IBM Support

QRadar: Linux DSM events display stored systemd message

Troubleshooting


Problem

Stored messages may be found related to Linux events with a raw payload similar to: systemd: Created slice user-0.slice.

Symptom

Events such as:
<30>Jun 30 18:20:01 hostname systemd: Created slice user-0.slice.
<30>Jun 30 18:20:01 hostname systemd: Started Session 8192 of user root.
<30>Jun 30 18:20:01 hostname systemd: Removed slice user-0.slice.
<30>Jun 30 18:20:01 hostname systemd: Starting user-0.slice.
<30>Jun 30 18:20:01 hostname systemd: Stopping user-0.slice.
<30>Jun 30 18:20:01 hostname systemd: Starting Session 8192 of user root.
<78>Jun 30 18:20:01 hostname CROND[8695]: (root) CMD (/usr/lib64/sa/sa1 1 1)

Cause

These are low-priority, info-level messages.

Resolving The Problem

These are low-priority, info-level messages generated by systemd-based log sources such as RHEL 7 or CentOS 7. They carry no useful information, and QRadar does not attempt to parse them, which is why they display as stored events. The messages are written to /var/log/messages on your log source and forwarded from there. To stop these events from being generated and sent to QRadar, you may need to tune your Linux server by updating its systemd configuration, as described in the following reference:

Created Slice user-0.slice in /var/log/messages
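As an added illustration (not part of the IBM technote), the following Python decodes the syslog priority of the events shown above to confirm they are daemon.info messages, and applies the same program-name and message-pattern match a log-source filter would use to separate the systemd session/slice noise from events worth forwarding. The sample lines and the sshd line are constructed for the example.

```python
import re
from typing import Optional, Tuple, List

# Constructed sample payloads mirroring the symptom lines in the technote, plus one
# auth event that must NOT be dropped.
SAMPLE_EVENTS = [
    "<30>Jun 30 18:20:01 hostname systemd: Created slice user-0.slice.",
    "<30>Jun 30 18:20:01 hostname systemd: Started Session 8192 of user root.",
    "<30>Jun 30 18:20:01 hostname systemd: Removed slice user-0.slice.",
    "<30>Jun 30 18:20:01 hostname systemd: Starting user-0.slice.",
    "<30>Jun 30 18:20:01 hostname systemd: Stopping user-0.slice.",
    "<30>Jun 30 18:20:01 hostname systemd: Starting Session 8192 of user root.",
    "<78>Jun 30 18:20:01 hostname CROND[8695]: (root) CMD (/usr/lib64/sa/sa1 1 1)",
    "<86>Jun 30 18:20:01 hostname sshd[1234]: Accepted publickey for root from 192.0.2.10 port 50000 ssh2",
]

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 9: "cron", 10: "authpriv"}

# BSD syslog line: <PRI>Mon dd hh:mm:ss host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Session/slice bookkeeping that systemd logs at info level on every cron run or login.
SESSION_NOISE_RE = re.compile(
    r"^(Created slice|Removed slice|Starting|Stopping) user-\d+\.slice\.?$"
    r"|^(Started|Starting|Stopping|Removed) [Ss]ession \d+ of user \S+?\.?$"
)

def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a syslog PRI into (facility, severity) names; PRI = facility * 8 + severity."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, str(facility)), SEVERITIES[severity]

def parse_event(line: str) -> Optional[dict]:
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["facility"], rec["severity"] = decode_pri(int(rec.pop("pri")))
    return rec

def is_systemd_session_noise(rec: dict) -> bool:
    """True only for info-level systemd session/slice messages; anything else is kept."""
    return (rec["prog"] == "systemd" and rec["severity"] == "info"
            and SESSION_NOISE_RE.match(rec["msg"]) is not None)

def filter_events(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (forwarded, dropped). Lines that fail to parse are forwarded, never dropped."""
    forwarded, dropped = [], []
    for line in lines:
        rec = parse_event(line)
        (dropped if rec is not None and is_systemd_session_noise(rec) else forwarded).append(line)
    return forwarded, dropped
```

Running filter_events over SAMPLE_EVENTS drops the six systemd lines and keeps the CROND and sshd events, which is the behaviour a filter rule on the log source should reproduce before the events reach QRadar.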






Document Information

Modified date:
16 June 2018

UID

swg21998963