sshguard does not parse RFC 5424 format syslog messages

Issue #124 resolved
Jim P created an issue

FreeBSD 12.x added support for RFC 5424 format syslog messages (via syslogd -O rfc5424) but these messages do not appear to be parsed properly by sshguard. Failed logins which are parsed as expected with the default format (BSD, RFC 3164) are not flagged when using RFC 5424.

Here is a sample of a failed SSH login using this log format:

<35>1 2020-01-03T11:57:14.257387-05:00 host.example.com sshd 86784 - - error: PAM: Authentication error for root from 198.51.100.14
<38>1 2020-01-03T11:57:14.258186-05:00 host.example.com sshd 86784 - - Failed keyboard-interactive/pam for root from 198.51.100.14 port 15175 ssh2
<38>1 2020-01-03T11:57:14.891772-05:00 host.example.com sshd 86784 - - Failed unknown for root from 198.51.100.14 port 15175 ssh2
<38>1 2020-01-03T11:57:14.892446-05:00 host.example.com sshd 86784 - - user root login class  [preauth]
<38>1 2020-01-03T11:57:15.009161-05:00 host.example.com sshd 86784 - - Failed password for root from 198.51.100.14 port 15175 ssh2

Here is a sample of the old format which is parsed as expected:

Jan  3 12:01:34 host sshd[70419]: error: PAM: Authentication error for root from 198.51.100.14
Jan  3 12:01:34 host sshd[70419]: Failed unknown for root from 198.51.100.14 port 54588 ssh2
Jan  3 12:01:34 host sshd[70419]: user root login class  [preauth]
Jan  3 12:01:34 host sshguard[71549]: Attack from "198.51.100.14" on service SSH with danger 10.
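The two samples above differ only in the syslog header; the sshd message body ("Failed password for root from ...") is the same in both. The following is an added example, not sshguard's own parser (which is C/flex): it strips either an RFC 5424 or a BSD/RFC 3164 header before matching the failed-login text, so lines in both formats yield the same source address. The regexes, function names and the `attacks_by_source` helper are my own; the sample lines are copied from the issue.

```python
import re
from collections import Counter

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# Structured data is "-" or one or more [..] elements (escaped "]" inside SD is not handled).
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<pid>\S+)\s+(?P<msgid>\S+)\s+(?P<sd>-|(?:\[.*?\])+)\s+(?P<msg>.*)$"
)
# BSD / RFC 3164: "Mmm dd hh:mm:ss host app[pid]: MSG" (pid is optional)
RFC3164_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"(?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
# sshd failure messages seen in the issue; the source address follows "from".
SSHD_FAILED = re.compile(
    r"(?:Failed \S+ for \S+ from|error: PAM: Authentication error for \S+ from)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def split_syslog(line):
    """Return (app, pid, msg) for a line in either header format, or None if neither matches."""
    m = RFC5424_HEADER.match(line) or RFC3164_HEADER.match(line)
    if not m:
        return None
    return m.group("app"), m.group("pid"), m.group("msg")

def attacker_ip(line):
    """Return the source address of an sshd failed-login line (either format), else None."""
    parts = split_syslog(line)
    if parts is None or parts[0] != "sshd":
        return None
    m = SSHD_FAILED.search(parts[2])
    return m.group("ip") if m else None

def attacks_by_source(lines):
    """Count failed-login lines per source address, mixing both formats freely."""
    return dict(Counter(ip for ip in map(attacker_ip, lines) if ip))

# Sample lines copied from the issue (RFC 5424 first, then the BSD format).
SAMPLE_LINES = [
    "<35>1 2020-01-03T11:57:14.257387-05:00 host.example.com sshd 86784 - - error: PAM: Authentication error for root from 198.51.100.14",
    "<38>1 2020-01-03T11:57:14.258186-05:00 host.example.com sshd 86784 - - Failed keyboard-interactive/pam for root from 198.51.100.14 port 15175 ssh2",
    "<38>1 2020-01-03T11:57:14.891772-05:00 host.example.com sshd 86784 - - Failed unknown for root from 198.51.100.14 port 15175 ssh2",
    "<38>1 2020-01-03T11:57:14.892446-05:00 host.example.com sshd 86784 - - user root login class  [preauth]",
    "<38>1 2020-01-03T11:57:15.009161-05:00 host.example.com sshd 86784 - - Failed password for root from 198.51.100.14 port 15175 ssh2",
    "Jan  3 12:01:34 host sshd[70419]: error: PAM: Authentication error for root from 198.51.100.14",
    "Jan  3 12:01:34 host sshd[70419]: Failed unknown for root from 198.51.100.14 port 54588 ssh2",
    "Jan  3 12:01:34 host sshd[70419]: user root login class  [preauth]",
    "Jan  3 12:01:34 host sshguard[71549]: Attack from \"198.51.100.14\" on service SSH with danger 10.",
]

if __name__ == "__main__":
    print(attacks_by_source(SAMPLE_LINES))
```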
