upgrade to version 8.2406

OBS-URL: https://build.opensuse.org/package/show/Base:System/rsyslog?expand=0&rev=369

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

0001-use-logind-instead-of-utmp-for-wall-messages-with-sy.patch

@@ -0,0 +1,204 @@
+From 87c31b946d8d0a230f2db842328067eb5d8c5b08 Mon Sep 17 00:00:00 2001
+From: Thomas Blume <Thomas.Blume@suse.com>
+Date: Wed, 18 Oct 2023 16:22:45 +0200
+Subject: [PATCH] use logind instead of utmp for wall messages with systemd
+
+Future SUSE versions will get rid of utmp due to a 32bit time_t counter
+overflow in 2038.
+See details at:
+
+https://github.com/thkukuk/utmpx/blob/main/Y2038.md
+
+On systemd based systems logind is an alternative to utmp.
+---
+ tools/omusrmsg.c | 142 ++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 110 insertions(+), 32 deletions(-)
+
+diff --git a/tools/omusrmsg.c b/tools/omusrmsg.c
+index 6086d2d6b..aaa36d9e5 100644
+--- a/tools/omusrmsg.c
++++ b/tools/omusrmsg.c
+@@ -56,6 +56,11 @@
+ #ifdef HAVE_PATHS_H
+ #include <paths.h>
+ #endif
++#ifdef HAVE_LIBSYSTEMD
++#include <systemd/sd-daemon.h>
++#include <systemd/sd-login.h>
++#include <pwd.h>
++#endif
+ #include "rsyslog.h"
+ #include "srUtils.h"
+ #include "stringbuf.h"
+@@ -201,6 +206,42 @@ void endutent(void)
+ #endif  /* #ifdef OS_BSD */
+ 
+ 
++static void sendwallmsg(const char *tty, uchar* pMsg)
++{
++	uchar szErr[512];
++	int errnoSave;
++	char p[sizeof(_PATH_DEV) + UNAMESZ];
++	int ttyf;
++	struct stat statb;
++	int wrRet;
++
++	/* compute the device name */
++	strcpy(p, _PATH_DEV);
++	strncat(p, tty, UNAMESZ);
++
++	/* we must be careful when writing to the terminal. A terminal may block
++	 * (for example, a user has pressed <ctl>-s). In that case, we can not
++	 * wait indefinitely. So we need to use non-blocking I/O. In case we would
++	 * block, we simply do not send the message, because that's the best we can
++	 * do. -- rgerhards, 2008-07-04
++	 */
++
++	/* open the terminal */
++	if((ttyf = open(p, O_WRONLY|O_NOCTTY|O_NONBLOCK)) >= 0) {
++	  if(fstat(ttyf, &statb) == 0 && (statb.st_mode & S_IWRITE)) {
++	    wrRet = write(ttyf, pMsg, strlen((char*)pMsg));
++	    if(Debug && wrRet == -1) {
++	      /* we record the state to the debug log */
++	      errnoSave = errno;
++	      rs_strerror_r(errno, (char*)szErr, sizeof(szErr));
++	      dbgprintf("write to terminal '%s' failed with [%d]:%s\n",
++			p, errnoSave, szErr);
++	    }
++	  }
++	  close(ttyf);
++	}
++}
++
+ /*  WALLMSG -- Write a message to the world at large
+  *
+  *	Write the specified message to either the entire
+@@ -215,20 +256,78 @@ void endutent(void)
+  */
+ static rsRetVal wallmsg(uchar* pMsg, instanceData *pData)
+ {
+-
+-	uchar szErr[512];
+-	char p[sizeof(_PATH_DEV) + UNAMESZ];
+ 	register int i;
+-	int errnoSave;
+-	int ttyf;
+-	int wrRet;
+ 	STRUCTUTMP ut;
+ 	STRUCTUTMP *uptr;
+-	struct stat statb;
+ 	DEFiRet;
+ 
+ 	assert(pMsg != NULL);
+ 
++#ifdef HAVE_LIBSYSTEMD
++	if (sd_booted() > 0) {
++	        register int j;
++		int sdRet;
++		char **sessions_list;
++		int sessions = sd_get_sessions(&sessions_list);
