pam_unix produces a lot of log messages that pollute system log files. In my case this was the /var/log/auth.log file. Excessive log messages are logged in particular for CRON. In this particular case, due to frequent usage of sudo by the Zabbix agent, log statements were written every few seconds.
This all took place on an Ubuntu 12.04 host; on 10.04 I had the same problem and I guess the solution would be similar. rsyslogd version 5.8.6.
Below are some examples of these log messages:
authpriv.info: Jul  8 07:56:57 xxxx sudo: pam_unix(sudo:session): session opened for user yyy by (uid=zzz)
authpriv.info: Jul  8 08:17:01 xxx CRON: pam_unix(cron:session): session opened for user root by (uid=0)
Some googling and a quick look through the pam_unix source code gave the impression that this logging cannot be controlled through the pam_unix module itself. Fiddling with the PAM settings in /etc/pam.d/ seemed too complex and potentially risky given my lack of knowledge and information.
Using the Filter Conditions of rsyslog one can implement fine-grained filtering of log messages and discard the annoying ones. This is understood to be a “symptom” cure, but still better than nothing.
Some explanation of POSIX regular expressions is here: http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap09.html#tag_09_03
In the following we filter by syslog tag and syslog message:

```
root@xxx:/var/log# cat /etc/rsyslog.d/35-pam_unix.conf
#This will filter out and drop lines generated by pam_unix module presumably caused by
#zabbix custom items that are using sudo
if $syslogtag contains 'sudo' and $msg contains 'pam_unix(sudo:session): session closed for user' then ~
if $syslogtag contains 'sudo' and $msg contains 'pam_unix(sudo:session): session opened for user' and $msg contains ' by (uid=zzz)' then ~
#This one to block zabbix agent testing sshd daemon status
if $syslogtag contains 'sshd[' and $msg contains 'Connection closed by 127.0.0.1 [preauth]' then ~
#This one to block CRON, this caused by sar utility
if $syslogtag contains 'CRON[' and ($msg contains 'pam_unix(cron:session): session opened for user root by (uid=0)' or $msg contains 'pam_unix(cron:session): session closed for user root') then ~
```
In the above code xxx stands for our hostname and zzz for the Zabbix user id, which is using sudo.
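To see which lines the rules above would actually discard before the file goes live (and where $syslogtag ends and $msg begins), here is an added Python dry run that is not part of the original post. It approximates rsyslog's tag/msg split with a small regex; the hostname host1, the pids and uid 1001 (standing in for zzz) are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

ZABBIX_UID = "1001"  # constructed placeholder for the 'zzz' uid in the config

# "Mon DD HH:MM:SS host TAG: message". Like rsyslog's $syslogtag, the tag keeps its
# trailing colon (e.g. "CRON[2310]:") and $msg keeps its leading space. Simplified parser.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^ :]+:)(?P<msg>.*)$")

def split_line(line: str) -> Tuple[str, str]:
    """Return ($syslogtag, $msg) as rsyslog would see them for one auth.log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    return m.group("tag"), m.group("msg")

def discard_rule(line: str) -> Optional[str]:
    """Name of the 35-pam_unix.conf rule that discards the line ('~'), or None if kept."""
    tag, msg = split_line(line)
    if "sudo" in tag and "pam_unix(sudo:session): session closed for user" in msg:
        return "sudo-close"
    if ("sudo" in tag and "pam_unix(sudo:session): session opened for user" in msg
            and " by (uid=%s)" % ZABBIX_UID in msg):
        return "sudo-open-zabbix"
    if "sshd[" in tag and "Connection closed by 127.0.0.1 [preauth]" in msg:
        return "sshd-localhost-probe"
    if "CRON[" in tag and ("pam_unix(cron:session): session opened for user root by (uid=0)" in msg
                           or "pam_unix(cron:session): session closed for user root" in msg):
        return "cron-root"
    return None

# Constructed sample lines; the three KEEP cases show that an admin's sudo use,
# a remote sshd close and a non-root cron session still reach auth.log.
SAMPLE_LINES = [
    "Jul  8 07:56:57 host1 sudo: pam_unix(sudo:session): session opened for user zabbix by (uid=1001)",
    "Jul  8 07:56:57 host1 sudo: pam_unix(sudo:session): session closed for user zabbix",
    "Jul  8 07:58:12 host1 sudo: pam_unix(sudo:session): session opened for user root by (uid=0)",
    "Jul  8 08:00:01 host1 sshd[2201]: Connection closed by 127.0.0.1 [preauth]",
    "Jul  8 08:00:05 host1 sshd[2202]: Connection closed by 203.0.113.7 [preauth]",
    "Jul  8 08:17:01 host1 CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Jul  8 08:17:01 host1 CRON[2311]: pam_unix(cron:session): session opened for user backup by (uid=0)",
]

def dry_run(lines: List[str]) -> List[Tuple[str, Optional[str]]]:
    return [(line, discard_rule(line)) for line in lines]  # None = line is kept

if __name__ == "__main__":
    for line, rule in dry_run(SAMPLE_LINES):
        print("%-4s %-20s %s" % ("DROP" if rule else "KEEP", rule or "-", line))
```

Note that the first rule drops every sudo session-close line, not only Zabbix's, because the close message carries no uid to match on; the dry run makes such side effects visible before the config is deployed.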
- Use a syslog restart; a reload sometimes doesn’t pick up the changes. E.g. service rsyslog restart
- Make sure the service is running after the restart. Sometimes when regex is used the service just silently won’t start.
- Pay attention to what is syslogtag and what is msg in the log file lines; it can be confusing.
- It seems regex cannot be used in an expression condition like if ... then. regex was planned, but then I dropped the idea: too cumbersome and hard to debug due to the differences between POSIX BRE, POSIX ERE and normal regular expressions as I know them from perl.
- The Regular Expression Checker/Generator at http://www.rsyslog.com/regex/ was useless in my case; what worked in this tool didn’t work on my system. For example, I realized that one needs to use a double backslash to escape characters like [ or +. BTW, ] doesn’t need an escape. See POSIX BRE.