Mailing List Archive

Reply: Re: Discard filters don't work
Hi

Not entirely sure about RHEL/CentOS 8, but it should be similar to
RHEL/CentOS 7, where at boot the systemd-journald.socket unit
creates /dev/log. Then all syslog() calls go to the systemd journal. While
rsyslog could read from /dev/log in RHEL 7 the standard rsyslog.conf
contains those two lines:
$ModLoad imjournal
$IMJournalStateFile imjournal.state
Thus rsyslog gets the messages from the systemd journal. Depending on the
rsyslog config, it usually handles the basic logs (messages, maillog, cron,
etc.), allowing you to forward them to a remote rsyslog server. Sorry, that
sort of stuff is a bit over my head, so my explanation is not perfect, but it
might give you some clues about where to search further.

Best,
Cyril




From: "Saint Michael via rsyslog" <rsyslog@lists.adiscon.com>
To: "David Lang" <david@lang.hm>
Cc: "Saint Michael" <venefax@gmail.com>, "Saint Michael via rsyslog" <rsyslog@lists.adiscon.com>
Date: 29/07/2021 21:46
Subject: Re: [rsyslog] Discard filters don't work
Sent by: "rsyslog" <rsyslog-bounces@lists.adiscon.com>



On Centos 8, Red Hat 8
There are two log managers,
systemd-journald and rsyslog
they are connected somehow


On Thu, Jul 29, 2021 at 3:13 PM David Lang <david@lang.hm> wrote:

> which point do you need me to elaborate?
>
> without the configs, I am only going to be able to guess.
>
> David Lang
>
> On Thu, 29 Jul 2021, Saint Michael wrote:
>
> > Date: Thu, 29 Jul 2021 10:27:39 -0400
> > From: Saint Michael <venefax@gmail.com>
> > To: David Lang <david@lang.hm>
> > Cc: Saint Michael via rsyslog <rsyslog@lists.adiscon.com>
> > Subject: Re: [rsyslog] Discard filters don't work
> >
> > Ok, thanks for the clarification.
> > In reality I was mistaking systemd-journald for rsyslog.
> > It is confusing how they interact.
> > I am using Centos 8.
> > Can you elaborate on this point?
> >
> >
> > On Thu, Jul 29, 2021 at 12:41 AM David Lang <david@lang.hm> wrote:
> >
> >> you are probably discarding the message after it's been written out, but
> >> it's impossible to tell without seeing your full config and knowing what
> >> file you are seeing the message in that you don't want there.
> >>
> >> if you start rsyslog with the -o flag (-o /path/to/file) then the file will
> >> contain the combined configs that rsyslog sees, in the order that rsyslog
> >> sees things. This assumes you are running a reasonably current rsyslog
> >> version.
> >>
> >> David Lang
> >>
> >> On Wed, 28 Jul 2021, Saint Michael via rsyslog wrote:
> >>
> >>> Date: Wed, 28 Jul 2021 23:26:03 -0400
> >>> From: Saint Michael via rsyslog <rsyslog@lists.adiscon.com>
> >>> To: rsyslog@lists.adiscon.com
> >>> Cc: Saint Michael <venefax@gmail.com>
> >>> Subject: [rsyslog] Discard filters don't work
> >>>
> >>> in centos 8, I added this file
> >>> cat test.conf
> >>> :msg, contains, "Cannot create session" stop
> >>> to /etc/rsyslog.d
> >>> then I did
> >>> systemctl restart rsyslog
> >>> but I keep seeing hundreds of messages like
> >>> Jul 29 03:16:18 api sudo[1736451]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
> >>>
> >>> what am I doing wrong?
> >>> Philip
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
> >>> of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
> >>> DON'T LIKE THAT.
> >>>
> >>
> >
>
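Added example, not part of the original thread and not code from the posters or the rsyslog project: a small checker for the point quoted above that a discard only helps if it comes before the action that writes the message. It reads a combined config such as the file produced by the -o flag mentioned in the thread and reports which actions sit before and after each discard filter. Assumptions: the sample config is constructed, the function name is hypothetical, and only legacy selector lines and property-based filters are recognised, which is a simplification of rsyslog's config grammar.

```python
import re

# Constructed sample: a combined config in the order rsyslog would read it.
SAMPLE = """\
$ModLoad imjournal
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
:msg, contains, "Cannot create session" stop
cron.*                                      /var/log/cron
"""

# Legacy selector line: facility.priority[;...] followed by an action target.
SELECTOR = re.compile(
    r'^[\w*,]+\.[\w*=!]+(?:;[\w*,]+\.[\w*=!]+)*\s+(?P<action>\S.*)$')
# Legacy property-based filter whose action is a discard ("stop" or older "~").
DISCARD = re.compile(
    r'^:(?P<prop>\w+),\s*!?\w+,\s*"(?P<value>(?:[^"\\]|\\.)*)"\s+(?:stop|~)$')


def audit_discard_order(config_text):
    """For each discard filter, list the actions placed before and after it.

    Actions in 'before' run ahead of the filter, so the discard cannot
    affect them; only actions in 'after' are skipped for matching messages.
    """
    seen_actions, findings = [], []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#$":   # comments and legacy directives
            continue
        discard = DISCARD.match(line)
        if discard:
            findings.append({"line": lineno, "property": discard["prop"],
                             "value": discard["value"],
                             "before": list(seen_actions), "after": []})
            continue
        selector = SELECTOR.match(line)
        if selector:
            seen_actions.append(selector["action"])
            for finding in findings:
                finding["after"].append(selector["action"])
    return findings


if __name__ == "__main__":
    for f in audit_discard_order(SAMPLE):
        print(f'line {f["line"]}: discard on {f["property"]} "{f["value"]}"')
        print("  not suppressed (earlier):", ", ".join(f["before"]) or "none")
        print("  suppressed (later):      ", ", ".join(f["after"]) or "none")
```

An empty "earlier" list means the filter is evaluated before any file action in the config it was given; messages that still show up in journalctl come from systemd-journald, which rsyslog filters do not touch.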