Ubuntu
rsyslog package

Merge ~xypron/ubuntu/+source/rsyslog:merge-lp2045033-noble-8.2312.0-2 into ubuntu/+source/rsyslog:debian/sid

Proposed by Heinrich Schuchardt on 2024-01-03

Status:

Superseded

Proposed branch:

~xypron/ubuntu/+source/rsyslog:merge-lp2045033-noble-8.2312.0-2

Merge into:

ubuntu/+source/rsyslog:debian/sid

Diff against target:

3196 lines (+2584/-43)

37 files modified

debian/00rsyslog.conf (+12/-0)
debian/50-default.conf (+48/-0)
debian/NEWS (+30/-0)
debian/README.apparmor (+132/-0)
debian/README.apparmor.rsyslog.d (+16/-0)
debian/apparmor/rsyslog-gnutls.apparmor (+3/-0)
debian/apparmor/rsyslog-mysql.apparmor (+20/-0)
debian/apparmor/rsyslog-openssl.apparmor (+3/-0)
debian/apparmor/rsyslog-pgsql.apparmor (+9/-0)
debian/changelog (+1788/-0)
debian/clean (+6/-0)
debian/control (+7/-2)
debian/dmesg.service (+13/-0)
debian/patches/omusrmsg-bugfix-potential-double-free-which-can-caus.patch (+69/-0)
debian/patches/series (+1/-0)
debian/reload-apparmor-profile (+14/-0)
debian/rsyslog-gnutls.install (+1/-0)
debian/rsyslog-mysql.install (+1/-0)
debian/rsyslog-openssl.install (+1/-0)
debian/rsyslog-pgsql.install (+1/-0)
debian/rsyslog.conf (+10/-26)
debian/rsyslog.dirs (+1/-0)
debian/rsyslog.docs (+1/-0)
debian/rsyslog.install (+6/-1)
debian/rsyslog.logcheck.ignore.server (+3/-0)
debian/rsyslog.postinst (+29/-0)
debian/rsyslog.postrm (+13/-0)
debian/rsyslog.service (+4/-8)
debian/rules (+8/-2)
debian/tests/apparmor-include-mechanism (+92/-0)
debian/tests/control (+20/-0)
debian/tests/logcheck (+13/-4)
debian/tests/simple-logger (+24/-0)
debian/tests/simple-mysql (+29/-0)
debian/tests/simple-pgsql (+25/-0)
debian/tests/utils (+76/-0)
debian/usr.sbin.rsyslogd (+55/-0)

Related bugs:

Bug #2028935: Merge rsyslog 8.2306.0-2

Undecided

Fix Released

Link a bug report

Reviewer	Date Requested	Status
Nick Rosbrook (community)		Needs Fixing on 2024-01-05
Ubuntu Sponsors	2024-01-03	Pending
git-ubuntu import	2024-01-03	Pending
Review via email: mp+457913@code.launchpad.net

This proposal has been superseded by a proposal from 2024-01-06.

Revision history for this message

Nick Rosbrook (enr0n) wrote on 2024-01-05:

The new changes look good to me. My only comments are about the changelog. I'm not sure if it really matters, but I think it would be best to follow the usual conventions, e.g.

* Merge with Debian unstable (LP: #2045033). Remaining changes:

instead of:

Merge with Debian unstable (LP: #2045033)

* Remaining changes:

Also, since you dropped a change, it would be good to elaborate briefly on why it was dropped. In this case it looks like Debian made the same change, so I would say something like:

* Dropped changes, included in Debian:
...

Finally, you have two of each "merge-changelogs" and "reconstruct-changelog" commits which is odd. If you make manual changes to the changelog, I think the convention is to name the commit "update changelog" or simply "changelog".

review: Needs Fixing

Unmerged commits

ed3634b... by Heinrich Schuchardt on 2024-01-03

update changelog

Signed-off-by: Heinrich Schuchardt <email address hidden>

0307c87... by Heinrich Schuchardt on 2024-01-03

merge-changelogs

61082ac... by Heinrich Schuchardt on 2024-01-03

reconstruct-changelog

cf8759e... by Heinrich Schuchardt on 2024-01-03

merge-changelogs

66275f3... by Nick Rosbrook on 2023-07-03

update-maintainer

e33b992... by Heinrich Schuchardt on 2023-12-14

ubuntu: fix double free in tools/omusrmsg.c

omusrmsg frees a string which points to OS/system library memory. When
the os/libs clean up, it frees the memory as well. This results in a
double free.

d/p/omusrmsg-bugfix-potential-double-free-which-can-caus.patch

Signed-off-by: Heinrich Schuchardt <email address hidden>

233598d... by Heinrich Schuchardt on 2023-12-13

ubuntu: adjust sandboxing

While Debian runs the rsyslog service as root we use user syslog and group
syslog. The sandboxing rules that Debian added are not compatible with
this.

Remove:

- PrivateTmp=yes
- PrivateDevices=yes
- ProtectSystem=full
- ProtectKernelTunables=yes
- ProtectKernelModules=yes
- ProtectControlGroups=yes

Change:

- ProtectHome=yes -> ProtectHome=readonly

Signed-off-by: Heinrich Schuchardt <email address hidden>

963fc51... by Heinrich Schuchardt on 2023-12-13

ubuntu: add CAP_MAC_ADMIN, CAP_SETUID, CAP_SETGID

While Debian runs the rsyslog service as root we use user syslog and group
syslog. Dropping from root requires CAP_SETUID and CAP_SETGID.

CAP_MAC_ADMIN is needed for reloading the apparmor profile via
ExecStartPre.

Signed-off-by: Heinrich Schuchardt <email address hidden>

3ec26ec... by Lukas Märdian on 2023-09-05

Amend list of expected messages d/rsyslog.logcheck.ignore.server

to fix armhf autopkgtest (LP: #2028935)

7f4c622... by Heinrich Schuchardt on 2023-08-23

ubuntu: fix debian/tests/logcheck - timing

When stopping rsyslogd allow some time to finish writing the log file.

Ensure that we evaluate the log written by rsyslogd and collected via
journalctl for the same time interval.

Signed-off-by: Heinrich Schuchardt <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Heinrich Schuchardt

git-ubuntu developers

Ubuntu
rsyslog package

Merge ~xypron/ubuntu/+source/rsyslog:merge-lp2045033-noble-8.2312.0-2 into ubuntu/+source/rsyslog:debian/sid

