Hi folks, first of all i am sorry about my English.
I am running Apache 2 mod php5, it uses a cron job for cleaning sessions, ok. Also, Debian uses another one.

CRON[x]: pam_unix(cron:session): session opened for user root by (uid=0), flood my auth.log

I want to keep this pam-cron logs, but not in auth.log, i tried to making an rsyslog.d rule, but it does not work:

# vi auth-cron.conf
if $syslogfacility-text == 'auth' \
and $msg contains 'CRON*' then -/var/log/auth-cron.log
if $syslogfacility-text == 'authpriv' \
and $msg contains 'CRON*' then -/var/log/auth-cron2.log
& ~

I am very bad with scripting, and much more bad with rsyslog scripting...

Any help? Thanks

Rsyslog comes with way more options than stock syslogd and I'm sure I haven't tried all options so YMMV(VM). "cron" is a facility ('man 3 syslog') so I'd say either:
which limits filtering by looking at the syslog facility first and then the message string (no regexes allowed) or more generic:

Dec 3 15:17:01 xxx CRON[20671]: pam_unix(cron:session): session opened for user root by (uid=0)

it does not work, but thank you for your reply.
Maybe it is a auth facility? because it is pam module, who logs cron sessions? i don't know...

Crap.


If it would be the auth facility then that's something you could test yourself. (Do let us know.) It isn't about PAM IIRC but the *source* of the messages. And that would be cron...