Some versions of BusyBox syslogd have a -S ("Smaller output") option that drops the hostname and the facility.level tag from each log entry. On systems where syslogd is started with this option, sshguard does not recognize any of the resulting entries, so attacks logged by sshd are never detected or blocked.
BusyBox v1.24.2 (2017-12-08 19:09:25 UTC) multi-call binary.
Usage: syslogd [OPTIONS]
System logging utility
	-n		Run in foreground
	-R HOST[:PORT]	Log to HOST:PORT (default PORT:514)
	-L		Log locally and via network (default is network only if -R)
	-C[size_kb]	Log to shared mem buffer (use logread to read it)
	-K		Log to kernel printk buffer (use dmesg to read it)
	-O FILE		Log to FILE (default:/var/log/messages, stdout if -)
	-s SIZE		Max size (KB) before rotation (default:200KB, 0=off)
	-b N		N rotated logs to keep (default:1, max=99, 0=purge)
	-l N		Log only messages more urgent than prio N (1-8)
	-S		Smaller output
	-D		Drop duplicates
	-f FILE		Use FILE as config (default:/etc/syslog.conf)
Below is an example of what the syslog entry looks like when the -S option is used.
May 9 11:11:17 sshd: Invalid user www from 18.104.22.168 port 51066
This problem can be worked around by removing the -S option from the syslogd startup script; however, that changes the log format for every other consumer of the log and may cause issues in other areas. Preferably, sshguard would recognize that the -S format is in use and adjust accordingly, in the same way the syslog banner already tolerates a missing PID.
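As an added illustration (this is example code, not sshguard's own parser, which is a flex/bison grammar written in C), the following Python shows how a log reader can accept all three header shapes at once: the full BusyBox header with hostname and facility.level tag, the -S header with a PID, and the -S header without a PID seen above. The header group is matched lazily so that the bare "sshd:" tag is never mistaken for a hostname. The sample log lines are constructed for this example (the 18.104.22.168 line is the one from this report; 192.0.2.10 is a documentation address), and the two sshd attack signatures are a deliberately small subset chosen for the demonstration.

```python
import re
from typing import Dict, Iterable, Optional

# Header as BusyBox syslogd writes it: timestamp ("May  9 11:11:17"), then,
# only when syslogd runs WITHOUT -S, "<hostname> <facility.level>", then the
# program name, an optional "[pid]", a colon and the message.  The host/fac
# group is optional AND lazy (??), so the parser first tries to read the token
# after the timestamp as the program tag; only if that fails does it treat it
# as a hostname.  This keeps "sshd: foo: bar" from parsing as host "sshd:".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?:(?P<host>[^\s:]+) (?:(?P<fac>[a-z0-9]+\.[a-z0-9]+) )?)??"
    r"(?P<prog>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Two sshd failure signatures (a small subset, assumed for this example).
ATTACK_RES = [
    re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)"),
    re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"),
]


def parse_syslog(line: str) -> Optional[dict]:
    """Split one syslog line into its fields; None if the header is unknown.

    'host' and 'fac' are None for lines written with -S, 'pid' is None when
    the program logged without a PID (as sshd does in the report above).
    """
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def attacker_ip(line: str) -> Optional[str]:
    """Return the source IP if the line is an sshd authentication failure."""
    entry = parse_syslog(line)
    if entry is None or entry["prog"] != "sshd":
        return None
    for pattern in ATTACK_RES:
        hit = pattern.match(entry["msg"])
        if hit:
            return hit.group("ip")
    return None


def scan(lines: Iterable[str]) -> Dict[str, int]:
    """Count sshd failures per source IP, the input sshguard's blocking needs."""
    counts: Dict[str, int] = {}
    for line in lines:
        ip = attacker_ip(line)
        if ip:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log: the same attack logged under each header shape,
# plus two lines that must NOT count (a cron entry and a successful login).
SAMPLE_LOG = """\
May  9 11:11:17 router auth.info sshd[1401]: Invalid user www from 18.104.22.168 port 51066
May  9 11:11:17 sshd[1401]: Invalid user www from 18.104.22.168 port 51066
May  9 11:11:17 sshd: Invalid user www from 18.104.22.168 port 51066
May  9 11:11:19 sshd: Failed password for invalid user www from 18.104.22.168 port 51066 ssh2
May  9 11:12:01 crond[212]: USER root pid 300 cmd run-parts /etc/periodic/15min
May  9 11:12:05 sshd: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
"""

if __name__ == "__main__":
    for ip, n in scan(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failures")
```

Running the block prints one line for 18.104.22.168 with four failures: the three "Invalid user" variants and the "Failed password" line are all attributed to the same source regardless of whether the hostname, the facility tag or the PID was present, while the cron line and the successful login are ignored.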