Commit message

Description of the change

Unmerged commits

Preview Diff

Subscribers

 diff --git a/debian/00rsyslog.conf b/debian/00rsyslog.conf
 new file mode 100644
 index 0000000..0eafde1
 --- /dev/null
 +++ b/debian/00rsyslog.conf
@@ -0,0 +1,12 @@
++# Override systemd's default tmpfiles.d/var.conf to make /var/log writable by
++# the syslog group, so that rsyslog can run as user.
++# See tmpfiles.d(5) for details.
++
++# Type Path    Mode UID  GID  Age Argument
++z /var/log 0775 root syslog -
++z /var/log/auth.log 0640 syslog adm -
++z /var/log/mail.err 0640 syslog adm -
++z /var/log/mail.log 0640 syslog adm -
++z /var/log/kern.log 0640 syslog adm -
++z /var/log/syslog 0640 syslog adm -
++d /var/spool/rsyslog 0700 syslog adm -
 diff --git a/debian/50-default.conf b/debian/50-default.conf
 new file mode 100644
 index 0000000..56217be
 --- /dev/null
 +++ b/debian/50-default.conf
@@ -0,0 +1,48 @@
++#  Default rules for rsyslog.
++#
++#			For more information see rsyslog.conf(5) and /etc/rsyslog.conf
++
++#
++# First some standard log files.  Log by facility.
++#
++auth,authpriv.*			/var/log/auth.log
++*.*;auth,authpriv.none		-/var/log/syslog
++#cron.*				/var/log/cron.log
++#daemon.*			-/var/log/daemon.log
++kern.*				-/var/log/kern.log
++#lpr.*				-/var/log/lpr.log
++mail.*				-/var/log/mail.log
++#user.*				-/var/log/user.log
++
++#
++# Logging for the mail system.  Split it up so that
++# it is easy to write scripts to parse these files.
++#
++#mail.info			-/var/log/mail.info
++#mail.warn			-/var/log/mail.warn
++mail.err			/var/log/mail.err
++
++#
++# Some "catch-all" log files.
++#
++#*.=debug;\
++#	auth,authpriv.none;\
++#	news.none;mail.none	-/var/log/debug
++#*.=info;*.=notice;*.=warn;\
++#	auth,authpriv.none;\
++#	cron,daemon.none;\
++#	mail,news.none		-/var/log/messages
++
++#
++# Emergencies are sent to everybody logged in.
++#
++*.emerg				:omusrmsg:*
++
++#
++# I like to have messages displayed on the console, but only on a virtual
++# console I usually leave idle.
++#
++#daemon,mail.*;\
++#	news.=crit;news.=err;news.=notice;\
++#	*.=debug;*.=info;\
++#	*.=notice;*.=warn	/dev/tty8
 diff --git a/debian/NEWS b/debian/NEWS
 index 085d921..bf860ba 100644
 --- a/debian/NEWS
 +++ b/debian/NEWS
@@ -28,6 +28,36 @@ rsyslog (8.2310.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Tue, 10 Oct 2023 17:03:41 +0200
++rsyslog (8.2210.0-3ubuntu2) lunar; urgency=medium
++
++  The apparmor profile of rsyslog now defaults to be enforced on a fresh
++  install and upgrades from an earlier version. Upgrades from this version
++  forward won't change the enforcement status.
++
++  Packages that add an rsyslog configuration that might be blocked by the
++  apparmor profile, can add an apparmor configuration snippet in
++
++  /etc/apparmor.d/rsyslog.d/
++
++  This file should preferably be named like <pkg>.apparmor, but only standard
++  backup extensions are excluded. See
++  https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L68
++  for a list.
++
++  When the rsyslog service is started, its systemd unit file first executes
++  the /usr/lib/rsyslog/reload-apparmor-profile script via ExecStartPre. That
++  script will reload the rsyslogd apparmor profile including the configuration
++  snippets in /etc/apparmor.d/rsyslogd.d/, if any.
++
++  The confinement status is not changed.
++
++  After this, the unit proceeds to start rsyslog as usual.
++
++  For more information, check the README.apparmor file in the documentation
++  directory of this package.
++
++ -- Andreas Hasenack <andreas@canonical.com>  Sun, 05 Feb 2023 15:42:31 -0300
++
  rsyslog (5.8.1-1) unstable; urgency=low
    The way rsyslog processes SIGHUP has changed. It no longer does a reload
 diff --git a/debian/README.apparmor b/debian/README.apparmor
 new file mode 100644
 index 0000000..ab5e706
 --- /dev/null
 +++ b/debian/README.apparmor
@@ -0,0 +1,132 @@
++# rsyslog and AppArmor
++
++Starting with version 8.2210.0-3ubuntu2, on fresh installs and upgrades from
++earlier versions, rsyslog will be confined by default with AppArmor in enforce
++mode.
++
++The AppArmor profile for rsyslog has a static component, and a dynamic one. It
++all starts with the main profile in `/etc/apparmor.d/usr.sbin.rsyslogd`. That
++profile has an include directive for the dynamic component in
++`/etc/apparmor.d/rsyslog.d`:
++
++    # apparmor snippets for rsyslog from other packages
++    include if exists <rsyslog.d>
++
++All files placed in `/etc/apparmor.d/rsyslog.d` will be included, with the
++exception of standard backup files like files ending in `~`, or with a suffix
++generated by `dpkg` when there was a config file prompt. The full list of
++exclusions is not really documented, but can be inspected in the source code at
++https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L65.
++A `README` file is also ignored.
++
++When `rsyslog` is started, it will reload the apparmor profile, including all
++the snippets that may exist in the `rsyslog.d` include directory. This is done
++via a `ExecStartPre` call in the systemd unit file:
++
++    [Service]
++    Type=notify
++    ExecStartPre=/usr/lib/rsyslog/reload-apparmor-profile
++    ExecStart=/usr/sbin/rsyslogd -n -iNONE
++    ...
++
++Packages (and users) can place apparmor profile config file snippets in
++`/etc/apparmor.d/rsyslog.d/`. It is suggested that the filename be in the form
++of `<pkg>.apparmor`.
++
++For example, the `rsyslog-pgsql` debian package installs this file
++`/etc/apparmor.d/rsyslog.d/rsyslog-pgsql.apparmor`:
++
++    # PostgreSQL local access
++    include <abstractions/openssl>
++    include <abstractions/ssl_certs>
++    /etc/gss/mech.d/ r,
++    /etc/gss/mech.d/* r,
++    /{,var/}run/postgresql/.s.PGSQL.*[0-9] rw,
++
++When `rsyslog` starts, the `reload-apparmor-profile` will run and
++reload the `rsyslogd` apparmor profile just before rsyslogd itself is
++started. Note that the enforcement status of the profile (enforce, complain) is
++not changed.
++
++
++# Troubleshooting
++
++When rsyslog gets something denied, particularly if it's in an output module,
++it will retry a few times and eventually give up. It usually won´t crash, so
++the only way to notice something is wrong is by inspecting the logs, or, well,
++by noticing something isn't working, like logging to a database.
++
++Here are the most useful troubleshooting tips.
++
++
++## Watch the logs
++
++Look for rsyslog errors in the logs, particularly `/var/log/syslog`, or via
++`journalctl -u rsyslog.service -f`. For example, when it can't connect to a
++local MySQL server, messages like these will appear:
++
++    Jan 31 17:27:15 sender rsyslogd[82257]: ommysql: db error (2002): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (13)  [v8.2210.0]
++    Jan 31 17:27:15 sender rsyslogd[82257]: action 'action-8-ommysql' suspended (module 'ommysql'), retry 0. There should be messages before this one giving the reason for suspe>
++
++
++## Inspect dmesg/apparmor
++
++If the rsyslog apparmor profile is interfering with rsyslog, there will be
++messages about it in the `dmesg` output (or in the audit log, if `auditd` is
++installed). For example, for the mysql case:
++
++    [Tue Feb  7 12:35:28 2023] audit: type=1400 audit(1675773329.453:84): apparmor="DENIED" operation="connect" class="file" profile="rsyslogd" name="/run/mysqld/mysqld.sock" pid=15495 comm=72733A6D61696E20513A526567 requested_mask="wr" denied_mask="wr" fsuid=101 ouid=107
++
++Since the rsyslog apparmor profile now may include multiple files from
++`/etc/apparmor.d/rsyslog.d`, it helps to visualize the whole profile as one
++file. The `apparmor_parser` command can be used for that with the `-p` option:
++
++    # apparmor_parser -p /etc/apparmor.d/usr.sbin.rsyslogd
++    ...
++    ##included <rsyslog.d/rsyslog-mysql.apparmor>
++    # MySQL local server access
++    ...
++
++This will show all included files, including abstractions.
++
++
++# Example
++
++Here is an example of what it would look like to adapt a package that ships a
++rsyslog configuration that needs the rsyslog apparmor profile to be adjusted.
++
++The `prometheus-postfix-exporter` adds an rsyslog config that has it write logs
++to `/var/lib/prometheus/postfix-exporter/mail.log`, which is not allowed by the
++base rsyslog apparmor profile.
++
++This is what the fix for this package would look like:
++
++```diff
++
++diff --git a/debian/dirs b/debian/dirs
++index 6d3533d..50d9ad8 100644
++--- a/debian/dirs
+++++ b/debian/dirs
++@@ -1,3 +1,4 @@
++ etc/rsyslog.d
+++etc/apparmor.d/rsyslog.d
++ var/lib/prometheus/postfix-exporter
++ var/log/prometheus
++diff --git a/debian/rsyslog-prometheus-postfix-exporter.apparmor b/debian/rsyslog-prometheus-postfix-exporter.apparmor
++new file mode 100644
++index 0000000..1b9f85f
++--- /dev/null
+++++ b/debian/rsyslog-prometheus-postfix-exporter.apparmor
++@@ -0,0 +1 @@
+++  /var/lib/prometheus/postfix-exporter/mail.log rw,
++diff --git a/debian/rules b/debian/rules
++index e8ce2f9..ffcf383 100755
++--- a/debian/rules
+++++ b/debian/rules
++@@ -16,3 +16,5 @@ override_dh_auto_install:
++ 	dh_auto_install -- --no-source
++ 	install -m644 debian/rsyslog.conf \
++             debian/$(BINNAME)/etc/rsyslog.d/$(BINNAME).conf
+++	install -m644 debian/rsyslog-prometheus-postfix-exporter.apparmor \
+++			debian/$(BINNAME)/etc/apparmor.d/rsyslog.d
++```
 diff --git a/debian/README.apparmor.rsyslog.d b/debian/README.apparmor.rsyslog.d
 new file mode 100644
 index 0000000..030b9b9
 --- /dev/null
 +++ b/debian/README.apparmor.rsyslog.d
@@ -0,0 +1,16 @@
++# This directory is meant to be used by packages that need to augment the
++# existing rsyslogd profile with extra rules.  All files in here will be
++# included by the /etc/apparmor.d/usr.sbin.rsyslogd profile, subject to the
++# exclusion rules defined in
++#
++# https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L65
++#
++# and
++#
++# https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L132
++#
++# Please check the README.apparmor file in the documentation directory of the
++# rsyslog package for more information.
++#
++# For the usual overrides and other additions by local administrators, please
++# use the /etc/apparmor.d/local/ mechanism.
 diff --git a/debian/apparmor/rsyslog-gnutls.apparmor b/debian/apparmor/rsyslog-gnutls.apparmor
 new file mode 100644
 index 0000000..9d5147e
 --- /dev/null
 +++ b/debian/apparmor/rsyslog-gnutls.apparmor
@@ -0,0 +1,3 @@
++# GnuTLS library rules
++
++  /etc/gnutls/config r,
 diff --git a/debian/apparmor/rsyslog-mysql.apparmor b/debian/apparmor/rsyslog-mysql.apparmor
 new file mode 100644
 index 0000000..0f9ad34
 --- /dev/null
 +++ b/debian/apparmor/rsyslog-mysql.apparmor
@@ -0,0 +1,20 @@
++# MySQL local server access
++
++include <abstractions/openssl>
++
++/etc/mysql/my.cnf r,
++/etc/mysql/mysql.cnf r,
++/etc/mysql/my.cnf.fallback r,
++
++/etc/mysql/conf.d/ r,
++/etc/mysql/conf.d/mysql.cnf r,
++/etc/mysql/conf.d/mysqldump.cnf r,
++
++/etc/mysql/mysql.conf.d/ r,
++/etc/mysql/mysql.conf.d/mysql.cnf r,
++/etc/mysql/mysql.conf.d/mysqld.cnf r,
++
++/usr/share/mysql/charsets/Index.xml r,
++
++/{,var/}run/mysqld/mysqld.sock rw,
++
 diff --git a/debian/apparmor/rsyslog-openssl.apparmor b/debian/apparmor/rsyslog-openssl.apparmor
 new file mode 100644
 index 0000000..f561b40
 --- /dev/null
 +++ b/debian/apparmor/rsyslog-openssl.apparmor
@@ -0,0 +1,3 @@
++# OpenSSL library rules
++
++  /etc/ssl/openssl.cnf r,
 diff --git a/debian/apparmor/rsyslog-pgsql.apparmor b/debian/apparmor/rsyslog-pgsql.apparmor
 new file mode 100644
 index 0000000..3111a70
 --- /dev/null
 +++ b/debian/apparmor/rsyslog-pgsql.apparmor
@@ -0,0 +1,9 @@
++# PostgreSQL local access
++
++include <abstractions/openssl>
++include <abstractions/ssl_certs>
++
++/etc/gss/mech.d/ r,
++/etc/gss/mech.d/* r,
++/{,var/}run/postgresql/.s.PGSQL.*[0-9] rw,
++
 diff --git a/debian/changelog b/debian/changelog
 index 1cc1817..a4f313c 100644
 --- a/debian/changelog
 +++ b/debian/changelog
@@ -1,3 +1,83 @@
++rsyslog (8.2312.0-2ubuntu1) noble; urgency=medium
++
++  Merge with Debian unstable (LP: #2045033). Remaining changes:
++    - d/00rsyslog.conf, d/rsyslog.postinst, d/rsyslog.install: Install
++      tmpfiles.d snippet to ensure that the syslog group can write into
++      /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as syslog:syslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add AppArmor profile, enabled by default, with support for
++      AppArmor configuration snippets:
++      + d/rsyslog.install: install apparmor rule
++      + d/rsyslog.postinst: remove disabling of apparmor on upgrades if
++        we are upgrading from a version older than $now.
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3), Build-Depends on
++        dh-apparmor
++      + d/rsyslog.dirs: install /etc/apparmor.d/rsyslog.d
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + d/{apparmor/rsyslog-mysql,rsyslog-mysql.install}: add apparmor
++        profile for mysql plugin
++      + d/{apparmor/rsyslog-pgsql,rsyslog-pgsql.install}: add apparmor
++        profile for postgresql plugin
++      + d/{apparmor/rsyslog-gnutls.apparmor,rsyslog-gnutls.install}: add
++        apparmor profile for the gnutls plugin
++      + d/{apparmor/rsyslog-openssl.apparmor,rsyslog-gnutls.install}: add
++        apparmor profile for the openssl plugin
++      + New script to reload apparmor profile:
++        - d/rsyslog.service: reload apparmor profile in ExecStartPre and
++          set StandardError to journal so we can see errors from the
++          script
++        - d/rsyslog.install: install reload-apparmor-profile
++        - d/reload-apparmor-profile: script to reload the
++          rsyslogd apparmor profile
++      + d/NEWS: add info about apparmor changes in the Ubuntu packaging
++      + d/rsyslog.docs, d/README.apparmor: explains how the dynamic
++        component of the rsyslog apparmor profile is applied
++      + d/README.apparmor.rsyslog.d, d/rsyslog.install: install a specific
++        README file in the apparmor include directory for rsyslog
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop [mm|pm]normalize modules, depending on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize & --enable-pmnormalize
++      + d/rsyslog.install: remove mmnormalize
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - d/dmesg.service, d/rsyslog.install: provide /var/log/dmesg.log as
++      non log-rotated log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++    - Add DEP8 tests (LP #1906333): + d/t/control, d/t/simple-logger:
++      simple logger test
++    + d/t/utils: common function(s)
++    + d/t/control, d/t/simple-mysql: DEP8 test using rsyslog with a MySQL server
++    + d/t/control, d/t/simple-pgsql: DEP8 test using rsyslog with a PostgreSQL server
++    + d/t/apparmor-include-mechanism: DEP8 test for the rsyslog.d include mechanism used by the rsyslog apparmor profile
++    + ubuntu: update debian/rsyslog.logcheck.ignore.server
++    + Amend list of expected messages d/rsyslog.logcheck.ignore.server
++      to fix6 armhf autopkgtest (LP #2028935)
++
++  * New changes:
++    + ubuntu: add CAP_MAC_ADMIN, CAP_SETUID, CAP_SETGID
++    + ubuntu: adjust sandboxing
++    + d/p/omusrmsg-bugfix-potential-double-free-which-can-caus.patch
++
++  * Dropped changes, included in Debian:
++    + ubuntu: fix debian/tests/logcheck - apparmor restrictions
++
++ -- Heinrich Schuchardt <heinrich.schuchardt@canonical.com>  Wed, 03 Jan 2024 14:20:22 +0100
++
  rsyslog (8.2312.0-2) unstable; urgency=medium
    * Add CAP_DAC_OVERRIDE to CapabilityBoundingSet in rsyslog.service.
@@ -71,6 +151,87 @@ rsyslog (8.2308.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Wed, 16 Aug 2023 08:03:33 +0200
++rsyslog (8.2306.0-2ubuntu2) mantic; urgency=medium
++
++  * Amend list of expected messages d/rsyslog.logcheck.ignore.server
++    to fix armhf autopkgtest (LP: #2028935)
++
++ -- Heinrich Schuchardt <heinrich.schuchardt@canonical.com>  Mon, 04 Sep 2023 15:33:45 +0200
++
++rsyslog (8.2306.0-2ubuntu1) mantic; urgency=medium
++
++  * Merge with Debian unstable (LP: #2028935)
++  * New change:
++    - d/test/logcheck: fix failures caused by apparmor and timing
++  * Remaining changes:
++    - d/00rsyslog.conf, d/rsyslog.postinst, d/rsyslog.install: Install
++      tmpfiles.d snippet to ensure that the syslog group can write into
++      /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as syslog:syslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add AppArmor profile, enabled by default, with support for
++      AppArmor configuration snippets:
++      + d/rsyslog.install: install apparmor rule
++      + d/rsyslog.postinst: remove disabling of apparmor on upgrades if
++        we are upgrading from a version older than $now.
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3), Build-Depends on
++        dh-apparmor
++      + d/rsyslog.dirs: install /etc/apparmor.d/rsyslog.d
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + d/{apparmor/rsyslog-mysql,rsyslog-mysql.install}: add apparmor
++        profile for mysql plugin
