Adrian Dobrota
asked on
/var/log/secure overcrowded
Hi,
I am looking for a solution to keep /var/log/secure a bit cleaner. The issue is that on this machine there are automatic ssh private-key logins every minute from another machine of mine. It is a script that copies some files every minute, and I have to keep it running. Since I have an entry in /var/log/secure every minute from the second machine, it is obvious that it becomes overcrowded and difficult to read. I was unable to find a solution to exclude from logging the private key sessions OR to exclude logins from that certain machine (my.other.machine's.ip).
If anyone has a solution besides a cron script that will delete the entries from /var/log/secure, please take 500 points ;)
Here's an example of how the file looks:
Feb 11 15:21:03 gw sshd[24571]: Illegal user gordon from x.y.z.t
Feb 11 15:21:03 gw sshd[24573]: Illegal user williamb from x.y.z.t
Feb 11 15:21:05 gw sshd[24571]: Failed password for illegal user gordon from x.y.z.t port 37546 ssh2
Feb 11 15:21:05 gw sshd[24573]: Failed password for illegal user williamb from x.y.z.t port 37607 ssh2
Feb 11 15:21:08 gw sshd[24578]: Illegal user maartend from x.y.z.t
Feb 11 15:21:09 gw sshd[24577]: Illegal user williamb from x.y.z.t
Feb 11 15:21:11 gw sshd[24578]: Failed password for illegal user maartend from 125.22.251.218 port 37854 ssh2
Feb 11 15:21:11 gw sshd[24577]: Failed password for illegal user williamb from x.y.z.t port 37852 ssh2
Feb 11 15:21:14 gw sshd[24794]: Illegal user fahriald from x.y.z.t
Feb 11 15:21:14 gw sshd[24823]: Illegal user maartend from x.y.z.t
Feb 11 15:21:16 gw sshd[24794]: Failed password for illegal user fahriald from x.y.z.t port 38124 ssh2
Feb 11 15:21:17 gw sshd[24823]: Failed password for illegal user maartend from x.y.z.t port 38133 ssh2
Feb 11 15:21:20 gw sshd[24837]: Illegal user michelle from x.y.z.t
Feb 11 15:21:20 gw sshd[24838]: Illegal user fahriald from x.y.z.t
Feb 11 15:21:22 gw sshd[24837]: Failed password for illegal user michelle from x.y.z.t port 38402 ssh2
Feb 11 15:21:22 gw sshd[24838]: Failed password for illegal user fahriald from x.y.z.t port 38416 ssh2
Feb 11 15:21:26 gw sshd[24843]: Illegal user michelle from x.y.z.t
Feb 11 15:21:28 gw sshd[24843]: Failed password for illegal user michelle from x.y.z.t port 38729 ssh2
Feb 11 15:21:40 gw sshd[25337]: Accepted publickey for root from my.other.machine's.ip port 54751 ssh2
Feb 11 15:22:39 gw sshd[26598]: Accepted publickey for root from my.other.machine's.ip port 54752 ssh2
Feb 11 15:23:40 gw sshd[27871]: Accepted publickey for root from my.other.machine's.ip port 54753 ssh2
Feb 11 15:24:40 gw sshd[29188]: Accepted publickey for root from my.other.machine's.ip port 54754 ssh2
Feb 11 15:25:40 gw sshd[30403]: Accepted publickey for root from my.other.machine's.ip port 54755 ssh2
Feb 11 15:26:40 gw sshd[31416]: Accepted publickey for root from my.other.machine's.ip port 54756 ssh2
As you can see, these entries overcrowd the file, making it a bit difficult to track for real events.
Any idea?
P.S. The machine is an old Red Hat 7.x
ASKER CERTIFIED SOLUTION
ASKER
Thanks for the tips guys. I know Syslog-ng, however I don't want to install anything else on the router. Installing even from RPM means I have to install libc and other dependencies, and for security reasons I don't want any compiler on the router.
If during the next few days nobody will come with another solution, I will award the points for syslog-ng
ASKER
I ended up doing a scheduled sed script on the file. If anyone needs it, it looks like this:
sed '/my.other.ip.address/d' /var/log/secure > /var/log/secure.clean   # writes a filtered copy; the original file is left in place
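The sed command above drops every line that mentions the other host. As an added example that is not part of this thread, the Python script below takes the narrower approach: it suppresses only the successful "Accepted publickey" login the copy job is expected to produce (matched on user and source address), writes a filtered copy, and never modifies /var/log/secure itself. A failed password or a key login as a different account from that same address therefore still shows up in the cleaned view. The sample log lines, the addresses 192.0.2.10 and 203.0.113.5, and the file name filter_secure.py are constructed for the example.

```python
import re
import sys

# Syslog line as sshd writes it on the box in the thread:
#   "Feb 11 15:21:40 gw sshd[25337]: Accepted publickey for root from 1.2.3.4 port 54751 ssh2"
SSHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# The one event treated as routine noise: a successful public-key login.
ACCEPTED_KEY = re.compile(
    r"^Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def is_routine(line, user, ip):
    """True only for an 'Accepted publickey' login by `user` from `ip`.

    Anything else from that address (Failed password, Illegal user, a key
    login as a different account) is not routine and is kept, so the
    filtered view still shows that host misbehaving.
    """
    m = SSHD_LINE.match(line.rstrip("\n"))
    if not m:
        return False
    a = ACCEPTED_KEY.match(m.group("msg"))
    return a is not None and a.group("user") == user and a.group("ip") == ip


def filter_secure(lines, user, ip):
    """Return (kept_lines, suppressed_count).

    Takes an iterable of log lines and builds a new list; nothing is written
    back to the source, so the real /var/log/secure keeps its full record.
    """
    kept = []
    suppressed = 0
    for line in lines:
        if is_routine(line, user, ip):
            suppressed += 1
        else:
            kept.append(line.rstrip("\n"))
    return kept, suppressed


# Constructed sample in the thread's format: 203.0.113.5 plays the scanner,
# 192.0.2.10 the asker's other machine (both are documentation address ranges).
SAMPLE = """\
Feb 11 15:21:03 gw sshd[24571]: Illegal user gordon from 203.0.113.5
Feb 11 15:21:05 gw sshd[24571]: Failed password for illegal user gordon from 203.0.113.5 port 37546 ssh2
Feb 11 15:21:40 gw sshd[25337]: Accepted publickey for root from 192.0.2.10 port 54751 ssh2
Feb 11 15:22:39 gw sshd[26598]: Accepted publickey for root from 192.0.2.10 port 54752 ssh2
Feb 11 15:22:50 gw sshd[26601]: Failed password for root from 192.0.2.10 port 54760 ssh2
Feb 11 15:23:40 gw sshd[27871]: Accepted publickey for root from 192.0.2.10 port 54753 ssh2
Feb 11 15:23:55 gw sshd[27880]: Accepted publickey for backup from 192.0.2.10 port 54754 ssh2
"""


def main(argv):
    # Usage: filter_secure.py USER IP [LOGFILE]  (reads the built-in sample when no file is given)
    if len(argv) < 3:
        sys.stderr.write("usage: filter_secure.py USER IP [LOGFILE]\n")
        return 2
    user, ip = argv[1], argv[2]
    if len(argv) > 3:
        with open(argv[3]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE.splitlines()
    kept, suppressed = filter_secure(lines, user, ip)
    for line in kept:
        print(line)
    sys.stderr.write("suppressed %d routine publickey logins for %s from %s\n"
                     % (suppressed, user, ip))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python filter_secure.py root 192.0.2.10 /var/log/secure > /var/log/secure.clean` from cron in place of the sed; with the sample input, the three routine root logins are suppressed and the four other lines, including the failed root password from 192.0.2.10 and the key login as "backup", are kept.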
Have a look at
http://www.novell.com/communities/node/5003/syslog-ng-ssh-logging