From: Mij <mi...@ss...> - 2010-01-22 08:43:22

Dear syslog-ng folks,

I am the maintainer of sshguard, see http://www.sshguard.net . Sshguard can be interfaced with syslog-ng. Multiple users of syslog-ng recently reported that switching to 3.x required a configuration change for preserving the original logging format, see

https://sourceforge.net/mailarchive/forum.php?thread_name=EE040D72-0185-41EB-BECE-DED8C0272EDB%40sshguard.net&forum_name=sshguard-users
https://sourceforge.net/mailarchive/forum.php?thread_name=DA2160C1-09A0-475D-B32A-AF10B712E403%40sshguard.net&forum_name=sshguard-users

We reflected the reports by updating the setup docs to contain a block for the 2.x version and one for 3.x, see

http://www.sshguard.net/docs/setup/getlogs/syslog-ng/

However, this change is not apparent in your documentation or changelogs, and other users reported that with even more recent versions, the "old format" is again the correct one.

Can you clarify what the intended template is for producing entry tags of the classic format "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg" in the different versions?

Thanks
From: Balazs S. <ba...@ba...> - 2010-01-22 10:48:55

On Fri, 2010-01-22 at 09:43 +0100, Mij wrote:
> Dear syslog-ng folks,
>
> I am the maintainer of sshguard, see http://www.sshguard.net .
> Sshguard can be interfaced with syslog-ng. Multiple users of syslog-ng
> recently reported that switching to 3.x required a configuration change
> for preserving the original logging format, see
>
> https://sourceforge.net/mailarchive/forum.php?thread_name=EE040D72-0185-41EB-BECE-DED8C0272EDB%40sshguard.net&forum_name=sshguard-users
> https://sourceforge.net/mailarchive/forum.php?thread_name=DA2160C1-09A0-475D-B32A-AF10B712E403%40sshguard.net&forum_name=sshguard-users
>
> We reflected the reports by updating the setup docs to contain a block
> for the 2.x version and one for 3.x, see
>
> http://www.sshguard.net/docs/setup/getlogs/syslog-ng/
>
> However, this change is not apparent in your documentation or changelogs,
> and other users reported that with even more recent versions, the "old format"
> is again the correct one.

syslog-ng can operate in both 2.x compatible mode and 3.x compatible mode. The '@version' header in the syslog-ng configuration file controls which one is used.

If someone has no version header, syslog-ng assumes it wants syslog-ng 2.x compatibility.

There were no macro-related changes in the 3.0 series, and the format with the MSGHDR is still the correct one.

> Can you clarify what is the intended template for producing entry tags
> of the classic format "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg"
> in the different versions?

Can you show the user posting that states MSGHDR is the wrong approach to do? I might be able to help troubleshoot it.

--
Bazsi
From: Arne R. <arn...@go...> - 2010-01-22 16:03:11

As I understand, to use $MSGHDR$MESSAGE with syslog-ng 3.x there has to be a version 3 header in the config file; otherwise it has to be $MESSAGE because of version 2 compatibility. So the version 3 header is missing in the sshguard config example.

2010/1/22 Balazs Scheidler <ba...@ba...>:
> On Fri, 2010-01-22 at 09:43 +0100, Mij wrote:
>> Dear syslog-ng folks,
>>
>> I am the maintainer of sshguard, see http://www.sshguard.net .
>> Sshguard can be interfaced with syslog-ng. Multiple users of syslog-ng
>> recently reported that switching to 3.x required a configuration change
>> for preserving the original logging format, see
>>
>> https://sourceforge.net/mailarchive/forum.php?thread_name=EE040D72-0185-41EB-BECE-DED8C0272EDB%40sshguard.net&forum_name=sshguard-users
>> https://sourceforge.net/mailarchive/forum.php?thread_name=DA2160C1-09A0-475D-B32A-AF10B712E403%40sshguard.net&forum_name=sshguard-users
>>
>> We reflected the reports by updating the setup docs to contain a block
>> for the 2.x version and one for 3.x, see
>>
>> http://www.sshguard.net/docs/setup/getlogs/syslog-ng/
>>
>> However, this change is not apparent in your documentation or changelogs,
>> and other users reported that with even more recent versions, the "old format"
>> is again the correct one.
>
> syslog-ng can operate in both 2.x compatible mode and 3.x compatible
> mode. The '@version' header in the syslog-ng configuration file controls
> which one is used.
>
> If someone has no version header, syslog-ng assumes it wants syslog-ng
> 2.x compatibility.
>
> There were no macro-related changes in the 3.0 series and still the
> format with the MSGHDR is the correct one.
>
>> Can you clarify what is the intended template for producing entry tags
>> of the classic format "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg"
>> in the different versions?
>
> Can you show the user posting that states MSGHDR is the wrong approach
> to do? I might be able to help troubleshooting it.
From: Balazs S. <ba...@ba...> - 2010-02-06 15:58:31

On Fri, 2010-01-22 at 16:35 +0100, Mij wrote:
> On Jan 22, 2010, at 11:25 , Balazs Scheidler wrote:
>
>>> Can you clarify what is the intended template for producing entry tags
>>> of the classic format "Jan 21 12:54:09 examplehost proftpd[18965]: applmsg"
>>> in the different versions?
>>
>> Can you show the user posting that states MSGHDR is the wrong approach
>> to do? I might be able to help troubleshooting it.
>
> Sure. Confront:
>
> http://sourceforge.net/mailarchive/forum.php?thread_name=EE040D72-0185-41EB-BECE-DED8C0272EDB%40sshguard.net&forum_name=sshguard-users
> http://sourceforge.net/mailarchive/forum.php?thread_name=DA2160C1-09A0-475D-B32A-AF10B712E403%40sshguard.net&forum_name=sshguard-users
>
> with:
>
> http://sourceforge.net/mailarchive/forum.php?thread_name=C5633AC6-CD8F-451F-B301-D0FDC5130AB1%40sshguard.net&forum_name=sshguard-users
> http://sourceforge.net/mailarchive/forum.php?thread_name=8cb75a4a1001210418g30d0968ck79e8a4d1a6808bba%40mail.gmail.com&forum_name=sshguard-users
>
> Notice the double "proftpd[25517]: proftpd[25517]:" occurrence when prepending $MSGHDR.

I can't post there via the webpage, but the problem is most probably a missing "@version: 3.0" line in the configuration. Without that, syslog-ng 3.0 is operating in 2.x compatible mode. However, the posts there didn't include a complete configuration file, but I guess this is the root cause of the problem.

Also, the missing @version directive is logged as a warning at syslog-ng startup.

--
Bazsi
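Bazsi's explanation turned into a concrete syslog-ng configuration, as an added example that is neither from this thread nor from the sshguard setup docs: with the @version: 3.0 header present, $MESSAGE holds only the application text and $MSGHDR supplies the "program[pid]: " part, so the classic line sshguard expects is assembled from both. The /dev/log socket path and the /usr/local/sbin/sshguard binary path are assumptions.

```conf
# Added example, not from the thread. Assumed paths: /dev/log (Linux)
# and /usr/local/sbin/sshguard.
#
# The @version header selects 3.x semantics. Without it, syslog-ng 3.0
# runs in 2.x compatible mode, where $MESSAGE already contains the
# "proftpd[18965]: " header, so the template below would emit the
# header twice ("proftpd[25517]: proftpd[25517]: ..."), which is the
# symptom reported on sshguard-users. syslog-ng also warns at startup
# when the directive is missing.
@version: 3.0

source s_local {
    unix-dgram("/dev/log");
    internal();
};

# sshguard expects the classic line:
#   Jan 21 12:54:09 examplehost proftpd[18965]: applmsg
# In 3.x mode that is $DATE, $HOST, $MSGHDR ("proftpd[18965]: ")
# and $MESSAGE ("applmsg").
destination d_sshguard {
    program("/usr/local/sbin/sshguard"
        template("$DATE $HOST $MSGHDR$MESSAGE\n")
    );
};

# If the @version line is omitted (2.x compatible mode, or a real
# syslog-ng 2.x), use the 2.x template instead, because $MESSAGE
# then already carries the "program[pid]: " header:
#   template("$DATE $HOST $MESSAGE\n")

filter f_auth { facility(auth, authpriv); };

log { source(s_local); filter(f_auth); destination(d_sshguard); };
```

A quick way to confirm which mode is in effect is to check syslog-ng's startup output for the missing-@version warning Bazsi mentions, and to look at a sample line reaching sshguard for a doubled "program[pid]:" prefix.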