Many audit logs in messages

Hello everybody, My server is receiving many of these logs below in /var/log/messages:

Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322612): pid=26973 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322613): pid=26979 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322614): pid=26973 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322615): pid=26973 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39139 res=1
Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322616): pid=26979 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322617): pid=26979 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39140 res=1
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.658:322618): pid=26968 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1103 audit(1468357201.658:322619): pid=26968 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:01 example-server kernel: type=1006 audit(1468357201.658:322620): pid=26968 uid=0 old-auid=4294967295 auid=977 old-ses=4294967295 ses=39141 res=1
Jul 12 18:00:01 example-server kernel: type=1101 audit(1468357201.659:322621): pid=26978 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:12 example-server kernel: audit_printk_skb: 363 callbacks suppressed
Jul 12 18:00:12 example-server kernel: type=1104 audit(1468357212.127:322743): pid=26968 uid=0 auid=977 ses=39141 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:00:12 example-server kernel: type=1106 audit(1468357212.128:322744): pid=26968 uid=0 auid=977 ses=39141 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="munin" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1101 audit(1468357261.132:322746): pid=27832 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: audit: audit_lost=102646 audit_rate_limit=0 audit_backlog_limit=320
Jul 12 18:01:01 example-server kernel: type=1101 audit(1468357261.132:322747): pid=27830 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: audit: printk limit exceeded
Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322748): pid=27830 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322749): pid=27832 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1103 audit(1468357261.132:322750): pid=27831 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322751): pid=27832 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39158 res=1
Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322752): pid=27830 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39159 res=1
Jul 12 18:01:01 example-server kernel: type=1006 audit(1468357261.132:322753): pid=27831 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39160 res=1
Jul 12 18:02:01 example-server kernel: audit_printk_skb: 51 callbacks suppressed
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322771): pid=27922 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322772): pid=27925 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.489:322773): pid=27922 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.489:322774): pid=27922 uid=0 old-auid=4294967295 auid=0 old-ses=4294967295 ses=39162 res=1
Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.489:322775): pid=27925 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.489:322776): pid=27924 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.489:322777): pid=27925 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39163 res=1
Jul 12 18:02:01 example-server kernel: type=1103 audit(1468357321.490:322778): pid=27924 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:02:01 example-server kernel: type=1006 audit(1468357321.490:322779): pid=27924 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39164 res=1
Jul 12 18:02:01 example-server kernel: type=1101 audit(1468357321.492:322780): pid=27923 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: audit_printk_skb: 60 callbacks suppressed
Jul 12 18:03:01 example-server kernel: type=1101 audit(1468357381.215:322801): pid=28016 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322802): pid=28015 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322803): pid=28016 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1101 audit(1468357381.215:322804): pid=28017 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322805): pid=28016 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39166 res=1
Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322806): pid=28015 uid=0 old-auid=4294967295 auid=1018 old-ses=4294967295 ses=39167 res=1
Jul 12 18:03:01 example-server kernel: type=1103 audit(1468357381.215:322807): pid=28017 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser02" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1006 audit(1468357381.215:322808): pid=28017 uid=0 old-auid=4294967295 auid=1058 old-ses=4294967295 ses=39168 res=1
Jul 12 18:03:01 example-server kernel: type=1105 audit(1468357381.228:322809): pid=28016 uid=0 auid=1018 ses=39166 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
Jul 12 18:03:01 example-server kernel: type=1110 audit(1468357381.229:322810): pid=28016 uid=0 auid=1018 ses=39166 msg='op=PAM:setcred grantors=pam_env,pam_hulk,pam_unix acct="examapleuser01" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'

This is new, It did not happen before. SElinux is disabled.

cPanelMichael

July 13, 2016 15:44

It did not happen before.

Hello, Please ensure you review Guide To Opening An Effective Forums Thread and let us know the requested information about your system. Also, please let us know the contents of the " /etc/audit/rules.d/audit.rules" file on this system. Thank you.

Rodrigo Gomes

July 13, 2016 19:02

Acess level: root Cpanel plugins: clamavconnector 0.99-4.cp1156 munin Version: obsolete csf v9.10

/etc/redhat-release:CentOS Linux release 7.2.1511 (Core)
/usr/local/cpanel/version:11.56.0.25
/var/cpanel/envtype:kvm
CPANEL=release
Server version: Apache/2.4.18 (Unix)
Server built:   Jul  7 2016 03:17:41
Cpanel::Easy::Apache v3.34.1 rev9999
PHP 5.6.23 (cli) (built: Jul  7 2016 03:21:29)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
    with the ionCube PHP Loader v4.7.5, Copyright (c) 2002-2014, by ionCube Ltd., and
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
    with Suhosin v0.9.38, Copyright (c) 2007-2015, by SektionEins GmbH
mysql  Ver 14.14 Distrib 5.6.30, for Linux (x86_64) using  EditLine wrapper

/etc/audit/rules.d/audit.rules:

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

/etc/audit/auditd.conf:


#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6 
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port = 
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

I'm sorry by the lack of information in my thread.

July 14, 2016 21:02

Hello, Your auditd configuration matches up with the default correction. You mentioned that SELinux is disabled. Could you confirm the output from the "getenforce" command? Thank you.

July 17, 2016 11:23

# getenforce
Disabled

After restart these logs stopped happening. I can't say what happened. But it may have been an update that needed restart. Thanks!

July 18, 2016 16:05

I'm happy to see the issue is now resolved. Thank you for updating us with the outcome.

Many audit logs in messages

Comments

Didn't find what you were looking for?