From: Art S. <art...@gm...> - 2009-09-24 08:19:29
I'm using OpenSUSE 11.1 and currently have sshguard 1.4 running fine, scanning
sshd. I've recently installed proftpd 1.3.2a and would like to configure
sshguard to scan for proftpd log entries as well.
I have proftpd set to log to the default syslog facility. Here is my configuration.
/etc/syslog-ng/syslog-ng.conf
# sshd and proftpd both log under auth/authpriv; select each program's lines
filter sshlogs { facility(auth, authpriv) and match("sshd"); };
# this filter must be defined (not commented out) because the second log
# statement below references it, otherwise syslog-ng refuses the config
filter f_proftpd { facility(auth, authpriv) and match("proftpd"); };
# feed the selected lines to sshguard on its stdin, one "DATE HOST MESSAGE" line each
destination sshguardproc {
program("/usr/local/sbin/sshguard" template("$DATE $FULLHOST $MESSAGE\n"));
};
log { source(src); filter(sshlogs); destination(sshguardproc); };
log { source(src); filter(f_proftpd); destination(sshguardproc); };
The log line shows up as:
Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
If pasted into a debug session of sshguard:
Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.
Sep 24 02:01:59 srvtwc proftpd[9682]: server.ip (client.ip[client.ip]) - USER asdfasdfasf: no such user found from client.ip [client.ip] to server.ip:21
Starting parse
Entering state 0
Reading a token: --accepting rule at line 102 ("Sep 24 02:01:59 srvtwc proftpd[9682]:")
Next token is token SYSLOG_BANNER_PID ()
Shifting token SYSLOG_BANNER_PID ()
Entering state 1
Reading a token: --accepting rule at line 180 (" ")
--accepting rule at line 162 ("server.ip")
Next token is token IPv4 ()
Error: popping token SYSLOG_BANNER_PID ()
Stack now 0
Cleanup: discarding lookahead token IPv4 ()
Stack now 0
Any advice on what I'm doing wrong?
Thanks!
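The debug trace above shows the parse failing right after the syslog banner, where the proftpd message begins with its own "server (client-dns[client-ip]) - " prefix rather than directly with the failure text. The following is an added illustration of that parsing step, not sshguard's own lexer or grammar: it splits a line of the exact shape the poster's "$DATE $FULLHOST $MESSAGE" template produces into banner, program and message, strips the proftpd prefix, and pulls the attacker's address out of both the proftpd "no such user found" message quoted in the post and a standard OpenSSH "Failed password" message. The IP addresses, usernames and the sshd lines are constructed sample data; the sshd message format is assumed from OpenSSH's usual output.

```python
"""Added example: parsing syslog lines of the form "DATE HOST prog[pid]: message"
and extracting the offending client address from proftpd and sshd auth failures.
Not sshguard code; regexes and sample data are this example's own.
"""
import re
from collections import Counter

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# Banner produced by the syslog-ng template "$DATE $FULLHOST $MESSAGE":
# "Mon dd HH:MM:SS host prog[pid]: text"
SYSLOG_LINE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# proftpd prepends "<server> (<client-dns>[<client-ip>]) - " to every message.
# When the server is named by IP, a lexer that tokenises IPs eagerly sees an
# IPv4 token immediately after the banner, which is what the post's trace shows.
PROFTPD_PREFIX = re.compile(
    r"^(?P<server>\S+) \((?P<client_host>[^\[\]]*)\[(?P<client_ip>" + IPV4 + r")\]\) - (?P<body>.*)$"
)
# Message body quoted in the post.
PROFTPD_NO_USER = re.compile(
    r"^USER (?P<user>\S+): no such user found from \S+ \[(?P<ip>" + IPV4 + r")\] to \S+:\d+$"
)
# Assumed OpenSSH format for the sshd side of the comparison.
SSHD_FAILED = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>" + IPV4 + r") port \d+ ssh2$"
)


def extract_attacker(line):
    """Return {'service', 'user', 'ip'} for a recognised auth failure, else None."""
    m = SYSLOG_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    if prog == "sshd":
        f = SSHD_FAILED.match(msg)
        if f:
            return {"service": "sshd", "user": f.group("user"), "ip": f.group("ip")}
        return None
    if prog == "proftpd":
        p = PROFTPD_PREFIX.match(msg)
        if not p:
            return None
        f = PROFTPD_NO_USER.match(p.group("body"))
        if f:
            # Prefix and body both carry the client address; refuse to act on a
            # line where they disagree rather than trust either one blindly.
            ip = f.group("ip")
            if ip != p.group("client_ip"):
                return None
            return {"service": "proftpd", "user": f.group("user"), "ip": ip}
    return None


def failures_by_ip(lines):
    """Count recognised failures per client address (the input to a block threshold)."""
    counts = Counter()
    for line in lines:
        hit = extract_attacker(line)
        if hit:
            counts[hit["ip"]] += 1
    return dict(counts)


# Constructed sample input in the shape the poster's template emits.
SAMPLE = [
    "Sep 24 02:01:59 srvtwc proftpd[9682]: 192.0.2.10 (203.0.113.7[203.0.113.7]) - "
    "USER asdfasdfasf: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21",
    "Sep 24 02:02:03 srvtwc proftpd[9682]: 192.0.2.10 (203.0.113.7[203.0.113.7]) - "
    "USER admin: no such user found from 203.0.113.7 [203.0.113.7] to 192.0.2.10:21",
    "Sep 24 02:02:10 srvtwc sshd[4711]: Failed password for invalid user oracle "
    "from 198.51.100.4 port 51022 ssh2",
    "Sep 24 02:02:11 srvtwc sshd[4711]: Connection closed by 198.51.100.4",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(extract_attacker(sample_line))
    print(failures_by_ip(SAMPLE))
```

Running it prints one record per recognised failure and the per-address tally; the informational "Connection closed" line yields None and is not counted. The point of splitting the proftpd handling into prefix and body is that the prefix is the part a generic pattern is most likely to choke on, so a parser has to consume it explicitly before matching the failure text.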