I just got an alert from OSSEC and I thought my web and possibly server got hacked, damn, and it was like one day in production.

Jan 7 00:30:01 sudo: root : TTY=unknown ; PWD=/var/www/clients/client1/web3 ; USER=web3 ; COMMAND=/usr/bin/find . -group client1 -print
Jan 7 00:30:01 sudo: pam_unix(sudo:session): session opened for user web3 by (uid=0)
Jan 7 00:30:01 sudo: pam_unix(sudo:session): session closed for user web3
Jan 7 00:30:02 sshd[4893]: Connection closed by 127.0.0.1 [preauth]
Jan 7 00:30:03 sudo: root : TTY=unknown ; PWD=/var/www/clients/client1/web3 ; USER=web3 ; COMMAND=/usr/bin/find . -user www-data -print
Jan 7 00:30:03 sudo: pam_unix(sudo:session): session opened for user web3 by (uid=0)
Jan 7 00:30:03 sudo: pam_unix(sudo:session): session closed for user web3
Jan 7 00:30:03 sudo: root : TTY=unknown ; PWD=/var/www/clients/client2/web5 ; USER=web5 ; COMMAND=/usr/bin/find . -group client2 -print
Jan 7 00:30:03 sudo: pam_unix(sudo:session): session opened for user web5 by (uid=0)
Jan 7 00:30:03 sudo: pam_unix(sudo:session): session closed for user web5
Jan 7 00:30:03 sudo: root : TTY=unknown ; PWD=/var/www/clients/client2/web5 ; USER=web5 ; COMMAND=/usr/bin/find . -user www-data -print

Just to realize 10 min later it was a cron job of ISPConfig... Huh. Btw, what is the above used for? So, I probably can't uninstall sudo on an ISPConfig server?
Cleanup of PHP session files. No. Sudo is important for security, as it allows ISPConfig to run programs with lower permissions than root. In the case above, ISPConfig runs the cleanup as the web user or the www-data user and not as root; this ensures that no wrong files can be deleted accidentally, even if the client somehow managed to get a hard or soft link to system files.
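To see for yourself how a find-based cleanup like the one in the log behaves when a client plants links inside its web space, here is an added example script (not ISPConfig's code and not from the thread). It builds a scratch tree under a temporary directory, with a session file, a symlink and a hard link that both point at a file outside the web directory, runs a find of the same shape as the logged commands, and then checks what survived. All paths, file names and contents below are constructed for the demo; the privilege drop that ISPConfig gets from running the find under sudo -u webN is assumed and cannot be shown in a single-user script, so only the link handling of find itself is exercised.

```shell
#!/bin/sh
# Added example (not ISPConfig's code): reproduce the find-based cleanup
# from the log against a constructed scratch tree that contains a session
# file, a symlink and a hard link pointing outside the web directory, then
# check what survived. Everything under $SCRATCH is made up for this demo.
set -eu

SCRATCH=$(mktemp -d)
SYSFILE="$SCRATCH/sysroot/etc/important.conf"   # stand-in for a system file
WEBDIR="$SCRATCH/clients/client1/web3"           # stand-in for a client web dir

# Lay out the tree: one legitimate session file plus the two kinds of link a
# hostile client could create inside its own web space.
setup_tree() {
    mkdir -p "$(dirname "$SYSFILE")" "$WEBDIR/tmp"
    printf 'keep me\n' > "$SYSFILE"
    printf 'sess data\n' > "$WEBDIR/tmp/sess_abc123"
    ln -s "$SYSFILE" "$WEBDIR/tmp/evil_symlink"
    ln "$SYSFILE" "$WEBDIR/tmp/evil_hardlink"
}

# Same shape as the logged command: find without -L, so every test applies to
# the directory entry itself, never to what a symlink points to. The -user
# test uses the current uid because this demo runs as a single user.
list_candidates() {
    (cd "$WEBDIR" && find . -type f -user "$(id -u)" -print)
}

# Remove the matching entries. A symlink is type l when not followed, so it is
# never matched by -type f; the hard link is a regular file, so its name in the
# web dir is unlinked, but the file keeps its other link and its content.
cleanup() {
    (cd "$WEBDIR" && find . -type f -user "$(id -u)" -exec rm -f {} +)
}

# Post-cleanup checks; each returns 0 when the expected state holds.
sysfile_intact()     { [ "$(cat "$SYSFILE")" = "keep me" ]; }
session_file_gone()  { [ ! -e "$WEBDIR/tmp/sess_abc123" ]; }
symlink_untouched()  { [ -L "$WEBDIR/tmp/evil_symlink" ]; }
hardlink_name_gone() { [ ! -e "$WEBDIR/tmp/evil_hardlink" ]; }

# Build, show the candidates, clean up, and verify; returns 0 on success.
run_demo() {
    setup_tree
    echo "candidates before cleanup:"
    list_candidates
    cleanup
    sysfile_intact && session_file_gone && symlink_untouched && hardlink_name_gone
}
```

Run it as `sh demo.sh && echo ok` after appending a `run_demo` call. The point to take from it: because the cleanup's find does not use -L, a symlink to a system file is never treated as the file it points to, and unlinking a hard-link name inside the web dir does not destroy the target as long as its original name still exists. What the script cannot show is the second layer ISPConfig adds, running the whole find as the unprivileged web user via sudo, so that even a mistaken match outside the client's own files fails on permissions instead of deleting something.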