Logs flooded with systemd messages: Created slice, Starting Session

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 7, 8, 9

Issue

  • On my newly installed system I am seeing the following in /var/log/messages and journal all the time

    Jul 24 08:50:01 example.com systemd: Created slice user-0.slice.
    Jul 24 08:50:01 example.com systemd: Starting Session 150 of user root.
    Jul 24 08:50:01 example.com systemd: Started Session 150 of user root.
    Jul 24 09:00:01 example.com systemd: Created slice user-0.slice.
    Jul 24 09:00:02 example.com systemd: Starting Session 151 of user root.
    Jul 24 09:00:02 example.com systemd: Started Session 151 of user root.
    

Resolution

  • To suppress these log entries in /var/log/messages and journal you have following options:

    • enable lingering for the user so systemd --user instance will continue running even when user has no active sessions:

      # loginctl enable-linger testuser
      
    • restrict logging for systemd user manager for the user:

      # mkdir /etc/systemd/system/user@1000.service.d
      # cat > /etc/systemd/system/user@1000.service.d/logging.conf <<EOF
      [Service]
      LogLevelMax=notice
      EOF
      
    • restrict logging for systemd user manager globally:

      # sed -i -e 's/#LogLevel=info/LogLevel=notice/' /etc/systemd/user.conf
      
    • in RHEL 7, create a discard filter with rsyslog, e.g., run the following command:

      echo 'if $programname == "systemd" and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Created slice" or $msg contains "Starting user-" or $msg contains "Starting User Slice of" or $msg contains "Removed session" or $msg contains "Removed slice User Slice of" or $msg contains "Stopping User Slice of") then stop' >/etc/rsyslog.d/ignore-systemd-session-slice.conf
      

      Then restart the rsyslog service:

      systemctl restart rsyslog
      

      Note In case above rule only works for local syslog logging (/var/log/messages) but doesn't work for remote syslog server then we can understand this rule is read after syslog events are sent to syslog server. So in order to avoid this add the rule directly in rsyslog.conf above the line of remote syslog sending configuration. (*.* @@sys-log server)

Root Cause

  • These messages are normal and expected -- they will be seen any time a user logs in or e.g. a cron job is executed for the user

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments