
[Linux] Tracking down and fixing a flood of "Started Session * of user root" messages in the system log

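On a clean CentOS install, the system log fills up with "Started Session * of user root" entries, which record systemd starting a session.
Many users find large numbers of these session-start messages in their CentOS server logs, appearing at regular intervals. The messages are not errors, but in this volume they get in the way of log analysis, so disabling them makes the server easier to maintain.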
Jun 23 09:00:01 iZu8kiphd67xs1Z systemd: Started Session 775 of user root.
Jun 23 09:00:01 iZu8kiphd67xs1Z systemd: Starting Session 775 of user root.
Jun 23 09:01:01 iZu8kiphd67xs1Z systemd: Started Session 776 of user root.
Jun 23 09:01:01 iZu8kiphd67xs1Z systemd: Starting Session 776 of user root.
Jun 23 09:10:01 iZu8kiphd67xs1Z systemd: Started Session 777 of user root.
Jun 23 09:10:01 iZu8kiphd67xs1Z systemd: Starting Session 777 of user root.
Jun 23 09:20:01 iZu8kiphd67xs1Z systemd: Started Session 778 of user root.
Jun 23 09:20:01 iZu8kiphd67xs1Z systemd: Starting Session 778 of user root.
Jun 23 09:21:54 iZu8kiphd67xs1Z systemd: Started Session 779 of user root.
Jun 23 09:21:54 iZu8kiphd67xs1Z systemd-logind: New session 779 of user root.
Jun 23 09:21:54 iZu8kiphd67xs1Z systemd: Starting Session 779 of user root.
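The messages follow a regular pattern, which usually means a scheduled task is running on a timer. I checked the user's crontab and found no relevant task, so I suspected the system cron. The files in /etc/cron.d may give you some clues.
The /etc/cron.d directory contains two files.
Looking at the first file, 0hourly: its schedule does not match the times recorded in our log at all.
Looking at the second job: this scheduled task is clearly the one we are looking for, the culprit behind the flood of "Started Session * of user root" entries in the log.
It runs /usr/lib64/sa/sa1; commenting out that scheduled task is enough.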
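The correlation described above (session timestamps against cron schedules), as an added example that is not code from the original post: it attributes each root session in an excerpt of the post's log to the schedule that explains it. The two schedules are assumed values, since the post does not show the contents of the /etc/cron.d files, and `field_matches` and `attribute` are hypothetical helper names.

```python
import re
from collections import defaultdict
# Excerpt of the post's log (the "Starting Session" duplicates are omitted).
LOG = """\
Jun 23 09:00:01 iZu8kiphd67xs1Z systemd: Started Session 775 of user root.
Jun 23 09:01:01 iZu8kiphd67xs1Z systemd: Started Session 776 of user root.
Jun 23 09:10:01 iZu8kiphd67xs1Z systemd: Started Session 777 of user root.
Jun 23 09:21:54 iZu8kiphd67xs1Z systemd: Started Session 779 of user root.
Jun 23 09:21:54 iZu8kiphd67xs1Z systemd-logind: New session 779 of user root.
"""

# ASSUMED schedules (label, minute field, hour field); replace with the real cron.d entries.
CRON = [("0hourly", "01", "*"), ("sa1 job", "*/10", "*")]

START = re.compile(r"^\w+ +\d+ (\d\d):(\d\d):\d\d \S+ systemd: Started Session (\d+) of user root\.", re.M)
LOGIND = re.compile(r"systemd-logind: New session (\d+) of user root\.")

def field_matches(field, value):
    """Match one cron field: '*', '*/n', 'a', 'a-b', 'a-b/n' and comma lists."""
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step or 1)
        if rng == "*":
            lo, hi = 0, value
        elif "-" in rng:
            lo, hi = map(int, rng.split("-"))
        else:
            lo = hi = int(rng)
        if lo <= value <= hi and (value - lo) % step == 0:
            return True
    return False

def attribute(log, cron):
    """Group root session ids by the schedule (or other source) that explains them."""
    logins = set(LOGIND.findall(log))
    result = defaultdict(list)
    for m in START.finditer(log):
        hour, minute, sid = int(m[1]), int(m[2]), m[3]
        if sid in logins:  # also announced by systemd-logind: report separately
            owners = ["logind session"]
        else:
            owners = [name for name, mf, hf in cron
                      if field_matches(mf, minute) and field_matches(hf, hour)]
        for name in owners or ["unexplained"]:
            result[name].append(sid)
    return dict(result)

if __name__ == "__main__":
    print(attribute(LOG, CRON))
```

Sessions reported as unexplained, or announced by systemd-logind, are not accounted for by the listed schedules and are the ones to look at before the recurring entries are silenced. Commenting out the sa1 entry also stops the system activity data collection that the script below performs.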
Source of the script:
#!/bin/sh
# /usr/lib64/sa/sa1
# (C) 1999-2012 Sebastien Godard (sysstat <at> orange.fr)
#
#@(#) sysstat-10.1.5
#@(#) sa1: Collect and store binary data in system activity data file.
#

# Set default value for some variables.
# Used only if ${SYSCONFIG_DIR}/sysstat doesn't exist!
HISTORY=0
SADC_OPTIONS=""
DDIR=/var/log/sa
DATE=`date +%d`
CURRENTFILE=sa${DATE}
CURRENTDIR=`date +%Y%m`
SYSCONFIG_DIR=/etc/sysconfig
umask 0022
[ -r ${SYSCONFIG_DIR}/sysstat ] && . ${SYSCONFIG_DIR}/sysstat
if [ ${HISTORY} -gt 28 ]
then
    cd ${DDIR} || exit 1
    [ -d ${CURRENTDIR} ] || mkdir -p ${CURRENTDIR}
    # If ${CURRENTFILE} exists and is a regular file, then make sure
    # the file was modified this day (and not e.g. month ago)
    # and move it to ${CURRENTDIR}
    [ ! -L ${CURRENTFILE} ] &&
        [ -f ${CURRENTFILE} ] &&
        [ "`date +%Y%m%d -r ${CURRENTFILE}`" = "${CURRENTDIR}${DATE}" ] &&
        mv -f ${CURRENTFILE} ${CURRENTDIR}/${CURRENTFILE}
    touch ${CURRENTDIR}/${CURRENTFILE}
    # Remove the "compatibility" link and recreate it to point to
    # the (new) current file
    rm -f ${CURRENTFILE}
    ln -s ${CURRENTDIR}/${CURRENTFILE} ${CURRENTFILE}
else
    # If ${CURRENTFILE} exists, is a regular file and is from a previous
    # month then delete it so that it is recreated by sadc afresh
    [ -f ${CURRENTFILE} ] && [ "`date +%Y%m -r ${CURRENTFILE}`" -lt "${CURRENTDIR}" ] && rm -f ${CURRENTFILE}
fi
ENDIR=/usr/lib64/sa
cd ${ENDIR}
[ "$1" = "--boot" ] && shift && BOOT=y || BOOT=n
if [ $# = 0 ] && [ "${BOOT}" = "n" ]
then
    # Note: Stats are written at the end of previous file *and* at the
    # beginning of the new one (when there is a file rotation) only if
    # outfile has been specified as '-' on the command line...
    exec ${ENDIR}/sadc -F -L ${SADC_OPTIONS} 1 1 -
else
    exec ${ENDIR}/sadc -F -L ${SADC_OPTIONS} $* -
fi
As a beginner, I will analyze this script next time.
Do not reproduce without permission: 流觞 » [Linux] Tracking down and fixing a flood of "Started Session * of user root" messages in the system log