.gitignore

@@ -1,3 +1,3 @@
 SOURCES/qpid-proton-0.39.0.tar.gz
-SOURCES/rsyslog-8.2310.0.tar.gz
-SOURCES/rsyslog-doc-8.2310.0.tar.gz
+SOURCES/rsyslog-8.2102.0.tar.gz
+SOURCES/rsyslog-doc-8.2102.0.tar.gz

.rsyslog.metadata

@@ -1,3 +1,3 @@
 e2fe5aada26415aeb1902435a8acf5ee388cb2cf SOURCES/qpid-proton-0.39.0.tar.gz
-702012a5ed36fe2a07bed78f80de1915787aac75 SOURCES/rsyslog-8.2310.0.tar.gz
-9016da3bc06acdbde78ad83d129582c22fe444a1 SOURCES/rsyslog-doc-8.2310.0.tar.gz
+fdda78ed808e7a0dca03ead9227a0a5d913a050f SOURCES/rsyslog-8.2102.0.tar.gz
+9c2188d435cb5f79c1c35749003bd2a61e7f2d07 SOURCES/rsyslog-doc-8.2102.0.tar.gz

SOURCES/rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch

@@ -1,7 +1,7 @@
-diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/plugins/imjournal/imjournal.c
---- rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig	2023-10-10 16:42:39.771369418 +0200
-+++ rsyslog-8.2310.0/plugins/imjournal/imjournal.c	2023-10-10 16:51:39.839133580 +0200
-@@ -87,6 +87,7 @@ static struct configSettings_s {
+diff -up ./plugins/imjournal/imjournal.c.default-tag ./plugins/imjournal/imjournal.c
+--- ./plugins/imjournal/imjournal.c.default-tag	2018-05-17 08:50:11.416418022 -0400
++++ ./plugins/imjournal/imjournal.c	2018-05-17 08:53:02.884418022 -0400
+@@ -78,6 +78,7 @@ static struct configSettings_s {
  	int bWorkAroundJournalBug; /* deprecated, left for backwards compatibility only */
  	int bFsync;
  	int bRemote;
@@ -9,7 +9,7 @@ diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/pl
  } cs;
  
  static rsRetVal facilityHdlr(uchar **pp, void *pVal);
-@@ -106,7 +107,8 @@ static struct cnfparamdescr modpdescr[]
+@@ -93,7 +94,8 @@ static struct cnfparamdescr modpdescr[]
  	{ "usepid", eCmdHdlrString, 0 },
  	{ "workaroundjournalbug", eCmdHdlrBinary, 0 },
  	{ "fsync", eCmdHdlrBinary, 0 },
@@ -19,7 +19,7 @@ diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/pl
  };
  static struct cnfparamblk modpblk =
  	{ CNFPARAMBLK_VERSION,
-@@ -117,6 +119,7 @@ static struct cnfparamblk modpblk =
+@@ -104,6 +106,7 @@ static struct cnfparamblk modpblk =
  #define DFLT_persiststateinterval 10
  #define DFLT_SEVERITY pri2sev(LOG_NOTICE)
  #define DFLT_FACILITY pri2fac(LOG_USER)
@@ -27,27 +27,37 @@ diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/pl
  
  static int bLegacyCnfModGlobalsPermitted = 1;/* are legacy module-global config parameters permitted? */
  
-@@ -458,7 +461,7 @@ readjournal(void)
- 	} else if (journalGetData("_COMM", &get, &length) >= 0) {
- 		CHKiRet(sanitizeValue(((const char *)get) + 6, length - 6, &sys_iden));
+@@ -268,7 +271,7 @@ readjournal(void)
+ 
+ 	/* Information from messages */
+ 	char *message = NULL;
+-	char *sys_iden;
++	char *sys_iden = NULL;
+ 	char *sys_iden_help = NULL;
+ 
+ 	const void *get;
+@@ -331,7 +334,7 @@ readjournal(void)
+ 	if (journalGetData("SYSLOG_IDENTIFIER", &get, &length) >= 0) {
+ 		CHKiRet(sanitizeValue(((const char *)get) + 18, length - 18, &sys_iden));
  	} else {
 -		CHKmalloc(sys_iden = strdup("journal"));
 +		CHKmalloc(sys_iden = strdup(cs.dfltTag));
  	}
  
  	/* trying to get PID, default is "SYSLOG_PID" property */
-@@ -826,6 +829,10 @@ CODESTARTrunInput
- 			"\"usepidfromsystem\" is deprecated, use \"usepid\" instead");
+@@ -654,6 +657,11 @@ CODESTARTrunInput
+ 			"\"usepidfromsystem\" is depricated, use \"usepid\" instead");
  	}
  
 +	if (cs.dfltTag == NULL) {
 +		cs.dfltTag = strdup(DFLT_TAG);
 +	}
++
 +
  	if (cs.usePid && (strcmp(cs.usePid, "system") == 0)) {
  		pidFieldName = "_PID";
  		bPidFallBack = 0;
-@@ -914,6 +921,7 @@ CODESTARTbeginCnfLoad
+@@ -732,6 +740,7 @@ CODESTARTbeginCnfLoad
  	cs.bWorkAroundJournalBug = 1;
  	cs.bFsync = 0;
  	cs.bRemote = 0;
@@ -55,7 +65,7 @@ diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/pl
  ENDbeginCnfLoad
  
  
-@@ -983,6 +991,7 @@ BEGINfreeCnf
+@@ -754,6 +763,7 @@ BEGINfreeCnf
  CODESTARTfreeCnf
  	free(cs.stateFile);
  	free(cs.usePid);
@@ -63,7 +73,7 @@ diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/pl
  	free(journalContext.cursor);
  	statsobj.Destruct(&(statsCounter.stats));
  ENDfreeCnf
-@@ -1077,6 +1086,8 @@ CODESTARTsetModCnf
+@@ -832,6 +842,8 @@ CODESTARTsetModCnf
  			cs.bFsync = (int) pvals[i].val.d.n;
  		} else if (!strcmp(modpblk.descr[i].name, "remote")) {
  			cs.bRemote = (int) pvals[i].val.d.n;
@@ -72,7 +82,7 @@ diff -up rsyslog-8.2310.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2310.0/pl
  		} else {
  			dbgprintf("imjournal: program error, non-handled "
  				"param '%s' in beginCnfLoad\n", modpblk.descr[i].name);
-@@ -1144,6 +1155,8 @@ CODEmodInit_QueryRegCFSLineHdlr
+@@ -799,6 +820,8 @@ CODEmodInit_QueryRegCFSLineHdlr
  		facilityHdlr, &cs.iDfltFacility, STD_LOADABLE_MODULE_ID));
  	CHKiRet(omsdRegCFSLineHdlr((uchar *)"imjournalusepidfromsystem", 0, eCmdHdlrBinary,
  		NULL, &cs.bUseJnlPID, STD_LOADABLE_MODULE_ID));

SOURCES/rsyslog-8.2102.0-capabilities-capnetraw.patch

@@ -0,0 +1,11 @@
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2023-03-06 09:33:13.969300666 +0100
++++ rsyslog-8.2102.0/tools/rsyslogd.c	2023-03-06 09:33:35.089326502 +0100
+@@ -2164,6 +2164,7 @@ main(int argc, char **argv)
+ 		CAP_SETGID,
+ 		CAP_SETUID,
+ 		CAP_DAC_OVERRIDE,
++		CAP_NET_RAW,
+ 		CAP_SYS_ADMIN,
+ 		CAP_SYS_CHROOT,
+ 		CAP_SYS_RESOURCE,

SOURCES/rsyslog-8.2102.0-capabilities-drop-credential.patch

@@ -0,0 +1,67 @@
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2023-02-17 11:52:17.460043970 +0100
++++ rsyslog-8.2102.0/runtime/rsconf.c	2023-02-17 12:00:49.881602881 +0100
+@@ -33,9 +33,6 @@
+ #include <sys/resource.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
+-#ifdef ENABLE_LIBCAPNG
+-	#include <cap-ng.h>
+-#endif
+ 
+ #include "rsyslog.h"
+ #include "obj.h"
+@@ -549,7 +546,7 @@ rsRetVal doDropPrivGid(void)
+ 	uchar szBuf[1024];
+ 	DEFiRet;
+ 
+-#ifndef ENABLE_LIBCAPNG
++
+ 	if(!ourConf->globals.gidDropPrivKeepSupplemental) {
+ 		res = setgroups(0, NULL); /* remove all supplemental group IDs */
+ 		if(res) {
+@@ -567,15 +564,6 @@ rsRetVal doDropPrivGid(void)
+ 				"could not set requested group id: %s via setgid()", szBuf);
+ 		ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
+ 	}
+-#else
+-	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
+-	res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
+-	if (res) {
+-		LogError(0, RS_RET_LIBCAPNG_ERR,
+-				"could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
+-		ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
+-	}
+-#endif
+ 
+ 	DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
+ 	snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
+@@ -613,13 +601,8 @@ static void doDropPrivUid(int iUid)
+ 				iUid, szBuf);
+ 	}
+ 
+-#ifndef ENABLE_LIBCAPNG
++
+ 	res = setuid(iUid);
+-	// res = setuid(cnf->globals.uidDropPriv);
+-#else
+-	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
+-	res = capng_change_id(iUid, -1, capng_flags);
+-#endif
+ 
+ 	if(res) {
+ 		/* if we can not set the userid, this is fatal, so let's unconditionally abort */
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2023-02-17 11:52:00.011011019 +0100
++++ rsyslog-8.2102.0/tools/rsyslogd.c	2023-02-17 11:58:37.322491823 +0100
+@@ -2161,9 +2161,9 @@ main(int argc, char **argv)
+ 		CAP_LEASE,
+ 		CAP_NET_ADMIN,
+ 		CAP_NET_BIND_SERVICE,
+-		CAP_PERFMON,
+ 		CAP_SETGID,
+ 		CAP_SETUID,
++		CAP_DAC_OVERRIDE,
+ 		CAP_SYS_ADMIN,
+ 		CAP_SYS_CHROOT,
+ 		CAP_SYS_RESOURCE,

SOURCES/rsyslog-8.2102.0-libcapng-no-cap-support2.patch

@@ -0,0 +1,11 @@
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2023-07-28 11:11:36.253771848 +0200
++++ rsyslog-8.2102.0/tools/rsyslogd.c	2023-07-28 11:11:57.628795339 +0200
+@@ -1571,6 +1571,7 @@ initAll(int argc, char **argv)
+ 	capabilities_t capabilities[] = {
+ 		#define CAP_FIELD(code) { code, #code,  0 }
+ 		CAP_FIELD(CAP_BLOCK_SUSPEND),
++		CAP_FIELD(CAP_NET_RAW),
+ 		CAP_FIELD(CAP_CHOWN),
+ 		CAP_FIELD(CAP_IPC_LOCK),
+ 		CAP_FIELD(CAP_LEASE),

SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch

@@ -0,0 +1,47 @@
+diff -up rsyslog-8.2102.0/doc/configuration/modules/imfile.html.state-file-leaking-doc rsyslog-8.2102.0/doc/configuration/modules/imfile.html
+--- rsyslog-8.2102.0/doc/configuration/modules/imfile.html.state-file-leaking-doc	2021-02-15 12:53:31.000000000 +0100
++++ rsyslog-8.2102.0/doc/configuration/modules/imfile.html	2022-03-29 10:35:07.187827004 +0200
+@@ -294,6 +294,28 @@ rsyslog needs write permissions to work
+ also might require SELinux definitions (or similar for other enhanced security
+ systems).</p>
+ </div>
++<div class="section" id="deletestateonfilemove">
++<h4>deleteStateOnFileMove<a class="headerlink" href="#deletestateonfilemove" title="Permalink to this headline">¶</a></h4>
++<table border="1" class="colwidths-auto parameter-table docutils">
++<thead valign="bottom">
++<tr class="row-odd"><th class="head">type</th>
++<th class="head">default</th>
++<th class="head">mandatory</th>
++<th class="head"><code class="docutils literal notranslate"><span class="pre">obsolete</span> <span class="pre">legacy</span></code> directive</th>
++</tr>
++</thead>
++<tbody valign="top">
++<tr class="row-even"><td>binary</td>
++<td>off</td>
++<td>no</td>
++<td>none</td>
++</tr>
++</tbody>
++</table>
++<p>This parameter controls if state files are deleted if their associated main file is rotated via move. Usually, this is a good idea, because otherwise state files are not deleted when log rotation occurs.</p>
++
++<p>However, there is one situation where not deleting associated state file after log rotation makes sense: this is the case if a monitored file is later moved back to the same location as it was before.</p>
++</div>
+ </div>
+ <div class="section" id="input-parameters">
+ <h3>Input Parameters<a class="headerlink" href="#input-parameters" title="Permalink to this headline">¶</a></h3>
+@@ -1214,6 +1236,7 @@ and Others.</p>
+ <li><a class="reference internal" href="#sortfiles">sortFiles</a></li>
+ <li><a class="reference internal" href="#pollinginterval">PollingInterval</a></li>
+ <li><a class="reference internal" href="#statefile-directory">statefile.directory</a></li>
++<li><a class="reference internal" href="#deletestateonfilemove">deleteStateOnFileMove</a></li>
+ </ul>
+ </li>
+ <li><a class="reference internal" href="#input-parameters">Input Parameters</a><ul>
+@@ -1311,4 +1334,4 @@ and Others.</p>
+     <div class="footer" role="contentinfo">
+     </div>
+   </body>
+-</html>
+\ No newline at end of file
++</html>

SOURCES/rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch

@@ -1,17 +1,7 @@
-From 0de0c4b274e7e33ed4a27b02d6046b62d612e29b Mon Sep 17 00:00:00 2001
-From: alakatos <alakatos@redhat.com>
-Date: Tue, 24 Oct 2023 15:43:19 +0200
-Subject: [PATCH] Do not preserve statefile on file move
-
----
- plugins/imfile/imfile.c | 45 ++++++++++++++++++++++++++++++-----------
- 1 file changed, 33 insertions(+), 12 deletions(-)
-
-diff --git a/plugins/imfile/imfile.c b/plugins/imfile/imfile.c
-index 5febd6db6..8769a185f 100644
---- a/plugins/imfile/imfile.c
-+++ b/plugins/imfile/imfile.c
-@@ -264,6 +264,7 @@ struct modConfData_s {
+diff -up rsyslog-8.2102.0/plugins/imfile/imfile.c.state-file-leaking rsyslog-8.2102.0/plugins/imfile/imfile.c
+--- rsyslog-8.2102.0/plugins/imfile/imfile.c.state-file-leaking	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/plugins/imfile/imfile.c	2022-03-28 12:51:03.572554843 +0200
+@@ -259,6 +259,7 @@ struct modConfData_s {
  				   Must be manually reset to 0 if desired. Helper for
  				   polling mode.
  				 */
@@ -19,7 +9,7 @@ index 5febd6db6..8769a185f 100644
  };
  static modConfData_t *loadModConf = NULL;/* modConf ptr to use for the current load process */
  static modConfData_t *runModConf = NULL;/* modConf ptr to use for run process */
-@@ -310,7 +311,8 @@ static struct cnfparamdescr modpdescr[] = {
+@@ -305,7 +306,8 @@ static struct cnfparamdescr modpdescr[]
  	{ "sortfiles", eCmdHdlrBinary, 0 },
  	{ "statefile.directory", eCmdHdlrString, 0 },
  	{ "normalizepath", eCmdHdlrBinary, 0 },
@@ -29,7 +19,7 @@ index 5febd6db6..8769a185f 100644
  };
  static struct cnfparamblk modpblk =
  	{ CNFPARAMBLK_VERSION,
-@@ -551,11 +553,18 @@ static int
+@@ -545,11 +547,20 @@ static int
  in_setupWatch(act_obj_t *const act, const int is_file)
  {
  	int wd = -1;
@@ -39,27 +29,77 @@ index 5febd6db6..8769a185f 100644
  
 -	wd = inotify_add_watch(ino_fd, act->name,
 -		(is_file) ? IN_MODIFY|IN_DONT_FOLLOW : IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO);
-+	if (is_file)
++	// wd = inotify_add_watch(ino_fd, act->name,
++	// 	(is_file) ? IN_MODIFY|IN_DONT_FOLLOW : IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO);
++	if(is_file)
 +		flags = IN_MODIFY|IN_DONT_FOLLOW;
-+	else if (runModConf->deleteStateOnFileMove)
++	else if(runModConf->deleteStateOnFileMove)
 +		flags = IN_CREATE|IN_DELETE|IN_MOVED_TO;
 +	else
 +		flags = IN_CREATE|IN_DELETE|IN_MOVED_FROM|IN_MOVED_TO;
-+
 +	wd = inotify_add_watch(ino_fd, act->name, flags);
++
  	if(wd < 0) {
  		if (errno == EACCES) { /* There is high probability of selinux denial on top-level paths */
  			DBGPRINTF("imfile: permission denied when adding watch for '%s'\n", act->name);
-@@ -1059,7 +1068,7 @@ act_obj_destroy(act_obj_t *const act, const int is_deleted)
+@@ -713,7 +724,7 @@ act_obj_add(fs_edge_t *const edge, const
+ 	char basename[MAXFNAME];
+ 	DEFiRet;
+ 	int fd = -1;
+-	
++
+ 	DBGPRINTF("act_obj_add: edge %p, name '%s' (source '%s')\n", edge, name, source? source : "---");
+ 	for(act = edge->active ; act != NULL ; act = act->next) {
+ 		if(!strcmp(act->name, name)) {
+@@ -977,9 +988,18 @@ act_obj_destroy(act_obj_t *const act, co
+ 	if(act == NULL)
+ 		return;
+ 
+-	DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n",
+-		act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted,
+-		act->in_move);
++	// DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n",
++	// 	act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted,
++	// 	act->in_move);
++	if (runModConf->deleteStateOnFileMove) {
++		DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d\n",
++			act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm, is_deleted);
++	} else {
++		DBGPRINTF("act_obj_destroy: act %p '%s' (source '%s'), wd %d, pStrm %p, is_deleted %d, in_move %d\n",
++			act, act->name, act->source_name? act->source_name : "---", act->wd, act->pStrm,
++			is_deleted, act->in_move);
++	}
++
+ 	if(act->is_symlink && is_deleted) {
+ 		act_obj_t *target_act;
+ 		for(target_act = act->edge->active ; target_act != NULL ; target_act = target_act->next) {
+@@ -996,13 +1016,15 @@ act_obj_destroy(act_obj_t *const act, co
+ 		pollFile(act); /* get any left-over data */
+ 		if(inst->bRMStateOnDel) {
+ 			statefn = getStateFileName(act, statefile, sizeof(statefile));
+-			getFullStateFileName(statefn, "", toDel, sizeof(toDel)); // TODO: check!
++			// getFullStateFileName(statefn, "", toDel, sizeof(toDel)); // TODO: check!
++			getFullStateFileName(statefn, act->file_id, toDel, sizeof(toDel)); // TODO: check!
+ 			statefn = toDel;
+ 		}
  		persistStrmState(act);
  		strm.Destruct(&act->pStrm);
  		/* we delete state file after destruct in case strm obj initiated a write */
 -		if(is_deleted && !act->in_move && inst->bRMStateOnDel) {
-+		if(is_deleted && inst->bRMStateOnDel && (!act->in_move || runModConf->deleteStateOnFileMove)) {
++		// if(is_deleted && !act->in_move && inst->bRMStateOnDel) {
++		if(is_deleted && inst->bRMStateOnDel && (runModConf->deleteStateOnFileMove || !act->in_move)) {
  			DBGPRINTF("act_obj_destroy: deleting state file %s\n", statefn);
  			unlink((char*)statefn);
  		}
-@@ -2090,6 +2099,7 @@ CODESTARTbeginCnfLoad
+@@ -1012,6 +1034,7 @@ act_obj_destroy(act_obj_t *const act, co
+ 	}
+ 	#ifdef HAVE_INOTIFY_INIT
+ 	if(act->wd != -1) {
++		inotify_rm_watch(ino_fd, act->wd);
+ 		wdmapDel(act->wd);
+ 	}
+ 	#endif
+@@ -2026,6 +2049,7 @@ CODESTARTbeginCnfLoad
  	loadModConf->timeoutGranularity = 1000; /* default: 1 second */
  	loadModConf->haveReadTimeouts = 0; /* default: no timeout */
  	loadModConf->normalizePath = 1;
@@ -67,7 +107,7 @@ index 5febd6db6..8769a185f 100644
  	loadModConf->sortFiles = GLOB_NOSORT;
  	loadModConf->stateFileDirectory = NULL;
  	loadModConf->conf_tree = calloc(sizeof(fs_node_t), 1);
-@@ -2149,6 +2159,8 @@ CODESTARTsetModCnf
+@@ -2085,6 +2109,8 @@ CODESTARTsetModCnf
  			loadModConf->stateFileDirectory = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
  		} else if(!strcmp(modpblk.descr[i].name, "normalizepath")) {
  			loadModConf->normalizePath = (sbool) pvals[i].val.d.n;
@@ -76,7 +116,7 @@ index 5febd6db6..8769a185f 100644
  		} else if(!strcmp(modpblk.descr[i].name, "mode")) {
  			if(!es_strconstcmp(pvals[i].val.d.estr, "polling"))
  				loadModConf->opMode = OPMODE_POLLING;
-@@ -2452,16 +2464,25 @@ in_processEvent(struct inotify_event *ev)
+@@ -2388,16 +2414,35 @@ in_processEvent(struct inotify_event *ev
  	DBGPRINTF("in_processEvent process Event %x is_file %d, act->name '%s'\n",
  		ev->mask, etry->act->edge->is_file, etry->act->name);
  
@@ -87,7 +127,17 @@ index 5febd6db6..8769a185f 100644
 -		fs_node_walk(etry->act->edge->node, poll_tree);
 -	} else if(etry->act->edge->is_file && !(etry->act->is_symlink)) {
 -		in_handleFileEvent(ev, etry); // esentially poll_file()!
-+	if (!runModConf->deleteStateOnFileMove) {
++	// if((ev->mask & IN_MOVED_FROM)) {
++	// 	flag_in_move(etry->act->edge->node->edges, ev->name);
++	// }
++	// if(ev->mask & (IN_MOVED_FROM | IN_MOVED_TO))  {
++	// 	fs_node_walk(etry->act->edge->node, poll_tree);
++	// } else if(etry->act->edge->is_file && !(etry->act->is_symlink)) {
++	// 	in_handleFileEvent(ev, etry); // esentially poll_file()!
++	// } else {
++	// 	fs_node_walk(etry->act->edge->node, poll_tree);
++	// }
++	if(!runModConf->deleteStateOnFileMove) {
 +		if((ev->mask & IN_MOVED_FROM)) {
 +			flag_in_move(etry->act->edge->node->edges, ev->name);
 +		}
@@ -110,6 +160,3 @@ index 5febd6db6..8769a185f 100644
  done:	return;
  }
  
