import rsyslog-8.2102.0-111.el9

.gitignore

@@ -0,0 +1,3 @@
+SOURCES/qpid-proton-0.34.0.tar.gz
+SOURCES/rsyslog-8.2102.0.tar.gz
+SOURCES/rsyslog-doc-8.2102.0.tar.gz

.rsyslog.metadata

@@ -0,0 +1,3 @@
+390e5cb87a6331cf0ce451d7f6552e2c0d97f706 SOURCES/qpid-proton-0.34.0.tar.gz
+fdda78ed808e7a0dca03ead9227a0a5d913a050f SOURCES/rsyslog-8.2102.0.tar.gz
+9c2188d435cb5f79c1c35749003bd2a61e7f2d07 SOURCES/rsyslog-doc-8.2102.0.tar.gz

SOURCES/openssl3-compatibility.patch

@@ -0,0 +1,83 @@
+diff -up ./qpid-proton-0.34.0/c/src/ssl/openssl.c.orig ./qpid-proton-0.34.0/c/src/ssl/openssl.c
+--- ./qpid-proton-0.34.0/c/src/ssl/openssl.c.orig	2021-06-01 09:29:27.976842727 +0200
++++ ./qpid-proton-0.34.0/c/src/ssl/openssl.c	2021-06-01 09:31:05.232015887 +0200
+@@ -353,65 +353,6 @@ static int verify_callback(int preverify
+   return preverify_ok;
+ }
+ 
+-// This was introduced in v1.1
+-#if OPENSSL_VERSION_NUMBER < 0x10100000
+-int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+-{
+-  dh->p = p;
+-  dh->q = q;
+-  dh->g = g;
+-  return 1;
+-}
+-#endif
+-
+-// this code was generated using the command:
+-// "openssl dhparam -C -2 2048"
+-static DH *get_dh2048(void)
+-{
+-  static const unsigned char dhp_2048[]={
+-    0xAE,0xF7,0xE9,0x66,0x26,0x7A,0xAC,0x0A,0x6F,0x1E,0xCD,0x81,
+-    0xBD,0x0A,0x10,0x7E,0xFA,0x2C,0xF5,0x2D,0x98,0xD4,0xE7,0xD9,
+-    0xE4,0x04,0x8B,0x06,0x85,0xF2,0x0B,0xA3,0x90,0x15,0x56,0x0C,
+-    0x8B,0xBE,0xF8,0x48,0xBB,0x29,0x63,0x75,0x12,0x48,0x9D,0x7E,
+-    0x7C,0x24,0xB4,0x3A,0x38,0x7E,0x97,0x3C,0x77,0x95,0xB0,0xA2,
+-    0x72,0xB6,0xE9,0xD8,0xB8,0xFA,0x09,0x1B,0xDC,0xB3,0x80,0x6E,
+-    0x32,0x0A,0xDA,0xBB,0xE8,0x43,0x88,0x5B,0xAB,0xC3,0xB2,0x44,
+-    0xE1,0x95,0x85,0x0A,0x0D,0x13,0xE2,0x02,0x1E,0x96,0x44,0xCF,
+-    0xA0,0xD8,0x46,0x32,0x68,0x63,0x7F,0x68,0xB3,0x37,0x52,0xCE,
+-    0x3A,0x4E,0x48,0x08,0x7F,0xD5,0x53,0x00,0x59,0xA8,0x2C,0xCB,
+-    0x51,0x64,0x3D,0x5F,0xEF,0x0E,0x5F,0xE6,0xAF,0xD9,0x1E,0xA2,
+-    0x35,0x64,0x37,0xD7,0x4C,0xC9,0x24,0xFD,0x2F,0x75,0xBB,0x3A,
+-    0x15,0x82,0x76,0x4D,0xC2,0x8B,0x1E,0xB9,0x4B,0xA1,0x33,0xCF,
+-    0xAA,0x3B,0x7C,0xC2,0x50,0x60,0x6F,0x45,0x69,0xD3,0x6B,0x88,
+-    0x34,0x9B,0xE4,0xF8,0xC6,0xC7,0x5F,0x10,0xA1,0xBA,0x01,0x8C,
+-    0xDA,0xD1,0xA3,0x59,0x9C,0x97,0xEA,0xC3,0xF6,0x02,0x55,0x5C,
+-    0x92,0x1A,0x39,0x67,0x17,0xE2,0x9B,0x27,0x8D,0xE8,0x5C,0xE9,
+-    0xA5,0x94,0xBB,0x7E,0x16,0x6F,0x53,0x5A,0x6D,0xD8,0x03,0xC2,
+-    0xAC,0x7A,0xCD,0x22,0x98,0x8E,0x33,0x2A,0xDE,0xAB,0x12,0xC0,
+-    0x0B,0x7C,0x0C,0x20,0x70,0xD9,0x0B,0xAE,0x0B,0x2F,0x20,0x9B,
+-    0xA4,0xED,0xFD,0x49,0x0B,0xE3,0x4A,0xF6,0x28,0xB3,0x98,0xB0,
+-    0x23,0x1C,0x09,0x33,
+-  };
+-  static const unsigned char dhg_2048[]={
+-    0x02,
+-  };
+-  DH *dh = DH_new();
+-  BIGNUM *dhp_bn, *dhg_bn;
+-
+-  if (dh == NULL)
+-    return NULL;
+-  dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
+-  dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
+-  if (dhp_bn == NULL || dhg_bn == NULL
+-      || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+-    DH_free(dh);
+-    BN_free(dhp_bn);
+-    BN_free(dhg_bn);
+-    return NULL;
+-  }
+-  return dh;
+-}
+-
+ typedef struct {
+   char *id;
+   SSL_SESSION *session;
+@@ -542,13 +483,6 @@ static bool pni_init_ssl_domain( pn_ssl_
+   domain->default_seclevel = SSL_CTX_get_security_level(domain->ctx);
+ # endif
+ 
+-  DH *dh = get_dh2048();
+-  if (dh) {
+-    SSL_CTX_set_tmp_dh(domain->ctx, dh);
+-    DH_free(dh);
+-    SSL_CTX_set_options(domain->ctx, SSL_OP_SINGLE_DH_USE);
+-  }
+-
+   return true;
+ }
+ 

SOURCES/rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch

@@ -0,0 +1,93 @@
+diff -up ./plugins/imjournal/imjournal.c.default-tag ./plugins/imjournal/imjournal.c
+--- ./plugins/imjournal/imjournal.c.default-tag	2018-05-17 08:50:11.416418022 -0400
++++ ./plugins/imjournal/imjournal.c	2018-05-17 08:53:02.884418022 -0400
+@@ -78,6 +78,7 @@ static struct configSettings_s {
+ 	int bWorkAroundJournalBug; /* deprecated, left for backwards compatibility only */
+ 	int bFsync;
+ 	int bRemote;
++	char *dfltTag;
+ } cs;
+ 
+ static rsRetVal facilityHdlr(uchar **pp, void *pVal);
+@@ -93,7 +94,8 @@ static struct cnfparamdescr modpdescr[]
+ 	{ "usepid", eCmdHdlrString, 0 },
+ 	{ "workaroundjournalbug", eCmdHdlrBinary, 0 },
+ 	{ "fsync", eCmdHdlrBinary, 0 },
+-	{ "remote", eCmdHdlrBinary, 0 }
++	{ "remote", eCmdHdlrBinary, 0 },
++	{ "defaulttag", eCmdHdlrGetWord, 0 }
+ };
+ static struct cnfparamblk modpblk =
+ 	{ CNFPARAMBLK_VERSION,
+@@ -104,6 +106,7 @@ static struct cnfparamblk modpblk =
+ #define DFLT_persiststateinterval 10
+ #define DFLT_SEVERITY pri2sev(LOG_NOTICE)
+ #define DFLT_FACILITY pri2fac(LOG_USER)
++#define DFLT_TAG "journal"
+ 
+ static int bLegacyCnfModGlobalsPermitted = 1;/* are legacy module-global config parameters permitted? */
+ 
+@@ -268,7 +271,7 @@ readjournal(void)
+ 
+ 	/* Information from messages */
+ 	char *message = NULL;
+-	char *sys_iden;
++	char *sys_iden = NULL;
+ 	char *sys_iden_help = NULL;
+ 
+ 	const void *get;
+@@ -331,7 +334,7 @@ readjournal(void)
+ 	if (journalGetData("SYSLOG_IDENTIFIER", &get, &length) >= 0) {
+ 		CHKiRet(sanitizeValue(((const char *)get) + 18, length - 18, &sys_iden));
+ 	} else {
+-		CHKmalloc(sys_iden = strdup("journal"));
++		CHKmalloc(sys_iden = strdup(cs.dfltTag));
+ 	}
+ 
+ 	/* trying to get PID, default is "SYSLOG_PID" property */
+@@ -654,6 +657,11 @@ CODESTARTrunInput
+ 			"\"usepidfromsystem\" is depricated, use \"usepid\" instead");
+ 	}
+ 
++	if (cs.dfltTag == NULL) {
++		cs.dfltTag = strdup(DFLT_TAG);
++	}
++
++
+ 	if (cs.usePid && (strcmp(cs.usePid, "system") == 0)) {
+ 		pidFieldName = "_PID";
+ 		bPidFallBack = 0;
+@@ -732,6 +740,7 @@ CODESTARTbeginCnfLoad
+ 	cs.bWorkAroundJournalBug = 1;
+ 	cs.bFsync = 0;
+ 	cs.bRemote = 0;
++	cs.dfltTag = NULL;
+ ENDbeginCnfLoad
+ 
+ 
+@@ -754,6 +763,7 @@ BEGINfreeCnf
+ CODESTARTfreeCnf
+ 	free(cs.stateFile);
+ 	free(cs.usePid);
++	free(cs.dfltTag);
+ 	free(journalContext.cursor);
+ 	statsobj.Destruct(&(statsCounter.stats));
+ ENDfreeCnf
+@@ -832,6 +842,8 @@ CODESTARTsetModCnf
+ 			cs.bFsync = (int) pvals[i].val.d.n;
+ 		} else if (!strcmp(modpblk.descr[i].name, "remote")) {
+ 			cs.bRemote = (int) pvals[i].val.d.n;
++		} else if (!strcmp(modpblk.descr[i].name, "defaulttag")) {
++			cs.dfltTag = (char *)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else {
+ 			dbgprintf("imjournal: program error, non-handled "
+ 				"param '%s' in beginCnfLoad\n", modpblk.descr[i].name);
+@@ -799,6 +820,8 @@ CODEmodInit_QueryRegCFSLineHdlr
+ 		facilityHdlr, &cs.iDfltFacility, STD_LOADABLE_MODULE_ID));
+ 	CHKiRet(omsdRegCFSLineHdlr((uchar *)"imjournalusepidfromsystem", 0, eCmdHdlrBinary,
+ 		NULL, &cs.bUseJnlPID, STD_LOADABLE_MODULE_ID));
++	CHKiRet(omsdRegCFSLineHdlr((uchar *)"imjournaldefaulttag", 0, eCmdHdlrGetWord,
++		NULL, &cs.dfltTag, STD_LOADABLE_MODULE_ID));
+ ENDmodInit
+ /* vim:set ai:
+  */

SOURCES/rsyslog-8.2102.0-capabilities-drop-credential.patch

@@ -0,0 +1,67 @@
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2023-02-17 11:52:17.460043970 +0100
++++ rsyslog-8.2102.0/runtime/rsconf.c	2023-02-17 12:00:49.881602881 +0100
+@@ -33,9 +33,6 @@
+ #include <sys/resource.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+-#ifdef ENABLE_LIBCAPNG
+-	#include <cap-ng.h>
+-#endif
+ 
+ #include "rsyslog.h"
+ #include "obj.h"
+@@ -549,7 +546,7 @@ rsRetVal doDropPrivGid(void)
+ 	uchar szBuf[1024];
+ 	DEFiRet;
+ 
+-#ifndef ENABLE_LIBCAPNG
++
+ 	if(!ourConf->globals.gidDropPrivKeepSupplemental) {
+ 		res = setgroups(0, NULL); /* remove all supplemental group IDs */
+ 		if(res) {
+@@ -567,15 +564,6 @@ rsRetVal doDropPrivGid(void)
+ 				"could not set requested group id: %s via setgid()", szBuf);
+ 		ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
+ 	}
+-#else
+-	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
+-	res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
+-	if (res) {
+-		LogError(0, RS_RET_LIBCAPNG_ERR,
+-				"could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
+-		ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
+-	}
+-#endif
+ 
+ 	DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
+ 	snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
+@@ -613,13 +601,8 @@ static void doDropPrivUid(int iUid)
+ 				iUid, szBuf);
+ 	}
+ 
+-#ifndef ENABLE_LIBCAPNG
++
+ 	res = setuid(iUid);
+-	// res = setuid(cnf->globals.uidDropPriv);
+-#else
+-	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
+-	res = capng_change_id(iUid, -1, capng_flags);
+-#endif
+ 
+ 	if(res) {
+ 		/* if we can not set the userid, this is fatal, so let's unconditionally abort */
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2023-02-17 11:52:00.011011019 +0100
++++ rsyslog-8.2102.0/tools/rsyslogd.c	2023-02-17 11:58:37.322491823 +0100
+@@ -2161,9 +2161,9 @@ main(int argc, char **argv)
+ 		CAP_LEASE,
+ 		CAP_NET_ADMIN,
+ 		CAP_NET_BIND_SERVICE,
+-		CAP_PERFMON,
+ 		CAP_SETGID,
+ 		CAP_SETUID,
++		CAP_DAC_OVERRIDE,
+ 		CAP_SYS_ADMIN,
+ 		CAP_SYS_CHROOT,
+ 		CAP_SYS_RESOURCE,

SOURCES/rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch

@@ -0,0 +1,21 @@
+diff -up rsyslog-8.2102.0/plugins/omrelp/omrelp.c.orig rsyslog-8.2102.0/plugins/omrelp/omrelp.c
+--- rsyslog-8.2102.0/plugins/omrelp/omrelp.c.orig	2021-06-15 12:46:14.758589030 +0200
++++ rsyslog-8.2102.0/plugins/omrelp/omrelp.c	2021-06-15 12:47:08.130516632 +0200
+@@ -303,7 +303,7 @@ ENDfreeCnf
+ BEGINcreateInstance
+ CODESTARTcreateInstance
+ 	pData->sizeWindow = 0;
+-	pData->timeout = 90;
++	pData->timeout = 5;
+ 	pData->connTimeout = 10;
+ 	pData->rebindInterval = 0;
+ 	pData->bEnableTLS = DFLT_ENABLE_TLS;
+@@ -365,7 +365,7 @@ setInstParamDefaults(instanceData *pData
+ 	pData->target = NULL;
+ 	pData->port = NULL;
+ 	pData->tplName = NULL;
+-	pData->timeout = 90;
++	pData->timeout = 5;
+ 	pData->connTimeout = 10;
+ 	pData->sizeWindow = 0;
+ 	pData->rebindInterval = 0;

SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch

@@ -0,0 +1,47 @@
+diff -up rsyslog-8.2102.0/doc/configuration/modules/imfile.html.state-file-leaking-doc rsyslog-8.2102.0/doc/configuration/modules/imfile.html
+--- rsyslog-8.2102.0/doc/configuration/modules/imfile.html.state-file-leaking-doc	2021-02-15 12:53:31.000000000 +0100
++++ rsyslog-8.2102.0/doc/configuration/modules/imfile.html	2022-03-29 10:35:07.187827004 +0200
+@@ -294,6 +294,28 @@ rsyslog needs write permissions to work
+ also might require SELinux definitions (or similar for other enhanced security
+ systems).</p>
+ </div>
++<div class="section" id="deletestateonfilemove">
++<h4>deleteStateOnFileMove<a class="headerlink" href="#deletestateonfilemove" title="Permalink to this headline">¶</a></h4>
++<table border="1" class="colwidths-auto parameter-table docutils">
++<thead valign="bottom">
++<tr class="row-odd"><th class="head">type</th>
++<th class="head">default</th>
++<th class="head">mandatory</th>
++<th class="head"><code class="docutils literal notranslate"><span class="pre">obsolete</span> <span class="pre">legacy</span></code> directive</th>
++</tr>
++</thead>
++<tbody valign="top">
++<tr class="row-even"><td>binary</td>
++<td>off</td>
++<td>no</td>
++<td>none</td>
++</tr>
++</tbody>
++</table>
++<p>This parameter controls if state files are deleted if their associated main file is rotated via move. Usually, this is a good idea, because otherwise state files are not deleted when log rotation occurs.</p>
++
++<p>However, there is one situation where not deleting associated state file after log rotation makes sense: this is the case if a monitored file is later moved back to the same location as it was before.</p>
++</div>
+ </div>
+ <div class="section" id="input-parameters">
+ <h3>Input Parameters<a class="headerlink" href="#input-parameters" title="Permalink to this headline">¶</a></h3>
+@@ -1214,6 +1236,7 @@ and Others.</p>
+ <li><a class="reference internal" href="#sortfiles">sortFiles</a></li>
+ <li><a class="reference internal" href="#pollinginterval">PollingInterval</a></li>
+ <li><a class="reference internal" href="#statefile-directory">statefile.directory</a></li>
++<li><a class="reference internal" href="#deletestateonfilemove">deleteStateOnFileMove</a></li>
+ </ul>
+ </li>
+ <li><a class="reference internal" href="#input-parameters">Input Parameters</a><ul>
+@@ -1311,4 +1334,4 @@ and Others.</p>
+     <div class="footer" role="contentinfo">
+     </div>
+   </body>
+-</html>
+\ No newline at end of file
++</html>

SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch

@@ -0,0 +1,162 @@
+diff -up rsyslog-8.2102.0/plugins/imfile/imfile.c.state-file-leaking rsyslog-8.2102.0/plugins/imfile/imfile.c
+--- rsyslog-8.2102.0/plugins/imfile/imfile.c.state-file-leaking	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/plugins/imfile/imfile.c	2022-03-28 12:51:03.572554843 +0200
+@@ -259,6 +259,7 @@ struct modConfData_s {
+ 				   Must be manually reset to 0 if desired. Helper for
+ 				   polling mode.
+ 				 */
++	sbool deleteStateOnFileMove;
+ };
+ static modConfData_t *loadModConf = NULL;/* modConf ptr to use for the current load process */
+ static modConfData_t *runModConf = NULL;/* modConf ptr to use for run process */
+@@ -305,7 +306,8 @@ static struct cnfparamdescr modpdescr[]
+ 	{ "sortfiles", eCmdHdlrBinary, 0 },
+ 	{ "statefile.directory", eCmdHdlrString, 0 },
+ 	{ "normalizepath", eCmdHdlrBinary, 0 },
+-	{ "mode", eCmdHdlrGetWord, 0 }
++	{ "mode", eCmdHdlrGetWord, 0 },
++	{ "deletestateonfilemove", eCmdHdlrBinary, 0 }
+ };
+ static struct cnfparamblk modpblk =
+ 	{ CNFPARAMBLK_VERSION,
+@@ -545,11 +547,20 @@ static int
+ in_setupWatch(act_obj_t *const act, const int is_file)
+ {
+ 	int wd = -1;
++	int flags;
+ 	if(runModConf->opMode != OPMODE_INOTIFY)
+ 		goto done;
+ 
+-	wd = inotify_add_watch(ino_fd, act->name,
+-		(is_file) ? IN_MODIFY|IN_DONT_FOLLOW : IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO);
++	// wd = inotify_add_watch(ino_fd, act->name,
++	// 	(is_file) ? IN_MODIFY|IN_DONT_FOLLOW : IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO);
++	if(is_file)
++		flags = IN_MODIFY|IN_DONT_FOLLOW;
++	else if(runModConf->deleteStateOnFileMove)
++		flags = IN_CREATE|IN_DELETE|IN_MOVED_TO;
++	else
++		flags = IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO;
++	wd = inotify_add_watch(ino_fd, act->name, flags);
++
+ 	if(wd < 0) {
+ 		if (errno == EACCES) { /* There is high probability of selinux denial on top-level paths */
+ 			DBGPRINTF("imfile: permission denied when adding watch for '%s'\n", act->name);
+@@ -713,7 +724,7 @@ act_obj_add(fs_edge_t *const edge, const
+ 	char basename[MAXFNAME];
+ 	DEFiRet;
+ 	int fd = -1;
+-	
++
+ 	DBGPRINTF("act_obj_add: edge %p, name '%s' (source '%s')\n", edge, name, source? source : "---");
+ 	for(act = edge->active ; act != NULL ; act = act->next) {
+ 		if(!strcmp(act->name, name)) {
+@@ -977,9 +988,18 @@ act_obj_destroy(act_obj_t *const act, co
+ 	if(act == NULL)
+ 		return;
+ 
+-	DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n",
+-		act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted,
+-		act->in_move);
++	// DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n",
++	// 	act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted,
++	// 	act->in_move);
++	if (runModConf->deleteStateOnFileMove) {
++		DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d\n",
++			act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted);
++	} else {
++		DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n",
++			act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm,
++			is_deleted, act->in_move);
++	}
++
+ 	if(act->is_symlink && is_deleted) {
+ 		act_obj_t *target_act;
+ 		for(target_act = act->edge->active ; target_act != NULL ; target_act = target_act->next) {
+@@ -996,13 +1016,15 @@ act_obj_destroy(act_obj_t *const act, co
+ 		pollFile(act); /* get any left-over data */
+ 		if(inst->bRMStateOnDel) {
+ 			statefn = getStateFileName(act, statefile, sizeof(statefile));
+-			getFullStateFileName(statefn, "", toDel, sizeof(toDel)); // TODO: check!
++			// getFullStateFileName(statefn, "", toDel, sizeof(toDel)); // TODO: check!
++			getFullStateFileName(statefn, act->file_id, toDel, sizeof(toDel)); // TODO: check!
+ 			statefn = toDel;
+ 		}
+ 		persistStrmState(act);
+ 		strm.Destruct(&act->pStrm);
+ 		/* we delete state file after destruct in case strm obj initiated a write */
+-		if(is_deleted && !act->in_move && inst->bRMStateOnDel) {
++		// if(is_deleted && !act->in_move && inst->bRMStateOnDel) {
++		if(is_deleted && inst->bRMStateOnDel && (runModConf->deleteStateOnFileMove || !act->in_move)) {
+ 			DBGPRINTF("act_obj_destroy: deleting state file %s\n", statefn);
+ 			unlink((char*)statefn);
+ 		}
+@@ -1012,6 +1034,7 @@ act_obj_destroy(act_obj_t *const act, co
+ 	}
+ 	#ifdef HAVE_INOTIFY_INIT
+ 	if(act->wd != -1) {
++		inotify_rm_watch(ino_fd, act->wd);
+ 		wdmapDel(act->wd);
+ 	}
+ 	#endif
+@@ -2026,6 +2049,7 @@ CODESTARTbeginCnfLoad
+ 	loadModConf->timeoutGranularity = 1000; /* default: 1 second */
+ 	loadModConf->haveReadTimeouts = 0; /* default: no timeout */
+ 	loadModConf->normalizePath = 1;
++	loadModConf->deleteStateOnFileMove = 0;
+ 	loadModConf->sortFiles = GLOB_NOSORT;
+ 	loadModConf->stateFileDirectory = NULL;
+ 	loadModConf->conf_tree = calloc(sizeof(fs_node_t), 1);
+@@ -2085,6 +2109,8 @@ CODESTARTsetModCnf
+ 			loadModConf->stateFileDirectory = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(modpblk.descr[i].name, "normalizepath")) {
+ 			loadModConf->normalizePath = (sbool) pvals[i].val.d.n;
++		} else if(!strcmp(modpblk.descr[i].name, "deletestateonfilemove")) {
++			loadModConf->deleteStateOnFileMove = (sbool) pvals[i].val.d.n;
+ 		} else if(!strcmp(modpblk.descr[i].name, "mode")) {
+ 			if(!es_strconstcmp(pvals[i].val.d.estr, "polling"))
+ 				loadModConf->opMode = OPMODE_POLLING;
+@@ -2388,16 +2414,35 @@ in_processEvent(struct inotify_event *ev
+ 	DBGPRINTF("in_processEvent process Event %x is_file %d, act->name '%s'\n",
+ 		ev->mask, etry->act->edge->is_file, etry->act->name);
+ 
+-	if((ev->mask & IN_MOVED_FROM)) {
+-		flag_in_move(etry->act->edge->node->edges, ev->name);
+-	}
+-	if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO))  {
+-		fs_node_walk(etry->act->edge->node, poll_tree);
+-	} else if(etry->act->edge->is_file && !(etry->act->is_symlink)) {
+-		in_handleFileEvent(ev, etry); // esentially poll_file()!
++	// if((ev->mask & IN_MOVED_FROM)) {
++	// 	flag_in_move(etry->act->edge->node->edges, ev->name);
++	// }
++	// if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO))  {
++	// 	fs_node_walk(etry->act->edge->node, poll_tree);
++	// } else if(etry->act->edge->is_file && !(etry->act->is_symlink)) {
++	// 	in_handleFileEvent(ev, etry); // esentially poll_file()!
++	// } else {
++	// 	fs_node_walk(etry->act->edge->node, poll_tree);
++	// }
++	if(!runModConf->deleteStateOnFileMove) {
++		if((ev->mask & IN_MOVED_FROM)) {
++			flag_in_move(etry->act->edge->node->edges, ev->name);
++		}
++		if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO))  {
++			fs_node_walk(etry->act->edge->node, poll_tree);
++		} else if(etry->act->edge->is_file && !(etry->act->is_symlink)) {
++			in_handleFileEvent(ev, etry); // esentially poll_file()!
++		} else {
++			fs_node_walk(etry->act->edge->node, poll_tree);
++		}
+ 	} else {
+-		fs_node_walk(etry->act->edge->node, poll_tree);
++		if((ev->mask & IN_MODIFY) && etry->act->edge->is_file && !(etry->act->is_symlink)) {
++			in_handleFileEvent(ev, etry); // esentially poll_file()!
++		} else {
++			fs_node_walk(etry->act->edge->node, poll_tree);
++		}
+ 	}
++
+ done:	return;
+ }
+ 

SOURCES/rsyslog-8.2102.0-rhbz1938863-covscan.patch

@@ -0,0 +1,163 @@
+diff -up rsyslog-8.2102.0/contrib/imdocker/imdocker.c.covscan rsyslog-8.2102.0/contrib/imdocker/imdocker.c
+--- rsyslog-8.2102.0/contrib/imdocker/imdocker.c.covscan	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/contrib/imdocker/imdocker.c	2021-07-22 14:10:31.877231143 +0200
+@@ -1527,6 +1527,7 @@ process_json(sbool isInit, const char* j
+ 									pInstances->last_container_id,
+ 									(unsigned)pInstances->last_container_created);
+ 						}
++						// coverity[leaked_storage : FALSE]
+ 						CHKiRet(dockerContLogsInstSetUrlById(isInit, pInst,
+ 									pInstances->curlm, containerId));
+ 						CHKiRet(dockerContLogReqsAdd(pInstances, pInst));
+diff -up rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c.covscan rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c
+--- rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c.covscan	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c	2021-07-22 14:10:31.877231143 +0200
+@@ -324,7 +324,6 @@ BEGINnewActInst
+ 	struct cnfparamvals *pvals;
+ 	int i;
+ 	int iNumTpls;
+-	uchar *keydup = NULL;
+ CODESTARTnewActInst
+ 	if((pvals = nvlstGetParams(lst, &actpblk, NULL)) == NULL)
+ 		ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
+@@ -417,14 +416,11 @@ CODESTARTnewActInst
+ 	CHKiRet(OMSRsetEntry(*ppOMSR, 0, (uchar*)pData->tplName, OMSR_NO_RQD_TPL_OPTS));
+ 
+ 	if (pData->dynaKey) {
+-		CHKmalloc(keydup = ustrdup(pData->key));
+ 		CHKiRet(OMSRsetEntry(*ppOMSR, 1, ustrdup(pData->key), OMSR_NO_RQD_TPL_OPTS));
+-		keydup = NULL; /* handed over */
+ 	}
+ 
+ CODE_STD_FINALIZERnewActInst
+ 	cnfparamvalsDestruct(pvals, &actpblk);
+-	free(keydup);
+ ENDnewActInst
+ 
+ 
+diff -up rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c.covscan rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c
+--- rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c.covscan	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c	2021-07-22 14:10:31.877231143 +0200
+@@ -778,6 +778,7 @@ static rsRetVal publishRabbitMQ(wrkrInst
+ 		ABORT_FINALIZE(RS_RET_RABBITMQ_CONN_ERR);
+ 	}
+ 
++	// coverity[identical_branches : FALSE]
+ 	if (manage_error(amqp_basic_publish(self->a_conn, 1, exchange, routing_key,
+ 			0, 0, p_amqp_props, body_bytes), "amqp_basic_publish")) {
+ 		/* error already notified */
+diff -up rsyslog-8.2102.0/grammar/rainerscript.c.covscan rsyslog-8.2102.0/grammar/rainerscript.c
+--- rsyslog-8.2102.0/grammar/rainerscript.c.covscan	2021-02-15 12:06:16.000000000 +0100
++++ rsyslog-8.2102.0/grammar/rainerscript.c	2021-07-22 14:10:31.878231140 +0200
+@@ -2814,7 +2814,7 @@ evalVar(struct cnfvar *__restrict__ cons
+ 		if(bMustBeFreed)
+ 			free(pszProp);
+ 	}
+-
++	// coverity[leaked_storage : FALSE]
+ }
+ 
+ /* perform a string comparision operation against a while array. Semantic is
+diff -up rsyslog-8.2102.0/plugins/imfile/imfile.c.covscan rsyslog-8.2102.0/plugins/imfile/imfile.c
+--- rsyslog-8.2102.0/plugins/imfile/imfile.c.covscan	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/plugins/imfile/imfile.c	2021-07-22 14:10:31.878231140 +0200
+@@ -1278,6 +1278,7 @@ static void ATTR_NONNULL(1)
+ getFileID(act_obj_t *const act)
+ {
+ 	char tmp_id[FILE_ID_HASH_SIZE];
++	// coverity[buffer_size_warning : FALSE]
+ 	strncpy(tmp_id, (const char*)act->file_id, FILE_ID_HASH_SIZE);
+ 	act->file_id[0] = '\0';
+ 	assert(act->fd >= 0); /* fd must have been opened at act_obj_t creation! */
+@@ -1290,6 +1291,7 @@ getFileID(act_obj_t *const act)
+ 		DBGPRINTF("getFileID partial or error read, ret %d\n", r);
+ 	}
+ 	if (strncmp(tmp_id, act->file_id, FILE_ID_HASH_SIZE)) {/* save the old id for cleaning purposes */
++		// coverity[buffer_size_warning : FALSE]
+ 		strncpy(act->file_id_prev, tmp_id, FILE_ID_HASH_SIZE);
+ 	}
+ 	DBGPRINTF("getFileID for '%s', file_id_hash '%s'\n", act->name, act->file_id);
+@@ -1544,6 +1546,7 @@ openFileWithoutStateFile(act_obj_t *cons
+ 		const int fd = open(act->name, O_RDONLY | O_CLOEXEC);
+ 		if(fd >= 0) {
+ 			act->pStrm->iCurrOffs = lseek64(fd, 0, SEEK_END);
++			close(fd);
+ 			if(act->pStrm->iCurrOffs < 0) {
+ 				act->pStrm->iCurrOffs = 0;
+ 				LogError(errno, RS_RET_ERR, "imfile: could not query current "
+diff -up rsyslog-8.2102.0/plugins/imptcp/imptcp.c.covscan rsyslog-8.2102.0/plugins/imptcp/imptcp.c
+--- rsyslog-8.2102.0/plugins/imptcp/imptcp.c.covscan	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/plugins/imptcp/imptcp.c	2021-07-22 14:10:31.878231140 +0200
+@@ -1920,6 +1920,7 @@ lstnActivity(ptcplstn_t *const pLstn)
+ 	}
+ 
+ finalize_it:
++	// coverity[leaked_handle : FALSE]
+ 	RETiRet;
+ }
+ 
+diff -up rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c.covscan rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c
+--- rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c.covscan	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c	2021-07-22 14:10:31.879231138 +0200
+@@ -394,7 +394,7 @@ CODEmodInit_QueryRegCFSLineHdlr
+ 		ABORT_FINALIZE(RS_RET_NO_MSG_PASSING);
+ 	}
+ 
+-	
++	// coverity[identical_branches : FALSE]
+ 	CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler,
+ 				    resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID));
+ ENDmodInit
+diff -up rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c.covscan rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c
+--- rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c.covscan	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c	2021-07-22 14:10:31.879231138 +0200
+@@ -368,6 +368,7 @@ writeDataError(wrkrInstanceData_t *const
+ 	}
+ 
+ finalize_it:
++	// coverity[leaked_storage : FALSE]
+ 	RETiRet;
+ }
+ 
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.covscan rsyslog-8.2102.0/runtime/nsd_gtls.c
+--- rsyslog-8.2102.0/runtime/nsd_gtls.c.covscan	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2021-07-22 14:17:06.183174167 +0200
+@@ -227,7 +227,7 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
+ 	pThis->bOurKeyIsInit = 1;
+ 	CHKgnutls(gnutls_x509_privkey_import(pThis->ourKey, &data, GNUTLS_X509_FMT_PEM));
+ 	free(data.data);
+-
++	data.data = NULL;
+ 
+ finalize_it:
+ 	if(iRet == RS_RET_CERTLESS) {
+diff -up rsyslog-8.2102.0/runtime/nsd_ptcp.c.covscan rsyslog-8.2102.0/runtime/nsd_ptcp.c
+--- rsyslog-8.2102.0/runtime/nsd_ptcp.c.covscan	2021-02-15 08:20:04.000000000 +0100
++++ rsyslog-8.2102.0/runtime/nsd_ptcp.c	2021-07-22 14:10:31.879231138 +0200
+@@ -191,6 +191,7 @@ SetTlsVerifyDepth(nsd_t __attribute__((u
+ 	nsd_ptcp_t *pThis = (nsd_ptcp_t*) pNsd;
+ 	DEFiRet;
+ 	ISOBJ_TYPE_assert((pThis), nsd_ptcp);
++	// coverity[identical_branches : FALSE]
+ 	if (verifyDepth == 0) {
+ 		FINALIZE;
+ 	}
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.covscan rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.covscan	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/tools/rsyslogd.c	2021-07-22 14:10:31.879231138 +0200
+@@ -293,6 +293,7 @@ writePidFile(void)
+ 		free((void*)tmpPidFile);
+ 	}
+ finalize_it:
++	// coverity[leaked_storage : FALSE]
+ 	RETiRet;
+ }
+ 
+@@ -1026,6 +1027,7 @@ splitOversizeMessage(smsg_t *const pMsg)
+ 	/* if necessary, write partial last segment */
+ 	if(len_last_segment != 0) {
+ 		CHKmalloc(pMsg_seg = MsgDup(pMsg));
++		// coverity[copy_paste_error : FALSE]
+ 		MsgSetRawMsg(pMsg_seg, rawmsg + (nsegments * maxlen), len_last_segment);
+ 		submitMsg2(pMsg_seg);
+ 	}

