LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page [SOLVED] "systemd: Started Session ### of user root" in /var/log/messages
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-22-2014, 04:06 PM   #1
thealmightyos
Member
 
Registered: Mar 2009
Distribution: CentOS 6.5 / 7
Posts: 119

Rep: Reputation: 1
"systemd: Started Session ### of user root" in /var/log/messages

My server recently had a major issue (mem and swap were maxed) and I was tracking it in the log and noticed theses lines everywhere:

Code:
Aug 22 01:40:02 servername systemd: Started Session 431 of user root.
I was asleep at 1:40 last night so that wasn't me. Tell me that is just a system service doing what it's supposed to do.
 
Old 08-22-2014, 04:17 PM   #2
TobiSGD
Moderator
 
Registered: Dec 2009
Location: Germany
Distribution: Whatever fits the task best
Posts: 17,148
Blog Entries: 2

Rep: Reputation: 4886Reputation: 4886Reputation: 4886Reputation: 4886Reputation: 4886Reputation: 4886Reputation: 4886Reputation: 4886Reputation: 4886Reputation: 4886Reputation: 4886
Do you by any chance have cron-jobs (or a systemd timer) set up to run at that time?
 
Old 08-22-2014, 09:23 PM   #3
thealmightyos
Member
 
Registered: Mar 2009
Distribution: CentOS 6.5 / 7
Posts: 119

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by TobiSGD View Post
Do you by any chance have cron-jobs (or a systemd timer) set up to run at that time?
Not that I knew of.

But after reading your post I went and read all the *cron* files in etc. This is what I found:

Code:
# cat ./cron.d/sysstat
# Run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib64/sa/sa1 1 1
# 0 * * * * root /usr/lib64/sa/sa1 600 6 &
# Generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib64/sa/sa2 -A
So that must be what is causing it cause it is showing up in the log every ten minutes.

Thanks. False alarm.
 
Old 09-12-2016, 02:01 PM   #4
sampappachan_nyc
Member
 
Registered: Jan 2009
Location: New York
Distribution: Red Hat, CentOS,Fedora, Ubuntu, SUSE, linux mint
Posts: 60

Rep: Reputation: 0
This will fix it. (tested working in red hat 7.2)
''echo 'if $programname == "systemd" and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Created slice" or $msg contains "Starting user-") then stop'>/etc/rsyslog.d/ignore-systemd-session-slice.conf''

systemctl restart rsyslog
 
Old 03-22-2017, 04:29 PM   #5
ebmnetwork
LQ Newbie
 
Registered: Mar 2017
Posts: 1

Rep: Reputation: Disabled
It worked for me in Red Hat Enterprise Linux Server release 7.2 (Maipo)

Source: https://access.redhat.com/solutions/1564823

Code:
#Add Filter
echo 'if ($programname == "systemd-logind" or $programname == "systemd") and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Removed session" or $msg contains "New session" or $msg contains "Created slice" or $msg contains "Starting user-") then stop' >/etc/rsyslog.d/ignore-systemd-session-slice.conf

#Restart Syslog
systemctl restart rsyslog
 
  


Reply



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Errors in /var/log/messages "error: Missing or invalid IP4 prefix '0'" kimurayuki Linux - Networking 5 12-06-2012 01:17 PM
User session opened and closed msg in /var/log/messages andiramesh Linux - Newbie 9 09-05-2008 05:47 AM
/var/log/messages: "Use a HIGHMEM enabled kernel" AtomicAmish Debian 12 05-04-2007 09:06 PM
Boot messages not the same as "dmesg" or "/var/log/messages"? massai Linux - General 5 03-10-2004 12:18 AM
/var/log/messages contains "localhost" instead of the real hostname allel Linux - Networking 0 07-15-2002 02:49 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 06:48 AM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration