can I increase the time for the entries of auth.log?
This post is somewhat similar to another post here but mine is rather specific. CRON: pam_unix(cron:session): session opened for user root by (uid=0)
Is this really a bug? In our system this process is creating entries every 5 minutes, making the log backup guys' life very hard. Lots and lots of entries are being stored on the disk.
As per the following links, do we need to fix this issue or can we at least increase the time of listing between the entries?
Can I at least reduce the time between entries? For my server currently it's 1 pair of entries every 5 minutes. Say I've increased the time to 30 minutes, would I miss any login attempt (legit and not hacking both)?
Why would it be? You (the system) ask cron to perform a job and it does just that...
Quote:
Originally Posted by Rtwo
In our system this process is creating entries every 5 minutes, making the log backup guys' life very hard. Lots and lots of entries are being stored on the disk.
I don't understand why that would be a problem unless you are short on disk space or don't logrotate often enough or don't filter before you process (like Turbocapitalist hints at)?
Quote:
Originally Posted by Rtwo
as per the following links, do we need to fix this issue or can we at least increase the time of listing between the entries?
I'd say for most people this probably wouldn't count as an "issue" and increasing the time between log entries means increasing the time between cron job runs. Post #36 explains how to get rid of things. Have you tried that? (Another way could be to make Rsyslogd (or Syslog-NG) filter before log entries get committed to file.)
Quote:
Originally Posted by Rtwo
would I miss any login attempt(legit and not hacking both) ?
This login is a consequence of what cron does so it's logged under its own facility, it's not a regular user login process?..
*BTW please don't necropost (revive ancient threads).
Last edited by unSpawn; 05-05-2016 at 04:32 AM.
Reason: //Added mod nudge
My version is Debian Wheezy 7 n l . 7.10
"You can always reduce the noise by filtering with "grep" or "awk" first." Please elaborate, what is noise, what does reducing it mean? I don't know much about Linux.
unSpawn,
I don't want to have no entries in auth.log, rather I want entries to be made every 30 minutes instead of 5-10 minutes. The condition must be that no login attempt is missed from being added there. I guess the solutions in the Red Hat and Debian bugs are only to stop having any entry in that auth.log file. From the security point of view it is not recommended.
If you're looking through a log file on a system running Wheezy, then you can select what you see based on a pattern rather than having to wade through everything that is there. Since you do not want to look at cron entries, you could use one of the examples I showed above to hide the cron entries. Look at the manual page for grep as well as a tutorial or two to get the idea of what it can do, but in a few words it prints (or hides) lines from a file that match a pattern that you specify.
So if you view the log file with "less", you will see everything including the CRON entries:
Code:
less /var/log/syslog
But if you want to hide the CRON entries so you can focus on what else is going on, then you can use grep. The -v option with grep hides lines that match the pattern. In this case the pattern would be the string "CRON" anywhere on the line:
Code:
grep -v CRON /var/log/syslog | less
If you want to get fancier, there is awk, which is a simple pattern scanning and processing scripting language. Getting familiar with grep is something I would say is essential for administration. And getting at least some familiarity with awk will pay off, too. For more complex activities, there is perl, a much more advanced pattern scanning and processing scripting language.
But for now, I'd recommend trying grep a little to work with the log files.
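As an added example (not part of the posts above), the same grep approach narrowed to cron's PAM session records in auth.log, so that sshd and su records stay visible, plus a count of how much of the file those cron records make up. The log lines, host name, user names and addresses are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in Debian auth.log format (hosts, users and IPs are made up).
make_sample_log() {
    cat <<'EOF'
May  5 04:05:01 host CRON[2101]: pam_unix(cron:session): session opened for user root by (uid=0)
May  5 04:05:01 host CRON[2101]: pam_unix(cron:session): session closed for user root
May  5 04:07:13 host sshd[2150]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
May  5 04:08:40 host sshd[2163]: Accepted password for rtwo from 192.0.2.20 port 40022 ssh2
May  5 04:08:40 host sshd[2163]: pam_unix(sshd:session): session opened for user rtwo by (uid=0)
May  5 04:09:02 host su[2170]: pam_unix(su:session): session opened for user root by rtwo(uid=1000)
May  5 04:10:01 host CRON[2188]: pam_unix(cron:session): session opened for user root by (uid=0)
May  5 04:10:01 host CRON[2188]: pam_unix(cron:session): session closed for user root
EOF
}

# Hide only cron's PAM session records. -F treats the pattern as a literal
# string, so the parentheses need no escaping.
auth_without_cron() {
    grep -vF 'pam_unix(cron:session)' "$1"
}

# Print "<cron session lines> <total lines>": how much of the file is cron.
cron_noise_stats() {
    awk '/pam_unix\(cron:session\)/ { c++ } END { print c + 0, NR }' "$1"
}

# Count records per program (field 5 with the "[pid]:" suffix stripped).
events_by_program() {
    awk '{ p = $5; sub(/\[.*/, "", p); sub(/:$/, "", p); n[p]++ }
         END { for (p in n) print n[p], p }' "$1" | sort -k2
}

log=$(mktemp)
make_sample_log > "$log"
cron_noise_stats "$log"     # cron session lines vs. total lines
events_by_program "$log"    # what else is being logged
auth_without_cron "$log"    # the view with cron sessions hidden
rm -f "$log"
```

Filtering this way only changes what is displayed; every record stays in the file on disk.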
If it were me, I'd be looking for the cron that runs every 5 minutes.
Then start making sweeping declarations about 'bugs'.
I am not worried about what I can/don't want to see. I want to give my backup guys some respite. The Linux box we have is listing a lot of entries in that auth.log file. After reaching 6KB-30KB in size, it compresses the entries and creates files named auth.log.1.gz, auth.log.2.gz, auth.log.3.gz and so on. As we have more logins, we have more of these files in the /var/log/ directory. Backing up these files is troublesome for the backup guys. So I want these files to be created taking more time. Say if one of these .gz files is now being created every 1 day, I want them to be created every 2-3 days.
That can be tuned in logrotate. See the manual page for logrotate.conf for all the specifics, but the settings you are looking to change can be found in /etc/logrotate.d/rsyslog in the stanza for /var/log/auth. Probably, if you have the defaults, that is lumped in with /var/log/messages and you will need to split it out into its own stanza. There the frequency of the rotations or the triggering size of the file can be set.
Seems like logrotate is already working in my box; if it hadn't then I'd not see the .gz files of that auth.log file.
Now the question is, if I go on with this solution, would the entries still be made and, upon reaching a certain file size of auth.log, would the file create a tar.gz file?
You change the syslog file in /etc/logrotate.d/ with a text editor.
You can decrease the number of the .gz files by putting a lower number for "rotate". You can effectively decrease the frequency of the .gz file creation by changing to (or adding) an increased "minsize".
Example:
Code:
rotate 5
minsize 1M
See the man page for all details
Code:
man logrotate
Attention: all files in /etc/logrotate.d/ are valid for logrotate. Some text editors leave a backup file of the original - delete it.