++      + d/{apparmor/rsyslog-pgsql,rsyslog-pgsql.install}: add apparmor
++        profile for postgresql plugin
++      + d/{apparmor/rsyslog-gnutls.apparmor,rsyslog-gnutls.install}: add
++        apparmor profile for the gnutls plugin
++      + d/{apparmor/rsyslog-openssl.apparmor,rsyslog-gnutls.install}: add
++        apparmor profile for the openssl plugin
++      + New script to reload apparmor profile:
++        - d/rsyslog.service: reload apparmor profile in ExecStartPre and
++          set StandardError to journal so we can see errors from the
++          script
++        - d/rsyslog.install: install reload-apparmor-profile
++        - d/reload-apparmor-profile: script to reload the
++          rsyslogd apparmor profile
++      + d/NEWS: add info about apparmor changes in the Ubuntu packaging
++      + d/rsyslog.docs, d/README.apparmor: explains how the dynamic
++        component of the rsyslog apparmor profile is applied
++      + d/README.apparmor.rsyslog.d, d/rsyslog.install: install a specific
++        README file in the apparmor include directory for rsyslog
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop [mm|pm]normalize modules, depending on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize & --enable-pmnormalize
++      + d/rsyslog.install: remove mmnormalize
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - d/dmesg.service, d/rsyslog.install: provide /var/log/dmesg.log as non
++      log-rotated log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++    - Add DEP8 tests (LP #1906333):
++      + d/t/utils: common function(s)
++      + d/t/control, d/t/simple-mysql: DEP8 test using rsyslog with a
++        MySQL server
++      + d/t/control, d/t/simple-pgsql: DEP8 test using rsyslog with a
++        PostgreSQL server
++      + d/t/apparmor-include-mechanism: DEP8 test for the rsyslog.d
++        include mechanism used by the rsyslog apparmor profile
++
++ -- Heinrich Schuchardt <heinrich.schuchardt@canonical.com>  Wed, 23 Aug 2023 11:26:01 +0200
++
  rsyslog (8.2306.0-2) unstable; urgency=medium
    [ Richard Lewis ]
@@ -89,6 +250,78 @@ rsyslog (8.2306.0-2) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Mon, 10 Jul 2023 23:14:06 +0200
++rsyslog (8.2306.0-1ubuntu1) mantic; urgency=medium
++
++  * Merge with Debian unstable (LP: #2025678). Remaining changes:
++    - d/00rsyslog.conf, d/rsyslog.postinst, d/rsyslog.install: Install
++      tmpfiles.d snippet to ensure that the syslog group can write into
++      /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as syslog:syslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add AppArmor profile, enabled by default, with support for
++      AppArmor configuration snippets:
++      + d/rsyslog.install: install apparmor rule
++      + d/rsyslog.postinst: remove disabling of apparmor on upgrades if
++        we are upgrading from a version older than $now.
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3), Build-Depends on
++        dh-apparmor
++      + d/rsyslog.dirs: install /etc/apparmor.d/rsyslog.d
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + d/{apparmor/rsyslog-mysql,rsyslog-mysql.install}: add apparmor
++        profile for mysql plugin
++      + d/{apparmor/rsyslog-pgsql,rsyslog-pgsql.install}: add apparmor
++        profile for postgresql plugin
++      + d/{apparmor/rsyslog-gnutls.apparmor,rsyslog-gnutls.install}: add
++        apparmor profile for the gnutls plugin
++      + d/{apparmor/rsyslog-openssl.apparmor,rsyslog-gnutls.install}: add
++        apparmor profile for the openssl plugin
++      + New script to reload apparmor profile:
++        - d/rsyslog.service: reload apparmor profile in ExecStartPre and
++          set StandardError to journal so we can see errors from the
++          script
++        - d/rsyslog.install: install reload-apparmor-profile
++        - d/reload-apparmor-profile: script to reload the
++          rsyslogd apparmor profile
++      + d/NEWS: add info about apparmor changes in the Ubuntu packaging
++      + d/rsyslog.docs, d/README.apparmor: explains how the dynamic
++        component of the rsyslog apparmor profile is applied
++      + d/README.apparmor.rsyslog.d, d/rsyslog.install: install a specific
++        README file in the apparmor include directory for rsyslog
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop [mm|pm]normalize modules, depending on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize & --enable-pmnormalize
++      + d/rsyslog.install: remove mmnormalize
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - d/dmesg.service, d/rsyslog.install: provide /var/log/dmesg.log as non
++      log-rotated log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++    - Add DEP8 tests (LP #1906333):
++      + d/t/control, d/t/simple-logger: simple logger test
++      + d/t/utils: common function(s)
++      + d/t/control, d/t/simple-mysql: DEP8 test using rsyslog with a
++        MySQL server
++      + d/t/control, d/t/simple-pgsql: DEP8 test using rsyslog with a
++        PostgreSQL server
++      + d/t/apparmor-include-mechanism: DEP8 test for the rsyslog.d
++        include mechanism used by the rsyslog apparmor profile
++
++ -- Nick Rosbrook <nick.rosbrook@canonical.com>  Mon, 03 Jul 2023 14:04:04 -0400
++
  rsyslog (8.2306.0-1) unstable; urgency=medium
    * New upstream version 8.2306.0
@@ -101,6 +334,100 @@ rsyslog (8.2304.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Sat, 17 Jun 2023 18:44:36 +0200
++rsyslog (8.2302.0-1ubuntu3) lunar; urgency=medium
++
++  * d/usr.sbin.rsyslog: allow access to /dev/console on the AppArmor policy
++    (LP: #2009230)
++
++ -- Georgia Garcia <georgia.garcia@canonical.com>  Fri, 24 Mar 2023 11:28:25 -0300
++
++rsyslog (8.2302.0-1ubuntu2) lunar; urgency=medium
++
++  * d/t/simple-*, d/t/control: ignore aa-enforce error, which can happen
++    on armhf in the Ubuntu DEP8 infrastructure, and allow-stderr for
++    these tests (LP: #2008393)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 23 Feb 2023 18:56:07 -0300
++
++rsyslog (8.2302.0-1ubuntu1) lunar; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - d/00rsyslog.conf, d/rsyslog.postinst, d/rsyslog.install: Install
++      tmpfiles.d snippet to ensure that the syslog group can write into
++      /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as syslog:syslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add AppArmor profile, enabled by default, with support for
++      AppArmor configuration snippets:
++      + d/rsyslog.install: install apparmor rule
++      + d/rsyslog.postinst: remove disabling of apparmor on upgrades if
++        we are upgrading from a version older than $now.
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3), Build-Depends on
++        dh-apparmor
++      + d/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        /etc/apparmor.d/disable and /etc/apparmor.d/local,
++        /etc/apparmor.d/rsyslog.d
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + d/{apparmor/rsyslog-mysql,rsyslog-mysql.install}: add apparmor
++        profile for mysql plugin
++      + d/{apparmor/rsyslog-pgsql,rsyslog-pgsql.install}: add apparmor
++        profile for postgresql plugin
++      + d/{apparmor/rsyslog-gnutls.apparmor,rsyslog-gnutls.install}: add
++        apparmor profile for the gnutls plugin
++      + d/{apparmor/rsyslog-openssl.apparmor,rsyslog-gnutls.install}: add
++        apparmor profile for the openssl plugin
++      + New script to reload apparmor profile:
++        - d/rsyslog.service: reload apparmor profile in ExecStartPre and
++          set StandardError to journal so we can see errors from the
++          script
++        - d/rsyslog.install: install reload-apparmor-profile
++        - d/reload-apparmor-profile: script to reload the
++          rsyslogd apparmor profile
++      + d/NEWS: add info about apparmor changes in the Ubuntu packaging
++      + d/rsyslog.docs, d/README.apparmor: explains how the dynamic
++        component of the rsyslog apparmor profile is applied
++      + d/README.apparmor.rsyslog.d, d/rsyslog.install: install a specific
++        README file in the apparmor include directory for rsyslog
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop [mm|pm]normalize modules, depending on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize & --enable-pmnormalize
++      + d/rsyslog.install: remove mmnormalize
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - d/dmesg.service, d/rsyslog.install: provide /var/log/dmesg.log as non
++      log-rotated log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++    - Add DEP8 tests (LP #1906333):
++      + d/t/control, d/t/simple-logger: simple logger test
++      + d/t/utils: common function(s)
++      + d/t/control, d/t/simple-mysql: DEP8 test using rsyslog with a
++        MySQL server
++      + d/t/control, d/t/simple-pgsql: DEP8 test using rsyslog with a
++        PostgreSQL server
++      + d/t/apparmor-include-mechanism: DEP8 test for the rsyslog.d
++        include mechanism used by the rsyslog apparmor profile
++  * Added:
++    - d/rsyslog.dirs: no need to install force-complain, disable, and
++      local, under /etc/apparmor.d: "local" is handled by dh_apparmor,
++      and the others we don't use anymore because the profile is no
++      longer installed disabled
++
++ -- Andreas Hasenack <andreas@canonical.com>  Thu, 23 Feb 2023 13:58:38 -0300
++
  rsyslog (8.2302.0-1) unstable; urgency=medium
    * New upstream version 8.2302.0
@@ -118,6 +445,88 @@ rsyslog (8.2212.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Wed, 07 Dec 2022 13:58:48 +0100
++rsyslog (8.2210.0-3ubuntu2) lunar; urgency=medium
++
++  * Support apparmor profile snippets:
++    - d/usr.sbin.rsyslogd: add "include if exists" for the rsyslog.d
++      directory, and remove the now unnecessary  mysql and postgresql
++      sections
++    - d/rsyslog.preinst: don't disable the apparmor profile on install
++    - d/rsyslog.postinst: remove disabling of apparmor on upgrades if we
++      are upgrading from a version older than $now.
++    - d/rsyslog.dirs: install /etc/apparmor.d/rsyslog.d/
++    - d/{apparmor/rsyslog-mysql,rsyslog-mysql.install}: add apparmor
++      profile for mysql plugin
++    - d/{apparmor/rsyslog-pgsql,rsyslog-pgsql.install}: add apparmor
++      profile for postgresql plugin
++    - d/{apparmor/rsyslog-gnutls.apparmor,rsyslog-gnutls.install}: add
++      apparmor profile for the gnutls plugin
++    - d/{apparmor/rsyslog-openssl.apparmor,rsyslog-gnutls.install}: add
++      apparmor profile for the openssl plugin
++    - New script to reload apparmor profile:
++      + d/rsyslog.service: reload apparmor profile in ExecStartPre and
++        set StandardError to journal so we can see errors from the
++        script
++      + d/rsyslog.install: install reload-apparmor-profile
++      + d/reload-apparmor-profile: script to reload the
++        rsyslogd apparmor profile
++    - d/NEWS: add info about apparmor changes in the Ubuntu packaging
++    - d/rsyslog.docs, d/README.apparmor: explains how the dynamic
++      component of the rsyslog apparmor profile is applied
++    - d/README.apparmor.rsyslog.d, d/rsyslog.install: install a specific
++      README file in the apparmor include directory for rsyslog
++  * Add DEP8 tests (LP: #1906333):
++    - d/t/control, d/t/simple-logger: simple logger test
++    - d/t/utils: common function(s)
++    - d/t/control, d/t/simple-mysql: DEP8 test using rsyslog with a
++      MySQL server
++    - d/t/control, d/t/simple-pgsql: DEP8 test using rsyslog with a
++      PostgreSQL server
++    - d/t/apparmor-include-mechanism: DEP8 test for the rsyslog.d
++      include mechanism used by the rsyslog apparmor profile
++
++ -- Andreas Hasenack <andreas@canonical.com>  Fri, 17 Feb 2023 14:22:27 -0300
++
++rsyslog (8.2210.0-3ubuntu1) lunar; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the
++      syslog group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as syslog:syslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd
++      + d/rsyslog.install: install apparmor rule
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3)
++      + d/control: Build-Depends on dh-apparmor
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        /etc/apparmor.d/disable and /etc/apparmor.d/local
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + debian/rsyslog.preinst: disable profile on clean installs.
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop [mm|pm]normalize modules, depending on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize & --enable-pmnormalize
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated
++      log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 07 Nov 2022 13:08:41 -0800
++
  rsyslog (8.2210.0-3) unstable; urgency=medium
    * Stop splitting up mail.*
@@ -161,6 +570,53 @@ rsyslog (8.2210.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Wed, 19 Oct 2022 11:00:47 +0200
++rsyslog (8.2208.0-1ubuntu2) kinetic; urgency=medium
++
++  * Mark debian/rsyslog.install executable, lost on merge because of MoM
++    bug.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 16 Aug 2022 03:15:29 +0000
++
++rsyslog (8.2208.0-1ubuntu1) kinetic; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the
++      syslog group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as syslog:syslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd
++      + d/rsyslog.install: install apparmor rule
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3)
++      + d/control: Build-Depends on dh-apparmor
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        /etc/apparmor.d/disable and /etc/apparmor.d/local
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + debian/rsyslog.preinst: disable profile on clean installs.
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop [mm|pm]normalize modules, depending on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize & --enable-pmnormalize
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated
++      log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 15 Aug 2022 18:07:45 -0700
++
  rsyslog (8.2208.0-1) unstable; urgency=medium
    * New upstream version 8.2208.0
@@ -186,6 +642,50 @@ rsyslog (8.2204.1-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Mon, 09 May 2022 15:44:08 +0200
++rsyslog (8.2204.0-1ubuntu1) kinetic; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the
++      syslog group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as rsyslog:rsyslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd
++      + d/rsyslog.install: install apparmor rule
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3)
++      + d/contrl: Build-Depends on dh-apparmor
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        /etc/apparmor.d/disable and /etc/apparmor.d/local
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + debian/rsyslog.preinst: disable profile on clean installs.
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop [mm|pm]normalize modules, depending on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize & --enable-pmnormalize
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated
++      log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++    - d/usr.sbin.rsyslogd: apparmor: use preferred "profile <shortname>"
++      syntax.
++    - debian/dmesg.service: Change /var/log/dmesg from 0644 to 0640
++      to adhere to new DMESG_RESTRICT restrictions.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 01 May 2022 14:04:12 -0700
++
  rsyslog (8.2204.0-1) unstable; urgency=medium
    * New upstream version 8.2204.0
@@ -201,6 +701,58 @@ rsyslog (8.2202.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Wed, 16 Feb 2022 09:40:07 +0100
++rsyslog (8.2112.0-2ubuntu2) jammy; urgency=medium
++
++  * Re-add build-dependency on liblognorm-dev, also needed for
++    rsyslog-kubernetes.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 30 Dec 2021 07:22:05 +0000
++
++rsyslog (8.2112.0-2ubuntu1) jammy; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the
++      syslog group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as rsyslog:rsyslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd
++      + d/rsyslog.install: install apparmor rule
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3)
++      + d/contrl: Build-Depends on dh-apparmor
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        /etc/apparmor.d/disable and /etc/apparmor.d/local
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + debian/rsyslog.preinst: disable profile on clean installs.
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop [mm|pm]normalize modules, depending on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize & --enable-pmnormalize
++      + d/control: drop build dependency on liblognorm-dev
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated
++      log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++    - d/usr.sbin.rsyslogd: apparmor: use preferred "profile <shortname>"
++      syntax.
++    - debian/dmesg.service: Change /var/log/dmesg from 0644 to 0640
