Hi,

On a SLES 11 SP2 server I see a lot of entries in /var/log/messages like these:

Jan 2 12:59:13 phire su: (to papercut) root on none
Jan 2 13:00:24 phire su: (to papercut) root on none
Jan 2 13:01:35 phire su: (to papercut) root on none
Jan 2 13:02:45 phire su: (to papercut) root on none
Jan 2 13:03:56 phire su: (to papercut) root on none
Jan 2 13:05:06 phire su: (to papercut) root on none
Jan 2 13:06:17 phire su: (to papercut) root on none
Jan 2 13:07:27 phire su: (to papercut) root on none

which correspond to audit.log entries, for example:

type=USER_AUTH msg=audit(1357150683.081:96790): user pid=3227 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="papercut" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
type=USER_ACCT msg=audit(1357150683.081:96791): user pid=3227 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="papercut" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
type=CRED_ACQ msg=audit(1357150683.125:96792): user pid=3227 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="papercut" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
type=USER_START msg=audit(1357150683.125:96793): user pid=3227 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="papercut" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
type=USER_END msg=audit(1357150683.177:96794): user pid=3227 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close acct="papercut" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
type=CRED_DISP msg=audit(1357150683.177:96795): user pid=3227 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="papercut" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'

Is there a way to find out which process run by root creates these log entries?

I have tried using the "acct" package but it does not log the PID in the process history (lastcomm). The process exits too fast to see it in top or ps...
There is nothing in crontab that could be causing these logs. BTW, user papercut is used by an application, but even after stopping it the logs are being created.
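
One way to approach this with the audit subsystem that already produces the records above, as an added example that is not part of the original post: assuming an audit watch such as `auditctl -w /bin/su -p x -k su_exec` is loaded, each execution of su also yields a SYSCALL record carrying the parent PID, which can be joined to the PAM records by pid. The SYSCALL line in the sample, its ppid value and the key name `su_exec` are constructed for illustration; the two PAM lines are copied from the post.

```python
import re
from collections import defaultdict

UNSET_ID = 4294967295  # (uint32)-1: audit's value for "no login session" in auid/ses

# Constructed sample: the SYSCALL record is hypothetical (ppid, comm and key are
# made up); the USER_AUTH and USER_START records are taken from the post.
SAMPLE = """\
type=SYSCALL msg=audit(1357150683.079:96789): arch=c000003e syscall=59 success=yes exit=0 ppid=3226 pid=3227 auid=4294967295 uid=0 comm="su" exe="/bin/su" key="su_exec"
type=USER_AUTH msg=audit(1357150683.081:96790): user pid=3227 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="papercut" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
type=USER_START msg=audit(1357150683.125:96793): user pid=3227 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="papercut" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit.log line into its type, timestamp and key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec_type, ts, _serial, body = m.groups()
    # Unwrap the PAM payload (msg='op=... acct=...') so its inner fields parse too.
    body = body.replace("msg='", "")
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return {"type": rec_type, "time": float(ts), "fields": fields}

def trace_su(log_text):
    """Group /bin/su records by pid and attach the ppid from the SYSCALL record."""
    runs = defaultdict(lambda: {"ppid": None, "acct": None,
                                "auid_unset": False, "ops": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["fields"].get("exe") != "/bin/su":
            continue
        f = rec["fields"]
        run = runs[int(f["pid"])]  # note: pids are reused over long logs
        run["auid_unset"] = int(f["auid"]) == UNSET_ID
        if rec["type"] == "SYSCALL":
            run["ppid"] = int(f["ppid"])      # the process that exec'd su
        else:
            run["acct"] = f.get("acct")       # target account of the su call
            run["ops"].append(f["op"])
    return dict(runs)

if __name__ == "__main__":
    for pid, run in trace_su(SAMPLE).items():
        print(pid, run)
```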