SwirlyMyself

2007-09-11T09:13:56+00:00

Cron’s syslog messages

On a modern debian system (and other linuxes as well), the cron daemon is PAM-enabled, which is probably a good thing. One downside is that you get your /var/log/auth.log full of messages like:

Sep 11 11:15:01 otto CRON[8755]: pam_unix(cron:session): session opened for user jojo by (uid=0)
Sep 11 11:15:01 otto CRON[8755]: pam_unix(cron:session): session closed for user jojo

I think these are pretty useless and make it harder to find real authentication related entries in auth.log, especially if you get them every five minutes. Luckily, the fix is pretty simple: Just edit /etc/pam.d/cron and comment out the line @include common-session, as that only calls pam_unix.so which in turn, for session management, does nothing but logging anyways.

To further separate the cron logs, you can remove these entries to syslog:

Sep 11 07:17:01 quimby /USR/SBIN/CRON[7949]: (root) CMD (   run-parts --report /etc/cron.hourly)

by configuring /etc/syslog.conf to move them to a logfile on its own:

*.*;auth,authpriv,cron.none     -/var/log/syslog
cron.*                          -/var/log/cron.log

Comments

Wahey, excellent; this is something that's been annoying me a lot but not quite enough to delve into it. :)

thanks!
#1 Tore Bekkedal (Homepage) am 2007-09-11T16:18:12+00:00

Have something to say? You can post a comment by sending an e-Mail to me at <mail@joachim-breitner.de>, and I will include it here.