Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Many audit logs in messages

Discussion in 'General Discussion' started by Rodrigo Gomes, Jul 12, 2016.

  1. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Joined:
    Apr 6, 2016
    Messages:
    88
    Likes Received:
    21
    Trophy Points:
    8
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Hello everybody,

    My server is receiving many of these logs below in /var/log/messages:

    Code:
    Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322612): pid=26973 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322613): pid=26979 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322614): pid=26973 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322615): pid=26973 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39139 res=1
Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322616): pid=26979 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322617): pid=26979 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39140 res=1
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322618): pid=26968 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322619): pid=26968 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322620): pid=26968 uid=0 old-auid=4294967295 auid=977 old-ses=4294967295 ses=39141 res=1
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.659:322621): pid=26978 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:12 example-server kernel: audit_printk_skb: 363 callbacks suppressed
Jul 12 18:00:12 example-server kernel: type=1104 audit(1468357212.127:322743): pid=26968 uid=0 auid=977 ses=39141 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:12 example-server kernel: type=1106 audit(1468357212.128:322744): pid=26968 uid=0 auid=977 ses=39141 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1101 audit(1468357261.132:322746): pid=27832 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: audit: audit_lost=102646 audit_rate_limit=0 audit_backlog_limit=320
Jul 12 18:01:01 example-server kernel: type=1101 audit(1468357261.132:322747): pid=27830 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: audit: printk limit exceeded
Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322748): pid=27830 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322749): pid=27832 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322750): pid=27831 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322751): pid=27832 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39158 res=1
Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322752): pid=27830 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39159 res=1
Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322753): pid=27831 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39160 res=1
Jul 12 18:02:01 example-server kernel: audit_printk_skb: 51 callbacks suppressed
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322771): pid=27922 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322772): pid=27925 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.489:322773): pid=27922 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.489:322774): pid=27922 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=39162 res=1
Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.489:322775): pid=27925 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322776): pid=27924 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.489:322777): pid=27925 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39163 res=1
Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.490:322778): pid=27924 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.490:322779): pid=27924 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39164 res=1
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.492:322780): pid=27923 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: audit_printk_skb: 60 callbacks suppressed
Jul 12 18:03:01 example-server kernel: type=1101 audit(1468357381.215:322801): pid=28016 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322802): pid=28015 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322803): pid=28016 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1101 audit(1468357381.215:322804): pid=28017 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322805): pid=28016 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39166 res=1
Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322806): pid=28015 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39167 res=1
Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322807): pid=28017 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322808): pid=28017 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39168 res=1
Jul 12 18:03:01 example-server kernel: type=1105 audit(1468357381.228:322809): pid=28016 uid=0 auid=1018 ses=39166 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1110 audit(1468357381.229:322810): pid=28016 uid=0 auid=1018 ses=39166 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    This is new,
    It did not happen before.

    SElinux is disabled.
     
    #1 Rodrigo Gomes, Jul 12, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,127
    Likes Received:
    1,366
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Please ensure you review Guide To Opening An Effective Forums Thread and let us know the requested information about your system.

    Also, please let us know the contents of the " /etc/audit/rules.d/audit.rules" file on this system.

    Thank you.
     
    #2 cPanelMichael, Jul 13, 2016
  3. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Joined:
    Apr 6, 2016
    Messages:
    88
    Likes Received:
    21
    Trophy Points:
    8
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Acess level: root

    Cpanel plugins:
    clamavconnector 0.99-4.cp1156
    munin Version: obsolete
    csf v9.10

    Code:
    /etc/redhat-release:CentOS Linux release 7.2.1511 (Core)
/usr/local/cpanel/version:11.56.0.25
/var/cpanel/envtype:kvm
CPANEL=release
Server version: Apache/2.4.18 (Unix)
Server built:   Jul  7 2016 03:17:41
Cpanel::Easy::Apache v3.34.1 rev9999
PHP 5.6.23 (cli) (built: Jul  7 2016 03:21:29)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with the ionCube PHP Loader v4.7.5, Copyright (c) 2002-2014, by ionCube Ltd., and
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
    with Suhosin v0.9.38, Copyright (c) 2007-2015, by SektionEins GmbH
mysql  Ver 14.14 Distrib 5.6.30, for Linux (x86_64) using  EditLine wrapper
    /etc/audit/rules.d/audit.rules:
    Code:
    # This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
    /etc/audit/auditd.conf:
    Code:
    #
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6 
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port = 
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
    I'm sorry by the lack of information in my thread.
     
    #3 Rodrigo Gomes, Jul 13, 2016
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,127
    Likes Received:
    1,366
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Your auditd configuration matches up with the default correction. You mentioned that SELinux is disabled. Could you confirm the output from the "getenforce" command?

    Thank you.
     
    #4 cPanelMichael, Jul 14, 2016
  5. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Joined:
    Apr 6, 2016
    Messages:
    88
    Likes Received:
    21
    Trophy Points:
    8
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Code:
    # getenforce
Disabled
    After restart these logs stopped happening.

    I can't say what happened. But it may have been an update that needed restart.

    Thanks!
     
    #5 Rodrigo Gomes, Jul 17, 2016
    Last edited: Jul 17, 2016
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    38,127
    Likes Received:
    1,366
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    I'm happy to see the issue is now resolved. Thank you for updating us with the outcome.
     
    #6 cPanelMichael, Jul 18, 2016
(You must log in or sign up to post here.)
Loading...
Similar Threads - Many audit logs
  1. romant

    License has been activated too many times error

    romant, Aug 29, 2017, in forum: General Discussion
    Replies:
    3
    Views:
    171
    Infopro
    Aug 30, 2017
  2. bejbi

    Configuration dns cluster: many webservers and 3 dns-only servers

    bejbi, Jul 25, 2017, in forum: Bind / DNS / Nameserver Issues
    Replies:
    5
    Views:
    138
    cPanelMichael
    Jul 26, 2017
  3. Phillneish

    Too many "Received" headers - suspected mail loop

    Phillneish, Jul 12, 2017, in forum: E-mail Discussions
    Replies:
    7
    Views:
    231
    cPanelMichael
    Jul 13, 2017
  4. Jack Gold

    Too many forwards?

    Jack Gold, Jun 27, 2017, in forum: E-mail Discussions
    Replies:
    4
    Views:
    144
    Jack Gold
    Jun 28, 2017
  5. Rodrigo Gomes

    Very strange IP ( 0.0.0.4) making many connections

    Rodrigo Gomes, Jun 24, 2017, in forum: Security
    Replies:
    9
    Views:
    285
    Rodrigo Gomes
    Jun 29, 2017

Share This Page