Re: [mod-security-users] log
From: Brian R. <Bri...@br...> - 2008-09-05 19:53:48
Jair Santos wrote:
> Hi,
>
> I upgraded mod-security from 1.x to 2.6 and have changed the directives.
>
> My logs are flooded with
>
> type=USER_ACCT msg=audit(1220642761.275:62823): user pid=5113 uid=0
> auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_ACQ msg=audit(1220642761.275:62824): user pid=5113 uid=0
> auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=LOGIN msg=audit(1220642761.275:62825): login pid=5113 uid=0 old
> auid=4294967295 new auid=0 old ses=4294967295 new ses=10363
> type=USER_START msg=audit(1220642761.287:62826): user pid=5113 uid=0
> auid=0 msg='PAM: session open acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_DISP msg=audit(1220642761.595:62827): user pid=5113 uid=0
> auid=0 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_END msg=audit(1220642761.599:62828): user pid=5113 uid=0
> auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_ACCT msg=audit(1220642881.606:62829): user pid=5219 uid=0
> auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_ACQ msg=audit(1220642881.606:62830): user pid=5219 uid=0
> auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=LOGIN msg=audit(1220642881.606:62831): login pid=5219 uid=0 old
> auid=4294967295 new auid=0 old ses=4294967295 new ses=10364
> type=USER_START msg=audit(1220642881.622:62832): user pid=5219 uid=0
> auid=0 msg='PAM: session open acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_DISP msg=audit(1220642881.934:62833): user pid=5219 uid=0
> auid=0 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_END msg=audit(1220642881.934:62834): user pid=5219 uid=0
> auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond"
> (hostname=?, addr=?, terminal=cron res=success)'
>
> Does anybody know how I can fine-tune it to log only the relevant messages?

These logs are not from ModSecurity, but are generated by PAM running via cron (/usr/sbin/crond). What makes you think they are ModSecurity related?

-B

--
Brian Rectanus
Breach Security
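
Added example, not part of the original thread: a short Python triage script that attributes audit records like the ones quoted above to the executable that produced them, which is how to confirm the source is crond rather than ModSecurity. The function names are hypothetical, and the sample input is four of the quoted records with each wrapped record rejoined onto one line.

```python
import re
from collections import Counter

# Sample input: four records from the quoted message, rejoined one per line.
SAMPLE = """\
type=USER_ACCT msg=audit(1220642761.275:62823): user pid=5113 uid=0 auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=LOGIN msg=audit(1220642761.275:62825): login pid=5113 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=10363
type=USER_START msg=audit(1220642761.287:62826): user pid=5113 uid=0 auid=0 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_END msg=audit(1220642881.934:62834): user pid=5219 uid=0 auid=0 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):')
PID = re.compile(r'\bpid=(\d+)')
EXE = re.compile(r'\bexe="([^"]+)"')

def parse(text):
    """Return one dict per audit record; lines without an audit header are skipped."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        pid = PID.search(line)
        exe = EXE.search(line)
        records.append({
            "type": m.group(1),
            "serial": int(m.group(3)),
            "pid": int(pid.group(1)) if pid else None,
            "exe": exe.group(1) if exe else None,
        })
    return records

def attribute(records):
    """Count records per originating executable."""
    # LOGIN records carry no exe= field, so borrow it from other records
    # with the same pid. Pids are reused over time; keep the window short.
    exe_by_pid = {r["pid"]: r["exe"] for r in records
                  if r["exe"] and r["pid"] is not None}
    counts = Counter()
    for r in records:
        counts[r["exe"] or exe_by_pid.get(r["pid"], "unknown")] += 1
    return counts

if __name__ == "__main__":
    for exe, n in attribute(parse(SAMPLE)).most_common():
        print(f"{n:5d}  {exe}")
```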