Don't parse SSH logs with rsyslog 8 - Patch proposal

Create issue
Issue #128 resolved
steup created an issue
  • FreeBSD 12.1-p5
  • Rsyslog 8.2004.0 from ports
  • sshguard 2.4.0 from ports, with pf backend

With the sub mentioned config, sshguard do not see SSH activity from auth.log

I narrowed this issue down to the TAG syntax used by rsyslog, which do not add colon after the sshd PID :

2020-05-25T23:40:43.244636+02:00 bastion sshd[53186] Invalid user plop from 99.99.99.99 port 59418

I made a patch to make colon optional in both SYSLOG_BANNER and SYSLOG_BANNED_PID. This resolved the problem for my servers with the same configuration.

Could this be included in sshguard?

Here is the relatively basic rsyslog config triggering the issue :

module(load="immark")   # provides --MARK-- message capability
module(load="imuxsock") # mandatory for local system logging

global(workDirectory="/var/spool/rsyslog")

*.err;kern.warning;auth.notice;mail.crit;console.info           /var/log/console.log
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
security.*                                                      /var/log/security
auth.info;authpriv.info                                         /var/log/auth.log
mail.info                                                       /var/log/maillog
cron.*                                                          /var/log/cron
*.emerg                                                         :omusrmsg:*

*.*  action(
  Action.resumeInterval="10"
  RebindInterval="10000"            # cycling TCP connections allows for load balancing
  Queue.Size="100000"
  Queue.DiscardMark="97500"
  Queue.HighWaterMark="80000"
  Queue.Type="LinkedList"
  Queue.FileName="rsyslogqueue"
  Queue.CheckpointInterval="100"
  Queue.MaxDiskSpace="2g"
  Action.ResumeRetryCount="-1"
  Queue.SaveOnShutdown="on"
  Queue.TimeoutEnqueue="10"
  Queue.DiscardSeverity="0"
  type="omfwd"
  target="graylog"
  protocol="tcp"
  port="1514"
  template="RSYSLOG_SyslogProtocol23Format" )

Comments (4)

  1. Kevin Zheng
    • changed status to open

    Thank you for your report and proposed patch.

    The proposed patch causes SSHGuard to misidentify previously recognized attacks (try running make check). Can you try again, or, when I have time, I'll take a look?

  2. steup reporter

    The “make check” is neat, I did not see it at first time.

    I pushed a little too far by patching SYSLOG_BANNER when it was not the cause of my problem. I made it with the assumption that the colon is not mandatory, but it breaks too many things in the parser.

    You will find another patch with only SYSLOG_BANNER_PID modified, and a new test for this case in tests.txt.

  3. Log in to comment