Hi,

On Tue, Aug 20, 2024 at 12:03 PM David Lang <da...@lang.hm> wrote:
>
> I would guess that it's trying to get info on the process connecting to it to
> get full metadata. But I wouldn't expect that if you are using imjournal.
>
> full rsyslog config please?
Attached "fullconf", as generated by the "-o" option. Note that there is a line
which looks like it was incorrectly generated by this command:

$IncludeConfig /etc/rsyslog.d/*.conf/etc/rsyslog.d/*.conf

That second "/etc/rsyslog.d/*.conf" is not there in the config file.

-v output:

# rsyslogd -v
rsyslogd  8.2406.0 (aka 2024.06) compiled with:
    PLATFORM:                                   x86_64-pc-linux-gnu
    PLATFORM (lsb_release -d):
    FEATURE_REGEXP:                             Yes
    GSSAPI Kerberos 5 support:                  Yes
    FEATURE_DEBUG (debug build, slow code):     No
    32bit Atomic operations supported:          Yes
    64bit Atomic operations supported:          Yes
    memory allocator:                           system default
    Runtime Instrumentation (slow code):        No
    uuid support:                               Yes
    systemd support:                            Yes
    Config file:                                /etc/rsyslog.conf
    PID file:                                   /run/rsyslogd.pid
    Number of Bits in RainerScript integers:    64

See https://www.rsyslog.com for more information.

And this is what one of those session files looks like:

# cat /run/systemd/sessions/11
# This is private data. Do not parse.
UID=1000
USER=ubuntu
ACTIVE=1
IS_DISPLAY=1
STATE=active
REMOTE=1
LEADER_FD_SAVED=1
TYPE=tty
ORIGINAL_TYPE=tty
CLASS=user
SCOPE=session-11.scope
FIFO=/run/systemd/sessions/11.ref
REMOTE_HOST=10.10.10.212
SERVICE=sshd
POSITION=0
LEADER=2117
AUDIT=11
REALTIME=1724172908471482
MONOTONIC=891057382
## full conf created by rsyslog version 8.2406.0 at 2024-08-20 17:01:46 ##
##### BEGIN CONFIG: /etc/rsyslog.conf (put on stack)
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf

#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf/etc/rsyslog.d/*.conf
##### BEGIN CONFIG: /etc/rsyslog.d/50-default.conf (put on stack)
##### BEGIN CONFIG: /etc/rsyslog.d/21-cloudinit.conf (put on stack)
##### BEGIN CONFIG: /etc/rsyslog.d/20-ufw.conf (put on stack)
# Log kernel generated UFW log messages to file
:msg,contains,"[UFW " /var/log/ufw.log

# Uncomment the following to stop logging anything that matches the last rule.
# Doing this will stop logging kernel generated UFW log messages to the file
# normally containing kern.* messages (eg, /var/log/kern.log)
#& stop
##### END CONFIG: /etc/rsyslog.d/20-ufw.conf
# Log cloudinit generated log messages to file
:syslogtag, isequal, "[CLOUDINIT]" /var/log/cloud-init.log

# comment out the following line to allow CLOUDINIT messages through.
# Doing so means you'll also get CLOUDINIT messages in /var/log/syslog
& stop
##### END CONFIG: /etc/rsyslog.d/21-cloudinit.conf
# Default rules for rsyslog.
#
# For more information see rsyslog.conf(5) and /etc/rsyslog.conf

#
# First some standard log files. Log by facility.
#
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
#cron.*                         /var/log/cron.log
#daemon.*                       -/var/log/daemon.log
kern.*                          -/var/log/kern.log
#lpr.*                          -/var/log/lpr.log
mail.*                          -/var/log/mail.log
#user.*                         -/var/log/user.log

#
# Logging for the mail system. Split it up so that
# it is easy to write scripts to parse these files.
#
#mail.info                      -/var/log/mail.info
#mail.warn                      -/var/log/mail.warn
mail.err                        /var/log/mail.err

#
# Some "catch-all" log files.
#
#*.=debug;# auth,authpriv.none;# news.none;mail.none -/var/log/debug
PreprocFileLineNumber(31)
#*.=info;*.=notice;*.=warn;# auth,authpriv.none;# cron,daemon.none;# mail,news.none -/var/log/messages
PreprocFileLineNumber(35)

#
# Emergencies are sent to everybody logged in.
#
*.emerg                         :omusrmsg:*

#
# I like to have messages displayed on the console, but only on a virtual
# console I usually leave idle.
#
#daemon,mail.*;# news.=crit;news.=err;news.=notice;# *.=debug;*.=info;# *.=notice;*.=warn /dev/tty8
##### END CONFIG: /etc/rsyslog.d/50-default.conf
##### END CONFIG: /etc/rsyslog.conf
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.