
After running yum update on one of my boxes, I am receiving a continuous stream of entries in /var/log/messages, and they are filling up the disk. I could not make out where the events are coming from.

Linux host1 2.6.32-754.28.1.el6.x86_64 #1 SMP Wed Mar 11 18:38:45 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Log snippet:

Apr 27 21:05:45 127.0.0.1 2020-04-27 21:05:45,537 [Thread-0] WARN  EventLog.confd- UserSessNotification[STOP, user=[name=admin, usid=981303, addr=127.0.0.1, prot=1], db=DB_NONE]
Apr 27 21:05:45 127.0.0.1 2020-04-27 21:05:45,537 [Thread-0] WARN  EventLog.confd- AuditNotification[logno=107, user=admin, usid=981303, msg="Logged out from maapi ctx=mappi (end_user_session)"]
Apr 27 21:06:18 127.0.0.1 2020-04-27 21:06:18,587 [Thread-0] WARN  EventLog.confd- AuditNotification[logno=105, user=admin, usid=981305, msg="assigned to groups: admin"]
Apr 27 21:06:18 127.0.0.1 2020-04-27 21:06:18,587 [Thread-0] WARN  EventLog.confd- UserSessNotification[START, user=[name=admin, usid=981305, addr=127.0.0.1, prot=1], db=DB_NONE]
Apr 27 21:06:18 127.0.0.1 2020-04-27 21:06:18,587 [Thread-0] WARN  EventLog.confd- AuditNotification[logno=105, user=admin, usid=981305, msg="assigned to groups: admin"]
Apr 27 21:06:18 127.0.0.1 2020-04-27 21:06:18,587 [Thread-0] WARN  EventLog.confd- UserSessNotification[START, user=[name=admin, usid=981305, addr=127.0.0.1, prot=1], db=DB_NONE]
Apr 27 21:06:18 127.0.0.1 2020-04-27 21:06:18,589 [Thread-0] WARN  EventLog.confd- UserSessNotification[STOP, user=[name=admin, usid=981305, addr=127.0.0.1, prot=1], db=DB_NONE]
Apr 27 21:06:18 127.0.0.1 2020-04-27 21:06:18,590 [Thread-0] WARN  EventLog.confd- AuditNotification[logno=107, user=admin, usid=981305, msg="Logged out from maapi ctx=mappi (end_user_session)"]
Apr 27 21:06:18 127.0.0.1 2020-04-27 21:06:18,589 [Thread-0] WARN  EventLog.confd- UserSessNotification[STOP, user=[name=admin, usid=981305, addr=127.0.0.1, prot=1], db=DB_NONE]
Apr 27 21:06:18 127.0.0.1 2020-04-27 21:06:18,590 [Thread-0] WARN  EventLog.confd- AuditNotification[logno=107, user=admin, usid=981305, msg="Logged out from maapi ctx=mappi (end_user_session)"]
Apr 27 21:06:51 127.0.0.1 2020-04-27 21:06:51,636 [Thread-0] WARN  EventLog.confd- AuditNotification[logno=105, user=admin, usid=981306, msg="assigned to groups: admin"]
Apr 27 21:06:51 127.0.0.1 2020-04-27 21:06:51,636 [Thread-0] WARN  EventLog.confd- UserSessNotification[START, user=[name=admin, usid=981306, addr=127.0.0.1, prot=1], db=DB_NONE]

Can anyone recognise these entries, and how can I suppress them?

I have checked in my rsyslog.conf and the system is definitely not logging kernel messages.

pablo808

  • Do "Cisco WAE" and its management agent API ring a bell? – Gerard H. Pille Apr 27 '20 at 13:30
  • Afraid not. This is an HP box and I uninstalled the HP System Management Homepage yum package, but the events are still appearing. Thanks for responding. – pablo808 Apr 27 '20 at 14:15
  • Could other systems be using this system's syslog? A management agent may go looking for a willing ear on its network. But given the 127.0.0.1, that's probably not the case. There must be a process that's activated every 30". – Gerard H. Pille Apr 27 '20 at 14:50
  • Cisco's ConfD (see https://www.tail-f.com/confd-basic/) is the only tool I find that uses a "maapi". As I see confd in your messages, you should have another look. – Gerard H. Pille Apr 27 '20 at 15:00
  • I wasn't able to identify the process. Tried filtering out 127.0.0.1 but it didn't work, so I just filtered the content 'EventLog.confd' to drop all those events. I even tried a CentOS 7 box with the same IP. Must have been some network device sending the logs to this IP, but then that doesn't explain why it's showing 127.0.0.1. The event shows 2 timestamps so I guess these events are being forwarded. I'm baffled with this one. Thank you for your time. – pablo808 Apr 28 '20 at 11:17
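As an added example (not from the question or the comments), a small Python parser for these exact lines: it separates the header written by the local syslog daemon from the sender's own log4j-style record inside the body (the reason every line carries two timestamps), pairs each START/STOP by usid, and measures how long the sessions live and how often they recur, which is the evidence you want before deciding whether the source is a local agent or a remote device. The sample lines are constructed after the ones in the question, and the year 2020 is assumed because the syslog header carries none.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the /var/log/messages entries quoted in the question.
SAMPLE = """\
Apr 27 21:05:45 127.0.0.1 2020-04-27 21:05:45,537 [Thread-0] WARN  EventLog.confd- UserSessNotification[STOP, user=[name=admin, usid=981303, addr=127.0.0.1, prot=1], db=DB_NONE]
Apr 27 21:06:18 127.0.0.1 2020-04-27 21:06:18,587 [Thread-0] WARN  EventLog.confd- UserSessNotification[START, user=[name=admin, usid=981305, addr=127.0.0.1, prot=1], db=DB_NONE]
Apr 27 21:06:18 127.0.0.1 2020-04-27 21:06:18,589 [Thread-0] WARN  EventLog.confd- UserSessNotification[STOP, user=[name=admin, usid=981305, addr=127.0.0.1, prot=1], db=DB_NONE]
Apr 27 21:06:51 127.0.0.1 2020-04-27 21:06:51,636 [Thread-0] WARN  EventLog.confd- UserSessNotification[START, user=[name=admin, usid=981306, addr=127.0.0.1, prot=1], db=DB_NONE]
Apr 27 21:06:51 127.0.0.1 2020-04-27 21:06:51,641 [Thread-0] WARN  EventLog.confd- UserSessNotification[STOP, user=[name=admin, usid=981306, addr=127.0.0.1, prot=1], db=DB_NONE]
Apr 27 21:06:52 host1 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 50022 ssh2
"""

# OUTER is the header the syslog daemon wrote; INNER is the sender's own log4j-style record
# (second timestamp, thread, level, logger) that sits inside the message body.
OUTER = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$")
INNER = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \[(?P<thread>[^\]]+)\] (?P<level>\w+) +(?P<logger>\S+) (?P<msg>.*)$")
SESS = re.compile(r"UserSessNotification\[(?P<event>START|STOP), user=\[name=(?P<user>[^,]+), usid=(?P<usid>\d+)")

def parse_line(line, year=2020):
    """One syslog line -> dict (None if not syslog-shaped). Session fields are set only for confd records."""
    o = OUTER.match(line)
    if not o:
        return None
    rec = {"host": o["host"], "logger": None, "event": None, "body": o["body"],
           "outer_ts": datetime.strptime(f"{year} {o['mon']} {o['day']} {o['time']}", "%Y %b %d %H:%M:%S")}
    i = INNER.match(o["body"])
    if i:  # keep the sender's millisecond timestamp; it is finer than the syslog header's
        rec["inner_ts"] = datetime.strptime(i["ts"].replace(",", "."), "%Y-%m-%d %H:%M:%S.%f")
        rec["logger"] = i["logger"]
        s = SESS.search(i["msg"])
        if s:
            rec.update(event=s["event"], user=s["user"], usid=int(s["usid"]))
    return rec

def session_profile(text):
    """Pair START/STOP by usid. Returns (session lengths in ms, whole seconds between successive STARTs)."""
    open_sessions, durations, gaps, last_start = {}, [], [], None
    for line in text.splitlines():
        r = parse_line(line)
        if not r or r["event"] is None:
            continue
        if r["event"] == "START":
            open_sessions[r["usid"]] = r["inner_ts"]
            if last_start is not None:
                gaps.append(round((r["inner_ts"] - last_start).total_seconds()))
            last_start = r["inner_ts"]
        elif r["usid"] in open_sessions:  # a STOP whose START we never saw (usid 981303) is ignored
            durations.append((r["inner_ts"] - open_sessions.pop(r["usid"])) // timedelta(milliseconds=1))
    return durations, gaps
```

On the sample this yields sessions of 2 and 5 ms recurring about 33 s apart, the signature of a polling client rather than a person at a terminal. The interim drop pablo808 describes corresponds in rsyslog's legacy syntax to `:msg, contains, "EventLog.confd" ~` placed before the rule that writes /var/log/messages.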
