rsyslog.png
查看/var/log/message日志发现大量systemd: Started Session 4850 of user root.
log如下:

Oct 17 13:40:01 monitor-test systemd: Started Session 4850 of user root.
Oct 17 13:50:01 monitor-test systemd: Started Session 4851 of user root.
Oct 17 14:00:01 monitor-test systemd: Started Session 4852 of user root.
Oct 17 14:00:01 monitor-test systemd: Started Session 4853 of user root.
Oct 17 14:01:01 monitor-test systemd: Started Session 4854 of user root.
Oct 17 14:10:01 monitor-test systemd: Started Session 4855 of user root.
Oct 17 14:20:01 monitor-test systemd: Started Session 4856 of user root.
Oct 17 14:30:01 monitor-test systemd: Started Session 4857 of user root.
Oct 17 14:30:01 monitor-test systemd: Started Session 4858 of user root.
Oct 17 14:40:01 monitor-test systemd: Started Session 4859 of user root.
Oct 17 14:50:01 monitor-test systemd: Started Session 4860 of user root.
Oct 17 15:00:01 monitor-test systemd: Started Session 4861 of user root.
Oct 17 15:00:01 monitor-test systemd: Started Session 4862 of user root.
Oct 17 15:01:01 monitor-test systemd: Started Session 4863 of user root.
Oct 17 15:10:01 monitor-test systemd: Started Session 4864 of user root.
Oct 17 15:20:01 monitor-test systemd: Started Session 4865 of user root.
Oct 17 15:30:01 monitor-test systemd: Started Session 4866 of user root.
Oct 17 15:30:01 monitor-test systemd: Started Session 4867 of user root.
Oct 17 15:40:01 monitor-test systemd: Started Session 4868 of user root.
Oct 17 15:50:01 monitor-test systemd: Started Session 4869 of user root.
Oct 17 16:00:01 monitor-test systemd: Started Session 4870 of user root.
Oct 17 16:00:01 monitor-test systemd: Started Session 4871 of user root.
Oct 17 16:01:01 monitor-test systemd: Started Session 4872 of user root.
Oct 17 16:10:01 monitor-test systemd: Started Session 4873 of user root.
Oct 17 16:20:01 monitor-test systemd: Started Session 4874 of user root.
Oct 17 16:30:01 monitor-test systemd: Started Session 4876 of user root.
Oct 17 16:30:01 monitor-test systemd: Started Session 4875 of user root.
Oct 17 16:40:01 monitor-test systemd: Started Session 4877 of user root.

redhat官方回复这是正常的,每个用户登录后都能看到,如果要过滤并禁止掉该消息,用如下方法:

echo 'if $programname == "systemd" and ($msg contains "Starting Session" or $msg contains "Started Session" or $msg contains "Created slice" or $msg contains "Starting user-" or $msg contains "Starting User Slice of" or $msg contains "Removed session" or $msg contains "Removed slice User Slice of" or $msg contains "Stopping User Slice of") then stop' >/etc/rsyslog.d/ignore-systemd-session-slice.conf

最后重启rsyslog服务即可:

systemctl restart rsyslog

redhat官方说明:https://access.redhat.com/solutions/1564823

带符号 * 的表示必填项