CentOS 7
The system log file /var/log/messages fills up with repeated entries that appear roughly every 10 minutes, as shown below:

[[email protected] ~]# cat /var/log/messages 
Jul 30 08:01:01 centos systemd: Started Session 235 of user root. 
Jul 30 08:01:01 centos systemd: Starting Session 235 of user root. 
Jul 30 08:10:01 centos systemd: Started Session 236 of user root. 
Jul 30 08:10:01 centos systemd: Starting Session 236 of user root. 
Jul 30 08:20:01 centos systemd: Started Session 237 of user root. 
Jul 30 08:20:01 centos systemd: Starting Session 237 of user root. 
Jul 30 08:30:01 centos systemd: Started Session 238 of user root. 
Jul 30 08:30:01 centos systemd: Starting Session 238 of user root. 
Jul 30 08:40:01 centos systemd: Started Session 239 of user root. 
Jul 30 08:40:01 centos systemd: Starting Session 239 of user root. 
Jul 30 08:50:01 centos systemd: Started Session 240 of user root. 
Jul 30 08:50:01 centos systemd: Starting Session 240 of user root.

These look like log entries produced by a scheduled task (cron job).

[[email protected] ~]# find / -name "cron.d"
/etc/cron.d
[[email protected] ~]# ll /etc/cron.d/
total 8
-rw-r--r--. 1 root root 128 Apr 11 09:48 0hourly
-rw-------. 1 root root 235 Apr 11 11:33 sysstat
[[email protected] ~]# cat /etc/cron.d/sysstat
# Run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib64/sa/sa1 1 1
# 0 * * * * root /usr/lib64/sa/sa1 600 6 &
# Generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib64/sa/sa2 -A

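Red Hat's website mentions that this is normal: whenever a user logs in to the system, entries like these are logged when scheduled tasks run. The messages can be suppressed as follows: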

[[email protected] ~]# echo 'if $programname == "systemd" and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Created slice" or $msg contains "Starting user-" or $msg contains "Starting User Slice of" or $msg contains "Removed session" or $msg contains "Removed slice User Slice of" or $msg contains "Stopping User Slice of") then stop' >/etc/rsyslog.d/ignore-systemd-session-slice.conf
[[email protected] ~]# systemctl restart rsyslog
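
The filter above matches every "Started Session" line from systemd, not only the ones caused by cron, so it is worth checking first that each root session in the log lines up with a cron slot. The script below is an added example, not part of the original post; the function names, the 0hourly schedule (minute 01) and the 2-second jitter window are assumptions.

```shell
#!/bin/sh
# Added example: list "Started Session ... of user root" lines that do NOT
# fall on a known cron firing time, i.e. sessions cron does not explain.

# Constructed sample in /var/log/messages format (not from a real host).
sample_log() {
cat <<'EOF'
Jul 30 08:01:01 centos systemd: Started Session 235 of user root.
Jul 30 08:01:01 centos systemd: Starting Session 235 of user root.
Jul 30 08:10:01 centos systemd: Started Session 236 of user root.
Jul 30 08:14:37 centos systemd: Started Session 237 of user root.
Jul 30 08:20:01 centos systemd: Started Session 238 of user root.
Jul 30 23:53:01 centos systemd: Started Session 301 of user root.
Jul 30 23:58:12 centos systemd: Started Session 302 of user alice.
EOF
}

# Reads syslog lines on stdin; prints root session starts matching no cron slot.
off_schedule_sessions() {
    awk '
    $5 == "systemd:" && $6 == "Started" && $7 == "Session" && $NF == "root." {
        split($3, t, ":")                 # t[1]=HH, t[2]=MM, t[3]=SS
        hh = t[1] + 0; mm = t[2] + 0; ss = t[3] + 0
        cron = 0
        if (ss <= 2) {                    # assumed jitter after the top of the minute
            if (mm % 10 == 0)         cron = 1   # sysstat: */10 * * * * sa1
            if (hh == 23 && mm == 53) cron = 1   # sysstat: 53 23 * * * sa2
            if (mm == 1)              cron = 1   # assumed 0hourly: 01 * * * *
        }
        if (!cron) print                  # not explained by the schedules above
    }'
}

# Demo run on the constructed sample.
sample_log | off_schedule_sessions
```

On a live host, run it as off_schedule_sessions < /var/log/messages before adding the filter. The rsyslog rule only affects what rsyslog writes, so the same messages remain available in the systemd journal.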

References

https://www.linuxquestions.org/questions/linux-security-4/systemd-started-session-of-user-root-in-var-log-messages-4175515978/
https://access.redhat.com/solutions/1564823
