/var/log/secure overcrowded

Hi,
   I am looking for a solution to keep /var/log/secure a bit cleaner. The issue is that on this machine there are automatic ssh privatekey logins every minute from another machine of mine. It is a script that copies some files every minute, and I have to keep it running. Since I have an entry in /var/log./secure every minute from the second machine, it is obvious that it becomes overcrowded and difficult to read. I was unable to find a solution to exclude from logging the private key sessions OR to exclude logins from that certain machine (my.other.machine's.ip)
  If anyone has a solution besides a cron script that will delete the entries from /var/log/secure, please take 500 points ;)

Here's an example of how the file looks:

Feb 11 15:21:03 gw sshd[24571]: Illegal user gordon from x.y.z.t
Feb 11 15:21:03 gw sshd[24573]: Illegal user williamb from x.y.z.t
Feb 11 15:21:05 gw sshd[24571]: Failed password for illegal user gordon from x.y.z.t port 37546 ssh2
Feb 11 15:21:05 gw sshd[24573]: Failed password for illegal user williamb from x.y.z.t port 37607 ssh2
Feb 11 15:21:08 gw sshd[24578]: Illegal user maartend from x.y.z.t
Feb 11 15:21:09 gw sshd[24577]: Illegal user williamb from x.y.z.t
Feb 11 15:21:11 gw sshd[24578]: Failed password for illegal user maartend from 125.22.251.218 port 37854 ssh2
Feb 11 15:21:11 gw sshd[24577]: Failed password for illegal user williamb from x.y.z.t port 37852 ssh2
Feb 11 15:21:14 gw sshd[24794]: Illegal user fahriald from x.y.z.t
Feb 11 15:21:14 gw sshd[24823]: Illegal user maartend from x.y.z.t
Feb 11 15:21:16 gw sshd[24794]: Failed password for illegal user fahriald from x.y.z.t port 38124 ssh2
Feb 11 15:21:17 gw sshd[24823]: Failed password for illegal user maartend from x.y.z.t port 38133 ssh2
Feb 11 15:21:20 gw sshd[24837]: Illegal user michelle from x.y.z.t
Feb 11 15:21:20 gw sshd[24838]: Illegal user fahriald from x.y.z.t
Feb 11 15:21:22 gw sshd[24837]: Failed password for illegal user michelle fromx.y.z.t port 38402 ssh2
Feb 11 15:21:22 gw sshd[24838]: Failed password for illegal user fahriald from x.y.z.t port 38416 ssh2
Feb 11 15:21:26 gw sshd[24843]: Illegal user michelle from x.y.z.t
Feb 11 15:21:28 gw sshd[24843]: Failed password for illegal user michelle from x.y.z.tport 38729 ssh2
Feb 11 15:21:40 gw sshd[25337]: Accepted publickey for root from my.other.machine's.ip port 54751 ssh2
Feb 11 15:22:39 gw sshd[26598]: Accepted publickey for root from my.other.machine's.ip port 54752 ssh2
Feb 11 15:23:40 gw sshd[27871]: Accepted publickey for root from my.other.machine's.ip port 54753 ssh2
Feb 11 15:24:40 gw sshd[29188]: Accepted publickey for root from my.other.machine's.ip port 54754 ssh2
Feb 11 15:25:40 gw sshd[30403]: Accepted publickey for root from my.other.machine's.ip port 54755 ssh2
Feb 11 15:26:40 gw sshd[31416]: Accepted publickey for root from my.other.machine's.ip port 54756 ssh2

As you can see, these entries overcrowd the file, making it a bit difficult to track for real events.

Any idea?

P.S. The machine is an old Red Hat 7.x
LVL 14
Adrian DobrotaNetworking EngineerAsked:
Who is Participating?
 
Maciej SsysadminCommented:
Solution is to install syslog-ng in place of default syslog daemon.
syslog-ng is very customizable, and you should be able to configure it in such way, that it doesn't log (or logs it to another file) ssh attempts from your particular host.
0
 
xDamoxCommented:
0
 
Adrian DobrotaNetworking EngineerAuthor Commented:
Thanks for the tips guys. I know Syslog-ng, however I don't want to install anything else on the router. Installing even from RPM means I have to install libc and other dependencies, and for security reasons I don't want any compiler on the router.

If during the next few days nobody will come with another solution, I will award the points for syslog-ng
0
 
Adrian DobrotaNetworking EngineerAuthor Commented:
I ended up by doing a scheduled sed script on the file. If anyone needs it it looks like this:

sed '/my.other.ip.address/d' /var/log/secure > /var/log/secure.clean
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.