LinuxQuestions.org
Old 05-04-2016, 02:43 PM   #1
Rtwo
LQ Newbie
 
Registered: May 2016
Posts: 12

Rep: Reputation: Disabled
can I increase the time for the entries of auth.log?


This post is somewhat similar to another post here, but mine is rather specific: CRON: pam_unix(cron:session): session opened for user root by (uid=0)

Is this really a bug? In our system this process is creating entries every 5 minutes, making the log backup guys' life very hard. Lots and lots of entries are being stored on the disk.

As per the following links, do we need to fix this issue, or can we at least increase the time of listing between the entries?

https://bugs.debian.org/cgi-bin/bugr...cgi?bug=293272
http://languor.us/cron-pam-unix-cron...user-root-uid0


Can I at least reduce the time between entries? For my server it's currently 1 pair of entries every 5 minutes. Say I've increased the time to 30 minutes, would I miss any login attempt (legit and not hacking both)?
 
Old 05-04-2016, 11:11 PM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,295
Blog Entries: 3

Rep: Reputation: 3719
You can always reduce the noise by filtering with "grep" or "awk" first.

Code:
grep -v CRON /var/log/syslog | grep 'something'
or

Code:
awk '$5 !~ /CRON/' /var/log/syslog | grep 'something'
Which distro and which version of it are you working with?
 
Old 05-05-2016, 04:29 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by Rtwo View Post
Is this really a bug?
Why would it be? You (the system) ask cron to perform a job and it does just that...


Quote:
Originally Posted by Rtwo View Post
In our system this process is creating entries every 5 minutes, making the log backup guys' life very hard. Lots and lots of entries are being stored on the disk.
I don't understand why that would be a problem unless you are short on disk space or don't logrotate often enough or don't filter before you process (like Turbocapitalist hints at)?


Quote:
Originally Posted by Rtwo View Post
As per the following links, do we need to fix this issue, or can we at least increase the time of listing between the entries?
I'd say for most people this probably wouldn't count as an "issue", and increasing the time between log entries means increasing the time between cron job runs. Post #36 explains how to get rid of things. Have you tried that? (Another way could be to make Rsyslogd (or Syslog-NG) filter before log entries get committed to file.)


Quote:
Originally Posted by Rtwo View Post
would I miss any login attempt (legit and not hacking both)?
This login is a consequence of what cron does, so it's logged under its own facility, it's not a regular user login process?..


*BTW please don't necropost (revive ancient threads).

Last edited by unSpawn; 05-05-2016 at 04:32 AM. Reason: //Added mod nudge
 
Old 05-05-2016, 07:27 AM   #4
Rtwo
LQ Newbie
 
Registered: May 2016
Posts: 12

Original Poster
Rep: Reputation: Disabled
Turbocapitalist,

My version is Debian Wheezy 7 n l . 7.10
"You can always reduce the noise by filtering with 'grep' or 'awk' first." Please elaborate, what is noise, what does reducing it mean? I don't know much about Linux.

unSpawn,

I don't want to have no entries in auth.log; rather, I want entries to be made every 30 minutes instead of every 5-10 minutes. The condition must be that no login attempt is missed from being added there. I guess the solutions in the Red Hat and Debian bugs are only to stop having any entry in that auth.log file. From the security point of view, that is not recommended.

This is why it's never recommended to Disable/Quiet the entries
----------------------------------------------------------------
http://forum.configserver.com/viewtopic.php?t=6087

Correct me if I am wrong.
Thank you all for your posts. They help a lot.

Last edited by Rtwo; 05-05-2016 at 07:30 AM.
 
Old 05-05-2016, 07:45 AM   #5
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,295
Blog Entries: 3

Rep: Reputation: 3719
If you're looking through a log file on a system running Wheezy, then you can select what you see based on a pattern rather than having to wade through everything that is there. Since you do not want to look at cron entries, you could use one of the examples I showed above to hide the cron entries. Look at the manual page for grep as well as a tutorial or two to get the idea of what it can do, but in a few words, it prints (or hides) lines from a file that match a pattern that you specify.

So if you view the log file with "less", you will see everything including the CRON entries:

Code:
less /var/log/syslog
But if you want to hide the CRON entries so you can focus on what else is going on, then you can use grep. The -v option with grep hides lines that match the pattern. In this case the pattern would be the string "CRON" anywhere on the line:

Code:
grep -v CRON /var/log/syslog | less
If you want to get fancier, there is awk, which is a simple pattern scanning and processing scripting language. Getting familiar with grep is something I would say is essential for administration. And getting at least some familiarity with awk will pay off, too. For more complex activities, there is perl, a much more advanced pattern scanning and processing scripting language.

But for now, I'd recommend trying grep a little to work with the log files.
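The filtering discussed in posts #2, #3 and #5, as an added example that is not part of any original post: it separates cron's PAM session lines from the rest of an auth.log-style stream so that sshd and sudo events stay visible, and summarises which accounts cron opened sessions for. The sample lines, host name, users and addresses are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample in auth.log's syslog format (hosts, users and IPs are placeholders).
sample_auth_log() {
cat <<'EOF'
May  5 07:05:01 web1 CRON[4101]: pam_unix(cron:session): session opened for user root by (uid=0)
May  5 07:05:01 web1 CRON[4101]: pam_unix(cron:session): session closed for user root
May  5 07:06:12 web1 sshd[4120]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
May  5 07:07:40 web1 sshd[4133]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
May  5 07:08:03 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
May  5 07:10:01 web1 CRON[4150]: pam_unix(cron:session): session opened for user www-data by (uid=0)
May  5 07:10:01 web1 CRON[4150]: pam_unix(cron:session): session closed for user www-data
EOF
}

# Drop cron's PAM session lines; field 5 is the "program[pid]:" tag.
without_cron() { awk '$5 !~ /^CRON\[/'; }

# Lines per program, to see how much of the file is cron.
count_by_program() {
  awk '{ p = $5; sub(/\[.*/, "", p); sub(/:$/, "", p); n[p]++ }
       END { for (p in n) print p, n[p] }' | sort
}

# Which accounts cron opened sessions for, rather than discarding those lines unread.
cron_session_users() {
  awk '$5 ~ /^CRON\[/ && /session opened for user/ { u[$11]++ }
       END { for (x in u) print x, u[x] }' | sort
}

echo "== lines per program ==";      sample_auth_log | count_by_program
echo "== cron sessions by user ==";  sample_auth_log | cron_session_users
echo "== everything except cron =="; sample_auth_log | without_cron
```

Each function reads standard input, so on a real system the same pipeline can be fed with `cat /var/log/auth.log` in place of `sample_auth_log`.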
 
Old 05-05-2016, 08:47 AM   #6
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Quote:
Originally Posted by Rtwo View Post
This post is somewhat similar to another post here, but mine is rather specific: CRON: pam_unix(cron:session): session opened for user root by (uid=0)

Is this really a bug? In our system this process is creating entries every 5 minutes, making the log backup guys' life very hard. Lots and lots of entries are being stored on the disk.

As per the following links, do we need to fix this issue, or can we at least increase the time of listing between the entries?

https://bugs.debian.org/cgi-bin/bugr...cgi?bug=293272
http://languor.us/cron-pam-unix-cron...user-root-uid0

Can I at least reduce the time between entries? For my server it's currently 1 pair of entries every 5 minutes. Say I've increased the time to 30 minutes, would I miss any login attempt (legit and not hacking both)?
If it were me, I'd be looking for the cron that runs every 5 minutes.
Then start making sweeping declarations about 'bugs'.
 
Old 05-05-2016, 10:04 AM   #7
Rtwo
LQ Newbie
 
Registered: May 2016
Posts: 12

Original Poster
Rep: Reputation: Disabled
Buds

I am not worried about what I can/don't want to see. I want to give my backup guys some respite. The Linux box we have is listing a lotttt of entries in that auth.log file. After reaching 6KB-30KB in size, it compresses the entries and creates files named auth.log.1.gz, auth.log.2.gz, auth.log.3.gz and so on. As we have more logins, we have more of these files in the /var/log/ directory. Backing up these files is troublesome for the backup guys. So I want these files to take more time to be created. Say one of these .gz files is now being created every 1 day, I want them to be created every 2-3 days.

I hope that clarified my problem.
 
Old 05-05-2016, 10:47 AM   #8
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,295
Blog Entries: 3

Rep: Reputation: 3719
Quote:
Originally Posted by Rtwo View Post
As we have more logins, we have more of these files in the /var/log/ directory. Backing up these files is troublesome for the backup guys. So I want these files to take more time to be created. Say one of these .gz files is now being created every 1 day, I want them to be created every 2-3 days.
That can be tuned in logrotate. See the manual page for logrotate.conf for all the specifics, but the settings you are looking to change can be found in /etc/logrotate.d/rsyslog in the stanza for /var/log/auth. Probably, if you have the defaults, that is lumped in with /var/log/messages and you will need to split it out into its own stanza. There the frequency of the rotations or the triggering size of the file can be set.
 
1 members found this post helpful.
Old 05-05-2016, 03:22 PM   #9
Rtwo
LQ Newbie
 
Registered: May 2016
Posts: 12

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist View Post
That can be tuned in logrotate. See the manual page for logrotate.conf for all the specifics, but the settings you are looking to change can be found in /etc/logrotate.d/rsyslog in the stanza for /var/log/auth. Probably, if you have the defaults, that is lumped in with /var/log/messages and you will need to split it out into its own stanza. There the frequency of the rotations or the triggering size of the file can be set.
Seems like logrotate is already working on my box; if it hadn't, then I'd not see the .gz files of that auth.log file.

Now the question is, if I go on with this solution, would the entries still be made and, upon reaching a certain file size of auth.log, would the file create a tar.gz file?
 
Old 05-14-2016, 02:55 AM   #10
MadeInGermany
Senior Member
 
Registered: Dec 2011
Location: Simplicity
Posts: 2,781

Rep: Reputation: 1199
You change the syslog file in /etc/logrotate.d/ with a text editor.
You can decrease the number of the .gz files by putting a lower number for "rotate". You can effectively decrease the frequency of the .gz file creation by changing to (or adding) an increased "minsize".
Example:
Code:
rotate 5
minsize 1M
See the man page for all details:
Code:
man logrotate
Attention: all files in /etc/logrotate.d/ are valid for logrotate. Some text editors leave a backup file of the original - delete it.
 
1 members found this post helpful.
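A pre-flight check for the edit described in posts #8 and #10, as an added example that is not from the thread: once auth.log gets its own stanza it must be named only once across the files logrotate reads, otherwise logrotate reports a duplicate log entry. The function names, the `rsyslog.orig` copy and the stanza contents (beyond the `rotate 5` and `minsize 1M` shown above) are constructed for illustration.

```sh
#!/bin/sh
# Count how often LOG is named in a stanza header in each file of DIR.
# Limit of this sketch: literal paths only, no glob patterns such as /var/log/*.log.
stanza_hits() {   # usage: stanza_hits LOG DIR
  for f in "$2"/*; do
    [ -f "$f" ] || continue
    awk -v target="$1" -v name="$f" '
      /^[ \t]*#/ { next }                    # comment line
      {
        line = $0
        if (depth == 0) {                    # outside { }: a stanza header
          hdr = line; sub(/[{].*/, "", hdr)
          n = split(hdr, w)                  # split on runs of whitespace
          for (i = 1; i <= n; i++) if (w[i] == target) hits++
        }
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
      }
      END { if (hits) print hits, name }' "$f"
  done
}

# Constructed layout: auth.log split into its own stanza in "rsyslog",
# while a leftover copy "rsyslog.orig" still carries the old shared stanza.
demo_dir() {
  d=$(mktemp -d)
  printf '%s\n' '/var/log/auth.log' '{' ' weekly' ' rotate 5' ' minsize 1M' ' compress' '}' \
                '/var/log/messages' '{' ' weekly' ' rotate 4' ' compress' '}' > "$d/rsyslog"
  printf '%s\n' '/var/log/auth.log' '/var/log/messages' '{' ' weekly' ' rotate 4' '}' > "$d/rsyslog.orig"
  printf '%s\n' "$d"
}

dir=$(demo_dir)
stanza_hits /var/log/auth.log "$dir"   # two files listed: the log is defined twice
rm -r "$dir"
```

On a real system, point it at `/etc/logrotate.d`, then run `logrotate -d /etc/logrotate.conf` for a dry run that changes nothing.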
  


Tags
cron, debian, linux