--- 
-2.41.0
-

SOURCES/rsyslog-8.2102.0-rhbz1938863-covscan.patch

@@ -0,0 +1,163 @@
+diff -up rsyslog-8.2102.0/contrib/imdocker/imdocker.c.covscan rsyslog-8.2102.0/contrib/imdocker/imdocker.c
+--- rsyslog-8.2102.0/contrib/imdocker/imdocker.c.covscan	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/contrib/imdocker/imdocker.c	2021-07-22 14:10:31.877231143 +0200
+@@ -1527,6 +1527,7 @@ process_json(sbool isInit, const char* j
+ 									pInstances->last_container_id,
+ 									(unsigned)pInstances->last_container_created);
+ 						}
++						// coverity[leaked_storage : FALSE]
+ 						CHKiRet(dockerContLogsInstSetUrlById(isInit, pInst,
+ 									pInstances->curlm, containerId));
+ 						CHKiRet(dockerContLogReqsAdd(pInstances, pInst));
+diff -up rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c.covscan rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c
+--- rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c.covscan	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0/contrib/omhiredis/omhiredis.c	2021-07-22 14:10:31.877231143 +0200
+@@ -324,7 +324,6 @@ BEGINnewActInst
+ 	struct cnfparamvals *pvals;
+ 	int i;
+ 	int iNumTpls;
+-	uchar *keydup = NULL;
+ CODESTARTnewActInst
+ 	if((pvals = nvlstGetParams(lst, &actpblk, NULL)) == NULL)
+ 		ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
+@@ -417,14 +416,11 @@ CODESTARTnewActInst
+ 	CHKiRet(OMSRsetEntry(*ppOMSR, 0, (uchar*)pData->tplName, OMSR_NO_RQD_TPL_OPTS));
+ 
+ 	if (pData->dynaKey) {
+-		CHKmalloc(keydup = ustrdup(pData->key));
+ 		CHKiRet(OMSRsetEntry(*ppOMSR, 1, ustrdup(pData->key), OMSR_NO_RQD_TPL_OPTS));
+-		keydup = NULL; /* handed over */
+ 	}
+ 
+ CODE_STD_FINALIZERnewActInst
+ 	cnfparamvalsDestruct(pvals, &actpblk);
+-	free(keydup);
+ ENDnewActInst
+ 
+ 
+diff -up rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c.covscan rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c
+--- rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c.covscan	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/contrib/omrabbitmq/omrabbitmq.c	2021-07-22 14:10:31.877231143 +0200
+@@ -778,6 +778,7 @@ static rsRetVal publishRabbitMQ(wrkrInst
+ 		ABORT_FINALIZE(RS_RET_RABBITMQ_CONN_ERR);
+ 	}
+ 
++	// coverity[identical_branches : FALSE]
+ 	if (manage_error(amqp_basic_publish(self->a_conn, 1, exchange, routing_key,
+ 			0, 0, p_amqp_props, body_bytes), "amqp_basic_publish")) {
+ 		/* error already notified */
+diff -up rsyslog-8.2102.0/grammar/rainerscript.c.covscan rsyslog-8.2102.0/grammar/rainerscript.c
+--- rsyslog-8.2102.0/grammar/rainerscript.c.covscan	2021-02-15 12:06:16.000000000 +0100
++++ rsyslog-8.2102.0/grammar/rainerscript.c	2021-07-22 14:10:31.878231140 +0200
+@@ -2814,7 +2814,7 @@ evalVar(struct cnfvar *__restrict__ cons
+ 		if(bMustBeFreed)
+ 			free(pszProp);
+ 	}
+-
++	// coverity[leaked_storage : FALSE]
+ }
+ 
+ /* perform a string comparision operation against a while array. Semantic is
+diff -up rsyslog-8.2102.0/plugins/imfile/imfile.c.covscan rsyslog-8.2102.0/plugins/imfile/imfile.c
+--- rsyslog-8.2102.0/plugins/imfile/imfile.c.covscan	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/plugins/imfile/imfile.c	2021-07-22 14:10:31.878231140 +0200
+@@ -1278,6 +1278,7 @@ static void ATTR_NONNULL(1)
+ getFileID(act_obj_t *const act)
+ {
+ 	char tmp_id[FILE_ID_HASH_SIZE];
++	// coverity[buffer_size_warning : FALSE]
+ 	strncpy(tmp_id, (const char*)act->file_id, FILE_ID_HASH_SIZE);
+ 	act->file_id[0] = '\0';
+ 	assert(act->fd >= 0); /* fd must have been opened at act_obj_t creation! */
+@@ -1290,6 +1291,7 @@ getFileID(act_obj_t *const act)
+ 		DBGPRINTF("getFileID partial or error read, ret %d\n", r);
+ 	}
+ 	if (strncmp(tmp_id, act->file_id, FILE_ID_HASH_SIZE)) {/* save the old id for cleaning purposes */
++		// coverity[buffer_size_warning : FALSE]
+ 		strncpy(act->file_id_prev, tmp_id, FILE_ID_HASH_SIZE);
+ 	}
+ 	DBGPRINTF("getFileID for '%s', file_id_hash '%s'\n", act->name, act->file_id);
+@@ -1544,6 +1546,7 @@ openFileWithoutStateFile(act_obj_t *cons
+ 		const int fd = open(act->name, O_RDONLY | O_CLOEXEC);
+ 		if(fd >= 0) {
+ 			act->pStrm->iCurrOffs = lseek64(fd, 0, SEEK_END);
++			close(fd);
+ 			if(act->pStrm->iCurrOffs < 0) {
+ 				act->pStrm->iCurrOffs = 0;
+ 				LogError(errno, RS_RET_ERR, "imfile: could not query current "
+diff -up rsyslog-8.2102.0/plugins/imptcp/imptcp.c.covscan rsyslog-8.2102.0/plugins/imptcp/imptcp.c
+--- rsyslog-8.2102.0/plugins/imptcp/imptcp.c.covscan	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/plugins/imptcp/imptcp.c	2021-07-22 14:10:31.878231140 +0200
+@@ -1920,6 +1920,7 @@ lstnActivity(ptcplstn_t *const pLstn)
+ 	}
+ 
+ finalize_it:
++	// coverity[leaked_handle : FALSE]
+ 	RETiRet;
+ }
+ 
+diff -up rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c.covscan rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c
+--- rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c.covscan	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0/plugins/mmjsonparse/mmjsonparse.c	2021-07-22 14:10:31.879231138 +0200
+@@ -394,7 +394,7 @@ CODEmodInit_QueryRegCFSLineHdlr
+ 		ABORT_FINALIZE(RS_RET_NO_MSG_PASSING);
+ 	}
+ 
+-	
++	// coverity[identical_branches : FALSE]
+ 	CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler,
+ 				    resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID));
+ ENDmodInit
+diff -up rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c.covscan rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c
+--- rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c.covscan	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0/plugins/omclickhouse/omclickhouse.c	2021-07-22 14:10:31.879231138 +0200
+@@ -368,6 +368,7 @@ writeDataError(wrkrInstanceData_t *const
+ 	}
+ 
+ finalize_it:
++	// coverity[leaked_storage : FALSE]
+ 	RETiRet;
+ }
+ 
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.covscan rsyslog-8.2102.0/runtime/nsd_gtls.c
+--- rsyslog-8.2102.0/runtime/nsd_gtls.c.covscan	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2021-07-22 14:17:06.183174167 +0200
+@@ -227,7 +227,7 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
+ 	pThis->bOurKeyIsInit = 1;
+ 	CHKgnutls(gnutls_x509_privkey_import(pThis->ourKey, &data, GNUTLS_X509_FMT_PEM));
+ 	free(data.data);
+-
++	data.data = NULL;
+ 
+ finalize_it:
+ 	if(iRet == RS_RET_CERTLESS) {
+diff -up rsyslog-8.2102.0/runtime/nsd_ptcp.c.covscan rsyslog-8.2102.0/runtime/nsd_ptcp.c
+--- rsyslog-8.2102.0/runtime/nsd_ptcp.c.covscan	2021-02-15 08:20:04.000000000 +0100
++++ rsyslog-8.2102.0/runtime/nsd_ptcp.c	2021-07-22 14:10:31.879231138 +0200
+@@ -191,6 +191,7 @@ SetTlsVerifyDepth(nsd_t __attribute__((u
+ 	nsd_ptcp_t *pThis = (nsd_ptcp_t*) pNsd;
+ 	DEFiRet;
+ 	ISOBJ_TYPE_assert((pThis), nsd_ptcp);
++	// coverity[identical_branches : FALSE]
+ 	if (verifyDepth == 0) {
+ 		FINALIZE;
+ 	}
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.covscan rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.covscan	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/tools/rsyslogd.c	2021-07-22 14:10:31.879231138 +0200
+@@ -293,6 +293,7 @@ writePidFile(void)
+ 		free((void*)tmpPidFile);
+ 	}
+ finalize_it:
++	// coverity[leaked_storage : FALSE]
+ 	RETiRet;
+ }
+ 
+@@ -1026,6 +1027,7 @@ splitOversizeMessage(smsg_t *const pMsg)
+ 	/* if necessary, write partial last segment */
+ 	if(len_last_segment != 0) {
+ 		CHKmalloc(pMsg_seg = MsgDup(pMsg));
++		// coverity[copy_paste_error : FALSE]
+ 		MsgSetRawMsg(pMsg_seg, rawmsg + (nsegments * maxlen), len_last_segment);
+ 		submitMsg2(pMsg_seg);
+ 	}

SOURCES/rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch

@@ -0,0 +1,20 @@
+diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
+--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig	2021-06-15 12:30:35.238832058 +0200
++++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c	2021-06-15 12:32:04.699721356 +0200
+@@ -565,6 +565,8 @@ persistJournalState(void)
+ 		ABORT_FINALIZE(RS_RET_IO_ERROR);
+ 	}
+ 
++	fflush(sf);
++
+ 	/* change the name of the file to the configured one */
+ 	if (rename(tmp_sf, cs.stateFile) < 0) {
+ 		LogError(errno, iRet, "imjournal: rename() failed for new path: '%s'", cs.stateFile);
+@@ -586,6 +588,7 @@ persistJournalState(void)
+ 			LogError(errno, RS_RET_IO_ERROR, "imjournal: fsync on '%s' failed", glbl.GetWorkDir());
+ 			ABORT_FINALIZE(RS_RET_IO_ERROR);
+ 		}
++		closedir(wd);
+ 	}
+ 
+ 	DBGPRINTF("Persisted journal to '%s'\n", cs.stateFile);

SOURCES/rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch

@@ -0,0 +1,102 @@
+diff -up rsyslog-8.2102.0/runtime/cfsysline.c.orig rsyslog-8.2102.0/runtime/cfsysline.c
+--- rsyslog-8.2102.0/runtime/cfsysline.c.orig	2021-08-04 07:16:02.663163106 +0200
++++ rsyslog-8.2102.0/runtime/cfsysline.c	2021-08-04 07:18:05.952490008 +0200
+@@ -353,13 +353,8 @@ static rsRetVal doGetGID(uchar **pp, rsR
+ 	assert(*pp != NULL);
+ 
+ 	if(getSubString(pp, (char*) szName, sizeof(szName), ' ')  != 0) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "could not extract group name: %s\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "could not extract group name");
+-			ABORT_FINALIZE(RS_RET_NOT_FOUND);
+-		}
++		LogError(0, RS_RET_NOT_FOUND, "could not extract group name");
++		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+ 
+ 	do {
+@@ -380,10 +375,6 @@ static rsRetVal doGetGID(uchar **pp, rsR
+ 			LogError(0, RS_RET_NOT_FOUND, "ID for group '%s' could not be found", szName);
+ 		}
+ 		iRet = RS_RET_NOT_FOUND;
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "ID for group '%s' could not be found or error\n", szName);
+-			exit(1); /* good exit */
+-		}
+ 	} else {
+ 		if(pSetHdlr == NULL) {
+ 			/* we should set value directly to var */
+@@ -418,25 +409,15 @@ static rsRetVal doGetUID(uchar **pp, rsR
+ 	assert(*pp != NULL);
+ 
+ 	if(getSubString(pp, (char*) szName, sizeof(szName), ' ')  != 0) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "could not extract user name: %s\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "could not extract user name");
+-			ABORT_FINALIZE(RS_RET_NOT_FOUND);
+-		}
++		LogError(0, RS_RET_NOT_FOUND, "could not extract user name");
++		ABORT_FINALIZE(RS_RET_NOT_FOUND);
+ 	}
+ 
+ 	getpwnam_r((char*)szName, &pwBuf, stringBuf, sizeof(stringBuf), &ppwBuf);
+ 
+ 	if(ppwBuf == NULL) {
+-		if(loadConf->globals.abortOnIDResolutionFail) {
+-			fprintf(stderr, "ID for user '%s' could not be found or error\n", (char*)szName);
+-			exit(1); /* good exit */
+-		} else {
+-			LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName);
+-			iRet = RS_RET_NOT_FOUND;
+-		}
++		LogError(0, RS_RET_NOT_FOUND, "ID for user '%s' could not be found or error", (char*)szName);
++		iRet = RS_RET_NOT_FOUND;
+ 	} else {
+ 		if(pSetHdlr == NULL) {
+ 			/* we should set value directly to var */
+diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
+--- rsyslog-8.2102.0/runtime/glbl.c.orig	2021-08-04 07:18:19.301633677 +0200
++++ rsyslog-8.2102.0/runtime/glbl.c	2021-08-04 07:19:02.409019106 +0200
+@@ -210,7 +210,6 @@ static struct cnfparamdescr cnfparamdesc
+ 	{ "environment", eCmdHdlrArray, 0 },
+ 	{ "processinternalmessages", eCmdHdlrBinary, 0 },
+ 	{ "umask", eCmdHdlrFileCreateMode, 0 },
+-	{ "security.abortonidresolutionfail", eCmdHdlrBinary, 0 },
+ 	{ "internal.developeronly.options", eCmdHdlrInt, 0 },
+ 	{ "internalmsg.ratelimit.interval", eCmdHdlrPositiveInt, 0 },
+ 	{ "internalmsg.ratelimit.burst", eCmdHdlrPositiveInt, 0 },
+@@ -1443,8 +1442,6 @@ glblDoneLoadCnf(void)
+ 			glblInputTimeoutShutdown = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "privdrop.group.keepsupplemental")) {
+ 			loadConf->globals.gidDropPrivKeepSupplemental = (int) cnfparamvals[i].val.d.n;
+-		} else if(!strcmp(paramblk.descr[i].name, "security.abortonidresolutionfail")) {
+-			loadConf->globals.abortOnIDResolutionFail = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "net.acladdhostnameonfail")) {
+ 			*(net.pACLAddHostnameOnFail) = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name, "net.aclresolvehostname")) {
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2021-08-04 07:19:13.103104854 +0200
++++ rsyslog-8.2102.0/runtime/rsconf.c	2021-08-04 07:19:44.635357684 +0200
+@@ -156,7 +156,6 @@ static void cnfSetDefaults(rsconf_t *pTh
+ 	pThis->globals.maxErrMsgToStderr = -1;
+ 	pThis->globals.umask = -1;
+ 	pThis->globals.gidDropPrivKeepSupplemental = 0;
+-	pThis->globals.abortOnIDResolutionFail = 1;
+ 	pThis->templates.root = NULL;
+ 	pThis->templates.last = NULL;
+ 	pThis->templates.lastStatic = NULL;
+diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
+--- rsyslog-8.2102.0/runtime/rsconf.h.orig	2021-08-04 07:20:15.848607958 +0200
++++ rsyslog-8.2102.0/runtime/rsconf.h	2021-08-04 07:20:42.782823920 +0200
+@@ -73,7 +73,6 @@ struct globals_s {
+ 	int uidDropPriv;	/* user-id to which priveleges should be dropped to */
+ 	int gidDropPriv;	/* group-id to which priveleges should be dropped to */
+ 	int gidDropPrivKeepSupplemental; /* keep supplemental groups when dropping? */
+-	int abortOnIDResolutionFail;
+ 	int umask;		/* umask to use */
+ 	uchar *pszConfDAGFile;	/* name of config DAG file, non-NULL means generate one */
+ 

SOURCES/rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch

@@ -0,0 +1,26 @@
+diff -up rsyslog-8.2102.0/runtime/ratelimit.c.orig rsyslog-8.2102.0/runtime/ratelimit.c
+--- rsyslog-8.2102.0/runtime/ratelimit.c.orig	2021-07-27 10:37:50.972903104 +0200
++++ rsyslog-8.2102.0/runtime/ratelimit.c	2021-07-27 10:38:26.141002988 +0200
+@@ -235,7 +235,6 @@ ratelimitMsg(ratelimit_t *__restrict__ c
+ {
+ 	DEFiRet;
+ 	rsRetVal localRet;
+-	int severity = 0;
+ 
+ 	*ppRepMsg = NULL;
+ 
+@@ -246,13 +245,12 @@ ratelimitMsg(ratelimit_t *__restrict__ c
+ 				DBGPRINTF("Message discarded, parsing error %d\n", localRet);
+ 				ABORT_FINALIZE(RS_RET_DISCARDMSG);
+ 			}
+-			severity = pMsg->iSeverity;
+ 		}
+ 	}
+ 
+ 	/* Only the messages having severity level at or below the
+ 	 * treshold (the value is >=) are subject to ratelimiting. */
+-	if(ratelimit->interval && (severity >= ratelimit->severity)) {
++	if(ratelimit->interval && (pMsg->iSeverity >= ratelimit->severity)) {
+ 		char namebuf[512]; /* 256 for FGDN adn 256 for APPNAME should be enough */
+ 		snprintf(namebuf, sizeof namebuf, "%s:%s", getHOSTNAME(pMsg),
+ 			getAPPNAME(pMsg, 0));

SOURCES/rsyslog-8.2102.0-rhbz2021076-prioritize-SAN.patch

@@ -0,0 +1,11 @@
+diff -up ./rsyslog-8.2102.0/runtime/nsd_gtls.c.ori ./rsyslog-8.2102.0/runtime/nsd_gtls.c
+--- rsyslog-8.2102.0/runtime/nsd_gtls.c.ori	2022-01-17 15:50:08.285827256 +0100
++++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2022-01-17 15:52:33.282594512 +0100
+@@ -1791,6 +1791,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
+ 	pNew->gnutlsPriorityString = pThis->gnutlsPriorityString;
+ 	pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
+ 	pNew->dataTypeCheck = pThis->dataTypeCheck;
++	pNew->bSANpriority = pThis->bSANpriority;
+ 
+ 	/* if we reach this point, we are in TLS mode */
+ 	iRet = gtlsInitSession(pNew);

SOURCES/rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch

@@ -0,0 +1,215 @@
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.c.orig rsyslog-8.2102.0/runtime/nsd_gtls.c
+--- rsyslog-8.2102.0/runtime/nsd_gtls.c.orig	2022-04-11 09:26:17.826271989 +0200
++++ rsyslog-8.2102.0/runtime/nsd_gtls.c	2022-04-11 09:33:28.702012052 +0200
+@@ -556,7 +556,9 @@ gtlsRecordRecv(nsd_gtls_t *pThis)
+ 	DEFiRet;
+ 
+ 	ISOBJ_TYPE_assert(pThis, nsd_gtls);
+-	DBGPRINTF("gtlsRecordRecv: start\n");
++	DBGPRINTF("gtlsRecordRecv: start (Pending Data: %zd | Wanted Direction: %s)\n",
++		gnutls_record_check_pending(pThis->sess),
++		(gnutls_record_get_direction(pThis->sess) == gtlsDir_READ ? "READ" : "WRITE") );
+ 
+ 	lenRcvd = gnutls_record_recv(pThis->sess, pThis->pszRcvBuf, NSD_GTLS_MAX_RCVBUF);
+ 	if(lenRcvd >= 0) {
+@@ -581,14 +583,30 @@ gtlsRecordRecv(nsd_gtls_t *pThis)
+ 					(NSD_GTLS_MAX_RCVBUF+lenRcvd));
+ 				pThis->lenRcvBuf = NSD_GTLS_MAX_RCVBUF+lenRcvd;
+ 			} else {
+-				goto sslerr;
++				if (lenRcvd == GNUTLS_E_AGAIN || lenRcvd == GNUTLS_E_INTERRUPTED) {
++					goto sslerragain;	/* Go to ERR AGAIN handling */
++				} else {
++					/* Do all other error handling */
++					int gnuRet = lenRcvd;
++					ABORTgnutls;
++				}
+ 			}
+ 		}
+ 	} else if(lenRcvd == GNUTLS_E_AGAIN || lenRcvd == GNUTLS_E_INTERRUPTED) {
+-sslerr:
+-		pThis->rtryCall = gtlsRtry_recv;
+-		dbgprintf("GnuTLS receive requires a retry (this most probably is OK and no error condition)\n");
+-		ABORT_FINALIZE(RS_RET_RETRY);
++sslerragain:
++		/* Check if the underlaying file descriptor needs to read or write data!*/
++		if (gnutls_record_get_direction(pThis->sess) == gtlsDir_READ) {
++			pThis->rtryCall = gtlsRtry_recv;
++			dbgprintf("GnuTLS receive requires a retry, this most probably is OK and no error condition\n");
++			ABORT_FINALIZE(RS_RET_RETRY);
++		} else {
++			uchar *pErr = gtlsStrerror(lenRcvd);
++			LogError(0, RS_RET_GNUTLS_ERR, "GnuTLS receive error %zd has wrong read direction(wants write) "
++				"- this could be caused by a broken connection. GnuTLS reports: %s\n",
++				lenRcvd, pErr);
++			free(pErr);
++			ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
++		}
+ 	} else {
+ 		int gnuRet = lenRcvd;
+ 		ABORTgnutls;
+@@ -1978,6 +1996,7 @@ static rsRetVal
+ Send(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf)
+ {
+ 	int iSent;
++	int wantsWriteData = 0;
+ 	nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
+ 	DEFiRet;
+ 	ISOBJ_TYPE_assert(pThis, nsd_gtls);
+@@ -1998,10 +2017,12 @@ Send(nsd_t *pNsd, uchar *pBuf, ssize_t *
+ 			break;
+ 		}
+ 		if(iSent != GNUTLS_E_INTERRUPTED && iSent != GNUTLS_E_AGAIN) {
++			/* Check if the underlaying file descriptor needs to read or write data!*/
++			wantsWriteData = gnutls_record_get_direction(pThis->sess);
+ 			uchar *pErr = gtlsStrerror(iSent);
+-			LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d - this "
+-				"could be caused by a broken connection. GnuTLS reports: %s \n",
+-				iSent, pErr);
++			LogError(0, RS_RET_GNUTLS_ERR, "unexpected GnuTLS error %d, wantsWriteData=%d - this "
++				"could be caused by a broken connection. GnuTLS reports: %s\n",
++				iSent, wantsWriteData, pErr);
+ 			free(pErr);
+ 			gnutls_perror(iSent);
+ 			ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
+diff -up rsyslog-8.2102.0/runtime/nsd_gtls.h.orig rsyslog-8.2102.0/runtime/nsd_gtls.h
+--- rsyslog-8.2102.0/runtime/nsd_gtls.h.orig	2022-04-11 09:26:32.744262781 +0200
++++ rsyslog-8.2102.0/runtime/nsd_gtls.h	2022-04-11 09:34:29.909982895 +0200
+@@ -33,6 +33,11 @@ typedef enum {
+ 	gtlsRtry_recv = 2
+ } gtlsRtryCall_t;		/**< IDs of calls that needs to be retried */
+ 
++typedef enum {
++	gtlsDir_READ = 0,	/**< GNUTLS wants READ */
++	gtlsDir_WRITE = 1	/**< GNUTLS wants WRITE */
++} gtlsDirection_t;
++
+ typedef nsd_if_t nsd_gtls_if_t; /* we just *implement* this interface */
+ 
+ /* the nsd_gtls object */
+diff -up rsyslog-8.2102.0/runtime/nsdsel_gtls.c.orig rsyslog-8.2102.0/runtime/nsdsel_gtls.c
+--- rsyslog-8.2102.0/runtime/nsdsel_gtls.c.orig	2022-04-11 09:26:42.529256742 +0200
++++ rsyslog-8.2102.0/runtime/nsdsel_gtls.c	2022-04-11 09:38:27.425869737 +0200
+@@ -81,6 +81,7 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsds
+ 
+ 	ISOBJ_TYPE_assert(pThis, nsdsel_gtls);
+ 	ISOBJ_TYPE_assert(pNsdGTLS, nsd_gtls);
++	DBGPRINTF("Add on nsd %p:\n", pNsdGTLS);
+ 	if(pNsdGTLS->iMode == 1) {
+ 		if(waitOp == NSDSEL_RD && gtlsHasRcvInBuffer(pNsdGTLS)) {
+ 			++pThis->iBufferRcvReady;
+@@ -99,6 +100,8 @@ Add(nsdsel_t *pNsdsel, nsd_t *pNsd, nsds
+ 		}
+ 	}
+ 
++	dbgprintf("nsdsel_gtls: reached end on nsd %p, calling nsdsel_ptcp.Add with waitOp %d... \n", pNsdGTLS, waitOp);
++
+ 	/* if we reach this point, we need no special handling */
+ 	CHKiRet(nsdsel_ptcp.Add(pThis->pTcp, pNsdGTLS->pTcp, waitOp));
+ 
+@@ -120,7 +123,8 @@ Select(nsdsel_t *pNsdsel, int *piNumRead
+ 	if(pThis->iBufferRcvReady > 0) {
+ 		/* we still have data ready! */
+ 		*piNumReady = pThis->iBufferRcvReady;
+-		dbgprintf("nsdsel_gtls: doing dummy select, data present\n");
++		dbgprintf("nsdsel_gtls: doing dummy select for %p->iBufferRcvReady=%d, data present\n",
++			pThis, pThis->iBufferRcvReady);
+ 	} else {
+ 		iRet = nsdsel_ptcp.Select(pThis->pTcp, piNumReady);
+ 	}
+@@ -138,7 +142,7 @@ doRetry(nsd_gtls_t *pNsd)
+ 	DEFiRet;
+ 	int gnuRet;
+ 
+-	dbgprintf("GnuTLS requested retry of %d operation - executing\n", pNsd->rtryCall);
++	dbgprintf("doRetry: GnuTLS requested retry of %d operation - executing\n", pNsd->rtryCall);
+ 
+ 	/* We follow a common scheme here: first, we do the systen call and
+ 	 * then we check the result. So far, the result is checked after the
+@@ -151,7 +155,7 @@ doRetry(nsd_gtls_t *pNsd)
+ 		case gtlsRtry_handshake:
+ 			gnuRet = gnutls_handshake(pNsd->sess);
+ 			if(gnuRet == GNUTLS_E_AGAIN || gnuRet == GNUTLS_E_INTERRUPTED) {
+-				dbgprintf("GnuTLS handshake retry did not finish - "
++				dbgprintf("doRetry: GnuTLS handshake retry did not finish - "
+ 					"setting to retry (this is OK and can happen)\n");
+ 				FINALIZE;
+ 			} else if(gnuRet == 0) {
+@@ -167,9 +171,20 @@ doRetry(nsd_gtls_t *pNsd)
+ 			}
+ 			break;
+ 		case gtlsRtry_recv:
+-			dbgprintf("retrying gtls recv, nsd: %p\n", pNsd);
+-			CHKiRet(gtlsRecordRecv(pNsd));
+-			pNsd->rtryCall = gtlsRtry_None; /* we are done */
++			dbgprintf("doRetry: retrying gtls recv, nsd: %p\n", pNsd);
++			iRet = gtlsRecordRecv(pNsd);
++			if (iRet == RS_RET_RETRY) {
++				// Check if there is pending data
++				size_t stBytesLeft = gnutls_record_check_pending(pNsd->sess);
++				if (stBytesLeft > 0) {
++					// We are in retry and more data waiting, finalize it
++					goto finalize_it;
++				} else {
++					dbgprintf("doRetry: gtlsRecordRecv returned RETRY, but there is no pending"
++						"data on nsd: %p\n", pNsd);
++				}
++			}
++			pNsd->rtryCall = gtlsRtry_None; /* no more data, we are done */
+ 			gnuRet = 0;
+ 			break;
+ 		case gtlsRtry_None:
+@@ -241,7 +256,7 @@ IsReady(nsdsel_t *pNsdsel, nsd_t *pNsd,
+ 		 * socket. -- rgerhards, 2010-11-20
+ 		 */
+ 		if(pThis->iBufferRcvReady) {
+-			dbgprintf("nsd_gtls: dummy read, buffer not available for this FD\n");
++			dbgprintf("nsd_gtls: dummy read, %p->buffer not available for this FD\n", pThis);
+ 			*pbIsReady = 0;
+ 			FINALIZE;
+ 		}
+diff -up rsyslog-8.2102.0/runtime/tcpsrv.c.orig rsyslog-8.2102.0/runtime/tcpsrv.c
+--- rsyslog-8.2102.0/runtime/tcpsrv.c.orig	2022-04-11 09:27:00.376245726 +0200
++++ rsyslog-8.2102.0/runtime/tcpsrv.c	2022-04-11 09:41:57.885777708 +0200
+@@ -609,14 +609,15 @@ doReceive(tcpsrv_t *pThis, tcps_sess_t *
+ 	int oserr = 0;
+ 
+ 	ISOBJ_TYPE_assert(pThis, tcpsrv);
+-	DBGPRINTF("netstream %p with new data\n", (*ppSess)->pStrm);
++	prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
++	DBGPRINTF("netstream %p with new data from remote peer %s\n", (*ppSess)->pStrm, pszPeer);
+ 	/* Receive message */
+ 	iRet = pThis->pRcvData(*ppSess, buf, sizeof(buf), &iRcvd, &oserr);
+ 	switch(iRet) {
+ 	case RS_RET_CLOSED:
+ 		if(pThis->bEmitMsgOnClose) {
+ 			errno = 0;
+-			prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
++			// prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+ 			LogError(0, RS_RET_PEER_CLOSED_CONN, "Netstream session %p closed by remote "
+ 				"peer %s.\n", (*ppSess)->pStrm, pszPeer);
+ 		}
+@@ -632,13 +633,13 @@ doReceive(tcpsrv_t *pThis, tcps_sess_t *
+ 			/* in this case, something went awfully wrong.
+ 			 * We are instructed to terminate the session.
+ 			 */
+-			prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
++			// prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+ 			LogError(oserr, localRet, "Tearing down TCP Session from %s", pszPeer);
+ 			CHKiRet(closeSess(pThis, ppSess, pPoll));
+ 		}
+ 		break;
+ 	default:
+-		prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
++		// prop.GetString((*ppSess)->fromHostIP, &pszPeer, &lenPeer);
+ 		LogError(oserr, iRet, "netstream session %p from %s will be closed due to error",
+ 				(*ppSess)->pStrm, pszPeer);
+ 		CHKiRet(closeSess(pThis, ppSess, pPoll));
+@@ -838,6 +839,7 @@ RunSelect(tcpsrv_t *pThis, nsd_epworkset
+ 		while(iTCPSess != -1) {
+ 			/* TODO: access to pNsd is NOT really CLEAN, use method... */
+ 			CHKiRet(nssel.Add(pSel, pThis->pSessions[iTCPSess]->pStrm, NSDSEL_RD));
++			DBGPRINTF("tcpsrv process session %d:\n", iTCPSess);
+ 			/* now get next... */
+ 			iTCPSess = TCPSessGetNxtSess(pThis, iTCPSess);
+ 		}

SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize-doc.patch

@@ -0,0 +1,51 @@
+--- a/source/configuration/actions.rst	2020-01-13 09:35:54.000000000 +0100
++++ b/source/configuration/actions.rst	2022-03-09 10:46:23.945881936 +0100
+@@ -90,6 +90,12 @@
+    provided to the action in question, the action name as well as
+    the rsyslog status code roughly explaining why it failed.
+ 
++-  **action.errorfile.maxsize** integer
++
++   In some cases, error file needs to be limited in size.
++   This option allows specifying a maximum size, in bytes, for the error file.
++   When error file reaches that size, no more errors are written to it.
++
+ -  **action.execOnlyOnceEveryInterval** integer
+ 
+    Execute action only if the last execute is at last seconds in the
+--- a/build/_sources/configuration/actions.rst.txt	2020-01-13 09:35:54.000000000 +0100
++++ b/build/_sources/configuration/actions.rst.txt	2022-03-09 11:17:44.391213038 +0100
+@@ -90,6 +90,12 @@
+    provided to the action in question, the action name as well as
+    the rsyslog status code roughly explaining why it failed.
+ 
++-  **action.errorfile.maxsize** integer
++
++   In some cases, error file needs to be limited in size.
++   This option allows specifying a maximum size, in bytes, for the error file.
++   When error file reaches that size, no more errors are written to it.
++
+ -  **action.execOnlyOnceEveryInterval** integer
+ 
+    Execute action only if the last execute is at last seconds in the
+--- a/build/configuration/actions.html	2021-02-15 12:53:30.000000000 +0100
++++ b/build/configuration/actions.html	2022-03-09 11:27:04.035799702 +0100
+@@ -122,6 +122,11 @@
+ provided to the action in question, the action name as well as
+ the rsyslog status code roughly explaining why it failed.</p>
+ </li>
++<li><p class="first"><strong>action.errorfile.maxsize</strong> integer</p>
++<p>In some cases, error file needs to be limited in size.
++This option allows specifying a maximum size, in bytes, for the error file.
++When error file reaches that size, no more errors are written to it.</p>
++</li>
+ <li><p class="first"><strong>action.execOnlyOnceEveryInterval</strong> integer</p>
+ <p>Execute action only if the last execute is at last seconds in the
+ past (more info in ommail, but may be used with any action)</p>
+@@ -672,4 +677,4 @@
+     <div class="footer" role="contentinfo">
+     </div>
+   </body>
+-</html>
+\ No newline at end of file
++</html>

SOURCES/rsyslog-8.2102.0-rhbz2064318-errfile-maxsize.patch

@@ -0,0 +1,192 @@
+--- rsyslog-8.2102.0-ori/action.c	2021-02-15 12:06:16.000000000 +0100
++++ rsyslog-8.2102.0-changes/action.c	2022-03-10 11:00:11.027242300 +0100
+@@ -198,6 +198,7 @@
+ 	{ "name", eCmdHdlrGetWord, 0 }, /* legacy: actionname */
+ 	{ "type", eCmdHdlrString, CNFPARAM_REQUIRED }, /* legacy: actionname */
+ 	{ "action.errorfile", eCmdHdlrString, 0 },
++	{ "action.errorfile.maxsize", eCmdHdlrInt, 0 },
+ 	{ "action.writeallmarkmessages", eCmdHdlrBinary, 0 }, /* legacy: actionwriteallmarkmessages */
+ 	{ "action.execonlyeverynthtime", eCmdHdlrInt, 0 }, /* legacy: actionexeconlyeverynthtime */
+ 	{ "action.execonlyeverynthtimetimeout", eCmdHdlrInt, 0 }, /* legacy: actionexeconlyeverynthtimetimeout */
+@@ -400,6 +401,8 @@
+ 	pThis->iResumeRetryCount = 0;
+ 	pThis->pszName = NULL;
+ 	pThis->pszErrFile = NULL;
++	pThis->maxErrFileSize = 0;
++	pThis->errFileWritten = 0;
+ 	pThis->pszExternalStateFile = NULL;
+ 	pThis->fdErrFile = -1;
+ 	pThis->bWriteAllMarkMsgs = 1;
+@@ -1436,6 +1439,14 @@
+ 				pThis->pszName, pThis->pszErrFile);
+ 			goto done;
+ 		}
++		if (pThis->maxErrFileSize > 0) {
++			struct stat statbuf;
++			if (fstat(pThis->fdErrFile, &statbuf) == -1) {
++				LogError(errno, RS_RET_ERR, "failed to fstat %s", pThis->pszErrFile);
++				goto done;
++			}
++			pThis->errFileWritten += statbuf.st_size;
++		}
+ 	}
+ 
+ 	for(int i = 0 ; i < nparams ; ++i) {
+@@ -1454,16 +1465,26 @@
+ 		char *const rendered = strdup((char*)fjson_object_to_json_string(etry));
+ 		if(rendered == NULL)
+ 			goto done;
+-		const size_t toWrite = strlen(rendered) + 1;
+-		/* note: we use the '\0' inside the string to store a LF - we do not
+-		 * otherwise need it and it safes us a copy/realloc.
+-		 */
+-		rendered[toWrite-1] = '\n'; /* NO LONGER A STRING! */
+-		const ssize_t wrRet = write(pThis->fdErrFile, rendered, toWrite);
+-		if(wrRet != (ssize_t) toWrite) {
+-			LogError(errno, RS_RET_IO_ERROR,
+-				"action %s: error writing errorFile %s, write returned %lld",
+-				pThis->pszName, pThis->pszErrFile, (long long) wrRet);
++		size_t toWrite = strlen(rendered) + 1;
++		// Check if need to truncate the amount of bytes to write
++		if (pThis->maxErrFileSize > 0) {
++			if (pThis->errFileWritten + toWrite > pThis->maxErrFileSize) {
++				// Truncate to the pending available
++				toWrite = pThis->maxErrFileSize - pThis->errFileWritten;
++			}
++			pThis->errFileWritten += toWrite;
++		}
++		if(toWrite > 0) {
++			/* note: we use the '\0' inside the string to store a LF - we do not
++			 * otherwise need it and it safes us a copy/realloc.
++			 */
++			rendered[toWrite-1] = '\n'; /* NO LONGER A STRING! */
++			const ssize_t wrRet = write(pThis->fdErrFile, rendered, toWrite);
++			if(wrRet != (ssize_t) toWrite) {
++				LogError(errno, RS_RET_IO_ERROR,
++					"action %s: error writing errorFile %s, write returned %lld",
++					pThis->pszName, pThis->pszErrFile, (long long) wrRet);
++			}
+ 		}
+ 		free(rendered);
+ 
+@@ -2048,6 +2069,8 @@
+ 			continue; /* this is handled seperately during module select! */
+ 		} else if(!strcmp(pblk.descr[i].name, "action.errorfile")) {
+ 			pAction->pszErrFile = es_str2cstr(pvals[i].val.d.estr, NULL);
++		} else if(!strcmp(pblk.descr[i].name, "action.errorfile.maxsize")) {
++			pAction->maxErrFileSize = pvals[i].val.d.n;
+ 		} else if(!strcmp(pblk.descr[i].name, "action.externalstate.file")) {
+ 			pAction->pszExternalStateFile = es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(pblk.descr[i].name, "action.writeallmarkmessages")) {
+--- rsyslog-8.2102.0-ori/action.h	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0-changes/action.h	2022-03-04 11:36:47.024588972 +0100
+@@ -77,6 +77,8 @@
+ 	/* error file */
+ 	const char *pszErrFile;
+ 	int fdErrFile;
++	size_t maxErrFileSize;
++	size_t errFileWritten;
+ 	pthread_mutex_t mutErrFile;
+ 	/* external stat file system */
+ 	const char *pszExternalStateFile;
+--- rsyslog-8.2102.0-ori/tests/Makefile.am	2021-02-15 12:06:16.000000000 +0100
++++ rsyslog-8.2102.0-changes/tests/Makefile.am	2022-03-04 11:38:01.625095709 +0100
+@@ -695,7 +695,8 @@
+ 	mysql-actq-mt.sh \
+ 	mysql-actq-mt-withpause.sh \
+ 	action-tx-single-processing.sh \
+-	action-tx-errfile.sh
++	action-tx-errfile.sh \
++	action-tx-errfile-maxsize.sh
+ 
+ mysql-basic.log: mysqld-start.log
+ mysql-basic-cnf6.log: mysqld-start.log
+@@ -2156,6 +2157,8 @@
+ 	sndrcv_omudpspoof_nonstdpt.sh \
+ 	sndrcv_gzip.sh \
+ 	action-tx-single-processing.sh \
++	omfwd-errfile-maxsize.sh \
++	action-tx-errfile-maxsize.sh \
+ 	action-tx-errfile.sh \
+ 	testsuites/action-tx-errfile.result \
+ 	pipeaction.sh \
+--- rsyslog-8.2102.0-ori/tests/omfwd-errfile-maxsize.sh	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0-changes/tests/omfwd-errfile-maxsize.sh	2022-03-04 11:39:02.060506234 +0100
+@@ -0,0 +1,17 @@
++#!/bin/bash
++# part of the rsyslog project, released under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++
++export MAX_ERROR_SIZE=1999
++
++generate_conf
++add_conf '
++action(type="omfwd" target="1.2.3.4" port="1234" Protocol="tcp" NetworkNamespace="doesNotExist"
++       action.errorfile="'$RSYSLOG2_OUT_LOG'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'")
++'
++startup
++shutdown_when_empty
++wait_shutdown
++check_file_exists ${RSYSLOG2_OUT_LOG}
++file_size_check ${RSYSLOG2_OUT_LOG} ${MAX_ERROR_SIZE}
++exit_test
+--- rsyslog-8.2102.0-ori/tests/action-tx-errfile-maxsize.sh	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0-changes/tests/action-tx-errfile-maxsize.sh	2022-03-04 11:59:22.592796989 +0100
+@@ -0,0 +1,35 @@
++#!/bin/bash
++# part of the rsyslog project, released under ASL 2.0
++
++. ${srcdir:=.}/diag.sh init
++
++export NUMMESSAGES=50 # enough to generate big file
++export MAX_ERROR_SIZE=100
++
++generate_conf
++add_conf '
++$ModLoad ../plugins/ommysql/.libs/ommysql
++global(errormessagestostderr.maxnumber="5")
++
++template(type="string" name="tpl" string="insert into SystemEvents (Message, Facility) values (\"%msg%\", %$!facility%)" option.sql="on")
++
++if((not($msg contains "error")) and ($msg contains "msgnum:")) then {
++	set $.num = field($msg, 58, 2);
++	if $.num % 2 == 0 then {
++		set $!facility = $syslogfacility;
++	} else {
++		set $/cntr = 0;
++	}
++	action(type="ommysql" name="mysql_action_errfile_maxsize" server="127.0.0.1" template="tpl"
++	       db="'$RSYSLOG_DYNNAME'" uid="rsyslog" pwd="testbench" action.errorfile="'$RSYSLOG2_OUT_LOG'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'")
++}
++'
++mysql_prep_for_test
++startup
++injectmsg
++shutdown_when_empty
++wait_shutdown
++mysql_get_data
++check_file_exists ${RSYSLOG2_OUT_LOG}
++file_size_check ${RSYSLOG2_OUT_LOG} ${MAX_ERROR_SIZE}
++exit_test
+--- rsyslog-8.2102.0/tests/omfwd-errfile-maxsize-filled.sh	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0-changes/tests/omfwd-errfile-maxsize-filled.sh	2022-03-08 16:24:01.174365289 +0100
+@@ -0,0 +1,19 @@
++#!/bin/bash
++# part of the rsyslog project, released under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++ERRFILE=$(mktemp)
++export MAX_ERROR_SIZE=1999
++export INITIAL_FILE_SIZE=$((MAX_ERROR_SIZE - 100))
++dd if=/dev/urandom of=${ERRFILE}  bs=1 count=${INITIAL_FILE_SIZE}
++generate_conf
++add_conf '
++action(type="omfwd" target="1.2.3.4" port="1234" Protocol="tcp" NetworkNamespace="doesNotExist"
++       action.errorfile="'$ERRFILE'" action.errorfile.maxsize="'$MAX_ERROR_SIZE'")
++'
++startup
++shutdown_when_empty
++wait_shutdown
++check_file_exists ${ERRFILE}
++file_size_check ${ERRFILE} ${MAX_ERROR_SIZE}
++exit_test
++rm ${ERRFILE}

SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files-doc.patch

@@ -0,0 +1,25 @@
+--- rsyslog-8.2102.0/doc/configuration/global/index.html	2021-02-15 12:53:30.000000000 +0100
++++ rsyslog-8.2102.0.backup.doc.202209071236/doc/configuration/global/index.html	2022-09-07 12:33:21.318360707 +0200
+@@ -119,7 +119,14 @@
+ <a class="reference internal" href="../../concepts/netstrm_drvr.html"><span class="doc">network stream driver</span></a> to use.
+ Defaults to ptcp.</p>
+ </li>
+-<li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>
++<li><p class="first"><strong>$DefaultNetstreamDriverCAFile</strong> &lt;/path/to/cafile.pem&gt;</p>  
++</li>
++<li><p class="first"><strong>$NetstreamDriverCAExtraFiles</strong> &lt;/path/to/extracafile.pem&gt; -
++This directive allows to configure multiple additional extra CA files.
++This is intended for SSL certificate chains to work appropriately,
++as the different CA files in the chain need to be specified.
++It must be remarked that this directive only works with the OpenSSL driver.
++</p>
+ </li>
+ <li><p class="first"><strong>$DefaultNetstreamDriverCertFile</strong> &lt;/path/to/certfile.pem&gt;</p>
+ </li>
+@@ -311,4 +318,4 @@
+     <div class="footer" role="contentinfo">
+     </div>
+   </body>
+-</html>
+\ No newline at end of file
++</html>