SOURCES/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch

@@ -0,0 +1,20 @@
+diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
+--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig	2021-06-15 12:30:35.238832058 +0200
++++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c	2021-06-15 12:32:04.699721356 +0200
+@@ -565,6 +565,8 @@ persistJournalState(void)
+ 		ABORT_FINALIZE(RS_RET_IO_ERROR);
+ 	}
+ 
++	fflush(sf);
++
+ 	/* change the name of the file to the configured one */
+ 	if (rename(tmp_sf, cs.stateFile) < 0) {
+ 		LogError(errno, iRet, "imjournal: rename() failed for new path: '%s'", cs.stateFile);
+@@ -586,6 +588,7 @@ persistJournalState(void)
+ 			LogError(errno, RS_RET_IO_ERROR, "imjournal: fsync on '%s' failed", glbl.GetWorkDir());
+ 			ABORT_FINALIZE(RS_RET_IO_ERROR);
+ 		}
++		closedir(wd);
+ 	}
+ 
+ 	DBGPRINTF("Persisted journal to '%s'\n", cs.stateFile);

SOURCES/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch

@@ -0,0 +1,102 @@
+diff -up rsyslog-8.2102.0/runtime/cfsysline.c.orig rsyslog-8.2102.0/runtime/cfsysline.c
+--- rsyslog-8.2102.0/runtime/cfsysline.c.orig	2021-08-04 07:16:02.663163106 +0200
++++ rsyslog-8.2102.0/runtime/cfsysline.c	2021-08-04 07:18:05.952490008 +0200
+@@ -353,13 +353,8 @@ static rsRetVal doGetGID(uchar **pp, rsR
+ 	assert(*pp != NULL);
+ 
+ 	if(getSubString(pp, (char*) szName, sizeof(szName), ' ')  != 0) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "could not extract group name: %s\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "could not extract group name");
+-			ABORT_FINALIZE(RS_RET_NOT_FOUND);
+-		}
++		LogError(0, RS_RET_NOT_FOUND, "could not extract group name");
++		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+ 
+ 	do {
+@@ -380,10 +375,6 @@ static rsRetVal doGetGID(uchar **pp, rsR
+ 			LogError(0, RS_RET_NOT_FOUND, "ID for group '%s' could not be found", szName);
+ 		}
+ 		iRet = RS_RET_NOT_FOUND;
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "ID for group '%s' could not be found or error\n", szName);
+-			exit(1); /* good exit */
+-		}
+ 	} else {
+ 		if(pSetHdlr == NULL) {
+ 			/* we should set value directly to var */
+@@ -418,25 +409,15 @@ static rsRetVal doGetUID(uchar **pp, rsR
+ 	assert(*pp != NULL);
+ 
+ 	if(getSubString(pp, (char*) szName, sizeof(szName), ' ')  != 0) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "could not extract user name: %s\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "could not extract user name");
+-			ABORT_FINALIZE(RS_RET_NOT_FOUND);
+-		}
++		LogError(0, RS_RET_NOT_FOUND, "could not extract user name");
++		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+ 
+ 	getpwnam_r((char*)szName, &pwBuf, stringBuf, sizeof(stringBuf), &ppwBuf);
+ 
+ 	if(ppwBuf == NULL) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "ID for user '%s' could not be found or error\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName);
+-			iRet = RS_RET_NOT_FOUND;
+-		}
++		LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName);
++		iRet = RS_RET_NOT_FOUND;
+ 	} else {
+ 		if(pSetHdlr == NULL) {
+ 			/* we should set value directly to var */
+diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
+--- rsyslog-8.2102.0/runtime/glbl.c.orig	2021-08-04 07:18:19.301633677 +0200
++++ rsyslog-8.2102.0/runtime/glbl.c	2021-08-04 07:19:02.409019106 +0200
+@@ -210,7 +210,6 @@ static struct cnfparamdescr cnfparamdesc
+ 	{ "environment", eCmdHdlrArray, 0 },
+ 	{ "processinternalmessages", eCmdHdlrBinary, 0 },
+ 	{ "umask", eCmdHdlrFileCreateMode, 0 },
+-	{ "security.abortonidresolutionfail", eCmdHdlrBinary, 0 },
+ 	{ "internal.developeronly.options", eCmdHdlrInt, 0 },
+ 	{ "internalmsg.ratelimit.interval", eCmdHdlrPositiveInt, 0 },
+ 	{ "internalmsg.ratelimit.burst", eCmdHdlrPositiveInt, 0 },
+@@ -1443,8 +1442,6 @@ glblDoneLoadCnf(void)
+ 			glblInputTimeoutShutdown = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "privdrop.group.keepsupplemental")) {
+ 			loadConf->globals.gidDropPrivKeepSupplemental = (int) cnfparamvals[i].val.d.n;
+-		} else if(!strcmp(paramblk.descr[i].name, "security.abortonidresolutionfail")) {
+-			loadConf->globals.abortOnIDResolutionFail = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "net.acladdhostnameonfail")) {
+ 			*(net.pACLAddHostnameOnFail) = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "net.aclresolvehostname")) {
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2021-08-04 07:19:13.103104854 +0200
++++ rsyslog-8.2102.0/runtime/rsconf.c	2021-08-04 07:19:44.635357684 +0200
+@@ -156,7 +156,6 @@ static void cnfSetDefaults(rsconf_t *pTh
+ 	pThis->globals.maxErrMsgToStderr = -1;
+ 	pThis->globals.umask = -1;
+ 	pThis->globals.gidDropPrivKeepSupplemental = 0;
+-	pThis->globals.abortOnIDResolutionFail = 1;
+ 	pThis->templates.root = NULL;
+ 	pThis->templates.last = NULL;
+ 	pThis->templates.lastStatic = NULL;
+diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
+--- rsyslog-8.2102.0/runtime/rsconf.h.orig	2021-08-04 07:20:15.848607958 +0200
++++ rsyslog-8.2102.0/runtime/rsconf.h	2021-08-04 07:20:42.782823920 +0200
+@@ -73,7 +73,6 @@ struct globals_s {
+ 	int uidDropPriv;	/* user-id to which priveleges should be dropped to */
+ 	int gidDropPriv;	/* group-id to which priveleges should be dropped to */
+ 	int gidDropPrivKeepSupplemental; /* keep supplemental groups when dropping? */
+-	int abortOnIDResolutionFail;
+ 	int umask;		/* umask to use */
+ 	uchar *pszConfDAGFile;	/* name of config DAG file, non-NULL means generate one */
+ 

SOURCES/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch

@@ -0,0 +1,26 @@
+diff -up rsyslog-8.2102.0/runtime/ratelimit.c.orig rsyslog-8.2102.0/runtime/ratelimit.c
+--- rsyslog-8.2102.0/runtime/ratelimit.c.orig	2021-07-27 10:37:50.972903104 +0200
++++ rsyslog-8.2102.0/runtime/ratelimit.c	2021-07-27 10:38:26.141002988 +0200
+@@ -235,7 +235,6 @@ ratelimitMsg(ratelimit_t *__restrict__ c
+ {
+ 	DEFiRet;
+ 	rsRetVal localRet;
+-	int severity = 0;
+ 
+ 	*ppRepMsg = NULL;
+ 
+@@ -246,13 +245,12 @@ ratelimitMsg(ratelimit_t *__restrict__ c
+ 				DBGPRINTF("Message discarded, parsing error %d\n", localRet);
+ 				ABORT_FINALIZE(RS_RET_DISCARDMSG);
+ 			}
+-			severity = pMsg->iSeverity;
+ 		}
+ 	}
+ 
+ 	/* Only the messages having severity level at or below the
+ 	 * treshold (the value is >=) are subject to ratelimiting. */
+-	if(ratelimit->interval && (severity >= ratelimit->severity)) {
++	if(ratelimit->interval && (pMsg->iSeverity >= ratelimit->severity)) {
+ 		char namebuf[512]; /* 256 for FGDN adn 256 for APPNAME should be enough */
+ 		snprintf(namebuf, sizeof namebuf, "%s:%s", getHOSTNAME(pMsg),
+ 			getAPPNAME(pMsg, 0));

SOURCES/rsyslog-8.2102.0-rhbz2021076-prioritize-SAN.patch

@@ -0,0 +1,11 @@
+diff -up ./rsyslog-8.2102.0/runtime/nsd_gtls.c.ori ./rsyslog-8.2102.0/runtime/nsd_gtls.c
+--- rsyslog-8.2102.0/runtime/nsd_gtls.c.ori	2022-01-17 15:50:08.285827256 +0100
++++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2022-01-17 15:52:33.282594512 +0100
+@@ -1791,6 +1791,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
+ 	pNew->gnutlsPriorityString = pThis->gnutlsPriorityString;
+ 	pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
+ 	pNew->dataTypeCheck = pThis->dataTypeCheck;
++	pNew->bSANpriority = pThis->bSANpriority;
+ 
+ 	/* if we reach this point, we are in TLS mode */
+ 	iRet = gtlsInitSession(pNew);

SOURCES/rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch

@@ -0,0 +1,215 @@
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.orig rsyslog-8.2102.0/runtime/nsd_gtls.c
+--- rsyslog-8.2102.0/runtime/nsd_gtls.c.orig	2022-04-11 09:26:17.826271989 +0200
++++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2022-04-11 09:33:28.702012052 +0200
+@@ -556,7 +556,9 @@ gtlsRecordRecv(nsd_gtls_t *pThis)
+ 	DEFiRet;
+ 
+ 	ISOBJ_TYPE_assert(pThis, nsd_gtls);
+-	DBGPRINTF("gtlsRecordRecv: start\n");
++	DBGPRINTF("gtlsRecordRecv: start (Pending Data: %zd | Wanted Direction: %s)\n",
++		gnutls_record_check_pending(pThis->sess),
++		(gnutls_record_get_direction(pThis->sess) == gtlsDir_READ ? "READ" : "WRITE") );
+ 
+ 	lenRcvd = gnutls_record_recv(pThis->sess, pThis->pszRcvBuf, NSD_GTLS_MAX_RCVBUF);
+ 	if(lenRcvd >= 0) {
+@@ -581,14 +583,30 @@ gtlsRecordRecv(nsd_gtls_t *pThis)
+ 					(NSD_GTLS_MAX_RCVBUF+lenRcvd));
+ 				pThis->lenRcvBuf = NSD_GTLS_MAX_RCVBUF+lenRcvd;
+ 			} else {
+-				goto sslerr;
++				if (lenRcvd == GNUTLS_E_AGAIN || lenRcvd == GNUTLS_E_INTERRUPTED) {
++					goto sslerragain;	/* Go to ERR AGAIN handling */
++				} else {
++					/* Do all other error handling */
++					int gnuRet = lenRcvd;
++					ABORTgnutls;
++				}
+ 			}
+ 		}
+ 	} else if(lenRcvd == GNUTLS_E_AGAIN || lenRcvd == GNUTLS_E_INTERRUPTED) {
+-sslerr:
+-		pThis->rtryCall = gtlsRtry_recv;
+-		dbgprintf("GnuTLS receive requires a retry (this most probably is OK and no error condition)\n");
+-		ABORT_FINALIZE(RS_RET_RETRY);
++sslerragain:
++		/* Check if the underlaying file descriptor needs to read or write data!*/
++		if (gnutls_record_get_direction(pThis->sess) == gtlsDir_READ) {
++			pThis->rtryCall = gtlsRtry_recv;
++			dbgprintf("GnuTLS receive requires a retry, this most probably is OK and no error condition\n");
++			ABORT_FINALIZE(RS_RET_RETRY);
++		} else {
++			uchar *pErr = gtlsStrerror(lenRcvd);
++			LogError(0, RS_RET_GNUTLS_ERR, "GnuTLS receive error %zd has wrong read direction(wants write) "
++				"- this could be caused by a broken connection. GnuTLS reports: %s\n",
++				lenRcvd, pErr);
++			free(pErr);
++			ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
++		}
+ 	} else {
+ 		int gnuRet = lenRcvd;
+ 		ABORTgnutls;
+@@ -1978,6 +1996,7 @@ static rsRetVal
+ Send(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf)
+ {
+ 	int iSent;
++	int wantsWriteData = 0;
+ 	nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
+ 	DEFiRet;
+ 	ISOBJ_TYPE_assert(pThis, nsd_gtls);
+@@ -1998,10 +2017,12 @@ Send(nsd_t *pNsd, uchar *pBuf, ssize_t *
+ 			break;
+ 		}
+ 		if(iSent != GNUTLS_E_INTERRUPTED && iSent != GNUTLS_E_AGAIN) {
++			/* Check if the underlaying file descriptor needs to read or write data!*/
++			wantsWriteData = gnutls_record_get_direction(pThis->sess);
+ 			uchar *pErr = gtlsStrerror(iSent);
+-			LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d - this "
+-				"could be caused by a broken connection. GnuTLS reports: %s \n",
+-				iSent, pErr);
++			LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d, wantsWriteData=%d - this "
++				"could be caused by a broken connection. GnuTLS reports: %s\n",
++				iSent, wantsWriteData, pErr);
+ 			free(pErr);
+ 			gnutls_perror(iSent);
+ 			ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.h.orig rsyslog-8.2102.0/runtime/nsd_gtls.h
+--- rsyslog-8.2102.0/runtime/nsd_gtls.h.orig	2022-04-11 09:26:32.744262781 +0200
++++ rsyslog-8.2102.0/runtime/nsd_gtls.h	2022-04-11 09:34:29.909982895 +0200
+@@ -33,6 +33,11 @@ typedef enum {
+ 	gtlsRtry_recv = 2
+ } gtlsRtryCall_t;		/**< IDs of calls that needs to be retried */
+ 
++typedef enum {
++	gtlsDir_READ = 0,	/**< GNUTLS wants READ */
++	gtlsDir_WRITE = 1	/**< GNUTLS wants WRITE */
++} gtlsDirection_t;
++
+ typedef nsd_if_t nsd_gtls_if_t; /* we just *implement* this interface */
+ 
+ /* the nsd_gtls object */
+diff -up rsyslog-8.2102.0/runtime/nsdsel_gtls.c.orig rsyslog-8.2102.0/runtime/nsdsel_gtls.c
+--- rsyslog-8.2102.0/runtime/nsdsel_gtls.c.orig	2022-04-11 09:26:42.529256742 +0200
++++ rsyslog-8.2102.0/runtime/nsdsel_gtls.c	2022-04-11 09:38:27.425869737 +0200
+@@ -81,6 +81,7 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsds
+ 
+ 	ISOBJ_TYPE_assert(pThis, nsdsel_gtls);
+ 	ISOBJ_TYPE_assert(pNsdGTLS, nsd_gtls);
++	DBGPRINTF("Add on nsd %p:\n", pNsdGTLS);
+ 	if(pNsdGTLS->iMode == 1) {
+ 		if(waitOp == NSDSEL_RD && gtlsHasRcvInBuffer(pNsdGTLS)) {
+ 			++pThis->iBufferRcvReady;
+@@ -99,6 +100,8 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsds
+ 		}
+ 	}
+ 
++	dbgprintf("nsdsel_gtls: reached end on nsd %p, calling nsdsel_ptcp.Add with waitOp %d... \n", pNsdGTLS, waitOp);
++
+ 	/* if we reach this point, we need no special handling */
+ 	CHKiRet(nsdsel_ptcp.Add(pThis->pTcp, pNsdGTLS->pTcp, waitOp));
+ 
+@@ -120,7 +123,8 @@ Select(nsdsel_t *pNsdsel, int *piNumRead
+ 	if(pThis->iBufferRcvReady > 0) {
+ 		/* we still have data ready! */
+ 		*piNumReady = pThis->iBufferRcvReady;
+-		dbgprintf("nsdsel_gtls: doing dummy select, data present\n");
++		dbgprintf("nsdsel_gtls: doing dummy select for %p->iBufferRcvReady=%d, data present\n",
++			pThis, pThis->iBufferRcvReady);
+ 	} else {
+ 		iRet = nsdsel_ptcp.Select(pThis->pTcp, piNumReady);
+ 	}
+@@ -138,7 +142,7 @@ doRetry(nsd_gtls_t *pNsd)
+ 	DEFiRet;
+ 	int gnuRet;
+ 
+-	dbgprintf("GnuTLS requested retry of %d operation - executing\n", pNsd->rtryCall);
++	dbgprintf("doRetry: GnuTLS requested retry of %d operation - executing\n", pNsd->rtryCall);
+ 
+ 	/* We follow a common scheme here: first, we do the systen call and
+ 	 * then we check the result. So far, the result is checked after the
+@@ -151,7 +155,7 @@ doRetry(nsd_gtls_t *pNsd)
+ 		case gtlsRtry_handshake:
+ 			gnuRet = gnutls_handshake(pNsd->sess);
+ 			if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) {
+-				dbgprintf("GnuTLS handshake retry did not finish - "
++				dbgprintf("doRetry: GnuTLS handshake retry did not finish - "
+ 					"setting to retry (this is OK and can happen)\n");
+ 				FINALIZE;
+ 			} else if(gnuRet == 0) {
+@@ -167,9 +171,20 @@ doRetry(nsd_gtls_t *pNsd)
+ 			}
+ 			break;
+ 		case gtlsRtry_recv:
+-			dbgprintf("retrying gtls recv, nsd: %p\n", pNsd);
+-			CHKiRet(gtlsRecordRecv(pNsd));
+-			pNsd->rtryCall = gtlsRtry_None; /* we are done */
++			dbgprintf("doRetry: retrying gtls recv, nsd: %p\n", pNsd);
++			iRet = gtlsRecordRecv(pNsd);
++			if (iRet == RS_RET_RETRY) {
++				// Check if there is pending data
++				size_t stBytesLeft = gnutls_record_check_pending(pNsd->sess);
++				if (stBytesLeft > 0) {
++					// We are in retry and more data waiting, finalize it
++					goto finalize_it;
++				} else {
++					dbgprintf("doRetry: gtlsRecordRecv returned RETRY, but there is no pending"
++						"data on nsd: %p\n", pNsd);
++				}
++			}
++			pNsd->rtryCall = gtlsRtry_None; /* no more data, we are done */
+ 			gnuRet = 0;
+ 			break;
+ 		case gtlsRtry_None:
+@@ -241,7 +256,7 @@ IsReady(nsdsel_t *pNsdsel, nsd_t *pNsd,
+ 		 * socket. -- rgerhards, 2010-11-20
+ 		 */
+ 		if(pThis->iBufferRcvReady) {
+-			dbgprintf("nsd_gtls: dummy read, buffer not available for this FD\n");
++			dbgprintf("nsd_gtls: dummy read, %p->buffer not available for this FD\n", pThis);
+ 			*pbIsReady = 0;
+ 			FINALIZE;
+ 		}
+diff -up rsyslog-8.2102.0/runtime/tcpsrv.c.orig rsyslog-8.2102.0/runtime/tcpsrv.c
+--- rsyslog-8.2102.0/runtime/tcpsrv.c.orig	2022-04-11 09:27:00.376245726 +0200
++++ rsyslog-8.2102.0/runtime/tcpsrv.c	2022-04-11 09:41:57.885777708 +0200
+@@ -609,14 +609,15 @@ doReceive(tcpsrv_t *pThis, tcps_sess_t *
+ 	int oserr = 0;
+ 
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+-	DBGPRINTF("netstream %p with new data\n", (*ppSess)->pStrm);
++	prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
++	DBGPRINTF("netstream %p with new data from remote peer %s\n", (*ppSess)->pStrm, pszPeer);
+ 	/* Receive message */
+ 	iRet = pThis->pRcvData(*ppSess, buf, sizeof(buf), &iRcvd, &oserr);
+ 	switch(iRet) {
+ 	case RS_RET_CLOSED:
+ 		if(pThis->bEmitMsgOnClose) {
+ 			errno = 0;
+-			prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
++			// prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+ 			LogError(0, RS_RET_PEER_CLOSED_CONN, "Netstream session %p closed by remote "
+ 				"peer %s.\n", (*ppSess)->pStrm, pszPeer);
+ 		}
+@@ -632,13 +633,13 @@ doReceive(tcpsrv_t *pThis, tcps_sess_t *
+ 			/* in this case, something went awfully wrong.
+ 			 * We are instructed to terminate the session.
+ 			 */
+-			prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
++			// prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+ 			LogError(oserr, localRet, "Tearing down TCP Session from %s", pszPeer);
+ 			CHKiRet(closeSess(pThis, ppSess, pPoll));
+ 		}
+ 		break;
+ 	default:
+-		prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
++		// prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+ 		LogError(oserr, iRet, "netstream session %p from %s will be closed due to error",
+ 				(*ppSess)->pStrm, pszPeer);
+ 		CHKiRet(closeSess(pThis, ppSess, pPoll));
+@@ -838,6 +839,7 @@ RunSelect(tcpsrv_t *pThis, nsd_epworkset
+ 		while(iTCPSess != -1) {
+ 			/* TODO: access to pNsd is NOT really CLEAN, use method... */
+ 			CHKiRet(nssel.Add(pSel, pThis->pSessions[iTCPSess]->pStrm, NSDSEL_RD));
++			DBGPRINTF("tcpsrv process session %d:\n", iTCPSess);
+ 			/* now get next... */
+ 			iTCPSess = TCPSessGetNxtSess(pThis, iTCPSess);
+ 		}

SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize-doc.patch

@@ -0,0 +1,51 @@
+--- a/source/configuration/actions.rst	2020-01-13 09:35:54.000000000 +0100
++++ b/source/configuration/actions.rst	2022-03-09 10:46:23.945881936 +0100
+@@ -90,6 +90,12 @@
+    provided to the action in question, the action name as well as
+    the rsyslog status code roughly explaining why it failed.
+ 
++-  **action.errorfile.maxsize** integer
++
++   In some cases, error file needs to be limited in size.
++   This option allows specifying a maximum size, in bytes, for the error file.
++   When error file reaches that size, no more errors are written to it.
++
+ -  **action.execOnlyOnceEveryInterval** integer
+ 
+    Execute action only if the last execute is at last seconds in the
+--- a/build/_sources/configuration/actions.rst.txt	2020-01-13 09:35:54.000000000 +0100
++++ b/build/_sources/configuration/actions.rst.txt	2022-03-09 11:17:44.391213038 +0100
+@@ -90,6 +90,12 @@
+    provided to the action in question, the action name as well as
+    the rsyslog status code roughly explaining why it failed.
+ 
++-  **action.errorfile.maxsize** integer
++
++   In some cases, error file needs to be limited in size.
++   This option allows specifying a maximum size, in bytes, for the error file.
++   When error file reaches that size, no more errors are written to it.
++
+ -  **action.execOnlyOnceEveryInterval** integer
+ 
+    Execute action only if the last execute is at last seconds in the
+--- a/build/configuration/actions.html	2021-02-15 12:53:30.000000000 +0100
++++ b/build/configuration/actions.html	2022-03-09 11:27:04.035799702 +0100
+@@ -122,6 +122,11 @@
+ provided to the action in question, the action name as well as
+ the rsyslog status code roughly explaining why it failed.</p>
+ </li>
++<li><p class="first"><strong>action.errorfile.maxsize</strong> integer</p>
++<p>In some cases, error file needs to be limited in size.
++This option allows specifying a maximum size, in bytes, for the error file.
++When error file reaches that size, no more errors are written to it.</p>
++</li>
+ <li><p class="first"><strong>action.execOnlyOnceEveryInterval</strong> integer</p>
+ <p>Execute action only if the last execute is at last seconds in the
+ past (more info in ommail, but may be used with any action)</p>
+@@ -672,4 +677,4 @@
+     <div class="footer" role="contentinfo">
+     </div>
+   </body>
+-</html>
+\ No newline at end of file
++</html>

SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize.patch

@@ -0,0 +1,192 @@
+--- rsyslog-8.2102.0-ori/action.c	2021-02-15 12:06:16.000000000 +0100
++++ rsyslog-8.2102.0-changes/action.c	2022-03-10 11:00:11.027242300 +0100
+@@ -198,6 +198,7 @@
+ 	{ "name", eCmdHdlrGetWord, 0 }, /* legacy: actionname */
+ 	{ "type", eCmdHdlrString, CNFPARAM_REQUIRED }, /* legacy: actionname */
+ 	{ "action.errorfile", eCmdHdlrString, 0 },
++	{ "action.errorfile.maxsize", eCmdHdlrInt, 0 },
+ 	{ "action.writeallmarkmessages", eCmdHdlrBinary, 0 }, /* legacy: actionwriteallmarkmessages */
+ 	{ "action.execonlyeverynthtime", eCmdHdlrInt, 0 }, /* legacy: actionexeconlyeverynthtime */
+ 	{ "action.execonlyeverynthtimetimeout", eCmdHdlrInt, 0 }, /* legacy: actionexeconlyeverynthtimetimeout */
+@@ -400,6 +401,8 @@
+ 	pThis->iResumeRetryCount = 0;
+ 	pThis->pszName = NULL;
+ 	pThis->pszErrFile = NULL;
++	pThis->maxErrFileSize = 0;
++	pThis->errFileWritten = 0;
+ 	pThis->pszExternalStateFile = NULL;
+ 	pThis->fdErrFile = -1;
+ 	pThis->bWriteAllMarkMsgs = 1;
+@@ -1436,6 +1439,14 @@
+ 				pThis->pszName, pThis->pszErrFile);
+ 			goto done;
+ 		}
++		if (pThis->maxErrFileSize > 0) {
++			struct stat statbuf;
++			if (fstat(pThis->fdErrFile, &statbuf) == -1) {
++				LogError(errno, RS_RET_ERR, "failed to fstat %s", pThis->pszErrFile);
++				goto done;
++			}
++			pThis->errFileWritten += statbuf.st_size;
++		}
+ 	}
+ 
+ 	for(int i = 0 ; i < nparams ; ++i) {
+@@ -1454,16 +1465,26 @@
+ 		char *const rendered = strdup((char*)fjson_object_to_json_string(etry));
+ 		if(rendered == NULL)
+ 			goto done;
+-		const size_t toWrite = strlen(rendered) + 1;
+-		/* note: we use the '\0' inside the string to store a LF - we do not
+-		 * otherwise need it and it safes us a copy/realloc.
+-		 */
+-		rendered[toWrite-1] = '\n'; /* NO LONGER A STRING! */
+-		const ssize_t wrRet = write(pThis->fdErrFile, rendered, toWrite);
+-		if(wrRet != (ssize_t) toWrite) {
+-			LogError(errno, RS_RET_IO_ERROR,
+-				"action %s: error writing errorFile %s, write returned %lld",
+-				pThis->pszName, pThis->pszErrFile, (long long) wrRet);
++		size_t toWrite = strlen(rendered) + 1;
++		// Check if need to truncate the amount of bytes to write
++		if (pThis->maxErrFileSize > 0) {
++			if (pThis->errFileWritten + toWrite > pThis->maxErrFileSize) {
++				// Truncate to the pending available
++				toWrite = pThis->maxErrFileSize - pThis->errFileWritten;
++			}
++			pThis->errFileWritten += toWrite;
++		}
++		if(toWrite > 0) {
++			/* note: we use the '\0' inside the string to store a LF - we do not
++			 * otherwise need it and it safes us a copy/realloc.
++			 */
++			rendered[toWrite-1] = '\n'; /* NO LONGER A STRING! */
++			const ssize_t wrRet = write(pThis->fdErrFile, rendered, toWrite);
++			if(wrRet != (ssize_t) toWrite) {
++				LogError(errno, RS_RET_IO_ERROR,
++					"action %s: error writing errorFile %s, write returned %lld",
++					pThis->pszName, pThis->pszErrFile, (long long) wrRet);
++			}
+ 		}
+ 		free(rendered);
+ 
+@@ -2048,6 +2069,8 @@
+ 			continue; /* this is handled seperately during module select! */
+ 		} else if(!strcmp(pblk.descr[i].name, "action.errorfile")) {
+ 			pAction->pszErrFile = es_str2cstr(pvals[i].val.d.estr, NULL);
++		} else if(!strcmp(pblk.descr[i].name, "action.errorfile.maxsize")) {
++			pAction->maxErrFileSize = pvals[i].val.d.n;
+ 		} else if(!strcmp(pblk.descr[i].name, "action.externalstate.file")) {
+ 			pAction->pszExternalStateFile = es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(pblk.descr[i].name, "action.writeallmarkmessages")) {
+--- rsyslog-8.2102.0-ori/action.h	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0-changes/action.h	2022-03-04 11:36:47.024588972 +0100
+@@ -77,6 +77,8 @@
+ 	/* error file */
+ 	const char *pszErrFile;
+ 	int fdErrFile;
++	size_t maxErrFileSize;
++	size_t errFileWritten;
+ 	pthread_mutex_t mutErrFile;
+ 	/* external stat file system */
+ 	const char *pszExternalStateFile;
+--- rsyslog-8.2102.0-ori/tests/Makefile.am	2021-02-15 12:06:16.000000000 +0100
++++ rsyslog-8.2102.0-changes/tests/Makefile.am	2022-03-04 11:38:01.625095709 +0100
+@@ -695,7 +695,8 @@
+ 	mysql-actq-mt.sh \
+ 	mysql-actq-mt-withpause.sh \
+ 	action-tx-single-processing.sh \
+-	action-tx-errfile.sh
++	action-tx-errfile.sh \
++	action-tx-errfile-maxsize.sh
+ 
+ mysql-basic.log: mysqld-start.log
+ mysql-basic-cnf6.log: mysqld-start.log
+@@ -2156,6 +2157,8 @@
+ 	sndrcv_omudpspoof_nonstdpt.sh \
+ 	sndrcv_gzip.sh \
+ 	action-tx-single-processing.sh \
++	omfwd-errfile-maxsize.sh \
++	action-tx-errfile-maxsize.sh \
+ 	action-tx-errfile.sh \
+ 	testsuites/action-tx-errfile.result \
+ 	pipeaction.sh \
+--- rsyslog-8.2102.0-ori/tests/omfwd-errfile-maxsize.sh	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0-changes/tests/omfwd-errfile-maxsize.sh	2022-03-04 11:39:02.060506234 +0100
+@@ -0,0 +1,17 @@
++#!/bin/bash
++# part of the rsyslog project, released under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++
++export MAX_ERROR_SIZE=1999
++
++generate_conf
++add_conf '
++action(type="omfwd" target="1.2.3.4" port="1234" Protocol="tcp" NetworkNamespace="doesNotExist"
++       action.errorfile="'$RSYSLOG2_OUT_LOG'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'")
++'
++startup
++shutdown_when_empty
++wait_shutdown
++check_file_exists ${RSYSLOG2_OUT_LOG}
++file_size_check ${RSYSLOG2_OUT_LOG} ${MAX_ERROR_SIZE}
++exit_test
+--- rsyslog-8.2102.0-ori/tests/action-tx-errfile-maxsize.sh	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0-changes/tests/action-tx-errfile-maxsize.sh	2022-03-04 11:59:22.592796989 +0100
+@@ -0,0 +1,35 @@
++#!/bin/bash
++# part of the rsyslog project, released under ASL 2.0
++
++. ${srcdir:=.}/diag.sh init
++
++export NUMMESSAGES=50 # enough to generate big file
++export MAX_ERROR_SIZE=100
++
++generate_conf
++add_conf '
++$ModLoad ../plugins/ommysql/.libs/ommysql
++global(errormessagestostderr.maxnumber="5")
++
++template(type="string" name="tpl" string="insert into SystemEvents (Message, Facility) values (\"%msg%\", %$!facility%)" option.sql="on")
++
++if((not($msg contains "error")) and ($msg contains "msgnum:")) then {
++	set $.num = field($msg, 58, 2);
++	if $.num % 2 == 0 then {
++		set $!facility = $syslogfacility;
++	} else {
++		set $/cntr = 0;
++	}
++	action(type="ommysql" name="mysql_action_errfile_maxsize" server="127.0.0.1" template="tpl"
++	       db="'$RSYSLOG_DYNNAME'" uid="rsyslog" pwd="testbench" action.errorfile="'$RSYSLOG2_OUT_LOG'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'")
++}
++'
++mysql_prep_for_test
++startup
++injectmsg
++shutdown_when_empty
++wait_shutdown
++mysql_get_data
++check_file_exists ${RSYSLOG2_OUT_LOG}
++file_size_check ${RSYSLOG2_OUT_LOG} ${MAX_ERROR_SIZE}
++exit_test
+--- rsyslog-8.2102.0/tests/omfwd-errfile-maxsize-filled.sh	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0-changes/tests/omfwd-errfile-maxsize-filled.sh	2022-03-08 16:24:01.174365289 +0100
+@@ -0,0 +1,19 @@
++#!/bin/bash
++# part of the rsyslog project, released under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++ERRFILE=$(mktemp)
++export MAX_ERROR_SIZE=1999
++export INITIAL_FILE_SIZE=$((MAX_ERROR_SIZE - 100))
++dd if=/dev/urandom of=${ERRFILE}  bs=1 count=${INITIAL_FILE_SIZE}
++generate_conf
++add_conf '
++action(type="omfwd" target="1.2.3.4" port="1234" Protocol="tcp" NetworkNamespace="doesNotExist"
++       action.errorfile="'$ERRFILE'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'")
++'
++startup
++shutdown_when_empty
++wait_shutdown
++check_file_exists ${ERRFILE}
++file_size_check ${ERRFILE} ${MAX_ERROR_SIZE}
++exit_test
++rm ${ERRFILE}

SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files-doc.patch

@@ -0,0 +1,25 @@
+--- rsyslog-8.2102.0/doc/configuration/global/index.html	2021-02-15 12:53:30.000000000 +0100
++++ rsyslog-8.2102.0.backup.doc.202209071236/doc/configuration/global/index.html	2022-09-07 12:33:21.318360707 +0200
+@@ -119,7 +119,14 @@
+ <a class="reference internal" href="../../concepts/netstrm_drvr.html"><span class="doc">network stream driver</span></a> to use.
+ Defaults to ptcp.</p>
+ </li>
+-<li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>
++<li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>  
++</li>
++<li><p class="first"><strong>$NetstreamDriverCAExtraFiles</strong> &lt;/path/to/extracafile.pem&gt; -
++This directive allows to configure multiple additional extra CA files.
++This is intended for SSL certificate chains to work appropriately,
++as the different CA files in the chain need to be specified.
++It must be remarked that this directive only works with the OpenSSL driver.
++</p>
+ </li>
+ <li><p class="first"><strong>$DefaultNetstreamDriverCertFile</strong> &lt;/path/to/certfile.pem&gt;</p>
+ </li>
+@@ -311,4 +318,4 @@
+     <div class="footer" role="contentinfo">
+     </div>
+   </body>
+-</html>
+\ No newline at end of file
++</html>

SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch

@@ -0,0 +1,682 @@
+--- rsyslog-8.2102.0.ori/runtime/glbl.h	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0/runtime/glbl.h	2022-09-06 11:13:31.538674778 +0200
+@@ -72,6 +72,7 @@
+ 	SIMP_PROP(DfltNetstrmDrvrCAF, uchar*)
+ 	SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*)
+ 	SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*)
++	SIMP_PROP(NetstrmDrvrCAExtraFiles, uchar*)
+ 	SIMP_PROP(ParserControlCharacterEscapePrefix, uchar)
+ 	SIMP_PROP(ParserDropTrailingLFOnReception, int)
+ 	SIMP_PROP(ParserEscapeControlCharactersOnReceive, int)
+--- rsyslog-8.2102.0.ori/runtime/glbl.c	2022-09-06 10:37:26.440149338 +0200
++++ rsyslog-8.2102.0/runtime/glbl.c	2022-09-06 11:12:06.198378210 +0200
+@@ -122,6 +122,7 @@
+ static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */
+ static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */
+ static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */
++static uchar *pszNetstrmDrvrCAExtraFiles = NULL; /* list of additional CAExtraFiles */
+ int bTerminateInputs = 0;		/* global switch that inputs shall terminate ASAP (1=> terminate) */
+ static uchar cCCEscapeChar = '#'; /* character to be used to start an escape sequence for control chars */
+ static int bDropTrailingLF = 1; /* drop trailing LF's on reception? */
+@@ -176,6 +177,7 @@
+ 	{ "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdriver", eCmdHdlrString, 0 },
++	{ "netstreamdrivercaextrafiles", eCmdHdlrString, 0 },
+ 	{ "maxmessagesize", eCmdHdlrSize, 0 },
+ 	{ "oversizemsg.errorfile", eCmdHdlrGetWord, 0 },
+ 	{ "oversizemsg.report", eCmdHdlrBinary, 0 },
+@@ -307,6 +309,8 @@
+ /* TODO: use custom function which frees existing value */
+ SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*)
+ /* TODO: use custom function which frees existing value */
++SIMP_PROP_SET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*)
++/* TODO: use custom function which frees existing value */
+ 
+ #undef SIMP_PROP
+ #undef SIMP_PROP_SET
+@@ -830,6 +834,13 @@
+ 	return(pszDfltNetstrmDrvr == NULL ? DFLT_NETSTRM_DRVR : pszDfltNetstrmDrvr);
+ }
+ 
++/* return the additional ca extra files */
++static uchar*
++GetNetstrmDrvrCAExtraFiles(void)
++{
++	return(pszNetstrmDrvrCAExtraFiles);
++}
++
+ 
+ /* return the current default netstream driver CA File */
+ static uchar*
+@@ -925,6 +936,7 @@
+ 	SIMP_PROP(DfltNetstrmDrvrCAF)
+ 	SIMP_PROP(DfltNetstrmDrvrKeyFile)
+ 	SIMP_PROP(DfltNetstrmDrvrCertFile)
++	SIMP_PROP(NetstrmDrvrCAExtraFiles)
+ #ifdef USE_UNLIMITED_SELECT
+ 	SIMP_PROP(FdSetSize)
+ #endif
+@@ -945,6 +957,8 @@
+ 	pszDfltNetstrmDrvrKeyFile = NULL;
+ 	free(pszDfltNetstrmDrvrCertFile);
+ 	pszDfltNetstrmDrvrCertFile = NULL;
++	free(pszNetstrmDrvrCAExtraFiles);
++	pszNetstrmDrvrCAExtraFiles = NULL;
+ 	free(LocalHostNameOverride);
+ 	LocalHostNameOverride = NULL;
+ 	free(oversizeMsgErrorFile);
+@@ -1350,6 +1364,9 @@
+ 			free(pszDfltNetstrmDrvr);
+ 			pszDfltNetstrmDrvr = (uchar*)
+ 				es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
++		} else if(!strcmp(paramblk.descr[i].name, "netstreamdrivercaextrafiles")) {
++			free(pszNetstrmDrvrCAExtraFiles);
++			pszNetstrmDrvrCAExtraFiles = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(paramblk.descr[i].name, "preservefqdn")) {
+ 			bPreserveFQDN = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name,
+@@ -1546,6 +1563,8 @@
+ 	&pszDfltNetstrmDrvrKeyFile, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL,
+ 	&pszDfltNetstrmDrvrCertFile, NULL));
++	CHKiRet(regCfSysLineHdlr((uchar *)"netstreamdrivercaextrafiles", 0, eCmdHdlrGetWord, NULL,
++	&pszNetstrmDrvrCAExtraFiles, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostname", 0, eCmdHdlrGetWord, NULL, &LocalHostNameOverride, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostipif", 0, eCmdHdlrGetWord, setLocalHostIPIF, NULL, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"optimizeforuniprocessor", 0, eCmdHdlrGoneAway, NULL, NULL, NULL));
+@@ -1579,6 +1598,7 @@
+ 	free(pszDfltNetstrmDrvrCAF);
+ 	free(pszDfltNetstrmDrvrKeyFile);
+ 	free(pszDfltNetstrmDrvrCertFile);
++	free(pszNetstrmDrvrCAExtraFiles);
+ 	free(pszWorkDir);
+ 	free(LocalDomain);
+ 	free(LocalHostName);
+--- rsyslog-8.2102.0.ori/runtime/nsd_ossl.c	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/runtime/nsd_ossl.c	2022-09-06 11:25:18.144130340 +0200
+@@ -88,6 +88,7 @@
+ static short bHaveCA;
+ static short bHaveCert;
+ static short bHaveKey;
++static short bHaveExtraCAFiles;
+ static int bAnonInit;
+ static MUTEX_TYPE anonInit_mut = PTHREAD_MUTEX_INITIALIZER;
+ 
+@@ -413,7 +414,8 @@
+ {
+ 	DEFiRet;
+ 	DBGPRINTF("openssl: entering osslGlblInit\n");
+-	const char *caFile, *certFile, *keyFile;
++	const char *caFile, *certFile, *keyFile, *extraCaFile;
++	char *extraCaFiles;
+ 
+ 	/* Setup OpenSSL library */
+ 	if((opensslh_THREAD_setup() == 0) || !SSL_library_init()) {
+@@ -450,9 +452,27 @@
+ 	} else {
+ 		bHaveKey = 1;
+ 	}
++	extraCaFiles = (char*) glbl.GetNetstrmDrvrCAExtraFiles();
++	if(extraCaFiles == NULL) {
++	        bHaveExtraCAFiles = 0;
++	} else {
++	        bHaveExtraCAFiles = 1;
++	}
+ 
+ 	/* Create main CTX Object */
+ 	ctx = SSL_CTX_new(SSLv23_method());
++	if(bHaveExtraCAFiles == 1) {
++		while((extraCaFile = strsep(&extraCaFiles, ","))) {
++			if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) {
++				LogError(0, RS_RET_TLS_CERT_ERR, "Error: Extra Certificate file could not be accessed. "
++					"Check at least: 1) file path is correct, 2) file exist, "
++					"3) permissions are correct, 4) file content is correct. "
++					"Open ssl error info may follow in next messages");
++				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
++				ABORT_FINALIZE(RS_RET_TLS_CERT_ERR);
++			}
++ 		}
++	}
+ 	if(bHaveCA == 1 && SSL_CTX_load_verify_locations(ctx, caFile, NULL) != 1) {
+ 		LogError(0, RS_RET_TLS_CERT_ERR, "Error: CA certificate could not be accessed. "
+ 				"Check at least: 1) file path is correct, 2) file exist, "
+@@ -476,7 +496,7 @@
+ 				"Open ssl error info may follow in next messages");
+ 		osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
+ 		ABORT_FINALIZE(RS_RET_TLS_KEY_ERR);
+-	}
++	}	
+ 
+ 	/* Set CTX Options */
+ 	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);		/* Disable insecure SSLv2 Protocol */
+--- rsyslog-8.2102.0.ori/tests/Makefile.am	2022-09-06 10:37:26.447149363 +0200
++++ rsyslog-8.2102.0/tests/Makefile.am	2022-09-06 12:05:55.443600359 +0200
+@@ -1247,7 +1247,8 @@
+ 	sndrcv_tls_ossl_servercert_gtls_clientanon.sh \
+ 	sndrcv_tls_ossl_serveranon_gtls_clientanon.sh \
+ 	sndrcv_tls_gtls_servercert_ossl_clientanon.sh \
+-	sndrcv_tls_gtls_serveranon_ossl_clientanon.sh
++	sndrcv_tls_gtls_serveranon_ossl_clientanon.sh \
++	sndrcv_ossl_cert_chain.sh
+ endif
+ endif
+ 
+@@ -2575,6 +2576,7 @@
+ 	sndrcv_tls_ossl_serveranon_gtls_clientanon.sh \
+ 	sndrcv_tls_gtls_servercert_ossl_clientanon.sh \
+ 	sndrcv_tls_gtls_serveranon_ossl_clientanon.sh \
++	sndrcv_ossl_cert_chain.sh \
+ 	omtcl.sh \
+ 	omtcl.tcl \
+ 	pmsnare-default.sh \
+--- rsyslog-8.2102.0.ori/tests/sndrcv_ossl_cert_chain.sh	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/sndrcv_ossl_cert_chain.sh	2022-09-06 10:48:41.512496691 +0200
+@@ -0,0 +1,76 @@
++#!/bin/bash
++# alorbach, 2019-01-16
++# This file is part of the rsyslog project, released  under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++export NUMMESSAGES=1000
++# uncomment for debugging support:
++#export RSYSLOG_DEBUG="debug nostdout noprintmutexaction"
++export RSYSLOG_DEBUGLOG="log"
++generate_conf
++export PORT_RCVR="$(get_free_port)"
++### This is important, as it must be exactly the same
++### as the ones configured in used certificates
++export HOSTNAME="fedora"
++add_conf '
++global(
++    DefaultNetstreamDriver="ossl"
++    DefaultNetstreamDriverCAFile="'$srcdir/testsuites/certchain/ca-cert.pem'"
++    DefaultNetstreamDriverCertFile="'$srcdir/testsuites/certchain/server-cert.pem'"
++    DefaultNetstreamDriverKeyFile="'$srcdir/testsuites/certchain/server-key.pem'"
++    NetstreamDriverCAExtraFiles="'$srcdir/testsuites/certchain/ca-root-cert.pem'"
++)
++
++module(	load="../plugins/imtcp/.libs/imtcp"
++	StreamDriver.Name="ossl"
++	StreamDriver.Mode="1"
++        PermittedPeer="'$HOSTNAME'"
++	StreamDriver.AuthMode="x509/name" )
++# then SENDER sends to this port (not tcpflood!)
++input(	type="imtcp" port="'$PORT_RCVR'" )
++
++$template outfmt,"%msg:F,58:2%\n"
++$template dynfile,"'$RSYSLOG_OUT_LOG'" # trick to use relative path names!
++:msg, contains, "msgnum:" ?dynfile;outfmt
++'
++startup
++export RSYSLOG_DEBUGLOG="log2"
++#valgrind="valgrind"
++generate_conf 2
++export TCPFLOOD_PORT="$(get_free_port)"
++add_conf '
++global(
++	defaultNetstreamDriverCAFile="'$srcdir/testsuites/certchain/ca-root-cert.pem'"
++	defaultNetstreamDriverCertFile="'$srcdir/testsuites/certchain/client-cert.pem'"
++	defaultNetstreamDriverKeyFile="'$srcdir/testsuites/certchain/client-key.pem'"
++)
++
++# Note: no TLS for the listener, this is for tcpflood!
++$ModLoad ../plugins/imtcp/.libs/imtcp
++input(	type="imtcp" port="0" listenPortFileName="'$RSYSLOG_DYNNAME'.tcpflood_port" )
++
++# set up the action
++action(	type="omfwd"
++	protocol="tcp"
++	target="127.0.0.1"
++	port="'$PORT_RCVR'"
++	StreamDriver="ossl"
++	StreamDriverMode="1"
++	StreamDriverAuthMode="x509/name"
++        StreamDriverPermittedPeers="'$HOSTNAME'"
++	)
++' 2
++startup 2
++
++# now inject the messages into instance 2. It will connect to instance 1,
++# and that instance will record the data.
++tcpflood -m$NUMMESSAGES -i1
++wait_file_lines
++# shut down sender when everything is sent, receiver continues to run concurrently
++shutdown_when_empty 2
++wait_shutdown 2
++# now it is time to stop the receiver as well
++shutdown_when_empty
++wait_shutdown
++
++seq_check 1 $NUMMESSAGES
++exit_test
+diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/ca-cert.pem
+--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-cert.pem	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/testsuites/certchain/ca-cert.pem	2022-09-06 10:48:41.513496694 +0200
+@@ -0,0 +1,29 @@
++-----BEGIN CERTIFICATE-----
++MIIFBzCCA2+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ
++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
++dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe
++Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMGkxCzAJBgNVBAYTAkNaMRAw
++DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0
++MQwwCgYDVQQLEwNHU1MxGTAXBgNVBAMTEHJzeXNsb2crY2hhaW4rY2EwggGiMA0G
++CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQD6yDdc9T3oddk5smOhF8OkRXwb2nvC
++M4RPPiuiACvbVoc3UdW2e4NI77J75JzNQL3gQUpgxGcvWiQt3R67ecYgIWiq0zpi
++MrcU3S0dboK10A6NXtcVc4RgwUPf0c8toM975c/6q2XT9Q0SbcI7HKXdzTXQZJDz
