Su entries in auth log

I used to use CentOS for Virtualmin setups but now did a first Ubuntu install. Got a few virtual servers set up already and in the auth log there are these entries every few minutes:

Jun 16 17:35:21 servername su[28624]: Successful su for username by root
Jun 16 17:35:21 servername su[28624]: + ??? root:username
Jun 16 17:35:21 servername su[28624]: pam_unix(su:session): session opened for user username by (uid=0)
Jun 16 17:35:21 servername systemd: pam_unix(systemd-user:session): session opened for user username by (uid=0)
Jun 16 17:35:21 servername systemd-logind[741]: New session c10478 of user username.
Jun 16 17:35:21 servername su[28624]: pam_unix(su:session): session closed for user username
Jun 16 17:35:21 servername systemd-logind[741]: Removed session c10478.

The entries are repeating for each virtual server. Found this thread about the same topic but couldn’t find any cron job running this often: how to determine what is causing su entries in the auth log

What’s the best way to find out the reason for these login sessions?

Hi fundamentals regarding su and sudo, su has no tracking whatsoever and sudo does… Think and use your brain… Su is higher than sudo so… Su should be you and sudo should be your users… If needed…

Think and use your brain…

Not exactly the kind of advice I would expect on a forum where people are supposed to help each other in a polite way. You might want to consider what you write, this is not cool.

Sadly this doesn’t help with my question about why these records come up automatically every few minutes.

1 Like

@unborn, don’t be a jerk.

@hikiy, Webmin has its own built-in cron-like scheduled functions. Since these are happening on the 5 minute mark (it looks like), they are likely Virtualmin’s regular updates and validations, some of which run as the domain owner user. You can see the Webmin scheduled jobs in Webmin->Webmin->Webmin Configuration->Webmin Scheduled Functions. But, don’t mess with them, as some of them are pretty important for Virtualmin functionality. You can alter their frequency in Virtualmin’s config, but some of those are being modified in the next release to run less often, anyway…so the stuff that changes frequently will get checked every five minutes, but stuff that can safely only be checked daily will change.

But, I should mention that it’s not particularly resource-intensive. The change is because of aesthetics (people don’t like seeing the entries in their logs), not because they’re slowing things down or working the system particularly hard. Most of these actions are practically free and there could be hundreds of them happening every five minutes without any notable impact.

3 Likes
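An added example, not part of the thread and not Virtualmin code: one way to check from the log itself that root-initiated su sessions match a five-minute scheduled job, by pairing each "Successful su" line with its session close and testing for short, evenly spaced sessions. The sample lines, the users alice and bob, the assumed year and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the auth.log format quoted above (alice/bob are placeholders).
SAMPLE = """\
Jun 16 17:30:20 servername su[28101]: Successful su for alice by root
Jun 16 17:30:20 servername su[28101]: pam_unix(su:session): session closed for user alice
Jun 16 17:35:21 servername su[28624]: Successful su for alice by root
Jun 16 17:35:21 servername su[28624]: pam_unix(su:session): session closed for user alice
Jun 16 17:40:21 servername su[29110]: Successful su for alice by root
Jun 16 17:40:21 servername su[29110]: pam_unix(su:session): session closed for user alice
Jun 16 17:41:07 servername su[29200]: Successful su for bob by root
Jun 16 17:52:40 servername su[29200]: pam_unix(su:session): session closed for user bob
"""

SU_OK = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ su\[(\d+)\]: Successful su for (\S+) by root")
SU_CLOSE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ su\[(\d+)\]: pam_unix\(su:session\): session closed")

def _ts(stamp, year=2024):
    # Classic syslog timestamps carry no year; the year here is an assumption.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def su_sessions(text):
    """Pair each root-initiated su with its session close, keyed by the su PID."""
    open_, done = {}, []
    for line in text.splitlines():
        if m := SU_OK.match(line):
            open_[m.group(2)] = (m.group(3), _ts(m.group(1)))
        elif (m := SU_CLOSE.match(line)) and m.group(2) in open_:
            user, start = open_.pop(m.group(2))
            done.append((user, start, (_ts(m.group(1)) - start).total_seconds()))
    return done

def classify(text, period=300, tol=15, max_len=2):
    """Label a user 'scheduled' if sessions are short and recur every ~period seconds."""
    by_user = defaultdict(list)
    for user, start, length in su_sessions(text):
        by_user[user].append((start, length))
    result = {}
    for user, rows in by_user.items():
        starts = sorted(s for s, _ in rows)
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        regular = bool(gaps) and all(abs(g - period) <= tol for g in gaps)
        short = all(length <= max_len for _, length in rows)
        result[user] = "scheduled" if regular and short else "review"
    return result

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Users labelled "review" are not necessarily a problem; they are the su sessions that do not fit the periodic pattern and are worth matching against known admin activity.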

Thanks @Joe, appreciate you explaining this very well and it all makes sense now. There seems to be collection.pl running every 5 minutes and I can’t think of anything else these entries could possibly be about as they’re following the same pattern all the time. Glad to hear that this is nothing to worry about.

The reason I was wondering about these entries is that on CentOS similar entries don’t seem to be logged in the secure log even though the same collection.pl is running every 5 minutes. Guess the logging is just different between CentOS and Ubuntu.

Thanks again Joe!
