Environment
NetIQ Sentinel 7.0
Red Hat Enterprise Linux (RHEL)
Situation
The following lines appear repeatedly in log files (/var/log/messages in this
case) during searches, because Sentinel uses squashfs files to service the
search:
SELinux: initialized (dev loop4, type squashfs), not configured for labeling
SELinux: initialized (dev loop5, type squashfs), not configured for labeling
SELinux: initialized (dev loop3, type squashfs), not configured for labeling
SELinux: initialized (dev loop1, type squashfs), not configured for labeling
SELinux: initialized (dev loop2, type squashfs), not configured for labeling
SELinux: initialized (dev loop4, type squashfs), not configured for labeling
SELinux: initialized (dev loop5, type squashfs), not configured for labeling
This was noticed when these same messages appeared in Sentinel's web interface as severity zero events. Whenever a search or report covered a time period that had archived files, these messages showed up, adding event data that had no real meaning.
Resolution
The messages can be prevented from being parsed by Sentinel by adding a
filter within Event Source Management on the appropriate node (event
source, connector, or collector).
Within the properties of the node, click 'Set Filter' and then add a
new filter that is set to Deny events which match. The type of match
should be REGEXP, and the following is the pattern to use:
.*SELinux: initialized.+squashfs.+not configured for labeling.*
Save the changes and restart the node if it does not restart automatically. Run a search to confirm that the events are gone, and also test other types of events that should still be parsed by the collector to make sure they still appear correctly.
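To check that the pattern denies only the squashfs noise and lets every other event through before it is applied in Event Source Management, the following Python check is added to this article (it is not NetIQ or Sentinel code). It assumes the pattern behaves the same under Python's re.match as under Sentinel's REGEXP filter, which holds for this simple expression; the non-SELinux syslog lines are constructed sample input.

```python
import re

# Pattern from the article, used unchanged.
SELINUX_SQUASHFS_PATTERN = r".*SELinux: initialized.+squashfs.+not configured for labeling.*"
_FILTER = re.compile(SELINUX_SQUASHFS_PATTERN)


def is_denied(message: str) -> bool:
    """Return True when the Deny filter would drop this message (assumption: match semantics)."""
    return _FILTER.match(message) is not None


def apply_deny_filter(messages):
    """Emulate the Deny filter: return only the messages the collector would still parse."""
    return [m for m in messages if not is_denied(m)]


# Constructed sample input: noise lines from the article, plus an SELinux line
# for a non-squashfs filesystem and two unrelated syslog lines that must still
# reach the collector.
SAMPLE_LINES = [
    "SELinux: initialized (dev loop4, type squashfs), not configured for labeling",
    "SELinux: initialized (dev loop5, type squashfs), not configured for labeling",
    # Same message with a syslog program prefix; the leading .* still matches it.
    "kernel: SELinux: initialized (dev loop1, type squashfs), not configured for labeling",
    "SELinux: initialized (dev sda1, type ext4), uses xattr",  # constructed; must pass
    "sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",  # constructed
    "sudo: alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/usr/bin/systemctl restart sshd",  # constructed
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(("DENY " if is_denied(line) else "PASS ") + line)
```

Any line printed as PASS is one the collector will still parse; if a legitimate event shows up as DENY, the pattern is too broad for that event source and should be tightened before deployment.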