Weblog entry #33 for Utumno

question about syslog
Posted by Utumno on Mon 17 Dec 2007 at 11:17
I have several cronjobs running every 5 minutes. Each cronjob pollutes auth.log with the following spam:

Dec 17 19:00:04 tajwan CRON[29249]: pam_unix(cron:session): session closed for user munin
Dec 17 19:05:01 tajwan CRON[29412]: pam_unix(cron:session): session opened for user munin by (uid=0)
Dec 17 19:05:04 tajwan CRON[29412]: pam_unix(cron:session): session closed for user munin
Dec 17 19:08:36 tajwan sshd[29580]: Accepted password for leszek from CE.N.SO.RED port 9883 ssh2
Dec 17 19:08:36 tajwan sshd[29584]: pam_unix(ssh:session): session opened for user leszek by (uid=0)
Dec 17 19:09:01 tajwan CRON[29622]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 17 19:09:01 tajwan CRON[29622]: pam_unix(cron:session): session closed for user root
Dec 17 19:09:03 tajwan su[29630]: Successful su for root by leszek
Dec 17 19:09:03 tajwan su[29630]: + pts/0 leszek:root
Dec 17 19:09:03 tajwan su[29630]: pam_unix(su:session): session opened for user root by leszek(uid=1000)
Dec 17 19:10:01 tajwan CRON[29638]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Dec 17 19:10:01 tajwan CRON[29640]: pam_unix(cron:session): session opened for user munin by (uid=0)
Dec 17 19:10:03 tajwan CRON[29638]: pam_unix(cron:session): session closed for user www-data
Dec 17 19:10:04 tajwan CRON[29640]: pam_unix(cron:session): session closed for user munin
Dec 17 19:15:01 tajwan CRON[29813]: pam_unix(cron:session): session opened for user munin by (uid=0)
Dec 17 19:15:05 tajwan CRON[29813]: pam_unix(cron:session): session closed for user munin

Here's the relevant line from /etc/syslog.conf:

auth,authpriv.*         /var/log/auth.log

I would like to adjust my syslog.conf and move the lines sent by CRON from auth.log to cron.log. How can I do it?

 

Comments on this Entry

Posted by mwr (24.158.xx.xx) on Mon 17 Dec 2007 at 15:00

With the setup you show, if cron (or any other program) logs with the auth or authpriv facility, it'll end up in auth.log. I don't think you can filter it otherwise with syslog, so you'd have to switch to something like syslog-ng. See here for a simple example of filtering one program's output differently than others.


Posted by endecotp (86.6.xx.xx) on Tue 18 Dec 2007 at 11:03
You might be able to adjust this from the PAM side, rather than the syslog side. Have a look at /etc/pam.d/cron. I was hoping to see a line in there, or one of the files that it includes, that explicitly does the logging and that you could remove; but it's not that simple. Perhaps the answer is in the PAM documentation somewhere.

Of course, disabling this will hide any evidence of e.g. a vulnerability in munin letting an attacker log in. Are you sure you want to do this?


Posted by mwr (24.158.xx.xx) on Tue 18 Dec 2007 at 14:31

Oh, and since I forgot about it previously, you probably want to install logcheck. I've got a few dozen systems all sending syslog to a central host, and this ensures I'm not deluged with emails about routine stuff. If you're working from a single host, it's even better, since lots of Debian packages add logcheck ignore files during installation.


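Added example (not part of the original thread or of any commenter's post): the logcheck approach from the last comment, applied to the auth.log excerpt in the question. The ignore rule, the file name mentioned in the comments and the final sshd line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): a logcheck-style ignore rule
# for the cron PAM session lines. logcheck reads extended regexes, one per
# line, from files such as /etc/logcheck/ignore.d.server/local-cron-session
# (hypothetical file name) and leaves matching lines out of its reports;
# the lines themselves stay in auth.log.

# Constructed rule: anchored at both ends and tied to the CRON program tag
# and the cron:session PAM service, so nothing else can match it.
CRON_PAM_RULE='^[[:alpha:]]{3} [ :[:digit:]]{11} [._[:alnum:]-]+ CRON\[[[:digit:]]+\]: pam_unix\(cron:session\): session (opened|closed) for user [[:alnum:]_-]+( by \(uid=[[:digit:]]+\))?$'

# Lines from the auth.log excerpt in the post, plus one constructed sshd
# line (the last) in which "CRON" appears only as an attempted user name.
sample_log() {
cat <<'EOF'
Dec 17 19:05:01 tajwan CRON[29412]: pam_unix(cron:session): session opened for user munin by (uid=0)
Dec 17 19:05:04 tajwan CRON[29412]: pam_unix(cron:session): session closed for user munin
Dec 17 19:08:36 tajwan sshd[29580]: Accepted password for leszek from CE.N.SO.RED port 9883 ssh2
Dec 17 19:08:36 tajwan sshd[29584]: pam_unix(ssh:session): session opened for user leszek by (uid=0)
Dec 17 19:09:01 tajwan CRON[29622]: pam_unix(cron:session): session opened for user root by (uid=0)
Dec 17 19:09:01 tajwan CRON[29622]: pam_unix(cron:session): session closed for user root
Dec 17 19:09:03 tajwan su[29630]: Successful su for root by leszek
Dec 17 19:09:03 tajwan su[29630]: pam_unix(su:session): session opened for user root by leszek(uid=1000)
Dec 17 19:10:01 tajwan CRON[29638]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Dec 17 19:10:03 tajwan CRON[29638]: pam_unix(cron:session): session closed for user www-data
Dec 17 19:11:00 tajwan sshd[29700]: Failed password for invalid user CRON from 192.0.2.10 port 4000 ssh2
EOF
}

# Lines a reviewer still sees once the anchored rule is applied.
remaining() { sample_log | grep -E -v -e "$CRON_PAM_RULE"; }

# Number of routine cron session lines the rule suppresses.
suppressed_count() { sample_log | grep -E -c -e "$CRON_PAM_RULE"; }

# For contrast: an unanchored "CRON" substring rule also hides the sshd
# failure, which is exactly the kind of evidence that should stay visible.
naive_remaining() { sample_log | grep -E -v -e 'CRON'; }

remaining
```

The sshd and su lines survive the anchored rule, so the login evidence raised in the second comment stays in the report while the cron session noise drops out.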