Syslog Traffic with TLS ##########
> > > > # -- TLS Syslog Server:.
> > > > ## make gtls driver the default
> > > > $DefaultNetstreamDriver gtls
> > > > #
> > > > ## certificate files
> > > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_server.pem
> > > > $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server.pem
> > > > $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server.pem
> > > >
> > > > $ModLoad imtcp # load TCP listener
> > > > #
> > > > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
> > > > #$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
> > > > $InputTCPServerStreamDriverAuthMode x509/name
> > > > $InputTCPServerStreamDriverPermittedPeer *.domain.com
> > > > $InputTCPServerRun 514 # start up listener at port 10514
> > > > #
> > > > #$EscapeControlCharactersOnReceive off
> > > > #$Escape8BitCharactersOnReceive off
> > > >
> > > > $template RemoteServer, "/var/log/%HOSTNAME%/%SYSLOGFACILITY-TEXT%.log"
> > > > *.* ?RemoteServer
> > > >
> > > > Client conf:
> > > > # certificate files - just CA for a client
> > > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_client.pem
> > > >
> > > > # set up the action
> > > > $DefaultNetstreamDriver gtls # use gtls netstream driver
> > > > $ActionSendStreamDriverMode 1 # require TLS for the connection
> > > > $ActionSendStreamDriverAuthMode x509/name
> > > >
> > > > #$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
> > > >
> > > > # Only send log to SERVER.EXAMPLE.COM host
> > > > $ActionSendStreamDriverPermittedPeer server.domain.com
> > > > *.* @@(o) server.domain.com:514 # send (all) messages
> > > >
> > > > What I have in the log on the server:
> > > > 2022-05-25T14:44:32.782021+02:00 client.domain.com #010#005#005#003#010#010#006#001#010#013#010#006#006#003#002#001#002#003#000#026#000#000#000#027#000#000#000##000#000.#001#000#001#000#000#000#000#034#000#032#000#000#027server.
> > > > domain.coml#000#034#000#002@
> > > > 2022-05-25T14:44:32.887714+02:00 client.domain.com #026#003#001#000.#001#000#000.#003#003·...?#030J#026#004..#037)#021n.#030..#021..rw..F..#000#0002.,?...
> > > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > > > .+...#011.0?.#024./.#023#000...#0005#000...#000/#000...#0009#000..
> > > > .#
> > > > 00
> > > > 03#001#000#000.#000#005#000#005#001#000#000#000#000
> > > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > > > #000#026#000#024#000#027#000#030#000#031#000#035#000#036#001#000#0
> > > > 01
> > > > #0
> > > > 01#001#002#001#003#001#004#000#013#000#002#001#000#000#015#000"#00
> > > > 0
> > > > #004#001#010#011#010#004#004#003#010#007#00
> > > > 5#001#010
> > > >
> > > > Before 15 May it was working fine.
> > > > I don’t have any idea what is wrong.
> > > >
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
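
Added example (not part of any post in this thread, and not rsyslog project code): the garbage in the server log quoted above contains the sequence `#026#003#001`, which is how the bytes 0x16 0x03 0x01 of a TLS handshake record look after control-character escaping, so a receiver can flag this condition by scanning its own log files. The sketch below assumes the `#` plus three octal digits escaping and the "timestamp host message" line layout seen in that excerpt; the function names, host names and sample lines are constructed for illustration.

```python
import re

# Control bytes appear in the logged lines as '#' followed by three octal
# digits (e.g. 0x16 -> "#026"); this is the form seen in the thread's excerpt.
_ESCAPE = re.compile(rb"#([0-3][0-7]{2})")

TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def unescape(msg: str) -> bytes:
    """Turn '#ooo' escapes back into raw bytes; all other text is kept."""
    raw = msg.encode("latin-1", errors="replace")
    return _ESCAPE.sub(lambda m: bytes([int(m.group(1), 8)]), raw)


def find_client_hello(data: bytes):
    """Return details of the first TLS ClientHello record header, or None.

    Record layout: type(1)=0x16, version(2)=0x03 0x00..0x04, length(2),
    then the handshake message: type(1)=0x01, length(3), client_version(2).
    """
    for i in range(len(data) - 5):
        if data[i] != 0x16 or data[i + 1] != 0x03 or data[i + 2] > 0x04:
            continue
        if data[i + 5] != 0x01:  # handshake type 1 = ClientHello
            continue
        record_len = int.from_bytes(data[i + 3:i + 5], "big")
        if not 0 < record_len <= 2 ** 14:  # plaintext record size limit
            continue
        hello_version = None
        if len(data) >= i + 11:
            hello_version = TLS_VERSIONS.get(
                int.from_bytes(data[i + 9:i + 11], "big"))
        return {
            "offset": i,
            "record_version": TLS_VERSIONS[0x0300 | data[i + 2]],
            "record_length": record_len,
            "hello_version": hello_version,
        }
    return None


def scan(lines):
    """Yield one finding per log line that carries an escaped ClientHello."""
    hits = []
    for number, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split(" ", 2)  # timestamp, host, message
        if len(parts) < 3:
            continue
        hello = find_client_hello(unescape(parts[2]))
        if hello:
            hits.append({"line": number, "host": parts[1], **hello})
    return hits


# Constructed sample lines (not taken from the thread). Line 2 mimics a
# ClientHello that a plain-TCP listener wrote to disk; line 3 is ordinary
# text that merely contains '#026' and must not be flagged.
SAMPLE = [
    "2022-05-25T14:44:31.000000+02:00 client.example.com sshd[812]: Accepted publickey for ops",
    "2022-05-25T14:44:32.887714+02:00 client.example.com #026#003#001#000.#001#000#000*#003#003#030J#026#004",
    "2022-05-25T14:44:33.000000+02:00 client.example.com build #026 finished, see ticket #003",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"line {hit['line']}: {hit['host']} sent a TLS ClientHello "
              f"(record {hit['record_version']}, hello {hit['hello_version']}) "
              "to a listener that parsed it as plain syslog")
```

A hit means the sender is speaking TLS while the receiving listener handled the connection as plain TCP, which is the symptom discussed in this thread.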
Re: Rsyslog bad external log encoding ??????
I fixed it.

But the problem was in the new version; I had to downgrade rsyslog and it works again. Was the new version corrupted?

zypper install --force rsyslog=8.39.0-4.10.1
Loading repository data...
Reading installed packages...
Forcing installation of 'rsyslog-8.39.0-4.10.1.x86_64' from repository 'opensuse-leap15.3-critic-prod-openSUSE-Leap-15.3-Pool for x86_64'.
Resolving package dependencies...

Problem: the installed rsyslog-module-gtls-8.2106.0-150200.4.26.1.x86_64 requires 'rsyslog = 8.2106.0', but this requirement cannot be provided
Solution 1: downgrade of rsyslog-module-gtls-8.2106.0-150200.4.26.1.x86_64 to rsyslog-module-gtls-8.39.0-4.10.1.x86_64
Solution 2: do not install rsyslog-8.39.0-4.10.1.x86_64
Solution 3: break rsyslog-module-gtls-8.2106.0-150200.4.26.1.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): 1
Resolving dependencies...
Resolving package dependencies...

The following 2 packages are going to be downgraded:
rsyslog rsyslog-module-gtls

2 packages to downgrade.
Overall download size: 718.8 KiB. Already cached: 0 B. After the operation, 184.3 KiB will be freed.
Continue? [y/n/v/...? shows all options] (y): y
Retrieving package rsyslog-8.39.0-4.10.1.x86_64 (1/2), 662.2 KiB ( 2.3 MiB unpacked)
Retrieving: rsyslog-8.39.0-4.10.1.x86_64.rpm ...[done]
Retrieving package rsyslog-module-gtls-8.39.0-4.10.1.x86_64 (2/2), 56.6 KiB ( 36.4 KiB unpacked)
Retrieving: rsyslog-module-gtls-8.39.0-4.10.1.x86_64.rpm ...[done]

Checking for file conflicts: ...[done]
Updating /etc/sysconfig/syslog ...
(1/2) Installing: rsyslog-8.39.0-4.10.1.x86_64 ...[done]
(2/2) Installing: rsyslog-module-gtls-8.39.0-4.10.1.x86_64 ...[done]

-----Original Message-----
From: Rainer Gerhards <rgerhards@hq.adiscon.com>
Sent: Friday, May 27, 2022 9:11 AM
To: rsyslog-users <rsyslog@lists.adiscon.com>
Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????

Thx, this looks correct, it's a bit puzzling. Is there a way to download this file so that I can have a more in-depth look?

In any case, it looks like we need at least one failed message transfer inside the log. Best also with a client debug log.

Rainer

On Fri, 27 May 2022 at 9:07, Grzegorz Zalewski via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> Hi
>
> Full debug log is here:
>
> https://zerobin.net/?f2f43cf8cb4d97f5#7sHvQif7JI1F33B2zSaD8YVZpC2/anbBr2vMPG1k6Vk=
>
> -----Original Message-----
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Sent: Thursday, May 26, 2022 6:33 PM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
>
> Did you use the regular method right at the top of rsyslog.conf? I ask because only the shutdown can be seen, not the startup.
>
> Rainer
>
> On Thu, 26 May 2022 at 13:21, Grzegorz Zalewski via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
> >
> > Debug log:
> >
> > 5033.190548232:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd2830, type 'V'
> > 5033.190550335:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5ab0, type 'S'
> > 5033.190552537:main thread : action-5-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190555932:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd4ae0, type 'AND'
> > 5033.190558030:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd4a30, type 'OR'
> > 5033.190560214:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5e20, type 'CMP_EQ'
> > 5033.190562327:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5950, type 'V'
> > 5033.190564412:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5de0, type 'S'
> > 5033.190566470:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd4a10, type 'CMP_EQ'
> > 5033.190568509:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5980, type 'V'
> > 5033.190570599:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd49f0, type 'S'
> > 5033.190572679:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dc5fb0, type 'F'
> > 5033.190575390:main thread : action-6-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190578760:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd58b0, type 'AND'
> > 5033.190580822:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dc6050, type 'F'
> > 5033.190583017:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5890, type 'AND'
> > 5033.190585065:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd57c0, type 'CMP_CONTAINS'
> > 5033.190587099:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd4910, type 'V'
> > 5033.190589145:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd57a0, type 'S'
> > 5033.190591231:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5870, type 'CMP_CONTAINS'
> > 5033.190593259:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5800, type 'V'
> > 5033.190595284:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5850, type 'S'
> > 5033.190618132:main thread : action-7-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190622497:main thread : action-8-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190626890:main thread : action-9-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190640887:main thread : action-10-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190654111:main thread : action-11-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190657873:main thread : action-12-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190661614:main thread : action-13-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190664900:main thread : action-14-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190668788:main thread : strm 0x7ffa98007dd0: stream.c: file 14(/var/log/messages) closing, bDeleteOnClose 0
> > 5033.190671084:main thread : strm 0x7ffa98007dd0: stream.c: strmFlushinternal: file 14(/var/log/messages) flush, buflen 0 (no need to flush)
> > 5033.190673278:main thread : strm 0x7ffa98007dd0: stream.c: file 14(/var/log/messages) closing
> > 5033.190678652:main thread : action-15-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190682221:main thread : action-16-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190686134:main thread : action-17-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190689802:main thread : action-18-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > 5033.190697344:main thread : ruleset.c: destructing ruleset 0x55dc13db9520, name 0x55dc13db9560
> > 5033.190700295:main thread : rsyslogd.c: all primary multi-thread sources have been terminated - now doing aux cleanup...
> > 5033.190702315:main thread : rsyslogd.c: destructing current config...
> > 5033.190704909:main thread : rsconf.c: calling freeCnf(0x55dc13db75a0) for module 'builtin:omfile'
> > 5033.190707318:main thread : rsconf.c: calling freeCnf(0x55dc13db7770) for module 'builtin:ompipe'
> > 5033.190709986:main thread : rsconf.c: calling freeCnf(0x55dc13db8770) for module 'builtin:omfwd'
> > 5033.190713355:main thread : rsconf.c: calling freeCnf(0x55dc13dc7750) for module 'immark.so'
> > 5033.190716019:main thread : rsconf.c: calling freeCnf(0x55dc13dc9610) for module 'imuxsock.so'
> > 5033.190718553:main thread : rsconf.c: calling freeCnf(0x55dc13dca860) for module 'imklog.so'
> > 5033.190721080:main thread : rsconf.c: calling freeCnf(0x55dc13dce700) for module 'imtcp'
> > 5033.190770096:main thread : parser.c: destructing parser 'rsyslog.rfc5424'
> > 5033.190772594:main thread : parser.c: destructing parser 'rsyslog.rfc3164'
> > 5033.190775196:main thread : pmrfc3164.c: pmrfc3164: free parser instance 0x55dc13db8c50
> > 5033.190782063:main thread : modules.c: file rsyslogd.c released module 'lmnet', reference count now 4
> > 5033.190784438:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > 5033.190786550:main thread : modules.c: Unloading module builtin:omfile
> > 5033.190789213:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > 5033.190791251:main thread : modules.c: Unloading module builtin:ompipe
> > 5033.190793495:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > 5033.190795495:main thread : modules.c: Unloading module builtin-shell
> > 5033.190797779:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > 5033.190799779:main thread : modules.c: Unloading module builtin:omdiscard
> > 5033.190801963:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > 5033.190803931:main thread : modules.c: Unloading module builtin:omfwd
> > 5033.190806440:main thread : modules.c: file omfwd.c released module 'lmnet', reference count now 3
> > 5033.190808989:main thread : modules.c: file omfwd.c released module 'lmnetstrms', reference count now 4
> > 5033.190811446:main thread : modules.c: file omfwd.c released module 'lmnetstrms', reference count now 3
> > 5033.190813714:main thread : modules.c: file omfwd.c released module 'lmtcpclt', reference count now 0
> > 5033.190815745:main thread : modules.c: module 'lmtcpclt' has zero reference count, unloading...
> > 5033.190817745:main thread : modules.c: Unloading module lmtcpclt
> > 5033.190839888:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190843191:main thread : modules.c: Unloading module builtin:omusrmsg
> > 5033.190845438:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190847453:main thread : modules.c: Unloading module builtin:pmrfc5424
> > 5033.190850027:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190852192:main thread : modules.c: Unloading module builtin:pmrfc3164
> > 5033.190854646:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190856622:main thread : modules.c: Unloading module builtin:smfile
> > 5033.190859169:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190861201:main thread : modules.c: Unloading module builtin:smtradfile
> > 5033.190863571:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190865540:main thread : modules.c: Unloading module builtin:smfwd
> > 5033.190867983:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190870023:main thread : modules.c: Unloading module builtin:smtradfwd
> > 5033.190876126:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190878217:main thread : modules.c: Unloading module immark.so
> > 5033.190900578:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190903458:main thread : modules.c: Unloading module imuxsock.so
> > 5033.190929023:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190931871:main thread : modules.c: Unloading module imklog.so
> > 5033.190944049:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > 5033.190946751:main thread : modules.c: module lmnetstrms NOT unloaded because it still has a refcount of 3
> > 5033.190948843:main thread : modules.c: module lmtcpsrv NOT unloaded because it still has a refcount of 2
> > 5033.190950930:main thread : modules.c: Unloading module imtcp
> > 5033.190954270:main thread : modules.c: file imtcp.c released module 'lmnet', reference count now 2
> > 5033.190956666:main thread : modules.c: file imtcp.c released module 'lmnetstrms', reference count now 2
> > 5033.190959070:main thread : modules.c: file imtcp.c released module 'lmtcpsrv', reference count now 1
> > 5033.190961401:main thread : modules.c: file imtcp.c released module 'lmtcpsrv', reference count now 0
> > 5033.190963424:main thread : modules.c: module 'lmtcpsrv' has zero reference count, unloading...
> > 5033.190965470:main thread : modules.c: Unloading module lmtcpsrv
> > 5033.191000080:main thread : tcpsrv.c: tcpsrv: info: worker 0 was called 0 times
> > 5033.191022031:main thread : tcpsrv.c: tcpsrv: info: worker 1 was called 0 times
> > 5033.191042824:main thread : tcpsrv.c: tcpsrv: info: worker 2 was called 0 times
> > 5033.191077377:main thread : tcpsrv.c: tcpsrv: info: worker 3 was called 0 times
> > 5033.191082074:main thread : modules.c: file tcpsrv.c released module 'lmnetstrms', reference count now 1
> > 5033.191084651:main thread : modules.c: file tcpsrv.c released module 'lmnet', reference count now 1
> > 5033.191087761:main thread : modules.c: file tcps_sess.c released module 'lmnetstrms', reference count now 0
> > 5033.191089779:main thread : modules.c: module 'lmnetstrms' has zero reference count, unloading...
> > 5033.191091922:main thread : modules.c: Unloading module lmnetstrms
> > 5033.191128059:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 1
> > 5033.191131700:main thread : modules.c: file conf.c released module 'lmnet', reference count now 0
> > 5033.191133723:main thread : modules.c: module 'lmnet' has zero reference count, unloading...
> > 5033.191135781:main thread : modules.c: Unloading module lmnet
> > 5033.191152212:main thread : strgen.c: destructing strgen 'RSYSLOG_FileFormat'
> > 5033.191155173:main thread : strgen.c: destructing strgen 'RSYSLOG_TraditionalFileFormat'
> > 5033.191157204:main thread : strgen.c: destructing strgen 'RSYSLOG_ForwardFormat'
> > 5033.191159298:main thread : strgen.c: destructing strgen 'RSYSLOG_TraditionalForwardFormat'
> > 5033.191164325:main thread : rsyslog.c: rsyslog runtime de-initialized, current users 0
> > 5033.191166536:main thread : rsyslogd.c: Clean shutdown completed, bye
> >
> > -----Original Message-----
> > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > Sent: Thursday, May 26, 2022 12:54 PM
> > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> >
> > [EXTERNAL EMAIL] Please report any suspicious attachments, links, or requests for sensitive information.
> >
> > can you do a debug log on the server side, make sure TLS is enabled and run rsyslog through the startup phase? I would assume that we see useful information.
> >
> > quick doc:
> > https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html
> >
> > Rainer
> >
> > On Thu, 26 May 2022 at 8:18, Grzegorz Zalewski via rsyslog
> > (<rsyslog@lists.adiscon.com>) wrote:
> > >
> > > Hi
> > >
> > > When I turn off TLS it works fine :/
> > >
> > > I don't see any errors in the server logs
> > >
> > > -----Original Message-----
> > > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > > Sent: Wednesday, May 25, 2022 6:39 PM
> > > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> > >
> > > This looks like the server is not using TLS. Any rsyslog error messages in the server log?
> > >
> > > Rainer
> > >
> > > On Wed, 25 May 2022 at 15:02, Grzegorz Zalewski via rsyslog
> > > (<rsyslog@lists.adiscon.com>) wrote:
> > > >
> > > > Hi
> > > > My version of rsyslogd on log server:
> > > > rsyslogd 8.2106.0 (aka 2021.06) compiled with:
> > > > PLATFORM: x86_64-suse-linux-gnu
> > > > PLATFORM (lsb_release -d):
> > > > FEATURE_REGEXP: Yes
> > > > GSSAPI Kerberos 5 support: Yes
> > > > FEATURE_DEBUG (debug build, slow code): No
> > > > 32bit Atomic operations supported: Yes
> > > > 64bit Atomic operations supported: Yes
> > > > memory allocator: system default
> > > > Runtime Instrumentation (slow code): No
> > > > uuid support: Yes
> > > > systemd support: Yes
> > > > Config file: /etc/rsyslog.conf
> > > > PID file: /var/run/rsyslogd.pid
> > > > Number of Bits in RainerScript integers: 64
> > > >
> > > > # ######### Receiving Messages from Remote Hosts ##########.
> > > > ########### Encrypting Syslog Traffic with TLS ##########
> > > > # -- TLS Syslog Server:.
> > > > ## make gtls driver the default
> > > > $DefaultNetstreamDriver gtls
> > > > #
> > > > ## certificate files
> > > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_server.pem
> > > > $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server.pem
> > > > $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server.pem
> > > >
> > > > $ModLoad imtcp # load TCP listener
> > > > #
> > > > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
> > > > #$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
> > > > $InputTCPServerStreamDriverAuthMode x509/name
> > > > $InputTCPServerStreamDriverPermittedPeer *.domain.com
> > > > $InputTCPServerRun 514 # start up listener at port 10514
> > > > #
> > > > #$EscapeControlCharactersOnReceive off
> > > > #$Escape8BitCharactersOnReceive off
> > > >
> > > > $template RemoteServer, "/var/log/%HOSTNAME%/%SYSLOGFACILITY-TEXT%.log"
> > > > *.* ?RemoteServer
> > > >
> > > > Client conf:
> > > > # certificate files - just CA for a client
> > > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_client.pem
> > > >
> > > > # set up the action
> > > > $DefaultNetstreamDriver gtls # use gtls netstream driver
> > > > $ActionSendStreamDriverMode 1 # require TLS for the connection
> > > > $ActionSendStreamDriverAuthMode x509/name
> > > >
> > > > #$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
> > > >
> > > > # Only send log to SERVER.EXAMPLE.COM host
> > > > $ActionSendStreamDriverPermittedPeer server.domain.com
> > > > *.* @@(o) server.domain.com:514 # send (all) messages
> > > >
> > > > What I have in the log on the server:
> > > > 2022-05-25T14:44:32.782021+02:00 client.domain.com #010#005#005#003#010#010#006#001#010#013#010#006#006#003#002#001#002#003#000#026#000#000#000#027#000#000#000##000#000.#001#000#001#000#000#000#000#034#000#032#000#000#027server.
> > > > domain.coml#000#034#000#002@
> > > > 2022-05-25T14:44:32.887714+02:00 client.domain.com #026#003#001#000.#001#000#000.#003#003·...?#030J#026#004..#037)#021n.#030..#021..rw..F..#000#0002.,?...
> > > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > > > .+...#011.0?.#024./.#023#000...#0005#000...#000/#000...#0009#000..
> > > > .#
> > > > 00
> > > > 03#001#000#000.#000#005#000#005#001#000#000#000#000
> > > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > > > #000#026#000#024#000#027#000#030#000#031#000#035#000#036#001#000
> > > > #0
> > > > 01
> > > > #0
> > > > 01#001#002#001#003#001#004#000#013#000#002#001#000#000#015#000"#
> > > > 00
> > > > 0
> > > > #004#001#010#011#010#004#004#003#010#007#00
> > > > 5#001#010
> > > >
> > > > Before 15 May it was working fine.
> > > > I don’t have any idea what is wrong.
> > > >
> > > > _______________________________________________
> > > > rsyslog mailing list
> > > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > http://www.rsyslog.com/professional-services/
> > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
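The symptom discussed in this thread, as an added example that is not part of any poster's message: rsyslog writes a control byte as `#` plus three octal digits, so `#026#003#001` in the server log is 0x16 0x03 0x01, the start of a TLS handshake record that the listener stored as plain text. The sketch below scans log lines for that pattern; the sample lines are constructed (modelled on the excerpt quoted above) and the function names are illustrative.

```python
import re

# rsyslog's default control-character escaping: '#' followed by three octal digits.
ESCAPE = re.compile(r"#([0-3][0-7]{2})")

# TLS record header as it appears at the start of a ClientHello:
#   0x16 (handshake), 0x03 0x00..0x04 (record version), two length bytes,
#   then handshake message type 0x01 (ClientHello).
CLIENT_HELLO = re.compile(rb"\x16\x03[\x00-\x04]..\x01", re.DOTALL)

# Constructed sample in "TIMESTAMP HOSTNAME MESSAGE" layout; not real log data.
SAMPLE_LOG = [
    "2022-05-25T14:44:31.100000+02:00 client.domain.com sshd[1234]: Accepted publickey for admin",
    "2022-05-25T14:44:32.887714+02:00 client.domain.com #026#003#001#000.#001#000#000.#003#003",
    "2022-05-25T14:44:33.000000+02:00 client.domain.com app: col1#011col2#011col3",
    "2022-05-25T14:44:34.000000+02:00 other.domain.com #026#003#003#001A#001#000",
]


def unescape(text):
    """Turn rsyslog '#ooo' escapes back into the raw bytes they stand for."""
    out = bytearray()
    pos = 0
    for match in ESCAPE.finditer(text):
        out += text[pos:match.start()].encode("utf-8", "replace")
        out.append(int(match.group(1), 8))
        pos = match.end()
    out += text[pos:].encode("utf-8", "replace")
    return bytes(out)


def find_tls_in_plaintext(lines):
    """Return one record per log line whose message contains a TLS ClientHello header.

    A hit means a sender spoke TLS to a listener that treated the bytes as
    ordinary syslog text, i.e. TLS was not active on the receiving side.
    """
    hits = []
    for lineno, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split(" ", 2)
        if len(parts) < 3:
            continue  # not in TIMESTAMP HOSTNAME MESSAGE form
        timestamp, host, payload = parts
        raw = unescape(payload)
        match = CLIENT_HELLO.search(raw)
        if match:
            hits.append({
                "line": lineno,
                "timestamp": timestamp,
                "host": host,
                "offset": match.start(),
                # Third header byte is the minor version of the record layer.
                "record_version": "3.%d" % raw[match.start() + 2],
            })
    return hits


def hosts_sending_tls(lines):
    """Sorted list of sender hostnames whose TLS handshakes were logged as text."""
    return sorted({hit["host"] for hit in find_tls_in_plaintext(lines)})


if __name__ == "__main__":
    for hit in find_tls_in_plaintext(SAMPLE_LOG):
        print("line %(line)d: %(host)s sent a TLS ClientHello "
              "(record version %(record_version)s) to a plaintext listener" % hit)
```

Escaped tab characters (`#011`) and ordinary messages do not match, because the check requires the full handshake record header rather than any escaped byte.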
Re: Rsyslog bad external log encoding ?????? [ In reply to ]
There seems to be a problem with the latest OBS build. I will see how
I can resolve it.

Thx for the info,
Rainer

On Fri, 27 May 2022 at 12:45, Grzegorz Zalewski via rsyslog
(<rsyslog@lists.adiscon.com>) wrote:
>
> I fixed it
>
> But the problem was in the new version; I had to downgrade rsyslog and it works again. Was the new version corrupted?:
>
> zypper install --force rsyslog=8.39.0-4.10.1
> Loading repository data...
> Reading installed packages...
> Forcing installation of 'rsyslog-8.39.0-4.10.1.x86_64' from repository 'opensuse-leap15.3-critic-prod-openSUSE-Leap-15.3-Pool for x86_64'.
> Resolving package dependencies...
>
> Problem: the installed rsyslog-module-gtls-8.2106.0-150200.4.26.1.x86_64 requires 'rsyslog = 8.2106.0', but this requirement cannot be provided
> Solution 1: downgrade of rsyslog-module-gtls-8.2106.0-150200.4.26.1.x86_64 to rsyslog-module-gtls-8.39.0-4.10.1.x86_64
> Solution 2: do not install rsyslog-8.39.0-4.10.1.x86_64
> Solution 3: break rsyslog-module-gtls-8.2106.0-150200.4.26.1.x86_64 by ignoring some of its dependencies
>
> Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): 1
> Resolving dependencies...
> Resolving package dependencies...
>
> The following 2 packages are going to be downgraded:
> rsyslog rsyslog-module-gtls
>
> 2 packages to downgrade.
> Overall download size: 718.8 KiB. Already cached: 0 B. After the operation, 184.3 KiB will be freed.
> Continue? [y/n/v/...? shows all options] (y): y
> Retrieving package rsyslog-8.39.0-4.10.1.x86_64 (1/2), 662.2 KiB ( 2.3 MiB unpacked)
> Retrieving: rsyslog-8.39.0-4.10.1.x86_64.rpm ..........................................................................................................................................................................................[done]
> Retrieving package rsyslog-module-gtls-8.39.0-4.10.1.x86_64 (2/2), 56.6 KiB ( 36.4 KiB unpacked)
> Retrieving: rsyslog-module-gtls-8.39.0-4.10.1.x86_64.rpm ..............................................................................................................................................................................[done]
>
> Checking for file conflicts: ..........................................................................................................................................................................................................[done]
> Updating /etc/sysconfig/syslog ...
> (1/2) Installing: rsyslog-8.39.0-4.10.1.x86_64 ........................................................................................................................................................................................[done]
> (2/2) Installing: rsyslog-module-gtls-8.39.0-4.10.1.x86_64 ............................................................................................................................................................................[done]
>
> -----Original Message-----
> From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> Sent: Friday, May 27, 2022 9:11 AM
> To: rsyslog-users <rsyslog@lists.adiscon.com>
> Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
>
> Thx, this looks correct, it's a bit puzzling. Is there a way to download this file so that I can have a more in-depth look?
>
> In any case, it looks like we need at least one failed message transfer inside the log. Best also with a client debug log.
>
> Rainer
>
> On Fri, 27 May 2022 at 9:07, Grzegorz Zalewski via rsyslog
> (<rsyslog@lists.adiscon.com>) wrote:
> >
> > Hi
> >
> > Full debug log is here:
> >
> > https://zerobin.net/?f2f43cf8cb4d97f5#7sHvQif7JI1F33B2zSaD8YVZpC2/anbBr2vMPG1k6Vk=
> >
> > -----Original Message-----
> > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > Sent: Thursday, May 26, 2022 6:33 PM
> > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> >
> > Did you use the regular method right at the top of rsyslog.conf? I ask because only the shutdown can be seen, not the startup.
> >
> > Rainer
> >
> > On Thu, 26 May 2022 at 13:21, Grzegorz Zalewski via rsyslog
> > (<rsyslog@lists.adiscon.com>) wrote:
> > >
> > > Debug log:
> > >
> > > 5028.756561447:main thread : rsyslogd.c:
> > > 5028.756591154:main thread : rsyslogd.c:
> > > 5028.756599828:main thread : rsyslogd.c: ********************************************************************************
> > > 5028.756602615:main thread : rsyslogd.c: Switching debugging_on to true at 08:03:48
> > > 5028.756604775:main thread : rsyslogd.c: ********************************************************************************
> > > 5028.756609995:main thread : janitor.c: janitorRun() called
> > > 5033.189177560:main thread : rsyslogd.c: DoDie called.
> > > 5033.189238695:main thread : rsyslogd.c: awaking mainthread
> > > 5033.189262942:main thread : janitor.c: janitorRun() called
> > > 5033.189269019:main thread : errmsg.c: Called LogMsg, msg: rsyslogd shutting down
> > > 5033.189271584:main thread : operatingstate.c: osf: MSG rsyslogd shutting down: signaling new internal message via SIGTTOU: 'rsyslogd shutting down [v8.2106.0 try https://www.rsyslog.com/e/0 ]'
> > > 5033.189289381:main thread : rsyslogd.c: exiting on signal 2
> > > 5033.189291603:main thread : rsyslogd.c: Terminating input threads...
> > > 5033.189295410:main thread : ../threads.c: request term via SIGTTIN for input thread 'immark' 0x7ffab236f700
> > > 5033.189298582:main thread : ../threads.c: thread immark: initiating termination, timeout 1000 ms
> > > 5033.189348883:immark.c : ../threads.c: thrdStarter: usrThrdMain immark - 0x7ffab236f700 returned with iRet 0, exiting now.
> > > 5033.189379910:main thread : ../threads.c: non-cancel input thread termination succeeded for thread immark 0x7ffab236f700
> > > 5033.189585841:main thread : ../threads.c: request term via SIGTTIN for input thread 'imuxsock' 0x7ffab1f6e700
> > > 5033.189589416:main thread : ../threads.c: thread imuxsock: initiating termination, timeout 1000 ms
> > > 5033.189613241:imuxsock.c : ../threads.c: thrdStarter: usrThrdMain imuxsock - 0x7ffab1f6e700 returned with iRet 0, exiting now.
> > > 5033.189653202:main thread : ../threads.c: non-cancel input thread termination succeeded for thread imuxsock 0x7ffab1f6e700
> > > 5033.189665632:main thread : imuxsock.c: imuxsock: unlinking unix socket file[0] /dev/log
> > > 5033.189678050:main thread : ../threads.c: request term via canceling for input thread imklog
> > > 5033.189730551:main thread : ../threads.c: request term via SIGTTIN for input thread 'imtcp' 0x7ffab176c700
> > > 5033.189734384:main thread : ../threads.c: thread imtcp: initiating termination, timeout 1000 ms
> > > 5033.189757496:imtcp.c : nsdsel_ptcp.c: nsdsel_ptcp received EINTR
> > > 5033.189774472:imtcp.c : tcpsrv.c: tcpsrv terminating, waiting for 0 workers
> > > 5033.189778040:imtcp.c : ../threads.c: thrdStarter: usrThrdMain imtcp - 0x7ffab176c700 returned with iRet 0, exiting now.
> > > 5033.189787733:main thread : ../threads.c: non-cancel input thread termination succeeded for thread imtcp 0x7ffab176c700
> > > 5033.189862021:main thread : modules.c: file netstrms.c released module 'lmnsd_gtls', reference count now 1
> > > 5033.189873247:main thread : iminternal.c: signaling new internal message via SIGTTOU: '[origin software="rsyslogd" swVersion="8.2106.0" x-pid="19998" x-info="https://www.rsyslog.com"] exiting on signal 2.'
> > > 5033.190033534:main thread : rsyslogd.c: Terminating main queue...
> > > 5033.190038517:main thread : main Q: queue.c: shutdown: begin to destruct queue
> > > 5033.190041457:main thread : main Q: queue.c: initiating worker thread shutdown sequence 0x55dc13dff4d0
> > > 5033.190043715:main thread : main Q: queue.c: trying shutdown of regular workers
> > > 5033.190050545:main thread : wti.c: sent SIGTTIN to worker thread 0x7ffaa3fff700
> > > 5033.190054214:main thread : wtp.c: main Q:Reg: waiting 1499ms on worker thread termination, 1 still running
> > > 5033.190070048:main Q:Reg/w0 : wti 0x55dc13e0df60: wti.c: worker awoke from idle processing
> > > 5033.190074442:main Q:Reg/w0 : queue.c: DeleteProcessedBatch: we deleted 0 objects and enqueued 0 objects
> > > 5033.190076537:main Q:Reg/w0 : queue.c: rger: deleteBatchFromQStore, nElem 0
> > > 5033.190079265:main Q:Reg/w0 : queue.c: doDeleteBatch: delete batch from store, new sizes: log 0, phys 0
> > > 5033.190082092:main Q:Reg/w0 : main Q: queue.c: dequeued 0 consumable elements, szlog 0 sz phys 0
> > > 5033.190103817:main Q:Reg/w0 : queue.c: regular consumer finished, iret=4, szlog 0 sz phys 0
> > > 5033.190106754:main Q:Reg/w0 : wti 0x55dc13e0df60: wti.c: terminating worker terminateRet=5, bInactivityTOOccured=0
> > > 5033.190109572:main Q:Reg/w0 : wti.c: DDDD: wti 0x55dc13e0df60: worker cleanup action instances
> > > 5033.190111828:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 0, ptr 0x7ffa98000f30
> > > 5033.190115766:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 1, ptr 0x7ffa98001190
> > > 5033.190143536:main Q:Reg/w0 : modules.c: file netstrms.c released module 'lmnsd_gtls', reference count now 0
> > > 5033.190147864:main Q:Reg/w0 : modules.c: module 'lmnsd_gtls' has zero reference count, unloading...
> > > 5033.190150937:main Q:Reg/w0 : modules.c: Unloading module lmnsd_gtls
> > > 5033.190165121:main Q:Reg/w0 : modules.c: file nsdsel_gtls.c released module 'lmnsd_ptcp', reference count now 1
> > > 5033.190206154:main Q:Reg/w0 : modules.c: file nsd_gtls.c released module 'lmnsd_ptcp', reference count now 0
> > > 5033.190208707:main Q:Reg/w0 : modules.c: module 'lmnsd_ptcp' has zero reference count, unloading...
> > > 5033.190210845:main Q:Reg/w0 : modules.c: Unloading module lmnsd_ptcp
> > > 5033.190215279:main Q:Reg/w0 : modules.c: file nsd_ptcp.c released module 'lmnetstrms', reference count now 5
> > > 5033.190245353:main Q:Reg/w0 : modules.c: file nsd_gtls.c released module 'lmnet', reference count now 5
> > > 5033.190251310:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 2, ptr (nil)
> > > 5033.190253540:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 3, ptr (nil)
> > > 5033.190255659:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 4, ptr (nil)
> > > 5033.190257753:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 5, ptr (nil)
> > > 5033.190259842:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 6, ptr (nil)
> > > 5033.190262021:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 7, ptr (nil)
> > > 5033.190264115:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 8, ptr (nil)
> > > 5033.190266224:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 9, ptr (nil)
> > > 5033.190268445:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 10, ptr (nil)
> > > 5033.190270854:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 11, ptr (nil)
> > > 5033.190272890:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 12, ptr (nil)
> > > 5033.190274894:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 13, ptr (nil)
> > > 5033.190276953:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 14, ptr 0x7ffa98005980
> > > 5033.190280073:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 15, ptr (nil)
> > > 5033.190282197:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 16, ptr (nil)
> > > 5033.190284591:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 17, ptr (nil)
> > > 5033.190286640:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60, action 18, ptr (nil)
> > > 5033.190289919:main Q:Reg/w0 : wti.c: wti 0x55dc13e0df60: exiting
> > > 5033.190292908:main Q:Reg/w0 : wtp.c: main Q:Reg: Worker thread 55dc13e0df60, terminated, num workers now 0
> > > 5033.190364038:main thread : wti.c: sent SIGTTIN to worker thread 0x7ffaa3fff700
> > > 5033.190368540:main thread : main Q: queue.c: regular queue workers shut down.
> > > 5033.190371158:main thread : main Q: queue.c: checking to see if we need to cancel any worker threads of the primary queue
> > > 5033.190374081:main thread : wti.c: main Q:Reg/w0: joining terminated worker
> > > 5033.190376375:main thread : wti.c: main Q:Reg/w0: worker fully terminated
> > > 5033.190378718:main thread : main Q: queue.c: worker threads terminated, remaining queue size log 0, phys 0.
> > > 5033.190385043:main thread : main Q: queue.c: queue (type 0) will lose 0 messages, destroying...
> > > 5033.190400418:main thread : rsyslogd.c: Terminating outputs...
> > > 5033.190404021:main thread : ruleset.c: rulesetDestructAllActions
> > > 5033.190406235:main thread : ruleset.c: destructAllActions: queue shutdown
> > > 5033.190408990:main thread : ruleset.c: shutting down queue workers for ruleset 0x55dc13db9520, name RSYSLOG_DefaultRuleset, queue (nil)
> > > 5033.190411048:main thread : ruleset.c: destructAllActions: action and conf stmt shutdown
> > > 5033.190422196:main thread : ruleset.c: shutting down actions and conf stmts for ruleset 0x55dc13db9520, name RSYSLOG_DefaultRuleset
> > > 5033.190426463:main thread : action-0-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190431381:main thread : omfile.c: Removing entry 0 for file '/var/log/server/syslog.log' from dynaCache.
> > > 5033.190439324:main thread : strm 0x7ffa980059d0: stream.c: file 13(/var/log/server/syslog.log) closing, bDeleteOnClose 0
> > > 5033.190442130:main thread : strm 0x7ffa980059d0: stream.c: strmFlushinternal: file 13(/var/log/server/syslog.log) flush, buflen 0 (no need to flush)
> > > 5033.190444280:main thread : strm 0x7ffa980059d0: stream.c: file 13(/var/log/server/syslog.log) closing
> > > 5033.190451652:main thread : omfile.c: Removing entry 1 for file '/var/log/client.domain.com/user.log' from dynaCache.
> > > 5033.190454065:main thread : strm 0x7ffa9800a950: stream.c: file 16(/var/log/client.domain.com/user.log) closing, bDeleteOnClose 0
> > > 5033.190456336:main thread : strm 0x7ffa9800a950: stream.c: strmFlushinternal: file 16(/var/log/client.domain.com/user.log) flush, buflen 0 (no need to flush)
> > > 5033.190458429:main thread : strm 0x7ffa9800a950: stream.c: file 16(/var/log/client.domain.com/user.log) closing
> > > 5033.190463135:main thread : omfile.c: Removing entry 2 for file '/var/log/server/auth.log' from dynaCache.
> > > 5033.190465460:main thread : strm 0x7ffa9800cde0: stream.c: file 17(/var/log/server/auth.log) closing, bDeleteOnClose 0
> > > 5033.190467628:main thread : strm 0x7ffa9800cde0: stream.c: strmFlushinternal: file 17(/var/log/server/auth.log) flush, buflen 0 (no need to flush)
> > > 5033.190470101:main thread : strm 0x7ffa9800cde0: stream.c: file 17(/var/log/server/auth.log) closing
> > > 5033.190475382:main thread : omfile.c: Removing entry 3 for file '/var/log/server/authpriv.log' from dynaCache.
> > > 5033.190477683:main thread : strm 0x7ffa9800f130: stream.c: file 18(/var/log/server/authpriv.log) closing, bDeleteOnClose 0
> > > 5033.190479851:main thread : strm 0x7ffa9800f130: stream.c: strmFlushinternal: file 18(/var/log/server/authpriv.log) flush, buflen 0 (no need to flush)
> > > 5033.190481986:main thread : strm 0x7ffa9800f130: stream.c: file 18(/var/log/server/authpriv.log) closing
> > > 5033.190488121:main thread : action-1-builtin:omfwd queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190493412:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb540, type 'OR'
> > > 5033.190495967:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb3a0, type 'AND'
> > > 5033.190498210:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dc5ea0, type 'F'
> > > 5033.190502327:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb380, type 'NOT'
> > > 5033.190504529:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb360, type 'AND'
> > > 5033.190506649:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb290, type 'CMP_CONTAINS'
> > > 5033.190508856:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd0940, type 'V'
> > > 5033.190511123:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb270, type 'S'
> > > 5033.190513881:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb340, type 'CMP_CONTAINS'
> > > 5033.190515927:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb2d0, type 'V'
> > > 5033.190518042:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dcb320, type 'S'
> > > 5033.190520192:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dc5f10, type 'F'
> > > 5033.190522701:main thread : action-2-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190526715:main thread : action-3-builtin:ompipe queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190530576:main thread : action-4-builtin:omusrmsg queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190534325:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5af0, type 'OR'
> > > 5033.190536429:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd1d50, type 'CMP_EQ'
> > > 5033.190541657:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dda810, type 'V'
> > > 5033.190543823:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd1d30, type 'S'
> > > 5033.190546016:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5ad0, type 'CMP_STARTSWITH'
> > > 5033.190548232:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd2830, type 'V'
> > > 5033.190550335:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5ab0, type 'S'
> > > 5033.190552537:main thread : action-5-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190555932:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd4ae0, type 'AND'
> > > 5033.190558030:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd4a30, type 'OR'
> > > 5033.190560214:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5e20, type 'CMP_EQ'
> > > 5033.190562327:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5950, type 'V'
> > > 5033.190564412:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5de0, type 'S'
> > > 5033.190566470:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd4a10, type 'CMP_EQ'
> > > 5033.190568509:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5980, type 'V'
> > > 5033.190570599:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd49f0, type 'S'
> > > 5033.190572679:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dc5fb0, type 'F'
> > > 5033.190575390:main thread : action-6-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190578760:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd58b0, type 'AND'
> > > 5033.190580822:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dc6050, type 'F'
> > > 5033.190583017:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5890, type 'AND'
> > > 5033.190585065:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd57c0, type 'CMP_CONTAINS'
> > > 5033.190587099:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd4910, type 'V'
> > > 5033.190589145:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd57a0, type 'S'
> > > 5033.190591231:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5870, type 'CMP_CONTAINS'
> > > 5033.190593259:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5800, type 'V'
> > > 5033.190595284:main thread : rainerscript.c: cnfexprDestruct expr 0x55dc13dd5850, type 'S'
> > > 5033.190618132:main thread : action-7-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190622497:main thread : action-8-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190626890:main thread : action-9-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190640887:main thread : action-10-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190654111:main thread : action-11-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190657873:main thread : action-12-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190661614:main thread : action-13-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190664900:main thread : action-14-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190668788:main thread : strm 0x7ffa98007dd0: stream.c: file 14(/var/log/messages) closing, bDeleteOnClose 0
> > > 5033.190671084:main thread : strm 0x7ffa98007dd0: stream.c: strmFlushinternal: file 14(/var/log/messages) flush, buflen 0 (no need to flush)
> > > 5033.190673278:main thread : strm 0x7ffa98007dd0: stream.c: file 14(/var/log/messages) closing
> > > 5033.190678652:main thread : action-15-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190682221:main thread : action-16-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190686134:main thread : action-17-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190689802:main thread : action-18-builtin:omfile queue: queue.c: shutdown: begin to destruct queue
> > > 5033.190697344:main thread : ruleset.c: destructing ruleset 0x55dc13db9520, name 0x55dc13db9560
> > > 5033.190700295:main thread : rsyslogd.c: all primary multi-thread sources have been terminated - now doing aux cleanup...
> > > 5033.190702315:main thread : rsyslogd.c: destructing current config...
> > > 5033.190704909:main thread : rsconf.c: calling freeCnf(0x55dc13db75a0) for module 'builtin:omfile'
> > > 5033.190707318:main thread : rsconf.c: calling freeCnf(0x55dc13db7770) for module 'builtin:ompipe'
> > > 5033.190709986:main thread : rsconf.c: calling freeCnf(0x55dc13db8770) for module 'builtin:omfwd'
> > > 5033.190713355:main thread : rsconf.c: calling freeCnf(0x55dc13dc7750) for module 'immark.so'
> > > 5033.190716019:main thread : rsconf.c: calling freeCnf(0x55dc13dc9610) for module 'imuxsock.so'
> > > 5033.190718553:main thread : rsconf.c: calling freeCnf(0x55dc13dca860) for module 'imklog.so'
> > > 5033.190721080:main thread : rsconf.c: calling freeCnf(0x55dc13dce700) for module 'imtcp'
> > > 5033.190770096:main thread : parser.c: destructing parser 'rsyslog.rfc5424'
> > > 5033.190772594:main thread : parser.c: destructing parser 'rsyslog.rfc3164'
> > > 5033.190775196:main thread : pmrfc3164.c: pmrfc3164: free parser instance 0x55dc13db8c50
> > > 5033.190782063:main thread : modules.c: file rsyslogd.c released module 'lmnet', reference count now 4
> > > 5033.190784438:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > > 5033.190786550:main thread : modules.c: Unloading module builtin:omfile
> > > 5033.190789213:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > > 5033.190791251:main thread : modules.c: Unloading module builtin:ompipe
> > > 5033.190793495:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > > 5033.190795495:main thread : modules.c: Unloading module builtin-shell
> > > 5033.190797779:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > > 5033.190799779:main thread : modules.c: Unloading module builtin:omdiscard
> > > 5033.190801963:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 4
> > > 5033.190803931:main thread : modules.c: Unloading module builtin:omfwd
> > > 5033.190806440:main thread : modules.c: file omfwd.c released module 'lmnet', reference count now 3
> > > 5033.190808989:main thread : modules.c: file omfwd.c released module 'lmnetstrms', reference count now 4
> > > 5033.190811446:main thread : modules.c: file omfwd.c released module 'lmnetstrms', reference count now 3
> > > 5033.190813714:main thread : modules.c: file omfwd.c released module 'lmtcpclt', reference count now 0
> > > 5033.190815745:main thread : modules.c: module 'lmtcpclt' has zero reference count, unloading...
> > > 5033.190817745:main thread : modules.c: Unloading module lmtcpclt
> > > 5033.190839888:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > > 5033.190843191:main thread : modules.c: Unloading module builtin:omusrmsg
> > > 5033.190845438:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > > 5033.190847453:main thread : modules.c: Unloading module builtin:pmrfc5424
> > > 5033.190850027:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > > 5033.190852192:main thread : modules.c: Unloading module builtin:pmrfc3164
> > > 5033.190854646:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > > 5033.190856622:main thread : modules.c: Unloading module builtin:smfile
> > > 5033.190859169:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > > 5033.190861201:main thread : modules.c: Unloading module builtin:smtradfile
> > > 5033.190863571:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > > 5033.190865540:main thread : modules.c: Unloading module builtin:smfwd
> > > 5033.190867983:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > > 5033.190870023:main thread : modules.c: Unloading module builtin:smtradfwd
> > > 5033.190876126:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > > 5033.190878217:main thread : modules.c: Unloading module immark.so
> > > 5033.190900578:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > > 5033.190903458:main thread : modules.c: Unloading module imuxsock.so
> > > 5033.190929023:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > > 5033.190931871:main thread : modules.c: Unloading module imklog.so
> > > 5033.190944049:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 3
> > > 5033.190946751:main thread : modules.c: module lmnetstrms NOT unloaded because it still has a refcount of 3
> > > 5033.190948843:main thread : modules.c: module lmtcpsrv NOT unloaded because it still has a refcount of 2
> > > 5033.190950930:main thread : modules.c: Unloading module imtcp
> > > 5033.190954270:main thread : modules.c: file imtcp.c released module 'lmnet', reference count now 2
> > > 5033.190956666:main thread : modules.c: file imtcp.c released module 'lmnetstrms', reference count now 2
> > > 5033.190959070:main thread : modules.c: file imtcp.c released module 'lmtcpsrv', reference count now 1
> > > 5033.190961401:main thread : modules.c: file imtcp.c released module 'lmtcpsrv', reference count now 0
> > > 5033.190963424:main thread : modules.c: module 'lmtcpsrv' has zero reference count, unloading...
> > > 5033.190965470:main thread : modules.c: Unloading module lmtcpsrv
> > > 5033.191000080:main thread : tcpsrv.c: tcpsrv: info: worker 0 was called 0 times
> > > 5033.191022031:main thread : tcpsrv.c: tcpsrv: info: worker 1 was called 0 times
> > > 5033.191042824:main thread : tcpsrv.c: tcpsrv: info: worker 2 was called 0 times
> > > 5033.191077377:main thread : tcpsrv.c: tcpsrv: info: worker 3 was called 0 times
> > > 5033.191082074:main thread : modules.c: file tcpsrv.c released module 'lmnetstrms', reference count now 1
> > > 5033.191084651:main thread : modules.c: file tcpsrv.c released module 'lmnet', reference count now 1
> > > 5033.191087761:main thread : modules.c: file tcps_sess.c released module 'lmnetstrms', reference count now 0
> > > 5033.191089779:main thread : modules.c: module 'lmnetstrms' has zero reference count, unloading...
> > > 5033.191091922:main thread : modules.c: Unloading module lmnetstrms
> > > 5033.191128059:main thread : modules.c: module lmnet NOT unloaded because it still has a refcount of 1
> > > 5033.191131700:main thread : modules.c: file conf.c released module 'lmnet', reference count now 0
> > > 5033.191133723:main thread : modules.c: module 'lmnet' has zero reference count, unloading...
> > > 5033.191135781:main thread : modules.c: Unloading module lmnet
> > > 5033.191152212:main thread : strgen.c: destructing strgen 'RSYSLOG_FileFormat'
> > > 5033.191155173:main thread : strgen.c: destructing strgen 'RSYSLOG_TraditionalFileFormat'
> > > 5033.191157204:main thread : strgen.c: destructing strgen 'RSYSLOG_ForwardFormat'
> > > 5033.191159298:main thread : strgen.c: destructing strgen 'RSYSLOG_TraditionalForwardFormat'
> > > 5033.191164325:main thread : rsyslog.c: rsyslog runtime de-initialized, current users 0
> > > 5033.191166536:main thread : rsyslogd.c: Clean shutdown completed, bye
> > >
> > > -----Original Message-----
> > > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > > Sent: Thursday, May 26, 2022 12:54 PM
> > > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> > >
> > > [EXTERNAL EMAIL] Please report any suspicious attachments, links, or requests for sensitive information.
> > >
> > > Can you do a debug log on the server side, make sure TLS is enabled and run rsyslog through the startup phase? I would assume that we see useful information.
> > >
> > > quick doc:
> > > https://www.rsyslog.com/doc/master/troubleshooting/howtodebug.html
> > >
> > > Rainer
> > >
> > > On Thu, 26 May 2022 at 8:18, Grzegorz Zalewski via rsyslog
> > > (<rsyslog@lists.adiscon.com>) wrote:
> > > >
> > > > Hi
> > > >
> > > > When I turn off TLS, it works fine :/
> > > >
> > > > I don't see any errors in the server logs
> > > >
> > > > -----Original Message-----
> > > > From: Rainer Gerhards <rgerhards@hq.adiscon.com>
> > > > Sent: Wednesday, May 25, 2022 6:39 PM
> > > > To: rsyslog-users <rsyslog@lists.adiscon.com>
> > > > Cc: Grzegorz Zalewski <Grzegorz.Zalewski@inteco.pl>
> > > > Subject: Re: [rsyslog] Rsyslog bad external log encoding ??????
> > > >
> > > > This looks like the server is not using TLS. Any rsyslog error messages in the server log?
> > > >
> > > > Rainer
> > > >
> > > > On Wed, 25 May 2022 at 15:02, Grzegorz Zalewski via rsyslog
> > > > (<rsyslog@lists.adiscon.com>) wrote:
> > > > >
> > > > > Hi
> > > > > > My version of rsyslogd on log server:
> > > > > rsyslogd 8.2106.0 (aka 2021.06) compiled with:
> > > > > PLATFORM: x86_64-suse-linux-gnu
> > > > > PLATFORM (lsb_release -d):
> > > > > FEATURE_REGEXP: Yes
> > > > > GSSAPI Kerberos 5 support: Yes
> > > > > FEATURE_DEBUG (debug build, slow code): No
> > > > > 32bit Atomic operations supported: Yes
> > > > > 64bit Atomic operations supported: Yes
> > > > > memory allocator: system default
> > > > > Runtime Instrumentation (slow code): No
> > > > > uuid support: Yes
> > > > > systemd support: Yes
> > > > > Config file: /etc/rsyslog.conf
> > > > > PID file: /var/run/rsyslogd.pid
> > > > > Number of Bits in RainerScript integers: 64
> > > > >
> > > > > # ######### Receiving Messages from Remote Hosts ##########.
> > > > > > ########### Encrypting Syslog Traffic with TLS ##########
> > > > > > # -- TLS Syslog Server:.
> > > > > ## make gtls driver the default
> > > > > $DefaultNetstreamDriver gtls
> > > > > #
> > > > > ## certificate files
> > > > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_server.pem
> > > > > $DefaultNetstreamDriverCertFile /etc/rsyslog-keys/server.pem
> > > > > $DefaultNetstreamDriverKeyFile /etc/rsyslog-keys/server.pem
> > > > >
> > > > > > $ModLoad imtcp # load TCP listener
> > > > > > #
> > > > > $InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
> > > > > > #$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
> > > > > > $InputTCPServerStreamDriverAuthMode x509/name
> > > > > $InputTCPServerStreamDriverPermittedPeer *.domain.com
> > > > > > $InputTCPServerRun 514 # start up listener at port 10514
> > > > > > #
> > > > > #$EscapeControlCharactersOnReceive off
> > > > > #$Escape8BitCharactersOnReceive off
> > > > >
> > > > > $template RemoteServer, "/var/log/%HOSTNAME%/%SYSLOGFACILITY-TEXT%.log"
> > > > > *.* ?RemoteServer
> > > > >
> > > > > Client conf:
> > > > > # certificate files - just CA for a client
> > > > > $DefaultNetstreamDriverCAFile /etc/rsyslog-keys/CA_client.pem
> > > > >
> > > > > # set up the action
> > > > > $DefaultNetstreamDriver gtls # use gtls netstream driver
> > > > > $ActionSendStreamDriverMode 1 # require TLS for the connection
> > > > > $ActionSendStreamDriverAuthMode x509/name
> > > > >
> > > > > > #$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
> > > > >
> > > > > # Only send log to SERVER.EXAMPLE.COM host
> > > > > $ActionSendStreamDriverPermittedPeer server.domain.com
> > > > > *.* @@(o) server.domain.com:514 # send (all) messages
> > > > >
> > > > > > What I have in the log on the server:
> > > > > 2022-05-25T14:44:32.782021+02:00 client.domain.com #010#005#005#003#010#010#006#001#010#013#010#006#006#003#002#001#002#003#000#026#000#000#000#027#000#000#000##000#000.#001#000#001#000#000#000#000#034#000#032#000#000#027server.
> > > > > domain.coml#000#034#000#002@
> > > > > 2022-05-25T14:44:32.887714+02:00 client.domain.com #026#003#001#000.#001#000#000.#003#003·...?#030J#026#004..#037)#021n.#030..#021..rw..F..#000#0002.,?...
> > > > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > > > > .+...#011.0?.#024./.#023#000...#0005#000...#000/#000...#0009#000..
> > > > > .#
> > > > > 00
> > > > > 03#001#000#000.#000#005#000#005#001#000#000#000#000
> > > > > 2022-05-25T14:44:32.887714+02:00 client.domain.com
> > > > > #000#026#000#024#000#027#000#030#000#031#000#035#000#036#001#000
> > > > > #0
> > > > > 01
> > > > > #0
> > > > > 01#001#002#001#003#001#004#000#013#000#002#001#000#000#015#000"#
> > > > > 00
> > > > > 0
> > > > > #004#001#010#011#010#004#004#003#010#007#00
> > > > > 5#001#010
> > > > >
> > > > > > Before 15 May it was working fine.
> > > > > > I don't have any idea what is wrong.
> > > > >
> > > > > _______________________________________________
> > > > > rsyslog mailing list
> > > > > https://lists.adiscon.net/mailman/listinfo/rsyslog
> > > > > http://www.rsyslog.com/professional-services/
> > > > > > What's up with rsyslog? Follow https://twitter.com/rgerhards
> > > > > > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
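The garbled server lines in the first post are rsyslog's `#ooo` octal escapes for control characters, and `#026#003#001 ... #001` is a TLS handshake record carrying a ClientHello, which is what Rainer's reply "This looks like the server is not using TLS" refers to. The following is an added example, not part of the thread or of rsyslog: a small detector that undoes the escaping and flags such lines. The sample lines are constructed (modeled on those in the first post), and all function names are hypothetical.

```python
import re

# rsyslog writes each control character as '#' plus three octal digits
# (its default escape prefix); that is the "#026#003#001" form in the log.
ESCAPE = re.compile(r"#([0-3][0-7]{2})")
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}


def unescape(msg: str) -> bytes:
    """Turn '#ooo' escapes back into raw bytes; other characters pass through."""
    out, pos = bytearray(), 0
    for m in ESCAPE.finditer(msg):
        out += msg[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += msg[pos:].encode("latin-1", "replace")
    return bytes(out)


def tls_record(payload: bytes):
    """Label a payload that starts with a TLS record header, else return None."""
    if (len(payload) < 3 or payload[0] not in CONTENT_TYPES
            or payload[1] != 3 or payload[2] > 4):
        return None
    label = CONTENT_TYPES[payload[0]]
    if payload[0] == 22 and len(payload) > 5:
        label = HANDSHAKE_TYPES.get(payload[5], label)  # byte 5 = handshake type
    return "tls_" + label


def find_sni(payload: bytes):
    """Find a server_name extension whose three nested lengths agree."""
    for i in range(len(payload) - 8):
        if payload[i:i + 2] != b"\x00\x00" or payload[i + 6] != 0:
            continue
        ext_len = int.from_bytes(payload[i + 2:i + 4], "big")
        list_len = int.from_bytes(payload[i + 4:i + 6], "big")
        name_len = int.from_bytes(payload[i + 7:i + 9], "big")
        name = payload[i + 9:i + 9 + name_len]
        if ext_len == list_len + 2 == name_len + 5 and len(name) == name_len:
            try:
                return name.decode("ascii")
            except UnicodeDecodeError:
                continue
    return None


def classify(line: str):
    """Return (label, sni) for one 'TIMESTAMP HOST MESSAGE' log line."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return "text", None
    payload = unescape(parts[2])
    label = tls_record(payload)
    if label is None:
        # A ClientHello contains LF bytes, so the plain-TCP framing splits it
        # into several "messages"; later pieces are mostly control bytes.
        control = sum(b < 0x20 for b in payload)
        binary = len(payload) > 0 and control >= 0.3 * len(payload)
        label = "binary_fragment" if binary else "text"
    return label, find_sni(payload)


def scan(lines):
    """Per sending host: suspicious labels seen and any requested server name."""
    report = {}
    for line in lines:
        label, sni = classify(line)
        if label == "text":
            continue
        entry = report.setdefault(line.split(" ", 2)[1], {"labels": [], "sni": None})
        entry["labels"].append(label)
        entry["sni"] = entry["sni"] or sni
    return report


# Constructed sample lines, modeled on the output quoted in the first post.
SAMPLE = [
    "2022-05-25T14:44:32.887714+02:00 client.domain.com "
    "#026#003#001#000.#001#000#000*#003#003rw",
    "2022-05-25T14:44:32.887714+02:00 client.domain.com "
    "#000#000#000#026#000#024#000#000#021server.domain.com#000#013#000#002#001#000",
    "2022-05-25T14:45:01.120000+02:00 client.domain.com cron[99]: backup job #123 finished",
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A `tls_client_hello` label on stored lines means the listener passed the handshake bytes to the syslog parser as message text instead of handing them to the TLS netstream driver.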