Don’t log cron events in auth.log

cron, logs, rsyslog

In my /etc/rsyslog.conf, I have the following line to log the auth facility into /var/log/auth.log:

auth,authpriv.*           /var/log/auth.log

but the file is flooded with cron logs, such as these:

CRON[18620]:  pam_unix(cron:session): session opened for user root by (uid=0)
CRON[18620]:  pam_unix(cron:session): session closed for user root

I would like to get rid of the cron logs, and only have real "auth" events being logged into that file. By that I mean, I want to see which users have logged into the system, or run su -.

How can I achieve that?

Best Answer

I believe this is what you are looking for:

:msg, contains, "pam_unix(cron:session)" ~
auth,authpriv.* /var/log/auth.log

The first line matches cron auth events, and deletes them. The second line then logs as per your rule, minus the previously deleted lines.
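
A dry run of the filter above, as an added example that is not part of the original answer: it applies the same substring test to lines in the traditional syslog file format and reports which programs would lose messages, so the rule can be checked against an existing auth.log before it is deployed. The sample lines, host name, users and function names are constructed for illustration.

```python
import re
from collections import Counter

# Substring used by the property filter in the answer above.
NEEDLE = "pam_unix(cron:session)"

# Traditional syslog file format: "Mon DD HH:MM:SS host tag[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$"
)

def dry_run(lines, needle=NEEDLE):
    """Split lines into (kept, dropped) as ':msg, contains, needle ~' would,
    and count the dropped lines per program name."""
    kept, dropped, by_prog = [], [], Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            kept.append(line)  # unparseable line: never report it as dropped
            continue
        if needle in m["msg"]:
            dropped.append(line)
            by_prog[m["prog"]] += 1
        else:
            kept.append(line)
    return kept, dropped, by_prog

def unexpected_programs(by_prog, expected=("CRON",)):
    """Programs other than cron whose lines the filter would also discard."""
    return sorted(p for p in by_prog if p not in expected)

# Constructed sample lines (host 'srv1', users, addresses and PIDs are made up).
SAMPLE = [
    "Mar  3 10:00:01 srv1 CRON[18620]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar  3 10:00:01 srv1 CRON[18620]: pam_unix(cron:session): session closed for user root",
    "Mar  3 10:02:11 srv1 sshd[1912]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
    "Mar  3 10:03:40 srv1 su[2001]: pam_unix(su-l:session): session opened for user root by alice(uid=1000)",
    "Mar  3 10:05:00 srv1 admin: testing the pam_unix(cron:session) filter",
]

if __name__ == "__main__":
    kept, dropped, by_prog = dry_run(SAMPLE)
    print(f"kept {len(kept)}, dropped {len(dropped)}: {dict(by_prog)}")
    print("non-cron programs affected:", unexpected_programs(by_prog))
```

Because the rule tests only the message text, any program other than CRON that appears in the report means the substring also removes lines you may want to keep on that host.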
