Mailing List Archive

Discard filters don't work
In CentOS 8, I added this file
cat test.conf
:msg, contains, "Cannot create session" stop
to /etc/rsyslog.d
then I did
systemctl restart rsyslog
but I keep seeing hundreds of messages like
Jul 29 03:16:18 api sudo[1736451]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice

What am I doing wrong?
Philip
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
Re: Discard filters don't work
you are probably discarding the message after it's been written out. but it's
impossible to tell without seeing your full config and knowing what file you are
seeing the message in that you don't want there.

if you start rsyslog with the -o flag (-o /path/to/file) then the file will
contain the combined configs that rsyslog sees, in the order that rsyslog sees
things. This assumes you are running a reasonably current rsyslog version.

David Lang

On Wed, 28 Jul 2021, Saint Michael via rsyslog wrote:

> Date: Wed, 28 Jul 2021 23:26:03 -0400
> From: Saint Michael via rsyslog <rsyslog@lists.adiscon.com>
> To: rsyslog@lists.adiscon.com
> Cc: Saint Michael <venefax@gmail.com>
> Subject: [rsyslog] Discard filters don't work
>
> In CentOS 8, I added this file
> cat test.conf
> :msg, contains, "Cannot create session" stop
> to /etc/rsyslog.d
> then I did
> systemctl restart rsyslog
> but I keep seeing hundreds of messages like
> Jul 29 03:16:18 api sudo[1736451]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
>
> What am I doing wrong?
> Philip
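An added example, not part of the thread and not rsyslog's own code: a heuristic check over the text of the combined config file that the -o flag writes, listing the file-writing rules that appear before the discard filter. The function name and both sample configs are constructed for illustration; the check looks only at rule order and does not evaluate whether each selector would match the message.

```python
import re

# Legacy selector rule that writes to a file, e.g. "authpriv.*  /var/log/secure"
SELECTOR = re.compile(r'^[\w*.,;!=]+\s+-?(/\S+)$')
# RainerScript file action, e.g. action(type="omfile" file="/var/log/x")
OMFILE = re.compile(r'action\(.*type="omfile".*\bfile="([^"]+)"', re.I)

NEEDLE = "Cannot create session"

def writers_before_stop(combined_conf, needle):
    """Return [(lineno, path)] for file-writing rules that appear before the
    first filter line that mentions `needle` and ends in `stop`.
    Return None if the config contains no such filter at all."""
    writers = []
    for lineno, raw in enumerate(combined_conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if needle in line and line.endswith('stop'):
            return writers                    # everything listed ran first
        m = SELECTOR.match(line) or OMFILE.search(line)
        if m:
            writers.append((lineno, m.group(1)))
    return None                               # filter never loaded

# Constructed sample: the filter is read after the rules that write files.
LATE = '''\
# constructed combined config, filter last
module(load="imjournal" StateFile="imjournal.state")
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
:msg, contains, "Cannot create session" stop
'''

# Constructed sample: the same rules with the filter read first.
EARLY = '''\
# constructed combined config, filter first
module(load="imjournal" StateFile="imjournal.state")
:msg, contains, "Cannot create session" stop
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
'''

if __name__ == "__main__":
    for name, conf in (("LATE", LATE), ("EARLY", EARLY)):
        print(name, writers_before_stop(conf, NEEDLE))
```

An empty list means no file-writing rule was read ahead of the filter; a non-empty list names the files that may already hold the message by the time the filter runs.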
Re: Discard filters don't work
Ok, thanks for the clarification.
In reality I was mistaking systemd-journald for rsyslog.
It is confusing how they interact.
I am using CentOS 8.
Can you elaborate on this point?


On Thu, Jul 29, 2021 at 12:41 AM David Lang <david@lang.hm> wrote:

> you are probably discarding the message after it's been written out. but it's
> impossible to tell without seeing your full config and knowing what file you are
> seeing the message in that you don't want there.
>
> if you start rsyslog with the -o flag (-o /path/to/file) then the file will
> contain the combined configs that rsyslog sees, in the order that rsyslog sees
> things. This assumes you are running a reasonably current rsyslog version.
>
> David Lang
Re: Discard filters don't work
which point do you need me to elaborate?

without the configs, I am only going to be able to guess.

David Lang

On Thu, 29 Jul 2021, Saint Michael wrote:

> Date: Thu, 29 Jul 2021 10:27:39 -0400
> From: Saint Michael <venefax@gmail.com>
> To: David Lang <david@lang.hm>
> Cc: Saint Michael via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Discard filters don't work
>
> Ok, thanks for the clarification.
> In reality I was mistaking systemd-journald for rsyslog.
> It is confusing how they interact.
> I am using CentOS 8.
> Can you elaborate on this point?
Re: Discard filters don't work
On CentOS 8, Red Hat 8
There are two log managers,
systemd-journald and rsyslog
they are connected somehow


On Thu, Jul 29, 2021 at 3:13 PM David Lang <david@lang.hm> wrote:

> which point do you need me to elaborate?
>
> without the configs, I am only going to be able to guess.
>
> David Lang
Re: Discard filters don't work
without seeing your configs (remember, I don't manage how RedHat sets their
configs, so I don't know what their defaults are), I can only guess.

But my guess is that rsyslog reads logs from journald

David Lang

On Thu, 29 Jul 2021, Saint Michael wrote:

> Date: Thu, 29 Jul 2021 15:45:37 -0400
> From: Saint Michael <venefax@gmail.com>
> To: David Lang <david@lang.hm>
> Cc: Saint Michael via rsyslog <rsyslog@lists.adiscon.com>
> Subject: Re: [rsyslog] Discard filters don't work
>
> On CentOS 8, Red Hat 8
> There are two log managers,
> systemd-journald and rsyslog
> they are connected somehow