From: Mij <mi...@ss...> - 2010-11-20 11:46:14
[ emerging from the catacombs ]
This is an interesting report. What happens is that syslog-ng prints log entries
to file with one format, and to processes with another format. The file output
appears truncated, but that's just the scanner ignoring anything after a line is
recognized as non-matching.
So this is up to the parser not recognizing this syslog-ng format. Backtracking
on the scanner's output, on auth.log you get
Aug 10 23:57:39 charlie vsftpd[1]: pam_unix <something>
while piped from syslog-ng you get
Aug 10 23:57:39 charlie vsftpd[1]: [fijam] FAIL LOGIN: Client "192.168.1.11"
Now, some relevant questions:
* Did you configure for different output, or is that syslog-ng default behavior?
* If the latter, which version of syslog-ng?
* Can you report the full line from file?
cheers
michele
On Aug 11, 2010, at 00:38 , op...@ni... wrote:
> Hello,
>
> Having found out that 1.4.4 does not support vsftpd I quickly compiled
> 1.5 rc4 for my system. While syslog-ng log parsing works like a charm,
> I have problems with the Log Sucker.
>
> I started sshguard in debug mode:
> env SSHGUARD_DEBUG=foo sshguard -l /var/log/auth.log
>
> Then I made some bogus ftp and ssh connections from another machine:
>
> Read line from '/var/log/auth.log'.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 110 ("Aug 10 23:57:37
> charlie vsftpd[1]: ")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 220 ("pam_unix")
> Next token is token WORD ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token WORD ()
> Stack now 0
>
> Read line from '/var/log/auth.log'.
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 110 ("Aug 10 23:59:42
> charlie sshd[5509]: ")
> Next token is token SYSLOG_BANNER_PID ()
> Shifting token SYSLOG_BANNER_PID ()
> Entering state 1
> Reading a token: --accepting rule at line 220 ("pam_unix")
> Next token is token WORD ()
> Error: popping token SYSLOG_BANNER_PID ()
> Stack now 0
> Cleanup: discarding lookahead token WORD ()
> Stack now 0
>
> It looks like the log entry is truncated. I am using syslog-ng 3.1.1.
> If I start sshguard without -l and feed it the line then it works
> properly:
>
> Aug 10 23:57:39 charlie vsftpd[1]: [fijam] FAIL LOGIN: Client "192.168.1.11"
> Starting parse
> Entering state 0
> Reading a token: --accepting rule at line 196 ("Aug 10 23:57:39
> charlie vsftpd[1]: [fijam] FAIL LOGIN: Client "")
> Next token is token VSFTPD_LOGINERR_PREF ()
> Shifting token VSFTPD_LOGINERR_PREF ()
> Entering state 22
> Reading a token: --accepting rule at line 201 ("192.168.1.11")
> Next token is token IPv4 ()
> Shifting token IPv4 ()
> Entering state 50
> Reducing stack by rule 23 (line 203):
> $1 = token IPv4 ()
> -> $$ = nterm addr ()
> Stack now 0 22
> Entering state 69
> Reading a token: --accepting rule at line 197 (""")
> Next token is token VSFTPD_LOGINERR_SUFF ()
> Shifting token VSFTPD_LOGINERR_SUFF ()
> Entering state 82
> Reducing stack by rule 47 (line 339):
> $1 = token VSFTPD_LOGINERR_PREF ()
> $2 = nterm addr ()
> $3 = token VSFTPD_LOGINERR_SUFF ()
> -> $$ = nterm vsftpdmsg ()
> Stack now 0
> Entering state 45
> Reducing stack by rule 21 (line 179):
> $1 = nterm vsftpdmsg ()
> -> $$ = nterm msg_single ()
> Stack now 0
> Entering state 28
> Reducing stack by rule 9 (line 163):
> $1 = nterm msg_single ()
> -> $$ = nterm logmsg ()
> Stack now 0
> Entering state 27
> Reducing stack by rule 4 (line 125):
> $1 = nterm logmsg ()
> -> $$ = nterm text ()
> Stack now 0
> Entering state 23
> Reading a token: --(end of buffer or a NUL)
> --accepting rule at line 221 ("
> ")
> --(end of buffer or a NUL)
> --EOF (start condition 0)
> Now at end of input.
> Stack now 0 23
> Cleanup: popping nterm text ()
> Matched address 192.168.1.11:4 attacking service 330, dangerousness 10.
> Purging stale attackers.
>
> If you require any more info please let me know.
>
> Regards,
> J.
>
> _______________________________________________
> Sshguard-users mailing list
> Ssh...@li...
> https://lists.sourceforge.net/lists/listinfo/sshguard-users
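Added illustration for the thread above (not sshguard's own scanner and not code from either poster): a small Python sketch of the two-stage recognition the debug traces show, a syslog banner token first, then a per-service message rule over whatever follows. The service id 330 and dangerousness 10 are taken from the quoted trace; the regular expressions, function names and the "<something>" remainder on the file-format line are assumptions constructed for the example. Running it on both quoted line shapes shows why the file line stops after the banner (no rule matches the remainder, so nothing past it is reported) while the piped line yields the address.

```python
import re
from typing import Optional

# Constructed sample lines. The first reproduces the shape of the auth.log line
# quoted in the thread (the text after "pam_unix" is a placeholder, not real
# output); the second is the line as piped from syslog-ng.
FILE_LINE = "Aug 10 23:57:39 charlie vsftpd[1]: pam_unix <something>"
PIPE_LINE = 'Aug 10 23:57:39 charlie vsftpd[1]: [fijam] FAIL LOGIN: Client "192.168.1.11"'

# Stage 1: the syslog banner carrying a PID (what the trace calls SYSLOG_BANNER_PID).
# Assumed regex; sshguard's real scanner is a flex rule, not this expression.
SYSLOG_BANNER_PID = re.compile(
    r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} "   # "Aug 10 23:57:39 "
    r"(?P<host>\S+) "                                # "charlie "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]: "          # "vsftpd[1]: "
)

# Stage 2: message rules keyed by service. Only the vsftpd login-failure rule is
# modelled here; service id 330 and dangerousness 10 come from the quoted trace.
IPV4 = r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3})"
MESSAGE_RULES = [
    # (service id, dangerousness, regex over the text that follows the banner)
    (330, 10, re.compile(r'^\[[^\]]*\] FAIL LOGIN: Client "' + IPV4 + r'"')),
]


def parse(line: str) -> dict:
    """Mimic the two-stage parse and report where it stopped.

    status is one of:
      "no_banner"   - the line does not even start with a syslog banner
      "banner_only" - banner recognised, but the remainder matches no rule;
                      a scanner that stops here makes the line look truncated
      "match"       - a rule matched; addr/service/dangerousness are filled in
    """
    banner = SYSLOG_BANNER_PID.match(line)
    if banner is None:
        return {"status": "no_banner", "remainder": line}
    remainder = line[banner.end():]
    for service, danger, rule in MESSAGE_RULES:
        hit = rule.match(remainder)
        if hit is not None:
            return {
                "status": "match",
                "remainder": remainder,
                "addr": hit.group("addr"),
                "service": service,
                "dangerousness": danger,
            }
    return {"status": "banner_only", "remainder": remainder}


def scan_line(line: str) -> Optional[dict]:
    """Return the attack record a matcher would derive, or None if nothing matched."""
    r = parse(line)
    if r["status"] != "match":
        return None
    return {"addr": r["addr"], "service": r["service"], "dangerousness": r["dangerousness"]}


if __name__ == "__main__":
    for sample in (FILE_LINE, PIPE_LINE):
        r = parse(sample)
        print(f"{r['status']:11s} remainder={r['remainder']!r}")
        if r["status"] == "match":
            print(f"  Matched address {r['addr']} attacking service {r['service']}, "
                  f"dangerousness {r['dangerousness']}.")
```

The `remainder` field is the useful diagnostic when comparing a file source with a piped source: if it is non-empty on a `banner_only` result, the line was not truncated on disk, the message simply matched no rule.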