++
++		for (j = 0; j < sessions; j++) {
++	                uchar szErr[512];
++			char *user = NULL, *tty;
++			uid_t uid;
++			struct passwd *pws;
++
++			sdRet = sd_session_get_uid(sessions_list[j], &uid);
++			if (sdRet >= 0) {
++				pws = getpwuid(uid);
++				user = pws->pw_name;
++
++				if (user == NULL) {
++					dbgprintf("failed to get username for userid '%d'\n", uid);
++					continue;
++				}
++			} else {
++		                /* we record the state to the debug log */
++		                rs_strerror_r(-sdRet, (char*)szErr, sizeof(szErr));
++				dbgprintf("get userid for session '%s' failed with [%d]:%s\n",
++					  sessions_list[j], -sdRet, szErr);
++				continue; /* try next session */
++			}
++			/* should we send the message to this user? */
++			if(pData->bIsWall == 0) {
++			        for(i = 0; i < MAXUNAMES; i++) {
++				        if(!pData->uname[i][0]) {
++					        i = MAXUNAMES;
++						break;
++					}
++					if(strncmp(pData->uname[i], user, UNAMESZ) == 0)
++					        break;
++				}
++				if(i == MAXUNAMES) { /* user not found? */
++				        free(user);
++					free(sessions_list[j]);
++					continue; /* on to next user! */
++				}
++			}
++			if ((sdRet = sd_session_get_tty(sessions_list[j], &tty)) < 0) {
++		                /* we record the state to the debug log */
++		                rs_strerror_r(-sdRet, (char*)szErr, sizeof(szErr));
++				dbgprintf("get tty for session '%s' failed with [%d]:%s\n",
++					  sessions_list[j], -sdRet, szErr);
++				free(user);
++				free(sessions_list[j]);
++				continue; /* try next session */
++			}
++
++			sendwallmsg(tty, pMsg);
++
++			free(user);
++			free(tty);
++			free(sessions_list[j]);
++		}
++		free(sessions_list);
++	} else {
++#endif
++
+ 	/* open the user login file */
+ 	setutent();
+ 
+@@ -259,35 +358,14 @@ static rsRetVal wallmsg(uchar* pMsg, instanceData *pData)
+ 				continue; /* on to next user! */
+ 		}
+ 
+-		/* compute the device name */
+-		strcpy(p, _PATH_DEV);
+-		strncat(p, ut.ut_line, UNAMESZ);
+-
+-		/* we must be careful when writing to the terminal. A terminal may block
+-		 * (for example, a user has pressed <ctl>-s). In that case, we can not
+-		 * wait indefinitely. So we need to use non-blocking I/O. In case we would
+-		 * block, we simply do not send the message, because that's the best we can
+-		 * do. -- rgerhards, 2008-07-04
+-		 */
+-
+-		/* open the terminal */
+-		if((ttyf = open(p, O_WRONLY|O_NOCTTY|O_NONBLOCK)) >= 0) {
+-			if(fstat(ttyf, &statb) == 0 && (statb.st_mode & S_IWRITE)) {
+-				wrRet = write(ttyf, pMsg, strlen((char*)pMsg));
+-				if(Debug && wrRet == -1) {
+-					/* we record the state to the debug log */
+-					errnoSave = errno;
+-					rs_strerror_r(errno, (char*)szErr, sizeof(szErr));
+-					dbgprintf("write to terminal '%s' failed with [%d]:%s\n",
+-						  p, errnoSave, szErr);
+-				}
+-			}
+-			close(ttyf);
+-		}
++		sendwallmsg(ut.ut_line, pMsg);
+ 	}
+ 
+ 	/* close the user login file */
+ 	endutent();
++#ifdef HAVE_LIBSYSTEMD
++	}
++#endif
+ 	RETiRet;
+ }
+ 
+-- 
+2.42.0
+

