Since version 1.5 sshguard comes with the Log Sucker. The Log Sucker makes sshguard continually monitor any number of log sources (files, FIFOs or pipes) and read in new log lines as soon as they appear. It also detects when any monitored file has been rotated, without needing notifications from the outside.

Because sshguard's parser engine supports several different log formats, the Log Sucker can naturally poll log sources with different formats at the same time: for example, sshd logs from syslog, qmail logs from multilog, and logs from your own application writing raw messages to a file.

The Log Sucker handles volatile files. This is useful for processes that maintain a journal file while running, and remove it on termination.

Combining the Log Sucker with Log Validation is discouraged in SSHGuard 1.5: with the Log Sucker, small latencies may occur between a log entry appearing and being fetched, and in some circumstances these lead the validator to distrust the entry. A version of Log Sucking tailored to the native event system of each supported OS is planned for the next versions.

Using the Log Sucker

Log sucking is enabled by indicating one or more log sources to monitor with the -l option:

sshguard -l /var/log/maillog -l /var/log/auth.log -l /opt/myapp/logging.fifo

When no files are configured, sshguard expects log entries on its standard input. Standard input can still be used together with log sucking by passing - as a magic filename:

sshguard -l /var/log/auth.log -l -

Sshguard produces the following messages when a log file is rotated, disappears, or reappears:

Reloading rotated file /var/log/mylogfile.log.
File '/var/log/mylogfile.log' disappeared! Archiving it for later attempts.
File '/var/log/mylogfile.log' reappeared. Reloaded.
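As an added illustration of the behaviour described on this page (not sshguard's own source), the following Python class follows one log file by polling and reports the same three situations: rotation (a new inode at the same path, or a file shrunk by copytruncate), disappearance, and reappearance. The class name and the polling interface are assumptions for the example.

```python
import os


class RotationAwareTailer:
    """Follow one log file by polling, surviving rotation, deletion and re-creation.
    Illustrates the page's description of the Log Sucker; not sshguard's own code."""

    def __init__(self, path):
        self.path = path
        self.fh = None       # handle on the file currently being read
        self.inode = None    # inode that handle was opened on
        self.buf = b""       # trailing partial line not yet delivered
        self.events = []     # status messages, worded like sshguard's
        self.lines = []      # complete log lines handed to the parser

    def _open(self):
        self.fh = open(self.path, "rb")
        self.inode = os.fstat(self.fh.fileno()).st_ino
        self.buf = b""

    def _drain(self):
        # deliver every complete line appended since the last poll
        self.buf += self.fh.read()
        *done, self.buf = self.buf.split(b"\n")
        self.lines.extend(chunk.decode("utf-8", "replace") for chunk in done)

    def poll(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            if self.fh is not None:
                self._drain()    # an unlinked file is still readable via the open handle
                self.fh.close()
                self.fh = None
                self.events.append(f"File '{self.path}' disappeared! Archiving it for later attempts.")
            return
        if self.fh is None:
            if self.inode is not None:   # seen before, so this is a reappearance
                self.events.append(f"File '{self.path}' reappeared. Reloaded.")
            self._open()
        elif st.st_ino != self.inode or st.st_size < self.fh.tell():
            # new inode at the same path (logrotate moved the old file away) or a
            # shrunken file (copytruncate): finish the old content, then start over
            self._drain()
            self.fh.close()
            self.events.append(f"Reloading rotated file {self.path}.")
            self._open()
        self._drain()
```

Size-based truncation detection cannot notice a copytruncate that is immediately refilled to at least the old length, which is one reason the rename-style rotation used by most logrotate setups is easier to follow.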

