Logging from syslog-ng

In this scenario, the host running sshguard runs syslogd-ng, that has to be configured for passing the log messages to monitor to sshguard.

Services

This setup assumes that only sshd monitoring is performed. Sshd logs messages with syslog's facility auth (LOG_AUTH). If more services must be monitored, log messages for their facilities will also need to be forwarded to sshguard.

Making syslog-ng pass service logs to sshguard

Edit syslogd-ng's log file, usually /etc/syslog-ng/syslog-ng.conf:

vim /etc/syslog-ng/syslog-ng.conf

Syslog-ng versions 2.x and 3.x implement slightly different configuration syntaxes.
For syslog-ng 2.x, put these lines into this file:

# pass only entries with auth+authpriv facilities from programs other than sshguard
filter sshlogs { facility(auth, authpriv) and not match("sshguard"); };
# pass to this process with this template (avoids <ID> prefixes)
destination sshguardproc {
    program("/usr/local/sbin/sshguard"
        template("$DATE $FULLHOST $MESSAGE\n"));
};
log { source(src); filter(sshlogs); destination(sshguardproc); };

For syslog-ng 3.x, when you have @version:3.0 enabled (you are not retaining 2.x compatibility), use these lines for the configuration file:

# enable 3.x mode
@version:3.0

# pass only entries with auth+authpriv facilities from programs other than sshguard
filter f_sshguard { facility(auth, authpriv) and not program("sshguard"); };
# pass entries built with this format
destination sshguard {
    program("/usr/sbin/sshguard"
        template("$DATE $FULLHOST $MSGHDR$MESSAGE\n")
    );
};
log { source(src); filter(f_sshguard); destination(sshguard); };

Let syslog-ng notice the configuration change;

killall -HUP syslog-ng

After the first message comes with the auth facility, ps ax | grep sshguard will show the sshguard process running into the system.