[GLLUG] RedHat syslog setup

Henrik Morsing henrik at morsing.cc
Fri Sep 27 12:26:07 UTC 2024


Good afternoon,

We, not sure where from, get some emails titled "Red Hat Insights" that we have so far ignored. Deciding that maybe we should pay some more attention to them, I picked up the first "issue" reported, which links to this article:

https://access.redhat.com/solutions/7068626

Basically something about a process writing to /dev/log if you have SELinux enabled will make the system very slow. I ran through the three checks mentioned in the article, all came back negative.

So I submitted a ticket with RedHat "Support" and some bizarre discussions ensued. 

The "Insight" apparently boils down to two things that we have allegedly altered from default (we have not):

1) /dev/log is a device, not a link to /run/systemd/journal/dev-log
2) Local logging is enabled as SysSock.Use="off" is missing from rsyslog.conf

I've asked my three other team members (and already knew they weren't the type of people who'd fiddle with things like that) and checked our Ansible playbooks to make sure no-one in the past had snuck something in there changing these two things. Found nothing.

I then went on to check three systems, two of which are new PoC systems installed from very recently downloaded RedHat images:

RHEL x86 9.2
RHEL x86 8.10
RHEL PPC 8.6

They're all the same. /dev/log is a socket and SysSock has not been disabled.

I also don't understand the reasoning behind disabling local logging. Surely that's the whole purpose of syslog? I can understand a dedicated log collector, maybe (or?) but running syslog on hosts and disabling logging just seems pointless to me.

What am I getting wrong here? I escalated the ticket but the "Supporter" has just updated it saying he already spoke to his manager who agrees with him.

I'm at a loss.

Regards,
Henrik Morsing
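
The two conditions listed in the message (what kind of file /dev/log is, and whether SysSock.Use="off" appears in the rsyslog configuration) can be checked per host with a short script. This is an added example, not part of the original post or of the Red Hat article; the function names and the /etc/rsyslog.d/*.conf include path are assumptions.

```shell
#!/bin/sh
# Added example: report the two settings discussed in the post.
# Paths are arguments so the checks can also run against a copied tree.

# Classify the syslog socket path.
# Prints "symlink:<target>", "socket", "other" or "missing".
dev_log_kind() {
    path="${1:-/dev/log}"
    if [ -L "$path" ]; then
        printf 'symlink:%s\n' "$(readlink "$path")"
    elif [ -S "$path" ]; then
        echo socket
    elif [ -e "$path" ]; then
        echo other
    else
        echo missing
    fi
}

# Prints "off" if any given config file sets SysSock.Use="off",
# otherwise "on-or-unset". Comments are stripped first so that a
# commented-out setting is not counted.
syssock_use() {
    found=on-or-unset
    for f in "$@"; do
        [ -f "$f" ] || continue
        if sed 's/#.*//' "$f" |
            grep -Eiq 'SysSock\.Use[[:space:]]*=[[:space:]]*"off"'; then
            found=off
        fi
    done
    echo "$found"
}

# Report for the local host (include path is an assumption).
echo "/dev/log:    $(dev_log_kind /dev/log)"
echo "SysSock.Use: $(syssock_use /etc/rsyslog.conf /etc/rsyslog.d/*.conf)"
```

Running it from Ansible across the three release/architecture combinations named in the message gives a comparable record to attach to a support ticket.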


