I'm using a monitoring agent (telegraf) to monitor fail2ban. Unfortunately, it requires superuser rights to execute fail2ban-client, which causes 24 system log messages every 10 seconds... Do the math, my system log is absolutely cluttered.
I'd like to suppress these messages in my system log, if possible only caused by telegraf:
sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
sudo: pam_unix(sudo:session): session closed for user root
I've tried using a custom "rule" in /etc/pam.d/sudo to suppress those messages, without success:
# cat /etc/pam.d/sudo
#%PAM-1.0
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-auth
@include common-account
session [default=ignore] pam_succeed_if.so quiet uid = 0 user = root ruser = telegraf
@include common-session-noninteractive
Only the line starting with session was added in that file. The solution was adapted from "How to stop sudo PAM messages in auth.log for a specific user?".
However, the log messages still appear in /var/log/auth.log as well as in journalctl -xe.
I've tried the quiet_success as well as the quiet flag (found in man pam_succeed_if). Also, using success=1 makes telegraf fail to execute fail2ban-client; I'd guess because it needs an interactive tty?
This is logged using the debug flag:
Sep 20 11:34:51 host sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Sep 20 11:34:51 host sudo: pam_succeed_if(sudo:session): 'uid' resolves to '0'
Sep 20 11:34:51 host sudo: pam_succeed_if(sudo:session): 'user' resolves to 'root'
Sep 20 11:34:51 host sudo: pam_succeed_if(sudo:session): 'ruser' resolves to 'telegraf'
Sep 20 11:34:51 host sudo: pam_unix(sudo:session): session closed for user root
As far as I can tell, the "rule" matches uid, user and ruser correctly, but does not suppress log messages. Am I missing a reboot, or what is happening?
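As an added illustration (not part of the question), the following Python simulator of PAM's [value=action] control semantics traces which session modules actually run for the stack above. The contents of common-session-noninteractive are assumed to follow the Debian layout, so the exact modules on the asker's host may differ; under that assumption it reproduces both observations: with [default=ignore] the pam_succeed_if result is simply discarded and pam_unix still runs (and logs), while success=1 jumps past the [default=1] pam_permit line onto pam_deny and the session fails.

```python
# Added illustration (not from the question): minimal simulator of the
# Linux-PAM "[value=action]" control semantics from pam.conf(5).
KEYWORDS = {  # shorthand controls, simplified (new_authtok_reqd omitted)
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
}

def parse_control(text):
    """'required' or '[success=1 default=ignore]' -> {value: action}."""
    if text in KEYWORDS:
        return dict(KEYWORDS[text])
    return dict(pair.split("=", 1) for pair in text.strip("[]").split())

def run_stack(stack, outcomes):
    """Walk [(control, module)]; return (modules executed, 'success'|'fail')."""
    executed, status, i = [], None, 0
    while i < len(stack):
        control, module = stack[i]
        executed.append(module)
        result = outcomes.get(module, "success")      # default: module succeeds
        action = control.get(result, control.get("default", "bad"))
        i += 1
        if action.isdigit():                # 'N': jump over the next N modules
            i += int(action)
        elif action == "ok" and status is None:
            status = "success"              # first contributing result sticks
        elif action in ("bad", "die"):
            status = "fail"
            if action == "die":
                break                       # stop the stack immediately
        elif action == "done" and status != "fail":
            status = "success"
            break
    return executed, status or "fail"       # nothing contributed: config error

# Session lines from the question's /etc/pam.d/sudo, followed by an ASSUMED
# Debian-style common-session-noninteractive (the asker's file may differ).
SUDO_SESSION = [
    ("required", "pam_env.so"), ("required", "pam_env.so"),
    ("[default=ignore]", "pam_succeed_if.so"),
    ("[default=1]", "pam_permit.so"), ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"), ("required", "pam_unix.so"),
]

def session_for_telegraf(succeed_if_control):
    """Evaluate the stack with pam_succeed_if's control replaced; the debug
    log shows its uid/user/ruser tests all match, so that module succeeds."""
    stack = [(parse_control(succeed_if_control if m == "pam_succeed_if.so" else c), m)
             for c, m in SUDO_SESSION]
    return run_stack(stack, {"pam_deny.so": "fail"})   # pam_deny always fails
```

Calling session_for_telegraf("[default=ignore]") and session_for_telegraf("[success=1 default=ignore]") returns the executed module list and the overall stack result for each control.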