Reducing syslog noise on CentOS 7

Posted at 2019-09-27

On CentOS 7, messages like the following are written to syslog on every login session, so this article suppresses them.
Reference:

| program | MSG |
|---|---|
| systemd | Starting User Slice |
| sshd | pam_unix(sshd:session): session opened for user |
| systemd | Created slice User Slice |
| systemd-logind | New session *** of user |
| sshd | authentication MSG, e.g. Accepted publickey for admin from |
| systemd | Starting Session *** of user |
| systemd | Stopping User Slice of admin |
| systemd | Removed slice User Slice |
| systemd-logind | Removed session *** |
| sshd | pam_unix(sshd:session): session closed for user |

Suppressing the messages logged when a session is established

Suppressing messages from systemd

/etc/rsyslog.d/ignore-systemd-session-slice.conf

```
# cat /etc/rsyslog.d/ignore-systemd-session-slice.conf
if $programname == "systemd" and
  ($msg contains "Starting Session" or
   $msg contains "Started Session"  or
   $msg contains "Created slice"    or
   $msg contains "Starting user-"   or
   $msg contains "Starting User Slice of" or
   $msg contains "Removed session" or
   $msg contains "Removed slice User Slice of" or
   $msg contains "Stopping User Slice of") then stop
# systemctl restart rsyslog
```

Suppressing messages from systemd-logind

/etc/rsyslog.d/ignore-systemd-logind-session.conf

```
# cat /etc/rsyslog.d/ignore-systemd-logind-session.conf
if $programname == "systemd-logind" and
  ($msg contains "New session" or
   $msg contains "Removed session") then stop
# systemctl restart rsyslog
```

Suppressing messages from sshd

/etc/rsyslog.d/ignore-sshd-session.conf

```
# cat /etc/rsyslog.d/ignore-sshd-session.conf
if $programname == "sshd" and
  ($msg contains "pam_unix(sshd:session)" or
   $msg contains "session opened" or
   $msg contains "Received disconnect" or
   $msg contains "Connection closed by 127.0.0.1" or
   $msg contains "Connection closed by 192.168.*.***" ) then stop
# systemctl restart rsyslog
```

Replace `192.168.*.***` with the addresses used in your environment. Note that `contains` is a literal substring match, so `*` is not a wildcard: write the actual address or address prefix you want to match. Also be aware that `stop` discards these records before they reach /var/log/secure, so the session open/close evidence for SSH logins is gone; if the goal is only to declutter the main log, writing these messages to a separate file instead of dropping them keeps the audit trail.
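To see what the three filters above actually drop, here is an added example (not from the original article and not part of rsyslog) that replays the filter conditions over constructed log lines in Python. The host name, PIDs and addresses in the sample lines are made up, and the literal prefix `192.168.10.` used in `RULES_FIXED` is an assumption standing in for your own subnet. It shows that `contains` is a literal substring test: the `192.168.*.***` placeholder as written matches nothing, while `Accepted publickey` and `Failed password` records are left untouched by all three filters.

```python
"""Replay the three rsyslog filters above against constructed log lines.

Added example for this article; it is not part of the original post or of
rsyslog.  It models only what the filters use: `$programname == X` and
`$msg contains Y`, where `contains` is a case-sensitive literal substring
test.  That is why "Connection closed by 192.168.*.***" matches nothing:
the `*` characters are compared literally, not as wildcards.
"""
import re
from typing import Dict, List, Tuple

# Patterns copied from the three /etc/rsyslog.d/ignore-*.conf files above,
# keyed by $programname.
RULES: Dict[str, List[str]] = {
    "systemd": [
        "Starting Session", "Started Session", "Created slice",
        "Starting user-", "Starting User Slice of", "Removed session",
        "Removed slice User Slice of", "Stopping User Slice of",
    ],
    "systemd-logind": ["New session", "Removed session"],
    "sshd": [
        "pam_unix(sshd:session)", "session opened", "Received disconnect",
        "Connection closed by 127.0.0.1",
        "Connection closed by 192.168.*.***",  # literal text, never matches a real address
    ],
}

# Same rules with the placeholder replaced by a literal prefix.  The prefix
# 192.168.10. is an assumption for this example; use your own subnet.
RULES_FIXED = {k: list(v) for k, v in RULES.items()}
RULES_FIXED["sshd"][-1] = "Connection closed by 192.168.10."

# Traditional "Mon DD HH:MM:SS host program[pid]: msg" layout, as written by
# rsyslog's default file template.
SYSLOG_RE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+(?P<host>\S+)\s+(?P<prog>[^\s\[:]+)(?:\[\d+\])?:\s(?P<msg>.*)$"
)


def parse(line: str) -> Tuple[str, str]:
    """Split a syslog line into ($programname, $msg)."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError(f"not a syslog line: {line!r}")
    return m.group("prog"), m.group("msg")


def is_dropped(program: str, msg: str, rules=RULES) -> bool:
    """True if one of the `... then stop` rules would discard this record."""
    return any(pattern in msg for pattern in rules.get(program, []))


def filter_lines(lines: List[str], rules=RULES) -> Tuple[List[str], List[str]]:
    """Return (kept, dropped), partitioned the way rsyslog would."""
    kept, dropped = [], []
    for line in lines:
        program, msg = parse(line)
        (dropped if is_dropped(program, msg, rules) else kept).append(line)
    return kept, dropped


# Constructed sample lines; host name, PIDs and addresses are made up.
SAMPLE_LINES = [
    "Sep 27 10:00:01 web01 systemd: Created slice User Slice of admin.",
    "Sep 27 10:00:01 web01 systemd: Starting Session 123 of user admin.",
    "Sep 27 10:00:01 web01 systemd-logind: New session 123 of user admin.",
    "Sep 27 10:00:01 web01 sshd[2041]: Accepted publickey for admin from 192.168.10.20 port 50112 ssh2: RSA SHA256:xxxx",
    "Sep 27 10:00:01 web01 sshd[2041]: pam_unix(sshd:session): session opened for user admin by (uid=0)",
    "Sep 27 10:00:05 web01 sshd[2050]: Failed password for invalid user test from 203.0.113.5 port 4022 ssh2",
    "Sep 27 10:00:09 web01 sshd[2041]: Connection closed by 192.168.10.20 port 50112",
    "Sep 27 10:00:09 web01 sshd[2060]: Connection closed by 127.0.0.1 port 40000",
    "Sep 27 10:00:09 web01 systemd-logind: Removed session 123.",
]

if __name__ == "__main__":
    kept, dropped = filter_lines(SAMPLE_LINES)
    print(f"dropped {len(dropped)}, kept {len(kept)} (the '192.168.*.***' rule matched nothing):")
    for line in kept:
        print("  KEEP", line)
    kept, dropped = filter_lines(SAMPLE_LINES, RULES_FIXED)
    print(f"with a literal prefix: dropped {len(dropped)}, kept {len(kept)}")
```

With the article's rules as written, six of the nine sample records are dropped and the `Connection closed by 192.168.10.20` line survives because the `*` placeholder is compared literally; with `RULES_FIXED` it is dropped too. The authentication success and failure lines are kept in both cases.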

Suppressing messages originating from daemons

When sudo is used, a lot of messages like these are logged.
Reference:

| program | MSG |
|---|---|
| sudo | pam_unix(sudo:session): session opened for user root by (uid=0) |
| sudo | pam_unix(sudo:session): session closed for user root |

Changing the PAM configuration

```
# grep -E "session.*pam_unix" /etc/pam.d/*
```

Find where `session required pam_unix.so` is configured and insert the new line directly above it. `success=1` skips exactly one module, so the line only works if `pam_unix.so` is the very next entry. On CentOS 7, /etc/pam.d/system-auth is a symlink to system-auth-ac, which authconfig regenerates, so re-check the edit after running authconfig. sudo's own command log line (`user : TTY=... ; COMMAND=...`) is written by sudo itself rather than by pam_unix and is not affected.

Suppressing sudo messages for all users

```
session [success=1 default=ignore] pam_succeed_if.so service in sudo quiet uid = 0
```

Suppressing sudo messages for a specific user

```
session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = nagios
```

Sample

/etc/pam.d/system-auth

```
....
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
# -- add hiroshi
session [success=1 default=ignore] pam_succeed_if.so service in sudo quiet uid = 0
# session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = nagios
# session [success=1 default=ignore] pam_succeed_if.so quiet uid = 0 ruser = apache
session     required      pam_unix.so
```
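The `success=1` control skips exactly the next module, which is why the line has to sit directly above `pam_unix.so`. The following added example (not from the original article and not Linux-PAM code) simulates the session stack in Python for the cases the article describes: sudo to root for any user, sudo to root only for `nagios`, a normal SSH login, and the mistake of placing the skip line one entry too high. The stack texts, the `ruid` field standing for the calling process's uid, and the sudo/sshd contexts are constructed for the example.

```python
"""Simulate the PAM session stack edit above: which modules run for a given
service/user, and whether the pam_unix.so session line is reached.

Added example for this article; it is not part of Linux-PAM or of the original
post.  Only what the edit relies on is modelled: the `[success=N default=ignore]`
control (on success skip the next N modules, on failure carry on), and
pam_succeed_if.so conditions of the forms `field = value`, `field != value`,
`field in a:b` and `field notin a:b` over service, user, uid and ruser.
Every other session module is assumed to succeed.  Stacks and contexts below
are constructed samples.
"""
import re
from typing import List

PAM_LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
SUCCEED_IF_FLAGS = {"quiet", "quiet_fail", "quiet_success", "use_uid", "debug", "audit"}


def parse_session_stack(text: str) -> List[dict]:
    """Keep only `session` lines; a leading '-' just silences missing-module errors."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("-")
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable pam line: {raw!r}")
        mtype, control, module, args = m.groups()
        if mtype == "session":
            entries.append({"control": control, "module": module, "args": args.split()})
    return entries


def succeed_if(args: List[str], ctx: dict) -> bool:
    """Evaluate pam_succeed_if.so conditions; all of them must hold."""
    use_uid = "use_uid" in args  # compare the calling process's uid, not the target user's
    conds = [a for a in args if a not in SUCCEED_IF_FLAGS]
    if len(conds) % 3:
        raise ValueError(f"conditions come in 'field op value' triples: {args}")
    for field, op, value in zip(conds[0::3], conds[1::3], conds[2::3]):
        actual = str(ctx["ruid"] if field == "uid" and use_uid else ctx[field])
        if op == "=":
            ok = actual == value
        elif op == "!=":
            ok = actual != value
        elif op == "in":
            ok = actual in value.split(":")
        elif op == "notin":
            ok = actual not in value.split(":")
        else:
            raise ValueError(f"operator {op!r} not modelled here")
        if not ok:
            return False
    return True


def run_session_stack(text: str, ctx: dict) -> List[str]:
    """Return the modules that actually execute, honouring success=N skips."""
    stack = parse_session_stack(text)
    executed, i = [], 0
    while i < len(stack):
        entry = stack[i]
        executed.append(entry["module"])
        ok = succeed_if(entry["args"], ctx) if entry["module"] == "pam_succeed_if.so" else True
        skip = 0
        if entry["control"].startswith("["):
            actions = dict(kv.split("=", 1) for kv in entry["control"][1:-1].split())
            action = actions.get("success" if ok else "default", "ignore")
            if action.isdigit():  # "success=1" means "skip the next 1 module"
                skip = int(action)
        i += 1 + skip
    return executed


def pam_unix_session_logged(text: str, ctx: dict) -> bool:
    """pam_unix.so writes 'session opened/closed' only if it is reached."""
    return "pam_unix.so" in run_session_stack(text, ctx)


# Session section of /etc/pam.d/system-auth as in the article's sample (constructed).
ARTICLE_STACK = """
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
# -- add hiroshi
session     [success=1 default=ignore] pam_succeed_if.so service in sudo quiet uid = 0
session     required      pam_unix.so
"""

# Variant that only silences sudo sessions started by the nagios user.
NAGIOS_STACK = ARTICLE_STACK.replace(
    "pam_succeed_if.so service in sudo quiet uid = 0",
    "pam_succeed_if.so quiet uid = 0 ruser = nagios",
)

# Mistake to avoid: the skip line is not directly above pam_unix.so.
MISPLACED_STACK = """
session     [success=1 default=ignore] pam_succeed_if.so service in sudo quiet uid = 0
session     required      pam_limits.so
session     required      pam_unix.so
"""

# Constructed contexts: target-user fields plus the caller (ruser / ruid).
SUDO_ROOT_BY_ADMIN = {"service": "sudo", "user": "root", "uid": 0, "ruser": "admin", "ruid": 1000}
SUDO_ROOT_BY_NAGIOS = {"service": "sudo", "user": "root", "uid": 0, "ruser": "nagios", "ruid": 1001}
SSH_LOGIN_ADMIN = {"service": "sshd", "user": "admin", "uid": 1000, "ruser": "", "ruid": 0}

if __name__ == "__main__":
    for name, stack, ctx in [
        ("sudo -> root by admin, article stack", ARTICLE_STACK, SUDO_ROOT_BY_ADMIN),
        ("ssh login by admin, article stack", ARTICLE_STACK, SSH_LOGIN_ADMIN),
        ("sudo -> root by nagios, ruser stack", NAGIOS_STACK, SUDO_ROOT_BY_NAGIOS),
        ("sudo -> root by admin, misplaced skip", MISPLACED_STACK, SUDO_ROOT_BY_ADMIN),
    ]:
        print(f"{name}: pam_unix logs = {pam_unix_session_logged(stack, ctx)}")
```

In the misplaced variant the skip succeeds but lands on `pam_limits.so`, so resource limits are silently not applied and `pam_unix.so` still logs the session: the opposite of what was intended.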