Can the logging to /var/log/auth.log be reduced?

[E3V3A]

Because our arp-scan require sudo, we get excessive logs, every time it is ran.
you can check this with journalctl -b or cat /var/log/auth.log:

May 10 11:28:03 sudo[26437]:       pi : TTY=unknown ; PWD=/home/pi/MagicMirror ; USER=root ; COMMAND=/usr/bin/arp-scan -q -l
May 10 11:28:03 sudo[26437]: pam_unix(sudo:session): session opened for user root by (uid=0)
May 10 11:28:07 sudo[26437]: pam_unix(sudo:session): session closed for user root

Would be great to find a way to remove this noise, since it is also using up SD space and keeping more important messages from showing in journalctl logs.

[ianperrin]

@E3V3A - interesting spot. I don’t think there is a way to stop the logging via the code.

A quick search turned up this but I’d want to be sure that there was a way to isolate the configuration so that only sudo requests made by the module bypass the auth.log before recommending.

[E3V3A]

I managed to get rid of all lines. For the first line:

# sudo nano /etc/sudoers.d/020_pi
Defaults:pi     !logfile, !syslog
pi xxx = (root) NOPASSWD: /usr/bin/arp-scan

For the session lines:

# sudo cat /etc/pam.d/sudo

#%PAM-1.0

@include common-auth
@include common-account
session [success=1 default=ignore] pam_succeed_if.so quiet_success uid = 0 ruser = pi
@include common-session-noninteractive

Unfortunately, AFAIK, PAM does not seem to keep track of the processes. So yes, using that second line would remove all (sudo based) root requests from most non-interactive process. (Which I don't mind.)

In order to work around it, we'd have to create a separate user or service for this... which is out of scope for most MM modules. But it may still be possible using other methods provided by the sudo node module....

We could offer the silence solution as a script to run, for those users who want more silent logs. I think that's a good idea, because my auth.log was going into the megabytes, just after a day.