NetworkManager.frule

@@ -0,0 +1,9 @@
+#
+# NetworkManager into separate file and stop their further processing
+#
+if      ($programname == 'NetworkManager') or \
+        ($programname startswith 'nm-') \
+then {
+        -/var/log/NetworkManager
+        stop
+}

acpid.frule

@@ -0,0 +1,14 @@
+#
+# acpid messages into separate file and stop their further processing
+#
+# => all acpid messages for debuging (uncomment if needed):
+#if     ($programname == 'acpid' or $syslogtag == '[acpid]:') then \
+#       -/var/log/acpid
+#
+# => up to notice (skip info and debug)
+if      ($programname == 'acpid' or $syslogtag == '[acpid]:') and \
+        ($syslogseverity <= 5 /* notice */) \
+then {
+        -/var/log/acpid
+        stop
+}

firewall.frule

@@ -0,0 +1,9 @@
+#
+# firewall messages into separate file and stop their further processing
+#
+if      ($syslogfacility-text == 'kern') and \
+        ($msg contains 'IN=' and $msg contains 'OUT=') \
+then {
+        -/var/log/firewall
+        stop
+}

journald-rsyslog.conf

@@ -0,0 +1,2 @@
+[Journal]
+ForwardToSyslog=yes

module-mysql

@@ -0,0 +1,6 @@
+  # for logging to mysql DB (rsyslog-module-mysql)
+  #include <abstractions/mysql>
+  #include <abstractions/p11-kit>
+  /etc/my.cnf r,
+  /etc/my.cnf.d/ r,
+  /etc/my.cnf.d/* r,

module-snmp

@@ -0,0 +1,7 @@
+  # for logging to (rsyslog-module-snmp)
+  #include <abstractions/wutmp>
+  /proc/uptime r,
+  /usr/share/snmp/mibs/ r,
+  /usr/share/snmp/mibs/*.txt r,
+  /var/lib/net-snmp/mib_indexes/ rw,
+  /var/lib/net-snmp/mib_indexes/* rw,

module-udpspoof

@@ -0,0 +1,3 @@
+  # for logging with omudpspoof (rsyslog-module-udpspoof)
+  capability net_raw,
+  network inet raw,

rsyslog-8.2306.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f6283efaadc609540a56e6bec88a362c966e77f29fe48e6b734bd6c1123e0be5
+size 3293380

rsyslog-8.2406.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1343e0269dd32166ffde04d7ceebfa0e7146cf1dbc6962c56bf428c61f01a7df
+size 3412827

rsyslog-doc-8.2306.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b8c6831305462c80cc13d9a7991c82d86ea229c3bdec2ccef6a6db2fce751445
+size 6637017

rsyslog-doc-8.2406.0.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5b4629d51651bcc4b10b9576c02add4a30d41871c3a56e11e442a7806889f1ef
+size 6568856

rsyslog-service-prepare.in

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+test -s "/etc/sysconfig/syslog" && \
+      . "/etc/sysconfig/syslog"
+
+run_dir="RUN_DIR"
+cfg_file="ADDITIONAL_SOCKETS"
+
+umask 0022
+/bin/mkdir -p -m 0755 "${run_dir}"
+
+#
+# Prepare include with sockets in chroot's
+#
+> "${cfg_file}"
+for variable in ${!SYSLOGD_ADDITIONAL_SOCKET*}; do
+	eval value=\$$variable
+	test -z "$value" && continue
+	test -d "${value%/*}" || continue
+	echo "\$AddUnixListenSocket $value"
+done >> "${cfg_file}"
+
+#
+# make sure xconsole exists and is a pipe
+#
+if test -e /dev/xconsole -a ! -p /dev/xconsole ; then
+	/bin/rm -f /dev/xconsole
+fi
+if test ! -e /dev/xconsole ; then
+	/bin/mknod -m 0600  /dev/xconsole p
+	/bin/chown root:tty /dev/xconsole
+	restorecon /dev/xconsole 2> /dev/null
+fi
+
+exit 0
+