++      to adhere to new DMESG_RESTRICT restrictions.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 29 Dec 2021 17:15:17 -0800
++
  rsyslog (8.2112.0-2) unstable; urgency=medium
    * Enable SNMP output plugin (Closes: #604895)
@@ -215,12 +767,108 @@ rsyslog (8.2112.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Sun, 19 Dec 2021 20:44:12 +0100
++rsyslog (8.2110.0-4ubuntu1) jammy; urgency=low
++
++  * Merge from Debian unstable. Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the
++      syslog group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as rsyslog:rsyslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd
++      + d/rsyslog.install: install apparmor rule
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3)
++      + d/contrl: Build-Depends on dh-apparmor
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        /etc/apparmor.d/disable and /etc/apparmor.d/local
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + debian/rsyslog.preinst: disable profile on clean installs.
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop [mm|pm]normalize modules, depending on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize & --enable-pmnormalize
++      + d/control: drop build dependency on liblognorm-dev
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated
++      log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++    - d/usr.sbin.rsyslogd: apparmor: use preferred "profile <shortname>"
++      syntax.
++    - debian/dmesg.service: Change /var/log/dmesg from 0644 to 0640
++      to adhere to new DMESG_RESTRICT restrictions.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 13 Dec 2021 23:16:46 -0800
++
  rsyslog (8.2110.0-4) unstable; urgency=medium
    * mmanon: relax IPv6 detection - improve anonymization (Closes: #1000335)
   -- Michael Biebl <biebl@debian.org>  Mon, 22 Nov 2021 16:25:17 +0100
++rsyslog (8.2110.0-3ubuntu2) jammy; urgency=medium
++
++  * No-change rebuild against libssl3
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 09 Dec 2021 00:16:44 +0000
++
++rsyslog (8.2110.0-3ubuntu1) jammy; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the
++      syslog group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as rsyslog:rsyslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd
++      + d/rsyslog.install: install apparmor rule
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3)
++      + d/contrl: Build-Depends on dh-apparmor
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        /etc/apparmor.d/disable and /etc/apparmor.d/local
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + debian/rsyslog.preinst: disable profile on clean installs.
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop [mm|pm]normalize modules, depending on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize & --enable-pmnormalize
++      + d/control: drop build dependency on liblognorm-dev
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated
++      log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++    - d/usr.sbin.rsyslogd: apparmor: use preferred "profile <shortname>"
++      syntax.
++    - debian/dmesg.service: Change /var/log/dmesg from 0644 to 0640
++      to adhere to new DMESG_RESTRICT restrictions.
++
++ -- Lukas Märdian <slyon@ubuntu.com>  Tue, 16 Nov 2021 11:21:05 +0100
++
  rsyslog (8.2110.0-3) unstable; urgency=medium
    * Enable pmciscoios parser module (Closes: #929608)
@@ -271,6 +919,57 @@ rsyslog (8.2106.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Sun, 15 Aug 2021 19:41:55 +0200
++rsyslog (8.2102.0-2ubuntu2) impish; urgency=medium
++
++  * No-change rebuild to build packages with zstd compression.
++
++ -- Matthias Klose <doko@ubuntu.com>  Thu, 07 Oct 2021 12:24:00 +0200
++
++rsyslog (8.2102.0-2ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the
++      syslog group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as rsyslog:rsyslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd
++      + d/rsyslog.install: install apparmor rule
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3)
++      + d/contrl: Build-Depends on dh-apparmor
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        /etc/apparmor.d/disable and /etc/apparmor.d/local
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + debian/rsyslog.preinst: disable profile on clean installs.
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop mmnormalize module, which depends on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize
++      + d/control: drop build dependency on liblognorm-dev
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated
++      log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++    - d/usr.sbin.rsyslogd: apparmor: use preferred "profile <shortname>"
++      syntax.
++    - debian/dmesg.service: Change /var/log/dmesg from 0644 to 0640
++      to adhere to new DMESG_RESTRICT restrictions.
++
++ -- Balint Reczey <rbalint@ubuntu.com>  Wed, 24 Feb 2021 18:30:21 +0100
++
  rsyslog (8.2102.0-2) unstable; urgency=medium
    * testbench: changed tlscommands for librelp tls tests.
@@ -301,6 +1000,60 @@ rsyslog (8.2012.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Tue, 08 Dec 2020 18:43:01 +0100
++rsyslog (8.2010.0-1ubuntu2) hirsute; urgency=medium
++
++  * debian/dmesg.service: Change /var/log/dmesg from 0644 to 0640
++    to adhere to new DMESG_RESTRICT restrictions. (LP: #1912122)
++
++ -- Matthew Ruffell <matthew.ruffell@canonical.com>  Mon, 18 Jan 2021 13:34:48 +1300
++
++rsyslog (8.2010.0-1ubuntu1) hirsute; urgency=medium
++
++  * Merge with Debian unstable. Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the
++      syslog group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as rsyslog:rsyslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd
++      + d/rsyslog.install: install apparmor rule
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3)
++      + d/contrl: Build-Depends on dh-apparmor
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        /etc/apparmor.d/disable and /etc/apparmor.d/local
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + debian/rsyslog.preinst: disable profile on clean installs.
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop mmnormalize module, which depends on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize
++      + d/control: drop build dependency on liblognorm-dev
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated
++      log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++    - d/usr.sbin.rsyslogd: apparmor: use preferred "profile <shortname>"
++      syntax.
++  * Dropped changes:
++    - d/p/Increase-timeouts-in-imfile-basic-2GB-file-and-imfile-tru.patch:
++      bump even further for riscv64
++      [ Accepted by Debian. ]
++
++ -- Sergio Durigan Junior <sergio.durigan@canonical.com>  Fri, 27 Nov 2020 14:43:28 -0500
++
  rsyslog (8.2010.0-1) unstable; urgency=medium
    * New upstream version 8.2010.0
@@ -323,6 +1076,54 @@ rsyslog (8.2008.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Mon, 31 Aug 2020 18:04:06 +0200
++rsyslog (8.2006.0-2ubuntu1) groovy; urgency=medium
++
++  [ Christian Ehrhardt ]
++  * Merge with Debian unstable (LP: #1885125). Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the
++      syslog group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as rsyslog:rsyslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd
++      + d/rsyslog.install: install apparmor rule
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3)
++      + d/contrl: Build-Depends on dh-apparmor
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        /etc/apparmor.d/disable and /etc/apparmor.d/local
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + debian/rsyslog.preinst: disable profile on clean installs.
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop mmnormalize module, which depends on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize
++      + d/control: drop build dependency on liblognorm-dev
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated
++      log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++  * Added changes
++    - d/p/Increase-timeouts-in-imfile-basic-2GB-file-and-imfile-tru.patch: bump
++      even further for riscv64 to avoid FTBFS
++
++  [ Simon Deziel ]
++  * d/usr.sbin.rsyslogd: apparmor: use preferred "profile <shortname>" syntax.
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 25 Jun 2020 14:54:01 +0200
++
  rsyslog (8.2006.0-2) unstable; urgency=medium
    * Revert upstream changes which caused /dev/log from journald being
@@ -363,6 +1164,58 @@ rsyslog (8.2002.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Wed, 26 Feb 2020 17:10:44 +0100
++rsyslog (8.2001.0-1ubuntu1) focal; urgency=medium
++
++  [ Christian Ehrhardt ]
++  * Merge with Debian unstable (LP: #1862762). Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the
++      syslog group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++      + debian/50-default.conf: separated default rules
++      + d/rsyslog.install: install default rules
++      + d/rsyslog.postrm: clear default rules on purge
++      + d/rsyslog.postrm: remove conf file in postrm on purge. manage with ucf
++      + d/rsyslog.postinst: Adapt script to use ucf for Ubuntu's config files
++      + debian/control: Add Depends for ucf
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as rsyslog:rsyslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd
++      + d/rsyslog.install: install apparmor rule
++      + d/rules: use dh_apparmor to install profile before rsyslog is started
++      + d/control: suggests apparmor (>= 2.3)
++      + d/contrl: Build-Depends on dh-apparmor
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        /etc/apparmor.d/disable and /etc/apparmor.d/local
++      + d/usr.sbin.rsyslogd apparmor profile for rsyslogd
++      + debian/rsyslog.preinst: disable profile on clean installs.
++    - d/rules: Fix LDFLAGS to avoid segfault on receipt of first message
++    - Drop mmnormalize module, which depends on liblognorm from universe.
++      + d/rules: drop --enable-mmnormalize
++      + d/control: drop build dependency on liblognorm-dev
++    - run as user syslog
++      + d/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++      + d/rsyslog.postinst: Create syslog user and add it to adm group
++      + d/rsyslog.postinst: Adapt privileges for /var/log
++      + debian/control: Add Depends for adduser
++    - debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated
++      log for boot-time kernel messages.
++    - debian/clean: Delete some files left over by the test suite
++  * Dropped Changes:
++    - d/control: drop rsyslog-mongodb package from suggests
++      [ This part was forgotten to be droped in 8.32.0-1ubuntu1 ]
++    - d/rules: Build with --disable-silent-rules to get useful build logs.
++      [ was a no-op as verbose is the default ]
++    - d/rsyslog.postinst: Clean up temporary syslog.service symlink
++      [ Formerly missing in Changelog, now gone in Debian as well ]
++
++  [ Simon Deziel ]
++  * d/usr.sbin.rsyslogd: apparmor: fix typo in rule for (LP: #1827253).
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 11 Feb 2020 16:25:29 +0100
++
  rsyslog (8.2001.0-1) unstable; urgency=medium
    * New upstream version 8.2001.0
@@ -497,6 +1350,72 @@ rsyslog (8.1903.0-1) experimental; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Mon, 25 Mar 2019 22:47:54 +0100
++rsyslog (8.1901.0-1ubuntu4) eoan; urgency=medium
++
++  * No-change upload with strops.h and sys/strops.h removed in glibc.
++
++ -- Matthias Klose <doko@ubuntu.com>  Thu, 05 Sep 2019 11:08:26 +0000
++
++rsyslog (8.1901.0-1ubuntu3) eoan; urgency=medium
++
++  * No change rebuild for libmysqlclient21.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Mon, 12 Aug 2019 11:32:48 +0000
++
++rsyslog (8.1901.0-1ubuntu2) eoan; urgency=medium
++
++  [ Simon Deziel ]
++  * d/usr.sbin.rsyslogd: allow reading/mmap'ing rsyslog binary
++    This is required for usage inside containers (LP: #1827253)
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Wed, 03 Jul 2019 16:34:41 +0200
++
++rsyslog (8.1901.0-1ubuntu1) eoan; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the
++      syslog group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as rsyslog:rsyslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile, debian/usr.sbin.rsyslogd
++    - debian/rules:
++      + use dh_apparmor to install profile before rsyslog is started
++      + Fix LDFLAGS to avoid segfault on receipt of first message
++      + Build with --disable-silent-rules to get useful build logs.
++    - debian/control:
++      + suggests apparmor (>= 2.3)
++      + Build-Depends on dh-apparmor
++      + Drop Build-Depends for Universe Packages [only liblognorm-dev now]
++      + Add Depends for adduser and ucf.
++    - debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++      /etc/apparmor.d/disable and /etc/apparmor.d/local
++    - debian/rsyslog.preinst: disable profile on clean installs.
++    - debian/rsyslog.postinst:
++      + Adapt script to use ucf for Ubuntu's config files
++      + fix ownership of /var/spool/rsyslog.
++      + Create syslog user and add it to adm group
++      + Adapt privileges for /var/log
++    - debian/rsyslog.postrm:
++      + Remove file in postrm on purge. manage with ucf.
++    - Drop mmnormalize module, which depends on liblognorm from universe.
++    - debian/clean: Delete some files left over by the test suite
++    - debian/dmesg.service: provide /var/log/dmesg.log as non log-rotated
++      log for boot-time kernel messages.
++  * Dropped changes, included in Debian:
++    - Disable liblogging-stdlog
++    - Add versioned dependency on lsb-base for the use of init_is_upstart.
++  * Dropped changes:
++    - debian/rsyslog.logcheck.ignore.server: don't suppress warnings about
++      duplicate tmpfiles.d lines, the duplication has now been properly
++      fixed.
++    - drop pre-bionic maintainer script handling of dropped upstart units.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 03 May 2019 14:50:33 -0700
++
  rsyslog (8.1901.0-1) unstable; urgency=medium
    * New upstream version 8.1901.0
@@ -611,6 +1530,124 @@ rsyslog (8.33.1-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Tue, 06 Mar 2018 18:52:11 +0100
++rsyslog (8.32.0-1ubuntu7) disco; urgency=medium
++
++  * Install dmesg.service (LP: #1450588) to provide /var/log/dmesg.log
++    as non log-rotated log for boot time kernel messages.
++    - debian/dmesg.service: new service to write /var/log/dmesg
++    - debian/rsyslog.install: install dmesg.service with rsyslog
++
++ -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 07 Mar 2019 14:00:30 +0100
++
++rsyslog (8.32.0-1ubuntu6) disco; urgency=medium
++
++  * No-change rebuild against libhiredis0.14
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 12 Nov 2018 08:49:09 +0000
++
++rsyslog (8.32.0-1ubuntu5) cosmic; urgency=medium
++
++  * Sometimes, debootstrap in livecd-rootfs, and other builds shoes
++    failure to debootstrap, hinting that rsyslog is at fault. Make
++    configure step more resiliant, in case tmpfiles call fails to pepper
++    over this issue. A reproducer for the debootstrap failure is still
++    desired.
++
++ -- Dimitri John Ledkov 🌈 <xnox@ubuntu.com>  Tue, 03 Jul 2018 10:26:55 +0100
++
++rsyslog (8.32.0-1ubuntu4) bionic; urgency=medium
++
++  [ Jamie Strandboge ]
++  * debian/usr.sbin.rsyslogd: updates for bionic (LP: #1766600)
++    - allow rsyslog modules in multiarch directories
++    - allow writing temporary pidfile
++
++  [ Dimitri John Ledkov ]
++  * Tolerate installing rsyslog, on systems without systemd installed. LP:
++    #1766574
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 24 Apr 2018 15:47:41 +0100
++
++rsyslog (8.32.0-1ubuntu3) bionic; urgency=medium
++
++  * tmpfiles.d: Let var.conf to create /var/log with 'd' directive, and
++    only adjust the permissions of /var/log with 'z' directive, thus
++    avoiding warnings about duplicate lines for path /var/log. LP:
++    #1730028
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 09 Apr 2018 14:44:54 +0100
++
++rsyslog (8.32.0-1ubuntu2) bionic; urgency=medium
++
++  * Ensure correct permissions on files that rsyslog writes to. LP:
++    #1761630
++  * Drop upgrade scripts from pre-xenial.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 09 Apr 2018 13:17:34 +0100
++
++rsyslog (8.32.0-1ubuntu1) bionic; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the syslog
++      group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as rsyslog:rsyslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile:
++      + add debian/usr.sbin.rsyslogd profile
++      + debian/usr.sbin.rsyslogd: allow 'w' on /run/systemd/notify
++    - debian/rules:
++      + use dh_apparmor to install profile before rsyslog is
++      + Fix LDFLAGS to avoid segfault on receipt of first message
++      + Disable liblogging-stdlog since liblogging-stdlog-dev is in Universe
++      + Build with --disable-silent-rules to get useful build logs.
++    - debian/control:
++      + suggests apparmor (>= 2.3)
