LinuxQuestions.org
Old 08-01-2008, 04:08 PM   #1
andiramesh
LQ Newbie
 
Registered: Aug 2008
Posts: 4
Blog Entries: 1

Rep: Reputation: 0
User session opened and closed msg in /var/log/messages


Hi,
Due to one of our applications, the following messages are being logged frequently in /var/log/messages on my Linux server. I want to discard this particular message from /var/log/messages. Is it possible?
May 15 18:10:22 betaotuc su(pam_unix)[21589]: session closed for user htuser
May 15 18:11:16 betaotuc su(pam_unix)[22573]: session opened for user htuser by (uid=0)
May 15 18:11:22 betaotuc su(pam_unix)[22573]: session closed for user htuser
May 15 18:12:16 betaotuc su(pam_unix)[23574]: session opened for user htuser by (uid=0)
May 15 18:12:21 betaotuc su(pam_unix)[23574]: session closed for user htuser
May 15 18:13:16 betaotuc su(pam_unix)[24561]: session opened for user htuser by (uid=0)
May 15 18:13:22 betaotuc su(pam_unix)[24561]: session closed for user htuser
May 15 18:14:16 betaotuc su(pam_unix)[25554]: session opened for user htuser by (uid=0)


Please help me disable this error message logging.

Last edited by andiramesh; 08-01-2008 at 04:58 PM.
 
Old 08-01-2008, 08:32 PM   #2
taxtropel
Member
 
Registered: Mar 2005
Location: Cascade Mountains WA USA
Distribution: Linux From Scratch (LFS)
Posts: 149

Rep: Reputation: 16
It looks like you are letting the web server user run the application as root. This is a serious security problem and you should probably look at setting the application up differently rather than trying to omit the log entry.
 
Old 08-01-2008, 08:38 PM   #3
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 61
Show your /etc/syslog.conf file please.

This logging is controlled there.
 
Old 08-04-2008, 02:09 AM   #4
andiramesh
LQ Newbie
 
Registered: Aug 2008
Posts: 4
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Thanks for helping me. Please see the syslog.conf file below:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;cron.none;authpriv.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure

# Log all the mail messages in one place.
mail.* -/var/log/maillog


# Log cron stuff
cron.* /var/log/cron

# Everybody gets emergency messages
*.emerg *

# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler

# Save boot messages also to boot.log
local7.* /var/log/boot.log
 
Old 08-04-2008, 03:28 AM   #5
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 61
The pam messages you are interested in should be logged at authpriv.info, and your syslog.conf file indicates that those messages should *not* be output to /var/log/messages. And yet they appear. It may be that the messages are logged at auth.info instead on your system, so change the following lines in syslog.conf (changes marked in bold):

Code:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;cron.none;authpriv.none /var/log/messages

# The authpriv file has restricted access.
authpriv.* /var/log/secure
to

Code:
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;cron.none;authpriv.none;auth.none /var/log/messages

# The authpriv file has restricted access.
auth.*;authpriv.* /var/log/secure
and restart syslog as root (use sudo or whatever method you use to be root):

/etc/init.d/sysklogd restart

Your syslog startup script may have a different name, so look in /etc/init.d/ for scripts that are similarly named.

Then, try your su test again and see if the pam_unix messages appear in one of the /var/log/auth* logs, and not /var/log/messages.
 
Old 08-05-2008, 09:32 AM   #6
andiramesh
LQ Newbie
 
Registered: Aug 2008
Posts: 4
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Thank you Mr. C. Your suggestion worked for me. Thanks a lot for your help.
Now the session opened and closed messages are being logged in /var/log/secure, which is not disturbing us.
 
Old 08-05-2008, 12:25 PM   #7
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 61
Great, thanks for posting that the solution worked so others can resolve the issue too.
 
Old 09-04-2008, 11:03 PM   #8
idallen
LQ Newbie
 
Registered: Sep 2008
Location: Ottawa, CANADA
Distribution: Ubuntu
Posts: 2

Rep: Reputation: 0
Quote:
Originally Posted by Mr. C.
It may be that the messages are logged at auth.info instead on your system
You can find out exactly what level and priority are being logged
to syslog by adding a line similar to this to syslog.conf and
restarting/reloading syslog:

Code:
*.* @1.2.3.4
where IP address 1.2.3.4 is either some machine on your local network
such as your gateway/router (best) or some machine on a distant network.

This will redirect everything coming into syslog to that IP address, so
you can then use tcpdump (as root) to look at it as it leaves. (You don't
care if it arrives; you only want to see it leave.) I forwarded syslog
traffic back to my gateway router at 192.168.9.254 and dumped it:

Code:
*.* @192.168.9.254
Code:
# tcpdump -n -v -s 1500 -i eth0 host 192.168.9.254 and port 514
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
22:55:50.325483 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 90) 192.168.9.250.514 > 192.168.9.254.514: SYSLOG, length: 62
	Facility kernel (0), Severity info (6)
	Msg: kernel: [14957.892858] device eth0 entered promiscuous mode
22:55:50.325532 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 124) 192.168.9.250.514 > 192.168.9.254.514: SYSLOG, length: 96
	Facility kernel (0), Severity notice (5)
	Msg: kernel: [14957.892870] audit(1220583350.324:23): dev=eth0 prom=256 old_prom=0 auid=4294967295
22:56:01.769846 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 110) 192.168.9.250.514 > 192.168.9.254.514: SYSLOG, length: 82
	Facility authpriv (10), Severity info (6)
	Msg: CRON[3346]: pam_unix(cron:session): session opened for user idallen by (uid=0)
22:56:01.769918 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 111) 192.168.9.250.514 > 192.168.9.254.514: SYSLOG, length: 83
	Facility cron (9), Severity info (6)
	Msg: /USR/SBIN/CRON[3347]: (idallen) CMD (cd logs && $HOME/sh/doexpectspeedstats.sh)
...etc...
From the above, I can see that I need to ignore both authpriv.info and
cron.info to cut down on the CRON noise.
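Added example, not code from the thread or from any of its posters: the tcpdump output above shows each datagram's facility and severity, which tcpdump derives from the numeric PRI field (`<86>` = authpriv 10 * 8 + info 6). The block below decodes that field from raw datagrams and then evaluates the two syslog.conf variants from post #5 (the original, where the su lines still reached /var/log/messages, and the corrected one with `auth.none` / `auth.*`) to show where a given facility.severity would land. Selector semantics follow sysklogd's cfline(): a positive selector ORs priorities into a facility's mask, `none` clears it, and `!` / `!=` remove priorities. The two sample datagrams are constructed (an su line at auth.info, as post #5 hypothesised, and a cron/pam_unix line at authpriv.info as captured above). One caveat on the capture method itself: `*.* @host` forwards every line, including authpriv, in cleartext UDP, so remove that line once you have your answer.

```python
"""Decode syslog PRI values and evaluate sysklogd-style syslog.conf selectors.

Facility/severity numbering follows RFC 3164; selector semantics follow sysklogd.
Sample datagrams and configs below are constructed for illustration.
"""
import re

FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",      # no sysklogd keyword
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
FACILITY_NUM = {name: num for num, name in FACILITIES.items()}
FACILITY_NUM["security"] = 4                        # old sysklogd alias for auth
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEVERITY_NUM = {name: num for num, name in enumerate(SEVERITIES)}
SEVERITY_NUM.update({"panic": 0, "error": 3, "warn": 4})   # sysklogd aliases

PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)


def decode_pri(datagram: bytes):
    """Split a raw syslog datagram into (facility, severity, message).

    PRI = facility * 8 + severity, so <86> is authpriv.info and <38> is auth.info.
    """
    m = PRI_RE.match(datagram)
    if not m:
        raise ValueError("datagram has no <PRI> prefix")
    pri = int(m.group(1))
    if pri > 191:                                   # 23 * 8 + 7 is the maximum
        raise ValueError(f"PRI {pri} out of range")
    fac, sev = divmod(pri, 8)
    return FACILITIES[fac], SEVERITIES[sev], m.group(2).decode("utf-8", "replace")


def parse_conf(text: str):
    """Parse syslog.conf into [(action, {facility_num: set(severity_nums)})].

    Comments and blank lines are skipped.  Within one line, positive selectors OR
    severities into a facility's mask, 'none' clears it, '!prio' removes prio and
    more severe, '!=prio' removes exactly prio (sysklogd cfline() behaviour).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selectors, action = line.split(None, 1)
        masks = {num: set() for num in FACILITIES}
        for sel in selectors.split(";"):
            facs, prio = sel.rsplit(".", 1)
            targets = list(FACILITIES) if facs == "*" else [FACILITY_NUM[f] for f in facs.split(",")]
            negate = prio.startswith("!")
            prio = prio.lstrip("!")
            single = prio.startswith("=")
            prio = prio.lstrip("=")
            if prio == "none":
                wanted = set()
            elif prio == "*":
                wanted = set(range(8))
            elif single:
                wanted = {SEVERITY_NUM[prio]}
            else:
                wanted = set(range(SEVERITY_NUM[prio] + 1))   # that severity and more severe
            for f in targets:
                if prio == "none":
                    masks[f].clear()
                elif negate:
                    masks[f] -= wanted
                else:
                    masks[f] |= wanted
        rules.append((action.strip(), masks))
    return rules


def route(rules, facility: str, severity: str):
    """Return the actions (files, @hosts, '*') a facility.severity message hits, in file order."""
    fac, sev = FACILITY_NUM[facility], SEVERITY_NUM[severity]
    return [action for action, masks in rules if sev in masks[fac]]


# The original poster's config (post #4) reduced to its active lines ...
OLD_CONF = """\
*.info;mail.none;cron.none;authpriv.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
"""
# ... and the same config with the two changes suggested in post #5.
NEW_CONF = OLD_CONF.replace(
    "authpriv.none /var/log/messages", "authpriv.none;auth.none /var/log/messages"
).replace("authpriv.* /var/log/secure", "auth.*;authpriv.* /var/log/secure")

# Constructed datagrams: the su line from this thread if su logs at auth.info
# (PRI 4*8+6 = 38) and a cron/pam_unix line at authpriv.info (PRI 10*8+6 = 86).
SAMPLES = [
    b"<38>May 15 18:11:16 betaotuc su(pam_unix)[22573]: session opened for user htuser by (uid=0)",
    b"<86>Sep  4 22:56:01 host CRON[3346]: pam_unix(cron:session): session opened for user idallen by (uid=0)",
]


def classify(conf_text: str, datagrams=SAMPLES):
    """For each datagram, return ('facility.severity', [actions]) under the given config."""
    rules = parse_conf(conf_text)
    out = []
    for d in datagrams:
        fac, sev, _msg = decode_pri(d)
        out.append((f"{fac}.{sev}", route(rules, fac, sev)))
    return out


if __name__ == "__main__":
    for name, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        for selector, actions in classify(conf):
            print(f"{name}: {selector:14} -> {actions}")
```

Under the old config the auth.info su line hits only /var/log/messages (the `*.info` catch-all, which excludes authpriv but not auth); under the new config it hits only /var/log/secure, which is exactly the behaviour the original poster reported after the change. The authpriv.info cron line lands in /var/log/secure under both.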
 
Old 09-04-2008, 11:41 PM   #9
Mr. C.
Senior Member
 
Registered: Jun 2008
Posts: 2,529

Rep: Reputation: 61
Or you can either attach a debugger to the running process, placing a breakpoint at syslog, and examine the arguments passed, or connect to it with strace -p PID and watch for syslog calls. Either of these is trivial to do.
 
Old 09-05-2008, 06:47 AM   #10
andiramesh
LQ Newbie
 
Registered: Aug 2008
Posts: 4
Blog Entries: 1

Original Poster
Rep: Reputation: 0
Thank you so much Mr. C. The information is very useful for us.
 