sshguard does not parse RFC 5424 format syslog messages
Issue #124
resolved
FreeBSD 12.x added support for RFC 5424 format syslog messages (via syslogd -O rfc5424) but these messages do not appear to be parsed properly by sshguard. Failed logins which are parsed as expected with the default format (BSD, RFC 3164) are not flagged when using RFC 5424.
Here is a sample of a failed SSH login using this log format:
<35>1 2020-01-03T11:57:14.257387-05:00 host.example.com sshd 86784 - - error: PAM: Authentication error for root from 198.51.100.14
<38>1 2020-01-03T11:57:14.258186-05:00 host.example.com sshd 86784 - - Failed keyboard-interactive/pam for root from 198.51.100.14 port 15175 ssh2
<38>1 2020-01-03T11:57:14.891772-05:00 host.example.com sshd 86784 - - Failed unknown for root from 198.51.100.14 port 15175 ssh2
<38>1 2020-01-03T11:57:14.892446-05:00 host.example.com sshd 86784 - - user root login class [preauth]
<38>1 2020-01-03T11:57:15.009161-05:00 host.example.com sshd 86784 - - Failed password for root from 198.51.100.14 port 15175 ssh2
Here is a sample of the old format which is parsed as expected:
Jan 3 12:01:34 host sshd[70419]: error: PAM: Authentication error for root from 198.51.100.14
Jan 3 12:01:34 host sshd[70419]: Failed unknown for root from 198.51.100.14 port 54588 ssh2
Jan 3 12:01:34 host sshd[70419]: user root login class [preauth]
Jan 3 12:01:34 host sshguard[71549]: Attack from "198.51.100.14" on service SSH with danger 10.
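To make the difference between the two samples concrete, here is an added Python example (not sshguard's own code, which is written in C) that strips either the RFC 3164 or the RFC 5424 header before applying the same sshd failure patterns; the regular expressions are my simplification built only from the lines in this report, and the constructed sample list reuses those lines.

```python
import re

# RFC 3164 (BSD) header, e.g. "Jan  3 12:01:34 host sshd[70419]: <msg>"
RFC3164 = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
    r"(?P<app>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# RFC 5424 header: "<PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD <msg>"
# (simplified: SD-PARAM values containing an escaped ']' are not handled)
RFC5424 = re.compile(
    r"^<\d{1,3}>1 \S+ (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) \S+ "
    r"(?P<sd>-|(?:\[[^\]]*\])+) (?P<msg>.*)$"
)
# The sshd failure messages that appear in the report's samples.
FAILED = re.compile(
    r"^(?:error: PAM: Authentication error|Failed \S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)


def parse_header(line):
    """Split off either syslog header; return (app, msg) or None."""
    m = RFC5424.match(line) or RFC3164.match(line)
    return (m.group("app"), m.group("msg")) if m else None


def failed_login_ip(line):
    """Source IP of an sshd failed-login record, or None for anything else."""
    parsed = parse_header(line)
    if parsed is None or parsed[0] != "sshd":
        return None
    m = FAILED.match(parsed[1])
    return m.group("ip") if m else None


def count_failures(lines):
    """Failed sshd logins per source IP, whichever header format each line uses."""
    counts = {}
    for line in lines:
        ip = failed_login_ip(line)
        if ip is not None:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample: lines taken from the report's RFC 5424 and RFC 3164 excerpts.
SAMPLE_LINES = [
    "<35>1 2020-01-03T11:57:14.257387-05:00 host.example.com sshd 86784 - - error: PAM: Authentication error for root from 198.51.100.14",
    "<38>1 2020-01-03T11:57:14.258186-05:00 host.example.com sshd 86784 - - Failed keyboard-interactive/pam for root from 198.51.100.14 port 15175 ssh2",
    "<38>1 2020-01-03T11:57:14.892446-05:00 host.example.com sshd 86784 - - user root login class [preauth]",
    "Jan  3 12:01:34 host sshd[70419]: Failed unknown for root from 198.51.100.14 port 54588 ssh2",
    "Jan  3 12:01:34 host sshguard[71549]: Attack from \"198.51.100.14\" on service SSH with danger 10.",
]

if __name__ == "__main__":
    print(count_failures(SAMPLE_LINES))  # {'198.51.100.14': 3}
```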
Comments (2)
- changed status to resolved
Fixed in c18687f, thanks!
Thanks for the report.