
A monitoring service that executes every minute requires sudo. With this, my logs are full of `pam_unix` entries telling me that this service logged in with sudo.

Now that I have journald on this machine, I thought maybe I could filter those logs, so that journald simply ignores them (by regex matching/other parameters).

I don't want to filter the output (I could do that with journalctl); I don't want those entries to be stored.

Is this possible with journald?

sourcejedi
Ethan Leroy
  • Nothing in the journald-related manpages indicates this is possible. You could tell journald to forward everything to rsyslog and get rsyslog to do the filtering, but I suppose this is not what you want. – muru Feb 14 '16 at 22:47
  • @muru I checked the `rsyslog` docs and it has a filtering concept, but for filtering to different files. I couldn't find anything in the `rsyslog` docs to indicate that it could be used for discarding the messages, but setting the file to `/dev/null` might work. – jordanm Feb 14 '16 at 22:48
  • @jordanm you don't have to send it to a file in `rsyslog`. There is a discard action: http://www.rsyslog.com/doc/master/configuration/actions.html?highlight=tilde#discard – muru Feb 14 '16 at 22:52
  • Thanks for your comments, but really? There is no way to do this with journald? I thought journald is so great, there must be an option for filtering logs when they come in. – Ethan Leroy Feb 15 '16 at 17:47
  • [This SO question](https://unix.stackexchange.com/questions/224370/how-to-stop-sudo-pam-messages-in-auth-log-for-a-specific-user) does not answer the journald filtering, but it does address the `sudo` / `pam_unix` messages: – thom_nic Apr 17 '18 at 14:14

0 Answers