
/var/log/secure overcrowded

Hi,
I am looking for a solution to keep /var/log/secure a bit cleaner. The issue is that on this machine there are automatic ssh private-key logins every minute from another machine of mine. It is a script that copies some files every minute, and I have to keep it running. Since I have an entry in /var/log/secure every minute from the second machine, it is obvious that it becomes overcrowded and difficult to read. I was unable to find a solution to exclude the private-key sessions from logging OR to exclude logins from that certain machine (my.other.machine's.ip).
If anyone has a solution besides a cron script that will delete the entries from /var/log/secure, please take 500 points ;)

Here's an example of how the file looks:

Feb 11 15:21:03 gw sshd[24571]: Illegal user gordon from x.y.z.t
Feb 11 15:21:03 gw sshd[24573]: Illegal user williamb from x.y.z.t
Feb 11 15:21:05 gw sshd[24571]: Failed password for illegal user gordon from x.y.z.t port 37546 ssh2
Feb 11 15:21:05 gw sshd[24573]: Failed password for illegal user williamb from x.y.z.t port 37607 ssh2
Feb 11 15:21:08 gw sshd[24578]: Illegal user maartend from x.y.z.t
Feb 11 15:21:09 gw sshd[24577]: Illegal user williamb from x.y.z.t
Feb 11 15:21:11 gw sshd[24578]: Failed password for illegal user maartend from 125.22.251.218 port 37854 ssh2
Feb 11 15:21:11 gw sshd[24577]: Failed password for illegal user williamb from x.y.z.t port 37852 ssh2
Feb 11 15:21:14 gw sshd[24794]: Illegal user fahriald from x.y.z.t
Feb 11 15:21:14 gw sshd[24823]: Illegal user maartend from x.y.z.t
Feb 11 15:21:16 gw sshd[24794]: Failed password for illegal user fahriald from x.y.z.t port 38124 ssh2
Feb 11 15:21:17 gw sshd[24823]: Failed password for illegal user maartend from x.y.z.t port 38133 ssh2
Feb 11 15:21:20 gw sshd[24837]: Illegal user michelle from x.y.z.t
Feb 11 15:21:20 gw sshd[24838]: Illegal user fahriald from x.y.z.t
Feb 11 15:21:22 gw sshd[24837]: Failed password for illegal user michelle from x.y.z.t port 38402 ssh2
Feb 11 15:21:22 gw sshd[24838]: Failed password for illegal user fahriald from x.y.z.t port 38416 ssh2
Feb 11 15:21:26 gw sshd[24843]: Illegal user michelle from x.y.z.t
Feb 11 15:21:28 gw sshd[24843]: Failed password for illegal user michelle from x.y.z.t port 38729 ssh2
Feb 11 15:21:40 gw sshd[25337]: Accepted publickey for root from my.other.machine's.ip port 54751 ssh2
Feb 11 15:22:39 gw sshd[26598]: Accepted publickey for root from my.other.machine's.ip port 54752 ssh2
Feb 11 15:23:40 gw sshd[27871]: Accepted publickey for root from my.other.machine's.ip port 54753 ssh2
Feb 11 15:24:40 gw sshd[29188]: Accepted publickey for root from my.other.machine's.ip port 54754 ssh2
Feb 11 15:25:40 gw sshd[30403]: Accepted publickey for root from my.other.machine's.ip port 54755 ssh2
Feb 11 15:26:40 gw sshd[31416]: Accepted publickey for root from my.other.machine's.ip port 54756 ssh2

As you can see, these entries overcrowd the file, making it a bit difficult to track real events.

Any idea?

P.S. The machine is an old Red Hat 7.x
Asked by: kronostm
1 Solution
 
Maciej SsysadminCommented:
The solution is to install syslog-ng in place of the default syslog daemon.
syslog-ng is very customizable, and you should be able to configure it in such a way that it doesn't log (or logs to another file) ssh attempts from your particular host.
 
xDamoxCommented:
 
kronostmAuthor Commented:
Thanks for the tips, guys. I know syslog-ng; however, I don't want to install anything else on the router. Installing even from RPM means I have to install libc and other dependencies, and for security reasons I don't want any compiler on the router.

If nobody comes up with another solution during the next few days, I will award the points for syslog-ng.
 
kronostmAuthor Commented:
I ended up doing a scheduled sed script on the file. If anyone needs it, it looks like this:

sed '/my.other.ip.address/d' /var/log/secure > /var/log/secure.clean
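A more selective version of the same idea, added here as an example and not the author's script: it diverts only the expected "Accepted publickey" lines for one user/host pair into a separate file and keeps everything else, so a failed login from the automation host stays visible, and it compares the host as a literal field rather than as a regex (in the sed pattern the dots match any character). The host, user and sample log lines are constructed placeholders.

```shell
#!/bin/sh
# Split an sshd log into "expected automation" lines and everything else.
# Placeholders (assumptions): the automation host and account below.
AUTO_HOST="${AUTO_HOST:-192.0.2.10}"
AUTO_USER="${AUTO_USER:-root}"

# Constructed sample in the same layout as the excerpt in the question.
# Line 5 is a failed login from the automation host; line 6 has a host
# that a dotted regex would match but an exact comparison will not.
SAMPLE='Feb 11 15:21:03 gw sshd[24571]: Illegal user gordon from 198.51.100.7
Feb 11 15:21:05 gw sshd[24571]: Failed password for illegal user gordon from 198.51.100.7 port 37546 ssh2
Feb 11 15:21:40 gw sshd[25337]: Accepted publickey for root from 192.0.2.10 port 54751 ssh2
Feb 11 15:22:39 gw sshd[26598]: Accepted publickey for root from 192.0.2.10 port 54752 ssh2
Feb 11 15:23:10 gw sshd[26700]: Failed password for root from 192.0.2.10 port 54753 ssh2
Feb 11 15:24:40 gw sshd[29188]: Accepted publickey for root from 192x0.2.10 port 54754 ssh2'

# filter_secure INFILE CLEANFILE NOISEFILE
# Only a full "sshd[pid]: Accepted publickey for USER from HOST port" match
# is diverted to NOISEFILE; every other line is written to CLEANFILE.
filter_secure() {
    awk -v user="$AUTO_USER" -v host="$AUTO_HOST" -v clean="$2" -v noise="$3" '
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $7 == "publickey" &&
        $8 == "for" && $9 == user && $10 == "from" && $11 == host && $12 == "port" {
            print > noise; next
        }
        { print > clean }
    ' "$1"
}

# Runs the filter over the sample and prints "<clean lines> <noise lines>".
run_demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE" > "$dir/secure"
    filter_secure "$dir/secure" "$dir/secure.clean" "$dir/secure.automation"
    printf '%s %s\n' "$(awk 'END { print NR }' "$dir/secure.clean")" \
                     "$(awk 'END { print NR }' "$dir/secure.automation")"
    rm -rf "$dir"
}

# The question's sed approach on the same sample, for comparison: it drops
# every line mentioning the host, including the failed login and line 6.
naive_sed_demo() {
    printf '%s\n' "$SAMPLE" | sed "/$AUTO_HOST/d" | awk 'END { print NR }'
}

run_demo        # prints "4 2"
naive_sed_demo  # prints "2"
```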
