From: Truffe C. <tru...@gm...> - 2007-05-22 02:33:13
Hi Mij,
> If you use syslog-ng I suggest you go with the simpler one (#2): specify
> the following filter for sshguard
>
>     filter sshlogs { facility(auth, authpriv) and match("sshd"); };

According to the instructions, I have included the following lines in
/etc/syslog-ng/syslog-ng.conf:

    filter sshlogs { facility(auth, authpriv) and match("sshd"); };
    destination sshguardproc { program("/usr/local/sbin/sshguard"
        template("$DATE $FULLHOST $MESSAGE\n")); };
    log { source(src); filter(sshlogs); destination(sshguardproc); };

Then syslog-ng restarted fine with the following message:

    May 22 11:01:57 hostname sshguard[4098]: Started successfully [(a,p,s)=(4, 420, 1200)], now ready to scan.

However, at the first remote ssh login after restarting syslog-ng,
the same message loop happened.

If I use the tail option,

    tail -n0 -F /var/log/messages | /usr/local/sbin/sshguard

I got a similar result.

truffe
> On 21/mag/07, at 19:09, Truffe Champagne wrote:
>
> > I have installed sshguard-1.0beta2 on suse 10.1 with iptables,
> > following the instructions described in the README.
> > Installation and configuration following the README seemed to work fine.
> >
> > However, after killall -HUP syslog-ng, a HUGE amount
> > (several GBs in a few minutes) of log is written to /var/log/messages.
> > The messages are just an infinite repeat of the following message:
> >
> > ++++++++++++++++++++++++++++++++++
> > May 22 01:54:01 hostname sshguard[24897]: Parsing line 'May 22
> > 01:54:01 hostname sshguard[24897]: Parsing line 'May 22 01:54:01
> > hostname sshguard[24897]: Parsing line 'May22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 hostname
> > sshguard[24897]: Parsing line 'May 22 01:54:01 mesioa sshguard[24897]:
> > Parsing line 'May 22 01:54:01 hostname sshguard[24897]: Parsing line
> > 'May 22 01:42:13 hostname sshd': skip. ': skip. ': skip. ': skip. ':
> > skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip. ': skip.
> > ': skip.
> > ++++++++++++++++++++++++++++++++++
> >
> > Now sshguard is stopped by commenting it out in the syslog-ng conf file
> > and restarting syslog-ng.
> >
> > I have probably made a mistake at some step in the configuration.
> > Can someone tell me what is wrong in my configuration?
> >
> > Thanks,
>
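
An added illustration, not part of the original messages or of sshguard itself: a small Python model of the loop visible in the quoted log, where each "Parsing line" record sshguard writes still contains "sshd" and is fed back to it. The Record type, the sample line, sshguard_echo and excluding_filter are constructed for the example, and it assumes sshguard logs skipped lines under the auth facility.

```python
from collections import namedtuple

# Constructed model of a syslog record; message holds the "tag[pid]: text" part.
Record = namedtuple("Record", "facility message")

def page_filter(rec):
    """The posted filter: facility(auth, authpriv) and match("sshd")."""
    return rec.facility in ("auth", "authpriv") and "sshd" in rec.message

def excluding_filter(rec):
    """Hypothetical variant: same test, but sshguard-tagged records are not piped back."""
    return page_filter(rec) and not rec.message.startswith("sshguard[")

def sshguard_echo(rec):
    """Assumption: sshguard logs each skipped line, quoted, under the auth facility."""
    return Record("auth", f"sshguard[100]: Parsing line '{rec.message}': skip.")

def simulate(flt, first, max_records=10):
    """Records written to the log while the filter keeps feeding sshguard."""
    written, current = [first], first
    while flt(current) and len(written) < max_records:
        current = sshguard_echo(current)  # sshguard's own record re-enters syslog
        written.append(current)
    return written

# Constructed sample input (documentation address, made-up pid and user).
FIRST = Record("auth", "sshd[200]: Invalid user test from 192.0.2.10")

if __name__ == "__main__":
    for name, flt in (("posted", page_filter), ("excluding", excluding_filter)):
        out = simulate(flt, FIRST)
        print(f"{name}: {len(out)} records, last is {len(out[-1].message)} chars")
```

With the posted filter the model only stops at the max_records cap and every record is longer than the one before; with the sshguard tag excluded it stops after sshguard's single echo.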