SOURCES/rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch

@@ -0,0 +1,682 @@
+--- rsyslog-8.2102.0.ori/runtime/glbl.h	2020-10-03 19:06:47.000000000 +0200
++++ rsyslog-8.2102.0/runtime/glbl.h	2022-09-06 11:13:31.538674778 +0200
+@@ -72,6 +72,7 @@
+ 	SIMP_PROP(DfltNetstrmDrvrCAF, uchar*)
+ 	SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*)
+ 	SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*)
++	SIMP_PROP(NetstrmDrvrCAExtraFiles, uchar*)
+ 	SIMP_PROP(ParserControlCharacterEscapePrefix, uchar)
+ 	SIMP_PROP(ParserDropTrailingLFOnReception, int)
+ 	SIMP_PROP(ParserEscapeControlCharactersOnReceive, int)
+--- rsyslog-8.2102.0.ori/runtime/glbl.c	2022-09-06 10:37:26.440149338 +0200
++++ rsyslog-8.2102.0/runtime/glbl.c	2022-09-06 11:12:06.198378210 +0200
+@@ -122,6 +122,7 @@
+ static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */
+ static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */
+ static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */
++static uchar *pszNetstrmDrvrCAExtraFiles = NULL; /* list of additional CAExtraFiles */
+ int bTerminateInputs = 0;		/* global switch that inputs shall terminate ASAP (1=> terminate) */
+ static uchar cCCEscapeChar = '#'; /* character to be used to start an escape sequence for control chars */
+ static int bDropTrailingLF = 1; /* drop trailing LF's on reception? */
+@@ -176,6 +177,7 @@
+ 	{ "defaultnetstreamdriverkeyfile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdrivercertfile", eCmdHdlrString, 0 },
+ 	{ "defaultnetstreamdriver", eCmdHdlrString, 0 },
++	{ "netstreamdrivercaextrafiles", eCmdHdlrString, 0 },
+ 	{ "maxmessagesize", eCmdHdlrSize, 0 },
+ 	{ "oversizemsg.errorfile", eCmdHdlrGetWord, 0 },
+ 	{ "oversizemsg.report", eCmdHdlrBinary, 0 },
+@@ -307,6 +309,8 @@
+ /* TODO: use custom function which frees existing value */
+ SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*)
+ /* TODO: use custom function which frees existing value */
++SIMP_PROP_SET(NetstrmDrvrCAExtraFiles, pszNetstrmDrvrCAExtraFiles, uchar*)
++/* TODO: use custom function which frees existing value */
+ 
+ #undef SIMP_PROP
+ #undef SIMP_PROP_SET
+@@ -830,6 +834,13 @@
+ 	return(pszDfltNetstrmDrvr == NULL ? DFLT_NETSTRM_DRVR : pszDfltNetstrmDrvr);
+ }
+ 
++/* return the additional ca extra files */
++static uchar*
++GetNetstrmDrvrCAExtraFiles(void)
++{
++	return(pszNetstrmDrvrCAExtraFiles);
++}
++
+ 
+ /* return the current default netstream driver CA File */
+ static uchar*
+@@ -925,6 +936,7 @@
+ 	SIMP_PROP(DfltNetstrmDrvrCAF)
+ 	SIMP_PROP(DfltNetstrmDrvrKeyFile)
+ 	SIMP_PROP(DfltNetstrmDrvrCertFile)
++	SIMP_PROP(NetstrmDrvrCAExtraFiles)
+ #ifdef USE_UNLIMITED_SELECT
+ 	SIMP_PROP(FdSetSize)
+ #endif
+@@ -945,6 +957,8 @@
+ 	pszDfltNetstrmDrvrKeyFile = NULL;
+ 	free(pszDfltNetstrmDrvrCertFile);
+ 	pszDfltNetstrmDrvrCertFile = NULL;
++	free(pszNetstrmDrvrCAExtraFiles);
++	pszNetstrmDrvrCAExtraFiles = NULL;
+ 	free(LocalHostNameOverride);
+ 	LocalHostNameOverride = NULL;
+ 	free(oversizeMsgErrorFile);
+@@ -1350,6 +1364,9 @@
+ 			free(pszDfltNetstrmDrvr);
+ 			pszDfltNetstrmDrvr = (uchar*)
+ 				es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
++		} else if(!strcmp(paramblk.descr[i].name, "netstreamdrivercaextrafiles")) {
++			free(pszNetstrmDrvrCAExtraFiles);
++			pszNetstrmDrvrCAExtraFiles = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(paramblk.descr[i].name, "preservefqdn")) {
+ 			bPreserveFQDN = (int) cnfparamvals[i].val.d.n;
+ 		} else if(!strcmp(paramblk.descr[i].name,
+@@ -1546,6 +1563,8 @@
+ 	&pszDfltNetstrmDrvrKeyFile, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL,
+ 	&pszDfltNetstrmDrvrCertFile, NULL));
++	CHKiRet(regCfSysLineHdlr((uchar *)"netstreamdrivercaextrafiles", 0, eCmdHdlrGetWord, NULL,
++	&pszNetstrmDrvrCAExtraFiles, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostname", 0, eCmdHdlrGetWord, NULL, &LocalHostNameOverride, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"localhostipif", 0, eCmdHdlrGetWord, setLocalHostIPIF, NULL, NULL));
+ 	CHKiRet(regCfSysLineHdlr((uchar *)"optimizeforuniprocessor", 0, eCmdHdlrGoneAway, NULL, NULL, NULL));
+@@ -1579,6 +1598,7 @@
+ 	free(pszDfltNetstrmDrvrCAF);
+ 	free(pszDfltNetstrmDrvrKeyFile);
+ 	free(pszDfltNetstrmDrvrCertFile);
++	free(pszNetstrmDrvrCAExtraFiles);
+ 	free(pszWorkDir);
+ 	free(LocalDomain);
+ 	free(LocalHostName);
+--- rsyslog-8.2102.0.ori/runtime/nsd_ossl.c	2021-01-18 11:21:14.000000000 +0100
++++ rsyslog-8.2102.0/runtime/nsd_ossl.c	2022-09-06 11:25:18.144130340 +0200
+@@ -88,6 +88,7 @@
+ static short bHaveCA;
+ static short bHaveCert;
+ static short bHaveKey;
++static short bHaveExtraCAFiles;
+ static int bAnonInit;
+ static MUTEX_TYPE anonInit_mut = PTHREAD_MUTEX_INITIALIZER;
+ 
+@@ -413,7 +414,8 @@
+ {
+ 	DEFiRet;
+ 	DBGPRINTF("openssl: entering osslGlblInit\n");
+-	const char *caFile, *certFile, *keyFile;
++	const char *caFile, *certFile, *keyFile, *extraCaFile;
++	char *extraCaFiles;
+ 
+ 	/* Setup OpenSSL library */
+ 	if((opensslh_THREAD_setup() == 0) || !SSL_library_init()) {
+@@ -450,9 +452,27 @@
+ 	} else {
+ 		bHaveKey = 1;
+ 	}
++	extraCaFiles = (char*) glbl.GetNetstrmDrvrCAExtraFiles();
++	if(extraCaFiles == NULL) {
++	        bHaveExtraCAFiles = 0;
++	} else {
++	        bHaveExtraCAFiles = 1;
++	}
+ 
+ 	/* Create main CTX Object */
+ 	ctx = SSL_CTX_new(SSLv23_method());
++	if(bHaveExtraCAFiles == 1) {
++		while((extraCaFile = strsep(&extraCaFiles, ","))) {
++			if(SSL_CTX_load_verify_locations(ctx, extraCaFile, NULL) != 1) {
++				LogError(0, RS_RET_TLS_CERT_ERR, "Error: Extra Certificate file could not be accessed. "
++					"Check at least: 1) file path is correct, 2) file exist, "
++					"3) permissions are correct, 4) file content is correct. "
++					"Open ssl error info may follow in next messages");
++				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
++				ABORT_FINALIZE(RS_RET_TLS_CERT_ERR);
++			}
++ 		}
++	}
+ 	if(bHaveCA == 1 && SSL_CTX_load_verify_locations(ctx, caFile, NULL) != 1) {
+ 		LogError(0, RS_RET_TLS_CERT_ERR, "Error: CA certificate could not be accessed. "
+ 				"Check at least: 1) file path is correct, 2) file exist, "
+@@ -476,7 +496,7 @@
+ 				"Open ssl error info may follow in next messages");
+ 		osslLastSSLErrorMsg(0, NULL, LOG_ERR, "osslGlblInit");
+ 		ABORT_FINALIZE(RS_RET_TLS_KEY_ERR);
+-	}
++	}	
+ 
+ 	/* Set CTX Options */
+ 	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);		/* Disable insecure SSLv2 Protocol */
+--- rsyslog-8.2102.0.ori/tests/Makefile.am	2022-09-06 10:37:26.447149363 +0200
++++ rsyslog-8.2102.0/tests/Makefile.am	2022-09-06 12:05:55.443600359 +0200
+@@ -1247,7 +1247,8 @@
+ 	sndrcv_tls_ossl_servercert_gtls_clientanon.sh \
+ 	sndrcv_tls_ossl_serveranon_gtls_clientanon.sh \
+ 	sndrcv_tls_gtls_servercert_ossl_clientanon.sh \
+-	sndrcv_tls_gtls_serveranon_ossl_clientanon.sh
++	sndrcv_tls_gtls_serveranon_ossl_clientanon.sh \
++	sndrcv_ossl_cert_chain.sh
+ endif
+ endif
+ 
+@@ -2575,6 +2576,7 @@
+ 	sndrcv_tls_ossl_serveranon_gtls_clientanon.sh \
+ 	sndrcv_tls_gtls_servercert_ossl_clientanon.sh \
+ 	sndrcv_tls_gtls_serveranon_ossl_clientanon.sh \
++	sndrcv_ossl_cert_chain.sh \
+ 	omtcl.sh \
+ 	omtcl.tcl \
+ 	pmsnare-default.sh \
+--- rsyslog-8.2102.0.ori/tests/sndrcv_ossl_cert_chain.sh	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/sndrcv_ossl_cert_chain.sh	2022-09-06 10:48:41.512496691 +0200
+@@ -0,0 +1,76 @@
++#!/bin/bash
++# alorbach, 2019-01-16
++# This file is part of the rsyslog project, released  under ASL 2.0
++. ${srcdir:=.}/diag.sh init
++export NUMMESSAGES=1000
++# uncomment for debugging support:
++#export RSYSLOG_DEBUG="debug nostdout noprintmutexaction"
++export RSYSLOG_DEBUGLOG="log"
++generate_conf
++export PORT_RCVR="$(get_free_port)"
++### This is important, as it must be exactly the same
++### as the ones configured in used certificates
++export HOSTNAME="fedora"
++add_conf '
++global(
++    DefaultNetstreamDriver="ossl"
++    DefaultNetstreamDriverCAFile="'$srcdir/testsuites/certchain/ca-cert.pem'"
++    DefaultNetstreamDriverCertFile="'$srcdir/testsuites/certchain/server-cert.pem'"
++    DefaultNetstreamDriverKeyFile="'$srcdir/testsuites/certchain/server-key.pem'"
++    NetstreamDriverCAExtraFiles="'$srcdir/testsuites/certchain/ca-root-cert.pem'"
++)
++
++module(	load="../plugins/imtcp/.libs/imtcp"
++	StreamDriver.Name="ossl"
++	StreamDriver.Mode="1"
++        PermittedPeer="'$HOSTNAME'"
++	StreamDriver.AuthMode="x509/name" )
++# then SENDER sends to this port (not tcpflood!)
++input(	type="imtcp" port="'$PORT_RCVR'" )
++
++$template outfmt,"%msg:F,58:2%\n"
++$template dynfile,"'$RSYSLOG_OUT_LOG'" # trick to use relative path names!
++:msg, contains, "msgnum:" ?dynfile;outfmt
++'
++startup
++export RSYSLOG_DEBUGLOG="log2"
++#valgrind="valgrind"
++generate_conf 2
++export TCPFLOOD_PORT="$(get_free_port)"
++add_conf '
++global(
++	defaultNetstreamDriverCAFile="'$srcdir/testsuites/certchain/ca-root-cert.pem'"
++	defaultNetstreamDriverCertFile="'$srcdir/testsuites/certchain/client-cert.pem'"
++	defaultNetstreamDriverKeyFile="'$srcdir/testsuites/certchain/client-key.pem'"
++)
++
++# Note: no TLS for the listener, this is for tcpflood!
++$ModLoad ../plugins/imtcp/.libs/imtcp
++input(	type="imtcp" port="0" listenPortFileName="'$RSYSLOG_DYNNAME'.tcpflood_port" )
++
++# set up the action
++action(	type="omfwd"
++	protocol="tcp"
++	target="127.0.0.1"
++	port="'$PORT_RCVR'"
++	StreamDriver="ossl"
++	StreamDriverMode="1"
++	StreamDriverAuthMode="x509/name"
++        StreamDriverPermittedPeers="'$HOSTNAME'"
++	)
++' 2
++startup 2
++
++# now inject the messages into instance 2. It will connect to instance 1,
++# and that instance will record the data.
++tcpflood -m$NUMMESSAGES -i1
++wait_file_lines
++# shut down sender when everything is sent, receiver continues to run concurrently
++shutdown_when_empty 2
++wait_shutdown 2
++# now it is time to stop the receiver as well
++shutdown_when_empty
++wait_shutdown
++
++seq_check 1 $NUMMESSAGES
++exit_test
+diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/ca-cert.pem
+--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-cert.pem	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/testsuites/certchain/ca-cert.pem	2022-09-06 10:48:41.513496694 +0200
+@@ -0,0 +1,29 @@
++-----BEGIN CERTIFICATE-----
++MIIFBzCCA2+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ
++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
++dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe
++Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMGkxCzAJBgNVBAYTAkNaMRAw
++DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0
++MQwwCgYDVQQLEwNHU1MxGTAXBgNVBAMTEHJzeXNsb2crY2hhaW4rY2EwggGiMA0G
++CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQD6yDdc9T3oddk5smOhF8OkRXwb2nvC
++M4RPPiuiACvbVoc3UdW2e4NI77J75JzNQL3gQUpgxGcvWiQt3R67ecYgIWiq0zpi
++MrcU3S0dboK10A6NXtcVc4RgwUPf0c8toM975c/6q2XT9Q0SbcI7HKXdzTXQZJDz
++sqQ3UjJuoCLSl6Dd8M0HXJnd2HlF1h5JeIp5vGrCJzQ5SyO6b4jVODtx/uXBohGn
++2x8NdB7wO5NecDyryrwv+FsUXWS4NNmj917bBuXSx3SmW/G7e8AFvcHN8VG6AxH7
++nap+EWGQia+LNG489flgU3U7Ec8zpTrI1wU6bUi6lK/RPxU0ViCaceGjXfoNofIc
++gGJOSS0LaHjM+c4OhmKWrIJ59j2L/rlIvmfqRO3qgThF4eaOfQTbixe/oiy3gR85
+++X6YDXvBwTGZDD6OeG1fCzx/snQLiP3/dRv6LJFE8Krawc9OCOWRDRlIxubrkmYz
++LVBxcFgI4BBGNYVsaMSYrkCVaS2Rv1sNAi0CAwEAAaOBtTCBsjAPBgNVHRMBAf8E
++BTADAQH/MCQGA1UdEQQdMBuCBmZlZG9yYYcEfwAAAYELcm9vdEBmZWRvcmEwDgYD
++VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAfBgNV
++HSMEGDAWgBSv9FgWjwDV6oGLewYzCo2/AdWTmzApBgNVHR8EIjAgMB6gHKAahhho
++dHRwOi8vMTI3LjAuMC4xL2dldGNybC8wDQYJKoZIhvcNAQELBQADggGBADrv9nld
++FjKZCIVQCVxYc1/KFFnKo2KRCqvSdfb235Kx+5tSFWUsOfkSGjfLrv2+IFKSirFQ
++uFSac/qOrMo/W/4A+ypahG9Sx9PRD626/myr8exee2ygkcuGOuXvX3HkcpzNCmId
++ZS5ygtscFq3NdntwBJHe2ANOSJKIIBzC+gzn4r/V6PdxPEjiUrFs515/RBByi63r
++wWPeqvbaectyZyFIS0XN3LAjVb+zu0NQJqBpUGJlRBI1bRbPECu94LB8Huk/jgSJ
++OyFUKrnNeqaGqKnRfHxJxT/LjeTkQ/5cCOQTuE9IPbRvTykUzUQ3PrltwNqzAb44
++9Trqvqg+qGTfNuI7EZAO26zXbltYVZ+BmlULjKors49Ozq5l1JIevvq66etrE9oT
++DsII88MSIWn8bqaXETfKdIWtWu7Os7tmBTnfDQWGpNDJ3UwDpkyQPYJZJuSfELX0
++jpuWuE/1SbLxTx8eAe83z4yM3C21Kg5K2eJ0udagjM8xPdqYI8tF/4bNbA==
++-----END CERTIFICATE-----
+diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-root-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/ca-root-cert.pem
+--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/ca-root-cert.pem	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/testsuites/certchain/ca-root-cert.pem	2022-09-06 10:48:41.513496694 +0200
+@@ -0,0 +1,29 @@
++-----BEGIN CERTIFICATE-----
++MIIE6jCCA1KgAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ
++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
++dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe
++Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMG0xCzAJBgNVBAYTAkNaMRAw
++DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0
++MQwwCgYDVQQLEwNHU1MxHTAbBgNVBAMTFHJzeXNsb2crY2hhaW4rY2Fyb290MIIB
++ojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAuqAAv1OIGwQqCi1Mflrq8Buo
++G3UtiD8cMEovjzndFV4Ww5fm+R2vCv+tHq6a85mLL0wdqXh+/bAyDzxaULheXZel
++rGPuUFEH2BpOwKXBd31Vx1x32aN9iaoaND/JVQSp+9PeP9zyKeZIN2vFSyNK7LCA
++hdDXVoYeTktXMbm0vB2vMKk+5Vzc7WfyMfrdDvciuULzLU1RzRS2/RkHNlve5iVQ
++XbNN6CpVtXb0K/kcp4SQIVbNTD/g6Z3JnewSWwqjM9/axTC17rpqhsxaWk712Zjo
++lYeuWKfaF9eRXU951u/vrXMMRkDZe0cq5OiTbc1uUQag7uXkbUtEk5HDSihUWwxz
++MegUdUBXFN6EJ7OauWFOeyVJbbvPRa3q9fdlLILvv5/9SiMim6avcj6DlyUz2RhC
++YPh/gJHItuIbZ6hEU+aKqiDYMTHyibRoqOMZgsc8Vo1JAHQTI6gA8JQtGtjEbzIR
++GFkQkj4tvAQQgl5fs9nuweH9GoIaBl1IoIVZyR9PAgMBAAGjgZQwgZEwDwYDVR0T
++AQH/BAUwAwEB/zAkBgNVHREEHTAbggZmZWRvcmGHBH8AAAGBC3Jvb3RAZmVkb3Jh
++MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUr/RYFo8A1eqBi3sGMwqNvwHVk5sw
++KQYDVR0fBCIwIDAeoBygGoYYaHR0cDovLzEyNy4wLjAuMS9nZXRjcmwvMA0GCSqG
++SIb3DQEBCwUAA4IBgQBn/NZeqYon25QY1RmjYkCQ0B+uXsquGURETP30hQ+ltbbG
++u4jP+ll+oYkGVt1+eBi8Qw+rf8Qk3Q/+jmCoGS9vVjQc97r3YJxnFb3zB4HDCWdZ
++qXK7GeBlFA4XAtJO0ya8HCx4znuXKiNwqrJJHyyW2gvkY9raRkKOzj3/9jQXgAw4
++1d8NR9SxjKA2PnCSWNdVQOAm4us2tJXJexvbRx+b9Yu8LgUX/AdT4zqkIV8n6oFV
++XNaGyOsDN/+4JEsKbBixL+g3Y6yQHrwKMYq/Gh1WF33u2yYCzMU4Lw9AoYRG0jHi
++iAFchiwneGdC7E+To+qNdH5QJY38ZI7kWg3ADcXzwhTmvVUz5DNub9raE6yZZ4uf
++CyTGAJjH9USuhwH3unmB0kDjEOExIJHm+9uNA8S/81cwoCl2pz/hzr2fQwR2YLSa
++ox9p6cnQmnkL2j2QXhTvjDIswJmxuR43yqDIZUlx6cq1pTSJeN+8WcB2iK61p4DH
++JhH8af3aLUI5FNNgjas=
++-----END CERTIFICATE-----
+diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/client-cert.pem
+--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-cert.pem	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/testsuites/certchain/client-cert.pem	2022-09-06 10:48:41.513496694 +0200
+@@ -0,0 +1,26 @@
++-----BEGIN CERTIFICATE-----
++MIIEXjCCAsagAwIBAgIBAjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEQ
++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
++dDEMMAoGA1UECxMDR1NTMRkwFwYDVQQDExByc3lzbG9nK2NoYWluK2NhMB4XDTIy
++MDYwNjEzNDA0OVoXDTIzMDYwNjEzNDA0OVowbTELMAkGA1UEBhMCQ1oxEDAOBgNV
++BAgTB01vcmF2aWExDTALBgNVBAcTBEJybm8xEDAOBgNVBAoTB1JlZCBIYXQxDDAK
++BgNVBAsTA0dTUzEdMBsGA1UEAxMUcnN5c2xvZytjaGFpbitjbGllbnQwggEiMA0G
++CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSIbnL1ViRk9CAPerSirUpBtnR4qYD
++XzPSkVJzX5PKLJkeJ6z6oIPoioh59+70ipL5K4ETkmbUFaKP+Lrk7l53BvAnP8Ba
++1rWNV2gzgyiihGCs7N/iamh9Rzj5lQCvzUJhiTcphcptV+0IIf9rbEggEazbSg1A
++BHxS8EBUx+ddVJc6MAlEbA/sstkqfE14k8YZPZlU9ZmLjyHbsQbfXFegYee6WMP0
++M7CqrMZ0ZWvDRWgqWOE+b8agmIKPb2VxJXuR3iXBJk8ANcrRzn/tXShMuGK5KiWL
++a6mFrzR6w55DgjIAKkmPO43jMO/qbWB91RVys/ztK7qIoXm3yadOeIU1AgMBAAGj
++gYwwgYkwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDAjAkBgNVHREE
++HTAbggZmZWRvcmGHBH8AAAGBC3Jvb3RAZmVkb3JhMB0GA1UdDgQWBBSoW3Alxk4+
++6Uwv80/UE5C5rT4e6TAfBgNVHSMEGDAWgBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAN
++BgkqhkiG9w0BAQsFAAOCAYEA5Nbnwixitghw9Zg3DANXFXiOsQBx7KEup7+x7edw
++n9r2raqNJEjT2Fv+ClEA3CIdPF+4wjoolOPezrNJxKO3UpYCQeO4ZU/QVl8BX8NB
++4v1rUqXsvhE//4FcLvMM+6n8Nrtt1VRhks8N0b0p/md9dFKGucd4otPZm0sbOrsg
++nrhDYzZiFAzJg3zFwOOHzxP6iKj2mfq+2XRiKl7SlbnEj/8l21Ne1V+mDV5++AEZ
++N/quuf8zYHwwuc3Y8K84doow9yBpFqrpBbazb8586utrAbTbytCqskzImFIjo5Oa
++1ujWArMDsVGGr+NzFWwCTz8VTNNJ5H1cBin0gT41/OwUQv8DIJqzmSFTg9Uqmb2V
++ZwjIvMGE4Tz8phzD0IbSXYmQsSeku4olIDM1d+vLvBlipGAeInmA+nZmeZwdD04c
++poqUj+H3mj1r6WOlk2ivV0TUZKO/JHydkBVf2EQJlEmGuSq/7S889fx3GT7jGcOb
++gl5LlIaraMgA48dK8gJUWtJh
++-----END CERTIFICATE-----
+diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-key.pem rsyslog-8.2102.0/tests/testsuites/certchain/client-key.pem
+--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/client-key.pem	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/testsuites/certchain/client-key.pem	2022-09-06 12:10:13.808498227 +0200
+@@ -0,0 +1,134 @@
++Public Key Info:
++	Public Key Algorithm: RSA
++	Key Security Level: Medium (2048 bits)
++
++modulus:
++	00:d2:21:b9:cb:d5:58:91:93:d0:80:3d:ea:d2:8a:b5
++	29:06:d9:d1:e2:a6:03:5f:33:d2:91:52:73:5f:93:ca
++	2c:99:1e:27:ac:fa:a0:83:e8:8a:88:79:f7:ee:f4:8a
++	92:f9:2b:81:13:92:66:d4:15:a2:8f:f8:ba:e4:ee:5e
++	77:06:f0:27:3f:c0:5a:d6:b5:8d:57:68:33:83:28:a2
++	84:60:ac:ec:df:e2:6a:68:7d:47:38:f9:95:00:af:cd
++	42:61:89:37:29:85:ca:6d:57:ed:08:21:ff:6b:6c:48
++	20:11:ac:db:4a:0d:40:04:7c:52:f0:40:54:c7:e7:5d
++	54:97:3a:30:09:44:6c:0f:ec:b2:d9:2a:7c:4d:78:93
++	c6:19:3d:99:54:f5:99:8b:8f:21:db:b1:06:df:5c:57
++	a0:61:e7:ba:58:c3:f4:33:b0:aa:ac:c6:74:65:6b:c3
++	45:68:2a:58:e1:3e:6f:c6:a0:98:82:8f:6f:65:71:25
++	7b:91:de:25:c1:26:4f:00:35:ca:d1:ce:7f:ed:5d:28
++	4c:b8:62:b9:2a:25:8b:6b:a9:85:af:34:7a:c3:9e:43
++	82:32:00:2a:49:8f:3b:8d:e3:30:ef:ea:6d:60:7d:d5
++	15:72:b3:fc:ed:2b:ba:88:a1:79:b7:c9:a7:4e:78:85
++	35:
++
++public exponent:
++	01:00:01:
++
++private exponent:
++	1f:0c:c4:bb:8d:e6:ec:7b:ff:0f:34:17:02:cd:64:3f
++	8f:b7:97:ff:f9:af:fd:dd:56:7c:0a:c6:e9:94:99:07
++	46:08:e2:ab:f8:cc:c7:31:11:67:61:3e:75:9c:c4:ed
++	3a:cc:66:e2:51:7b:c8:52:fa:16:74:16:89:c5:7f:47
++	ef:4a:85:42:32:56:39:eb:d1:da:dc:96:e0:06:9d:1d
++	1a:7b:f2:f4:92:2c:4f:0c:53:fd:e3:43:55:3a:a5:05
++	ee:0b:ac:8f:02:2a:0b:46:36:cc:40:d9:d1:31:ca:e6
++	92:36:0c:a1:40:9b:f9:0d:b5:e3:b2:5d:d4:bc:27:5a
++	17:fd:3f:bd:8e:44:55:f2:e3:96:ac:cc:11:be:65:01
++	55:98:92:92:ac:59:46:fd:e2:11:80:eb:18:56:6a:82
++	3c:79:ec:30:b7:06:9b:97:55:74:36:17:7e:d8:c6:95
++	4e:a5:e1:55:5a:2a:d6:5d:cc:86:39:88:82:ba:31:19
++	98:d7:26:28:09:fe:b4:38:fe:1b:43:19:19:4f:ae:f2
++	27:18:d6:07:9a:c2:1c:66:2d:5a:e6:22:2e:ca:71:26
++	dc:76:8f:2e:f3:84:e3:61:5f:77:d3:63:8a:d0:6b:42
++	2a:6f:1b:98:91:b9:82:8d:d4:c4:f3:92:98:b4:a4:f1
++
++
++prime1:
++	00:e1:f4:19:35:e3:e2:e7:14:a6:56:8b:45:f9:2b:19
++	bb:13:b3:66:73:44:5d:ca:69:cb:73:d9:78:5a:0f:fd
++	de:ba:74:b3:53:70:a9:ab:52:22:34:78:a2:26:4a:aa
++	8f:1b:65:c1:3e:df:65:8c:9b:9a:70:04:ae:70:f6:ea
++	c4:e5:20:fa:16:e0:4f:56:f4:7b:d1:14:cc:94:e1:3c
++	58:02:82:98:20:cd:13:cf:a2:49:13:7a:88:c1:84:72
++	97:4f:1b:e8:d5:cb:6d:43:dd:d2:b8:09:dd:4f:ee:ce
++	03:0b:c4:c2:9b:cf:3d:a0:a3:57:fd:1c:c9:eb:af:ae
++	67:
++
++prime2:
++	00:ee:13:05:f0:4c:13:e2:f8:27:53:c4:ad:89:d9:31
++	b9:1b:e8:17:b9:db:36:cd:54:0c:15:eb:50:85:e4:8b
++	03:c4:f2:6d:a0:41:dc:99:21:7e:1e:8a:a1:5e:86:fe
++	53:d2:72:53:73:8a:7e:a2:43:83:d5:af:b0:e0:1a:89
++	b5:3f:b3:26:d2:8e:92:0d:ed:d1:29:ee:c5:f1:ff:fc
++	67:2c:a6:5d:4c:27:40:8a:5c:a1:23:d4:3f:11:bb:eb
++	51:84:be:83:ec:73:3c:2e:ff:43:f6:74:16:b8:95:36
++	2a:0b:1e:04:81:04:08:7a:40:21:dd:fb:dd:97:0a:76
++	03:
++
++coefficient:
++	00:a0:4c:15:4b:85:2f:81:6b:2e:e7:68:31:84:84:09
++	c4:45:55:01:da:3d:25:9d:37:67:ab:19:0b:1f:d3:9f
++	fc:09:12:31:66:5a:93:d8:d9:f2:00:c7:f7:03:0d:2b
++	9d:2d:b8:38:d0:82:de:03:e7:21:03:29:4f:2a:2b:b5
++	70:a3:bc:5b:bd:0e:f1:8b:bc:22:58:4a:b4:8f:fd:f5
++	d4:f3:99:31:b1:db:f6:1d:d9:12:a2:48:0a:d0:05:1a
++	72:dc:8e:30:67:3c:e0:6a:b5:dc:93:6f:e4:17:79:a1
++	63:2e:25:78:ef:86:d7:9c:f3:dd:5b:d2:bd:62:4f:44
++	f9:
++
++exp1:
++	60:a2:e2:49:5f:0e:83:20:1c:c7:f4:c6:d7:7b:2c:85
++	0b:36:f6:01:24:63:2c:97:b4:b0:f6:78:77:a4:51:42
++	79:e2:41:73:d5:42:6b:88:34:22:d6:d9:1a:a1:62:72
++	d4:17:df:df:40:f2:10:81:d8:3a:42:76:4c:cf:fd:b6
++	79:fc:71:99:69:13:e5:af:a8:68:d2:89:70:bf:27:ec
++	c8:1e:0c:6c:32:e9:5f:2b:1c:2f:dd:7f:31:ac:b0:c9
++	af:c6:d2:fc:e5:04:f5:3a:a0:cd:9f:42:6c:d6:48:7b
++	9b:03:ea:eb:72:65:fc:17:00:21:bb:b7:4c:3a:95:cf
++
++
++exp2:
++	00:a1:a7:61:1c:ed:4b:83:8e:24:86:08:c2:1d:1b:d1
++	5b:73:cb:80:70:be:9c:d3:87:02:3d:cf:ee:79:3b:d9
++	f8:d1:3e:1b:99:f9:9e:a4:8b:cd:6b:47:8e:92:f4:ee
++	b4:53:ed:35:24:fb:21:49:64:b6:9b:de:14:27:d7:5d
++	32:28:f2:a8:a5:c8:10:fc:4c:42:fe:4a:17:36:5f:2f
++	2f:8f:6d:d7:63:e2:33:3c:bf:f0:da:b7:3f:ab:f7:01
++	ad:f4:88:b8:63:51:4b:c8:4d:a4:04:30:87:4d:06:64
++	24:e0:2f:9d:b7:4c:d9:c4:c8:cf:36:3f:d3:12:c0:13
++	a9:
++
++
++Public Key PIN:
++	pin-sha256:I1Gv1FM9aCxvuCmF0uDnbDbIJgm1TFB2dtJV5v2iCEA=
++Public Key ID:
++	sha256:2351afd4533d682c6fb82985d2e0e76c36c82609b54c507676d255e6fda20840
++	sha1:a85b7025c64e3ee94c2ff34fd41390b9ad3e1ee9
++
++-----BEGIN RSA PRIVATE KEY-----
++MIIEpAIBAAKCAQEA0iG5y9VYkZPQgD3q0oq1KQbZ0eKmA18z0pFSc1+TyiyZHies
+++qCD6IqIeffu9IqS+SuBE5Jm1BWij/i65O5edwbwJz/AWta1jVdoM4MoooRgrOzf
++4mpofUc4+ZUAr81CYYk3KYXKbVftCCH/a2xIIBGs20oNQAR8UvBAVMfnXVSXOjAJ
++RGwP7LLZKnxNeJPGGT2ZVPWZi48h27EG31xXoGHnuljD9DOwqqzGdGVrw0VoKljh
++Pm/GoJiCj29lcSV7kd4lwSZPADXK0c5/7V0oTLhiuSoli2upha80esOeQ4IyACpJ
++jzuN4zDv6m1gfdUVcrP87Su6iKF5t8mnTniFNQIDAQABAoIBAB8MxLuN5ux7/w80
++FwLNZD+Pt5f/+a/93VZ8CsbplJkHRgjiq/jMxzERZ2E+dZzE7TrMZuJRe8hS+hZ0
++FonFf0fvSoVCMlY569Ha3JbgBp0dGnvy9JIsTwxT/eNDVTqlBe4LrI8CKgtGNsxA
++2dExyuaSNgyhQJv5DbXjsl3UvCdaF/0/vY5EVfLjlqzMEb5lAVWYkpKsWUb94hGA
++6xhWaoI8eewwtwabl1V0Nhd+2MaVTqXhVVoq1l3MhjmIgroxGZjXJigJ/rQ4/htD
++GRlPrvInGNYHmsIcZi1a5iIuynEm3HaPLvOE42Ffd9NjitBrQipvG5iRuYKN1MTz
++kpi0pPECgYEA4fQZNePi5xSmVotF+SsZuxOzZnNEXcppy3PZeFoP/d66dLNTcKmr
++UiI0eKImSqqPG2XBPt9ljJuacASucPbqxOUg+hbgT1b0e9EUzJThPFgCgpggzRPP
++okkTeojBhHKXTxvo1cttQ93SuAndT+7OAwvEwpvPPaCjV/0cyeuvrmcCgYEA7hMF
++8EwT4vgnU8StidkxuRvoF7nbNs1UDBXrUIXkiwPE8m2gQdyZIX4eiqFehv5T0nJT
++c4p+okOD1a+w4BqJtT+zJtKOkg3t0SnuxfH//Gcspl1MJ0CKXKEj1D8Ru+tRhL6D
++7HM8Lv9D9nQWuJU2KgseBIEECHpAId373ZcKdgMCgYBgouJJXw6DIBzH9MbXeyyF
++Czb2ASRjLJe0sPZ4d6RRQnniQXPVQmuINCLW2RqhYnLUF9/fQPIQgdg6QnZMz/22
++efxxmWkT5a+oaNKJcL8n7MgeDGwy6V8rHC/dfzGssMmvxtL85QT1OqDNn0Js1kh7
++mwPq63Jl/BcAIbu3TDqVzwKBgQChp2Ec7UuDjiSGCMIdG9Fbc8uAcL6c04cCPc/u
++eTvZ+NE+G5n5nqSLzWtHjpL07rRT7TUk+yFJZLab3hQn110yKPKopcgQ/ExC/koX
++Nl8vL49t12PiMzy/8Nq3P6v3Aa30iLhjUUvITaQEMIdNBmQk4C+dt0zZxMjPNj/T
++EsATqQKBgQCgTBVLhS+Bay7naDGEhAnERVUB2j0lnTdnqxkLH9Of/AkSMWZak9jZ
++8gDH9wMNK50tuDjQgt4D5yEDKU8qK7Vwo7xbvQ7xi7wiWEq0j/311POZMbHb9h3Z
++EqJICtAFGnLcjjBnPOBqtdyTb+QXeaFjLiV474bXnPPdW9K9Yk9E+Q==
++-----END RSA PRIVATE KEY-----
+diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-cert.pem rsyslog-8.2102.0/tests/testsuites/certchain/server-cert.pem
+--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-cert.pem	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/testsuites/certchain/server-cert.pem	2022-09-06 10:48:41.513496694 +0200
+@@ -0,0 +1,55 @@
++-----BEGIN CERTIFICATE-----
++MIIEVTCCAr2gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBpMQswCQYDVQQGEwJDWjEQ
++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
++dDEMMAoGA1UECxMDR1NTMRkwFwYDVQQDExByc3lzbG9nK2NoYWluK2NhMB4XDTIy
++MDYwNjEzNDA0OVoXDTIzMDYwNjEzNDA0OVowbTELMAkGA1UEBhMCQ1oxEDAOBgNV
++BAgTB01vcmF2aWExDTALBgNVBAcTBEJybm8xEDAOBgNVBAoTB1JlZCBIYXQxDDAK
++BgNVBAsTA0dTUzEdMBsGA1UEAxMUcnN5c2xvZytjaGFpbitzZXJ2ZXIwggEiMA0G
++CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3mDP67/SPVbCCgInxXNr9sOLz2yWx
++fa4jtgdbgWK5mib4XdPYTdH6hRiur/n6yn9rzhDeFFMUhSwQpQ81OyZfUFNU0A0q
++x7AZMgVOm3ZqMDk8O57UfuSdURJJPsEwMzZ8Q5d6wyq7xheX0DZjB8LUN8J6SX4w
++K2Ok1wCBOQdfjvW09tOVqQK7puHq85UWsEBTiZ7ie1Fg6FLNscPVoavjNNyYAORM
++Vz0Byv1zBdJzBHufqHUdjX7uMkUPcKfiU/TjQWMRYF3Yp5z2wFohi4Zgtise7xW5
++SfgcAIjA1bm5xMIaiUxRUZHUhCaoj6c2vZygrFO7MuB/2ngoEbqZ57pdAgMBAAGj
++gYMwgYAwDAYDVR0TAQH/BAIwADAwBgNVHREEKTAnggZmZWRvcmGHBH8AAAGBF3Jv
++b3RAZmVkb3JhdGxzd3d3c2VydmVyMB0GA1UdDgQWBBRxxQqJoRCHlrmwDLcB0aU3
++W/QRbDAfBgNVHSMEGDAWgBQ7t+ub2L0VzaTLfpubh4rnDk2RmjANBgkqhkiG9w0B
++AQsFAAOCAYEAkheMCnXNDh2fOhMyOifBFKqlUUsYzZoYU5UNweZijdKAKxJ4zdsS
++i31a2IG4ePBPX7PShUUr2E1PEQ2XBDi/HcCoK54qcqzhxGS83Rf/2YxN4BjU8jaA
++7RhIA0fv5haKxxhjRIDT6vsAXPB0HM/f3Y+E21GVbsQVUE1pP8QrDkcU0EwIjEfW
++tFEBitmb0s/11d8/ZLdYAuvvfzDzuN9kuAcj5dkdpB5Wo9R3h2NXnD6EIWIUHn/I
++zwgXdb/n9gUI6jQMC6shFjXScVT2jgjfziWi/M66PBbtEbEnhOEKdbW0o2lPiL3j
++2UDj6fMshRBAnSoBtEYm/lywBs3vDUGpMUSQFIAwPgUkizAl5DEdmE9PLqRL9HNT
++UIg8tQql9Xr29edEiuMHpIyH8eEa+KI2CpKG3KfYDBMaC7z9MvkpYuSuIG3dsQxy
++YguWDH7c0iosQVpHx8dxj5Exj1/QOXcD5tAVY/+DBe48nRzDTlZmRGQjtqr6Nw0j
++BIXBoqaes0D4
++-----END CERTIFICATE-----
++-----BEGIN CERTIFICATE-----
++MIIFBzCCA2+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJDWjEQ
++MA4GA1UECBMHTW9yYXZpYTENMAsGA1UEBxMEQnJubzEQMA4GA1UEChMHUmVkIEhh
++dDEMMAoGA1UECxMDR1NTMR0wGwYDVQQDExRyc3lzbG9nK2NoYWluK2Nhcm9vdDAe
++Fw0yMjA2MDYxMzQwNDlaFw0yMzA2MDYxMzQwNDlaMGkxCzAJBgNVBAYTAkNaMRAw
++DgYDVQQIEwdNb3JhdmlhMQ0wCwYDVQQHEwRCcm5vMRAwDgYDVQQKEwdSZWQgSGF0
++MQwwCgYDVQQLEwNHU1MxGTAXBgNVBAMTEHJzeXNsb2crY2hhaW4rY2EwggGiMA0G
++CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQD6yDdc9T3oddk5smOhF8OkRXwb2nvC
++M4RPPiuiACvbVoc3UdW2e4NI77J75JzNQL3gQUpgxGcvWiQt3R67ecYgIWiq0zpi
++MrcU3S0dboK10A6NXtcVc4RgwUPf0c8toM975c/6q2XT9Q0SbcI7HKXdzTXQZJDz
++sqQ3UjJuoCLSl6Dd8M0HXJnd2HlF1h5JeIp5vGrCJzQ5SyO6b4jVODtx/uXBohGn
++2x8NdB7wO5NecDyryrwv+FsUXWS4NNmj917bBuXSx3SmW/G7e8AFvcHN8VG6AxH7
++nap+EWGQia+LNG489flgU3U7Ec8zpTrI1wU6bUi6lK/RPxU0ViCaceGjXfoNofIc
++gGJOSS0LaHjM+c4OhmKWrIJ59j2L/rlIvmfqRO3qgThF4eaOfQTbixe/oiy3gR85
+++X6YDXvBwTGZDD6OeG1fCzx/snQLiP3/dRv6LJFE8Krawc9OCOWRDRlIxubrkmYz
++LVBxcFgI4BBGNYVsaMSYrkCVaS2Rv1sNAi0CAwEAAaOBtTCBsjAPBgNVHRMBAf8E
++BTADAQH/MCQGA1UdEQQdMBuCBmZlZG9yYYcEfwAAAYELcm9vdEBmZWRvcmEwDgYD
++VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQ7t+ub2L0VzaTLfpubh4rnDk2RmjAfBgNV
++HSMEGDAWgBSv9FgWjwDV6oGLewYzCo2/AdWTmzApBgNVHR8EIjAgMB6gHKAahhho
++dHRwOi8vMTI3LjAuMC4xL2dldGNybC8wDQYJKoZIhvcNAQELBQADggGBADrv9nld
++FjKZCIVQCVxYc1/KFFnKo2KRCqvSdfb235Kx+5tSFWUsOfkSGjfLrv2+IFKSirFQ
++uFSac/qOrMo/W/4A+ypahG9Sx9PRD626/myr8exee2ygkcuGOuXvX3HkcpzNCmId
++ZS5ygtscFq3NdntwBJHe2ANOSJKIIBzC+gzn4r/V6PdxPEjiUrFs515/RBByi63r
++wWPeqvbaectyZyFIS0XN3LAjVb+zu0NQJqBpUGJlRBI1bRbPECu94LB8Huk/jgSJ
++OyFUKrnNeqaGqKnRfHxJxT/LjeTkQ/5cCOQTuE9IPbRvTykUzUQ3PrltwNqzAb44
++9Trqvqg+qGTfNuI7EZAO26zXbltYVZ+BmlULjKors49Ozq5l1JIevvq66etrE9oT
++DsII88MSIWn8bqaXETfKdIWtWu7Os7tmBTnfDQWGpNDJ3UwDpkyQPYJZJuSfELX0
++jpuWuE/1SbLxTx8eAe83z4yM3C21Kg5K2eJ0udagjM8xPdqYI8tF/4bNbA==
++-----END CERTIFICATE-----
+diff -Nuar rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-key.pem rsyslog-8.2102.0/tests/testsuites/certchain/server-key.pem
+--- rsyslog-8.2102.0.ori/tests/testsuites/certchain/server-key.pem	1970-01-01 01:00:00.000000000 +0100
++++ rsyslog-8.2102.0/tests/testsuites/certchain/server-key.pem	2022-09-06 12:10:28.635549755 +0200
+@@ -0,0 +1,133 @@
++Public Key Info:
++	Public Key Algorithm: RSA
++	Key Security Level: Medium (2048 bits)
++
++modulus:
++	00:b7:98:33:fa:ef:f4:8f:55:b0:82:80:89:f1:5c:da
++	fd:b0:e2:f3:db:25:b1:7d:ae:23:b6:07:5b:81:62:b9
++	9a:26:f8:5d:d3:d8:4d:d1:fa:85:18:ae:af:f9:fa:ca
++	7f:6b:ce:10:de:14:53:14:85:2c:10:a5:0f:35:3b:26
++	5f:50:53:54:d0:0d:2a:c7:b0:19:32:05:4e:9b:76:6a
++	30:39:3c:3b:9e:d4:7e:e4:9d:51:12:49:3e:c1:30:33
++	36:7c:43:97:7a:c3:2a:bb:c6:17:97:d0:36:63:07:c2
++	d4:37:c2:7a:49:7e:30:2b:63:a4:d7:00:81:39:07:5f
++	8e:f5:b4:f6:d3:95:a9:02:bb:a6:e1:ea:f3:95:16:b0
++	40:53:89:9e:e2:7b:51:60:e8:52:cd:b1:c3:d5:a1:ab
++	e3:34:dc:98:00:e4:4c:57:3d:01:ca:fd:73:05:d2:73
++	04:7b:9f:a8:75:1d:8d:7e:ee:32:45:0f:70:a7:e2:53
++	f4:e3:41:63:11:60:5d:d8:a7:9c:f6:c0:5a:21:8b:86
++	60:b6:2b:1e:ef:15:b9:49:f8:1c:00:88:c0:d5:b9:b9
++	c4:c2:1a:89:4c:51:51:91:d4:84:26:a8:8f:a7:36:bd
++	9c:a0:ac:53:bb:32:e0:7f:da:78:28:11:ba:99:e7:ba
++	5d:
++
++public exponent:
++	01:00:01:
++
++private exponent:
++	68:06:20:25:a5:82:0f:18:c1:3b:20:33:88:83:51:3d
++	7e:d5:08:d0:79:a9:f8:89:0b:88:de:e0:55:0e:28:15
++	94:d1:12:f0:ae:55:61:8d:2d:8e:8f:a3:fb:e2:c2:8b
++	b1:fc:7f:08:25:c1:f1:15:87:a3:22:b2:dc:39:58:83
++	96:d2:b0:72:75:93:70:b3:71:83:2b:08:a0:03:57:25
++	5d:b8:a8:1b:55:51:54:9d:62:4b:17:1f:2c:7c:ef:f7
++	86:2f:12:0c:27:ba:f5:cb:c6:a0:69:03:f7:d6:74:e8
++	a3:73:58:b0:7d:84:33:81:70:eb:b5:48:82:94:8f:ea
++	4c:c7:9c:58:02:90:68:b1:64:29:df:a8:8a:69:15:d4
++	49:21:2f:aa:25:f1:e7:10:8b:93:37:ca:51:d3:4e:d6
++	de:cf:60:04:6b:10:41:1b:f5:0f:be:b7:2a:cd:41:44
++	50:25:be:e5:57:60:1e:3e:e9:d7:70:86:68:a6:4f:3d
++	7d:d8:0e:7f:9b:de:de:e6:02:35:33:9f:b6:68:bb:cd
++	2f:33:69:09:9e:da:91:6b:16:89:db:14:20:59:3a:92
++	7e:78:4e:e1:02:3f:c8:a5:3f:bd:f2:bc:3a:da:f2:97
++	06:f5:96:eb:c8:09:f7:04:cb:7f:e2:e2:12:52:d4:21
++
++
++prime1:
++	00:ed:e4:b8:72:ee:b0:9e:38:db:f8:e7:fa:52:a5:94
++	4a:4b:05:54:f0:96:23:72:d6:01:ba:9f:f4:3e:65:24
++	29:c0:47:4a:6f:a9:a4:02:36:c5:2c:c5:ea:cd:09:5c
++	2d:8e:3c:56:aa:e4:e7:85:32:a8:a7:4f:18:12:17:8c
++	93:15:07:da:3e:f4:df:33:7e:35:39:59:2d:f4:1c:ba
++	65:e8:42:c7:75:a0:c2:53:47:ad:ee:74:44:21:6a:42
++	75:7f:40:1f:8b:06:0e:df:c3:02:4d:50:58:75:f2:29
++	58:e2:0c:a0:7b:fe:be:c4:ab:76:ff:24:c1:4b:e6:ce
++	75:
++
++prime2:
++	00:c5:91:7c:48:59:dd:05:68:5c:8a:46:0b:3b:69:92
++	80:d1:c6:28:27:88:c8:a9:73:7c:32:ee:87:a7:31:29
++	ff:56:38:41:07:3e:0f:01:5c:cf:eb:93:db:e7:fb:b9
++	e7:15:94:93:ea:fa:f8:60:79:c6:16:d2:db:9b:64:5f
++	c3:b8:f0:52:c0:e7:ff:e0:9a:94:22:fb:7e:5e:80:8f
++	c0:ca:46:f4:87:91:e7:ad:6d:74:26:d1:fa:c0:f8:f5
++	7e:b3:0c:bb:23:5e:7d:5d:8b:c9:2e:68:76:be:d4:b4
++	75:de:3c:70:70:ad:1e:64:de:e4:1d:f7:df:af:46:0f
++	49:
++
++coefficient:
++	00:89:f1:2c:f9:14:89:25:21:7a:ad:75:30:f0:b1:e7
++	20:b3:14:14:d7:c9:b6:78:3c:c7:c8:92:3a:64:8e:47
++	d0:10:fc:01:a9:a6:25:a5:61:6d:8f:da:d4:85:fa:06
++	9f:a5:27:a8:7d:38:e2:67:19:65:ab:a9:00:52:8c:f3
++	51:fe:f9:a6:4f:ab:47:04:0a:86:ae:f0:fe:3d:2d:72
++	76:6d:ad:03:48:af:23:67:92:28:34:83:bc:45:7d:c0
++	45:ca:89:4a:4f:dd:11:a6:3a:5a:23:47:f4:7c:82:42
++	dc:e8:56:85:d8:1b:9d:08:9c:6e:ca:17:58:d7:d4:bb
++	77:
++
++exp1:
++	21:50:b8:ac:0f:d5:58:33:2a:4b:2f:61:95:15:6f:31
++	00:54:9c:d2:9c:94:16:4e:f6:2b:06:9f:93:e5:62:2d
++	1e:aa:5d:38:4a:0f:97:e7:c7:b1:3f:7e:64:7c:7d:16
++	3c:27:23:14:07:be:8c:9e:cd:93:b0:b5:f4:42:ac:03
++	25:1c:d6:69:9e:ad:6b:6e:af:51:7a:b5:be:cc:0f:26
++	9a:62:4f:c0:9f:64:d7:78:e0:58:d6:9b:7b:fa:7f:98
++	28:db:f8:0e:e6:28:4b:19:ea:46:9d:8b:e5:e8:a5:f5
++	b6:a2:82:0f:1b:5b:e7:fb:03:4d:33:fe:85:fc:aa:c9
++
++
++exp2:
++	59:36:db:22:68:c1:ef:a1:32:b8:95:ec:98:85:91:cc
++	6d:ed:c7:50:22:ea:49:ea:86:59:11:71:5c:44:4d:2c
++	aa:28:78:e4:e6:57:2c:4c:56:ef:90:33:2b:4c:76:a4
++	2d:10:8c:c2:fd:55:8f:6b:2d:d2:3c:a1:42:48:4f:1e
++	38:b2:fd:0b:73:38:0e:9a:7e:ee:55:16:b9:61:e0:88
++	34:4f:5a:38:a5:e0:32:66:4c:9f:03:0e:f2:78:f9:92
++	9f:13:ce:a5:a8:13:80:5c:91:1a:4d:bd:e1:6a:77:9b
++	0a:21:cc:bc:74:d0:56:c8:77:c6:38:9a:5f:b1:89:51
++
++
++
++Public Key PIN:
++	pin-sha256:FSR0pC1TUEe+ZMU7YSVDDmYP4hmDlsIJRKf4D8LiJZ8=
++Public Key ID:
++	sha256:152474a42d535047be64c53b6125430e660fe2198396c20944a7f80fc2e2259f
++	sha1:71c50a89a1108796b9b00cb701d1a5375bf4116c
++
++-----BEGIN RSA PRIVATE KEY-----
++MIIEowIBAAKCAQEAt5gz+u/0j1WwgoCJ8Vza/bDi89slsX2uI7YHW4FiuZom+F3T
++2E3R+oUYrq/5+sp/a84Q3hRTFIUsEKUPNTsmX1BTVNANKsewGTIFTpt2ajA5PDue
++1H7knVESST7BMDM2fEOXesMqu8YXl9A2YwfC1DfCekl+MCtjpNcAgTkHX471tPbT
++lakCu6bh6vOVFrBAU4me4ntRYOhSzbHD1aGr4zTcmADkTFc9Acr9cwXScwR7n6h1
++HY1+7jJFD3Cn4lP040FjEWBd2Kec9sBaIYuGYLYrHu8VuUn4HACIwNW5ucTCGolM
++UVGR1IQmqI+nNr2coKxTuzLgf9p4KBG6mee6XQIDAQABAoIBAGgGICWlgg8YwTsg
++M4iDUT1+1QjQean4iQuI3uBVDigVlNES8K5VYY0tjo+j++LCi7H8fwglwfEVh6Mi
++stw5WIOW0rBydZNws3GDKwigA1clXbioG1VRVJ1iSxcfLHzv94YvEgwnuvXLxqBp
++A/fWdOijc1iwfYQzgXDrtUiClI/qTMecWAKQaLFkKd+oimkV1EkhL6ol8ecQi5M3
++ylHTTtbez2AEaxBBG/UPvrcqzUFEUCW+5VdgHj7p13CGaKZPPX3YDn+b3t7mAjUz
++n7Zou80vM2kJntqRaxaJ2xQgWTqSfnhO4QI/yKU/vfK8Otrylwb1luvICfcEy3/i
++4hJS1CECgYEA7eS4cu6wnjjb+Of6UqWUSksFVPCWI3LWAbqf9D5lJCnAR0pvqaQC
++NsUsxerNCVwtjjxWquTnhTKop08YEheMkxUH2j703zN+NTlZLfQcumXoQsd1oMJT
++R63udEQhakJ1f0AfiwYO38MCTVBYdfIpWOIMoHv+vsSrdv8kwUvmznUCgYEAxZF8
++SFndBWhcikYLO2mSgNHGKCeIyKlzfDLuh6cxKf9WOEEHPg8BXM/rk9vn+7nnFZST
++6vr4YHnGFtLbm2Rfw7jwUsDn/+CalCL7fl6Aj8DKRvSHkeetbXQm0frA+PV+swy7
++I159XYvJLmh2vtS0dd48cHCtHmTe5B33369GD0kCgYAhULisD9VYMypLL2GVFW8x
++AFSc0pyUFk72Kwafk+ViLR6qXThKD5fnx7E/fmR8fRY8JyMUB76Mns2TsLX0QqwD
++JRzWaZ6ta26vUXq1vswPJppiT8CfZNd44FjWm3v6f5go2/gO5ihLGepGnYvl6KX1
++tqKCDxtb5/sDTTP+hfyqyQKBgFk22yJowe+hMriV7JiFkcxt7cdQIupJ6oZZEXFc
++RE0sqih45OZXLExW75AzK0x2pC0QjML9VY9rLdI8oUJITx44sv0LczgOmn7uVRa5
++YeCINE9aOKXgMmZMnwMO8nj5kp8TzqWoE4BckRpNveFqd5sKIcy8dNBWyHfGOJpf
++sYlRAoGBAInxLPkUiSUheq11MPCx5yCzFBTXybZ4PMfIkjpkjkfQEPwBqaYlpWFt
++j9rUhfoGn6UnqH044mcZZaupAFKM81H++aZPq0cECoau8P49LXJ2ba0DSK8jZ5Io
++NIO8RX3ARcqJSk/dEaY6WiNH9HyCQtzoVoXYG50InG7KF1jX1Lt3
++-----END RSA PRIVATE KEY-----

