From: Mij <mi...@ss...> - 2010-03-17 18:44:25

On Mar 17, 2010, at 8:18 , Robert S wrote:

> After a bit of fiddling around it appears that this pattern is being recognised, but there is no evidence of this in my system log. It appears that there are no sshguard messages appearing in my log. For example:
>
> hostname robert # killall -HUP syslog-ng
> hostname robert # tail /var/log/messages
> Mar 17 18:00:32 hostname syslog-ng[30304]: Configuration reload request received, reloading configuration;
> [ .. other system log messages ]
> hostname robert # ps ax |grep sshguard
> 21209 ? Sl 0:00 /usr/sbin/sshguard -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist
>
> I am using syslog-ng 3.0.4 on gentoo. Here is the relevant bit out of my syslog-ng config:
>
> # pass only entries with auth+authpriv facilities from programs other than sshguard
> filter f_sshguard { facility(auth, authpriv) and not program("sshguard"); };
> # pass entries built with this format
> destination sshguard {
>     program("/usr/sbin/sshguard -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist"
>         template("$DATE $FULLHOST $MSGHDR$MESSAGE\n")
>     );
> };
> log { source(src); filter(f_sshguard); destination(sshguard); };

Some of the syslog-ng guys can probably help you better here, but this conf snippet is for sending log entries *to* sshguard only, not for gathering messages *from* it.

sshguard logs its activity with AUTH facility. Where these messages go depends on how you configured this facility (destination and level) -- I'm not familiar with gentoo's default configuration. Try a "grep -r sshguard /var/log" if you have no clue.

> I've used the log sucker and SSHGUARD_DEBUG, but this is rather cumbersome and really only useful for debugging.

Yes, DEBUG is meant for debug, not regular use.
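As an added example (not from the original thread or from the sshguard project), here is a syslog-ng 3.x snippet that complements Robert's config: it routes the messages sshguard itself emits on the AUTH facility to a dedicated file, so blocks and releases are visible in a log without SSHGUARD_DEBUG. The source name `src` is taken from Robert's config; the file path is an assumption.

```conf
# Added example. Catch what sshguard itself logs: it uses the AUTH facility and
# is tagged with program name "sshguard". Write those lines to their own file
# instead of relying on the distribution's default auth destination.
filter f_sshguard_own { facility(auth, authpriv) and program("sshguard"); };
destination d_sshguard_log { file("/var/log/sshguard.log"); };   # path is an assumption
log { source(src); filter(f_sshguard_own); destination(d_sshguard_log); };

# Unchanged from the original config: everything else on auth/authpriv is fed
# to the sshguard process. The "not program" clause keeps sshguard from ever
# parsing its own output, which is why its messages never reach this path.
filter f_sshguard { facility(auth, authpriv) and not program("sshguard"); };
destination sshguard {
    program("/usr/sbin/sshguard -f 100:/var/run/sshd.pid -b /usr/local/var/sshguard/blacklist.db -w /etc/sshguard.whitelist"
        template("$DATE $FULLHOST $MSGHDR$MESSAGE\n")
    );
};
log { source(src); filter(f_sshguard); destination(sshguard); };
```

After `killall -HUP syslog-ng`, a blocked address should produce a line in /var/log/sshguard.log; if the file stays empty while sshguard is clearly acting, check whether syslog-ng is reading the socket sshguard logs to in `source(src)`.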