rsyslog.conf.in

@@ -0,0 +1,150 @@
+##
+## === When you're using remote logging, enable on-disk queues ===  
+## === in rsyslog.d/remote.conf.                               ===
+##
+## Note, that when the MYSQL, PGSQL, GSSAPI, GnuTLS or SNMP modules
+## (provided in separate rsyslog-module-* packages) are enabled, the
+## configuration can't be used on a system with /usr on a remote
+## filesystem, except on newer systems where initrd mounts /usr.
+## [The modules are linked against libraries installed bellow of
+##  /usr thus also installed in /usr/lib*/rsyslog because of this.]
+##
+
+#
+# if you experience problems, check
+# http://www.rsyslog.com/troubleshoot for assistance
+# and report them at https://bugzilla.suse.com/ for SUSE Linux Enterprise
+# or https://bugzilla.opensuse.org/ for openSUSE
+#
+
+# since rsyslog v3: load input modules
+# If you do not load inputs, nothing happens!
+
+# provides --MARK-- message capability (every 1 hour)
+$ModLoad immark.so
+$MarkMessagePeriod      3600
+
+# provides support for local system logging (e.g. via logger command)
+$ModLoad imuxsock.so
+
+# reduce dupplicate log messages (last message repeated n times)
+$RepeatedMsgReduction   on
+
+# kernel logging (may be also provided by /sbin/klogd)
+# see also http://www.rsyslog.com/doc-imklog.html.
+$ModLoad imklog.so
+
+#
+# Set the default permissions for all log files.
+#
+$FileOwner root
+$FileGroup root
+$FileCreateMode 0640
+$DirCreateMode 0750
+$Umask 0022
+
+# Use rsyslog native, rfc5424 conform log format as default
+# ($ActionFileDefaultTemplate RSYSLOG_FileFormat).
+#
+# To change a single file to use obsolete BSD syslog format
+# (rfc 3164, no high-precision timestamps), set the variable
+# bellow or append ";RSYSLOG_FileFormat" to the filename.
+# See
+#   http://www.rsyslog.com/doc/rsyslog_conf_templates.html
+# for more informations.
+#
+#$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
+
+#
+# Include config generated by /etc/init.d/syslog script
+# using the SYSLOGD_ADDITIONAL_SOCKET* variables in the
+# /etc/sysconfig/syslog file.
+#
+$IncludeConfig ADDITIONAL_SOCKETS
+
+#
+# Include config files, that the admin provided? :
+#
+$IncludeConfig ETC_RSYSLOG_D_GLOB
+
+###
+# print most important on tty10 and on the xconsole pipe
+#
+if	( \
+	    /* kernel up to warning except of firewall  */ \
+	    ($syslogfacility-text == 'kern')      and      \
+	    ($syslogseverity <= 4 /* warning */ ) and not  \
+	    ($msg contains 'IN=' and $msg contains 'OUT=') \
+	) or ( \
+	    /* up to errors except of facility authpriv */ \
+	    ($syslogseverity <= 3 /* errors  */ ) and not  \
+	    ($syslogfacility-text == 'authpriv')           \
+	) \
+then {
+	/dev/tty10
+	|/dev/xconsole
+}
+
+
+# Emergency messages to everyone logged on (wall)
+*.emerg					 :omusrmsg:*
+
+# enable this, if you want that root is informed
+# immediately, e.g. of logins
+#*.alert				root
+
+
+#
+# Additional filter rules
+#
+$IncludeConfig /etc/rsyslog.d/*.frule
+
+
+#
+# email-messages
+#
+mail.*					-/var/log/mail
+mail.info				-/var/log/mail.info
+mail.warning				-/var/log/mail.warn
+mail.err				 /var/log/mail.err
+
+
+#
+# news-messages
+#
+#news.crit				-/var/log/news/news.crit
+#news.err				-/var/log/news/news.err
+#news.notice				-/var/log/news/news.notice
+# enable this, if you want to keep all news messages
+# in one file
+#news.*					-/var/log/news.all
+
+
+#
+# Warnings in one file
+#
+*.=warning;*.=err			-/var/log/warn
+*.crit					 /var/log/warn
+
+
+#
+# the rest in one file
+#
+*.*;mail.none;news.none			-/var/log/messages
+
+
+#
+# enable this, if you want to keep all messages
+# in one file
+#*.*					-/var/log/allmessages
+
+
+#
+# Some foreign boot scripts require local7
+#
+local0.*;local1.*			-/var/log/localmessages
+local2.*;local3.*			-/var/log/localmessages
+local4.*;local5.*			-/var/log/localmessages
+local6.*;local7.*			-/var/log/localmessages
+
+###