SOURCES/rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch

@@ -0,0 +1,195 @@
+diff -up rsyslog-8.2102.0/configure.ac.orig rsyslog-8.2102.0/configure.ac
+--- rsyslog-8.2102.0/configure.ac.orig	2022-11-21 11:39:40.717183684 +0100
++++ rsyslog-8.2102.0/configure.ac	2022-11-21 11:40:18.697206706 +0100
+@@ -387,6 +387,28 @@ if test "$enable_fmhash_xxhash" = "yes";
+ 	])
+ fi
+ 
++AC_ARG_ENABLE(libcap-ng,
++        [AS_HELP_STRING([--enable-libcap-ng],[Enable dropping capabilities to only the necessary set @<:@default=no@:>@])],
++        [case "${enableval}" in
++         yes) enable_libcapng="yes" ;;
++          no) enable_libcapng="no" ;;
++           *) AC_MSG_ERROR(bad value ${enableval} for --enable_libcapng) ;;
++         esac],
++        [enable_libcapng=no]
++)
++
++if test "$enable_libcapng" = "yes"; then
++        PKG_CHECK_MODULES(
++                [LIBCAPNG],
++                [libcap-ng >= 0.8.2],
++                [AC_DEFINE([ENABLE_LIBCAPNG], [1], [Indicator that libcap-ng is present])],
++                [AC_MSG_ERROR(libcap-ng is not present.)]
++        )
++        CFLAGS="$CFLAGS $LIBCAPNG_CFLAGS"
++        LIBS="$LIBS $LIBCAPNG_LIBS"
++fi
++
++
+ 
+ #gssapi
+ AC_ARG_ENABLE(gssapi_krb5,
+@@ -2688,6 +2710,7 @@ echo "    liblogging-stdlog support enab
+ echo "    libsystemd enabled:                       $enable_libsystemd"
+ echo "    kafka static linking enabled:             $enable_kafka_static"
+ echo "    atomic operations enabled:                $enable_atomic_operations"
++echo "    libcap-ng support enabled:                $enable_libcapng"
+ echo
+ echo "---{ input plugins }---"
+ if test "$unamestr" != "AIX"; then
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2022-11-21 11:40:31.926214720 +0100
++++ rsyslog-8.2102.0/runtime/rsconf.c	2022-11-21 11:44:26.742356979 +0100
+@@ -33,6 +33,9 @@
+ #include <sys/resource.h>
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#ifdef ENABLE_LIBCAPNG
++	#include <cap-ng.h>
++#endif
+ 
+ #include "rsyslog.h"
+ #include "obj.h"
+@@ -546,6 +549,7 @@ rsRetVal doDropPrivGid(void)
+ 	uchar szBuf[1024];
+ 	DEFiRet;
+ 
++#ifndef ENABLE_LIBCAPNG
+ 	if(!ourConf->globals.gidDropPrivKeepSupplemental) {
+ 		res = setgroups(0, NULL); /* remove all supplemental group IDs */
+ 		if(res) {
+@@ -560,9 +564,19 @@ rsRetVal doDropPrivGid(void)
+ 	if(res) {
+ 		rs_strerror_r(errno, (char*)szBuf, sizeof(szBuf));
+ 		LogError(0, RS_RET_ERR_DROP_PRIV,
+-				"could not set requested group id: %s", szBuf);
++				"could not set requested group id: %s via setgid()", szBuf);
+ 		ABORT_FINALIZE(RS_RET_ERR_DROP_PRIV);
+ 	}
++#else
++	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
++	res = capng_change_id(-1, ourConf->globals.gidDropPriv, capng_flags);
++	if (res) {
++		LogError(0, RS_RET_LIBCAPNG_ERR,
++				"could not set requested group id %d via capng_change_id()", ourConf->globals.gidDropPriv);
++		ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
++	}
++#endif
++
+ 	DBGPRINTF("setgid(%d): %d\n", ourConf->globals.gidDropPriv, res);
+ 	snprintf((char*)szBuf, sizeof(szBuf), "rsyslogd's groupid changed to %d",
+ 		 ourConf->globals.gidDropPriv);
+@@ -599,7 +613,14 @@ static void doDropPrivUid(int iUid)
+ 				iUid, szBuf);
+ 	}
+ 
++#ifndef ENABLE_LIBCAPNG
+ 	res = setuid(iUid);
++	// res = setuid(cnf->globals.uidDropPriv);
++#else
++	int capng_flags = ourConf->globals.gidDropPrivKeepSupplemental ? CAPNG_NO_FLAG : CAPNG_DROP_SUPP_GRP;
++	res = capng_change_id(iUid, -1, capng_flags);
++#endif
++
+ 	if(res) {
+ 		/* if we can not set the userid, this is fatal, so let's unconditionally abort */
+ 		perror("could not set requested userid");
+diff -up rsyslog-8.2102.0/runtime/rsyslog.h.orig rsyslog-8.2102.0/runtime/rsyslog.h
+--- rsyslog-8.2102.0/runtime/rsyslog.h.orig	2022-11-21 11:45:09.007382588 +0100
++++ rsyslog-8.2102.0/runtime/rsyslog.h	2022-11-21 11:45:31.333396112 +0100
+@@ -582,6 +582,7 @@ enum rsRetVal_				/** return value. All
+ 	RS_RET_RABBITMQ_CHANNEL_ERR = -2449, /**< RabbitMQ Connection error */
+ 	RS_RET_NO_WRKDIR_SET = -2450, /**< working directory not set, but desired by functionality */
+ 	RS_RET_ERR_QUEUE_FN_DUP = -2451, /**< duplicate queue file name */
++	RS_RET_LIBCAPNG_ERR = -2455, /**< error during dropping the capabilities */
+ 
+ 	/* RainerScript error messages (range 1000.. 1999) */
+ 	RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2022-11-21 11:45:17.587387786 +0100
++++ rsyslog-8.2102.0/tools/rsyslogd.c	2022-11-21 11:46:19.509425295 +0100
+@@ -38,6 +38,10 @@
+ #	include <systemd/sd-daemon.h>
+ #endif
+ 
++#ifdef ENABLE_LIBCAPNG
++	#include <cap-ng.h>
++#endif
++
+ #include "rsyslog.h"
+ #include "wti.h"
+ #include "ratelimit.h"
+@@ -321,7 +325,7 @@ checkStartupOK(void)
+ 		fprintf(stderr, "rsyslogd: error reading pid file, cannot start up\n");
+ 		ABORT_FINALIZE(RS_RET_ERR);
+ 	}
+-	
++
+ 	/* ok, we got a pid, let's check if the process is running */
+ 	const pid_t pid = (pid_t) pf_pid;
+ 	if(kill(pid, 0) == 0 || errno != ESRCH) {
+@@ -1594,7 +1598,7 @@ initAll(int argc, char **argv)
+ 		localRet = RS_RET_OK;
+ 	}
+ 	CHKiRet(localRet);
+-	
++
+ 	CHKiRet(rsyslogd_InitStdRatelimiters());
+ 
+ 	if(bChDirRoot) {
+@@ -2019,7 +2023,7 @@ deinitAll(void)
+ 	/* close the inputs */
+ 	DBGPRINTF("Terminating input threads...\n");
+ 	glbl.SetGlobalInputTermination();
+-	
++
+ 	thrdTerminateAll();
+ 
+ 	/* and THEN send the termination log message (see long comment above) */
+@@ -2142,6 +2146,45 @@ main(int argc, char **argv)
+ 	if(log_dflt != NULL && !strcmp(log_dflt, "1"))
+ 		bProcessInternalMessages = 1;
+ 	dbgClassInit();
++
++#ifdef ENABLE_LIBCAPNG
++	/*
++	 * Drop capabilities to the necessary set
++	 */
++	int capng_rc;
++	capng_clear(CAPNG_SELECT_BOTH);
++
++	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++		CAP_BLOCK_SUSPEND,
++		CAP_CHOWN,
++		CAP_IPC_LOCK,
++		CAP_LEASE,
++		CAP_NET_ADMIN,
++		CAP_NET_BIND_SERVICE,
++		CAP_PERFMON,
++		CAP_SETGID,
++		CAP_SETUID,
++		CAP_SYS_ADMIN,
++		CAP_SYS_CHROOT,
++		CAP_SYS_RESOURCE,
++		CAP_SYSLOG,
++		-1
++	)) != 0) {
++		LogError(0, RS_RET_LIBCAPNG_ERR,
++				"could not update the internal posix capabilities settings "
++				"based on the options passed to it, capng_updatev=%d\n", capng_rc);
++		exit(-1);
++	}
++
++	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
++		LogError(0, RS_RET_LIBCAPNG_ERR,
++			"could not transfer  the  specified  internal posix  capabilities "
++			"settings to the kernel, capng_apply=%d\n", capng_rc);
++		exit(-1);
++	}
++	DBGPRINTF("Capabilities were dropped successfully\n");
++#endif
++
+ 	initAll(argc, argv);
+ #ifdef HAVE_LIBSYSTEMD
+ 	sd_notify(0, "READY=1");

SOURCES/rsyslog-8.2102.0-rhbz2129015-journal-COMM.patch

@@ -0,0 +1,12 @@
+diff -up rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig rsyslog-8.2102.0/plugins/imjournal/imjournal.c
+--- rsyslog-8.2102.0/plugins/imjournal/imjournal.c.orig	2023-05-19 10:32:32.467826852 +0200
++++ rsyslog-8.2102.0/plugins/imjournal/imjournal.c	2023-05-19 10:33:34.426902983 +0200
+@@ -452,6 +452,8 @@ readjournal(void)
+ 	/* Get message identifier, client pid and add ':' */
+ 	if (journalGetData("SYSLOG_IDENTIFIER", &get, &length) >= 0) {
+ 		CHKiRet(sanitizeValue(((const char *)get) + 18, length - 18, &sys_iden));
++	} else if (journalGetData("_COMM", &get, &length) >= 0) {
++		CHKiRet(sanitizeValue(((const char *)get) + 6, length - 6, &sys_iden));
+ 	} else {
+ 		CHKmalloc(sys_iden = strdup(cs.dfltTag));
+ 	}

SOURCES/rsyslog-8.2102.0-rhbz2157658-imklog.patch

@@ -0,0 +1,20 @@
+diff --git a/plugins/imklog/imklog.c b/plugins/imklog/imklog.c
+index 6c24b5a2db..78cfc3bae2 100644
+--- a/plugins/imklog/imklog.c
++++ b/plugins/imklog/imklog.c
+@@ -453,6 +453,7 @@ ENDactivateCnf
+ 
+ BEGINfreeCnf
+ CODESTARTfreeCnf
++	free(pModConf->pszBindRuleset);
+ ENDfreeCnf
+ 
+ 
+@@ -475,7 +476,6 @@ CODESTARTmodExit
+ 	if(pInputName != NULL)
+ 		prop.Destruct(&pInputName);
+ 
+-	free(runModConf->pszBindRuleset);
+ 	/* release objects we used */
+ 	objRelease(glbl, CORE_COMPONENT);
+ 	objRelease(net, CORE_COMPONENT);

SOURCES/rsyslog-8.2102.0-rhbz2157804-cstrlen.patch

@@ -0,0 +1,72 @@
+diff -up rsyslog-8.2102.0/parse.h.orig rsyslog-8.2102.0/parse.h
+--- rsyslog-8.2102.0/parse.h.orig	2023-05-09 09:10:09.236597063 +0200
++++ rsyslog-8.2102.0/parse.h	2023-05-09 09:10:26.913608034 +0200
+@@ -56,7 +56,7 @@ struct rsParsObject
+ 	rsObjID OID;			/**< object ID */
+ #endif
+ 	cstr_t *pCStr;		/**< pointer to the string object we are parsing */
+-	int iCurrPos;			/**< current parsing position (char offset) */
++	size_t iCurrPos;			/**< current parsing position (char offset) */
+ };
+ typedef struct rsParsObject rsParsObj;
+ 
+diff -up rsyslog-8.2102.0/runtime/stream.c.orig rsyslog-8.2102.0/runtime/stream.c
+--- rsyslog-8.2102.0/runtime/stream.c.orig	2023-05-09 09:10:34.122612508 +0200
++++ rsyslog-8.2102.0/runtime/stream.c	2023-05-09 09:12:47.934640583 +0200
+@@ -1071,7 +1071,7 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 	cstr_t *thisLine = NULL;
+ 	rsRetVal readCharRet;
+ 	const time_t tCurr = pThis->readTimeout ? getTime(NULL) : 0;
+-	int maxMsgSize = glblGetMaxLine();
++	size_t maxMsgSize = glblGetMaxLine();
+ 	DEFiRet;
+ 
+ 	do {
+@@ -1132,9 +1132,9 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 					}
+ 
+ 
+-					int currLineLen = cstrLen(thisLine);
++					size_t currLineLen = cstrLen(thisLine);
+ 					if(currLineLen > 0) {
+-						int len;
++						size_t len;
+ 						if((len = cstrLen(pThis->prevMsgSegment) + currLineLen) <
+ 						maxMsgSize) {
+ 							CHKiRet(cstrAppendCStr(pThis->prevMsgSegment, thisLine));
+@@ -1144,7 +1144,7 @@ strmReadMultiLine(strm_t *pThis, cstr_t
+ 								len = 0;
+ 							} else {
+ 								len = currLineLen-(len-maxMsgSize);
+-								for(int z=0; z<len; z++) {
++								for(size_t z=0; z<len; z++) {
+ 									cstrAppendChar(pThis->prevMsgSegment,
+ 										thisLine->pBuf[z]);
+ 								}
+diff -up rsyslog-8.2102.0/runtime/stringbuf.c.orig rsyslog-8.2102.0/runtime/stringbuf.c
+--- rsyslog-8.2102.0/runtime/stringbuf.c.orig	2023-05-09 09:09:37.627577446 +0200
++++ rsyslog-8.2102.0/runtime/stringbuf.c	2023-05-09 09:09:59.061590749 +0200
+@@ -474,7 +474,7 @@ finalize_it:
+  * This is due to performance reasons.
+  */
+ #ifndef NDEBUG
+-int cstrLen(cstr_t *pThis)
++size_t cstrLen(cstr_t *pThis)
+ {
+ 	rsCHECKVALIDOBJECT(pThis, OIDrsCStr);
+ 	return(pThis->iStrLen);
+diff -up rsyslog-8.2102.0/runtime/stringbuf.h.orig rsyslog-8.2102.0/runtime/stringbuf.h
+--- rsyslog-8.2102.0/runtime/stringbuf.h.orig	2023-05-09 09:08:05.199520082 +0200
++++ rsyslog-8.2102.0/runtime/stringbuf.h	2023-05-09 09:09:26.924570803 +0200
+@@ -144,9 +144,9 @@ rsRetVal cstrAppendCStr(cstr_t *pThis, c
+ 
+ /* now come inline-like functions */
+ #ifdef NDEBUG
+-#	define cstrLen(x) ((int)((x)->iStrLen))
++#	define cstrLen(x) ((size_t)((x)->iStrLen))
+ #else
+-	int cstrLen(cstr_t *pThis);
++	size_t cstrLen(cstr_t *pThis);
+ #endif
+ #define rsCStrLen(s) cstrLen((s))
+ 

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-0.patch

@@ -0,0 +1,37 @@
+diff -up rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c.orig rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c
+--- rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c.orig	2023-05-11 14:14:39.778187570 +0200
++++ rsyslog-8.2102.0/plugins/omelasticsearch/omelasticsearch.c	2023-05-11 14:15:36.254234445 +0200
+@@ -232,7 +232,11 @@ static rsRetVal curlSetup(wrkrInstanceDa
+ BEGINcreateInstance
+ CODESTARTcreateInstance
+ 	pData->fdErrFile = -1;
+-	pthread_mutex_init(&pData->mutErrFile, NULL);
++	if(pthread_mutex_init(&pData->mutErrFile, NULL) != 0) {
++		LogError(errno, RS_RET_ERR, "omelasticsearch: cannot create "
++			"error file mutex, failing this action");
++		ABORT_FINALIZE(RS_RET_ERR);
++	}
+ 	pData->caCertFile = NULL;
+ 	pData->myCertFile = NULL;
+ 	pData->myPrivKeyFile = NULL;
+@@ -240,6 +244,7 @@ CODESTARTcreateInstance
+ 	pData->retryRulesetName = NULL;
+ 	pData->retryRuleset = NULL;
+ 	pData->rebindInterval = DEFAULT_REBIND_INTERVAL;
++finalize_it:
+ ENDcreateInstance
+ 
+ BEGINcreateWrkrInstance
+@@ -2165,10 +2170,12 @@ ENDfreeCnf
+ 
+ BEGINdoHUP
+ CODESTARTdoHUP
++	pthread_mutex_lock(&pData->mutErrFile);
+ 	if(pData->fdErrFile != -1) {
+ 		close(pData->fdErrFile);
+ 		pData->fdErrFile = -1;
+ 	}
++	pthread_mutex_unlock(&pData->mutErrFile);
+ ENDdoHUP
+ 
+ 

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-1.patch

@@ -0,0 +1,54 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 0808c6054e..d7d6c68e60 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -116,6 +116,7 @@ typedef struct instanceConf_s {
+ 	uchar **serverBaseUrls;
+ 	int numServers;
+ 	long healthCheckTimeout;
++	long indexTimeout;
+ 	uchar *uid;
+ 	uchar *pwd;
+ 	uchar *authBuf;
+@@ -187,6 +188,7 @@ static struct cnfparamdescr actpdescr[] = {
+ 	{ "server", eCmdHdlrArray, 0 },
+ 	{ "serverport", eCmdHdlrInt, 0 },
+ 	{ "healthchecktimeout", eCmdHdlrInt, 0 },
++	{ "indextimeout", eCmdHdlrInt, 0 },
+ 	{ "uid", eCmdHdlrGetWord, 0 },
+ 	{ "pwd", eCmdHdlrGetWord, 0 },
+ 	{ "searchindex", eCmdHdlrGetWord, 0 },
+@@ -355,6 +357,7 @@ CODESTARTdbgPrintInstInfo
+ 	dbgprintf("\ttemplate='%s'\n", pData->tplName);
+ 	dbgprintf("\tnumServers=%d\n", pData->numServers);
+ 	dbgprintf("\thealthCheckTimeout=%lu\n", pData->healthCheckTimeout);
++	dbgprintf("\tindexTimeout=%lu\n", pData->indexTimeout);
+ 	dbgprintf("\tserverBaseUrls=");
+ 	for(i = 0 ; i < pData->numServers ; ++i)
+ 		dbgprintf("%c'%s'", i == 0 ? '[' : ' ', pData->serverBaseUrls[i]);
+@@ -1768,6 +1771,8 @@ curlPostSetup(wrkrInstanceData_t *const pWrkrData)
+ 	PTR_ASSERT_SET_TYPE(pWrkrData, WRKR_DATA_TYPE_ES);
+ 	curlSetupCommon(pWrkrData, pWrkrData->curlPostHandle);
+ 	curl_easy_setopt(pWrkrData->curlPostHandle, CURLOPT_POST, 1);
++	curl_easy_setopt(pWrkrData->curlPostHandle,
++		CURLOPT_TIMEOUT_MS, pWrkrData->pData->indexTimeout);
+ }
+ 
+ #define CONTENT_JSON "Content-Type: application/json; charset=utf-8"
+@@ -1797,6 +1802,7 @@ setInstParamDefaults(instanceData *const pData)
+ 	pData->serverBaseUrls = NULL;
+ 	pData->defaultPort = 9200;
+ 	pData->healthCheckTimeout = 3500;
++	pData->indexTimeout = 0;
+ 	pData->uid = NULL;
+ 	pData->pwd = NULL;
+ 	pData->authBuf = NULL;
+@@ -1865,6 +1871,8 @@ CODESTARTnewActInst
+ 			pData->defaultPort = (int) pvals[i].val.d.n;
+ 		} else if(!strcmp(actpblk.descr[i].name, "healthchecktimeout")) {
+ 			pData->healthCheckTimeout = (long) pvals[i].val.d.n;
++		} else if(!strcmp(actpblk.descr[i].name, "indextimeout")) {
++			pData->indexTimeout = (long) pvals[i].val.d.n;
+ 		} else if(!strcmp(actpblk.descr[i].name, "uid")) {
+ 			pData->uid = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(actpblk.descr[i].name, "pwd")) {

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-2.patch

@@ -0,0 +1,43 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 0808c6054e..ed9359732c 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -877,14 +877,6 @@ parseRequestAndResponseForContext(wrkrInstanceData_t *pWrkrData,fjson_object **p
+ 	int i;
+ 	int numitems;
+ 	fjson_object *items=NULL, *jo_errors = NULL;
+-	int errors = 0;
+-
+-	if(fjson_object_object_get_ex(replyRoot, "errors", &jo_errors)) {
+-		errors = fjson_object_get_boolean(jo_errors);
+-		if (!errors && pWrkrData->pData->retryFailures) {
+-			return RS_RET_OK;
+-		}
+-	}
+ 
+ 	/*iterate over items*/
+ 	if(!fjson_object_object_get_ex(replyRoot, "items", &items)) {
+@@ -897,6 +889,15 @@ parseRequestAndResponseForContext(wrkrInstanceData_t *pWrkrData,fjson_object **p
+ 
+ 	numitems = fjson_object_array_length(items);
+ 
++	int errors = 0;
++	if(fjson_object_object_get_ex(replyRoot, "errors", &jo_errors)) {
++		errors = fjson_object_get_boolean(jo_errors);
++		if (!errors && pWrkrData->pData->retryFailures) {
++			STATSCOUNTER_ADD(indexSuccess, mutIndexSuccess, numitems);
++			return RS_RET_OK;
++		}
++	}
++
+ 	if (reqmsg) {
+ 		DBGPRINTF("omelasticsearch: Entire request %s\n", reqmsg);
+ 	} else {
+@@ -1267,6 +1268,7 @@ getDataRetryFailures(context *ctx,int itemStatus,char *request,char *response,
+ 				response);
+ 		}
+ 	}
++
+ 	need_free_omes = 0;
+ 	CHKiRet(msgAddJSON(msg, (uchar*)".omes", omes, 0, 0));
+ 	MsgSetRuleset(msg, ctx->retryRuleset);

