It took me a bunch of googling and a few dead ends to figure this one out. You want to edit your /etc/syslog.conf file. Change the line that reads: *.info;mail.none;authpriv.none;cron.none /var/log/messages to read: *.info;mail.none;authpriv.none;cron.none;auth.!=info /var/log/messages Then add: auth.info /var/log/auth.info And you probably want to add the new /var/log/auth.info to /etc/logrotate.d as well. This will move all of the auth messages to a separate file. It looks to me like all the messages are coming from the use of a new PAM module. Every time a cron job fires there is a round of authentication that gets logged. That's a problem if you've got jobs firing every couple of minutes like I do. Kirk Bocek Ugo Bellavance wrote: > Hi, > > Since I upgraded CentOS from 3 to 4, I get those enties in logwatch. > It seems to be caused by cron, opening a session everytime it executes a > task. Is that normal? > > crond: > Unknown Entries: > session closed for user root: 381 Time(s) > session opened for user root by (uid=0): 379 Time(s) > session closed for user user: 239 Time(s) > session opened for user user by (uid=0): 239 Time(s) > session closed for user backup_user: 2 Time(s) > session opened for user backup_user by (uid=0): 2 Time(s)