rsyslog.d.remote.conf.in

@@ -0,0 +1,85 @@
+##
+## === When you're using remote logging, enable on-disk queues ===  
+## === in rsyslog.d/remote.conf.                               ===
+##
+## Note, that when the MYSQL, PGSQL, GSSAPI, GnuTLS or SNMP modules
+## (provided in separate rsyslog-module-* packages) are enabled, the
+## configuration can't be used on a system with /usr on a remote
+## filesystem, except on newer systems where initrd mounts /usr.
+## [The modules are linked against libraries installed bellow of
+##  /usr thus also installed in /usr/lib*/rsyslog because of this.]
+##
+
+# ######### Enable On-Disk queues for remote logging ##########
+#
+# An on-disk queue is created for this action. If the remote host is
+# down, messages are spooled to disk and sent when it is up again.
+#
+#$WorkDirectory RSYSLOG_SPOOL_DIR # where to place spool files
+#$ActionQueueFileName uniqName # unique name prefix for spool files
+#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
+#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
+#$ActionQueueType LinkedList   # run asynchronously
+#$ActionResumeRetryCount -1    # infinite retries if host is down
+
+# ######### Sending Messages to Remote Hosts ########## 
+
+# Remote Logging using TCP for reliable delivery
+# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
+#*.* @@remote-host
+
+# Remote Logging using UDP
+# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
+#*.* @remote-host
+
+# ######### Receiving Messages from Remote Hosts ########## 
+# TCP Syslog Server:
+# provides TCP syslog reception and GSS-API (if compiled to support it)
+# see https://www.rsyslog.com/receiving-messages-from-a-remote-system
+# module(load="imtcp")
+# input(type="imtcp" port="514" Address="10.10.0.1")
+# alternative syntax
+#$ModLoad imtcp.so         # load module
+#$Address 10.10.0.1        # force to listen on this IP only
+#$Port <port>              # Starts a TCP server on selected port
+# Legacy configuration parameters that should not be used when crafting new configuration files.
+##$UDPServerAddress 10.10.0.1 # force to listen on this IP only
+#$InputTCPServerRun <port> # Starts a TCP server on selected port
+
+# UDP Syslog Server:
+# module(load="imudp")
+# input(type="imudp" port="514" Address="10.10.0.1")
+# alternative syntax
+#$ModLoad imudp.so         # provides UDP syslog reception
+#$Adress 10.10.0.1         # force to listen on this IP only
+#$Port 514                 # start a UDP syslog server at standard port 514
+# Legacy configuration parameters that should not be used when crafting new configuration files.
+#$UDPServerAddress 10.10.0.1 # force to listen on this IP only
+#$UDPServerRun 514         # start a UDP syslog server at standard port 514
+
+########### Encrypting Syslog Traffic with TLS ##########
+# -- TLS Syslog Server: 
+## make gtls driver the default
+#$DefaultNetstreamDriver gtls
+#
+## certificate files
+#$DefaultNetstreamDriverCAFile ETC_RSYSLOG_D_DIR/ca.pem
+#$DefaultNetstreamDriverCertFile ETC_RSYSLOG_D_DIR/server_cert.pem
+#$DefaultNetstreamDriverKeyFile ETC_RSYSLOG_D_DIR/server_key.pem
+#
+#$ModLoad imtcp # load TCP listener
+#
+#$InputTCPServerStreamDriverMode 1 # run driver in TLS-only mode
+#$InputTCPServerStreamDriverAuthMode anon # client is NOT authenticated
+#$InputTCPServerRun 10514 # start up listener at port 10514
+#
+# -- TLS Syslog Client:
+## certificate files - just CA for a client
+#$DefaultNetstreamDriverCAFile ETC_RSYSLOG_D_DIR/ca.pem
+#
+## set up the action
+#$DefaultNetstreamDriver gtls # use gtls netstream driver
+#$ActionSendStreamDriverMode 1 # require TLS for the connection
+#$ActionSendStreamDriverAuthMode anon # server is NOT authenticated
+#*.* @@(o)server.example.net:10514 # send (all) messages
+

rsyslog.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=System Logging Service
+Requires=syslog.socket
+After=network.target network-online.target
+Conflicts=syslog-ng.service syslogd.service
+Documentation=man:rsyslogd(8)
+Documentation=http://www.rsyslog.com/doc/
+
+[Service]
+Type=notify
+Environment=RSYSLOGD_PARAMS=
+EnvironmentFile=-/etc/sysconfig/syslog
+ExecStartPre=/usr/sbin/rsyslog-service-prepare
+ExecStart=/usr/sbin/rsyslogd -n -iNONE $RSYSLOGD_PARAMS
+ExecReload=/bin/kill -HUP $MAINPID
+StandardOutput=null
+Restart=on-abort
+
+# Increase the default a bit in order to allow many simultaneous
+# files to be monitored, we might need a lot of fds.
+LimitNOFILE=16384
+
+[Install]
+WantedBy=multi-user.target
+Alias=syslog.service

rsyslog.sysconfig

@@ -0,0 +1,16 @@
+## Type:           string
+## Default:        ""
+## Config:         ""
+## ServiceRestart: syslog
+#
+# Parameters for rsyslogd, except of the version compatibility (-c)
+# and the config file (-f), because they're used by sysconfig and
+# earlysysconfig init scripts.
+#
+# See also the RSYSLOGD_COMPAT_VERSION variable in this file, the
+# documentation provided in /usr/share/doc/packages/rsyslog/doc by
+# the rsyslog-doc package and the rsyslogd(8) and rsyslog.conf(5)
+# manual pages.
+#
+RSYSLOGD_PARAMS=""
+

usr.sbin.rsyslogd

@@ -0,0 +1,51 @@
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2014 Novell/SUSE
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#include <tunables/global>
+
+/usr/sbin/rsyslogd {
+  #include <abstractions/base>
+  #include <abstractions/consoles>
+  # general networking is allowed here
+  #include <abstractions/nameservice>
+
+  capability dac_override,
+  capability sys_nice,
+  capability sys_tty_config,
+  capability syslog,
+  deny capability block_suspend,
+
+  /dev/tty* w,
+  /dev/xconsole rw,
+
+  /etc/rsyslog.conf r,
+  /etc/rsyslog.d/ r,
+  /etc/rsyslog.d/* r,
+
+  /usr/lib{,32,64}/rsyslog/* mr,
+  /usr/sbin/rsyslogd mr,
+
+  /var/log/** rw,
+  /var/lib/*/dev/log w,
+
+  /proc/kmsg r,
+
+  /{var/,}run/rsyslog/* r,
+  /{var/,}run/rsyslogd.pid rwk,
+  /{var/,}run/systemd/journal/syslog w,
+
+  # include rules for rsyslog-module-* packages
+  #include "/usr/share/apparmor/extra-profiles/rsyslog.d"
+  
+  # for logging via TLS (rsyslog-module-gtls)
+  # keys/certificates need to be located under /etc/rsyslog.d or permissions need to be adjusted here
+  # rsyslog tries to write to the certificates for no reason, so deny this quietly
+  deny /etc/rsyslog.d/* w,
+}