Re: [GLLUG] RedHat syslog setup

Tue, 01 Oct 2024 07:25:49 -0700 



I think, after looking around, that what they are trying to say is that Red Hat is using systemd for logging (*shudder*) which is a new thing to me. 

However, absolutely none of the different installation images we have from them did what they claim. 


Regards,
Henrik Morsing


On Fri, Sep 27, 2024 at 01:26:07PM +0100, Henrik Morsing via GLLUG wrote:


Good afternoon,

We, not sure where from, get some emails titled "Red Hat Insights" that we have so far 
ignored. Deciding that maybe we should pay some more attention to them, I picked up the first 
"issue" reported which link to this article:

https://access.redhat.com/solutions/7068626

Basically something about a process writing to /dev/log if you have selinux 
enabled will make the system very slow. I ran through the three checks 
mentioned in the article, all came back negative.


So I submitted a ticket with RedHat "Support" and some bizarre 
discussions ensued.


The "Insight" apparently boils down to two things that we have allegedly 
altered from default (we have not):

1) /dev/log is a device, not a link to /run/systemd/journal/dev-log
2) Local logging is enabled as SysSock.Use="off" is missing from rsyslog.conf

I've asked my three other team members (and already knew they weren't the type 
of people who'd fiddle with things like that) and checked our Ansible playbooks 
to make sure no-one in the past had snuck something in there changing these two 
things. Found nothing.

I then went on to check three systems, two of which are new PoC systems 
installed from very recently downloaded RedHat images:

RHEL x86 9.2
RHEL x86 8.10
RHEL PPC 8.6

They're all the same. /dev/log is a socket and SysSock has not been disabled.

I also don't understand the reasoning behind disabling local logging. Surely 
that's the whole purpose of syslog? I can understand a dedicated log collector, 
maybe (or?) but running syslog on hosts and disable logging just seems 
pointless to me.

What am I getting wrong here? I escalated the ticket but the "Supporter" has 
just updated it saying he already spoke to his manager who agrees with him.

I'm at a loss.

Regards,
Henrik Morsing

--
GLLUG mailing list
GLLUG@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/gllug


--


--
GLLUG mailing list
GLLUG@mailman.lug.org.uk
https://mailman.lug.org.uk/mailman/listinfo/gllug






















					Reply via email to