++sqQ3UjJuoCLSl6Dd8M0HXJnd2HlF1h5JeIp5vGrCJzQ5SyO6b4jVODtx/uXBohGn
++2x8NdB7wO5NecDyryrwv+FsUXWS4NNmj917bBuXSx3SmW/G7e8AFvcHN8VG6AxH7
++nap+EWGQia+LNG489flgU3U7Ec8zpTrI1wU6bUi6lK/RPxU0ViCaceGjXfoNofIc
++gGJOSS0LaHjM+c4OhmKWrIJ59j2L/rlIvmfqRO3qgThF4eaOfQTbixe/oiy3gR85
+++X6YDXvBwTGZDD6OeG1fCzx/snQLiP3/dRv6LJFE8Krawc9OCOWRDRlIxubrkmYz
++LVBxcFgI4BBGNYVsaMSYrkCVaS2Rv1sNAi0CAwEAAaOBtTCBsjAPBgNVHRMBAf8E
++BTADAQH/MCQGA1UdEQQdMBuCBmZlZG9yYYcEfwAAAYELcm9vdEBmZWRvcmEwDgYD
++VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAfBgNV
++HSMEGDAWgBSv9FgWjwDV6oGLewYzCo2/AdWTmzApBgNVHR8EIjAgMB6gHKAahhho
++dHRwOi8vMTI3LjAuMC4xL2dldGNybC8wDQYJKoZIhvcNAQELBQADggGBADrv9nld
++FjKZCIVQCVxYc1/KFFnKo2KRCqvSdfb235Kx+5tSFWUsOfkSGjfLrv2+IFKSirFQ
++uFSac/qOrMo/W/4A+ypahG9Sx9PRD626/myr8exee2ygkcuGOuXvX3HkcpzNCmId
++ZS5ygtscFq3NdntwBJHe2ANOSJKIIBzC+gzn4r/V6PdxPEjiUrFs515/RBByi63r
++wWPeqvbaectyZyFIS0XN3LAjVb+zu0NQJqBpUGJlRBI1bRbPECu94LB8Huk/jgSJ
++OyFUKrnNeqaGqKnRfHxJxT/LjeTkQ/5cCOQTuE9IPbRvTykUzUQ3PrltwNqzAb44
++9Trqvqg+qGTfNuI7EZAO26zXbltYVZ+BmlULjKors49Ozq5l1JIevvq66etrE9oT
++DsII88MSIWn8bqaXETfKdIWtWu7Os7tmBTnfDQWGpNDJ3UwDpkyQPYJZJuSfELX0
++jpuWuE/1SbLxTx8eAe83z4yM3C21Kg5K2eJ0udagjM8xPdqYI8tF/4bNbA==
++-----END CERTIFICATE-----
+diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-root-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/ca-root-cert.pem
+--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-root-cert.pem	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/testsuites/certchain/ca-root-cert.pem	2022-09-06 10:48:41.513496694 +0200
+@@ -0,0 +1,29 @@
++-----BEGIN CERTIFICATE-----
++MIIE6jCCA1KgAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ
++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
++dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe
++Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMG0xCzAJBgNVBAYTAkNaMRAw
++DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0
++MQwwCgYDVQQLEwNHU1MxHTAbBgNVBAMTFHJzeXNsb2crY2hhaW4rY2Fyb290MIIB
++ojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuqAAv1OIGwQqCi1Mflrq8Buo
++G3UtiD8cMEovjzndFV4Ww5fm+R2vCv+tHq6a85mLL0wdqXh+/bAyDzxaULheXZel
++rGPuUFEH2BpOwKXBd31Vx1x32aN9iaoaND/JVQSp+9PeP9zyKeZIN2vFSyNK7LCA
++hdDXVoYeTktXMbm0vB2vMKk+5Vzc7WfyMfrdDvciuULzLU1RzRS2/RkHNlve5iVQ
++XbNN6CpVtXb0K/kcp4SQIVbNTD/g6Z3JnewSWwqjM9/axTC17rpqhsxaWk712Zjo
++lYeuWKfaF9eRXU951u/vrXMMRkDZe0cq5OiTbc1uUQag7uXkbUtEk5HDSihUWwxz
++MegUdUBXFN6EJ7OauWFOeyVJbbvPRa3q9fdlLILvv5/9SiMim6avcj6DlyUz2RhC
++YPh/gJHItuIbZ6hEU+aKqiDYMTHyibRoqOMZgsc8Vo1JAHQTI6gA8JQtGtjEbzIR
++GFkQkj4tvAQQgl5fs9nuweH9GoIaBl1IoIVZyR9PAgMBAAGjgZQwgZEwDwYDVR0T
++AQH/BAUwAwEB/zAkBgNVHREEHTAbggZmZWRvcmGHBH8AAAGBC3Jvb3RAZmVkb3Jh
++MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUr/RYFo8A1eqBi3sGMwqNvwHVk5sw
++KQYDVR0fBCIwIDAeoBygGoYYaHR0cDovLzEyNy4wLjAuMS9nZXRjcmwvMA0GCSqG
++SIb3DQEBCwUAA4IBgQBn/NZeqYon25QY1RmjYkCQ0B+uXsquGURETP30hQ+ltbbG
++u4jP+ll+oYkGVt1+eBi8Qw+rf8Qk3Q/+jmCoGS9vVjQc97r3YJxnFb3zB4HDCWdZ
++qXK7GeBlFA4XAtJO0ya8HCx4znuXKiNwqrJJHyyW2gvkY9raRkKOzj3/9jQXgAw4
++1d8NR9SxjKA2PnCSWNdVQOAm4us2tJXJexvbRx+b9Yu8LgUX/AdT4zqkIV8n6oFV
++XNaGyOsDN/+4JEsKbBixL+g3Y6yQHrwKMYq/Gh1WF33u2yYCzMU4Lw9AoYRG0jHi
++iAFchiwneGdC7E+To+qNdH5QJY38ZI7kWg3ADcXzwhTmvVUz5DNub9raE6yZZ4uf
++CyTGAJjH9USuhwH3unmB0kDjEOExIJHm+9uNA8S/81cwoCl2pz/hzr2fQwR2YLSa
++ox9p6cnQmnkL2j2QXhTvjDIswJmxuR43yqDIZUlx6cq1pTSJeN+8WcB2iK61p4DH
++JhH8af3aLUI5FNNgjas=
++-----END CERTIFICATE-----
+diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/client-cert.pem
+--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-cert.pem	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/testsuites/certchain/client-cert.pem	2022-09-06 10:48:41.513496694 +0200
+@@ -0,0 +1,26 @@
++-----BEGIN CERTIFICATE-----
++MIIEXjCCAsagAwIBAgIBAjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEQ
++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
++dDEMMAoGA1UECxMDR1NTMRkwFwYDVQQDExByc3lzbG9nK2NoYWluK2NhMB4XDTIy
++MDYwNjEzNDA0OVoXDTIzMDYwNjEzNDA0OVowbTELMAkGA1UEBhMCQ1oxEDAOBgNV
++BAgTB01vcmF2aWExDTALBgNVBAcTBEJybm8xEDAOBgNVBAoTB1JlZCBIYXQxDDAK
++BgNVBAsTA0dTUzEdMBsGA1UEAxMUcnN5c2xvZytjaGFpbitjbGllbnQwggEiMA0G
++CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSIbnL1ViRk9CAPerSirUpBtnR4qYD
++XzPSkVJzX5PKLJkeJ6z6oIPoioh59+70ipL5K4ETkmbUFaKP+Lrk7l53BvAnP8Ba
++1rWNV2gzgyiihGCs7N/iamh9Rzj5lQCvzUJhiTcphcptV+0IIf9rbEggEazbSg1A
++BHxS8EBUx+ddVJc6MAlEbA/sstkqfE14k8YZPZlU9ZmLjyHbsQbfXFegYee6WMP0
++M7CqrMZ0ZWvDRWgqWOE+b8agmIKPb2VxJXuR3iXBJk8ANcrRzn/tXShMuGK5KiWL
++a6mFrzR6w55DgjIAKkmPO43jMO/qbWB91RVys/ztK7qIoXm3yadOeIU1AgMBAAGj
++gYwwgYkwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAkBgNVHREE
++HTAbggZmZWRvcmGHBH8AAAGBC3Jvb3RAZmVkb3JhMB0GA1UdDgQWBBSoW3Alxk4+
++6Uwv80/UE5C5rT4e6TAfBgNVHSMEGDAWgBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAN
++BgkqhkiG9w0BAQsFAAOCAYEA5Nbnwixitghw9Zg3DANXFXiOsQBx7KEup7+x7edw
++n9r2raqNJEjT2Fv+ClEA3CIdPF+4wjoolOPezrNJxKO3UpYCQeO4ZU/QVl8BX8NB
++4v1rUqXsvhE//4FcLvMM+6n8Nrtt1VRhks8N0b0p/md9dFKGucd4otPZm0sbOrsg
++nrhDYzZiFAzJg3zFwOOHzxP6iKj2mfq+2XRiKl7SlbnEj/8l21Ne1V+mDV5++AEZ
++N/quuf8zYHwwuc3Y8K84doow9yBpFqrpBbazb8586utrAbTbytCqskzImFIjo5Oa
++1ujWArMDsVGGr+NzFWwCTz8VTNNJ5H1cBin0gT41/OwUQv8DIJqzmSFTg9Uqmb2V
++ZwjIvMGE4Tz8phzD0IbSXYmQsSeku4olIDM1d+vLvBlipGAeInmA+nZmeZwdD04c
++poqUj+H3mj1r6WOlk2ivV0TUZKO/JHydkBVf2EQJlEmGuSq/7S889fx3GT7jGcOb
++gl5LlIaraMgA48dK8gJUWtJh
++-----END CERTIFICATE-----
+diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-key.pem rsyslog-8.2102.0/tests/testsuites/certchain/client-key.pem
+--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-key.pem	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/testsuites/certchain/client-key.pem	2022-09-06 12:10:13.808498227 +0200
+@@ -0,0 +1,134 @@
++Public Key Info:
++	Public Key Algorithm: RSA
++	Key Security Level: Medium (2048 bits)
++
++modulus:
++	00:d2:21:b9:cb:d5:58:91:93:d0:80:3d:ea:d2:8a:b5
++	29:06:d9:d1:e2:a6:03:5f:33:d2:91:52:73:5f:93:ca
++	2c:99:1e:27:ac:fa:a0:83:e8:8a:88:79:f7:ee:f4:8a
++	92:f9:2b:81:13:92:66:d4:15:a2:8f:f8:ba:e4:ee:5e
++	77:06:f0:27:3f:c0:5a:d6:b5:8d:57:68:33:83:28:a2
++	84:60:ac:ec:df:e2:6a:68:7d:47:38:f9:95:00:af:cd
++	42:61:89:37:29:85:ca:6d:57:ed:08:21:ff:6b:6c:48
++	20:11:ac:db:4a:0d:40:04:7c:52:f0:40:54:c7:e7:5d
++	54:97:3a:30:09:44:6c:0f:ec:b2:d9:2a:7c:4d:78:93
++	c6:19:3d:99:54:f5:99:8b:8f:21:db:b1:06:df:5c:57
++	a0:61:e7:ba:58:c3:f4:33:b0:aa:ac:c6:74:65:6b:c3
++	45:68:2a:58:e1:3e:6f:c6:a0:98:82:8f:6f:65:71:25
++	7b:91:de:25:c1:26:4f:00:35:ca:d1:ce:7f:ed:5d:28
++	4c:b8:62:b9:2a:25:8b:6b:a9:85:af:34:7a:c3:9e:43
++	82:32:00:2a:49:8f:3b:8d:e3:30:ef:ea:6d:60:7d:d5
++	15:72:b3:fc:ed:2b:ba:88:a1:79:b7:c9:a7:4e:78:85
++	35:
++
++public exponent:
++	01:00:01:
++
++private exponent:
++	1f:0c:c4:bb:8d:e6:ec:7b:ff:0f:34:17:02:cd:64:3f
++	8f:b7:97:ff:f9:af:fd:dd:56:7c:0a:c6:e9:94:99:07
++	46:08:e2:ab:f8:cc:c7:31:11:67:61:3e:75:9c:c4:ed
++	3a:cc:66:e2:51:7b:c8:52:fa:16:74:16:89:c5:7f:47
++	ef:4a:85:42:32:56:39:eb:d1:da:dc:96:e0:06:9d:1d
++	1a:7b:f2:f4:92:2c:4f:0c:53:fd:e3:43:55:3a:a5:05
++	ee:0b:ac:8f:02:2a:0b:46:36:cc:40:d9:d1:31:ca:e6
++	92:36:0c:a1:40:9b:f9:0d:b5:e3:b2:5d:d4:bc:27:5a
++	17:fd:3f:bd:8e:44:55:f2:e3:96:ac:cc:11:be:65:01
++	55:98:92:92:ac:59:46:fd:e2:11:80:eb:18:56:6a:82
++	3c:79:ec:30:b7:06:9b:97:55:74:36:17:7e:d8:c6:95
++	4e:a5:e1:55:5a:2a:d6:5d:cc:86:39:88:82:ba:31:19
++	98:d7:26:28:09:fe:b4:38:fe:1b:43:19:19:4f:ae:f2
++	27:18:d6:07:9a:c2:1c:66:2d:5a:e6:22:2e:ca:71:26
++	dc:76:8f:2e:f3:84:e3:61:5f:77:d3:63:8a:d0:6b:42
++	2a:6f:1b:98:91:b9:82:8d:d4:c4:f3:92:98:b4:a4:f1
++
++
++prime1:
++	00:e1:f4:19:35:e3:e2:e7:14:a6:56:8b:45:f9:2b:19
++	bb:13:b3:66:73:44:5d:ca:69:cb:73:d9:78:5a:0f:fd
++	de:ba:74:b3:53:70:a9:ab:52:22:34:78:a2:26:4a:aa
++	8f:1b:65:c1:3e:df:65:8c:9b:9a:70:04:ae:70:f6:ea
++	c4:e5:20:fa:16:e0:4f:56:f4:7b:d1:14:cc:94:e1:3c
++	58:02:82:98:20:cd:13:cf:a2:49:13:7a:88:c1:84:72
++	97:4f:1b:e8:d5:cb:6d:43:dd:d2:b8:09:dd:4f:ee:ce
++	03:0b:c4:c2:9b:cf:3d:a0:a3:57:fd:1c:c9:eb:af:ae
++	67:
++
++prime2:
++	00:ee:13:05:f0:4c:13:e2:f8:27:53:c4:ad:89:d9:31
++	b9:1b:e8:17:b9:db:36:cd:54:0c:15:eb:50:85:e4:8b
++	03:c4:f2:6d:a0:41:dc:99:21:7e:1e:8a:a1:5e:86:fe
++	53:d2:72:53:73:8a:7e:a2:43:83:d5:af:b0:e0:1a:89
++	b5:3f:b3:26:d2:8e:92:0d:ed:d1:29:ee:c5:f1:ff:fc
++	67:2c:a6:5d:4c:27:40:8a:5c:a1:23:d4:3f:11:bb:eb
++	51:84:be:83:ec:73:3c:2e:ff:43:f6:74:16:b8:95:36
++	2a:0b:1e:04:81:04:08:7a:40:21:dd:fb:dd:97:0a:76
++	03:
++
++coefficient:
++	00:a0:4c:15:4b:85:2f:81:6b:2e:e7:68:31:84:84:09
++	c4:45:55:01:da:3d:25:9d:37:67:ab:19:0b:1f:d3:9f
++	fc:09:12:31:66:5a:93:d8:d9:f2:00:c7:f7:03:0d:2b
++	9d:2d:b8:38:d0:82:de:03:e7:21:03:29:4f:2a:2b:b5
++	70:a3:bc:5b:bd:0e:f1:8b:bc:22:58:4a:b4:8f:fd:f5
++	d4:f3:99:31:b1:db:f6:1d:d9:12:a2:48:0a:d0:05:1a
++	72:dc:8e:30:67:3c:e0:6a:b5:dc:93:6f:e4:17:79:a1
++	63:2e:25:78:ef:86:d7:9c:f3:dd:5b:d2:bd:62:4f:44
++	f9:
++
++exp1:
++	60:a2:e2:49:5f:0e:83:20:1c:c7:f4:c6:d7:7b:2c:85
++	0b:36:f6:01:24:63:2c:97:b4:b0:f6:78:77:a4:51:42
++	79:e2:41:73:d5:42:6b:88:34:22:d6:d9:1a:a1:62:72
++	d4:17:df:df:40:f2:10:81:d8:3a:42:76:4c:cf:fd:b6
++	79:fc:71:99:69:13:e5:af:a8:68:d2:89:70:bf:27:ec
++	c8:1e:0c:6c:32:e9:5f:2b:1c:2f:dd:7f:31:ac:b0:c9
++	af:c6:d2:fc:e5:04:f5:3a:a0:cd:9f:42:6c:d6:48:7b
++	9b:03:ea:eb:72:65:fc:17:00:21:bb:b7:4c:3a:95:cf
++
++
++exp2:
++	00:a1:a7:61:1c:ed:4b:83:8e:24:86:08:c2:1d:1b:d1
++	5b:73:cb:80:70:be:9c:d3:87:02:3d:cf:ee:79:3b:d9
++	f8:d1:3e:1b:99:f9:9e:a4:8b:cd:6b:47:8e:92:f4:ee
++	b4:53:ed:35:24:fb:21:49:64:b6:9b:de:14:27:d7:5d
++	32:28:f2:a8:a5:c8:10:fc:4c:42:fe:4a:17:36:5f:2f
++	2f:8f:6d:d7:63:e2:33:3c:bf:f0:da:b7:3f:ab:f7:01
++	ad:f4:88:b8:63:51:4b:c8:4d:a4:04:30:87:4d:06:64
++	24:e0:2f:9d:b7:4c:d9:c4:c8:cf:36:3f:d3:12:c0:13
++	a9:
++
++
++Public Key PIN:
++	pin-sha256:I1Gv1FM9aCxvuCmF0uDnbDbIJgm1TFB2dtJV5v2iCEA=
++Public Key ID:
++	sha256:2351afd4533d682c6fb82985d2e0e76c36c82609b54c507676d255e6fda20840
++	sha1:a85b7025c64e3ee94c2ff34fd41390b9ad3e1ee9
++
++-----BEGIN RSA PRIVATE KEY-----
++MIIEpAIBAAKCAQEA0iG5y9VYkZPQgD3q0oq1KQbZ0eKmA18z0pFSc1+TyiyZHies
+++qCD6IqIeffu9IqS+SuBE5Jm1BWij/i65O5edwbwJz/AWta1jVdoM4MoooRgrOzf
++4mpofUc4+ZUAr81CYYk3KYXKbVftCCH/a2xIIBGs20oNQAR8UvBAVMfnXVSXOjAJ
++RGwP7LLZKnxNeJPGGT2ZVPWZi48h27EG31xXoGHnuljD9DOwqqzGdGVrw0VoKljh
++Pm/GoJiCj29lcSV7kd4lwSZPADXK0c5/7V0oTLhiuSoli2upha80esOeQ4IyACpJ
++jzuN4zDv6m1gfdUVcrP87Su6iKF5t8mnTniFNQIDAQABAoIBAB8MxLuN5ux7/w80
++FwLNZD+Pt5f/+a/93VZ8CsbplJkHRgjiq/jMxzERZ2E+dZzE7TrMZuJRe8hS+hZ0
++FonFf0fvSoVCMlY569Ha3JbgBp0dGnvy9JIsTwxT/eNDVTqlBe4LrI8CKgtGNsxA
++2dExyuaSNgyhQJv5DbXjsl3UvCdaF/0/vY5EVfLjlqzMEb5lAVWYkpKsWUb94hGA
++6xhWaoI8eewwtwabl1V0Nhd+2MaVTqXhVVoq1l3MhjmIgroxGZjXJigJ/rQ4/htD
++GRlPrvInGNYHmsIcZi1a5iIuynEm3HaPLvOE42Ffd9NjitBrQipvG5iRuYKN1MTz
++kpi0pPECgYEA4fQZNePi5xSmVotF+SsZuxOzZnNEXcppy3PZeFoP/d66dLNTcKmr
++UiI0eKImSqqPG2XBPt9ljJuacASucPbqxOUg+hbgT1b0e9EUzJThPFgCgpggzRPP
