How to stop crond logging to syslog -- success!

Ian P. Thomas ipt at scraemon.org
Sat Feb 26 18:08:22 UTC 2005


On Sat, 2005-02-26 at 12:14 -0500, Matthew Miller wrote:
> On Sat, Feb 26, 2005 at 12:33:42AM -0600, Jess Anderson wrote:
> > Here's the substance:
> > In /etc/syslog.conf, there's a line that reads
> > *.info;mail.none;authpriv.none;cron.none /var/log/messages
> > Changing that to
> > *.info;auth.none;mail.none;authpriv.none;cron.none /var/log/messages
> > and restarting syslogd (kill -SIGHUP <pid of running syslogd>)
> > stops logging of the crond(pam_unix) items to syslog.
> > Ian mentions that this may also stop important auth messages,
> > in which case changing the priority level might be necessary.
> 
> Yes. You're covering up the symptom (auth messages are being logged) without
> solving the problem (cron/pam generating too many auth messages which aren't
> very interesting). Meanwhile, since by definition auth messages are some of
> the most important security events, you've significantly decreased the value
> of your logs.

I would say that certain 'auth' messages assigned certain priorities may
have been important depending on what the machine was being used for and
the software installed on it.  'auth' has been deprecated in favor of
'authpriv', which is accounted for in the default 'syslog.conf' file.
From the syslog man page in section 3:

LOG_AUTH
   security/authorization messages (DEPRECATED Use LOG_AUTHPRIV instead)

LOG_AUTHPRIV
   security/authorization messages (private)

Some legacy applications, or even new applications, may have been
mistakenly set up to log to 'auth' instead of 'authpriv'.  However, the
applications running on my machine, in which monitoring authentication
attempts is useful, use 'authpriv'.  The user would have to do the same
assessment in order to make an informed choice about whether or not
ignoring all 'auth' messages would in any way lessen the value of their
logs.  

As to the cause of the numerous crond/pam messages showing up using the
'auth' facility which seem to occur every 5 minutes, I don't know the
source.


Ian
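
An added example, not part of the original message and not syslogd's own code: a simplified Python model of the selector field that lists which messages stop reaching /var/log/messages after the change quoted above. It handles only `*`, named facilities, plain priorities and `none`, assumes a later selector replaces an earlier one for the same facility, and uses constructed sample messages (the tags `legacy-app`, `sshd` and `ntpd` are illustrative).

```python
# Simplified model of a syslog.conf selector field (added example).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]

def parse_selectors(field):
    """Map each facility to the least severe priority index logged, or None."""
    table = {f: None for f in FACILITIES}
    for selector in field.split(";"):
        facs, _, prio = selector.strip().partition(".")
        names = FACILITIES if facs == "*" else facs.split(",")
        for name in names:
            if name not in table:
                raise ValueError(f"unknown facility: {name}")
            # Assumption: a later selector replaces the earlier setting.
            table[name] = None if prio == "none" else PRIORITIES.index(prio)
    return table

def is_logged(field, facility, priority):
    """True if a message at facility.priority matches the selector field."""
    threshold = parse_selectors(field)[facility]
    return threshold is not None and PRIORITIES.index(priority) <= threshold

def lost_by_change(old, new, messages):
    """Messages the old selector line logged that the new one drops."""
    return [m for m in messages
            if is_logged(old, m[0], m[1]) and not is_logged(new, m[0], m[1])]

OLD = "*.info;mail.none;authpriv.none;cron.none"
NEW = "*.info;auth.none;mail.none;authpriv.none;cron.none"

# Constructed sample messages: (facility, priority, tag, text)
SAMPLES = [
    ("auth", "info", "crond(pam_unix)", "session opened for user root by (uid=0)"),
    ("auth", "info", "crond(pam_unix)", "session closed for user root"),
    ("auth", "err", "legacy-app", "authentication failure for user alice"),
    ("authpriv", "notice", "sshd", "Accepted password for alice"),
    ("daemon", "info", "ntpd", "time synchronized"),
    ("cron", "info", "crond", "job started"),
]

if __name__ == "__main__":
    for fac, prio, tag, text in lost_by_change(OLD, NEW, SAMPLES):
        print(f"no longer in /var/log/messages: {fac}.{prio} {tag}: {text}")
```

Replacing SAMPLES with facility/priority pairs observed on the machine in question gives the assessment described above: anything still logging to 'auth' at any priority is dropped along with the crond(pam_unix) lines.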

 



