Bug 1251177 - RFC: Reduce verbosity in /var/log/messages (or journalctl)
Summary: RFC: Reduce verbosity in /var/log/messages (or journalctl)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: setroubleshoot
Version: 7.1
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Petr Lautrbach
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1252069
Depends On:
Blocks: 1203710 1295396 1296594 1313485
Reported: 2015-08-06 15:53 UTC by Paulo Andrade
Modified: 2019-12-16 04:51 UTC
CC: 8 users

Fixed In Version: setroubleshoot-3.2.26-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 02:56:55 UTC
Target Upstream Version:
Embargoed:




Links:
Red Hat Product Errata RHBA-2016:2298 (priority normal, status SHIPPED_LIVE): setroubleshoot bug fix update, last updated 2016-11-03 13:38:51 UTC

Internal Links: 1252069

Description Paulo Andrade 2015-08-06 15:53:12 UTC
Is there some way to reduce verbosity in setroubleshoot
log messages?

  User wants to only see:

$DATE $HOST setroubleshoot: SELinux is preventing $SOMETHING. For complete SELinux messages. run sealert -l $HASH

and then run the suggested command manually, without
clobbering the logs with too many, too long, and repeated
messages.

Comment 2 Petr Lautrbach 2015-08-07 13:12:28 UTC
I'm afraid that it is not possible directly in setroubleshootd now.

There's an ongoing update for rhel-7.2 which removes debug messages from logs unless loglevel is set to DEBUG.

However, it won't remove a plugin output from logs. Please file an RFE bug for rhel-7.3 with this feature and we'll try to provide a way to disable logging of plugins output or at least make it simply filterable if it's feasible.

Comment 3 Paulo Andrade 2015-08-07 14:04:32 UTC
Petr,

In case you missed it, there is a collaboration note, from
ssekidde at redhat.com, in the Customer Portal, that better
describes the user problem:

---8<---
Looking at /var/log/messages

Jul 29 17:35:03 HOSTNAME audispd: queue is full - dropping event

$ grep "audispd: queue is full - dropping event" SOSREPORT/var/log/messages | wc -l
544

Basically these messages appear when audispd is trying to send current events to all the plugins but the plugins aren't working fast enough. 

And which plugins are these? 

ll /etc/audisp/plugins.d/
total 12
-rw-r-----. 1 root root 358 Jan 14  2015 af_unix.conf
-rw-r--r--. 1 root root 170 Mar 23 04:56 sedispatch.conf <-------
-rw-r-----. 1 root root 453 Jan 14  2015 syslog.conf

The SELinux notification workflow assuming auditd, rsyslog and sedispatch are running is

 auditd --> audispd --> sedispatch --> [dbus message] --> setroubleshootd --> [dbus signal] --> (seapplet) --> sealert

Why is it happening? 

This is an overflow condition as the warning message is from audispd

From /etc/audisp/audispd.conf 

      6 q_depth = 150
      7 overflow_action = SYSLOG <------
      8 priority_boost = 4

The fix is to increase the queue and priority above. More so the priority, but the bigger problem is getting the SELinux problems fixed.
---8<---

Comment 4 Petr Lautrbach 2015-08-07 14:22:00 UTC
I've read it but I might not understand it right or there are two problems.

My understanding is that the customer wants to suppress output from plugin analysis like:

    *****  Plugin %s (%.4s confidence) suggests 
    ...

while he wants to have messages suggesting the use of sealert:

    For complete SELinux messages. run sealert -l %s


The plugin analysis is sent using:

    systemd.journal.send(siginfo.format_text(), OBJECT_PID=pid)

therefore it can't be dropped or filtered right now as there's no FACILITY, PRIORITY or a config option for that.

Comment 7 Steve B 2015-08-10 16:15:42 UTC
I have the same problem (and the same request), but I have a workaround for the meantime until a proper fix is done.

I added an rsyslog filter in a file in the folder /etc/rsyslog.d/ with

if $programname == 'python' and $msg startswith 'SELinux is preventing' then {
   action(type="omfile" file="/var/log/selinux-python-output.log")
   stop
}

It removes the detailed plugin suggestions from /var/log/messages but keeps the first ...setroubleshoot: SELinux is preventing... in it.
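One way to check what such a rule does before deploying it, as an added example that is not from this bug thread, setroubleshoot or rsyslog: a Python script that applies the same condition (program name 'python' and message starting with 'SELinux is preventing') to a handful of syslog lines, routes them the way the rule would, collects the sealert ids left in the short summary line, and counts the audispd overflow warnings quoted in comment 3. The log lines, host name, paths and the sealert id are constructed for the example.

```python
"""Offline check of the rsyslog rule from comment 7.

Added example, not code from the bug thread or from setroubleshoot/rsyslog.
It applies the rule's condition ($programname == 'python' and $msg startswith
'SELinux is preventing') to constructed syslog lines, routes them the way
rsyslog would, pulls out the sealert ids left in the short summary line and
counts the "audispd: queue is full" lines from comment 3.
"""
import re
from typing import Dict, List, Optional

# Classic /var/log/messages line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# The short setroubleshoot summary ends with "run sealert -l <uuid>"
SEALERT_RE = re.compile(
    r"sealert -l (?P<id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})"
)

# Constructed sample lines (host name, paths and the sealert id are made up).
# The second line stands for the full plugin report that setroubleshootd sends
# to the journal from its python process; rsyslog renders the embedded
# newlines as #012.
SAMPLE_LOG: List[str] = [
    "Aug  6 15:53:12 host1 setroubleshoot: SELinux is preventing /usr/sbin/httpd "
    "from name_connect access on the tcp_socket port 3306. For complete SELinux "
    "messages. run sealert -l 3f2a1c4e-9b8d-4c6a-a1e2-5d7f8b9c0d1e",
    "Aug  6 15:53:12 host1 python: SELinux is preventing /usr/sbin/httpd from "
    "name_connect access on the tcp_socket port 3306.#012#012*****  Plugin "
    "catchall_boolean (47.5 confidence) suggests   ******************#012...",
    "Aug  6 15:53:13 host1 audispd: queue is full - dropping event",
    "Aug  6 15:53:13 host1 audispd: queue is full - dropping event",
    "Aug  6 15:53:14 host1 sshd[1234]: Accepted publickey for admin "
    "from 192.0.2.10 port 51234 ssh2",
    "Aug  6 15:55:01 host1 setroubleshoot: SELinux is preventing /usr/sbin/httpd "
    "from name_connect access on the tcp_socket port 3306. For complete SELinux "
    "messages. run sealert -l 3f2a1c4e-9b8d-4c6a-a1e2-5d7f8b9c0d1e",
    "this is not a syslog line",
]


def parse_syslog_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the named fields of a classic syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def matches_rsyslog_rule(rec: Dict[str, Optional[str]]) -> bool:
    """The comment 7 condition. The short summary is logged under the ident
    'setroubleshoot', so only the journal message from the python process
    matches and the summary line stays in /var/log/messages."""
    msg = rec["msg"] or ""
    return rec["prog"] == "python" and msg.startswith("SELinux is preventing")


def route_lines(lines: List[str]) -> Dict[str, List[str]]:
    """Split lines into what stays in messages and what goes to the side file."""
    routed: Dict[str, List[str]] = {
        "messages": [], "selinux-python-output": [], "unparsed": []}
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:
            routed["unparsed"].append(line)
        elif matches_rsyslog_rule(rec):
            routed["selinux-python-output"].append(line)
        else:
            routed["messages"].append(line)
    return routed


def sealert_ids(lines: List[str]) -> List[str]:
    """Distinct sealert ids, in first-seen order, for the admin to run by hand."""
    seen: List[str] = []
    for line in lines:
        m = SEALERT_RE.search(line)
        if m and m.group("id") not in seen:
            seen.append(m.group("id"))
    return seen


def audispd_drops(lines: List[str]) -> int:
    """Count the overflow warnings from comment 3 (the grep | wc -l there)."""
    count = 0
    for line in lines:
        rec = parse_syslog_line(line)
        if rec and rec["prog"] == "audispd" and (rec["msg"] or "").startswith("queue is full"):
            count += 1
    return count


if __name__ == "__main__":
    routed = route_lines(SAMPLE_LOG)
    for target, entries in routed.items():
        print(f"{target}: {len(entries)} line(s)")
    print("sealert ids to run:", sealert_ids(SAMPLE_LOG))
    print("audispd overflow warnings:", audispd_drops(SAMPLE_LOG))
```

The point the sample makes is that both the summary line and the full report begin with "SELinux is preventing", so the program-name clause is what keeps the summary in /var/log/messages; a rule on the message prefix alone would move both. The audispd count is the same signal the collaboration note grepped for and is worth watching after the queue settings are changed.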

Comment 9 Petr Lautrbach 2016-05-31 10:48:33 UTC
*** Bug 1252069 has been marked as a duplicate of this bug. ***

Comment 11 Petr Lautrbach 2016-06-02 14:44:47 UTC
$ cat /etc/setroubleshoot/setroubleshoot.conf
...
[setroubleshootd_log]
# log_full_report: True|False, log full report analysis to journal
log_full_report = True


log_full_report = True => the behavior doesn't change and a whole report analysis is logged to journal.

log_full_report = False => only 'sealert -l ...' is logged and it's up to a user to run sealert herself.

Comment 15 errata-xmlrpc 2016-11-04 02:56:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2298.html