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-3.patch

@@ -0,0 +1,148 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index ed9359732c..8200403eaf 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -86,12 +86,14 @@ STATSCOUNTER_DEF(rebinds, mutRebinds)
+ static prop_t *pInputName = NULL;
+ 
+ #	define META_STRT "{\"index\":{\"_index\": \""
+-#	define META_STRT_CREATE "{\"create\":{\"_index\": \""
++#	define META_STRT_CREATE "{\"create\":{"    /* \"_index\": \" */
++#	define META_IX "\"_index\": \""
+ #	define META_TYPE "\",\"_type\":\""
+ #       define META_PIPELINE "\",\"pipeline\":\""
+ #	define META_PARENT "\",\"_parent\":\""
+ #	define META_ID "\", \"_id\":\""
+ #	define META_END  "\"}}\n"
++#	define META_END_NOQUOTE  " }}\n"
+ 
+ typedef enum {
+ 	ES_WRITE_INDEX,
+@@ -362,8 +364,8 @@ CODESTARTdbgPrintInstInfo
+ 	dbgprintf("\tdefaultPort=%d\n", pData->defaultPort);
+ 	dbgprintf("\tuid='%s'\n", pData->uid == NULL ? (uchar*)"(not configured)" : pData->uid);
+ 	dbgprintf("\tpwd=(%sconfigured)\n", pData->pwd == NULL ? "not " : "");
+-	dbgprintf("\tsearch index='%s'\n", pData->searchIndex);
+-	dbgprintf("\tsearch type='%s'\n", pData->searchType);
++	dbgprintf("\tsearch index='%s'\n", pData->searchIndex == NULL ? (uchar*)"(not configured)" : pData->searchIndex);
++        dbgprintf("\tsearch type='%s'\n",  pData->searchType == NULL ? (uchar*)"(not configured)" : pData->searchType);
+ 	dbgprintf("\tpipeline name='%s'\n", pData->pipelineName);
+ 	dbgprintf("\tdynamic pipeline name=%d\n", pData->dynPipelineName);
+ 	dbgprintf("\tskipPipelineIfEmpty=%d\n", pData->skipPipelineIfEmpty);
+@@ -596,8 +598,8 @@ getIndexTypeAndParent(const instanceData *const pData, uchar **const tpls,
+ 	}
+ 
+ done:
+-	assert(srchIndex != NULL);
+-	assert(srchType != NULL);
++	//assert(srchIndex != NULL);
++	//assert(srchType != NULL);
+ 	return;
+ }
+ 
+@@ -633,9 +635,14 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 		parent = NULL;
+ 	} else {
+ 		getIndexTypeAndParent(pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+-		r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
+-		if(r == 0) r = es_addChar(&url, '/');
+-		if(r == 0) r = es_addBuf(&url, (char*)searchType, ustrlen(searchType));
++		if(searchIndex != NULL) {
++			r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
++			if(r == 0) r = es_addChar(&url, '/');
++			if(searchType != NULL) {
++				if(r == 0) r = es_addBuf(&url, (char*)searchType, ustrlen(searchType));
++			}
++		} else
++			r = 0;
+ 		if(pipelineName != NULL && (!pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+ 			if(r == 0) r = es_addChar(&url, separator);
+ 			if(r == 0) r = es_addBuf(&url, "pipeline=", sizeof("pipeline=")-1);
+@@ -692,7 +699,11 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 	uchar *pipelineName;
+ 
+ 	getIndexTypeAndParent(pWrkrData->pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+-	r += ustrlen((char *)message) + ustrlen(searchIndex) + ustrlen(searchType);
++	r += ustrlen((char *)message);
++        if(searchIndex != NULL)
++                r += ustrlen(searchIndex);
++        if(searchType != NULL)
++                r += ustrlen(searchType);
+ 
+ 	if(parent != NULL) {
+ 		r += sizeof(META_PARENT)-1 + ustrlen(parent);
+@@ -717,6 +728,7 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ {
+ 	int length = strlen((char *)message);
+ 	int r;
++       	int endQuote = 1;
+ 	uchar *searchIndex = NULL;
+ 	uchar *searchType;
+ 	uchar *parent = NULL;
+@@ -725,28 +737,43 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ 	DEFiRet;
+ 
+ 	getIndexTypeAndParent(pWrkrData->pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+-	if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE)
++	if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE) {
+ 		r = es_addBuf(&pWrkrData->batch.data, META_STRT_CREATE, sizeof(META_STRT_CREATE)-1);
+-	else
++		endQuote = 0;
++	} else
+ 		r = es_addBuf(&pWrkrData->batch.data, META_STRT, sizeof(META_STRT)-1);
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchIndex,
++	if(searchIndex != NULL) {
++		endQuote = 1;
++		if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE)
++			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_IX, sizeof(META_IX)-1);
++		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchIndex,
+ 				 ustrlen(searchIndex));
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_TYPE, sizeof(META_TYPE)-1);
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchType,
++		if(searchType != NULL) {
++			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_TYPE, sizeof(META_TYPE)-1);
++			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchType,
+ 				 ustrlen(searchType));
++		}
++	}
+ 	if(parent != NULL) {
++		endQuote = 1;
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_PARENT, sizeof(META_PARENT)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)parent, ustrlen(parent));
+ 	}
+ 	if(pipelineName != NULL && (!pWrkrData->pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
++		endQuote = 1;
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_PIPELINE, sizeof(META_PIPELINE)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)pipelineName, ustrlen(pipelineName));
+ 	}
+ 	if(bulkId != NULL) {
++		endQuote = 1;
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_ID, sizeof(META_ID)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)bulkId, ustrlen(bulkId));
+ 	}
+-	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_END, sizeof(META_END)-1);
++	if(endQuote == 0) {
++		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_END_NOQUOTE, sizeof(META_END_NOQUOTE)-1);
++	} else {
++		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_END, sizeof(META_END)-1);
++	}
+ 	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)message, length);
+ 	if(r == 0) r = es_addBuf(&pWrkrData->batch.data, "\n", sizeof("\n")-1);
+ 	if(r != 0) {
+@@ -2094,6 +2121,8 @@ CODESTARTnewActInst
+ 		CHKiRet(computeBaseUrl("localhost", pData->defaultPort, pData->useHttps, pData->serverBaseUrls));
+ 	}
+ 
++	//Only needed befor ES-Version 7.x
++	/*
+ 	if(pData->searchIndex == NULL)
+ 		pData->searchIndex = (uchar*) strdup("system");
+ 	if(pData->searchType == NULL)
+@@ -2104,6 +2133,7 @@ CODESTARTnewActInst
+ 			"omelasticsearch: writeoperation '%d' requires bulkid", pData->writeOperation);
+ 		ABORT_FINALIZE(RS_RET_CONFIG_ERROR);
+ 	}
++	*/
+ 
+ 	if (pData->retryFailures) {
+ 		CHKiRet(ratelimitNew(&pData->ratelimiter, "omelasticsearch", NULL));

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-4.patch

@@ -0,0 +1,118 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 8200403eaf..8b74d610df 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -130,6 +130,7 @@ typedef struct instanceConf_s {
+ 	uchar *timeout;
+ 	uchar *bulkId;
+ 	uchar *errorFile;
++	int esVersion;
+ 	sbool errorOnly;
+ 	sbool interleaved;
+ 	sbool dynSrchIdx;
+@@ -221,7 +222,8 @@ static struct cnfparamdescr actpdescr[] = {
+ 	{ "ratelimit.interval", eCmdHdlrInt, 0 },
+ 	{ "ratelimit.burst", eCmdHdlrInt, 0 },
+ 	{ "retryruleset", eCmdHdlrString, 0 },
+-	{ "rebindinterval", eCmdHdlrInt, 0 }
++	{ "rebindinterval", eCmdHdlrInt, 0 },
++	{ "esversion.major", eCmdHdlrPositiveInt, 0 }
+ };
+ static struct cnfparamblk actpblk =
+ 	{ CNFPARAMBLK_VERSION,
+@@ -246,6 +248,7 @@ CODESTARTcreateInstance
+ 	pData->retryRulesetName = NULL;
+ 	pData->retryRuleset = NULL;
+ 	pData->rebindInterval = DEFAULT_REBIND_INTERVAL;
++	pData->esVersion = 0;
+ finalize_it:
+ ENDcreateInstance
+ 
+@@ -364,8 +367,10 @@ CODESTARTdbgPrintInstInfo
+ 	dbgprintf("\tdefaultPort=%d\n", pData->defaultPort);
+ 	dbgprintf("\tuid='%s'\n", pData->uid == NULL ? (uchar*)"(not configured)" : pData->uid);
+ 	dbgprintf("\tpwd=(%sconfigured)\n", pData->pwd == NULL ? "not " : "");
+-	dbgprintf("\tsearch index='%s'\n", pData->searchIndex == NULL ? (uchar*)"(not configured)" : pData->searchIndex);
+-        dbgprintf("\tsearch type='%s'\n",  pData->searchType == NULL ? (uchar*)"(not configured)" : pData->searchType);
++	dbgprintf("\tsearch index='%s'\n", pData->searchIndex == NULL
++			? (uchar*)"(not configured)" : pData->searchIndex);
++	dbgprintf("\tsearch type='%s'\n",  pData->searchType == NULL
++			? (uchar*)"(not configured)" : pData->searchType);
+ 	dbgprintf("\tpipeline name='%s'\n", pData->pipelineName);
+ 	dbgprintf("\tdynamic pipeline name=%d\n", pData->dynPipelineName);
+ 	dbgprintf("\tskipPipelineIfEmpty=%d\n", pData->skipPipelineIfEmpty);
+@@ -598,8 +603,6 @@ getIndexTypeAndParent(const instanceData *const pData, uchar **const tpls,
+ 	}
+ 
+ done:
+-	//assert(srchIndex != NULL);
+-	//assert(srchType != NULL);
+ 	return;
+ }
+ 
+@@ -700,11 +703,12 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 
+ 	getIndexTypeAndParent(pWrkrData->pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+ 	r += ustrlen((char *)message);
+-        if(searchIndex != NULL)
+-                r += ustrlen(searchIndex);
+-        if(searchType != NULL)
+-                r += ustrlen(searchType);
+-
++	if(searchIndex != NULL) {
++		r += ustrlen(searchIndex);
++	}
++	if(searchType != NULL) {
++		r += ustrlen(searchType);
++	}
+ 	if(parent != NULL) {
+ 		r += sizeof(META_PARENT)-1 + ustrlen(parent);
+ 	}
+@@ -728,7 +732,7 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ {
+ 	int length = strlen((char *)message);
+ 	int r;
+-       	int endQuote = 1;
++	int endQuote = 1;
+ 	uchar *searchIndex = NULL;
+ 	uchar *searchType;
+ 	uchar *parent = NULL;
+@@ -1990,6 +1994,8 @@ CODESTARTnewActInst
+ 			pData->retryRulesetName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ 		} else if(!strcmp(actpblk.descr[i].name, "rebindinterval")) {
+ 			pData->rebindInterval = (int) pvals[i].val.d.n;
++		} else if(!strcmp(actpblk.descr[i].name, "esversion.major")) {
++			pData->esVersion = pvals[i].val.d.n;
+ 		} else {
+ 			LogError(0, RS_RET_INTERNAL_ERROR, "omelasticsearch: program error, "
+ 				"non-handled param '%s'", actpblk.descr[i].name);
+@@ -2121,19 +2127,18 @@ CODESTARTnewActInst
+ 		CHKiRet(computeBaseUrl("localhost", pData->defaultPort, pData->useHttps, pData->serverBaseUrls));
+ 	}
+ 
+-	//Only needed befor ES-Version 7.x
+-	/*
+-	if(pData->searchIndex == NULL)
+-		pData->searchIndex = (uchar*) strdup("system");
+-	if(pData->searchType == NULL)
+-		pData->searchType = (uchar*) strdup("events");
++	if(pData->esVersion < 8) {
++		if(pData->searchIndex == NULL)
++			pData->searchIndex = (uchar*) strdup("system");
++		if(pData->searchType == NULL)
++			pData->searchType = (uchar*) strdup("events");
+ 
+-	if ((pData->writeOperation != ES_WRITE_INDEX) && (pData->bulkId == NULL)) {
+-		LogError(0, RS_RET_CONFIG_ERROR,
+-			"omelasticsearch: writeoperation '%d' requires bulkid", pData->writeOperation);
+-		ABORT_FINALIZE(RS_RET_CONFIG_ERROR);
++		if ((pData->writeOperation != ES_WRITE_INDEX) && (pData->bulkId == NULL)) {
++			LogError(0, RS_RET_CONFIG_ERROR,
++				"omelasticsearch: writeoperation '%d' requires bulkid", pData->writeOperation);
++			ABORT_FINALIZE(RS_RET_CONFIG_ERROR);
++		}
+ 	}
+-	*/
+ 
+ 	if (pData->retryFailures) {
+ 		CHKiRet(ratelimitNew(&pData->ratelimiter, "omelasticsearch", NULL));

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-5.patch

@@ -0,0 +1,40 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index 76d5081d3b..f481ec3f7e 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -620,6 +620,8 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 	uchar *parent;
+ 	uchar *bulkId;
+ 	char* baseUrl;
++	/* since 7.0, the API always requires /idx/_doc, so use that if searchType is not explicitly set */
++	uchar* actualSearchType = (uchar*)"_doc";
+ 	es_str_t *url;
+ 	int r;
+ 	DEFiRet;
+@@ -645,11 +647,12 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 		if(searchIndex != NULL) {
+ 			r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
+ 			if(r == 0) r = es_addChar(&url, '/');
+-			if(searchType != NULL) {
+-				if(r == 0) r = es_addBuf(&url, (char*)searchType, ustrlen(searchType));
+-			}
+-		} else
+-			r = 0;
++
++		if(searchType != NULL) {
++			actualSearchType = searchType;
++		}
++		if(r == 0) r = es_addChar(&url, '/');
++		if(r == 0) r = es_addBuf(&url, (char*)actualSearchType, ustrlen(actualSearchType));
+ 		if(pipelineName != NULL && (!pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+ 			if(r == 0) r = es_addChar(&url, separator);
+ 			if(r == 0) r = es_addBuf(&url, "pipeline=", sizeof("pipeline=")-1);
+@@ -693,7 +696,7 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 	const uchar *const message,
+ 	uchar **const tpls)
+ {
+-	size_t r = sizeof(META_TYPE)-1 + sizeof(META_END)-1 + sizeof("\n")-1;
++	size_t r = sizeof(META_END)-1 + sizeof("\n")-1;
+ 	if (pWrkrData->pData->writeOperation == ES_WRITE_CREATE)
+ 		r += sizeof(META_STRT_CREATE)-1;
+ 	else

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-6.patch

@@ -0,0 +1,53 @@
+diff --git a/plugins/omelasticsearch/omelasticsearch.c b/plugins/omelasticsearch/omelasticsearch.c
+index f481ec3f7e..b297a9274f 100644
+--- a/plugins/omelasticsearch/omelasticsearch.c
++++ b/plugins/omelasticsearch/omelasticsearch.c
+@@ -623,7 +623,7 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 	/* since 7.0, the API always requires /idx/_doc, so use that if searchType is not explicitly set */
+ 	uchar* actualSearchType = (uchar*)"_doc";
+ 	es_str_t *url;
+-	int r;
++	int r = 0;
+ 	DEFiRet;
+ 	instanceData *const pData = pWrkrData->pData;
+ 	char separator;
+@@ -646,13 +646,12 @@ setPostURL(wrkrInstanceData_t *const pWrkrData, uchar **const tpls)
+ 		getIndexTypeAndParent(pData, tpls, &searchIndex, &searchType, &parent, &bulkId, &pipelineName);
+ 		if(searchIndex != NULL) {
+ 			r = es_addBuf(&url, (char*)searchIndex, ustrlen(searchIndex));
++			if(searchType != NULL && searchType[0] != '\0') {
++				actualSearchType = searchType;
++			}
+ 			if(r == 0) r = es_addChar(&url, '/');
+-
+-		if(searchType != NULL) {
+-			actualSearchType = searchType;
++			if(r == 0) r = es_addBuf(&url, (char*)actualSearchType, ustrlen(actualSearchType));
+ 		}
+-		if(r == 0) r = es_addChar(&url, '/');
+-		if(r == 0) r = es_addBuf(&url, (char*)actualSearchType, ustrlen(actualSearchType));
+ 		if(pipelineName != NULL && (!pData->skipPipelineIfEmpty || pipelineName[0] != '\0')) {
+ 			if(r == 0) r = es_addChar(&url, separator);
+ 			if(r == 0) r = es_addBuf(&url, "pipeline=", sizeof("pipeline=")-1);
+@@ -714,7 +713,11 @@ computeMessageSize(const wrkrInstanceData_t *const pWrkrData,
+ 		r += ustrlen(searchIndex);
+ 	}
+ 	if(searchType != NULL) {
+-		r += ustrlen(searchType);
++		if(searchType[0] == '\0') {
++			r += 4; // "_doc"
++		} else {
++			r += ustrlen(searchType);
++		}
+ 	}
+ 	if(parent != NULL) {
+ 		r += sizeof(META_PARENT)-1 + ustrlen(parent);
+@@ -759,7 +762,7 @@ buildBatch(wrkrInstanceData_t *pWrkrData, uchar *message, uchar **tpls)
+ 			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_IX, sizeof(META_IX)-1);
+ 		if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchIndex,
+ 				 ustrlen(searchIndex));
+-		if(searchType != NULL) {
++		if(searchType != NULL && searchType[0] != '\0') {
+ 			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, META_TYPE, sizeof(META_TYPE)-1);
+ 			if(r == 0) r = es_addBuf(&pWrkrData->batch.data, (char*)searchType,
+ 				 ustrlen(searchType));

SOURCES/rsyslog-8.2102.0-rhbz2192955-es-doc.patch

@@ -0,0 +1,32 @@
+diff -up rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html.orig rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html
+--- rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html.orig	2023-05-11 15:56:24.308601241 +0200
++++ rsyslog-8.2102.0/doc/configuration/modules/omelasticsearch.html	2023-05-11 15:57:11.000662477 +0200
+@@ -156,6 +156,28 @@ this timeframe. Defaults to 3500.</p>
+ <p><em>Note, the health check is verifying connectivity only, not the state of
+ the Elasticsearch cluster.</em></p>
+ </div>
++
++<div class="section" id="esVersion.major">
++  <span id="id2"></span><h4>esVersion.major<a class="headerlink" href="#esVersion.major" title="Permalink to this headline">¶</a></h4>
++  <table border="1" class="colwidths-auto parameter-table docutils">
++  <thead valign="bottom">
++  <tr class="row-odd"><th class="head">type</th>
++  <th class="head">default</th>
++  <th class="head">mandatory</th>
++  <th class="head"><code class="docutils literal notranslate"><span class="pre">obsolete</span> <span class="pre">legacy</span></code> directive</th>
++  </tr>
++  </thead>
++  <tbody valign="top">
++  <tr class="row-even"><td>integer</td>
++  <td>0</td>
++  <td>no</td>
++  <td>none</td>
++  </tr>
++  </tbody>
++  </table>
++  <p>ElasticSearch is notoriously bad at maintaining backwards compatibility. For this reason, the setting can be used to configure the server’s major version number (e.g. 7, 8, …). As far as we know breaking changes only happen with major version changes. As of now, only value 8 triggers API changes. All other values select pre-version-8 API usage.</p>
++  </div>
++
+ <div class="section" id="searchindex">
+ <span id="id3"></span><h4>searchIndex<a class="headerlink" href="#searchindex" title="Permalink to this headline">¶</a></h4>
+ <table border="1" class="colwidths-auto parameter-table docutils">

SOURCES/rsyslog-8.2102.0-rhbz2216919-libcapng-default.patch

@@ -0,0 +1,109 @@
+diff -up rsyslog-8.2102.0/runtime/glbl.c.orig rsyslog-8.2102.0/runtime/glbl.c
+--- rsyslog-8.2102.0/runtime/glbl.c.orig	2023-06-27 08:20:45.265387162 +0200
++++ rsyslog-8.2102.0/runtime/glbl.c	2023-06-27 08:20:45.262387154 +0200
+@@ -230,7 +230,8 @@ static struct cnfparamdescr cnfparamdesc
+ 	{ "reverselookup.cache.ttl.enable", eCmdHdlrBinary, 0 },
+ 	{ "shutdown.queue.doublesize", eCmdHdlrBinary, 0 },
+ 	{ "debug.files", eCmdHdlrArray, 0 },
+-	{ "debug.whitelist", eCmdHdlrBinary, 0 }
++	{ "debug.whitelist", eCmdHdlrBinary, 0 },
++	{ "libcapng.default", eCmdHdlrBinary, 0 }
+ };
+ static struct cnfparamblk paramblk =
+ 	{ CNFPARAMBLK_VERSION,
+@@ -1315,6 +1316,13 @@ glblDoneLoadCnf(void)
+ 		if(!strcmp(paramblk.descr[i].name, "workdirectory")) {
+ 			cstr = (uchar*) es_str2cstr(cnfparamvals[i].val.d.estr, NULL);
+ 			setWorkDir(NULL, cstr);
++		} else if(!strcmp(paramblk.descr[i].name, "libcapng.default")) {
++#ifdef ENABLE_LIBCAPNG
++			loadConf->globals.bAbortOnFailedLibcapngSetup = (int) cnfparamvals[i].val.d.n;
++#else
++			LogError(0, RS_RET_ERR, "rsyslog wasn't "
++				"compiled with libcap-ng support.");
++#endif
+ 		} else if(!strcmp(paramblk.descr[i].name, "variables.casesensitive")) {
+ 			const int val = (int) cnfparamvals[i].val.d.n;
+ 			fjson_global_do_case_sensitive_comparison(val);
+diff -up rsyslog-8.2102.0/runtime/rsconf.c.orig rsyslog-8.2102.0/runtime/rsconf.c
+--- rsyslog-8.2102.0/runtime/rsconf.c.orig	2023-06-27 08:20:45.265387162 +0200
++++ rsyslog-8.2102.0/runtime/rsconf.c	2023-06-27 08:20:45.264387159 +0200
+@@ -146,6 +146,9 @@ int rsconfNeedDropPriv(rsconf_t *const c
+ 
+ static void cnfSetDefaults(rsconf_t *pThis)
+ {
++#ifdef ENABLE_LIBCAPNG
++	pThis->globals.bAbortOnFailedLibcapngSetup = 1;
++#endif
+ 	pThis->globals.bAbortOnUncleanConfig = 0;
+ 	pThis->globals.bReduceRepeatMsgs = 0;
+ 	pThis->globals.bDebugPrintTemplateList = 1;
+diff -up rsyslog-8.2102.0/runtime/rsconf.h.orig rsyslog-8.2102.0/runtime/rsconf.h
+--- rsyslog-8.2102.0/runtime/rsconf.h.orig	2023-06-27 08:20:45.265387162 +0200
++++ rsyslog-8.2102.0/runtime/rsconf.h	2023-06-27 08:20:45.260387149 +0200
+@@ -61,6 +61,9 @@ struct queuecnf_s {
+  * be re-set as often as the user likes).
+  */
+ struct globals_s {
++#ifdef ENABLE_LIBCAPNG
++	int bAbortOnFailedLibcapngSetup;
++#endif
+ 	int bDebugPrintTemplateList;
+ 	int bDebugPrintModuleList;
+ 	int bDebugPrintCfSysLineHandlerList;
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2023-06-27 08:20:45.245387109 +0200
++++ rsyslog-8.2102.0/tools/rsyslogd.c	2023-06-27 08:31:35.250120215 +0200
+@@ -2151,7 +2151,7 @@ main(int argc, char **argv)
+ 	/*
+ 	 * Drop capabilities to the necessary set
+ 	 */
+-	int capng_rc;
++	int capng_rc, capng_failed = 0;
+ 	capng_clear(CAPNG_SELECT_BOTH);
+ 
+ 	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+@@ -2161,10 +2161,9 @@ main(int argc, char **argv)
+ 		CAP_LEASE,
+ 		CAP_NET_ADMIN,
+ 		CAP_NET_BIND_SERVICE,
++		CAP_DAC_OVERRIDE,
+ 		CAP_SETGID,
+ 		CAP_SETUID,
+-		CAP_DAC_OVERRIDE,
+-		CAP_NET_RAW,
+ 		CAP_SYS_ADMIN,
+ 		CAP_SYS_CHROOT,
+ 		CAP_SYS_RESOURCE,
+@@ -2173,17 +2172,25 @@ main(int argc, char **argv)
+ 	)) != 0) {
+ 		LogError(0, RS_RET_LIBCAPNG_ERR,
+ 				"could not update the internal posix capabilities settings "
+-				"based on the options passed to it, capng_updatev=%d\n", capng_rc);
+-		exit(-1);
++				"based on the options passed to it, capng_updatev=%d", capng_rc);
++		capng_failed = 1;
+ 	}
+ 
+ 	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+ 		LogError(0, RS_RET_LIBCAPNG_ERR,
+-			"could not transfer  the  specified  internal posix  capabilities "
+-			"settings to the kernel, capng_apply=%d\n", capng_rc);
+-		exit(-1);
++			"could not transfer the specified internal posix capabilities "
++			"settings to the kernel, capng_apply=%d", capng_rc);
++		capng_failed = 1;
++	}
++
++	if (capng_failed) {
++		DBGPRINTF("Capabilities were not dropped successfully.\n");
++		if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
++			exit(RS_RET_LIBCAPNG_ERR);
++		}
++	} else {
++		DBGPRINTF("Capabilities were dropped successfully\n");
+ 	}
+-	DBGPRINTF("Capabilities were dropped successfully\n");
+ #endif
+ 
+ 	initAll(argc, argv);