++      + Build-Depends on dh-apparmor
++      + Drop Build-Depends for Universe Packages [only liblognorm-dev now]
++      + Add Depends for adduser, ucf and lsb-base.
++      + Add versioned dependency on lsb-base for the use of init_is_upstart.
++    - debian/rsyslog.install:
++      + install profile to /etc/apparmor.d
++      + Install default rules and tmpfiles.d config file
++      + Drop install for files in packages that are not built
++    - debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++      /etc/apparmor.d/disable and /etc/apparmor.d/local
++    - debian/rsyslog.preinst: disable profile on clean installs.
++    - debian/rsyslog.postinst:
++      + Adapt script to use ucf for Ubuntu's conffiles
++      + fix ownership of /var/spool/rsyslog.
++      + Create syslog user and add it to adm group
++      + Adapt privileges for /var/log
++    - debian/rsyslog.postrm:
++      + Remove file in postrm on purge. manage with ucf.
++    - debian/rsyslog.logcheck.ignore.server: Suppress warning about duplicate
++      tmpfiles.d line for /var/log, from our debian/00rsyslog.conf.
++    - Drop mmnormalize module, which depends on liblognorm from universe.
++  * Dropped changes due to archive re-org, packages will be in universe:
++    - Drop rsyslog-mongodb package, depends on libmongo-client which is not
++      in main.
++    - Drop kafka package, depends on librdkafka from universe.
++    - Drop rsyslog-czmq, depends on libczmq-dev from universe.
++    - debian/control:
++      + Drop Suggests for unbuilt packages
++  * Dropped changes, applied in Debian:
++    - Cherry pick restart on configuration changes fix from Debian (LP: #1668639)
++  * Dropped changes, applied upstream:
++    - debian/patches/fix-permitnonkernelfacility-1703987.patch: Fix
++      hetting of permitnonkernelfacility with new style config.
++      (LP: #1703987)
++    - fix-tls-connection-errrors.patch: Resolve unexpected GnuTLS error -50.
++      (LP: #1673717)
++  * Drop xconsole integration in 50-defaults (LP: #1746012)
++  * debian/clean: Delete some files left over by test suite so we can
++    build the source package again after building binaries
++
++ -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 30 Jan 2018 20:36:24 +0100
++
  rsyslog (8.32.0-1) unstable; urgency=medium
    * New upstream version 8.32.0
@@ -820,6 +1857,131 @@ rsyslog (8.20.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Fri, 12 Aug 2016 22:46:32 +0200
++rsyslog (8.16.0-1ubuntu10) bionic; urgency=medium
++
++  * fix-tls-connection-errrors.patch: Resolve unexpected GnuTLS error -50.
++    (LP: #1673717)
++
++ -- Brian Murray <brian@ubuntu.com>  Mon, 06 Nov 2017 15:05:10 -0800
++
++rsyslog (8.16.0-1ubuntu9) artful; urgency=medium
++
++  * Correct typpo.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Mon, 21 Aug 2017 00:49:39 +0100
++
++rsyslog (8.16.0-1ubuntu8) artful; urgency=medium
++
++  * Drop upstart system jobs.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Sat, 19 Aug 2017 20:51:36 +0100
++
++rsyslog (8.16.0-1ubuntu7) artful; urgency=medium
++
++  * Cherry pick restart on configuration changes fix from Debian (LP: #1668639)
++    - Trigger restart on configuration changes.
++      Register a dpkg trigger on /etc/rsyslog.d that calls restart on
++      configuration changes. (Closes: #791337)
++    - Update dpkg trigger to use try-restart.
++      Add try-restart action to SysV initscript for that, systemd supports
++      this natively.
++    - debian/control: Add Depends on init-system-helpers (>= 1.47~) to rsyslog.
++
++ -- Frode Nordahl <frode.nordahl@canonical.com>  Mon, 26 Jun 2017 06:29:30 +0000
++
++rsyslog (8.16.0-1ubuntu6) artful; urgency=medium
++
++  * debian/patches/fix-permitnonkernelfacility-1703987.patch: Fix
++    setting of permitnonkernelfacility with new style config.
++    (LP: #1703987)
++
++ -- Andreas Hasenack <andreas@canonical.com>  Wed, 12 Jul 2017 17:30:08 -0300
++
++rsyslog (8.16.0-1ubuntu5) yakkety; urgency=medium
++
++  * Use new syntax to enable non-kernel klog messages (LP: #1531622)
++
++ -- Simon Deziel <simon.deziel@gmail.com>  Thu, 08 Sep 2016 16:57:33 +0000
++
++rsyslog (8.16.0-1ubuntu4) yakkety; urgency=medium
++
++  * No-change rebuild against libjson-c3.
++
++ -- Graham Inggs <ginggs@ubuntu.com>  Thu, 28 Apr 2016 10:36:42 +0200
++
++rsyslog (8.16.0-1ubuntu3) xenial; urgency=medium
++
++  * Rebuild against libmysqlclient20.
++
++ -- Robie Basak <robie.basak@ubuntu.com>  Tue, 05 Apr 2016 13:01:12 +0000
++
++rsyslog (8.16.0-1ubuntu2) xenial; urgency=medium
++
++  * No-change rebuild for gnutls transition.
++
++ -- Matthias Klose <doko@ubuntu.com>  Wed, 17 Feb 2016 22:27:26 +0000
++
++rsyslog (8.16.0-1ubuntu1) xenial; urgency=low
++
++  * Merge from Debian unstable (LP: #1539483).  Remaining changes:
++    - debian/00rsyslog.conf Install tmpfiles.d snippet to ensure that the syslog
++      group can write into /var/log/.
++    - debian/50-default.conf: set of default rules for syslog
++    - debian/rsyslog.conf:
++      + enable $RepeatedMsgReduction to avoid bloating the syslog file.
++      + enable $KLogPermitNonKernelFacility for non-kernel klog messages
++      + Run as rsyslog:rsyslog, set $FileOwner to syslog
++      + Remove rules moved to 50-default.conf
++    - Add disabled by default AppArmor profile:
++      + add debian/usr.sbin.rsyslogd profile
++      + debian/usr.sbin.rsyslogd: allow 'w' on /run/systemd/notify
++    - debian/rules:
++      + use dh_apparmor to install profile before rsyslog is
++      + Fix LDFLAGS to avoid segfault on receipt of first message
++      + Avoid buiding specific packages that rely on Universe deps restarted
++      + Disable liblogging-stdlog since liblogging-stdlog-dev is in Universe
++      + Build with --disable-silent-rules to get useful build logs.
++      + Disable build with dropped packages
++    - debian/control:
++      + suggests apparmor (>= 2.3)
++      + Build-Depends on dh-apparmor
++      + Drop Build-Depends for Universe Packages
++      + Drop Suggests for unbuilt packages
++      + Add Depends for adduser, ucf and lsb-base.
++      + Add versioned dependency on lsb-base for the use of init_is_upstart.
++    - debian/rsyslog.install:
++      + install profile to /etc/apparmor.d
++      + Install default rules and tmpfiles.d config file
++      + Drop install for files in packages that are not built
++    - debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++      /etc/apparmor.d/disable and /etc/apparmor.d/local
++    - debian/rsyslog.preinst: disable profile on clean installs.
++    - debian/rsyslog.postinst:
++      + Adapt script to use ucf for Ubuntu's conffiles
++      + fix ownership of /var/spool/rsyslog.
++      + Create syslog user and add it to adm group
++      + Adapt privileges for /var/log
++    - debian/rsyslog.postrm:
++      + Remove file in postrm on purge. manage with ucf.
++    - debian/rsyslog.logcheck.ignore.server: Suppress warning about duplicate
++      tmpfiles.d line for /var/log, from our debian/00rsyslog.conf.
++    - Drop rsyslog-mongodb package, depends on libmongo-client which is not
++      in main.
++    - Drop mmnormalize module, which depends on liblognorm from universe.
++    - Drop kafka package, depends on librdkafka from universe.
++    - Drop rsyslog-czmq, depends on libczmq-dev from universe.
++  * Dropped changes:
++    - debian/rsyslog.preinst: disable profile when upgrading from earlier than
++      when we shipped the profile as such a condition no longer exists
++    - debian/rsyslog.init: Adjust rsyslog init script to detect upstart,
++      making the upstart patches upstreamable to Debian.
++    - debian/control: Drop ubuntu-specific lsb-base version dependancy since
++      init_is_upstart is no longer used.
++    - debian/rsyslog.logrotate: Drop "service rsyslog rotate" delta.
++      invoke-rc.d is slightly better as it respects policy-rc.d
++
++ -- Louis Bouchard <louis.bouchard@ubuntu.com>  Tue, 02 Feb 2016 10:34:18 +0100
++
  rsyslog (8.16.0-1) unstable; urgency=medium
    * New upstream release.
@@ -837,6 +1999,50 @@ rsyslog (8.15.0-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Sun, 20 Dec 2015 17:36:00 +0100
++rsyslog (8.14.0-2ubuntu2) xenial; urgency=medium
++
++  * debian/usr.sbin.rsyslogd: allow 'w' on /run/systemd/notify (LP: #1530483)
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 05 Jan 2016 09:51:20 -0600
++
++rsyslog (8.14.0-2ubuntu1) xenial; urgency=low
++
++  * Merge from Debian unstable (LP: #1521673).  Remaining changes:
++    - Run as rsyslog:rsyslog, set $FileOwner to syslog
++    - debian/rsyslog.conf: enable $RepeatedMsgReduction
++      to avoid bloating the syslog file.
++    - debian/50-default.conf: set of default rules for syslog (forwarded to
++      Debian #603160). remove file in postrm on purge. manage with ucf.
++    - Add disabled by default AppArmor profile:
++      + add debian/usr.sbin.rsyslogd profile
++      + debian/rules: use dh_apparmor to install profile before rsyslog is
++        restarted
++      + debian/control: suggests apparmor (>= 2.3)
++      + debian/rsyslog.install: install profile to /etc/apparmor.d
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        and /etc/apparmor.d/disable
++      + debian/rsyslog.preinst: disable profile on clean install or upgrades
++        from earlier than when we shipped the profile
++      + debian/control: Build-Depends on dh-apparmor
++    - debian/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++    - Adjust rsyslog init script to detect upstart, making the upstart
++      patches upstreamable to Debian.
++    - Add versioned dependency on lsb-base for the use of init_is_upstart.
++  * Dropped changes:
++    - debian/patches/fix-testbench-buffer-overflow-ftbs.patch : superseded upstream.
++  * debian/rules: filter out -Wl,-Bsymbolic-functions only, instead of
++    overriding all LDFLAGS.
++  * Drop rsyslog-mongodb package, depends on libmongo-client which is not
++    in main.
++  * Drop mmnormalize module, which depends on liblognorm from universe.
++  * Drop kafka package, depends on librdkafka from universe.
++  * Drop rsyslog-czmq, depends on libczmq-dev from universe.
++  * Build with --disable-liblogging-stdlog since liblogging-stdlog-dev is
++    in Universe
++  * Build with --disable-silent-rules to get useful build logs.
++
++ -- Louis Bouchard <louis.bouchard@ubuntu.com>  Wed, 02 Dec 2015 12:09:39 +0100
++
  rsyslog (8.14.0-2) unstable; urgency=medium
    * Remove logging to /dev/xconsole from the default rsyslog configuration.
@@ -890,6 +2096,61 @@ rsyslog (8.12.0-2) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Tue, 15 Sep 2015 19:43:12 +0200
++rsyslog (8.12.0-1ubuntu3) xenial; urgency=medium
++
++  * debian/rsyslog.logcheck.ignore.server: Suppress warning about duplicate
++    tmpfiles.d line for /var/log, from our debian/00rsyslog.conf. Thanks to
++    sune-molgaard! (LP: #1484027).
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 29 Oct 2015 21:42:12 +0100
++
++rsyslog (8.12.0-1ubuntu2) wily; urgency=medium
++
++  * debian/patches/fix-testbench-buffer-overflow-ftbs.patch
++    - Fix FTBS on i386 and powerpc caused by buffer overflow
++      detection while running rsyslog testbench.
++
++ -- Louis Bouchard <louis.bouchard@ubuntu.com>  Wed, 02 Sep 2015 14:41:01 +0200
++
++rsyslog (8.12.0-1ubuntu1) wily; urgency=low
++
++  * Merge from Debian unstable (LP: #1464201).  Remaining changes:
++    - Run as rsyslog:rsyslog, set $FileOwner to syslog
++    - debian/rsyslog.conf: enable $RepeatedMsgReduction
++      to avoid bloating the syslog file.
++    - debian/50-default.conf: set of default rules for syslog (forwarded to
++      Debian #603160). remove file in postrm on purge. manage with ucf.
++    - Add disabled by default AppArmor profile:
++      + add debian/usr.sbin.rsyslogd profile
++      + debian/rules: use dh_apparmor to install profile before rsyslog is
++        restarted
++      + debian/control: suggests apparmor (>= 2.3)
++      + debian/rsyslog.install: install profile to /etc/apparmor.d
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        and /etc/apparmor.d/disable
++      + debian/rsyslog.preinst: disable profile on clean install or upgrades
++        from earlier than when we shipped the profile
++      + debian/control: Build-Depends on dh-apparmor
++    - debian/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++    - Adjust rsyslog init script to detect upstart, making the upstart
++      patches upstreamable to Debian.
++    - Add versioned dependency on lsb-base for the use of init_is_upstart.
++  * Dropped changes:
++    - debian/patches/10-initgroups.patch : superseded upstream.
++    - debian/patches/11-fix-infinite-loop-openvz-vms.patch: superseded upstream.
++    - debian/patches/CVE-2014-3634.patch: superseded upstream.
++  * debian/rules: filter out -Wl,-Bsymbolic-functions only, instead of
++    overriding all LDFLAGS.
++  * Drop rsyslog-mongodb package, depends on libmongo-client which is not
++    in main.
++  * Drop mmnormalize module, which depends on liblognorm from universe.
++  * Drop kafka package, depends on librdkafka from universe.
++  * Build with --disable-liblogging-stdlog since liblogging-stdlog-dev is
++    in Universe
++  * Build with --disable-silent-rules to get useful build logs.
++
++ -- Louis Bouchard <louis.bouchard@ubuntu.com>  Mon, 31 Aug 2015 11:48:29 +0200
++
  rsyslog (8.12.0-1) unstable; urgency=medium
    * New upstream release.
@@ -1138,6 +2399,146 @@ rsyslog (7.4.8-1) unstable; urgency=medium
   -- Michael Biebl <biebl@debian.org>  Tue, 11 Mar 2014 19:52:49 +0100
++rsyslog (7.4.4-1ubuntu14) vivid; urgency=medium
++
++  * Applied updated upstream patch fixing infinite loop on OpenVZ VMs.
++    (LP: #1366829)
++
++ -- Paul Donohue <ubuntu-rsyslog@PaulSD.com>  Fri, 09 Jan 2015 10:50:36 -0500
++
++rsyslog (7.4.4-1ubuntu13) vivid; urgency=medium
++
++  * Applied upstream patch fixing infinite loop on OpenVZ VMs. Thanks to Paul
++    Donohue for the patch. (LP: #1366829)
++
++ -- Brian Murray <brian@ubuntu.com>  Thu, 18 Dec 2014 15:20:23 -0800
++
++rsyslog (7.4.4-1ubuntu12) vivid; urgency=medium
++
++  * Install debian/00rsyslog.conf tmpfiles.d snippet to ensure that the syslog
++    group can write into /var/log/. (LP: #1401984)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Tue, 16 Dec 2014 14:33:34 +0100
++
++rsyslog (7.4.4-1ubuntu11) utopic; urgency=medium
++
++  * SECURITY UPDATE: denial of service and possible code execution via
++    invalid PRI value
++    - debian/patches/CVE-2014-3634.patch: limit PRI values in
++      grammar/rainerscript.h, plugins/imfile/imfile.c,
++      plugins/imklog/imklog.c, plugins/imkmsg/imkmsg.c,
++      plugins/imsolaris/imsolaris.c, plugins/imuxsock/imuxsock.c,
++      runtime/msg.c, runtime/parser.c, runtime/rsyslog.h,
++      runtime/srutils.c, runtime/syslogd-types.h, runtime/typedefs.h,
++      tools/syslogd.c.
++    - CVE-2014-3634
++    - CVE-2014-3683
++
++ -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Thu, 09 Oct 2014 13:01:54 -0400
++
++rsyslog (7.4.4-1ubuntu10) utopic; urgency=medium
++
++  * debian/usr.sbin.rsyslog: allow 'rk' to /run/utmp (LP: #1366261)
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 09 Sep 2014 10:26:20 -0500
++
++rsyslog (7.4.4-1ubuntu9) utopic; urgency=medium
++
++  * debian/usr.sbin.rsyslog: update for abstract socket mediation
++    (LP: #1362199)
++  * debian/control: Suggests apparmor >= 2.8.96~2541-0ubuntu4~
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Thu, 04 Sep 2014 09:45:43 -0500
++
++rsyslog (7.4.4-1ubuntu7) utopic; urgency=medium
++
++  * Build depend on libgcrypt20-dev.
++  * Build depend on libgnutls28-dev.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 08 Aug 2014 11:12:31 +0100
++
++rsyslog (7.4.4-1ubuntu6) utopic; urgency=medium
++
++  * debian/rsyslog.logrotate: Call "rotate" action for rotation instead of
++    "reload". (LP: #1331891)
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 31 Jul 2014 11:06:52 +0200
++
++rsyslog (7.4.4-1ubuntu5) utopic; urgency=medium
++
++  * Use "service" command in rsyslog's postrotate, since naked "reload"
++    fails under non-upstart init. (LP: #1331891)
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Tue, 08 Jul 2014 09:24:53 +0100
++
++rsyslog (7.4.4-1ubuntu4) utopic; urgency=medium
++
++  * Enable non-kernel facility klog messages. (LP: #1274444)
++
++ -- Chris J Arges <chris.j.arges@ubuntu.com>  Tue, 01 Jul 2014 14:59:40 -0500
++
++rsyslog (7.4.4-1ubuntu3) utopic; urgency=high
++
++  * No change rebuild against new dh_installinit, to call update-rc.d at
++    postinst.
++
++ -- Dimitri John Ledkov <xnox@ubuntu.com>  Wed, 28 May 2014 10:42:05 +0100
++
++rsyslog (7.4.4-1ubuntu2) trusty; urgency=low
++
++  * debian/rsyslog.postinst: Make sure /var/log is owned by group syslog and
++    is group-writeable (LP: #1256695).
++  * Ensure that rsyslogd can create files in group adm, even when dropping
++    group privileges to syslog (LP: #484336):
++    - debian/patches/10-initgroups.patch: Try to set appropriate
