Many audit logs in messages

Hello everybody,

My server is receiving many of these logs below in /var/log/messages:

Code:

Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322612): pid=26973 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322613): pid=26979 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322614): pid=26973 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322615): pid=26973 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39139 res=1
Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322616): pid=26979 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322617): pid=26979 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39140 res=1
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322618): pid=26968 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322619): pid=26968 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322620): pid=26968 uid=0 old-auid=4294967295 auid=977 old-ses=4294967295 ses=39141 res=1
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.659:322621): pid=26978 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:12 example-server kernel: audit_printk_skb: 363 callbacks suppressed
Jul 12 18:00:12 example-server kernel: type=1104 audit(1468357212.127:322743): pid=26968 uid=0 auid=977 ses=39141 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:12 example-server kernel: type=1106 audit(1468357212.128:322744): pid=26968 uid=0 auid=977 ses=39141 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1101 audit(1468357261.132:322746): pid=27832 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: audit: audit_lost=102646 audit_rate_limit=0 audit_backlog_limit=320
Jul 12 18:01:01 example-server kernel: type=1101 audit(1468357261.132:322747): pid=27830 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: audit: printk limit exceeded
Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322748): pid=27830 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322749): pid=27832 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322750): pid=27831 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322751): pid=27832 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39158 res=1
Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322752): pid=27830 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39159 res=1
Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322753): pid=27831 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39160 res=1
Jul 12 18:02:01 example-server kernel: audit_printk_skb: 51 callbacks suppressed
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322771): pid=27922 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322772): pid=27925 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.489:322773): pid=27922 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.489:322774): pid=27922 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=39162 res=1
Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.489:322775): pid=27925 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322776): pid=27924 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.489:322777): pid=27925 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39163 res=1
Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.490:322778): pid=27924 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.490:322779): pid=27924 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39164 res=1
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.492:322780): pid=27923 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: audit_printk_skb: 60 callbacks suppressed
Jul 12 18:03:01 example-server kernel: type=1101 audit(1468357381.215:322801): pid=28016 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322802): pid=28015 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322803): pid=28016 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1101 audit(1468357381.215:322804): pid=28017 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322805): pid=28016 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39166 res=1
Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322806): pid=28015 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39167 res=1
Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322807): pid=28017 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322808): pid=28017 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39168 res=1
Jul 12 18:03:01 example-server kernel: type=1105 audit(1468357381.228:322809): pid=28016 uid=0 auid=1018 ses=39166 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1110 audit(1468357381.229:322810): pid=28016 uid=0 auid=1018 ses=39166 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

This is new,
It did not happen before.

SElinux is disabled.

 

Acess level: root

Cpanel plugins:
clamavconnector 0.99-4.cp1156
munin Version: obsolete
csf v9.10

Code:

/etc/redhat-release:CentOS Linux release 7.2.1511 (Core)
/usr/local/cpanel/version:11.56.0.25
/var/cpanel/envtype:kvm
CPANEL=release
Server version: Apache/2.4.18 (Unix)
Server built:   Jul  7 2016 03:17:41
Cpanel::Easy::Apache v3.34.1 rev9999
PHP 5.6.23 (cli) (built: Jul  7 2016 03:21:29)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with the ionCube PHP Loader v4.7.5, Copyright (c) 2002-2014, by ionCube Ltd., and
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
    with Suhosin v0.9.38, Copyright (c) 2007-2015, by SektionEins GmbH
mysql  Ver 14.14 Distrib 5.6.30, for Linux (x86_64) using  EditLine wrapper

/etc/audit/rules.d/audit.rules:

Code:

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

/etc/audit/auditd.conf:

Code:

#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6 
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port = 
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

I'm sorry by the lack of information in my thread.

 

Code:

# getenforce
Disabled

After restart these logs stopped happening.

I can't say what happened. But it may have been an update that needed restart.

Thanks!