Since version 1.5 sshguard comes with the Log Sucker. The Log Sucker makes sshguard continually monitor several log sources (files, FIFOs or pipes) and read in log lines as soon as they appear. The Log Sucker detects on its own when any monitored file has been rotated; it needs no notification from logrotate or any other outside process.
Because sshguard's parser engine supports several different log formats, the Log Sucker can be naturally used to poll log sources with different formats at the same time. For example, sshd logs from syslog, qmail logs from multilog, and logs from your own application logging raw messages to a file.
The Log Sucker handles volatile files. This is useful for processes that maintain a journal file while running, and remove it on termination.
Combining the Log Sucker with Log Validation is discouraged in SSHGuard 1.5: because the Log Sucker polls its sources, a small delay can occur between a log entry being written and sshguard reading it, and in some circumstances that delay causes the validator to reject the entry. A version of the Log Sucker built on the native file-event mechanism of each supported OS is planned for future versions.
Using the Log Sucker
Log sucking is enabled by indicating one or more log sources to monitor with the -l option:
sshguard -l /var/log/maillog -l /var/log/auth.log -l /opt/myapp/logging.fifo
When no log sources are configured, sshguard reads log entries from its standard input. Standard input can still be used together with log sucking by giving - as a magic filename:
sshguard -l /var/log/auth.log -l -
Sshguard produces the following messages when a monitored log file is rotated, disappears, or reappears:
Reloading rotated file /var/log/mylogfile.log.
[...]
File '/var/log/mylogfile.log' disappeared! Archiving it for later attempts.
[...]
File '/var/log/mylogfile.log' reappeared. Reloaded.
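The Log Sucker itself is part of sshguard's C code base. The Python below is an added illustration, not sshguard's own code, of how a poller can notice rotation, in-place truncation, disappearance and reappearance without any outside notification: remember the (device, inode) pair of the file you hold open plus your read offset, and compare them against a fresh stat() of the path on every poll. Class and method names are this example's own; the three notice strings are copied from the messages quoted above. Two behaviours are assumptions of the example rather than documented sshguard behaviour: a source that is missing at startup is treated the same as one that disappeared later, and the first attach starts at the end of the file, like tail -f, so old entries are not replayed.

```python
import os
import time
from dataclasses import dataclass
from typing import IO, List, Optional, Tuple


@dataclass
class LogSource:
    """State for one monitored file (names are this example's, not sshguard's)."""
    path: str
    fh: Optional[IO[bytes]] = None
    ident: Optional[Tuple[int, int]] = None  # (st_dev, st_ino) of the file currently held open
    buf: bytes = b""                          # trailing bytes not yet terminated by '\n'
    archived: bool = False                    # file is missing; retry opening it on each poll


class LogSucker:
    """Polling follower for several log files that copes with rotation, truncation and deletion."""

    DISAPPEARED = "File '{}' disappeared! Archiving it for later attempts."
    REAPPEARED = "File '{}' reappeared. Reloaded."
    ROTATED = "Reloading rotated file {}."

    def __init__(self, paths: List[str], from_start: bool = False):
        self.sources = [LogSource(p) for p in paths]
        self.events: List[str] = []  # notices, worded as sshguard prints them
        for src in self.sources:
            if not self._open(src, from_start):
                self._archive(src)  # assumption: missing at startup == disappeared

    def _open(self, src: LogSource, from_start: bool) -> bool:
        try:
            fh = open(src.path, "rb")
        except FileNotFoundError:
            return False
        st = os.fstat(fh.fileno())
        if not from_start:
            fh.seek(0, os.SEEK_END)  # assumption: first attach skips history, like tail -f
        src.fh, src.ident, src.buf, src.archived = fh, (st.st_dev, st.st_ino), b"", False
        return True

    def _archive(self, src: LogSource) -> None:
        if src.fh is not None:
            src.fh.close()
            src.fh = None
        src.archived = True
        self.events.append(self.DISAPPEARED.format(src.path))

    def _drain(self, src: LogSource) -> List[str]:
        """Read everything new from the open handle; return complete lines, keep a partial tail."""
        parts = (src.buf + src.fh.read()).split(b"\n")
        src.buf = parts.pop()  # b"" if the data ended in '\n', otherwise the unfinished line
        return [p.decode("utf-8", "replace") for p in parts]

    def _poll_one(self, src: LogSource) -> List[str]:
        out: List[str] = []
        try:
            st = os.stat(src.path)
        except FileNotFoundError:
            if not src.archived:
                out.extend(self._drain(src))  # an unlinked file stays readable via the open handle
                self._archive(src)
            return out
        if src.archived:
            if self._open(src, from_start=True):
                self.events.append(self.REAPPEARED.format(src.path))
                out.extend(self._drain(src))
            return out
        rotated = (st.st_dev, st.st_ino) != src.ident   # path now names a different file (mv + create)
        truncated = st.st_size < src.fh.tell()          # same inode shrank (copytruncate-style)
        if rotated:
            out.extend(self._drain(src))  # lines written to the old file after the rename
        if rotated or truncated:
            src.fh.close()
            src.fh = None
            if not self._open(src, from_start=True):  # vanished between stat() and open()
                self._archive(src)
                return out
            self.events.append(self.ROTATED.format(src.path))
        out.extend(self._drain(src))
        return out

    def poll(self) -> List[str]:
        """One polling pass over all sources; returns the new complete lines in source order."""
        lines: List[str] = []
        for src in self.sources:
            lines.extend(self._poll_one(src))
        return lines


def follow(sucker: LogSucker, interval: float = 0.5):
    """Generator yielding lines as they appear; stop with Ctrl-C."""
    while True:
        for line in sucker.poll():
            yield line
        time.sleep(interval)
```

To run it against real files, iterate `follow(LogSucker(["/var/log/auth.log", "/var/log/maillog"]))` and hand each line to a parser. Two limits of this polling approach are worth knowing: a file that is truncated and regrows past the old read offset between two polls looks unchanged and the stale offset is kept, and the gap between polls is exactly the latency the page warns about when the Log Sucker is combined with Log Validation.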