From: Georg L. <jor...@ma...> - 2016-07-07 22:30:57
Hello List!
I am operating some Debian/Linux servers (Squeeze/7.x) where Syslog is
replaced by socklog.
This week I tried out sshguard, but got no matches on my logfiles.
My socklog's loglines look like this:
- - -
auth.info: Jul 7 20:54:30 sshd[24329]: User root from 218.205.161.10
not allowed because not listed in AllowUsers
auth.info: Jul 7 20:54:30 sshd[24329]: input_userauth_request: invalid
user root [preauth]
auth.info: Jul 7 20:54:30 sshd[24329]: Connection closed by
218.205.161.10 [preauth]
- - -
After trying all else I checked out current sources. Where socklog is
mentioned, attack_scanner.l gives example loglines:
* "2015-05-27T04:31:28.10040 auth.info: May 27 04:31:28 sshd[30993]: "
* "2015-05-27T04:31:28.10040 auth.info: sshd[30993]: "
So, my socklog does not insert timestamps in front of the logged messages.
Find below a patch to make the timestamp optional. Since I have an
"old" iptables (1.4.14) I needed to remove the "-w" option for iptables
in commands_iptables.h.
Best Regards,
Georg Lehner
diff --git a/src/fwalls/command_iptables.h b/src/fwalls/command_iptables.h
index aea039c..9b659e4 100644
--- a/src/fwalls/command_iptables.h
+++ b/src/fwalls/command_iptables.h
@@ -26,8 +26,8 @@
#include "../config.h"
-/* backwards compatible with -w */
-#define IPTBLCMD "TBL=iptables; if [ x$SSHG_ADDRKIND = x6 ]; then
TBL=ip6tables; fi; iptblscmd() { " IPTABLES_PATH "/$TBL -w $@; r=$?; if
[ $r -eq 2 ]; then exec " IPTABLES_PATH "/$TBL $@; fi; exit $r; };
iptblscmd "
+/* removed -w for old iptables (1.4.14 */
+#define IPTBLCMD "TBL=iptables; if [ x$SSHG_ADDRKIND = x6 ]; then
TBL=ip6tables; fi; iptblscmd() { " IPTABLES_PATH "/$TBL $@; r=$?; if [
$r -eq 2 ]; then exec " IPTABLES_PATH "/$TBL $@; fi; exit $r; }; iptblscmd "
/* for initializing the firewall (+ make sure we have sufficient
credentials) */
#define COMMAND_INIT IPTBLCMD "-L -n"
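Review bot: Dropping `-w` unconditionally in the new IPTBLCMD is a regression for iptables builds that do support it: `-w` makes iptables wait for the xtables lock, so without it a rule insertion that races another iptables invocation can fail instead of being retried, and the removed comment ("backwards compatible with -w") shows the wrapper was already designed to handle old builds by re-executing without `-w` when the first call exits with status 2. The better fix is to find out why that fallback did not fire on 1.4.14 and repair the exit-code check, keeping `-w` for newer builds. As written, the surviving `if [ $r -eq 2 ]; then exec " IPTABLES_PATH "/$TBL $@; fi` branch now re-runs an identical `-w`-less command and is dead code. Minor: the new comment is missing a closing parenthesis, `(1.4.14 */` should read `(1.4.14) */`.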
diff --git a/src/parser/attack_scanner.l b/src/parser/attack_scanner.l
index 9b43f31..9dc3382 100644
--- a/src/parser/attack_scanner.l
+++ b/src/parser/attack_scanner.l
@@ -113,13 +113,16 @@ FACLEVEL (<[a-zA-Z0-9]+\.[a-zA-Z0-9]+>)
*
* Some strip the redundant timestamp, eg
* "2015-05-27T04:31:28.10040 auth.info: sshd[30993]: "
+ *
+ * Other don't timestamp lines at all:
+ * "auth.info: May 27 04:31:28 sshd[30993]: "
*/
-{TIMESTAMP_ISO8601}" "{WORD}.{WORD}": "({TIMESTAMP_SYSLOG}"
")?{PROCESSNAME}("/"{PROCESSNAME})?"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
+({TIMESTAMP_ISO8601}" ")?{WORD}.{WORD}": "({TIMESTAMP_SYSLOG}"
")?{PROCESSNAME}("/"{PROCESSNAME})?"["{NUMBER}"]: "{SOLARIS_MSGID_TAG}? {
yylval.num = getsyslogpid(yytext, yyleng);
return SOCKLOG_BANNER_PID;
}
-{TIMESTAMP_ISO8601}" "{WORD}.{WORD}": "({TIMESTAMP_SYSLOG}"
")?({PROCESSNAME}("/"{PROCESSNAME})?":")? { return SOCKLOG_BANNER; }
+({TIMESTAMP_ISO8601}" ")?{WORD}.{WORD}": "({TIMESTAMP_SYSLOG}"
")?({PROCESSNAME}("/"{PROCESSNAME})?":")? { return SOCKLOG_BANNER; }
/* SSH: invalid or rejected user (cross platform [generated by
openssh]) */
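Review bot: Making `{TIMESTAMP_ISO8601}" "` optional removes the only anchor that distinguished these two socklog banner rules from other input, so the bare `{WORD}.{WORD}": "` prefix now competes with every other start-of-line rule in the scanner; since the unquoted `.` in `{WORD}.{WORD}` is a flex wildcard matching any character (compare the escaped `\.` in the FACLEVEL definition in the hunk header), the loosened rules will also match `authXinfo: `. Suggest tightening the prefix to `{WORD}"."{WORD}": "` in both rules so the optional timestamp does not widen what is accepted as a socklog banner, and adding one of the untimestamped lines from the report (e.g. `auth.info: Jul 7 20:54:30 sshd[24329]: ...`) as a parser test case so the new form stays covered. Style: the added comment should read "Others don't timestamp lines at all".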