auth.log fills disk

I would suggest something like:

Defaults:quantum !syslog

- but this would turn off all logging of 'sudo' activity from quantum - it would be better if it were more specific, specifying the actual rootwrap command for no-log treatment.

(also, /etc/sudoers.d/quantum-rootwrap is straight out of the package, it seems; we don't reconfigure it, and my changes persist over a puppet rerun.)

OK, of the three lines in the syslog, that removes only one - the 'session opened' and 'session closed' lines still need disabling.

And, additionally (it removes all PAM session recording, mind - not ideal, though sudo and friends should be logging what people try):

auth,authpriv.notice /var/log/auth.log

either in rsyslog.g/50-default, or in a later file, overriding it.

What's the burn rate here? E.g. is the right answer simply to rotate the logs so that you can still see when Quantum/OVS are doing things (as I imagine security auditors might well want to know this sort of thing)? Or is disk being consumed to quickly to make that feasible?

every 2 seconds per router/tap interface. This is basically creating way too much noise to find anything useful in the auth.log.

-rw-r----- 1 syslog adm 332M Jul 10 12:44 auth.log
-rw-r----- 1 syslog adm 464M Jul 7 06:25 auth.log.1

this is only with 4 routers

Another thought to add to Ian's: the frequency could also be toned down by changing report_interval in quantum.conf I believe, though that may have other undesirable impacts.

This is a bit fun since the logging is a combination of the PAM module and sudo

Here's my proposed fix:

- change /etc/sudoers.d/quantum_sudoers to include

Defaults:quantum syslog_badpri=err, syslog_goodpri=info

- change /etc/rsyslog.d/50-default.conf auth* priority to

auth.* /var/log/auth.log
authpriv.notice /var/log/auth.log

With that, normal sudo commands still log, as do errored commands from the quantum rootwrap and errors from the PAM session handling

The two things that are not logged in that configuration are

- normal successful quantum rootwrap sudo commands run
- PAM session start / stop for all sudo commands (though the actual command is still logged)

Users in environments which don't mind the noise can simply change authpriv.notice back to authpriv.* in 50-default.conf

Any objections? I'm not thrilled about changing authpriv as there may be other stuff logging at info or debug levels that people care about, but it's probably cleaner than anything else we might do

That autopriv setting is very very verbose to my mind so I'm not offended
by changing it.

I'm also ok with this. Like you I'd prefer not to have to quash the authpriv stuff, but the logspam is bad enough that other such messages are largely getting drowned out anyway so I think it's a reasonable compromise.

Relevant pull requests:
https://github.com/CiscoSystems/grizzly-manifests/pull/97
https://github.com/CiscoSystems/puppet-coe/pull/2