SOURCES/rsyslog-8.2102.0-rhbz2216919-libcapng-no-drop.patch

@@ -0,0 +1,145 @@
+diff -up rsyslog-8.2102.0/tools/rsyslogd.c.orig rsyslog-8.2102.0/tools/rsyslogd.c
+--- rsyslog-8.2102.0/tools/rsyslogd.c.orig	2023-06-27 08:56:27.321174891 +0200
++++ rsyslog-8.2102.0/tools/rsyslogd.c	2023-06-27 08:58:17.977481782 +0200
+@@ -1557,6 +1557,88 @@ initAll(int argc, char **argv)
+ 	resetErrMsgsFlag();
+ 	localRet = rsconf.Load(&ourConf, ConfFile);
+ 
++	#ifdef ENABLE_LIBCAPNG
++	/*
++	 * Drop capabilities to the necessary set
++	 */
++	int capng_rc, capng_failed = 0;
++	typedef struct capabilities_s {
++		int capability; /* capability code */
++		const char *name; /* name of the capability to be displayed */
++		sbool present; /* is the capability present that is needed by rsyslog? if so we do not drop it */
++	} capabilities_t;
++
++	capabilities_t capabilities[] = {
++		#define CAP_FIELD(code) { code, #code,  0 }
++		CAP_FIELD(CAP_BLOCK_SUSPEND),
++		CAP_FIELD(CAP_CHOWN),
++		CAP_FIELD(CAP_IPC_LOCK),
++		CAP_FIELD(CAP_LEASE),
++		CAP_FIELD(CAP_NET_ADMIN),
++		CAP_FIELD(CAP_NET_BIND_SERVICE),
++		CAP_FIELD(CAP_DAC_OVERRIDE),
++		CAP_FIELD(CAP_SETGID),
++		CAP_FIELD(CAP_SETUID),
++		CAP_FIELD(CAP_SYS_ADMIN),
++		CAP_FIELD(CAP_SYS_CHROOT),
++		CAP_FIELD(CAP_SYS_RESOURCE),
++		CAP_FIELD(CAP_SYSLOG)
++		#undef CAP_FIELD
++	};
++
++	if (capng_have_capabilities(CAPNG_SELECT_CAPS) > CAPNG_NONE) {
++		/* Examine which capabilities are available to us, so we do not try to
++		   drop something that is not present. We need to do this in two steps,
++		   because capng_clear clears the capability set. In the second step,
++		   we add back those caps, which were present before clearing the selected
++		   posix capabilities set.
++		*/
++		unsigned long caps_len = sizeof(capabilities) / sizeof(capabilities_t);
++		for (unsigned long i = 0; i < caps_len; i++) {
++			if (capng_have_capability(CAPNG_EFFECTIVE, capabilities[i].capability)) {
++				capabilities[i].present = 1;
++			}
++		}
++
++		capng_clear(CAPNG_SELECT_BOTH);
++
++		for (unsigned long i = 0; i < caps_len; i++) {
++			if (capabilities[i].present) {
++				DBGPRINTF("The %s capability is present, "
++					"will try to preserve it.\n", capabilities[i].name);
++				if ((capng_rc = capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
++				capabilities[i].capability)) != 0) {
++					LogError(0, RS_RET_LIBCAPNG_ERR,
++							"could not update the internal posix capabilities settings "
++							"based on the options passed to it, capng_update=%d", capng_rc);
++					capng_failed = 1;
++				}
++			} else {
++				DBGPRINTF("The %s capability is not present, "
++					"will not try to preserve it.\n", capabilities[i].name);
++			}
++		}
++
++		if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
++			LogError(0, RS_RET_LIBCAPNG_ERR,
++				"could not transfer the specified internal posix capabilities "
++				"settings to the kernel, capng_apply=%d", capng_rc);
++			capng_failed = 1;
++		}
++
++		if (capng_failed) {
++			DBGPRINTF("Capabilities were not dropped successfully.\n");
++			if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
++				ABORT_FINALIZE(RS_RET_LIBCAPNG_ERR);
++			}
++		} else {
++			DBGPRINTF("Capabilities were dropped successfully\n");
++		}
++	} else {
++		DBGPRINTF("No capabilities to drop\n");
++	}
++#endif
++
+ 	if(fp_rs_full_conf_output != NULL) {
+ 		if(fp_rs_full_conf_output != stdout) {
+ 			fclose(fp_rs_full_conf_output);
+@@ -2147,52 +2229,6 @@ main(int argc, char **argv)
+ 		bProcessInternalMessages = 1;
+ 	dbgClassInit();
+ 
+-#ifdef ENABLE_LIBCAPNG
+-	/*
+-	 * Drop capabilities to the necessary set
+-	 */
+-	int capng_rc, capng_failed = 0;
+-	capng_clear(CAPNG_SELECT_BOTH);
+-
+-	if ((capng_rc = capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+-		CAP_BLOCK_SUSPEND,
+-		CAP_CHOWN,
+-		CAP_IPC_LOCK,
+-		CAP_LEASE,
+-		CAP_NET_ADMIN,
+-		CAP_NET_BIND_SERVICE,
+-		CAP_DAC_OVERRIDE,
+-		CAP_SETGID,
+-		CAP_SETUID,
+-		CAP_SYS_ADMIN,
+-		CAP_SYS_CHROOT,
+-		CAP_SYS_RESOURCE,
+-		CAP_SYSLOG,
+-		-1
+-	)) != 0) {
+-		LogError(0, RS_RET_LIBCAPNG_ERR,
+-				"could not update the internal posix capabilities settings "
+-				"based on the options passed to it, capng_updatev=%d", capng_rc);
+-		capng_failed = 1;
+-	}
+-
+-	if ((capng_rc = capng_apply(CAPNG_SELECT_BOTH)) != 0) {
+-		LogError(0, RS_RET_LIBCAPNG_ERR,
+-			"could not transfer the specified internal posix capabilities "
+-			"settings to the kernel, capng_apply=%d", capng_rc);
+-		capng_failed = 1;
+-	}
+-
+-	if (capng_failed) {
+-		DBGPRINTF("Capabilities were not dropped successfully.\n");
+-		if (loadConf->globals.bAbortOnFailedLibcapngSetup) {
+-			exit(RS_RET_LIBCAPNG_ERR);
+-		}
+-	} else {
+-		DBGPRINTF("Capabilities were dropped successfully\n");
+-	}
+-#endif
+-
+ 	initAll(argc, argv);
+ #ifdef HAVE_LIBSYSTEMD
+ 	sd_notify(0, "READY=1");

SOURCES/rsyslog-8.2310.0-do-not-preserve-statefile-on-file-move-doc.patch

@@ -1,42 +0,0 @@
-diff -up rsyslog-8.2310.0/doc/configuration/modules/imfile.html.orig rsyslog-8.2310.0/doc/configuration/modules/imfile.html
---- rsyslog-8.2310.0/doc/configuration/modules/imfile.html.orig	2023-11-06 09:34:00.022802039 +0100
-+++ rsyslog-8.2310.0/doc/configuration/modules/imfile.html	2023-11-06 09:37:02.086613055 +0100
-@@ -293,6 +293,30 @@ rsyslog needs write permissions to work
- also might require SELinux definitions (or similar for other enhanced security
- systems).</p>
- </div>
-+
-+<div class="section" id="deletestateonfilemove">
-+  <h4>deleteStateOnFileMove<a class="headerlink" href="#deletestateonfilemove" title="Permalink to this headline">¶</a></h4>
-+  <table border="1" class="colwidths-auto parameter-table docutils">
-+  <thead valign="bottom">
-+  <tr class="row-odd"><th class="head">type</th>
-+  <th class="head">default</th>
-+  <th class="head">mandatory</th>
-+  <th class="head"><code class="docutils literal notranslate"><span class="pre">obsolete</span> <span class="pre">legacy</span></code> directive</th>
-+  </tr>
-+  </thead>
-+  <tbody valign="top">
-+  <tr class="row-even"><td>binary</td>
-+  <td>off</td>
-+  <td>no</td>
-+  <td>none</td>
-+  </tr>
-+  </tbody>
-+  </table>
-+  <p>This parameter controls if state files are deleted if their associated main file is rotated via move. Usually, this is a good idea, because otherwise state files are not deleted when log rotation occurs.</p>
-+
-+<p>However, there is one situation where not deleting associated state file after log rotation makes sense: this is the case if a monitored file is later moved back to the same location as it was before.</p>
-+</div>
-+
- </div>
- <div class="section" id="input-parameters">
- <h3>Input Parameters<a class="headerlink" href="#input-parameters" title="Permalink to this headline">¶</a></h3>
-@@ -1237,6 +1261,7 @@ and Others.</p>
- <li><a class="reference internal" href="#sortfiles">sortFiles</a></li>
- <li><a class="reference internal" href="#pollinginterval">PollingInterval</a></li>
- <li><a class="reference internal" href="#statefile-directory">statefile.directory</a></li>
-+<li><a class="reference internal" href="#deletestateonfilemove">deleteStateOnFileMove</a></li>
- </ul>
- </li>
- <li><a class="reference internal" href="#input-parameters">Input Parameters</a><ul>

SOURCES/rsyslog-8.2310.0-omprog-binary-path.patch

@@ -1,41 +0,0 @@
-diff -up rsyslog-8.2310.0/doc/configuration/modules/omprog.html.orig rsyslog-8.2310.0/doc/configuration/modules/omprog.html
---- rsyslog-8.2310.0/doc/configuration/modules/omprog.html.orig	2024-01-05 13:21:14.474252913 +0100
-+++ rsyslog-8.2310.0/doc/configuration/modules/omprog.html	2024-01-05 13:25:09.128562192 +0100
-@@ -144,8 +144,11 @@ passed to the external program.</p>
- </tr>
- </tbody>
- </table>
--<p>Full path and command line parameters of the external program to execute.</p>
--<p>In legacy config, it is <strong>not possible</strong> to specify command line parameters.</p>
-+<p>Full path and command line parameters of the external program to execute.
-+  Arbitrary external programs should be placed under the /usr/libexec/rsyslog directory.
-+  That is, the binaries put in this namespaced directory are meant for the consumption
-+  of rsyslog, and are not intended to be executed by users.
-+  In legacy config, it is <strong>not possible</strong> to specify command line parameters.</p>
- </div>
- <div class="section" id="confirmmessages">
- <span id="id1"></span><h4>confirmMessages<a class="headerlink" href="#confirmmessages" title="Permalink to this headline">¶</a></h4>
-@@ -587,12 +590,12 @@ multiple processes.</p>
- <div class="section" id="example-command-line-arguments">
- <h3>Example: command line arguments<a class="headerlink" href="#example-command-line-arguments" title="Permalink to this headline">¶</a></h3>
- <p>In the following example, logs will be sent to a program <code class="docutils literal notranslate"><span class="pre">log.sh</span></code> located
--in <code class="docutils literal notranslate"><span class="pre">/path/to</span></code>. The program will receive the command line arguments
-+in <code class="docutils literal notranslate"><span class="pre">/usr/libexec/rsyslog</span></code>. The program will receive the command line arguments
- <code class="docutils literal notranslate"><span class="pre">p1</span></code>, <code class="docutils literal notranslate"><span class="pre">p2</span></code> and <code class="docutils literal notranslate"><span class="pre">--param3=&quot;value</span> <span class="pre">3&quot;</span></code>.</p>
- <div class="highlight-none notranslate"><div class="highlight"><pre><span></span>module(load=&quot;omprog&quot;)
- 
- action(type=&quot;omprog&quot;
--       binary=&quot;/path/to/log.sh p1 p2 --param3=\&quot;value 3\&quot;&quot;
-+       binary=&quot;/usr/libexec/rsyslog/log.sh p1 p2 --param3=\&quot;value 3\&quot;&quot;
-        template=&quot;RSYSLOG_TraditionalFileFormat&quot;)
- </pre></div>
- </div>
-@@ -618,7 +621,7 @@ rsyslog will kill and restart it.</p>
- 
- action(type=&quot;omprog&quot;
-        name=&quot;db_forward&quot;
--       binary=&quot;/usr/share/logging/db_forward.py&quot;
-+       binary=&quot;/usr/libexec/rsyslog/db_forward.py&quot;
-        confirmMessages=&quot;on&quot;
-        confirmTimeout=&quot;30000&quot;
-        queue.type=&quot;LinkedList&quot;

SOURCES/rsyslog-8.2310.0-remove-state-on-file-delete.patch

@@ -1,11 +0,0 @@
-diff -up rsyslog-8.2310.0/plugins/imfile/imfile.c.orig rsyslog-8.2310.0/plugins/imfile/imfile.c
---- rsyslog-8.2310.0/plugins/imfile/imfile.c.orig	2023-11-03 12:19:39.179103408 +0100
-+++ rsyslog-8.2310.0/plugins/imfile/imfile.c	2023-11-03 12:19:54.228237199 +0100
-@@ -1162,6 +1162,7 @@ fs_node_destroy(fs_node_t *const node)
- 	DBGPRINTF("node destroy: %p edges:\n", node);
- 
- 	for(edge = node->edges ; edge != NULL ; ) {
-+		detect_updates(edge);
- 		fs_node_destroy(edge->node);
- 		fs_edge_t *const toDel = edge;
- 		edge = edge->next;

SOURCES/rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch

@@ -0,0 +1,30 @@
+diff -up rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig rsyslog-8.37.0/plugins/imptcp/imptcp.c
+--- rsyslog-8.37.0/plugins/imptcp/imptcp.c.orig	2022-05-09 12:22:59.050623119 +0200
++++ rsyslog-8.37.0/plugins/imptcp/imptcp.c	2022-05-09 12:34:39.979854853 +0200
+@@ -1032,7 +1032,10 @@ processDataRcvd(ptcpsess_t *const __rest
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
++			// *(pThis->pMsg + pThis->iMsg++) = c;
++			if(pThis->iMsg < iMaxLine) {
++				*(pThis->pMsg + pThis->iMsg++) = c;
++			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->peerName, &propPeerName, &lenPeerName);
+diff -up rsyslog-8.37.0/runtime/tcps_sess.c.orig rsyslog-8.37.0/runtime/tcps_sess.c
+--- rsyslog-8.37.0/runtime/tcps_sess.c.orig	2022-05-09 12:23:12.789627661 +0200
++++ rsyslog-8.37.0/runtime/tcps_sess.c	2022-05-09 12:36:51.426898549 +0200
+@@ -389,7 +389,10 @@ processDataRcvd(tcps_sess_t *pThis,
+ 			if(pThis->iOctetsRemain <= 200000000) {
+ 				pThis->iOctetsRemain = pThis->iOctetsRemain * 10 + c - '0';
+ 			}
+-			*(pThis->pMsg + pThis->iMsg++) = c;
++			// *(pThis->pMsg + pThis->iMsg++) = c;
++			if(pThis->iMsg < iMaxLine) {
++				*(pThis->pMsg + pThis->iMsg++) = c;
++			}
+ 		} else { /* done with the octet count, so this must be the SP terminator */
+ 			DBGPRINTF("TCP Message with octet-counter, size %d.\n", pThis->iOctetsRemain);
+ 			prop.GetString(pThis->fromHost, &propPeerName, &lenPeerName);

SOURCES/rsyslog.conf

@@ -19,7 +19,6 @@ module(load="imuxsock" 	  # provides support for local system logging (e.g. via
 			  # local messages are retrieved through imjournal now.
 module(load="imjournal" 	    # provides access to the systemd journal
        UsePid="system" # PID nummber is retrieved as the ID of the process the journal entry originates from
-       FileCreateMode="0644" # Set the access permissions for the state file
        StateFile="imjournal.state") # File to store the position in the journal
 #module(load="imklog") # reads kernel messages (the same are read from journald)
 #module(load="immark") # provides --MARK-- message capability

SPECS/rsyslog.spec

@@ -4,8 +4,8 @@
 
 Summary: Enhanced system logging and kernel message trapping daemon
 Name: rsyslog
-Version: 8.2310.0
-Release: 4%{?dist}
+Version: 8.2102.0
+Release: 117%{?dist}
 License: (GPLv3+ and ASL 2.0)
 URL: http://www.rsyslog.com/
 Source0: http://www.rsyslog.com/files/download/rsyslog/%{name}-%{version}.tar.gz
@@ -18,12 +18,38 @@ Source5: rsyslog.service
 # separatae sub-package with it statically linked(see rhbz#1713427)
 Source6: qpid-proton-0.39.0.tar.gz
 
-Patch1: rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag-v2.patch
-Patch2: rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch
-Patch3: rsyslog-8.2310.0-do-not-preserve-statefile-on-file-move.patch
-Patch4: rsyslog-8.2310.0-do-not-preserve-statefile-on-file-move-doc.patch
-Patch5: rsyslog-8.2310.0-remove-state-on-file-delete.patch
-Patch6: rsyslog-8.2310.0-omprog-binary-path.patch
+Patch0:  rsyslog-8.2102.0-rhbz2064318-errfile-maxsize-doc.patch
+Patch1:  rsyslog-8.1911.0-rhbz1659898-imjournal-default-tag.patch
+Patch2:  rsyslog-8.2102.0-rhbz1960536-fdleak-on-fsync.patch
+Patch3:  rsyslog-8.2102.0-rhbz1886400-reduce-default-timeout.patch
+Patch4:  rsyslog-8.2102.0-rhbz1984616-imuxsock-ratelimit.patch
+Patch5:  rsyslog-8.2102.0-rhbz1984489-remove-abort-on-id-resolution-fail.patch
+Patch6:  rsyslog-8.2102.0-rhbz1938863-covscan.patch
+Patch7:  rsyslog-8.2102.0-rhbz2021076-prioritize-SAN.patch
+Patch8:  rsyslog-8.2102.0-rhbz2064318-errfile-maxsize.patch
+Patch10: rsyslog-8.2102.0-rhbz1909639-statefiles-fix.patch
+Patch11: rsyslog-8.2102.0-rhbz1909639-statefiles-doc.patch
+Patch12: rsyslog-8.2102.0-rhbz2046158-gnutls-broken-connection.patch
+Patch13: rsyslog-8.37.0-rhbz2081396-CVE-2022-24903.patch
+Patch14: rsyslog-8.2102.0-rhbz2124849-extra-ca-files.patch
+Patch15: rsyslog-8.2102.0-rhbz2124849-extra-ca-files-doc.patch
+Patch16: rsyslog-8.2102.0-rhbz2127404-libcap-ng.patch
+Patch17: rsyslog-8.2102.0-rhbz2157658-imklog.patch
+Patch18: rsyslog-8.2102.0-capabilities-drop-credential.patch
+Patch19: rsyslog-8.2102.0-capabilities-capnetraw.patch
+Patch20: rsyslog-8.2102.0-rhbz2157804-cstrlen.patch
+Patch21: rsyslog-8.2102.0-rhbz2129015-journal-COMM.patch
+Patch22: rsyslog-8.2102.0-rhbz2192955-es-0.patch
+Patch23: rsyslog-8.2102.0-rhbz2192955-es-1.patch
+Patch24: rsyslog-8.2102.0-rhbz2192955-es-2.patch
+Patch25: rsyslog-8.2102.0-rhbz2192955-es-3.patch
+Patch26: rsyslog-8.2102.0-rhbz2192955-es-4.patch
+Patch27: rsyslog-8.2102.0-rhbz2192955-es-5.patch
+Patch28: rsyslog-8.2102.0-rhbz2192955-es-6.patch
+Patch29: rsyslog-8.2102.0-rhbz2192955-es-doc.patch
+Patch30: rsyslog-8.2102.0-rhbz2216919-libcapng-default.patch
+Patch31: rsyslog-8.2102.0-rhbz2216919-libcapng-no-drop.patch
+Patch32: rsyslog-8.2102.0-libcapng-no-cap-support2.patch
 
 BuildRequires: make
 BuildRequires: gcc
@@ -44,7 +70,7 @@ BuildRequires: systemd-devel >= 204-8
 BuildRequires: zlib-devel
 BuildRequires: libcap-ng-devel
 
-Conflicts: selinux-policy < 38.1.29-1
+Conflicts: selinux-policy < 38.1.3-1
 
 Recommends: %{name}-logrotate = %version-%release
 Requires: bash >= 2.0
@@ -252,6 +278,7 @@ container metadata.
 %prep
 # set up rsyslog-doc sources
 %setup -q -a 1 -T -c
+%patch0 -p1
 
 rm -r LICENSE README.md source build/objects.inv
 mv build doc
@@ -260,12 +287,37 @@ mv build doc
 # Unpack qpid-proton for rhel
 %setup -q -D -T -b 6
 
-%patch -P 1 -p1
-%patch -P 2 -p1
-%patch -P 3 -p1
-%patch -P 4 -p1
-%patch -P 5 -p1
-%patch -P 6 -p1
+%patch1  -p1 -b .default-tag
+%patch2  -p1 -b .fd-leak-on-fsync
+%patch3  -p1 -b .timeout
+%patch4  -p1 -b .imuxsock-rate-limit
+%patch5  -p1 -b .abort-on-id-resolution-fail
+%patch6  -p1 -b .covscan
+%patch7  -p1 -b .prioritize-SAN
+%patch8  -p1 -b .errfile-maxsize
+%patch10 -p1 -b .statefile-fix
+%patch11 -p1
+%patch12 -p1 -b .gnutls-broken-connection
+%patch13 -p1 -b .CVE
+%patch14 -p1 -b .extra-ca-files
+%patch15 -p1 -b .extra-ca-files-doc
+%patch16 -p1 -b .libcap-ng
+%patch17 -p1 -b .imklog-leak
+%patch18 -p1 -b .capabilities-drop-credential
+%patch19 -p1 -b .capabilities-capnetraw
+%patch20 -p1 -b .cstrlen
+%patch21 -p1 -b .journalCOMM
+%patch22 -p1 -b .es0
+%patch23 -p1 -b .es1
+%patch24 -p1 -b .es2
+%patch25 -p1 -b .es3
+%patch26 -p1 -b .es4
+%patch27 -p1 -b .es5
+%patch28 -p1 -b .es6
+%patch29 -p1 -b .es-doc
+%patch30 -p1
+%patch31 -p1
+%patch32 -p1
 
 %build
 # Add additional flags as per https://one.redhat.com/rhel-developer-guide/#_what_are_the_required_flags
@@ -370,7 +422,6 @@ install -d -m 755 %{buildroot}%{_sysconfdir}/rsyslog.d
 install -d -m 700 %{buildroot}%{rsyslog_statedir}
 install -d -m 700 %{buildroot}%{rsyslog_pkidir}
 install -d -m 755 %{buildroot}%{rsyslog_docdir}/html
-install -d -m 755 %{buildroot}%{_libexecdir}/%{name}
 
 install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/rsyslog.conf
 install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/rsyslog
@@ -415,7 +466,6 @@ done
 %dir %{_sysconfdir}/rsyslog.d
 %dir %{rsyslog_statedir}
 %dir %{rsyslog_pkidir}
-%dir %{_libexecdir}/%{name}
 %{_sbindir}/rsyslogd
 %{_mandir}/man5/rsyslog.conf.5.gz
 %{_mandir}/man8/rsyslogd.8.gz
@@ -529,24 +579,6 @@ done
 
 
 %changelog
-* Tue Dec 12 2023 Attila Lakatos <alakatos@redhat.com> - 8.2310.0-4
-- new directory for arbitrary external programs needed by omprog module
-  Resolves: RHEL-8676
-
-* Mon Nov 06 2023 Attila Lakatos <alakatos@redhat.com> - 8.2310.0-3
-- Rebase to 8.2310.0
-  Resolves: RHEL-5196
-- Allow setting certificates for separate connections
-  Resolves: RHEL-937
-- Capability dropping feature can be turned off
-  Resolves: RHEL-943
-- imjournal: new module parameter filecreatemode
-  Resolves: RHEL-949
-
-* Wed Sep 06 2023 Patrik Koncity <pkoncity@redhat.com> - 8.2102.0-118
-- Add rsyslog CI for new MR in c9s
-  Resolves: RHEL-608
-
 * Fri Jul 28 2023 Attila Lakatos <alakatos@redhat.com> - 8.2102.0-117
 - Add back CAP_NET_RAW capability due to omudpspoof
   resolves: rhbz#2216919