On Sat, 2005-02-26 at 12:14 -0500, Matthew Miller wrote:
> On Sat, Feb 26, 2005 at 12:33:42AM -0600, Jess Anderson wrote:
> > Here's the substance:
> >
> > In /etc/syslog.conf, there's a line that reads
> >
> > *.info;mail.none;authpriv.none;cron.none /var/log/messages
> >
> > Changing that to
> >
> > *.info;auth.none;mail.none;authpriv.none;cron.none /var/log/messages
> >
> > and restarting syslogd (kill -SIGHUP <pid of running syslogd>)
> > stops logging of the crond(pam_unix) items to syslog.
> >
> > Ian mentions that this may also stop important auth messages,
> > in which case changing the priority level might be necessary.
>
> Yes. You're covering up the symptom (auth messages are being logged) without
> solving the problem (cron/pam generating too many auth messages which aren't
> very interesting). Meanwhile, since by definition auth messages are some of
> the most important security events, you've significantly decreased the value
> of your logs.

I would say that certain 'auth' messages assigned certain priorities may have
been important depending on what the machine was being used for and the
software installed on it. 'auth' has been deprecated in favor of 'authpriv',
which is accounted for in the default 'syslog.conf' file.

From the syslog man page in section 3:

    LOG_AUTH      security/authorization messages (DEPRECATED Use LOG_AUTHPRIV instead)
    LOG_AUTHPRIV  security/authorization messages (private)

Some legacy applications, or even new applications, may have been mistakenly
set up to log to 'auth' instead of 'authpriv'. However, the applications
running on my machine, in which monitoring authentication attempts is useful,
use 'authpriv'. The user would have to do the same assessment in order to make
an informed choice about whether or not ignoring all 'auth' messages would in
any way lessen the value of their logs.

As to the cause of the numerous crond/pam messages showing up using the 'auth'
facility which seem to occur every 5 minutes, I don't know the source.

Ian
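
Added example, not part of the original thread or written by its participants: a small model of sysklogd-style selector matching that compares the two selector fields quoted above and lists which facility/priority pairs stop reaching /var/log/messages. It assumes the selector semantics documented in syslog.conf(5) (a priority matches that level and higher, `none` clears a facility, later selectors override earlier ones); the function names are hypothetical.

```python
# Added example: models syslog.conf selector matching as a per-facility bitmask.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
ALL = (1 << len(PRIORITIES)) - 1

# Selector fields copied from the thread (both write to /var/log/messages).
ORIGINAL = "*.info;mail.none;authpriv.none;cron.none"
MODIFIED = "*.info;auth.none;mail.none;authpriv.none;cron.none"


def compile_selector(field):
    """Return {facility: priority bitmask}; later selectors override earlier ones."""
    masks = dict.fromkeys(FACILITIES, 0)
    for selector in field.split(";"):
        facs, _, prio = selector.partition(".")
        negate = prio.startswith("!")        # "!" inverts the match
        prio = prio.lstrip("!")
        exact = prio.startswith("=")         # "=" matches one level only
        prio = prio.lstrip("=")
        targets = FACILITIES if "*" in facs.split(",") else facs.split(",")
        for fac in targets:
            if fac not in masks:
                raise ValueError(f"unknown facility {fac!r}")
            if prio == "none":
                masks[fac] = ALL if negate else 0
                continue
            if prio == "*":
                bits = ALL
            else:
                idx = PRIORITIES.index(prio)  # ValueError on unknown priority
                bits = 1 << idx if exact else (1 << (idx + 1)) - 1
            masks[fac] = masks[fac] & ~bits if negate else masks[fac] | bits
    return masks


def logged(masks, facility, priority):
    """True if a message with this facility and priority matches the selector."""
    return bool(masks[facility] >> PRIORITIES.index(priority) & 1)


def lost(old_field, new_field):
    """(facility, priority) pairs written under old_field but dropped under new_field."""
    old, new = compile_selector(old_field), compile_selector(new_field)
    return [(f, p) for f in FACILITIES for p in PRIORITIES
            if logged(old, f, p) and not logged(new, f, p)]


if __name__ == "__main__":
    for fac, prio in lost(ORIGINAL, MODIFIED):
        print(f"no longer in /var/log/messages: {fac}.{prio}")
```

Running it shows that the modified line drops every 'auth' priority from info up to emerg, while 'authpriv' is excluded from /var/log/messages by both lines.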