++okkTeojBhHKXTxvo1cttQ93SuAndT+7OAwvEwpvPPaCjV/0cyeuvrmcCgYEA7hMF
++8EwT4vgnU8StidkxuRvoF7nbNs1UDBXrUIXkiwPE8m2gQdyZIX4eiqFehv5T0nJT
++c4p+okOD1a+w4BqJtT+zJtKOkg3t0SnuxfH//Gcspl1MJ0CKXKEj1D8Ru+tRhL6D
++7HM8Lv9D9nQWuJU2KgseBIEECHpAId373ZcKdgMCgYBgouJJXw6DIBzH9MbXeyyF
++Czb2ASRjLJe0sPZ4d6RRQnniQXPVQmuINCLW2RqhYnLUF9/fQPIQgdg6QnZMz/22
++efxxmWkT5a+oaNKJcL8n7MgeDGwy6V8rHC/dfzGssMmvxtL85QT1OqDNn0Js1kh7
++mwPq63Jl/BcAIbu3TDqVzwKBgQChp2Ec7UuDjiSGCMIdG9Fbc8uAcL6c04cCPc/u
++eTvZ+NE+G5n5nqSLzWtHjpL07rRT7TUk+yFJZLab3hQn110yKPKopcgQ/ExC/koX
++Nl8vL49t12PiMzy/8Nq3P6v3Aa30iLhjUUvITaQEMIdNBmQk4C+dt0zZxMjPNj/T
++EsATqQKBgQCgTBVLhS+Bay7naDGEhAnERVUB2j0lnTdnqxkLH9Of/AkSMWZak9jZ
++8gDH9wMNK50tuDjQgt4D5yEDKU8qK7Vwo7xbvQ7xi7wiWEq0j/311POZMbHb9h3Z
++EqJICtAFGnLcjjBnPOBqtdyTb+QXeaFjLiV474bXnPPdW9K9Yk9E+Q==
++-----END RSA PRIVATE KEY-----
+diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/server-cert.pem
+--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-cert.pem	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/testsuites/certchain/server-cert.pem	2022-09-06 10:48:41.513496694 +0200
+@@ -0,0 +1,55 @@
++-----BEGIN CERTIFICATE-----
++MIIEVTCCAr2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEQ
++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
++dDEMMAoGA1UECxMDR1NTMRkwFwYDVQQDExByc3lzbG9nK2NoYWluK2NhMB4XDTIy
++MDYwNjEzNDA0OVoXDTIzMDYwNjEzNDA0OVowbTELMAkGA1UEBhMCQ1oxEDAOBgNV
++BAgTB01vcmF2aWExDTALBgNVBAcTBEJybm8xEDAOBgNVBAoTB1JlZCBIYXQxDDAK
++BgNVBAsTA0dTUzEdMBsGA1UEAxMUcnN5c2xvZytjaGFpbitzZXJ2ZXIwggEiMA0G
++CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3mDP67/SPVbCCgInxXNr9sOLz2yWx
++fa4jtgdbgWK5mib4XdPYTdH6hRiur/n6yn9rzhDeFFMUhSwQpQ81OyZfUFNU0A0q
++x7AZMgVOm3ZqMDk8O57UfuSdURJJPsEwMzZ8Q5d6wyq7xheX0DZjB8LUN8J6SX4w
++K2Ok1wCBOQdfjvW09tOVqQK7puHq85UWsEBTiZ7ie1Fg6FLNscPVoavjNNyYAORM
++Vz0Byv1zBdJzBHufqHUdjX7uMkUPcKfiU/TjQWMRYF3Yp5z2wFohi4Zgtise7xW5
++SfgcAIjA1bm5xMIaiUxRUZHUhCaoj6c2vZygrFO7MuB/2ngoEbqZ57pdAgMBAAGj
++gYMwgYAwDAYDVR0TAQH/BAIwADAwBgNVHREEKTAnggZmZWRvcmGHBH8AAAGBF3Jv
++b3RAZmVkb3JhdGxzd3d3c2VydmVyMB0GA1UdDgQWBBRxxQqJoRCHlrmwDLcB0aU3
++W/QRbDAfBgNVHSMEGDAWgBQ7t+ub2L0VzaTLfpubh4rnDk2RmjANBgkqhkiG9w0B
++AQsFAAOCAYEAkheMCnXNDh2fOhMyOifBFKqlUUsYzZoYU5UNweZijdKAKxJ4zdsS
++i31a2IG4ePBPX7PShUUr2E1PEQ2XBDi/HcCoK54qcqzhxGS83Rf/2YxN4BjU8jaA
++7RhIA0fv5haKxxhjRIDT6vsAXPB0HM/f3Y+E21GVbsQVUE1pP8QrDkcU0EwIjEfW
++tFEBitmb0s/11d8/ZLdYAuvvfzDzuN9kuAcj5dkdpB5Wo9R3h2NXnD6EIWIUHn/I
++zwgXdb/n9gUI6jQMC6shFjXScVT2jgjfziWi/M66PBbtEbEnhOEKdbW0o2lPiL3j
++2UDj6fMshRBAnSoBtEYm/lywBs3vDUGpMUSQFIAwPgUkizAl5DEdmE9PLqRL9HNT
++UIg8tQql9Xr29edEiuMHpIyH8eEa+KI2CpKG3KfYDBMaC7z9MvkpYuSuIG3dsQxy
++YguWDH7c0iosQVpHx8dxj5Exj1/QOXcD5tAVY/+DBe48nRzDTlZmRGQjtqr6Nw0j
++BIXBoqaes0D4
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIIFBzCCA2+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ
++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
++dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe
++Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMGkxCzAJBgNVBAYTAkNaMRAw
++DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0
++MQwwCgYDVQQLEwNHU1MxGTAXBgNVBAMTEHJzeXNsb2crY2hhaW4rY2EwggGiMA0G
++CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQD6yDdc9T3oddk5smOhF8OkRXwb2nvC
++M4RPPiuiACvbVoc3UdW2e4NI77J75JzNQL3gQUpgxGcvWiQt3R67ecYgIWiq0zpi
++MrcU3S0dboK10A6NXtcVc4RgwUPf0c8toM975c/6q2XT9Q0SbcI7HKXdzTXQZJDz
++sqQ3UjJuoCLSl6Dd8M0HXJnd2HlF1h5JeIp5vGrCJzQ5SyO6b4jVODtx/uXBohGn
++2x8NdB7wO5NecDyryrwv+FsUXWS4NNmj917bBuXSx3SmW/G7e8AFvcHN8VG6AxH7
++nap+EWGQia+LNG489flgU3U7Ec8zpTrI1wU6bUi6lK/RPxU0ViCaceGjXfoNofIc
++gGJOSS0LaHjM+c4OhmKWrIJ59j2L/rlIvmfqRO3qgThF4eaOfQTbixe/oiy3gR85
+++X6YDXvBwTGZDD6OeG1fCzx/snQLiP3/dRv6LJFE8Krawc9OCOWRDRlIxubrkmYz
++LVBxcFgI4BBGNYVsaMSYrkCVaS2Rv1sNAi0CAwEAAaOBtTCBsjAPBgNVHRMBAf8E
++BTADAQH/MCQGA1UdEQQdMBuCBmZlZG9yYYcEfwAAAYELcm9vdEBmZWRvcmEwDgYD
++VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAfBgNV
++HSMEGDAWgBSv9FgWjwDV6oGLewYzCo2/AdWTmzApBgNVHR8EIjAgMB6gHKAahhho
++dHRwOi8vMTI3LjAuMC4xL2dldGNybC8wDQYJKoZIhvcNAQELBQADggGBADrv9nld
++FjKZCIVQCVxYc1/KFFnKo2KRCqvSdfb235Kx+5tSFWUsOfkSGjfLrv2+IFKSirFQ
++uFSac/qOrMo/W/4A+ypahG9Sx9PRD626/myr8exee2ygkcuGOuXvX3HkcpzNCmId
++ZS5ygtscFq3NdntwBJHe2ANOSJKIIBzC+gzn4r/V6PdxPEjiUrFs515/RBByi63r
++wWPeqvbaectyZyFIS0XN3LAjVb+zu0NQJqBpUGJlRBI1bRbPECu94LB8Huk/jgSJ
++OyFUKrnNeqaGqKnRfHxJxT/LjeTkQ/5cCOQTuE9IPbRvTykUzUQ3PrltwNqzAb44
++9Trqvqg+qGTfNuI7EZAO26zXbltYVZ+BmlULjKors49Ozq5l1JIevvq66etrE9oT
++DsII88MSIWn8bqaXETfKdIWtWu7Os7tmBTnfDQWGpNDJ3UwDpkyQPYJZJuSfELX0
++jpuWuE/1SbLxTx8eAe83z4yM3C21Kg5K2eJ0udagjM8xPdqYI8tF/4bNbA==
++-----END CERTIFICATE-----
+diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-key.pem rsyslog-8.2102.0/tests/testsuites/certchain/server-key.pem
+--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-key.pem	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/testsuites/certchain/server-key.pem	2022-09-06 12:10:28.635549755 +0200
+@@ -0,0 +1,133 @@
++Public Key Info:
++	Public Key Algorithm: RSA
++	Key Security Level: Medium (2048 bits)
++
++modulus:
++	00:b7:98:33:fa:ef:f4:8f:55:b0:82:80:89:f1:5c:da
++	fd:b0:e2:f3:db:25:b1:7d:ae:23:b6:07:5b:81:62:b9
++	9a:26:f8:5d:d3:d8:4d:d1:fa:85:18:ae:af:f9:fa:ca
++	7f:6b:ce:10:de:14:53:14:85:2c:10:a5:0f:35:3b:26
++	5f:50:53:54:d0:0d:2a:c7:b0:19:32:05:4e:9b:76:6a
++	30:39:3c:3b:9e:d4:7e:e4:9d:51:12:49:3e:c1:30:33
++	36:7c:43:97:7a:c3:2a:bb:c6:17:97:d0:36:63:07:c2
++	d4:37:c2:7a:49:7e:30:2b:63:a4:d7:00:81:39:07:5f
++	8e:f5:b4:f6:d3:95:a9:02:bb:a6:e1:ea:f3:95:16:b0
++	40:53:89:9e:e2:7b:51:60:e8:52:cd:b1:c3:d5:a1:ab
++	e3:34:dc:98:00:e4:4c:57:3d:01:ca:fd:73:05:d2:73
++	04:7b:9f:a8:75:1d:8d:7e:ee:32:45:0f:70:a7:e2:53
++	f4:e3:41:63:11:60:5d:d8:a7:9c:f6:c0:5a:21:8b:86
++	60:b6:2b:1e:ef:15:b9:49:f8:1c:00:88:c0:d5:b9:b9
++	c4:c2:1a:89:4c:51:51:91:d4:84:26:a8:8f:a7:36:bd
++	9c:a0:ac:53:bb:32:e0:7f:da:78:28:11:ba:99:e7:ba
++	5d:
++
++public exponent:
++	01:00:01:
++
++private exponent:
++	68:06:20:25:a5:82:0f:18:c1:3b:20:33:88:83:51:3d
++	7e:d5:08:d0:79:a9:f8:89:0b:88:de:e0:55:0e:28:15
++	94:d1:12:f0:ae:55:61:8d:2d:8e:8f:a3:fb:e2:c2:8b
++	b1:fc:7f:08:25:c1:f1:15:87:a3:22:b2:dc:39:58:83
++	96:d2:b0:72:75:93:70:b3:71:83:2b:08:a0:03:57:25
++	5d:b8:a8:1b:55:51:54:9d:62:4b:17:1f:2c:7c:ef:f7
++	86:2f:12:0c:27:ba:f5:cb:c6:a0:69:03:f7:d6:74:e8
++	a3:73:58:b0:7d:84:33:81:70:eb:b5:48:82:94:8f:ea
++	4c:c7:9c:58:02:90:68:b1:64:29:df:a8:8a:69:15:d4
++	49:21:2f:aa:25:f1:e7:10:8b:93:37:ca:51:d3:4e:d6
++	de:cf:60:04:6b:10:41:1b:f5:0f:be:b7:2a:cd:41:44
++	50:25:be:e5:57:60:1e:3e:e9:d7:70:86:68:a6:4f:3d
++	7d:d8:0e:7f:9b:de:de:e6:02:35:33:9f:b6:68:bb:cd
++	2f:33:69:09:9e:da:91:6b:16:89:db:14:20:59:3a:92
++	7e:78:4e:e1:02:3f:c8:a5:3f:bd:f2:bc:3a:da:f2:97
++	06:f5:96:eb:c8:09:f7:04:cb:7f:e2:e2:12:52:d4:21
++
++
++prime1:
++	00:ed:e4:b8:72:ee:b0:9e:38:db:f8:e7:fa:52:a5:94
++	4a:4b:05:54:f0:96:23:72:d6:01:ba:9f:f4:3e:65:24
++	29:c0:47:4a:6f:a9:a4:02:36:c5:2c:c5:ea:cd:09:5c
++	2d:8e:3c:56:aa:e4:e7:85:32:a8:a7:4f:18:12:17:8c
++	93:15:07:da:3e:f4:df:33:7e:35:39:59:2d:f4:1c:ba
++	65:e8:42:c7:75:a0:c2:53:47:ad:ee:74:44:21:6a:42
++	75:7f:40:1f:8b:06:0e:df:c3:02:4d:50:58:75:f2:29
++	58:e2:0c:a0:7b:fe:be:c4:ab:76:ff:24:c1:4b:e6:ce
++	75:
++
++prime2:
++	00:c5:91:7c:48:59:dd:05:68:5c:8a:46:0b:3b:69:92
++	80:d1:c6:28:27:88:c8:a9:73:7c:32:ee:87:a7:31:29
++	ff:56:38:41:07:3e:0f:01:5c:cf:eb:93:db:e7:fb:b9
++	e7:15:94:93:ea:fa:f8:60:79:c6:16:d2:db:9b:64:5f
++	c3:b8:f0:52:c0:e7:ff:e0:9a:94:22:fb:7e:5e:80:8f
++	c0:ca:46:f4:87:91:e7:ad:6d:74:26:d1:fa:c0:f8:f5
++	7e:b3:0c:bb:23:5e:7d:5d:8b:c9:2e:68:76:be:d4:b4
++	75:de:3c:70:70:ad:1e:64:de:e4:1d:f7:df:af:46:0f
++	49:
++
++coefficient:
++	00:89:f1:2c:f9:14:89:25:21:7a:ad:75:30:f0:b1:e7
++	20:b3:14:14:d7:c9:b6:78:3c:c7:c8:92:3a:64:8e:47
++	d0:10:fc:01:a9:a6:25:a5:61:6d:8f:da:d4:85:fa:06
++	9f:a5:27:a8:7d:38:e2:67:19:65:ab:a9:00:52:8c:f3
++	51:fe:f9:a6:4f:ab:47:04:0a:86:ae:f0:fe:3d:2d:72
++	76:6d:ad:03:48:af:23:67:92:28:34:83:bc:45:7d:c0
++	45:ca:89:4a:4f:dd:11:a6:3a:5a:23:47:f4:7c:82:42
++	dc:e8:56:85:d8:1b:9d:08:9c:6e:ca:17:58:d7:d4:bb
++	77:
++
++exp1:
++	21:50:b8:ac:0f:d5:58:33:2a:4b:2f:61:95:15:6f:31
++	00:54:9c:d2:9c:94:16:4e:f6:2b:06:9f:93:e5:62:2d
++	1e:aa:5d:38:4a:0f:97:e7:c7:b1:3f:7e:64:7c:7d:16
++	3c:27:23:14:07:be:8c:9e:cd:93:b0:b5:f4:42:ac:03
++	25:1c:d6:69:9e:ad:6b:6e:af:51:7a:b5:be:cc:0f:26
++	9a:62:4f:c0:9f:64:d7:78:e0:58:d6:9b:7b:fa:7f:98
++	28:db:f8:0e:e6:28:4b:19:ea:46:9d:8b:e5:e8:a5:f5
++	b6:a2:82:0f:1b:5b:e7:fb:03:4d:33:fe:85:fc:aa:c9
++
++
++exp2:
++	59:36:db:22:68:c1:ef:a1:32:b8:95:ec:98:85:91:cc
++	6d:ed:c7:50:22:ea:49:ea:86:59:11:71:5c:44:4d:2c
++	aa:28:78:e4:e6:57:2c:4c:56:ef:90:33:2b:4c:76:a4
++	2d:10:8c:c2:fd:55:8f:6b:2d:d2:3c:a1:42:48:4f:1e
++	38:b2:fd:0b:73:38:0e:9a:7e:ee:55:16:b9:61:e0:88
++	34:4f:5a:38:a5:e0:32:66:4c:9f:03:0e:f2:78:f9:92
++	9f:13:ce:a5:a8:13:80:5c:91:1a:4d:bd:e1:6a:77:9b
++	0a:21:cc:bc:74:d0:56:c8:77:c6:38:9a:5f:b1:89:51
++
++
++
++Public Key PIN:
++	pin-sha256:FSR0pC1TUEe+ZMU7YSVDDmYP4hmDlsIJRKf4D8LiJZ8=
++Public Key ID:
++	sha256:152474a42d535047be64c53b6125430e660fe2198396c20944a7f80fc2e2259f
++	sha1:71c50a89a1108796b9b00cb701d1a5375bf4116c
++
++-----BEGIN RSA PRIVATE KEY-----
++MIIEowIBAAKCAQEAt5gz+u/0j1WwgoCJ8Vza/bDi89slsX2uI7YHW4FiuZom+F3T
++2E3R+oUYrq/5+sp/a84Q3hRTFIUsEKUPNTsmX1BTVNANKsewGTIFTpt2ajA5PDue
++1H7knVESST7BMDM2fEOXesMqu8YXl9A2YwfC1DfCekl+MCtjpNcAgTkHX471tPbT
++lakCu6bh6vOVFrBAU4me4ntRYOhSzbHD1aGr4zTcmADkTFc9Acr9cwXScwR7n6h1
++HY1+7jJFD3Cn4lP040FjEWBd2Kec9sBaIYuGYLYrHu8VuUn4HACIwNW5ucTCGolM
++UVGR1IQmqI+nNr2coKxTuzLgf9p4KBG6mee6XQIDAQABAoIBAGgGICWlgg8YwTsg
++M4iDUT1+1QjQean4iQuI3uBVDigVlNES8K5VYY0tjo+j++LCi7H8fwglwfEVh6Mi
++stw5WIOW0rBydZNws3GDKwigA1clXbioG1VRVJ1iSxcfLHzv94YvEgwnuvXLxqBp
++A/fWdOijc1iwfYQzgXDrtUiClI/qTMecWAKQaLFkKd+oimkV1EkhL6ol8ecQi5M3
++ylHTTtbez2AEaxBBG/UPvrcqzUFEUCW+5VdgHj7p13CGaKZPPX3YDn+b3t7mAjUz
++n7Zou80vM2kJntqRaxaJ2xQgWTqSfnhO4QI/yKU/vfK8Otrylwb1luvICfcEy3/i
++4hJS1CECgYEA7eS4cu6wnjjb+Of6UqWUSksFVPCWI3LWAbqf9D5lJCnAR0pvqaQC
++NsUsxerNCVwtjjxWquTnhTKop08YEheMkxUH2j703zN+NTlZLfQcumXoQsd1oMJT
++R63udEQhakJ1f0AfiwYO38MCTVBYdfIpWOIMoHv+vsSrdv8kwUvmznUCgYEAxZF8
++SFndBWhcikYLO2mSgNHGKCeIyKlzfDLuh6cxKf9WOEEHPg8BXM/rk9vn+7nnFZST
++6vr4YHnGFtLbm2Rfw7jwUsDn/+CalCL7fl6Aj8DKRvSHkeetbXQm0frA+PV+swy7
++I159XYvJLmh2vtS0dd48cHCtHmTe5B33369GD0kCgYAhULisD9VYMypLL2GVFW8x
++AFSc0pyUFk72Kwafk+ViLR6qXThKD5fnx7E/fmR8fRY8JyMUB76Mns2TsLX0QqwD
++JRzWaZ6ta26vUXq1vswPJppiT8CfZNd44FjWm3v6f5go2/gO5ihLGepGnYvl6KX1
++tqKCDxtb5/sDTTP+hfyqyQKBgFk22yJowe+hMriV7JiFkcxt7cdQIupJ6oZZEXFc
++RE0sqih45OZXLExW75AzK0x2pC0QjML9VY9rLdI8oUJITx44sv0LczgOmn7uVRa5
++YeCINE9aOKXgMmZMnwMO8nj5kp8TzqWoE4BckRpNveFqd5sKIcy8dNBWyHfGOJpf
++sYlRAoGBAInxLPkUiSUheq11MPCx5yCzFBTXybZ4PMfIkjpkjkfQEPwBqaYlpWFt
++j9rUhfoGn6UnqH044mcZZaupAFKM81H++aZPq0cECoau8P49LXJ2ba0DSK8jZ5Io
++NIO8RX3ARcqJSk/dEaY6WiNH9HyCQtzoVoXYG50InG7KF1jX1Lt3
++-----END RSA PRIVATE KEY-----

