On a SLES 11 SP2 server I see a lot of entries in /var/log/messages like these:
Jan 2 12:59:13 phire su: (to papercut) root on none
Jan 2 13:00:24 phire su: (to papercut) root on none
Jan 2 13:01:35 phire su: (to papercut) root on none
Jan 2 13:02:45 phire su: (to papercut) root on none
Jan 2 13:03:56 phire su: (to papercut) root on none
Jan 2 13:05:06 phire su: (to papercut) root on none
Jan 2 13:06:17 phire su: (to papercut) root on none
Jan 2 13:07:27 phire su: (to papercut) root on none
which correspond to the audit.log entries for example:
Is there a way to find out which process run by root creates these log entries?
I have tried using “acct” package but it does not log the PID in the process history (lastcomm). The process exits too fast to see it in top or ps…
There is nothing in crontab that could be causing these logs. BTW, user papercut is used by an application, but even after stopping it the logs are being created.
Sorry, yes, I meant /var/log/audit/audit.log file.
But actually I am trying to find out what process is causing these messages to be logged by the audit daemon in the audit.log, I see now that my question is a bit confusing.
Am 03.01.2013 15:44, schrieb ablovatskia:[color=blue]
Sorry, yes, I meant /var/log/audit/audit.log file.
But actually I am trying to find out what process is causing these
messages to be logged by the audit daemon in the audit.log, I see now
that my question is a bit confusing. :-)[/color]
Or I should read more then just the headline…
Assuming that there are just a few processes started by the user
papercut and the pid is everytime changing try this
This will show a condensed view of processes started by papercut, updated every second. You may want to pipe the result in a logfile, so
add >>/var/log/my.log before the ’ at the end.
Thanks for the help here!
I have been running the watch command for about 5 hours now and it still did not log any interesting PIDs listed in the audit.log. The process seems to be exiting too fast to catch with the 1s refresh interval…
I don’t believe that. Maybe it’s the ‘su’ hiding the user papercut at
the process list. The problem seems to be a process running for a very
short period, right?
Either you have to snip all pids from the ps command
watch -n1 ‘ps aux >> mylog’
and compare with the pid shown in the audit.log
or you have to do some tricky awk/sed scripting to grep the pid at
runtime from audit.log. That’s a hard task because tailf and piping is
an ugly couple.
Personally I would use ‘either’, but your log will grow fast doing so.
You could write a small script which logs information about the parent process ( e. g.: ps -ocommand= -p $PPID | awk -F/ ‘{print $NF}’ | awk ‘{print $1}’ )
I should have looked at the auditd man in the first place, though! I was able to trace back the [P]PIDs of the offending process by adding a auditd rule to log all processes started by root:
auditctl -a exit,always -S execve -F uid=0
auditctl -l
LIST_RULES: exit,always uid=0 syscall=execve
this logs a lot of data to the /var/log/audit/audit.log file, so to remove the rul, use: