[GLLUG] RedHat syslog setup

Henrik Morsing henrik at morsing.cc
Tue Oct 1 11:57:07 UTC 2024 

I think, after looking around, that what they are trying to say is that Red Hat is using systemd for logging (*shudder*) which is a new thing to me. 

However, absolutely none of the different installation images we have from them did what they claim. 

Regards,
Henrik Morsing


On Fri, Sep 27, 2024 at 01:26:07PM +0100, Henrik Morsing via GLLUG wrote:
>
>Good afternoon,
>
>We, not sure where from, get some emails titled "Red Hat Insights" that we have so far ignored. Deciding that maybe we should pay some more attention to them, I picked up the first "issue" reported which link to this article:
>
>https://access.redhat.com/solutions/7068626
>
>Basically something about a process writing to /dev/log if you have selinux enabled will make the system very slow. I ran through the three checks mentioned in the article, all came back negative.
>
>So I submitted a ticket with RedHat "Support" and some bizarre 
>discussions ensued.
>
>The "Insight" apparently boils down to two things that we have allegedly altered from default (we have not):
>
>1) /dev/log is a device, not a link to /run/systemd/journal/dev-log
>2) Local logging is enabled as SysSock.Use="off" is missing from rsyslog.conf
>
>I've asked my three other team members (and already knew they weren't the type of people who'd fiddle with things like that) and checked our Ansible playbooks to make sure no-one in the past had snuck something in there changing these two things. Found nothing.
>
>I then went on to check three systems, two of which are new PoC systems installed from very recently downloaded RedHat images:
>
>RHEL x86 9.2
>RHEL x86 8.10
>RHEL PPC 8.6
>
>They're all the same. /dev/log is a socket and SysSock has not been disabled.
>
>I also don't understand the reasoning behind disabling local logging. Surely that's the whole purpose of syslog? I can understand a dedicated log collector, maybe (or?) but running syslog on hosts and disable logging just seems pointless to me.
>
>What am I getting wrong here? I escalated the ticket but the "Supporter" has just updated it saying he already spoke to his manager who agrees with him.
>
>I'm at a loss.
>
>Regards,
>Henrik Morsing
>
>-- 
>GLLUG mailing list
>GLLUG at mailman.lug.org.uk
>https://mailman.lug.org.uk/mailman/listinfo/gllug

--

More information about the GLLUG mailing list