SOURCES/rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch

@@ -0,0 +1,195 @@
+diff -up rsyslog-8.2102.0/configure.ac.orig rsyslog-8.2102.0/configure.ac
+--- rsyslog-8.2102.0/configure.ac.orig	2022-11-21 11:39:40.717183684 +0100
++++ rsyslog-8.2102.0/configure.ac	2022-11-21 11:40:18.697206706 +0100
+@@ -387,6 +387,28 @@ if test "$enable_fmhash_xxhash" = "yes";
+ 	])
+ fi
+ 
++AC_ARG_ENABLE(libcap-ng,
++        [AS_HELP_STRING([--enable-libcap-ng],[Enable dropping capabilities to only the necessary set @<:@default=no@:>@])],
++        [case "${enableval}" in
++         yes) enable_libcapng="yes" ;;
++          no) enable_libcapng="no" ;;
++           *) AC_MSG_ERROR(bad value ${enableval} for --enable_libcapng) ;;
++         esac],
++        [enable_libcapng=no]
++)
++
++if test "$enable_libcapng" = "yes"; then
++        PKG_CHECK_MODULES(
++                [LIBCAPNG],
++                [libcap-ng >= 0.8.2],
++                [AC_DEFINE([ENABLE_LIBCAPNG], [1], [Indicator that libcap-ng is present])],
++                [AC_MSG_ERROR(libcap-ng is not present.)]
++        )
++        CFLAGS="$CFLAGS $LIBCAPNG_CFLAGS"
++        LIBS="$LIBS $LIBCAPNG_LIBS"
++fi
++
++
+ 
+ #gssapi
+ AC_ARG_ENABLE(gssapi_krb5,
+@@ -2688,6 +2710,7 @@ echo "    liblogging-stdlog support enab
+ echo "    libsystemd enabled:                       $enable_libsystemd"
+ echo "    kafka static linking enabled:             $enable_kafka_static"
+ echo "    atomic operations enabled:                $enable_atomic_operations"
++echo "    libcap-ng support enabled:                $enable_libcapng"
+ echo
+ echo "---{ input plugins }---"
+ if test "$unamestr" != "AIX"; then
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2022-11-21 11:40:31.926214720 +0100
++++ rsyslog-8.2102.0/runtime/rsconf.c	2022-11-21 11:44:26.742356979 +0100
+@@ -33,6 +33,9 @@
+ #include <sys/resource.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#ifdef ENABLE_LIBCAPNG
++	#include <cap-ng.h>
++#endif
+ 
+ #include "rsyslog.h"
+ #include "obj.h"
+@@ -546,6 +549,7 @@ rsRetVal doDropPrivGid(void)
+ 	uchar szBuf[1024];
+ 	DEFiRet;
+ 
++#ifndef ENABLE_LIBCAPNG
+ 	if(!ourConf->globals.gidDropPrivKeepSupplemental) {
+ 		res = setgroups(0, NULL); /* remove all supplemental group IDs */
+ 		if(res) {
+@@ -560,9 +564,19 @@ rsRetVal doDropPrivGid(void)
+ 	if(res) {
+ 		rs_strerror_r(errno, (char*)szBuf, sizeof(szBuf));
+ 		LogError(0, RS_RET_ERR_DROP_PRIV,
+-				"could not set requested group id: %s", szBuf);
++				"could not set requested group id: %s via setgid()", szBuf);
+ 		ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
+ 	}
++#else
++	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
++	res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
++	if (res) {
++		LogError(0, RS_RET_LIBCAPNG_ERR,
++				"could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
++		ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
++	}
++#endif
++
+ 	DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
+ 	snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
+ 		 ourConf->globals.gidDropPriv);
+@@ -599,7 +613,14 @@ static void doDropPrivUid(int iUid)
+ 				iUid, szBuf);
+ 	}
+ 
++#ifndef ENABLE_LIBCAPNG
+ 	res = setuid(iUid);
++	// res = setuid(cnf->globals.uidDropPriv);
++#else
++	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
++	res = capng_change_id(iUid, -1, capng_flags);
++#endif
++
+ 	if(res) {
+ 		/* if we can not set the userid, this is fatal, so let's unconditionally abort */
+ 		perror("could not set requested userid");
+diff -up rsyslog-8.2102.0/runtime/rsyslog.h.orig rsyslog-8.2102.0/runtime/rsyslog.h
+--- rsyslog-8.2102.0/runtime/rsyslog.h.orig	2022-11-21 11:45:09.007382588 +0100
++++ rsyslog-8.2102.0/runtime/rsyslog.h	2022-11-21 11:45:31.333396112 +0100
+@@ -582,6 +582,7 @@ enum rsRetVal_				/** return value. All
+ 	RS_RET_RABBITMQ_CHANNEL_ERR = -2449, /**< RabbitMQ Connection error */
+ 	RS_RET_NO_WRKDIR_SET = -2450, /**< working directory not set, but desired by functionality */
+ 	RS_RET_ERR_QUEUE_FN_DUP = -2451, /**< duplicate queue file name */
++	RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
+ 
+ 	/* RainerScript error messages (range 1000.. 1999) */
+ 	RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2022-11-21 11:45:17.587387786 +0100
++++ rsyslog-8.2102.0/tools/rsyslogd.c	2022-11-21 11:46:19.509425295 +0100
+@@ -38,6 +38,10 @@
+ #	include <systemd/sd-daemon.h>
+ #endif
+ 
++#ifdef ENABLE_LIBCAPNG
++	#include <cap-ng.h>
++#endif
++
+ #include "rsyslog.h"
+ #include "wti.h"
+ #include "ratelimit.h"
+@@ -321,7 +325,7 @@ checkStartupOK(void)
+ 		fprintf(stderr, "rsyslogd: error reading pid file, cannot start up\n");
+ 		ABORT_FINALIZE(RS_RET_ERR);
+ 	}
+-	
++
+ 	/* ok, we got a pid, let's check if the process is running */
+ 	const pid_t pid = (pid_t) pf_pid;
+ 	if(kill(pid, 0) == 0 || errno != ESRCH) {
+@@ -1594,7 +1598,7 @@ initAll(int argc, char **argv)
+ 		localRet = RS_RET_OK;
+ 	}
+ 	CHKiRet(localRet);
+-	
++
+ 	CHKiRet(rsyslogd_InitStdRatelimiters());
+ 
+ 	if(bChDirRoot) {
+@@ -2019,7 +2023,7 @@ deinitAll(void)
+ 	/* close the inputs */
+ 	DBGPRINTF("Terminating input threads...\n");
+ 	glbl.SetGlobalInputTermination();
+-	
++
+ 	thrdTerminateAll();
+ 
+ 	/* and THEN send the termination log message (see long comment above) */
+@@ -2142,6 +2146,45 @@ main(int argc, char **argv)
+ 	if(log_dflt != NULL && !strcmp(log_dflt, "1"))
+ 		bProcessInternalMessages = 1;
+ 	dbgClassInit();
++
++#ifdef ENABLE_LIBCAPNG
++	/*
++	 * Drop capabilities to the necessary set
++	 */
++	int capng_rc;
++	capng_clear(CAPNG_SELECT_BOTH);
++
++	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++		CAP_BLOCK_SUSPEND,
++		CAP_CHOWN,
++		CAP_IPC_LOCK,
++		CAP_LEASE,
++		CAP_NET_ADMIN,
++		CAP_NET_BIND_SERVICE,
++		CAP_PERFMON,
++		CAP_SETGID,
++		CAP_SETUID,
++		CAP_SYS_ADMIN,
++		CAP_SYS_CHROOT,
++		CAP_SYS_RESOURCE,
++		CAP_SYSLOG,
++		-1
++	)) != 0) {
++		LogError(0, RS_RET_LIBCAPNG_ERR,
++				"could not update the internal posix capabilities settings "
++				"based on the options passed to it, capng_updatev=%d\n", capng_rc);
++		exit(-1);
++	}
++
++	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
++		LogError(0, RS_RET_LIBCAPNG_ERR,
++			"could not transfer  the  specified  internal posix  capabilities "
++			"settings to the kernel, capng_apply=%d\n", capng_rc);
++		exit(-1);
++	}
++	DBGPRINTF("Capabilities were dropped successfully\n");
++#endif
++
+ 	initAll(argc, argv);
+ #ifdef HAVE_LIBSYSTEMD
+ 	sd_notify(0, "READY=1");

SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch

@@ -0,0 +1,20 @@
+diff --git a/plugins/imklog/imklog.c b/plugins/imklog/imklog.c
+index 6c24b5a2db..78cfc3bae2 100644
+--- a/plugins/imklog/imklog.c
++++ b/plugins/imklog/imklog.c
+@@ -453,6 +453,7 @@ ENDactivateCnf
+ 
+ BEGINfreeCnf
+ CODESTARTfreeCnf
++	free(pModConf->pszBindRuleset);
+ ENDfreeCnf
+ 
+ 
+@@ -475,7 +476,6 @@ CODESTARTmodExit
+ 	if(pInputName != NULL)
+ 		prop.Destruct(&pInputName);
+ 
+-	free(runModConf->pszBindRuleset);
+ 	/* release objects we used */
+ 	objRelease(glbl, CORE_COMPONENT);
+ 	objRelease(net, CORE_COMPONENT);

SOURCES/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch

@@ -0,0 +1,30 @@
+diff -up rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig rsyslog-8.37.0/plugins/imptcp/imptcp.c
+--- rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig	2022-05-09 12:22:59.050623119 +0200
++++ rsyslog-8.37.0/plugins/imptcp/imptcp.c	2022-05-09 12:34:39.979854853 +0200
+@@ -1032,7 +1032,10 @@ processDataRcvd(ptcpsess_t *const __rest
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
++			// *(pThis->pMsg + pThis->iMsg++) = c;
++			if(pThis->iMsg < iMaxLine) {
++				*(pThis->pMsg + pThis->iMsg++) = c;
++			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff -up rsyslog-8.37.0/runtime/tcps_sess.c.orig rsyslog-8.37.0/runtime/tcps_sess.c
+--- rsyslog-8.37.0/runtime/tcps_sess.c.orig	2022-05-09 12:23:12.789627661 +0200
++++ rsyslog-8.37.0/runtime/tcps_sess.c	2022-05-09 12:36:51.426898549 +0200
+@@ -389,7 +389,10 @@ processDataRcvd(tcps_sess_t *pThis,
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
++			// *(pThis->pMsg + pThis->iMsg++) = c;
++			if(pThis->iMsg < iMaxLine) {
++				*(pThis->pMsg + pThis->iMsg++) = c;
++			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);

SOURCES/rsyslog.conf

@@ -0,0 +1,79 @@
+# rsyslog configuration file
+
+# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
+# or latest version online at http://www.rsyslog.com/doc/rsyslog_conf.html 
+# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
+
+#### GLOBAL DIRECTIVES ####
+
+# Where to place auxiliary files
+global(workDirectory="/var/lib/rsyslog")
+
+# Use default timestamp format
+module(load="builtin:omfile" Template="RSYSLOG_TraditionalFileFormat")
+
+# Include all config files in /etc/rsyslog.d/
+include(file="/etc/rsyslog.d/*.conf" mode="optional")
+
+#### MODULES ####
+
+module(load="imuxsock" 	  # provides support for local system logging (e.g. via logger command)
+       SysSock.Use="off") # Turn off message reception via local log socket; 
+			  # local messages are retrieved through imjournal now.
+module(load="imjournal" 	    # provides access to the systemd journal
+       StateFile="imjournal.state") # File to store the position in the journal
+#module(load="imklog") # reads kernel messages (the same are read from journald)
+#module(load="immark") # provides --MARK-- message capability
+
+# Provides UDP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imudp.html
+#module(load="imudp") # needs to be done just once
+#input(type="imudp" port="514")
+
+# Provides TCP syslog reception
+# for parameters see http://www.rsyslog.com/doc/imtcp.html
+#module(load="imtcp") # needs to be done just once
+#input(type="imtcp" port="514")
+
+#### RULES ####
+
+# Log all kernel messages to the console.
+# Logging much else clutters up the screen.
+#kern.*                                                 /dev/console
+
+# Log anything (except mail) of level info or higher.
+# Don't log private authentication messages!
+*.info;mail.none;authpriv.none;cron.none                /var/log/messages
+
+# The authpriv file has restricted access.
+authpriv.*                                              /var/log/secure
+
+# Log all the mail messages in one place.
+mail.*                                                  -/var/log/maillog
+
+
+# Log cron stuff
+cron.*                                                  /var/log/cron
+
+# Everybody gets emergency messages
+*.emerg                                                 :omusrmsg:*
+
+# Save news errors of level crit and higher in a special file.
+uucp,news.crit                                          /var/log/spooler
+
+# Save boot messages also to boot.log
+local7.*                                                /var/log/boot.log
+
+
+# ### sample forwarding rule ###
+#action(type="omfwd"  
+# # An on-disk queue is created for this action. If the remote host is
+# # down, messages are spooled to disk and sent when it is up again.
+#queue.filename="fwdRule1"       # unique name prefix for spool files
+#queue.maxdiskspace="1g"         # 1gb space limit (use as much as possible)
+#queue.saveonshutdown="on"       # save messages to disk on shutdown
+#queue.type="LinkedList"         # run asynchronously
+#action.resumeRetryCount="-1"    # infinite retries if host is down
+# # Remote Logging (we use TCP for reliable delivery)
+# # remote_host is: name/ip, e.g. 192.168.0.1, port optional e.g. 10514
+#Target="remote_host" Port="XXX" Protocol="tcp")

SOURCES/rsyslog.log

@@ -0,0 +1,12 @@
+/var/log/cron
+/var/log/maillog
+/var/log/messages
+/var/log/secure
+/var/log/spooler
+{
+    missingok
+    sharedscripts
+    postrotate
+        /usr/bin/systemctl -s HUP kill rsyslog.service >/dev/null 2>&1 || true
+    endscript
+}

SOURCES/rsyslog.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=System Logging Service
+;Requires=syslog.socket
+Documentation=man:rsyslogd(8)
+Documentation=https://www.rsyslog.com/doc/
+
+[Service]
+Type=notify
+EnvironmentFile=-/etc/sysconfig/rsyslog
+ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS
+ExecReload=/usr/bin/kill -HUP $MAINPID
+UMask=0066
+StandardOutput=null
+Restart=on-failure
+
+# Increase the default a bit in order to allow many simultaneous
+# files to be monitored, we might need a lot of fds.
+LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target
+;Alias=syslog.service

SOURCES/rsyslog.sysconfig

@@ -0,0 +1,5 @@
+# Options for rsyslogd
+# Syslogd options are deprecated since rsyslog v3.
+# If you want to use them, switch to compatibility mode 2 by "-c 2"
+# See rsyslogd(8) for more details
+SYSLOGD_OPTIONS=""