++      supplementary groups before dropping UID.
++    - debian/rsyslog.postinst: Add syslog user to group adm.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Wed, 04 Dec 2013 13:12:07 +0000
++
++rsyslog (7.4.4-1ubuntu1) trusty; urgency=low
++
++  * Merge from Debian unstable, remaining changes:
++    - Run as rsyslog:rsyslog, set $FileOwner to syslog
++    - Replace init script with debian/rsyslog.upstart.
++    - debian/rsyslog.logrotate: Use reload command to restart rsyslog
++    - debian/rsyslog.conf: enable $RepeatedMsgReduction
++      to avoid bloating the syslog file.
++    - Add debian/rsyslog.dmesg.upstart to save initial dmesg into a file.
++      Install it in debian/rules.
++    - debian/50-default.conf: set of default rules for syslog (forwarded to
++      Debian #603160). remove file in postrm on purge. manage with ucf.
++    - Add disabled by default AppArmor profile:
++      + debian/rsyslog.upstart: add pre-start stanza to load profile
++      + add debian/usr.sbin.rsyslogd profile
++      + debian/rules: use dh_apparmor to install profile before rsyslog is
++        restarted
++      + debian/control: suggests apparmor (>= 2.3)
++      + debian/rsyslog.install: install profile to /etc/apparmor.d
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        and /etc/apparmor.d/disable
++      + debian/rsyslog.preinst: disable profile on clean install or upgrades
++        from earlier than when we shipped the profile
++      + debian/control: Build-Depends on dh-apparmor
++    - debian/rsyslog.postrm: fixed typo "dissappear" to "disappear".
++    - debian/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++    - Adjust rsyslog init script to detect upstart, making the upstart
++      patches upstreamable to Debian.
++    - Add versioned dependency on lsb-base for the use of init_is_upstart.
++  * Dropped changes:
++    - debian/patches/04-fix_startup_deadlock.patch: superseded upstream.
++    - debian/patches/201-PreserveFQDN-not-working: originally from upstream.
++    - debian/patches/202-off-by-one-regression-1187808.patch: originally
++      from upstream.
++  * debian/rules: filter out -Wl,-Bsymbolic-functions only, instead of
++    overriding all LDFLAGS.
++  * Drop rsyslog-mongodb package, depends on libmongo-client which is not
++    in main.
++  * Drop mmnormalize module, which depends on liblognorm from universe.
++  * Build with --disable-silent-rules to get useful build logs.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 21 Oct 2013 15:31:38 -0700
++
  rsyslog (7.4.4-1) unstable; urgency=low
    * New upstream release.
@@ -1387,6 +2788,66 @@ rsyslog (5.8.11-3) unstable; urgency=low
   -- Michael Biebl <biebl@debian.org>  Tue, 05 Mar 2013 23:06:57 +0100
++rsyslog (5.8.11-2ubuntu4) saucy; urgency=low
++
++  * Adjust rsyslog init script to detect upstart, making the upstart
++    patches upstreamable to Debian.
++  * Add versioned dependency on lsb-base for the use of init_is_upstart.
++  * debian/patches/202-off-by-one-regression-1187808.patch: upstream fix
++    for an off-by-one error introduced in the previous cherry-pick, causing
++    rsyslog to fail to start in some environments.  Closes LP: #1187808.
++
++ -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 05 Jun 2013 12:09:22 -0700
++
++rsyslog (5.8.11-2ubuntu3) saucy; urgency=low
++
++  * Fixes LP: #1022545 : $PreserveFQDN is not working properly
++    - Backport upstream fix
++
++ -- Louis Bouchard <louis.bouchard@canonical.com>  Thu, 25 Apr 2013 12:40:26 +0200
++
++rsyslog (5.8.11-2ubuntu2) raring-proposed; urgency=low
++
++  [ Pierre Carrier ]
++  * debian/patches/04-fix_startup_deadlock.patch:
++    - Fixes deadlock during startup (LP: #1169740)
++
++ -- Adam Stokes <adam.stokes@ubuntu.com>  Wed, 17 Apr 2013 09:33:32 -0400
++
++rsyslog (5.8.11-2ubuntu1) raring; urgency=low
++
++  * Merge from Debian unstable.  Remaining changes:
++    - Run as rsyslog:rsyslog, set $FileOwner to syslog
++    - Replace init script with debian/rsyslog.upstart.
++    - debian/rsyslog.logrotate: Use reload command to restart rsyslog
++    - debian/rsyslog.conf: enable $RepeatedMsgReduction
++      to avoid bloating the syslog file.
++    - Add debian/rsyslog.dmesg.upstart to save initial dmesg into a file.
++      Install it in debian/rules.
++    - debian/50-default.conf: set of default rules for syslog (forwarded to
++      Debian #603160). remove file in postrm on purge. manage with ucf.
++    - debian/rules: build with LDFLAGS=""
++    - Add disabled by default AppArmor profile:
++      + debian/rsyslog.upstart: add pre-start stanza to load profile
++      + add debian/usr.sbin.rsyslogd profile
++      + debian/rules: use dh_apparmor to install profile before rsyslog is
++        restarted
++      + debian/control: suggests apparmor (>= 2.3)
++      + debian/rsyslog.install: install profile to /etc/apparmor.d
++      + debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++        and /etc/apparmor.d/disable
++      + debian/rsyslog.preinst: disable profile on clean install or upgrades
++        from earlier than when we shipped the profile
++      + debian/control: Build-Depends on dh-apparmor
++    - debian/rsyslog.postrm: fixed typo "dissappear" to "disappear".
++    - debian/rsyslog.postinst: fix ownership of /var/spool/rsyslog.
++  * Dropped:
++    - All Ubuntu specific patches; included upstream.
++    - debian/rsyslog.dirs: add /var/spool/rsyslog/.
++    - debian/rsyslog.conf: set $WorkDirectory to /var/spool/rsyslog.
++
++ -- James Page <james.page@ubuntu.com>  Fri, 07 Dec 2012 13:17:45 +0000
++
  rsyslog (5.8.11-2) unstable; urgency=low
    * Disable omstdout module again. Upstream doesn't consider it viable for
@@ -1455,6 +2916,103 @@ rsyslog (5.8.8-1) unstable; urgency=low
   -- Michael Biebl <biebl@debian.org>  Wed, 07 Mar 2012 00:42:56 +0100
++rsyslog (5.8.6-1ubuntu11) raring; urgency=low
++
++  * debian/patches/101-fix-rfc5424-instabilities.patch:
++    - bugfix: instabilities when using RFC5424 header fields (LP: #1059592)
++
++ -- Chris J Arges <chris.j.arges@canonical.com>  Tue, 04 Dec 2012 08:59:07 -0600
++
++rsyslog (5.8.6-1ubuntu10) raring; urgency=low
++
++  * debian/rsyslog.postinst: fix ownership of /var/spool/rsyslog (LP: #1075901)
++
++ -- Haw Loeung (hloeung) <haw.loeung@canonical.com>  Mon, 12 Nov 2012 12:57:23 +0100
++
++rsyslog (5.8.6-1ubuntu9) quantal; urgency=low
++
++  * Rebuild for new armel compiler default of ARMv5t.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Tue, 02 Oct 2012 16:49:57 +0100
++
++rsyslog (5.8.6-1ubuntu8) precise; urgency=low
++
++  * debian/rsyslog.postrm: fixed typo "dissappear" to "disappear" (LP: #846818)
++
++ -- Aditya Vaidya <kroq.gar78@gmail.com>  Fri, 23 Mar 2012 19:31:37 -0500
++
++rsyslog (5.8.6-1ubuntu7) precise; urgency=low
++
++  * debian/rsyslog.conf: set $WorkDirectory to /var/spool/rsyslog, which is
++    the example location in documentation. When not configured it defaults to
++    '/', which is undesirable. (LP: #918947, Closes: #656535)
++  * debian/rsyslog.dirs: add /var/spool/rsyslog/
++  * debian/usr.sbin.rsyslogd:
++    - adjust for $WorkDirectory
++    - allow 'r' on /var/log/** too (for imfile)
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 07 Mar 2012 08:26:54 -0600
++
++rsyslog (5.8.6-1ubuntu6) precise; urgency=low
++
++  * debian/control: Build-Depends on dh-apparmor (LP: #948120)
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Tue, 06 Mar 2012 09:47:22 -0600
++
++rsyslog (5.8.6-1ubuntu5) precise; urgency=low
++
++  * Add disabled by default AppArmor profile (LP: #914820)
++    - debian/rsyslog.upstart: add pre-start stanza to load profile
++    - add debian/usr.sbin.rsyslogd profile
++    - debian/rules: use dh_apparmor to install profile before rsyslog is
++      restarted
++    - debian/control: suggests apparmor (>= 2.3)
++    - debian/rsyslog.install: install profile to /etc/apparmor.d
++    - debian/rsyslog.dirs: install /etc/apparmor.d/force-complain,
++      and /etc/apparmor.d/disable
++    - debian/rsyslog.preinst: disable profile on clean install or upgrades
++      from earlier than when we shipped the profile
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Wed, 11 Jan 2012 17:10:41 +0100
++
++rsyslog (5.8.6-1ubuntu4) precise; urgency=low
++
++  * debian/patches/100-imuxsock-allow-missing-date.patch
++    fix bug in imuxsock that truncated messages if they did not
++    contain a date field (LP: #905419).
++
++ -- Scott Moser <smoser@ubuntu.com>  Tue, 20 Dec 2011 11:55:11 -0500
++
++rsyslog (5.8.6-1ubuntu3) precise; urgency=low
++
++  * No-change rebuild to drop spurious libsfgcc1 dependency on armhf.
++
++ -- Adam Conrad <adconrad@ubuntu.com>  Fri, 02 Dec 2011 17:39:39 -0700
++
++rsyslog (5.8.6-1ubuntu2) precise; urgency=low
++
++  * Rebuild for libmysqlclient transition
++
++ -- Clint Byrum <clint@ubuntu.com>  Thu, 24 Nov 2011 00:23:23 -0800
++
++rsyslog (5.8.6-1ubuntu1) precise; urgency=low
++
++  * Resynchronise with Debian. Remaining changes:
++    - Run as rsyslog:rsyslog, set $FileOwner to syslog
++    - Replace init script with debian/rsyslog.upstart.
++    - debian/rsyslog.logrotate: Use reload command to restart rsyslog
++    - debian/rsyslog.conf: enable $RepeatedMsgReduction
++      to avoid bloating the syslog file (LP #453444)
++    - Add debian/rsyslog.dmesg.upstart to save initial dmesg into a file.
++      Install it in debian/rules.
++    - debian/50-default.conf: set of default rules for syslog (forwarded to
++      Debian #603160). remove file in postrm on purge. manage with ucf.
++    - debian/rules: build with LDFLAGS=""
++  * Dropped:
++    - debian/patches/02-CVE-2011-3200.patch (fixed in upstream release)
++
++ -- Scott Moser <smoser@ubuntu.com>  Mon, 07 Nov 2011 13:54:56 -0500
++
  rsyslog (5.8.6-1) unstable; urgency=low
    * New upstream release.
@@ -1503,6 +3061,33 @@ rsyslog (5.8.2-1) unstable; urgency=low
   -- Michael Biebl <biebl@debian.org>  Tue, 21 Jun 2011 16:26:54 +0200
++rsyslog (5.8.1-1ubuntu2) oneiric; urgency=low
++
++  * debian/patches/02-CVE-2011-3200.patch: fix denial of service via off by
++    two
++    - CVE-2011-3200
++
++ -- Jamie Strandboge <jamie@ubuntu.com>  Mon, 03 Oct 2011 12:13:42 -0500
++
++rsyslog (5.8.1-1ubuntu1) oneiric; urgency=low
++
++  * Resynchronise with Debian (LP: #794230).  Remaining changes:
++    - Run as rsyslog:rsyslog, set $FileOwner to syslog
++    - Replace init script with debian/rsyslog.upstart.
++    - debian/rsyslog.logrotate: Use reload command to restart rsyslog
++    - debian/rsyslog.conf: enable $RepeatedMsgReduction
++      to avoid bloating the syslog file (LP #453444)
++    - Add debian/rsyslog.dmesg.upstart to save initial dmesg into a file.
++      Install it in debian/rules.
++    - debian/50-default.conf: set of default rules for syslog (forwarded to
++      Debian #603160). remove file in postrm on purge. manage with ucf.
++    - debian/rules: build with LDFLAGS=""
++  * Dropped:
++    - debian/control: Bump build-dependency on debhelper
++      debian now depends on dh >= 8
++
++ -- Scott Moser <smoser@ubuntu.com>  Thu, 02 Jun 2011 15:17:32 -0400
++
  rsyslog (5.8.1-1) unstable; urgency=low
    * New upstream release.
@@ -1654,6 +3239,47 @@ rsyslog (5.7.1-1) experimental; urgency=low
   -- Michael Biebl <biebl@debian.org>  Wed, 20 Oct 2010 01:48:39 +0200
++rsyslog (4.6.4-2ubuntu4) natty; urgency=low
++
++  * debian/50-default.conf: Disable redundant and non-synchronous log files by
++    default (this will only affect new installations), to reduce disk size
++    overhead and unnecessary wakeups and IO: daemon.log, lpr.log, user.log,
++    mail.{info,warn) (these are already in mail.log and syslog), debug,
++    messages.
++
++ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 12 Jan 2011 15:43:14 -0600
++
++rsyslog (4.6.4-2ubuntu3) natty; urgency=low
++
++  * Instead of removing /etc/default/rsyslog, patch the upstart job to
++    parse it as the old init script used to (LP: #570103)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Mon, 06 Dec 2010 14:56:18 -0500
++
++rsyslog (4.6.4-2ubuntu2) natty; urgency=low
++
++  * Remove debian/rsyslog.default as the upstart init script doesn't read
++    /etc/default/rsyslog (LP: #570103)
++
++ -- Stéphane Graber <stgraber@ubuntu.com>  Mon, 06 Dec 2010 14:47:32 -0500
++
++rsyslog (4.6.4-2ubuntu1) natty; urgency=low
++
++  * Resynchronise with Debian.  Remaining changes:
++    - Run as rsyslog:rsyslog, set $FileOwner to syslog
++    - Replace init script with debian/rsyslog.upstart.
++    - debian/control: Bump build-dependency on debhelper for Upstart-aware
++      dh_installinit
++    - debian/rsyslog.logrotate: Use reload command to restart rsyslog
++    - debian/rsyslog.conf: enable $RepeatedMsgReduction
++      to avoid bloating the syslog file (LP #453444)
++    - Add debian/rsyslog.dmesg.upstart to save initial dmesg into a file.
++      Install it in debian/rules.
++    - debian/50-default.conf: set of default rules for syslog (forwarded to
++      Debian #603160)
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Mon, 06 Dec 2010 14:33:42 +0000
++
  rsyslog (4.6.4-2) unstable; urgency=low
    * debian/patches/02-tls_loop_fix.patch
@@ -1663,6 +3289,40 @@ rsyslog (4.6.4-2) unstable; urgency=low
   -- Michael Biebl <biebl@debian.org>  Tue, 30 Nov 2010 14:50:15 +0100
++rsyslog (4.6.4-1ubuntu2) natty; urgency=low
++
++  * Restore maintainer script code to install
++    /etc/rsyslog.d/50-default.conf, and refer to it again from rsyslog.conf.
++
++ -- Colin Watson <cjwatson@ubuntu.com>  Fri, 19 Nov 2010 18:31:24 +0000
++
++rsyslog (4.6.4-1ubuntu1) natty; urgency=low
++
++  * Merge from debian unstable (LP: #671533), remaining changes:
++    - Run as rsyslog:rsyslog, set $FileOwner to syslog
++    - Replace init script with debian/rsyslog.upstart.
++    - debian/control: Bump build-dependency on debhelper for Upstart-aware
++      dh_installinit
++    - debian/rsyslog.logrotate: Use reload command to restart rsyslog
++    - debian/rsyslog.conf: enable $RepeatedMsgReduction
++      to avoid bloating the syslog file (LP #453444)
++    - Add debian/rsyslog.dmesg.upstart to save initial dmesg into a file.
++      Install it in debian/rules.
++    - debian/50-default.conf: set of default rules for syslog (forwarded to
++      Debian #603160)
++  * Dropped changes:
++    - debian/patches/deroot.patch: this patch was introduced to support
++      earlier kernels and we don't support running natty on pre-karmic
++      kernels
++    - sysklogd → rsyslog upgrade was done pre-lucid (LTS) so drop all
++      the upgrade handling
++    - Restore to reading from /proc/kmsg: rsyslog can read directly from
++      /proc/kmsg now; dropped init script changes as they're obsolete
++      (even when actually using the init script which we don't, we have
++      the upstart script)
++
++ -- Lorenzo De Liso <blackz@ubuntu.com>  Fri, 05 Nov 2010 15:52:21 +0100
++
  rsyslog (4.6.4-1) unstable; urgency=low
    * New upstream release.
@@ -1775,6 +3435,100 @@ rsyslog (4.4.0-1) unstable; urgency=low
   -- Michael Biebl <biebl@debian.org>  Fri, 21 Aug 2009 23:08:45 +0200
++rsyslog (4.2.0-2ubuntu8) lucid; urgency=low
++
++  * debian/patches/deroot.patch:
++    - After opening /proc/kmsg, set the effective user to an unprivileged
++      one and attempt a zero-byte read from the file.  If this succeeds, we
++      know that this will work de-rooted; if this fails, we don't enable
++      kernel-message logging.  LP: #523610.
++
++ -- Scott James Remnant <scott@ubuntu.com>  Wed, 24 Feb 2010 18:21:54 +0000
++
++rsyslog (4.2.0-2ubuntu7) lucid; urgency=low
++
++  * debian/rules:
++    - Forgot to commit this change as part of previous upload to not
++      call dh_installinit
++
++ -- Scott James Remnant <scott@ubuntu.com>  Wed, 17 Feb 2010 13:03:31 +0000
++
++rsyslog (4.2.0-2ubuntu6) lucid; urgency=low
++
++  * debian/rsyslog.rsyslog-kmsg.upstart:
++    - Drop this additional job; kernel changes have meant that rsyslog
++      may read from /proc/kmsg directly after dropping privileges.
++      LP: #517773
++  * debian/rsyslog.preinst:
++    - Remove on upgrade
++  * debian/rsyslog.conf:
++    - Restore to reading from /proc/kmsg
++
++ -- Scott James Remnant <scott@ubuntu.com>  Wed, 17 Feb 2010 12:23:01 +0000
++
++rsyslog (4.2.0-2ubuntu5.1) karmic-proposed; urgency=low
++
++  * debian/rsyslog.conf:
++    - enable $RepeatedMsgReduction to avoid bloating the syslog
++      file (LP: #453444)
++
++ -- Michael Vogt <michael.vogt@ubuntu.com>  Fri, 23 Oct 2009 17:28:10 +0200
++
++rsyslog (4.2.0-2ubuntu5) karmic; urgency=low
++
++  Upstart fixups; LP: #430220
++  * debian/rsyslog.logrotate: Use start command to restart rsyslog
++  * debian/rsyslog.rsyslog-kmsg.upstart: Restore bs=1 parameter to dd
++  * debian/rsyslog.upstart: Move kmsg fifo creation/deletion to kmsg
++    upstart script.
++
++ -- Michael Terry <michael.terry@canonical.com>  Tue, 22 Sep 2009 16:10:24 -0700
++
++rsyslog (4.2.0-2ubuntu4) karmic; urgency=low
++
++  * debian/rsyslog.postrm: Don't delete syslog user
++  * debian/rsyslog.postinst: Stop sysklogd from deleting the syslog user
