Reduce Logging in /var/log/secure

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
juana
Posts: 44
Joined: Thu Nov 01, 2012 4:53 pm
Location: Monterey, CA

Reduce Logging in /var/log/secure

Post by juana »

Hello,

We are required to preserve server logs for a certain extended amount of time. We currently use different log transferring tools such as logjam and rsync to move logs to dedicated log servers. We've noticed that Nagios heavily populates /var/log/secure with logs such as the snippet below. Is there any way we can reduce how much logging Nagios does? We have a lot of logs, so the less data, the easier it is to move stuff around and preserve.

Code:

Jul 14 14:58:56 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service crond
Jul 14 15:00:04 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service sshd
Jul 14 15:01:25 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service httpd
Jul 14 15:03:56 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service crond
Jul 14 15:05:04 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service sshd
Jul 14 15:06:24 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service httpd

Thank you,

Juana
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Reduce Logging in /var/log/secure

Post by abrist »

You may be able to reduce the log spam by changing the rsyslog config. Could you post a copy of the file:

Code:

 /etc/rsyslog.conf

Former Nagios employee
juana
Posts: 44
Joined: Thu Nov 01, 2012 4:53 pm
Location: Monterey, CA

Re: Reduce Logging in /var/log/secure

Post by juana »

This is on RHEL5 hence /etc/syslog.conf:

Code:

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: Reduce Logging in /var/log/secure

Post by lmiltchev »

To stop the logging in the "/var/log/secure" altogether, you can comment out this line to look like this:

Code:

# authpriv.*                                              /var/log/secure

then restart the service:

Code:

service rsyslog restart

If you want to change the level of logging in the "/var/log/secure", you may need to configure pam. I haven't done this, so I am not sure how to do it, but you can go to "/etc/pam.d" and look through the configs.

You can also reduce some of the logging in the "/var/log/messages" from nagios by setting "use_syslog=0" in the "nagios.cfg".
Be sure to check out our Knowledgebase for helpful articles and solutions!
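
An alternative to switching off authpriv logging entirely, shown as an added example that is not part of the original thread: filter only the routine Nagios sudo entries out of the copy of /var/log/secure that is shipped to the log server, and keep a count of what was dropped. The function names, the plugin directory constant and the sample lines are constructed for illustration; the file on the monitored host is assumed to stay untouched.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread, plus two lines
# (an sshd failure and a non-plugin sudo command) that must be preserved.
SAMPLE = """\
Jul 14 14:58:56 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service crond
Jul 14 14:59:10 hostxyx sshd[2211]: Failed password for root from 192.0.2.10 port 40022 ssh2
Jul 14 15:00:04 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service sshd
Jul 14 15:00:30 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/bash
Jul 14 15:01:25 hostxyx sudo:   nagios : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/nagios/libexec/check_init_service httpd
"""

# Matches only successful sudo entries. Denied attempts carry an extra
# field before TTY= and therefore never match, so they are always kept.
SUDO_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} \S+ sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
PLUGIN_DIR = "/usr/local/nagios/libexec/"  # path taken from the quoted log lines


def is_routine_check(line):
    """True only for a non-interactive nagios sudo call of a plugin."""
    m = SUDO_RE.match(line)
    if not m:
        return False
    program = m.group("cmd").split(" ", 1)[0]
    return (
        m.group("user") == "nagios"
        and m.group("tty") == "unknown"
        and program.startswith(PLUGIN_DIR)
        and ".." not in program  # reject paths that climb out of the plugin dir
    )


def reduce_secure_log(text):
    """Return (lines to ship, Counter of suppressed commands)."""
    kept, suppressed = [], Counter()
    for line in text.splitlines():
        if is_routine_check(line):
            suppressed[SUDO_RE.match(line).group("cmd")] += 1
        else:
            kept.append(line)
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = reduce_secure_log(SAMPLE)
    print("\n".join(kept))
    for cmd, n in sorted(suppressed.items()):
        print(f"# suppressed {n}x: {cmd}")
```

Anything that is not an exact match for the routine check pattern, including sudo calls by nagios for other programs, passes through unchanged.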
juana
Posts: 44
Joined: Thu Nov 01, 2012 4:53 pm
Location: Monterey, CA

Re: Reduce Logging in /var/log/secure

Post by juana »

Thank you! I'll try setting the "use_syslog=0" in the "nagios.cfg" as we do want other logs to end up in /var/log/secure.
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: Reduce Logging in /var/log/secure

Post by lmiltchev »

You are welcome! Let us know if you have any more questions.
juana
Posts: 44
Joined: Thu Nov 01, 2012 4:53 pm
Location: Monterey, CA

Re: Reduce Logging in /var/log/secure

Post by juana »

Hello again,

On the Nagios XI master, I modified nagios.cfg and set use_syslog=0 and 'service nagios restart', but the logs are still happening on the clients. I did 'service syslog restart' on one of the clients, but no difference in the nagios logging performed in the client's /var/log/secure file. Ideas of what else I should try? Does the use_syslog=0 need to be set at the client level or just the nagios master? Should I reboot the Nagios XI master server?

Thank you,

Juana
slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Re: Reduce Logging in /var/log/secure

Post by slansing »

"but the logs are still happening on the clients."

What, specifically, do you mean by clients here? Are you referring to remote systems that nagios is checking? If so, that is not controlled by nagios; that is up to the agent you are using, or the services that are being used to check through, such as xinetd, nsca, nrpe, etc.
juana
Posts: 44
Joined: Thu Nov 01, 2012 4:53 pm
Location: Monterey, CA

Re: Reduce Logging in /var/log/secure

Post by juana »

Hello,

Yes, I was referring to the remote system that Nagios is checking. Great, thank you for letting me know that is beyond Nagios.... makes absolute sense that the xinetd service (or *) handles that. I just needed to ensure my part (the Nagios side) has been properly handled and I think I have.

Thank you all for your great support!

jj