From: Mij <mi...@bi...> - 2007-05-21 20:55:07
Truffe,

this is the mechanism that causes that loop:

1) log lines of the auth facility are given to sshguard
2) sshguard parses each line; the parser generates a log message with "debug" level on its work result. All sshguard logging happens to the auth facility
3) syslog takes these logs back to sshguard, which then generates further logging

I was aware of this possibility and relied on either of these assumptions for avoiding step 3 (and thus the whole loop):

#1 debug logs are typically discarded or directed to a specific log file, e.g. "debug.log"
#2 log messages with "sshd" are filtered before passing to sshguard

If you use syslog-ng I suggest you go with the simpler one (#2): specify the following filter for sshguard

    filter sshlogs { facility(auth, authpriv) and match ("sshd"); };

In the future I will possibly remove that debug message. Thanks for making me put this remark on the archives.

On 21/May/07, at 19:09, Truffe Champagne wrote:

> I have installed sshguard-1.0beta2 on suse 10.1 with iptables,
> following the instructions described in the README.
> Installation and configuration following the README seemed to work fine.
>
> However, after killall -HUP syslog-ng, a HUGE amount
> (several GBs in a few minutes) of log is written in /var/log/messages.
> The messages are just an infinite repeat of the following message:
>
> ++++++++++++++++++++++++++++++++++
> May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22
> 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01
> hostname sshguard[24897]: Parsing line 'May22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> sshguard[24897]: Parsing line 'May 22 01:54:01 mesioa sshguard[24897]:
> Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line
> 'May 22 01:42:13 hostname sshd': skip. ': skip. ': skip. ': skip. ':
> skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip.
> ': skip.
> ++++++++++++++++++++++++++++++++++
>
> Now sshguard is stopped by commenting the syslog-ng conf file and
> restarting syslog-ng.
>
> Probably I have made a mistake at some step in the configuration.
> Can someone tell me what is wrong in my configuration?
>
> Thanks,
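
The three-step loop described in the reply, as a small simulation. This is an added example, not code from sshguard or from either poster. The sample sshd line is constructed, the debug message shape is copied from the log quoted above, and the filter is modelled as a test on the program tag of each line, which is an assumption of this sketch and not a statement about how syslog-ng evaluates match().

```python
import re
from collections import deque

# Constructed sample line, shaped like the innermost line in the quoted log.
SAMPLE = "May 22 01:42:13 hostname sshd[4321]: Server listening on 0.0.0.0 port 22."

# "Mon DD HH:MM:SS host program[pid]:" header of a classic syslog line.
TAG_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ ([\w-]+)(?:\[\d+\])?:")

def program_tag(line):
    """Return the program name from the syslog header, or None if absent."""
    m = TAG_RE.match(line)
    return m.group(1) if m else None

def pass_all(line):
    # No filter: every auth-facility line reaches sshguard (step 1).
    return True

def sshd_only(line):
    # Models assumption #2: only lines logged by sshd reach sshguard.
    return program_tag(line) == "sshd"

def simulate(first_line, accept, max_rounds=12):
    """Run the loop for one input line; return (lines_parsed, bytes_logged).

    max_rounds is only a safety cap so the unfiltered case terminates.
    """
    queue = deque([first_line])
    parsed = logged = 0
    while queue and parsed < max_rounds:
        line = queue.popleft()
        if not accept(line):          # filter sits between syslog and sshguard
            continue
        parsed += 1
        # Step 2: the parser reports its result at debug level, auth facility.
        debug = ("May 22 01:54:01 hostname sshguard[24897]: "
                 "Parsing line '%s': skip." % line)
        logged += len(debug)
        queue.append(debug)           # step 3: syslog hands that line back
    return parsed, logged

if __name__ == "__main__":
    for name, flt in (("no filter", pass_all), ("sshd only", sshd_only)):
        parsed, logged = simulate(SAMPLE, flt)
        print("%-10s parsed=%2d bytes_logged=%d" % (name, parsed, logged))
```

Without the filter the run stops only at the safety cap, and every generation is longer than the last because it quotes its predecessor, which is the nesting visible in the quoted log.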