
journal gets flooded when using cockpit with ssh session on remote hosts

Open msilveirabr opened this issue 2 years ago • 1 comments

After getting a "master" cockpit server up, I added some client computers using SSH public key connection.

It took me a while to understand what was going on... not sure how to solve this (cockpit -> logs) [Screenshot from 2023-01-04 19-57-48]

Detailed view of an entry:

tlog-rec-session
{"ver":"2.3","host":"tlog-fc37-client.local","rec":"49aa6e0d80704f17bb1872151b4d9abb-28a9-74d11a","user":"ansible","term":"","session":16,"id":143687,"pos":1147251,"time":1672873074.597,"timing":"<44+156<118+2<1526","in_txt":":5623808,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5246976,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5246976,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5246976,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5246976,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5246976,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5246976,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5246976,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5246976,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5263360,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5263360,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5263360,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5263360,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5263360,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5263360,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5263360,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5263360,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5279744,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5279744,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5279744,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5279744,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5279744,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5279744,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5279744,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5279744,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\
":5296128,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5296128,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5296128,\"command\":\"pong\",\"channel\":\"3:8!7\"}56\n\n{\"sequence\":5296128,\"command\":\"pong\",\"channel\":","in_bin":[],"out_txt":"","out_bin":[]}
CODE_FILE                   journal_json_writer.c
CODE_FUNC                   tlog_journal_json_writer_write
CODE_LINE                   117
PRIORITY                    6
SYSLOG_IDENTIFIER           tlog-rec-session
TLOG_ID                     143687
TLOG_REC                    49aa6e0d80704f17bb1872151b4d9abb-28a9-74d11a
TLOG_SESSION                16
TLOG_USER                   ansible
_AUDIT_LOGINUID             1001
_AUDIT_SESSION              16
_BOOT_ID                    49aa6e0d80704f17bb1872151b4d9abb
_CAP_EFFECTIVE              0
_CMDLINE                    tlog-rec-session -c cockpit-bridge
_COMM                       tlog-rec-sessio
_EXE                        /usr/bin/tlog-rec-session
_GID                        1001
_HOSTNAME                   tlog-fc37-client.local
_MACHINE_ID                 9d30c55c9c74420d95b559ef1afd61f6
_PID                        10409
_SELINUX_CONTEXT            unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
_SOURCE_REALTIME_TIMESTAMP  1672873074755555
_SYSTEMD_CGROUP             /user.slice/user-1001.slice/session-16.scope
_SYSTEMD_INVOCATION_ID      43d0002d24ed4802848380a4ef9b3a9b
_SYSTEMD_OWNER_UID          1001
_SYSTEMD_SESSION            16
_SYSTEMD_SLICE              user-1001.slice
_SYSTEMD_UNIT               session-16.scope
_SYSTEMD_USER_SLICE         -.slice
_TRANSPORT                  journal
_UID                        1001
__CURSOR                    s=84f2e400fcb046f8b5828adc8d8c4f46;i=31fbdf;b=49aa6e0d80704f17bb1872151b4d9abb;m=1217937277;t=5f1781d600807;x=ec28f7486d7c150c
__MONOTONIC_TIMESTAMP       77704950391
__REALTIME_TIMESTAMP        1672873074755591

cockpit playback: [Screenshot from 2023-01-04 20-02-15]

What should be done to fix this? Add the user used to connect to the remote hosts to the exclude_users / exclude_groups in the session_recording section of /etc/sssd/conf.d/sssd-session-recording.conf?

UPDATE: Adding a cockpitremote user and adding it to the sssd config exclude_users= line worked. BTW, for testing purposes, I was using the same login user from the terminal to connect remotely.

I'll leave this open for a while in case anyone hits the same issue.

Is there any better approach to avoid this?

msilveirabr, Jan 04 '23 23:01

The logs show "user":"ansible", did you set up recording for all users? You may need to exclude certain users or groups from recording if those users' recording is generating useless recording data.

Ideally, to avoid excess noise, you would use scope=some and only apply to the users and/or groups you want to record, but exclude_* options were added to provide more flexibility with configuration also.

justin-stephenson, Jan 05 '23 14:01
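
A triage sketch for the situation in this thread, added here as an example and not code from tlog, SSSD or Cockpit: it groups `journalctl -o json` entries from tlog-rec-session by user and recorded command, so accounts whose recordings are all terminal-less `-c` sessions (like the cockpit-bridge traffic above) stand out as candidates for exclude_users. The sample entries are constructed; the "`-c` plus empty `term`" rule and the `-tlog-rec-session` login-shell command line are assumptions of this example.

```python
import json
from collections import defaultdict

def _entry(user, cmdline, term, in_txt):
    """Build one constructed journal entry shaped like the one in the issue."""
    msg = {"ver": "2.3", "user": user, "term": term, "in_txt": in_txt, "out_txt": ""}
    return json.dumps({"SYSLOG_IDENTIFIER": "tlog-rec-session", "TLOG_USER": user,
                       "_CMDLINE": cmdline, "MESSAGE": json.dumps(msg)})

PONG = '{"sequence":1,"command":"pong","channel":"3:8!7"}56\n\n'
SAMPLE = "\n".join([  # constructed input, one JSON object per line
    _entry("ansible", "tlog-rec-session -c cockpit-bridge", "", PONG * 30),
    _entry("ansible", "tlog-rec-session -c cockpit-bridge", "", PONG * 30),
    _entry("alice", "-tlog-rec-session", "xterm-256color", "ls -l\r"),
    json.dumps({"SYSLOG_IDENTIFIER": "sshd", "MESSAGE": "Accepted publickey"}),
])

def summarize(journal_lines):
    """Return {(user, recorded command): [entries, message bytes, entries without a tty]}."""
    stats = defaultdict(lambda: [0, 0, 0])
    for line in journal_lines.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict) or rec.get("SYSLOG_IDENTIFIER") != "tlog-rec-session":
            continue
        raw = rec.get("MESSAGE")
        if not isinstance(raw, str):
            continue  # journalctl emits non-UTF-8 messages as byte arrays
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(msg, dict):
            continue
        _, sep, command = rec.get("_CMDLINE", "").partition(" -c ")
        row = stats[(rec.get("TLOG_USER", "?"), command if sep else "<login shell>")]
        row[0] += 1
        row[1] += len(raw.encode())
        row[2] += msg.get("term", "") == ""
    return dict(stats)

def exclusion_candidates(stats):
    """Users recorded only through `-c <command>` sessions that never had a terminal."""
    by_user = defaultdict(list)
    for (user, command), (count, _, no_tty) in stats.items():
        by_user[user].append(command != "<login shell>" and no_tty == count)
    return sorted(user for user, flags in by_user.items() if all(flags))
```

A user who also logs in interactively is never listed, which matches the update above: the exclusion went to a dedicated cockpitremote account rather than to the login user that was being recorded.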