Understanding auth.log
Hi, I have the auth.log given below and I do not understand most of it. I googled around for a while to understand the cron:sessions happening regularly but I could not find anything useful. Also the successful su for www-data is another thing. If anybody could explain what is causing these it would be great. By the way I was sleeping while this auth.log is occurring so I did not get online. Thank you...
P.S.: I am using debian lenny. Installed a couple of weeks ago...

Jan 9 06:09:01 hdd CRON[2116]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:09:01 hdd CRON[2116]: pam_unix(cron:session): session closed for user root
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session closed for user root
Jan 9 06:25:01 hdd CRON[2132]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:25:03 hdd su[2147]: Successful su for www-data by root
Jan 9 06:25:03 hdd su[2147]: + ??? root:www-data
Jan 9 06:25:03 hdd su[2147]: pam_unix(su:session): session opened for user www-data by (uid=0)
Jan 9 06:25:03 hdd su[2147]: pam_unix(su:session): session closed for user www-data
Jan 9 06:25:03 hdd su[2151]: Successful su for www-data by root
Jan 9 06:25:03 hdd su[2151]: + ??? root:www-data
Jan 9 06:25:03 hdd su[2151]: pam_unix(su:session): session opened for user www-data by (uid=0)
Jan 9 06:25:04 hdd su[2151]: pam_unix(su:session): session closed for user www-data
Jan 9 06:26:02 hdd CRON[2132]: pam_unix(cron:session): session closed for user root |
Well, the CRON lines are for a cron job that runs as root.
The "su" lines are when a user needs to do something as another user. Here, it appears that root's cron that executed at Jan 9 06:25:01 had to do some stuff with apache (so it does it as the 'www-data' user to be safe).... Notice the 06:25:01 CRON entry says "session opened for root" then a bunch of other "su" stuff, then @ 06:26:02 you see another CRON entry with "session closed for root"... So all that was what happened in root's cron. In other words, nothing to worry about. ;) |
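The bracketing described in the reply above can be checked mechanically. The following is an added example, not part of the original thread: it walks auth.log lines in order, tracks which CRON sessions are open, and sorts each "Successful su" event by whether a cron session was open when it was logged. The function name `correlate_su` is hypothetical, and the sample is a subset of the lines posted above.

```python
import re

# Subset of the log lines posted in this thread (the 06:17 and 06:25 cron runs).
SAMPLE = """\
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:17:01 hdd CRON[2127]: pam_unix(cron:session): session closed for user root
Jan 9 06:25:01 hdd CRON[2132]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 9 06:25:03 hdd su[2147]: Successful su for www-data by root
Jan 9 06:25:03 hdd su[2147]: pam_unix(su:session): session opened for user www-data by (uid=0)
Jan 9 06:25:03 hdd su[2147]: pam_unix(su:session): session closed for user www-data
Jan 9 06:25:03 hdd su[2151]: Successful su for www-data by root
Jan 9 06:26:02 hdd CRON[2132]: pam_unix(cron:session): session closed for user root
"""

# timestamp, host (ignored), program, pid, message
LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+(\w+)\[(\d+)\]:\s+(.*)$")
SU_OK = re.compile(r"^Successful su for (\S+) by (\S+)$")

def correlate_su(log_text):
    """Return (inside, outside): su events logged while a cron session was open, and the rest."""
    open_cron = {}  # CRON pid -> timestamp at which its session opened
    inside, outside = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a syslog-style line
        ts, prog, pid, msg = m.groups()
        if prog == "CRON" and "session opened" in msg:
            open_cron[pid] = ts
        elif prog == "CRON" and "session closed" in msg:
            open_cron.pop(pid, None)
        elif prog == "su" and (su := SU_OK.match(msg)):
            event = {"time": ts, "su_pid": pid, "target": su.group(1),
                     "by": su.group(2), "cron_pids": sorted(open_cron)}
            (inside if open_cron else outside).append(event)
    return inside, outside

if __name__ == "__main__":
    inside, outside = correlate_su(SAMPLE)
    for e in inside:
        print(f"{e['time']} su[{e['su_pid']}] {e['by']}->{e['target']} during CRON{e['cron_pids']}")
    for e in outside:
        print(f"{e['time']} su[{e['su_pid']}] {e['by']}->{e['target']} no cron session open: review")
```

This is a log-order heuristic: an su that overlaps a cron session is consistent with a cron job but not proof of it, and an su outside any cron session is a prompt to look at who was logged in, not a finding by itself.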
The auth.log messages are normal and created by the pam module.
It would seem you have a cron job running under the 'www-data' userid. Check the system and www-data user cron jobs to determine what's running:
sudo crontab -u www-data -l
sudo cat /etc/crontab |
# crontab -u www-data -l
says no crontab for www-data. Isn't that weird?? Actually my root device is a USB disk and I do not want those regular messages to appear. I do not want my USB disk to wear out soon. Any advice to prevent those messages? |
#17 * * * * root cd / && run-parts --report /etc/cron.hourly
#25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
#47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
#52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --repo$
I commented those lines. I think this will disable the messages happening again. Is that ok what I do in here? |
cron jobs also live in /etc/cron.* Do you have apache running ? |