Stop pam_unix polluting log files

Problem

The PAM module pam_unix produces a lot of log messages that pollute the system log files. In my case this was the /var/log/auth.log file. Excessive log messages are written in particular for sudo, sshd and CRON. In this particular case, because the Zabbix agent uses sudo frequently, log entries were written every few seconds.

This all took place on an Ubuntu 12.04 host; on 10.04 I had the same problem and I guess the solution would be similar. rsyslogd version 5.8.6.

Symptoms

Below are some examples of these log messages:

authpriv.info: Jul  8 07:56:57 xxxx sudo: pam_unix(sudo:session): session opened for user yyy by (uid=zzz)

authpriv.info: Jul  8 08:17:01 xxx CRON[5903]: pam_unix(cron:session): session opened for user root by (uid=0)

Discussion

Some googling and a quick look through the pam_unix source code gave the impression that this logging cannot be controlled through the pam_unix module itself. Fiddling with the PAM settings in /etc/pam.d/ seemed too complex and potentially risky given my lack of knowledge and information.

Solution

Using the filter conditions of rsyslog one can implement fine-grained filtering of log messages and discard the annoying ones. This is admittedly a cure for the symptom rather than the cause, but still better than nothing.
Some background on POSIX regular expressions is here: http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap09.html#tag_09_03

In the following we filter by syslog tag and syslog message:

root@xxx:/var/log# cat /etc/rsyslog.d/35-pam_unix.conf
#This will filter out and drop lines generated by the pam_unix module, presumably caused by
#zabbix custom items that are using sudo
if $syslogtag contains 'sudo' and $msg contains 'pam_unix(sudo:session): session closed for user' then ~
if $syslogtag contains 'sudo' and $msg contains 'pam_unix(sudo:session): session opened for user' and $msg contains ' by (uid=zzz)' then ~

#This one blocks the zabbix agent testing the sshd daemon status
if $syslogtag contains 'sshd[' and $msg contains 'Connection closed by 127.0.0.1 [preauth]' then ~

#This one blocks CRON; these lines are caused by the sar utility
if $syslogtag contains 'CRON[' and ($msg contains 'pam_unix(cron:session): session opened for user root by (uid=0)' or $msg contains 'pam_unix(cron:session): session closed for user root') then ~

In the above, xxx stands for our hostname and zzz for the uid of the zabbix user that is running sudo.

Caveats

  • Restart syslog rather than reload; reload sometimes doesn't pick up the changes. For example: service rsyslog restart
  • Make sure the service is running after the restart. Sometimes, when a regex is used, the service just silently won't start.
  • Pay attention to what is syslogtag and what is msg in the log file lines; it can be confusing.
  • It seems a regex cannot be used in an expression condition like if ... then.
  • Regex was planned, but I dropped the idea: too cumbersome and hard to debug due to the differences between POSIX BRE, POSIX ERE and the regular expressions I know from Perl.
  • The Regular Expression Checker/Generator at http://www.rsyslog.com/regex/ turned out to be useless in my case: what worked in this tool didn't work on my system. For example, I realized that one needs a double backslash to escape characters like [ or +. BTW, ] doesn't need an escape. See POSIX BRE.
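Because it is easy to confuse syslogtag with msg, and because a broken rule only shows up after restarting the daemon, it helps to replay the rules offline first. The following is an added example, not part of the original post and not rsyslog code: it splits auth.log-style lines into the fields rsyslog exposes as $syslogtag and $msg and applies the same four 'contains' conditions from 35-pam_unix.conf. It assumes rsyslog's field definitions for RFC 3164 lines (the tag includes the trailing colon, the message keeps its leading space); the sample lines and the uid value zzz are constructed placeholders in the style of the examples above.

```python
"""Offline replay of the drop rules from /etc/rsyslog.d/35-pam_unix.conf.

Added example: splits auth.log-style lines into the fields rsyslog exposes
as $syslogtag and $msg and applies the same 'contains' conditions, so the
effect of each rule can be checked before the real daemon is restarted.
"""
import re

# Placeholder from the post: the uid of the zabbix user that runs sudo.
ZABBIX_UID = "zzz"

# RFC 3164 style line as written to /var/log/auth.log:
#   <timestamp> <host> <tag>: <message>
# Assumption (matching rsyslog's property definitions): $syslogtag is the
# program name plus optional [pid] *including* the trailing colon, and $msg
# is everything after it, *including* the leading space.
_LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<syslogtag>[^\s:\[]+(?:\[\d+\])?:)"
    r"(?P<msg>.*)$"
)


def parse_syslog_line(line):
    """Return the four fields as a dict, or None if the line does not parse."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def should_drop(syslogtag, msg):
    """Mirror of the four 'if ... then ~' rules in 35-pam_unix.conf."""
    # Rule 1: every sudo session close (the close message carries no uid).
    if "sudo" in syslogtag and "pam_unix(sudo:session): session closed for user" in msg:
        return True
    # Rule 2: sudo session open, but only when invoked by the zabbix uid.
    if ("sudo" in syslogtag
            and "pam_unix(sudo:session): session opened for user" in msg
            and " by (uid=%s)" % ZABBIX_UID in msg):
        return True
    # Rule 3: the zabbix agent's local sshd port check.
    if "sshd[" in syslogtag and "Connection closed by 127.0.0.1 [preauth]" in msg:
        return True
    # Rule 4: root cron sessions (sar).
    if "CRON[" in syslogtag and (
            "pam_unix(cron:session): session opened for user root by (uid=0)" in msg
            or "pam_unix(cron:session): session closed for user root" in msg):
        return True
    return False


def filter_lines(lines):
    """Split lines into (kept, dropped); unparseable lines are always kept."""
    kept, dropped = [], []
    for line in lines:
        fields = parse_syslog_line(line)
        if fields and should_drop(fields["syslogtag"], fields["msg"]):
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


# Constructed sample lines in the auth.log layout quoted in the post
# (xxx = host, yyy = user, zzz = zabbix uid). The "authpriv.info:" prefix
# shown in the post is the facility/severity, not part of $syslogtag or $msg.
SAMPLE_LINES = [
    "Jul  8 07:56:57 xxx sudo: pam_unix(sudo:session): session opened for user yyy by (uid=zzz)",
    "Jul  8 07:56:58 xxx sudo: pam_unix(sudo:session): session closed for user yyy",
    "Jul  8 07:57:10 xxx sudo: pam_unix(sudo:session): session opened for user root by (uid=1000)",
    "Jul  8 08:17:01 xxx CRON[5903]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Jul  8 08:17:02 xxx CRON[5903]: pam_unix(cron:session): session closed for user root",
    "Jul  8 08:20:00 xxx sshd[6012]: Connection closed by 127.0.0.1 [preauth]",
    "Jul  8 08:21:00 xxx sshd[6020]: Accepted publickey for admin from 10.0.0.5 port 50000 ssh2",
]

if __name__ == "__main__":
    kept, dropped = filter_lines(SAMPLE_LINES)
    for line in dropped:
        print("DROP", line)
    for line in kept:
        print("KEEP", line)
```

Running it shows that the interactive sudo session opened by uid=1000 and the sshd login survive, while the five noise lines are dropped. It also makes one property of the config visible: the first rule drops every sudo session close, not only the zabbix ones, because the close message carries no uid, so the surviving "opened" lines are the only record of who used sudo.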
