Linux – Successful su for user by root in /var/log/auth.log

linux, logging, Ubuntu

I have these sorts of entries in my /var/log/auth.log:

Apr  3 12:32:23 machine_name su[1521]: Successful su for user1 by root
Apr  3 12:32:23 machine_name su[1654]: Successful su for user2 by root
Apr  3 12:32:24 machine_name su[1772]: Successful su for user3 by root

Situation:

  • All users are real accounts in /etc/passwd;
  • None of the users has its own crontab;
  • All of those users logged in to the machine some time earlier via SSH or NoMachine – the time varies from a few minutes to a few hours;
  • No cron jobs are scheduled to run at that time; anacron is removed;
  • I can see similar entries for other days and other times. The common part is the users are logged in when it appears. It does not appear during login, but some time afterwards.

This machine has a similar setup to a few others, but it is the only one where I see these entries.

What causes them?
Thanks

Edit: I managed to narrow it down. I believe it is caused by cron @reboot. The funny part is – it runs "something" only for the users logged in right before the reboot. I checked /var/spool/cron, crontab -u <username> -l, grep -r @reboot /etc /var and can't see anything.

How could I run cron @reboot manually?

Best Answer

If you can't find the source of the su launches, auditd will track them for you. See here: https://superuser.com/a/222924
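
One way to act on the auditd suggestion, as an added example that is not part of the original answer or the linked one: watch executions of su, then join the audit records to the auth.log entries on the su PID to see each launch's parent PID, login uid and tty. The path /bin/su, the key name su_exec, the function name su_parents and the audit records shown are assumptions or constructed samples.

```shell
#!/bin/sh
# Added example. Load the watch rule first, as root (the path /bin/su and the
# key name su_exec are assumptions; check `command -v su` on the host):
#   auditctl -w /bin/su -p x -k su_exec
# Later, export the matching records with: ausearch -k su_exec --raw

# Constructed sample data; the audit records are illustrative, not real output.
AUTH_SAMPLE='Apr  3 12:32:23 machine_name su[1521]: Successful su for user1 by root
Apr  3 12:32:23 machine_name su[1654]: Successful su for user2 by root
Apr  3 12:32:24 machine_name su[1772]: Successful su for user3 by root'
AUDIT_SAMPLE='type=SYSCALL msg=audit(1364985143.500:101): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1480 pid=1521 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="su" exe="/bin/su" key="su_exec"
type=SYSCALL msg=audit(1364985143.900:102): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1480 pid=1654 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="su" exe="/bin/su" key="su_exec"'

# su_parents AUTH_TEXT AUDIT_TEXT (hypothetical helper name)
# Prints "target_user su_pid ppid auid tty" for each "Successful su" line,
# joined on the su PID. Assumes PIDs are not reused within the window examined.
# auid=4294967295 means no login uid was set, so the caller was not started
# from a login session that sets one (pam_loginuid).
su_parents() {
    { printf '%s\n' "$2" '@@AUTH@@' "$1"; } | awk '
        $0 == "@@AUTH@@" { in_auth = 1; next }
        !in_auth && /^type=SYSCALL/ && /exe="[^"]*\/su"/ {
            pid = ppid = auid = tty = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "pid")  pid  = kv[2]
                if (kv[1] == "ppid") ppid = kv[2]
                if (kv[1] == "auid") auid = kv[2]
                if (kv[1] == "tty")  tty  = kv[2]
            }
            if (pid != "") info[pid] = ppid " " auid " " tty
            next
        }
        in_auth && /Successful su for .* by root/ {
            p = user = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^su\[[0-9]+\]:$/) { p = $i; gsub(/[^0-9]/, "", p) }
                if ($i == "for" && user == "") user = $(i + 1)
            }
            print user, p, ((p in info) ? info[p] : "no-audit-record")
        }'
}

su_parents "$AUTH_SAMPLE" "$AUDIT_SAMPLE"
```

While the parent is still running, the ppid column can be resolved with ps -o pid,ppid,user,args -p <ppid>.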