Re: [mod-security-users] log

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Jair Santos wrote:
> HI,
>  
> I upgraded mod-security from 1.x to 2.6 and have changed the directives.
>  
> My logs are flooded with
>  
> type=USER_ACCT msg=audit(1220642761.275:62823): user pid=5113 uid=0
> auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_ACQ msg=audit(1220642761.275:62824): user pid=5113 uid=0
> auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=LOGIN msg=audit(1220642761.275:62825): login pid=5113 uid=0 old
> auid=4294967295 new auid=0 old ses=4294967295 new ses=10363
> type=USER_START msg=audit(1220642761.287:62826): user pid=5113 uid=0
> auid=0 msg='PAM: session open acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_DISP msg=audit(1220642761.595:62827): user pid=5113 uid=0
> auid=0 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_END msg=audit(1220642761.599:62828): user pid=5113 uid=0
> auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_ACCT msg=audit(1220642881.606:62829): user pid=5219 uid=0
> auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_ACQ msg=audit(1220642881.606:62830): user pid=5219 uid=0
> auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=LOGIN msg=audit(1220642881.606:62831): login pid=5219 uid=0 old
> auid=4294967295 new auid=0 old ses=4294967295 new ses=10364
> type=USER_START msg=audit(1220642881.622:62832): user pid=5219 uid=0
> auid=0 msg='PAM: session open acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_DISP msg=audit(1220642881.934:62833): user pid=5219 uid=0
> auid=0 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_END msg=audit(1220642881.934:62834): user pid=5219 uid=0
> auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
>  
> Does anybody know how can I fine tune it to log only the relevants messages.

These logs are not from ModSecurity, but are generated by PAM runing via
cron (/usr/sbin/crond).  What makes you think they are ModSecurity releated?

-B

-- 
Brian Rectanus
Breach Security