Logs flooded with systemd messages: Created slice, Starting Session or Starting User Manager, Reached target
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Red Hat Enterprise Linux 10
- rsyslog
- systemd-journald
Issue
-
On my newly installed system I am seeing the following events in
/var/log/messagesand journal all the time:In a RHEL 7,
Jul 24 08:50:01 example.com systemd: Created slice user-0.slice. Jul 24 08:50:01 example.com systemd: Starting Session 150 of user root. Jul 24 08:50:01 example.com systemd: Started Session 150 of user root. Jul 24 09:00:01 example.com systemd: Created slice user-0.slice. Jul 24 09:00:02 example.com systemd: Starting Session 151 of user root. Jul 24 09:00:02 example.com systemd: Started Session 151 of user root.In a RHEL 8 and latest,
Dec 01 14:14:18 r96 systemd[1]: Starting User Manager for UID 1000... Dec 01 14:14:18 r96 systemd[22233]: pam_unix(systemd-user:session): session opened for user user(uid=1000) by user(uid=0) Dec 01 14:14:18 r96 systemd[22233]: Queued start job for default target Main User Target. Dec 01 14:14:18 r96 systemd[22233]: Created slice User Application Slice. Dec 01 14:14:18 r96 systemd[22233]: Started Mark boot as successful after the user session has run 2 minutes. Dec 01 14:14:18 r96 systemd[22233]: Started Daily Cleanup of User's Temporary Directories. Dec 01 14:14:18 r96 systemd[22233]: Reached target Paths. Dec 01 14:14:18 r96 systemd[22233]: Reached target Timers. Dec 01 14:14:18 r96 systemd[22233]: Starting D-Bus User Message Bus Socket... Dec 01 14:14:18 r96 systemd[22233]: Starting Create User's Volatile Files and Directories... Dec 01 14:14:18 r96 systemd[22233]: Listening on D-Bus User Message Bus Socket. Dec 01 14:14:18 r96 systemd[22233]: Reached target Sockets. Dec 01 14:14:18 r96 systemd[22233]: Finished Create User's Volatile Files and Directories. Dec 01 14:14:18 r96 systemd[22233]: Reached target Basic System. Dec 01 14:14:18 r96 systemd[22233]: Reached target Main User Target. Dec 01 14:14:18 r96 systemd[22233]: Startup finished in 83ms. Dec 01 14:14:18 r96 systemd[1]: Started User Manager for UID 1000. Dec 01 14:15:39 r96 systemd[22233]: Activating special unit Exit the Session... Dec 01 14:15:39 r96 systemd[22233]: Stopped target Main User Target. Dec 01 14:15:39 r96 systemd[22233]: Stopped target Basic System. Dec 01 14:15:39 r96 systemd[22233]: Stopped target Paths. Dec 01 14:15:39 r96 systemd[22233]: Stopped target Sockets. Dec 01 14:15:39 r96 systemd[22233]: Stopped target Timers. Dec 01 14:15:39 r96 systemd[22233]: Stopped Mark boot as successful after the user session has run 2 minutes. Dec 01 14:15:39 r96 systemd[22233]: Stopped Daily Cleanup of User's Temporary Directories. Dec 01 14:15:39 r96 systemd[22233]: Closed D-Bus User Message Bus Socket. Dec 01 14:15:39 r96 systemd[22233]: Stopped Create User's Volatile Files and Directories. Dec 01 14:15:39 r96 systemd[22233]: Removed slice User Application Slice. Dec 01 14:15:39 r96 systemd[22233]: Reached target Shutdown. Dec 01 14:15:39 r96 systemd[22233]: Finished Exit the Session. Dec 01 14:15:39 r96 systemd[22233]: Reached target Exit the Session. Dec 01 14:15:39 r96 systemd[1]: Stopping User Manager for UID 1000... Dec 01 14:15:39 r96 systemd[1]: user@1000.service: Deactivated successfully. Dec 01 14:15:39 r96 systemd[1]: Stopped User Manager for UID 1000.
Resolution
-
On RHEL 7, create a discard filter in a rsyslog.d/ drop-in configuration file, e.g.,
# vi /etc/rsyslog.d/0-ignore-systemd-session-slice.conf if $programname == "systemd" and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Created slice" or $msg contains "Starting user-" or $msg contains "Starting User Slice of" or $msg contains "Removed session" or $msg contains "Removed slice User Slice of" or $msg contains "Stopping User Slice of") then stop -
On RHEL 8 and later, also create a rsyslog.d drop-in configuration file but with two discard filters in it, e.g.,
# vi /etc/rsyslog.d/0-ignore-systemd-session-slice.conf if $programname == "systemd" and ($msg contains "User Manager for UID" or $msg contains "user@" or $msg contains "run-user-" or $msg contains "user-runtime-dir@" or $msg contains "slice User Slice of UID" or $msg contains "User runtime directory /run/user/" ) then stop if ($programname == "systemd" and $procid != "1") and ( $msg contains "slice User Application Slice" or $msg contains "Queued start job for default target Main User Target" or $msg contains "Mark boot as successful after the user" or $msg contains "Daily Cleanup of User's Temporary Directories" or $msg contains "D-Bus User Message Bus Socket" or $msg contains "Create User's Volatile Files and Directories" or $msg contains "Exit the Session" or $msg contains "Reached target" or $msg contains "Stopped target" or $msg contains "Startup finished in" ) then stopThen restart the rsyslog service:
# systemctl restart rsyslogNOTE: In case the filter only works for local syslog logging (
/var/log/messages) but does not work for remote syslog servers then we can understand this rule is read after syslog events are sent to the remote syslog server. In order to avoid this add the rule directly in rsyslog.conf above the line of remote syslog forwarding configuration.(*.* @logcollector:514 server) -
Alternatively, In RHEL 8 and later you can prevent logging of anything done by the user under it's session at the `systemd --user session level (systemd-journald)
-
enable lingering for the user so
systemd --userinstance will continue running even when user has no active sessions (this will show the logs but only once as there will be no session getting closed):# loginctl enable-linger testuser
or
-
restrict logging for systemd user manager for the user (change "1000" with the user's actual UID) (this will impact logging of this specific user):
# mkdir /etc/systemd/system/user@1000.service.d # cat > /etc/systemd/system/user@1000.service.d/logging.conf <<EOF [Service] LogLevelMax=notice EOF
or
-
restrict logging for systemd user manager globally (this will impact logging for all users):
# sed -i -e 's/#LogLevel=info/LogLevel=notice/' /etc/systemd/user.conf
-
WARNING: This last method will prevent logging of anything executed within the user session that does not generates events of notice or above.
Root Cause
- These messages are normal and expected, they will be seen any time a user logs in or logs out, e.g. when a
cronjob is executed for the user - In RHEL 8 and later these messages are generated when the systemd user instance is spawned automatically upon user's slice creation (
systemd --user). - The systemd(1) system manager (PID 1) spwans user manager instances as
user@UID.service, with the user's numerical UID used as the unit identifier. These instances use the same process name as the system manager, but running in a mode where it starts a different set of units. Eachsystemd --userinstance manages a hierarchy of units specific to that user starting with thedefault.target.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments