Suppress GnuPG entries from systemd and gpg-agent flooding Debian daemon.log during SSH connection

Ever since upgrading to Debian 9 Stretch, certain logs (e.g. /var/log/daemon.log and /var/log/syslog) on our very active SSH hosts have been flooded with many GnuPG entries generated by systemd and gpg-agent every time a user connects to one of our hosts via SSH. These lines were generating several GB of daily logs that were not necessary for our environment.

I implemented an rsyslog filter that suppresses these “Listening on GnuPG” and “Closed GnuPG” messages after considering solutions specific to this issue discussed here and here as well as solutions related to excessive logging discussed here and here.

Create a new rsyslog conf file for this filter:

vi /etc/rsyslog.d/ignore-systemd-gpg.conf

And populate the conf file:

# Disable the following messages that occur before/after every SSH login 
#
# Dec 10 02:31:39 data-e1-prd-001 systemd[991]: Listening on GnuPG network certificate management daemon.
# Dec 10 02:31:39 data-e1-prd-001 systemd[991]: Listening on GnuPG cryptographic agent and passphrase cache.
# Dec 10 02:31:39 data-e1-prd-001 systemd[991]: Listening on GnuPG cryptographic agent (access for web browsers).
# Dec 10 02:31:39 data-e1-prd-001 systemd[991]: Listening on GnuPG cryptographic agent and passphrase cache (restricted).
# Dec 10 02:31:39 data-e1-prd-001 systemd[991]: Listening on GnuPG cryptographic agent (ssh-agent emulation).
# Dec 10 02:31:40 data-e1-prd-001 systemd[991]: Closed GnuPG cryptographic agent and passphrase cache.
# Dec 10 02:31:40 data-e1-prd-001 systemd[991]: Closed GnuPG cryptographic agent (access for web browsers).
# Dec 10 02:31:40 data-e1-prd-001 systemd[991]: Closed GnuPG cryptographic agent and passphrase cache (restricted).
# Dec 10 02:31:40 data-e1-prd-001 systemd[991]: Closed GnuPG cryptographic agent (ssh-agent emulation).
# Dec 10 02:31:40 data-e1-prd-001 systemd[991]: Closed GnuPG network certificate management daemon.

if $programname == "systemd" and ($msg contains "Listening on GnuPG" or $msg contains "Closed GnuPG") then stop

Then restart the rsyslogd service.

/etc/init.d/rsyslog restart

Your daemon.log should no longer contain the extra GnuPG related entries!

tail -f /var/log/daemon.log

Here is another example that suppresses messages related to “User Slice”, “Reached target”, and “Stopped target”.

First, create a new rsyslog conf file for this filter:

vi /etc/rsyslog.d/ignore-systemd-session-slice.conf

And populate the file with content similar to the following:

# SYSTEM IS CREATING THESE LOG ENTRIES FOR EACH SSH CONNECTION
# Dec 10 03:00:56 HOST systemd[1]: Created slice User Slice of USERNAME.
# Dec 10 03:00:56 HOST systemd[1]: Starting User Manager for UID 2556...
# Dec 10 03:00:56 HOST systemd[1]: Started Session 4160929 of user USERNAME.
# Dec 10 03:00:56 HOST systemd[1190]: Reached target Timers.
# Dec 10 03:00:56 HOST systemd[1190]: Reached target Paths.
# Dec 10 03:00:56 HOST systemd[1190]: Reached target Sockets.
# Dec 10 03:00:56 HOST systemd[1190]: Reached target Basic System.
# Dec 10 03:00:56 HOST systemd[1190]: Reached target Default.
# Dec 10 03:00:56 HOST systemd[1190]: Startup finished in 16ms.
# Dec 10 03:00:56 HOST systemd[1]: Started User Manager for UID 2556.
# Dec 10 03:00:57 HOST systemd[1]: Stopping User Manager for UID 2556...
# Dec 10 03:00:57 HOST systemd[1190]: Stopped target Default.
# Dec 10 03:00:57 HOST systemd[1190]: Stopped target Basic System.
# Dec 10 03:00:57 HOST systemd[1190]: Stopped target Timers.
# Dec 10 03:00:57 HOST systemd[1190]: Stopped target Sockets.
# Dec 10 03:00:57 HOST systemd[1190]: Stopped target Paths.
# Dec 10 03:00:57 HOST systemd[1190]: Reached target Shutdown.
# Dec 10 03:00:57 HOST systemd[1190]: Starting Exit the Session...
# Dec 10 03:00:57 HOST systemd[1190]: Received SIGRTMIN+24 from PID 1223 (kill).
# Dec 10 03:00:57 HOST systemd[1]: user@2556.service: Killing process 1223 (kill) with signal SIGKILL.
# Dec 10 03:00:57 HOST systemd[1]: Stopped User Manager for UID 2556.
# Dec 10 03:00:57 HOST systemd[1]: Removed slice User Slice of USERNAME.

# SUPPRESS ALL LOG ENTRIES ABOVE, EXCEPT THE FOLLOWING
# Dec 10 03:00:56 HOST systemd[1]: Starting User Manager for UID 2556...
# Dec 10 03:00:56 HOST systemd[1190]: Startup finished in 16ms.
# Dec 10 03:00:57 HOST systemd[1190]: Received SIGRTMIN+24 from PID 1223 (kill).
# Dec 10 03:00:57 HOST systemd[1]: user@2556.service: Killing process 1223 (kill) with signal SIGKILL.
# Dec 10 03:00:57 HOST systemd[1]: Stopped User Manager for UID 2556.

if $programname == "systemd" and ($msg contains "Created slice User Slice of " or $msg contains "Started Session " or $msg contains "Reached target " or $msg contains "Started User Manager for UID " or $msg contains "Stopping User Manager for UID " or $msg contains "Stopped target " or $msg contains "Reached target Shutdown" or $msg contains "Starting Exit the Session." or $msg contains "Removed slice User Slice of ") then stop

Then restart the rsyslogd service.

/etc/init.d/rsyslog restart

If you would like to add or remove additional lines generated by the “systemd” service from your daemon.log file, modify the filter in the conf file by adding or removing rule sections.
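Before editing the rule, it helps to see which lines a given set of substrings would drop. The following is an added example, not part of the original post: a dry-run that applies the same "programname is systemd and msg contains ..." test to sample lines. The function names and the cron line are constructed for illustration, and the programname extraction is a simplification of what rsyslog does.

```shell
#!/bin/sh
# Added example: dry-run of the "User Slice" filter against sample syslog lines.
# Assumption: programname is the syslog tag up to the first "[" or ":".

# Substrings from the rule above, separated by "|" (trailing spaces matter).
PATS='Created slice User Slice of |Started Session |Reached target |Started User Manager for UID |Stopping User Manager for UID |Stopped target |Starting Exit the Session.|Removed slice User Slice of '

# Reads syslog lines on stdin and prints only those the rule would NOT stop.
filter_kept() {
    awk -v prog="systemd" -v pats="$PATS" '
    BEGIN { n = split(pats, p, "|") }
    {
        name = $5                      # tag, e.g. "systemd[1190]:"
        sub(/\[.*/, "", name)          # strip "[pid]:" if present
        sub(/:.*/, "", name)           # strip a bare ":" otherwise
        # Message text is everything after "<tag> ".
        msg = substr($0, index($0, $5) + length($5) + 1)
        drop = 0
        if (name == prog)
            for (i = 1; i <= n; i++)
                # index() is a literal substring test, like "contains".
                if (index(msg, p[i]) > 0) { drop = 1; break }
        if (!drop) print
    }'
}

# First seven lines come from the sample above; the cron line is constructed
# to show that a matching substring from another program is not dropped.
sample_lines() {
    cat <<'EOF'
Dec 10 03:00:56 HOST systemd[1]: Created slice User Slice of USERNAME.
Dec 10 03:00:56 HOST systemd[1]: Starting User Manager for UID 2556...
Dec 10 03:00:56 HOST systemd[1]: Started Session 4160929 of user USERNAME.
Dec 10 03:00:56 HOST systemd[1190]: Reached target Timers.
Dec 10 03:00:56 HOST systemd[1190]: Startup finished in 16ms.
Dec 10 03:00:57 HOST systemd[1190]: Starting Exit the Session...
Dec 10 03:00:57 HOST systemd[1]: Stopped User Manager for UID 2556.
Dec 10 03:00:57 HOST cron[2001]: Reached target of nightly job.
EOF
}

sample_lines | filter_kept
```

Running rsyslogd -N1 checks the syntax of the real configuration before the restart. A message that hits "stop" is discarded for every later action in the ruleset, including any remote forwarding configured after it.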

Here is another example that suppresses “Deprecated option” messages generated by the “sshd” service.

Create a new conf file:

vi /etc/rsyslog.d/ignore-sshd-deprecated-option.conf

Populate it with a sample of the output we intend to suppress and the associated rule:

# Dec 10 03:42:53 HOST sshd[16069]: rexec line 21: Deprecated option KeyRegenerationInterval
# Dec 10 03:42:53 HOST sshd[16069]: rexec line 22: Deprecated option ServerKeyBits
# Dec 10 03:42:53 HOST sshd[16069]: rexec line 34: Deprecated option RSAAuthentication
# Dec 10 03:42:53 HOST sshd[16069]: rexec line 41: Deprecated option RhostsRSAAuthentication
# Dec 10 03:42:53 HOST sshd[16069]: reprocess config line 34: Deprecated option RSAAuthentication
# Dec 10 03:42:53 HOST sshd[16069]: reprocess config line 41: Deprecated option RhostsRSAAuthentication

if $programname == "sshd" and ($msg contains "Deprecated option ") then stop

Then restart the rsyslogd service.

/etc/init.d/rsyslog restart

One thought on “Suppress GnuPG entries from systemd and gpg-agent flooding Debian daemon.log during SSH connection”

  1. Thank you for this post. It fixed my problems nicely, after much time spent searching for a solution to unwanted noise in my logfiles.