++    when removed.  LP: #401056
++
++ -- Michael Terry <michael.terry@canonical.com>  Mon, 21 Sep 2009 15:38:13 -0700
++
++rsyslog (4.2.0-2ubuntu3) karmic; urgency=low
++
++  FFE LP: #427356.
++
++  * Replace init script with multiple Upstart jobs.
++  * debian/control:
++    - Bump build-dependency on debhelper for Upstart-aware dh_installinit
++
++ -- Scott James Remnant <scott@ubuntu.com>  Tue, 15 Sep 2009 03:26:43 +0100
++
++rsyslog (4.2.0-2ubuntu2) karmic; urgency=low
++
++  * Fix log file ownership issues when HUPing an unprivileged rsyslog
++    LP: #407862
++    - debian/rsyslog.conf: Set $FileOwner to syslog
++    - debian/patches/deroot.patch: Always chown output files, since we may
++      not be able to read them on a HUP otherwise.
++
++ -- Michael Terry <michael.terry@canonical.com>  Mon, 31 Aug 2009 14:58:50 -0400
++
++rsyslog (4.2.0-2ubuntu1) karmic; urgency=low
++
++  [ Michael Terry ]
++  * Merge from debian unstable (LP: #413023), remaining changes:
++    - Run as rsyslog:rsyslog
++    - Allow reading /proc/kmsg when non-root
++    - Cleanly upgrade from sysklogd
++  * debian/patches/deroot.patch: Don't allow using the klogctl function to
++    read klog messages.  Rather, allow /proc/kmsg or nothing, since we have
++    special support for reading /proc/kmsg while unprivileged.
++
++  [ Neil Wilson ]
++  * debian/rsyslog.init: Set blocksize for dd (LP: #407862) and restore
++    reload init argument to original lightweight reload
++
++ -- Michael Terry <michael.terry@canonical.com>  Thu, 13 Aug 2009 15:43:29 -0400
++
  rsyslog (4.2.0-2) unstable; urgency=low
    * debian/rsyslog.logcheck.ignore.server
@@ -1790,6 +3544,40 @@ rsyslog (4.2.0-2) unstable; urgency=low
   -- Michael Biebl <biebl@debian.org>  Wed, 05 Aug 2009 01:12:09 +0200
++rsyslog (4.2.0-1ubuntu2) karmic; urgency=low
++
++  * Prefix Vcs-* fields with "XSBC-Original-" as we don't use git for the
++    Ubuntu packages.
++  * Strip local from rsyslog's postinst as it shouldn't be used outside of
++    functions; LP: #401060.
++
++ -- LoÃ¯c Minier <loic.minier@ubuntu.com>  Mon, 20 Jul 2009 14:30:14 +0200
++
++rsyslog (4.2.0-1ubuntu1) karmic; urgency=low
++
++  * Run as rsyslog:rsyslog (LP: #250827, LP: #388608)
++    - debian/control: Depend on adduser
++    - debian/rsyslog.postinst: Create syslog user
++    - debian/rsyslog.postrm: Delete syslog user on purge
++    - debian/rsyslog.conf: Use DropPriv config fields
++  * Allow reading /proc/kmsg when non-root
++    - debian/rsyslog.init: Spawn a dd instance that shovels the /proc/kmsg
++      data to a pipe that rsyslog can read (based on Martin Pitt's similar
++      change to sysklogd).
++    - debian/patches/deroot.patch: Support a KLogPath config field
++      to change where the klog plugin looks and only start input modules
++      after we drop privileges, as reading when root interferes with
++      future reads as syslog.
++    - debian/rsyslog.conf: Use KLogPath field to point to dd pipe
++  * Cleanly upgrade from sysklogd
++    - debian/default.conf, debian/rsyslog.conf:
++      Break out the default rules into their own config file
++    - debian/rsyslog.install: Install it in /usr/share/rsyslog
++    - debian/rsyslog.postinst: If present, copy /etc/syslog.conf into
++      /etc/rsyslog.d/default.conf.  Then merge our own default.conf
++
++ -- Michael Terry <michael.terry@canonical.com>  Mon, 29 Jun 2009 08:37:43 -0400
++
  rsyslog (4.2.0-1) unstable; urgency=low
    * New upstream release of the now stable v4 branch.
 diff --git a/debian/clean b/debian/clean
 new file mode 100644
 index 0000000..204cc93
 --- /dev/null
 +++ b/debian/clean
@@ -0,0 +1,6 @@
++tests/rsyslog.out.compare
++tests/rsyslog.pid.save
++tests/rsyslog2.pid.save
++tests/xlate.lkp_tbl
++tests/xlate_1.lkp_tbl
++tests/xlate_array.lkp_tbl
 diff --git a/debian/control b/debian/control
 index 3e0b40c..606b72c 100644
 --- a/debian/control
 +++ b/debian/control
@@ -1,9 +1,11 @@
  Source: rsyslog
  Section: admin
  Priority: optional
--Maintainer: Michael Biebl <biebl@debian.org>
++Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
++XSBC-Original-Maintainer: Michael Biebl <biebl@debian.org>
  Build-Depends: debhelper-compat (= 13),
                 dh-exec,
++               dh-apparmor,
                 autoconf-archive,
                 zlib1g-dev,
                 libzstd-dev (>= 1.4.0),
@@ -50,13 +52,16 @@ Provides: system-log-daemon,
  Pre-Depends: ${misc:Pre-Depends}
  Depends: ${shlibs:Depends},
           ${misc:Depends},
++         adduser,
++         ucf
  Recommends: logrotate
  Suggests: rsyslog-mysql | rsyslog-pgsql,
            rsyslog-mongodb,
            rsyslog-doc,
            rsyslog-openssl | rsyslog-gnutls,
            rsyslog-gssapi,
--          rsyslog-relp
++          rsyslog-relp,
++          apparmor (>= 2.8.96~2541-0ubuntu4~)
  Description: reliable system and kernel logging daemon
   Rsyslog is a multi-threaded implementation of syslogd (a system utility
   providing support for message logging), with features that include:
 diff --git a/debian/dmesg.service b/debian/dmesg.service
 new file mode 100644
 index 0000000..8fdfd44
 --- /dev/null
 +++ b/debian/dmesg.service
@@ -0,0 +1,13 @@
++[Unit]
++Description=Save initial kernel messages after boot
++
++[Service]
++Type=idle
++StandardOutput=file:/var/log/dmesg
++ExecStartPre=-/usr/bin/savelog -m640 -q -p -n -c 5 /var/log/dmesg
++ExecStart=/bin/journalctl --boot 0 --dmesg --output short-monotonic --quiet --no-pager --no-hostname
++ExecStartPost=/bin/chgrp adm /var/log/dmesg
++ExecStartPost=/bin/chmod 0640 /var/log/dmesg
++
++[Install]
++WantedBy=multi-user.target
 diff --git a/debian/patches/omusrmsg-bugfix-potential-double-free-which-can-caus.patch b/debian/patches/omusrmsg-bugfix-potential-double-free-which-can-caus.patch
 new file mode 100644
 index 0000000..4bcf9e9
 --- /dev/null
 +++ b/debian/patches/omusrmsg-bugfix-potential-double-free-which-can-caus.patch
@@ -0,0 +1,69 @@
++From c7c16b935c4b3fb740eacbd5dbb043f5cd457acd Mon Sep 17 00:00:00 2001
++From: Rainer Gerhards <rgerhards@adiscon.com>
++Date: Thu, 14 Dec 2023 12:57:00 +0100
++Subject: [PATCH 1/1] omusrmsg bugfix: potential double free, which can cause
++ segfault
++
++omusrmsg frees a string which points to OS/system library memory. When
++the os/libs clean up, it frees the memory as well. This results in a
++double free. This bug interestingly seems to go unnoticed in many cases.
++But it can cause a segfault or hard-to-trace memory corruptions which
++could lead to other problems later on. The outcome of this bug most
++probably depdns on os/library versions.
++
++closes https://github.com/rsyslog/rsyslog/issues/5294
++
++Author: Rainer Gerhards <rgerhards@adiscon.com>
++Origin: https://github.com/rgerhards/rsyslog/commit/c7c16b935c4b3fb740eacbd5dbb043f5cd457acd
++---
++ tools/omusrmsg.c | 8 +++-----
++ 1 file changed, 3 insertions(+), 5 deletions(-)
++
++diff --git a/tools/omusrmsg.c b/tools/omusrmsg.c
++index aaa36d9e5..479db5bbc 100644
++--- a/tools/omusrmsg.c
+++++ b/tools/omusrmsg.c
++@@ -272,14 +272,15 @@ static rsRetVal wallmsg(uchar* pMsg, instanceData *pData)
++
++ 		for (j = 0; j < sessions; j++) {
++ 	                uchar szErr[512];
++-			char *user = NULL, *tty;
+++			char *tty;
+++			const char *user = NULL;
++ 			uid_t uid;
++ 			struct passwd *pws;
++
++ 			sdRet = sd_session_get_uid(sessions_list[j], &uid);
++ 			if (sdRet >= 0) {
++ 				pws = getpwuid(uid);
++-				user = pws->pw_name;
+++				user = pws->pw_name; /* DO NOT FREE, OS/LIB internal memory! */
++
++ 				if (user == NULL) {
++ 					dbgprintf("failed to get username for userid '%d'\n", uid);
++@@ -303,7 +304,6 @@ static rsRetVal wallmsg(uchar* pMsg, instanceData *pData)
++ 					        break;
++ 				}
++ 				if(i == MAXUNAMES) { /* user not found? */
++-				        free(user);
++ 					free(sessions_list[j]);
++ 					continue; /* on to next user! */
++ 				}
++@@ -313,14 +313,12 @@ static rsRetVal wallmsg(uchar* pMsg, instanceData *pData)
++ 		                rs_strerror_r(-sdRet, (char*)szErr, sizeof(szErr));
++ 				dbgprintf("get tty for session '%s' failed with [%d]:%s\n",
++ 					  sessions_list[j], -sdRet, szErr);
++-				free(user);
++ 				free(sessions_list[j]);
++ 				continue; /* try next session */
++ 			}
++
++ 			sendwallmsg(tty, pMsg);
++
++-			free(user);
++ 			free(tty);
++ 			free(sessions_list[j]);
++ 		}
++--
++2.40.1
++
 diff --git a/debian/patches/series b/debian/patches/series
 index d44f829..6963e3a 100644
 --- a/debian/patches/series
 +++ b/debian/patches/series
@@ -1,2 +1,3 @@
  Don-t-create-a-database.patch
  Increase-timeouts-in-imfile-basic-2GB-file-and-imfile-tru.patch
++omusrmsg-bugfix-potential-double-free-which-can-caus.patch
 diff --git a/debian/reload-apparmor-profile b/debian/reload-apparmor-profile
 new file mode 100755
 index 0000000..25c39e3
 --- /dev/null
 +++ b/debian/reload-apparmor-profile
@@ -0,0 +1,14 @@
++#!/bin/sh
++
++apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
++include_dir="/etc/apparmor.d/rsyslog.d"
++
++[ -f "${apparmor_profile}" ] || exit 0
++[ -d "${include_dir}" ] || exit 0
++aa-status --enabled 2>/dev/null || exit 0
++
++apparmor_parser -r -W -T "${apparmor_profile}" || {
++    echo "Failed to reload the ${apparmor_profile} apparmor profile, continuing anyway" >&2
++}
++
++exit 0
 diff --git a/debian/rsyslog-gnutls.install b/debian/rsyslog-gnutls.install
 index c5784ce..4579469 100644
 --- a/debian/rsyslog-gnutls.install
 +++ b/debian/rsyslog-gnutls.install
@@ -1 +1,2 @@
  usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/lmnsd_gtls.so
++debian/apparmor/rsyslog-gnutls.apparmor etc/apparmor.d/rsyslog.d/
 diff --git a/debian/rsyslog-mysql.install b/debian/rsyslog-mysql.install
 index 9de8064..fedff5c 100644
 --- a/debian/rsyslog-mysql.install
 +++ b/debian/rsyslog-mysql.install
@@ -1,2 +1,3 @@
  usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/ommysql.so
  debian/rsyslog-mysql.conf.template usr/share/rsyslog-mysql/
++debian/apparmor/rsyslog-mysql.apparmor etc/apparmor.d/rsyslog.d/
 diff --git a/debian/rsyslog-openssl.install b/debian/rsyslog-openssl.install
 index 492defb..bc5358e 100644
 --- a/debian/rsyslog-openssl.install
 +++ b/debian/rsyslog-openssl.install
@@ -1 +1,2 @@
  usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/lmnsd_ossl.so
++debian/apparmor/rsyslog-openssl.apparmor etc/apparmor.d/rsyslog.d/
 diff --git a/debian/rsyslog-pgsql.install b/debian/rsyslog-pgsql.install
 index 3fb57d3..946fe3f 100644
 --- a/debian/rsyslog-pgsql.install
 +++ b/debian/rsyslog-pgsql.install
@@ -1,2 +1,3 @@
  usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/ompgsql.so
  debian/rsyslog-pgsql.conf.template usr/share/rsyslog-pgsql/
++debian/apparmor/rsyslog-pgsql.apparmor etc/apparmor.d/rsyslog.d/
 diff --git a/debian/rsyslog.conf b/debian/rsyslog.conf
 index bdda81e..209d8aa 100644
 --- a/debian/rsyslog.conf
 +++ b/debian/rsyslog.conf
@@ -2,6 +2,8 @@
+ #
  # For more information install rsyslog-doc and see
  # /usr/share/doc/rsyslog-doc/html/configuration/index.html
++#
++# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
  #################
@@ -9,7 +11,6 @@
  #################
  module(load="imuxsock") # provides support for local system logging
--module(load="imklog")   # provides kernel logging support
  #module(load="immark")  # provides --MARK-- message capability
  # provides UDP syslog reception
@@ -20,19 +21,26 @@ module(load="imklog")   # provides kernel logging support
  #module(load="imtcp")
  #input(type="imtcp" port="514")
++# provides kernel logging support and enable non-kernel klog messages
++module(load="imklog" permitnonkernelfacility="on")
  ###########################
  #### GLOBAL DIRECTIVES ####
  ###########################
++# Filter duplicated messages
++$RepeatedMsgReduction on
++
+ #
  # Set the default permissions for all log files.
+ #
--$FileOwner root
++$FileOwner syslog
  $FileGroup adm
  $FileCreateMode 0640
  $DirCreateMode 0755
  $Umask 0022
++$PrivDropToUser syslog
++$PrivDropToGroup syslog
+ #
  # Where to place spool and state files
@@ -43,27 +51,3 @@ $WorkDirectory /var/spool/rsyslog
  # Include all config files in /etc/rsyslog.d/
+ #
  $IncludeConfig /etc/rsyslog.d/*.conf
--
--
--###############
--#### RULES ####
--###############
--
--#
--# Log anything besides private authentication messages to a single log file
--#
--*.*;auth,authpriv.none		-/var/log/syslog
--
--#
--# Log commonly used facilities to their own log file
--#
--auth,authpriv.*			/var/log/auth.log
--cron.*				-/var/log/cron.log
--kern.*				-/var/log/kern.log
--mail.*				-/var/log/mail.log
--user.*				-/var/log/user.log
--
--#
--# Emergencies are sent to everybody logged in.
--#
--*.emerg				:omusrmsg:*
 diff --git a/debian/rsyslog.dirs b/debian/rsyslog.dirs
 index 5ef1d18..ea0002b 100644
 --- a/debian/rsyslog.dirs
 +++ b/debian/rsyslog.dirs
@@ -1,2 +1,3 @@
  /etc/rsyslog.d/
  /var/spool/rsyslog/
++/etc/apparmor.d/rsyslog.d/
 diff --git a/debian/rsyslog.docs b/debian/rsyslog.docs
 index 62deb04..336a33e 100644
 --- a/debian/rsyslog.docs
 +++ b/debian/rsyslog.docs
@@ -1 +1,2 @@
  AUTHORS
++debian/README.apparmor
 diff --git a/debian/rsyslog.install b/debian/rsyslog.install
 index 34cc673..66cd7b1 100755
 --- a/debian/rsyslog.install
 +++ b/debian/rsyslog.install
@@ -1,6 +1,9 @@
  #!/usr/bin/dh-exec
  debian/rsyslog.conf  etc/
++debian/00rsyslog.conf  usr/lib/tmpfiles.d/
++debian/50-default.conf /usr/share/rsyslog
  debian/rsyslog-rotate usr/lib/rsyslog/
++debian/reload-apparmor-profile usr/lib/rsyslog/
  usr/sbin/
  usr/share/man/man5/
  usr/share/man/man8/
@@ -22,7 +25,6 @@ usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/lmzlibw.so
  usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/lmzstdw.so
  usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/mmanon.so
  usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/mmexternal.so
--usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/mmnormalize.so
  usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/mmjsonparse.so
  usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/mmutf8fix.so
  usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/mmpstrucdata.so
@@ -37,3 +39,6 @@ usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/pm*.so
  [linux-any] usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/imptcp.so
  [linux-any] usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/imjournal.so
  [linux-any] usr/lib/${DEB_HOST_MULTIARCH}/rsyslog/omjournal.so
++debian/usr.sbin.rsyslogd etc/apparmor.d/
++debian/README.apparmor.rsyslog.d => etc/apparmor.d/rsyslog.d/README
++debian/dmesg.service lib/systemd/system
 diff --git a/debian/rsyslog.logcheck.ignore.server b/debian/rsyslog.logcheck.ignore.server
 index 6a56e7a..1186936 100644
 --- a/debian/rsyslog.logcheck.ignore.server
 +++ b/debian/rsyslog.logcheck.ignore.server
@@ -2,3 +2,6 @@
  ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ rsyslogd(\[[0-9]+\])?: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="https://www.rsyslog.com"\] rsyslogd was HUPed$
  ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ rsyslogd(\[[0-9]+\])?: \[origin software="rsyslogd" swVersion="[0-9.]+" x-pid="[0-9]+" x-info="https://www.rsyslog.com"\] start$
  ^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ rsyslogd(\[[0-9]+\])?: imuxsock: Acquired UNIX socket '/run/systemd/journal/syslog' \(fd [0-9]+\) from systemd\.\s+\[v[0-9.]+\]$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ rsyslogd(\[[0-9]+\])?: rsyslogd's (groupid|userid) changed to [0-9]+$
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ rsyslogd(\[[0-9]+\])?:( rsyslogd:)? imklog: cannot open kernel log \(\/proc\/kmsg\): Permission denied.
++^(\w{3} [ :0-9]{11}|[0-9T:.+-]{32}) [._[:alnum:]-]+ rsyslogd(\[[0-9]+\])?:( rsyslogd:)? activation of module imklog failed \[v[.0-9]+ try https:\/\/www.rsyslog.com\/e\/2145 \]$
 diff --git a/debian/rsyslog.postinst b/debian/rsyslog.postinst
 index b01dd34..ea93fbf 100644
 --- a/debian/rsyslog.postinst
 +++ b/debian/rsyslog.postinst
@@ -16,12 +16,41 @@ set -e
  case "$1" in
      configure)
++	adduser --system --group --no-create-home --quiet syslog || true
++	adduser syslog adm || true
++
  	# Fix permissions of the spool/work directory (Bug: #693099)
  	chmod 700 /var/spool/rsyslog
++	# fix ownership of work directory (LP: #1075901)
++	chown syslog:adm /var/spool/rsyslog
++
++	# ensure that rsyslogd can create log files after dropping
++	# privileges
++	chgrp syslog /var/log
++	chmod g+w /var/log
++
++	user_conf=/etc/rsyslog.d/50-default.conf
++	default_conf=/usr/share/rsyslog/50-default.conf
++
++	ucf --three-way --debconf-ok $default_conf $user_conf
++	ucfr rsyslog $user_conf
++
++	if which systemd-tmpfiles >/dev/null
++	then
++	    systemd-tmpfiles --create /usr/lib/tmpfiles.d/00rsyslog.conf || true
++	fi
++
  	if dpkg --compare-versions "$2" lt-nl "8.2110.0-2"; then
  		update-rc.d -f rsyslog remove || true
  	fi
++
++	if dpkg --compare-versions "$2" lt-nl "8.2210.0-3ubuntu2~"; then
++	    # In this version we removed the disabling of the rsyslog apparmor
