I have a user ( and actually me too) getting this messages when the screen is idle, I need help on stopping this messages:
2012 Feb 20 13:30:22 servername Audit[11217]: LENGTH: "330" SESSIONID:[6] "339384" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[10] "OPS$PT2ADM" USERHOST:[13] "zzzzzzzzzzz" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[96] "Authenticated by: OS; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=161.134.154.206)(PORT=21889))" OS$USERID:[6] "pt2adm" DBID:[10] "1102948819" PRIV$USED:[1] "5"
2012 Feb 20 13:30:22 zzzzzzzzzzz Audit[11217]: LENGTH: "203" SESSIONID:[6] "339384" ENTRYID:[1] "1" ACTION:[3] "101" RETURNCODE:[1] "0" LOGOFF$PREAD:[1] "0" LOGOFF$LREAD:[2] "27" LOGOFF$LWRITE:[1] "0" LOGOFF$DEAD:[1] "0" DBID:[10] "1102948819" SESSIONCPU:[1] "1"
2012 Feb 20 13:30:22 zzzzzzzzz Audit[11217]: LENGTH: "331" SESSIONID:[6] "339385" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[5] "SAPR3" USERHOST:[13] "zzzzzzzzzzz" ACTION:[3] "100" RETURNCODE:[1] "0" COMMENT$TEXT:[102] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=161.134.154.206)(PORT=21889))" OS$USERID:[6] "pt2adm" DBID:[10] "1102948819" PRIV$USED:[1] "5"
Are you logged into the console of the machine? Looks like these are warning messages thrown to the STDERR stream of the console. You should not get these if you login through ssh or do a graphical login.
What application are you running on this machine? SAP (looks like one)? As far as I can tell you, this has nothing to do with RHEL, you may wan to check the application settings.
If the application uses syslog daemon to write logs, you may change *.emerg * to *.emerg /var/log/messages in the /etc/rsyslog.conf (or /etc/syslog.conf depending on the RHEL version) file to redirect the emergency messages to /var/log/messages file.
1 Like
Thanks for the note.
The messages are coming from ssh not from console. I get them and the users too.
There is SAP and I believe oracle too.
The *.emerg is commented out in the /etc/rsyslog.conf/rpmsave
I believe we maybe using a custom syslog program that is the one creating those messages.
I found this:
@version:3.2
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
options {
flush_lines (0);
time_reopen (10);
log_fifo_size (1000);
long_hostnames (off);
use_dns (no);
use_fqdn (no);
create_dirs (no);
keep_hostname (yes);
};
source s_sys {
file ("/proc/kmsg" program_override("kernel: "));
unix-stream ("/dev/log");
internal();
# udp(ip(0.0.0.0) port(514));
};
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };
# Some default filters require modification for DBA
filter f_kernel { facility(kern); };
filter f_default { level(info..emerg) and
not (facility(mail)
or facility(authpriv)
"syslog-ng.conf" [readonly] 111L, 4757C