Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Many audit logs in messages

Discussion in 'General Discussion' started by Rodrigo Gomes, Jul 12, 2016.

  1. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Joined:
    Apr 6, 2016
    Messages:
    102
    Likes Received:
    26
    Trophy Points:
    28
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Hello everybody,

    My server is receiving many of these logs below in /var/log/messages:

    Code:
    Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322612): pid=26973 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322613): pid=26979 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322614): pid=26973 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322615): pid=26973 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39139 res=1
Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322616): pid=26979 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322617): pid=26979 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39140 res=1
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322618): pid=26968 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322619): pid=26968 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322620): pid=26968 uid=0 old-auid=4294967295 auid=977 old-ses=4294967295 ses=39141 res=1
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.659:322621): pid=26978 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:12 example-server kernel: audit_printk_skb: 363 callbacks suppressed
Jul 12 18:00:12 example-server kernel: type=1104 audit(1468357212.127:322743): pid=26968 uid=0 auid=977 ses=39141 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:12 example-server kernel: type=1106 audit(1468357212.128:322744): pid=26968 uid=0 auid=977 ses=39141 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1101 audit(1468357261.132:322746): pid=27832 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: audit: audit_lost=102646 audit_rate_limit=0 audit_backlog_limit=320
Jul 12 18:01:01 example-server kernel: type=1101 audit(1468357261.132:322747): pid=27830 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: audit: printk limit exceeded
Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322748): pid=27830 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322749): pid=27832 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322750): pid=27831 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322751): pid=27832 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39158 res=1
Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322752): pid=27830 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39159 res=1
Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322753): pid=27831 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39160 res=1
Jul 12 18:02:01 example-server kernel: audit_printk_skb: 51 callbacks suppressed
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322771): pid=27922 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322772): pid=27925 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.489:322773): pid=27922 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.489:322774): pid=27922 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=39162 res=1
Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.489:322775): pid=27925 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322776): pid=27924 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.489:322777): pid=27925 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39163 res=1
Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.490:322778): pid=27924 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.490:322779): pid=27924 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39164 res=1
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.492:322780): pid=27923 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: audit_printk_skb: 60 callbacks suppressed
Jul 12 18:03:01 example-server kernel: type=1101 audit(1468357381.215:322801): pid=28016 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322802): pid=28015 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322803): pid=28016 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1101 audit(1468357381.215:322804): pid=28017 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322805): pid=28016 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39166 res=1
Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322806): pid=28015 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39167 res=1
Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322807): pid=28017 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322808): pid=28017 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39168 res=1
Jul 12 18:03:01 example-server kernel: type=1105 audit(1468357381.228:322809): pid=28016 uid=0 auid=1018 ses=39166 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1110 audit(1468357381.229:322810): pid=28016 uid=0 auid=1018 ses=39166 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
    This is new,
    It did not happen before.

    SElinux is disabled.
     
    #1 Rodrigo Gomes, Jul 12, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Please ensure you review Guide To Opening An Effective Forums Thread and let us know the requested information about your system.

    Also, please let us know the contents of the " /etc/audit/rules.d/audit.rules" file on this system.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelMichael, Jul 13, 2016
  3. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Joined:
    Apr 6, 2016
    Messages:
    102
    Likes Received:
    26
    Trophy Points:
    28
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Acess level: root

    Cpanel plugins:
    clamavconnector 0.99-4.cp1156
    munin Version: obsolete
    csf v9.10

    Code:
    /etc/redhat-release:CentOS Linux release 7.2.1511 (Core)
/usr/local/cpanel/version:11.56.0.25
/var/cpanel/envtype:kvm
CPANEL=release
Server version: Apache/2.4.18 (Unix)
Server built:   Jul  7 2016 03:17:41
Cpanel::Easy::Apache v3.34.1 rev9999
PHP 5.6.23 (cli) (built: Jul  7 2016 03:21:29)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with the ionCube PHP Loader v4.7.5, Copyright (c) 2002-2014, by ionCube Ltd., and
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
    with Suhosin v0.9.38, Copyright (c) 2007-2015, by SektionEins GmbH
mysql  Ver 14.14 Distrib 5.6.30, for Linux (x86_64) using  EditLine wrapper
    /etc/audit/rules.d/audit.rules:
    Code:
    # This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page
    /etc/audit/auditd.conf:
    Code:
    #
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6 
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port = 
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
    I'm sorry by the lack of information in my thread.
     
    #3 Rodrigo Gomes, Jul 13, 2016
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello,

    Your auditd configuration matches up with the default correction. You mentioned that SELinux is disabled. Could you confirm the output from the "getenforce" command?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 cPanelMichael, Jul 14, 2016
  5. Rodrigo Gomes

    Rodrigo Gomes Well-Known Member

    Joined:
    Apr 6, 2016
    Messages:
    102
    Likes Received:
    26
    Trophy Points:
    28
    Location:
    Brazil
    cPanel Access Level:
    Root Administrator
    Code:
    # getenforce
Disabled
    After restart these logs stopped happening.

    I can't say what happened. But it may have been an update that needed restart.

    Thanks!
     
    #5 Rodrigo Gomes, Jul 17, 2016
    Last edited: Jul 17, 2016
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    43,711
    Likes Received:
    1,794
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    I'm happy to see the issue is now resolved. Thank you for updating us with the outcome.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 cPanelMichael, Jul 18, 2016
(You must log in or sign up to post here.)
Loading...
Similar Threads - Many audit logs
  1. RobNH

    MySQLi - Too Many Connections Error due to Amazon AWS

    RobNH, Jun 21, 2018 at 7:47 AM, in forum: Database Discussion
    Replies:
    5
    Views:
    40
    Infopro
    Jun 21, 2018 at 10:03 AM
  2. hicom

    Shutdown halts with many Unmounted /home/virtfs

    hicom, May 20, 2018, in forum: General Discussion
    Replies:
    3
    Views:
    85
    hicom
    May 21, 2018
  3. Lethe

    FTP too many connections - None listed in cPanel

    Lethe, May 16, 2018, in forum: General Discussion
    Replies:
    1
    Views:
    63
    Infopro
    May 16, 2018
  4. Taha Haider

    Too many spam emails sent

    Taha Haider, Apr 26, 2018, in forum: E-mail Discussion
    Replies:
    7
    Views:
    149
    cPanelLauren
    May 7, 2018
  5. tejli

    Many /usr/sbin/httpd -k start processes

    tejli, Mar 9, 2018, in forum: EasyApache
    Replies:
    1
    Views:
    530
    cPanelMichael
    Mar 9, 2018

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice