
Stale repeating log entries in /var/log/secure

Discussion in 'General Discussion' started by ottdev, Nov 14, 2017.

  1. ottdev

    ottdev Well-Known Member

    Server has unexplained entries in /var/log/secure.
    It looks like on a weekly basis, PAST entries for pam_unix and unix_chkpwd get dumped into the /var/log/secure file.

    See after the first 2 proper entries, some old items are dumped in

    A chunk of entries beginning with "Sep 23" were repeatedly inserted on Oct 18, Oct 19, Oct 19, Oct 21, Oct 21, Oct 27, Nov 4, Nov 14. The "chunk" is growing as more entries accumulate in whatever log they originally came from. The dates and times are not consistent so they don't appear to be related to any cron. At this point, we know it was sometime after 2:35am and before 4:00am.

    lfd detects these entries when it runs and sends a "su login failed" email for each auth failure in the chunk, though they aren't "new" activity. The question is how/why are these past entries being randomly copied to the /var/log/secure?
     
    #1 ottdev, Nov 14, 2017
    Last edited: Nov 14, 2017
  2. rclemings

    rclemings Active Member

    I've been seeing the same thing for more than a month. I first noticed it happening when I did a graceful server reboot after a WHM update, but lately it's been happening at random times.

    I opened a ticket with my server provider, who opened a ticket with cPanel, who said "That seems to be an issue with syslog and not one that would be caused by cPanel or the basic configuration of the cPanel-bundled software."

    The server provider then updated the system kernel (two days ago), and I haven't seen any stale pam_unix entries since then, but a little while ago I got a chunk of stale ssh "refused connect from" entries instead, along with a bunch of corresponding lfd reports.

    FWIW I have two other cPanel servers at a different provider but haven't seen this problem there. All three run CentOS Linux release 7.4.1708 and cPanel v66.0.29 or v66.0.30.

    At this point everybody seems mystified.
     
  3. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hi @ottdev,

    Could you open a support ticket using the link in my signature so we can take a closer look and rule out any issues with the cPanel software itself?

    Thank you.
     
  4. ottdev

    ottdev Well-Known Member

  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    It looks like CentOS has already published the updated rsyslog RPM:

    Code:
    # rpm -q --changelog rsyslog-8.24.0-12.el7.x86_64|grep 1216957
      resolves: rhbz#1216957
    Thank you.
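
A check for the symptom discussed in this thread, added here as an example and not part of any post or of cPanel, lfd or rsyslog: it walks a file in the traditional yearless syslog format and reports runs of lines whose timestamps fall well behind the newest one already seen. The function names, the 5-minute tolerance, the 180-day rollover heuristic and the sample lines are assumptions constructed for illustration.

```python
import sys
from datetime import datetime, timedelta

# Assumption: a backward jump larger than this is a Dec -> Jan rollover,
# so entries more than 180 days stale are not reported by this check.
ROLLOVER = timedelta(days=180)

# Constructed sample lines, not taken from the thread.
SAMPLE = """\
Nov 14 02:30:11 host sshd[2101]: Accepted publickey for admin from 192.0.2.10 port 50522 ssh2
Nov 14 02:35:02 host sshd[2101]: pam_unix(sshd:session): session closed for user admin
Sep 23 11:02:14 host unix_chkpwd[911]: password check failed for user (root)
Sep 23 11:02:14 host su: pam_unix(su:auth): authentication failure; logname=dev uid=1001 euid=0 tty=pts/0 ruser=dev rhost=  user=root
Oct  2 09:41:50 host unix_chkpwd[3310]: password check failed for user (root)
Nov 14 04:00:01 host sshd[2290]: Accepted publickey for admin from 192.0.2.10 port 50610 ssh2
"""

def parse_ts(line, year):
    """Parse the 15-character yearless syslog timestamp; None if the line has none."""
    try:
        return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None

def find_stale_chunks(lines, year, tolerance=timedelta(minutes=5)):
    """Return runs of lines that are older than the newest timestamp seen before them."""
    high, current, chunks = None, None, []
    for lineno, line in enumerate(lines, 1):
        ts = parse_ts(line, year)
        if ts and high and high - ts > ROLLOVER:
            ts = parse_ts(line, year + 1)      # treat as the following year
        if ts is None:
            continue                           # continuation or malformed line
        if high and high - ts > tolerance:     # timestamp went backwards
            if current is None:
                current = {"first_line": lineno, "inserted_after": high,
                           "oldest": ts, "count": 0}
                chunks.append(current)
            current["last_line"] = lineno
            current["oldest"] = min(current["oldest"], ts)
            current["count"] += 1
        else:
            current = None                     # back in order: close the run
            high = ts if high is None else max(high, ts)
    return chunks

if __name__ == "__main__":
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    for c in find_stale_chunks(lines, datetime.now().year):
        print(c)
```

The `inserted_after` value of each run is the last in-order timestamp before the stale lines, which narrows down when the re-insertion happened and can be compared against the times of the lfd alert emails.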
     