Home / server / Questions / 1084999
In Process
DenisZ
Asked: 2021-12-01 08:34:11 +0800 CST

How to disable crontab list entries in cron log?

  • 772

I have a script on server that runs every few min, and among other things checks if some malicious crontab entries have been injected. In order to do this I check crontabs of all users, which works all good, but my /var/log/cron file gets filled up with entries of the all crontab listings, so everytime I run the script it would log all crontab lists like this:

Nov 30 17:16:02 myserv crontab[348610]: (root) LIST (root)
Nov 30 17:16:02 myserv crontab[348611]: (root) LIST (bin)
Nov 30 17:16:02 myserv crontab[348612]: (root) LIST (daemon)
Nov 30 17:16:02 myserv crontab[348613]: (root) LIST (adm)
Nov 30 17:16:02 myserv crontab[348614]: (root) LIST (lp)
Nov 30 17:16:02 myserv crontab[348615]: (root) LIST (sync)
Nov 30 17:16:02 myserv crontab[348616]: (root) LIST (shutdown)
Nov 30 17:16:02 myserv crontab[348617]: (root) LIST (halt)
Nov 30 17:16:02 myserv crontab[348618]: (root) LIST (mail)
Nov 30 17:16:02 myserv crontab[348619]: (root) LIST (operator)
Nov 30 17:16:02 myserv crontab[348620]: (root) LIST (games)
Nov 30 17:16:02 myserv crontab[348621]: (root) LIST (ftp)
Nov 30 17:16:02 myserv crontab[348622]: (root) LIST (smb)
Nov 30 17:16:02 myserv crontab[348623]: (root) LIST (named)
Nov 30 17:16:02 myserv crontab[348624]: (root) LIST (postgres)
Nov 30 17:16:02 myserv crontab[348625]: (root) LIST (mysql)
.....

so it fills up log file unnecessarily. I played with different selectors but it seems when choosing cron.info it shows all info, whereas cron.notice it doesn't show when crontab has been edited nor executed, which again I like in my logs.

# Log cron stuff
cron.*                                                  /var/log/cron

cron.* seems to be the same as cron.info Any Ideas how to exclude "LIST" entries? so /var/log/cron would look like:

Nov 30 17:24:02 mysrv CROND[349831]: (root) CMDEND (/etc/cron.b/check nout >/dev/null 2>&1)
Nov 30 17:28:01 mysrv CROND[350781]: (root) CMD (/etc/cron.b/check nout >/dev/null 2>&1)
cron rsyslog

2 Answers

  1. Try with cron.none . If you use * an asterisk ( * ) matches zero or more occurrences.

    Now your can modify the rule in order to move the log to another file /path/to/another/file

    UPDATE

    Compare-Operations

    The following compare-operations are currently supported:

    contains

    Checks if the string provided in value is contained in the property. There must be an exact match, wildcards are not supported.

    isequal

    Compares the “value” string provided and the property contents. These two values must be exactly equal to match. The difference to contains is that contains searches for the value anywhere inside the property value, whereas all characters must be identical for isequal. As such, isequal is most useful for fields like syslogtag or FROMHOST, where you probably know the exact contents.

    startswith

    Checks if the value is found exactly at the beginning of the property value. For example, if you search for “val” with

    :msg, startswith, "val"

    it will be a match if msg contains “values are in this message” but it won’t match if the msg contains “There are values in this message” (in the later case, “contains” would match). Please note that “startswith” is by far faster than regular expressions. So even once they are implemented, it can make very much sense (performance-wise) to use “startswith”.

    regex

    Compares the property against the provided POSIX BRE regular expression.

    ereregex

    Compares the property against the provided POSIX ERE regular expression.

    You can use the bang-character (!) immediately in front of a compare-operation, the outcome of this operation is negated. For example, if msg contains “This is an informative message”, the following sample would not match:

    :msg, contains, "error"

    but this one matches:

    :msg, !contains, "error"

    Using negation can be useful if you would like to do some generic processing but exclude some specific events. You can use the discard action in conjunction with that. A sample would be:

    *.* /var/log/allmsgs-including-informational.log
:msg, contains, "informational"  ~
*.* /var/log/allmsgs-but-informational.log

    Do not overlook the tilde in line 2! In this sample, all messages are written to the file allmsgs-including-informational.log. Then, all messages containing the string “informational” are discarded. That means the config file lines below the “discard line” (number 2 in our sample) will not be applied to this message. Then, all remaining lines will also be written to the file allmsgs-but-informational.log.

    • 1

  2. I found solution with filter, for anyone that's interested. I inserted a statement above cron.info, to remove unwanted messages. so my solution looks like:

    :msg, contains, "(root) LIST"                           ~
cron.*                                                  /var/log/cron

    now all lines with entries with "(root) LIST" will be discarded.

    • 0