Logging from metalog or multilog
Both metalog and multilog rotate logs autonomously; neither of them forwards log entries to external processes. Their logging formats differ, but this is trifling as long as log entries reach sshguard, since sshguard adapts to different logging formats transparently.
Configuration
Multilog
Multilog configuration is not covered. It is too free-form, and if you're using multilog you already know what to do on your own.
Metalog
Edit metalog's configuration file (typically /etc/metalog.conf):
vim /etc/metalog.conf
Put this block in it:
Stuff to protect from brute force attacks :
  # for ssh
  facility = "*"
  program = "sshd"
  # other services ...
  # log to /var/log/sshguard directory
  logdir = "/var/log/sshguard"
Restart the metalog daemon. It will create the /var/log/sshguard directory and put all the selected logging into it. Much like multilog does, it always writes the newest activity to the file named current. When this file gets sufficiently big, it is renamed with a timestamped name and a fresh current file is created to host the next logs.
Getting log entries to sshguard
What you need is to poll log entries directly from the metalog or multilog files and pass them to sshguard. This can be accomplished with the usual tail+sshguard combo, which handles file rotation on its own. Just make sure to poll from the right file:
- for metalog, poll from the file /var/log/sshguard/current (adjust the path if needed)
- for multilog, poll from the file /path/to/your/sshguard/dir/current (point the path to the correct multilog directory for the service to monitor)
Their sharing the same filename, current, for the newest-activity file can be thought of as incidental.
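The rotation behaviour above is the one thing that can silently break the feed: a follower that holds the old file descriptor keeps reading the renamed file and never sees the fresh current. The script below is an added example, not part of the sshguard documentation or the metalog/multilog projects. It simulates the metalog-style rotation of a current file in a scratch directory and checks that tail -F (follow by name, not by descriptor) keeps delivering lines across the rename. The log lines, the timestamp naming and the feed_sshguard helper are constructed for illustration; the production path /var/log/sshguard/current is an assumption to adjust for your setup.

```sh
#!/bin/sh
# Added example (not from the sshguard, metalog or multilog projects).
# Demonstrates that `tail -F` survives a metalog/multilog-style rotation of
# the "current" file, which is what the tail+sshguard combo relies on.

# feed_sshguard LOGFILE: the real pipeline. sshguard reads log lines on stdin.
# -F reopens the file by name after rotation; -n0 skips entries already logged.
# LOGFILE is typically /var/log/sshguard/current (assumed path, adjust it).
feed_sshguard() {
    tail -F -n0 "$1" | sshguard
}

# follow_across_rotation DIR: rotate a "current" file while a follower is
# attached, then print how many lines the follower saw (expected: 2, one
# before and one after the rotation). DIR should be an empty scratch directory.
follow_across_rotation() {
    dir=$1
    mkdir -p "$dir"
    : > "$dir/current"
    out="$dir/seen.txt"

    # Follower stands in for sshguard; only stdout (the log lines) is kept.
    tail -F -n0 "$dir/current" > "$out" 2>/dev/null &
    pid=$!
    sleep 1

    # Constructed sshd line written before the rotation.
    printf 'sshd[4242]: Failed password for root from 192.0.2.10 port 50000 ssh2\n' >> "$dir/current"
    sleep 1

    # Rotate the way metalog does: rename current, then start a fresh one.
    mv "$dir/current" "$dir/@$(date +%s).s"
    : > "$dir/current"
    sleep 2

    # Constructed sshd line written after the rotation; a follower holding the
    # old descriptor (plain `tail -f`) would never see this one.
    printf 'sshd[4242]: Failed password for root from 192.0.2.10 port 50001 ssh2\n' >> "$dir/current"
    sleep 2

    kill "$pid"
    wait "$pid" 2>/dev/null || true
    wc -l < "$out" | tr -d ' '
}

# Usage: follow_across_rotation "$(mktemp -d)"   -> prints 2
```

The check takes a few seconds because it waits for tail to notice the rename and the new file. If it prints 1, your tail is following the descriptor rather than the name, and sshguard would stop receiving entries at the first rotation.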