
Thread: The system log is full of 'audit' log lines

  1. #1
    BentBagger (Birkerød, Denmark)

    The system log is full of 'audit' log lines

    I see a lot of messages in the system log (/var/log/messages and the journal). A random sample from /var/log/messages is shown below. They irritate me for several reasons:
    1. I have very little idea of what it is all about
    2. There are so many of them
    3. I cannot control the level of logging.

    Most of the lines have "res=success" at the end, so I assume they refer to something that is legal in this context. A few of the lines (there is one in the sample) ends in " res=failed" so those lines may refer to something I should attend to.

    This gives rise to the following questions:

    1. Which module creates these log messages?
    2. How do I interpret these messages - is there a manual or similar somewhere?
    3. How do you configure the logging level? It would be nice to be able to suppress all the successful messages so only the failed ones are logged.

    Here is the sample of loglines.

    Code:
    Nov 11 10:20:54 www kernel: [53881.007141] audit: type=2404 audit(1447237254.128:2491): pid=4704 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=00:3b:6a:34:de:f6:fb:09:e4:9e:b4:bc:3f:89:f2:95 [MD5] direction=? spid=4704 suid=0  exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
    Nov 11 10:20:54 www kernel: [53881.007212] audit: type=2404 audit(1447237254.128:2492): pid=4704 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=46:15:9c:ca:6e:4b:eb:72:c9:ef:9d:69:8e:c7:e5:ea [MD5] direction=? spid=4704 suid=0  exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
    Nov 11 10:20:54 www kernel: [53881.007318] audit: type=1112 audit(1447237254.128:2493): pid=4704 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
    Nov 11 10:25:01 www kernel: [54127.895232] audit: type=1101 audit(1447237501.018:2494): pid=4813 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_listfile acct="mailman" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
    Nov 11 10:25:01 www kernel: [54127.896625] audit: type=1103 audit(1447237501.022:2495): pid=4813 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_rootok acct="mailman" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'

  2. #2
    alanbortu NNTP User

    Re: The system log is full of 'audit' log lines

    On 11/11/2015 02:16 PM, BentBagger wrote:
    >
    > I see a lot of messages in the system log (/var/log/messages and the
    > journal). A random sample from /var/log/messages is shown below. They
    > irritate me for several reasons:
    > 1. I have very little idea of what it is all about
    > 2. There are so many of them
    > 3. I cannot control the level of logging.
    >
    > Most of the lines have "res=success" at the end, so I assume they refer
    > to something that is legal in this context. A few of the lines (there is
    > one in the sample) ends in " res=failed" so those lines may refer to
    > something I should attend to.
    >
    > This gives rise to the following questions:
    >
    > 1. Which module creates these log messages?
    > 2. How do I interpret these messages - is there a manual or similar
    > somewhere?
    > 3. How do you configure the logging level? It would be nice to be able
    > to suppress all the successful messages so only the failed ones are
    > logged.
    >
    > Here is the sample of loglines.
    >
    >
    > Code:
    > --------------------
    > Nov 11 10:20:54 www kernel: [53881.007141] audit: type=2404 audit(1447237254.128:2491): pid=4704 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=00:3b:6a:34:de:f6:fb:09:e4:9e:b4:bc:3f:89:f2:95 [MD5] direction=? spid=4704 suid=0 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
    > Nov 11 10:20:54 www kernel: [53881.007212] audit: type=2404 audit(1447237254.128:2492): pid=4704 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=46:15:9c:ca:6e:4b:eb:72:c9:ef:9d:69:8e:c7:e5:ea [MD5] direction=? spid=4704 suid=0 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
    > Nov 11 10:20:54 www kernel: [53881.007318] audit: type=1112 audit(1447237254.128:2493): pid=4704 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
    > Nov 11 10:25:01 www kernel: [54127.895232] audit: type=1101 audit(1447237501.018:2494): pid=4813 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_listfile acct="mailman" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
    > Nov 11 10:25:01 www kernel: [54127.896625] audit: type=1103 audit(1447237501.022:2495): pid=4813 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_rootok acct="mailman" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
    > --------------------
    >
    >


    Just a guess but I assume it comes from auditd, so perhaps there is documentation for controlling its logging?

    Code:
    linux:~ # systemctl status auditd
    auditd.service - Security Auditing Service
    Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled)
    Active: active (running) ...ago
    Main PID: xxx (auditd)
    CGroup: /system.slice/auditd.service
    └─xxx /sbin/auditd -n

    --
    openSUSE Leap (42.1) 64 bit
    Plasma 5

  3. #3
    BentBagger (Birkerød, Denmark)

    Re: The system log is full of 'audit' log lines

    > Originally Posted by alanbortu:
    > Just a guess but I assume it comes from auditd, so perhaps there is documentation for controlling its logging?

    That would also have been my first assumption, but auditd is not installed on my system. The messages do not come from polkit either, because the messages keep coming even if I stop polkit.

    Taking a closer look at the log messages reveals that the messages come from 'kernel' (3rd element on the line after <timestamp> and <host>) rather than from some named process, so my suspicion is right now directed towards a process called kaudit, which appears with a low PID (< 100) when you run the command 'ps aux | grep audit', but what the function of that process/module really is, is not clear to me. Perhaps somebody can enlighten me?

    /Bent

  4. #4
    BentBagger (Birkerød, Denmark)

    Re: The system log is full of 'audit' log lines

    I have proved - at least to myself - that the many log lines are generated by the kernel's audit facility. I rebooted the server(s) in question and added 'audit=0' to the end of the kernel command line, and now there were no audit lines in either /var/log/messages or the journal.

    So now I know how to turn off this function. But I would still like to learn how to interpret the lines and, equally important, how to control the amount of output from the audit function. It appears that some lines have contents that deserve a follow-up.

    Any suggestions, anybody?

    /Bent
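An added example, not code from the thread or from the audit project, addressing the interpretation question raised in post #1 and repeated in post #4: a small Python parser for the kernel audit records quoted in post #1. The record type numbers and their names are a subset of those defined in the kernel's include/uapi/linux/audit.h; the sample lines are copied from post #1. Two format details the parser relies on are stated as assumptions in the code: 4294967295 is the unsigned -1 the kernel writes for auid/ses when no login uid or session has been assigned, and a string field such as acct= is hex-encoded (an even run of uppercase hex digits, no quotes) when its value contains a space, quote or other untrusted byte, which is why the failed login line carries acct=28756E6B... rather than a name. The field names UNSET_ID, HEX_ENCODED_FIELDS, parse_audit_line, describe and failed_records are mine.

```python
import re
from datetime import datetime, timezone

# Record type numbers (a subset) as defined in the kernel's include/uapi/linux/audit.h.
AUDIT_TYPES = {
    1100: "USER_AUTH",        # PAM authentication
    1101: "USER_ACCT",        # PAM account management
    1103: "CRED_ACQ",         # PAM credentials acquired (setcred)
    1104: "CRED_DISP",        # PAM credentials disposed
    1105: "USER_START",       # PAM session opened
    1106: "USER_END",         # PAM session closed
    1112: "USER_LOGIN",       # login attempt
    1113: "USER_LOGOUT",
    2404: "CRYPTO_KEY_USER",  # key created, deleted or negotiated
}

# Assumption: (unsigned)-1 marks an auid/ses that has never been assigned.
UNSET_ID = 4294967295

# Assumption: these string fields arrive hex-encoded (unquoted, uppercase hex)
# when the value holds a space, a quote or another untrusted byte.
HEX_ENCODED_FIELDS = {"acct", "hostname", "terminal", "comm", "proctitle"}

HEADER_RE = re.compile(r"audit: type=(\d+) audit\((\d+)\.(\d{3}):(\d+)\): (.*)$")
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

# Sample records copied from post #1 of this thread.
SAMPLE_LINES = r"""
Nov 11 10:20:54 www kernel: [53881.007141] audit: type=2404 audit(1447237254.128:2491): pid=4704 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=00:3b:6a:34:de:f6:fb:09:e4:9e:b4:bc:3f:89:f2:95 [MD5] direction=? spid=4704 suid=0  exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
Nov 11 10:20:54 www kernel: [53881.007212] audit: type=2404 audit(1447237254.128:2492): pid=4704 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=46:15:9c:ca:6e:4b:eb:72:c9:ef:9d:69:8e:c7:e5:ea [MD5] direction=? spid=4704 suid=0  exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
Nov 11 10:20:54 www kernel: [53881.007318] audit: type=1112 audit(1447237254.128:2493): pid=4704 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=28756E6B6E6F776E207573657229 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=ssh res=failed'
Nov 11 10:25:01 www kernel: [54127.895232] audit: type=1101 audit(1447237501.018:2494): pid=4813 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_listfile acct="mailman" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
Nov 11 10:25:01 www kernel: [54127.896625] audit: type=1103 audit(1447237501.022:2495): pid=4813 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_rootok acct="mailman" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
""".strip().splitlines()


def decode_field(key, raw):
    """Turn one raw field value into a Python value: quoted strings are unquoted,
    hex-encoded strings decoded, numeric ids converted (unset ids become None)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_ENCODED_FIELDS and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-F]+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    if key in ("pid", "uid", "auid", "ses", "spid", "suid") and raw.isdigit():
        value = int(raw)
        return None if value == UNSET_ID else value
    return raw


def parse_audit_line(line):
    """Parse one 'kernel: audit: ...' syslog or journal line into a dict.
    Returns None for lines that are not audit records."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec_type, secs, millis, serial, body = m.groups()
    record = {
        "type": int(rec_type),
        "type_name": AUDIT_TYPES.get(int(rec_type), "UNKNOWN"),
        # audit(<epoch seconds>.<ms>:<serial>); the serial ties records of one event together
        "time": datetime.fromtimestamp(int(secs), tz=timezone.utc).replace(microsecond=int(millis) * 1000),
        "serial": int(serial),
    }
    for key, raw in FIELD_RE.findall(body):
        if key == "msg" and raw.startswith("'"):
            # The msg='...' payload is itself a list of key=value fields; stray
            # tokens that are not key=value (such as "[MD5]") are skipped.
            for inner_key, inner_raw in FIELD_RE.findall(raw[1:-1]):
                record[inner_key] = decode_field(inner_key, inner_raw)
        else:
            record[key] = decode_field(key, raw)
    return record


def describe(record):
    """One readable line per record, in the spirit of what `ausearch -i` prints."""
    who = record.get("acct") or f"uid {record.get('uid')}"
    return (f"{record['time']:%Y-%m-%d %H:%M:%S} {record['type_name']} "
            f"op={record.get('op')} acct={who} exe={record.get('exe')} "
            f"addr={record.get('addr')} res={record.get('res')}")


def failed_records(lines):
    """The lines worth a follow-up: audit records whose res field is not 'success'."""
    parsed = (parse_audit_line(line) for line in lines)
    return [r for r in parsed if r is not None and r.get("res") != "success"]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(describe(parse_audit_line(line)))
    print("records needing follow-up:", len(failed_records(SAMPLE_LINES)))
```

Run against the sample, the third line decodes to a USER_LOGIN record for acct "(unknown user)" from 127.0.0.1 with res=failed, which is the one line in the sample that merits attention; failed_records() is the "only the failed ones" filter asked for in post #1 and can be fed `journalctl -k -o cat` output or /var/log/messages directly. The records land under "kernel:" because, with no audit daemon connected, the kernel emits them through printk; booting with audit=0 silences them entirely, which also discards this failed-login evidence, so filtering on res is the less lossy way to reduce the noise.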
