[CentOS] rsyslog.conf

Looking at the same manpage, it seems that these selectors are not really being removed, just renamed. The old names are being deprecated.


Instead of Use
========== ===
warn warning
err error
panic emerg






Best regards


Dave Windsor
AdP/TEF7

Thanks. I didn't see that.


Unfortunately, it still didn't solve the problem (my manager's
newly-upgraded fedora from 20->22, and according to the bugzilla bug, the
systemd developers want *all* logs, and they're dumping *everything* from
auditd, all successes by root jobs, cron, everything - fine, I suppose,
for someone debugging systemd....)


        mark

Sorry for the top post, Outlook defaults strike again.....


Best regards


Dave Windsor
AdP/TEF7

Outlook forces you to write above ? :-)

Perhaps I should say instead that it "strongly encourages" top posting, and all our internal emails follow that convention.


It's habit-forming.... :-)


Best regards


Dave Windsor
AdP/TEF7

Yeah, and it's an M$ innovation I *really* dislike. I've had disagreements
with my wife about that. What was it, Lookout, er Outlook '08 that did
that?


The *real* issue is that the way email traditionally was, with bottom
posting, or intercollation, made it *readable*, and esp. if you come into
a thread late, you could figure out what was going on.


I don't know of any written language on the planet that reads from the
bottom up... and if *anyone* doesn't top post, like a lot of us, it makes
it unreadable (up, down, up, down, down, up....)... which is why the
generally-agreed convention on every mailing list I'm on is traditional
format.


        mark "Kill Bill...."

and all our internal emails follow that convention.
posting, or intercollation, made it *readable*, and esp. if you come
into

"Come to the thread late" argument is the only rationale for "no top
posting" in case of mail lists I can figure myself. Plus to have all
messages in some standard format.


I hope, the following will make piece between you and your wife. In
regular e-mail exchange both parties are constantly "in sync", thus
understand what previous statements this particular message deals with.
Therefore I personally find it advantageous in private exchange to have
new information - i.e. message I'm writing - be right at the top of
current e-mail. This is my current message I want my recipient to read
(but the rest of exchange is after it as well for recipient's
convenience). I can say many bad words about Microsoft, but this rationale
for private mail exchange is something I will not blame them about.


So far I collected two arguments to not "top post" on mail lists:


1. standardized format of all messages with answers (like the whole thread
in front of your eyes, and it is always in the same format)


2. easier reading for "new comers" to the thread: in chronological order.


Any others rationales?


Valeri

bottom up... and if *anyone* doesn't top post, like a lot of us, it
makes
generally-agreed convention on every mailing list I'm on is traditional
format.



++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

Physically dragging the thread back on topic...


I really am going crazy, trying to deal with the hourly logs from the
loghost. We've got 170+ servers and workstations... but a *very* large
percentage of what's showing up is from his bloody new fedora 22, with its
idiot systemd logging of *ever* selinux message to /var/log/messages.


I tried creating a rule, /etc/rsyslog.d/audit.conf, that reads:


if $msg contains "audit" and $msg,contains,'res=success' then -


but that seemed to send *everything* to /dev/null. That was my best guess,
based on googling (yahooing?) and man pages. Can anyone tell me what's
wrong with that syntax?


        mark

systemctl enable auditd
systemctl start auditd


Now your SELinux (and other audit) logs are going to
/var/log/audit/audit.log.

Um, no. That was where I started this thread - my manager updated his
fedora box from 20 to 22, and there's a bug about it
<https://bugzilla.redhat.com/show_bug.cgi?id27379>, where it appears
that the systemd folks have demanded *all* logs, and are multicast
spitting out the selinux logs *als0* to /var/log/messages.


And I just checked, and yes, auditd is running.


So I'm back to trying to find the correct syntax to filter all the
successes seen by auditd from getting to messages....


        mark

There's ~4 aspects to that bug so it's just going to have to settle
out, with the main one being comment 25 where systemd-journald is
enabling audit and inappropriately mixing data with different
discretion levels.

Well, my habit for regular e-mail exchange is "top posting" thus the
person reads my message thus is right to the point why this particular
message message was sent in a first place... But when mail lists are
concerned, I do an opposite, that is I follow mail lists conventions. I
never thought about rationale behind them, I'm just following them. I
believe, if some day someone gives reasons why top posting is bad in case
of mail lists it will really be great. The only reason I can come up with
myself would be: whoever reads message received through mail lists usually
has no idea about previous exchange in this thread, thus needs all
exchange in chronological order. Which I'm not certain is a good reason,
so those who know and insists strongly about "no top posting" are
encouraged to give others the reasons behind that. Again, I'm not "top
posting" on the lists. However, _this_ ("top posting") is my regular way
in private exchange (and it has good reasons behind it).


Valeri


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

well, as you wrote: ... because in conventional spelling systems of western
languages, text is written from the top to the bottom (applies also for reading).
To rephrase it: the "usability" is higher while reading bottom posted messages.
Furthermore stripping is normally done more (footers, disclaimers etc. disappears)
when bottom posted. This cleans the context additionally ...


The problem gets worse when both styles are mixed. Try to read a correspondence
from a year ago in such a style. Its horrible ...


:-)

<snip>
<snip>

The main reason actually is chronological order. But not just for the
reply .. but for IN-LINE posting.


