Bug#837893: systemd: Logging from gnome session is passed on to all syslog facilities

Nathan Dorfman ndorf at rtfm.net
Sun Mar 26 05:35:33 BST 2017 

I think these messages are being (erroneously) passed specifically to
the KERN facility, not all facilities as the summary states.

For one thing, the superfluous messages don't appear in the user.log
file, as they do in kern.log, despite the fact that rsyslogd is
configured to route all facility=USER messages there, as per the
Debian default:

root at stretch:/var/log# fgrep -c 'Mar 25 21:07:16 stretch NetworkManager[423]: <info>  [1490497636.9242] manager: startup complete' kern.log syslog user.log
kern.log:1
syslog:1
user.log:0
root at stretch:/var/log# egrep '(user|kern).log' /etc/rsyslog.conf 
kern.*              -/var/log/kern.log
user.*              -/var/log/user.log
root at stretch:/var/log# 

For another, after configuring rsyslogd with a custom template that
includes the facility (and priority) with each message, the offending
messages consistently have facility=KERN in every file in which they
do appear:

root at stretch:/var/log# fgrep template /etc/rsyslog.conf
$template MyFormat,"%pri-text%: %timegenerated% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n"
root at stretch:/var/log# fgrep -R 'Mar 25 21:35:19 stretch NetworkManager[423]: <info>  [1490499319.1248] device (ens3): Activation: successful, device activated.'
messages:kern.info: Mar 25 21:35:19 stretch NetworkManager[423]: <info> [1490499319.1248] device (ens3): Activation: successful, device activated.
kern.log:kern.info: Mar 25 21:35:19 stretch NetworkManager[423]: <info>  [1490499319.1248] device (ens3): Activation: successful, device activated.
syslog:kern.info: Mar 25 21:35:19 stretch NetworkManager[423]: <info> [1490499319.1248] device (ens3): Activation: successful, device activated.
root at stretch:/var/log#

I'll go on the record with a prediction that this will turn out to be
directly related to the fact that the numeric value representing the
KERN facility is zero:

root at stretch:/var/log# fgrep KERN /usr/include/*/sys/syslog.h
#define LOG_KERN    (0<<3)  /* kernel messages */
    { "kern", LOG_KERN },
root at stretch:/var/log# 

Anyway, this problem also exists on jessie, with systemd 215.
NetworkManager doesn't exhibit the problem there, making it less
noticeable, but gnome-session and pulseaudio can be seen in the
kern.log file.

One acceptable workaround seems to be to just disable the broken
functionality altogether, with ForwardToSyslog=no in
/etc/systemd/journald.conf, and just use journalctl(1) to view those
messages. Note, however, that the journal is only stored under /run by
default and so will be lost on shutdown; to avoid that, you simply
have to create the default directory /var/log/journal, and it will be
persisted there.

-nd.

More information about the Pkg-systemd-maintainers mailing list