Logging from syslog

In this scenario, the host running sshguard also runs syslogd, which has to be configured to pass the log messages to be monitored on to sshguard.

Services

This setup assumes that only sshd is monitored. sshd logs its messages with syslog's auth facility (LOG_AUTH). If more services must be monitored, the log messages of their facilities will also need to be forwarded to sshguard.

Making syslog pass service logs to sshguard

Determine the flavour

Modern syslogd implementations can forward logging to external processes. Older implementations do not, but they often support dumping to FIFOs.

Depending on your syslogd flavour you have to follow one setup path or the other, so determine this first.

  1. Look at the syslog.conf manual page: man syslog.conf
  2. Search for "pipe" (if nothing is found, search for "|").
  3. If neither is found, your syslog implementation is very minimal and cannot pass messages to anything. Move to the tail+sshguard combination instead.
  4. If it is found and talks about FIFOs (or named pipes), follow the older flavour setup.
  5. If it is found and talks about commands or external processes, follow the modern flavour setup.

Modern flavour setup

Edit syslogd's configuration file, usually /etc/syslog.conf:

vim /etc/syslog.conf

Put this line high into this file:

auth.info;authpriv.info    |/usr/local/sbin/sshguard

Make sure that no blanks follow the pipe symbol. Remember to adjust the path if you installed sshguard elsewhere.

Let syslogd notice the configuration change:

killall -HUP syslogd

After the first message with the auth facility arrives, ps ax | grep sshguard will show the sshguard process running on the system.

Older flavour setup

Create a named pipe for syslog to write its logs to:

mkfifo /var/log/sshguard.fifo

Edit syslogd's configuration file, usually /etc/syslog.conf:

vim /etc/syslog.conf

Put this line high into this file:

auth.info;authpriv.info    |/var/log/sshguard.fifo

Let syslogd notice the configuration change:

killall -HUP syslogd

Run sshguard in the background, reading directly from this FIFO:

cat /var/log/sshguard.fifo | /usr/local/sbin/sshguard &
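Both setups above depend on a single syslog.conf line being exactly right: the selector must name the facilities sshguard should see, the action must start with the pipe symbol, and no blank may follow that symbol. The script below is an added example, not part of the sshguard documentation or project: it reads a syslog.conf, finds the line that forwards to sshguard (either the process pipe of the modern flavour or the FIFO of the older flavour), and reports whether it is usable before you send syslogd the HUP. The sample configurations it writes are constructed for the demonstration and do not come from any real host; the target paths /usr/local/sbin/sshguard and /var/log/sshguard.fifo are the ones used on this page.

```shell
#!/bin/sh
# Added example, not part of the sshguard documentation or project: check that
# a syslog.conf hands auth/authpriv messages to sshguard, for either flavour
# (a pipe to the external process or the named pipe /var/log/sshguard.fifo).
# It enforces the rule from the page that no blank may follow the pipe symbol.
# Exit status: 0 if at least one acceptable line is found, 1 otherwise.
check_sshguard_forwarding() (
    set -f                   # no pathname expansion while splitting lines like '*.err'
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    lineno=0 ok=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line         # split on blanks/tabs: selector, action, extra...
        [ $# -eq 0 ] && continue                      # empty line
        case "$1" in \#*) continue ;; esac            # comment
        case "$2" in \|*) ;; *) continue ;; esac      # only pipe actions matter here
        case "$*" in *sshguard*) ;; *) continue ;; esac
        if [ "$2" = "|" ]; then
            echo "line $lineno: blank after the pipe symbol, syslogd will not forward: $line" >&2
            continue
        fi
        if [ $# -ne 2 ]; then
            echo "line $lineno: unexpected extra fields: $line" >&2
            continue
        fi
        target=${2#"|"}      # drop the leading '|'
        case ";$1;" in       # both facilities from the page should be selected
            *";auth."*";authpriv."*|*";authpriv."*";auth."*) ;;
            *) echo "line $lineno: selector '$1' does not cover both auth and authpriv" >&2 ;;
        esac
        if [ -p "$target" ]; then
            kind="named pipe (older flavour)"
        elif [ -x "$target" ]; then
            kind="external process (modern flavour)"
        else
            kind="target does not exist on this host"
        fi
        echo "line $lineno: ok, $1 -> $target [$kind]"
        ok=1
    done < "$conf"
    [ "$ok" -eq 1 ] || { echo "no usable sshguard forwarding line in $conf" >&2; return 1; }
)

# Constructed sample configurations (not taken from any real host).
write_sample_confs() {
    dir=$1
    # modern flavour as shown on the page: syslogd pipes into the sshguard process
    printf '# constructed sample\n*.err;kern.notice;auth.notice\t/dev/console\nauth.info;authpriv.info\t|/usr/local/sbin/sshguard\nauth.info;authpriv.info\t/var/log/auth.log\n' > "$dir/modern.conf"
    # older flavour: syslogd writes into the FIFO that sshguard is fed from
    printf 'auth.info;authpriv.info\t|/var/log/sshguard.fifo\n' > "$dir/fifo.conf"
    # broken: a blank after the pipe symbol
    printf 'auth.info;authpriv.info\t| /usr/local/sbin/sshguard\n' > "$dir/blank.conf"
    # no forwarding to sshguard at all
    printf 'auth.info;authpriv.info\t/var/log/auth.log\n' > "$dir/none.conf"
}

# Stand-alone demonstration over the constructed samples.
demo_dir=$(mktemp -d)
write_sample_confs "$demo_dir"
for name in modern fifo blank none; do
    if check_sshguard_forwarding "$demo_dir/$name.conf"; then
        echo "$name.conf: accepted"
    else
        echo "$name.conf: rejected"
    fi
done
rm -rf "$demo_dir"
```

On a real host, source the file and run check_sshguard_forwarding /etc/syslog.conf after editing the configuration and before killall -HUP syslogd; the "target does not exist" note is expected for the FIFO flavour until mkfifo has been run.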
