From: Adam J. <at...@pu...> - 2009-11-16 20:27:15
Hello all,

Just thought I should mention that if you're piping messages into sshguard via syslog-ng, you'll probably find that blocking stops working when you upgrade to syslog-ng version 3.0. This is due to a subtle change in message format macros.

The recommended configuration for version 2.x looks something like this:

    destination sshguard {
        program("/usr/sbin/sshguard"
            template("$DATE $FULLHOST $MESSAGE\n")
        );
    };
    filter f_sshguard { facility(auth, authpriv) and match("sshd"); };
    log { source(src); filter(f_sshguard); destination(sshguard); };

In previous versions $MESSAGE included the program name and pid. However, this has changed in version 3.0. You now need to include $MSGHDR:

    destination sshguard {
        program("/usr/sbin/sshguard"
            template("$DATE $FULLHOST $MSGHDR$MESSAGE\n")
        );
    };
    filter f_sshguard { facility(auth, authpriv) and program("sshd"); };
    log { source(src); filter(f_sshguard); destination(sshguard); };

Note that I also changed match() to program() in the filter; this stops syslog-ng complaining about a deprecated use of match.

Hopefully this might prevent someone else suddenly realising their blocking isn't working and then spending 20 minutes trying to figure out what has changed!

Cheers,

- atj
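A way to see the breakage offline, as an added example that is not part of the post above and not code from sshguard or syslog-ng: a small Python model of the two template expansions, fed through a simplified stand-in for sshguard's "Failed password" matcher. The log record, the 2.x/3.0 macro semantics and the matcher regex are assumptions built from the post's description, so treat it as an illustration of why the header matters, not as a reproduction of either project's parser.

```python
import re

# Constructed syslog record for one failed sshd login, as syslog-ng would hold it
# before applying the destination template (hypothetical values).
RECORD = {
    "DATE": "Nov 16 20:27:15",
    "FULLHOST": "bastion",
    "PROGRAM": "sshd",
    "PID": "12345",
    "MESSAGE": "Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
}

# The two templates from the post (syslog-ng's "\n" in the config is a real newline here).
TEMPLATE_2X = "$DATE $FULLHOST $MESSAGE\n"
TEMPLATE_3X = "$DATE $FULLHOST $MSGHDR$MESSAGE\n"

MACRO_RE = re.compile(r"\$(DATE|FULLHOST|MSGHDR|MESSAGE)")


def render(template, record, syslog_ng_major):
    """Expand the four macros the post uses, modelling the 2.x -> 3.0 change:
    in 2.x $MESSAGE still carries the 'program[pid]: ' header, in 3.0 the
    header is only available as $MSGHDR (assumption: modelled from the post)."""
    header = f"{record['PROGRAM']}[{record['PID']}]: "
    values = {
        "DATE": record["DATE"],
        "FULLHOST": record["FULLHOST"],
        "MSGHDR": header,
        "MESSAGE": (header + record["MESSAGE"]) if syslog_ng_major < 3 else record["MESSAGE"],
    }
    return MACRO_RE.sub(lambda m: values[m.group(1)], template).rstrip("\n")


# Simplified stand-in for sshguard's log parser (sshguard's real parser is a
# flex/yacc grammar; this regex only covers the one 'Failed password' shape above).
# Note that it insists on the 'sshd[pid]: ' header right after the hostname.
SSHD_FAIL_RE = re.compile(
    r"^\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def attacker_ip(line):
    """Return the source IP the stand-in parser would block, or None if unparseable."""
    m = SSHD_FAIL_RE.match(line)
    return m.group(1) if m else None


def blocked_ip(template, syslog_ng_major, record=RECORD):
    """Run one template through one modelled syslog-ng version; report what gets blocked."""
    return attacker_ip(render(template, record, syslog_ng_major))


if __name__ == "__main__":
    for major, template in ((2, TEMPLATE_2X), (3, TEMPLATE_2X), (3, TEMPLATE_3X)):
        line = render(template, RECORD, major)
        print(f"syslog-ng {major}.x, template {template.strip()!r}")
        print(f"  sshguard sees : {line}")
        print(f"  would block   : {blocked_ip(template, major)}")
```

Running it shows the 2.x template producing a line without the "sshd[12345]: " header once the 3.0 macro semantics are applied, which is exactly the line shape the matcher rejects; the $MSGHDR template restores it. On a real box the equivalent check is to swap the program() destination for a file() destination temporarily and confirm each line still starts with the date, host and "sshd[pid]:" before pointing it at sshguard again.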