Hi,

Not entirely sure about RHEL/CentOS 8 but it should be similar to RHEL/CentOS 7 where at boot the systemd-journald.socket unit creates /dev/log. Then all syslog() calls go to systemd journal.

While rsyslog could read from /dev/log in RHEL 7 the standard rsyslog.conf contains those two lines:

    $ModLoad imjournal
    $IMJournalStateFile imjournal.state

Thus rsyslog gets the messages from systemd journal. Depending on the rsyslog config it usually handles the basic logs (messages, maillog, cron etc.) allowing you to forward them to a remote rsyslog server.

Sorry that sort of stuff is a bit over my head so my explanation is not perfect but it might give you some clues where to search further.
Best,
Cyril

From: "Saint Michael via rsyslog" <[email protected]>
To: "David Lang" <[email protected]>
Cc: "Saint Michael" <[email protected]>, "Saint Michael via rsyslog" <[email protected]>
Date: 29/07/2021 21:46
Subject: Re: [rsyslog] Discard filters don't work
Sent by: "rsyslog" <[email protected]>

On Centos 8, Red Hat 8
There are two log managers, systemd-journald and rsyslog
they are connected somehow

On Thu, Jul 29, 2021 at 3:13 PM David Lang <[email protected]> wrote:

> which point do you need me to elaborate?
>
> without the configs, I am only going to be able to guess.
>
> David Lang
>
> On Thu, 29 Jul 2021, Saint Michael wrote:
>
> > Date: Thu, 29 Jul 2021 10:27:39 -0400
> > From: Saint Michael <[email protected]>
> > To: David Lang <[email protected]>
> > Cc: Saint Michael via rsyslog <[email protected]>
> > Subject: Re: [rsyslog] Discard filters don't work
> >
> > Ok, thanks for the clarification.
> > In reality I was mistaking systemd-journald for rsyslog.
> > It is confusing how they interact.
> > I am using Centos 8.
> > Can you elaborate on this point?
> >
> >
> > On Thu, Jul 29, 2021 at 12:41 AM David Lang <[email protected]> wrote:
> >
> >> you are probably discarding the message after it's been written out. but it's
> >> impossible to tell without seeing your full config and knowing what file you are
> >> seeing the message in that you don't want there.
> >>
> >> if you start rsyslog with the -o flag (-o /path/to/file) then the file will
> >> contain the combined configs that rsyslog sees, in the order that rsyslog sees
> >> things. This assumes you are running a reasonably current rsyslog version.
> >>
> >> David Lang
> >>
> >> On Wed, 28 Jul 2021, Saint Michael via rsyslog wrote:
> >>
> >>> Date: Wed, 28 Jul 2021 23:26:03 -0400
> >>> From: Saint Michael via rsyslog <[email protected]>
> >>> To: [email protected]
> >>> Cc: Saint Michael <[email protected]>
> >>> Subject: [rsyslog] Discard filters don't work
> >>>
> >>> in centos 8, I added this file
> >>> cat test.conf
> >>> :msg, contains, "Cannot create session" stop
> >>> to /etc/rsyslog.d
> >>> then I did
> >>> systemctl restart rsyslog
> >>> but I keep seeing hundreds of messages like
> >>> Jul 29 03:16:18 api sudo[1736451]: pam_systemd(sudo:session): Cannot create session: Already running in a session or user slice
> >>>
> >>> what am I doing wrong?
> >>> Philip
> >>> _______________________________________________
> >>> rsyslog mailing list
> >>> https://lists.adiscon.net/mailman/listinfo/rsyslog
> >>> http://www.rsyslog.com/professional-services/
> >>> What's up with rsyslog? Follow https://twitter.com/rgerhards
> >>> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
> >>>
> >>
> >
>
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
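The ordering point raised in the thread (a discard only affects rules that come after it in the combined config that -o writes out), as an added example that is not part of the original thread or of rsyslog itself: a small Python check that lists every discard filter placed after an output action. It is a simplified reading that only understands legacy selector lines and property-based filters, and the two sample configs are constructed.

```python
import re

# Property-based filter that discards: :msg, contains, "text" stop  (legacy form: ~)
DISCARD = re.compile(r'^:(\w+),\s*(!?\w+),\s*"([^"]*)"\s+(stop|~)$')
# Legacy selector line: facility.priority[;...] followed by an action (/file, @host, ...)
SELECTOR = re.compile(r'^([\w*,]+\.[\w*!=]+(?:;[\w*,]+\.[\w*!=]+)*)\s+(\S.*)$')


def late_discards(combined_config):
    """Return [(line_no, match_text, [earlier actions])] for discards that follow outputs."""
    actions_seen = []  # (line_no, selector, target), in the order rsyslog reads them
    findings = []
    for line_no, raw in enumerate(combined_config.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments (simplification)
        if not line:
            continue
        m = DISCARD.match(line)
        if m:
            # Any action already seen may have written the message before this discard.
            if actions_seen:
                findings.append((line_no, m.group(3), list(actions_seen)))
            continue
        m = SELECTOR.match(line)
        if m:
            actions_seen.append((line_no, m.group(1), m.group(2)))
    return findings


# Constructed sample: the discard is read after the file actions.
WRITE_THEN_DISCARD = """\
$ModLoad imjournal
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
:msg, contains, "Cannot create session" stop
"""
# Constructed sample: the discard is read before any action.
DISCARD_THEN_WRITE = """\
$ModLoad imjournal
$IMJournalStateFile imjournal.state
:msg, contains, "Cannot create session" stop
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
authpriv.*                                  /var/log/secure
"""

if __name__ == "__main__":
    for line_no, text, earlier in late_discards(WRITE_THEN_DISCARD):
        print(f'line {line_no}: discard of "{text}" comes after:')
        for a_no, selector, target in earlier:
            print(f"  line {a_no}: {selector} -> {target}")
```

A finding is a prompt to review, not proof: whether an earlier action actually wrote the message still depends on its selector matching that message.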

