Bug 1731821

Summary: [Insights/Rule/Bug] rsyslog imjournal false positive
Product: Red Hat Hybrid Cloud Console (console.redhat.com) Reporter: Nikhil Gupta <ngupta>
Component: Insights - RulesAssignee: Zhang Jiajun <jiazhang>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Jaylin Zhou <zzhou>
Severity: low Docs Contact: Kevin Blake <kblake>
Priority: unspecified    
Version: unspecifiedCC: jnewton, peter.vreman, robwilli
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-09 00:23:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1122832    

Description Nikhil Gupta 2019-07-22 06:51:38 UTC
Description of problem:
The new rule 'Date and time jumps in logs managed by rsyslogd when imjournal.state is not configured' is triggered what looks to me 'random' set of 80 servers out of ~400.

And in the end we are not using the imjournal configuration item at all.

Please review the rule why on a subset of consistent configured servers are matching and why it can it is triggered although the keyword imjournal is not used.

Additional info:
Looking in rules.json i also find only /etc/rsyslog.conf is checked, but the /etc/rsyslog.d/*.conf files are not checked. We emptied the rsyslog.conf and only use /etc/rsyslog.d/*.conf files for the configuration