Troubleshooting
Problem
Stored messages related to Linux events may be found with a raw payload similar to: systemd: Created slice user-0.slice.
Symptom
Events such as:
<30>Jun 30 18:20:01 hostname systemd: Created slice user-0.slice.
<30>Jun 30 18:20:01 hostname systemd: Started Session 8192 of user root.
<30>Jun 30 18:20:01 hostname systemd: Removed slice user-0.slice.
<30>Jun 30 18:20:01 hostname systemd: Starting user-0.slice.
<30>Jun 30 18:20:01 hostname systemd: Stopping user-0.slice.
<30>Jun 30 18:20:01 hostname systemd: Starting Session 8192 of user root.
<78>Jun 30 18:20:01 hostname CROND[8695]: (root) CMD (/usr/lib64/sa/sa1 1 1)
Cause
These are low-priority, info-level messages.
Resolving The Problem
These are low-priority, info-level messages that are generated on a systemd-type log source such as RHEL 7 or CentOS 7. There is no useful information associated with these events, and QRadar is not trying to parse them. These low-level messages are written to /var/log/messages on your log source. To stop these events from being generated and sent to QRadar, you may be required to tune your Linux server by updating the systemd configuration:
Created Slice user-0.slice in /var/log/messages
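Before tuning the log source, it can help to confirm that the stored events really are info-level systemd session and slice messages and to see how much of the feed they make up. The following is an added example, not IBM or QRadar code; the function names and the matching patterns are assumptions, and the sample lines are the events from the Symptom section.

```python
import re

# Linux facility names for codes 0-11; severity names for codes 0-7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog",
              "lpr", "news", "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]

# <PRI>Mmm dd hh:mm:ss host program[pid]: message
LINE_RE = re.compile(
    r"^<(\d{1,3})>\w{3}\s+\d+ [\d:]{8} (\S+) ([^:\[\s]+)(?:\[\d+\])?: (.*)$")

# Assumed patterns covering the systemd session/slice messages shown above.
NOISE_RE = re.compile(
    r"^(?:(?:(?:Created|Removed) slice|Starting|Stopping) user-\d+\.slice"
    r"|Start(?:ing|ed) Session \d+ of user \S+)\.$")

# The events from the Symptom section of this page.
SAMPLE = [
    "<30>Jun 30 18:20:01 hostname systemd: Created slice user-0.slice.",
    "<30>Jun 30 18:20:01 hostname systemd: Started Session 8192 of user root.",
    "<30>Jun 30 18:20:01 hostname systemd: Removed slice user-0.slice.",
    "<30>Jun 30 18:20:01 hostname systemd: Starting user-0.slice.",
    "<30>Jun 30 18:20:01 hostname systemd: Stopping user-0.slice.",
    "<30>Jun 30 18:20:01 hostname systemd: Starting Session 8192 of user root.",
    "<78>Jun 30 18:20:01 hostname CROND[8695]: (root) CMD (/usr/lib64/sa/sa1 1 1)",
]

def classify(line):
    """Decode the syslog PRI and flag info-level systemd session/slice noise."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # not in the expected format; leave for manual review
    pri = int(m.group(1))
    facility, severity = pri >> 3, pri & 7  # PRI = facility * 8 + severity
    fac = FACILITIES[facility] if facility < len(FACILITIES) else str(facility)
    program, message = m.group(3), m.group(4)
    noise = (program == "systemd" and SEVERITIES[severity] == "info"
             and NOISE_RE.match(message) is not None)
    return {"priority": f"{fac}.{SEVERITIES[severity]}",
            "program": program, "noise": noise}

def noise_ratio(lines):
    """Return (noise events, parsed events) for a list of raw payloads."""
    parsed = [c for c in map(classify, lines) if c is not None]
    return sum(c["noise"] for c in parsed), len(parsed)

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), "|", line)
    print("noise/total:", noise_ratio(SAMPLE))
```

The systemd lines decode to daemon.info and the CROND line to cron.info; only the systemd session and slice messages are counted as noise, so other systemd events and anything above info level stay visible.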
Where do you find more information?
Document Information
Modified date:
16 June 2018
UID
swg21998963