In a discussion where you need to make points in-line and where you only
need some of and not all of the other posts, something that happens
frequently on mailing lists, it is very much easier to read that type of
collaborated message in chronological order.


I mean, you don't read a book or a newspaper article or a blog post from
bottom to top, right? Why would you read communications from bottom to
top? And it is not really even bottom to top. If you take 4 emails of
10 lines each (and 40 lines total) .. it is 75% down to 100% (original
mail)... then up to 50% and read down to 75% (2nd mail), then up to 25%
and read down to 50%, then up to 0% and read down to 25%. What if
someone made you read blog posts that way, or books or newspaper articles?

OK, the shortest I can re-formulate your message is: on mail lists we are
collectively writing the book for someone else to read (much less
communicating with each other in real time ;-) Any accepted convention is
better than no convention: save everybody's time. Suits me (as far as mail
lists are concerned).


Valeri


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

I consider email as an asynchronous communication,
therefore "book style convention" is recommended.

Yup. We're writing electronic *mail*, not text messages (here, you've got
140 char, tell me everything you know....), and you don't have a two-line
pager screen.... I see it as a slo-mo group conversation, and top-posting
is like the person who suddenly utters a nonsequitur, louder than everyone
else is speaking....


         mark

It originates from early Usenet practice where it had some useful
purpose given the way Usenet feeds were typically consumed and
forwarded. Generally Usenet News servers maintained posts for a
limited period of time. If you did not connect to obtain the news-feed
within that window then all earlier posts were 'lost' to you. Thus
encapsulating the entire discussion in chronological order in each
reply compensated for the technological (storage) limits prevalent in
the 1980/90s.


The orthodox justification for bottom-posting is often exemplified by
tag lines similar in content to the following:


However, forcing your correspondents to wade through an interminable
wall of text that regurgitates the previous thread before getting to
the point of the message arguably interferes with proper understanding
no less than top-posting does. I am unaware of any scientific study
that purports to support either position. So, in the absence of that
I conclude:


         De gustibus non est disputandum.


At this point the practice, particularly for archived mailing lists,
is little more than dogmatic adherence to a style that serves only to
distinguish the 'in group' from the 'other'.

There is absolutely no need to include irrelevant text when replying to
a posting. Trim and Cut were sensible skills acquired by some of us in
the 1980's and 1990's. Pertinent points pleases people perpetually.

Precisely. A small amount of effort by the sender makes
the discussion easier to follow for the many recipients.

Every email sent to this list includes the following in the headers:


     List-Archive: <http://lists.centos.org/pipermail/centos/>


People should trim any included text (and properly quote whatever they
leave in place). If someone needs more context the list archives can
supply that extra detail.


Stuart

And Lennart blames Linus[1] for why he gets hate mail.


We are giving RHEL-7 a pass on this iteration. We have installed it on
a couple of test hosts and are not favourably impressed with much of
the user interface. At least not from the sys-admin side of things.
This is not to imply that there is nothing good in 7. There are at
lot of improvements that we certainly value. But it is too early in
systemd development for us to waste time debugging somebody else's
pipe-dream on our dime.


We will see what 8 offers and decide then whether to move to something
else.


[1].
https://plus.google.com/app/basic/stream/z13rdjryqyn1xlt3522sxpugoz3gujbhh04

If selinux is causing you a headache, then disable it.


-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of James B. Byrne
Sent: Friday, July 24, 2015 8:16 AM
To: CentOS mailing list
Subject: Re: [CentOS] rsyslog.conf




And Lennart blames Linus[1] for why he gets hate mail.


We are giving RHEL-7 a pass on this iteration. We have installed it on a couple of test hosts and are not favourably impressed with much of the user interface. At least not from the sys-admin side of things.
This is not to imply that there is nothing good in 7. There are at lot of improvements that we certainly value. But it is too early in systemd development for us to waste time debugging somebody else's pipe-dream on our dime.


We will see what 8 offers and decide then whether to move to something else.


[1].
https://plus.google.com/app/basic/stream/z13rdjryqyn1xlt3522sxpugoz3gujbhh04

Indeed. And thanks to Linus we have Linux kernel. And thanks to Lennart we
have config files polluted with XML tags.


Good for you. I started installing CentOS 7 on all new workstations (but
we do pass on Linux on all new servers in favor of FreeBSD - number
crunchers and maybe workstations have to be Linux though...)


Valeri




++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

There's no XML in the systemd configuration language. You might be
thinking of launchd.

For what it's worth, the problem described at the beginning of this
thread doesn't happen in RHEL7. Yet. Supposedly systemd is being
rebased in 7.2 so we'll see.


This is why Fedora exists, to work out all these kinds of problems
before it hits an enterprise OS.

Ok, this is frustrating. May I take it, then, that no one has written the
conditional filters described in the rsyslog manual?


I've tried several variations, such as
if $msg contains 'audit' and $msg contains 'res=success' then -
which resulted in *all* messages going to /dev/null, even though
everything I find in googling (or I should say what little I find in
googling) suggests that should work.


       mark

We?ve had this in our RHEL6 and now our RHEL7 rsyslog.conf:


# Ignore OpenAFS errors
:msg, contains, "byte-range lock/unlock ignored" ~
:msg, contains, "byte-range locks only enforced for processes on this machine" ~


I?m seeing warnings in the logs that this is an old syntax on RHEL7, but it still works.