++	    # profile, i.e., it's enabled by default.  Gate on it to avoid
++	    # re-enabling it if the user has explicitly disabled it afterwards.
++	    rm -f /etc/apparmor.d/disable/usr.sbin.rsyslogd
++	fi
      ;;
      triggered)
 diff --git a/debian/rsyslog.postrm b/debian/rsyslog.postrm
 index d37f025..c287b62 100644
 --- a/debian/rsyslog.postrm
 +++ b/debian/rsyslog.postrm
@@ -6,6 +6,19 @@ if [ "$1" = "remove" ]; then
  	[ -f /etc/logrotate.d/rsyslog ] && mv -f /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
  fi
++if [ "$1" = "purge" ]; then
++	if which ucfr >/dev/null; then
++		ucfr --purge rsyslog /etc/rsyslog.d/50-default.conf
++	fi
++	if which ucf >/dev/null; then
++		ucf --purge /etc/rsyslog.d/50-default.conf
++	fi
++	if [ -d /etc/rsyslog.d ]; then
++		rm -f /etc/rsyslog.d/50-default.conf
++		rmdir --ignore-fail-on-non-empty /etc/rsyslog.d
++	fi
++fi
++
  if [ "$1" = "purge" ] || [ "$1" = "disappear" ]; then
  	[ -f /etc/logrotate.d/rsyslog.disabled ] && rm -f /etc/logrotate.d/rsyslog.disabled
  fi
 diff --git a/debian/rsyslog.service b/debian/rsyslog.service
 index 5f591b1..78d2a4c 100644
 --- a/debian/rsyslog.service
 +++ b/debian/rsyslog.service
@@ -7,26 +7,22 @@ Documentation=https://www.rsyslog.com/doc/
  [Service]
  Type=notify
++ExecStartPre=/usr/lib/rsyslog/reload-apparmor-profile
  ExecStart=/usr/sbin/rsyslogd -n -iNONE
  StandardOutput=null
++StandardError=journal
  Restart=on-failure
  # Increase the default a bit in order to allow many simultaneous
  # files to be monitored, we might need a lot of fds.
  LimitNOFILE=16384
--CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_DAC_OVERRIDE CAP_LEASE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYSLOG
++CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_DAC_OVERRIDE CAP_LEASE CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYSLOG CAP_MAC_ADMIN CAP_SETGID CAP_SETUID
  SystemCallFilter=@system-service
  RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
  NoNewPrivileges=yes
--PrivateTmp=yes
--PrivateDevices=yes
--ProtectHome=yes
--ProtectSystem=full
--ProtectKernelTunables=yes
--ProtectKernelModules=yes
++ProtectHome=readonly
  ProtectClock=yes
--ProtectControlGroups=yes
  ProtectHostname=yes
  [Install]
 diff --git a/debian/rules b/debian/rules
 index dae9262..bd3e6ab 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -7,6 +7,10 @@ export DEB_CPPFLAGS_MAINT_APPEND = -DPATH_PIDFILE=\"/run/rsyslogd.pid\"
  export PYTHON=/usr/bin/python3
++# the default LDFLAGS="-Wl,-Bsymbolic-functions" caused rsyslog to
++# segfault on receipt of first message (see LP: #794230)
++export DEB_LDFLAGS_MAINT_STRIP = -Wl,-Bsymbolic-functions
++
  %:
  	dh $@
@@ -40,13 +44,11 @@ override_dh_auto_configure:
  		--enable-pmciscoios \
  		--enable-pmcisconames \
  		--enable-pmlastmsg \
--		--enable-pmnormalize \
  		--enable-pmsnare \
  		--enable-omstdout \
  		--enable-omprog \
  		--enable-omuxsock \
  		--enable-mmanon \
--		--enable-mmnormalize \
  		--enable-mmjsonparse \
  		--enable-mmutf8fix \
  		--enable-mmpstrucdata \
@@ -79,6 +81,10 @@ override_dh_install:
  	find debian/tmp -name '*.la' -print -delete
  	dh_install
++override_dh_installinit:
++	dh_apparmor --profile-name=usr.sbin.rsyslogd -prsyslog
++	dh_installinit
++
  override_dh_auto_test:
  ifeq (, $(filter nocheck, $(DEB_BUILD_OPTIONS)))
  	PATH=$$PATH:/usr/sbin dh_auto_test || ( cat tests/test-suite.log; exit 1 ) && ( cat tests/test-suite.log )
 diff --git a/debian/tests/apparmor-include-mechanism b/debian/tests/apparmor-include-mechanism
 new file mode 100755
 index 0000000..728d17f
 --- /dev/null
 +++ b/debian/tests/apparmor-include-mechanism
@@ -0,0 +1,92 @@
++#!/bin/bash
++
++set -e
++set -o pipefail
++
++include_dir="/etc/apparmor.d/rsyslog.d"
++apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
++declare -i ret
++ret=0
++
++cleanup() {
++    rm -f "${include_dir}"/do-not-include*
++    rm -f "${include_dir}"/README
++    rm -f "${include_dir}"/pkg1.apparmor
++    rm -f "${include_dir}"/randomfile
++}
++
++trap cleanup EXIT
++
++standard_backup_files_are_not_included() {
++    local -a ignored_suffixes
++    local -a exclusions
++    local -a inclusions
++    local -i lines=0
++    local fname
++    local suffix
++    local full_profile
++
++    cleanup
++
++    # taken from https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L65
++    # and https://sources.debian.org/src/apparmor/3.0.8-2/libraries/libapparmor/src/private.c/#L133
++    ignored_suffixes=(.dpkg-new .dpkg-old .dpkg-dist .dpkg-bak .dpkg-remove .pacsave .pacnew .rpmnew .rpmsave .orig .rej \~)
++    exclusions+=("README" ".somedotfile")
++    for suffix in "${ignored_suffixes[@]}"; do
++        exclusions+=("do-not-include${suffix}")
++    done
++
++    echo "## Files with known backup extensions, that start with a dot, and a README file, are not included. Testing with:"
++    echo "${exclusions[*]}"
++    echo
++
++    for fname in "${exclusions[@]}"; do
++        echo "# BUG this should not be included: ${fname}" > "${include_dir}/${fname}"
++    done
++
++    # just a few, for a sanity check
++    inclusions=(pkg1.apparmor randomfile)
++    echo "## These, however, should be included: ${inclusions[*]}"
++    for fname in "${inclusions[@]}"; do
++        echo "# must be included: ${fname}" > "${include_dir}/${fname}"
++    done
++
++    echo "## Generated test files:"
++    ls -la /etc/apparmor.d/rsyslog.d/
++
++    full_profile=$(apparmor_parser -p "${apparmor_profile}")
++
++    echo "## Verifying that none of the excluded files were included in the apparmor profile:"
++    if echo "${full_profile}" | grep -F "BUG this should not be included"; then
++        return 1 # the caller will print ## FAIL
++    else
++        echo "## OK"
++    fi
++
++    echo "## Verifying that all the allowed files were included:"
++    lines=$(echo "${full_profile}" | grep -F "must be included" | wc -l)
++    if [ ${lines} -ne ${#inclusions[@]} ]; then
++        echo "## Found ${lines} inclusions, expected ${#inclusions[@]}"
++        return 1
++    fi
++}
++
++
++for t in \
++    standard_backup_files_are_not_included; do
++
++    echo
++    if "${t}"; then
++        echo "## OK"
++    else
++        ret=1
++        echo "## FAIL"
++    fi
++done
++
++echo
++if [ ${ret} -ne 0 ]; then
++    echo "## One or more tests FAILED"
++fi
++
++exit ${ret}
 diff --git a/debian/tests/control b/debian/tests/control
 index 7cd47a9..0328b4d 100644
 --- a/debian/tests/control
 +++ b/debian/tests/control
@@ -1,3 +1,23 @@
  Tests: logcheck
  Depends: rsyslog, logcheck, coreutils
  Restrictions: needs-root, breaks-testbed
++
++Tests: apparmor-include-mechanism
++Depends: rsyslog, apparmor
++Restrictions: needs-root allow-stderr
++
++Tests: simple-logger
++Depends: rsyslog, bsdutils, apparmor-utils, uuid-runtime
++Restrictions: needs-root allow-stderr
++
++Tests: simple-mysql
++# rsyslog-mysql has to be installed by the test script, because it pulls in dbconfig-common
++# which will be setup *before* mysql-server is configured and running, which fails.
++Depends: bsdutils, apparmor-utils, mysql-server, uuid-runtime
++Restrictions: needs-root allow-stderr
++
++Tests: simple-pgsql
++# rsyslog-pgsql has to be installed by the test script, because it pulls in dbconfig-common
++# which will be setup *before* postgresql is configured and running, which fails.
++Depends: bsdutils, apparmor-utils, postgresql, postgresql-client, uuid-runtime
++Restrictions: needs-root allow-stderr
 diff --git a/debian/tests/logcheck b/debian/tests/logcheck
 index 913b870..d575720 100755
 --- a/debian/tests/logcheck
 +++ b/debian/tests/logcheck
@@ -2,6 +2,12 @@
  set -eu
++# if rsyslog is already running then merely doing 'start+stop'
++# will not reload the new config
++systemctl stop rsyslog 2>&1 #(redirect stderr because systemd tells us that syslog.socket will restart rsyslog)
++# Wait until log is written
++sleep 3
++
  echo "* Checking logcheck rules"
  # tell rsyslog to output to a file other than /var/log/syslog to isolate
  # rsyslog messages. nb that rsyslog.service is hardened so this file
@@ -11,13 +17,16 @@ cat > /etc/rsyslog.d/rsyslog-logcheck.conf <<EOF
  EOF
  : > /var/log/test-rsyslog-syslog.log
++chown syslog:syslog /var/log/test-rsyslog-syslog.log
  echo "** Starting and stopping rsyslog"
--# if rsyslog is already running then merely doing 'start+stop'
--# will not reload the new config
--systemctl stop rsyslog 2>&1 #(redirect stderr becuase systemd tells us that syslog.socket will restart rsyslog)
++timestamp="$(date '+%Y-%m-%d %T')"
  systemctl start rsyslog
  systemctl stop rsyslog 2>&1
++
++# Give rsyslog time to write the file
++sleep 3
++
  echo "** rsyslog generated the following lines in syslog:"
  cat /var/log/test-rsyslog-syslog.log
  if [ ! -s /var/log/test-rsyslog-syslog.log ]; then
@@ -27,7 +36,7 @@ if [ ! -s /var/log/test-rsyslog-syslog.log ]; then
  fi
  echo "** rsyslog generated the following lines in the systemd journal:"
--journalctl --since=-5min _COMM=rsyslogd \
++journalctl --since="$timestamp" _COMM=rsyslogd \
  	| tee /tmp/test-rsyslog-journal.log
  if [ ! -s /tmp/test-rsyslog-journal.log ]; then
  	echo >&2 "ERROR: rsyslog produced no journal entries at all"
 diff --git a/debian/tests/simple-logger b/debian/tests/simple-logger
 new file mode 100755
 index 0000000..e7741b1
 --- /dev/null
 +++ b/debian/tests/simple-logger
@@ -0,0 +1,24 @@
++#!/bin/bash
++
++set -e
++set -o pipefail
++
++source debian/tests/utils
++
++# make sure we are confined and in enforce mode for this test, if supported
++try_enforce_apparmor
++
++message="logger-test-value=$(uuidgen)"
++
++echo "Logging message: ${message}"
++logger --id=$$ --priority user.notice "${message}"
++
++logs=$(tail -n 10 /var/log/syslog)
++if echo "${logs}" | grep -qE "${message}"; then
++    echo "Message correctly found in system logs"
++else
++    echo "Failed to find message \"${message}\" in /var/log/syslog"
++    echo "Last 5 lines are:"
++    echo "${logs}"
++    exit 1
++fi
 diff --git a/debian/tests/simple-mysql b/debian/tests/simple-mysql
 new file mode 100755
 index 0000000..c0d0c9e
 --- /dev/null
 +++ b/debian/tests/simple-mysql
@@ -0,0 +1,29 @@
++#!/bin/bash
++
++set -e
++set -o pipefail
++
++source debian/tests/utils
++
++# make sure we are confined and in enforce mode for this test, if supported
++try_enforce_apparmor
++
++# Installing rsyslog-mysql without having a mysql DB already configured on
++# localhost fails, because the dbconfig-common postinst runs before the mysql
++# postinst. A Depends cannot be used in the packaging because the database
++# might be remote.
++# Therefore we add mysql-server to the DEP8 dependency list in d/t/control, and
++# install rsyslog-mysql from inside the test. In this way, mysql is already
++# configured when we get here.
++DEBIAN_FRONTEND=noninteractive apt-get install -y rsyslog-mysql
++
++# Values from a default install of rsyslog-mysql
++DBNAME="Syslog"
++TABLE="SystemEvents"
++
++message="logger-test-value=$(uuidgen)"
++
++echo "Logging message: ${message}"
++logger --id=$$ --priority user.notice "${message}"
++
++check_db_for_message mysql "${message}"
 diff --git a/debian/tests/simple-pgsql b/debian/tests/simple-pgsql
 new file mode 100755
 index 0000000..a09f3a8
 --- /dev/null
 +++ b/debian/tests/simple-pgsql
@@ -0,0 +1,25 @@
++#!/bin/bash
++
++set -e
++set -o pipefail
++
++source debian/tests/utils
++
++# make sure we are confined and in enforce mode for this test, if supported
++try_enforce_apparmor
++
++# Installing rsyslog-pgsql without having a postgresq DB already configured on
++# localhost fails, because the dbconfig-common postinst runs before the
++# postgresql postinst. A Depends cannot be used in the packaging because the
++# database might be remote.
++# Therefore we add postgresql to the DEP8 dependency list in d/t/control, and
++# install rsyslog-pgsql from inside the test. In this way, postgresql is
++# already configured when we get here.
++DEBIAN_FRONTEND=noninteractive apt-get install -y rsyslog-pgsql
++
++message="logger-test-value=$(uuidgen)"
++
++echo "Logging message: ${message}"
++logger --id=$$ --priority user.notice "${message}"
++
++check_db_for_message postgresql "${message}"
 diff --git a/debian/tests/utils b/debian/tests/utils
 new file mode 100644
 index 0000000..ecc942b
 --- /dev/null
 +++ b/debian/tests/utils
@@ -0,0 +1,76 @@
++check_db_for_message() {
++    local db="${1}"
++    local message="${2}"
++    local -i counter=10
++
++    case "${db}" in
++        mysql)
++            dbname="Syslog"
++            table="SystemEvents"
++            cmd="mysql -uroot ${dbname} --batch -N -e \"SELECT COUNT(*) FROM ${table} WHERE trim(Message) = \\\"${message}\\\";\""
++            ;;
++        postgresql)
++            dbname="Syslog"
++            table="systemevents"
++            cmd="sudo -u postgres -i  psql -At -d ${dbname} -c \"SELECT COUNT(*) FROM ${table} WHERE trim(message) = '${message}';\""
++            ;;
++        *)
++            echo "Unrecognized db: ${db}"
++            return 1
++            ;;
++    esac
++    echo -n "Checking ${db} for the message (${counter} attempts): "
++    while [ ${counter} -gt 0 ]; do
++        count=$(eval "${cmd}")
++        if [ ${count} -eq 1 ]; then
++            echo
++            echo "Message correctly found in the ${db} ${dbname}.${table} table"
++            break
++        else
++            echo -n "."
++            counter=$((counter-1))
++            sleep 1s
++            continue
++        fi
++    done
++    if [ ${counter} -eq 0 ]; then
++        echo
++        echo "Failed to find message \"${message}\" in the ${db} ${dbname}.${table} table"
++        return 1
++    fi
++}
++
++try_enforce_apparmor() {
++    local apparmor_profile="/etc/apparmor.d/usr.sbin.rsyslogd"
++    local -i rc=0
++
++    if [ ! -d /etc/apparmor.d/rsyslog.d ]; then
++        echo "No /etc/apparmor.d/rsyslog directory, not touching apparmor status"
++
++    elif [ ! -f "${apparmor_profile}" ]; then
++        echo "No ${apparmor_profile} file, not touching apparmor status"
++
++    elif ! aa-status --enabled 2>/dev/null; then
++        echo "Apparmor disabled (aa-status)"
++
++    else
++        echo "Enforcing the ${apparmor_profile} apparmor profile"
++        aa-enforce "${apparmor_profile}" || rc=$?
++        if [ ${rc} -ne 0 ]; then
++            # This can fail on armhf in the Ubuntu DEP8 infrastructure
++            # because that environment restricts changing apparmor profiles.
++            # (See LP: #2008393)
++            arch=$(dpkg --print-architecture)
++            vendor=$(dpkg-vendor --query Vendor)
++            if [ "${arch}" = "armhf" ] && [ "${vendor}" = "Ubuntu" ]; then
++                echo "WARNING: failed to enforce apparmor profile."
++                echo "On armhf and Ubuntu DEP8 infrastructure, this is not a fatal error."
++                echo "See #2008393 for details."
++                rc=0
++            else
++                echo "ERROR: failed to enforce apparmor profile"
++            fi
++        fi
++    fi
++    return ${rc}
++}
 diff --git a/debian/usr.sbin.rsyslogd b/debian/usr.sbin.rsyslogd
 new file mode 100644
 index 0000000..73a4b96
 --- /dev/null
 +++ b/debian/usr.sbin.rsyslogd
@@ -0,0 +1,55 @@
++# Last Modified: Sun Sep 25 08:58:35 2011
++#include <tunables/global>
++
++# Debugging the syslogger can be difficult if it can't write to the file
++# that the kernel is logging denials to. In these cases, you can do the
++# following:
++# watch -n 1 'dmesg | tail -5'
++
++profile rsyslogd /usr/sbin/rsyslogd {
++  #include <abstractions/base>
++  #include <abstractions/nameservice>
++
++  capability sys_tty_config,
++  capability dac_override,
++  capability dac_read_search,
++  capability setuid,
++  capability setgid,
++  capability sys_nice,
++  capability syslog,
++
++  unix (receive) type=dgram,
++  unix (receive) type=stream,
++
++  # rsyslog configuration
++  /etc/rsyslog.conf r,
++  /etc/rsyslog.d/ r,
++  /etc/rsyslog.d/** r,
++  /{,var/}run/rsyslogd.pid{,.tmp} rwk,
++  /var/spool/rsyslog/ r,
++  /var/spool/rsyslog/** rwk,
++
++  /usr/sbin/rsyslogd mr,
++  /usr/lib{,32,64}/{,@{multiarch}/}rsyslog/*.so mr,
++
++  /dev/tty*                     rw,
++  /dev/xconsole                 rw,
++  @{PROC}/kmsg                  r,
++  # allow access to console (LP: #2009230)
++  /dev/console                  rw,
++
++  /dev/log                      rwl,
++  /{,var/}run/utmp              rk,
++  /var/lib/*/dev/log            rwl,
++  /var/spool/postfix/dev/log    rwl,
++  /{,var/}run/systemd/notify    w,
++
++  # 'r' is needed when using imfile
++  /var/log/**                   rw,
++
++  # apparmor snippets for rsyslog from other packages
++  include if exists <rsyslog.d>
++
++  # Site-specific additions and overrides. See local/README for details.
++  #include <local/usr.sbin.rsyslogd>
++}

Ubuntursyslog package

Merge ~xypron/ubuntu/+source/rsyslog:merge-lp2045033-noble-8.2312.0-2 into ubuntu/+source/rsyslog:debian/sid

Commit message

Description of the change

Unmerged commits

Preview Diff

Subscribers

Ubuntu
rsyslog package