On Tue, 2005-09-06 at 12:52 -0700, Kirk Bocek wrote:
> It took me a bunch of googling and a few dead ends to figure this one out.
>
> You want to edit your /etc/syslog.conf file. Change the line that reads:
>
> *.info;mail.none;authpriv.none;cron.none /var/log/messages
>
> to read:
>
> *.info;mail.none;authpriv.none;cron.none;auth.!=info /var/log/messages
>
> Then add:
>
> auth.info /var/log/auth.info
>
> And you probably want to add the new /var/log/auth.info to /etc/logrotate.d as well.
>
> This will move all of the auth messages to a separate file. It looks to me like all
> the messages are coming from the use of a new PAM module. Every time a cron job fires
> there is a round of authentication that gets logged. That's a problem if you've got
> jobs firing every couple of minutes like I do.

It's not a bug, though, and the way they had it was better ;-) The old way, if something starts kicking off a lot of cron jobs (as some worms do), you'll notice it the next morning when you look at the logwatch report.

-David
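
Added example (not part of the original thread): a small Python model of how sysklogd evaluates a selector field left to right, used to show where an auth.info message lands under the original and the edited /etc/syslog.conf lines quoted above. The function names build_mask and route are hypothetical, and only the lines quoted in the message are modelled, not a full syslog.conf.

```python
# Standard syslog priority names, most severe first, and facility names.
PRIS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACS = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
        "uucp", "cron", "authpriv", "ftp"] + ["local%d" % i for i in range(8)]

def build_mask(selector_field):
    """Return {facility: set of priorities logged} for one selector field.

    Selectors are applied left to right, so a later selector such as
    auth.!=info overrides what an earlier *.info switched on.
    """
    mask = {f: set() for f in FACS}
    for sel in selector_field.split(";"):
        fac_part, pri = sel.rsplit(".", 1)
        facs = FACS if fac_part == "*" else fac_part.split(",")
        negate = pri.startswith("!")
        pri = pri[1:] if negate else pri
        exact = pri.startswith("=")
        pri = pri[1:] if exact else pri
        if pri == "none":            # "none" removes everything, "!none" adds it
            chosen, negate = set(PRIS), not negate
        elif pri == "*":
            chosen = set(PRIS)
        elif exact:                  # "=info": that priority only
            chosen = {pri}
        else:                        # "info": info and anything more severe
            chosen = set(PRIS[:PRIS.index(pri) + 1])
        for fac in facs:
            mask[fac] = mask[fac] - chosen if negate else mask[fac] | chosen
    return mask

def route(rules, facility, priority):
    """List the destinations that receive a message of facility.priority."""
    return [dest for field, dest in rules
            if priority in build_mask(field)[facility]]

# The two configurations from the message (constructed as rule lists).
OLD = [("*.info;mail.none;authpriv.none;cron.none", "/var/log/messages")]
NEW = [("*.info;mail.none;authpriv.none;cron.none;auth.!=info", "/var/log/messages"),
       ("auth.info", "/var/log/auth.info")]

if __name__ == "__main__":
    for name, rules in (("old", OLD), ("new", NEW)):
        for pri in ("info", "notice"):
            print(name, "auth." + pri, "->", route(rules, "auth", pri))
```

With the edited lines, auth messages at exactly info priority stop reaching /var/log/messages, so any report that only reads that file will need /var/log/auth.info added to keep seeing them.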