- Red Hat Enterprise Linux 7
On my RHEL7 newely installed system I am seeing the following in
/var/log/messagesall the time
Jul 24 08:50:01 example.com systemd: Created slice user-0.slice. Jul 24 08:50:01 example.com systemd: Starting Session 150 of user root. Jul 24 08:50:01 example.com systemd: Started Session 150 of user root. Jul 24 09:00:01 example.com systemd: Created slice user-0.slice. Jul 24 09:00:02 example.com systemd: Starting Session 151 of user root. Jul 24 09:00:02 example.com systemd: Started Session 151 of user root.
These messages are normal and expected -- they will be seen any time a user logs in
To suppress these log entries in
/var/log/messages, create a discard filter with rsyslog, e.g., run the following command:
echo 'if $programname == "systemd" and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Created slice" or $msg contains "Starting user-" or $msg contains "Starting User Slice of" or $msg contains "Removed session" or $msg contains "Removed slice User Slice of" or $msg contains "Stopping User Slice of") then stop' >/etc/rsyslog.d/ignore-systemd-session-slice.conf
Then restart the rsyslog service
systemctl restart rsyslog
Note In case above rule only works for local syslog logging(/var/log/messages) but doesn't work for remote syslog server then we can understand this rule is read after syslog events are sent to syslog server. So in order to avoid this add the rule directly in rsyslog.conf above the line of remote syslog sending configuration. (. @@sys-log server)
- Red Hat Enterprise Linux
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.